
April 20, 2007 4:03 PM PDT

MacBook hacked in contest at security event

Last modified: April 20, 2007 8:09 PM PDT

VANCOUVER, B.C.--Shane Macaulay just got himself a free MacBook.

Macaulay, a software engineer, was able to hack into a MacBook through a zero-day security hole in Apple's Safari browser. The computer was one of two offered as a prize in the "PWN to Own" hack-a-Mac contest at the CanSecWest conference here.

[Photo: Hack-a-Mac winner Shane Macaulay attacks a MacBook at the CanSecWest conference. Credit: Joris Evers]

The successful attack on the second and final day of the contest required a conference organizer to surf to a malicious Web site using Safari on the MacBook--a type of attack familiar to Windows users. CanSecWest organizers relaxed the rules Friday after nobody at the event had breached either of the Macs on the previous day.

Macaulay teamed with Dino Dai Zovi, a security researcher until recently with Matasano Security. Dai Zovi, who has previously been credited by Apple for finding flaws in Mac software, found the Safari vulnerability and wrote the exploit overnight in about 9 hours, he said.

"The vulnerability and the exploit are mine," Dai Zovi said in a telephone interview from New York. "Shane is my man on the ground."

Apple spokeswoman Lynn Fox declined to comment on the MacBook hack specifically, but provided Apple's standard security comment: "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users."

Dai Zovi plans to apply for a $10,000 bug bounty that TippingPoint announced on Thursday, payable if a previously unknown Apple bug was used. "Shane can have the laptop, I want the money," Dai Zovi said. TippingPoint runs the Zero Day Initiative bug bounty program.

A TippingPoint representative said the company would pay, after looking at the vulnerability. "If it is an actual zero-day in Safari that's fine with us," said Terri Forslof, manager of security response at TippingPoint.

The successful hack comes a day after Apple released its fourth security update for Mac OS X this year. The update repairs 25 vulnerabilities.

CanSecWest organizers set up the MacBooks connected to a wireless router and with all security updates installed, but without additional security software or settings.


194 comments (Showing first 20 comments)
Safari got hacked.
by Macsaresafer April 20, 2007 5:03 PM PDT
Still no root level hack. But Cnet will be cnet, so we get this title.
Shine some light on anything
by sanenazok April 20, 2007 5:03 PM PDT
and you'll find flaws. I feel bad for the guy who wasted a perfectly good 9 hours to hack into this platform.
Security Software Updates?
by Llib Setag April 20, 2007 5:23 PM PDT
Did this MacBook have the latest Mac OSX Security Software updates that CNET reported very recently about on this site?

Which version of MAC OSX was on the MacBook? OSX 10.4.9 with latest security updates?

Macs & PCs both are not hack proof & Apple has never said it was, but Apple & MacOSX has a loooooooooooooooong way to go before ever catching up to Windows security problems ( even VISTA OS ).
What got Hacked
by dscottbuch April 20, 2007 5:40 PM PDT
Once again typical CNet reporting. What exactly got hacked?

"The successful attack on the second and final day of the contest required participants to surf to a malicious Web site using Safari--a type of attack familiar to Windows users. CanSecWest organizers relaxed the rules Friday after nobody at the event had breached either of the Macs on the previous day."

So it's considered to be hacked to simply surf to a web site? Also, how were the rules relaxed???? It seems they COULDN'T hack it as originally set up???

Why can't CNET at least provide a link to the real story.
I wonder...
by System Tyrant April 20, 2007 7:05 PM PDT
what people will say if the Mac is ever hacked and root access is gained?

That's a rhetorical question because if the Mac is successfully hacked someday like that, Mac fanboys will find some way that it wasn't really a hack. On the other hand Windows and maybe Linux fanboys will be pointing and saying we told you so.

The reality is that all software has flaws and some flaws in some software will allow the hacker to gain full control over an entire system. I think it's a much safer and less arrogant statement to say that the Mac could possibly be hacked, but due to flaws being fixed quickly and the fact that it has a good platform under it it's less likely to be hacked in any meaningful manner.

But that's probably asking too much. :-P
Not correct
by keaggy220 April 20, 2007 7:56 PM PDT
Go back and read the article...

The article states the hack occurred on the second day and only after the rules were relaxed. Personally, I can't believe how tight OSX is...

I imagine a lot of Mac haters that participated are having a bad weekend - haha...
Dude don't let your Mac hate
by keaggy220 April 20, 2007 8:00 PM PDT
screw up your logic... It was hacked at user level and only after the people running the contest realized they were about to be totally embarrassed because nobody was even able to do that - so bent the rules... This, to me, is priceless... haha
Good News!
by jypeterson April 20, 2007 9:23 PM PDT
This is good news on several levels.

1) The Mac was exploited which means that it is one more flaw that will be corrected by Apple.

2) The first day went by without a successful attack. Macs will be able to continue to fend off attacks.

