Apple's Leopard has been hacked within 30 seconds using a flaw in Safari, with rival operating systems Ubuntu and Windows Vista so far remaining impenetrable in the CanSecWest PWN to Own competition.
Security firm Independent Security Evaluators (ISE) — the same company that discovered the first iPhone bug last year — has successfully compromised a fully patched Apple MacBook Air at the CanSecWest competition, winning $10,000 (£5,000;) as a result.
Although the competition recorded the hack taking eight minutes, Charlie Miller, a principal analyst with ISE, told ZDNet.com.au that it took just 30 seconds and was achieved using a previously unknown flaw in Apple's Safari web browser.
"It might have taken eight minutes to sit down and open the computer but, when the competition started, 30 seconds later, it was over," said Miller.
Apple has been notified of the flaw, according to TippingPoint, the intrusion-detection company which provided the prize money.
Competitors in the hacking race were allowed to choose either a Sony laptop running Ubuntu 7.10, a Fujitsu laptop running Vista Ultimate SP1 or a MacBook Air running OS X 10.5.2.
"We could have chosen any of those three but had to make a judgement call on which would be the easiest and decided it would be Leopard," Miller said.
"Every time I look for [a flaw in Leopard] I find one. I can't say the same for Linux or Windows. I found the iPhone bug a year ago and that was a Safari bug as well. I've also found other bugs in QuickTime."
When the three operating systems were announced as competitors at the event a few weeks ago, ISE began looking for a bug and then spent time refining the attack to ensure it worked well on competition day.
The technique used to hack the MacBook Air was similar to a phishing attack where a victim is sent a link which they click on to visit a site containing malicious code, said Miller.
"Basically you type in something to the web browser and go to website that is controlled. In real life, you would get a link in an email and, if you clicked on it, that would be the same thing," he said.
But hacking Leopard was not meant as an attack on Apple, according to Miller: "I use a MacBook all the time and that's what I used in the contest to attack the MacBook Air. I like Macs. That's the reason I went for it; it's in my best interest for them to be as secure as possible."
Talkback
I hate to rain on everyones parade but this contest is for the "good hackers". This "panel" of hackers doesn't constitute the real world wit real threats. The bad hackers aren't going to show up to win a mere $20,000 when they know they can make $200,000 or more. At best, this is just an "in your face" show.
The default setting for OS X is firewall off (I don't know why) while the default for Vista and Ubuntu is on. Ah well, it would've been nice to get one of those shiny new Macs, but no one would pay for the airfare and a nice hotel and beer for me to try my luck. Maybe I'm not as valued an employee as I thought I was!!
I bet the guys at Microsoft will love that headline; "Leopard hacked in 30 seconds". In fact, after years of Apple bragging about making more secure Operating Systems, I wouldn't be suprised if the story made it into Microsoft's next keynote address!
If you look closely however, the hacker confesses to being more familiar with macs, which he cites as the reason he chose the mac over the other 2 systems.
Isn't it also the case that most bank roberries are carried out by people familiar with that particular branch?
In the story the hacker says "I use A MacBook all the time and that's WHAT (not why) I used in the contest to attack the MacBook Air". All that tells us is that he uses A MacBook, not he only uses Mac. Even if that were the case any of the windows or Linux hackers would be proficient in the OS they were attacking.
He also says,"Every time I look for [a flaw in Leopard] I find one. I can't say the same for Linux or Windows." which clearly shows he hacks all three OS's.
From my point of view, I’d expect that pretty much ANY of the major OS’s would be reasonably secure, with a patching effort being undertaken once vulnerabilities are made aware.
This would lead me to believe that the main people involved in contests of this nature would be those security specialists who do this for a living, and that are actually GOOD at what they do.
What bothers me more, however, is the fact that there may be code out there being exploited which is kept under close purview of either criminals, or military efforts, and has not yet been brought to the attention of the vendor.
The military aspect SHOULD be ok, given that they are generally working for us, but if any employee of the military should get a hold of a disk that contains that material, and then decides to leave the military, then this would be a disaster.
On another front, I’d be most curious to know what the truth is regarding backdoors into the OS’s. Do they really exist, and if so, who really knows about them, and can they be trusted.