“In a repeat performance of last year, security researcher Charlie Miller arrived at the CanSecWest conference this week with a prepared exploit to use in cracking Safari running on Mac OS X,” Prince McLean reports for AppleInsider.
“Unsurprisingly, Miller was able to use his exploit to immediately win the event’s ‘Pwn2Own’ contest, generating headlines that suggested that Macs are inherently less secure, despite the fact that every browser involved in the contest failed on the first day,” McLean reports.
MacDailyNews Take: Wait a sec. You mean that Miller had months beforehand to find a hole and prepare his exploit, then just set it up and ran it when the “contest” began? And that he picked a Mac because any “Mac security issue” would, of course, generate 100x the headlines of any other platform? Even though this same thing plays out year after year, affects no real users, and Apple will plug whatever hole Miller found in a Security Update due soon? Say it ain’t so. (dripping sarcasm)
McLean continues, “This year’s contest arranged for two test computers. According to the CanSecWest event’s official website, which is oddly littered with typos, the ‘Browsers and Associated Text PAltform’ [sic] were a Sony Vaio PC running a prerelease Windows 7 beta with Internet Explorer 8, Firefox, and Google’s new Chrome browser, and a MacBook running Safari and Firefox.”
“In each of the three days of the contest, the exploit rules were intended to be progressively relaxed, starting only with exploits that attacked the browser itself, then adding Flash, Java, .Net and QuickTime to the mix on day two, and then ‘popular apps such as Acrobat Reader’ on the third day,” McLean reports. “…In reality, the platforms and browsers involved aren’t targeted by a series of equal attacks. Instead, researchers arrive with exploits they hope to use against vulnerabilities they are aware of in specific platforms or browsers, but have not yet reported. Were they to report the exploits in advance, they would be patched by the vendor. There’s no money in that, so the contest provides an incentive to report vulnerabilities.”
MacDailyNews Note: Last year, Miller took two minutes to win. This year, he was more efficient – probably a good thing for him, since Windows 7 running IE fell soon after – and did it in 10 seconds. Again, the work had all been done beforehand. As with last year’s exploit, Miller simply provided a link, the judges clicked it, and he showed them he had full control of the MacBook. Quick, type up those “Mac hacked in 10 seconds!!!” headlines.
McLean reports, “In exchange for the winning prize, Miller granted the reporting rights to the discovered flaw in Safari to TippingPoint’s Zero Day Initiative, which will coordinate the handling of the disclosure and the patch release process with Apple. When a vulnerability is reported to Apple, the company credits the discoverer with finding the problem when issuing a patch for it.”
McLean reports, “The contest is also somewhat removed from reality due to the fact that it pits the current release of Mac OS X with new versions of Windows that do not reflect what the vast majority of Windows PC users are actually running… This year, the use of the prerelease Windows 7 operating system, which security researchers have had limited access and time to study, combined with the fact that Microsoft expressly warns users not to use it in production environments, tends to create the impression that Pwn2Own is more about theoretical games than real world security issues relevant to end users.”
“The real world security problems that affect today’s Windows users relate to the fact that there are not only more discovered flaws on Windows, but that these flaws are being actively exploited to develop viruses, spyware, adware, and other malware. Further, there are vast numbers of machines that are not promptly updated with the patches that do exist, resulting in fleets of vulnerable botnets that actively distribute new attacks to other systems. These two problems aggravate each other to create the Windows security crisis… Mac OS X continues to have no real viruses, while Windows users continue to be plagued by viruses, adware, and other security problems,” McLean reports.
There’s much more in the full article – highly recommended – here.
MacDailyNews Take: The bad news is that these contests twist reality in order to generate publicity for their sponsors and provide headlines for the beleaguered to latch onto; headlines that give false impressions to the sufferers and further bind them to their miserable existence. It’s feeding day for the Windows sufferers’ potent combo of Stockholm Syndrome and Cognitive Dissonance. It’s a boringly predictable annual charade. We wouldn’t even bother posting about this contest if people would simply report the facts and not try to create fantasies that do not exist in the real world. The fact is that using any version of Windows online remains a risky joke. Please see related articles below.
The good news is that this contest has helped identify issues which OS and software vendors, including Apple, can now plug. In the meantime, as always, relax: Mac users surf the ‘Net with impunity.
That said, here’s our usual reminder for Mac users and anyone who’s trying to use any other platform: Do not download and authorize the install of applications (Trojans) from untrusted websites. No OS can protect users from themselves (or we wouldn’t be able to install any software).