Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

MacBook Air First To Be Compromised In Hacking Contest

Posted by Soulskill on Fri Mar 28, 2008 12:06 AM
from the potential-reality-tv-show dept.
Businesses Portables Security Apple Hardware
Multiple readers have written to let us know that the MacBook Air was the first laptop to fall in the CanSecWest hacking contest. The successful hijacking took place only two minutes into the second day of the competition, after the rules had been relaxed to allow the visiting of websites and opening of emails. The TippingPoint blog reveals that the vulnerability was located within Safari, but they won't release specific details until Apple has had a chance to correct the problem. The winner, Charlie Miller, gets to keep the laptop and $10,000. We covered the contest last year, and the results were similar.
+ -
story

Related Stories

[+] IT: MacBook Hacked In Contest Via Zero-Day Hole in Safari 156 comments
EMB Numbers writes "Shane Macaulay just won a MacBook as a prize for successfully hacking OS X at CanSecWest conference in Vancouver, BC. The hack was based on a Safari vulnerability found by Dai Zovi and written in about 9 hours. CanSecWest organizers actually had to relax the contest rules to make the hack possible, because initially nobody at the event could breach the computers under the original restrictions. 'Dai Zovi plans to apply for a $10,000 bug bounty TippingPoint announced on Thursday if a previously unknown Apple bug was used. "Shane can have the laptop, I want the money," Dai Zovi said in a telephone interview from New York. TippingPoint runs the Zero Day Initiative bug bounty program.'"
Firehose:Macbook Air compromised in just 2 minutes by Anonymous Coward
[+] IT: Last Year's CanSecWest Winner Repeats on Vista, Ubuntu Wins 337 comments
DimitryGH followed up on the earlier news that the MacBook Air lost CanSecWest by noting that "Last year's winner of the CanSecWest hacking contest has won the Vista laptop in this year's competition. According to the sponsor TippingPoint's blog, Shane Macaulay used a new 0day exploit against Adobe Flash in order to secure his win. At the end of the day, the only laptop (of OS X, Vista, and Ubuntu) that remained unharmed was the one running Ubuntu. How's that for fueling religious platform wars?"
[+] IT: First Pwn2Own 2009 Contest Winners Emerge 98 comments
mellowdonkey writes "Last year's CanSecWest hacking contest winner, Charlie Miller, does it again this year in the 2009 Pwn2Own contest. Charlie was the first to compromise Safari this year to win a brand spankin new Macbook. Nils, the other winner, was able to use three separate zero day exploits to whack IE8, Firefox, and Safari as well. Full detail and pictures are available from the sponsor, TippingPoint, who acquired all of the exploits through their Zero Day Initiative program."
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

MacBook Air First To Be Compromised In Hacking Contest 25 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • 0wnership (Score:5, Funny)

    by Anonymous Coward on Friday March 28 2008, @12:10AM (#22890086)
    Ah, the pride of 0wnership.

  • do you hear that ? (Score:5, Funny)

    by Anonymous Coward on Friday March 28 2008, @12:10AM (#22890090)
    the sound of a million fanbois as they screamed Nooooooooooooo i sense i disturbance in the reality distortion generator set comments to flamebait and activate the extra moderation modules captain taco

    • I say well done. (Score:5, Insightful)

      by catwh0re (540371) on Friday March 28 2008, @01:07AM (#22890446)
      In the past I've written replies which effectively defended the mac platform, not due to some loyalty, but because most of the feedback people write is pure b/s. I prefer factual arguments, not near-random fear mongering.

      I haven't RTFA but from the surface it sounds like a fair exploit test, and sure it only fell over with user interaction, but it still fell first. So good on them, they'll enjoy their prize of a macbook air and a sweet $10k.

  • Better headline (Score:5, Funny)

    by BadAnalogyGuy (945258) <BadAnalogyGuy@gmail.com> on Friday March 28 2008, @12:11AM (#22890094)
    Safari browser has massive security hole.

