- Related Stories
-
Offering a bounty for security bugs
July 24, 2005
Macaulay, a software engineer, was able to hack into a MacBook through a zero-day security hole in Apple's Safari browser. The computer was one of two offered as a prize in the "PWN to Own" hack-a-Mac contest at the CanSecWest conference here.
attacks a MacBook at the
CanSecWest conference.
The successful attack on the second and final day of the contest required a conference organizer to surf to a malicious Web site using Safari on the MacBook--a type of attack familiar to Windows users. CanSecWest organizers relaxed the rules Friday after nobody at the event had breached either of the Macs on the previous day.
Macaulay teamed with Dino Dai Zovi, a security researcher until recently with Matasano Security. Dai Zovi, who has previously been credited by Apple for finding flaws in Mac software, found the Safari vulnerability and wrote the exploit overnight in about 9 hours, he said.
"The vulnerability and the exploit are mine," Dai Zovi said in a telephone interview from New York. "Shane is my man on the ground."
Apple spokeswoman Lynn Fox declined to comment on the MacBook hack specifically, but provided Apple's standard security comment: "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users."
Dai Zovi plans to apply for a $10,000 bug bounty TippingPoint announced on Thursday if a previously unknown Apple bug was used. "Shane can have the laptop, I want the money," Dai Zovi said. TippingPoint runs the Zero Day Initiative bug bounty program.
A TippingPoint representative said the company would pay, after looking at the vulnerability. "If it is an actual zero-day in Safari that's fine with us," said Terri Forslof, manager of security response at TippingPoint.
The successful hack comes a day after Apple release its fourth security update for Mac OS X this year. The update repairs 25 vulnerabilities.
CanSecWest organizers set up the MacBooks connected to a wireless router and with all security updates installed, but without additional security software or settings.
See more CNET content tagged:
TippingPoint Technologies,
Apple MacBook,
contest,
vulnerability,
Apple Safari
Which version of MAC OSX was on the MacBook? OSX 10.4.9 with latest security updates?
Mac & PCS both are not hack proof & Apple has never said it was, but Apple & MacOSX has a loooooooooooooooong way to go before ever catching up to Windows security problems ( even VISTA OS ).
"The successful attack on the second and final day of the contest
required participants to surf to a malicious Web site using
Safari--a type of attack familiar to Windows users. CanSecWest
organizers relaxed the rules Friday after nobody at the event had
breached either of the Macs on the previous day."
So its considered to be hacked to simply surf to a web site?
Also, how were the rules relaxed???? It seem they COULDN'T
hack it as originally set up???
Why can't CNET at least provide a link to the real story.
That's a rhetorical question because if the Mac is successfully hacked someday like that Mac fanboys will find some way that it wasn't really a hack. On the other hand Windows and maybe Linux fanboys will be pointed and saying we told you so.
The reality is that all software has flaws and some flaws in some software will allow the hacker to gain full control over a entire system. I think it's a much safer and less arrogant statement to say that the Mac could possibly be hacked, but due to flaws being fixed quickly and the fact that it has a good platform under it it's less likely to be hack in any meaning full manner.
But that's probably asking to much. :-P
The article states the hack occured on the second day and only
after the rules were relaxed. Personally, I can't believe how tight
OSX is...
i imagine a lot of Mac haters that participated are having a bad
weekend - haha...
people running the contest realized they were about to be totally
embarrassed because nobody was even able to do that - so bent
the rules... This, to me, is priceless... haha
1) The Mac was exploited which means that it is one more flaw that will be corrected by Apple.
2) The first day went by without a successful attack. Macs will be able to continue to fend off attacks.
3) The root level test is still not won. This is very good because the hierarchy within OSX is robust.
4) No successful wild viruses or Trojans for OSX (so far). It continues to be the case for the ~22 million OSX users (and five years of OSX) that there is not a virus in the wild that exploits OSX. Impressive.
There are flaws in all software, but the fact remains that OSX (and Linux) is far more secure than any Windows operating system.
was hacked after, and only after the rules were changed. If the
rules stayed the same, there could of been a very good chance the
MacBook Pro may never of been hacked. I'd like to know what rules
they changed, and how it affected the end results.
- How about a truly meaningful "real world" hack?
-
by drdocument
April 21, 2007 7:51 AM PDT
- Rather than creating an artificial set of conditions, how about a
-
Reply to this comment
View
all 3 replies
-
-
1 | 2 | 3 | Next 10 Comments >>practical test?
I consider myself an "average" Mac user, OS 10.4.9 with all updates,
OS X firewall on (default), one user with admin privileges, always-
on DSL connection with firewall enabled in DSL router (default).
Can you reach my Mac? If so, can you do any meaningful harm?