
After two Apple MacBook Pros survived the first day of CanSecWest’s ‘PWN to OWN’ contest that dared hackers to take control of default Mac OS X installations, CanSecWest earlier today lowered the barriers as planned since “there has not been a successful attack.” Both MacBook Pros were connected to a wireless router and with all security updates installed, but without additional security software or settings. The contest’s second-day relaxed rules allowed attackers will be allowed to place exploit code online and launch drive-by exploits on the Mac’s built-in Safari browser.
“Time to expand your attack surface,” CanSecWest’s contest organizers stated. Hackers were invited to email links to organizers who would then visit the hackers’ exploit attempts from the target machines using Safari.
Two hours and 24 minutes later, CanSecWest reported, “One OSX box has been owned! At this point all we can say is there is an exploitable flaw in Safari which can be triggered within a malicious web page. Of course all of the latest security patches have been applied. This one is 0day folks. Technical details will be forthcoming as the winner works out the release. There is still one more Mac to go. (the same flaw cannot be used again, but other Safari bugs are allowed).”
“Just to review the rules, the first box required a flaw that allows the attacker to get a shell with user level privilages [sic]. The second box, still up for grabs, requires the same, plus the attacker needs to get root,” CanSecWest reported.
Full article here.
Joris Evers reports for CNET News, “Shane Macaulay just got himself a free MacBook [Pro]. Macaulay, a software engineer, was able to hack into a MacBook through a zero-day security hole in Apple’s Safari browser… The successful attack on the second and final day of the contest required participants to surf to a malicious Web site using Safari–a type of attack familiar to Windows users. CanSecWest organizers relaxed the rules Friday after nobody at the event had breached either of the Macs on the previous day.”
Evers reports, “Macaulay teamed with Dino Dai Zovi, a security researcher until recently with Matasano Security. Dai Zovi, who has previously been credited by Apple for finding flaws in Mac software, found the Safari vulnerability and wrote the exploit overnight in about 9 hours, he said.The vulnerability and the exploit are mine, Dai Zovi said. Shane is my man on the ground.
“Dai Zovi plans to apply for a $10,000 bug bounty TippingPoint announced on Thursday if a previously unknown Apple bug was used. ‘Shane can have the laptop, I want the money,’ Dai Zovi said in a telephone interview from New York,” Evers reports.
Evers reports, “Apple spokeswoman Lynn Fox declined to comment on the MacBook hack specifically, but provided Apple’s standard security comment: ‘Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users.'”
Full article here.
“The URL opened a blank page but exposed a vulnerability in input handling in Safari, Comeau said. An attacker could use the vulnerability in a number of ways, but Di Zovie used it to open a back door that gave him access to anything on the computer, Comeau said,” Nancy Gohring reports for IDG News Service. “The vulnerability won’t be published. 3Com’s TippingPoint division, which put up the cash prize, will handle disclosing it to Apple.”
“‘Currently, every copy of OS X out there now is vulnerable to this,’ said Sean Comeau, one of the organizers of CanSecWest,” Gohring reports.
Full article here.
MacDailyNews Take: Our headline is accurate. Some of the articles to which we’ve linked above have sensationalist headlines and/or contain the usual “Security via Obscurity” myth. As we’ve seen recently, a proof-of-concept piece of malware exists for a handful of iPods running Linux. Now, that’s real obscurity. Obviously, 22 million Mac OS X installs are not “obscure.” We expect other articles to incorrectly headline and/or incorrectly report on this story. Prepare for a deluge of FUD, as the thirst in some quarters for Mac OS X to be “hacked” is insatiable.
The bottom line: Apple’s Safari web browser has a hole (not the first and probably not the last, by the way) that will not be published and will be disclosed to Apple to fix. That is the extent of this story as it currently stands.
Presumably, if you use browsers other than Safari (Firefox, for one example) on your Mac or don’t visit Dai Zovi’s particular web page with Safari, you’re invulnerable to this exploit.
We would expect Apple to issue a update for Safari to close this hole ASAP. CanSecWest’s contest has helped to make Safari more secure.
Reminder: Apple’s Mac OS X Security Configuration Version 10.4 Tiger or Later Second Edition (PDF) provides an overview of features in Mac OS X that can be used to enhance security. It is available here.
Related articles:
Apple MacBooks hold strong, remain unhacked after first day of $10,000 ‘Hack a Mac’ challenge – April 20, 2007
CanSecWest sweetens ‘Hack a Mac’ contest pot to $10,000 – April 20, 2007
CanSecWest to hold ‘PWN to OWN’ contest: pits Apple MacBook Pros vs. hackers – March 26, 2007
Microsoft’s oft-delayed, much-pared-down Windows Vista hacked at Black Hat – August 07, 2006
Microsoft publicity stunt asks hackers to attack Windows Vista – August 04, 2006
Apple Mac remains ‘unhacked’ as University of Wisconsin’s Mac OS X Security Challenge ends – March 08, 2006
Mac OS X ‘unhacked’ over 24 hours and counting in genuine security challenge – March 07, 2006
>”Hmmm. Let me get this straight. Nobody could hack the OS itself, therefore, the OS is not secure. Got it.”
