Comments on: MacBook hacked in contest at security event

Zero-day vulnerability in Safari Web browser used to commandeer a MacBook in hack-a-Mac contest at CanSecWest conference.

[Macsaresafer]

Safari got hacked.

Still no root level hack. But Cnet will be cnet, so we get this title.

[Siegfried Schtauffen]

True

But IE hacks are always linked with Windows so it is fair. It comes with Mac OS, just like IE is, so it is part of Mac OS. Furthermore, the recent DNS problem with Server03 and Server2K are labeled as Windows problems when they are actually just DNS problems.

What can't be denied is this is a new hack, and the guy spent under a day on it. Surely this proves that with sufficient motivation Apple software is vulnerable?

[gmcaloon--2008]

Indeed the Mac got hacked.

Your assumption that root level was not breached is unwarranted. The article says nothing about that. The breach could have been at root level or not. It makes no difference. The hacker got into the Mac threw a vulnerability in Mac?s Safari when accessing a malicious site set up for the purpose. That is exactly the kind of scenario that gets Windows hacked when using its browser, IE.

That is exactly what would have happened to you if you had gone to that site using Safari because Safari has a vulnerability no one knew about except the man who collected the award. He knew about it and put the exploit on the malicious site to take advantage of the security hole in Safari.

The article is somewhat obtuse in that it doesn?t say what damage the hacker could have done to the Mac with this exploit, but whatever he might have been able to do with it would not have been a pleasant experience for the user. In the ordinary course of events, Apple would now get busy writing up a patch for it. That could take some days. We will have to see how long it takes. In the meantime an AV vendor would only have to examine the exploit itself, a simple process and quickly done. The AV vendor?s definition for the hack could be released in hours.

All this proves that writing an exploit for the Mac is easy if anyone wants to bother doing it. But of course we all knew that ? except you Mac fanatics with your nonsensical claims about Mac invulnerability because it is based on Unix or the other nonsensical claim that somehow operating at a non-root level protects against attacks. If the hacker was sufficiently good at it, he could easily have written a hack that would have raised the level of privileges and gone to root level. That is what happens to Windows and can happen to a Mac as well. You have been proven to be wrong in every argument you have made about the alleged invulnerability of Macs.

[Orion Blastar]

Safari is bundled with OSX

and web browser vulnerabilities are used a lot in Windows hacking attempts as well. Usually an IE or Firefox bug is used to execute code to install a virus or break into the system.

I recall this happened before and someone used an Applescript flaw to infect a Mac system with a virus, and it was called a non-virus because Applescript was used. I guess all of those Word VBA macro viruses are non-viruses as well on Windows, eh?

Funny how Apple and the Mac fans like to cover up the Mac's security flaws in that way.

Nope it was a Safari bug, not a Mac OSX one. But isn't Safari included as part of the OSX package like Internet Explorer is part of the Windows package? Why do you call an IE flaw a security hole in Windows but a Safari security flaw in OSX is not a hole in Mac OSX?

Actually a stripped down Linux box with the minimal features and the most recent security fixes is more secure than a default OSX (or even default Linux) box, plus it runs faster too without all of that bloat holding it down. Just one thing, it is not as easy to use as OSX (or a fully loaded Linux box) most likely because GNOME/KDE and possibly the X-Window system might not be installed. When you add in a lot of GUI features to make the OS easier to use, it opens up a lot of possible attack points for a hacker.

[Fil0403]

Macs got hacked (again).

Still Macs can be hacked (regardless of how). Apple fanboys will be Apple fanboys, so we get these excuses too.

[sanenazok]

Shine some light on anything

and you'll find flaws. I feel bad for the guy who wasted perfectly good 9 hours to hack into this platform.

[calpundit]

Wasted nine hours?

You must be pretty well off to think that $10,000 for nine hours
work is "wasted" time.

[Dachi]

Why?

The guy probably works in the security industry and legal competitions like this are a good way to separate the men from the boys.

Also, he spent 9 hours on it, and got a ~$2500 laptop.

I am not sure about you, but $280/hour is certainly more money than I make.

