It's worth remembering that when it came to attacks based directly at the platform rather than applications running on it, there were no contenders, which bodes well for the default security posture of all three platforms.
Was this a case of OSX really going down, or was it related entirely to the flaw in Safari that opened the system to remote access?
I think it's an important distinction because this is the direction the blackhats are moving in. The days of open ports in Windows are over, even Microsoft has taken to a more responsible security design. Linux and OSX already had a natural advantage in this area. So attacks will no longer be against the platform, necessarily, but more against the applications running on top of them. Browsers, plugins, media players etc. will all be the focus of blackhat activity, and that is disconcerting because it means that vulnerabilities in an application on one platform could be easily transferable to other platforms. A flaw in Firefox is often a flaw in Firefox Win/OSX/*nix. The flaw in Safari that broke OSX could easily apply to the Windows version as well; hard to know without disclosure yet.
It's good that we have a choice of secure platforms to use, but now there is the whole issue of needing ISVs to take the same security approach that the OS vendors have often been forced to take, otherwise it will all be for naught. The platform can certainly help minimize the damage a rogue app exploit can cause in a cross-platform app, but it's still an issue that will need to be addressed.
As much as I'm tempted to giggle a bit at the fact that OSX was the first to go down, I don't think it's Apple the OSX vendor that should be blushing. It's Apple the software company that should be concerned, but that could just as easily have been Adobe or someone else. In fact, I was kind of expecting it to be Adobe with all of the flash issues they've had lately.
Anyways, will be interesting to watch and see what happens over the rest of the contest.
From the Register:
"Charlie Miller, who was the first security researcher to remotely exploit the iPhone, felled the Mac by tapping a security bug in Safari. The exploit involved getting an end user to click on a link, which opened up a port that he was then able to telnet into. Once connected, he was able to remotely run code of his choosing."
http://www.channelregister.co.uk/2008/03/28/mac_hack/
Do I understand this correctly? An interaction of the user has been required to achieve the goal of hacking?
From the description above: "Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but yesterday the rules were relaxed so that attackers could direct contest organisers using the computers to do things like visit websites or open email messages." - Is this still hacking? Relying on user interaction can help you to compromise any system. I always thought this is nothing spectacular because nearly anyone can do such "easy" stuff (faked maintenance websites, faked system alerts etc.). The same techniques could have been used to hack into the Linux and "Vista" boxes as well, just if the user replies to a mail like "Dear Bob, please send me your root password back. thanks!" :-)
I believe that the user had simply to visit the site with the exploit. That site might as well have been a Google search result.
Apple is already working on a fix, as they always do when these things come out so publicly.
"I'm a MAC"
"I'm, a PC"
"And I'm a cracker. Bang! Bang! You're dead!"
Also from the description above: "Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but yesterday the rules were relaxed so that attackers could direct contest organisers using the computers to do things like visit websites or open email messages."
From the same link: "Not a single attendee entered the contest on day one, when all vulnerabilities had to reside in the machine's operating system, drivers or network stack."
Nobody even tried under 1st day rules, because exploits were very unlikely. As Elseware already mentioned, the days of zero user interaction remote exploits are pretty much over. Even XP-SP2 can withstand that.
Yes it is. Because visiting an unknown website or opening an email is not supposed to be able to execute arbitrary commands on your computer.
You thought wrong, because the Ubuntu and Vista laptops were still being attacked under the same rules when the Mac was down (each had their own cash prizes), but they withstood the rest of the day.
Of course it is still classed as hacking. How do you think a Trojan horse operates? Exactly like the Trojan horse of legend. It would just sit there doing nothing until the people of Troy interacted with it, in their case, pulled it inside their town.
A computer Trojan horse is useless unless the user allows that into the system.
The exploit involved getting an end user to click on a link, which opened up a port that he was then able to telnet into. Once connected, he was able to remotely run code of his choosing. "
If that is true, the following observations come to mind:
1) telnet itself is obsolete because of security reasons, and sshd should be off by default in desktop systems (and regular user should not be able to turn it on).
2) Only root should be able to open a port.
3) Even if arbitrary code is executed as regular user, it shouldn't be able to get root account, except, maybe, by privilege escalation. Privilege escalation is an issue in Linux as well (as discussed in the "fakesudo" thread in Ubuntu forums), but I think the risk can be avoided if you never su or sudo from your regular user account. Instead, create a new user from whom you su or sudo, and run a lightweight DE with this user in another tty, just to run synaptic and things like that. I'm assuming a user program can run a fake KDE session fullscreen, but it can't capture CTRL+ALT+F8. I have to check that one, though.
So, even if it was a vulnerability in Safari, it was the OS fault if this led to a remote root login without the user entering their password. Not to mention that Safari is an Apple program, installed by default in OS-X, so there are no palliatives.
1) telnet itself is obsolete because of security reasons, and sshd should be off by default in desktop systems (and regular user should not be able to turn it on).
The telnet service is obsolete sure. Telnet as a client is an easy way to connect to an arbitrary service on an arbitrary port. Taking as a random example it is a good way to connect to an exploit that is listening on a port...
2) Only root should be able to open a port.
Uh... you are aware that if a Linux distro were so ill advised as to do this it would break many things? The idea is only root should be able to open privileged ports.
That is the definition of privilege escalation yes...
This has nothing to do with privilege escalation. This is malware.
So, even if it was a vulnerability in Safari, it was the OS fault if this led to a remote root login without the user entering their password. Not to mention that Safari is an Apple program, installed by default in OS-X, so there are no palliatives.
It in theory will stop some privilege escalation attacks, but not all. In general setting up your system like that would be too inconvenient for most normal users (especially of OS X).