3) The root level test is still not won. This is very good because the hierarchy within OSX is robust.

4) No successful wild viruses or Trojans for OSX (so far). It continues to be the case for the ~22 million OSX users (and five years of OSX) that there is not a virus in the wild that exploits OSX. Impressive.

There are flaws in all software, but the fact remains that OSX (and Linux) is far more secure than any Windows operating system.
Hacked only after rules were relaxed...
by Matthew R. April 21, 2007 4:09 AM PDT
You notice something, the caveat to the entire hack issue is that it was hacked after, and only after, the rules were changed. If the rules stayed the same, there could have been a very good chance the MacBook Pro may never have been hacked. I'd like to know what rules they changed, and how it affected the end results.
How about a truly meaningful "real world" hack?
by drdocument April 21, 2007 7:51 AM PDT
Rather than creating an artificial set of conditions, how about a practical test?

I consider myself an "average" Mac user, OS 10.4.9 with all updates, OS X firewall on (default), one user with admin privileges, always-on DSL connection with firewall enabled in DSL router (default).

Can you reach my Mac? If so, can you do any meaningful harm?
Who is Shane?
by elektroboi April 21, 2007 8:30 AM PDT
I read this article twice to be sure I didn't miss anything. Who the heck is Shane? You can't just call out someone's name without saying who they are. Was this two people working on the flaw? Is Shane the one at the conference? What about this McCauley person? And what's going on with this Dai whatever guy who wants the credit and the money? Revise your article!
Time for the Bottom Line...
by ZeroJCF April 21, 2007 11:49 AM PDT
1) XP can be as safe as you want it. I have run XP & 2000 before that, without any virus problems. Why? Because I am not an idiot who does not know how to use my Windows PC. Is Windows any less safe than OSX? Yes and No. Windows does a lot of things that make it easier to hack, but all of that is mostly related to the compatibility it provides.
2) MACs are more stable, crash less, and have very little security concerns to date. It helps that OS-X runs on only ONE SET of hardware configs (By Apple), as opposed to Windows that runs (well, most of the time) on everything. Have Apple open up and run on Gateway, Dell, HP, Lenovo, PC's, with all types of video cards, TV capture cards, sound etc... and then we will see how stable it is. Be real about it.
3) About 90% of my fellow mac users (peeps I know) run Parallels with XP because they could not do EVERYTHING with OSX. I was just at the 5th Ave store in NY and they were doing a demo for everyone. Seriously, look at the revenue for the company. Look at VMware. If there wasn't a need for Windows, then they wouldn't touch it. Where is that in the commercial?
4) Where is Apple's R&D answer? Give me an alternative to Exchange (as an actual alternative, Leopard makes great strides, as marketed, but is not there). Give me an alternative to Office (I don't want that crappy Open/StarOffice). I want an innovative Apple solution, that WE ALL KNOW they can do.
5) Building on 4. Software Development. For Mom & Pop and Niche users, OS X (Native) is great. But for other enterprises (Medical/Finance/RealEstate) there are no OS-X solutions. Believe me, I've looked. I wish Apple would get a better hand in those industries, then maybe OSX could be an end-to-end alternative. OSX does not count as an alternative if you still need to run windows or IE people!!!!
6) Market Share. What will we do when Windows goes away? (It will, people, & thanks to Vista, it can come quicker than you think.) Do you think hackers and virus makers will just find something else to do? Of course not, they will turn to whatever else the main stream is working on. There were viruses and hacks before Windows came out my friends, and those systems were Unix based.
7) You stupid FanBoys (M$ & crApple) are a constant amazement to me. Nothing is said short of the fact that you each hate each other's side. Half of you have no idea what you're talking about and basically are regurgitating media press. Gates does not care about you and neither does Jobs, so stop freakin defending them!!!
8) Not everyone is tech savvy. A majority of these people that use computers now did not grow up with them like we have. These are the same people that can't use their DVR/VCR/TV correctly, and you want them to be smart about computing??

I run my MacBook Pro (2.33/2GB) with Parallels, and it runs great. Probably one of the better computer solutions I have had. The regular MacBooks suck (as I traded up for the Pro after 2 weeks). I love my MBPro and think there is a way for Windows and OS-X to finally coexist in harmony on one hardware platform. The credit for this has to go to Apple. Sorry M$, but you guys have missed the boat....ran off the dock....and drowned.
Already fixed?
by kyler April 21, 2007 1:43 PM PDT
Yesterday there was a security update for all PPCs. I downloaded it, but not sure what it fixed exactly. You can go here and figure out if it fixed the Safari problem (I'm not tech-savvy, so you tell me):

http://www.apple.com/support/downloads/securityupdate2007004ppc.html
Please list Vista vulnerabilities
by Considerate One April 21, 2007 1:55 PM PDT
Then we can discuss which system is more secure...
Blank affirmations such as "Vista sucks" don't actually help get to the bottom of the discussion.

