MacBook Air hacked in less than 2 minutes
Mac OS X’s reputation for security was tarnished Thursday when a team of researchers from Independent Security Evaluators (ISE) managed to hack a MacBook Air in two minutes using a zero-day vulnerability in Apple’s Safari 3.1 Web browser. The ISE security researchers — Charlie Miller, Jake Honoroff, and Mark Daniel — were participating in the “PWN to OWN” competition at the CanSecWest security conference, which began Wednesday in Vancouver, British Columbia. “Pwn” is computer gaming slang for “own,” as in conquer. The “p” typo serves to heighten the humiliation of defeat by emphasizing that the loss came at the hands of a youth who can’t even spell or type correctly. The term has also come to be used in security circles.

Contest participants had their choice of trying to hack an Apple MacBook Air running OS X 10.5.2, a Sony Vaio VGN-TZ37CN running Ubuntu 7.10, or a Fujitsu U810 running Vista Ultimate SP1. During the first day, when attacks were limited to network attacks on the operating system, no one managed to compromise any of the systems. That changed Thursday when attacks on default client-side applications — Web browser, e-mail, IM — were allowed. The ISE team won $10,000 from security firm TippingPoint Technologies for compromising the MacBook Air. The undisclosed vulnerability in Safari 3.1 has been shown to Apple and no further information about it will be revealed until Apple can issue an update, TippingPoint said.
Source: CRN, InfoWeek

First 1?
Martin: BANNED (81.233.165.201, Ängelholm, Sweden)
interesting,
just wondering again, why is there Tech news on this site again?
not asking to be a prick - i really wonder. why…?
the one they hacked first they could take home, so of course they hacked the macbook air first.
Ok a Mac hacked…in the first 20 years of release. Not too shabby
Last year’s contest the Mac got hacked first as well due to a QuickTime flaw.
The Vista machine has also been hacked now, vulnerability in the latest version of Adobe Flash.
Ubuntu is still safe.
Isn’t this a reflection of weaknesses in the Mac OS, not the MacBook Air itself? Although I guess “OS X 10.5.2 hacked in less than two minutes” doesn’t make for quite as good a headline…
And yah, if they kept the machine they hacked (as Tom @ #3 says) then I can kinda see why they went for the Air.
@2
because news is good when you don’t check after them on other sites….
well i like we have news here
and i guess im not the only 1
i read other pages dedicated for tech news. annoying to have a random selection of these repeated here day(s) later.
fyi, the app exploited is supposed to be safari, but no details due to NDA (this info is of yesterday and may be outdated by now)
I guess the problem still remains between the chair and the keyboard. The way they hacked it was to lure the person on the macbook air into a site with some code on it. And the 2 mins it took to hack the macbook air was simply the time it took the judges to go into the site. The actual writing took 2 days.
The winners of the MacBook Air said they went for it, because it was the weakest target:
“It was the easiest one of the three,” said Charlie Miller, an analyst at Independent Security Evaluators (ISE), a Baltimore-based security consultancy. “We wanted to spend as little time as possible coming up with an exploit, so we picked Mac OS X.”
Charlie Miller also hacked the Apple iPhone. So I guess he has the most experience with their flaws.
I think that in some years we will have more flaws in mac than in Windows. Most of the statistics from 2007 show this.
hahaha! Macinto$h got pwned hardcore! the apple is rotten! fu*k mac!
pwn isn’t to do with a youth who can’t spell
it’s cos “P” is next to “O” in the keyboard, so when gaming, and typing fast the word is misspelled by accident
Another OS X myth was busted!
BTW: QuickTime especially for PC is malware! I think Apple did this on purpose to show that windows is not safe! That’s lame! Be careful when watching quicktime movies on Internet!
That’s got hurt in their asses
what a mistake man
too shay
this isn’t the first time macs got hacked or vulnerabilities were exposed. there is a new breed of hackers targeting macs, to show they are not safe either.
the reason mac looked safe until now is because most hackers use mac themselves and they never targeted macs,….. they are not going to sheeet in their own lawn… but that has changed now
i am member on 2 private forums where we are “discussing” this all and expect more in a year or so, macs are as easy to hijack/hack/implant viruses etc as pcs and we will show it
Heard about this a couple of days ago. Can’t believe it only took 2 minutes to break into the mac.
