Safari Zero-Day Exploit — Links Worth Checking

Hacking stories bore me to tears, but the cleverly named “pwn-2-own” hacking competition (hack one of the contest MacBook Pros and keep it as the prize) is getting so much attention that it’s worth pointing to some of the better reporting on the subject:
Dan Goodin at The Register:

A New York-based security researcher spent less than 12 hours identifying and exploiting a zero-day vulnerability in Apple’s Safari browser that allowed him to remotely gain full user rights to the hacked machine. The feat came during the second and final day of the CanSecWest “pwn-2-own” contest, in which participants are able to walk away with a fully-patched MacBook Pro if they are first able to hack it.

Dai Zovi, who is not attending the conference, was recruited on Thursday night by Shane Macaulay, a friend and conference attendee. The ease with which Dai Zovi pwned the machine was all the more remarkable, given an update Apple pushed out yesterday patching 25 Mac security holes. Macaulay described Dai Zovi’s vulnerability as a client-side JavaScript error that executed arbitrary code when Safari visited a booby-trapped website.

Thomas Ptacek at Matasano:

Turn off Java; to be safe, until Dino lets us say more, turn off everything else too. Or live dangerously like me.

Charles Jade at Ars Technica:

… huge numbers of pundits and anonymous nerds on the Internet will decry Apple’s lack of security and how unfair it is that Microsoft, which expends so much effort on security, is perceived as having a less secure OS. Meanwhile, Mac users will rationalize the situation, including me.
