Posted on 03/25/2010 10:42:55 AM PDT by ShadowAce
It was another grim day for internet security at the annual Pwn2Own hacker contest Wednesday, with Microsoft's Internet Explorer, Mozilla's Firefox and Apple's Safari and iPhone succumbing to exploits that allowed them to be remotely commandeered.
Like dominoes falling in rapid succession, the platforms were felled in the fourth year of the contest, which has come to underscore the alarming insecurity of most internet-facing software. To qualify for the big-money prizes, the exploits had to attack previously undocumented vulnerabilities to expose sensitive system data or allow the remote execution of malicious code.
The exploits were all the more impressive because they bypassed state-of-the-art security mitigations the software makers have spent years implementing in an attempt to harden their wares. That included DEP, or data execution prevention, and ASLR, or address space layout randomization and in the case of the iPhone, code signing to prevent unauthorized applications from running on the device.
"Code signing by Apple is tough, though I'm not sure if they do it for security or just to lock people into their platform," said Halvar Flake, a security researcher for Germany-based Zynamics. He compromised the iPhone using an exploit written by his colleague Vincenzo Iozzo. University of Luxemburg student Ralf-Philipp Weinmann was also instrumental in developing the attack.
The iPhone's code signing mechanism requires code loaded into memory to carry a valid digital signature before it can be executed. To get around it, the researchers used a technique known as return-oriented programming, which takes pieces of valid code and rearranges them to form the malicious payload.
As a result, the hackers were able to create a website that when visited by the Apple smartphone forced it to spill a copy of its SMS database. The file includes a list of contacts as well as complete copies of messages that have been sent and received. The database also contains deleted messages unless a user has gone through the trouble of manually erasing them.
The hacks came on day one of the contest, which offers a total of $100,000 in prizes and coincides with the CanSecWest conference in Vancouver. It comes three months after criminal hackers pierce the defenses of Google, Adobe and about 33 other large companies using similar vulnerabilities in an older version of IE. The relative ease contestants had in exploiting other platforms suggested that they are susceptible to the same types of attacks when there is the financial incentive to develop them.
DEP and ASLR, which Microsoft began implementing with the release of Service Pack 3 for Windows XP, didn't fare much better. Peter Vreugdenhil, a researcher with Netherlands-based Vreugdenhil Research, was able to hijack a laptop running IE 8 running on Windows 7, a combination widely considered by white hat hackers as among the hardest to compromise.
Unlike previous DEP- and ASLR-busting techniques, Vreugdenhil's exploit didn't use Adobe Flash, or any other third-party software to accomplish the feat. Rather, it relied on an information-disclosure exploit that allowed him to identify the memory location of a core module that was loaded by the Microsoft browser.
"I used that knowledge to create a DEP bypass by reusing code in that module to change the protection," he said a few minutes after causing Windows 7 to spontaneously open a calculator program. "The vulnerability that I found allowed me to lay out the heap exactly as I wanted to, which is not always possible."
A pdf with additional details of the IE 8 exploit is here.
Firefox running on Windows 7 was also smitten. The author of that exploit was Nils, the same hacker who successfully compromised machines running IE, Firefox and Safari at last year's Pwn2Own contest. As was the case then, he asked that his last name not be printed, but this time the 26-year-old said he is the head of research at MWR InfoSecurity, a security consultancy in Basingstoke, UK.
Microsoft researchers, who were present en masse at the contest, are investigating the report and will issue a patch if their findings warrant it, said Pete LePage, a senior product manager for IE. He said Microsoft isn't aware of attacks in the wild that target the vulnerability.
Safari was also part of the spoils, making this the third consecutive year contestant Charlie Miller has compromised the Apple browser. Miller, 36, who is principal security analyst at Independent Security Evaluators, said he came to this year's contest armed with close to 20 working attacks that in virtually every case allow him to seize control of the Mac running the program.
He said he found all of them using the same rudimentary, five-line script written in Python, raising the very legitimate question: If he can find them, why haven't people working on Apple's security team found them, too?
"Tomorrow, I'm going to describe exactly how I found them, so hopefully that means Apple will replicate what I did and they'll find my 20 [bugs] and probably a lot more," Miller said. "Hopefully, they'll keep doing that and improve their mechanisms of finding bugs as opposed to just slapping band-aids every time I send them email about what bug I have."
The iPhone hack fetched $15,000 and the browser exploits were awarded $10,000 each.
The genius of a contest like Pwn2Own is that it exposes the insecurity of software that rarely gets exploited by criminals. Plenty of Linux and Mac fans cite the absence of real-world exploits on those platforms as proof positive that they are inherently safer than the prevailing Microsoft operating system. It's an argument that carried little weight in Vancouver.
"The problem Microsoft has is they have a big market share, said Vreugdenhil, the hacker who attacked IE. "I use Opera, but that's basically because it has a tiny market share and as far as I know, nobody is really interested in creating a drive-by download for opera. The web at the moment is pretty scary, actually." ®
“Safari was also part of the spoils, making this the third consecutive year contestant Charlie Miller has compromised the Apple browser. Miller, 36, who is principal security analyst at Independent Security Evaluators, said he came to this year’s contest armed with close to 20 working attacks that in virtually every case allow him to seize control of the Mac running the program.”
