Apple's Leopard lasts '30 seconds' in hack contest

Summary: Security firm Independent Security Evaluators exploited a Safari flaw to compromise the OS, with Vista and Ubuntu remaining secure

Apple's Leopard has been hacked within 30 seconds using a flaw in Safari, with rival operating systems Ubuntu and Windows Vista so far remaining impenetrable in the CanSecWest PWN to Own competition.

Security firm Independent Security Evaluators (ISE) — the same company that discovered the first iPhone bug last year — has successfully compromised a fully patched Apple MacBook Air at the CanSecWest competition, winning $10,000 (£5,000) as a result.

Although the competition recorded the hack as taking eight minutes, Charlie Miller, a principal analyst with ISE, said that it took just 30 seconds and was achieved using a previously unknown flaw in Apple's Safari web browser.

"It might have taken eight minutes to sit down and open the computer but, when the competition started, 30 seconds later, it was over," said Miller.

Apple has been notified of the flaw, according to TippingPoint, the intrusion-detection company which provided the prize money.

Competitors in the hacking race were allowed to choose either a Sony laptop running Ubuntu 7.10, a Fujitsu laptop running Vista Ultimate SP1 or a MacBook Air running OS X 10.5.2.

"We could have chosen any of those three but had to make a judgement call on which would be the easiest and decided it would be Leopard," Miller said.

"Every time I look for [a flaw in Leopard] I find one. I can't say the same for Linux or Windows. I found the iPhone bug a year ago and that was a Safari bug as well. I've also found other bugs in QuickTime."

When the three operating systems were announced as competitors at the event a few weeks ago, ISE began looking for a bug and then spent time refining the attack to ensure it worked well on competition day.

The technique used to hack the MacBook Air was similar to a phishing attack where a victim is sent a link which they click on to visit a site containing malicious code, said Miller.

"Basically you type in something to the web browser and go to a website that is controlled. In real life, you would get a link in an email and, if you clicked on it, that would be the same thing," he said.

But hacking Leopard was not meant as an attack on Apple, according to Miller: "I use a MacBook all the time and that's what I used in the contest to attack the MacBook Air. I like Macs. That's the reason I went for it; it's in my best interest for them to be as secure as possible."

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

  • Don't be so Naive

    I hate to rain on everyone's parade but this contest is for the "good hackers". This "panel" of hackers doesn't constitute the real world with real threats. The bad hackers aren't going to show up to win a mere $20,000 when they know they can make $200,000 or more. At best, this is just an "in your face" show.
  • That plus...

    The default setting for OS X is firewall off (I don't know why) while the default for Vista and Ubuntu is on. Ah well, it would've been nice to get one of those shiny new Macs, but no one would pay for the airfare and a nice hotel and beer for me to try my luck. Maybe I'm not as valued an employee as I thought I was!!
  • Bruising Apple's ego!

    I bet the guys at Microsoft will love that headline: "Leopard hacked in 30 seconds". In fact, after years of Apple bragging about making more secure operating systems, I wouldn't be surprised if the story made it into Microsoft's next keynote address!

    If you look closely, however, the hacker confesses to being more familiar with Macs, which he cites as the reason he chose the Mac over the other two systems.
    Isn't it also the case that most bank robberies are carried out by people familiar with that particular branch?
  • Finding what you want the story to say.

    In the story the hacker says "I use A MacBook all the time and that's WHAT (not why) I used in the contest to attack the MacBook Air". All that tells us is that he uses A MacBook, not that he only uses Macs. Even if that were the case, any of the Windows or Linux hackers would be proficient in the OS they were attacking.

    He also says, "Every time I look for [a flaw in Leopard] I find one. I can't say the same for Linux or Windows," which clearly shows he hacks all three OSs.
  • Security specialists, criminals, military, & backdoors

    From my point of view, I