Macaulay, a software engineer, was able to hack into a MacBook through a zero-day security hole in Apple’s Safari browser. The computer was one of two offered as a prize in the ‘PWN to Own’ hack-a-Mac contest at the CanSecWest conference. The successful attack on the second and final day of the contest required a conference organizer to surf to a malicious Web site using Safari on the MacBook – a type of attack familiar to Windows users.
I have to admit that I am quite surprised by the outcome of this. I assumed that someone would find a way of breaking the security with the original contest rules, before they had relaxed them.
Some will argue that this does not constitute a proper hack since it requires visiting a particular URL with Safari. But, let’s face it, it really isn’t that hard to convince at least some percentage of users to have a quick look at a URL.
Also, people will complain about the lack of root access – last time I checked you could still do a significant amount of damage to the user’s files without being root!
However, what I am really quite interested in is if this is technically a bug in Safari itself or WebKit that causes the security failure. There are quite a lot of programs on the Mac using WebKit these days and could all potentially be vulnerable. Also, if the issue is with WebKit it would be interested to know if this has been fixed somewhere between the Tiger release of Safari and the current WebKit nightlies.
In addition to your questions; if it is a drive-by zero-day exploit for Safari – does it rely on the “automatically open files” preference (which should be turned off by default, but isn’t, and most knowledgable users disable)? They also didn’t get root either, nor was any remote exploit found, so this is not much unlike a mediumly critical drive-by IE exploit.
All OSes have security flaws, OS X managed to hold up quite well against a concentrated effort; unlike a Windows machine with the firewall off and all ports open (hello Blaster32)
“””
All OSes have security flaws, OS X managed to hold up quite well against a concentrated effort
“””
Indeed. I’m a Linux advocate. And the last Apple I owned was a II+. But I am impressed with MacOS X’s performance in this contest.
Basically, my summary of the article would be that if you offer a bunch of people $10,000 and give them 2 days to hack into one of 2 Macs with known configurations, and then relax the rules on the second day, after no one was able to do it on the first, then one person, with an accomplice, can gain non-root access to one of them using a method which invokes social engineering in its method.
Of course, the OSNews headline reads “MacBook Hacked in Contest at Security Event”. One wonders if they pondered using exclamation points. ๐
Apple really should do an “I’m a Mac, I’m a PC” commercial in which people drive by in cars periodically and shoot bullets into the PC guy. The Mac guy could casually reveal at the end that he is wearing a very stylish kevlar undershirt.
Edited 2007-04-21 18:18
They offered $10,000 for a zero day exploit. For “merely” hacking the ibook you were given one.
LOL!
It’s Safari. If it were WebKit he’d have the brass to state it. He should svn the webkit and test the exploit.
“If it is an actual zero-day in Safari….”
My first thoughts were, “It took two days and not just minutes like a McSoft product?”
I am an academic so I have to see how it was done, usually with documentation, before I would make a claim it was an actual zero-day exploit.
There is also money involved so I hope we don’t have two goober heads trying to cash in.
You’re an academic and yet you don’t seem to have read or comprehended what you read. This was not some script kiddie using a know exploit. It was a brand new exploit.
Do you honestly think someone can find a new bug in a Windows install and develop an exploit for it in 2 days. Thats what happened to the Mac install. I doubt it can be done much faster than that.
“My first thoughts were, “It took two days and not just minutes like a McSoft product?””
“..and wrote the exploit overnight in about 9 hours, he said.”
“I am an academic so I have to see how it was done, usually with documentation, before I would make a claim it was an actual zero-day exploit.”
as an academic: ask him or wait for Apple’s patch and ask him (the information will no be released before patch, which is quite normal).
as an academic, you should know how things works (with information release)
In other news, I hacked into your linux box today, w00t!
Seriously, I don’t accept the definition “hacked into a Macbook”. What exactly did he achieve? Full control? Safari crash? Kernel panic? This is just pathetic news. We can leave out the details about the actual exploit, but please at least let us know about the impact. Otherwise this news item looks extremely childish.