Umm, the OS was hacked. They went through Safari to get to it. They got a shell with user level privileges. It would not be cool to have your entire user account wiped. No, not admin – but anyway you look at it, it’s not good. Don’t downplay it. The details will only be disclosed to Apple and they will patch it – that is the only good news.
>”We need more details. Was the account that had Safari loaded an admin account? If so, then I don’t consider this a successful attack.”
Same answer as above… Look, admin or no admin they got access and could delete files – NOT good. Like I said, the only good news is that it will be fixed. Please be realistic about it.
@Loru
Back up now. I don’t see anything new sticking out, except for the 8-core Pro.
@ no jeff,
I don’t believe that there is any OS impervious to attack.
All OS’s have vulnerabilities.I do believe that
OS X is more secure than Windows (I have used both).
So like you I am not worried & like you I am 5 years running OS X incident free (OS9, 8, &7 before that, with 2 Word viruses on OS 8 in all that time) and this exploit is not going to change that.
I do have to say that I was quoting “lowering the barrier” from CanSecWest’s own statement.
What I want to know is what would have happened if they had stuck to their own original rules! If you had read my posting properly & CanSecWest’s statement about changing the rules on day 2, you would have understood what i was saying.
I am fed up FUD.
“Who cares what the conditions of the competition were?”
Plenty of people.
“I don’t think its the end of my wonderful Mac security”
That is my point.
“Don’t run around thinking (and bragging) its the computer designed by God”
Here you totally make up a statement & I think you should go take your meds.
Another quick point: I don’t believe allowing the hackers to use Safari as an attack vector was relaxing the barriers at all. Let’s be honest, there are millions of Macs on the web every day and the majority of them are using Safari. That’s a real-world situation. It is in no way some obscure way of attacking an OS X machine. M$ was highly criticized for integrating IE so deeply with it’s OS (and all the ensuing problems it caused). While Safari in no way compares to that, the hackers were able to gain a decent level of access by exploiting a hole in it.
Bottom line: It’s bad news, and we’ll (myself included) just have to deal with it.
“Whee! I’m gonna do the Smug Dance now! Smug smug smuggy smug, I’m so smug! Woo-hoo! Eat it, Windows-lovers!
Every time someone tries to engineer a publicity stunt to show folks like me how “insecure” our Macs are, it always backfires and demonstrates just how ridiculously safe Mac OS X really is!
Smugness level at 9 and climbing!”
Name of poster witheld.
I’M SURE that a windows PC with all the latest patches probably would fare about the same as a Mac.
Little known secret about Windows… current versions, when properly patched, are similar, security wise to PCs.
Would have been fun to have run a Vista PC at the same time and compared results.
> Would have been fun to have run a Vista PC at the same time and compared results.
Except no one would want to win a Windows laptop. But I suppose $10,000 is still $10,000.
@Wiseguy…
“the dangerous internet”
“A few hundred compromised Mac boxes, perhaps.”
“I’ve already withheld any new Mac purchase until 6 months after 10.5’s release.”
Your my hero.
Security by Obscurity – Yes to exploit the mac they required Safari to visit an obscure web-site that could then exploit the machine.
Who the hell visits obscure web sites looking for someone to attack their machine ?
If Dai zovi sets up a porn website to attract ‘customers’ they deserve what they get !!!
why there are no attacks to the Mac currently.
Mac users at large, and anyone with a brain, have always said that phishing and drive-by attacks are always a possibility. This is not the point.
The point is that doing that is pretty useless to organize attacks to the Mac platform exactly because the 1st day no one has been able to compromize the two Macs.
These kind of attacks on Windows are used to then instill something that propagates and start the exponential infections we all know on Windows.
Attacks that work on single machines and then the process has to be repeated again user after user individually makes absolutely no sense. So, again, it is not obscurity that protects the Mac: pretty much the opposite. The fact that a drive-in is possible on the Mac actually reinforces the robustness of the OS: it is useless if then there is nothing in the OS that can be exploited to turn the Mac into a zombie. Not worth the effort in that, again, the results are essentially meaningless in terms of hacking and spreading: zero.
Very interesting news! I always knew Mac OS X security was not perfect, indeed nothing created by people can perfect. It’s nice to finally see an exploit, that works under real world – type conditions, and the whole incident documented and discussed in public forum. Finally, proof that OS X, despite its near impervious security, falls short of perfection.
Whenever you expect perfection in life, you set yourself up for disappointment. Small imperfections exist everywhere, and in my opinion, make life more interesting. (Giant imperfections, like IE, ActiveX, and Vista’s CD & DVD-rom format, are just a pain in the arse.)