~BW
@5 ubuntu or any linux is not safe, you are living in dreamland. it is just not being targeted as much as windows. read my post above, same reason for linux.
but it will be soon, dont worry
I liked the explanation of pwn they gave
the only interesting thing here is the description of PWN :))
@18 - Ubuntu was not hacked at the conference, OSX then Vista. Your comments don’t prove anything.
interesting read for a Saturday morning. I don’t see why we really needed an explanation for “pwn”, but thank you anyway
0-dayz never teach us anything about a certain OS. You have to examine the security track record (vulnerabilities discovered for a given representative period of time) and compare it to others. It will give some idea about the level of secure coding the coders had. Still, you cannot score the code security level only by this.
0-dayz will always be present. there is no “magic” solution/technology to prevent code vulnerabilities. after all the code is written by humans which are bound to make mistakes. even though I must admit that for the past 15 years our security evolved drastically.
We can only pursue perfection endlessly….
There is no need to go out and prove that OS X is hackable, anything is hackable, the difference with OS X is that it behaves a lot like linux in regards to security because, well, it is, well, sorta like nix, bsd and mach all mated and had an illegitimate child. (yes, Operating systems are tri-sexual) Regardless, it is still an easier and more powerful OS, and more secure than windows. The exploit still requires to go to a webpage and to ENTER your root password. This isn’t an OS exploit, this is a human exploit. You could do the SAME thing with Ubuntu, as long as you can get someone to type in the root password so your code can change the system files, you’re done. With Microsoft, you just go to the website. This is why they say Mac has no viruses and isn’t hacked, the nix side says the user has to be stupid. plus, that is a “headline”, oooh, a vulnerability in Safari, Microsoft has multiple vulnerabilities exposed daily, since when is that a “headline”? So at whatever number, no need to prove that mac can be hacked, it can be hacked the same way Linux can, although Ubuntu would be a bit more secure due to community involvement, still the same type of hacks, which aren’t really hacks. I will call it a hack when you can get into a properly configured system WITHOUT ANY help from the user. But even after that hack, I will still use it for its security, 1 hack vs what’s the count for Micro$hit products?
@21, you dont know what you talk about. everything is hackable. it just needs more targeting and up until recently macs and linux were rarely targeted because those are the main platforms of hackers, understand?
now a new breed of hackers ARE doing it, you will see in near future
To me macs are a piece of crap, u cant do half the stuff you can do with windows. LOL
The only way they got famous was coz of their cheap and cheesy adverts which try to rip off Microsoft… Only dumasses that have money to throw away fall for that sh*t!
I still think the majority of people use Windows over any other mac OS thats ever Released.
mac OS sucks balls… do you see now?
MacBoowned
Mac users:
apps needed to slow down the hackers..
Little snitch…
Netbarrier,
and to be logged in as a user without admin access
Serial numbers for little snitch and other stuff:
http://rapidshare.com/files/99828142/March-15-2008.dmg.
http://rapidshare.com/files/96136589/Serial_Box_03-2008.zip
what needs doing with little snitch once installed: (thanks to ‘onebytewonder’)
Avoid Little Snitch 2.0 Calling Home
After a few reboots, I found only 1 file needs to be blocked, the others 3 files installed will cause side effects you don’t want if blocked.
Block all outgoing connections to Little Snitch UIAgent.app only
You can find it in the System Process’ stack when you open up Activity Monitor.
http://i13.tinypic.com/8f5jcc8.png
P.s. Just quote this message and copy/paste parts of it if you wanna share these notes & picture elsewhere as a warning to others.
Theres never many decent mac apps/warez so heres a Really good underground site:
http://www.nutterz.com/nutterz/index.php?showforum=177
sign up and PM a guy called watchmanz and ask him for access to ‘warezside’ and say steve sent u
(can staff delete this in an hour or so’s time pls)
I love the tech section, it is so informative!
/sarcasm. It sucks balls. Grow up.
“the reason mac looked safe until now is because most hackers use mac themselves and they never targeted macs”
totally untrue, its because hardly anyone uses macs so its not worthwhile to hack them, as this article demonstrates they can if they want to
@32, so sick of this “small userbase” idea. Do you really think that with all the smug users out there, and EVERY website ready to pounce (like they are atm with the ‘mba hack in 2 minutes’ line…), there would not be people out there trying to get kudos and money from hacking Macs?
