On GameSpot: The Sith return to The Old Republic
BNET Business Network:
BNET
TechRepublic
ZDNet
147 TalkBacks

By Joris Evers
Posted on ZDNet News: Apr 20, 2007 11:03:00 PM

VANCOUVER, B.C.--Shane Macaulay just got himself a free MacBook.

Macaulay, a software engineer, was able to hack into a MacBook through a zero-day security hole in Apple's Safari browser. The computer was one of two offered as a prize in the "PWN to Own" hack-a-Mac contest at the CanSecWest conference here.

MacBook hacker
Credit: Joris Evers
Hack-a-Mac winner Shane Macaulay
attacks a MacBook at the
CanSecWest conference.

The successful attack on the second and final day of the contest required a conference organizer to surf to a malicious Web site using Safari on the MacBook--a type of attack familiar to Windows users. CanSecWest organizers relaxed the rules Friday after nobody at the event had breached either of the Macs on the previous day.

Macaulay teamed with Dino Dai Zovi, a security researcher until recently with Matasano Security. Dai Zovi, who has previously been credited by Apple for finding flaws in Mac software, found the Safari vulnerability and wrote the exploit overnight in about 9 hours, he said.

"The vulnerability and the exploit are mine," Dai Zovi said in a telephone interview from New York. "Shane is my man on the ground."

Apple spokeswoman Lynn Fox declined to comment on the MacBook hack specifically, but provided Apple's standard security comment: "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users."

Dai Zovi plans to apply for a $10,000 bug bounty TippingPoint announced on Thursday if a previously unknown Apple bug was used. "Shane can have the laptop, I want the money," Dai Zovi said. TippingPoint runs the Zero Day Initiative bug bounty program.

A TippingPoint representative said the company would pay, after looking at the vulnerability. "If it is an actual zero-day in Safari that's fine with us," said Terri Forslof, manager of security response at TippingPoint.

The successful hack comes a day after Apple release its fourth security update for Mac OS X this year. The update repairs 25 vulnerabilities.

CanSecWest organizers set up the MacBooks connected to a wireless router and with all security updates installed, but without additional security software or settings.

