MacBook hacked in seconds, again

Many people may remember Charlie Miller from last year’s event where he successfully hacked a MacBook and was able to take control over it within seconds, walking away with the MacBook and the grand prize.

Charlie Miller once again successfully hacked the fully patched MacBook by exploiting a security vulnerability in Safari, Apple’s web browser. The hack was accomplished when the contest team clicked on a link, which took control of the machine within seconds. Charlie Miller walked away with the MacBook and the $10,000 top prize after hacking the MacBook the fastest.

TippingPoint Zero Day Initiative has acquired exclusive rights to the vulnerability and will work with Apple to patch the flaw. Details about the attack will not be disclosed until the patch is ready.

Charlie Miller wasn’t the only successful hacker: a security researcher nicknamed “Nils” was able to hack into a Sony Vaio laptop running an updated Windows 7 and Internet Explorer 8. “Nils” walked away with the cash prize and got to keep the hardware after successfully hacking it. “Nils” was also able to hack Apple’s Safari browser, becoming the second hacker of the day to exploit it.

by Andrew Lyle

Pwn2Own: IE8 hacked & Microsoft responds in less than 12hrs

TippingPoint’s 3rd annual Pwn2Own contest has already shown significant security breaches on Apple’s Safari, Mozilla’s Firefox and Microsoft’s Internet Explorer 8; Google’s Chrome was the only browser that made it through the first day of testing this year.

One of the contestants, Nils, was able to exploit the latest Internet Explorer 8, which had been released just a few days earlier. The blogosphere and news websites picked it up, and it soon became hot news. While people were worrying about IE8’s security, MSRC (Microsoft Security Response Center) had already reproduced and validated the IE8 vulnerability in less than 12 hours.

Microsoft is expected to release a security patch for this vulnerability very soon. It is in fact surprising to see that the IE team acted so fast even when they were busy at MIX09!

You can visit TippingPoint’s blog for more information.

Researcher cracks Mac in 10 seconds at PWN2OWN, wins $5K

Charlie Miller defends his title; IE8 also falls on Day 1 of hacking contest

March 18, 2009 (Computerworld) Charlie Miller, the security researcher who hacked a Mac in two minutes last year at CanSecWest’s PWN2OWN contest, improved his time today by breaking into another Mac in under 10 seconds.

Miller, a principal analyst at Independent Security Evaluators LLC, walked off with a $5,000 cash prize and the MacBook he hacked.

“I can’t talk about the details of the vulnerability, but it was a Mac, fully patched, with Safari, fully patched,” said Miller Wednesday not long after he had won the prize. “It probably took 5 or 10 seconds.” He confirmed that he had researched and written the exploit before he arrived at the challenge.

The PWN2OWN rules stated that the researcher could provide a URL that hosted his or her exploit, replicating the common hacker tactic of enticing users to malicious sites where they are infected with malware. “I gave them the link, they clicked on it, and that was it,” said Miller. “I did a few things to show that I had full control of the Mac.”

Two weeks ago, Miller predicted that Safari running on the Mac would be the first to fall.

PWN2OWN’s sponsor, 3Com Inc.’s TippingPoint unit, paid Miller the $5,000 for the rights to the vulnerability he exploited and the exploit code he used. As it has at past challenges, it reported the vulnerability to on-site Apple representatives. “Apple has it, and they’re working on it,” added Miller.

According to Terri Forslof, the manager of security response at TippingPoint, another researcher later broke into a Sony laptop that was running Windows 7 by exploiting a vulnerability in Internet Explorer 8. “Safari and IE both went down,” she said in an e-mail.

TippingPoint’s Twitter feed added a bit more detail to Forslof’s quick message: “nils just won the sony viao with a brilliant IE8 bug!”

Forslof was not immediately available to answer questions about the IE8 exploit.

TippingPoint will continue the PWN2OWN contest through Friday, and will pay $5,000 for each additional bug successfully exploited in Apple Inc.’s Safari, Microsoft Corp.’s Internet Explorer 8, Mozilla Corp.’s Firefox or Google Inc.’s Chrome. During the contest, IE8, Firefox and Chrome will be available on the Sony, while Safari and Firefox will be running on the MacBook. The researcher who exploited IE8 will, like Miller, be awarded not only the cash, but also the laptop.

“It was great,” said Miller when asked how it felt to successfully defend his title. “But I was really nervous for some reason this time. Maybe it was because there were more people around. Lucky [the exploit] was idiot-proof, because if I had had to think about it, I don’t know if I’d had anything.”

This year’s PWN2OWN also features a mobile operating system contest that will award a $10,000 cash prize for every vulnerability successfully exploited in five smartphone operating systems: Windows Mobile, Google’s Android, Symbian, and the operating systems used by the iPhone and BlackBerry.

Miller said he won’t enter the mobile contest. “I can’t break them,” said Miller, who was one of the first researchers to demonstrate an attack on the iPhone in 2007, and last year was the first to reveal a flaw in Android. “I don’t have anything for the iPhone, and I don’t know enough about Google.”