Warning

 

Close

Confirm Action

Are you sure you wish to do this?

Confirm Cancel
Member Login

Site Notices
Arrow Left Previous Page
Page / 3
Posted: 3/19/2009 6:28:11 PM EDT
Researcher Cracks Mac in 10 Seconds
Gregg Keizer, Computerworld
Mar 19, 2009 8:41 am

Charlie Miller, the security researcher who hacked a Mac in two minutes last year at CanSecWest's PWN2OWN contest, improved his time Wednesday by breaking into another Mac in under 10 seconds.

Miller, a principal analyst at Independent Security Evaluators LLC, walked off with a $5,000 cash prize and the MacBook he hacked.

"I can't talk about the details of the vulnerability, but it was a Mac, fully patched, with Safari, fully patched," said Miller Wednesday not long after he had won the prize. "It probably took 5 or 10 seconds." He confirmed that he had researched and written the exploit before he arrived at the challenge.

The PWN2OWN rules stated that the researcher could provide a URL that hosted his or her exploit, replicating the common hacker tactic of enticing users to malicious sites where they are infected with malware. "I gave them the link, they clicked on it, and that was it," said Miller. "I did a few things to show that I had full control of the Mac."

Two weeks ago, Miller predicted that Safari running on the Mac would be the first to fall.

PWN2OWN's sponsor, 3Com Inc.'s TippingPoint unit, paid Miller the $5,000 for the rights to the vulnerability he exploited and the exploit code he used. As it has at past challenges, it reported the vulnerability to on-site Apple representatives. "Apple has it, and they're working on it," added Miller.

According to Terri Forslof, the manager of security response at TippingPoint, another researcher later broke into a Sony laptop that was running Windows 7 by exploiting a vulnerability in Internet Explorer 8. "Safari and IE both went down," she said in an e-mail.

TippingPoint's Twitter feed added a bit more detail to Forslof's quick message: "nils just won the sony viao with a brilliant IE8 bug!"

Forslof was not immediately available to answer questions about the IE8 exploit.

TippingPoint will continue the PWN2OWN contest through Friday, and will pay $5,000 for each additional bug successfully exploited in Apple Inc.'s Safari, Microsoft Corp.'s Internet Explorer 8, Mozilla Corp.'s Firefox or Google Inc.'s Chrome. During the contest, IE8, Firefox and Chrome will be available on the Sony, while Safari and Firefox will be running on the MacBook. The researcher who exploited IE8 will, like Miller, be awarded not only the cash, but also the laptop.

"It was great," said Miller when asked how it felt to successfully defend his title. "But I was really nervous for some reason this time. Maybe it was because there were more people around. Lucky [the exploit] was idiot-proof, because if I had had to think about it, I don't know if I'd had anything."

This year's PWN2OWN also features a mobile operating system contest that will award a $10,000 cash prize for every vulnerability successfully exploited in five smartphone operating systems: Windows Mobile, Google's Android, Symbian, and the operating systems used by the iPhone and BlackBerry.

Miller said he won't enter the mobile contest. "I can't break them," said Miller, who was one of the first researchers to demonstrate an attack on the iPhone in 2007, and last year was the first to reveal a flaw in Android. "I don't have anything for the iPhone, and I don't know enough about Google."

CanSecWest, which opened Monday, runs through Friday in Vancouver, British Columbia.
Link Posted: 3/19/2009 6:39:06 PM EDT

Link Posted: 3/19/2009 6:40:10 PM EDT
Mac failed?

Let the denial begin......
Link Posted: 3/19/2009 6:42:23 PM EDT
lol.... take that apple users
Link Posted: 3/19/2009 6:42:42 PM EDT
"This just in....Millions of Apple worshippers commit ritualistic suicide...Now back to Terry at the weather board"
Link Posted: 3/19/2009 6:42:48 PM EDT
Link Posted: 3/19/2009 6:46:06 PM EDT
Are Macs actually known for being secure? I thought they were just known for being "different", having less software available, being more expensive and being arguably better at some graphics.

Link Posted: 3/19/2009 6:47:09 PM EDT
Anonymity has a measure of protection, but as the Mac legend continues to grow, the commercial criminal hackers will start targeting it, and it will have just as many exploits as windows.
Link Posted: 3/19/2009 6:47:22 PM EDT
[Last Edit: 3/19/2009 6:47:39 PM EDT by flyfishnepa]

meh, only liberals use macs anyway.



