CanSecWest’s $10,000 ‘Hack a Mac’ challenge relaxes barriers, finds exploitable hole in Safari

After two Apple MacBook Pros survived the first day of CanSecWest’s ‘PWN to OWN’ contest that dared hackers to take control of default Mac OS X installations, CanSecWest earlier today lowered the barriers as planned since “there has not been a successful attack.” Both MacBook Pros were connected to a wireless router and had all security updates installed, but no additional security software or settings. The contest’s relaxed second-day rules allowed attackers to place exploit code online and launch drive-by exploits against the Mac’s built-in Safari browser.

“Time to expand your attack surface,” CanSecWest’s contest organizers stated. Hackers were invited to email links to organizers who would then visit the hackers’ exploit attempts from the target machines using Safari.

Two hours and 24 minutes later, CanSecWest reported, “One OSX box has been owned! At this point all we can say is there is an exploitable flaw in Safari which can be triggered within a malicious web page. Of course all of the latest security patches have been applied. This one is 0day folks. Technical details will be forthcoming as the winner works out the release. There is still one more Mac to go. (the same flaw cannot be used again, but other Safari bugs are allowed).”

“Just to review the rules, the first box required a flaw that allows the attacker to get a shell with user level privilages [sic]. The second box, still up for grabs, requires the same, plus the attacker needs to get root,” CanSecWest reported.

Full article here.

Joris Evers reports for CNET News, “Shane Macaulay just got himself a free MacBook [Pro]. Macaulay, a software engineer, was able to hack into a MacBook through a zero-day security hole in Apple’s Safari browser… The successful attack on the second and final day of the contest required participants to surf to a malicious Web site using Safari–a type of attack familiar to Windows users. CanSecWest organizers relaxed the rules Friday after nobody at the event had breached either of the Macs on the previous day.”

Evers reports, “Macaulay teamed with Dino Dai Zovi, a security researcher until recently with Matasano Security. Dai Zovi, who has previously been credited by Apple for finding flaws in Mac software, found the Safari vulnerability and wrote the exploit overnight in about 9 hours, he said. ‘The vulnerability and the exploit are mine,’ Dai Zovi said. ‘Shane is my man on the ground.’”

“Dai Zovi plans to apply for a $10,000 bug bounty TippingPoint announced on Thursday if a previously unknown Apple bug was used. ‘Shane can have the laptop, I want the money,’ Dai Zovi said in a telephone interview from New York,” Evers reports.

Evers reports, “Apple spokeswoman Lynn Fox declined to comment on the MacBook hack specifically, but provided Apple’s standard security comment: ‘Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users.’”

Full article here.

“The URL opened a blank page but exposed a vulnerability in input handling in Safari, Comeau said. An attacker could use the vulnerability in a number of ways, but Dai Zovi used it to open a back door that gave him access to anything on the computer, Comeau said,” Nancy Gohring reports for IDG News Service. “The vulnerability won’t be published. 3Com’s TippingPoint division, which put up the cash prize, will handle disclosing it to Apple.”

“‘Currently, every copy of OS X out there now is vulnerable to this,’ said Sean Comeau, one of the organizers of CanSecWest,” Gohring reports.

Full article here.

MacDailyNews Take: Our headline is accurate. Some of the articles to which we’ve linked above have sensationalist headlines and/or contain the usual “Security via Obscurity” myth. As we’ve seen recently, a proof-of-concept piece of malware exists for a handful of iPods running Linux. Now, that’s real obscurity. Obviously, 22 million Mac OS X installs are not “obscure.” We expect other articles to incorrectly headline and/or incorrectly report on this story. Prepare for a deluge of FUD, as the thirst in some quarters for Mac OS X to be “hacked” is insatiable.

The bottom line: Apple’s Safari web browser has a hole (not the first and probably not the last, by the way) that will not be published and will be disclosed to Apple to fix. That is the extent of this story as it currently stands.

Presumably, if you use browsers other than Safari (Firefox, for one example) on your Mac or don’t visit Dai Zovi’s particular web page with Safari, you’re invulnerable to this exploit.

We would expect Apple to issue an update for Safari to close this hole ASAP. CanSecWest’s contest has helped to make Safari more secure.

Reminder: Apple’s Mac OS X Security Configuration Version 10.4 Tiger or Later Second Edition (PDF) provides an overview of features in Mac OS X that can be used to enhance security. It is available here.

