Researchers who hack the Mac OS
Dino Dai Zovi
(Credit: Tehmina Beg)
It was summer 2005. Dino Dai Zovi walked into a Manhattan Starbucks, ordered a coffee, sat down, and opened up his laptop.
Before his coffee was cold he had found a local privilege escalation vulnerability in Mac OS X Tiger, which could allow people to elevate from normal user to full super user, and had written code that could exploit the hole.
"I just think that I got lucky, but that's what I always think when I find a bug that quickly," he said in an interview on Wednesday.
Dai Zovi has been exploiting Macs for a long time, publishing his first Mac OS X shellcode (code used as the payload in an exploitation of a vulnerability) for the PowerPC in July 2001. He said he has reported more than 10 vulnerabilities to Apple over the years and does so out of love for the platform.
"I'm an avid Mac user," he said. "So I have a vested interest in them being more secure."
The 29-year-old got an early start in computers, using bulletin boards in second grade and accessing the Internet through a computer running VAX at 13. He taught himself to program and got a computer science degree from the University of New Mexico. While still in college, Dai Zovi worked for the Information Design Assurance Red Team at Sandia National Laboratories, which performs security assessments for the government, military, and commercial industry.
Since then he has worked for the consultancies @Stake and Matasano Security and for Bloomberg, been director of security at a hedge fund in New York, and now works as chief scientist at Endgame Systems, an information security start-up.
Dai Zovi's Mac hacking hobby has won him some measure of fame. He won the first ever PWN2OWN hacking contest at the CanSecWest security conference in 2007, exploiting a vulnerability in Apple's QuickTime that affected not only Mac-based computers but also those running Windows, and to which Safari, Internet Explorer, and Firefox were all vulnerable. (In the contest, participants show up with exploits ready to go. The exploits do not require local access to the systems; they only require that the user visit a web page to simulate a drive-by web exploit, as is common on the Internet today.)
He co-authored a book, The Mac Hacker's Handbook, this year with security expert Charlie Miller. It argues that, contrary to popular belief, the Mac platform is not more secure than Windows; it's just not targeted by malware writers--yet.
"The sky is not falling," Dai Zovi said. But also, "the Mac is not magically protected from malware."
If security features are added to the new version of Mac OS X, Snow Leopard, which is due out on Friday, that could change Dai Zovi's and Miller's opinion. (The CNET review of the product is here.)
Charlie Miller
(Credit: Charlie Miller)
Miller has won the PWN2OWN contest the past two years. In 2008, he was able to gain control of a Leopard-based MacBook Air using a newly discovered vulnerability in Safari. That took him less than two minutes. This year, it only took him 10 seconds or so to exploit a hole in Safari on a MacBook running Leopard.
Miller is probably best known, though, for being the first to hack the iPhone, discovering a hole in the mobile version of Safari in 2007.
One of the reasons he entered the PWN2OWN contest was to prove that Mac OS security was lacking.
"I had a feeling that Mac was easier (to hack) than Windows," he said. "If I can find the Safari bug or exploit in a few days and it would take me 10 times as long for IE, why would I do that? I go after the easiest guy."
Miller comes from a Linux and Windows background and is relatively new to the Mac platform because he worked in the financial and government sector before becoming a security whiz.
After getting a Ph.D. in mathematics at the University of Notre Dame, Miller worked at the U.S. National Security Agency for five years. Hired as a cryptographer, Miller pushed for computer security training because he was "looking for something else to do."
He then worked at a financial-services firm before moving back to his home town of St. Louis and taking a job as principal analyst at consultancy Independent Security Evaluators, where Macs are standard.
"I hack products I own and use and like," he said. "I want to know how they work and play around with them...I thought the Mac OS and the iPhone were cool."
Updated at 6:58 a.m. PDT with more details about the PWN2OWN contest.
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
"I had a feeling that Mac was easier (to hack) than Windows," he said. "If I can find the Safari bug or exploit in a few days and it would take me 10 times as long for IE, why would I do that? I go after the easiest guy." Now that's FUNNY
After the initial OS fan-war-inspiring headlines these always generate, you read the details and find out it required you to have security settings a certain way, go to a certain website, click a certain link, stars aligned a certain way ........ One of the articles I read about these events described in detail what was required on the user's part to have all the conditions met for a particular security hole, and after the second item out of six listed I decided that anyone who did all of the things required either wanted their computer hacked or was just dumb enough to deserve to be hacked.
BTW my response was non-OS specific as I kind of think a lot of these articles are more PR for security firms that do things in the lab than they are for offering anything of value to the consumer.
