Looks legit. The other 2 machines (Vista and Ubuntu) are still running on day 3.

Am I worried? No, but it will make me a little more careful about what I do on my Mac in the future.

Clicking a link in a phishing email is something that even very experienced user might do if the email is convincing enough.

...wanted the MB Air so that's what they attacked. I wouldn't bother hacking the Sony Vaio or Fujitsu U810 either if they were going to make me take them home.

Until the details can be published, it's hard to say if the test was valid, but it sounds like it. Because the Safari browser is the default browser supplied by Apple, it is a valid security target. The fact that the site was designed to exploit the hole does not make this an invalid test. When you search Google, and click a link, do you know the site is legitimate before you click the link? If people used their computers that way, we wouldn't need search engines.

I think they should change the rules of the contest though. If you crack one machine, you have to pick one of the others for your prize. Of course everyone wants the Air and that's the one they targeted. The other machines are probably sitting there with no network traffic coming in. ;-)

This one is not like many others reported by MacNN, it is a real exploit.

I applaud mr Miller for doing his brilliant and important work. Of course, the vulnerability had to be known in advance and you have to keep exploit script prepared and ready on your site. But reported "2 minutes" period is only relevant in view of the contest terms - the first to finish will take the prize. Nevertheless, mr Miller did a good job by demonstrating that Mac can be hacked given enough time and determination.

And if you are wondering, no, it is not a good time to buy antivirus software. It is time to change your browsing habits.

And it took physical access to the computer to hack it. They could not hack it over the network at all!

Thus the contest is a crock.

No, they had physical access just so they could set up an 'automated' user, a user that would do what most normal users would do. They did not NEED access to get it to work. They could have just gotten some guy to sit at his machine and perform normal daily routines to get it to work.

I smelled something fishy with this when it was pointed out that the hack was a browser redirect/malicious link dealie. Someone had to be using the machine and directed to click said link. It wasn't an "unattended" machine being hacked.

Most computers are not 'hacked' unattended anymore. They're usually gained access by social engineering means. You all always point out about the malware problem with Windows. How do you think that stuff gets around? (Hint: It's not by accessing an unattended computer).

So...he had to use the browser to do it? Use the OS then get back to me with any serious claims of security flaws etc. with OS X.

Since when is using a browser all of a sudden doesn't make it serious?

And I love how flippant so many people are about security. So, the thought that just by clicking on a link in an email (or on MacNN, even) could allow someone to read files off your computer. And it's "Talk to me when it is a 'real' threat!".

Excuse me, but since when is having a browser being able to read your files off your computer not a threat? (Besides when it occurs with Apple).

I think they should change the rules of the contest though. If you crack one machine, you have to pick one of the others for your prize. Of course everyone wants the Air and that's the one they targeted. The other machines are probably sitting there with no network traffic coming in. ;-)

So, then that would just mean no one was trying to crack the Air, and, as such, be just useless a test. But these contests tend to be really pointless anyway. Like anyone who knew a good zero-day exploit would waste it on this lousy prize, when you could make so much more money using it in nefarious ways.

But the prize was $10000 and the laptop. I think if people could easily, they would've just broke into the Linux or Windows machine, won the prize, ebayed the laptop, and spent $2000 of that money on a new Air.

Time to wake up a little, folks.

None of the machines were hacked on day one. Attempts were made but no one could hack into the machines remotely - which is definitely good news in my book.

The bad news is that the hacked into. The others were not.

It doesnʼt matter how long it does to craft an exploit. People who make exploits for Windows donʼt do that as a whim and makes them up on the spot.

Neither does it matter whether it was by sending a user to a website. That happens. Phishing is an art under development. Bad websites donʼt advertise that they are just that, on the contrary.

What I understand, is that nothing was downloaded or installed by the user. It was enough to visit the site to get control over the Mac.

That is definitely a problem.

This was on the second day of the contest. On the first day none of the systems were hacked.

A perfectly legit hack that could happen to any user on any platform/browser, previously unknown bug that compromises the users computer when a web link is clicked on.

