
Mac Hacked through Safari, Windows through Flash

added by Michael on 31 Mar 2008

Jennifer LeClaire from NewsFactor.Com reports on the Pwn to Own challenge at CanSecWest:

Microsoft's Vista Ultimate SP1 and Apple, Inc.'s MacBook Air have been hacked through applications, with only Ubuntu unbreached in the Pwn to Own challenge at CanSecWest. The zero-day vulnerabilities in Microsoft and Apple's systems have been reported. Shane Macaulay won a laptop and $5,000 for hacking Microsoft Windows Vista.

Some more details about the contest:

The first day of the contest, hackers were only allowed to hack into the computers over a network. No one was able to claim the prizes. On the second day, the rules changed. Contestants were allowed to use the machines to visit Web sites and open e-mail messages.

That rule change made it possible for Charlie Miller, a researcher at Independent Security Evaluators, to hack the MacBook Air using the Safari browser within two minutes.

But the Vista and Ubuntu laptops seemingly remained airtight. On the third day of the contest, the judges again broadened the rules, opening up the scope beyond just default installed applications on those laptops to any popular third-party application, such as Adobe's Acrobat Reader, the Firefox browser, and voice-over-IP program Skype.

Macaulay installed Adobe Flash on the laptops and proceeded to compromise the system. Macaulay had some help from Security Objectives colleague Derek Callaway and independent researcher Alexander Sotirov.

According to ComputerWorld.Com, Adobe already knew about the Flash bug and had planned to release a patch later this month.

"After some internal investigation, we found that via our ongoing response and security testing process, we were aware of the issue and had fixed it for our security update coming in the next Flash Player update later this month," said Erick Lee, the manager of Adobe's secure software engineering team, in a post to the group's blog.