
April 20th, 2007

MacBook Pro hijacked with Safari zero-day

Posted by Ryan Naraine @ 10:05 pm

Categories: Apple, Browsers, Data theft, Exploit code, Firefox, Hackers, Metasploit, Patch Watch, Pen testing, Responsible disclosure, Vulnerability research, Zero-day attacks

Tags: Apple Macintosh, Flaw, Apple MacBook, Apple MacBook Pro, Ryan Naraine

VANCOUVER, BC — Hackers Dino Dai Zovi and Shane Macaulay teamed up to hijack a MacBook Pro laptop at the CanSecWest security conference here, effectively pouring cold water on the Mac faithful's belief that the machines are impenetrable.

Dai Zovi, a former Matasano researcher who has been credited in the past with finding Mac OS X vulnerabilities, exploited a zero-day flaw in the built-in Safari browser to take complete control of the machine.

The MacBook hijack required that Safari open a specially rigged Web site (Techmeme discussion).

Dai Zovi is credited with finding the flaw and writing the exploit. Macaulay, who was at the conference and served as the man on the ground, keeps the hijacked MacBook while Dai Zovi will put in a claim for the $10,000 bounty offered by TippingPoint's Zero Day Initiative.
 
Here's the formal announcement from CanSecWest organisers:

At this point all we can say is there is an exploitable flaw in Safari which can be triggered within a malicious web page. Of course all of the latest security patches have been applied. This one is 0day folks. Technical details will be forthcoming as the winner works out the release. There is still one more Mac to go. (the same flaw cannot be used again, but other Safari bugs are allowed)

Just to review the rules, the first box required a flaw that allows the attacker to get a shell with user level privileges. The second box, still up for grabs, requires the same, plus the attacker needs to get root.

More from Matasano Security and Joris Evers.  

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.