Link Posted: 3/19/2009 6:49:44 PM EDT
Wow, the Mac hate is strong in this thread. Personally, I could care less. Computer's just a tool. This is being posted from an iMac, but there's a PC and a home built job running Linux in the house here too.

All systems have weaknesses.
Link Posted: 3/19/2009 6:51:59 PM EDT
Link Posted: 3/19/2009 6:52:02 PM EDT
Link Posted: 3/19/2009 6:56:14 PM EDT
Forgot to mention that there's a blackberry on the desk next to me. I'm multicultural
Link Posted: 3/19/2009 7:05:31 PM EDT
Originally Posted By marksman121:
Mac failed?

Let the denial begin......


According to Terri Forslof, the manager of security response at TippingPoint, another researcher later broke into a Sony laptop that was running Windows 7 by exploiting a vulnerability in Internet Explorer 8. "Safari and IE both went down," she said in an e-mail.



Last time I checked Sonys run on Windows...

Everything can be hacked, and If you read the story everything WAS hacked at the contest.
Link Posted: 3/19/2009 7:09:37 PM EDT
[Last Edit: 3/19/2009 7:11:19 PM EDT by marksman121]
Originally Posted By PUBBOY:
Originally Posted By marksman121:
Mac failed?

Let the denial begin......


According to Terri Forslof, the manager of security response at TippingPoint, another researcher later broke into a Sony laptop that was running Windows 7 by exploiting a vulnerability in Internet Explorer 8. "Safari and IE both went down," she said in an e-mail.



Last time I checked Sonys run on Windows...

Everything can be hacked, and If you read the story everything WAS hacked at the contest.


Was never saying that it was the only to fail. Just that Mac is not the 'super protected' thing that some whore it out as. It is safer in some ways b/c less people use it for business/financial work so there is less spyware made for it. Stop reading into posts too much.
Link Posted: 3/19/2009 7:12:24 PM EDT
Originally Posted By PUBBOY:
Originally Posted By marksman121:
Mac failed?

Let the denial begin......


Everything can be hacked, and If you read the story everything WAS hacked at the contest.


Chrome wasn't last time I checked, it's also a pretty new product though.
Link Posted: 3/19/2009 7:12:35 PM EDT




Link Posted: 3/19/2009 7:13:00 PM EDT
kool aid and applesauce flying off the shelves as we speak
Link Posted: 3/19/2009 7:16:41 PM EDT
its probably an exploit in Safari
Link Posted: 3/19/2009 7:21:36 PM EDT
If everything went down I don't understand why mac is getting hammered.
Link Posted: 3/19/2009 7:25:35 PM EDT
[Last Edit: 3/19/2009 7:25:53 PM EDT by Jonny712]
Originally Posted By deadpool31:
If everything went down I don't understand why mac is getting hammered.


Because some Mac users claim that it is awesomely safe/protected
Link Posted: 3/19/2009 7:30:04 PM EDT
[Last Edit: 3/19/2009 7:32:34 PM EDT by twombly]
Mac,s are the Ferrari of computers. the rest of you may drive your
Pinto,s and Vega,s If you can't afford Mac you are just wack L.O.L.
Link Posted: 3/19/2009 7:31:31 PM EDT
I would ask for more then the $5k prize, or else....
Link Posted: 3/19/2009 7:32:36 PM EDT
Hacking a mac is like hacking an etch-a-sketch. Who gives a shit, it's not like anyone important uses them.
Link Posted: 3/19/2009 8:32:51 PM EDT
Originally Posted By Jonny712:
Originally Posted By deadpool31:
If everything went down I don't understand why mac is getting hammered.


Because some Mac users claim that it is awesomely safe/protected


Macs, by default, are more secure than windows PCs. They're built on a more secure kernel, run an OS that has been hardened by 15 years of open source development, and are configured "out of the box" to protect the users from themselves. Microsoft didn't really think about security until about XP service pack 2 –– the NT kernel by itself was a work of art, but everything built around it was a house of cards built on a beach.

