VANCOUVER, B.C.--Shane Macaulay just got himself a free MacBook.
Macaulay, a software engineer, was able to hack into a MacBook through a zero-day security hole in Apple's Safari browser. The computer was one of two offered as a prize in the
"PWN to Own" hack-a-Mac contest at the CanSecWest conference here.
Credit: Joris Evers
Hack-a-Mac winner Shane Macaulay attacks a MacBook at the CanSecWest conference.
The successful attack on the second and final day of the contest required a conference organizer to surf to a malicious Web site using Safari on the MacBook--a type of attack familiar to Windows users. CanSecWest organizers relaxed the rules Friday after nobody at the event had breached either of the Macs on the previous day.
Macaulay teamed with Dino Dai Zovi, a security researcher until recently with Matasano Security. Dai Zovi, who has previously been credited by Apple for finding flaws in Mac software, found the Safari vulnerability and wrote the exploit overnight in about 9 hours, he said.
"The vulnerability and the exploit are mine," Dai Zovi said in a telephone interview from New York. "Shane is my man on the ground."
Apple spokeswoman Lynn Fox declined to comment on the MacBook hack specifically, but provided Apple's standard security comment: "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users."
Dai Zovi plans to apply for
a $10,000 bug bounty TippingPoint announced on Thursday if a previously unknown Apple bug was used. "Shane can have the laptop, I want the money," Dai Zovi said. TippingPoint runs the Zero Day Initiative bug bounty program.
A TippingPoint representative said the company would pay, after looking at the vulnerability. "If it is an actual zero-day in Safari that's fine with us," said Terri Forslof, manager of security response at TippingPoint.
CanSecWest organizers set up the MacBooks connected to a wireless router and with all security updates installed, but without additional security software or settings.
But IE hacks are always linked with Windows so it is fair. It comes with Mac OS, just like IE is, so it is part of Mac OS. Furthermore, the recent DNS problem with Server03 and Server2K are labeled as Windows problems when they are actually just DNS problems.
What can't be denied is this is a new hack, and the guy spent under a day on it. Surely this proves that with sufficient motivation Apple software is vulnerable?
Your assumption that root level was not breached is unwarranted. The article says nothing about that. The breach could have been at root level or not. It makes no difference. The hacker got into the Mac threw a vulnerability in Mac?s Safari when accessing a malicious site set up for the purpose. That is exactly the kind of scenario that gets Windows hacked when using its browser, IE.
That is exactly what would have happened to you if you had gone to that site using Safari because Safari has a vulnerability no one knew about except the man who collected the award. He knew about it and put the exploit on the malicious site to take advantage of the security hole in Safari.
The article is somewhat obtuse in that it doesn?t say what damage the hacker could have done to the Mac with this exploit, but whatever he might have been able to do with it would not have been a pleasant experience for the user. In the ordinary course of events, Apple would now get busy writing up a patch for it. That could take some days. We will have to see how long it takes. In the meantime an AV vendor would only have to examine the exploit itself, a simple process and quickly done. The AV vendor?s definition for the hack could be released in hours.
All this proves that writing an exploit for the Mac is easy if anyone wants to bother doing it. But of course we all knew that ? except you Mac fanatics with your nonsensical claims about Mac invulnerability because it is based on Unix or the other nonsensical claim that somehow operating at a non-root level protects against attacks. If the hacker was sufficiently good at it, he could easily have written a hack that would have raised the level of privileges and gone to root level. That is what happens to Windows and can happen to a Mac as well. You have been proven to be wrong in every argument you have made about the alleged invulnerability of Macs.
and web browser vulnerabilities are used a lot in Windows hacking attempts as well. Usually an IE or Firefox bug is used to execute code to install a virus or break into the system.
I recall this happened before and someone used an Applescript flaw to infect a Mac system with a virus, and it was called a non-virus because Applescript was used. I guess all of those Word VBA macro viruses are non-viruses as well on Windows, eh?
Funny how Apple and the Mac fans like to cover up the Mac's security flaws in that way.
Nope it was a Safari bug, not a Mac OSX one. But isn't Safari included as part of the OSX package like Internet Explorer is part of the Windows package? Why do you call an IE flaw a security hole in Windows but a Safari security flaw in OSX is not a hole in Mac OSX?
Actually a stripped down Linux box with the minimal features and the most recent security fixes is more secure than a default OSX (or even default Linux) box, plus it runs faster too without all of that bloat holding it down. Just one thing, it is not as easy to use as OSX (or a fully loaded Linux box) most likely because GNOME/KDE and possibly the X-Window system might not be installed. When you add in a lot of GUI features to make the OS easier to use, it opens up a lot of possible attack points for a hacker.
Did this MacBook have the latest Mac OSX Security Software updates that CNET reported very recently about on this site?
Which version of MAC OSX was on the MacBook? OSX 10.4.9 with latest security updates?
Mac & PCS both are not hack proof & Apple has never said it was, but Apple & MacOSX has a loooooooooooooooong way to go before ever catching up to Windows security problems ( even VISTA OS ).
Once again typical CNet reporting. What exactly got hacked.
"The successful attack on the second and final day of the contest required participants to surf to a malicious Web site using Safari--a type of attack familiar to Windows users. CanSecWest organizers relaxed the rules Friday after nobody at the event had breached either of the Macs on the previous day."
So its considered to be hacked to simply surf to a web site? Also, how were the rules relaxed???? It seem they COULDN'T hack it as originally set up???
Why can't CNET at least provide a link to the real story.
They relaxed the rules because nobody could hack the Mac yesterday.
