Up north in Vancouver, the well-known computer security conference CanSecWest got off to an impressive start with its famous Pwn2Own competition. The goal each year is to take down various platforms to highlight their security holes. And this year showed that no matter what you run, you probably are not safe.
For example, German hacker “Nils” managed to take down a Windows 7 PC which was running Firefox. Using a previously unknown hole, he took total control over the PC. Before this, Charlie Miller managed to take down a Mac OS X machine running Safari, and Dutchman Peter Vreugdenhil took down another Windows 7 PC using Internet Explorer 8.
Most disturbing, however, was probably the attack against iPhone users. Two Europeans by the names of Vincenzo Iozzo and Ralf-Philipp Weinmann managed to lead an iPhone to a webpage where in 20 seconds the entire SMS database, including previously deleted messages, was stolen. All of the bugs were reported to the software’s creators by Pwn2Own and won’t be released until they are fixed.
Hacker Charlie Miller has been snooping around Mac OS X, poking at its core elements to see if there are any major flaws in Apple’s security net. In his attempts to remotely control OS X machines and steal various files from them, it appears he has racked up quite a list of problems. Having rounded up no fewer than 20 holes, he is planning to report on them at the upcoming CanSecWest security conference in Canada. He has made several appearances there before, showing multiple flaws in Apple’s OS.
Ultimately, Miller points out that there are multiple elements in Mac OS X that put it at risk: a combination of open-source components, third-party closed-source apps, and Apple’s closed-source pieces. He sums it up with the sentiment, “Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town.” In other words, Mac users: be grateful you are such a small demographic, because otherwise you would run a serious risk of being hacked.