Posts with tag safari
And just think -- last year you were singing Dino Dai Zovi's praises for taking control of a MacBook Pro in nine whole hours. This year, the PWN 2 OWN hacking competition at CanSecWest was over nearly as quickly as the second day started, as famed iPhone hacker Charlie Miller showed the MacBook Air on display who its father really was. Apparently Mr. Miller visited a website which contained his exploit code (presumably via a crossover cable connected to a nearby MacBook), which then "allowed him to seize control of the computer, as about 20 onlookers [read: unashamed nerds] cheered him on." Of note, contestants could only use software that came pre-loaded on the OS, so obviously it was Safari that fell victim here. Nevertheless, he was forced to sign a nondisclosure agreement that'll keep him quiet until "TippingPoint can notify the vendor," but at least he'll have $10,000 and a new laptop to cuddle with during his silent spell.
New iPhone and iPod touch Safari exploit discovered
It's difficult to tell if this is just a little fear-mongering, or cause for real concern, but it looks like there's another iPhone / touch exploit out there lurking on the unseen horizons of those devices' browsers. According to reports, a memory exploit -- similar to the previously-patched TIFF exploit -- has been discovered which affects units with firmware 1.0.2 all the way up to 1.1.3, thus carrying over to new 16GB iPhones and 32GB touches. Apparently, all you have to do is browse over to a site containing the malicious code, and it triggers a memory-exhausting script which causes the phone or iPod to crash. At this point, it doesn't appear to be anything more than a nuisance which can be easily circumvented by disabling JavaScript for Safari, though that hardly qualifies as a fix. To date, Apple hasn't issued a patch for the problem, but keep in mind it's only been a known issue since January 24th. [Via iPhone World]
Firm brings SideShow to Windows Mobile, iPhone

Read - SideShow on the iPhone
Read - Go Gadgets for Windows Mobile
Safari exploit gives hackers full control over iPhones and possibly PCs and Macs
Oops, researchers just unveiled a pretty serious security vulnerability in the iPhone. More specifically, it's Apple's Safari web browser which exhibits the vulnerability. Researchers at Independent Security Evaluators have used the vulnerability to take malicious control of the iPhone from rogue websites loaded with the exploit. Once in, researchers have full administrative access over the phone, allowing them to listen in on room audio or snatch the SMS log, address book, call history, email passwords and more -- we're talking full access to your phone. Researchers note that the only way to stay safe is to check those URLs and only visit sites that you trust (which isn't very reassuring), and that the flaw "may or may not be exploitable" from Mac and PC versions of Safari -- the same vulnerability exists, only they haven't written the proof-of-concept exploit to test it yet. Apple has been notified of the vulnerability and a proposed fix, with full public disclosure coming at the BlackHat conference on August 2nd. You listening, InfoSec Sellout? That's how you report a bug. Check the exploit in video form after the break. [Via MacRumors]
Apple releases Windows Safari 3.0.1, squishes security bugs
Looks like Apple's issued a new version of the public beta of Safari for Windows today -- highest on the list of fixes were patches for the three separate security vulnerabilities that cropped up mere hours after launch. There's never any software that's 100% secure, but at least now it's that much safer for Windows users to go hunting wild internet on Safari 3.0.1. (Details on the fixes after the break.) Update: Wow, just 48 hours after launch and already Apple's clocked in over a million Safari for Windows downloads. Info here. Let's just hope the next million downloads are from users snagging the 3.0.1 update.
Apple's Safari a Windows security risk?
As you've probably heard by now, Apple has rekindled the browser wars by releasing a beta of their Safari web browser for Microsoft Windows. Already, security vulnerabilities have been revealed within just a few hours of release. So far we're seeing a handful of denial-of-service bugs and at least two issues with Apple's code that would allow remote execution by a rogue host. Sure, some of the most visible claims come from the David Maynor who (in)famously called out Apple with a MacBook WiFi hack only to be disemboweled by the hordes of Mac faithful. Still, we're talking pre-release code, so what do you expect? Besides, what better way to undermine an enemy than to present a concealed weapon in the form of a gift?
Safari 3 for Windows
Sign one more up for the browser war: Apple is shipping the third version of its well-received Safari WebKit-based browser over to foreign shores to duke it out with the likes of IE, Firefox and Opera... on Windows. The Mac-only browser has already attained a 5% market share, and it seems the Apple folks plan to use it in much the same way they've used iTunes to grow the Mac fanbase by giving Windows users "a glass of ice water to somebody in hell!" Apple claims their browser is up to twice as fast as the competition, and the public beta of Safari 3 is being released today as a free download for Mac OS X, Windows XP and Windows Vista.
Apple issues fix for recently discovered QuickTime flaw
Just over a week after a dubious duo found a way to commandeer a Mac thanks to an elusive flaw in QuickTime (of all things), Apple's security police have purportedly fixed the flaw and issued an update. Apparently, the hole could be "exploited through a rigged website and let an attacker control computers running both Mac OS X and Windows," and the firm elaborated by stating that a "maliciously crafted Java applet could lead to arbitrary code execution" if users didn't apply the patch. The newest version of QuickTime now sits at 7.1.6, and reportedly "repairs the problem by performing additional checking," and interestingly enough, Apple seemingly tipped its hat to Dino Dai Zovi and the TippingPoint Zero Day Initiative for reporting the issue. So make sure you fire up that Software Update today if you haven't already -- a presumably small bundle of downloadable joy should be waiting.
Safari browser exploit produced within 9 hours in hacking competition
Shane Macaulay and Dino Dai Zovi, a software engineer and security researcher taking part in the brilliantly named "PWN to Own" Hack-a-Mac contest at the CanSecWest conference in Vancouver, managed to hack into and take control of a MacBook by finding a security exploit that takes advantage of an open Safari browser window. Shane and his teammate Dino won the prize of a brand new MacBook -- presumably loaded with Firefox or some other browser variant -- for managing to find the hole on the second and final day of the contest. The hack wasn't exactly a breeze, since the pair admitted to a total of 9 hours in order to find and exploit the weakness. Apple has patched OS X four times over the last year to fix dozens of security updates, and only regurgitated the corporate line when asked for comment on this particular vulnerability. ("Apple takes security very seriously", well duh!) Even with the recent arousal of interest in Mac OS security, the world has yet to see any kind of exploit released into the wild world web; when / if one does, we'd probably expect the most damaging exploit to use good ol' social engineering rather than a complicated hack like this. Still, Mac users should take some form of satisfaction from knowing that the issue of Mac security is being investigated, rather than being taken for granted.