So lets say this is legit.

What would the hcaker have to do on their end? They send an email and the user clicks on the link. The sender now has complete control.

A few questions:

does it work over the internet or do they have to be on the same network?

What does control mean?? Root access? ability to install apps or just control the machine?

Does the hacker have to wait around and watch the machine 24/7 until someone clicks on the link?

MUCH more facts are needed before coming to a solid conclusion

San Francisco - It may be the quickest $10,000 Charlie Miller ever earned. He took the first of three laptop computers -- and a $10,000 cash prize -- Thursday after breaking into a MacBook Air at the CanSecWest security conference's PWN 2 OWN hacking contest.

Show organizers offered a Sony Vaio, Fujitsu U810, and the MacBook as prizes, saying that they could be won by anybody at the show who could find a way to hack into each of them and read the contents of a file on the system using a previously undisclosed "0day" attack.

Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but on Thursday, the rules were relaxed so that attackers could direct contest organizers using the computers to do things like visit Web sites or open e-mail messages.

Miller, best known as one of the researchers who first hacked Apple's iPhone last year, didn't take much time. Within 2 minutes, he directed the contest's organizers to visit a Web site that contained his exploit code, which then allowed him to seize control of the computer, as about 20 onlookers cheered him on.

He was the first contestant to attempt an attack on any of the systems.

Miller was quickly given a nondisclosure agreement to sign, and he's not allowed to discuss particulars of his bug until the contest's sponsor, TippingPoint, can notify the vendor.

Contest rules state that Miller could only take advantage of software that was preinstalled on the Mac, so the flaw he exploited must have been accessible by, or possibly inside, Apple's Safari browser.

Last year's contest winner, Dino Dai Zovi, exploited a vulnerability in QuickTime to take home the prize.

Dai Zovi, who congratulated Miller after his hack, didn't participate in this year's contest, saying it was time for someone else to win.

(Infoworld)

All very good questions. Another one is, did the user need to do anything other than just visiting the hacker's web site? They probably can't say without revealing too many details about the exploit, and I applaud them for giving Apple a chance to fix it before releasing any details about how it was done.

So I'm curious if he came up with a way to get Safari to automatically run malicious code just by browsing to a web site, or if the user must also click to download a file. Then that brings up the whole question about whether the hacker was allowed to dictate what Safari's securty settings are (automatically opening downloaded files, etc), or if the user was required to open a downloaded file (ie, a trojan buried in a quicktime movie or something).

Granted, once you have a user whose been tricked into going to a malicious web site, getting them to click on a link on that site probably is isn't that big of a stretch. But if you then require them to download and manually open a file it's really getting into user responsibility at that point.

So I'm curious if he came up with a way to get Safari to automatically run malicious code just by browsing to a web site, or if the user must also click to download a file.

Browsing to a web site can also automatically cause a file to download.

Then that brings up the whole question about whether the hacker was allowed to dictate what Safari's securty settings are (automatically opening downloaded files, etc), or if the user was required to open a downloaded file

Well, since the rules were that they were using a machine and pre-installed software, then they wouldn't need to muck with security settings, as Apple seems to think downloading and auto-opening files is the bees-knees. Even with all the other security issues that were found with that 'feature', they still have it on by default.

Seriously, what's next? Are we going to start being astounded when people get hit by busses and die when they cross the street without looking?

I remember hearing someone who had just gotten released from prison after being convicted for hacking defense department computers and he said the easiest way to infect a company with a virus had nothing to do with hacking into the machine. Simply leave a floppy disc with the words "SALARY INFORMATION" in the restroom and someone is going to put it into a computer, either the curious employee, or the HR person when the floppy disc is turned in to them.

I suppose all of the people who respond to the emails from the Nigerian oil minister's widow are going to claim that their computer was hacked and that's how all the money was drained from their bank accounts.

So the user has to click a malicious link, download a app, click OK when Safari warns its an application. Then start that application or did Safari start it?

