Feeds

Mac is the first to fall in Pwn2Own hack contest

Safari's bad-hair week

Intelligent flash storage arrays

CanSecWest A brand-new MacBook Air running a fully patched version of Leopard was the first to fall in a contest that pitted the security of machines running OS X, Vista and Linux. The exploit took less than two minutes to pull off.

Charlie Miller, who was the first security researcher to remotely exploit the iPhone, felled the Mac by tapping a security bug in Safari. The exploit involved getting an end user to click on a link, which opened up a port that he was then able to telnet into. Once connected, he was able to remotely run code of his choosing. The feat won him a $10,000 prize paid by Tipping Point, whose Zero Day Initiative pays bounties to researchers for responsibly disclosing vulnerabilities.

The hack came during the Pwn2Own contest, which is being held at the CanSecWest conference in Vancouver. The competition took place in a conference room overlooking the city's Burrard Inlet, a harbor where pontoon planes took off and disappeared into black rain clouds shrouding nearby Grouse Mountain. A small round of applause broke out immediately after contest officials confirmed Miller's exploit was legit.

At time of writing, the Windows and Linux machines were still standing.

Under contest rules, Miller was forbidden from providing specifics of his hack. He said he chose Apple over the other machines because "I thought of the three it was the easiest". He said he didn't test the exploit on any other platform. As a Mac user, he added, he felt an incentive to exploit the system because he believes it will help make the platform stronger. Miller, who works for Independent Security Evaluators, received help from co-workers Jake Honoroff and Mark Daniel.

Miller's win came on day two of the contest, which gradually eases the rules for what constitutes a qualifying exploit. Not a single attendee entered the contest on day one, when all vulnerabilities had to reside in the machine's operating system, drivers or network stack. Winners were eligible for a $20,000 prize.

On day two, the attack surface was expanded to include browsers, mail applications and other common applications, and the bounty was reduced to $10,000. Contestants on day three will be allowed to attack still more applications, such as Skype, QuickTime and browser plugins for a $5,000 prize.

The Safari exploit came a day after Secunia warned of two critical vulnerabilities in the Apple browser.

As we've said in the past, one benefit of the Pwn2Own contest is its ability to eliminate economic variables from the argument over whether a given platform is vulnerable to attack. Given the proper incentive, it's safe to say that any is ripe for the picking. ®

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
Don't wait for that big iPad, order a NEXUS 9 instead, industry little bird says
Google said to debut next big slab, Android L ahead of Apple event
Netscape Navigator - the browser that started it all - turns 20
It was 20 years ago today, Marc Andreeesen taught the band to play
A drone of one's own: Reg buyers' guide for UAV fanciers
Hardware: Check. Software: Huh? Licence: Licence...?
Jaguar Sportbrake: The chicken tikka masala of van-sized posh cars
Indian-owned Jag's latest offering curries favour with us
The Apple launch AS IT HAPPENED: Totally SERIOUS coverage, not for haters
Fandroids, Windows Phone fringe-oids – you wouldn't understand
Apple SILENCES Bose, YANKS headphones from stores
The, er, Beats go on after noise-cancelling spat
Here's your chance to buy an ancient, working APPLE ONE
Warning: Likely to cost a lot even for a Mac
Xiaomi boss snaps back at Jony Ive's iPhone rival 'theft' swipe
I'll have a handset delivered. Judge us after you try us...
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.