Security Watch

Keeping track of patches and hacks in the IT security world.

Unpatched Macs Snatched from Hackers' Clasp

Two shiny, new and delightfully unpatched Mac systems were sitting ducks at the CanSecWest security conference on April 19, while top-notch hackers were clustered in hotel rooms, frantically trying to remotely pwn the systems before the show organizers had a chance to apply 25 patches Apple released on the same day.

Apple released the security patches for Mac OS X and then made a beeline to the phone to inform the organizers of CanSecWest, where, as Apple was well aware, a "pwn-2-own" contest was ongoing.

To the dismay of conference hackers, CanSecWest organizers beat them to the punch, patching the systems before they were pwned.

(Pwn is a slang term; Wikipedia defines it thus: "...'to compromise' or 'to control', specifically another computer [server or PC], web site, gateway device, or application; it is synonymous with one of the definitions of hacking. An outside party who has 'owned' or 'pwned' a system has obtained unauthorized administrative control of the system." Wikipedia notes that the term is used primarily in the gaming culture, where it is sometimes used for taunting enemies and rubbing in victories; Wikipedia fails to note, however, that the same gleeful needling is employed in hacking circles.)

Winners of the pwn-2-own contest take home either a 2.3GHz 15" MacBook Pro, for which they have to gain remote access as a default user, or a 2.3GHz 17" MacBook Pro if they remotely gain administrative rights and dig out a file at root level. As HD Moore and other famed hackers noted, however, the value of the systems isn't near what a hacker could get by selling a Mac zero-day vulnerability. Therefore, a representative from TippingPoint announced on Thursday that the jackpot had been sweetened by a cash award of $10,000.