InfoWorld publishes false report on Apple Mac security

“Nancy Gohring, writing for InfoWorld, delivered a misleading report yesterday on a Mac security exploit contest held at the CanSecWest conference in Vancouver, BC,” Daniel Eran writes for RoughlyDrafted.

Eran writes, “In her defense, it appears likely that Gohring did not write the headline [“Myth crushed as hacker shows Mac break-in”] for her InfoWorld article, which described the contest winner as being ‘able to remotely break into a Mac as part of a contest designed to illustrate security flaws in OS X.’ That part was simply wrong.”

“Whoever did write the headline must have been smoking weed in celebration of 4/20, because Gohring’s article clearly described a local exploit. There’s a big difference between the remote exploits that made Windows infamous for its insecurity and a local exploit of an application,” Eran writes.

Eran writes, “Gohring reported that ‘contestants were invited to try to access one of two Macs through a wireless access point while the Macs had no programs running. No attackers managed to do so, and so conference organizers allowed participants to try to get in through the browser by sending URLs via e-mail.’”

“Opening an email URL that exposes a security flaw in Safari is both news to report and a problem for Apple to tackle, but reporting it as a remote exploit is inaccurate, irresponsible, and sloppy journalism, particularly for IDG’s InfoWorld, which purports to be an authority on computing,” Eran writes.

Much, much more in the full article here.

Related articles:
CanSecWest’s $10,000 ‘Hack a Mac’ challenge relaxes barriers, finds exploitable hole in Safari – April 20, 2007
Apple MacBooks hold strong, remain unhacked after first day of $10,000 ‘Hack a Mac’ challenge – April 20, 2007
CanSecWest sweetens ‘Hack a Mac’ contest pot to $10,000 – April 20, 2007
CanSecWest to hold ‘PWN to OWN’ contest: pits Apple MacBook Pros vs. hackers – March 26, 2007
Microsoft’s oft-delayed, much-pared-down Windows Vista hacked at Black Hat – August 07, 2006
Microsoft publicity stunt asks hackers to attack Windows Vista – August 04, 2006
Apple Mac remains ‘unhacked’ as University of Wisconsin’s Mac OS X Security Challenge ends – March 08, 2006
Mac OS X ‘unhacked’ over 24 hours and counting in genuine security challenge – March 07, 2006

50 Comments

  1. The fact that such a contrived and artificial situation had to be resorted to in order to be able to report something resembling some sort of successful attack on OSX, in itself speaks volumes about just how buttoned down OSX really is.
    OK CanSecWest, equal time, fair play. Please do the same sort of thing with Vista!

  2. Misleading or not, that isn’t the point. It’s very disconcerting that this actually happened and doesn’t sit very well with me. Personally, I would have laughed to think that this was even possible before this contest. 11 hours of one person’s time wasn’t a lot of effort to exploit and hijack the computer. Apple needs to pause their “Shiny Gadgets for Teens” production and perform a thorough code review in light of this. Despite a secure core, OS X can only be as strong as its weakest link. Sadly, this example will be referenced for years to come by MS apologists. While I realize no software will be perfect, I still hold Apple to a higher standard and expect better. Drive-by hijacking of OS X is NOT acceptable.

  3. So if you have my email address, and know I am running safari, and if I am stupid enough to click on your link, I may be infected.

    Next thing you will say is you have to enter the admin PW…

  4. Yet another controversial demonstration of a Mac vulnerability.

    Couldn’t the organizers have found another venue other than a Microsoft sponsored event like CanSecWest? It would have demonstrated impartiality.

    The MacBook was destined to be hacked because Microsoft wasn’t going to allow being embarrassed. So they lowered the bar further and further until they found a browser exploit that’s triggered when one is suckered into clicking on a link like ‘click here for h0t iPh0ne picktures’.

    Of course, Microsoft now has what they wanted, talking points for Bill Gates to use whenever he’s ambushed during a Vista interview. Whenever anyone mentions Mac OS X’s superiority to him he can retort that Macs have countless vulnerabilities. He wouldn’t be lying necessarily, because there could be potentially countless web sites hosting the Zovi file.

  5. Disappointed, you’re an idiot if you think Mac OS X was unhackable. But just because it’s hackable under certain specific circumstances does not mean it’s suddenly just as insecure as Windows. EVERY operating system has security holes that can be exploited. But not all exploits are created equal, and the more conditions that have to be present for a bug to be exploitable, as well as the lower the likeliness of those conditions to exist at the same time, the lower the likeliness that it poses a real risk.

    You hold Apple up to unrealistic expectations and are setting yourself up for more disappointment in the future if you continue to do so. In the meantime, be satisfied that Mac OS X is still far more secure than Windows, and probably always will be.

  6. There is nothing new about the Safari exploit. Anyone who uses that browser, though, should have his head examined, especially with the ridiculous and dangerous “trust safe sites,” or whatever the hell it is, turned on in the Preferences.

