Guess what? He’s done it again! This time though he’s even faster clocking in at under 10 seconds. No one else stood a chance. He walked off with the prize again, $5000 and the MacBook that he hacked.

Of course he wrote the exploit before hand, but still impressive!

Charlie Miller, a security researcher who hacked a Macintosh in two minutes last year at CanSecWest’s PWN2OWN contest, improved his time today by breaking into another Macintosh in under 10 seconds.

Miller, an analyst at Independent Security Evaluators in Baltimore, walked off with a $5,000 cash prize and the MacBook he hacked.

“I can’t talk about the details of the vulnerability, but it was a Mac, fully patched, with Safari, fully patched,” said Miller on Wednesday, not long after he had won the prize. “It probably took five or 10 seconds.” He confirmed that he had researched and written the exploit before he arrived at the challenge.

It guess it might be a Safari exploit, but I guess if you keep your ears open you’ll hear about it soon enough.

I wonder if he’ll be able to pull the same trick again next year, with his record so far I’d say it wouldn’t be a large stretch of imagination.

The PWN2OWN rules stated that the researcher could provide a URL that hosted his exploit, replicating the common hacker tactic of enticing users to malicious sites where they are infected with malware. “I gave them the link, they clicked on it, and that was it,” said Miller. “I did a few things to show that I had full control of the Mac.”

Two weeks ago, Miller predicted that Safari running on the Macintosh would be the first to fall.

PWN2OWN’s sponsor, 3Com Corp.’s TippingPoint unit, paid Miller $5,000 for the rights to the vulnerability he exploited and the exploit code he used. As it has at past challenges, it reported the vulnerability to on-site Apple representatives. “Apple has it, and they’re working on it,” added Miller.

Interestingly another researcher later broke into a Sony laptop that was running Windows 7 by exploiting a vulnerability in Internet Explorer 8. So Safari and IE8 both fell!

What with all the claims from Microsoft that IE8 is so secure…I guess that pissed on their bonfire didn’t it?

This year’s PWN2OWN also has a section for mobile operating systems, the prize is larger too at $10,000. If you want to join you can have a crack at Windows Mobile, Google’s Android, Symbian, and the operating systems used by the iPhone and BlackBerry.

Source: Computer World (Thanks Navin)

Once again the Safari option “open ’safe’ files automatically after download” bears the blame. If this facility runs across a shell script that is missing the so-called Shebang-row, the system won’t ask the user whether to execute the file automatically anymore – it’ll just execute it anyways. Unfortunately you can simply rename a shellscript without a Shebang-row to known-good filetype extensions like JPG or PNG and put that renamed script into a ZIP file – zipping as well an administrative file that’ll connect that file with the shell. A target Mac then “knows” automatically how to open that file if it receives that ZIP – it’ll take it as totally normal to execute the “jpg file” with the shell.

To circumvent this issue immediately, you can exercise two countermeasures – the first one is to disable that unsafe option in Safari, the second one is to move the terminal to another place, as the connection between shellscript and terminal has a hardcoded file path to the terminal. Additionally, you should never ever work with administrator privileges – as one should be used to with windoze, this rule of thumb has the same virtues on a Mac as well

Source: 4null4.de

A rare exploit for Mac eh, it is possible to exploit, it’s not just a theory, you can find a proof of concept here:

http://www.mathematik.uni-ulm.de/numerik/staff/lehn/macosx.html

With a Babelfish Translation.