Apple's Leopard lasts '30 seconds' in hack contest

Security firm Independent Security Evaluators exploited a Safari flaw to compromise the OS, with Vista and Ubuntu remaining secure

Apple's Leopard has been hacked within 30 seconds using a flaw in Safari, with rival operating systems Ubuntu and Windows Vista so far remaining impenetrable in the CanSecWest PWN to Own competition.

Security firm Independent Security Evaluators (ISE) — the same company that discovered the first iPhone bug last year — has successfully compromised a fully patched Apple MacBook Air at the CanSecWest competition, winning $10,000 (£5,000;) as a result.

Although the competition recorded the hack taking eight minutes, Charlie Miller, a principal analyst with ISE, told ZDNet.com.au that it took just 30 seconds and was achieved using a previously unknown flaw in Apple's Safari web browser.

"It might have taken eight minutes to sit down and open the computer but, when the competition started, 30 seconds later, it was over," said Miller.

Apple has been notified of the flaw, according to TippingPoint, the intrusion-detection company which provided the prize money.

Competitors in the hacking race were allowed to choose either a Sony laptop running Ubuntu 7.10, a Fujitsu laptop running Vista Ultimate SP1 or a MacBook Air running OS X 10.5.2.

"We could have chosen any of those three but had to make a judgement call on which would be the easiest and decided it would be Leopard," Miller said.

"Every time I look for [a flaw in Leopard] I find one. I can't say the same for Linux or Windows. I found the iPhone bug a year ago and that was a Safari bug as well. I've also found other bugs in QuickTime."

When the three operating systems were announced as competitors at the event a few weeks ago, ISE began looking for a bug and then spent time refining the attack to ensure it worked well on competition day.

The technique used to hack the MacBook Air was similar to a phishing attack where a victim is sent a link which they click on to visit a site containing malicious code, said Miller.

"Basically you type in something to the web browser and go to website that is controlled. In real life, you would get a link in an email and, if you clicked on it, that would be the same thing," he said.

But hacking Leopard was not meant as an attack on Apple, according to Miller: "I use a MacBook all the time and that's what I used in the contest to attack the MacBook Air. I like Macs. That's the reason I went for it; it's in my best interest for them to be as secure as possible."