“CanSecWest organizers relaxed the rules Friday after nobody at the event had breached either of the Macs on the previous day.” – now what’s THAT supposed to mean?
Found this info at CanSecWest:
http://cansecwest.com/post/2007-04-20-14:54:00.First_Mac_Hacked_Can…
“the first box required a flaw that allows the attacker to get a shell with user level privilages”
Edited 2007-04-21 17:49
Even so, OSX is still light years more secure than windows XP and probably vista as well.
It doesn’t matter if there are some security holes in any OS, as a matter of fact the important thing is that who is better in security than the other player, not who is perfect or who is not.
Almost all Unix based systems are light years more secure than Windows and more important Unix appz are more rock solid runner than Windows due to low amount of serious bugs in those appz than those written for a closed source OS (windows). Actually I cannot see any application that is rock solid running on windows except being Microsoft produced, because they can track their errors to windows source, which open for them only.
Even so, OSX is still light years more secure than windows XP and probably vista as well.
I disagree. This test doesn’t prove anything. Nor do blind assertions of better security. Apple just patched a ton of security holes yesterday. I wouldn’t be too quick with such assertions.
Well, the number of security holes fixed by Apple this time is no larger than an average update with Windows Update – and that happens every month
“Apple just patched a ton of security holes yesterday.”
Ton=1000
Yesterday=1 day
So you said 1000 fixes in just one day!!!
Who is exagurating now!!
Ton=1000
Yesterday=1 day
1 Ton = 2000.
A metric ton is 1000kg.
“Even so, OSX is still light years more secure than windows XP and probably vista as well.”
“I disagree. This test doesn’t prove anything. Nor do blind assertions of better security. Apple just patched a ton of security holes yesterday. I wouldn’t be too quick with such assertions.”
Disagree all you want…. a fact is a fact!!!! OSX is more secure then XP…
Read the article. The guy found the vulnerability on the first day, wrote the exploit over night in 9 hours and had it demonstrated the next day.
If someone can find a NEW bug in MacOS that quickly imagine what will happen when Mac gets significant market share. It is no wonder Apple is looking for a security expert to head up a NEW security division within Apple. Actually they are trying to follow Microsofts lead in this regard but before it becomes a big problem as with Windows.
If this story had come out about Vista people would be bad mouthing Microsoft. Yet because its Apple most people jump to any defence they can think of.
Firefox has exactly the SAME security holes. Just take a look at the changelog each time a patch is released from the Mozilla fondation.
So what ? Linux will be the same as windows if it gains market share ?
So what ? Linux will be the same as windows if it gains market share ?
Yes, that may be so, but not for the reason you might think.
The problem is that when an OS reaches a wider audience is that, it then will also reach people who will do all sorts of stupid things. E.g. how many Fedora or Red Hat users haven’t already turned off SELinux, instead of fixing the policy (or report a bug) when some of their programs runs into trouble.
There are no such thing as a secure OS. The only difference between different OSes is the level of assistance they can give to a sysadmin that want to keep his system safe.
In Linux there are a lot of tools like that e.g. SELinux, iptables, chroot, various intrusion detection systems, it is quite easy to set up one time passwords, binary files can be mounted read only,…
Then there are passive systems that are there always regardless the action of the user or sysadmin such as ExecShield and randomization of addresses.
In fact there are so many ways to keep Linux safe, that the proper question is not if Linux is secure, but rather how secure should your system be. You migt find that correct answer is not always as secure as possible as secure systems regardless of OS have a tendency to get inconvenient to use. This is by the way why people turn off SELinux.
Instead you must evaluate the value and threat matrix to make the security fit your needs.
I mostly agree to your post, but let me comment the following statements:
“The problem is that when an OS reaches a wider audience is that, it then will also reach people who will do all sorts of stupid things.”
