$10K Prize Nets Apple Vulnerability
It is often said that hackers eschew exploiting security holes in Apple's Mac OS X operating system in favor of researching flaws in Microsoft Windows computers because most of the world runs Microsoft machines. Thus, finding unpatched security flaws in Apple's software simply doesn't offer as much return on investment for attackers.
But what if that investment was limited to 72 hours and the return was more than guaranteed?
Spurred by a $10,000 purse and the prize of a brand new Apple MacBook Pro computer, security researchers at the annual CanSecWest hacker conference in Vancouver, British Columbia, reportedly found a previously undocumented security hole in a fully patched OS X software package running on a MacBook Pro.
CanSecWest founder Dragos Ruiu had sought to liven up the conference with a hacking challenge for attendees. Organizers set up two MacBook Pro computers on the conference network and challenged attendees to find a way to remotely compromise the machines. One machine would be given to the first person to compromise it with an exploit that allowed the attacker to assume the same level of access on the computer as the default user account. The second MacBook would only be awarded to a hacker who could find a way to seize complete control over the machine by finding a security flaw that would allow "root" access on the MacBook.
The challenge initially failed to interest many attendees, most of whom were apparently unaware that Apple had just shipped patches to plug some 25 separate security vulnerabilities. By the time a group of researchers decided to try to exploit those vulnerabilities, the conference staff had already patched the systems, according to Rob Lemos, a reporter for SecurityFocus.com, a publication owned by security giant Symantec Corp.
With few takers on the first day of the conference, security vendor TippingPoint sought to liven things up a bit by offering a $10,000 bonus to the first attendee to successfully hijack the machines. According to the CanSecWest blog, one attendee rose to the challenge, finding an unpatched bug in Safari, Apple's default Web browser. Conference organizers said the bug can be triggered by merely convincing a Mac user to visit a specially crafted Web page.
From the CanSec site: "At this point all we can say is there is an exploitable flaw in Safari which can be triggered within a malicious web page. Of course all of the latest security patches have been applied. This one is 0day folks. Technical details will be forthcoming as the winner works out the release."
Details of the vulnerability are sketchy, but the folks over at the Matasano Security blog appear to have a tiny bit more information, such as that the bug was found by Dino Dai Zovi, a security researcher who has previously found and reported flaws in Apple's software.
April 21, 2007; 9:15 AM ET
Categories: From the Bunker