Free Republic

CanSecWest’s $10,000 ‘Hack a Mac’ challenge relaxes barriers, finds exploitable hole in Safari
Mac Daily News | 04/20/2007 - 11:52PM

Posted on 04/20/2007 9:26:48 PM PDT by Swordmaker

After two Apple MacBook Pros survived the first day of CanSecWest's 'PWN to OWN' contest that dared hackers to take control of default Mac OS X installations, CanSecWest earlier today lowered the barriers as planned since "there has not been a successful attack." Both MacBook Pros were connected to a wireless router and with all security updates installed, but without additional security software or settings. The contest's second-day relaxed rules allowed attackers to place exploit code online and launch drive-by exploits on the Mac's built-in Safari browser.

"Time to expand your attack surface," CanSecWest's contest organizers stated. Hackers were invited to email links to organizers who would then visit the hackers' exploit attempts from the target machines using Safari.

Two hours and 24 minutes later, CanSecWest reported, "One OSX box has been owned! At this point all we can say is there is an exploitable flaw in Safari which can be triggered within a malicious web page. Of course all of the latest security patches have been applied. This one is 0day folks. Technical details will be forthcoming as the winner works out the release. There is still one more Mac to go. (the same flaw cannot be used again, but other Safari bugs are allowed)."

"Just to review the rules, the first box required a flaw that allows the attacker to get a shell with user level privileges. The second box, still up for grabs, requires the same, plus the attacker needs to get root," CanSecWest reported.

Full article here.

Joris Evers reports for CNET News, "Shane Macaulay just got himself a free MacBook [Pro]. Macaulay, a software engineer, was able to hack into a MacBook through a zero-day security hole in Apple's Safari browser... The successful attack on the second and final day of the contest required participants to surf to a malicious Web site using Safari--a type of attack familiar to Windows users. CanSecWest organizers relaxed the rules Friday after nobody at the event had breached either of the Macs on the previous day."

Evers reports, "Macaulay teamed with Dino Dai Zovi, a security researcher until recently with Matasano Security. Dai Zovi, who has previously been credited by Apple for finding flaws in Mac software, found the Safari vulnerability and wrote the exploit overnight in about 9 hours, he said. 'The vulnerability and the exploit are mine,' Dai Zovi said. 'Shane is my man on the ground.'

"Dai Zovi plans to apply for a $10,000 bug bounty TippingPoint announced on Thursday if a previously unknown Apple bug was used. 'Shane can have the laptop, I want the money,' Dai Zovi said in a telephone interview from New York," Evers reports.

Evers reports, "Apple spokeswoman Lynn Fox declined to comment on the MacBook hack specifically, but provided Apple's standard security comment: 'Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users.'"

Full article here.

"The URL opened a blank page but exposed a vulnerability in input handling in Safari, Comeau said. An attacker could use the vulnerability in a number of ways, but Dai Zovi used it to open a back door that gave him access to anything on the computer, Comeau said," Nancy Gohring reports for IDG News Service. "The vulnerability won't be published. 3Com's TippingPoint division, which put up the cash prize, will handle disclosing it to Apple."

"'Currently, every copy of OS X out there now is vulnerable to this,' said Sean Comeau, one of the organizers of CanSecWest," Gohring reports.

Full article here.

MacDailyNews Take: Our headline is accurate. Some of the articles to which we've linked above have sensationalist headlines and/or contain the usual "Security via Obscurity" myth. As we've seen recently, a handful of iPods running Linux have a proof-of-concept piece of malware. Now, that is "obscure." Obviously, 22 million Mac OS X installs are not "obscure." We expect other articles to incorrectly headline and/or incorrectly report on this story. Prepare for a deluge of FUD, as the thirst in some quarters for Mac OS X to be "hacked" is insatiable.

The bottom line: Apple's Safari web browser has a hole (not the first and probably not the last, by the way) that will not be published and will be disclosed to Apple for fixing. That is the extent of this story as it currently stands.

Presumably, if you use browsers other than Safari (Firefox, for one example) on your Mac or don't visit Dai Zovi's particular web page with Safari, you're invulnerable to this exploit.

We would expect Apple to issue an update for Safari to close this hole ASAP.

Reminder: Apple's Mac OS X Security Configuration Version 10.4 Tiger or Later Second Edition (PDF) provides an overview of features in Mac OS X that can be used to enhance security. It is available here.


