Utility software

Hacker breaks into Mac at security conference

VANCOUVER—A hacker managed to break into a Mac and win a $10,000 prize as part of a contest started at the CanSecWest security conference here.

According to the security blog Matasano Chargen, Shane Macaulay and Dino Dai Zovi won the contest by gaining shell access to a Mac by pointing the Mac’s Safari browser at a specially-constructed Web page.

“Currently, every copy of OS X out there now is vulnerable to this,” said Sean Comeau, one of the organizers of CanSecWest.

The conference organizers decided to offer the contest in part to draw attention to possible security shortcomings in Macs. “You see a lot of people running OS X saying it’s so secure and frankly Microsoft is putting more work into security than Apple has,” said Dragos Ruiu, the principal organizer of security conferences including CanSecWest.

Initially, contestants were invited to try to access one of two Macs through a wireless access point while the Macs had no programs running. No attackers managed to do so, and so conference organizers allowed participants to try to get in through the browser by sending URLs via e-mail.

Dai Zovi, who lives in New York, developed the exploit that exposed the hole on Thursday night. Since the contest was only open to conference attendees, he sent it to his friend Macaulay in Vancouver, who claimed the prize.

The URL opened a blank page but exposed a vulnerability in input handling in Safari, Comeau said. An attacker could use the vulnerability in a number of ways, but Dai Zovi used it to open a back door that gave him access to anything on the computer, Comeau said.

The vulnerability won’t be published. 3Com Corp.’s TippingPoint division, which put up the cash prize, will handle disclosing it to Apple.

The prize for the contest was originally one of the Macs. But on Thursday evening, TippingPoint put up the cash award, which may have spurred a wider interest in the contest. According to Matasano Chargen, Macaulay will keep the MacBook while Dai Zovi will pocket the cash prize.

One reason Macs haven’t been much of a target for hackers is that there are fewer to attack, said Terri Forslof, manager of security response for TippingPoint. “It’s an incentive issue. The Mac is not as widely deployed of a platform as say Windows,” she said. In this case, the cash may have provided motivation.

Jason Snell contributed to this report.

Subscribe to the Help Desk Newsletter

Comments