Apple's Leopard hacked in 30 seconds

Apple's Leopard has been hacked within 30 seconds using a flaw in Safari, with rival OSes Ubuntu and Vista so far remaining impenetrable in the CanSecWest PWN to OWN competition.

Security firm Independent Security Evaluators (ISE) — the same company that discovered the first iPhone bug last year — successfully compromised a fully patched Apple MacBook Air at the CanSecWest competition, winning them US$10,000.

Although the competition recorded the hack taking eight minutes, Charlie Miller, a principal analyst with ISE, told ZDNet.com.au that it took just 30 seconds and was achieved using a previously unknown flaw in Apple's Web browser Safari.

"It might have taken eight minutes to sit down and open the computer, but when the competition started, 30 seconds later it was over," said Miller.

Apple has been notified of the flaw, according to the intrusion detection company which offers the prize money, TippingPoint.

Competitors in the hacking race were allowed to choose either a Sony laptop running Ubuntu 7.10, a Fujitsu laptop running Vista Ultimate SP1 or a MacBook Air running OSX 10.5.2.

"We could have chosen any of those three but had to make a judgment call on which would be the easiest and decided it would be Leopard," Miller said.

"Every time I look for [a flaw in Leopard] I find one. I can't say the same for Linux or Windows. I found the iPhone bug a year ago and that was a Safari bug as well. I've also found other bugs in Quicktime."

When the three decided to enter the competition a few weeks ago, they began looking for a bug and then spent time refining the attack to ensure it worked well on competition day.

The technique used to PWN the MacBook Air was similar to a phishing attack where a victim is sent a link which they click on to visit a site containing malicious code, said Miller.

"Basically you type in something to the Web browser and go to Web site that is controlled. In real life, you would get a link an e-mail and if you clicked on it, that would be the same thing," he said.

But hacking Leopard was not meant as an attack on Apple, according to Miller: "I use a MacBook all the time and that's what I used in the contest to attack the MacBook Air. I like Macs. That's the reason I went for it — it's in my best interest for them to be as secure as possible."