MacBook hacked in seconds, again - via Safari exploit

Many people may remember Charlie Miller from last year's event where he successfully hacked a MacBook and was able to take control over it within seconds, walking away with the MacBook and the grand prize.

Charlie Miller once again successfully hacked the fully patched MacBook by exploiting a security vulnerability in Safari, Apple's web browser. The hack was accomplished by the team clicking on a link that took control of the machine within seconds. Charlie Miller walked away with the MacBook and the $10,000 top prize after successfully hacking the MacBook the fastest.

TippingPoint's Zero Day Initiative has acquired exclusive rights to the vulnerability and will work with Apple to patch the flaw. Details about the attack will not be disclosed until the patch is ready.

Charlie Miller wasn't the only successful hacker: a security researcher nicknamed "Nils" was able to hack into a Sony Vaio laptop running an updated Windows 7 and Internet Explorer 8. "Nils" walked away with the cash prize and got to keep the hardware after successfully hacking it. "Nils" was also able to hack Apple's Safari browser, becoming the second hacker of the day to exploit it.

94 Comments


I guess it's a bit stupid to see this kind of comment. No OS is secure, and a lot of people know that. If viruses/malware and trojans are distributed the way they are today it's because of the endless average Joes in front of the computer who don't understand a thing and just want things done. He doesn't care if he has to install another program to view a website and if that comes with viruses. On the other hand, the tech-savvy people have knowledge of what to and not to install and what it does.

In the end, as someone else has said, the problem is on the END USER

Apple has the least secure OS, no Microsoft has the least secure OS... no wait... who cares? At the end of the day, the biggest threat to any computer's security is the end-user.

Funny how they also seem to miss this bit off the news posting

"Nils" also scored a clean hit against Apple's Safari (he was the second hacker to exploit Safari) and, later in the afternoon, he exploited a Firefox zero-day flaw to claim the trifecta.

TippingPoint's Zero Day Initiative has acquired exclusive rights to the vulnerability

WTF is up with that? Is this the new thing, acquiring exclusive rights to stuff like this? What are they going to do, hold it over a company's head for ransom or something?

No. They're keeping it private between themselves and the company whose product was hacked into until patches can be developed.

I'm not a hacker but I'm computer-literate and intellectually curious - is there anywhere that contains a good description of how these hacks work?
I remain mystified that although OS designers have long been well aware of the dangers of hacking, nonetheless new patches arrive month after month in order to address newly-discovered security vulnerabilities. How is it that these continue to exist and are still being discovered? Is there some common feature to them all? I can understand how a newly-written OS may have some vestigial problems, but surely they must ultimately be found and patched?
Apparently not - but is there some accessible but technically accurate explanation of what underlies the problem that the interested but non-specialist reader could review?

Dunno why this article's headline is concentrating on the Mac angle.

To show what actually happened:

OS X Was Hacked via Safari
Windows Vista was hacked via Firefox
Windows 7 was hacked via Internet Explorer 8

Which means all the browsers let their operating system down. And as all 3 were hacked on Day one of the contest, Flash, Java, .Net and QuickTime were not installed on the system as browser plugins. They would be installed on Day 2, followed by Adobe PDF Reader on Day 3.

What the headline should really say is 'Day 1 of security conference sees OS X, Vista and 7 hacked in mere Hours'

+10

I agree with you but I like the current title as it attracts anti-Apple people, making this thread insanely fun to read. It's pure comedy to read anti-Apple people ridicule themselves.

I think the article concentrates on the Mac angle because Apple's the only company that rails on about their security and safety and how insecure Windows is. At least Windows Vista and 7 pop up a notice when you install them that recommends you install some sort of protection software. OSX doesn't even mention it.

LaP said,
+10

I agree with you but I like the current title as it attracts anti-Apple people, making this thread insanely fun to read. It's pure comedy to read anti-Apple people ridicule themselves.


+1 dude, it's mainly why I visit these stories. Everyone gets in such a tizz all the time, but when you look at the long run, no news story has created a "staggering shift" in the "technology balance" lol. It's all relative.

shakey_snake said,
The Safari-Mac was hacked first.

The ZDnet blog posted about it before the other exploits were done. Hence the emphasis.

Maybe this new article should be updated like the ZDnet article was? More objective, no?

ccuk said,
Maybe this new article should be updated like the ZDnet article was? More objective, no?

Maybe it could. Have you submitted an update to the newsdesk?


Actually any update should probably include this interview in which Charlie Miller talks about how easy it is to crack OSX.

Well, I have not heard about zombie networks from Macs or Linux machines, and still the most secure OS, Windows, is well known for its hospitality for worms/trojans/viruses

Faisal Islam said,
'Cause Windows is most popular. So virus writers don't waste time making viruses for Macs or Linux.

