Security Bytes

Mar 28 2008   11:24AM GMT

New Apple Air notebook vaporized in PWN2OWN contest

David Schneier

Apple is claiming that its new Air is the world’s thinnest notebook PC. Luckily, it didn’t make any claims about the new machine’s security, because it only took Charlie Miller of Independent Security Evaluators a few minutes on Thursday to gain control of a new Air in the annual Pwn2Own hacking contest at CanSecWest. Miller was able to exploit an unpatched vulnerability in Apple’s Safari browser to compromise the notebook, winning himself a $10,000 prize, as well as the Air itself. Not a bad haul for a few minutes of work.

This year’s contest is a bit different from last year’s edition, in that there are three separate machines up for grabs. In addition to the Air, TippingPoint, which sponsors the contest, put up two other machines, one each running Vista and Ubuntu. After Miller cracked the laptop, he turned over details of the attack to TippingPoint, which disclosed it to Apple.

2  Comments on this Post

 
  • David Schneier
    "A few minutes of work" is quite the overstatement. While an exploit may run within a few minutes, the preparation behind it is generally not trivial. You might also mention that the exploit came on the second day of the contest, after the rules were relaxed. Or you might not, since it seems there isn't a great deal of concern for responsible journalism. It's easy to write and gloat about successful exploits. However, it may interest you to know that the actual vulnerability was part of the PCRE project (pcre.org) and not Apple-written code. I'm sure they're miffed that they missed the exploit regardless, but it's still an interesting detail that nobody has cared to learn or report. Huh. At any rate, putting "vaporized" in the headline should bring some sensationalism and drive web traffic. Well done you.
  • David Schneier
    No surprises here given the complete denial of security risks by Apple. We are just waiting for a major virus to target Apple and the class action lawsuit following that. I will have my recording of the Apple store guys saying "Security is not an issue on a Mac" ready to cash in.