TOPICS: Business/Economy; Computers/Internet

1 posted on 04/20/2007 9:26:55 PM PDT by Swordmaker
[ Post Reply | Private Reply | View Replies]

To: 1234; 6SJ7; Abundy; Action-America; af_vet_rr; afnamvet; akatel; Alexander Rubin; Amadeo; ...
Hack a Mac finds a hole in Safari after rules and security lowered... PING!

Both Macs survive first 24 hours... Next 24 hours allows hackers to send a URL to the Mac users who will then navigate to that site. Almost 3 hours into the new rules, one Mac allowed a hacker a current user level access!

Exploit requires navigation to a malicious website... no other information being released. All versions of Safari and OS X are vulnerable.

If you want on or off the Mac Ping List, Freepmail me.

2 posted on 04/20/2007 9:30:32 PM PDT by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Swordmaker

The only reason the MAC has not been hacked; all the hacking resources have been aimed toward MS. Sounds like life as we know it is about to change.


3 posted on 04/20/2007 9:31:36 PM PDT by doc1019 (Fred Thompson '08)
[ Post Reply | Private Reply | To 1 | View Replies]

To: doc1019

Yes and a Saab is more safe than a Yugo because more people drive Yugos. /sarc

Sheesh why in the world do people think engineering matters in buildings, cars, or bridges but not in software...


4 posted on 04/20/2007 9:46:26 PM PDT by N3WBI3 (Light travels faster than sound. This is why some people appear bright until you hear them speak....)
[ Post Reply | Private Reply | To 3 | View Replies]

To: N3WBI3

Only thing I can say … welcome to the wonderful world of “hacking” … no OS is immune.


5 posted on 04/20/2007 9:53:48 PM PDT by doc1019 (Fred Thompson '08)
[ Post Reply | Private Reply | To 4 | View Replies]

To: doc1019
Only thing I can say … welcome to the wonderful world of “hacking” … no OS is immune.

It actually was not the OS that was hacked. Both target MacBook Pros fended off the hackers until the rules were relaxed and the USERS of those computers were required to navigate to a hacker setup malicious webpage... and a newly discovered security vulnerability in the browser application was exploited.

This is being reported to Apple and the application will be patched.

6 posted on 04/20/2007 9:58:03 PM PDT by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE)
[ Post Reply | Private Reply | To 5 | View Replies]

To: Swordmaker

And you're saying that the MAC OS is not hackable? It is totally immune to hacking?


7 posted on 04/20/2007 10:02:33 PM PDT by doc1019 (Fred Thompson '08)
[ Post Reply | Private Reply | To 6 | View Replies]

To: doc1019; Swordmaker
And you're saying that the MAC OS is not hackable? It is totally immune to hacking?

What he's saying is that the Mac users had to roll down their windows, unlock their doors, close their eyes, and drive into a bad neighborhood... where the bad guys got into their car. Hey, did I say 'roll down their windows'? Bwa hahahhhahahhhaha....

8 posted on 04/20/2007 10:12:25 PM PDT by IncPen (The Liberal's Reward is Self Disgust)
[ Post Reply | Private Reply | To 7 | View Replies]

To: doc1019
And you're saying that the MAC OS is not hackable? It is totally immune to hacking?

No. But we have six years and 23,000,000 OS X Macs that have gone unhacked as a statistical population to test against. We now have one Mac that, through an artificial, deliberate set up website, has been breached at the user level access... not root level... through an included application. Is this bad... of course. But the vulnerability will be patched. It has already been transmitted to Apple for correction.

It is important to note that this is an example of why all users should not be running in administrator mode as the default user. If this breached Mac's user was in a standard user mode, then the hacker still would not be able to alter the OS, add or remove applications without the name and password of an administrator, nor, even with the name and password, access any other user's accounts. If the breached Mac's user was in an administrator mode, they still would need the administrator's password to add applications... and even administrator level access would not allow any access to other users' files or accounts.

Should the user have been operating in root mode, which is turned off by default in OSX, then all hell would be out for noon (that's a weird expression, isn't it?) and the hacker would really Pwn to Mac.

9 posted on 04/20/2007 10:15:05 PM PDT by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE)
[ Post Reply | Private Reply | To 7 | View Replies]

To: doc1019

Some are more sikly than others..


