Hacking OSX!!!
"Shane Macaulay just won a MacBook as a prize for successfully hacking OS X at CanSecWest conference in Vancouver, BC. The hack was based on a Safari vulnerability found by Dai Zovi and written in about 9 hours. CanSecWest organizers actually had to relax the contest rules to make the hack possible, because initially nobody at the event could breach the computers under the original restrictions. 'Dai Zovi plans to apply for a $10,000 bug bounty TippingPoint announced on Thursday if a previously unknown Apple bug was used. "Shane can have the laptop, I want the money," Dai Zovi said in a telephone interview from New York. TippingPoint runs the Zero Day Initiative bug bounty program.'"
http://news.com.com/2100-7349_3-6178...-0-5&subj=news
http://news.com.com/2100-7349_3-6178...-0-5&subj=news
Comments
Great summary comment, courtesy RalphBNumbers:
As I understand it:
The rules originally required getting a user shell on a macbook connected to a wireless router without any other access, or getting a root shell under the same conditions on a second macbook without using the same bug.
The prize was the macbook(s) you hacked.
But they decided not enough people were interested, so 3Com added a $10,000 bounty for a winning bug.
But no one could crack it, so they set the machine up to visit malicious web pages submitted by email.
Then someone found a bug in Safari, and successfully crafted a webpage to exploit it to get user shell access.
More details from The Register, including that the exploitable flaw was actually in JavaScript.