From the site: <a class="jive-link-external" href="http://cansecwest.com/post/" target="_newWindow">http://cansecwest.com/post/</a> 2007-04-20-14:54:00.First_Mac_Hacked_Cancel_Or_Allow
"Just to review the rules, the first box required a flaw that allows the attacker to get a shell with user level privilages. The second box, still up for grabs, requires the same, plus the attacker needs to get root."
So to say the Mac is owned is an overstatement. It is however, a good reason why you shouldn't log in as an administrator for your normal use. If you are doing that, here's how to correct your setup. First, create a new account (System Prefs, Accounts) and give it administrator rights. Next, log out of your old account and log into your new admin account. From there, change your old account to a standard user by removing administrator rights from it. Now you can log into your old account as you normally do, but it won't be an administrator. You will need to provide the admin user name and password when installing/removing software.
Come on! The mac was hacked, regardless on how the hack was done. Most windows hacks now days are done through malicious web code. You mac fans will not be happy until some hacker finally gets annoyed by your repeated statements that mac's are more safe and he writes a virus to wipe out your hard drives.
what people will say if the Mac is every hacked and root access is gained?
That's a rhetorical question because if the Mac is successfully hacked someday like that Mac fanboys will find some way that it wasn't really a hack. On the other hand Windows and maybe Linux fanboys will be pointed and saying we told you so.
The reality is that all software has flaws and some flaws in some software will allow the hacker to gain full control over a entire system. I think it's a much safer and less arrogant statement to say that the Mac could possibly be hacked, but due to flaws being fixed quickly and the fact that it has a good platform under it it's less likely to be hack in any meaning full manner.
they can only demonstrate what is an already accepted theory: no system is 100% secure. This applies to more than just computers. In theory, you could rob Fort Knox of its gold.
In reality, Fort Knox is safe enough and the Mac is nearly safe enough. Plenty safe, as this test demonstrated, unless the hacker has direct access to the machine and can take it through the right steps on a malicious site. It may be possible to design a site to trick a user into taking those steps, but that remains to be seen. That's the final hurdle that would make this a real exploit. Well, that and the not so small feat of gaining root access.
screw up your logic... It was hacked at user level and only after the people running the contest realized they were about to be totally embarrassed because nobody was even able to do that - so bent the rules... This, to me, is priceless... haha
The contest rules were NOT relaxed, they were set up that way to begin with. Three levels, three different types of attacks. 24 hours of exposure for each.
As a long time Mac user, tho, I am encouraged that admin level was not obtained.
1) The Mac was exploited which means that it is one more flaw that will be corrected by Apple.
2) The first day went by without a successful attack. Macs will be able to continue to fend off attacks.
3) The root level test is still not won. This is very good because the hierarchy within OSX is robust.
4) No successful wild viruses or Trojans for OSX (so far). It continues to be the case for the ~22 million OSX users (and five years of OSX) that there is not a virus in the wild that exploits OSX. Impressive.
There are flaws in all software, but the fact remains that OSX (and Linux) is far more secure than any Windows operating system.
The fact that it only took 9 hours to write a successful hack is not good news. Any successful hacks are not good news. As you said, it "was exploited." And you call this good? If I use your logic, I can call XP absolutely thrilling!
You notice something, the caveat to the entire hack issue is that it was hacked after, and only after the rules were changed. If the rules stayed the same, there could of been a very good chance the MacBook Pro may never of been hacked. I'd like to know what rules they changed, and how it affected the end results.
I read this story from another news source. The way Macworld reported says that the initial rules required participants to have to break into the macs via wireless networking (only). No one was successful. So the event organizers changed the rules to allow *any* method which allows an outsider shell-level access to a remote mac. Also, they were now offering a $10,000 reward. (There was no cash reward when the event started.)
Suddenly there was incentive to the contest.
I just want to say this flys in the face of all the mac users who beleive that hacking a mac is some kind of glorious event that will make the hacker famous. It won't. It wasn't until after the event offered the $10,000 did this hacker enter the contest and used a web-based exploit. The guy did it for the $10K. That was all.
Of course the contest organizers had to relax the conditions of the challenge slightly by writing the root password on a Post-It note and taping it to the contestant's monitors.
Rather than creating an artificial set of conditions, how about a practical test?
I consider myself an "average" Mac user, OS 10.4.9 with all updates, OS X firewall on (default), one user with admin privileges, always- on DSL connection with firewall enabled in DSL router (default).
Can you reach my Mac? If so, can you do any meaningful harm?
I think that this is a real world hack. This is the common way a windows machine gets screwed up. Lets also remember that Linux machines also use the khtml engine with some of the web browsers like konqueror.
?Can you reach my Mac? If so, can you do any meaningful harm??
No, your computer cannot be reached. That is not what is at question here. In this kind of hack, you have to be enticed or steered to the malicious site that harbors the hack. To trick you into going there is what phishing is all about. Once there, in many cases simple access will automatically download an infection to your computer. A firewall is useless in this kind of situation.
An AV might block the install on your computer if the AV vendor is already aware of it and has issued an update to its definitions. Or possibly Apple is already aware of the nature of the hack and has issued a patch that blocks whatever vulnerability in the Mac that the hack uses.
The whole point of this kind of attack is that to be successful the user must access the site. Unfortunately, even some of the stuff loaded by users on the popular so-called social sites may contain a virus and simply clicking on perhaps a video can infect you. Fortunately so much stuff is uploaded to such sites, your chances of clicking on the one that contains a virus is not very likely.
The firewall in OS X is NOT enabled by default. You must enable it yourself. If you think yours is on, and YOU didn't turn it on yourself, you'd better check!