10 posted on 04/20/2007 11:25:01 PM PDT by N3WBI3 (Light travels faster than sound. This is why some people appear bright until you hear them speak....)
[ Post Reply | Private Reply | To 5 | View Replies]

To: Swordmaker

I stated earlier I thought someone would be successful, given the gradual widening of the attack surface. Only got User though, my prediction is that nobody gets root unless they seriously relax the security on the target box that’s left.


11 posted on 04/20/2007 11:30:08 PM PDT by antiRepublicrat
[ Post Reply | Private Reply | To 1 | View Replies]

To: Swordmaker
Interesting no details of the 'exploit' are provided. I'm dubious after the previous so-called hacker challenge on OS X where it was later revealed a 3rd party WiFi card had been installed to 'help' the hack.

What are the details on this malicious URL? What if it turns out it is nothing more than an HTML form asking for username and password. If the facilitator on the Mac then dutifully types the information in, is that a hack? I don't think so.

This whole contest is little more than a publicity stunt.

12 posted on 04/21/2007 4:40:38 AM PDT by 6SJ7
[ Post Reply | Private Reply | To 1 | View Replies]

To: doc1019

Nobody said that it is totally immune to hacking.

While it is true that the shell was accessed, the access is only for THAT account. Not the whole machine. And, if you read the article, definitely not as root. So, if you use Safari and you have a ‘regular’ user account that does not have ‘administrator rights’, the damage will be kept to that account and not compromise the entire OS.

In the contest - there are 2 macs up for grabs. The second is still not hacked. Which, if these were windows machines, the machines would have been compromised long ago.

The security updates the article talks about have nothing (unfortunately) to do with Safari. Well, directly anyway.

The article also mentions that while the macs were on the LAN only - they couldn’t be hacked. They had to allow the macs to the internet and then to a specifically crafted website. They don’t specify if popups were being blocked etc.

To conclude - I do think this is an issue. But to compare it to the security of windows - PLEASE...
So, don’t enable root - most folks don’t
Don’t use an ‘admin enabled’ account and do backups.
Don’t use Safari! LOL

Configure and use those three things - the average Mac user is still much more secure than Vista/XP. My two cents anyway.


13 posted on 04/21/2007 6:00:58 AM PDT by rlmorel (Liberals: If the Truth would help them, they would use it.)
[ Post Reply | Private Reply | To 7 | View Replies]

To: doc1019
Only thing I can say … welcome to the wonderful world of “hacking” … no OS is immune.

If you live in Bryn Mawr, Pa. you can be murdered, robbed or raped. So those living there are no safer than those living in Camden, N.J. right?

14 posted on 04/21/2007 6:10:19 AM PDT by Tribune7 (A bleeding heart does nothing but ruin the carpet)
[ Post Reply | Private Reply | To 5 | View Replies]

To: rlmorel
Which, if these were windows machines, the machines would have been compromised long ago.

How do you know a fully patched Windows box would have been compromised quicker? Windows Vista so far has a very impressive record when it comes to vulnerabilities, especially when compared to the first 90 days of other operating systems including OSX.

15 posted on 04/21/2007 7:20:38 AM PDT by Golden Eagle
[ Post Reply | Private Reply | To 13 | View Replies]

To: doc1019

My ex does this too. Because he makes a statement, it becomes “true”.
Just like you.


16 posted on 04/21/2007 10:56:01 AM PDT by Shimmer128
[ Post Reply | Private Reply | To 3 | View Replies]

To: Golden Eagle

You were quite right to call me out on that. That was a gratuitous thing to write.

That was simply a lazy thing to write. I have not had a lot of exposure yet to Windows Vista, so in that respect, I was talking out my butt.

Of course, I don’t see anyone in industry tripping over themselves to get it installed onsite, which tells me it must be offering simple incremental increases in security over XP, or they would be jumping on it.


17 posted on 04/21/2007 2:29:17 PM PDT by rlmorel (Liberals: If the Truth would help them, they would use it.)
[ Post Reply | Private Reply | To 15 | View Replies]

To: rlmorel

No problem, correct me anytime if I need it. But it just goes to show that security isn’t the #1 purchasing decision for most users, price and access to what they want is. There are many people that think using the word “password” for their password is actually genius.