SponsoredWhite Papers, Webcasts, and Downloads

  • Talkback
  • Most Recent of 147 Talkback(s)
Aw, how lame! I've used Macs since 1986
and never had a virus, never mind anyone hack into them! (Read the rest)
Posted by: labarker Posted on: 05/03/07 You are currently: a Guest | | Terms of Use
I'm interested to know  zkiwi | 04/20/07
I don't think so.  xuniL_z | 04/22/07
Then thing again.  Fil0403 | 04/28/07
Here  Fil0403 | 04/28/07
Thanks Shane!  Fred Fredrickson | 04/20/07
Unless...  comp_indiana | 04/20/07
No mockery whatsoever  YinToYourYang | 04/21/07
Well "safer" does not mean perfect...so does it?  Laff | 04/23/07
No, indeed not. Apparently it means  xuniL_z | 04/23/07
As long as I don't get an exploit I'm OK with that...:)  Laff | 04/23/07
RE: As long as I don't get an exploit I'm OK with that...:)  xuniL_z | 04/23/07
Hmmm, which would I rather deal with?  maldain | 04/23/07
hmmmmmm.....do you even know  xuniL_z | 04/23/07
Vista Exploits  SGIOctane2 | 04/23/07
Well, when you have a fractional  xuniL_z | 04/24/07
Mockery?  Swift48 | 04/23/07
Well done sir!  tic swayback | 04/20/07
And this differs from Windows how?  ye | 04/20/07
Windows would survive less  ITGuy04 | 04/20/07
Windows hacked remotely in 15 minutes; Mac never hacked remotely  YinToYourYang | 04/21/07
What version of Windows?  NonZealot | 04/21/07
You make me laugh...  SquishyParts | 04/21/07
I'm a PC, and I've never been hacked  dansen926 | 04/22/07
I do use a firewall  xuniL_z | 04/22/07
You might not know this...  billbryan516 | 04/23/07
We burn Macs for the fun of it  John Zern | 04/22/07
Nope no quest or defesive talk....just curiosity?  Laff | 04/23/07
Actually, No.  John Zern | 04/23/07
It differs in a couple ways  tic swayback | 04/21/07
Is this not becoming a bit ridiculous?  GuidingLight | 04/23/07
It's a legit exploit  tic swayback | 04/23/07
Social Engineering  3D0G | 04/23/07
This is an easy one.  John Zern | 04/22/07
Are you sure?  zkiwi | 04/23/07
And therein lies the problem  xuniL_z | 04/23/07
Well...  zkiwi | 04/23/07
hardy har harr  xuniL_z | 04/24/07
Just how much did they relax the rules?  Ken_z | 04/20/07
It is a normal consumer setup  YinToYourYang | 04/21/07
As has Apple  GuidingLight | 04/23/07
wounder if the fixes that went in yesterday fix this? nt  doctorSpoc | 04/20/07
To the victor goes the spoils...  Mike Cox | 04/20/07
4.5 Not your best work Mike!! Nt  bka1959 | 04/21/07
Same Old Material Mike  Blogsworth | 04/21/07
MacBook hacked in contest at security event  Loverock Davidson | 04/20/07
If it makes you feel better to believe this...  comp_indiana | 04/20/07
It's too bad  Loverock Davidson | 04/21/07
It's all about the love  dansen926 | 04/22/07
You are Exactly right in both cases.  xuniL_z | 04/22/07
Yeah...  jasonp@... | 04/22/07
Good for you, Loverock!  Zeppo9191 | 04/23/07
Does this sound familiar, Loverock?  Zeppo9191 | 04/23/07
It's called "probability" -  deleweye | 04/23/07
One exploit compared to 114000!  netzd | 04/20/07
Oh it's confirmed  zkiwi | 04/20/07
Oh, but if there were details, it would lose it's FUD!  comp_indiana | 04/20/07
This isn't about security. It's about Microsoft marketing  YinToYourYang | 04/21/07
Grow the heck up, allready  John Zern | 04/22/07
I'll take this one.  xuniL_z | 04/22/07
Well...  zkiwi | 04/22/07
Yes.  xuniL_z | 04/23/07
Well...  zkiwi | 04/23/07
I'm noticed  xuniL_z | 04/23/07
Seriously  zkiwi | 04/23/07
Wow!!  xuniL_z | 04/24/07
Yeah we've been have "GREAT" luch with Vista..sheeezzzz!  Laff | 04/23/07
Nobody ever said it was going to be easy.  xuniL_z | 04/23/07
Apple seems to be doing fine and I don't sense fear.  Laff | 04/23/07
Yeah, if it only went that far, but.....  xuniL_z | 04/23/07
well  Badgered | 04/23/07
Ah, but not just any exploit  YinToYourYang | 04/21/07
Without any proof???  No_Ax_to_Grind | 04/22/07
Wait a minute has this "exploit" been released in the wild?  Laff | 04/23/07
Sponsor?  3D0G | 04/23/07
re: Wait a minute...  Badgered | 04/23/07
Nope..but this "exploit" did depend on the social engineer factor  Laff | 04/23/07
amazing  Badgered | 04/23/07
Doesn't rely on social engineering at all  NonZealot | 04/23/07
And what should I learn from this?  Laff | 04/23/07
Then why pay more for a Mac?  NonZealot | 04/23/07
As I've said before "No exploits in and of itself translates into better"  Laff | 04/23/07
MacBook "hacked"....  middle of nowhere | 04/20/07
the MacBook Pro was NOT hacked.  Pederson | 04/21/07
Now we are redefinig exploits?  NonZealot | 04/21/07
According to Microsoft....  Rick_K | 04/21/07
Your definition is wrong.  xuniL_z | 04/22/07
Wrong - IE _IS_ required for the OS  jacarter3 | 04/23/07
Not what I meant.  xuniL_z | 04/23/07
Really?  Rick_K | 04/23/07
Actually I'm not wrong.  Rick_K | 04/23/07
Sorry but you are wrong again.  xuniL_z | 04/23/07
No it's you...  Rick_K | 04/23/07
dumb logic  xuniL_z | 04/23/07
And you claim that...  Rick_K | 04/23/07
Rick_K knows better than the Firefox coders  NonZealot | 04/23/07
Rick_K and Rendering Engines...  Gazok | 04/23/07
Rick....  xuniL_z | 04/24/07
Rendering Engines  Patrick Jones | 04/22/07
You can remove DNS Services from Windows Server  PB_z | 04/22/07
Yes..  Patrick Jones | 04/23/07
ZING!  John Zern | 04/22/07
NZ is redefining 'exploit' for us.  Mr_Dave | 04/23/07
NZ is really  Rick_K | 04/23/07
Haha, look at all the scared zealots!!!  NonZealot | 04/21/07
Message has been deleted.  SquishyParts | 04/22/07
"Easily" you did catch the part where the rules were loosened up right?  Laff | 04/23/07
OSX users rarely surf the net?  NonZealot | 04/23/07
How do I know....THAT would be news!!  Laff | 04/23/07
Why?  NonZealot | 04/23/07
Was that spyware or addware?  Laff | 04/23/07
indeed  Badgered | 04/23/07
Tru Dat!!!  Laff | 04/23/07
I really think...  RocketEater | 04/23/07
Non Zealot? I don't think so  murdock@... | 04/23/07
Wow!  SquishyParts | 04/21/07
Relaxing restrictions, not the real deal  Boot_Agnostic | 04/21/07
In other words, the final result was already known, and guaranteed...  BitTwiddler | 04/23/07
mac users are just jealous...  jjarman | 04/23/07
Question  People | 04/23/07
Story still developing  dragosani | 04/23/07
Question  People | 04/23/07
An unprotected Windows box  Swift48 | 04/23/07
Links please!  NonZealot | 04/23/07
Well he did say "Windows" and a lot of people out there  Laff | 04/23/07
You do that  Rick_K | 04/23/07
Vista come infected...  Rick_K | 04/23/07
That might be funny, IF Apple didn't ship  xuniL_z | 04/23/07
It would be funny...  Rick_K | 04/23/07
Actually  Badgered | 04/23/07
Actually...  UbiquitousGeek | 04/23/07
Actually, your argument makes no sense  xuniL_z | 04/24/07
UbiquitousGeek  Badgered | 04/24/07
If you checked on the facts.  Rick_K | 04/24/07
LOL  Badgered | 04/24/07
LOL....oh Rick man....lol...yoiu kill me.  xuniL_z | 04/24/07
So you are saying that Apple  xuniL_z | 04/24/07
Why would the...  Rick_K | 04/24/07
On what grounds or data  xuniL_z | 04/24/07
by that do you mean  Badgered | 04/23/07
Might depend on the Windows version might it not?  Laff | 04/23/07
well  Badgered | 04/23/07
Hit or miss, who cares?  UbiquitousGeek | 04/23/07
i think it's telling that the hacker's platform of choice is OS X...  doctorSpoc | 04/23/07
Open Your Source or Suffer  bcroner | 04/25/07
Don't Be Ignorant or Shut Up  Fil0403 | 04/28/07
MacBook hacked (again) in security event  Fil0403 | 04/28/07
Aw, how lame! I've used Macs since 1986  labarker | 05/03/07

What do you think?

SmartPlanet

advertisement
Click Here