Mac hacked in under 10 seconds at PWN2OWN
By Davey Winder
Thursday, 19 March 2009 17:32
The annual CanSecWest PWN2OWN competition is always guaranteed to grab a few headlines and spark off another OS Wars flame. Last year security researcher Charlie Miller managed to hack a Mac in a rather astonishing two minutes flat.
Although the full extent of what the hack entailed remains a little sketchy, with Miller refusing to reveal the vulnerability details at this time, it is known that both the MacBook and the version of Safari upon it were fully patched and up to date.
The reason for that lack of detail would appear to be wrapped up in the fact that the cash prize also took the form of a payment from the competition sponsor, TippingPoint, for the rights to both the vulnerability details and the code used to exploit it. TippingPoint has passed these on to Apple for further investigation.
Obviously the whole cracked in 10 seconds thing is worrying, but just how worried should you be if you are a Mac or Safari user? Truth be told, I am not convinced that this is as big a deal as it sounds.
Yes, any vulnerability needs investigating. But the under 10 seconds thing was only achieved because Miller simply provided a URL that took the user to the site where the exploit code was hosted. The donkey work had all been done beforehand, in accordance with PWN2OWN rules, which enabled the speed to be achieved.
Miller says that he provided the link, the judges clicked it and he then showed them he had full control of the MacBook concerned.
Windows users need not feel smug: apparently Safari and IE8 on a machine running Windows 7 also fell soon after the winner.