[pithenumber]

10k in cash + $2500 laptop
9 hours well spent

[Llib Setag]

Security Software Updates?

Did this MacBook have the latest Mac OSX Security Software updates that CNET reported very recently about on this site?

Which version of MAC OSX was on the MacBook? OSX 10.4.9 with latest security updates?

Mac & PCS both are not hack proof & Apple has never said it was, but Apple & MacOSX has a loooooooooooooooong way to go before ever catching up to Windows security problems ( even VISTA OS ).

[bobmarksdale]

Yes, Yes, and I agree

Yes it did have the updates, it was running 10.4.9, and it is a very long way from having as many security problems as Microsucks.

[dscottbuch]

What got Hacked

Once again typical CNet reporting. What exactly got hacked.

"The successful attack on the second and final day of the contest
required participants to surf to a malicious Web site using
Safari--a type of attack familiar to Windows users. CanSecWest
organizers relaxed the rules Friday after nobody at the event had
breached either of the Macs on the previous day."

So its considered to be hacked to simply surf to a web site?
Also, how were the rules relaxed???? It seem they COULDN'T
hack it as originally set up???

Why can't CNET at least provide a link to the real story.

[Macsaresafer]

The hack.

They relaxed the rules because nobody could hack the Mac
yesterday.

From the site:
http://cansecwest.com/post/
2007-04-20-14:54:00.First_Mac_Hacked_Cancel_Or_Allow

"Just to review the rules, the first box required a flaw that allows
the attacker to get a shell with user level privilages. The second
box, still up for grabs, requires the same, plus the attacker
needs to get root."

So to say the Mac is owned is an overstatement. It is however, a
good reason why you shouldn't log in as an administrator for
your normal use. If you are doing that, here's how to correct
your setup. First, create a new account (System Prefs, Accounts)
and give it administrator rights. Next, log out of your old
account and log into your new admin account. From there,
change your old account to a standard user by removing
administrator rights from it. Now you can log into your old
account as you normally do, but it won't be an administrator.
You will need to provide the admin user name and password
when installing/removing software.

Still no need for AV software!

[tanis143]

Oh puh-lease!

Come on! The mac was hacked, regardless on how the hack was done. Most windows hacks now days are done through malicious web code. You mac fans will not be happy until some hacker finally gets annoyed by your repeated statements that mac's are more safe and he writes a virus to wipe out your hard drives.

[System Tyrant]

I wonder...

what people will say if the Mac is every hacked and root access is gained?

That's a rhetorical question because if the Mac is successfully hacked someday like that Mac fanboys will find some way that it wasn't really a hack. On the other hand Windows and maybe Linux fanboys will be pointed and saying we told you so.

The reality is that all software has flaws and some flaws in some software will allow the hacker to gain full control over a entire system. I think it's a much safer and less arrogant statement to say that the Mac could possibly be hacked, but due to flaws being fixed quickly and the fact that it has a good platform under it it's less likely to be hack in any meaning full manner.

But that's probably asking to much. :-P

[Macsaresafer]

Contests like this are interesting, but

they can only demonstrate what is an already accepted theory:
no system is 100% secure. This applies to more than just
computers. In theory, you could rob Fort Knox of its gold.

In reality, Fort Knox is safe enough and the Mac is nearly safe
enough. Plenty safe, as this test demonstrated, unless the
hacker has direct access to the machine and can take it through
the right steps on a malicious site. It may be possible to design
a site to trick a user into taking those steps, but that remains to
be seen. That's the final hurdle that would make this a real
exploit. Well, that and the not so small feat of gaining root
access.

[keaggy220]

Not correct

Go back and read the article...

The article states the hack occured on the second day and only
after the rules were relaxed. Personally, I can't believe how tight
OSX is...

i imagine a lot of Mac haters that participated are having a bad
weekend - haha...

[keaggy220]

Dude don't let your Mac hate

screw up your logic... It was hacked at user level and only after the
people running the contest realized they were about to be totally
embarrassed because nobody was even able to do that - so bent
the rules... This, to me, is priceless... haha

[rwahrens]

get it right

The contest rules were NOT relaxed, they were set up that way to begin with. Three levels, three different types of attacks. 24 hours of exposure for each.