"was only accomplished after they changed the parameters of the competition because the initial day nobody was able to hack it." .. Yes, on the first day, no one was able to hack Mac, Windows, or Linux. On the second day, they lowered the level of security on the 3 machines, and guess what? MAC WAS HACKED IN 2 minutes. Windows and Linux were not hacked on the 2nd day. On the 3rd day, they lowered the security even further; Windows was hacked first, then Linux.
So please stop pretending that MAC is more secure than Windows. These two people are security experts who have spent most of their hours in security research for Mac, Windows, Linux and even VAX systems. I would therefore rather disagree with your claims than disagree with the two people who are experts in this field.
Basically it was a contest to see who could get a local exploit going the fastest at that point.
I'm sure they do... or maybe they're just trying to sell that book that keeps getting mentioned up there?
You are a Windows fanboy with his head so far up his ass that he can't even read a simple post without re-writing it to suit your agenda. Which is the case with 90% of the Stupid (notice the capital S) posts made by Apple and Microsoft fanboys in all these articles. I personally am not a fanboy of any OS, as I have stated in previous posts on many articles. Software and hardware are tools, and should be selected as such. You want to play games, you definitely buy a Windows machine; you want to outfit the office at an insurance agency, you probably buy a Windows machine; you want to do professional video editing, you might buy an OSX machine; you want to run a web server, you might buy a Linux machine; you want to outfit an office for a new magazine, you probably buy an OSX machine.
There is no fanboy angle to that.
Nobody had local access to the machines. Local access is always considered "game over" in security terms -- with the exception of drive-encryption technologies such as Bitlocker etc. that are supposed to protect your data even after your machine has been stolen (i.e. even after an attacker has local access).
All successful exploits at Pwn2Own have required "drive by" attacks as far as I know. i.e. the attacker (Miller or Zovi in this case) could have the machine browse to their (malicious) website -- and nothing more.
The 10-second hack is somewhat sensational. Miller spent days/weeks before the contest preparing it.
You didn't directly attack an OS; rather, you criticized the whole article (since it clearly shows how vulnerable MAC is) and security firms, which are more reliable and have the full right to draw conclusions on which OS is more vulnerable and which is not.. Now who's the dumb-ass... Let's just be honest, shall we? Even just to ourselves...
I crafted my comment to say exactly what the post says in plain English: that it's my personal opinion that articles are more about promoting the security experts/researchers and less about real-world users.
'Basically it was a contest to see who could get a local exploit going the fastest at that point.'
>>>>There is no such thing as a "local exploit." How many times have you been corrected on this now? It's as if you're covering your ears and screaming, "LA, LA, LA, LA, LA, LA, LA..." every time someone mentions Pwn2Own, as you simply can't bear to hear that your god is not invincible.
'The exploits do not require local access to the systems; they only require that the user visit a web page to simulate a drive-by web exploit, as is common on the Internet today.'
>>>>Read it and weep.
Random_Walk (a.k.a. Penguinisto) has known this for months, having debated back and forth with me until I explained to him how these attacks work. Yet he continues to rampage the forums in security articles, talking about Charlie Miller "plugging his geek stick" into the target machine and attacking locally with sudo. Yet, as I pointed out in my above post, even this article here clearly explains that 'The exploits do not require local access to the systems; they only require that the user visit a web page to simulate a drive-by web exploit, as is common on the Internet today.'
What Penguinisto is exhibiting here is denial to the point of desperation. Take an example from it, and avoid religious attachment to software programs. As zealous as Mac users are, they'll have their own rendition of al-Qa'ida before you know it!
I won't say you're mistaken, but could you link me to an article that says Nils exploited Firefox on OS X, and not Windows? I can't seem to find one. Thanks.
That's a bit like saying he accessed the Internet through a computer running Inspiron or Pavilion. VAX was a hardware series developed by Digital Equipment in the 70's and 80's. Vaxes ran VMS or Unix. Nothing "ran VAX".
Compare that to Windows: 1,000,000 vulnerabilities found by 10,000,000 million people who have kept researching Windows vulnerabilities since Windows 1.0.
Now do some simple mathematics so you can bury your head the next time you comment. This article is strongly supported by two experts who are well known in their field, so why can't you MAC people just listen!!!!
Charlie Miller has been at this for years... and his CanSecWest exploit was one that he sat on for over a year before the contest... so what on Earth are you babbling about?
Yeah, 10 vulnerabilities found in just a few days by only 2 people who only recently cared to research MAC vulnerabilities.
If you honestly believe that there are only two people researching mac vulnerabilities, then you are as ignorant as the people who think that Mac OS X is invulnerable.
