Please wait while the page is being loaded Skip this advertisement >
Sunday | 23 November, 2008
ARN

Mac easiest to hack, says $10,000 winner

Security researcher Charlie Miller exploited Safari in two minutes
Gregg Keizer (Computerworld) 31 March, 2008 09:56:10
Page:

The security researcher who walked away with US$10,000 last week by hacking a MacBook Air in less than two minutes said he chose to attack Apple's operating system for one simple reason.

"It was the easiest one of the three," said Charlie Miller, a principal analyst with Independent Security Evaluators (ISE), a US-based security consultancy. "We wanted to spend as little time as possible coming up with an exploit, so we picked Mac OS X."

Last Thursday afternoon, Miller breached a MacBook Air, one of three laptops up for grabs in the "PWN To OWN" hacker challenge at CanSecWest, a security conference in Canada. For his efforts, he was got the computer and a US$10,000 cash prize.

The MacBook Air was running the most current version of Mac OS X, 10.5.2, with all the latest security patches applied. The other two computers, a Sony Vaio VGN-TZ37CN running Ubuntu 7.10 and a Fujitsu U810 notebook running Windows Vista Ultimate SP1, were also up-to-date and fully patched.

"We sat down about three weeks ago and decided we wanted to throw our hats into the ring," said Miller, referring to himself and ISE colleagues. "It took us a couple of days to find something, then the rest of the week to work up an exploit and test it.

"It took us maybe a week altogether," Miller said.

Because Miller was bound by a non-disclosure agreement with 3Com's TippingPoint, the security company that ponied up PWN To OWN's cash prizes, he was unable to share details of the vulnerability. He did confirm, however, that he had exploited a bug in Safari 3.1, the current version of Apple's browser.

The PWN To OWN challenge actually started Wednesday, but the rules for that first day required researchers to break into one of laptops using a remote code-execution exploit of a zero-day. At stake: the laptop and US$20,000. Only one researcher stepped up that day, however, and was unsuccessful.

The computers' exposure to attack was expanded by allowing hackers to go after any client-side applications installed by default, including Web browsers. Contestants were also allowed to replicate the common tactic of duping a user into following a link in an e-mail or visiting a malicious Web site. In Miller's case, he had set up a malicious Web site; the URL to that site was typed into Safari's address bar.

Page:
Related Stories
  • +

    After attacks, Apple fixes QuickTime bug 14 December, 2007 12:19:30

    Apple has patched a critical security flaw in QuickTime that was being exploited by attackers.
    Apple has released a new security patch for QuickTime, its eighth update this year for the media player software.
Have your say!
ARN Directory | Distributors relevant to this article
ACA Pacific , Achieva Technology Australia , Alloys International , Also Technology , Altech Computers , Anixter , Annuity Systems , Aquion , ASI Solutions , Australia IT , Bluechip Infotech , Cellnet , Compucon Computers , Datastor , Data Technology Solutions , EDsys Computers , Electronic Concepts , Express Online , Firewall Systems , Infortech Distribution , Ingram Micro Australia , itX , Leader Computers , Leading Pacific Australia , Multimedia Technology , Ocean Office Automation , Phoenix Toner , Protac International Computers , Simms International , T Data , Techhead Connect , Xpress I.T.
ARN Directory | Vendors relevant to this article
3Com
Additional Resources
ARN Library
white paper Click here for case studies, whitepapers and other useful vendor content
Newsletter Subscription
Sign up for our ARN newsletters!
RSS Feeds
Market Place
Kaspersky Internet Security 2009 released - with virtual keyboard for safe entry of passwords. Try it..
Become a Lenovo Legend Now! Join the sales incentive exclusively for Lenovo Business Partners.
Power through the disruptions: Uninterruptibility from Eaton!
Find out how to win an IPod Touch with ARN.
POS POS is the leading value-added distributor of point of sale & point of service technologies in ANZ.
 
Panel Sessions

  • ARN Panel Sessions: Day 3

    The last of our panel sessions recorded live at CeBIT 2008. Today, the topic is storage. Data is growing at an enormous rate, so what does the future hold?

Play
See all Panel Sessions videos >>
ARN news
Play
See all news >>
Channel Watch
Play
See all Channel Watch videos >>
Business Continuity & Disaster Recovery Zone

When an IT disaster occurs, how handy it would be to push a button and start again as if nothing had happened.
Discover and learn more about CA XOSoft today.
ARN Distributor Directory
 
Find distributors by name
Find distributors by vendor
Find distributors by location
ARN Vendor Directory
 
Find vendors by name | Find by category
Get a job Careerone
ARN Library


Read Material

Understanding Email Marketing: A Guide for SMBs

Email marketing is often viewed as a marketers silver bullet. If used effectively, email campaigns will provide strong results for a limited spend each and every time. Download this white paper to discover how email marketing can work for you and your business.

Sponsored Links