I'd say the conditions for this were pretty good. They allowed access to the same subnet to keep from slowing down the contest. Any competent hacker can get through your router firewall if he knows your WAN IP. So they just eliminated that part of the process.
Remember, in the first part of the contest, there were NO remote attacks that succeeded. So even if you have NO router and are directly connected to the internet, you may be safer than you think.
I read this article twice to be sure I didn't miss anything. Who the heck is Shane? You can't just call out someone's name without saying who they are. Was this two people working on the flaw? Is Shane the one at the conference? What about this McCauley person? And what's going on with this Dai whatever guy who wants the credit and the money? Revise your article!
1) XP Can be as safe as you want it. I have Run XP & 2000 before that, without any virus problems. Why? Because I am not an idiot who does not know how to use my Windows PC. Is Windows any less safe than OSX? Yes and No. Windows does a lot of things that make it easier to hack, but all of that is mostly related to the compatibility it provides. 2) MACs are more stable, crash less, and have very little security concerns to date. It helps that OS-X runs on only ONE SET of hardware configs (By Apple), as opposed to Windows that runs (well, most of the time) on everything. Have Apple open up and run on Gateway, Dell, HP, Lenovo, PC's, with all types of video cards, TV capture cards, sound etc... and then we will see how stable it is. Be real about it. 3) About 90% of my fellow mac users (peeps I know) run Parallels with XP because they could not do EVERYTHING with OSX. I was just at the 5th Ave store in NY and they were doing a demo for everyone. Seriously, look at the revenue for the company. Look at VMware. If there wasn't a need for Windows, then they wouldn't touch it. Where is that in the commercial? 4) Where is Apples R&D Answer? Give me an alternative to Exchange (As an Actual Alternative, Leopard makes great strides, as marketed, but is not there). Give me an alternative to Office (I dont want that crappy Open/StarOffice) I want a innovative Apple solution, that WE ALL KNOW they can do. 5) Building on 4. Software Development. For Mom & Pop and Niche users, OS X (Native) is great. But for other enterprises (Medical/Finance/RealEstate) there are no OS-X solutions. Believe me, I've looked. I wish Apple would get a better hand in those industries, then maybe OSX could be an end-to-end alternative. OSX does not count as an alternative if you still need to run windows or IE people!!!! 6) Market Share. What will we do when Windows goes away? (It will people & thanks to Vista, it can come quicker than you think)Do think hackers and virus makers will just find something else to do? Of course not, they will turn to whatever else the main stream is working on. There were viruses and hacks before Windows came out my friends, and those systems were Unix based. 7) You stupid FanBoys (M$ & crApple) are a constant amazement to me. Nothing is said short of the fact that you each hate each other's side. Half of you have no idea what your talking about and basically are regurgitating media press. Gates does not care about you and neither does Jobs, so stop freakin defending them!!! 8) Not everyone is tech savvy. A majority of these people that use computers now did not grow up with them like we have. These are the same people that can't use their DVR/VCR/TV correctly, and you want them to be smart about computing??
I run my MacBook Pro (2.33/2GB) with Parallels, and it runs great. Probably one of the better computer solutions I have had. The regular MacBooks suck (as I traded up for the Pro after 2 weeks). I love my MBPro and think there is a way for Windows and OS-X to finally coexist in harmony on one hardware platform. The credit for this has to go to Apple. Sorry M$, but you guys have missed the boat....ran of the dock....and drowned.
?You stupid FanBoys (M$ & crApple) are a constant amazement to me. Nothing is said short of the fact that you each hate each other's side. Half of you have no idea what your talking about and basically are regurgitating media press. Gates does not care about you and neither does Jobs, so stop freakin defending them!!!?
Nicely put. The only quibble I might have is the part that half of them don?t know what they are talking about. I would say most of them don?t. Or perhaps I get that impression because the ones who obviously don?t know what they are talking about tend to post the most. The more fanatical they are, the more ignorant they seem to be. But then that is the definition of fanaticism, isn't it? Any knowledgeable person wouldn?t be a fanatic. His knowledge alone would prevent it.
Apple is faulted for only running OS X on Apple hardware? This is a bad thing because...? First, Apple is a complete computing solution, not just a software company or hardware company. This means that if it ran on other equipment it would cannibalize their own sales. Second, by this very limitation it has kept OS X a rock-solid, secure operating system. The security bulit into OS X is often enough for most users to remain secure. The effective Windows security is almost completely third party. Oddly, if you buy a Dell (or IBM, Toshiba,Gateway, et al) computer, keep it all Dell from top to bottom, and never upgrade or replace anything - it's still prone to crashing applications, attacks, and the BSD. So it's not (necessarily) the hardware - it's the OS.
And does a WIndows machine run everything? No. There's tons of applications that run on servers that require clients and emulators. And you can't run - ever - any of the iLife or Final Cut or a number of other professional apps like Aperture or Shake on Windows. While you can now get a lot of the great programs that were originally Apple-only, virtually every test tells us they still run faster and better on Macs.
Here's a real illustration of the quality of Apple versus the quality of Microsoft: FileMaker vs. Access. Granted, Apple spun off Claris/FileMaker, but it's still built from and by the same Apple code and programmers. The price is about the same (250 vs 200), but FileMaker runs circles around Access.
And when you stop to consider, you CAN run almost everything on a Mac (with Parallels). You CAN'T on Windows. Period.
Yesterday there was a security update for all PPCs. I downloaded it, but not sure what it fixed exactly. you can go here and figure out if it fixed the safari problem (im no tech-savvy, so you tell me) :
Then we can discuss which system is more secure... Blank affirmations such as "Vista sucks" don't actually help getting to the bottom of the discussion.
