A security researcher sent instructions to a security engineer on a zero-day vulnerability in Safari and together worked for 9 hours on an exploit to hack into a Macbook at a hack-a-Mac contest the engineer had joined.
Dino Dai Zovi, a security researcher who has found flaws in Mac software in the past, fed info to Shane Macaulay, a security engineer who had joined the two-day “PWN To Own” Mac-hacking contest at the CanSecWest Security Conference at Vancouver yesterday, to win one of two MacBooks that were being given to the first people who can hack into them. The Macs were current and up-to-date with all security patches, but had no special security software on them outside of what came with OS X.
On April 20, the second day of the contest, the rules were relaxed after no one was able to do it the day before, and Macaulay was able to hack into one of the Macbooks using Dai Zovi’s help. The hack was accomplished by having a CanSecWest organizer surf to a malicious website using Safari, upon which they used the zero-day security hole in the browser, a tactic familiar to Windows hackers. Macaulay is now the proud owner of the Macbook he hacked.
This comes (coincidentally?) on the heels of the release of the new Security Update from Apple the day before the hack.
May 3rd, 2007 at 9:55 pm
[…] Security, News. trackback Apparently that Zero Day Hole in Safari I wrote about in a previous post that allowed a coupla guys to hack into, and win, a Macbook (and US$10K) in the CanSecWest security […]