TippingPoint Digital Vaccine Laboratories

PWN to OWN Day Two: First Winner Emerges! (updated)

Congratulations to our first winner of the CanSecWest PWN to OWN contest! At 12:38pm local time, the team of Charlie Miller, Jake Honoroff, and Mark Daniel from Independent Security Evaluators successfully compromised the Apple MacBook Air, winning the laptop and $10,000 from TippingPoint's Zero Day Initiative. They were able to exploit a brand new 0day vulnerability in Apple's Safari web browser. Coincidentally, Apple has just started to ship Safari to some Windows machines with its iTunes update service. The vulnerability has been acquired by the Zero Day Initiative and has been responsibly disclosed to Apple, which is now working on the issue. Until Apple releases a patch for this issue, neither we nor the contestants will be giving out any additional information about the vulnerability. You can track the vulnerability on the Zero Day Initiative upcoming advisories page under ZDI-CAN-303.

Here's a picture of Charlie (in the foreground) exploiting the MacBook Air from his own laptop, while Aaron from TippingPoint verifies the pwnage in real time.



We'll update this blog posting in the event another winner emerges today for the Vista or Ubuntu laptops that remain standing.  Stay tuned...

Update 5:45pm PST - The contest is officially over for today.  Check back tomorrow to see how the Vista and Ubuntu laptops fare.

Update March 28th - The third and final day's PWN to OWN contest updates will be available here.

Update March 31st - added the below YouTube video link:

Tags: cansecwest,pwn2own
Published On: 2008-03-27 16:40:05

Comments

  1. John commented on 2008-03-27 @ 18:06

    Are all three laptops being hacked at the same time or one by one?

  2. ZDI commented on 2008-03-27 @ 18:41

    Each of the laptops is open to contestants to exploit in parallel. The full rules are available here: http://tinyurl.com/yqucbf

  3. Ed commented on 2008-03-27 @ 19:02

    I looked at front page but could not find this question. Was the Mac platform on the CURRENT version (3.1) of Safari?

  4. ZDI commented on 2008-03-27 @ 19:04

    Ed, yes, each machine is fully patched and the applications on them are the latest versions.

  5. Anonymous commented on 2008-03-27 @ 22:31

    Ok, this is a new vulnerability, but looking at that list there are many listed unfixed vulnerabilities. Does that mean that there are known vulnerabilities on the platforms that are not candidates for the contest because they are old but unfixed?

  6. java.ph commented on 2008-03-27 @ 22:41

    Hi,
    Is it right to assume that the MBA was running Leopard (10.5.2)?
    Thanks.

  7. Vulto commented on 2008-03-28 @ 06:38

    I think many people were expecting that already. I think it will be difficult to hack the Vista machine, which is recently new, and IE 7 looks like it is more secure than ever... I will probably put a bet that for every contest like this the Mac will always be the first to beat.

  8. Igor commented on 2008-03-28 @ 06:40

    Did he not work on this vulnerability for three(?) weeks and just waited for the competition to show it? Doesn't sound like "on the spot cracking" really!

  9. NecroMage commented on 2008-03-28 @ 09:07

    It will be interesting to see if the compromise was like last year's with Safari, using Java and, I believe, QuickTime. Not sure on the QuickTime part. Someone correct me if I am wrong.

  10. Anonymous commented on 2008-03-28 @ 12:21

    According to TheRegister.com the second day of the competition it was opened up to browsers, mail applications and other core applications. And that on day 3 it will be opened up to other software such as Skype, QuickTime and browser plugins.

  11. Garrett Gee commented on 2008-03-28 @ 12:36

    Check out my picture of Charlie in hacking mode at http://infosecevents.net/2008/03/27/cansecwest-day-2-recap/

  12. rsfinn commented on 2008-03-28 @ 12:38

    Your photo caption is not very clear: I don't know what Charlie Miller looks like, but the person in the foreground is clearly not sitting at a MacBook Air.

  13. ZDI commented on 2008-03-28 @ 12:39

    rsfinn, sorry for the caption confusion, we modified it accordingly. Charlie was using his own laptop to exploit the MacBook Air - Aaron from TippingPoint is actually verifying the exploitation on the MBA itself.

  14. Claude commented on 2008-03-28 @ 15:47

    It's PWN to OWN after all, of course the Mac will go first; no one wants to OWN a PC when you can have the latest Mac!

  15. JustMe commented on 2008-03-28 @ 21:23

    [SNIP]
    I think many people were expecting that already. I think it will be difficult to hack the Vista machine, which is recently new, and IE 7 looks like it is more secure than ever... I will probably put a bet that for every contest like this the Mac will always be the first to beat.
    [/SNIP]

    Yeah I agree with the above - Vista + IE 7 will be much harder to hack. However, the reason will be due to hacker frustration when Vista's UAC relentlessly keeps asking:

    "You are about to exploit a critical Vista security flaw ... Cancel or Allow?"

  16. Anonymous commented on 2008-03-29 @ 11:14

    Can anyone say whether Ubuntu was actually attacked at any point, or was it a case of going for the more known exploit?

  17. Anonymous commented on 2008-03-29 @ 14:13

    I'm not seeing any details about how the hacker "tricked" someone into visiting a malicious website. Considering that was instrumental to the hack, I feel we need more details. I don't think I've ever been tricked into visiting websites; I read the same few reliable sites every day (other than this one :).

  18. Anonymous commented on 2008-04-05 @ 04:35

    What exactly did they accomplish? "hacked" is quite a broad term. I can hack a cigarette machine into giving me a free pack of smokes.

    What was hacked? What did they get? There isn't much information posted.

