updated 10:10 am EDT, Sat April 21, 2007
MacBook Hacked in Contest
One of two "honeypot" MacBook Pros at the CanSecWest security conference has been successfully hacked, according to officials. The Vancouver, British Columbia event had established a contest to try and gain user-level shell access in Mac OS X over a wireless network, which was successfully accomplished after contest hosts eased rules and allowed security experts to attack through code sent through malicious websites instead of directly compromising the OS itself.
The successful hack had been written by Matasano Security researcher Dino Dai Zovi and implemented by engineer Shane Macaulay, the combined team of which took nine hours to craft an exploit for Apple's built-in Safari browser. CanSecWest managers wouldn't elaborate on details but confirmed that the hack had been genuine.
"At this point all we can say is there is an exploitable flaw in Safari which can be triggered within a malicious web page," they wrote. "Of course all of the latest security patches have been applied. This one is 0day folks."
Macaulay is expected to win the MacBook Pro in question as part of the contest rules, while Dai Zovi is claiming a $10,000 prize established by 3Com for any exploit used during the challenge that was confirmed as a zero-day attack, which meant it would be exploitable before the software developer could react. A remaining system had yet to be broken and required that any successful compromise gain complete root-level access to qualify for a prize.
Apple has turned down an opportunity to comment on the Safari flaw and has so far only issued its common response to exploits that appear before their related patches. "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users," said company spokeswoman Lynn Fox.
Despite a lack of known examples of "in the wild" malicious exploits, Mac OS X has recently come under increasing pressure by security teams discovering previously unknown exploits. The now well-known Month of Apple Bugs successfully discovered then-fresh vulnerabilities in QuickTime, Safari, and other components, all of which have forced Apple to release multiple patches to address the security holes in its software.
The April security update released by the Mac maker touches on further Month of Apple Bugs issues, but doesn't contain any fixes for Safari and thus leaves the CanSecWest exploit viable in the foreseeable future. (Photo via CNET)