And these people will (indirectly) assist those who see Linux as a new target for spreading spam, for data espionage or other annoying or criminal intends. So the question is: How much will the OS allow actions to override intended security barriers?
“E.g. how many Fedora or Red Hat users haven’t already turned off SELinux, instead of fixing the policy (or report a bug) when some of their programs runs into trouble.”
This is one example. Another one could be people usually working as root, because they don’t want to be bothered with dialog boxes asking for the root password if they want to install or set something. Passwordless root accounts can turn nearly every secure Linux installation (as it is assumed to be by default after installation) into a mail relay, an automated port scanner or a storage facility for… you know.
“There are no such thing as a secure OS.”
I’d say the level of security is determined by what the OS allows in regards of unsafe actions, or, how many means they offer to protect the system (firewall, packet filter, diagnostic tools etc.).
“The only difference between different OSes is the level of assistance they can give to a sysadmin that want to keep his system safe.”
Here we’re getting into real trouble. There is no such thing like a sysadmin. The average home user is “dumb user” and “skilled admin” in one person, tending to fit the one or the other description. (Of course, the same is correct for MICROS~1 OSes.) If Linux is going to reach more oh joy oh market share, it needs to be “dumbed down” in order to be more appealing to the first description. Here, only a good preconfiguration that is hard to override can be considered to be a secure solution here.
“In Linux there are a lot of tools like that e.g. SELinux, iptables, chroot, various intrusion detection systems, it is quite easy to set up one time passwords, binary files can be mounted read only,…”
It is, but who does this (if it’s not pre-done by the distributor)? Users tend to turn off security barriers instead of rising them.
“In fact there are so many ways to keep Linux safe, that the proper question is not if Linux is secure, but rather how secure should your system be. You migt find that correct answer is not always as secure as possible as secure systems regardless of OS have a tendency to get inconvenient to use. This is by the way why people turn off SELinux.”
You’ve described this phenomenon in a good way. But please mind my comment: If the means of security can be turned off, they are nearly useless. I hope further Linux distributions will not permit too much “customization” in regards of turning off security aspects.
it wasn’t a bug in Mac OS, it was a bug in safari. Safari does ship with OS X and if the default browser, so this is news, on the other hand, Safari is far from the only OS X browser, (no source, but i seem to recall it having a 65% user base with mac owners, but those numbers may be completely pulled from my ass, so huge grains of salt).
The bug was found on the first day but wouldn’t have worked with the initial rules of the contest, nothing anyone did worked with the initial rules of the contest, which is why they changed the rules to allow URL’s to be submitted.
Me? I’m glad, Safari is my browser of choice, and people finding bugs and getting them fixed just makes it more secure.
EDIT: Just read over on ars, that firefox is also effected, so this leads me to believe it isn’t the browser, but the actual OS, guess we’ll see
Edited 2007-04-21 19:55
I’ve read rumours that it was actually Java that was exploited (which would make sense, as it’d be one of the shipped-as-standard components utilised by all of the Mac OS X browsers), though the author of the exploit won’t confirm or deny until Apple releases a patch. He did state that it wasn’t anything to do with the (brain-dead) โOpen safe files automaticallyโ preference, though.
If this story had come out about Vista people would be bad mouthing Microsoft. Yet because its Apple most people jump to any defence they can think of.
.. and that is precisely why this has happened. If the Mac fans weren’t so quick to act as human shields as soon as someone criticizes the temple of Mac, then Apple would not be able to sit on its can, and allow this to have occurred.
Anyway, there is a bigger issue here.
Until the $10,000 reward was announced, no-one stepped up to take up the challenge. Seems to prove that these days, there has to be money in writing an exploit for folk to actually spend nine hours to do it.
So is ‘fame’ enough of an incentive to crack a Mac; on its own, apparently not.
I’m cynical. If it’s an actual exploit in Safari then so be it. It must be open to public review, repeatable and open to final criticism.
Edited 2007-04-21 18:15
we all know windows is as secure against hackers like paper against fire.
but that’s the funny site.