    I use Firefox, not because it is inherently safer, though it is, but because Apple didn’t design it. Firefox doesn’t have any of OS X’s common-code crap in it, à la MS and IE.

  7. Great article with real facts not FUD about Mac security. The only way anyone could win this contest is by cheating once again. Lowering the security that is not the norm on OSX systems. Mac OSX has proven once again it is the king in security and real world hackers can’t break in without cheating or lowering the normal security threshold.

  8. @ tt: You’re not thinking this through.

    They sent the URL by email because they (obviously) had no remote access to point Safari to the web page with the exploit on it. The organizers would then visit the web page to see the machine could be compromised. It was a condition of the updated contest rules, which by that point had implicitly acknowledged that a remote attack couldn’t gain access to the system.

    Depending on how easy the exploit was to create, you don’t NEED to be sent an email to visit a website that’s been compromised. A flaw in how Windows handled images allowed some banner ads to carry the attack vector, even on trusted sites.

  9. @ john:

    If I read the contest correctly, they did not “lower the security” on the Mac. They visited a URL. How they came across that URL is irrelevant; it could be a link on a blog or other website, encapsulated in a tinyurl.com link, whatever.

    What the contest DID do was lower the requirements for winning. By doing so they implicitly admitted that remote attacks could not result in remote shell access to the machines. Did they “cheat?” I’d say no, but they should have reduced the prize amount accordingly to reflect the fact that the hardest method of gaining access couldn’t be done.

    The press IS making too much hay over this, but as far as exposing a real exploit (as opposed to something stupid like a user-run shell script, or a flaw in VideoLan Client), the contest succeeded. It’s a bit worse than previous exploits that used Safari’s “open safe files after downloading” because it seems the user has no obvious odd behaviour to go on, like an unasked-for download suddenly starting.

  10. I, and many people who post here, have never said that OS X is perfect or without security flaws as the trolls would have you think otherwise. I still maintain that OS X is more secure as a whole, and more difficult to write a virus for, than Winblows of any flavor, including Fista.

    The holes are there – they are just fewer and far between. Also, based upon this contest and the month of Apple bugs I would say that most of the security flaws are with how the OS handles applications and not the kernel itself.

    Unlike another OS out there.

    http://blogs.zdnet.com/security/?p=161

  11. Although the information published is sketchy it seems even with local access all they managed was a user shell. That is NOT pwn’ing a box. (from the contest rules “the first box required a flaw that allows the attacker to get a shell with user level privilages”<sic> ) They have no way to execute anything at root (system level). They could delete user files but no system execution or file access is achieved, so the remedy to this “takeover” would be to simply log off and then log back on (or restart the Mac).

  12. I don’t understand why some people think this is a cheat, or not a real world scenario. Windows gets hacked quite often by visiting a malicious web site and no one says that’s a cheating way of doing it. It’s what we all do – browse web sites. Every day. And who ONLY goes to known trusted sites? How do you know? I go to web sites I’ve never heard of every day (and no, not porn sites).

    From what I can tell so far, the BIG difference is that while the attacker can do whatever he wants to the user’s files, if he doesn’t have admin rights he can’t install any software. So at the very least he’s got all your stuff but he can’t spread this ability from your machine to another or become part of a botnet. Every machine that is to be affected must visit the originating web site. Does anyone know any different?

  13. I am assuming all of the people that point out that it affects Safari never receive any HTML code in any application that uses Apple’s web rendering. No, it is not a huge issue, but it is larger than just Safari and therefore is remotely exploitable. Think about it the next time you open an HTML message in Apple Mail.

  14. @Wingsy,

    Once you have shell access, even as a non-admin, you can run Applescripts using the osascript shell command. Anything Applescript can do as a non-admin, the remote attacker could do as well–like email a message with a link to everyone in the user’s address book. Fortunately, such an action is, AFAIK, immediately visible to the user.

    They could also use the built-in “curl” command to download other precompiled shell applications (say from the attacker’s own website), and as long as they don’t need to be installed to a system folder, can be made executable and run without an admin prompt. I don’t know if a keylogger *has* to be installed and run as an admin, just to record a local user’s keystrokes.

    This is not to say I’m worried. I still use my Macbook gladly over any POS Windows machine; a work laptop I was using got infected with malware despite being fully updated, was using Firefox, firewall on, and visiting only innocuous websites.

  15. Apple corporate would like to take this opportunity to thank our customers for their wide array of excuses and justifications. This allows us to continue our focus on cell phones. We’ll get back to you in July.

    Until then, please refrain from downloading anything.

    Thanks!

  16. Local or remote exploit, we’re splitting hairs on this one.

    Basically a hole was found in Safari.

    You can exploit this hole by sending some unsuspecting user (most are) an e-mail with a link to a malicious website.

    Poof you have command line access to the user’s computer.

    Give me the command line and the bitch is mine.

    Apple would be wise to “Embrace and fix” this.
