At the CanSecWest security conference currently taking place in Vancouver, British Columbia, a contest is taking place to see if two MacBook Pro’s with the latest OS X version and patches installed can be hacked. There is a $10,000 bounty for successful attacks. The rules are:
1. The first winning hack requires a attacker to get a shell with user level privileges.
2. The second winning hack requires the same plus the attacker needs to get root privileges. The second hack cannot use the same exploit as the first.
Results:
The first MacBook Pro has been successfully attacked by taking advantage of a flaw in Safari which can be triggered with a malicious web page. It appears this is a zero-day exploit with no known patch at this time.
No word yet of a successful attack gaining root level access.
UPDATE: Apple released a version/patch today (Quicktime 7.1.6), 1 May 2007, that plugged the security flaw of Quicktime, not Safari as originally reported, that allowed the successful attacked noted above.
Technorati Tags: apple, hacked, mac, osx, security