Macs Not Bulletproof, Security Researcher ProvesBy Charlene O'Hanlon | Posted 2009-03-19 Email Print
Security researcher Charlie Miller successfully takes control of a Mac using a known vulnerability in Safari, Apple's default browser.
Macintosh users have the distinction of being the only group of computer users who honestly believe their computers are secure from malware and attacks.
And then every once in a while, someone comes along and blows that belief right out of the water.
At the CanSecWest conference in Vancouver, British Columbia, March 18, security researcher Charlie Miller exploited a vulnerability in Safari, the default Web browser in Macs, that enabled him to take control of the computer via a malicious link—he just needed a vulnerable user on the other side to click on the link, and bam! He was in.
Miller showed his chops at the conference’s PWN2OWN competition, which he also won last year by exploiting a vulnerability he had already discovered but hadn’t yet alerted Apple about (in truth, all contestants start the competition with knowledge of a vulnerability that they previously discovered—it saves time). As the winner, he takes home $5,000 and the machine he successful hacked.
This year’s PWN2OWN competition pitted two machines—a Sony Vaio PC running a prerelease Windows 7 beta with Internet Explorer 8, Firefox and Google's new Chrome browsers; and a MacBook running Safari and Firefox.
The contest, which was sponsored by TippingPoint, actually helps the vendors by alerting them of vulnerabilities. Winners are asked to sign a confidentiality agreement regarding the vulnerabilities, and TippingPoint then turns over the information to the vendors for patching.
A second security researcher, "Nils," successfully hacked Internet Explorer 8, performing a download attack to take full control of the Sony Vaio PC. Nils also had successfully hacked Safari shortly after Miller through a separate vulnerability. For both hacks—and one on Firefox through a zero-day flaw—he walked away with $15,000 total.
The competition continues March 19, with contestants trying to exploit vulnerabilities in other technologies such as Flash, Java, .NET and QuickTime.