MacBook Pro hijacked with Safari zero-day

Summary:Hackers Dino Dai Zovi and Shane Macaulay teamed up to hijack a MacBook Pro laptop at the CanSecWest security conference here, effectively pouring cold water on the Mac faithful's belief that the machines are impenetrable.

VANCOUVER, BC -- Hackers Dino Dai Zovi and Shane Macaulay teamed up to hijack a MacBook Pro laptop at the CanSecWest security conference here, effectively pouring cold water on the Mac faithful's belief that the machines a
Dino Dai Zovi
re impenetrable.

Dai Zovi (pictured left), a former Matasano researcher who has been credited in the past with finding Mac OS X vulnerabilities, exploited a zero-day flaw in the built-in Safari browser to take complete control of the machine.

The MacBook hijack required that Safari opened a specially rigged Web site (Techmeme discussion).

Dai Zovi is credited with finding the flaw and writing the exploit.   Macaulay, who was at the conference and served as the man on the ground, keeps the hijacked MacBook while Dai Zovi will put in a claim for the $10,000 bounty offered by TippingPoint's Zero Day Initiative.
 
Here's the formal announcement from CanSecWest organisers:
At this point all we can say is there is an exploitable flaw in Safari which can be triggered within a malicious web page. Of course all of the latest security patches have been applied. This one is 0day folks. Technical details will be forthcoming as the winner works out the release. There is still one more Mac to go. (the same flaw cannot be used again, but other Safari bugs are allowed)

Just to review the rules, the first box required a flaw that allows the attacker to get a shell with user level privilages. The second box, still up for grabs, requires the same, plus the attacker needs to get root.
More from Matasano Security and Joris Evers.  

Topics: Apple, Hardware

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.