In association with heise online

23 April 2007, 09:52

Hack-a-Mac - security vulnerability found in Apple's Safari


As part of the Hack-a-Mac "PWN to own" competition at the CanSecWest security conference, two competitors succeeded in hacking a fully patched MacBook Pro running Mac OS X 10.4.9. They did not, however, penetrate the computer directly; rather, they exploited a vulnerability in Apple's Safari web browser. On visiting a website prepared by the hackers, malicious code was injected onto the MacBook and executed with the privileges of the logged-in user. This kind of vulnerability was previously better known from Microsoft's Internet Explorer - the Redmond company were recently forced to release an unscheduled patch for a similar vulnerability. In that case, however, the browser was merely the vehicle for the attack - the actual bug was in Windows.

The hackers, Shane Macaulay and Dino Dai Zovi, received a prize of 10,000 US dollars and the hacked MacBook for their exploit. Dai Zovi apparently found the vulnerability and programmed the exploit in just 9 hours. No details of the vulnerability will initially be released. The two discoverers may want to make more money out of the hack - security services provider TippingPoint pays a bounty for new, unpublished vulnerabilities, in this case another 10,000 US dollars. Apple have been informed of the hack. It is not known whether they have been given further information or whether they are working on a patch.

The competition initially involved hacking one system under tighter rules: the vulnerability had to allow the intruder to obtain root privileges, which apparently no one succeeded in doing. The organisers therefore made a second system available, for which the conditions were somewhat less stringent.

(mba)

Permalink: http://h-online.com/-732679