Vancouver, CANADA -- In the first attempted attack in the PWN2OWN contest, a security analyst breached the defenses of Apple's Mac OS X using a bug in the Safari browser and won $10,000 as well as the computer that he compromised.
Charlie Miller, principal analyst with Independent Security Evaluators and the researcher who found some significant flaws in Apple's iPhone last summer, compromised the Apple MacBook Air in less than a minute. While he refrained from describing the flaw, SecurityFocus learned that the issue affected the Safari browser. Contest officials said that the MacBook Air was running the latest version of Mac OS X, version 10.5.2 or "Leopard."
Miller -- and two colleagues from ISE, Jake Honoroff and Mark Daniel -- worked on the code for exploiting the security issue for about three weeks, he told SecurityFocus.
"I was sort of looking for a while, but as soon as we started looking in a particular (code) area, it didn't take too long," Miller said.
This year's PWN2OWN competition allows contestants the chance to attack one of three laptop computers. ("Pwn" -- slang which means to compromise a system -- is pronounced like "pon" in pony.) Under the competition rules, the attacker selects one of the systems -- running the latest versions of Apple's Mac OS X, Microsoft Windows Vista and Ubuntu Linux -- and gets 30 minutes to compromise the computer. The attacker gets both the system and a cash prize depending on the type of vulnerability they used. The vulnerability exploited by Miller required some user interaction, so he did not qualify for the highest prize of $20,000.
The bug is still very serious, however, resembling the vulnerabilities currently used by many fraudsters to infect the systems of unwary victims with bot software and root kits. The vulnerability requires the same amount of interaction as the flaw in QuickTime's handling of Java that allowed researchers Shane Macaulay and Dino Dai Zovi to win the competition last year. They also got to take home $10,000 and a MacBook.
Terri Forslof, manager of security response for TippingPoint, which sponsored the competition, stated that the company would post more information about the vulnerability on its blog.
If you have tips or insights on this topic, please contact SecurityFocus.
Posted by: Robert Lemos