Computerworld - The security researcher who walked away with $10,000 yesterday by hacking a MacBook Air in less than two minutes said he chose to attack Apple Inc.'s operating system for one simple reason.

"It was the easiest one of the three," said Charlie Miller, an analyst at Independent Security Evaluators (ISE), a Baltimore-based security consultancy. "We wanted to spend as little time as possible coming up with an exploit, so we picked Mac OS X."

On Thursday afternoon, Miller breached a MacBook Air, one of three laptops up for grabs in the "PWN to OWN" hacker challenge at CanSecWest, a security conference that wraps up today in Vancouver, British Columbia. For his efforts, he got the computer and a $10,000 cash prize.

The MacBook Air was running the current version of Mac OS X, 10.5.2, with all the latest security patches applied. The other two computers, a Sony Vaio VGN-TZ37CN running Ubuntu 7.10 and a Fujitsu U810 notebook running Windows Vista Ultimate SP1, were also up to date and fully patched.

"We sat down about three weeks ago and decided we wanted to throw our hats into the ring," said Miller, referring to himself and ISE colleagues. "It took us a couple of days to find something, then the rest of the week to work up an exploit and test it.

"It took us maybe a week altogether," Miller said.

Because Miller was bound by a nondisclosure agreement with 3Com Corp.'s TippingPoint, the security company that ponied up PWN To OWN's cash prizes, he was unable to share details of the vulnerability. He did confirm, however, that he had exploited a bug in Safari 3.1, the current version of Apple's browser.

The PWN to OWN challenge actually started Wednesday, but the rules for that first day required researchers to break into one of the laptops using a remote code-execution exploit of a zero-day. At stake: the laptop and $20,000. Only one researcher stepped up that day, however, and was unsuccessful.

Yesterday, the computers' exposure to attack was expanded by allowing hackers to go after any client-side applications installed by default, including Web browsers. Contestants were also allowed to replicate the common tactic of duping a user into following a link in an e-mail or visiting a malicious Web site. In Miller's case, he had set up a malicious Web site; the URL to that site was typed into Safari's address bar.

Related Blog

IT Blogwatch: MacBook pwned in two minutes (and fly me!)

"I've had a change of heart," said Miller today. "I used to think server-side vulnerabilities were easier to exploit, but now I almost think it's easier to exploit the client side. Think about a browser. There's a million things it has to do. It has to handle images and video and audio and ... that's where the danger is these days."

Comment Recommend Digg Twitter ShareThis

Email Print Send Feedback Reprints

Jump to comments

PWN To OWN

Additional Resources

Xerox

Win a color printer!

By using solid ink technology only from Xerox, you could save up to 65% by printing color for the cost of black and white. Enter for a chance to WIN a PhaserTM 8860 network color printer!

Microsoft

Upgrade to Internet Explorer 8 today.

Save time and mitigate security risk. Deploy it now.

Sybase

NEXT-GENERATION MOBILITY PLATFORMS

In this white paper, IDC analyzes the role of next-generation mobile enterprise platforms as organizations seek a more strategic deployment of mobile solutions.

Learn the important issues you must consider before starting your next mobility initiative. Get your mobility white paper from IDC now, compliments of Sybase.