MacBook Air first to be cracked at PWN to OWN hack competition

Of three laptops to be hacked, a MacBook Air with Mac OS X 10.5.2 was the first to fall victim to crack attempts of participants in the PWN to OWN contest at CanSecWest. The laptops running Windows Vista SP1 and Ubuntu 7.10 remain uncompromised. According to information provided by organisers of the TippingPoint competition, Charlie Miller, Jake Honoroff and Mark Daniel of security service provider Independent Security Evaluator were able to take control of the machine through a hole in the Safari web browser. The vulnerability has supposedly not yet been made public and is still under wraps until Apple is able to provide a patch. In addition to $10,000 prize money, the winners also get to keep the MacBook as a bonus.

As early as last year, hackers were able to crack a completely patched MacBook Pro with Mac OS X 10.4.9. That time they used a Zero Day hole in QuickTime that allows malicious code to be injected when a website is accessed using Safari or Firefox. This time too, the hack only succeeded in the second stage – with the interaction of a user who surfed to a specially crafted website. The MacBook was able to withstand external network attacks.

It is not clear so far whether MacOS X was actually easier to hack or if it was simply a more attractive target since the MacBook Air came as a bonus. But the hardware that the Ubuntu system is running on is also attractive: a Vaio VGN-TZ37CN. The incident should not worsen Apple's Zero Day patch rate, since both the information and the exploit are being kept under wraps.

It is not known whether the vulnerability also exists in the Windows version of Apple's Safari. Apple had just started distributing Safari to Windows PCs via iTunes updates.

See also:

• PWN to OWN Day Two: First Winner Emerges!, TippingPoint report

(mba)