
Zero Day

Ryan Naraine and Dancho Danchev

Pwn2Own MacBook attack: Charlie Miller hacks Safari again

March 24, 2010, 5:03pm PDT

Summary: For the third year in a row, Charlie Miller has hacked into a MacBook by exploiting a critical Safari browser vulnerability.

VANCOUVER, BC — For the third year in a row, Charlie Miller has hacked into a MacBook by exploiting a critical Safari browser vulnerability.

At the CanSecWest Pwn2Own hacker contest here, Miller performed a clean drive-by download against Safari to get a full command shell on the MacBook.

[ ALSO SEE: Hacker exploits IE8 on Windows 7 to win Pwn2Own ]

In the attack, Miller set up a special Web page with the exploit. Using Safari, a conference organizer surfed to the Web page and watched as Miller took control of the machine.

Details of the vulnerability are being kept under wraps until Apple releases a fix.  TippingPoint Zero Day Initiative (ZDI), the contest sponsors, will handle the process of reporting the issue to Apple.

Miller, who uses fuzzers to find security vulnerabilities, is slated to deliver a conference presentation on fuzzing techniques against popular software products.

[ ALSO SEE: Pwn2Own 2010: iPhone hacked, SMS database hijacked ]

More to come…


Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a security evangelist. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Talkback Most Recent of 80 Talkback(s)

  • Hackers always go after low hanging fruit first
    We are told this time and time again. So, using
    Apple cultist logic, the easiest mobile
    phone to hack is the iPhone and the easiest
    browser to hack is Safari. Makes me glad I don't
    use either of those security sieves.
    NonZealot
    24th Mar 2010
  • Great Point Except...
    They had a lottery as to which order they would take the machines down.
    They say lottery but the iPhone came out first in line... which is
    convenient for them from a publicity point of view...
    john@...
    24th Mar 2010
  • RE: Pwn2Own MacBook attack: Charlie Miller hacks Safari again
    @john@... That's true but NonZealot's point is still true. By Charlie M's own admission they take the low hanging fruit first regardless of which device is first to be hacked. Charlie M considers Apple's Safari an easy hack.
    DevGuy_z
    3rd Feb 2011
  • These are not hackers, they are security experts - are you that dumb
    Hackers always go after low hanging fruit first
    We are told this time and time again. So, using
    Apple cultist logic, the easiest mobile
    phone to hack is the iPhone and the easiest
    browser to hack is Safari. Makes me glad I don't
    use either of those security sieves.


    Yet again you obviously miss the point and make outrageous claims.

    Hackers go after the money.

    Pwn2Own contestants are not hackers, they are the people who work
    to stop hackers.

    A bit like the difference between an Anti-Terrorism consultant and a
    terrorist.

    Terrorists blow people up, they go after those they wish to blow up,
    and target those they can blow up easiest.

    Anti-Terrorism consultants get paid big money to find ways to stop
    the hard to reach targets from being hit.

    So if this was a terrorism related competition, the big prize would be
    to hit the target with the best security.

    And this outcome would not validate any statements about the targets
    of suicide bombers.

    You are either a fool, or have an agenda in these statements, which is
    it?

    And your clever security threat assessment is clearly borne out by the
    number of infected PCs, and the lack of infected Macs, isn't it?
    richardw66
    25th Mar 2010
  • You completely missed the point... by a country mile.
    The thing is - it doesn't matter WHO or WHY it got hacked.

    The point is - The bloody thing got HACKED. Period.

    Yes, it's all very well and good that the folks who hack at CanSecWest are security researchers and not some Romanian or Russian bad guys who are out to build a botnet or some such. God help you guys if they weren't quite so honest.

    You'd be making a royal mess in your undies if this stuff ever got out into the wild and got into a crimeware gang's collective hands - AND if anyone in one of those gangs ever gave a flying fig about the Mac.

    What's even worse... Apple released a slew of patches in the past couple of weeks that were all security related. And it STILL got pwned!

    The bottom line of the article obviously didn't sink in all the way -

    "At the CanSecWest Pwn2Own hacker contest here, Miller performed a clean drive-by download against Safari to get a full command shell on the MacBook."

