Katie MarsalOn the first day of the competition based in Vancouver, British Columbia, Canada, researchers found a way to take advantage of Apple's Safari browser in Mac OS X 10.6 Snow Leopard, its latest operating system, according to CNet.
Unsurprisingly, Charlie Miller, principal security analyst with Independent Security Evaluators, took home the $10,000 prize after he hacked Safari on a MacBook Pro without having access to the machine. He's the same researcher who cracked Safari in Mac OS X last year, taking home the $5,000 prize. He also hacked a MacBook Air in 2008 at the competition.
Miller has also repeatedly said that he believes Macs are a safer alternative to Windows PCs for average users. He cited the lack of malware on the Mac platform as the principal reason for his recommendation.
Last year Miller also discovered an SMS hack in the iPhone that Apple quickly patched after it was made public. But researchers at this year's Pwn2Own found yet another SMS hack to take home a $15,000 prize.
Ralf-Phillip Weinmann, from the University of Luxembourg, and Vincenzo Iozzo, from German company gained access to an iPhone that was not "jailbroken," a procedure that allows users to run unauthorized code and unlock the handset for use on unapproved carriers.
By making a user visit a malicious Web site, the exploit allowed the researchers to access the phone's entire database of text messages, including deleted ones. The two wrote the hack in about two weeks, and the data was received in the competition in under 20 seconds.
The two said the hack could be modified to allow access to more data, such as contacts and photos. The transfer takes place without the victim ever knowing they have been hacked.
By accepting prizes at the Pwn2Own competition, put on by TippingPoint, the exploited methods are revealed only to the affected company so that they can patch the exploits.
Also hacked in this year's competition was Microsoft's Internet Explorer 8 browser. Peter Vreugdenhill, an independent security researcher from the Netherlands, took home a $10,000 prize by taking advantage of two vulnerabilities for a four-part hack that compromised the user's system.
Another person who went solely by Nils, the head of research MWR InfoSecurity in the U.K., discovered an exploit in Firefox in the 64-bit version of Windows 7. He took home a $10,000 prize.
William Gallagher
Christine McKee
AppleInsider Staff
Chip Loder
Malcolm Owen
134 Comments
It happens every year. it doesn't mean any more than it did the first time.
What counts is what's actually in the wild.
Hackers in these contests pick Apple products to attack first in order to maximize publicity. The fact that hacking a Mac is so popular at these events, combined with the fact that zero self-propagating viruses have ever successfully attacked OS X users in the wild in over 9 years speaks volumes.
It happens every year. it doesn't mean any more than it did the first time.
What counts is what's actually in the wild.
Actually, I believe this is the first year the iPhone was pwnd.
Every browser (except chrome, evidently) has been pwnd pretty much every year.
Macs are more secure by a combination of superior security architecture (vs. MS) and smaller market share (less desirable target). Security by obscurity is not security tho'.
And Macs are just as susceptible to social engineering attacks as other platforms. The nasty payloads just haven't targeted the Mac community yet.
Problem is that this isn't really a true test of how easy it is to hack a Mac. I mean it took them two weeks prior to develop the exploits. NONE of the Mac hacks were done on the spot and some of the hacks won't work anyway because the latest patches fixed that.
No, what would be a true test would be if no one was allowed to bring anything, were not allowed to access a machine for a month prior to the contest, and then perform hacks onsite only. That would be a true test.
Hackers in these contests pick Apple products to attack first in order to maximize publicity.
I thought they picked Apple products because, if you hack it, you get the hardware.
I thought they picked Apple products because, if you hack it, you get the hardware.
That's also a plus.
Anyway, if a hacker has physical access to the machine, all bets are off.