[ISN] Gone in 2 minutes: Mac gets hacked first in contest

From: InfoSec News (alerts@private)
Date: Fri Mar 28 2008 - 00:30:13 PST


http://www.infoworld.com/article/08/03/27/Gone-in-2-minutes-Mac-gets-hacked-first-in-contest_1.html

By Robert McMillan
IDG News Service
March 27, 2008 

It may be the quickest $10,000 Charlie Miller ever earned.

He took the first of three laptop computers -- and a $10,000 cash prize 
-- Thursday after breaking into a MacBook Air at the CanSecWest security 
conference's PWN 2 OWN hacking contest.

Show organizers offered a Sony Vaio, Fujitsu U810, and the MacBook as 
prizes, saying that they could be won by anybody at the show who could 
find a way to hack into each of them and read the contents of a file on 
the system using a previously undisclosed "0day" attack.

Nobody was able to hack into the systems on the first day of the contest 
when contestants were only allowed to attack the computers over the 
network, but on Thursday, the rules were relaxed so that attackers could 
direct contest organizers using the computers to do things like visit 
Web sites or open e-mail messages.

Miller, best known as one of the researchers who first hacked Apple's 
iPhone last year, didn't take much time. Within 2 minutes, he directed 
the contest's organizers to visit a Web site that contained his exploit 
code, which then allowed him to seize control of the computer, as about 
20 onlookers cheered him on.

He was the first contestant to attempt an attack on any of the systems.

Miller was quickly given a nondisclosure agreement to sign, and he's not 
allowed to discuss particulars of his bug until the contest's sponsor, 
TippingPoint, can notify the vendor.

Contest rules state that Miller could only take advantage of software 
that was preinstalled on the Mac, so the flaw he exploited must have 
been accessible by, or possibly inside, Apple's Safari browser.

Last year's contest winner, Dino Dai Zovi, exploited a vulnerability in 
QuickTime to take home the prize.

Dai Zovi, who congratulated Miller after his hack, didn't participate in 
this year's contest, saying it was time for someone else to win.


___________________________________________________      
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn 



This archive was generated by hypermail 2.1.3 : Fri Mar 28 2008 - 00:49:37 PST