CanSecWest’s $10,000 ‘Hack a Mac’ challenge relaxes barriers, finds exploitable hole in Safari

After two Apple MacBook Pros survived the first day of CanSecWest’s ‘PWN to OWN’ contest that dared hackers to take control of default Mac OS X installations, CanSecWest earlier today lowered the barriers as planned since “there has not been a successful attack.” Both MacBook Pros were connected to a wireless router with all security updates installed, but without additional security software or settings. The contest’s relaxed second-day rules allowed attackers to place exploit code online and launch drive-by exploits on the Mac’s built-in Safari browser.

“Time to expand your attack surface,” CanSecWest’s contest organizers stated. Hackers were invited to email links to organizers who would then visit the hackers’ exploit attempts from the target machines using Safari.

Two hours and 24 minutes later, CanSecWest reported, “One OSX box has been owned! At this point all we can say is there is an exploitable flaw in Safari which can be triggered within a malicious web page. Of course all of the latest security patches have been applied. This one is 0day folks. Technical details will be forthcoming as the winner works out the release. There is still one more Mac to go. (the same flaw cannot be used again, but other Safari bugs are allowed).”

“Just to review the rules, the first box required a flaw that allows the attacker to get a shell with user level privilages [sic]. The second box, still up for grabs, requires the same, plus the attacker needs to get root,” CanSecWest reported.

Full article here.

Joris Evers reports for CNET News, “Shane Macaulay just got himself a free MacBook [Pro]. Macaulay, a software engineer, was able to hack into a MacBook through a zero-day security hole in Apple’s Safari browser… The successful attack on the second and final day of the contest required participants to surf to a malicious Web site using Safari–a type of attack familiar to Windows users. CanSecWest organizers relaxed the rules Friday after nobody at the event had breached either of the Macs on the previous day.”

Evers reports, “Macaulay teamed with Dino Dai Zovi, a security researcher until recently with Matasano Security. Dai Zovi, who has previously been credited by Apple for finding flaws in Mac software, found the Safari vulnerability and wrote the exploit overnight in about 9 hours, he said. ‘The vulnerability and the exploit are mine,’ Dai Zovi said. ‘Shane is my man on the ground.’

“Dai Zovi plans to apply for a $10,000 bug bounty TippingPoint announced on Thursday if a previously unknown Apple bug was used. ‘Shane can have the laptop, I want the money,’ Dai Zovi said in a telephone interview from New York,” Evers reports.

Evers reports, “Apple spokeswoman Lynn Fox declined to comment on the MacBook hack specifically, but provided Apple’s standard security comment: ‘Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users.’”

Full article here.

“The URL opened a blank page but exposed a vulnerability in input handling in Safari, Comeau said. An attacker could use the vulnerability in a number of ways, but Dai Zovi used it to open a back door that gave him access to anything on the computer, Comeau said,” Nancy Gohring reports for IDG News Service. “The vulnerability won’t be published. 3Com’s TippingPoint division, which put up the cash prize, will handle disclosing it to Apple.”

“‘Currently, every copy of OS X out there now is vulnerable to this,’ said Sean Comeau, one of the organizers of CanSecWest,” Gohring reports.

Full article here.

MacDailyNews Take: Our headline is accurate. Some of the articles to which we’ve linked above have sensationalist headlines and/or contain the usual “Security via Obscurity” myth. As we’ve seen recently, a proof-of-concept piece of malware exists for a handful of iPods running Linux. Now, that’s real obscurity. Obviously, 22 million Mac OS X installs are not “obscure.” We expect other articles to incorrectly headline and/or incorrectly report on this story. Prepare for a deluge of FUD, as the thirst in some quarters for Mac OS X to be “hacked” is insatiable.

The bottom line: Apple’s Safari web browser has a hole (not the first and probably not the last, by the way) that will not be published and will be disclosed to Apple to fix. That is the extent of this story as it currently stands.

Presumably, if you use browsers other than Safari (Firefox, for one example) on your Mac or don’t visit Dai Zovi’s particular web page with Safari, you’re invulnerable to this exploit.

We would expect Apple to issue an update for Safari to close this hole ASAP. CanSecWest’s contest has helped to make Safari more secure.

Reminder: Apple’s Mac OS X Security Configuration Version 10.4 Tiger or Later Second Edition (PDF) provides an overview of features in Mac OS X that can be used to enhance security. It is available here.


176 Comments

  1. They should run contests like this more often. It proves that Macs are completely secure. The only way this exploit could be used is through a phishing email to get you to go to a bad website. The more holes Apple plugs the better it will be for everyone, and these contests certainly bring out the exploits.

  2. “Relaxing barriers” or “lowering the bar” is not an excuse.

    Most Mac users use Safari and it’s used more often on the dangerous internet than any other program.

    Apple needs to rethink and develop a sandbox environment for internet based apps to run in.

    Also they need to demand developers treat the admin password with utmost security respect and quit demanding it for marketing code installs, “hooks” and fixes for shoddy coding practices.

    95% of exploits are application exploits, Mac OS X “hacks” enable these app exploits to gain much more power than they would normally have.

    Apple needs to also address EFI’s lack of security and normal user control and privacy issues.

    I would like to hear of some fantastic security changes in the next version of Mac OS X because we are rapidly traveling down the road Windows took security-wise.

    I’ve already withheld any new Mac purchase until 6 months after 10.5’s release. If the security issue doesn’t improve and remain reliable by then, I’m not buying.

    I refuse to become like a Windows security sufferer.
