MacBook Air Hacked through Safari

In a security hackers contest, the hacker was able to gain control of the MBA through a vulnerability in Safari within two minutes!!! Here is the Article. The contest involved the MBA, Windows Vista, and Ubuntu machines. The Air was first to be hacked. Apple has advertised how secure their OS is and how much of an advantage it has over other competitive OS's. I guess everything can't be perfect. Oh well, hope they don't hack mine.
 
MBA hacked in under 2 minutes at CanSecWest security conference's PWN 2 OWN

San Francisco - It may be the quickest $10,000 Charlie Miller ever earned.

He took the first of three laptop computers -- and a $10,000 cash prize -- Thursday after breaking into a MacBook Air at the CanSecWest security conference's PWN 2 OWN hacking contest.

Show organizers offered a Sony Vaio, Fujitsu U810, and the MacBook as prizes, saying that they could be won by anybody at the show who could find a way to hack into each of them and read the contents of a file on the system using a previously undisclosed "0day" attack.

Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but on Thursday, the rules were relaxed so that attackers could direct contest organizers using the computers to do things like visit Web sites or open e-mail messages.

Miller, best known as one of the researchers who first hacked Apple's iPhone last year, didn't take much time. Within 2 minutes, he directed the contest's organizers to visit a Web site that contained his exploit code, which then allowed him to seize control of the computer, as about 20 onlookers cheered him on.

He was the first contestant to attempt an attack on any of the systems.

Miller was quickly given a nondisclosure agreement to sign, and he's not allowed to discuss particulars of his bug until the contest's sponsor, TippingPoint, can notify the vendor.

Contest rules state that Miller could only take advantage of software that was preinstalled on the Mac, so the flaw he exploited must have been accessible by, or possibly inside, Apple's Safari browser.

Last year's contest winner, Dino Dai Zovi, exploited a vulnerability in QuickTime to take home the prize.

Dai Zovi, who congratulated Miller after his hack, didn't participate in this year's contest, saying it was time for someone else to win.


Wow, $10 grand and a MacBookAir in 2 minutes, sign me up!
 
I never use Safari.. so does that mean I'm hacker proof? lol... any OS can be hacked, it's just whether or not someone has the time to do it.
 
If you can choose to attack (and subsequently take it home) a Vista, Ubuntu or Mac machine, there is no question why he tried to hack the MBA.

I mean who wants a Vista machine, if you can get a MBA?
 
This is no surprise. Safari has been subject to security leaks in the past, so naturally, that's where the geeks would look first. Now it's up to Apple to patch that hole :)
 
Safari has a vulnerability, which Apple should fix immediately and I have no doubts that Apple will release the fix soon.

However, the exploit requires that you visit a malicious website - so the moral of the story is, don't click on those links if and when you are not sure if the site is legit.
 
Safari has a vulnerability, which Apple should fix immediately and I have no doubts that Apple will release the fix soon.

However, the exploit requires that you visit a malicious website - so the moral of the story is, don't click on those links if and when you are not sure if the site is legit.

Yeah but the problem is that people click those websites :) Same happens with Windows.

I use a Mac; actually, I switched like 8 months ago. But security wasn't my motivation. I believe this security and ease of use are marketing things which are being very well practiced by Apple.

I think it is the fact that the more people switch to mac the more viruses we will have :).
 
If you can choose to attack (and subsequently take it home) a Vista, Ubuntu or Mac machine, there is no question why he tried to hack the MBA.

I mean who wants a Vista machine, if you can get a MBA?

There was $10,000 on offer for the first to break any system so with that logic surely they'd go after the one with the most obvious or easy to find vulnerability??? It's irrelevant which one they get to take home with $10,000 on offer!!!!!!!!!!

You may have said that in jest but it makes us all look like crazy Fan Bois, "they only hacked it as it's the best"
 
However, the exploit requires that you visit a malicious website - so the moral of the story is, don't click on those links if and when you are not sure if the site is legit.
Unfortunately almost all legit sites these days are also running (mainly ad) content from 3rd parties, which can also be cracked to serve the exploits.
 
The rules of the contest are here
http://dvlabs.tippingpoint.com/blog/2008/03/19/cansecwest-pwn-to-own-2008

The first day was attacking the system over the network without any user intervention for a $20000 prize, and 3 systems survived.

The second day was attacking the system over the network by directing a user to do some simple things with a default setup, like opening email you send them or visiting a website you prepared. The Mac got hacked here, probably due to a bug in Safari, and the winner got the laptop and $10000.

Note that after the Mac was out of the race, different teams continued to work on the Vista and Ubuntu laptops (and could still win them and their $10000 prizes), but both survived the second day.

3rd day (today/tomorrow), you can still win the Vista or Ubuntu laptops plus $5000, and they will now also have "popular 3rd party client applications" installed, though I haven't seen the list of apps yet.
 
if windows lost first, you would all be talking ****.

give me a break


I agree... boy I can hear it now.. LOL.. ;)

I am kind of curious as to what Apple has, in terms of teams who try to hack, exploit etc before the OS is released. Maybe Apple needs to hire some fresh talent.
 
And here I (after switching from Windows a year ago) was just starting to believe that my Mac is secure without having virus protection.:eek:

Well you are, there are no viruses out in the wild for OSX. In fact there is no virus protection for OSX viruses.
 
Since it was a Safari vulnerability present on all current Macs that they used, shouldn't this be in the General Mac forum, as any Mac can apparently be pwned in 2 minutes flat?
 