Hacking OSX!!!

Posted in macOS, edited January 2014
"Shane Macaulay just won a MacBook as a prize for successfully hacking OS X at CanSecWest conference in Vancouver, BC. The hack was based on a Safari vulnerability found by Dai Zovi and written in about 9 hours. CanSecWest organizers actually had to relax the contest rules to make the hack possible, because initially nobody at the event could breach the computers under the original restrictions. 'Dai Zovi plans to apply for a $10,000 bug bounty TippingPoint announced on Thursday if a previously unknown Apple bug was used. "Shane can have the laptop, I want the money," Dai Zovi said in a telephone interview from New York. TippingPoint runs the Zero Day Initiative bug bounty program.'"



http://news.com.com/2100-7349_3-6178...-0-5&subj=news

Comments

  • Reply 1 of 4
    And your own comment to this story is??? Mac OS X is not safe?
  • Reply 2 of 4
    towel Posts: 1,479 member
    There was a nice discussion over on /. where it was noted that the "relaxed restrictions" included having the target computer navigate to malicious web pages created by the entrants. This is how the winner eventually won. But we've seen security holes in Safari before that could have been exploited to run arbitrary code (since fixed by Apple), so this is really nothing new. It is categorically not a remote exploit.

    Great summary comment, courtesy RalphBNumbers:
    Quote:

    As I understand it:

    The rules originally required getting a user shell on a macbook connected to a wireless router without any other access, or getting a root shell under the same conditions on a second macbook without using the same bug.

    The prize was the macbook(s) you hacked.

    But they decided not enough people were interested, so 3Com added a $10,000 bounty for a winning bug.

    But no one could crack it, so they set the machine up to visit malicious web pages submitted by email.

    Then someone found a bug in Safari, and successfully crafted a webpage to exploit it to get user shell access.

    More details from The Register, including that the exploitable flaw was actually in JavaScript.
  • Reply 3 of 4
    hiro Posts: 2,663 member
    You couldn't have used any of the other four threads that talked about this since yesterday?
  • Reply 4 of 4
    feartec Posts: 119 member
    NO, I wanted one of my own. Hacking was a passion for me back in the day before I got a life, therefore I felt it deserved a thread all its own.