Did osX warn the user that the app ran for the first time?

Did it have root access? If not, what is the difference with a simple Applescript clearing the user documents?

I'll purposedly ignore (as I promised years ago) the pointless comments from "the angry fired ex-employee" virusing these forums from years.. But I see here a lot of other pointless comment not looking at the details (not counting the propaganda surrounding all of this "headline news"):

the object was to "read the contents of a file" from another machine and the winner accomplished this by redirecting a browser to somewhere else..

Well, this is no info/news at all, Just do it by yourself on OSX) with these URLs in (almost) ANY browser: file:// or http://localhost:631/ And you have won 10K USD.. (if this news mean they were running "the exploit" locally)

Guys, get a break and enjoy your weekend..

There is an extended version of the article on macworld that mentioned Apple engineers were working on a patch Thursday night. This leads me to believe that they had the MBA patched to at least Thursday. Furthermore, the extended version mentioned that a security apps rep said (in regard to Windows, at least as I interpreted it) "finding a vulnerability is one thing, creating an exploit is another". To me, that means they probably DID find a Vista vulnerability, but weren't able to create an exploit in time.

Until we know the full story and how the exploit was triggered ("visiting a malicious webpage" is still technically too vague), all we can do is speculate. I'm not losing any sleep over it.

Don't assume you have to be tricked into clicking on a bogus link to be hacked. Hackers are becoming much more sophisticated.

In 2008, web pages are being infected with malware at the average rate of 6000 pages a day.

In 2007 80% of malware infected sites were legitimate sites presumed to be trustworthy.

For example: MSNBC.COM on 3-20-2008. http://www.itbusiness.ca/it/client/en/Home/News.asp?id=47631

Approximately 65% of unsolicited e-mails contained a link to a malicious Web site.

Infection by some new "drive-by" download attacks only requires that a user visits an infected web page using an unpatched browser. They do not need to be tricked into clicking particular links or opening particular files. Their computer becomes infected simply because they have visited a site with a vulnerable browser.

You need to go actually READ the article. This guy planned this for WEEKS.

"Everyone wanted the MB Air so that's what they attacked. I wouldn't bother hacking the Sony Vaio or Fujitsu U810 either if they were going to make me take them home."

- Precisely. It was like that computer programming contest from a few years ago where the first prize was a Sony Vaio and the second prize was two Sony Vaios.

Well, this is no info/news at all, Just do it by yourself on OSX) with these URLs in (almost) ANY browser: file:// or http://localhost:631/ And you have won 10K USD.. (if this news mean they were running "the exploit" locally)

Sorry, that won't work, since redirecting to http://localhost would redirect to the user's machine, not the Air.

Plus, you'd have to turn on port 631 in the firewall, would you not?

Finally, if it was that easy, wouldn't you think you'd be completely concerned that clicking any link could open up all your files as simply as you say??

There is an extended version of the article on macworld that mentioned Apple engineers were working on a patch Thursday night. This leads me to believe that they had the MBA patched to at least Thursday.

Not necessarily. It just means that whatever hole is there, it hasn't been patched yet in 10.5.2.

Furthermore, the extended version mentioned that a security apps rep said (in regard to Windows, at least as I interpreted it) "finding a vulnerability is one thing, creating an exploit is another". To me, that means they probably DID find a Vista vulnerability, but weren't able to create an exploit in time.

Or that they couldn't figure a way to exploit it. As you see often on MacNN, there are vulnerabilities found all the time in OS X. But many people have the same response: "Wake me when someone exploits it!".

Note that Friday they were easing the rules even more to allow for third-party software to be run and be attacked.

