Slashdot Mirror

← Back to Stories (view on slashdot.org)

MacBook Hacked In Contest Via Zero-Day Hole in Safari

Posted by Zonk on from the and-the-winner-is dept.

EMB Numbers writes "Shane Macaulay just won a MacBook as a prize for successfully hacking OS X at CanSecWest conference in Vancouver, BC. The hack was based on a Safari vulnerability found by Dai Zovi and written in about 9 hours. CanSecWest organizers actually had to relax the contest rules to make the hack possible, because initially nobody at the event could breach the computers under the original restrictions. 'Dai Zovi plans to apply for a $10,000 bug bounty TippingPoint announced on Thursday if a previously unknown Apple bug was used. "Shane can have the laptop, I want the money," Dai Zovi said in a telephone interview from New York. TippingPoint runs the Zero Day Initiative bug bounty program.'"

4 of 156 comments (clear)

  1. So, if I reaf TFA correctly: by noewun · · Score: 4, Insightful

    The machine couldn't be hacked, so they relaxed the rules so it could be? I wish they'd been more explicit as to what 'relaxing the rules' meant. But maybe that would've spoiled the story.

    --
    I am a believer of momentum and curves.
  2. Re:Admin user or regular user? by Tickletaint · · Score: 5, Insightful

    From one Mac user to (presumably) another, please get your head out of the sand. These "stupid people" to whom you refer you might otherwise know as "The Rest of Us." It doesn't matter how technically competent you are, we are all "stupid" every now and then—or do you only ever visit the same two or three well-known sites every day? Even if you do, how can you be sure they haven't been compromised by, say, some sort of injection attack? Or even by an unscrupulous advertiser in an iframe?

    And why on earth does it make a difference whether the user account was admin or regular? If an intruder has access to your personal documents, you're just as fucked either way.

    --
    Make Slashdot readable! See journal.
  3. Explanatin of rules relaxation by Overly+Critical+Guy · · Score: 4, Insightful

    CanSecWest organizers actually had to relax the contest rules to make the hack possible, because initially nobody at the event could breach the computers under the original restrictions.


    In other words, nobody was able to remotely hack the machine, so they allowed for local exploits, which someone used in a Safari URL.

    Expect Apple-haters and other FUDmeisters to completely ignore the difference, like InfoWorld did yesterday in their breathless headline about "remotely breaking in."
    --
    "Sufferin' succotash."
    1. Re:Explanatin of rules relaxation by DECS · · Score: 5, Insightful

      InfoWorld Publishes False Report on Mac Security

      "Nancy Gohring, writing for InfoWorld, delivered a misleading report yesterday on a Mac security exploit contest held at the CanSecWest conference in Vancouver, BC.

      "In her defense, it appears likely that Gohring did not write the headline for her InfoWorld article, which described the contest winner as being "able to remotely break into a Mac as part of a contest designed to illustrate security flaws in OS X." That part was simply wrong.

      "Whoever did write the headline must have been smoking weed in celebration of 4/20, because Gohring's article clearly described a local exploit. There's a big difference between the remote exploits that made Windows infamous for its insecurity and a local exploit of an application."

      More info under a series of subheadings:

      Gohring's Mac Security Myths
      Microsoft's Security Embarrassment
      Mac OS X and Security
      The Mac Minority Malware Myth
      Why Macs Aren't Sending You Spam