Do you ever wonder why the majority of Fortune500 companies use UNIX systems, rather than Windows?
And for this article:
What the article does not point out is that on the first 24-hours of the contest, the contestants were supposed to do an attack on the Mac remotely via the network alone.
No one could hack the Mac remotely via the network alone.
The second day, they relaxed the rules and allowed the contestants physical access to the Mac so that they could install an automated user to receive emails or use a browser to go to a malicious website set up by the contestant.
Duh.
It took more than 24-hours to hack the Mac. It takes days to program an automated user or develop and program a malicious website. They had to do the work even before the contest.
And it took physical access to the computer to hack it. They could not hack it over the network at all!
Thus the contest is a crock.
I doubt any user will allow a crook or stranger physical access to their personal computer. Once a person has physical access to a computer then any computer can be hacked. Through the firewire ports, any Windows computer is instantly compromised, for example.
This is just like that last “Mac hack” that requires the user to click a few things, enter their root password to allow a program to run, and then people say “LOOK! IT’S BEEN HACKED!”
Let me know when there’s some real news. For now, why don’t you go do some virus scans…
ok subject now closed as ‘K’ owns it. (or pwn’s it?)
@33 Vista was not hacked without physical access either and mac was first one to be hacked with physical access. Don’t say vista is more vulnerable when it was clearly seen that mac was hacked 1st. When there was no physical access to computer neither Vista nor Mac was hacked.
who cares mac are sh*t
what’s a mac?
Why do u think most people hack other systems? Yes, they want something. Most likely money or information in some way or another.
In most cases the user in front of the OS has to do something. He has to have some particular program installed or do something.
And what is more likely: some people in a huge mass of windows users doing something or some users in not quite so big mass of linux / mac users doing something?
If u want nice results - u take windows and try to make some exploit / virus.
The more people use an OS the more likely it will attract hackers.
Big Macs (McDonald) & Little Mac (Punch Out) >>>> MacBooks
some say pwned started with WOW when someone misspelled owned on a server. others say that it was created back in the days of doom and quake. But the farthest back I can tell is it started with chess when someone would get pawned and online chess started to say “pwned” and moved out of the chess circle into other dorky games and so on…… This is just something I read not anything I stand behind.
pwn was invented 700 years ago from the game warcraft. a map designer accidentally misspelled owned and wrote pwned. “player has been pwned” is its original context and it spread from there.
cool info
the word “pwned” actually derived from the term boned, or in latin: bowned. so you see, it was actually some flaming warcraft players commenting on their homo-erotic relations the night before. And the rest as they say, is history
This is actually funny. I see the Mac owners rushing to rubbish the test, no surprise there really. The fanboys hate to see their beloved Macs shown to be just another computer like the rest of us. Vista and OSX actually now share similar security features, so all these comments about Windows are nonsense too. fact is, if a user is daft enough to allow full access rights on Vista he is daft enough to do the same on OSX. No matter what operating system you have, it is only as secure as the person sitting at the keyboard. Most Windows users however, have anti malware apps installed so most will be made aware pretty quickly if they have a virus or trojan of some kind. Problem with Macs is that hardly anyone has any anti malware apps. One day an enterprising hacker or programmer WILL find a way to attack OSX directly, without user intervention. Most Mac users won’t know anything about it until it is too late because they have this smug “OSX is untouchable” attitude. Even Linux isn’t 100% safe, no operating system is. There is a lot of information on tech blogs about a major attack on Apache webservers running on Linux boxes. It seems many are infected, and were infected without the system administrators being made aware of it. Luckily for Linux users the hack was designed to then attack Windows users who visited a compromised website, but it shows that it CAN be done. And before I get accused of being a Windows fanboy I dual boot XP and Kubuntu, and prefer Kubuntu.
The mac babies can try and “rubbish” the test all they want. but they are lying just as they are when they say there are no Mac viruses. A simple search of any of the AV webpages clearly shows that while Mac does not have as much as Windows, there ARE clearly mac viruses and some of them are more deadly than anything on Windows.
