Slashdot Mirror


MacBook Air First To Be Compromised In Hacking Contest

Multiple readers have written to let us know that the MacBook Air was the first laptop to fall in the CanSecWest hacking contest. The successful hijacking took place only two minutes into the second day of the competition, after the rules had been relaxed to allow the visiting of websites and opening of emails. The TippingPoint blog reveals that the vulnerability was located within Safari, but they won't release specific details until Apple has had a chance to correct the problem. The winner, Charlie Miller, gets to keep the laptop and $10,000. We covered the contest last year, and the results were similar.

29 of 493 comments

  1. 0wnership by Anonymous Coward · · Score: 5, Funny

    Ah, the pride of 0wnership.

  2. do you hear that ? by Anonymous Coward · · Score: 5, Funny

    the sound of a million fanbois as they screamed Nooooooooooooo i sense i disturbance in the reality distortion generator set comments to flamebait and activate the extra moderation modules captain taco

  3. Better headline by BadAnalogyGuy · · Score: 5, Funny

    Safari browser has massive security hole.

    It's funny how they turned a huge hole in the Safari browser into a commercial for the Mac Air.

    "Small size, big holes"

    1. Re:Better headline by ilikejam · · Score: 5, Funny

      There's a 'yo mama' joke in there somewhere.

      --
      C-x C-s C-x k
  4. Re:Identical articles by Anonymous Coward · · Score: 5, Insightful

    No, this year Vista and Ubuntu were in the contest as well. But the mac got hacked in two minutes and the Vista and Ubuntu machines resisted every hack. Big difference there. Oh, and I'd like to say, HA HA /nelson - now tell us again how absence of mac malware is not because of small market share.

  5. Re:I think this section is relevant by chubs730 · · Score: 5, Insightful

    Pretty much says that a laptop widely meant for home users was only compromised when allowed access to some of the most widely used applications? I'm not sure what you're trying to say (or not, rather) but a hole in safari is a bit of an issue; unless of course you're just concerned with that server running on your Air ;).

  6. Re:Identical articles by Anonymous Coward · · Score: 5, Funny

    The Vista machine would have been hacked quicker if it ran faster

  7. Re:Get the Facts is a better tag. by Anonymous Coward · · Score: 5, Funny

    Yes. The totally unbiased facts from a guy with "Mac" in his username.

  8. Re:right by recoiledsnake · · Score: 5, Insightful

    And the karma-whoring RDF sets in.

    anyone who either has physical access to the computer being attacked or can convince the user running the machine to install/download anything is capable of breaking pretty much any OS they want. So no one wanted 20k of cash and expensive windows and linux laptops? Why wasn't anyone able to hack the Windows and Linux laptops? They did not have physical access to the machine. Nothing was downloaded or installed manually. Only a website hosted by the attacker was visited by the organizers in the browsers, and mails were opened (attachments were not) and read.

    The fact that they had to relax the rules so that the Mac could be broken into illustrates this nicely. The fact that in spite of the relaxed rules, the Windows and Linux laptops were not broken into, illustrates totally something else. I will let you guess it. They are going to further relax the rules tomorrow to include third party applications to make it even easier to hack. Unfortunately, the Mac won't be there because it didn't make it to the third day.
    --
    This space for rent.
  9. Re:And in other news..... by chubs730 · · Score: 5, Informative

    "We Love Microsoft and Hate All Things Apple." O_O Are we on the same slashdot?
  10. Re:Users == the problem by recoiledsnake · · Score: 5, Insightful

    Good to see that social engineering is still all it requires to compromise something. So why weren't the Windows and Linux machines able to be hacked in spite of the social engineering and users being at the helm all day?
    --
    This space for rent.
  11. Re:Identical articles by recoiledsnake · · Score: 5, Informative

    You aren't totally correct on that. The article says "He was the first contestant to attempt an attack on any of the systems." (on the second day). None of the systems fell on the remote only side but when it came to test user interaction the Mac was the first one tested. I'm still waiting for the result on the other machines. It is what a lot of us suspected... because of Apple's rep., people would be eager to take on the Mac first. It is still not to say it isn't bad... oh, it is. But the contest isn't over yet. Sorry, that's just plain wrong. Every laptop had different contestants going on about it in 30 minute slots all day.

    Day 1: March 26th: Remote pre-auth
    All laptops will be open only for Remotely exploitable Pre-Auth vulnerabilities which require no user interaction. First one to pwn it, receives the laptop and a $20,000 cash prize.
    The pwned machine(s) will be taken out of the contest at that time.
    Day 2: March 27th: Default client-side apps
    The attack surfaces increases to also include any default installed client-side applications which can be exploited by following a link through email, vendor supplied IM client or visiting a malicious website. First one to pwn it receives the laptop and a $10,000 cash prize.
    The pwned machine(s) will be taken out of the contest at that time.
    Day 3: March 28th: Third Party apps
    Assuming the laptops are still standing, we will finally add some popular 3rd party client applications to the scope. That list will be made available at CanSecWest, and will be also posted here on the blog. First to pwn it receives the laptop and a $5,000 cash prize.

    So the Macbook is out of the race since it finished last. Tomorrow, the Ubuntu and Vista machines will have a prize of $5000 on them being cracked with lots of third party apps installed.
    --
    This space for rent.
  12. Day 2 results by Nightspirit · · Score: 5, Informative

    If you look at their blog it seems the Vista and Ubuntu laptops are still not hacked yet at the end of day 2:
    http://dvlabs.tippingpoint.com/blog/2008/03/27/day-two-of-cansecwest-pwn-to-own---we-have-our-first-official-winner-with-picture

  13. Re:And, in this case, the attacker deliberately ch by recoiledsnake · · Score: 5, Informative

    It's time to abandon the general purpose browser. It's also time to quit surfing as your log-in user. You need a browser for surfing that you run (sudo or something) as a strictly limited privilege user without log-in capabilities. If you pulled your head out of the sand and informed yourself beyond the anti-Vista tripe that's posted on here, you might have known that IE7 on Vista does exactly what you described ever since it came out more than a year ago.
    --
    This space for rent.
  14. Re:well, tFriendlyA does mention by recoiledsnake · · Score: 5, Informative

    as more than one person mentions above,) ... that the attack on the mac was the first attempted hack under the relaxed rules. I think it's clear that the hacker wanted the mac, especially since there are known open vulnerabilities that could have been used on MSIE, and some highly probable directions fairly well known on Firefox. You've lost me. Where does it say that the mac (apart from your 'persons above' handwaving) was the first attempted hack under the relaxed rules? Go read the site. It says that all three laptops were tried all day and the Mac was removed from the competition because it failed to survive the second day. The others did. Under the same rules.

    especially since there are known open vulnerabilities that could have been used on MSIE, and some highly probable directions fairly well known on Firefox. So there are known open vulnerabilities in IE7 and Firefox and no one wanted a free 10k in cash (20k in total) for just running them plus 2 expensive laptops? Are you kidding me?

    We know that the browser is vulnerable. Anyone who thinks general purpose browsers are invincible is living in a dream world. IE7 on Vista runs in a sandbox. This kind of attack on IE7 wouldn't have worked without another hole compromising the sandbox. Stop coloring all the browsers with the same color just because the one you use got pwned.
    --
    This space for rent.
  15. Re:Identical articles by Nightspirit · · Score: 5, Informative

    The results for the other machines are in, at the end of day 2 the Vista and Ubuntu laptops have yet to be compromised:
    http://dvlabs.tippingpoint.com/blog/2008/03/27/day-two-of-cansecwest-pwn-to-own---we-have-our-first-official-winner-with-picture

  16. Re:And in other news..... by linumax · · Score: 5, Funny

    "We Love Microsoft and Hate All Things Apple." O_O Are we on the same slashdot? We all are on the same website; some posters though, are inside the Reality Distortion Field.
  17. Re:Contest rules... by Nightspirit · · Score: 5, Informative

    According to secunia Vista has 2 minor vulnerabilities unpatched, Ubuntu 0, and OS X 6 vulnerabilities.

  18. Re:Identical articles by recoiledsnake · · Score: 5, Informative

    So is it official that the Vista and Ubuntu machines have survived day 2??! Judging from the blog... it isn't: Update 5:45 PST - The contest is officially over for today. Check back tomorrow to see how the Vista and Ubuntu laptops fare. Do you have an inside scoop?? You misunderstood the contest rules. No inside scoop. Just the blog.

    Day 1: March 26th: Remote pre-auth
    All laptops will be open only for Remotely exploitable Pre-Auth vulnerabilities which require no user interaction. First one to pwn it, receives the laptop and a $20,000 cash prize.
    The pwned machine(s) will be taken out of the contest at that time.
    Day 2: March 27th: Default client-side apps
    The attack surfaces increases to also include any default installed client-side applications which can be exploited by following a link through email, vendor supplied IM client or visiting a malicious website. First one to pwn it receives the laptop and a $10,000 cash prize.
    The pwned machine(s) will be taken out of the contest at that time.
    Day 3: March 28th: Third Party apps
    Assuming the laptops are still standing, we will finally add some popular 3rd party client applications to the scope. That list will be made available at CanSecWest, and will be also posted here on the blog. First to pwn it receives the laptop and a $5,000 cash prize.
    So the security will be even more relaxed on the third day because Ubuntu and Vista survived the first two days without a hack. The Mac finished last and is out of the race.
    --
    This space for rent.
  19. Re:And, in this case, the attacker deliberately ch by AdamTheBastard · · Score: 5, Informative

    Sudo runs things as the super user, hence the name Wrong. sudo, an extension of the idea behind su, allows you to switch user and do something, hence the name. Yes, the default is to switch to the super user. It also allows you to switch to any other user (which it has been configured to allow you to access) using the '-u username' command line parameter and do things under their account.

    What the parent was suggesting is to create an account with very limited access and to run the browser as that account using something like: `sudo -u sandboxaccount browserbin`.
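A wrapper that does what the two comments above describe, added here as an example rather than anything posted in the thread: it looks the sandbox account up, checks that it really is a restricted non-login account (non-root UID, its own home directory, a nologin shell) before handing the browser to `sudo -u`. The account name `sandboxaccount` and the binary `browserbin` are the placeholders from the comment, and the passwd entry in the comment is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): launch a browser as a separate,
# non-login account via sudo -u, after checking that the account is
# actually a restricted one. "sandboxaccount" and "browserbin" are
# placeholder names taken from the comment above.

# Return 0 if a passwd(5) entry describes an account suitable for sandboxing:
# a non-root UID, a home directory that is not the caller's own, and a shell
# that refuses interactive logins (nologin or false).
sandbox_entry_ok() {
    entry=$1        # constructed example: "sandboxaccount:x:1001:1001::/var/empty:/usr/sbin/nologin"
    caller_home=$2  # home directory of the login user being protected
    uid=$(printf '%s' "$entry" | cut -d: -f3)
    home=$(printf '%s' "$entry" | cut -d: -f6)
    shell=$(printf '%s' "$entry" | cut -d: -f7)
    # UID must be numeric and not 0; a non-numeric UID makes the test fail.
    [ -n "$uid" ] && [ "$uid" -ne 0 ] 2>/dev/null || return 1
    # Sharing the login user's home would hand the browser its files anyway.
    [ "$home" != "$caller_home" ] || return 1
    case "$shell" in
        */nologin|*/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Look the account up in the passwd database and exec the program under it.
run_sandboxed() {
    account=$1; shift
    entry=$(getent passwd "$account") || {
        echo "no such account: $account" >&2; return 2; }
    if ! sandbox_entry_ok "$entry" "$HOME"; then
        echo "refusing: $account is not a restricted non-login account" >&2
        return 3
    fi
    # -H points HOME at the sandbox account's own directory, so the browser
    # profile, cache and downloads land there rather than in the login user's.
    exec sudo -H -u "$account" "$@"
}

# Usage (not run automatically): run_sandboxed sandboxaccount browserbin
```

The sudoers rule that lets the login user run only the browser as that account is not shown here; without it `sudo -u` will simply prompt and fail.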
  20. Re:Get the Facts is a better tag. by exley · · Score: 5, Funny

    The contest was also sponsored by the likes of Google, Cisco, Adobe, some security folk... They must all have it in for Apple, oh no Apple is screwed! Plus if you read how the contest was run, it's hard to make the case that this was all pro-MS.

    Get the facts... Up to the point where they support your agenda and then punt.

  21. Good. by brainfsck · · Score: 5, Insightful

    I'm typing this on a Macbook Pro running Safari, and I'm happy about the results of this competition. As Apple computers (slowly?) gain market share, they will eventually be forced to significantly adjust their terrible attitude in terms of security.

    I would rather have Apple "shamed" into providing me (and other OS X users) a more secure web browser/operating system than gain some pathetic "my system is more secure than yours" bragging rights.

  22. Re:I think the relevant part is: by vux984 · · Score: 5, Insightful

    In other words, the first to hack it gets it! Who wants a Vaio or a Fujitsu anyway? Given a choice between the three, I'm sure everybody wanted the MacBook Air. Naturally, the only machine getting the pounding is going to be the first to crack.

    Yes, that sounds logical, if your genitals are hooked up to a car battery.

    The winner got to keep the unit AND 10,000. So OBVIOUSLY they should crack the easiest unit, flip it on ebay, and then buy whatever they actually want, while pocketing the remaining 8-9 grand...

    So... the moral of this story? Never underestimate the ability of an Apple fan to rationalize how the Mac could be the first to fail, yet still be the finest computer in the competition. d(^_~) [Thumbs up!]

    I ... Zzzzzzzap.... couldn't.... Zzzzzzzzzap. ... agree... Zzzzzzzzzzap.... more. ;)

  23. Re:Inquiring minds... by moderatorrater · · Score: 5, Funny

    Does "first to be compromised" mean the only one to be compromised? At this time, it was the only one hacked. The contest continues tomorrow.

    Is the contest completely over once one machine is cracked? It continues tomorrow with more 3rd party apps installed that can be used to break into the system. I don't see much chance of the other two making it through tomorrow, but that depends on the programs they install.

    If not, were Windows and Ubuntu cracked minutes or hours after OS X? They're both still un-cracked.

    Does using Firefox on OS X make it uncrackable? If you plug one hole in a sieve, will it hold water?

    Was each OS required to use its own browser: IE, Safari, and Epiphany? They had to use the software that comes pre-installed on the machine.

    Since Firefox works on all 3 systems, wouldn't that be a better gauge of OS security? Only if Firefox came preinstalled on all 3 systems.

    Where did I come from? Your mother's vagina. Hopefully you've never been back.

    Why is the sky blue? Do I look like Einstein?
  24. Can't wait to find out what and how by SpeedyG5 · · Score: 5, Insightful

    I am an apple fan and enjoy a lot of their products.

    There is no way any system can be perfectly secure, but this is a significant hole. While they probably won't get me to click that stupid link, they might get my mom or any number of the other avg everyday users.

    At least now we can get beyond the macs can't be hacked BS and move on to securing my favorite OS and keeping it that way.

    Now let's see how long it takes for Apple to post a patch, that is really where the rubber meets the road.

  25. Re:I think the relevant part is: by recoiledsnake · · Score: 5, Informative

    The winner got to keep the unit AND 10,000 Don't forget that the prize was 20,000 each for the first day. And none of the machines got compromised. Including the Vista and Ubuntu machines. So, the GP is even more wrong than you think.
    --
    This space for rent.
  26. I don't get it by CannonballHead · · Score: 5, Insightful

    Can't we admit that, for whatever reason, the Air/Safari was easier hacked than Vista/IE7? I know this is an unpopular bandwagon to be on, especially on Slashdot, but it seems there's no two ways about it. I refuse to believe that it was a conspiracy and that every hacker was actually just trying to hack the Air and make Ubuntu and Vista pass, that's stupid. If I were a hacker, I'd totally hack the EASIEST one simply to get the $10k and the laptop. And if there were known or open vulnerabilities, it should have fallen in what, 30 seconds?

    Seriously, it's not a huge deal. If we, like good open source cronies, admit that there was a problem with *gasp* part of the Apple software/laptop combo (whether it was Safari or the OS or whatever), then maybe it will be fixed. Isn't that the main idea here? I thought the point of these things were to discover vulnerabilities so that they could be fixed, not to place bets on Microsoft falling and go up in arms if it doesn't.

    Unless, of course, we really aren't interested in open source software or good software at all, but are more about claiming a company name as our own.

  27. Dell is actually starting to not suck. by Cordath · · Score: 5, Informative

    I was pretty surprised when Dell finally started putting some effort into their laptop designs. For example, take the XPS m1330 that came out last year. It's actually really nice. I wanted a near-ultra-portable but *powerful* Ubuntu laptop and was within a hair's breadth of getting a macbook pro. (The air is a slick design, but the power just isn't there.) Then I found out I could get something every bit as powerful as a high-end macbook pro in the form-factor of a 13" macbook, only lighter, and for less money. (Caveat to follow.) Then I found out that the design actually looked nice. Nicer than the macbooks to my tastes. (Seriously, it's time for a design update Apple.) On top of that, the m1330's design makes a fair bit of ergonomic sense too. The laptop tapers down towards your wrists, rather than the tendinitis-inducing edge on macbooks.

    Even more surprising, the m1330 is really well supported in Ubuntu. (Dell actually sells the m1330 with Ubuntu pre-installed, although the discount is rather pathetic.) More things just work in a default install of Ubuntu on the m1330 than in Vista! (The only thing that doesn't work as well in Ubuntu as it does in Vista is the fingerprint reader, but that's just because biometric password support in Linux, and KDE especially, sucks dingo balls at present.) And yes, if I bought a macbook I probably would have tossed the OSX disks and reformatted the drive first thing. I've had to develop under OSX and, while I don't mind it, I definitely prefer Ubuntu.

    Caveat time. Dell's customization options are still royally borked. You can pick up a lot of accessories, like bluetooth mice, fairly cheap when buying a laptop, but other components are just insanely expensive. Anyone who maxes out the memory on a Dell while ordering it and then complains about the price is an idiot. Upgrading the memory on a Dell won't void the warranty. You want 4GB? Get 1GB from Dell and, toss it, and buy a couple 2GB sticks yourself. You'll save at least a couple hundred dollars. If Dell would smarten up about that kind of thing I'd have no complaints.

    Still, one thing is pretty clear. You can no longer mindlessly slag Dell for epitomizing bland and crappy laptop designs. They do still have ultra-cheap crap and bland bricks built like tanks for the corporate types, but they're also gunning for the sexier end of the market now.

  28. A real hero by Fulkkari · · Score: 5, Interesting

    The successful hijacking took place only two minutes into the second day of the competition, after the rules had been relaxed to allow the visiting of websites and opening of emails. The TippingPoint blog reveals that the vulnerability was located within Safari, but they won't release specific details until Apple has had a chance to correct the problem. The winner, Charlie Miller, gets to keep the laptop and $10,000.

    In other words this guy most likely found a security bug in Safari, but instead of reporting it directly, made an exploit and waited for a hacking contest to get a monetary benefit out of it. A real hero. Or maybe he was just quick. Which seems more plausible?

    --
    I demand the Cone of Silence!