jod
04-21-07, 02:46 PM
Never liked MAC's anyway, but Zero day on Safari... pfft keep it
Shane Macaulay, a software engineer, was able to hack into a MacBook through a zero-day security hole in Apple's Safari browser. The computer was one of two offered as a prize in the "PWN to Own" hack-a-Mac contest at the CanSecWest conference here.
MacBook hacker
Credit: Joris Evers
Hack-a-Mac winner Shane Macaulay
attacks a MacBook at the
CanSecWest conference.
The successful attack on the second and final day of the contest required a conference organizer to surf to a malicious Web site using Safari on the MacBook--a type of attack familiar to Windows users. CanSecWest organizers relaxed the rules Friday after nobody at the event had breached either of the Macs on the previous day.
Macaulay teamed with Dino Dai Zovi, a security researcher until recently with Matasano Security. Dai Zovi, who has previously been credited by Apple for finding flaws in Mac software, found the Safari vulnerability and wrote the exploit overnight in about 9 hours, he said.
"The vulnerability and the exploit are mine," Dai Zovi said in a telephone interview from New York. "Shane is my man on the ground."
Apple spokeswoman Lynn Fox declined to comment on the MacBook hack specifically, but provided Apple's standard security comment: "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users."
Now on News.com:
* Skyscraper design gets a new spin
* Plenty of Google to go around
* No simple answers for tax questions
* Extra: Federal database exposes Soc Sec'y numbers
* Video: Hot metal for cool computers
Dai Zovi plans to apply for a $10,000 bug bounty TippingPoint announced on Thursday if a previously unknown Apple bug was used. "Shane can have the laptop, I want the money," Dai Zovi said. TippingPoint runs the Zero Day Initiative bug bounty program.
A TippingPoint representative said the company would pay, after looking at the vulnerability. "If it is an actual zero-day in Safari that's fine with us," said Terri Forslof, manager of security response at TippingPoint.
The successful hack comes a day after Apple release its fourth security update for Mac OS X this year. The update repairs 25 vulnerabilities.
CanSecWest organizers set up the MacBooks connected to a wireless router and with all security updates installed, but without additional security software or settings.
Source (http://news.com.com/2100-7349_3-6178131.html?part=rss&tag=2547-1_3-0-5&subj=news)
Shane Macaulay, a software engineer, was able to hack into a MacBook through a zero-day security hole in Apple's Safari browser. The computer was one of two offered as a prize in the "PWN to Own" hack-a-Mac contest at the CanSecWest conference here.
MacBook hacker
Credit: Joris Evers
Hack-a-Mac winner Shane Macaulay
attacks a MacBook at the
CanSecWest conference.
The successful attack on the second and final day of the contest required a conference organizer to surf to a malicious Web site using Safari on the MacBook--a type of attack familiar to Windows users. CanSecWest organizers relaxed the rules Friday after nobody at the event had breached either of the Macs on the previous day.
Macaulay teamed with Dino Dai Zovi, a security researcher until recently with Matasano Security. Dai Zovi, who has previously been credited by Apple for finding flaws in Mac software, found the Safari vulnerability and wrote the exploit overnight in about 9 hours, he said.
"The vulnerability and the exploit are mine," Dai Zovi said in a telephone interview from New York. "Shane is my man on the ground."
Apple spokeswoman Lynn Fox declined to comment on the MacBook hack specifically, but provided Apple's standard security comment: "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users."
Now on News.com:
* Skyscraper design gets a new spin
* Plenty of Google to go around
* No simple answers for tax questions
* Extra: Federal database exposes Soc Sec'y numbers
* Video: Hot metal for cool computers
Dai Zovi plans to apply for a $10,000 bug bounty TippingPoint announced on Thursday if a previously unknown Apple bug was used. "Shane can have the laptop, I want the money," Dai Zovi said. TippingPoint runs the Zero Day Initiative bug bounty program.
A TippingPoint representative said the company would pay, after looking at the vulnerability. "If it is an actual zero-day in Safari that's fine with us," said Terri Forslof, manager of security response at TippingPoint.
The successful hack comes a day after Apple release its fourth security update for Mac OS X this year. The update repairs 25 vulnerabilities.
CanSecWest organizers set up the MacBooks connected to a wireless router and with all security updates installed, but without additional security software or settings.
Source (http://news.com.com/2100-7349_3-6178131.html?part=rss&tag=2547-1_3-0-5&subj=news)