@The_happy_switcher:
Exactly. Only 999,990 more for you to patch, before you catch up with MS. The past isn't what will infect your machine, steal your identity and loved ones' e-mail addresses for spamming, and clean out your bank account; the future is. That said, there are more vulnerabilities coming out for OS X than there are for Windows, and you've read here (assuming you DID read the article) that security researchers find Mac bugs 10 times faster than they do for Windows. Admirable is your devotion to your religion, but foolish as well.
Are you running Leopard now? Then I believe it would only cost you 30 bucks to upgrade to Snow Leopard, which I understand will add speed as well as security. What do you have to lose? If you can afford to spend over $1,000 on a computer, surely you can afford that!
He intentionally targeted the Mac because he wanted the prize money, and the Mac (the person "hacking" gets the system they successfully compromise).
The details about the contest are easy to find.
In at least one interview he said he could have used it on any of the systems (although I'm not sure if that was from 2008 or 2009), but wanted the Mac.
>>>>Where do you get this information? Did you not read the article? 'The exploits do not require local access to the systems; they only require that the user visit a web page to simulate a drive-by web exploit, as is common on the Internet today.'
On day 1, contestants are limited to vulnerabilities in the operating system itself. On day 2, you attack a Web browser, e-mail client, or other factory-installed, Internet-facing application. On day 3, you can attack popular third-party applications, such as Java and Adobe Flash, or an alternative browser. ALL of these are remote attacks. The only user interaction involved is when the assistant visits the URL hosting the contestant's code. And this is necessary; if the contestant doesn't give the URL to his assistant, and expects him to find it via random Google queries out of the billions upon billions of Web pages out there, then the contest would never end.
This contest is not about Trojan horses, Brian. There is no trick to installing a Trojan with local access and password. Do you think Trojans and viruses are jumbled lines of code, intended to confuse the computer and make it go haywire? No, malware are PROGRAMS just like any legitimate PROGRAM, and do exactly what they are designed to do. And as long as you can install SOFTWARE on your computer, you can install MALICIOUS software on your computer. '"The sky is not falling," Dai Zovi said. But also, "the Mac is not magically protected from malware."'
'He intentionally targeted the Mac because he wanted the prize money, and the Mac (the person "hacking" gets the system they successfully compromise).'
>>>>Sources, please. In every interview I have seen, Miller says he attacks the Mac because it's the easiest target. '"I had a feeling that Mac was easier (to hack) than Windows," he said. "If I can find the Safari bug or exploit in a few days and it would take me 10 times as long for IE, why would I do that? I go after the easiest guy."'
I'm sorry, but I don't think you got a single point right. Understandable; when someone is subjectively defending what amounts to their deity, close-mindedness tends to block out common sense and realism. But science trumps religion here. Again, sorry.
As for real world... I really don't care what the 'experts' say, or which is technically more secure, etc. What I care about is which is the safest for me to use day to day. That is clearly OSX.
Depends on whether we're talking OS X vs. XP or OS X vs. Vista (Windows 7 in October). We don't have drive-by downloads in the wild for Vista. There are vulnerabilities, but DEP and ASLR make them hard to reliably exploit. And Windows 7 will make it even harder, with the introduction of Safe Unlinking and XP Mode (hinders rootkits from installing their own emulators), among other things.
All Vista users actually deal with are Trojans (unless one opens attachments in e-mails from strangers), including those in "codecs" that target your platform as well. So OS X really isn't any "safer" than Vista, either. As far as Windows 7 goes, I've seen two theories on what will happen as W7 erodes XP's massive market share domination:
1) Bot herders will turn their attention to the most vulnerable platform remaining... Mac OS.
2) The threat landscape will revert back to social engineering tactics. And since we already have Linux and OS X as well as Windows, you can bet bot herders will enlist them quickly, in an effort to make up for huge losses in remotely exploitable machines.
Any way you slice it, you're next. If I were a Mac user, I would not be able to just sleep on it. I suggest you gird your loins and upgrade to Snow Leopard, which introduces Apple's first functional implementation of ASLR (no DEP or other mitigations yet, but it's a start). You cannot depend on status quo; it DOES change. It already changed once, when Windows became the target. Don't forget that the very first antivirus was launched for the Mac in 1987.
Aren't your upgrades cheaper than ours (not for hardware, but for the OS itself)? Take advantage of it! You can bet that both my sisters will. Members of my family don't say, "It'll never happen to me" on the freeway; we drive defensively, keeping a sharp eye out for the idiots on the road. And I recommend no less vigilance on the information superhighway. BTW, I understand Snow Leopard is also supposed to be faster than Leopard, as well as more secure. What do you have to lose, 30 bucks? Be smart!
