Posted on 12/17/2010 12:55:29 PM PST by Swordmaker
Despite what you may have heard, Apple products are not immune to viruses and other computer attacks. In 2007 an annual computer security conference called CanSecWest sought to prove this point by hosting a hacking contest called Pwn2Own. They offered $10,000 plus the MacBook being used to anyone who could successfully break into the brand new, fully patched MacBook running Tiger. (The name Pwn2Own comes from the hacker word "Pwn" which means to take over a computer, so you Pwn the computer to own the computer). Any vulnerabilities used in the contest would have to be given to the organizers who would then give the information to the vendor, in this case Apple.
Researcher Dino Dai Zovi managed to win this contest by exploiting a flaw in QuickTime that was reachable through the Safari web browser. The victim merely had to surf to the malicious web page and Dai Zovi was able to take control of the victim machine and run any commands he wanted. In real life, this would have allowed him to read the victim's email, watch the victim log into their banking site, send spam, perform attacks against other computers, etc.
In 2008, the contest returned and while still offering up $10,000 and the victimized laptop to the winner, included three targets: a MacBook Air running Leopard, as well as laptops running Windows Vista and Ubuntu Linux. That year, I won by exploiting a Safari browser vulnerability. Again, by getting the victim to visit a malicious site I was able to take over their computer and do whatever I want. The victim would have no idea that anything had gone wrong. Apple enthusiasts who felt that the 2007 contest was a fluke were starting to see that their Macs were just as vulnerable as Windows computers. For the record, researchers Alex Sotirov and Shane Macaulay took out the Vista laptop while the Linux laptop remained untouched.
Things were changed again for the 2009 Pwn2Own contest. In 2009, the prize for browser exploits was reduced to $5000, but new targets were provided, smartphones. $10,000 (and the phone) would be given to any researchers who could hack into one of the smartphones which included BlackBerrys, Android, Symbian, Windows Mobile, and of course iPhones. As in 2008, I managed to exploit the computer running Safari, this time an up-to-date Leopard install on a MacBook Pro. A previously unknown researcher named Nils pulled off a trifecta and exploited both Safari and Firefox running on Mac OS X, as well as Internet Explorer 8 running on Windows Vista. No one managed to successfully attack the smartphones, but that would change this year.
This year the contest was back and featured $10,000 for browser exploits and $15,000 for smartphone exploits. I won another MacBook Pro (yes, I have a pile of computers sitting in the corner of my office) and the prize money for exploiting Safari, this time against a laptop running Snow Leopard. Nils was back and exploited Firefox running on Windows 7. A researcher named Peter Vreugdenhil exploited Internet Explorer 8 running on Windows 7. The only browser that wasn't defeated was Chrome. On the smartphone side of the competition, Vincenzo Iozzo and Ralf Philipp Weinmann succeeded in exploiting the iPhone. This was an iPhone right out of the box, not jailbroken. They used a vulnerability in the MobileSafari web browser in order to steal the SMS text messages stored on the device, although they could have performed a number of different actions.
The Pwn2Own contest provides a venue for top researchers to showcase their skills as well as provides free research for vendors who can patch critical vulnerabilities in their software. It also provides some insight into the relative security of different browsers and operating systems. While Mac OS X has led a charmed life from a security perspective, it should be clear that it is not because it is fundamentally more secure than its competitors, as proved in it being exploited each of the last four years. Rather, its relative obscurity has protected it from wide scale attack.
This leads to the main conclusion regarding Mac OS X security: it is safer but not any more secure than Windows.
Charlie Miller is Principal Analyst at Independent Security Evaluators, a Baltimore based computer security consulting company. http://securityevaluators.com
The question still needs to be asked of Miller and the others who claim the Security by Obscurity canard: if 55 million OSX Macs and 110 million iOS devices aren't enough to attract malware authors to the platform, when malware writers were attracted to the 12,000 BlackIce protected Windows computers when they wrote the Witty Worm in 2006, just how many will it take??? When WILL the malware writers be attracted to the millions of Macs sitting out there running bare naked without anti-virus of any kind, sitting ducks, just waiting to be fleeced? When???