Contrary to Apple's brainwashing campaigns, you'll find out that Mac has been showing quite a few more vulnerabilities than Vista so far. There are good discussions in security forums about the degree of such vulnerabilities. That's a quite more subjective point. Some people say that although Vista security holes are less common than OSX, they are more dangerous. I sincerily can't discuss this because I'm not a security expert. But, for me, any vulnerability that causes your computer to be owned is as bad as it gets... And all you need is one unpatched vulnerability to be screwed... So even a smaller number is not that much of a guarantee for me.
In other words, even if Vista is quantitatively more secure than OSX, or if OSX has less critical flaws, the fact that both have any vulnerability that could cause the system to be compromised is what needs to be addressed. So drop the "MS this" or "Apple that" and let's push both companies (that make a lot of money out of us) to be better. That's what will help US in the long run.
So basically as of today: Unpatched Vista = Safe. Patched OSX = Hacked.
I post this merely to illustrate that no OS is completely secure; not to imply that one is. Apple Zealots should wise up to this. Don't learn it the hard way like MS and others have had to.
After reading the "sensationalistic" slant to this story. I decided to go and find out about the "relaxed rules".
The rules, aren't rules at all. It's a joke. This is what I have found out. The computers were set up practically "out of the box". The security updates that have been recently released, were not used. The following is a quote ... "CanSecWest organizers will set up the MacBooks with their own access point and all security updates installed, but without additional security software or settings. Attendees will be able to connect to the machines via the access point through Ethernet or Wi-Fi, according to the CanSecWest Web site."
This is how everyone, who gets a Mac, will have their computer "configured". This means, the computers were set up the same way anybody elses MacBook would be set up. After only one day, they decided to relax the "rules". Once again, the statement is deliberately misleading, because it has nothing to do with rules. This is what they did next. I need to make space for this:
"As originally planned, the rules for the hack a mac contest were relaxed on Friday after nobody had won the contest on the previous days. In the relaxed set of rules, a URL was provided that exposed Safari to a "specially-constructed Web page" which allowed the hacker to gain shell access to the MacBook. The URL opened a blank page but exposed a vulnerability in input handling in Safari, Comeau said. An attacker could use the vulnerability in a number of ways, but Di Zovie used it to open a back door that gave him access to anything on the computer, Comeau said.
According to Matasano, Apple's most recent Security update does not address this specific issue with Safari."
Am I to understand, that the person hacking the computer, is the person using the said SAME computer?! Whatever, seems to me the a lot more than a helping hand was needed to create this "hack". Technically it is a hack. But if local access is required, I think I'll take the blue pill.
He writes, "I will say that applying slightly paranoid web browser configuration changes will prevent this vulnerability from being exploited. And no, I have not been sitting on this exploit, I really did find the vulnerability and write the exploit that night. I got lucky."
Of course, any javascript vulnerability that can lead to control of the local user account has to be taken seriously. It's just that they hyperventilating from anti-Mac people is just too much. For all we know, this vulnerability has cross-platform implications.
The people organizing this contest set out with the mission to demonstrate that Macs were vulnerable to a remote attack. When that challenge appeared to be going down in flames, they changed the rules of the contest. The last thing they wanted to do was actually reinforce the idea that Macs are pretty secure.
Let's be realistic. The same challenge with a Windows machine as a target would not be newsworthy, and the machine would not last 10 minutes. That said, of course there are vulnerabilities in the Mac OS, as there are with any operating system. This exploit demonstrates that fact, but it does not "puncture" the notion that Macs are relatively more secure. Without the rules change, the contest would probably have passed with no successful hacks. One of the two Macs was not hacked at all.
Leaving out for the moment the OS X/Windows fanboys flinging dog dung at each other I'd like to see the following occur. Let one of these "security researchers" sit down and write an operating system or an application from scratch with the requirement that it be 100% secure before it is released to the public. Does anyone think said os or app would EVER get released? As the old saying goes, "At some point you have to shoot the engineers and start production." As long as the os and app makers fix things brought to their attention that's good enough for me.
i know it's the same OS but the architecture is different and the updates for the OS are a bit different. seems to me that macs have gained (hacker) attention after the intel switch. nobody would bother to hack or disapprove that a mac was insecure when they were PPCs.
Seems like this is a software-only hack for OS-X and the current variant of Safari. If you can run OS-X on the PPC-Mac, it might have the same effect. The chipset is not relevant here.
I agree with you. Setting up a Mac-Hack in a custom environment, and then saying "AH HAH!" is like going to the zoo, and assuming that animals in the wild exhibit the same behavior.
He found the vulnerability when? How long has he been a security researcher?
What he wrote in under a day was something that exploited this vulnerability on a website.
I myself object to the carnival atmosphere and the reward. You'd almost think that security firms, having made a bundle on Windows but now being excluded from getting similar claws on Vista, are just developing a new market for themselves on the Mac through brute force.
As it happens, I run Virex, and I'm behind a NAT firewall, so I'm not among any straw man group of people who supposedly maintain that the Mac CAN'T be infected, just that it wasn't. And it isn't, yet.
At work, I have to use Explorer. The pop-ups and the obvious phishing attacks are extraordinary. I hope that day never comes on the Mac.
Nobody hacks the mac because it isn't worth it. There aren't enough of them to cause real damage. So no hacker wastes his time writing code for them. If you apple heads think that you have some superior machine and os that can't be hacked, you're not only naieve but you're iTards. If the day ever comes that macs grab a significant market share, you can rest assured that your macs will be hacked and infected right along with the windows machines.
