MacBook hacked in CanSecWest contest

A MacBook with all the latest security patches was hacked in a ‘PWN 2 0WN‘ hack-a-Mac contest at the CanSecWest security conference in Vancouver, Canada, on Friday. The hack made use of a vulnerability in Safari to gain user root access to the MacBook. Shane Macaulay and Dino Zovi, who came up with the hack, won a MacBook Pro and USD 10,000. More info courtesy of News.com and Macworld.

Frankly, I’m quite sick of people wanting to shove it in Mac users’ faces that Macs are “insecure”. Macs aren’t invulnerable but they are certainly more secure than Windows. At last count there were zero viruses that affect Macs. And 114,000 that affect Windows. Just look at CanSecWest’s motives for the contest:

The conference organizers decided to offer the contest in part to draw attention to possible security shortcomings in Macs. “You see a lot of people running OS X saying it’s so secure and frankly Microsoft is putting more work into security than Apple has,” said Dragos Ruiu, the principal organizer of security conferences including CanSecWest.

Windows fanboy.

And finally, the MacBook was only hacked after the organisers relaxed the contest rules, because no one could hack the MacBook under the original rules.

Initially, contestants were invited to try to access one of two Macs through a wireless access point while the Macs had no programs running. No attackers managed to do so, and so conference organizers allowed participants to try to get in through the browser by sending URLs via e-mail.

(Both quotes from the Macworld story above.)

Oooh! So scary! Bad bad hacker pwned a MacBook. Seriously man, this story is overblown. Especially when the vulnerability is a problem with Java and affects other browsers like Firefox. Security blog Matasano Chargen confirms this and tells us how to defend against this zero-day exploit – turn off Java in your browser.

To PC users, just get a Mac. It’s more secure and reliable than you’ve ever known PCs to be. To you haters, get a life.

Update: Thomas Ptacek of Matasano Chargen shares a few more details of the vulnerability. The culprit is QuickTime, and a Java-enabled browser is a viable attack vector if QuickTime is installed. This means Windows users are vulnerable too.

11 Comments

  1. Hehehe, I like the way you presented this story.

  2. macnonymous

    he only won a macbook, not a macbook pro. and come on, OS X has some kind of vulnerability. i use macs, love OS X but it’s always up to the user to determine whether his or her computer is vulnerable. i agree that OS X is safer than Windows, but every update to OS X (i.e. 10.4.8 to 10.4.9) involved a lot of security patches. so yeah, OS X has some flaws too, just that it often isn’t readily exploited.

  3. The real difference here is that the exploits are patched almost immediately.

    Some holes are left gaping wide open for a long time after discovery in some MS products, plus the nature of their design (up till XP) makes it prone to attacks because of its features.

  4. hi macnonymous, yes I agree that OS X has vulnerabilities (I said they’re not invulnerable in my rant leh) but I wanted to point out that despite this, there are no known working viruses in the wild that affect OS X – please correct me if I’m wrong.

    Yeah, I’m really pissed at people waiting to pounce on Mac users to say “haha! OS X has a vulnerability! You’re so PWN-ed!!” Why don’t they have a Hack-a-Vista contest eh? You think they will relax the rules or tighten the rules of that contest?

    P.S. ranting is fun! :o )

  5. nvidia2008

    “Yeah, I’m really pissed at people waiting to pounce on Mac users to say “haha! OS X has a vulnerability! You’re so PWN-ed!!

  6. Hey nvidia2008, “1337 fame”?? Whoa, you must be a scary hacker since you know scary haXor language.

    Been reading too much Joy of Tech :o )

  7. rolleyes

    Ruiu is no Windows fanboy – the majority of techniques discussed at his conferences are directly aimed at Windows vulnerabilities. His motivation behind the contest was to try to put some negative light on Apple and thus pressure them into being a more productive member of the security community. Apple takes a confrontational approach with security researchers, rather than a collaborative one. To me it looks like Ruiu was trying to find some leverage to move them from that stance.

  8. hey thanks rolleyes, that really came out of nowhere :)

  9. “His motivation behind the contest was to try to put some negative light on Apple and thus pressure them into being a more productive member of the security community.”

    Since the motivation was more to put negative light on Apple, there we have it, ladies and gentlemen.

    To get Apple to be a more productive member of the security community, he could’ve simply asked. When you want people to cooperate, the thing to do is to publicly lie about their products. That’s real smart.

  10. I’ll withdraw my comment. I had thought this was referring to that other incident.

  11. Maclover

    this is to blogjunkie. it’s not a lecture but won’t you think it’s a good idea if they made a contest there too to see if anyone can make a virus for OSX?