Contrary to Apple's brainwashing campaigns, you'll find out that Mac has been showing quite a few more vulnerabilities than Vista so far.
There are good discussions in security forums about the degree of such vulnerabilities. That's a rather more subjective point. Some people say that although Vista security holes are less common than OSX, they are more dangerous.
I sincerely can't discuss this because I'm not a security expert. But, for me, any vulnerability that causes your computer to be owned is as bad as it gets... And all you need is one unpatched vulnerability to be screwed... So even a smaller number is not that much of a guarantee for me.

In other words, even if Vista is quantitatively more secure than OSX, or if OSX has less critical flaws, the fact that both have any vulnerability that could cause the system to be compromised is what needs to be addressed.
So drop the "MS this" or "Apple that" and let's push both companies (that make a lot of money out of us) to be better. That's what will help US in the long run.
Hacked?! Oh Really! NOT!
by Thomas, David April 21, 2007 9:38 PM PDT
After reading the "sensationalistic" slant to this story, I decided to go and find out about the "relaxed rules".

The rules aren't rules at all. It's a joke. This is what I have found out. The computers were set up practically "out of the box". The security updates that have been recently released were not used. The following is a quote ... "CanSecWest organizers will set up the MacBooks with their own access point and all security updates installed, but without additional security software or settings. Attendees will be able to connect to the machines via the access point through Ethernet or Wi-Fi, according to the CanSecWest Web site."

This is how everyone who gets a Mac will have their computer "configured". This means the computers were set up the same way anybody else's MacBook would be set up. After only one day, they decided to relax the "rules". Once again, the statement is deliberately misleading, because it has nothing to do with rules. This is what they did next. I need to make space for this:

"As originally planned, the rules for the hack a mac contest were relaxed on Friday after nobody had won the contest on the previous days. In the relaxed set of rules, a URL was provided that exposed Safari to a "specially-constructed Web page" which allowed the hacker to gain shell access to the MacBook. The URL opened a blank page but exposed a vulnerability in input handling in Safari, Comeau said. An attacker could use the vulnerability in a number of ways, but Dai Zovi used it to open a back door that gave him access to anything on the computer, Comeau said.

According to Matasano, Apple's most recent Security update does not address this specific issue with Safari."

Am I to understand that the person hacking the computer is the person using the said SAME computer?! Whatever, seems to me that a lot more than a helping hand was needed to create this "hack". Technically it is a hack. But if local access is required, I think I'll take the blue pill.
Dude...
by baggyguy1218 April 21, 2007 10:01 PM PDT
DUDE!! You make me want to punch a baby, relax. Go make a video or something.
Hacker says he "got lucky"
by Thrudheim April 22, 2007 8:35 AM PDT
He posted a comment in this blog:

http://www.matasano.com/log/806/hot-off-the-matasano-sms-queue-cansec-macbook-challenge-won/

He writes, "I will say that applying slightly paranoid web browser configuration changes will prevent this vulnerability from being exploited. And no, I have not been sitting on this exploit, I really did find the vulnerability and write the exploit that night. I got lucky."

Of course, any javascript vulnerability that can lead to control of the local user account has to be taken seriously. It's just that the hyperventilating from anti-Mac people is just too much. For all we know, this vulnerability has cross-platform implications.

The people organizing this contest set out with the mission to demonstrate that Macs were vulnerable to a remote attack. When that challenge appeared to be going down in flames, they changed the rules of the contest. The last thing they wanted to do was actually reinforce the idea that Macs are pretty secure.

Let's be realistic. The same challenge with a Windows machine as a target would not be newsworthy, and the machine would not last 10 minutes. That said, of course there are vulnerabilities in the Mac OS, as there are with any operating system. This exploit demonstrates that fact, but it does not "puncture" the notion that Macs are relatively more secure. Without the rules change, the contest would probably have passed with no successful hacks. One of the two Macs was not hacked at all.
What I'd like to see...
by lkrupp April 22, 2007 10:21 AM PDT
Leaving out for the moment the OS X/Windows fanboys flinging dog dung at each other I'd like to see the following occur. Let one of these "security researchers" sit down and write an operating system or an application from scratch with the requirement that it be 100% secure before it is released to the public. Does anyone think said os or app would EVER get released? As the old saying goes, "At some point you have to shoot the engineers and start production." As long as the os and app makers fix things brought to their attention that's good enough for me.
i wonder if it applies to a PPC mac
by wayland.ind April 22, 2007 2:58 PM PDT
i know it's the same OS but the architecture is different and the updates for the OS are a bit different. seems to me that macs have gained (hacker) attention after the intel switch. nobody would bother to hack or disapprove that a mac was insecure when they were PPCs.
"If it is an actual zero-day in Safari that's fine with us"
by Gunady April 22, 2007 6:47 PM PDT
"If it is an actual zero-day in Safari that's fine with us"

What does that statement mean? Security is not important, because they're just feeling confident?