Related articles:
Apple MacBooks hold strong, remain unhacked after first day of $10,000 ‘Hack a Mac’ challenge – April 20, 2007
CanSecWest sweetens ‘Hack a Mac’ contest pot to $10,000 – April 20, 2007
CanSecWest to hold ‘PWN to OWN’ contest: pits Apple MacBook Pros vs. hackers – March 26, 2007
Microsoft’s oft-delayed, much-pared-down Windows Vista hacked at Black Hat – August 07, 2006
Microsoft publicity stunt asks hackers to attack Windows Vista – August 04, 2006
Apple Mac remains ‘unhacked’ as University of Wisconsin’s Mac OS X Security Challenge ends – March 08, 2006
Mac OS X ‘unhacked’ over 24 hours and counting in genuine security challenge – March 07, 2006

176 Comments

  1. They should run contests like this more often. It proves that Macs are completely secure. The only way this exploit could be used is through a phishing email to get you to go to a bad website. The more holes Apple plugs the better it will be for everyone, and these contests certainly bring out the exploits.

  2. “Relaxing barriers” or “lowering the bar” is not an excuse.

    Most Mac users use Safari and it’s used more often on the dangerous internet than any other program.

    Apple needs to rethink and develop a sandbox environment for internet based apps to run in.

    Also they need to demand developers treat the admin password with utmost security respect and quit demanding it for marketing code installs, “hooks” and fixes for shoddy coding practices.

    95% of exploits are application exploits, Mac OS X “hacks” enable these app exploits to gain much more power than they would normally have.

    Apple needs to also address EFI’s lack of security and normal user control and privacy issues.

    I would like to hear of some fantastic security changes in the next version of Mac OS X because we are rapidly traveling down the road Windows took security wise.

    I’ve already withheld any new Mac purchase until 6 months after 10.5’s release. If the security issue doesn’t improve and remain reliable by then, I’m not buying.

    I refuse to become like a Windows security sufferer.

  3. Just putting here what I posted elsewhere on MDN tonight.

    It’s 5.25am in the morning in Ireland (& yes tonight, it’s sad, I’ve nothing better to do!)

    I came across this story, which we on the MDN forums were following earlier today.
    The majority of us were right in our assumptions about the “Hack a Mac” competition!

    I sent the following to MDN:

    Dear MDN,

    I don’t often swear, but please read this fu*kin crap:

    Link:
    http://www.macworld.com/news/2007/04/20/hacker/index.php

    Just as we all predicted on MDN! & after CanSecWest stated:

    “On the second day, the barrier will be lowered a bit and the attackers will be allowed to put exploit code on a special wiki and launch drive-by exploits on the Mac’s built-in Safari browser.

    “the barrier will be lowered”

    Of course the above is not stated in the released statement, as we all knew would be the case!

    FUD, FUD & again I say FUD!!

    “According to the security blog Matasano Chargen, Shane Macaulay and Dino Dai Zovi won the contest by gaining shell access to a Mac by pointing the Mac’s Safari browser at a specially-constructed Web page.”

    “You see a lot of people running OS X saying it’s so secure and frankly Microsoft is putting more work into security than Apple has,” said Dragos Ruiu, the principal organizer of security conferences including CanSecWest.

    !!!!

    If you’re going to exploit OS X, do it for real & don’t lower the barrier. Then I will listen.

    From,
    A not surprised, but really annoyed,

    Another Irish Dude

    PS: Link
    http://www.matasano.com/log/806/hot-off-the-matasano-sms-queue-cansec-macbook-challenge-won/

    Quote:
    More details as they become available. In the meantime, a drinking game: predict the rationalizations given by Mac zealots for why this finding “doesn’t count”.

    I’ll start: “It took $10,000 to break a Mac, but people break Windows machines for free every day!”

    PPS,
    An exploit in Safari, yes, but I fail to see how you can claim that a MacBook has been hijacked (the original term in the rules of “Hack a Mac”) when you had to lower the barrier.

  4. Whatever. Your brother-in-law has probably cleaned out numerous viruses and spyware over the last number of years, whereas I’m STILL running without any anti-anything software since 10.1. He can laugh all he wants but it is irrelevant.

  5. > I wonder why this hole wasn’t exploited before. Security via obscurity seems to be the true explanation, whatever some Apple users say.

    It’s not a virus. It doesn’t self-replicate and infect other Macs (it doesn’t even infect the target Mac). The user would have to be “lured” into visiting the malicious web site, and the end result is that the hacker has some user-level access to the target Mac, not root-level access. Can’t do too much with the exploit; a lot of effort for not much “profit.” It’s not security via obscurity, but security via Internet Explorer and Windows being much easier and more profitable targets.

    If that other MacBook gets “owned” (root-level access), now that would be something…

  6. Exactly. Apple has a better track record because its security is better. Sure, if you turn it off and run special attacks against it, you’re bound to find something.

    Drive through any well-to-do neighborhood. Most of those houses don’t get robbed due to alarm systems and the like. However, I guarantee there are some in those neighborhoods that still get hit because they are smug and think they can leave their car doors unlocked. Same thing. Regardless of how good things seem, keep your security on at all times.
