Home Phone and Internet $60/mo
- Related Stories
-
Offering a bounty for security bugs
July 24, 2005
Macaulay, a software engineer, was able to hack into a MacBook through a zero-day security hole in Apple's Safari browser. The computer was one of two offered as a prize in the "PWN to Own" hack-a-Mac contest at the CanSecWest conference here.
attacks a MacBook at the
CanSecWest conference.
The successful attack on the second and final day of the contest required a conference organizer to surf to a malicious Web site using Safari on the MacBook--a type of attack familiar to Windows users. CanSecWest organizers relaxed the rules Friday after nobody at the event had breached either of the Macs on the previous day.
Macaulay teamed with Dino Dai Zovi, a security researcher until recently with Matasano Security. Dai Zovi, who has previously been credited by Apple for finding flaws in Mac software, found the Safari vulnerability and wrote the exploit overnight in about 9 hours, he said.
"The vulnerability and the exploit are mine," Dai Zovi said in a telephone interview from New York. "Shane is my man on the ground."
Apple spokeswoman Lynn Fox declined to comment on the MacBook hack specifically, but provided Apple's standard security comment: "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users."
Dai Zovi plans to apply for a $10,000 bug bounty TippingPoint announced on Thursday if a previously unknown Apple bug was used. "Shane can have the laptop, I want the money," Dai Zovi said. TippingPoint runs the Zero Day Initiative bug bounty program.
A TippingPoint representative said the company would pay, after looking at the vulnerability. "If it is an actual zero-day in Safari that's fine with us," said Terri Forslof, manager of security response at TippingPoint.
The successful hack comes a day after Apple release its fourth security update for Mac OS X this year. The update repairs 25 vulnerabilities.
CanSecWest organizers set up the MacBooks connected to a wireless router and with all security updates installed, but without additional security software or settings.
See more CNET content tagged:
TippingPoint Technologies,
Apple MacBook,
contest,
vulnerability,
Apple Safari
What can't be denied is this is a new hack, and the guy spent under a day on it. Surely this proves that with sufficient motivation Apple software is vulnerable?
That is exactly what would have happened to you if you had gone to that site using Safari because Safari has a vulnerability no one knew about except the man who collected the award. He knew about it and put the exploit on the malicious site to take advantage of the security hole in Safari.
The article is somewhat obtuse in that it doesn?t say what damage the hacker could have done to the Mac with this exploit, but whatever he might have been able to do with it would not have been a pleasant experience for the user. In the ordinary course of events, Apple would now get busy writing up a patch for it. That could take some days. We will have to see how long it takes. In the meantime an AV vendor would only have to examine the exploit itself, a simple process and quickly done. The AV vendor?s definition for the hack could be released in hours.
All this proves that writing an exploit for the Mac is easy if anyone wants to bother doing it. But of course we all knew that ? except you Mac fanatics with your nonsensical claims about Mac invulnerability because it is based on Unix or the other nonsensical claim that somehow operating at a non-root level protects against attacks. If the hacker was sufficiently good at it, he could easily have written a hack that would have raised the level of privileges and gone to root level. That is what happens to Windows and can happen to a Mac as well. You have been proven to be wrong in every argument you have made about the alleged invulnerability of Macs.
I recall this happened before and someone used an Applescript flaw to infect a Mac system with a virus, and it was called a non-virus because Applescript was used. I guess all of those Word VBA macro viruses are non-viruses as well on Windows, eh?
Funny how Apple and the Mac fans like to cover up the Mac's security flaws in that way.
Nope it was a Safari bug, not a Mac OSX one. But isn't Safari included as part of the OSX package like Internet Explorer is part of the Windows package? Why do you call an IE flaw a security hole in Windows but a Safari security flaw in OSX is not a hole in Mac OSX?
