The Mac Observer

MacBook Hacked in Seconds in Pwn2Own Contest


The CanSecWest Pwn2Own hacking contest had barely begun before an Apple MacBook running the Safari Web browser was compromised. The successful attack was carried out by Charlie Miller, the same contestant who hacked into a MacBook last year.

According to ZDNet, Mr. Miller was able to breach the Mac's security with a remote attack that only required the MacBook user to click a specific link in the Safari Web browser. "It took couple of seconds," Mr. Miller said. Mr. Miller's exploit last year took advantage of a security flaw in the Safari Web browser, too.

Another hacker going by the name "Nils" also executed a successful exploit against Safari, and managed to hack through Microsoft's Internet Explorer 8 as well as the Firefox Web browser running on a Sony Vaio with Windows 7.

While the hackers did win prizes for their successful exploits, they don't get to share their code with the public. The contest rules give ownership of the hacks to TippingPoint's Zero Day Initiative, which will provide information to Apple, Microsoft and Mozilla to help patch the security flaws.

 


14 Observer Comments

JulesLt said on March 19th, 2009 at 8:30 AM (Edited: 03/19/2009 1:54 PM):

The good news here is that they’ve basically given up on the first day event - when people had to try and hack into the computers remotely - as all O/S now pass in shipped configuration.

The whole thing is fake. And physical access to the machine isn’t a real test of any security. Have him try over a network with no admin rights, no passwords.
He won’t get in, PERIOD!!!

Not to mention that he had as much time as he needed to develop the hack. He didn’t write the exploit then and there; he gave them a link to a web site which he developed and tested. For all we know, he could have been working on that site since last year and only finally succeeded in making it work yesterday.

Let the Windows sufferers rejoice for one day in the year (“Your OS is just as bad as mine!”). Tomorrow, it’s back to the virus-laden, antivirus-CPU-hogging reality…

It’s pretty telling, also, that IE8 and Firefox failed pretty much just as fast, and yet they always attack the Mac first. What gets headlines and notoriety? Attacking the Mac. Which computer do they want to win? The Mac.

I agree with Jules and B9. The real news here is that they’ve all given up on actual hacking and resort to user ignorance exploits. Users clicking on any old links will always be a problem, and patches to the browsers will be necessary, but getting a user to click on your link is a whole different animal than hacking through security.

Lee Dronick said on March 19th, 2009 at 9:27 AM (Edited: 10/18/2011 6:20 PM):

Question. I understand that we don’t have any details of the hack, but did he have access to the MacBook, did he install something on it that allowed the hack to work? If one of us were to click on the link would he be able to take over the Mac?

The report says “remote attack.”  Sounds like a malicious website that depends on user stupidity to be effective.

Lee Dronick said on March 19th, 2009 at 10:53 AM (Edited: 10/18/2011 6:20 PM):

The report says “remote attack.”  Sounds like a malicious website that depends on user stupidity to be effective.

Well if that is the case the mere clicking on a link allowed the take-over, he must have had some java code or whatever in the link. I hope that Apple gets a fix soon. I wonder if Safari 4 is vulnerable?

The report says “remote attack.”  Sounds like a malicious website that depends on user stupidity to be effective.

The report doesn’t mention any user stupidity, but it does state…

…a remote attack that only required the MacBook user to click a specific link in the Safari Web browser

This is bad news - a malicious site can gain access to your files. I love using a Mac, but don’t be fooled into thinking this is not a real security issue. It requires a user to navigate to a page & click a link, when was the last time you did that?

Miller was able to breach the Mac’s security with a remote attack that only required the MacBook user to click a specific link in the Safari Web browser

Since when is sitting at a computer you intend to compromise considered a “remote attack?”

Since when is sitting at a computer you intend to compromise considered a “remote attack?”

When you’re demonstrating a proof of concept.

Since when is sitting at a computer you intend to compromise considered a “remote attack?”

The attack comes from a webserver (that is the remote bit). Physical access isn’t required, but a user is required to click a link on a malicious site. It is a basic ‘phishing’ scam that has been compromising Windows machines for years, it isn’t good news if it can be performed on a Mac too.

It may be possible to deliver the attack via other methods, such as Flash movies or Quicktime files that contain links to the hack method.

It’s really easy to assume the mac is safe & secure, but this shows it isn’t, and Apple should be embarrassed that these flaws exist.

I understand from further interviews that he actually knew about the vulnerability over 12 months ago - i.e. it’s one he saved from last time, so he could win another Mac this year.

It’s a good enough prize to encourage you to try. There is the moral question on whether it should have been reported anyway, but I can’t blame the guy for winning a MacBook AND generating lots of publicity for himself as a security consultant . . and, crucial point, one who uses OS X, not Windows or Linux, as his main platform.

I also think that clicking on a link to a ‘bad’ page is a valid approach.  Hijacking reputable sites is something that hackers do (even part of apple.com was defaced by hackers at some point in the past 2 years).
Equally, it’s ridiculous to pretend that people aren’t going to visit ‘less safe’ parts of the Internet.
 
As regards needing Java code, etc, on the link - as I understand it, plugins are disabled on the first day - i.e. it cannot be a problem in Flash, Java, etc.

From a hacking point of view, what you try to do is get the processor to ‘jump the tracks’ and execute something that was hidden as data - which could be anything from images to XML data to JavaScript code.

HOWEVER . . . . and this is a big however . . . . looking on the CanSecWest website the definition of ‘owned’ is ‘code execution within context of application’.

Now, that ignores the difference on what you can do once you gain ownership of the browser - i.e. do wider security features of the operating system prevent bad things happening?
(As it happens OS X isn’t as good as people think it is - if you look at the improvements in Leopard and Snow Leopard you can see how much better they are than 10.4)

Drew - none of the browsers escaped unscathed, and realistically software flaws will be with us for a long time (certainly while we write code in C++).

The key thing with security is defence in depth - if we presume the browser code has problems, what can we do to protect against them?

We can ensure that the processor cannot evaluate data as code - Snow Leopard does this better than Leopard, and Tiger/Leopard did it better than XP. That will eliminate the single most common category of security problems, with

The other big thing is sandboxing processes at the O/S level - we presume the hackers are still going to pown Safari, so we make sure that rather than being able to do anything a user can do, the Safari process is restricted as far as possible.

I trust that a lot more than hoping automated code analysis and manual code reviews will find all the possible bugs.

HOWEVER . . . . and this is a big however . . . . looking on the CanSecWest website the definition of ‘owned’ is ‘code execution within context of application’.

The problem is that browsers are allowed to access keychain items to make autofill convenient. Permission is set on a per keychain item basis, so gaining user account passwords should be difficult, but obtaining site passwords & usernames is possible. It could contain a lot of sensitive data if the details for a webmail account are accessed etc.