So far, even with relaxed restrictions, Vista is hold up. Mac OS failed miserably. Pretty laughable at this point now.

testudo, do you have an original thought anywhere or are you just happy letting others do the thinking so you can find a thought to piggy back on? if you have a take on it, post it, otherwise just shut the f up.

http://www.roughlydrafted.com/2008/03/28/cansecwest-and-swiss-federal-institute-of-tech-deliver-attacks-on-the-reality-of-mac-security/

mates, how can you ask if he has an original idea? he just mentioned among the minority here that this is a problem that needs to be addressed. how can we as users be smug enough to not care if our machines are not exhibiting secure operating conditions?

who cares that it was safari or any other part. our bulletproof (as we like to tout it) osx was hacked faster than vista or linux. i don't care that someone worked for weeks to get this to run, think about it: the prize, a laptop and 10 000. would you just spend the night before hacking to be able to crack it?

if you did, you are quite the moron. i don't care if the man spent his years away at mit or some other techy school majoring in mac cracking, it was cracked before the other systems and i assume that the other crackers were also not idiots who just spend the last two hours thinking of a way to automate a crack in windows or linux.

dammit, this scares me. for me, my parents, my gf and well, think of all those links that are just passed about here on the forums... we are very vulnerable

Shigzeo, the link is posted above, but here it is again.

http://www.roughlydrafted.com/2008/03/28/cansecwest-and-swiss-federal-institute-of-tech-deliver-attacks-on-the-reality-of-mac-security/

This is a headline grab made by a MS sponsered contest by a security expert whose focus is on the Mac. Exploiting-likely java-on a browser(undefined)a memory buffer exploit that has been known for some time. Considering the version of the browser and the method are unknown, this really is a straw dog.

This is as much of a non-story as it was last year. Your pathetic attempt at FUD is the rant of a second rate MS troll. Oh dear-what shall I do?! Heavens to Betsy, I better get that much more secure OS-Windows. Does that sound anything like what's really happening in the computing world?

Duh. Windows is still a mess, OSX is as secure as ever and this is a sensationalized non-story.

If and when a real exploit comes-the Mac community will be ablaze, you can depend on that. Until then, I can put myself to sleep counting the interminable windows viruses. 68,736, 68,735, 68,734,....zzzzz

the same drivel on every Mac-oriented site on the web. That is what is laughable at this point.

And yes, the Windows machine has also fallen. Due to a flaw in Flash.

"This is not good news for me, as an OS X user, that my machine is less secure that my wife's Windows laptop, despite the Apple rhetoric about how secure their systems are compared to Windows. Not good at all."

This person made it clear before the contest that he was going after the Mac and only the Mac. He didn't even try an exploit on Windows or Linux.

Clearly his goal was to bring Apple down a notch, oh...and to walk home with some nice hardware too.

Yes, it's a bad bug, but I'd be willing to bet a lot of money that had he set his sites on Vista, he could have achieved the same result.

He didn't have his sights set on Vista, it was OSX all the way. Miller has gained notoriety for hacking apple products. Vista is still the snake pit it was and OSX is still safe. I can believe the exploit came via flash. AS3 is a pretty versatile-full featured programing language these days. Still, working up a home brew and being able to run it the exploit is no big woop.

Adobe really aught to be more worried about this than Apple-the exploit happened over their product. The same exploit can take down any machine with a flash plugin.

This BS ran the same gamut of bs postings last year and--guess what--OSX is still the most secure OS out there-bar none.

So if you think you're more secure with Vista, then switch. It's likely you can't though as you're already-obviously-a peecee user who spreads FUD. Get lost.

HAHAHAHAHAHAHAHA.

And yet they learn nothing

An important lesson to learn is that no one can assume they are too smart to ever stumble into malware infected websites. The days of "safe" websites are over, as mentioned in my previous post, hackers are after the mainstream internet now.

In my previous post I mentioned msnbc.com had been hacked and infected. Now we can add walmart USA Today, and ABC news to the list too.

http://www.networkworld.com/news/2008/032808-hackers-expand-massive-iframe-attack.html

Really guys it doesn't matter what rules applied. Fact is the Air fell first and in only 2 minutes!!

without reading about this elsewhere - MacNN doesn't mention that this exploited only happened in the 2nd day of competition_ And the prize the day before was $20,000 + the MBA_

And that the rules were relaxed as no one was able to gain access to the computer on the 1st day_