
March 27th, 2008

MacBook Air falls in two minutes at PWN 2 OWN

Posted by Larry Dignan @ 2:24 pm

Categories: Apple, Exploit code, Zero-day attacks

Tags: Minute, Apple MacBook, Charlie Miller, Notebooks, Hardware, Notebooks & Tablets, Larry Dignan

The MacBook Air fell in two minutes at the CanSecWest security conference’s PWN 2 OWN.

According to Infoworld, Charlie Miller won the $10,000 prize. Under the contest rules, organizers offered a Sony Vaio, a Fujitsu U810, and the MacBook as prizes. On Day 1 no one won because they couldn’t hack into the laptops with a zero-day attack. The MacBook runs OS X 10.5.2. The Vaio runs on Ubuntu 7.10 and the Fujitsu runs on Vista Ultimate. Those two laptops are still standing, but that may be because there’s more hacker glory in taking down the MacBook Air.

On Day 2, the rules are relaxed. Two minutes later Miller had his prize. Miller is the researcher behind the first iPhone hack.

Chatter on Twitter indicates that Miller’s winning hack was a browser exploit. However, the Zero Day Initiative owns the code so details were sparse.

Ryan Naraine reports:

The Zero Day Initiative has confirmed the winner. In a post, ZDI said:

At 12:38pm local time, the team of Charlie Miller, Jake Honoroff, and Mark Daniel from Independent Security Evaluators have successfully compromised the Apple MacBook Air, winning the laptop and $10,000 from TippingPoint’s Zero Day Initiative.  They were able to exploit a brand new 0day vulnerability in Apple’s Safari web browser.  Coincidentally, Apple has just started to ship Safari to some Windows machines, with its iTunes update service. The vulnerability has been acquired by the Zero Day Initiative, and has been responsibly disclosed to Apple who is now working on the issue.  Until Apple releases a patch for this issue, neither we nor the contestants will be giving out any additional information about the vulnerability.

Larry Dignan is Editor in Chief of ZDNet and Editorial Director of ZDNet sister site TechRepublic.

  • Talkback
  • Most Recent of 183 Talkback(s)
A Virus is not the same as a hack to PWN
Only stupid mac users claim that a mac is not vulnerable to hacks and
viruses.
If it is a computer it runs code so it can be hit by a virus and it more
than likely has security flaws that c...
Posted by: Michael Fournier Posted on: 03/25/09
