Safari vulnerability exposed in MacBook Pro hacking contest

If you bought a Mac because you thought that it was an impenetrable fortress immune from being hacked, you may want to think again.

Hackers Dino Dai Zovi and Shane Macaulay were able to hijack a MacBook Pro as part of the "PWN to OWN" contest at the CanSecWest security conference in Vancouver, British Columbia.

From the conference Web site:

We've announced that we will be having a contest "PWN to OWN" where two, pimp, loaded up, Apple Macbook Pro's will be set up on their own AP (with security updates but otherwise default) and attendees will be able to connect to the ethernet or WiFi. The first to exploit it (there are victory conditions, and progressive rules over the three days) gets to go home with it. (Limit one per person, Can't use the same vuln on both.) If they survive the three days in the "jungle," they become prizes for best lightning talk and best speaker.

The duo succeeded only after the contest rules were relaxed, which happened because nobody had breached either of the Macs on the first day. Dai Zovi found the Safari vulnerability and wrote the exploit overnight in about 9 hours, he said. News.com's Joris Evers quoted Dai Zovi in a telephone interview from New York as saying "The vulnerability and the exploit are mine... Shane is my man on the ground."

Macaulay will take home the loaded MacBook Pro, while Dai Zovi has his eye on a larger prize. He plans to apply for TippingPoint's Zero Day Initiative bug bounty program, which is offering a US$10,000 prize for a previously unknown Apple bug.

Apple isn't saying anything about the exploit, but you can probably expect another security update to address the Safari vulnerability in the coming weeks.

Topics: Security

About

Jason D. O'Grady developed an affinity for Apple computers after using the original Lisa, and this affinity turned into a bona-fide obsession when he got the original 128 KB Macintosh in 1984. He started writing one of the first Web sites about Apple (O'Grady's PowerPage) in 1995 and is considered to be one of the fathers of blogging....