  19. How To commented on 2008-09-04 @ 23:56

    Congratulations again guys, how can I participate in this?
    Regards

  20. Pedram Amini commented on 2008-09-10 @ 11:08

    @HowTo: You can participate next time we run a similar contest, check back on our blog for future announcements.


Links To This Post

  1. PWN 2 OWN over: MacBook Air gets seized in 2 minutes flat | orange tech blog
    linked on 2008-03-28 @ 00:54

    ... CanSecWest was over almost as swiftly as the second day started, as famed iPhone hacker Charlie Miller showed the MacBook Air on display who its father really was. Apparently Mr. Miller visited a website which contained his exploit code (presumably via a crossover cable connected to a nearby MacBook), which then “allowed him to seize control of the computer, as about 20 onlookers [read: unashamed nerds] cheered him on.” Of note, contestants could only use software that came pre-loaded on the OS, so obviously it was Safari that fell victim here. Nevertheless, he was forced to sign a nondisclosure agreement that’ll keep him quiet until “TippingPoint can notify the vendor,” but at least he’ll have $10,000 and a new laptop to cuddle with during his silent spell. ...

  2. pwn2own Confirmation: 0day in Safari « lucky13
    linked on 2008-03-27 @ 18:27

    PWN to OWN Day Two: First Winner Emerges!: They were able to exploit a brand new 0day vulnerability in Apple’s Safari web browser. Coincidentally, Apple has just started to ship Safari to some Windows machines, with its iTunes update service. The vulnerability has been acquired by the Zero Day Initiative, and has been responsibly disclosed to Apple who is now working on the issue.

  3. Liminal states » Blog Archive » Macbook Air pwned and owned — in two minutes!
    linked on 2008-03-27 @ 18:42

    Tipping Point’s Zero Day Initiative blog has more, with yet another spelling of the contest name: Congratulations to our first winner of the CanSecWest PWN to OWN contest! At 12:38pm local time, the team of Charlie Miller, Jake Honoroff, and Mark Daniel from Independent Security Evaluators have successfully compromised ...

  4. MacBook Air hacked in security contest « IT Spot
    linked on 2008-03-27 @ 18:46

    The team had attack code already set up on a Web site, and was able to gain access to the MacBook Air and retrieve a file after judges were “tricked” into visiting the site. According to the TippingPoint DVLabs blog, a newly discovered vulnerability in Safari was used to gain control of the Air.

  5. CanSecWest: Day 2 Recap | Infosec Events
    linked on 2008-03-28 @ 03:22

    Right after the vulnerability was confirmed by TippingPoint, I posted a message to twitter. And within the hour, Robert McMillan from IDG and Dan Goodin from The Register posted articles. From there, sites like Engadget, Slashdot, TUAW, and many others picked up on the story.

  6. Mac easiest to hack, says $10,000 winner | InfoWorld | News | 2008-03-28 | By Gregg Keizer, Computerworld
    linked on 2008-03-28 @ 20:02

    ... Zero Day Initiative (ZDI) bug-bounty program, said yesterday that it has reported the Safari flaw to Apple. "Until Apple releases a patch for this issue, neither we nor the contestants will be giving out any additional information about the vulnerability," TippingPoint said in a statement on its company blog.

  7. Business Technology : Terrifying Computer Owners Part X
    linked on 2008-03-28 @ 05:04

    Which went first? The Mac. Two minutes after contestants were allowed to touch the computers, Charlie Miller directed the Mac to a Web site that automatically installed code on the machine that gave Miller control. Miller won $10,000 and the computer for his efforts. Second and third place will be announced later today.

  8. A tale about security
    linked on 2008-03-28 @ 06:41

    And then there were the bad guys (because a tale always has bad guys), who found a way to break into someone's computer through a bug in the referenced browser. So, the company was/his installing a lock into a lot of personal computers, and someone has just found the master key.

  9. MacBook Air falls in two minutes at PWN 2 OWN | Zero Day | ZDNet.com
    linked on 2008-03-28 @ 07:44

    The Zero Day Initiative has confirmed the winner. In a post, ZDI said: At 12:38pm local time, the team of Charlie Miller, Jake Honoroff, and Mark Daniel from Independent Security Evaluators have successfully compromised the Apple MacBook Air, winning the laptop and $10,000 from TippingPoint’s Zero Day Initiative.  They were able to exploit a brand ...

  10. New Apple Air notebook vaporized in PWN2OWN contest — Security Bytes
    linked on 2008-03-28 @ 10:27

    Apple is claiming that its new Air is the world’s thinnest notebook PC. Luckily, it didn’t make any claims about the new machine’s security, because it only took Charlie Miller of Independent Security Evaluators a few minutes on Thursday to gain control of a new Air in the annual Pwn2Own hacking contest at CanSecWest. Miller was able to exploit an unpatched vulnerability in Apple’s Safari browser to compromise the notebook, winning himself a $10,000 prize, as well as the Air itself. Not a bad haul for a few minutes’ work.

  11. Slashdot: MacBook Air First To Be Compromised In Hacking Contest
    linked on 2008-03-28 @ 08:30

    Multiple readers have written to let us know that the MacBook Air was the first laptop to fall in the CanSecWest hacking contest. The successful hijacking took place only two minutes into the second day of the competition, after the rules had been relaxed to allow the visiting of websites and opening of emails. The TippingPoint blog reveals that the vulnerability was located within Safari, but they won't release specific details until Apple has had a chance to correct the problem. The winner, Charlie Miller, gets to keep the laptop and $10,000. We covered the contest last year, and the results were similar.
