News, info, and opinion by Mac users, for Mac users.

March 27, 2008

security

Security researcher hacks Mac at CanSecWest

Posted Mar. 27, ’08, 2:26 PM PT by Dan Moren
Category | Security

Charlie MillerAs we mentioned last month, the CanSecWest security conference is running a hacking competition on Vista, OS X, and Linux. News just in from day two of the PWN 2 OWN contest suggests that OS X has fallen at the hands of Dr. Charlie Miller, a security researcher from Independent Security Evaluator (and former NSA employee), who’s perhaps best known for demonstrating a Safari security vulnerability on the iPhone last July.

While there were no winners on day one of the contest, which limited attacks to external forays over the network, day two added to the list the potential for visiting sites or reading emails from the computer. Miller was the first to give it a shot; when the contest directors visited his site, he was reputedly able to use his exploit to take control of the computer. Rules prohibited any additional software from being installed.

The exploit means that Miller will take home $10,000 as well as the MacBook Air that he successfully hacked—had a participant managed to win on the first day, they would have gotten $20,000 from sponsor TippingPoint. Miller was also required to sign an NDA which prevents him from giving out details on the exploit until Apple is informed.

This is scary stuff, to be sure. Last year at the same event, researcher Dino Dai Zovi managed to take advantage of a loophole in QuickTime to win the prize; his method also involved visiting a malicious URL. Despite that, we anticipate a prompt fix from Apple once they’re alerted; they patched Dai Zovi’s two weeks later. So don’t break out the duct tape and emergency rations just yet.

[Glenn F. via Twitter; Image via New York Times]


8 Comments

Call Me Yo Daddy Author Profile Page said:

This is exactly the reason why I have both Intego's VirusBarrier and NetBarrier running! Mac's CAN be hacked and malware for them CAN be created. Very recently a trojan horse for the Mac was discovered by Intego security researchers. Although damage wasn't wide spread, it's still malware that is malicious.

I do not trust the default firewall in Mac OS X. Hackers can easily get around it if they target Macs. However a third party firewall such as NetBarrier offers far more robust and stronger protection. I wish there was a way to visit the same Miller's site and prove he would have failed on my Mac. 

March 27, 2008 3:16 PM
Call Me Yo Daddy Author Profile Page said:

This is exactly the reason why I have both Intego's VirusBarrier and NetBarrier running! Mac's CAN be hacked and malware for them CAN be created. Very recently a trojan horse for the Mac was discovered by Intego security researchers. Although damage wasn't wide spread, it's still malware that is malicious.

I do not trust the default firewall in Mac OS X. Hackers can easily get around it if they target Macs. However a third party firewall such as NetBarrier offers far more robust and stronger protection. I wish there was a way to visit the same testing site used by Mr. Miller and prove he would have failed on my Mac. 

March 27, 2008 3:17 PM
Call Me Yo Daddy Author Profile Page said:

I'm sorry for the redundant post, I wish there was an edit button.

March 27, 2008 3:19 PM
Dave-O said:

Yet another reminder that you can't go visit every website linked in your spam messages.

Bracing for all the stories saying Mac users think they're invulnerable...

March 27, 2008 3:39 PM
Richard Dawson said:

^^
You must be the Vice President of sales at Intego. Glad it works so well for you.

March 27, 2008 4:07 PM
gresmi said:

I'm not saying your point isn't correct, but just to clarify:

None of the hackers were able to get through the firewall on the mac, or either of the other boxes. This exploit came through the browser (Safari) and hence sidestepped the firewall completely. You could have had server grade IPFW running, as you did in Tiger, and you would have had teh same result.

March 27, 2008 4:10 PM
Greg said:

I'm not trying to make this less than what it is, but most likely, the Mac was targeted first so "those smug Mac users would shut up."

Honestly, these kinds of contests are pure crap except for the exploit themselves. What they need to do is do one system one time, then another, and then another. Then things like some idiot coming in and screaming "OMG, MAC SUXX0RS!!!!!!ONE!!!ELEVEN!!!" won't happen.

March 27, 2008 8:55 PM
James Madley said:

Judging by Call Me Yo Daddy's post(s) he must like porn.

The trojan Intego found almost 6 months ago could only be found on malicious porn sites.

March 27, 2008 11:55 PM

Leave a comment

 



IDG IDG NETWORK:   CIO   Computerworld   CSO   GamePro   GamerHelp   IDG Connect   Infoworld  
   JavaWorld   LinuxWorld   Macworld   Network World   PC World   PC World Canada   Playlist   Techworld