As a long time Mac user, tho, I am encouraged that admin level was not obtained.

[jypeterson]

Good News!

This is good news on several levels.

1) The Mac was exploited which means that it is one more flaw that will be corrected by Apple.

2) The first day went by without a successful attack. Macs will be able to continue to fend off attacks.

3) The root level test is still not won. This is very good because the hierarchy within OSX is robust.

4) No successful wild viruses or Trojans for OSX (so far). It continues to be the case for the ~22 million OSX users (and five years of OSX) that there is not a virus in the wild that exploits OSX. Impressive.

There are flaws in all software, but the fact remains that OSX (and Linux) is far more secure than any Windows operating system.

[Seaspray0]

and bad news

The fact that it only took 9 hours to write a successful hack is not good news. Any successful hacks are not good news. As you said, it "was exploited." And you call this good? If I use your logic, I can call XP absolutely thrilling!

[Matthew R.]

Hacked only after rules were relaxed...

You notice something, the caveat to the entire hack issue is that it
was hacked after, and only after the rules were changed. If the
rules stayed the same, there could of been a very good chance the
MacBook Pro may never of been hacked. I'd like to know what rules
they changed, and how it affected the end results.

[Richard G.]

From another news source...

I read this story from another news source. The way Macworld reported says that the initial rules required participants to have to break into the macs via wireless networking (only). No one was successful. So the event organizers changed the rules to allow *any* method which allows an outsider shell-level access to a remote mac. Also, they were now offering a $10,000 reward. (There was no cash reward when the event started.)

Suddenly there was incentive to the contest.

I just want to say this flys in the face of all the mac users who beleive that hacking a mac is some kind of glorious event that will make the hacker famous. It won't. It wasn't until after the event offered the $10,000 did this hacker enter the contest and used a web-based exploit. The guy did it for the $10K. That was all.

http://www.macworld.com/news/2007/04/20/machack/index.php

[GatesOfHell]

OS X Root Level Hack Acheieved

Of course the contest organizers had to relax the conditions of the
challenge slightly by writing the root password on a Post-It note
and taping it to the contestant's monitors.

[drdocument]

How about a truly meaningful "real world" hack?

Rather than creating an artificial set of conditions, how about a
practical test?

I consider myself an "average" Mac user, OS 10.4.9 with all updates,
OS X firewall on (default), one user with admin privileges, always-
on DSL connection with firewall enabled in DSL router (default).

Can you reach my Mac? If so, can you do any meaningful harm?

[Astinsan]

re

I think that this is a real world hack. This is the common way a windows machine gets screwed up. Lets also remember that Linux machines also use the khtml engine with some of the web browsers like konqueror.


Jay

[gmcaloon--2008]

There are lots of "real world" hacks.

?Can you reach my Mac? If so, can you do any meaningful harm??

No, your computer cannot be reached. That is not what is at question here. In this kind of hack, you have to be enticed or steered to the malicious site that harbors the hack. To trick you into going there is what phishing is all about. Once there, in many cases simple access will automatically download an infection to your computer. A firewall is useless in this kind of situation.

An AV might block the install on your computer if the AV vendor is already aware of it and has issued an update to its definitions. Or possibly Apple is already aware of the nature of the hack and has issued a patch that blocks whatever vulnerability in the Mac that the hack uses.

The whole point of this kind of attack is that to be successful the user must access the site. Unfortunately, even some of the stuff loaded by users on the popular so-called social sites may contain a virus and simply clicking on perhaps a video can infect you. Fortunately so much stuff is uploaded to such sites, your chances of clicking on the one that contains a virus is not very likely.

[rwahrens]

correction

The firewall in OS X is NOT enabled by default. You must enable it yourself. If you think yours is on, and YOU didn't turn it on yourself, you'd better check!

I'd say the conditions for this were pretty good. They allowed access to the same subnet to keep from slowing down the contest. Any competent hacker can get through your router firewall if he knows your WAN IP. So they just eliminated that part of the process.

Remember, in the first part of the contest, there were NO remote attacks that succeeded. So even if you have NO router and are directly connected to the internet, you may be safer than you think.

