Safari, iPhone hacked on first day of Pwn2Own contest
By Lex Friedman, Macworld
Apple’s Safari browser got hacked on both Snow Leopard and the iPhone during the first day of the annual Pwn2Own contest, where security specialists can win the hardware they successfully attack. As CNet reports, security analyst Charlie Miller won $10,000 after remotely exploiting Safari on a MacBook Pro.
Victory was both sweet and familiar for Miller, the principal security analyst for Independent Security Evaluators, since he had successfully exploited Safari in the contest’s 2009 and 2008 iterations. He’s keeping the exact mechanics of this year’s attack under wraps at the moment, but indicated that merely having the target computer visit a specially crafted Website was enough to trigger the exploit, granting him command-line access to the Mac. The Pwn2Own sponsor, TippingPoint’s Zero Day Initiative, shares information on exploits with the vendors involved, to give them an opportunity to patch the vulnerabilities.
The iPhone, meanwhile, was felled by Vincenzo Iozzo from Zynamics and Ralf Philipp Weinmann from the University of Luxembourg, who will split the $15,000 prize for hacking the device. (Each should also earn an award for having uniquely challenging names.)
The iPhone hack also started with a Website containing malicious code; the attack forwards the contents of “the local SMS database of the phone to the server we control,” Weinmann told CNet.
Hackers also successfully attacked Internet Explorer 8 and Firefox—both running on Windows 7—at the event.