Apple's Leopard has been hacked within 30 seconds using a flaw in Safari, with rival OSes Ubuntu and Vista so far remaining impenetrable in the CanSecWest PWN to OWN competition.

Security firm Independent Security Evaluators (ISE) — the same company that discovered the first iPhone bug last year — successfully compromised a fully patched Apple MacBook Air at the CanSecWest competition, winning them US$10,000.

Although the competition recorded the hack taking eight minutes, Charlie Miller, a principal analyst with ISE, told ZDNet.com.au that it took just 30 seconds and was achieved using a previously unknown flaw in Apple's Web browser Safari.

"It might have taken eight minutes to sit down and open the computer, but when the competition started, 30 seconds later it was over," said Miller.

Apple has been notified of the flaw, according to the intrusion detection company which offers the prize money, TippingPoint.

Competitors in the hacking race were allowed to choose either a Sony laptop running Ubuntu 7.10, a Fujitsu laptop running Vista Ultimate SP1 or a MacBook Air running OSX 10.5.2.

"We could have chosen any of those three but had to make a judgment call on which would be the easiest and decided it would be Leopard," Miller said.

"Every time I look for [a flaw in Leopard] I find one. I can't say the same for Linux or Windows. I found the iPhone bug a year ago and that was a Safari bug as well. I've also found other bugs in Quicktime."

When the three decided to enter the competition a few weeks ago, they began looking for a bug and then spent time refining the attack to ensure it worked well on competition day.

The technique used to PWN the MacBook Air was similar to a phishing attack where a victim is sent a link which they click on to visit a site containing malicious code, said Miller.

"Basically you type in something to the Web browser and go to a Web site that is controlled. In real life, you would get a link in an e-mail and if you clicked on it, that would be the same thing," he said.

But hacking Leopard was not meant as an attack on Apple, according to Miller: "I use a MacBook all the time and that's what I used in the contest to attack the MacBook Air. I like Macs. That's the reason I went for it — it's in my best interest for them to be as secure as possible."

Comments

1

Brandon Martinez - 06/04/08

Not really fair to say 30 seconds, the hack alone probably took at least a few days to figure out. Saying it happened in 30 seconds makes it seem like it was no big deal.

2

Joe Anonymous - 11/04/08

It's really quite simple. EVERY OS can be hacked, that's a given. No matter what computer you use, there is probably a way it can be hacked. But there are tens of millions of zombie Windows computers out there and zero zombie Macs. There are thousands of self-propagating Windows viruses in the wild - and none for the Mac.

It's like this. If you're going to choose a neighborhood to live in, you are going to choose a safer neighborhood (everything else being equal). Even in the safer neighborhood, you might choose to put in deadbolts and an alarm system (in fact, I'd recommend it), but for any given level of security, the safer neighborhood is a better choice.

The same is true for computers. Macville is infinitely safer than Windowstown. It doesn't matter if that's because of lower population, a moat around the town, or just that burglars don't like Macville. The fact is that it's the safer neighborhood.

Similarly, if you're buying a computer today, there are no known exploits in the wild affecting Macs, so they're a better choice. What might happen in some theoretical future is irrelevant.