I think the funniest thing about this topic is that everyone is like AHHH! Mac Got hacked!.. and some people are in denial, some people are claiming it was a conspiracy. Some people are saying this is why Macs are worse than Windows machines.
The best part about this, is that if someone was to turn around tomorrow and say 'There is a security flaw in Windows which allows administrative control of your machine to mindlessly send out mass spam email'... its like 'Wow ... like this hasn't happened before ..' *sarcasm*
Moral of this comment: Mac gets exploint.. windows users go HAHA. Mac users go IT DIDNT HAPPEN.
Windows gets exploit... everyone goes 'meh, nothing new.'
These games tend to lag behind the PC games industry and its really only going to get worse with the adoption of DX10. The depth and breadth of the games available on the PC are, simply put, unmatched on the alternative desktop/laptop platforms. This is frankly undeniable. This isn't to say OS X couldn't be a good game platform, OpenGL is suitable for many games, but the market isn't there for it (considering how much it costs to develop a top shelf game the development companies generally play to the numbers). Even if Apple really pushed to become a gaming platform I don't think it could catch up inside of the next 5 years.
that the stupid little card games on your mac are what anyone is talking about when they say there aren't games for a mac. It is undisputed that the games that are popular on regular platforms like xbox, ps2 and pc are not offered on a mac when they are initially released, and unless they are hugely popular they never get ported to a mac. So please stop pretending that you can have the same gaming experience on a mac as you can on a PC. You can't (unless you install windows xp on another partition of your hard drive and run them there...)
What kind of games are we talking about here? minesweeper and pinball? If you are talking cutting edge games PC's have access to the list is short indeed for Mac choices.
The two telecom carriers will carry a next-generation iPad running on the fast, next-generation wireless technology, sources tell The Wall Street Journal.
Google creates an animated doodle that features a boy, a girl, Google's search engine, and a jump rope. But might there be darker, more analytical, more troubling interpretations to this tale?
Hamza Kashgari's tweets of an imaginary conversation with the Prophet Mohammad are viewed as blasphemous by the Saudi Arabian government. Now he faces trial with a possible death sentence.
The Silicon Valley online payments startup grew by 1,000 percent last year and is hopeful it can repeat that level of growth this year. To do that, it's had to move away from its early friends-and-family roots and embrace small businesses.
Chamtech's spray-on antenna uses a nano material to provide a low-power boost to antenna range. The wireless-in-a-can product may some day bring an end to unsightly cell towers.
EnerG2 opens a plant to make an engineered carbon that will improve performance of energy storage devices and make storage for start-stop hybrid cars less expensive.
What can't be denied is this is a new hack, and the guy spent under a day on it. Surely this proves that with sufficient motivation Apple software is vulnerable?
That is exactly what would have happened to you if you had gone to that site using Safari because Safari has a vulnerability no one knew about except the man who collected the award. He knew about it and put the exploit on the malicious site to take advantage of the security hole in Safari.
The article is somewhat obtuse in that it doesn?t say what damage the hacker could have done to the Mac with this exploit, but whatever he might have been able to do with it would not have been a pleasant experience for the user. In the ordinary course of events, Apple would now get busy writing up a patch for it. That could take some days. We will have to see how long it takes. In the meantime an AV vendor would only have to examine the exploit itself, a simple process and quickly done. The AV vendor?s definition for the hack could be released in hours.
All this proves that writing an exploit for the Mac is easy if anyone wants to bother doing it. But of course we all knew that ? except you Mac fanatics with your nonsensical claims about Mac invulnerability because it is based on Unix or the other nonsensical claim that somehow operating at a non-root level protects against attacks. If the hacker was sufficiently good at it, he could easily have written a hack that would have raised the level of privileges and gone to root level. That is what happens to Windows and can happen to a Mac as well. You have been proven to be wrong in every argument you have made about the alleged invulnerability of Macs.
I recall this happened before and someone used an Applescript flaw to infect a Mac system with a virus, and it was called a non-virus because Applescript was used. I guess all of those Word VBA macro viruses are non-viruses as well on Windows, eh?
Funny how Apple and the Mac fans like to cover up the Mac's security flaws in that way.
Nope it was a Safari bug, not a Mac OSX one. But isn't Safari included as part of the OSX package like Internet Explorer is part of the Windows package? Why do you call an IE flaw a security hole in Windows but a Safari security flaw in OSX is not a hole in Mac OSX?
Actually a stripped down Linux box with the minimal features and the most recent security fixes is more secure than a default OSX (or even default Linux) box, plus it runs faster too without all of that bloat holding it down. Just one thing, it is not as easy to use as OSX (or a fully loaded Linux box) most likely because GNOME/KDE and possibly the X-Window system might not be installed. When you add in a lot of GUI features to make the OS easier to use, it opens up a lot of possible attack points for a hacker.
work is "wasted" time.
Also, he spent 9 hours on it, and got a ~$2500 laptop.
I am not sure about you, but $280/hour is certainly more money than I make.
9 hours well spent
Which version of MAC OSX was on the MacBook? OSX 10.4.9 with latest security updates?
Mac & PCS both are not hack proof & Apple has never said it was, but Apple & MacOSX has a loooooooooooooooong way to go before ever catching up to Windows security problems ( even VISTA OS ).
"The successful attack on the second and final day of the contest
required participants to surf to a malicious Web site using
Safari--a type of attack familiar to Windows users. CanSecWest
organizers relaxed the rules Friday after nobody at the event had
breached either of the Macs on the previous day."
So its considered to be hacked to simply surf to a web site?
Also, how were the rules relaxed???? It seem they COULDN'T
hack it as originally set up???
