Mac Flaw Exploited to Hack Computer at Vancouver Conference
Software engineer Shane Macaulay, tipped off by his friend Dino Dai Zovi, a security researcher, discovered a security hole in Safari, the Mac browser. An attacker who exploited the flaw could gain unauthorized access and take control of the computer. The hack was performed in a contest at the CanSecWest security conference in Vancouver, which carried a prize of $10,000.
Dai Zovi had previously found flaws in the Mac for which Apple credited him. He sent instructions to his friend Macaulay in the form of a URL that exposed the Safari flaw. Macaulay was attending the Vancouver conference at the time, which made him a participant in the contest.
The conference organizers opened the challenge to anyone capable of breaking into the system through a wireless access point while no program was running on the computer.
The URL showed an empty page but exposed a vulnerability in Safari's input handling, said Sean Comeau, an organizer of CanSecWest. Infoworld published Comeau's statement on April 20, 2007. The vulnerability could be used in many different ways, but Dai Zovi exploited it to create a backdoor that allowed him to access anything and everything on the computer, Comeau said.
Lynn Fox, a spokeswoman for Apple, was reluctant to say anything about the Mac browser hack, but repeated Apple's often-stated position on security. She said Apple was very serious about security and had previously addressed potential vulnerabilities well before they could harm users.
Some conference attendees didn't believe Apple's release of a patch for 25 flaws in Mac OS X on April 19, 2007 was a sheer coincidence.
Hackers and malicious code writers have not targeted Macs as much as they have Windows PCs. One major reason is that Macs have fewer users, so malware would have a smaller effect than it would on the widely used Windows PCs.
The conference organizers decided not to make public the exploit code used to hack the Mac. Instead they would pass the information to Apple so that the company could patch the vulnerability before any hacker exploited it.
» SPAMfighter News - 27-04-2007