Conference Holds Competition to Hack MacBook
Macaulay, a software engineer, successfully exploited a zero-day flaw in Apple's Safari browser to hack into a Mac OS X system. The computer was part of the prize offered in the contest named 'PWN to Own Hack-a-Mac' at the CanSecWest conference in Vancouver. This was reported in news published on April 23, 2007.
The attack succeeded on the contest's second and final day, when the conference organizers browsed to a malicious site via Safari on the MacBook. Windows users are likely to be familiar with this attack. CanSecWest organizers had eased the contest rules on Friday because nobody attending the event had been able to break into either of the two Mac systems a day earlier.
The organizers decided to hand over the prize partly to bring to light the possible security gaps in Macs. Many people used OS X believing it to be secure, but frankly Microsoft is much further ahead in its security than Apple, said Dragos Ruiu, the key organizer of security conferences, CanSecWest among them. PCretailmag published this in news on April 23, 2007.
Dino Dai Zovi, a security researcher who was until now with Matasano Security, joined Macaulay in winning the competition. Dai Zovi had earlier found flaws in Mac software, for which Apple credited him. This time Dai Zovi detected the Safari hole and wrote the exploit in nine hours overnight.
When Dai Zovi exposed the vulnerability in Apple's Safari, he helped Macaulay with it for the contest. As a result, every computer running Mac OS X at the contest became vulnerable to the flaw, said Sean Comeau, an organizer of CanSecWest. Computerworld published this in news on April 20, 2007.
Following testing of the exploit, Safari, Camino and Firefox all seem to be vulnerable. There are intense online debates about patches and security fixes. Some say that the systems are still exposed, with no proper patch in place. According to the conference experts, the patches and updates to the systems were complete. However, the set of patches issued over the past few days was not installed on the systems. The exploit would work regardless of their presence.
» SPAMfighter News - 30-04-2007