CanSecWest: MacBook Air first to be PWN’d and OWN’d
by Steve Ragan - Mar 28 2008, 15:00
Apple the first to fall... the battle royale of security is in full swing. (IMG: J.Anderson)
Out of the three available laptops at this year’s CanSecWest hacking contest PWN2OWN, the MacBook Air ended up being the first to fall. Charlie Miller, Jake Honoroff, and Mark Daniel, each with Independent Security Evaluators, worked for close to three weeks to take the $10,000 prize and the Mac.
On Thursday at 12:38pm local time, the team from ISE successfully compromised the Apple MacBook Air, winning the laptop and $10,000 from TippingPoint's Zero Day Initiative (ZDI). They did so by exploiting a newly discovered vulnerability in the Safari web browser (v3.1). Along with the prize money, they now get to fight over the ownership rights to the MacBook Air.
“Coincidentally, Apple has just started to ship Safari to some Windows machines, with its iTunes update service. The vulnerability has been acquired by the Zero Day Initiative, and has been responsibly disclosed to Apple who is now working on the issue,” TippingPoint said.
The responsible disclosure also means that exact details of the exploit used will not be disclosed before Apple releases a patch.
While not confirmed, there is some early talk that the exploit might be related to issues recently discovered in the Windows version of the Apple-created browser.
The MacBook was running all the latest patches and software according to CanSecWest and ZDI officials. While the contest prize money was originally for $20,000, the prize dropped to $10,000 because the hack took place on the second day.
The second day also brought a change in rules: exploitation of default-installed client-side applications was now allowed. This means that contestants could have the “user” click on an email link or visit a malicious website, or could compromise one of the installed IM clients. If the rumors are correct, then the attack was a drive-by download, something that in theory could work on all three available systems. This would give proof that more focus is needed on the user if there is ever to be an improvement in overall security.
There are two laptops left. The first is a Sony VAIO, (VGN-TZ37CN) running Ubuntu 7.10. The second is a Fujitsu U810 running Windows Vista Ultimate with Service Pack 1.
Last year, there was much debate over the nature of the exploit used in the ‘PWN2OWN’ contest held by CanSecWest. At the end of the day, Dino Dai Zovi (who attended in person this year), through his friend Shane Macaulay, took the top prize of $10,000 for successfully gaining root-level access to OS X. (The root level was contested by fan-boys and some experts. However, the prize was ultimately awarded.)
You can track the exploit here: http://www.zerodayinitiative.com/advisories/upcoming/