A team of security researchers has won US$10,000 for hacking a MacBook Air in two minutes using an undisclosed Safari vulnerability.
IDG News Service is camped out at CanSecWest in Vancouver, Canada, and has chronicled the exploits of Charlie Miller, Jake Honoroff, and Mark Daniel of Independent Security Evaluators during the Pwn to Own contest sponsored by TippingPoint. The team was able to gain control of a MacBook Air on the second day of the hacking competition, which pitted the Air against Windows Vista and Ubuntu machines.
No one was able to execute code on any of the systems on Wednesday, the first day of the contest, when hacks were limited to over-the-network techniques on the operating systems themselves. But on the second day, the rules changed to allow attacks delivered by tricking someone into visiting a maliciously crafted Web site or opening an e-mail. Hackers were also allowed to target "default installed client-side applications", such as browsers.
The team had attack code already set up on a Web site, and was able to gain access to the MacBook Air and retrieve a file after judges were "tricked" into visiting the site. According to the TippingPoint DVLabs blog, a newly discovered vulnerability in Safari was used to gain control of the Air.
The contest rules stipulated that winners immediately sign a nondisclosure agreement relating to their technique, so that the vulnerability could be disclosed to the vendor, and TippingPoint said Apple has been informed of the vulnerability.
Last year's contest was won by exploiting a QuickTime vulnerability, which was patched by Apple in less than two weeks. No one had gained control of the Vista or Ubuntu machines at the time of writing.
This article was first published as a blog on CNET News.com.