The UAC is new in Vista. OS X is doing this for years now.
So Apple know better about possible security flaws in this system than microsoft, because they have more experience with it.
But everybody here knows: no software is really secure. (Maybe OpenBSD with 2 expoits in 20 years, huh?)
“But everybody here knows: no software is really secure. (Maybe OpenBSD with 2 expoits in 20 years, huh?)”
That’s correct. Even if there was a 100% secure software, there are the users. “User security” cannot be measured in percent or anything else. If a mail goes around telling “just switch of this and that feature, click here and there, then reboot”, be best means of security could be overridden.
So, one goal of security should be to make it complicated for the user to abandon the means of protection provided by the OS of by installed programs. Security is intended. “Hackers” only succeed where (a) there are “hidden” holes or (b) where they are “invited”.
Oh? I did not know OSX had something as advanced as UAC, and I’ve been using OSX for years now.
You make the mistake of comparing UAC to OS X’ root/user divide, but this is like comparing a paper airplane to a Boeing 747 (with UAC being the Boeing). UAC is a *lot* more advanced than ANYTHING OSX has to offer.
Now, you can absolutely argue that UAC came 8 years too late (and you’d be right), and that OSx probably does not need something as advanced as UAC, but you cannot argue that OSX has anything as advanced UAC.
Sophistication is a flaw when it comes to security systems, not an advantage. I want my kernel to be advanced, I want my compiler to be advanced. I want my security system to be so simple that its self-evidently correct.
I would argue that UAC’s sophistication provide very few practical advantages over the sudo-mechanism used in Linux and OS X. In any case, most of that sophistication is there to get around the fact that the existing base of Windows software (particularly installers) really aren’t written to interact well with a non-priveleged user.
Mostly agreed, as I wasn’t contesting the above.
It’s Microsoft’s own fault they needed to come with UAC in the first place– Microsoft had a perfect base for an extremely secure OS ever since NT made it onto the scene (long before Apple even dreamt of OSX), but they blew it big time. Which is sad.
I’d be pretty pissed off if I were Dave Cutler.
“””
Microsoft had a perfect base for an extremely secure OS ever since NT made it onto the scene (long before Apple even dreamt of OSX), but they blew it big time. Which is sad.
“””
Sad, perhaps. But not unexpected. Microsoft has never had the right philosophical outlook to make security work well, regardless of the technical base they may or may not have had. Whenever they have had to choose between user friendliness and security, they’ve gone with user friendliness. By applying the same philosophy to attracting “developers, developers, developers!”, they’ve gotten to where they are today.
Sure, as of XP SP2 they started paying slightly more than just lip service to security. But at this point its like trying to raise the Titanic with a row boat and some fishing line.
Note that I did not choose the Titanic for this example simply because it is massive. But also because its structural integrity at this point is such that if one were able to latch on and apply lifting force, it would simply fall apart.
I think Microsoft’s focus was totally correct, from both a marketing and sociological perspective.
I’ve always personally been an advocate of ignoring security in favor of usability unless security in fact threatens usability. Home users want a tool that will do a bunch of things, they don’t want a tank that’s hard to steer and manage. If we were more active in using legal means to thwart virus distributors, we could have much simpler home computers. Multi-user systems are really not great for home use because there is no “admin” in the place to configure everyone’s rights and deal with security. No one wants to mess with this stuff unless they’re computer enthusiasts like us.
Microsoft and desktop computing would not have been as dominant as it is now, if security and it’s necessary usability horrors had been in it from the get-go. Part of the reason Microsoft has such a monopoly is that they pretty much created the market around them through low prices, ease of use, and “good-enough” software. The costs of “good-enough” are starting to mount, but I still think it’s a historical net benefit.
“””
I think Microsoft’s focus was totally correct, from both a marketing and sociological perspective.
I’ve always personally been an advocate of ignoring security in favor of usability unless security in fact threatens usability.