    It's funny how they turned a huge hole in the Safari browser into a commercial for the Mac Air.

    "Small size, big holes"

  • Maybe it's major, or maybe no big deal (Score:5, Insightful)

    by jht (5006) on Friday March 28 2008, @12:45AM (#22890296) Homepage Journal
    To me, a web hack to worry about (on any platform/browser) is one that can just be triggered by viewing a compromised page (like happens to most unpatched Windows machines that get nailed by drive-bys). I'm not nearly as worried about ones that require user intervention - clicking on a link, button, or something of the sort.

    So if the Mac was tagged by just loading a page that delivered the hack, that's bad. Quite bad. If he had to click and download something (and perhaps defeat the auto-quarantine they use), that's not so much a big deal, though still a hole that needs patching.

    One of the things about vulnerabilities on all platforms is that a significant part of the magnitude depends on how difficult it is to exploit. Remote connections to a system that avoid/defeat a firewall are really dangerous. Attacks that require the user to do something stupid are inevitable, but far less dangerous.

    Thus far most of the Mac vulnerabilities have been the second type. Luckily.

  • Day 2 results (Score:5, Informative)

    by Nightspirit (846159) on Friday March 28 2008, @12:47AM (#22890312)
    If you look at their blog it seems the Vista and Ubuntu laptops are still not hacked yet at the end of day 2:
    http://dvlabs.tippingpoint.com/blog/2008/03/27/day-two-of-cansecwest-pwn-to-own---we-have-our-first-official-winner-with-picture [tippingpoint.com]

    • Re:Identical articles (Score:5, Insightful)

      by Anonymous Coward on Friday March 28 2008, @12:14AM (#22890116)
      No, this year Vista and Ubuntu were in the contest as well. But the mac got hacked in two minutes and the Vista and Ubuntu machines resisted every hack. Big difference there. Oh, and I'd like to say, HA HA /nelson - now tell us again how absense of mac malware is not because of small market share.

      • Re:Identical articles (Score:5, Funny)

        by Anonymous Coward on Friday March 28 2008, @12:36AM (#22890240)
        The Vista machine would have been hacked quicker if it ran faster

        • Re:Identical articles (Score:5, Informative)

          by recoiledsnake (879048) on Friday March 28 2008, @12:46AM (#22890300)

          You aren't totally correct on that. The article says "He was the first contestant to attempt an attack on any of the systems." (on the second day). None of the systems fell on the remote only side but when it came to test user interaction the Mac was the first one tested. I'm still waiting for the result on the other machines. It is what a lot of us suspected... because of Apple's rep., people would be eager to take on the Mac first. It is still not to say it isn't bad... oh, it is. But the contest isn't over yet.
          Sorry, that's just plain wrong. Every laptop had different contestants going on about it in 30 minute slots all day.

          Day 1: March 26th: Remote pre-auth All laptops will be open only for Remotely exploitable Pre-Auth vulnerabilities which require no user interaction. First one to pwn it, receives the laptop and a $20,000 cash prize. The pwned machine(s) will be taken out of the contest at that time. Day 2: March 27th: Default client-side apps The attack surfaces increases to also include any default installed client-side applications which can be exploited by following a link through email, vendor supplied IM client or visiting a malicious website. First one to pwn it receives the laptop and a $10,000 cash prize. The pwned machine(s) will be taken out of the contest at that time. Day 3: March 28th: Third Party apps Assuming the laptops are still standing, we will finally add some popular 3rd party client applications to the scope. That list will be made available at CanSecWest, and will be also posted here on the blog. First to pwn it receives the laptop and a $5,000 cash prize
          So the Macbook is out of the race since it finished last. Tomorrow, the Ubuntu and Vista machines will have a prize of $5000 on them being cracked with lots of third party apps installed.