Actually a stripped down Linux box with the minimal features and the most recent security fixes is more secure than a default OSX (or even default Linux) box, plus it runs faster too without all of that bloat holding it down. Just one thing, it is not as easy to use as OSX (or a fully loaded Linux box) most likely because GNOME/KDE and possibly the X-Window system might not be installed. When you add in a lot of GUI features to make the OS easier to use, it opens up a lot of possible attack points for a hacker.
work is "wasted" time.
Also, he spent 9 hours on it, and got a ~$2500 laptop.
I am not sure about you, but $280/hour is certainly more money than I make.
Which version of MAC OSX was on the MacBook? OSX 10.4.9 with latest security updates?
Mac & PCS both are not hack proof & Apple has never said it was, but Apple & MacOSX has a loooooooooooooooong way to go before ever catching up to Windows security problems ( even VISTA OS ).
"The successful attack on the second and final day of the contest
required participants to surf to a malicious Web site using
Safari--a type of attack familiar to Windows users. CanSecWest
organizers relaxed the rules Friday after nobody at the event had
breached either of the Macs on the previous day."
So its considered to be hacked to simply surf to a web site?
Also, how were the rules relaxed???? It seem they COULDN'T
hack it as originally set up???
Why can't CNET at least provide a link to the real story.
yesterday.
From the site:
http://cansecwest.com/post/
2007-04-20-14:54:00.First_Mac_Hacked_Cancel_Or_Allow
"Just to review the rules, the first box required a flaw that allows
the attacker to get a shell with user level privilages. The second
box, still up for grabs, requires the same, plus the attacker
needs to get root."
So to say the Mac is owned is an overstatement. It is however, a
good reason why you shouldn't log in as an administrator for
your normal use. If you are doing that, here's how to correct
your setup. First, create a new account (System Prefs, Accounts)
and give it administrator rights. Next, log out of your old
account and log into your new admin account. From there,
change your old account to a standard user by removing
administrator rights from it. Now you can log into your old
account as you normally do, but it won't be an administrator.
You will need to provide the admin user name and password
when installing/removing software.
Still no need for AV software!
That's a rhetorical question because if the Mac is successfully hacked someday like that Mac fanboys will find some way that it wasn't really a hack. On the other hand Windows and maybe Linux fanboys will be pointed and saying we told you so.
The reality is that all software has flaws and some flaws in some software will allow the hacker to gain full control over a entire system. I think it's a much safer and less arrogant statement to say that the Mac could possibly be hacked, but due to flaws being fixed quickly and the fact that it has a good platform under it it's less likely to be hack in any meaning full manner.
But that's probably asking to much. :-P
no system is 100% secure. This applies to more than just
computers. In theory, you could rob Fort Knox of its gold.
In reality, Fort Knox is safe enough and the Mac is nearly safe
enough. Plenty safe, as this test demonstrated, unless the
hacker has direct access to the machine and can take it through
the right steps on a malicious site. It may be possible to design
a site to trick a user into taking those steps, but that remains to
be seen. That's the final hurdle that would make this a real
exploit. Well, that and the not so small feat of gaining root
access.
The article states the hack occured on the second day and only
after the rules were relaxed. Personally, I can't believe how tight
OSX is...
i imagine a lot of Mac haters that participated are having a bad
weekend - haha...
people running the contest realized they were about to be totally
embarrassed because nobody was even able to do that - so bent
the rules... This, to me, is priceless... haha
As a long time Mac user, tho, I am encouraged that admin level was not obtained.
1) The Mac was exploited which means that it is one more flaw that will be corrected by Apple.
2) The first day went by without a successful attack. Macs will be able to continue to fend off attacks.
3) The root level test is still not won. This is very good because the hierarchy within OSX is robust.
4) No successful wild viruses or Trojans for OSX (so far). It continues to be the case for the ~22 million OSX users (and five years of OSX) that there is not a virus in the wild that exploits OSX. Impressive.
There are flaws in all software, but the fact remains that OSX (and Linux) is far more secure than any Windows operating system.
was hacked after, and only after the rules were changed. If the
rules stayed the same, there could of been a very good chance the
MacBook Pro may never of been hacked. I'd like to know what rules
they changed, and how it affected the end results.