[elektroboi]

Who is Shane?

I read this article twice to be sure I didn't miss anything. Who the heck is Shane? You can't just call out someone's name without saying who they are. Was this two people working on the flaw? Is Shane the one at the conference? What about this McCauley person? And what's going on with this Dai whatever guy who wants the credit and the money? Revise your article!

[ZeroJCF]

Time for the Bottom Line...

1) XP Can be as safe as you want it. I have Run XP & 2000 before that, without any virus problems. Why? Because I am not an idiot who does not know how to use my Windows PC. Is Windows any less safe than OSX? Yes and No. Windows does a lot of things that make it easier to hack, but all of that is mostly related to the compatibility it provides.
2) MACs are more stable, crash less, and have very little security concerns to date. It helps that OS-X runs on only ONE SET of hardware configs (By Apple), as opposed to Windows that runs (well, most of the time) on everything. Have Apple open up and run on Gateway, Dell, HP, Lenovo, PC's, with all types of video cards, TV capture cards, sound etc... and then we will see how stable it is. Be real about it.
3) About 90% of my fellow mac users (peeps I know) run Parallels with XP because they could not do EVERYTHING with OSX. I was just at the 5th Ave store in NY and they were doing a demo for everyone. Seriously, look at the revenue for the company. Look at VMware. If there wasn't a need for Windows, then they wouldn't touch it. Where is that in the commercial?
4) Where is Apples R&D Answer? Give me an alternative to Exchange (As an Actual Alternative, Leopard makes great strides, as marketed, but is not there). Give me an alternative to Office (I dont want that crappy Open/StarOffice) I want a innovative Apple solution, that WE ALL KNOW they can do.
5) Building on 4. Software Development. For Mom & Pop and Niche users, OS X (Native) is great. But for other enterprises (Medical/Finance/RealEstate) there are no OS-X solutions. Believe me, I've looked. I wish Apple would get a better hand in those industries, then maybe OSX could be an end-to-end alternative. OSX does not count as an alternative if you still need to run windows or IE people!!!!
6) Market Share. What will we do when Windows goes away? (It will people & thanks to Vista, it can come quicker than you think)Do think hackers and virus makers will just find something else to do? Of course not, they will turn to whatever else the main stream is working on. There were viruses and hacks before Windows came out my friends, and those systems were Unix based.
7) You stupid FanBoys (M$ & crApple) are a constant amazement to me. Nothing is said short of the fact that you each hate each other's side. Half of you have no idea what your talking about and basically are regurgitating media press. Gates does not care about you and neither does Jobs, so stop freakin defending them!!!
8) Not everyone is tech savvy. A majority of these people that use computers now did not grow up with them like we have. These are the same people that can't use their DVR/VCR/TV correctly, and you want them to be smart about computing??

I run my MacBook Pro (2.33/2GB) with Parallels, and it runs great. Probably one of the better computer solutions I have had. The regular MacBooks suck (as I traded up for the Pro after 2 weeks). I love my MBPro and think there is a way for Windows and OS-X to finally coexist in harmony on one hardware platform. The credit for this has to go to Apple. Sorry M$, but you guys have missed the boat....ran of the dock....and drowned.

[gmcaloon--2008]

Bottom lines

?You stupid FanBoys (M$ & crApple) are a constant amazement to me. Nothing is said short of the fact that you each hate each other's side. Half of you have no idea what your talking about and basically are regurgitating media press. Gates does not care about you and neither does Jobs, so stop freakin defending them!!!?

Nicely put. The only quibble I might have is the part that half of them don?t know what they are talking about. I would say most of them don?t. Or perhaps I get that impression because the ones who obviously don?t know what they are talking about tend to post the most. The more fanatical they are, the more ignorant they seem to be. But then that is the definition of fanaticism, isn't it? Any knowledgeable person wouldn?t be a fanatic. His knowledge alone would prevent it.

[qprize]

Uh, your complaining because it's safe?

