April 20, 2007 4:03 PM PDT

MacBook hacked in contest at security event

VANCOUVER, B.C.--Shane Macaulay just got himself a free MacBook.

Macaulay, a software engineer, was able to hack into a MacBook through a zero-day security hole in Apple's Safari browser. The computer was one of two offered as a prize in the "PWN to Own" hack-a-Mac contest at the CanSecWest conference here.

[Photo: Hack-a-Mac winner Shane Macaulay attacks a MacBook at the CanSecWest conference. Credit: Joris Evers]

The successful attack on the second and final day of the contest required a conference organizer to surf to a malicious Web site using Safari on the MacBook--a type of attack familiar to Windows users. CanSecWest organizers relaxed the rules Friday after nobody at the event had breached either of the Macs on the previous day.

Macaulay teamed with Dino Dai Zovi, a security researcher until recently with Matasano Security. Dai Zovi, who has previously been credited by Apple for finding flaws in Mac software, found the Safari vulnerability and wrote the exploit overnight in about 9 hours, he said.

"The vulnerability and the exploit are mine," Dai Zovi said in a telephone interview from New York. "Shane is my man on the ground."

Apple spokeswoman Lynn Fox declined to comment on the MacBook hack specifically, but provided Apple's standard security comment: "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users."

Dai Zovi plans to apply for a $10,000 bug bounty TippingPoint announced on Thursday if a previously unknown Apple bug was used. "Shane can have the laptop, I want the money," Dai Zovi said. TippingPoint runs the Zero Day Initiative bug bounty program.

A TippingPoint representative said the company would pay, after looking at the vulnerability. "If it is an actual zero-day in Safari that's fine with us," said Terri Forslof, manager of security response at TippingPoint.

The successful hack comes a day after Apple released its fourth security update for Mac OS X this year. The update repairs 25 vulnerabilities.

CanSecWest organizers set up the MacBooks connected to a wireless router and with all security updates installed, but without additional security software or settings.

Safari got hacked.
Still no root level hack. But Cnet will be cnet, so we get this title.
Posted by Macsaresafer (802 comments)
But IE hacks are always linked with Windows so it is fair. It comes with Mac OS, just like IE is, so it is part of Mac OS. Furthermore, the recent DNS problems with Server03 and Server2K are labeled as Windows problems when they are actually just DNS problems.

What can't be denied is this is a new hack, and the guy spent under a day on it. Surely this proves that with sufficient motivation Apple software is vulnerable?
Posted by Siegfried Schtauffen (269 comments)
Indeed the Mac got hacked.
Your assumption that root level was not breached is unwarranted. The article says nothing about that. The breach could have been at root level or not. It makes no difference. The hacker got into the Mac through a vulnerability in Mac's Safari when accessing a malicious site set up for the purpose. That is exactly the kind of scenario that gets Windows hacked when using its browser, IE.

That is exactly what would have happened to you if you had gone to that site using Safari because Safari has a vulnerability no one knew about except the man who collected the award. He knew about it and put the exploit on the malicious site to take advantage of the security hole in Safari.

The article is somewhat obtuse in that it doesn't say what damage the hacker could have done to the Mac with this exploit, but whatever he might have been able to do with it would not have been a pleasant experience for the user. In the ordinary course of events, Apple would now get busy writing up a patch for it. That could take some days. We will have to see how long it takes. In the meantime an AV vendor would only have to examine the exploit itself, a simple process and quickly done. The AV vendor's definition for the hack could be released in hours.

All this proves that writing an exploit for the Mac is easy if anyone wants to bother doing it. But of course we all knew that, except you Mac fanatics with your nonsensical claims about Mac invulnerability because it is based on Unix or the other nonsensical claim that somehow operating at a non-root level protects against attacks. If the hacker was sufficiently good at it, he could easily have written a hack that would have raised the level of privileges and gone to root level. That is what happens to Windows and can happen to a Mac as well. You have been proven to be wrong in every argument you have made about the alleged invulnerability of Macs.
Posted by gmcaloon--2008 (72 comments)
Safari is bundled with OSX
and web browser vulnerabilities are used a lot in Windows hacking attempts as well. Usually an IE or Firefox bug is used to execute code to install a virus or break into the system.

I recall this happened before and someone used an Applescript flaw to infect a Mac system with a virus, and it was called a non-virus because Applescript was used. I guess all of those Word VBA macro viruses are non-viruses as well on Windows, eh?

Funny how Apple and the Mac fans like to cover up the Mac's security flaws in that way.

Nope it was a Safari bug, not a Mac OSX one. But isn't Safari included as part of the OSX package like Internet Explorer is part of the Windows package? Why do you call an IE flaw a security hole in Windows but a Safari security flaw in OSX is not a hole in Mac OSX?

Actually a stripped down Linux box with the minimal features and the most recent security fixes is more secure than a default OSX (or even default Linux) box, plus it runs faster too without all of that bloat holding it down. Just one thing, it is not as easy to use as OSX (or a fully loaded Linux box) most likely because GNOME/KDE and possibly the X-Window system might not be installed. When you add in a lot of GUI features to make the OS easier to use, it opens up a lot of possible attack points for a hacker.
Posted by Orion Blastar (590 comments)
Macs got hacked (again).
Still Macs can be hacked (regardless of how). Apple fanboys will be Apple fanboys, so we get these excuses too.
Posted by Fil0403 (1303 comments)
Shine some light on anything
and you'll find flaws. I feel bad for the guy who wasted nine perfectly good hours to hack into this platform.
Posted by sanenazok (3449 comments)
Wasted nine hours?
You must be pretty well off to think that $10,000 for nine hours
work is "wasted" time.
Posted by calpundit (69 comments)
The guy probably works in the security industry and legal competitions like this are a good way to separate the men from the boys.

Also, he spent 9 hours on it, and got a ~$2500 laptop.

I am not sure about you, but $280/hour is certainly more money than I make.
Posted by Dachi (797 comments)
10k in cash + $2500 laptop
9 hours well spent
Posted by pithenumber (1206 comments)
Security Software Updates?
Did this MacBook have the latest Mac OSX Security Software updates that CNET reported very recently about on this site?

Which version of MAC OSX was on the MacBook? OSX 10.4.9 with latest security updates?

Mac & PCS both are not hack proof & Apple has never said it was, but Apple & MacOSX has a loooooooooooooooong way to go before ever catching up to Windows security problems ( even VISTA OS ).
Posted by Llib Setag (951 comments)
Yes, Yes, and I agree
Yes it did have the updates, it was running 10.4.9, and it is a very long way from having as many security problems as Microsucks.
Posted by bobmarksdale (29 comments)
What got Hacked
Once again typical CNet reporting. What exactly got hacked.

"The successful attack on the second and final day of the contest
required participants to surf to a malicious Web site using
Safari--a type of attack familiar to Windows users. CanSecWest
organizers relaxed the rules Friday after nobody at the event had
breached either of the Macs on the previous day."

So it's considered to be hacked to simply surf to a web site?
Also, how were the rules relaxed???? It seems they COULDN'T
hack it as originally set up???

Why can't CNET at least provide a link to the real story.
Posted by dscottbuch (14 comments)
The hack.
They relaxed the rules because nobody could hack the Mac

From the site:
http://cansecwest.com/post/

"Just to review the rules, the first box required a flaw that allows
the attacker to get a shell with user level privilages. The second
box, still up for grabs, requires the same, plus the attacker
needs to get root."

So to say the Mac is owned is an overstatement. It is however, a
good reason why you shouldn't log in as an administrator for
your normal use. If you are doing that, here's how to correct
your setup. First, create a new account (System Prefs, Accounts)
and give it administrator rights. Next, log out of your old
account and log into your new admin account. From there,
change your old account to a standard user by removing
administrator rights from it. Now you can log into your old
account as you normally do, but it won't be an administrator.
You will need to provide the admin user name and password
when installing/removing software.

Still no need for AV software!
Posted by Macsaresafer (802 comments)
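The account-separation advice in the comment above (run day to day as a standard user, keep a separate administrator account) is easy to verify from a shell. The script below is an added example, not part of the original thread or of any Apple tool: it reports which of the named accounts are members of the administrators group. It assumes the macOS convention that administrators are members of the `admin` group (overridable through the hypothetical `ADMIN_GROUP` variable), reads membership with `id -Gn`, and works on any POSIX system.

```shell
#!/bin/sh
# Added example: audit which local accounts are administrators, so a
# day-to-day login can be demoted to a standard user as advised above.
# Assumption: the administrators group is named "admin" (macOS convention);
# ADMIN_GROUP is a hypothetical override for other systems.
ADMIN_GROUP="${ADMIN_GROUP:-admin}"

# list_has_group GROUPS NAME: true if the space-separated GROUPS contains NAME.
list_has_group() {
    for g in $1; do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# groups_of_user USER: group names USER belongs to; empty if the user is unknown.
groups_of_user() {
    id -Gn "$1" 2>/dev/null
}

# account_is_admin USER: true if USER is in the administrators group.
# An unknown user has no groups and therefore counts as non-admin.
account_is_admin() {
    list_has_group "$(groups_of_user "$1")" "$ADMIN_GROUP"
}

# classify_account USER: prints "USER admin" or "USER standard".
classify_account() {
    if account_is_admin "$1"; then
        echo "$1 admin"
    else
        echo "$1 standard"
    fi
}

# Usage: sh admin_audit.sh alice bob   (no arguments: the current login only)
main() {
    [ $# -eq 0 ] && set -- "$(id -un)"
    for u in "$@"; do
        classify_account "$u"
    done
}

main "$@"
```

Any account reported as `admin` that is used for everyday browsing is the situation the comment describes; the fix it outlines (create a second account with administrator rights, then remove those rights from the everyday account) is done in the Accounts preference pane, after which this script should report the everyday account as `standard`.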
Oh puh-lease!
Come on! The Mac was hacked, regardless of how the hack was done. Most Windows hacks nowadays are done through malicious web code. You Mac fans will not be happy until some hacker finally gets annoyed by your repeated statements that Macs are safer and he writes a virus to wipe out your hard drives.
Posted by tanis143 (122 comments)
I wonder...
what people will say if the Mac is ever hacked and root access is gained?

That's a rhetorical question because if the Mac is successfully hacked someday like that, Mac fanboys will find some way that it wasn't really a hack. On the other hand Windows and maybe Linux fanboys will be pointing and saying we told you so.

The reality is that all software has flaws and some flaws in some software will allow the hacker to gain full control over an entire system. I think it's a much safer and less arrogant statement to say that the Mac could possibly be hacked, but due to flaws being fixed quickly and the fact that it has a good platform under it, it's less likely to be hacked in any meaningful manner.

But that's probably asking too much. :-P
Posted by System Tyrant (1453 comments)
Contests like this are interesting, but
they can only demonstrate what is an already accepted theory:
no system is 100% secure. This applies to more than just
computers. In theory, you could rob Fort Knox of its gold.

In reality, Fort Knox is safe enough and the Mac is nearly safe
enough. Plenty safe, as this test demonstrated, unless the
hacker has direct access to the machine and can take it through
the right steps on a malicious site. It may be possible to design
a site to trick a user into taking those steps, but that remains to
be seen. That's the final hurdle that would make this a real
exploit. Well, that and the not so small feat of gaining root.
Posted by Macsaresafer (802 comments)
Not correct
Go back and read the article...

The article states the hack occurred on the second day and only
after the rules were relaxed. Personally, I can't believe how tight
OSX is...

I imagine a lot of Mac haters that participated are having a bad
weekend - haha...
Posted by keaggy220 (57 comments)
Dude don't let your Mac hate
screw up your logic... It was hacked at user level and only after the
people running the contest realized they were about to be totally
embarrassed because nobody was even able to do that - so bent
the rules... This, to me, is priceless... haha
Posted by keaggy220 (57 comments)
get it right
The contest rules were NOT relaxed, they were set up that way to begin with. Three levels, three different types of attacks. 24 hours of exposure for each.

As a long time Mac user, though, I am encouraged that admin level was not obtained.
Posted by rwahrens (44 comments)
Good News!
This is good news on several levels.

1) The Mac was exploited which means that it is one more flaw that will be corrected by Apple.

2) The first day went by without a successful attack. Macs will be able to continue to fend off attacks.

3) The root level test is still not won. This is very good because the hierarchy within OSX is robust.

4) No successful wild viruses or Trojans for OSX (so far). It continues to be the case for the ~22 million OSX users (and five years of OSX) that there is not a virus in the wild that exploits OSX. Impressive.

There are flaws in all software, but the fact remains that OSX (and Linux) is far more secure than any Windows operating system.
Posted by jypeterson (181 comments)
and bad news
The fact that it only took 9 hours to write a successful hack is not good news. Any successful hacks are not good news. As you said, it "was exploited." And you call this good? If I use your logic, I can call XP absolutely thrilling!
Posted by Seaspray0 (9714 comments)
Hacked only after rules were relaxed...
You notice something, the caveat to the entire hack issue is that it
was hacked after, and only after the rules were changed. If the
rules stayed the same, there could have been a very good chance the
MacBook Pro may never have been hacked. I'd like to know what rules
they changed, and how it affected the end results.
Posted by Matthew R. (37 comments)
From another news source...
I read this story from another news source. The way Macworld reported says that the initial rules required participants to have to break into the macs via wireless networking (only). No one was successful. So the event organizers changed the rules to allow *any* method which allows an outsider shell-level access to a remote mac. Also, they were now offering a $10,000 reward. (There was no cash reward when the event started.)

Suddenly there was incentive to the contest.

I just want to say this flies in the face of all the Mac users who believe that hacking a Mac is some kind of glorious event that will make the hacker famous. It won't. It wasn't until after the event offered the $10,000 that this hacker entered the contest and used a web-based exploit. The guy did it for the $10K. That was all.

http://www.macworld.com/news/2007/04/20/machack/index.php
Posted by Richard G. (137 comments)
OS X Root Level Hack Achieved
Of course the contest organizers had to relax the conditions of the
challenge slightly by writing the root password on a Post-It note
and taping it to the contestants' monitors.
Posted by GatesOfHell (210 comments)
How about a truly meaningful "real world" hack?
Rather than creating an artificial set of conditions, how about a
practical test?

I consider myself an "average" Mac user, OS 10.4.9 with all updates,
OS X firewall on (default), one user with admin privileges, always-
on DSL connection with firewall enabled in DSL router (default).

Can you reach my Mac? If so, can you do any meaningful harm?
Posted by drdocument (17 comments)
I think that this is a real world hack. This is the common way a Windows machine gets screwed up. Let's also remember that Linux machines also use the KHTML engine with some of the web browsers like Konqueror.

Posted by Astinsan (132 comments)
There are lots of "real world" hacks.
"Can you reach my Mac? If so, can you do any meaningful harm?"

No, your computer cannot be reached. That is not what is at question here. In this kind of hack, you have to be enticed or steered to the malicious site that harbors the hack. To trick you into going there is what phishing is all about. Once there, in many cases simple access will automatically download an infection to your computer. A firewall is useless in this kind of situation.

An AV might block the install on your computer if the AV vendor is already aware of it and has issued an update to its definitions. Or possibly Apple is already aware of the nature of the hack and has issued a patch that blocks whatever vulnerability in the Mac that the hack uses.

The whole point of this kind of attack is that to be successful the user must access the site. Unfortunately, even some of the stuff loaded by users on the popular so-called social sites may contain a virus and simply clicking on perhaps a video can infect you. Fortunately so much stuff is uploaded to such sites, your chances of clicking on the one that contains a virus is not very likely.
Posted by gmcaloon--2008 (72 comments)
The firewall in OS X is NOT enabled by default. You must enable it yourself. If you think yours is on, and YOU didn't turn it on yourself, you'd better check!

I'd say the conditions for this were pretty good. They allowed access to the same subnet to keep from slowing down the contest. Any competent hacker can get through your router firewall if he knows your WAN IP. So they just eliminated that part of the process.

Remember, in the first part of the contest, there were NO remote attacks that succeeded. So even if you have NO router and are directly connected to the internet, you may be safer than you think.
Posted by rwahrens (44 comments)
Who is Shane?
I read this article twice to be sure I didn't miss anything. Who the heck is Shane? You can't just call out someone's name without saying who they are. Was this two people working on the flaw? Is Shane the one at the conference? What about this McCauley person? And what's going on with this Dai whatever guy who wants the credit and the money? Revise your article!
Posted by elektroboi (2 comments)
Time for the Bottom Line...
1) XP can be as safe as you want it. I have run XP & 2000 before that, without any virus problems. Why? Because I am not an idiot who does not know how to use my Windows PC. Is Windows any less safe than OSX? Yes and no. Windows does a lot of things that make it easier to hack, but all of that is mostly related to the compatibility it provides.
2) Macs are more stable, crash less, and have very little security concerns to date. It helps that OS-X runs on only ONE SET of hardware configs (by Apple), as opposed to Windows that runs (well, most of the time) on everything. Have Apple open up and run on Gateway, Dell, HP, Lenovo PCs, with all types of video cards, TV capture cards, sound etc... and then we will see how stable it is. Be real about it.
3) About 90% of my fellow Mac users (peeps I know) run Parallels with XP because they could not do EVERYTHING with OSX. I was just at the 5th Ave store in NY and they were doing a demo for everyone. Seriously, look at the revenue for the company. Look at VMware. If there wasn't a need for Windows, then they wouldn't touch it. Where is that in the commercial?
4) Where is Apple's R&D answer? Give me an alternative to Exchange (as an actual alternative; Leopard makes great strides, as marketed, but is not there). Give me an alternative to Office (I don't want that crappy Open/StarOffice). I want an innovative Apple solution, that WE ALL KNOW they can do.
5) Building on 4. Software development. For Mom & Pop and niche users, OS X (native) is great. But for other enterprises (Medical/Finance/RealEstate) there are no OS-X solutions. Believe me, I've looked. I wish Apple would get a better hand in those industries, then maybe OSX could be an end-to-end alternative. OSX does not count as an alternative if you still need to run Windows or IE, people!!!!
6) Market share. What will we do when Windows goes away? (It will, people, & thanks to Vista it can come quicker than you think.) Do you think hackers and virus makers will just find something else to do? Of course not, they will turn to whatever else the mainstream is working on. There were viruses and hacks before Windows came out, my friends, and those systems were Unix based.
7) You stupid FanBoys (M$ & crApple) are a constant amazement to me. Nothing is said short of the fact that you each hate each other's side. Half of you have no idea what you're talking about and basically are regurgitating media press. Gates does not care about you and neither does Jobs, so stop freakin defending them!!!
8) Not everyone is tech savvy. A majority of these people that use computers now did not grow up with them like we have. These are the same people that can't use their DVR/VCR/TV correctly, and you want them to be smart about computing??

I run my MacBook Pro (2.33/2GB) with Parallels, and it runs great. Probably one of the better computer solutions I have had. The regular MacBooks suck (as I traded up for the Pro after 2 weeks). I love my MBPro and think there is a way for Windows and OS-X to finally coexist in harmony on one hardware platform. The credit for this has to go to Apple. Sorry M$, but you guys have missed the boat....ran off the dock....and drowned.
Posted by ZeroJCF (51 comments)
Bottom lines
"You stupid FanBoys (M$ & crApple) are a constant amazement to me. Nothing is said short of the fact that you each hate each other's side. Half of you have no idea what you're talking about and basically are regurgitating media press. Gates does not care about you and neither does Jobs, so stop freakin defending them!!!"

Nicely put. The only quibble I might have is the part that half of them don't know what they are talking about. I would say most of them don't. Or perhaps I get that impression because the ones who obviously don't know what they are talking about tend to post the most. The more fanatical they are, the more ignorant they seem to be. But then that is the definition of fanaticism, isn't it? Any knowledgeable person wouldn't be a fanatic. His knowledge alone would prevent it.
Posted by gmcaloon--2008 (72 comments)
Uh, you're complaining because it's safe?
Apple is faulted for only running OS X on Apple hardware? This
is a bad thing because...? First, Apple is a complete computing
solution, not just a software company or hardware company.
This means that if it ran on other equipment it would cannibalize
their own sales. Second, by this very limitation it has kept OS X
a rock-solid, secure operating system. The security built into
OS X is often enough for most users to remain secure. The
effective Windows security is almost completely third party.
Oddly, if you buy a Dell (or IBM, Toshiba,Gateway, et al)
computer, keep it all Dell from top to bottom, and never
upgrade or replace anything - it's still prone to crashing
applications, attacks, and the BSOD. So it's not (necessarily) the
hardware - it's the OS.

And does a Windows machine run everything? No. There's tons
of applications that run on servers that require clients and
emulators. And you can't run - ever - any of the iLife or Final
Cut or a number of other professional apps like Aperture or
Shake on Windows. While you can now get a lot of the great
programs that were originally Apple-only, virtually every test
tells us they still run faster and better on Macs.

Here's a real illustration of the quality of Apple versus the quality
of Microsoft: FileMaker vs. Access. Granted, Apple spun off
Claris/FileMaker, but it's still built from and by the same Apple
code and programmers. The price is about the same (250 vs
200), but FileMaker runs circles around Access.

And when you stop to consider, you CAN run almost everything
on a Mac (with Parallels). You CAN'T on Windows. Period.
Posted by qprize (237 comments)
Already fixed?
Yesterday there was a security update for all PPCs. I downloaded it,
but not sure what it fixed exactly.
You can go here and figure out if it fixed the Safari problem (I'm not
tech-savvy, so you tell me):

http://www.apple.com/support/downloads/
Posted by kyler (30 comments)
Probably not.
The claim was that this patch was applied to the Macs being used
in the test.

It will be closed soon enough.
Posted by Macsaresafer (802 comments)
Please list Vista vulnerabilities
Then we can discuss which system is more secure...
Blank affirmations such as "Vista sucks" don't actually help getting to the bottom of the discussion.

Contrary to Apple's brainwashing campaigns, you'll find out that Mac has been showing quite a few more vulnerabilities than Vista so far.
There are good discussions in security forums about the degree of such vulnerabilities. That's a quite more subjective point. Some people say that although Vista security holes are less common than OSX, they are more dangerous.
I sincerely can't discuss this because I'm not a security expert. But, for me, any vulnerability that causes your computer to be owned is as bad as it gets... And all you need is one unpatched vulnerability to be screwed... So even a smaller number is not that much of a guarantee for me.

In other words, even if Vista is quantitatively more secure than OSX, or if OSX has less critical flaws, the fact that both have any vulnerability that could cause the system to be compromised is what needs to be addressed.
So drop the "MS this" or "Apple that" and let's push both companies (that make a lot of money out of us) to be better. That's what will help US in the long run.
Posted by Considerate One (30 comments)
Isn't Vista susceptible to the same malware as XP?
Posted by Jesus#2 (127 comments)
Ok, here they are. :P
8 Vulnerabilities.
2 unpatched.
Worst of them is rated as "Not Critical" by 3rd parties. (local only, no privilege elevation, can't execute code)

http://secunia.com/product/13223/?task=advisories

So basically as of today:
Unpatched Vista = Safe.
Patched OSX = Hacked.

I post this merely to illustrate that no OS is completely secure; not to imply that one is. Apple Zealots should wise up to this. Don't learn it the hard way like MS and others have had to.
Posted by smilin:) (889 comments)
Hacked?! Oh Really! NOT!
After reading the "sensationalistic" slant to this story. I decided
to go and find out about the "relaxed rules".

The rules, aren't rules at all. It's a joke. This is what I have
found out. The computers were set up practically "out of the
box". The security updates that have been recently released,
were not used. The following is a quote ... "CanSecWest
organizers will set up the MacBooks with their own access point
and all security updates installed, but without additional security
software or settings. Attendees will be able to connect to the
machines via the access point through Ethernet or Wi-Fi,
according to the CanSecWest Web site."

This is how everyone, who gets a Mac, will have their computer
"configured". This means, the computers were set up the same
way anybody else's MacBook would be set up. After only one
day, they decided to relax the "rules". Once again, the statement
is deliberately misleading, because it has nothing to do with
rules. This is what they did next. I need to make space for this:

"As originally planned, the rules for the hack a mac contest were
relaxed on Friday after nobody had won the contest on the
previous days. In the relaxed set of rules, a URL was provided
that exposed Safari to a "specially-constructed Web page" which
allowed the hacker to gain shell access to the MacBook.
The URL opened a blank page but exposed a vulnerability in
input handling in Safari, Comeau said. An attacker could use the
vulnerability in a number of ways, but Di Zovie used it to open a
back door that gave him access to anything on the computer,
Comeau said.

According to Matasano, Apple's most recent Security update
does not address this specific issue with Safari."

Am I to understand, that the person hacking the computer, is
the person using the said SAME computer?! Whatever, seems to
me the a lot more than a helping hand was needed to create this
"hack". Technically it is a hack. But if local access is required, I
think I'll take the blue pill.
Posted by Thomas, David (1947 comments)
It is also evident that the attendees planned for this particular
exploit, otherwise, why would they need to supply a custom url?

Can someone say RIGGED! And people why I get so disgusted with
Posted by Thomas, David (1947 comments)
DUDE!! You make me want to punch a baby, relax. Go make a video or something.
Posted by baggyguy1218 (155 comments)
Hacker says he "got lucky"
He posted a comment in this blog:

http://www.matasano.com/log/806/hot-off-the-matasano-

He writes, "I will say that applying slightly paranoid web browser
configuration changes will prevent this vulnerability from being
exploited. And no, I have not been sitting on this exploit, I
really did find the vulnerability and write the exploit that night. I
got lucky."

Of course, any javascript vulnerability that can lead to control of
the local user account has to be taken seriously. It's just that
the hyperventilating from anti-Mac people is just too much.
For all we know, this vulnerability has cross-platform

The people organizing this contest set out with the mission to
demonstrate that Macs were vulnerable to a remote attack.
When that challenge appeared to be going down in flames, they
changed the rules of the contest. The last thing they wanted to
do was actually reinforce the idea that Macs are pretty secure.

Let's be realistic. The same challenge with a Windows machine
as a target would not be newsworthy, and the machine would
not last 10 minutes. That said, of course there are
vulnerabilities in the Mac OS, as there are with any operating
system. This exploit demonstrates that fact, but it does not
"puncture" the notion that Macs are relatively more secure.
Without the rules change, the contest would probably have
passed with no successful hacks. One of the two Macs was not
hacked at all.
Posted by Thrudheim (306 comments)
What I'd like to see...
Leaving out for the moment the OS X/Windows fanboys flinging
dog dung at each other I'd like to see the following occur. Let one
of these "security researchers" sit down and write an operating
system or an application from scratch with the requirement that it
be 100% secure before it is released to the public. Does anyone
think said os or app would EVER get released? As the old saying
goes, "At some point you have to shoot the engineers and start
production." As long as the os and app makers fix things brought
to their attention that's good enough for me.
Posted by lkrupp (1608 comments)
I wonder if it applies to a PPC Mac
I know it's the same OS but the architecture is different and the
updates for the OS are a bit different. Seems to me that Macs have
gained (hacker) attention after the Intel switch. Nobody would
bother to hack or disprove that a Mac was insecure when they
were PPCs.
Posted by wayland.ind (20 comments)
If it's Java, as has been reported,
it may apply to every OS and browser that uses Java. This may not
be only an Apple problem.
Posted by Macsaresafer (802 comments)
Who cares about that?
Truth is, today they are Intel and they too now suffer with much of the malware Windows PCs always did.
Posted by Fil0403 (1303 comments)
I don't think so
Seems like this is a software-only hack for OS-X and the current
variant of Safari. If you can run OS-X on the PPC-Mac, it might have
the same effect. The chipset is not relevant here.
Posted by grtgrfx (221 comments)
"If it is an actual zero-day in Safari that's fine with us"
"If it is an actual zero-day in Safari that's fine with us"

What does that statement mean? Security is not important, because they're just feeling confident?
Posted by Gunady (191 comments)
They're talking about TippingPoint's bounty
TippingPoint is offering money for anyone who discovers new zero-day exploits.

The statement was explaining, if the problem turns out to be a new zero-day exploit, then TippingPoint is ok with paying money for the find.
Posted by mbenedict (1001 comments)
Not really news
A Mac getting hacked at a conference meant to test the Mac's security isn't really news.

Now, if this hack occurred in the wild and it spread like wildfire, now that would be news, but it just doesn't happen to Macs like it does to PCs.
Posted by thedreaming (573 comments)
The Zoo
I agree with you. Setting up a Mac-Hack in a custom environment,
and then saying "AH HAH!" is like going to the zoo, and assuming
that animals in the wild exhibit the same behavior.
Posted by Gromit801 (393 comments)
Yes Because...
There aren't enough Macs around to call it a wildfire...
Posted by kmchattie (19 comments)
Not true
He found the vulnerability when? How long has he been a
security researcher?

What he wrote in under a day was something that exploited this
vulnerability on a website.

I myself object to the carnival atmosphere and the reward. You'd
almost think that security firms, having made a bundle on
Windows but now being excluded from getting similar claws on
Vista, are just developing a new market for themselves on the
Mac through brute force.

As it happens, I run Virex, and I'm behind a NAT firewall, so I'm
not among any straw man group of people who supposedly
maintain that the Mac CAN'T be infected, just that it wasn't. And
it isn't, yet.

At work, I have to use Explorer. The pop-ups and the obvious
phishing attacks are extraordinary. I hope that day never comes
on the Mac.
Posted by swift2--2008 (197 comments)
Are you really that naive?
Nobody hacks the Mac because it isn't worth it. There aren't enough of them to cause real damage. So no hacker wastes his time writing code for them. If you Apple heads think that you have some superior machine and OS that can't be hacked, you're not only naive but you're iTards. If the day ever comes that Macs grab a significant market share, you can rest assured that your Macs will be hacked and infected right along with the Windows machines.
Posted by kmchattie (19 comments)
The Funniest Thing ...
I think the funniest thing about this topic is that everyone is like "AHHH! Mac got hacked!" and some people are in denial, some people are claiming it was a conspiracy. Some people are saying this is why Macs are worse than Windows machines.

The best part about this is that if someone was to turn around tomorrow and say 'There is a security flaw in Windows which allows administrative control of your machine to mindlessly send out mass spam email'... it's like 'Wow... like this hasn't happened before...' *sarcasm*

Moral of this comment: Mac gets exploited... Windows users go HAHA. Mac users go IT DIDN'T HAPPEN.

Windows gets exploited... everyone goes 'meh, nothing new.'

Posted by Bid13 (9 comments)
I'm with you...
"Moral of this comment: Mac gets exploited... Windows users go HAHA. Mac users go IT DIDN'T HAPPEN.

Windows gets exploited... everyone goes 'meh, nothing new.'"

Bid13, your post is the first to really sum it up with any semblance of sanity.
Posted by Kings X Rocks! (89 comments)
Contrary to Windows enthusiasts' commonly held belief, there are
plenty of games for the Mac. I just counted 118 on my machine!!
Posted by hriik (15 comments)
These games tend to lag behind the PC games industry and it's
really only going to get worse with the adoption of DX10. The
depth and breadth of the games available on the PC are, simply
put, unmatched on the alternative desktop/laptop platforms.
This is frankly undeniable. This isn't to say OS X couldn't be a
good game platform, OpenGL is suitable for many games, but
the market isn't there for it (considering how much it costs to
develop a top shelf game the development companies generally
play to the numbers). Even if Apple really pushed to become a
gaming platform I don't think it could catch up inside of the next
5 years.
Posted by rapier1 (2722 comments)
Ok please stop pretending...
that the stupid little card games on your Mac are what anyone is talking about when they say there aren't games for a Mac. It is undisputed that the games that are popular on regular platforms like Xbox, PS2 and PC are not offered on a Mac when they are initially released, and unless they are hugely popular they never get ported to a Mac. So please stop pretending that you can have the same gaming experience on a Mac as you can on a PC. You can't (unless you install Windows XP on another partition of your hard drive and run them there...)
Posted by kmchattie (19 comments)
What kind of games are we talking about here? Minesweeper and pinball? If you are talking cutting-edge games PCs have access to, the list is short indeed for Mac choices.
Posted by nystagmus (1 comment)
Posted by thierry.laval (4 comments)