Suddenly there was incentive to the contest.
I just want to say this flys in the face of all the mac users who beleive that hacking a mac is some kind of glorious event that will make the hacker famous. It won't. It wasn't until after the event offered the $10,000 did this hacker enter the contest and used a web-based exploit. The guy did it for the $10K. That was all.
http://www.macworld.com/news/2007/04/20/machack/index.php
challenge slightly by writing the root password on a Post-It note
and taping it to the contestant's monitors.
practical test?
I consider myself an "average" Mac user, OS 10.4.9 with all updates,
OS X firewall on (default), one user with admin privileges, always-
on DSL connection with firewall enabled in DSL router (default).
Can you reach my Mac? If so, can you do any meaningful harm?
Jay
No, your computer cannot be reached. That is not what is at question here. In this kind of hack, you have to be enticed or steered to the malicious site that harbors the hack. To trick you into going there is what phishing is all about. Once there, in many cases simple access will automatically download an infection to your computer. A firewall is useless in this kind of situation.
An AV might block the install on your computer if the AV vendor is already aware of it and has issued an update to its definitions. Or possibly Apple is already aware of the nature of the hack and has issued a patch that blocks whatever vulnerability in the Mac that the hack uses.
The whole point of this kind of attack is that to be successful the user must access the site. Unfortunately, even some of the stuff loaded by users on the popular so-called social sites may contain a virus and simply clicking on perhaps a video can infect you. Fortunately so much stuff is uploaded to such sites, your chances of clicking on the one that contains a virus is not very likely.
I'd say the conditions for this were pretty good. They allowed access to the same subnet to keep from slowing down the contest. Any competent hacker can get through your router firewall if he knows your WAN IP. So they just eliminated that part of the process.
Remember, in the first part of the contest, there were NO remote attacks that succeeded. So even if you have NO router and are directly connected to the internet, you may be safer than you think.
2) MACs are more stable, crash less, and have very little security concerns to date. It helps that OS-X runs on only ONE SET of hardware configs (By Apple), as opposed to Windows that runs (well, most of the time) on everything. Have Apple open up and run on Gateway, Dell, HP, Lenovo, PC's, with all types of video cards, TV capture cards, sound etc... and then we will see how stable it is. Be real about it.
3) About 90% of my fellow mac users (peeps I know) run Parallels with XP because they could not do EVERYTHING with OSX. I was just at the 5th Ave store in NY and they were doing a demo for everyone. Seriously, look at the revenue for the company. Look at VMware. If there wasn't a need for Windows, then they wouldn't touch it. Where is that in the commercial?
4) Where is Apples R&D Answer? Give me an alternative to Exchange (As an Actual Alternative, Leopard makes great strides, as marketed, but is not there). Give me an alternative to Office (I dont want that crappy Open/StarOffice) I want a innovative Apple solution, that WE ALL KNOW they can do.
5) Building on 4. Software Development. For Mom & Pop and Niche users, OS X (Native) is great. But for other enterprises (Medical/Finance/RealEstate) there are no OS-X solutions. Believe me, I've looked. I wish Apple would get a better hand in those industries, then maybe OSX could be an end-to-end alternative. OSX does not count as an alternative if you still need to run windows or IE people!!!!
6) Market Share. What will we do when Windows goes away? (It will people & thanks to Vista, it can come quicker than you think)Do think hackers and virus makers will just find something else to do? Of course not, they will turn to whatever else the main stream is working on. There were viruses and hacks before Windows came out my friends, and those systems were Unix based.
7) You stupid FanBoys (M$ & crApple) are a constant amazement to me. Nothing is said short of the fact that you each hate each other's side. Half of you have no idea what your talking about and basically are regurgitating media press. Gates does not care about you and neither does Jobs, so stop freakin defending them!!!
8) Not everyone is tech savvy. A majority of these people that use computers now did not grow up with them like we have. These are the same people that can't use their DVR/VCR/TV correctly, and you want them to be smart about computing??