LOL so true!

Soldiers33 said,
I'm surprised Windows 7 got hacked quickly. Last year Vista only got hacked due to the Flash plug-in

It's a beta.

C++ said,
It's a beta.


Beta or not, it is still the most up to date version of Windows available to the public. "Beta" doesn't automatically excuse security vulnerabilities.

roadwarrior said,
Beta or not, it is still the most up to date version of Windows available to the public. "Beta" doesn't automatically excuse security vulnerabilities.

Actually that's the whole point of adding a beta tag to begin with.

It's a work in progress.

I don't mean to be a nasty person, but does it really matter? Any system is breakable. It doesn't matter. Just be safe on the internet, and don't do stupid things. People aren't going to stop using Apple products because of this, or at least I don't think so. It is true that Mac OS X is more secure than Windows, but not 100% safe, nothing is.

Adam_Brown said,
I don't mean to be a nasty person, but does it really matter? Any system is breakable. It doesn't matter. Just be safe on the internet, and don't do stupid things. People aren't going to stop using Apple products because of this, or at least I don't think so. It is true that Mac OS X is more secure than Windows, but not 100% safe, nothing is.

You're right on the button there. Unfortunately Apple fanboys and Microsoft fanboys seem to enjoy tearing lumps off each other and bickering over silly little stuff like this. Another day it'll be a news story about a vulnerability in Vista or something and the role will be reversed. It's the never-ending story of Neowin!

Neither OS is perfect. Both have vulnerabilities waiting to be found. As they get more and more complicated, this is going to happen more and more.

It is true that Mac OS X is more secure than Windows
That directly contradicts this article, you do realise that. Windows is more secure than Mac, it took longer to hack, that's the point!

You just demonstrated the problem. Mac OS X is far from "more secure" than Windows. Apple's customers, for the most part, buy into Apple's hype. They blindly believe that OS X is invincible, that nothing can go wrong with it, that it "just works". None of that is true and that's partly why demonstrations like this are made a big deal.

Mac OSX and Windows 7 are rather secure... if people just stop clicking on "Click these titties to see more boobies!!!"

Not real shocking considering that Macs are not hacked nearly as much, so their issues are not revealed as quickly as Windows issues are. One of the reasons Windows is more secure. Keep telling my friends who have Macs to stay protected...but they seem to know better.

Notice you have to click on a link to activate these exploits, so simple security will tell you not to click on suspicious links. I would like to see them do it without the clicking. Here are the rules for the contest, and it looks like Chrome was one of the browsers as well. http://cansecwest.com/index.html

This is beside the point, because malicious links can be linked to legitimate websites that have been compromised. Clicking a link shouldn't allow an OS to be completely controlled.

It seems that the hacker "Nils" was able to take over Windows 7. Was UAC and Internet Explorer 8 running with Low Integrity Mode enabled? If so, what was so "brilliant" that bypassed this dual protection? I thought IE8 in Low IL mode is immune to system-level control? This really concerns me.

A security researcher named "Nils" (he declined to provide his full name) performed a clean drive-by download attack against the world's most widely used browser to take full control of a Sony Vaio machine running Windows 7.

Integrity Levels are not a security boundary at this time, they're just an attack mitigation. However, finding holes in the Low IL boundary would of course be of great concern.

The article reports a pre-release version of Windows 7 was compromised via an IE 8 drive-by-download attack, but it doesn't specify if the machine had UAC or Protected Mode disabled. It also doesn't specify which build, and some features hadn't had all of their final security mitigations in place in time for the beta.

ZeroHour said,
It's a beta. It should not be taken truly seriously. They only did it out of interest.


Beta or not, it is still the most up to date version of Windows available to the public. "Beta" doesn't automatically excuse security vulnerabilities.

That Charlie guy has a PhD in mathematics and worked for NSA (National Security Agency)

If he can't do it (that is to hack into comps), who can?

[< snipped > - Calum]

I hope these people actually help towards patching such systems instead of just bringing them home!

Not true! A hacker can turn on a robot remotely so that it goes and plugs in your power cord and boots it remotely!

Your statement should be "safest computer is a Mac, if they try to hack it, it will beach-ball spontaneously and the hacker will get fed up and quit!" Sorry, I had to.

SK[ said,
Just like that virus a long time ago that blew your fridge and microwave up via the electricity socks?

God I remember, cost me a fortune that did to put right... :P

andrewbares said,
Not true! A hacker can turn on a robot remotely so that it goes and plugs in your power cord and boots it remotely!

Your statement should be "safest computer is a Mac, if they try to hack it, it will beach-ball spontaneously and the hacker will get fed up and quit!" Sorry, I had to.