Apple is faulted for only running OS X on Apple hardware? This
is a bad thing because...? First, Apple is a complete computing
solution, not just a software company or hardware company.
This means that if it ran on other equipment it would cannibalize
their own sales. Second, by this very limitation it has kept OS X
a rock-solid, secure operating system. The security bulit into
OS X is often enough for most users to remain secure. The
effective Windows security is almost completely third party.
Oddly, if you buy a Dell (or IBM, Toshiba,Gateway, et al)
computer, keep it all Dell from top to bottom, and never
upgrade or replace anything - it's still prone to crashing
applications, attacks, and the BSD. So it's not (necessarily) the
hardware - it's the OS.

And does a WIndows machine run everything? No. There's tons
of applications that run on servers that require clients and
emulators. And you can't run - ever - any of the iLife or Final
Cut or a number of other professional apps like Aperture or
Shake on Windows. While you can now get a lot of the great
programs that were originally Apple-only, virtually every test
tells us they still run faster and better on Macs.

Here's a real illustration of the quality of Apple versus the quality
of Microsoft: FileMaker vs. Access. Granted, Apple spun off
Claris/FileMaker, but it's still built from and by the same Apple
code and programmers. The price is about the same (250 vs
200), but FileMaker runs circles around Access.

And when you stop to consider, you CAN run almost everything
on a Mac (with Parallels). You CAN'T on Windows. Period.

[kyler]

Already fixed?

Yesterday there was a security update for all PPCs. I downloaded it,
but not sure what it fixed exactly.
you can go here and figure out if it fixed the safari problem (im no
tech-savvy, so you tell me) :

http://www.apple.com/support/downloads/
securityupdate2007004ppc.html

[Macsaresafer]

Probably not.

The claim was that this patch was applied to the Macs being used
in the test.

It will be closed soon enough.

[Considerate One]

Please list Vista vulnerabilities

Then we can discuss which system is more secure...
Blank affirmations such as "Vista sucks" don't actually help getting to the bottom of the discussion.

Contrary to Apple's brainwashing campaigns, you'll find out that Mac has been showing quite a few more vulnerabilities than Vista so far.
There are good discussions in security forums about the degree of such vulnerabilities. That's a quite more subjective point. Some people say that although Vista security holes are less common than OSX, they are more dangerous.
I sincerily can't discuss this because I'm not a security expert. But, for me, any vulnerability that causes your computer to be owned is as bad as it gets... And all you need is one unpatched vulnerability to be screwed... So even a smaller number is not that much of a guarantee for me.

In other words, even if Vista is quantitatively more secure than OSX, or if OSX has less critical flaws, the fact that both have any vulnerability that could cause the system to be compromised is what needs to be addressed.
So drop the "MS this" or "Apple that" and let's push both companies (that make a lot of money out of us) to be better. That's what will help US in the long run.

[Jesus#2]

vulerablilties

Isn't Vista susceptible to the same malware as XP?

[smilin:)]

Ok, here they are. :P

8 Vulnerabilities.
2 unpatched.
Worst of them is rated as "Not Critical" by 3rd parties. (local only, no privlidge elevation, can't execute code)

http://secunia.com/product/13223/?task=advisories

So basically as of today:
Unpatched Vista = Safe.
Patched OSX = Hacked.

I post this merely to illustrate that no OS is completely secure; not to imply that one is. Apple Zealots should wise up to this. Don't learn it the hard way like MS and others have had to.

[Thomas, David]

Hacked?! Oh Really! NOT!

After reading the "sensationalistic" slant to this story. I decided
to go and find out about the "relaxed rules".

The rules, aren't rules at all. It's a joke. This is what I have
found out. The computers were set up practically "out of the
box". The security updates that have been recently released,
were not used. The following is a quote ... "CanSecWest
organizers will set up the MacBooks with their own access point
and all security updates installed, but without additional security
software or settings. Attendees will be able to connect to the
machines via the access point through Ethernet or Wi-Fi,
according to the CanSecWest Web site."

