Apple's Leopard hacked in 30 seconds

Apple's Leopard hacked in 30 seconds

Summary: Apple's Leopard has been hacked within 30 seconds using a flaw in Safari, with rival OSes Ubuntu and Vista so far remaining impenetrable in the CanSecWest PWN to OWN competition.

TOPICS: Security, Browser

Apple's Leopard has been hacked within 30 seconds using a flaw in Safari, with rival OSes Ubuntu and Vista so far remaining impenetrable in the CanSecWest PWN to OWN competition.

Security firm Independent Security Evaluators (ISE) — the same company that discovered the first iPhone bug last year — successfully compromised a fully patched Apple MacBook Air at the CanSecWest competition, winning them US$10,000.

Although the competition recorded the hack taking eight minutes, Charlie Miller, a principal analyst with ISE, told that it took just 30 seconds and was achieved using a previously unknown flaw in Apple's Web browser Safari.

"It might have taken eight minutes to sit down and open the computer, but when the competition started, 30 seconds later it was over," said Miller.

Apple has been notified of the flaw, according to the intrusion detection company which offers the prize money, TippingPoint.

Competitors in the hacking race were allowed to choose either a Sony laptop running Ubuntu 7.10, a Fujitsu laptop running Vista Ultimate SP1 or a MacBook Air running OSX 10.5.2.

"We could have chosen any of those three but had to make a judgment call on which would be the easiest and decided it would be Leopard," Miller said.

"Every time I look for [a flaw in Leopard] I find one. I can't say the same for Linux or Windows. I found the iPhone bug a year ago and that was a Safari bug as well. I've also found other bugs in Quicktime."

When the three decided to enter the competition a few weeks ago, they began looking for a bug and then spent time refining the attack to ensure it worked well on competition day.

The technique used to PWN the MacBook Air was similar to a phishing attack where a victim is sent a link which they click on to visit a site containing malicious code, said Miller.

"Basically you type in something to the Web browser and go to Web site that is controlled. In real life, you would get a link an e-mail and if you clicked on it, that would be the same thing," he said.

But hacking Leopard was not meant as an attack on Apple, according to Miller: "I use a MacBook all the time and that's what I used in the contest to attack the MacBook Air. I like Macs. That's the reason I went for it — it's in my best interest for them to be as secure as possible."

Topics: Security, Browser

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Lame contest...

    What the article does not point out is that on the first 24-hours of the contest, the contestants were suppose to do an attack on the Mac remotely via the network alone.

    No one could hack the Mac remotely via the network alone.

    The second day, they relaxed the rules and allowed the contestants physical access to the Mac so that they could install an automated user to receive emails or use a browser to go to a malicious website set up by the contestant.


    It took more than 24-hours to hack the Mac. It takes days to program an automated user or develop and program a malicious website. They had to do the work even before the contest.

    And it took physical access to the computer to hack it. They could not hack it over the network at all!

    Thus the contest is a crock.

    I doubt any user will allow a crook or stranger physical access to their personal computer. Once a person has physical access to a computer then any computer can be hacked. Through the firewire ports, any Windows computer is instantly compromised, for example.
  • Lame response

    They didn't have physical access to the Mac at all, the second day rules were that the user of the Mac went to the attacker's website. Nothing more. Its the same kind of thing you might do with your next click...
  • Lame Apple software

    "any Windows computer is instantly compromised" ... but only if running the unpatched QuickTime app ... an app from Apple itself (Duh, cant blame others this time). As for remote access - itonically cause by a security patch itself - double doh.
  • lame you guys

    why are you guys don't want to admit a flaw in apple?? windows used to be sucks couple years from now, but it's getting better and better at security. i'm using windows right now and planning to move to apple within a couple of years (saving money). but i don't like stupid people that think apple's perfect. nothing's perfect you morons.
  • Lame for sure

    User intervention, arh! thats not hacking at all, get back on good old days of unix shell and really killing a server!!!!
    Its the dope pushing the keys on the other end that comprises the machine windows or mac, not the Os.
  • Truth

    So was there or was there not physical access?....

    Can we get the simple truth?
  • who cares

    who really cares...
  • Obviously people do

    duh! you're looking at a page full of people who care...are you lost?