    That sounds to me a lot like ROOT level access. We keep hearing that's supposed to be impossible. And yet, it still happened.
    Wolfie2K3
    25th Mar 2010
  • lol wow
    Since when the hell was a "hacker" defined as someone who takes advantage of a security exploit only for the money? A hacker is anyone that takes advantage of a machine or network by using vulnerabilities in software.
    ChrisHacken
    25th Mar 2010
  • RE: Pwn2Own MacBook attack: Charlie Miller hacks Safari again
    @richardw66 1) They themselves will call themselves hackers. White hat hackers but hackers nonetheless. If they call themselves hackers, then NonZealot can too.
    2) Charlie Miller explicitly claims to go after low hanging fruit. Search around and you won't find interviews with him hard to find.
    3) The reason they go after the low hanging fruit is that there is money in finding an exploit (again, this is based on interviews with the contestants) and they save their best exploits for where they can get money.
    4) There have been successful in the wild attacks against Macs and Linux. Many years ago a guy challenged the world by putting a fully patched Mac outside a firewall and challenged the world to hack it. It fell within 30 minutes.
    5) Macs are not as interesting targets because Apple really doesn't do servers and servers are the primary targets of hacks.
    6) BSD, on which OS-X is based, was found to have a back door that went unnoticed for over a year.
    DevGuy_z
    3rd Feb 2011
  • good catch, you found an incorrect title
    This hack didn't "win" pwn2own, for starters the prize won is only 10k, compared to 15k for the iPhone SMS hack.

    http://blogs.zdnet.com/security/?p=5836
    rtk
    26th Mar 2010
  • That is why Windows 7 fell the fastest.
    Sorry NonZealot. Charlie did not win. The win went to IE 8
    and Windows 7 (64 bit).

    Yep, lowest hanging fruit did win.
    Bruizer
    24th Mar 2010
  • Quote you Bruizer, "Yep, lowest hanging fruit did win."
    Sorry Bruizer but this is exactly how it happened:

    http://dvlabs.tippingpoint.com/blog/2010/02/15/pwn2own-2010

    Here are the results, in order:

    1. PWNED! Vincenzo Iozzo and Ralf Philipp Weinmann - iPhone
    2. PWNED! Charlie Miller - Safari
    3. Nils - Safari (Prize Claimed)

    4. PWNED! Peter Vreugdenhil - Internet Explorer 8
    5. MemACCT - Internet Explorer 8 (Prize Claimed)

    6. Anonymous - Nokia
    7. Anonymous - iPhone (Prize already won)
    8. PWNED! Nils - Firefox
    Competition Results (still in progress)

    Vincenzo Iozzo and Ralf Philipp Weinmann succeeded in exploiting the iPhone in the first time slot. They exploited a 0day Safari vulnerability with a payload which retrieved the text messages from the device.

    As the luck of the draw would have it Nils on Safari, MemACCT on IE 8 and Anonymous on iPhone lost their time slots as the prizes had already been claimed. Their vulnerabilities are still eligible for submission through the Zero Day Initiative.
    Tags:
    Published On: 2010-02-15 16:41:27


    Incredible the FUD+BS Apple zealots spew... But it only works on imbeciles.

    Like you say Bruizer: "Yep, lowest hanging fruit did win".

    ~~~~~~~~~~~
    The game of life is the game of boomerangs. Our thoughts, deeds and words return to us sooner or later, with astounding accuracy.
    ~ Florence Scovel Shinn
    WinTard
    24th Mar 2010
  • Fell the fastest...
    Not in the order. The order was already picked and the iPhone was up
    first. Perhaps you didn't read the rules you linked to?
    john@...
    24th Mar 2010
  • Safari Easier to Hack Than IE8
    According to interviews with the hackers, Miller wrote his Safari exploit in "less than a week" while it took Vreugdenhil "about two weeks" to write the IE exploit.

    It's not how quickly the exploit acts that determines how secure a system is, it's how hard it is to write the exploit that hacks the system.

    But why burden yourself with facts when uninformed opinion is much more aligned with your personal views.
    NameRedacted
    25th Mar 2010
  • er, miller does this for a living...
    I suppose you won't count the 3 years he's been doing this as going
    against his 1 week exploit as opposed to 2 weeks from someone coming
    at this fresh then?
    john@...
    25th Mar 2010