This is how everyone, who gets a Mac, will have their computer
"configured". This means, the computers were set up the same
way anybody elses MacBook would be set up. After only one
day, they decided to relax the "rules". Once again, the statement
is deliberately misleading, because it has nothing to do with
rules. This is what they did next. I need to make space for this:

"As originally planned, the rules for the hack a mac contest were
relaxed on Friday after nobody had won the contest on the
previous days. In the relaxed set of rules, a URL was provided
that exposed Safari to a "specially-constructed Web page" which
allowed the hacker to gain shell access to the MacBook.
The URL opened a blank page but exposed a vulnerability in
input handling in Safari, Comeau said. An attacker could use the
vulnerability in a number of ways, but Di Zovie used it to open a
back door that gave him access to anything on the computer,
Comeau said.

According to Matasano, Apple's most recent Security update
does not address this specific issue with Safari."

Am I to understand, that the person hacking the computer, is
the person using the said SAME computer?! Whatever, seems to
me the a lot more than a helping hand was needed to create this
"hack". Technically it is a hack. But if local access is required, I
think I'll take the blue pill.

[Thomas, David]

PS

It is also evident that the attendees planned for this particular
exploit, otherwise, why would they need to supply a custom url?

Can someone say RIGGED! And people why I get so disgusted with
them.

[baggyguy1218]

Dude...

DUDE!! You make me want to punch a baby, relax. Go make a video or something.

[Thrudheim]

Hacker says he "got lucky"

He posted a comment in this blog:

http://www.matasano.com/log/806/hot-off-the-matasano-
sms-queue-cansec-macbook-challenge-won/

He writes, "I will say that applying slightly paranoid web browser
configuration changes will prevent this vulnerability from being
exploited. And no, I have not been sitting on this exploit, I
really did find the vulnerability and write the exploit that night. I
got lucky."

Of course, any javascript vulnerability that can lead to control of
the local user account has to be taken seriously. It's just that
they hyperventilating from anti-Mac people is just too much.
For all we know, this vulnerability has cross-platform
implications.

The people organizing this contest set out with the mission to
demonstrate that Macs were vulnerable to a remote attack.
When that challenge appeared to be going down in flames, they
changed the rules of the contest. The last thing they wanted to
do was actually reinforce the idea that Macs are pretty secure.

Let's be realistic. The same challenge with a Windows machine
as a target would not be newsworthy, and the machine would
not last 10 minutes. That said, of course there are
vulnerabilities in the Mac OS, as there are with any operating
system. This exploit demonstrates that fact, but it does not
"puncture" the notion that Macs are relatively more secure.
Without the rules change, the contest would probably have
passed with no successful hacks. One of the two Macs was not
hacked at all.

[lkrupp]

What I'd like to see...

Leaving out for the moment the OS X/Windows fanboys flinging
dog dung at each other I'd like to see the following occur. Let one
of these "security researchers" sit down and write an operating
system or an application from scratch with the requirement that it
be 100% secure before it is released to the public. Does anyone
think said os or app would EVER get released? As the old saying
goes, "At some point you have to shoot the engineers and start
production." As long as the os and app makers fix things brought
to their attention that's good enough for me.

[wayland.ind]

i wonder if it applies to a PPC mac

i know it's the same OS but the architecture is different and the
updates for the OS are a bit different. seems to me that macs have
gained (hacker) attention after the intel switch. nobody would
bother to hack or disapprove that a mac was insecure when they
were PPCs.

[Macsaresafer]

If it's Java, as has been reported,

it may apply to every OS and browser that uses Java. This may not
be only an Apple problem.

[Fil0403]

Who cares about that?

Truth is today they are Intel and they too now suffer with much of the malware Windows PC's always did.

[grtgrfx]

I don't think so

Seems like this is a software-only hack for OS-X and the current
variant of Safari. If you can run OS-X on the PPC-Mac, it might have
the same effect. The chipset is not relevant here.

[Gunady]

"If it is an actual zero-day in Safari that's fine with us"

"If it is an actual zero-day in Safari that's fine with us"

What does that statement mean? Security is not important?, because they're just feeling confident.

[mbenedict]

They're talking about TippingPoint's bounty

TippingPoint is offering money for anyone who discovers new zero-day exploits.

The statement was explaining, if the problem turns out to be a new zero-day exploit, then TippingPoint is ok with paying money for the find.