“””
Presumably, the wolf had not moved into the neighborhood when the first little pig built his house of straw.
Once trouble came to town, it was too late. One imagines that the little pig took some steps to try to reinforce the straw once he had heard about the danger. But if so, the efforts were ultimately ineffectual.
I’ll take a brick house, any day. But I’ll leave the chimney damper open for you. ๐
Not bad analogy. So when you see a wolf coming, you patch up what you’ve got an look seriously into building a stronger house…
But it’s not really a perfect analogy, because we don’t have a ton of “wolves” attacking human beings normally.
I prefer to think of viruses like terrorists. If we had nearly as many terrorists in the world as we have viruses, and if they could get away with as much impunity as virus writers, then it would be impossible to have shopping malls or any other large-scale public places. The problem with the PC is that you have to let people (programs) in, but while they’re doing business with you, you need to make sure they don’t blow the whole place up. Trying to live in the security world is tough. It’s absolutely necessary to have secure facilities, but I don’t think it would have been great growing up inside a high security military base.
Mmmm … can’t say I agree, but an interesting point of view nonetheless.
I guess the real point is it is easy to say ‘Microsoft should have done this’ or ‘Gates should have done that’, but we’re all speaking with two decades’ worth of hindsight.
Nothing humans code can be 100% secure.
Even those things not programmable. I used to say a powered-off computer was secure, but some ants eating my ps2 mainboard proved me wrong!
I read it and doubt its legitimacy. A well-documented `how-to` would go a long way in reversing my cynicism.
I do think – someone can find a new `bug` in a McSoft install and develop an exploit in minutes since most Wind exploits are based on the same foundation.
BTW, make sure to turn off your animated cursor.
Yes, there are tools designed to make Windows hacking easier… most notably the MetaSploit framework. It’s also a quite well-understood system, in that every hacker has spent time reading about the system design and the general structure of Windows. Once you can get an exploitable bug in in “Wind,” then there are a lot of things to help you widen that crack into a hole.
I don’t know why you’re advocating a well-documented HOWTO. The way these things usually work is that Apple releases a patch and a few days later the discoverer publishes what the flaw was. Wait a couple months for the patch to come out and then you can see the demo. Try it out on the unpatched system if you really don’t believe it.
I really can’t tell what kind of academic you are. I find your posts about “McSoft” pretty amusing, but not really indicative of a professor or researcher. A quick jaunt through your posting history doesn’t really reveal much understanding about computers… just a bunch of anti-MS propaganda, Mac-defensiveness, and declarations that you don’t use Wind or anything else by McSoft.
Your beloved system got “pwned,” so to speak… just like Windows boxes for many years. Get over it and just accept the facts.
As far as I’m concerned, it still seems to be a bug in safari, which is why I wouldn’t go for the Mac-vs-PC comparison, but rather for a vs. IE comparison.
Besides, seeing Vista’s slow ascension, the marketshare of OS X is probably quite comparable to that of Vista, besides OS X being significantly older.
Now let’s see how many Internet Explorer versions it will take before we will see a Cancel-or-Allow dialog before entering a website.
Seems to me that UAC is conceptually inferior to Sudo.
Hitting an “Accept” or “OK” button is Not Authentication.
So, in my book, Microsoft has screwed up another Better Unix concept.
What do you think the threat is that UAC tries to mitigate?
As I see it, UAC is about preventing applications from taking administrative actions on the machine without the user knowing. In that sense, it “authenticates” that the user is actually taking this action and not some program hijacking the user’s session.
It is also a way for Microsoft to force application devs to prepare their products for low user rights. It doesn’t make using a program impossible, but it does give ISVs an incentive to do things the smart way to avoid annoying their users.
Sudo has largely different purposes, which are rather similar to the “runas” utility in Windows. In light of this argument, why is sudo better?
Any OS is hackable. Some are just harder than others, but nothing is completely secure.
Yes, I am an academic. I am also human.
We cannot park our humanity at the door and there is nothing perfect in this world.
