Slashdot Mirror

← Back to Stories (view on slashdot.org)

MacBook Hacked In Contest Via Zero-Day Hole in Safari

Posted by Zonk on from the and-the-winner-is dept.

EMB Numbers writes "Shane Macaulay just won a MacBook as a prize for successfully hacking OS X at CanSecWest conference in Vancouver, BC. The hack was based on a Safari vulnerability found by Dai Zovi and written in about 9 hours. CanSecWest organizers actually had to relax the contest rules to make the hack possible, because initially nobody at the event could breach the computers under the original restrictions. 'Dai Zovi plans to apply for a $10,000 bug bounty TippingPoint announced on Thursday if a previously unknown Apple bug was used. "Shane can have the laptop, I want the money," Dai Zovi said in a telephone interview from New York. TippingPoint runs the Zero Day Initiative bug bounty program.'"

13 of 156 comments (clear)

  1. Re:So, if I reaf TFA correctly: by richdun · · Score: 4, Informative

    If I recall correctly, originally the requirement was remote access, but when that went nowhere, they allowed entrants to submit URLs that would be navigated to via Safari. Check out Engadget for more details...

  2. Re:So, if I reaf TFA correctly: by RalphBNumbers · · Score: 5, Informative

    As I understand it:

    The rules originally required getting a user shell on a macbook connected to a wireless router without any other access, or getting a root shell under the same conditions on a second macbook without using the same bug.
    The prize was the macbook(s) you hacked.

    But they decided not enough people were interested, so 3Com added a $10,000 bounty for a winning bug.

    But no one could crack it, so they set the machine up to visit malicious web pages submitted by email.

    Then someone found a bug in Safari, and successfully crafted a webpage to exploit it to get user shell access.

    --
    "The worst tyrannies were the ones where a governance required its own logic on every embedded node." - Vernor Vinge
  3. Re:So, if I reaf TFA correctly: by Phil246 · · Score: 4, Informative
    The Register is a little more informative in that regard, from http://www.theregister.co.uk/2007/04/20/pwn-2-own_ winner/

    The pwn-2-own contest got off to a slow start on Thursday. The rules originally mandated an exploit that required no action on the part of the user. The reward for a successful hack was the machine that had been compromised. Conference attendees were underwhelmed, reasoning a Mac exploit that required no end-user interaction could be sold for upwards of $20,000. Things changed significantly on Day 2. That's when Tipping Point upped the ante with its promise of a $10,000 bounty. Contest organizers also relaxed the rules so exploits could include malicious websites that attacked Safari.
  4. The Register is more informative. by twitter · · Score: 1, Informative

    I wish they'd been more explicit as to what 'relaxing the rules' meant. But maybe that would've spoiled the story.

    They allowed user activity, aka he browsed to a site he created for the purpose. It seems this is not a full auto worm type exploit of the kind common in the Windoze world. See here. It's hard to say if the problem was javascript of something like Flash called by it.

    All the M$ tools are going to be underlining their popularity arguments and slinging mud at all the more secure OS. Even the Register indulged in a little of that kind of flamage.

    --

    Friends don't help friends install M$ junk.

  5. Read a better article than the one linked. by Anonymous Coward · · Score: 5, Informative

    The MacBook was actually only hacked because they lessened the rules and actually had someone open Safari and use a malicious website. No ports were closed nor was the firewall running.

  6. This seems a little sensationalized... by Rod76 · · Score: 4, Informative

    I'm a Mac user and as such I'm not claiming invincibility although the "Unix" like foundation makes me more secure its still the end user's responsibility to not run as admin or God forbid root. Not to mention using a good firewall or correctly configuring the one that's already built in is vital and just practicing caution on the web. That aside I just don't think this is entirely honest, I wish they would disclose all the variables involved to include all settings used. But as others here have said considering Apples foresight using open source means the between Apple and the Konqueror devs this will be quickly addressed. But my gut feeling here is that something stinks in Denmark!

    --
    Die First, Then Quit
  7. Regular User by Anonymous Coward · · Score: 1, Informative

    It appears on the Cansec website that the contest was for shell access on a regular users account.

    2007-04-20-14:54:00.First_Mac_Hacked_Cancel_Or_All ow
    Just to review the rules, the first box required a flaw that allows the attacker to get a shell with user level privilages. The second box, still up for grabs, requires the same, plus the attacker needs to get root.

    http://cansecwest.com/

  8. Re:So, if I reaf TFA correctly: by biftek · · Score: 2, Informative

    The intent was always that the rules would be progressively relaxed - see http://www.securityfocus.com/archive/142/464216/30 /0/threaded from last month.

  9. Re:Hey, good! by Anonymous Coward · · Score: 0, Informative

    (I said honest efforts. That guy who claimed the AirPort hack is still a raging tool.)

    No he wasn't. He was the subject of a major Apple lead smear campaign which misrepresented his claims. The bug he found was actually fixed by Apple a few months later, but the usual bunch of apologists, even at the time Apple was fixing the bug, went out of their way to lie about what both Apple and the bug finders had done.

    This basically explains what happened. Anyone who reads it and continues to claim anything from "the Airport hack didn't exist" to "Maynor and Ellch faked the demo" is, frankly,to use your language, a raging tool.

  10. Re:So not the OS then! by Anonymous Coward · · Score: 1, Informative

    OS-X is essentially BSD
    No, it's not. OS X has some modified BSD user land tools and that's the only thing they truly have in common.
  11. there are some weird things in Safari... by lixlpixel · · Score: 5, Informative

    Safari lets you include local files, for example...

    i told apple (and got a lame reply that it would be fixed eventually) month ago, yet it still works.

    see http://destabili.zation.eu/ for a quick harmless example that can check what applications you got installed.

    and then there is a way to crash Safari which exists for more than a year - again i had an email conversation where they wanted more info and crashreports - yet nothing was ever done about it.

    http://lixlpixel.org/safaricrash/ and follow the instructions - but make sure you don't have any important tabs open...

  12. Re:switcher by Paradise+Pete · · Score: 2, Informative
    Lets see how quickly Apple responds to this hack.

    Well in the nightly Webkit builds the javascript engine has been overhauled, so chances are it's "already" fixed, in a sense. Up until now it's looked like Apple's been prepping that for a Leopard release, but maybe this will prompt them to move it up.

    By the way, those Webkit nightlies are really looking strong.

  13. Re:Konqueror by TheRaven64 · · Score: 2, Informative
    WebKit was forked from KHTML and developed internally at Apple for about a year before Safari was released. Then the patches were all sent back in one big lump. During this time, the KHTML team cleaned up the code a lot, and had to go to a lot of effort to re-import all of the WebKit patches (some weren't needed, since the same functionality had been re-imported). This continued in the run-up to OS X 10.4, where large blobs of patches were released in one go, making it very hard for the KHTML team to keep up.

    Now, WebKit is developed in a public repository, and used by Nokia and others, as well as Apple. There has been some discussion of KDE abandoning KHTML and using WebKit for Konqueror, but this was met with mixed reactions. WebKit and HTML are now very different systems, although they share a common heritage and often import each others' changes when possible.

    --
    I am TheRaven on Soylent News