MacBook pwned in two minutes (and fly me!)

It's IT Blogwatch: in which a MacBook Air gets hacked in a hacking competition (for hackers). Not to mention how to make dangerous-looking paper airplanes...

Robert McMillan McReports:

It may be the quickest $10,000 Charlie Miller ever earned. He took the first of three laptop computers -- and a $10,000 cash prize -- Thursday after breaking into a MacBook Air at the CanSecWest security conference's PWN 2 OWN hacking contest. Show organizers offered a Sony Vaio, Fujitsu U810 and the MacBook as prizes, saying that they could be won by anybody at the show who could find a way to hack into each of them and read the contents of a file on the system, using a previously undisclosed "0day" attack ... Miller, best known as one of the researchers who first hacked Apple's iPhone last year, didn't take much time. Within 2 minutes, he directed the contest's organizers to visit a Web site that contained his exploit code, which then allowed him to seize control of the computer, as about 20 onlookers cheered him on. more

The contest's anonymous blogger adds:

Congratulations to our first winner ... At 12:38pm local time, the team of Charlie Miller, Jake Honoroff, and Mark Daniel from Independent Security Evaluators have successfully compromised the Apple MacBook Air ... Coincidentally, Apple has just started to ship Safari to some Windows machines, with its iTunes update service. The vulnerability has been acquired by the Zero Day Initiative, and has been responsibly disclosed to Apple who is now working on the issue. Until Apple releases a patch for this issue, neither we nor the contestants will be giving out any additional information about the vulnerability. You can track the vulnerability on the Zero Day Initiative upcoming advisories page under ZDI-CAN-303. more

Darren Murph compares with last year:

And just think -- last year you were singing Dino Dai Zovi's praises for taking control of a MacBook Pro in nine whole hours ... This year ... famed iPhone hacker Charlie Miller showed the MacBook Air on display who its father really was ... he was forced to sign a nondisclosure agreement that'll keep him quiet until "TippingPoint can notify the vendor," but at least he'll have $10,000 and a new laptop to cuddle with during his silent spell. more

Farhad Manjoo worries about Safari for Windows:

Last week millions who were only marginally connected to Apple -- because they'd downloaded iTunes -- were prompted to "update" to Safari, even though they'd never expressed an interest in the thing ... There are also some reports of the thing crashing, and now there are security flaws, too. The tech security firm Secunia says it has found two "highly critical" holes in Safari for Windows that allow untrusted Web sites to gain access to a user's system. There are no known fixes for the holes yet, other than Secunia's advisory to refrain from browsing "untrusted Web sites" with Safari. Not that other browsers don't suffer the same flaws, of course. But this was supposed to be the best browser in the world. more

David Maynor sighs:

Out of the three machines (OSX, Linux, Vista) OSX was the first to fall. I hope this puts to rest the myth that OSX is more secure but I am sure the zealots will have a million reasons why this is a fixed or rigged contest ... even with the updates that Apple has released for Safari there are still tons of flaws in it that are exploitable ... Apple bundles open-source, but patches it late. It takes them weeks to as long as a year to patch their version of the code after it was patched in open-source. It's fairly straightforward to keep track of the open-source (and other 3rd party) code that Apple uses it, and when a vulnerability is announced for the open-source version, write exploits for the Mac version. more

So Daniel Eran Dilger polishes his fanboi credentials:

While the quick win makes for a perfect headline and reflects the Hollywood image of “hackers” that twiddle on a keyboard and almost instantly “access the mainframe” ... a more intelligent question is: why did the Mac get hacked first, and why was the attack so quick? The easy answer is that nobody had any political reason to attack Windows at an event sponsored by Microsoft ... It is an uncontroversial fact that Windows PCs suffer under the threat of tens of thousands of real world viruses, are routinely infected by malware and often unwittingly participate in spam and adware botnets, while Mac systems have no [such] problems. However, there is a constant din of pundits, researchers, and security product salesmen who insist that Macs not only have serious security problems, but may actually suffer from more vulnerabilities than Windows PCs. more

But brainfsck cheers:

I'm typing this on a Macbook Pro running Safari, and I'm happy about the results of this competition. As Apple computers (slowly?) gain market share, they will eventually be forced to significantly adjust their terrible attitude in terms of security. I would rather have Apple "shamed" into providing me (and other OS X users) a more secure web browser/operating system than gain some pathetic "my system is more secure than yours" bragging rights. more

While EraserMouseMan is briefer and to the point:

The Mac was hacked 2 minutes into day 2. After day 2 was over no other OSs or browsers had been hacked. Period. Give it up. Safari sucks. The web is a jungle. Tame it by not using Safari. more

And finally...

Buffer overflow:

Other Computerworld bloggers:

Richi Jennings is an independent analyst/adviser/consultant, specializing in blogging, email, and spam. A 20 year, cross-functional IT veteran, he is also an analyst at Ferris Research. You too can pretend to be Richi's friend on Facebook, or just use boring old email:

Previously in IT Blogwatch:

Copyright © 2008 IDG Communications, Inc.

Shop Tech Products at Amazon