Charlie Miller, a security researcher, who hacked a Macintosh in two minutes last year at CanSecWest’s PWN2OWN contest, improved his time today by breaking into another Macintosh in under 10 seconds.
Miller, an analyst at Independent Security Evaluators in Baltimore, walked off with a $5,000 cash prize and the MacBook he hacked.
“I can’t talk about the details of the vulnerability, but it was a Mac, fully patched, with Safari, fully patched,” said Miller on Wednesday, not long after he had won the prize.
“It probably took five or 10 seconds.” He confirmed that he had researched and written the exploit before he arrived at the challenge.
The PWN2OWN rules stated that the researcher could provide a URL that hosted his exploit, replicating the common hacker tactic of enticing users to malicious sites where they are infected with malware.
“I gave them the link, they clicked on it, and that was it,” said Miller. “I did a few things to show that I had full control of the Mac.”
Two weeks ago, Miller predicted that Safari running on the Macintosh would be the first to fall.
He had called the browser developed by Apple Inc. an easy target. “It might be because I’m biased about the things I’m good at, but it’s the easiest browser [to hack].”
The main reason for this, he suggested, is that Apple’s products are really user friendly, and Safari is designed to handle a broad range of file formats. “With a lot of functionality comes the increased chance of bugs. The more complex software, the less secure it is.”
He said another factor making Safari easy pickings is Apple’s Mac OS X, which lacks the workable defenses found in Windows Vista and Windows 7, including address space randomization — which Microsoft calls “address space layout randomization,” or ASLR.
Put Safari atop Mac OS X, and the target’s too good to pass up, said Miller.
Meanwhile, on Wednesday, PWN2OWN’s sponsor, 3Com Corp.’s TippingPoint unit, paid Miller $5,000 for the rights to the vulnerability he exploited and the exploit code he used.
As it has at past challenges, it reported the vulnerability to on-site Apple representatives. “Apple has it, and they’re working on it,” added Miller.
According to Terri Forslof, manager of security response at TippingPoint, another researcher later broke into a Sony laptop that was running Windows 7 by exploiting a vulnerability in Internet Explorer 8 (IE8).
“Safari and IE both went down,” she said in an e-mail.
Interestingly, earlier this month Miller had also predicted IE8 and Firefox would escape unscathed, based on a quick cost-benefit analysis.
TippingPoint’s Twitter feed added a bit more detail to Forslof’s quick message: “nils just won the sony viao with a brilliant IE8 bug!”Forslof was not immediately available to answer questions about the IE8 exploit.
TippingPoint will continue the PWN2OWN contest through Friday, and will pay $5,000 for each additional bug successfully exploited in Safari, Internet Explorer 8, Firefox or Google’s Chrome.
During the contest, IE8, Firefox and Chrome will be available on the Sony, while Safari and Firefox will be running on the MacBook. The researcher who exploited IE8 will, like Miller, be awarded not only the cash, but also the laptop.
“It was great,” said Miller when asked how it felt to successfully defend his title. “But I was really nervous for some reason this time. Maybe it was because there were more people around. Lucky [the exploit] was idiot-proof, because if I had had to think about it, I don’t know if I’d had anything.”
This year’s PWN2OWN also features a mobile operating system contest that will award a $10,000 cash prize for each vulnerability successfully exploited in five smart phone operating systems: Windows Mobile, Google’s Android, Symbian, and the operating systems used by the iPhone and BlackBerry.
Miller said he won’t enter the mobile contest.
“I can’t break them,” said Miller, who was one of the first researchers to demonstrate an attack on the iPhone in 2007, and last year was the first to reveal a flaw in Android. “I don’t have anything for the iPhone, and I don’t know enough about Google.”
CanSecWest, which opened Monday, runs through Friday in Vancouver, British Columbia.