I run my MacBook Pro (2.33/2GB) with Parallels, and it runs great. Probably one of the better computer solutions I have had. The regular MacBooks suck (as I traded up for the Pro after 2 weeks). I love my MBPro and think there is a way for Windows and OS-X to finally coexist in harmony on one hardware platform. The credit for this has to go to Apple. Sorry M$, but you guys have missed the boat....ran of the dock....and drowned.
Nicely put. The only quibble I might have is the part that half of them don?t know what they are talking about. I would say most of them don?t. Or perhaps I get that impression because the ones who obviously don?t know what they are talking about tend to post the most. The more fanatical they are, the more ignorant they seem to be. But then that is the definition of fanaticism, isn't it? Any knowledgeable person wouldn?t be a fanatic. His knowledge alone would prevent it.
is a bad thing because...? First, Apple is a complete computing
solution, not just a software company or hardware company.
This means that if it ran on other equipment it would cannibalize
their own sales. Second, by this very limitation it has kept OS X
a rock-solid, secure operating system. The security bulit into
OS X is often enough for most users to remain secure. The
effective Windows security is almost completely third party.
Oddly, if you buy a Dell (or IBM, Toshiba,Gateway, et al)
computer, keep it all Dell from top to bottom, and never
upgrade or replace anything - it's still prone to crashing
applications, attacks, and the BSD. So it's not (necessarily) the
hardware - it's the OS.
And does a WIndows machine run everything? No. There's tons
of applications that run on servers that require clients and
emulators. And you can't run - ever - any of the iLife or Final
Cut or a number of other professional apps like Aperture or
Shake on Windows. While you can now get a lot of the great
programs that were originally Apple-only, virtually every test
tells us they still run faster and better on Macs.
Here's a real illustration of the quality of Apple versus the quality
of Microsoft: FileMaker vs. Access. Granted, Apple spun off
Claris/FileMaker, but it's still built from and by the same Apple
code and programmers. The price is about the same (250 vs
200), but FileMaker runs circles around Access.
And when you stop to consider, you CAN run almost everything
on a Mac (with Parallels). You CAN'T on Windows. Period.
but not sure what it fixed exactly.
you can go here and figure out if it fixed the safari problem (im no
tech-savvy, so you tell me) :
http://www.apple.com/support/downloads/
securityupdate2007004ppc.html
in the test.
It will be closed soon enough.
Blank affirmations such as "Vista sucks" don't actually help getting to the bottom of the discussion.
Contrary to Apple's brainwashing campaigns, you'll find out that Mac has been showing quite a few more vulnerabilities than Vista so far.
There are good discussions in security forums about the degree of such vulnerabilities. That's a quite more subjective point. Some people say that although Vista security holes are less common than OSX, they are more dangerous.
I sincerily can't discuss this because I'm not a security expert. But, for me, any vulnerability that causes your computer to be owned is as bad as it gets... And all you need is one unpatched vulnerability to be screwed... So even a smaller number is not that much of a guarantee for me.
In other words, even if Vista is quantitatively more secure than OSX, or if OSX has less critical flaws, the fact that both have any vulnerability that could cause the system to be compromised is what needs to be addressed.
So drop the "MS this" or "Apple that" and let's push both companies (that make a lot of money out of us) to be better. That's what will help US in the long run.
2 unpatched.
Worst of them is rated as "Not Critical" by 3rd parties. (local only, no privlidge elevation, can't execute code)
http://secunia.com/product/13223/?task=advisories
So basically as of today:
Unpatched Vista = Safe.
Patched OSX = Hacked.
I post this merely to illustrate that no OS is completely secure; not to imply that one is. Apple Zealots should wise up to this. Don't learn it the hard way like MS and others have had to.
to go and find out about the "relaxed rules".