AH HAHAHAHAHAHA!!!!! Where are all of the devout Mac users who say that it is invulnerable????? 20 “holes”?????
The genius of a contest like Pwn2Own is that it exposes the insecurity of software that rarely gets exploited by criminals. Plenty of Linux and Mac fans cite the absence of real-world exploits on those platforms as proof positive that they are inherently safer than the prevailing Microsoft operating system. It's an argument that carried little weight in Vancouver.
"The problem Microsoft has is they have a big market share, said Vreugdenhil, the hacker who attacked IE. "I use Opera, but that's basically because it has a tiny market share and as far as I know, nobody is really interested in creating a drive-by download for opera. The web at the moment is pretty scary, actually."
I don't know. Perhaps you could find us an example of one of those posts by a "devout Mac users who say that it is invulnerable".
No software is invulnerable. Some (OSX/Linux) is more resistant to such attacks than others (MS-Windows).
I did not see indications that any of the hacks displayed here were able to escalate the privilages of the attackers. That makes a big difference as to whether the attack is useful to criminals and those who run botnets. being able to dump some of your personal information is bad enough. Having your computer turn into a zombie is something entirely different.
You must not be around here much. For years that what Mac users claim. If you really want to find them look way way back in my post history.
That's the mac security model. Just keep people from knowing about it and you'll be secure. But many of these guys are white hats where they find holes and then tell the companies about them so they can make the product secure.
“I don’t know. Perhaps you could find us an example of one of those posts by a “devout Mac users who say that it is invulnerable”.”
As for-q-clinton said in post # 26, although you have been a member since ‘98, you mustn’t visit the site very much.
There have been marathon threads about how wonderful Mac is and Microsoft Windows is trash. :-)
All of the rest that you have said is true. I know this because I have been in the computer business since 1962. :-)
Please post an example of one of those posts by a “devout Mac users who say that it is invulnerable”.”
I thought that was fairly specific. You made the claim, I asked for proof of same. You respond with generalities. Try again.
Sure. Feel free to post any comments as I said in my original post
I don't know. Perhaps you could find us an example of one of those posts by a "devout Mac users who say that it is invulnerable".
Surely if it's as common as you think, you should be able to find lots of them.
If you think that I am going to back track over years of posts to give you one example you are very sadly mistaken.
I believe I played this game with you once before (but I may be mistaken and it may have been a different Mac zealot).
But I did provide a post and the response was well he was wrong or he isn’t really a Mac zealot and was just someone who didn’t know what he was talking about.
So instead of wasting my time proving my point again...let’s just cut to the case and pretend you saw such a post. What would your response be? Give me your response then I will see if it’s worth proving my point.
Thought so.
If it were as common as you were claiming, it'd take you 5 minutes.
You lose.
As I said in an earlier post on this very thread - No software is invulnerable. Some (OSX/Linux) is more resistant to such attacks than others (MS-Windows).
The sad thing is, you guys have to invent some mythical "all Macs are invulnerable" straw man to make the same point. I'm merely asking you to put up or shut up. This claim is repeated on almost every thread, along with the insults against both Linux and Mac users.
I suppose, though, it makes sense that someone who is a strong proponent of MS-Windows would be defensive, what with thousands of known and active threats to their operating system of choice.
As I've said before on other threads here, I don't even own a Mac. My MIL recently bought a Mac Mini so I guess I'll probably be able to beat off the keyboard someday to get some time to play with it. I just get tired of the insults and strawmen thrown at fellow freepers just because they choose something different that works well for them.
I don’t lose anything. You have three years seniority on me on FR and know how to use the search engine. USE IT! I’m not going to do your legwork for you. :-)
Sorry, you still lose. You’re the one who made the claim, not me. If you can’t search by now, perhaps you really shouldn’t be posting here. :-)
So you’re going with the...even if you find it the guy doesn’t know what he’s saying. Although earlier you said no such idiot exists.
Ahhh...I see you can’t lose with that type of “logic”. Plus all this proves is that since OS X has such a small user base the OS isn’t attacked as much as it would be if it was #1 by a huge margin.
How utterly predictable y’all are.
Well here’s a thread. And there are many more:
http://www.freerepublic.com/focus/f-chat/2352669/posts
But you already gave me your answer..that guy wasn’t a knowledgable mac zealot so he doesn’t count. Just like the known vulnerabilities don’t count until someone in the wild uses it to exploit a system with no user interaction and it must be a well maintained system with all patches applied and only plugged into the network when needing networked resources and the moon must not be full and Steve Jobs must be healthy. But once you find that then it will count.
Yes, I made a claim. Isn’t it wonderful that we live in a country where you get to read something, form an opinion and reach a conclusion.
You can then decide whether or not that person is telling the truth or lying. I don’t care at all as to whether or not you believe me.
Besides, I didn’t post to you. I posted to the person who started the thread. Therefore, I wasn’t obligated to answer you and I certainly am not going to do your searching for you.
Only democrats want everything to be handed to them and to be spoon-fed. Are you a democrat? :-)
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.