Why can't CNET at least provide a link to the real story.
yesterday.
From the site:
<a class="jive-link-external" href="http://cansecwest.com/post/" target="_newWindow">http://cansecwest.com/post/</a>
2007-04-20-14:54:00.First_Mac_Hacked_Cancel_Or_Allow
"Just to review the rules, the first box required a flaw that allows
the attacker to get a shell with user level privilages. The second
box, still up for grabs, requires the same, plus the attacker
needs to get root."
So to say the Mac is owned is an overstatement. It is however, a
good reason why you shouldn't log in as an administrator for
your normal use. If you are doing that, here's how to correct
your setup. First, create a new account (System Prefs, Accounts)
and give it administrator rights. Next, log out of your old
account and log into your new admin account. From there,
change your old account to a standard user by removing
administrator rights from it. Now you can log into your old
account as you normally do, but it won't be an administrator.
You will need to provide the admin user name and password
when installing/removing software.
Still no need for AV software!
That's a rhetorical question because if the Mac is successfully hacked someday like that Mac fanboys will find some way that it wasn't really a hack. On the other hand Windows and maybe Linux fanboys will be pointed and saying we told you so.
The reality is that all software has flaws and some flaws in some software will allow the hacker to gain full control over a entire system. I think it's a much safer and less arrogant statement to say that the Mac could possibly be hacked, but due to flaws being fixed quickly and the fact that it has a good platform under it it's less likely to be hack in any meaning full manner.
But that's probably asking to much. :-P
no system is 100% secure. This applies to more than just
computers. In theory, you could rob Fort Knox of its gold.
In reality, Fort Knox is safe enough and the Mac is nearly safe
enough. Plenty safe, as this test demonstrated, unless the
hacker has direct access to the machine and can take it through
the right steps on a malicious site. It may be possible to design
a site to trick a user into taking those steps, but that remains to
be seen. That's the final hurdle that would make this a real
exploit. Well, that and the not so small feat of gaining root
access.
The article states the hack occured on the second day and only
after the rules were relaxed. Personally, I can't believe how tight
OSX is...
i imagine a lot of Mac haters that participated are having a bad
weekend - haha...
people running the contest realized they were about to be totally
embarrassed because nobody was even able to do that - so bent
the rules... This, to me, is priceless... haha
As a long time Mac user, tho, I am encouraged that admin level was not obtained.
1) The Mac was exploited which means that it is one more flaw that will be corrected by Apple.
2) The first day went by without a successful attack. Macs will be able to continue to fend off attacks.
3) The root level test is still not won. This is very good because the hierarchy within OSX is robust.
4) No successful wild viruses or Trojans for OSX (so far). It continues to be the case for the ~22 million OSX users (and five years of OSX) that there is not a virus in the wild that exploits OSX. Impressive.
There are flaws in all software, but the fact remains that OSX (and Linux) is far more secure than any Windows operating system.
was hacked after, and only after the rules were changed. If the
rules stayed the same, there could of been a very good chance the
MacBook Pro may never of been hacked. I'd like to know what rules
they changed, and how it affected the end results.
Suddenly there was incentive to the contest.
I just want to say this flys in the face of all the mac users who beleive that hacking a mac is some kind of glorious event that will make the hacker famous. It won't. It wasn't until after the event offered the $10,000 did this hacker enter the contest and used a web-based exploit. The guy did it for the $10K. That was all.
<a class="jive-link-external" href="http://www.macworld.com/news/2007/04/20/machack/index.php" target="_newWindow">http://www.macworld.com/news/2007/04/20/machack/index.php</a>
challenge slightly by writing the root password on a Post-It note
and taping it to the contestant's monitors.
practical test?
I consider myself an "average" Mac user, OS 10.4.9 with all updates,
OS X firewall on (default), one user with admin privileges, always-
on DSL connection with firewall enabled in DSL router (default).
Can you reach my Mac? If so, can you do any meaningful harm?
Jay
No, your computer cannot be reached. That is not what is at question here. In this kind of hack, you have to be enticed or steered to the malicious site that harbors the hack. To trick you into going there is what phishing is all about. Once there, in many cases simple access will automatically download an infection to your computer. A firewall is useless in this kind of situation.
An AV might block the install on your computer if the AV vendor is already aware of it and has issued an update to its definitions. Or possibly Apple is already aware of the nature of the hack and has issued a patch that blocks whatever vulnerability in the Mac that the hack uses.
The whole point of this kind of attack is that to be successful the user must access the site. Unfortunately, even some of the stuff loaded by users on the popular so-called social sites may contain a virus and simply clicking on perhaps a video can infect you. Fortunately so much stuff is uploaded to such sites, your chances of clicking on the one that contains a virus is not very likely.
I'd say the conditions for this were pretty good. They allowed access to the same subnet to keep from slowing down the contest. Any competent hacker can get through your router firewall if he knows your WAN IP. So they just eliminated that part of the process.
Remember, in the first part of the contest, there were NO remote attacks that succeeded. So even if you have NO router and are directly connected to the internet, you may be safer than you think.
2) MACs are more stable, crash less, and have very little security concerns to date. It helps that OS-X runs on only ONE SET of hardware configs (By Apple), as opposed to Windows that runs (well, most of the time) on everything. Have Apple open up and run on Gateway, Dell, HP, Lenovo, PC's, with all types of video cards, TV capture cards, sound etc... and then we will see how stable it is. Be real about it.
3) About 90% of my fellow mac users (peeps I know) run Parallels with XP because they could not do EVERYTHING with OSX. I was just at the 5th Ave store in NY and they were doing a demo for everyone. Seriously, look at the revenue for the company. Look at VMware. If there wasn't a need for Windows, then they wouldn't touch it. Where is that in the commercial?