The rules, aren't rules at all. It's a joke. This is what I have
found out. The computers were set up practically "out of the
box". The security updates that have been recently released,
were not used. The following is a quote ... "CanSecWest
organizers will set up the MacBooks with their own access point
and all security updates installed, but without additional security
software or settings. Attendees will be able to connect to the
machines via the access point through Ethernet or Wi-Fi,
according to the CanSecWest Web site."
This is how everyone, who gets a Mac, will have their computer
"configured". This means, the computers were set up the same
way anybody elses MacBook would be set up. After only one
day, they decided to relax the "rules". Once again, the statement
is deliberately misleading, because it has nothing to do with
rules. This is what they did next. I need to make space for this:
"As originally planned, the rules for the hack a mac contest were
relaxed on Friday after nobody had won the contest on the
previous days. In the relaxed set of rules, a URL was provided
that exposed Safari to a "specially-constructed Web page" which
allowed the hacker to gain shell access to the MacBook.
The URL opened a blank page but exposed a vulnerability in
input handling in Safari, Comeau said. An attacker could use the
vulnerability in a number of ways, but Di Zovie used it to open a
back door that gave him access to anything on the computer,
Comeau said.
According to Matasano, Apple's most recent Security update
does not address this specific issue with Safari."
Am I to understand, that the person hacking the computer, is
the person using the said SAME computer?! Whatever, seems to
me the a lot more than a helping hand was needed to create this
"hack". Technically it is a hack. But if local access is required, I
think I'll take the blue pill.
exploit, otherwise, why would they need to supply a custom url?
Can someone say RIGGED! And people why I get so disgusted with
them.
http://www.matasano.com/log/806/hot-off-the-matasano-
sms-queue-cansec-macbook-challenge-won/
He writes, "I will say that applying slightly paranoid web browser
configuration changes will prevent this vulnerability from being
exploited. And no, I have not been sitting on this exploit, I
really did find the vulnerability and write the exploit that night. I
got lucky."
Of course, any javascript vulnerability that can lead to control of
the local user account has to be taken seriously. It's just that
they hyperventilating from anti-Mac people is just too much.
For all we know, this vulnerability has cross-platform
implications.
The people organizing this contest set out with the mission to
demonstrate that Macs were vulnerable to a remote attack.
When that challenge appeared to be going down in flames, they
changed the rules of the contest. The last thing they wanted to
do was actually reinforce the idea that Macs are pretty secure.
Let's be realistic. The same challenge with a Windows machine
as a target would not be newsworthy, and the machine would
not last 10 minutes. That said, of course there are
vulnerabilities in the Mac OS, as there are with any operating
system. This exploit demonstrates that fact, but it does not
"puncture" the notion that Macs are relatively more secure.
Without the rules change, the contest would probably have
passed with no successful hacks. One of the two Macs was not
hacked at all.
dog dung at each other I'd like to see the following occur. Let one
of these "security researchers" sit down and write an operating
system or an application from scratch with the requirement that it
be 100% secure before it is released to the public. Does anyone
think said os or app would EVER get released? As the old saying
goes, "At some point you have to shoot the engineers and start
production." As long as the os and app makers fix things brought
to their attention that's good enough for me.
updates for the OS are a bit different. seems to me that macs have
gained (hacker) attention after the intel switch. nobody would
bother to hack or disapprove that a mac was insecure when they
were PPCs.
be only an Apple problem.
variant of Safari. If you can run OS-X on the PPC-Mac, it might have
the same effect. The chipset is not relevant here.
- "If it is an actual zero-day in Safari that's fine with us"
-
by Gunady
April 22, 2007 6:47 PM PDT
- "If it is an actual zero-day in Safari that's fine with us"
-
Reply to this comment
-
-
- They're talking about TippingPoint's bounty
-
by mbenedict
April 23, 2007 5:33 AM PDT
- TippingPoint is offering money for anyone who discovers new zero-day exploits.
-
-
See all 194 Comments >>What does that statement mean? Security is not important?, because they're just feeling confident.
The statement was explaining, if the problem turns out to be a new zero-day exploit, then TippingPoint is ok with paying money for the find.