Apple's Leopard has been hacked within 30 seconds using a flaw in Safari, with rival OSes Ubuntu and Vista so far remaining impenetrable in the CanSecWest PWN to OWN competition.
Security firm Independent Security Evaluators (ISE) — the same company that discovered the first iPhone bug last year — successfully compromised a fully patched Apple MacBook Air at the CanSecWest competition, winning them US$10,000.
Although the competition recorded the hack taking eight minutes, Charlie Miller, a principal analyst with ISE, told ZDNet.com.au that it took just 30 seconds and was achieved using a previously unknown flaw in Apple's Web browser Safari.
"It might have taken eight minutes to sit down and open the computer, but when the competition started, 30 seconds later it was over," said Miller.
Apple has been notified of the flaw, according to the intrusion detection company which offers the prize money, TippingPoint.
Want to know more?
For all the latest news, analysis and opinion on security, click here
Competitors in the hacking race were allowed to choose either a Sony laptop running Ubuntu 7.10, a Fujitsu laptop running Vista Ultimate SP1 or a MacBook Air running OSX 10.5.2.
"We could have chosen any of those three but had to make a judgment call on which would be the easiest and decided it would be Leopard," Miller said.
"Every time I look for [a flaw in Leopard] I find one. I can't say the same for Linux or Windows. I found the iPhone bug a year ago and that was a Safari bug as well. I've also found other bugs in Quicktime."
When the three decided to enter the competition a few weeks ago, they began looking for a bug and then spent time refining the attack to ensure it worked well on competition day.
The technique used to PWN the MacBook Air was similar to a phishing attack where a victim is sent a link which they click on to visit a site containing malicious code, said Miller.
"Basically you type in something to the Web browser and go to Web site that is controlled. In real life, you would get a link an e-mail and if you clicked on it, that would be the same thing," he said.
But hacking Leopard was not meant as an attack on Apple, according to Miller: "I use a MacBook all the time and that's what I used in the contest to attack the MacBook Air. I like Macs. That's the reason I went for it — it's in my best interest for them to be as secure as possible."
What the article does not point out is that on the first 24-hours of the contest, the contestants were suppose to do an attack on the Mac remotely via the network alone.
No one could hack the Mac remotely via the network alone.
The second day, they relaxed the rules and allowed the contestants physical access to the Mac so that they could install an automated user to receive emails or use a browser to go to a malicious website set up by the contestant.
Duh.
It took more than 24-hours to hack the Mac. It takes days to program an automated user or develop and program a malicious website. They had to do the work even before the contest.
And it took physical access to the computer to hack it. They could not hack it over the network at all!
Thus the contest is a crock.
I doubt any user will allow a crook or stranger physical access to their personal computer. Once a person has physical access to a computer then any computer can be hacked. Through the firewire ports, any Windows computer is instantly compromised, for example.