18 posted on 04/21/2007 4:52:32 PM PDT by Golden Eagle
[ Post Reply | Private Reply | To 17 | View Replies]

To: Golden Eagle

Agreed, and that was a gracious response.

However, I did delve further into this to find out exactly how the exploit was utilized, and I came across this article. (BTW...I am NOT someone who thinks Macs are immune to viruses, spyware and such. I simply think they are, in general, safer than Windows boxes, especially in the hands of an inexperienced person...) This is a long and biased viewpoint, but I agree with the general truth of what this person says.

******************************************

Nancy Gohring, writing for InfoWorld, delivered a misleading report yesterday on a Mac security exploit contest held at the CanSecWest conference in Vancouver, BC.

In her defense, it appears likely that Gohring did not write the headline for her InfoWorld article, which described the contest winner as being “able to remotely break into a Mac as part of a contest designed to illustrate security flaws in OS X.” That part was simply wrong.

Whoever did write the headline must have been smoking weed in celebration of 4/20, because Gohring’s article clearly described a local exploit. There’s a big difference between the remote exploits that made Windows infamous for its insecurity and a local exploit of an application.

Gohring reported that “contestants were invited to try to access one of two Macs through a wireless access point while the Macs had no programs running. No attackers managed to do so, and so conference organizers allowed participants to try to get in through the browser by sending URLs via e-mail.”

Opening an email URL that exposes a security flaw in Safari is both news to report and a problem for Apple to tackle, but reporting it as a remote exploit is inaccurate, irresponsible, and sloppy journalism, particularly for IDG’s InfoWorld, which purports to be an authority on computing.

Gohring’s Mac Security Myths.
Beyond the glaring error of conflating a remote exploit with something that requires a concerted effort between a user acting locally on the machine and an outside party, Gohring’s article perpetuated a number of myths about Mac security.

Gohring quoted Dragos Ruiu, the principal organizer of the security conference, as saying, “You see a lot of people running OS X saying it’s so secure, and frankly, Microsoft is putting more work into security than Apple has.”

Of course, the reason why Microsoft has been forced to ‘put so much work into security’ is because of the infamous reputation the Windows platform has earned as a security nightmare. Microsoft was entirely blind-sided by the Windows security crisis, and was forced to attack its security problems out of embarrassment.

Microsoft’s Security Embarrassment.
Microsoft originally designed Windows to work in isolated office environments where there were few nefarious threats present. Mac OS X is based on a Unix foundation, which grew a hardened security callus along with development of the Internet. Unix security has been exhaustively researched by experts for decades.

Until just a few years ago, Microsoft shipped every copy of Windows wide open and listening to various ports for local network broadcast traffic. That’s fine if a PC is being deployed as a test server on a chatty LAN Manager network, exchanging files with other PCs via Microsoft’s insecure, proprietary SMB protocol. However, give it access to the Internet and it will be relaying spam in a matter of minutes.

Microsoft’s applications, from its IE browser to Outlook mail, appeared to be designed specifically to accept and spawn malicious viral spores, and famously dragged Windows systems into one massive security crisis after another.

The vast majority of the world’s spam is being distributed by Windows PCs serving as botnets, and Consumer Reports described Windows’ antivirus/malware/spyware mess cleanup as a $9 billion problem.

Mac OS X and Security.
In contrast, there are currently zero real viruses for Mac OS X. It’s not that it is impossible to infect or exploit a Mac, it’s that Apple hasn’t shipped millions of Macs listening wide open for commands to act upon, or shipped a web browser designed to naively run programs like Microsoft’s ActiveX did, or installed an email program designed to automatically run commands that arrive as attachments as Outlook did.

Given Microsoft’s nearly complete lack of regard for security prior to about 2003, it’s more than a little suspicious for a so-called security expert like Ruiu to inflate an obscure local vulnerability in Safari into the scale of the gross incompetence and negligence demonstrated by Microsoft over the previous decade.

It’s also bizarre for Ruiu to backwardly compliment Microsoft for solving some of its own problems while also dragging in a tired allusion to Artie McStrawman, the fanciful character who not only thinks Mac OS X is invulnerable to security issues, but also writes all those angry letters to Dvorak insisting it.