4) Where is Apples R&D Answer? Give me an alternative to Exchange (As an Actual Alternative, Leopard makes great strides, as marketed, but is not there). Give me an alternative to Office (I dont want that crappy Open/StarOffice) I want a innovative Apple solution, that WE ALL KNOW they can do.
5) Building on 4. Software Development. For Mom & Pop and Niche users, OS X (Native) is great. But for other enterprises (Medical/Finance/RealEstate) there are no OS-X solutions. Believe me, I've looked. I wish Apple would get a better hand in those industries, then maybe OSX could be an end-to-end alternative. OSX does not count as an alternative if you still need to run windows or IE people!!!!
6) Market Share. What will we do when Windows goes away? (It will people & thanks to Vista, it can come quicker than you think)Do think hackers and virus makers will just find something else to do? Of course not, they will turn to whatever else the main stream is working on. There were viruses and hacks before Windows came out my friends, and those systems were Unix based.
7) You stupid FanBoys (M$ & crApple) are a constant amazement to me. Nothing is said short of the fact that you each hate each other's side. Half of you have no idea what your talking about and basically are regurgitating media press. Gates does not care about you and neither does Jobs, so stop freakin defending them!!!
8) Not everyone is tech savvy. A majority of these people that use computers now did not grow up with them like we have. These are the same people that can't use their DVR/VCR/TV correctly, and you want them to be smart about computing??
I run my MacBook Pro (2.33/2GB) with Parallels, and it runs great. Probably one of the better computer solutions I have had. The regular MacBooks suck (as I traded up for the Pro after 2 weeks). I love my MBPro and think there is a way for Windows and OS-X to finally coexist in harmony on one hardware platform. The credit for this has to go to Apple. Sorry M$, but you guys have missed the boat....ran of the dock....and drowned.
Nicely put. The only quibble I might have is the part that half of them don?t know what they are talking about. I would say most of them don?t. Or perhaps I get that impression because the ones who obviously don?t know what they are talking about tend to post the most. The more fanatical they are, the more ignorant they seem to be. But then that is the definition of fanaticism, isn't it? Any knowledgeable person wouldn?t be a fanatic. His knowledge alone would prevent it.
is a bad thing because...? First, Apple is a complete computing
solution, not just a software company or hardware company.
This means that if it ran on other equipment it would cannibalize
their own sales. Second, by this very limitation it has kept OS X
a rock-solid, secure operating system. The security bulit into
OS X is often enough for most users to remain secure. The
effective Windows security is almost completely third party.
Oddly, if you buy a Dell (or IBM, Toshiba,Gateway, et al)
computer, keep it all Dell from top to bottom, and never
upgrade or replace anything - it's still prone to crashing
applications, attacks, and the BSD. So it's not (necessarily) the
hardware - it's the OS.
And does a WIndows machine run everything? No. There's tons
of applications that run on servers that require clients and
emulators. And you can't run - ever - any of the iLife or Final
Cut or a number of other professional apps like Aperture or
Shake on Windows. While you can now get a lot of the great
programs that were originally Apple-only, virtually every test
tells us they still run faster and better on Macs.
Here's a real illustration of the quality of Apple versus the quality
of Microsoft: FileMaker vs. Access. Granted, Apple spun off
Claris/FileMaker, but it's still built from and by the same Apple
code and programmers. The price is about the same (250 vs
200), but FileMaker runs circles around Access.
And when you stop to consider, you CAN run almost everything
on a Mac (with Parallels). You CAN'T on Windows. Period.
but not sure what it fixed exactly.
you can go here and figure out if it fixed the safari problem (im no
tech-savvy, so you tell me) :
<a class="jive-link-external" href="http://www.apple.com/support/downloads/" target="_newWindow">http://www.apple.com/support/downloads/</a>
securityupdate2007004ppc.html
in the test.
It will be closed soon enough.
Blank affirmations such as "Vista sucks" don't actually help getting to the bottom of the discussion.
Contrary to Apple's brainwashing campaigns, you'll find out that Mac has been showing quite a few more vulnerabilities than Vista so far.
There are good discussions in security forums about the degree of such vulnerabilities. That's a quite more subjective point. Some people say that although Vista security holes are less common than OSX, they are more dangerous.
I sincerily can't discuss this because I'm not a security expert. But, for me, any vulnerability that causes your computer to be owned is as bad as it gets... And all you need is one unpatched vulnerability to be screwed... So even a smaller number is not that much of a guarantee for me.
In other words, even if Vista is quantitatively more secure than OSX, or if OSX has less critical flaws, the fact that both have any vulnerability that could cause the system to be compromised is what needs to be addressed.
So drop the "MS this" or "Apple that" and let's push both companies (that make a lot of money out of us) to be better. That's what will help US in the long run.
2 unpatched.
Worst of them is rated as "Not Critical" by 3rd parties. (local only, no privlidge elevation, can't execute code)
<a class="jive-link-external" href="http://secunia.com/product/13223/?task=advisories" target="_newWindow">http://secunia.com/product/13223/?task=advisories</a>
So basically as of today:
Unpatched Vista = Safe.
Patched OSX = Hacked.
I post this merely to illustrate that no OS is completely secure; not to imply that one is. Apple Zealots should wise up to this. Don't learn it the hard way like MS and others have had to.
to go and find out about the "relaxed rules".
