CanSecWest’s $10,000 ‘Hack a Mac’ challenge relaxes barriers, finds exploitable hole in Safari

After two Apple MacBook Pros survived the first day of CanSecWest’s ‘PWN to OWN’ contest, which dared hackers to take control of default Mac OS X installations, CanSecWest earlier today lowered the barriers as planned since “there has not been a successful attack.” Both MacBook Pros were connected to a wireless router with all security updates installed, but without additional security software or settings. The contest’s relaxed second-day rules allowed attackers to place exploit code online and launch drive-by exploits against the Mac’s built-in Safari browser.

“Time to expand your attack surface,” CanSecWest’s contest organizers stated. Hackers were invited to email links to organizers who would then visit the hackers’ exploit attempts from the target machines using Safari.

Two hours and 24 minutes later, CanSecWest reported, “One OSX box has been owned! At this point all we can say is there is an exploitable flaw in Safari which can be triggered within a malicious web page. Of course all of the latest security patches have been applied. This one is 0day folks. Technical details will be forthcoming as the winner works out the release. There is still one more Mac to go. (the same flaw cannot be used again, but other Safari bugs are allowed).”

“Just to review the rules, the first box required a flaw that allows the attacker to get a shell with user level privilages [sic]. The second box, still up for grabs, requires the same, plus the attacker needs to get root,” CanSecWest reported.


Joris Evers reports for CNET News, “Shane Macaulay just got himself a free MacBook [Pro]. Macaulay, a software engineer, was able to hack into a MacBook through a zero-day security hole in Apple’s Safari browser… The successful attack on the second and final day of the contest required participants to surf to a malicious Web site using Safari–a type of attack familiar to Windows users. CanSecWest organizers relaxed the rules Friday after nobody at the event had breached either of the Macs on the previous day.”

Evers reports, “Macaulay teamed with Dino Dai Zovi, a security researcher until recently with Matasano Security. Dai Zovi, who has previously been credited by Apple for finding flaws in Mac software, found the Safari vulnerability and wrote the exploit overnight in about 9 hours, he said. ‘The vulnerability and the exploit are mine,’ Dai Zovi said. ‘Shane is my man on the ground.’

“Dai Zovi plans to apply for a $10,000 bug bounty TippingPoint announced on Thursday if a previously unknown Apple bug was used. ‘Shane can have the laptop, I want the money,’ Dai Zovi said in a telephone interview from New York,” Evers reports.

Evers reports, “Apple spokeswoman Lynn Fox declined to comment on the MacBook hack specifically, but provided Apple’s standard security comment: ‘Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users.'”


“The URL opened a blank page but exposed a vulnerability in input handling in Safari, Comeau said. An attacker could use the vulnerability in a number of ways, but Dai Zovi used it to open a back door that gave him access to anything on the computer, Comeau said,” Nancy Gohring reports for IDG News Service. “The vulnerability won’t be published. 3Com’s TippingPoint division, which put up the cash prize, will handle disclosing it to Apple.”

“‘Currently, every copy of OS X out there now is vulnerable to this,’ said Sean Comeau, one of the organizers of CanSecWest,” Gohring reports.


MacDailyNews Take: Our headline is accurate. Some of the articles to which we’ve linked above have sensationalist headlines and/or contain the usual “Security via Obscurity” myth. As we’ve seen recently, a proof-of-concept piece of malware exists for a handful of iPods running Linux. Now, that’s real obscurity. Obviously, 22 million Mac OS X installs are not “obscure.” We expect other articles to incorrectly headline and/or incorrectly report on this story. Prepare for a deluge of FUD, as the thirst in some quarters for Mac OS X to be “hacked” is insatiable.

The bottom line: Apple’s Safari web browser has a hole (not the first and probably not the last, by the way) that will not be published and will be disclosed to Apple to fix. That is the extent of this story as it currently stands.

Presumably, if you use a browser other than Safari (Firefox, for one example) on your Mac, or don’t visit Dai Zovi’s particular web page with Safari, you are not exposed to this exploit as it was demonstrated. That is a narrower statement than “invulnerable”: the flaw is triggered by a malicious web page, so until Apple ships a fix any page could in principle carry a similar trigger, which is exactly why the details are being withheld.

We would expect Apple to issue an update for Safari to close this hole ASAP. CanSecWest’s contest has helped to make Safari more secure.

Reminder: Apple’s Mac OS X Security Configuration Version 10.4 Tiger or Later Second Edition (PDF) provides an overview of features in Mac OS X that can be used to enhance security. It is available here.

Related articles:
Apple MacBooks hold strong, remain unhacked after first day of $10,000 ‘Hack a Mac’ challenge – April 20, 2007
CanSecWest sweetens ‘Hack a Mac’ contest pot to $10,000 – April 20, 2007
CanSecWest to hold ‘PWN to OWN’ contest: pits Apple MacBook Pros vs. hackers – March 26, 2007
Microsoft’s oft-delayed, much-pared-down Windows Vista hacked at Black Hat – August 07, 2006
Microsoft publicity stunt asks hackers to attack Windows Vista – August 04, 2006
Apple Mac remains ‘unhacked’ as University of Wisconsin’s Mac OS X Security Challenge ends – March 08, 2006
Mac OS X ‘unhacked’ over 24 hours and counting in genuine security challenge – March 07, 2006

176 Comments

  1. They should run contests like this more often. It proves that Macs are completely secure. The only way this exploit could be used is through a phishing email to get you to go to a bad website. The more holes Apple plugs the better it will be for everyone, and these contests certainly bring out the exploits.

  2. “Relaxing barriers” or “lowering the bar” is not an excuse.

    Most Mac users use Safari and it’s used more often on the dangerous internet than any other program.

    Apple needs to rethink and develop a sandbox environment for internet based apps to run in.

    Also they need to demand developers treat the admin password with utmost security respect and quit demanding it for marketing code installs, “hooks” and fixes for shoddy coding practices.

    95% of exploits are application exploits, Mac OS X “hacks” enable these app exploits to gain much more power than they would normally have.

    Apple needs to also address EFI’s lack of security and normal user control and privacy issues.

    I would like to hear of some fantastic security changes in the next version of Mac OS X because we are rapidly traveling down the road Windows took security wise.

    I’ve already withheld any new Mac purchase until 6 months after 10.5’s release. If the security issue doesn’t improve and remain reliable by then, I’m not buying.

    I refuse to become like a Windows security sufferer.

  3. Just putting here what I posted elsewhere on MDN tonight.

    It’s 5.25am in the morning in Ireland (& yes tonight, it’s sad, I’ve nothing better to do!)

    I came across this story of which we on MDN forums were following earlier today.
    The majority of us were right in our assumptions about the “Hack a Mac” competition!

    I sent the following to MDN:

    Dear MDN,

    I don’t often swear, but please read this fu*kin crap:

    Link:
    http://www.macworld.com/news/2007/04/20/hacker/index.php

    Just as we all predicted on MDN! & after CanSecWest stated:

    “On the second day, the barrier will be lowered a bit and the attackers will be allowed to put exploit code on a special wiki and launch drive-by exploits on the Mac’s built-in Safari browser.

    “the barrier will be lowered”

    Of course the above is not stated in the released statement, as we all knew would be the case!

    FUD, FUD & again I say FUD!!

    “According to the security blog Matasano Chargen, Shane Macaulay and Dino Dai Zovi won the contest by gaining shell access to a Mac by pointing the Mac’s Safari browser at a specially-constructed Web page.”

    “You see a lot of people running OS X saying it’s so secure and frankly Microsoft is putting more work into security than Apple has,” said Dragos Ruiu, the principal organizer of security conferences including CanSecWest.

    !!!!

    If you’re going to exploit OS X, do it for real & don’t lower the barrier. Then I will listen.

    From,
    A not surprised, but really annoyed,

    Another Irish Dude

    PS:Link
    http://www.matasano.com/log/806/hot-off-the-matasano-sms-queue-cansec-macbook-challenge-won/

    Quote:
    More details as they become available. In the meantime, a drinking game: predict the rationalizations given by Mac zealots for why this finding “doesn’t count”.

    I’ll start: “It took $10,000 to break a Mac, but people break Windows machines for free every day!”

    PPS,
    An exploit in Safari, yes, but I fail to see how you can claim that a MacBook has been hijacked (the original term in the rules of “Hack a Mac”) when you had to lower the barrier.

  4. Whatever. Your brother-in-law has probably cleaned out numerous viruses and spyware over the last number of years, whereas I’m STILL running without any anti-anything software since 10.1. He can laugh all he wants but it is irrelevant.

  5. > I wonder why this hole wasn’t exploited before. Security via obscurity seems to be the true explanation, whatever some Apple users say.

    It’s not a virus. It doesn’t self-replicate and infect other Macs (it doesn’t even infect the target Mac). The user would have to be “lured” into visiting the malicious web site, and the end result is that the hacker has some user-level access to the target Mac, not root-level access. Can’t do too much with the exploit; a lot of effort for not much “profit.” It’s not security via obscurity, but security via Internet Explorer and Windows being much easier and more profitable targets.

    If that other MacBook gets “owned” (root-level access), now that would be something…

  6. Exactly. Apple has a better track record because its security is better. Sure, if you turn it off and run special attacks against it, you’re bound to find something.

    Drive through any well-to-do neighborhood. Most of those houses don’t get robbed due to alarm systems and the like. However, I guarantee there are some in those neighborhoods that still get hit because they are smug and think they can leave their car doors unlocked. Same thing. Regardless of how good things seem, keep your security on at all times.

  7. I wonder why this hole wasn’t exploited before. Security via obscurity seems to be the true explanation, whatever some Apple users say.

    Panther’s Safari’s URL handler exploits were posted on Slashdot where tens of thousands of IT and hacker types visit.

    Apple was notified and didn’t do squat for several months.

    Was there a botnet? virus? Nope. A few hundred compromised Mac boxes, perhaps.

    Why? The URL Handler exploits are just like this new Safari exploit: it requires a malicious website. So it requires a little more effort than just something that can spread on its own through open ports like Windows machines have “out of the box.”

    However, if Mac OS X and Windows market share were reversed, this would be a serious exploit because the attackers would be targeting this flaw for maximum botnet gain.

  8. Call us back when a Mac out in the wild gets hacked and then we’ll talk….

    As for the morons still spouting bullshit claims of security by obscurity, I’ve got two stats for ya….

    OS X was released over 6 years ago and has 22+ MILLION users. Sorry, but that’s hardly obscure.

  9. We need more details. Was the account that had Safari loaded an admin account? If so, then I don’t consider this a successful attack.

    I would just about bet that the attack would not work on a limited user account…

  10. Bull, only “after” the security was REMOVED did they find an exploit. OK, so how many people have opened up their machines to the world?

    If I give you access to my account and turn off the “built” in firewall and allow sharing and other things, then maybe you can hack it.

    OK, I might as well give you my passwords and my credit card numbers for christ sake.

  11. ” I wonder why this hole wasn’t exploited before. Security via obscurity seems to be the true explanation, whatever some Apple users say.”

    PLEASE educate yourself as to what this exploit actually means!

    You are embarrassing yourself.

  12. I just discovered webkit nightly. The improved rendering engine is very robust, faster, and much more compatible. I can use Google Docs and Google Pages all within Safari. I love it. I wish I would have discovered this gem earlier.

    http://nightly.webkit.org/

    It makes me wonder if Leopard will use the new Konqueror engine and if this so-called vulnerability still exists in it.

  13. @bullsheet

    This is a “driveby” exploit.

    Meaning you would have to be using Safari and visit a malicious website.

    Then it would only gain “user” access. But eventually it could gain “root” access by installing an auto-start process and waiting for you to use your admin password.

    “Security” wasn’t removed; this is a zero-day exploit for all Safari users. In fact the contest is rigged: the Macs were not on the internet, just a local network.

    Big difference; there are a lot more exploits out there online.
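The comment above describes the escalation path a practitioner would actually worry about after a user-level drive-by: persistence via an auto-start item that waits for a later privilege grant. The following is an added example, not code from the MacDailyNews page, the CanSecWest contest or the comment author: it audits the per-user launchd agents (the `~/Library/LaunchAgents` plists that macOS starts at login) and flags any agent whose program lives outside system-managed paths. The two sample plists, the `/Users/demo` home directory and the `TRUSTED_PREFIXES` list are assumptions constructed for the example; the plist keys `Label`, `Program`, `ProgramArguments` and `RunAtLoad` are standard launchd keys.

```python
"""Audit user LaunchAgents for auto-start programs in user-writable paths.

Added example (not from the original page). A foothold that only has
user-level access can still persist by dropping a LaunchAgent plist under
~/Library/LaunchAgents; this script parses such plists with the standard
library's plistlib and reports agents whose executable is outside the
directories a legitimately installed agent normally launches from.
"""
import plistlib
from pathlib import Path

# Assumption: paths a normal install launches from. Tune for your fleet.
TRUSTED_PREFIXES = ("/System/", "/Library/", "/Applications/", "/usr/")

# Constructed sample input: one benign agent, one agent that auto-starts a
# binary hidden in the user's own cache directory (the pattern to catch).
SAMPLE_AGENTS = {
    "com.apple.example.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.example</string>
  <key>ProgramArguments</key>
  <array><string>/System/Library/CoreServices/example</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    "com.example.updater.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Users/demo/Library/Caches/.u/updater</string>
         <string>--quiet</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>""",
}


def program_path(agent):
    """Return the executable an agent launches: Program, else ProgramArguments[0]."""
    if "Program" in agent:
        return agent["Program"]
    args = agent.get("ProgramArguments") or []
    return args[0] if args else None


def suspicious(agent, home="/Users/demo"):
    """True if the agent auto-starts something from a user-writable location.

    `home` is an assumption for the example; audit_directory() passes the
    real home directory.
    """
    path = program_path(agent)
    if path is None:
        return True  # nothing sensible to run: treat a malformed agent as a finding
    user_writable = (home.rstrip("/") + "/", "/tmp/", "/private/tmp/")
    if path.startswith(user_writable):
        return True
    return not path.startswith(TRUSTED_PREFIXES)


def audit(plists, home="/Users/demo"):
    """Audit a {filename: plist_bytes} mapping; return (name, program, reason) findings."""
    findings = []
    for name, data in plists.items():
        try:
            agent = plistlib.loads(data)
        except Exception:  # plistlib raises several types for bad XML/format
            findings.append((name, None, "unparseable plist"))
            continue
        if suspicious(agent, home):
            findings.append((name, program_path(agent),
                             "auto-start program outside trusted paths"))
    return findings


def audit_directory(directory=None):
    """Run the audit over a real LaunchAgents directory (defaults to the current user's)."""
    d = Path(directory) if directory else Path.home() / "Library" / "LaunchAgents"
    plists = {p.name: p.read_bytes() for p in d.glob("*.plist")} if d.is_dir() else {}
    return audit(plists, str(Path.home()))


if __name__ == "__main__":
    for name, path, why in audit(SAMPLE_AGENTS):
        print(f"{name}: {why} ({path})")
```

On a live machine, `audit_directory()` with no argument reads the current user's `~/Library/LaunchAgents`; the same check applies to `/Library/LaunchAgents` and `/Library/LaunchDaemons`, which need an admin account to write to and are therefore the second thing to look at once the first stage has been cleaned up.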

  14. Nobody ever uses limited user accounts. You might, but you’d be one of the very few.

    And to ‘irish dude’ going on about “lowering the barrier”.. the fact remains that this is a zero-day exploit that affects all current Macs (running Tiger at least.. not sure about older) that are connected to the internet. Who cares what the conditions of the competition were?

    No, I’m not scared, I’m not a Windows user or Microsoft employee, and I don’t think it’s the end of my wonderful Mac security. 5 years running incident free and I don’t think this is going to change that.

    I’m just saying you need to at least admit to yourself that the Mac, like all computers, has vulnerabilities. Don’t run around thinking (and bragging) it’s the computer designed by God.

  15. Wiseguy;

    “Apple was notified and didn’t do squat for several months.”

    Pretty disingenuous, making it sound like Apple simply “chose not to fix” the problem. Do you have any idea just what it takes, and just how long, to just “throw together” a fix? Hmmm?
    Mebbe you don’t, but I’ll let you in on a little secret…
    If it DIDN’T take “a few months”, then I’d have been scared as s**t to install it, ‘cos the QA process ALONE takes that amount of time.
    QA… like, you know… actually TESTING these things before releasing them to the public?
    Hmmmm?