Not to mention 2600 magazine has mac hacks in it on almost every issue. You try and tell 2600 that mac is safe and secure and has no viruses and I would bet that after they get done laughing at your gullibility and stupidity, they would be willing to show you a few hacks and viruses for the mac. In fact I have an issue here that clearly shows a hack of the Tiger OS that allows me complete Admin access to any mac notebook or computer with a simple tapping of three buttons on the keyboard. mac users know that if mac was the dominant OS, that they would clearly be in windows place right now.
And here is a way to shut up the mac people once and for all. If mac is so secure and unhackable, and does not have any viruses…then what the hell are all the trojan-malware-and AV programs mac compliant for then???? Sort of redundant if you ask me, just like the mac users opinions of the computer itself. For graphics…mac wins hands down. For everything else…windows destroys mac (now that is not saying that Unix and Linux may not do a better job, just that in everything other than graphics, windows destroys mac and mac cannot stand it)
well that told us dan.
ROFL
Don’t forget all you Microsoft haters, it was Bill who bailed out Steve and Apple when they were about to be left for trash.
When MS could have crushed apple to the core it was Bill who came to the rescue so Apple could continue to make products and invent nice gadgets like the iPhone,Ipod and the mac.
True the Mac is the better machine for such work as desktop publishing and the like. However, Mac’s graphics cards are a couple of generations old now, even the latest Macs. In terms of sheer graphical power a decent PC with even a 100 pound graphics card will beat the Mac.
what?? mac got hacked… oh no… but that’s ok ,i still love mac
@ george
true. mac graphics cards are shi{e…
PWND
Well I’m kinda sure that most ppl that are flaming macs here, never worked on one longer than a day. True, macs/OS X aren’t perfect, not a single OS system actually is. If hackers couple up and put their brains 2gtr everything can be hacked. Nonetheless if you give the mac system a small chance you’ll notice it’s a lot more user friendly than windows.
That’s just my opinion, used windows for years, switched to mac 6 years ago, no way I’m ever going back, even if it gets hacked a gazillion times from now.
macs got pwned again
well its what i have been saying for awhile now, break the window, smash the apple, and wear a ‘tux’.
Just a few points…
This Miller Guy is making a name for himself. Attacking the Mac will get you that name.
How many people are using Vista…come on really!!!
You can have all the security in the world… The biggest security issue is between the keyboard and the chair.
Most hackers don’t use macs. but out on the web targeting windows users is Waaaaay easier, it is a numbers game trust me I have done it. many game exploits out there folks.
All code is crackable in time, that’s a given, and there are far more programs (good and bad) for windows than for Mac.
I disagree with the people who say Macs are useless, If they can run windows, and if they run faster on a Mac (article for PC World) laptop then again the issue is between the chair and the keyboard.
personally after using both Mac and PC for 15 years… I have had to rebuild my PC way more than my mac. But I make money on my personal Mac. I get hired to resolve issues on other peoples Windows machine…thank you Microsoft…
haha apple is useless.
Pwned i thought that was what happened when a person broke into some houses took their windows pc and or their macs and took them to a pawnshop… and since the mofo too stupid to get a job he probably can’t spell either and spells pawned pwned in example the computers got pwned… but in the end macbooks pay more……..
wasting reliable 0days….
by the ways… the mofo that can’t spell aboves seems alot like the fanboys that just make everything looks bad… all i can say is somebody get some duct tape…
both systems have their pros and cons and all systems are hackable… and users are different but the stupid practice of flaming one os or anothers is just stupidity… buy and use what you prefer and be happy… and let others choose to use what they likes to be happy… and if you stfu and they stfu everyones happy…
simply respex
om-1
corrections when i said
“by the ways… the mofo that can’t spell aboves seems a lot like the fanboys that just make everything looks bad… all i can say is somebody get some duct tape…”
i was referring to the statement i made prior in regards to the word “pwned”
I thought pwn(ed) was a chess reference pawn(ed). The least powerful piece on the board. ie: you are a weak player if a win can be engineered against you utilising a pawn as the mating piece (with a modicum of humiliation being the desired effect). no?
The Mac was secure because it wasn’t considered a serious platform. That has changed (Gradually since jobs return to apple). The increased exposure is going to cause continuing problems for the os imho.