That being said, this still is bad news for apple, and problems like this and the delay of Leopard are starting to chip away at my overall opinion on the company. Hopefully, they will redeem themselves with near perfect releases of the iPhone and Leopard, but it’s very well possible that hiccups in these products will just add to Apple’s trouble.
Too bad I don’t have any real alternative to Apple at the moment, since both Windows and Linux have offended my sensibilities. Maybe Linux will someday get their act together, and finally release an OS that will more-or-less work the way I want out of the box without making me spend hours configuring and trouble shooting. Linux at least has a chance of redemption. Windows is just dead to me. And Mac, while still on top, may be starting down a slippery slope.
Just to be on the safe side, I’m checking out the latest Ubuntu Live CD designed for Intel Macs. Here’s hoping it turns out better my other Linux experiences.
A non-story if I ever saw one.
To the guy who is witholding his purchase … who gives a fat rats ass what you are doing. Listen, assclown cry baby, go buy a Dell and shut the fuck up.
Traveler
Go travel to Ubuntu land!
One thing that pisses me off is that macs out of the box do not come with the Firewall turned on by default.
Alot of newbies wont even know its there. This is a stupid default setup.
this whole thing isnt good, but i bet it was either funded by microsoft or some windows fanboy that just couldnt take the ‘Get a Mac’ ads anymore.
As the mac gets more and more popular there will be more and more of these losers who make a specific competition to ‘advertise” the lack of security of a mac. I mean theres none of these competitions for windows, its just known that its an unsecure piece of shit.
their whole attitude is, ‘well if my windows machine it inherently less secure by design, im going to create as much FUD as possible about the mac’
and just so you can correct the pc crowd, this is NOT a virus. its a vulnerability in an application, in this case safari. Which no, isnt good enough.
lol x you took the words right outta my mouth
” width=”19″ height=”19″ alt=”raspberry” style=”border:0;” />
I really have to say to some of you, “cup half full people please!!!!”
Now the facts remain that Mac OS X is still the most secure mainstream OS out of the box. One exploit has been created by a security expert and programmer after 9 hours of work that requires you to go to a website using a vulnerability in Safari. Well who said OS X was totally secure.
They had a whole 24 hrs, a pretty big dangling carrot and a room full of security experts and hackers on a LAN with 2 macs and they couldn’t get in so the bar had to be lowered. If they didn’t change the rules there would be no winner. Try that with XP or Linux. Linux would take a while yes but with XP, I’d give them 10 minutes including a coffee break to get in.
This is not serious. 200,000 viruses is serious. Apple will patch this and it will make OS X even more inpenetrable. It’s not a virus people, OX X is still the best, let’s move on please. Oh and to Traveler, do you know if Ubuntu has no vulnarabilities? Go buy a Mac. this proves macs are fantastically secure. Use Firefox if you’re scared of being hacked. I’m sticking with Safari and I refuse to turn on my firewall!!!
Soooo many typos… Sorry
and I refuse to turn on my firewall!!!
Frankly, there is no reason not to. The firewall has nothing to do with virus, you know.
Turn that on, there is absolutely no reasons not to.
The most secure OS is STILL the most secure. No successfull exploit yet.
These exercises are one of the reasons it is so secure.
Having a competition like this for Windows would be plain pointless.
And MOST importantly of all:
The Mac community is a very different one to WIndows.
For Mac users Apple is a partner to be supported. For Windows users Microsoft is the enemy.
Enough said.
Hey can anyone explain the logic in a Windows user who refuses to switch to OS X because he believes that even though there are no viruses for OS X and 200,000 for XP, he may as well stick with XP as in his mind one day there will be loads of viruses for the Mac as well and therefore there is no point buying the more secure system.
That sort of delusional logic eludes me. It’s like saying:
“I am going to buy a make and model of car with a reputation for poor breaks and an unreliable engine even though it only costs fifty quid more for a car with a great reputation for safety and reliability. I mean, there are loads more cheapskates out there who put up with these lesser quality cars they are becoming a standard. I may as well because one day someone in one of those reliable cars will have an accident or get stuck out in the middle of nowhere. It could be me. At least with this Microsoft car I will be prepaired when it happens. “
I hear it all the time with my windows using customers when I suggest they think about switching.
Stockholm syndrome & cognitive dissonance all the way baby…
Some people are Idiots!!!
I’ll have to give em credit for this, as much as I hate to.
So the score stands at:
OSX: 1
Windows: 100,000+
I’m OK with that. But still, I cannot in all honesty say zero anymore. Knew some day that would happen.
So they had Root access and no firewall to contend with? Is that right? If I leave the keys in my car with the engine running I wouldn’t be surprise if someone had a little go (especially if I’d asked them!!). Not sure what this proves.
@ Wiseguy
Since you are postponing a new Mac purchase for 6 months, perhaps you could also refrain from posting for those 6 months? And get your friend/alterego Traveler to do the same. Many of us would really appreciate it.
Just a thought…