dcsimg
 

Macs Not Bulletproof, Security Researcher Proves

By Charlene O'Hanlon  |  Print this article Print
 
 
 
 
 
 
 

WEBINAR:
On-Demand

Re-Imagining Linux Platforms to Meet the Needs of Cloud Service Providers


Security researcher Charlie Miller successfully takes control of a Mac using a known vulnerability in Safari, Apple's default browser.

Macintosh users have the distinction of being the only group of computer users who honestly believe their computers are secure from malware and attacks.

And then every once in a while, someone comes along and blows that belief right out of the water.

At the CanSecWest conference in Vancouver, British Columbia, March 18, security researcher Charlie Miller exploited a vulnerability in Safari, the default Web browser in Macs, that enabled him to take control of the computer via a malicious link—he just needed a vulnerable user on the other side to click on the link, and bam! He was in.

Miller showed his chops at the conference’s PWN2OWN competition, which he also won last year by exploiting a vulnerability he had already discovered but hadn’t yet alerted Apple about (in truth, all contestants start the competition with knowledge of a vulnerability that they previously discovered—it saves time). As the winner, he takes home $5,000 and the machine he successful hacked.

This year’s PWN2OWN competition pitted two machines—a Sony Vaio PC running a prerelease Windows 7 beta with Internet Explorer 8, Firefox and Google's new Chrome browsers; and a MacBook running Safari and Firefox.

The contest, which was sponsored by TippingPoint, actually helps the vendors by alerting them of vulnerabilities. Winners are asked to sign a confidentiality agreement regarding the vulnerabilities, and TippingPoint then turns over the information to the vendors for patching.

A second security researcher, "Nils," successfully hacked Internet Explorer 8, performing a download attack to take full control of the Sony Vaio PC. Nils also had successfully hacked Safari shortly after Miller through a separate vulnerability. For both hacks—and one on Firefox through a zero-day flaw—he walked away with $15,000 total.

The competition continues March 19, with contestants trying to exploit vulnerabilities in other technologies such as Flash, Java, .NET and QuickTime.

 


 
 
 
 
 
 
 
 
 
























By submitting your information, you agree that channelinsider.com may send you channelinsider offers via email, phone and text message, as well as email offers about other products and services that channelinsider believes may be of interest to you. channelinsider will process your information in accordance with the Quinstreet Privacy Policy.

 
 
 
 
 
 

Submit a Comment

Loading Comments...
























By submitting your information, you agree that channelinsider.com may send you channelinsider offers via email, phone and text message, as well as email offers about other products and services that channelinsider believes may be of interest to you. channelinsider will process your information in accordance with the Quinstreet Privacy Policy.

 
 
 
 
 
 
 
 
 
Thanks for your registration, follow us on our social networks to keep up-to-date