The rules, aren't rules at all. It's a joke. This is what I have
found out. The computers were set up practically "out of the
box". The security updates that have been recently released,
were not used. The following is a quote ... "CanSecWest
organizers will set up the MacBooks with their own access point
and all security updates installed, but without additional security
software or settings. Attendees will be able to connect to the
machines via the access point through Ethernet or Wi-Fi,
according to the CanSecWest Web site."
This is how everyone, who gets a Mac, will have their computer
"configured". This means, the computers were set up the same
way anybody elses MacBook would be set up. After only one
day, they decided to relax the "rules". Once again, the statement
is deliberately misleading, because it has nothing to do with
rules. This is what they did next. I need to make space for this:
"As originally planned, the rules for the hack a mac contest were
relaxed on Friday after nobody had won the contest on the
previous days. In the relaxed set of rules, a URL was provided
that exposed Safari to a "specially-constructed Web page" which
allowed the hacker to gain shell access to the MacBook.
The URL opened a blank page but exposed a vulnerability in
input handling in Safari, Comeau said. An attacker could use the
vulnerability in a number of ways, but Di Zovie used it to open a
back door that gave him access to anything on the computer,
Comeau said.
According to Matasano, Apple's most recent Security update
does not address this specific issue with Safari."
Am I to understand, that the person hacking the computer, is
the person using the said SAME computer?! Whatever, seems to
me the a lot more than a helping hand was needed to create this
"hack". Technically it is a hack. But if local access is required, I
think I'll take the blue pill.
exploit, otherwise, why would they need to supply a custom url?
Can someone say RIGGED! And people why I get so disgusted with
them.
<a class="jive-link-external" href="http://www.matasano.com/log/806/hot-off-the-matasano-" target="_newWindow">http://www.matasano.com/log/806/hot-off-the-matasano-</a>
sms-queue-cansec-macbook-challenge-won/
He writes, "I will say that applying slightly paranoid web browser
configuration changes will prevent this vulnerability from being
exploited. And no, I have not been sitting on this exploit, I
really did find the vulnerability and write the exploit that night. I
got lucky."
Of course, any javascript vulnerability that can lead to control of
the local user account has to be taken seriously. It's just that
they hyperventilating from anti-Mac people is just too much.
For all we know, this vulnerability has cross-platform
implications.
The people organizing this contest set out with the mission to
demonstrate that Macs were vulnerable to a remote attack.
When that challenge appeared to be going down in flames, they
changed the rules of the contest. The last thing they wanted to
do was actually reinforce the idea that Macs are pretty secure.
Let's be realistic. The same challenge with a Windows machine
as a target would not be newsworthy, and the machine would
not last 10 minutes. That said, of course there are
vulnerabilities in the Mac OS, as there are with any operating
system. This exploit demonstrates that fact, but it does not
"puncture" the notion that Macs are relatively more secure.
Without the rules change, the contest would probably have
passed with no successful hacks. One of the two Macs was not
hacked at all.
dog dung at each other I'd like to see the following occur. Let one
of these "security researchers" sit down and write an operating
system or an application from scratch with the requirement that it
be 100% secure before it is released to the public. Does anyone
think said os or app would EVER get released? As the old saying
goes, "At some point you have to shoot the engineers and start
production." As long as the os and app makers fix things brought
to their attention that's good enough for me.
updates for the OS are a bit different. seems to me that macs have
gained (hacker) attention after the intel switch. nobody would
bother to hack or disapprove that a mac was insecure when they
were PPCs.
be only an Apple problem.
variant of Safari. If you can run OS-X on the PPC-Mac, it might have
the same effect. The chipset is not relevant here.
What does that statement mean? Security is not important?, because they're just feeling confident.
The statement was explaining, if the problem turns out to be a new zero-day exploit, then TippingPoint is ok with paying money for the find.
Now, if this hack occured in the wild and it spread like wild fire, now that would be news, but it just doesn't happen to macs like it does to pcs.
and then saying "AH HAH!" is like going to the zoo, and assuming
that animals in the wild exhibit the same behavior.
security researcher?
What he wrote in under a day was something that exploited this
vulnerability on a website.
I myself object to the carnival atmosphere and the reward. You'd
almost think that security firms, having made a bundle on
Windows but now being excluded from getting similar claws on
Vista, are just developing a new market for themselves on the
Mac through brute force.
As it happens, I run Virex, and I'm behind a NAT firewall, so I'm
not among any straw man group of people who supposedly
maintain that the Mac CAN'T be infected, just that it wasn't. And
it isn't, yet.
At work, I have to use Explorer. The pop-ups and the obvious
phishing attacks are extraordinary. I hope that day never comes
on the Mac.
The best part about this, is that if someone was to turn around tomorrow and say 'There is a security flaw in Windows which allows administrative control of your machine to mindlessly send out mass spam email'... its like 'Wow ... like this hasn't happened before ..' *sarcasm*
Moral of this comment: Mac gets exploint.. windows users go HAHA. Mac users go IT DIDNT HAPPEN.
Windows gets exploit... everyone goes 'meh, nothing new.'
Cheers,
Windows gets exploit... everyone goes 'meh, nothing new.'"
Bid13, your post is the first to really sum it up with any semblance of sanity.
plenty of games for the Mac. I just counted 118 on my machine!!
really only going to get worse with the adoption of DX10. The
depth and breadth of the games available on the PC are, simply
put, unmatched on the alternative desktop/laptop platforms.
This is frankly undeniable. This isn't to say OS X couldn't be a
good game platform, OpenGL is suitable for many games, but
the market isn't there for it (considering how much it costs to
develop a top shelf game the development companies generally
play to the numbers). Even if Apple really pushed to become a
gaming platform I don't think it could catch up inside of the next
5 years.