In addition, Apple has closed the vulnerabilities that Miller used in these contests. It was revealed, however, in the 2010 contest, that Miller's team discovered in their 2009 research a second flaw which they did not reveal to Apple for correction, apparently choosing instead to hold on to it for use in the following year's contest. Some say that was an unethical decision, that professionals have a duty to report such findings.
I think backdoors are left in these apps on purpose. Making a backdoor look like sloppy coding has become an art itself.
MS had to stop bulking up its systems so much because of competition from Apple and Linux. It would be nice if similar competition stopped the backdoors.
The worst backdoor is having USB keys automatically run executables. How can I ever trust a company that does these things?
I won't call FUD on this article because it's mostly accurate. Good read.
If you want on or off the Mac Ping List, Freepmail me.
Having just suffered a fatal virus crash on my PC, I am loath to wish ill on anybody.
But it sure would be schadenfreude to see a “Wipe the smug grin off your face” virus shake up the Mac community.
Just sayin’.
That's the way the Iranian nuclear bomb program was derailed: a virus was spread on USB Flash drives that only infected specific nuclear engineering software for Windows computers with specific Arabic tags! So, in this instance I'm kind of glad that capability WAS there... It set back their nuclear program by at least two years I understand!
Incidentally, my understanding is that does not happen on Macs. Shhhh. Don't tell anyone.
In addition, Apple has closed the vulnerabilities that Miller used in these contests. It was revealed, however, in the 2010 contest, that Miller's team discovered in their 2009 research a second flaw which they did not reveal to Apple for correction, apparently choosing instead to hold on to it for use in the following year's contest. Some say that was an unethical decision, that professionals have a duty to report such findings.
They would be wrong based on the conditions of the challenge.
Yeah - I appreciate that, and so did everyone else. It was totally cool, but it’s a one-use trick on the international level, because everyone is wise to it now.
In the meantime, all the poor saps have been getting infected with every possible virus and will continue to do so, creating massive botnets that spam and commit financial fraud for their owners, so I have to do cartwheels just to get my bank balance
We are still waiting for the first viable OSX virus to be seen in the wild. Counting OSX Server, which was released in early 1999, we are going on 12 years and counting without one single self-replicating, self-installing, self-transmitting, self-starting malware in the wild for OSX!
There have been some candidates seen in the labs but they all failed. In those twelve years we've picked up a total of 17 known Trojan horse programs in four distinct families, all of which OSX itself will warn you about on attempted download, attempted install, or at attempted first run. It takes a particularly clueless user to ignore all those warnings to proceed with the installation of a malicious Trojan. About the ONLY time a Mac user would be at risk would be a careless user downloading from an untrusted site on the day a zero day NEW FAMILY TROJAN came out that would not yet be in OSX's database... But then, being a zero-day, it most likely would NOT be in any other anti-virus vendor's database either.
I'm just gonna lurk on this one, having only very little time tonight. But know that I'm with you on this.
It's unfortunate that anti-Apple people think that somehow the existence of a human-engineered trojan, or a local-access scripted exploit, somehow invalidates the Mac's claim to being a safer and more secure computing environment.
Of course nothing is perfect. Of course all software has flaws. Of course Mac OS-X has vulnerabilities. Big freakin' DUH. Point is, are they successfully exploited in the wild, with real users?
I'm waiting for the flood of Mac-specific viruses, now that Charlie Miller has talked about how it's no more secure than Windows.
[...crickets...]
Have a good time with this one, once the Apple-haters join up... :)
I'd rather see MSFT put out a really great program and end its dream of creating an eternal monopoly.
The market now exists, but compensation has been terrible.
From the linked article, printed last July:
"Google has paid out $14,846 for 21 reported vulnerabilities since January."
Calling that "chump change" is an insult to chumps. While Google and Mozilla have increased their payout to about $3000 per exploit, that is still very low.
I bet the black market in exploits is flourishing.
And we're supposed to believe that there aren't L33T HaX0Rz who feel the same way? That alone makes "security through obscurity" implausible.