Security Bytes - A SearchSecurity.com blog

The information security blog for the latest buzz on data security, privacy and regulatory compliance issues, information security threats, software security updates, flaws and more.

New Apple Air notebook vaporized in PWN2OWN contest

Apple is claiming that its new Air is the world’s thinnest notebook PC. Luckily, it didn’t make any claims about the new machine’s security, because it only took Charlie Miller of Independent Security Evaluators a few minutes on Thursday to gain control of a new Air in the annual Pwn2Own hacking contest at CanSecWest. Miller was able to exploit an unpatched vulnerability in Apple’s Safari browser to compromise the notebook, winning himself a $10,000 prize, as well as the Air itself. Not a bad haul for a few minutes of work.

This year’s contest is a bit different from last year’s edition, in that there are three separate machines up for grabs. In addition to the Air, TippingPoint, which sponsors the contest, put up two other machines, one each running Vista and Ubuntu. After Miller cracked the laptop, he turned over details of the attack to TippingPoint, which disclosed it to Apple.

2 Comments »

  1. “A few minutes of work” is quite the overstatement. While an exploit may run within a few minutes, the preparation behind it is generally not trivial. You might also mention that the exploit came on the second day of the contest, after the rules were relaxed. Or you might not, since it seems there isn’t a great deal of concern for responsible journalism.

    It’s easy to write and gloat about successful exploits. However, it may interest you to know that the actual vulnerability was part of the PCRE project (pcre.org) and not Apple-written code. I’m sure they’re miffed that they missed the exploit regardless, but it’s still an interesting detail that nobody has cared to learn or report. Huh.

    At any rate, putting “vaporized” in the headline should bring some sensationalism and drive web traffic. Well done you.

    Comment by Quinn Taylor — April 17, 2008 @ 1:57 pm

  2. No surprises here given the complete denial of security risks by Apple. We are just waiting for a major virus to target Apple and the class action lawsuit following that. I will have my recording of the Apple store guys saying “Security is not an issue on a Mac” ready to cash in.

    Comment by Fred Okum — April 21, 2008 @ 3:36 pm
