Hacker breaks into Mac at Security Conference Via Zero-Day Hole in Safari

Apple's MacBook

Hackers Dino Dai Zovi and Shane Macaulay teamed up to successfully break into a Mac, winning a US$10,000 prize as part of a contest organized at the CanSecWest security conference in Vancouver.

Macaulay, a software engineer, was able to hack into a MacBook through a zero-day security hole in Apple’s Safari browser. The computer was one of two offered as a prize in the “PWN to Own” hack-a-Mac contest at the CanSecWest conference here.

The successful attack on the second and final day of the contest required a conference organizer to surf to a malicious Web site using Safari on the MacBook, a type of attack familiar to Windows users. CanSecWest organizers relaxed the rules Friday after nobody at the event had breached either of the Macs on the previous day.

Macaulay teamed with Dino Dai Zovi, a security researcher until recently with Matasano Security. Dai Zovi, who has previously been credited by Apple for finding flaws in Mac software, found the Safari vulnerability and wrote the exploit overnight in about 9 hours, he said.

“The vulnerability and the exploit are mine,” Dai Zovi said in a telephone interview from New York. “Shane is my man on the ground.”

The conference organizers offered the contest in part to draw attention to possible security shortcomings in Macs. Dragos Ruiu, the organizer of security conferences including CanSecWest, said, “You see a lot of people running OS X saying it’s so secure and frankly Microsoft is putting more work into security than Apple has.”

Initially, the contest was open only to conference attendees, who were invited to try to break into the machines through a wireless access point. However, on Thursday evening, 3Com Corp.’s TippingPoint division put up the cash prize and put the machines online so that anyone could participate.

The name of the winner has not yet been announced; however, it is surely someone among those attending the conference in Vancouver.

The contest was an opportunity for hackers to showcase techniques they may have boasted about. “I hear a lot of people bragging about how easy it is to break into Macs,” Ruiu said.

On Thursday, Apple released a patch for 25 vulnerabilities in OS X and a few attendees didn’t consider the release a coincidence.

In fact, Macs haven’t historically been targets for hackers and malicious code writers nearly to the degree that Windows machines have. One major reason is that fewer Macs are in use, which makes the potential impact of malicious code smaller than on the more widely used PCs.

Furthermore, Apple is “extremely litigious when people do find stuff,” noted Theo de Raadt, OpenBSD project leader and an attendee at the conference. He suspects that will backfire on Apple, which could begin to “look evil” if hackers begin to publish potentially threatening letters from the company.