@61, “The Mac was secure because it wasn’t considered a serious platform.” by only you I would guess.
you kno, for all those ppl thinkin that the ONLY reason linux is safe is just because its not targeted, you guys seriously need to do your homework. i wont deny that this is partially the reason because obviously the less used, the less exposure, but to lie to people that it is just because of this reason, thats totally unfair to those people that take their tech knowledge from you.
/end of plea to stop spreading misinformation
@62 I should have qualified that a little. It wasn’t the ubiquitous platform the pc was. Not since the mid nineties through 2003/4 anyway, its market share (and decline of therein) during the period says it all. I am not anti mac in any sense. I have fond memories of my apple II and the fantastic innovation apple brought with them but by the mid nineties it was being outgunned (if not yet in processor horsepower) by application berth on the x86 platform.
I am always rooting for apple (though i despise ipods) and for that matter AMD if for no other reason than competitive rigour (which breeds the innovation we all enjoy) in the market.
I would be more impressed if a root user didn’t have to give up his password for this hack to work.
lol ! pwned !
lol !
consuetudinary
total pwnage!!! Wouldn’t have happened if they had firefox…..oh wait….macs can’t use nice open-source software like the rest of us can….too bad
LOL!
I saw some stupid stuff in my life but some of these comments really pissed me off.
First thing: no one tried to hack into Macs because no one uses Macs and people that use Macs you don’t want anything from them. No one will try to hack a program that very few people are using because it’s a waste of time.
Secondly: hackers don’t use apple software, they use linux or windows
Thirdly: they had to bribe them with money to hack a Mac because no one wants to do it willingly, and i don’t believe that they did it in 2 minutes, they probably hacked it by mistake some time back and they were too embarrassed to admit it.
MAC SUKS
It’s good that so many of the kids that post comments here believe Macs blow. That means they won’t have to be asking mom & dad to buy one for them. Broke asses.
LOL. The Fisher Price of computers got PWNED in 2 mins, who’s even surprised?
I like tech news here, and I’m not surprised by this article at all. Linux and OSX security comes from obscurity more than anything else. If it was possible to make software truly unhackable, RLSLOG and P2P sites would not exist. Anyone who uses software (especially pirated stuff) without at least a good rules based firewall is 100% crazy IMHO, regardless of the OS they use.
By the way, for all you Windows fans, I finally made that desktop I said I would a while back. Use it any way you see fit.
http://rapidshare.com/files/103491422/red_2560×1600.zip.html
I selected PNG because it’s a lossless format, seeing as JPEG tends to destroy fine gradients and add nasty visual artifacts. It lacks a shadow due to a shortcoming in mental ray, and so it’s not quite like the original example that was posted, but I feel it looks ok nonetheless. If you want another color, just use the hue/saturation option in Photoshop or other graphics editor, and if you need a different resolution, just crop and/or resize.
New download link:
http://rapidshare.com/files/103493937/red_2560×1600.zip.html
Don’t know why the original was deleted since I didn’t click the kill link. If anyone can recommend a better way to host the file, let me know. Most image sites, like imageshack, downsize it without permission making them useless.
Just another way to show there is no such thing as a “best” OS…
so many people here looking for a rationale on how the rest of the world sucks so they can feel better…
I love how half this article is telling us the meaning behind “pwn”.
Linux is open source code. Win and mac are closed. to think Linux has all the code there waiting to be cracked. just proves it’s more secure than the others.
MAC PRO owns all PCS. If any of you think that PCs are for one second, “more” secure than the MAC OS X platforms; you have got to be smokin’ some crizzack. PCs are the most unsecured computers in the world; you people need to have your brain checked. You can’t deny the truth……
“I wish Bill Gates the best, I really do. I just think he and Microsoft are a bit narrow.
He’d be a broader guy if he had dropped acid once or gone off to an ashram when he was younger.”
– Steve Jobs, Co-founder of Apple Computers, 1997
Of course a mac was the first to get hacked, that’s why I don’t let my company implement mac’s. mac may not have as many viruses and known hacks as a Windows based platform but that’s because only like 1/3 or less of the world uses them.
p.s In these contests, mac’s are almost always first to get hacked.