Jennifer LeClaire, newsfactor.com Fri Mar 28, 1:56 PM ET
First he hacked Apple's iPhone. Now he's hacked Apple's MacBook Air. But some analysts are warning not to be quick to judge security based on Charlie Miller's work.
Miller, a researcher at Independent Security Evaluators, won $10,000 and a laptop Thursday at the CanSecWest security conference's Pwn 2 Own hacking contest. He did it by hacking the MacBook Air -- and it took him all of two minutes.
CanSecWest organizers offered a Sony Vaio, Fujitsu U810 and a MacBook as booty for hackers who could find a way to breach security and gain access to the contents of system files using a previously undisclosed zero-day attack. A zero-day attack is the exploitation of unpatched software vulnerabilities.
Picking on Apple
The first day of the contest, hackers were only allowed to hack into the computers over a network. No one was able to claim the prizes. On the second day, the rules changed. Contestants were allowed to use the machines to visit Web sites and open e-mail messages. The new rules were a game-changer for Miller, who almost immediately found a way in.
Miller is familiar with Apple's architecture. He is perhaps best known as one of the first researchers to hack Apple's iPhone. This time around, he hacked the MacBook Air by visiting a Web site with exploit code he created. That code allowed him to take control of the computer as onlookers enjoyed the show. Jake Honoroff and Mark Daniel were on the Miller team from Independent Security Evaluators.
"They were able to exploit a brand-new zero-day vulnerability in Apple's Safari Web browser. Coincidentally, Apple has just started to ship Safari to some Windows machines through its iTunes update service. The vulnerability has been acquired by the Zero-Day Initiative, and has been responsibly disclosed to Apple, who is now working on the issue," according to the TippingPoint DVLabs blog. TippingPoint sponsored the contest.
Until Apple releases a patch for this issue, TippingPoint said neither the company nor the contestants will offer additional information about the vulnerability. Apple could not immediately be reached for comment.
Missing the Security Point?
"Contest results like these are not indicative of how generally secure any of these devices or their respective browsers are," said Mike Haro, a senior security analyst at Sophos, referring to Windows Vista and Ubuntu machines that were also part of the contest. "Anyone looking to draw conclusions about the inherent security of Apple's MacBook Air based on this contest is missing the point."
The point is that browsers continue to be a major security issue. Browsers are the vector through which attackers lure victims to Web sites that contain malicious code. And dangerous flaws have been turning up in the Safari browser lately -- for both Mac and Windows.
Indeed, Miller's hack into a MacBook Air could just as easily have been into a PC running Windows and Safari. Just this week, Argentinian hacker Juan Pablo Lopez Yacubian discovered two critical flaws in Apple's Safari 3.1 browser for Windows.
