Gone in 2 minutes: Mac gets hacked first in contest (website-based exploit)

MacWorld ^ | 3/27/08 | Robert McMillan

[Yossarian]

Gone in 2 minutes: Mac gets hacked first in contest

by Robert McMillan

It may be the quickest US$10,000 Charlie Miller ever earned.

He took the first of three laptop computers -- and a $10,000 cash prize -- Thursday after breaking into a MacBook Air at the CanSecWest security conference's PWN 2 OWN hacking contest.

Show organizers offered a Sony Vaio, Fujitsu U810 and the MacBook as prizes, saying that they could be won by anybody at the show who could find a way to hack into each of them and read the contents of a file on the system, using a previously undisclosed "0day" attack.

Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but on Thursday the rules were relaxed so that attackers could direct contest organizers using the computers to do things like visit Web sites or open e-mail messages.

Miller, best known as one of the researchers who first hacked Apple's iPhone last year, didn't take much time. Within 2 minutes, he directed the contest's organizers to visit a Web site that contained his exploit code, which then allowed him to seize control of the computer, as about 20 onlookers cheered him on.

He was the first contestant to attempt an attack on any of the systems.

Miller was quickly given a nondisclosure agreement to sign and he's not allowed to discuss particulars of his bug until the contest's sponsor, TippingPoint, can notify the vendor.

Contest rules state that Miller could only take advantage of software that was preinstalled on the Mac, so the flaw he exploited must have been accessible, or possibly inside, Apple's Safari browser.

Last year's contest winner, Dino Dai Zovi, exploited a vulnerability in QuickTime to take home the prize.

[Yossarian]

Well, I hate to be the bearer of bad news to the Mac crew - but it seems there's yet another vulnerability Apple has to patch ASAP to our favorite OS.

One thing to remember: The victim has to visit a website for it to work. Perhaps it would be wiser to use Firefox until Apple comes out with a Safari patch - that's no guarantee of security, but at least it takes out one possible vector for the attack.

[Yossarian]

Mac ping, please!

[CarrotAndStick]

The Fujitsu U810 is one neat, portable computer/ tablet PC.

[johna61]

Guess the cyber alqueda is out there and needs to go to Camp Gitmo with the other scum too.

[aruanan]

Well, I hate to be the bearer of bad news to the Mac crew - but it seems there's yet another vulnerability Apple has to patch ASAP to our favorite O

"...the rules were relaxed so that attackers could direct contest organizers using the computers to do things like visit Web sites or open e-mail messages."

I'll remember that the next time a hacker directs me on what to do and when to do it on my computer.

[Yossarian]

Guess the cyber alqueda is out there and needs to go to Camp Gitmo with the other scum too.

Well, just to be crystal clear, Mr. Miller is a good guy - doing "white hat" hacking. He signed a non-disclosure agreement, and the OS vendors - in this case, Apple - will be notified of the security hole.

Thanks to guys like Charlie Miller, we have a much safer computing environment - (white) hats off to them!

[Yossarian]

I'll remember that the next time a hacker directs me on what to do and when to do it on my computer.

Visiting a website - if that's all it is - isn't much of a difficult social exploit.

[Bloody Sam Roberts]

I'll remember that the next time a hacker directs me on what to do and when to do it on my computer.

But there are tons of people who won't when they get a link in an email and think, "Hey, I'm using a Mac. I'm bulletproof" right before they click it.

[aruanan]

But there are tons of people who won't when they get a link in an email and think, "Hey, I'm using a Mac. I'm bulletproof" right before they click it.

Remember, though, this was done by someone who directed what was being used, when it was used, and knew where it was being used. But good for him in finding the problem. In anything that complex, there are bound to be unexpected connections that can be exploited in unexpected ways. The funny thing is, though, that some folks seem to believe the advent of the few and far between instances is but a harbinger of a flood of attacks that will render the Mac OS as Swiss cheesed as Windows.

[tacticalogic]

The funny thing is, though, that some folks seem to believe the advent of the few and far between instances is but a harbinger of a flood of attacks that will render the Mac OS as Swiss cheesed as Windows.

Do you think the constant littany of claims that an Windows OS is full of holes, and MACS aren't had anything to do with the obvious complacency that let this happen?

[hamboy]

It must be some Microsoft-paid show, a super tweaked Windows OS versus a OS X with no user password, vulnerable services all opened! Long time ago was a super tweaked NT versus an unpatched Linux.

[aruanan]

Do you think the constant littany of claims that an Windows OS is full of holes, and MACS aren't had anything to do with the obvious complacency that let this happen?

Ha ha ha. Complacency?

[tacticalogic]

All three computers were tested under the same rules, and the MAC went down. And it went down first. Whatever they did to compromise that machine is apparenly known, and the production OS is vulnerable.

Whatever "holes" are in the Windows OS, it doesn't fix what's wrong with that MAC OS. As long as the idea persists that simply complaining that Windows is worse is the way to address it, it's going to stay broken.

[Swordmaker]

The Mac falls first in Hacking contest of OS X, Linux, and Vista... but only after the rules were relaxed and a file was downloaded from a website and executed. Note also that the rules allowed the hackers to use anything already installed on the computers - and the contest operators installed a package of "typical" third party applications on each. At this point it is unknown what vulnerability was used to breach the Mac... OS X or third party... as the contest requires the successful hacker to sign a non-disclosure contract until the vendor of the vulnerable software/hardware has a chance to fix it.

Mac hacked Ping!

If you want on or off the Mac Ping List, Freepmail me.

[Swordmaker]

. . . in this case, Apple - will be notified of the security hole.

Not necessarily. In this year's contest, the computers being targeted were not just out-of-the-box fresh start-ups. The operators of the contest installed a selected set of "typical" applications for each OS. Contestants were permitted to use any installed software to accomplish their attacks.

Last year, the Mac was breached in the same manner... requiring a referee to navigate the Mac using Safari to a prepared website and download a specific file. That was a fresh install of only Apple supplied applications and the vulnerability that allowed the exploit was actually in Java, accessed through Quicktime.

This year, the same directions resulted in a similar result... but we do not yet know what apps were installed or required by the hacker to be used. Therefore, both Apple and possible third party vendors may be notified.

It strikes me that Firefox may have been included in the "typical" software installation. That doesn't mean that it wasn't a purely OS X vulnerability.

As last year, Root was not achieved. The successful hacker only breached a user account.

My hat is off to Mr. Miller as well.

[Richard Kimball]

I’ve visited several web sites that tried to download software on my mac, but it always pops up and tells me it’s an executable. Do you know if the exploit was exploited by directing the user to override an execute command, or did just visiting the web site allow the code to download and execute?

[antiRepublicrat]

Given that he’s a long-time Apple hacker and the speed of which he did it, he already knew about the flaw and had the code ready to exploit it.

[vox_freedom]

stunt:

noun
an action displaying spectacular skill and daring.
• something unusual done to attract attention

[null and void]

Maybe. I didn’t see anything, beyond speculation, that said it was a Safari problem.

It might be in the OS itself.

[Gone_Postal]

I have a mac mini and love it...I just hate Safari...I use Firefox and it works great...