I've had a Mac for a few months and I don't remember the last time I saw the beach ball *shrug*

Righttt, there would be a lot of beach-ball suicides that the police would have to deal with.

And dealing with a Mac would be terrible for many users. They won't even know how to get to a window that's behind another, because you have to minimize the one in front. Also, what would happen to a basic user when they accidentally click on the background and all their options for Word disappear since Macs keep the context menus up at a top bar? They would be very confused.

What you're saying, that Macs are simple, is purely based off of Apple's OWN marketing.

Regardless of what platform you choose there will always be someone out there who can exploit the system. So for all you who say that you are on a secure system, and no one can break your code; "THINK TWICE."

In before people claim that Macs 'just work'. Which they don't. As we Mac users have said over and over again.

Mr. Andrews said,
In before people claim that Macs 'just work'. Which they don't. As we Mac users have said over and over again.

Damn straight. Every OS has vulnerabilities, regardless.

It keeps your Mac safe in the same way a life preserver keeps you safe. It isn't guaranteed to save you, but it helps.

Exactly. Man, if that was false advertising, better stop saying anything absolute and start being vague all the way.
The next homepage of Apple : OS X is... kind of secure!
The next homepage of Microsoft : Windows is... somewhat secure!
The next announcements of Duracell : Our batteries last for... quite a long time!
The next announcements of Intel : Our brand new processors are... quite faster than the previous model!
The next announcement of a popular bread trend : Our bread is much better than the other breads... if it's your taste!

Forget it.

"The next announcements of Duracell : Our batteries last for... quite a long time!"
Followed by the small print...
"...depending on what you're doing" lol

PsykX said,
Exactly. Man, if that was false advertising, better stop saying anything absolute and start being vague all the way.
The next homepage of Apple : OS X is... kind of secure!
The next homepage of Microsoft : Windows is... somewhat secure!
The next announcements of Duracell : Our batteries last for... quite a long time!
The next announcements of Intel : Our brand new processors are... quite faster than the previous model!
The next announcement of a popular bread trend : Our bread is much better than the other breads... if it's your taste!

Forget it.

ROFL!!! Man, you made my afternoon

PsykX said,
Exactly. Man, if that was false advertising, better stop saying anything absolute and start being vague all the way.
The next homepage of Apple : OS X is... kind of secure!
The next homepage of Microsoft : Windows is... somewhat secure!
The next announcements of Duracell : Our batteries last for... quite a long time!
The next announcements of Intel : Our brand new processors are... quite faster than the previous model!
The next announcement of a popular bread trend : Our bread is much better than the other breads... if it's your taste!

Forget it.

That's exactly correct. I never thought about it that way either!

andrewbares said,
Well I guess I'm not going to install Safari for Windows.

JAJAJA, and don't you think that IE is full of Flags?

LoL

According to the article, Safari was the easiest to hack. And, Vista is actually the most secure operating system, more secure than Apple's. Neowin had an article that said exactly that. Yes, I'm sure.

Vista had about 5% of the vulnerabilities in all of the OS's, Apple's OS had 15% of the vulnerabilities. Straight up facts doing the talking.

andrewbares said,
According to the article, Safari was the easiest to hack. And, Vista is actually the most secure operating system, more secure than Apple's.

Where did you read that part about Vista?

andrewbares said,
According to the article, Safari was the easiest to hack. And, Vista is actually the most secure operating system, more secure than Apple's. Neowin had an article that said exactly that. Yes, I'm sure.

Vista had about 5% of the vulnerabilities in all of the OS's, Apple's OS had 15% of the vulnerabilities. Straight up facts doing the talking.


I think in the last contest, the Ubuntu was uncracked. I didn't see mention of them including any Linux flavor this time. Maybe I just overlooked the mention of it?

But your assertion that "Vista is the most secure operating system" was never made by any reputable authority. It is the best Windows OS, and it includes features that had been sorely lacking on the Windows platforms for years.

andrewbares said,
According to the article, Safari was the easiest to hack. And, Vista is actually the most secure operating system, more secure than Apple's. Neowin had an article that said exactly that. Yes, I'm sure.

Vista had about 5% of the vulnerabilities in all of the OS's, Apple's OS had 15% of the vulnerabilities. Straight up facts doing the talking.


FUD

http://blogs.zdnet.com/security/?p=2941

"It's really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for exploit to work), Macs don't do. Hacking into Macs is so much easier. You don't have to jump through hoops and deal with all the anti-exploit mitigations you'd find in Windows.

It's more about the operating system that the (target) program is running on. Firefox on Mac is pretty easy too. The underlying OS doesn't have anti-exploit stuff built into it."