Date: Monday, April 23rd, 2007, 08:26
It may not be the news everyone wants to hear where Mac OS X security is concerned, but it’s useful to know either way. One of two “honeypot” MacBook Pro laptops (computers which are set up as challenges) was hacked into at the Canadian CanSecWest security conference.
According to MacNN, a team consisting of Matasano Security researcher Dino Dai Zovi and engineer Shane Macaulay was able to design an exploit for Apple’s Safari web browser and gain user-level access to the Mac OS X operating system. The duo were able to successfully run the hack after the contest host eased the rules and permitted attendees to attack via code sent through malicious web sites instead of trying to enter through Mac OS X itself.
“At this point all we can say is there is an exploitable flaw in Safari which can be triggered within a malicious web page,” they wrote. “Of course all of the latest security patches have been applied. This one is 0day folks.”
The pair is splitting a prize pack of the MacBook Pro used in the exploit and applying for a US$10,000 prize that’s been offered by TippingPoint’s Zero Day Initiative bug bounty program.
Additional details can be found over at the Apple Core blog.