The Mac Minority Malware Myth
Gohring also repeated another myth in stating, “Macs haven’t been targets for hackers and malicious code writers nearly to the degree that Windows machines have historically. That’s in part because there are fewer Macs in use, thus making the potential impact of malicious code smaller than on the more widely used PCs.”

And while it’s true that Macs make up only a small 2% of all the PCs sold worldwide, it’s also true that Macs are commonly more valuable targets regardless of their distribution density. Further, Macs are not evenly distributed around the world.

For example, many schools are full of Macs; if they were easy targets because of wide open security flaws, school populations would see problems with Mac viruses. They do not. There are no real Mac viruses.

In Apple’s target markets of home, education, and pro users in the US, Macs not only make up a significant proportion of the installed base of PCs in actual use, but also sit in affluent households which suggest prime targets. Still, malware and real world exploits are simply not common and virus plagues are nonexistent.

Do Apple’s online Stores—and in particular the iTunes Store—all of which run WebObjects on Mac OS X Server on Xserves, ever suffer from security exploit attempts? Of course they do! We know the iTunes Store is under regular assault, because Apple has to regularly issue various fixes for iTunes.

The idea that Macs are not targets for hacking because there are not enough of them installed is laughable.

The reason why millions of botnet Windows PCs are sending out spam is not because there are so many PCs, but because Windows security has been so bad for so long that all those millions of PCs are easy targets to exploit. Simply plugging in a new PC to the open Internet will result in a rapid remote exploit of the machine within an hour.

For many years there have been millions of home routers running BSD and Linux, and PBXs running OS/2, and they aren’t all virus ridden nightmares that spew spam from every pore. It’s not the quantity of machines that makes exploits easy, it’s the quality of the security on them.

Any security expert who is confused on that subject really needs to inform themselves better. IDG’s InfoWorld is doing the world a disservice to offer up such rubbish information on the subject. Perhaps it should be rebranded as ConjectureWorld.

Corvettes aren’t popular targets for theft because they are ubiquitous but rather because they are valuable. Similarly, if it were easy to remotely exploit Macs, they would offer hackers valuable targets both in environments where Macs are plentiful such as education, as well as sites where Macs are high profile goldmines, such as the iTunes Store servers.

Why Macs Aren’t Sending You Spam
Macs are not magically immune from security issues. The reason there are no viruses and very little malware for the Mac platform is a combination of several factors:

• Apple makes responsible efforts to design security into its products. Microsoft has a proven track record of not taking security seriously over the last decade.

• When it discovers problems, Apple has taken prompt steps to solve the issues. That includes building a simple, automated Software Update system that helps users keep their machines up to date. Microsoft’s update system is annoying and problematic, and tries to trojan in a DRM system with Windows Genuine Advantage.

• Mac OS X’s core software draws from the security experience of the open source community. Windows is closed and proprietary to the core, hiding behind obscurity for its security. Unfortunately, that only makes potential exploits harder to find by security researchers; it does not stop malicious attempts to attack systems.

• Apple has opened the source of potential exploit vectors such as its Bonjour network discovery code, allowing security researchers searching for flaws open access to its mechanisms.

• Mac users have a community that recommends good software. In the Windows world, software comes in a wide range of quality and users are commonly not very selective or informed about what they install.

The real myth that Ruiu’s CanSecWest Mac exploit contest demonstrated to be a fallacy is the idea that elite hackers attack systems for reputation and glory.

Simply offering fame and the new laptops as prizes generated little interest, according to a Security Focus report. It wasn’t until Ruiu arranged to up the ante to $10,000 and lower the security threshold to involve a locally opened URL that the prize was awarded.

Listen up security pundits: hackers aren’t after fame, they’re exploiting security systems for money. As with any business, the easiest route is always to target the low hanging fruit first. In the computing world, that means exploiting PCs running Windows, not because they are common but because they offer an easy exploit for something of value: a way to send spam.


19 posted on 04/22/2007 11:57:34 AM PDT by rlmorel (Liberals: If the Truth would help them, they would use it.)
[ Post Reply | Private Reply | To 18 | View Replies]

To: rlmorel

Thanks, but I don’t agree in total with that article. There are indeed many combined reasons for Apple’s outstanding if not incredible record against viruses, but having a limited number of systems (and users) has definitely helped.


20 posted on 04/23/2007 8:28:34 AM PDT by Golden Eagle
[ Post Reply | Private Reply | To 19 | View Replies]