That certainly doesn't mean a Mac can't be cracked –– it just means that you have to trick someone to do it effectively. That's what happened here –– they demonstrated that if you can social engineer someone with access to screw up, you can take control of their machine. No matter what OS they run.
Link Posted: 3/19/2009 8:39:56 PM EDT




I haven't laughed that hard in a while.
Link Posted: 3/19/2009 8:41:18 PM EDT
Link Posted: 3/19/2009 8:41:57 PM EDT
Originally Posted By Danielisright:
Hacking a mac is like hacking an etch-a-sketch. Who gives a shit, it's not like anyone important uses them.


OUCH!
Link Posted: 3/19/2009 8:44:34 PM EDT

Originally Posted By twombly:
Mac,s are the Ferrari of computers. the rest of you may drive your
Pinto,s and Vega,s If you can't afford Mac you are just wack L.O.L.

Obviously all Mac users are so well schooled that spelling and grammar checkers are not needed.
Link Posted: 3/19/2009 8:47:11 PM EDT
Mac's are only safe because no one gives a shit about mac users.
Link Posted: 3/19/2009 8:47:18 PM EDT
I still think of this when I hear people talk about Mac's:

Link Posted: 3/19/2009 8:48:56 PM EDT
is there a school that offers courses in hacking 101? i don't have the slightest idea how to even do it?
Link Posted: 3/19/2009 8:52:37 PM EDT
Originally Posted By armoredsaint:
is there a school that offers courses in hacking 101? i don't have the slightest idea how to even do it?
Trial and error.

Link Posted: 3/19/2009 8:53:01 PM EDT
Don't care,I still won't ever have another windows machine. Windows is still a steamin pile of shit.
Link Posted: 3/19/2009 9:01:54 PM EDT
I'll keep my mac book. At least I would have to do something stupid to make it crash, like open an attachment from someone I don't know or visit a website I don't recognize.

My windows machine self-destructs and gives me the blue screen of death all on its own. Windows is the worst virus out there.
Link Posted: 3/19/2009 9:03:54 PM EDT
Originally Posted By Cavu:
I'll keep my mac book. At least I would have to do something stupid to make it crash, like open an attachment from someone I don't know or visit a website I don't recognize.

My windows machine self-destructs and gives me the blue screen of death all on its own. Windows is the worst virus out there.


I have actually attempted to make both xp and vista blue screen and couldn't do it.
Link Posted: 3/19/2009 9:10:41 PM EDT
haha


macs suck ass
Link Posted: 3/19/2009 9:15:29 PM EDT
Originally Posted By Riply21:
Originally Posted By Cavu:
I'll keep my mac book. At least I would have to do something stupid to make it crash, like open an attachment from someone I don't know or visit a website I don't recognize.

My windows machine self-destructs and gives me the blue screen of death all on its own. Windows is the worst virus out there.


I have actually attempted to make both xp and vista blue screen and couldn't do it.


If you don't try to make it crash, and you just go about your daily usage it will crash, right when you are doing something incredibly time consuming and important.

I haven't had a problem with Vista yet, OH YEAH I HAVE NEVER USED VISTA. I will let the rest of you beta test Microshaft software for them.
Link Posted: 3/19/2009 9:16:21 PM EDT
Originally Posted By Riply21:
Originally Posted By Cavu:
I'll keep my mac book. At least I would have to do something stupid to make it crash, like open an attachment from someone I don't know or visit a website I don't recognize.

My windows machine self-destructs and gives me the blue screen of death all on its own. Windows is the worst virus out there.


I have actually attempted to make both xp and vista blue screen and couldn't do it.


I must have a gift...

It is a Dell Inspiron laptop and the stinkin' thing is the most unstable piece of trash I've ever had. Slower than molasses in winter and it locks up at least once every time I turn it on. Unfortunately for me, I had bought Photoshop CS3 for windows a few months before I decided to switch to a mac. That is the only reason I still keep it around.

Link Posted: 3/19/2009 9:18:40 PM EDT
Originally Posted By armoredsaint:
is there a school that offers courses in hacking 101? i don't have the slightest idea how to even do it?


Watch War Games, Hackers and Swordfish.
Link Posted: 3/19/2009 9:23:02 PM EDT
Originally Posted By thmsmgn:
Originally Posted By Riply21:
Originally Posted By Cavu:
I'll keep my mac book. At least I would have to do something stupid to make it crash, like open an attachment from someone I don't know or visit a website I don't recognize.

My windows machine self-destructs and gives me the blue screen of death all on its own. Windows is the worst virus out there.