Especially operating systems.
Why am I a cynic when it comes to anything `McSoft`.
I spent six years as a `McSoft` only systems administrator at the college level. It was a Wind only environment. I’ve experienced the pain, yes pain, of the constant `churn` McSoft puts IT shops through.
Now at the university level I observe the same pain my McSoft counterparts in IT go through daily. The most recent was the completion of an AD migration and the death of an older Extra-Change server.
Talk about a convoluted process migration process and the tools were just adequate for the job. I don’t expect anything different from the marketing company in Redmond.
I’m flattered you took the time to page through all my posts. I sure don’t have the extra time to do that. I’m not going to chase all your posts on a site. That would be a rather strong obsessive compulsion.
As-far-as the yet unproven or unverified zero day crack of an OS X machine – I want to know specifics.
Anyone who works in IT likes to see well-documented subject matter and issues. Documentation includes specific `how-tos` or proof-of-concept notes.
Until then, I will assume this article is a hoax. It’s just like the one which states only 244 copies of Wind NT 5.x (whatever it marketing name is) were sold in China.
Ultimately, I like making fun as-well-as poking fun at software makers as-well-as marketing companies which pass themselves of as a software maker.
McSoft is selling its shoddy goods in China for the price of a “Big Mc” so there may be some degree of comedic irony in calling the Redmond marketing machine – McSoft.
For all intends and purposes – McSoft has killed itself. It will take a while for the marketing leviathan to die. It is not a mater of if – just when and in what stage. I predict in five years McSoft and it’s dancing clown CEO will be struggling for market share.
Linux, BSD and OS X are the future. You may want to move your McSoft and Dull stocks to others before these companied Focus Shift.
So help me out here. No one was able to remotely just hack the Mac on the same LAN or across the net coincidently we all know this is how the majority of Windows PC’s are hacked by just being on they are transformed to spambots. In any case they change the rules of the competition and allowed people to use the Mac to hack the same Mac and included any applications they custom created as well to go to any URLs with hacks wrote to break into that same Mac. Yeah that makes sense because that type of scenario happens everyday. (Let me borrow your mac to hack it) Hell I can break into a house if I am already in the house and have the disable alarm code.
FYI in true Linux/OSX and Unix fashion only the user was affected not the system and not he root account. There was no elevation of privileges so was it hacked?
So help me out here. No one was able to remotely just hack the Mac on the same LAN or across the net coincidently we all know this is how the majority of Windows PC’s are hacked by just being on they are transformed to spambots.
Actually most Windows based systems are hacked or exploited the same way as what happened in this contest, someone goes to a website and something bad happens.
Its a rare gem that spreads with no interaction and causes widespread damage without the user doing anything.
Apple users are astounding! Now, there apparently is a security vulnerability in Safari and they have nothing better to do than to downplay it… astounding. In a bad way.
Though the discovered flaw is serious enough as it allows to compromise a user visiting a malicious web site, this is not hacking per say because they could not compromise and take a root access of the sitting mac, so well by definition it was not hacked.
However ther is a security hole affecting mac users now and from the last news concerning the exploit, it seems that the security hole affects Java. So turning off Java in the Preferences in Safari should protect users. Also not that because it affects Java it seems that Firefox is also affected, this is not specific to Safari.
http://www.matasano.com/log/806/hot-off-the-matasano-sms-queue-cans…
Given the conditions of the test I am not at all surprised. I would have to say I think any OS would have been hacked under those conditions. All they really proved is that if the conditions are right it is relatively simple to hack a computer.
And I would also say that the way I have my OS X, Linux and BSD machines set up I doubt that any of them would have been hacked in the alloted time. For one thing, they would not have access to any of the machines unless they were to break into my house. ๐
The good thing to come out of this is that it demonstrates the need for good security practices no matter what OS you use. The sad part is that the people who really need to take note of this will not do so and so nothing will change.
Let me know when a hacker exploits something from the internet without being given access to so much.