Hack-a-Mac - security vulnerability found in Apple's Safari
As part of the Hack-a-Mac "PWN to own" competition at the CanSecWest security conference, two competitors succeeded in hacking a fully patched MacBook Pro running Mac OS X 10.4.9. They did not, however, penetrate the computer directly, rather they exploited a vulnerability in Apple's Safari web browser. On visiting a website prepared by the hackers, malicious code was injected onto the MacBook and executed with user privileges. This kind of vulnerability was previously better known from Microsoft's Internet Explorer - the Redmond company were recently forced to release an unscheduled patch for a similar vulnerability. In that case, however, the browser was merely the vehicle for the attack - the actual bug was in Windows.
The hackers, Shane Macaulay and Dino Dai Zovi, received a prize of 10,000 US dollars and the hacked MacBook for their exploit. Dai Zovi apparently found the vulnerability and programmed the exploit in just 9 hours. No details of the vulnerability will initially be released. The two discoverers may be wanting to make more money out of the hack - security services provider TippingPoint pays a bounty for new, unpublished vulnerabilities, in this case another 10,000 US dollars. Apple have been informed of the hack. It is not known whether they have been given further information or whether they are working on a patch.
The competition initially involved hacking one system, with, however, tighter rules - the vulnerability should allow the intruder to obtain root privileges - which apparently no-one succeeded in doing. The organisers therefore made a second system available, for which the conditions were somewhat less stringent.
- First Mac Hacked Cancel Or Allow, report from CanSecWest