If you take those published reports at face value, the vaunted security of the Mac OS is just an illusion. During the annual Pwn2Own hacking contest this past week, someone easily exploited a supposedly unknown vulnerability in Apple’s Safari on a MacBook Air within a mere two minutes, earning a ten thousand dollar paycheck for his efforts.
Now, because of a nondisclosure agreement, we don’t know just what vulnerability was present in Safari that was handled so easily, but it sounds to me like a put-up job. If you believe the claim, the security flaw was so blatant that it was easily discovered, and that’s extremely unlikely.
Consider that, on the first day of the contest, nobody could remotely attack any of the test computers, which were running the Mac OS, Windows Vista, and Ubuntu Linux. Thus the original $20,000 prize went unclaimed. On day number two, the terms were relaxed, so the participants could actually work directly on the computers to locate and exploit possible vulnerabilities.
Now, that severely lessens the seriousness of the flaws, because it means that you are granted direct access to the computer you’re going to infect, and that greatly reduces the danger. No direct access, no exploit, at least under the terms of this contest.
Although he’s not talking, I really doubt that security researcher Charlie Miller had a sudden flash of inspiration from on high to access a hostile site in Safari and win his ten grand. No way could that possibly happen in a mere two minutes except by a divine or paranormal event. Instead, it’s clear to me that he had previously investigated possible flaws in Mac OS X and had discovered a security leak he could exploit on the spot when the time arrived.
So call it a good sense of timing.