The Tech Herald

CanSecWest: MacBook Air first to be PWN’d and OWN’d

by Steve Ragan - Mar 28 2008, 15:00

Apple the first to fall... the battle royale of security is in full swing. (IMG: J.Anderson)

Out of the three available laptops at this year’s CanSecWest hacking contest PWN2OWN, the MacBook Air ended up being the first to fall. Charlie Miller, Jake Honoroff, and Mark Daniel, each with Independent Security Evaluators, worked for close to three weeks to take the $10,000 prize and the Mac.

On Thursday at 12:38pm local time, the team from ISE successfully compromised the Apple MacBook Air, winning the laptop and $10,000 from TippingPoint's Zero Day Initiative (ZDI). They did so by exploiting a newly discovered vulnerability in the Safari web browser (v3.1). Along with the prize money, they now get to fight over the ownership rights to the MacBook Air.

“Coincidentally, Apple has just started to ship Safari to some Windows machines, with its iTunes update service. The vulnerability has been acquired by the Zero Day Initiative, and has been responsibly disclosed to Apple who is now working on the issue,” TippingPoint said.

The responsible disclosure also means that exact details of the exploit used will not be disclosed before Apple releases a patch.

While not confirmed, there is some early talk that the exploit might be related to issues recently discovered in the Windows version of the Apple-created browser.

The MacBook was running all the latest patches and software, according to CanSecWest and ZDI officials. While the contest prize money was originally $20,000, the prize dropped to $10,000 because the hack took place on the second day.

Also on the second day was a change in rules. The second day allowed exploitation of default installed client-side applications. This means that contestants can force the “user” to click on an email link, visit a malicious website, or compromise one of the installed IM clients. If the rumors are correct, then the attack was a drive-by-download, something that in theory could work on all three available systems. This would give proof that more focus is needed on the user if there is ever to be an improvement in overall security.

There are two laptops left. The first is a Sony VAIO (VGN-TZ37CN) running Ubuntu 7.10. The second is a Fujitsu U810 running Windows Vista Ultimate with Service Pack 1.

Last year, there was much debate over the nature of the exploit used in the ‘PWN2OWN’ contest held by CanSecWest. At the end of the day, Dino Dai Zovi (who attended in person this year), through his friend Shane Macaulay, took the top prize of $10,000 for successfully gaining root-level access to OS X. (The root level was contested by fan-boys and some experts. However, the prize was ultimately awarded.)

You can track the exploit here: http://www.zerodayinitiative.com/advisories/upcoming/