I have actually attempted to make both xp and vista blue screen and couldn't do it.


If you don't try to make it crash, and you just go about your daily usage it will crash, right when you are doing something incredibly time consuming and important.

I haven't had a problem with Vista yet, OH YEAH I HAVE NEVER USED VISTA. I will let the rest of you beta test Microshaft software for them.


Never had a single crash using any Microsoft product, I did however make a crapintosh lock up simply by typing a paper on it.
Link Posted: 3/19/2009 9:26:32 PM EDT
Originally Posted By marksman121:
Mac failed?

Let the denial begin......



Hey, my Mac crashed on me just yesterday. It was the first time in over a year of moderately intense use (I run all of my work functions on a VM running XP), and it's run fine since.

Relating to the vulnerability in the OP, I do not use Safari. Never did. The first thing I did on my Mac was go to getfirefox.com.


Face it, Macs are getting more popular, thus the popularity of trying to crack them will go up. I suspect more cracks and viruses will arise in the future. This phenomenon doesn't make Macs any less great.
Link Posted: 3/19/2009 9:32:58 PM EDT
[Last Edit: 3/19/2009 9:33:33 PM EDT by turdferguson]
I always say that the reason macs don't get viruses is because no one bothers to write them for the OS because they are such a small percentage of the market, not because macs have any kind of better security than a PC.

Not that it would really matter anyway, the average computer user doesn't know jack about security regardless of their OS choice. A few hours online is enough for these people to get some kind of electronic super AIDS on their computers.

My advice for these people is just to delete the system 32 folder and save themselves some time.



Note, do not actually delete the system 32 folder. Seriously.
Link Posted: 3/19/2009 9:36:11 PM EDT
Originally Posted By joshki:

Macs, by default, are more secure than windows PCs. They're built on a more secure kernel, run an OS that has been hardened by 15 years of open source development, and are configured "out of the box" to protect the users from themselves. Microsoft didn't really think about security until about XP service pack 2 –– the NT kernel by itself was a work of art, but everything built around it was a house of cards built on a beach.

That certainly doesn't mean a Mac can't be cracked –– it just means that you have to trick someone to do it effectively. That's what happened here –– they demonstrated that if you can social engineer someone with access to screw up, you can take control of their machine. No matter what OS they run.



+1

Macs are much more difficult for your average user to fuck up than a Windows box. I only hope Win7 helps in that regard.

The open source community contributes a lot that OS X is built on, so it's core, the kernel, is very similar to many open source kernels out there. That means it's available for crackers to try to find exploits, and thus is easier to secure.
Link Posted: 3/19/2009 9:41:12 PM EDT
Web browsers and all the crap that runs in them are way too complex to be secure.
Link Posted: 3/19/2009 9:48:03 PM EDT
Link Posted: 3/19/2009 9:54:50 PM EDT
Been hearing about macs will have viruses and spyware for more than 12 years.

The mac haters are PC users and the hackers are PC users, why have the haters
not been making mac hacks and viruses all these years?

There is much more joy and internet points with mac viruses and hacks, but zero have
succeeded in this mission and that speaks volumes.
Link Posted: 3/19/2009 9:57:47 PM EDT
Awesome thread guys.


And to the nay sayers, the only reason your mac is soooo secured. Is because no one bothers to write code for it. It has been said, mac are as secure as windows. Actually windows updates more frequent than mac, so theres actually a bit of better protection with windows. Enjoy your failatosh.
Link Posted: 3/19/2009 9:58:41 PM EDT
Originally Posted By Boomer8450:
Anonymity has a measure of protection, but as the Mac legend continues to grow, the commercial criminal hackers will start targeting it, and it will have just as many exploits as windows.


Yep, I've been saying this for awhile. Increased marketshare = increased attractiveness to hackers. Plus it was only a matter of time before those gay, "I'm a mac" commercials pissed a hacker off.
Link Posted: 3/19/2009 10:02:25 PM EDT
Originally Posted By twombly:
Mac,s are the Ferrari of computers. the rest of you may drive your
Pinto,s and Vega,s If you can't afford Mac you are just wack L.O.L.


No, they are the prius of the computer world.
Link Posted: 3/19/2009 10:04:29 PM EDT
Arrow Left Previous Page
Page / 3
Top Top