New Safari Vulnerability Discovered at CanSecWest
Written by Kevin Fordham
A new 0day vulnerability was recently discovered in Safari at the CanSecWest security conference in Vancouver, Canada. Charlie Miller, Jake Honoroff, and Mark Daniel of Independent Security Evaluators were able to gain control of a MacBook Air on the second day of the hacking competition. In addition to trying to hack OS X, teams were also trying to hack Windows Vista and Ubuntu Linux. The MacBook Air was the first of the three systems to be hacked.
The hacking contest began Wednesday, when hacks were limited to over-the-network techniques. On that first day, no computers were hacked. It wasn’t until the second day that the MacBook Air was hacked, in less than two minutes. On the second day, the rules were changed to allow attacks delivered via a website or email.
The Safari attack required the judges to browse to a website hosting the malicious code. Once the judges visited the website, the team was able to retrieve a file from the MacBook Air.
The ISE team immediately signed a nondisclosure agreement relating to the vulnerability. TippingPoint, the contest sponsor, said Apple has been informed of the vulnerability. Last year’s contest was won by a QuickTime vulnerability, which was patched by Apple within two weeks. No word on what version of Safari was used in the attack.
[Via CNET]