Friday, March 28, 2008

MacBook Hacked in 2 Minutes...

From arstechnica.com

MacBook Air compromised in 2 minutes for $10,000 (Updated)

By Jacqui Cheng Published: March 28, 2008 - 09:54AM CT

Many of you remember last year's CanSecWest conference, where a MacBook Pro was compromised for a $10,000 prize. Well... take that, replace the MacBook Pro with a MacBook Air, and repeat it again for 2008. We learned in February that this year's CanSecWest would still involve a Mac, but also a laptop running Vista and some flavor of Linux.

That's exactly how it played out this week in Vancouver when security teams were presented with the three machines for the PWN2OWN contest. Unfortunately for Mac fanboys, the MacBook Air was the first to go down, thanks to security researcher Charlie Miller.

Miller is now the proud owner of $10,000 in cold, hard cash. Charlie Miller's name might sounds familiar to you, and that's because he was among the first to discover an exploit in mobile Safari on the iPhone.

According to IDG News Service, Miller took less than two minutes to compromise the MacBook Air. "Within 2 minutes, he directed the contest's organizers to visit a Web site that contained his exploit code, which then allowed him to seize control of the computer, as about 20 onlookers cheered him on," wrote IDG.

Part of the rules for the contest were that hackers could only use software that was preinstalled on the machines. DVLabs says that it is privvy to the exploit, and that it was through Safari. The exploit itself, however, is not being revealed for now in order to give Apple time to patch it (DVLabs says that the vulnerability has been "responsibly disclosed" to the company and that Apple is already working on it). The contest ends sometime today. It's expected that the Vista and Linux (Ubuntu) laptops are expected to go down today, but no news has come down yet about how they fared.

Update: As many of our commenters have pointed out, the MacBook Air was, in fact, hacked after the first day of the conference passed. None of the machines had been hacked on the first day, which prompted the PWN2OWN organizers to relax the rules on the second day. Regardless, the Safari exploit is still serious enough to allow someone to compromise the machine, whereas the other two machines (under the same, new set of rules) have yet to be compromised.