Security Researchers Hack Safari in Contest
For the second year running, security researcher Charlie Miller has taken home the top prize at security conference CanSecWest in Vancouver, after successfully hacking a MacBook via Safari. Miller exploited a vulnerability in Safari that allowed him to take control of the computer by having the user click on a malicious link.
Miller had first crack at the MacBook in the PWN2OWN competition, using a vulnerability that he'd previously discovered and tested on his own to compromise the machine, and the contest was over just moments after it had begun on Wednesday. By doing so, Miller takes home a US$5,000 prize and gets to keep the MacBook that he hacked. At the 2008 CanSecWest conference, Miller also won himself a MacBook by hacking Safari, though it wasn't until the second day of the conference, when the rules were relaxed.
Subsequently, a second hacker by the name of Nils managed to exploit Safari with a different vulnerability, netting himself $5,000 (he managed to snag an additional $10,000 for also hacking Internet Explorer 8 and Firefox).
Besides attacking Safari, Firefox, Internet Explorer 8, and Chrome, contestants also have a shot at compromising a variety of mobile platforms for $10,000 per exploit, including Blackberry, Android, Nokia/Symbian, Windows Mobile, and the iPhone.
Security company TippingPoint, one of the conference's sponsors, asks all winners to sign an NDA for the vulnerabilities, then turns the bugs over to the vendors for patching. Plus, as with the computers, the winner gets to keep the hacked device along with a one-year service contract (that's a great angle: congratulations, you've compromised the security of this device; now you get to keep it!).
Thursday is the second day of the competition, in which the rules are opened up to allow exploits by popular technologies such as Flash, Java, .NET, and QuickTime. Day one allowed only exploits via software installed by default with the browsers, though it does include all the most recent patches.