As for Vista and Windows 7... I just don't know. You may well be correct, but frankly, not that many people I know are running Vista. I think I've mentioned it before in other threads we've interacted in, but nearly every non-IT or non-corporate Windows user I know has at one point (or several times) been attacked. I know of no such attack on any OSX user, despite the fact that most of them probably don't have any anti-virus, etc. installed. I'm NOT saying either shouldn't be careful... just stating the reality of things so far. You might be correct that things are going to change... and if Vista and Win7 really are that much more secure in actual use (not just on paper), then I'd give it a high likelihood that you are absolutely correct in your prediction. If and when it starts to happen, you can bet Mac users will start installing the protection apps in droves. Currently, I don't think I'd recommend more than a passive scanner that one can run from time to time. The active scanners, while maybe offering protection, do a lot of damage as well (from my experience on the Windows and pre-OSX platforms, as well as a bit of experience on OSX with them). It is kind of a risk/reward trade-off at this point.
>>>>As I've mentioned in the past, I am a service technician. I didn't say I've never seen Vista infected; I said I've never seen Vista infected in a remote exploit. In every instance, the infection was not an exploit, but a Trojan horse. And in a vast majority of cases, one would find LimeWire, FrostWire, or Ares on the machine; along with what was probably the original culprit file in the P2P downloads folder. To this day, I've yet to see Conficker on a Vista machine, including machines with Windows Defender turned off and no third-party security software at all.
'The active scanners, while maybe offering protection, do a lot of damage as well (from my experience on the Windows and pre-OSX platforms, as well as a bit of experience on OSX with them). It is kind of a risk/reward trade-off at this point.'
>>>>I agree with that. The scanner in Snow Leopard is not a full system monitor, but just a simple scanner for disk images and other packages downloaded through Safari and a few other common programs. At this time, I believe it only checks for two Mac Trojans that are presently circulating in the wild.
Hopefully, there won't ever be a need for real-time monitors in OS X. Like I said, I don't see any real threat to other platforms until unpatched, unprotected XP machines become too few, and who knows? That could take years. Both of my sisters use Macs; believe me when I say I'm not hoping to see Macs get bombarded, and either of them run into problems, just so I can say, "I told you so" to the fanboys. Hopefully, by the time Windows 7 overtakes XP, Apple will have raised the bar. And there are people far more important than me who are pushing for just that.
'Windows Vista is technically vulnerable in this way, but the exploit is almost impossible to execute on it. Conficker is basically an XP problem.'
As very few businesses have been willing to switch to Vista, even after three years, I presume that your arena consists mainly or exclusively of XP machines. As long as Mac users continue to compare their latest operating system with an eight-year-old, competing operating system; and one that was released BEFORE there was any such thing as a drive-by download, your grasp of the big picture will continue to be incomplete.
I can't fix the XP problem; all I can do is hope more people will visit Invincible Windows and share the info with others, and that more security vendors will add browser protection and Artemis-like tools to detect new samples faster. Three of the vendors with the largest install bases are Symantec, McAfee, and Grisoft; all of their products include browser protection. And I think a majority of American ISPs have opted for McAfee (over Norton and CA), whose Artemis engine can detect new threats in seconds, not hours or days. For those who don't want antivirus, we have sandbox products like GeSWall and SandboxIE.
The XP scenario is less than perfect for non-technical users, but ever improving. Remember that a botnet as large as the Conficker botnet is still small compared to the nearly 1 billion PCs worldwide, and even the 750 million of them that run XP. That having been said, anyone who buys a new laptop or desktop PC (netbooks still use XP, though they will probably be running with the adequately light W7 in the near future) is just as safe as a Mac user, with or without antivirus. And since most American Windows users use antivirus these days, I'd be inclined to say they're actually safer than you are.
by jwoolmanq, September 2, 2009 8:34 AM PDT
The market share is misleading because computers are used for different purposes. So certain groups use macs much more than 5% for the kinds of things I myself am interested in.

by SteveW928, September 8, 2009 11:28 PM PDT
You're right on market share. There are a couple issues with it.
Haven't kept up with the numbers, but back last century half of US engineers and scientists used macs, along with at least 1/4 of translators judging from a poll at a translator watering hole (I'm a scientist and a scientific translator), and some huge number of graphic artists (85% or more). One physicist gave the example of his lab: 20 computers crunching numbers attached to equipment were Windows-based, but the one computer in his office (which he used for word processing and e-mail and net surfing and everything else) was a mac. I remember when the American Physical Society started its online physics research journal program back when proprietary software was needed (back in the days when 2400 baud was fast). It made a huge mistake when it developed the Windows/DOS software for access first and delayed developing the mac version - it really delayed the whole online journal program big time, because not only was at least half their target audience using macs for such things, but it was the more internet-friendly half because at the time, Windows apps for the net were a pain to install and use compared to the mac versions. The problem vanished when they switched to web-based access.