            • Re:Identical articles (Score:5, Informative)

              by recoiledsnake (879048) on Friday March 28 2008, @01:30AM (#22890556)

              So is it official that the Vista and Ubuntu machines have survived day 2??! Judging from the blog... it isn't: Update 5:45 PST - The contest is officially over for today. Check back tomorrow to see how the Vista and Ubuntu laptops fare. Do you have an inside scoop??
              You misunderstod the contest rules. No inside scoop. Just the blog.

              Day 1: March 26th: Remote pre-auth
              All laptops will be open only for Remotely exploitable Pre-Auth vulnerabilities which require no user interaction. First one to pwn it, receives the laptop and a $20,000 cash prize.
              The pwned machine(s) will be taken out of the contest at that time.
              Day 2: March 27th: Default client-side apps
              The attack surfaces increases to also include any default installed client-side applications which can be exploited by following a link through email, vendor supplied IM client or visiting a malicious website. First one to pwn it receives the laptop and a $10,000 cash prize.
              The pwned machine(s) will be taken out of the contest at that time.
              Day 3: March 28th: Third Party apps
              Assuming the laptops are still standing, we will finally add some popular 3rd party client applications to the scope. That list will be made available at CanSecWest, and will be also posted here on the blog. First to pwn it receives the laptop and a $5,000 cash prize.
              So the security will be even more relaxed on the third day because Ubuntu and Vista survived the first two days without a hack. The Mac finished last and is out of the race.

        • Re:Identical articles (Score:5, Informative)

          by Nightspirit (846159) on Friday March 28 2008, @01:14AM (#22890478)
          The results for the other machines are in, at the end of day 2 the Vista and Ubuntu laptops have yet to be compromised:
          http://dvlabs.tippingpoint.com/blog/2008/03/27/day-two-of-cansecwest-pwn-to-own---we-have-our-first-official-winner-with-picture [tippingpoint.com]

        • Re:And, in this case, the attacker deliberately ch (Score:5, Informative)

          by recoiledsnake (879048) on Friday March 28 2008, @12:54AM (#22890360)

          It's time to abandon the general purpose browser. It's also time to quit surfing as your log-in user. You need a browser for surfing that you run (sudo or something) as a strictly limited privilege user without log-in capabilities.
          If you pulled your head out of the sand and informed yourself beyond the anti-Vista tripe that's posted on here, you might have known that IE7 on Vista does exactly what you described ever since it came out more than a year ago.

            • Re:linky, pleasey (Score:5, Informative)

              by Chokolad (35911) on Friday March 28 2008, @01:11AM (#22890460)
              Here is your linkey http://blogs.msdn.com/ie/archive/2006/02/09/528963.aspx [msdn.com]

              Quote from the linkey

                In IE7's Protected Mode--which is the default in other than the Trusted security zone--the IE process runs with Low rights, even if the logged-in user is an administrator. Since add-ins to IE such as ActiveX controls and toolbars run within the IE process, those add-ins run Low as well. The idea behind Protected Mode IE is that even if an attacker somehow defeated every defense mechanism and gained control of the IE process and got it to run some arbitrary code, that code would be severely limited in what it could do. Almost all of the file system and registry would be off-limits to it for writing, reducing the ability of an exploit to modify the system or harm user files. The code wouldn't have enough privileges to install software, put files in the user's Startup folder, hijack browser settings, or other nastiness.

              In Protected Mode IE writes/reads special Low versions of the cache, TEMP folder, Cookies and History:

              Cache: %userprofile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low
              Temp: %userprofile%\AppData\Local\Temp\Low
              Cookies: %userprofile%\AppData\Roaming\Microsoft\Windows\Cookies\Low
              History: %userprofile%\AppData\Local\Microsoft\Windows\History\Low

    • Re:I think this section is relevant (Score:5, Insightful)

      by chubs730 (1095151) on Friday March 28 2008, @12:18AM (#22890134)
      Pretty much says that a laptop widely meant for home users was only compromised when allowed access to some of the most widely used applications? I'm not sure what you're trying to say (or not, rather) but a hole in safari is a bit of an issue; unless of course you're just concerned with that server running on your Air ;).

    • Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but on Thursday the rules were relaxed so that attackers could direct contest organizers using the computers to do things like visit Web sites or open e-mail messages.

      Pretty much says it all.

      Wow, at +4 already for just quoting the summary and tossing in a vague and meaningless sentence.

      So anyway, what exactly is it saying? The only thing I see there is that a completely passive attack (that is, absolutely no user interaction, like many well-known worms worked) failed. Once this part of the test was passed they allowed interactive attacks (where the user must assist the attacker in some way). Since this is how nearly all malware and malicious software spreads these days, I don't see anything wrong with this. Aside from just attaching hardware to the network, a web browser and email client are the two applications with the most Internet "surface area". As all major operating systems come bundled with a primary browser (IE, Safari, Firefox) a flaw in the browser essentially amounts to a flaw in the OS. It seems natural and obvious to put them to the test.

    • Re:Keep the laptop (Score:5, Insightful)

      by MobileTatsu-NJG (946591) on Friday March 28 2008, @12:27AM (#22890188)

      You mean like when your airplane flight is cancelled and the airline offers you a free ticket. Or when the food at a restaurant is crappy and they give you a coupon to eat there again.
      Well.. sorta. It's more like when a company loans you a laptop to hack, then they let ya keep it, then they give ya ten thousand dollars on top of that.

    • Re:right (Score:5, Insightful)

      by recoiledsnake (879048) on Friday March 28 2008, @12:37AM (#22890248)
      And the karma-whoring RDF sets in.

      anyone who either has physical access to the computer being attacked or can convince the user running the machine to install/download anything is capable of breaking pretty much any OS they want.
      So no one wanted 20k of cash and expensive windows and linux laptops? Why weren't anyone able to hack the Windows and Linux laptops? They did not have physical access to the machine. Nothing was downloaded or installed manually. Only a website hosted by the attacker was just visited by the organizers on the browsers and mails were opened(attachemnts were not) and read.

      The fact that they had to relax the rules so that the Mac could be broken into illustrates this nicely.
      The fact that inspite of the relaxed rules, the Windows and Linux laptops were not broken into, illustrates totally something else. I will let you guess it. They are going to further relax the rules tomorrow to include third party applications to make it even easier to hack. Unfortunately, the Mac won't be there because it didn't make it to the third day.

    • Re:Users == the problem (Score:5, Insightful)

      by recoiledsnake (879048) on Friday March 28 2008, @12:43AM (#22890284)

      Good to see that social engineering is still all it requires to compromise something.
      So why weren't the Windows and Linux machines be able to be hacked inspite of the social engineering and users being at the helm all day?

        • Re:well, tFriendlyA does mention (Score:5, Informative)

          by recoiledsnake (879048) on Friday March 28 2008, @01:05AM (#22890440)

          as more than one person mentions above,) ... that the attack on the mac was the first attempted hack under the relaxed rules. I think it's clear that the hacker wanted the mac, especially since there are known open vulnerabilities that could have been used on MSIE, and some highly probable directions fairly well known on Firefox.
          You've lost me. Where does it say that the mac(apart from your 'persons above' handwaving) was the first attempted hack under the relaxed rules? Go read the site. It says that all three laptops were tried all day and the Mac was removed from the competition because it failed to survive the second day. The others did. Under the same rules.

          especially since there are known open vulnerabilities that could have been used on MSIE, and some highly probable directions fairly well known on Firefox.
          So there are known open vulnerabilities in IE7 and Firefox and no one wanted a free 10k in cash (20k in total) for just running them plus 2 expensive laptops? Are you kidding me?

          We know that the browser is vulnerable. Anyone who thinks general purpose browsers are invincible is living in a dream world.
          IE7 on Vista runs in a sandbox. This kind of attack on IE7 wouldn't have worked without another hole compromising the sandbox. Stop coloring all the browsers with the same color just because the one you use got pwned.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.