The Mac Observer

Mac Hacked In Contest... Sort Of

by , 7:55 AM EDT, April 23rd, 2007

The CanSecWest 2007 security conference hosted a "Hack a Mac" contest where contestants worked to gain unauthorized access to a Mac OS X system. Yes, there was a winner, but not until the contest rules were relaxed to the point that someone actually could win.

Shane Macaulay and Dino Dai Zovi won a US$10,000 prize and the compromised Mac for their efforts, which included discovering a bug in Safari that allowed them to use a maliciously crafted URL to gain user-level access to the computer. The vulnerability is known as a "zero day exploit," meaning an exploit that is released the same day it is announced and for which there is little or no protection.

In this case, the security flaw requires a local user to open the malicious URL with Safari before unauthorized user-level access can be obtained. Apple has been alerted to the security flaw, and the exploit has not been released to the public.

The original rules required the attackers to gain root level access to a Mac running Mac OS X 10.4.9 with the latest security updates from a different point on the same network. Contestants were not able to gain root access to a second Mac during the two-day conference even after the rules were modified to allow for local attacks using Safari.

Although the prospect of a potential Safari exploit that allows unauthorized access to a Mac is a serious concern, it also underscores the importance of user vigilance. Clicking a Web site link that's in an email message from someone you don't know, for example, is a really bad idea. The URL may be legit, or it could take you to a Web site that you would rather not see, or it could be constructed to allow someone else to gain control of your Mac.

Unfortunately, many news outlets are taking advantage of this potential exploit to run sensationalized headlines and to incorrectly state that the Mac used in the contest was remotely hacked. It appears that zero day exploits and remote hacks for Windows PCs are par for the course, but a potential Mac exploit - now that's news.