Again, I don't know if this is still true - but many schools and small business owners back last century found that macs were much more suitable for them simply because upkeep and peripheral/software installation was simpler and they didn't have the resources for extensive tech support (a moot point in big companies that can afford a full-time tech support staff and also can switch people to other working computers when a computer is down). People who actually serviced mixed networks (mac and windows pc) said most of their time was spent on the Windows machines rather than the macs even when equal numbers were present. Tech support lines for cdroms said the same thing - mac versions of their software were more profitable because they got so few tech support calls from mac'ers. Most mac problems were just solved by restarting the machine or other simple maneuvers that non-techies could handle without being a member of the priesthood. In my translation work (full-time freelancer since 1979), I've certainly seen this to be true - I've seen Windows-based colleagues struggle with things I can do easily on my macs, and also the non-mac'ers seem to rely on tech support while I don't. Also messages on discussion lists about Windows problems still seem much more involved than I encounter on my macs.
Many people use Windows machines at work, but then go home to a mac. Macs have been able to handle files from Windows pc's pretty well in major applications for many years, and also DOS/Windows emulators for macs have been around for a very long time (I've used many of them for games primarily, since I really don't seem to have trouble dealing with clients on non-macs in my work).
I'm not a big OS X fan myself mainly because troubleshooting is more arcane than in the previous OS's and also it broke too many things I need but can't be updated. But I must admit that I haven't had big problems with my OS X machine that I keep updated for web surfing purposes (while working in comfy OS 9 on another machine). So maybe things haven't changed so much and I'm just cranky because my favorite ancient Cyrillic font won't work in OS X...
Anyway - even though the percentage of business computers that can be taken down with a Windows-based attack might also be attractive, another aspect of malware targeting Windows machines might just be that so far, the disgruntled hackers might be just more ticked at Microsoft's megalomania and indifference to long-term problems with their software. Apple's sins seem rather minor in comparison (although I might think differently if an ipod exploded on me!). Of course, the hackers' reasoning is flawed in this case, since it's not Microsoft that's hurting from their attacks but rather all the regular folk stuck using their software.... But the anger factor shouldn't be ignored.
1) they are usually based on quarterly sales, not actual computers in-use out there in the market. Mac users tend to keep their computers longer before upgrading, so of course many more PCs will sell and be retired, etc.
2) as you mentioned, computers for 'dumb' use are often included. Machines hooked to lab equipment, point of sales terminals, etc. It doesn't give an accurate estimate for computers with a real user behind them who might purchase software. It really gets misleading when thinking about less standard apps than things a typical office user might purchase (or their company purchase) as many PCs just sit at employee desks where they don't even make a decision on what to buy. In that case, the percentage of Mac users who might buy an app vs Windows users could be MUCH different than 5% vs 95%.
I think the most accurate numbers we'll probably get anywhere are those that look at which OSs visit general interest type web sites. Most of these that I have seen put Mac market share at roughly 10% and climbing.
I also agree with you on the 'ease of use' history... but also the 'get more done' history of using a Mac over a Windows machine. I've had a number of clients over my years of consulting working in fairly similar businesses (both scale, industry, etc.) using either primarily Macs or PCs. For the most part, the Mac-using companies were WAY ahead of the PC-using companies in the type of things they were doing with their computers. I don't think the divide is quite as pronounced today as it was 10-15 years ago, but I still find Macs require less maintenance by some amount, and user productivity to be higher.
As for hackers.... I think you need to realize there are three types:
1) hackers who do it for the challenge... I'd think it might be hard to say what these people will target. They are in it for the fun of it. I suppose M$ would make an interesting target for them if they don't like them and want to cause trouble.
2) hackers with an axe to grind.... yea, I'm sure M$ ranks right up there as a target for these people.
3) hackers in it for the money.... this category (probably now, by far, the biggest) just wants to set-up as big of bot-net as possible to sell services to whoever will pay. They will go after whoever will help them establish that. M$ has been a good target, because there were lots of machines and lots of holes. If enough people upgrade to M$'s more secure OSs, the task will become harder and they are likely to start considering other platforms with fewer numbers. OSX, phone OSs, video-game consoles, etc. could all become future targets for these people. I doubt they have any particular loyalty or axe to grind with any OS. It is simply business to them, albeit dark, underground business.