Latest update, from the third day:
"2:30pm PST Update: Its been two hours so far, and both Vista and Ubuntu laptops are still standing. Stay tuned..."
Check for more updates here:
http://dvlabs.tippingpoint.com/blog/2008/03/28/pwn-to-own-final-day...
Yeah, I agree, and this is a worse threat, in my opinion, because few applications have the scrutiny that the OSes have.
Well - according to the site the next one was Vista. They used a 0day exploit in adobe flash and cracked Vista.
Ubuntu was the survivor of the contest as far as I understood.
Seems Linux still is the safest OS - at least in this contest. Too bad they did not include the BSD flavors and things like Solaris, but I am very pleased with this outcome...
It will be interesting to see which laptop gets pwned next.
It would be nice if Ubuntu holds its ground. That said, Ubuntu isn't the most secure distribution out-of-the-box, since AppArmor or SELinux aren't configured by default.
Fedora or RHEL would have been better contenders because they have more security defense mechanisms by default.
I think the goal is to use common, default setups. And let's face it, Ubuntu is the common distro at this point. In other words, I think it makes sense to settle for Ubuntu.
Get over yourself. They only have one computer to equip with Linux, and only one distribution to run on it. Ubuntu is the most popular, whether you like it or not.
Well, to be honest Mollinneuf was somewhat correct when pointing out that the EeePC has been very successful and probably is about to turn Xandros into THE layman Linux distro. Ubuntu has a large mindshare within geeks and early adopters and the fact that ShipIt will send CDs free of charge to whomever asks for it certainly has something to do with it, but I still think that you're jumping the gun a little when saying that Ubuntu is Linux for all intents and purposes. It isn't for me and for a lot of people that I know (and I DO know personally lots of Linux users, mind you!)
If the deciding factor for most appropriate distro to represent Linux was "most vocally present group" then Ubuntu might have been the correct choice. Meanwhile, back in the real world, Red Hat has been around far, far longer than Ubuntu, is installed in the enterprise around the world and used by thousands daily for real world computing, not just the "lookit ma I can install Linux now too" crowd.
Here's a nice summary of the rules of the game in the Arstechnica forums:
http://tinyurl.com/26spyy
The important part (and most damning for Safari/OS X) is that each of the three machines had their own $10,000 cash prize, and the attacks on the Vista and Ubuntu machine continued after the Mac was down, but nobody succeeded in exploiting the other two. Which pretty much silences any objection that somehow the Mac was a more attractive target (well, apart from being easier to crack).
Oh, and if you followed my link, you would have been susceptible to these sorts of attacks.
At the 24C3 (hacker congress in Berlin) lots of people had 0day exploits for MacOSX lying around. But at the moment nobody is buying them (MS does buy Windows exploits, Apple does not buy OSX exploits).
Hackers have to eat
( BTW they would/will sell to botnet people if MS does not pay )
Exploits are a big business nowadays.
...Apple is being unmasked in front of everyone. Good. This will teach them not to make false claims about their oh-so secure and infallible O.S. I'm glad that for all the criticism, Vista was able to hold its ground (hey, UAC does work after all, who knew?). So what do y'all have to say now, Apple fanboys? I guess the best thing to do here is to admit that you've been 0wned. :-P
Linux I expected to do well, since it has its roots from Unix and likewise is designed to be secure by default. No O.S. this side of the Universe will beat OpenBSD in security though, and I would've liked to see that amazing O.S. included in this test as well.
And it's not even OS X that has a problem, it's Safari.
I don't know about that, if a user application exposes a back door into the core OS, isn't that the OS's fault for having a back door? Seems that an OS should have a failsafe core design that prevents a compromise in the case of a problem on the user's end.
Even if the piece of software IS insecure, most attacks won't have any chance in OpenBSD.
Read this.
http://en.wikipedia.org/wiki/OpenBSD_security_features
At work, I speak to a lot of average users every day. Some of them with their "Very First PC (tm)".
These people might not know a lot about computers, but the ones who have used computers at their friend's house or workplace all complain that they HAD to take the machine with Vista and that it was a pile of poo.
The other people with no actual computing experience cannot believe how much hassle their systems are, as they believed the advertising that Vista is amazing. etc etc
So, in MY experience, you are correct. No-one wants Vista.
Unfortunately, this sort of thing is going to continue until consumer OSes approach system security the same way as they treat stability, and enforce it at the per-process - or even per-object - level.
The current 'fortress wall' security model may be fine for server OSes, where experienced sysadmins are expected to earn their pay constantly manning the outer defences against any hostile intrusion. It's utterly inadequate for end-user systems, however, where (like it or not) most anything goes. Compromised processes are inevitable in such uncontrolled environments; the only question is whether or not they take the rest of the system down when they go.
Apple and Microsoft dealt with the inherent stability problems of OS9 and Win98 by introducing true per-process memory protection. It's about time they applied the same approach to security as well.
What percentage of Windows users use Internet Explorer rather than something else?
They're probably around the same mark. Although some might argue that the average Mac user is more likely to know about other browsers than the average Windows user.
Meh, clutching at straws. Apple's attitude to security is lax... almost complacent, and Microsoft, while they have a poor record in the past, they have at least learned from it.
Posted from Mac OS X, using Safari.
Hurrah! OS X has achieved what Windows did many years ago.
My 13-year-old son did the same thing last weekend while testing XP via VMWare on Linux. The Windows system was totally hosed within an hour via Internet Explorer.
I've known some, a very small group, of users who've run their Windows boxes without being breached. The same is for Linux, BSD and OS X users who are safe online.
Your comment just shows a total misunderstanding of the article and the state of security in modern desktop operating systems.
XP can be hosed within seconds by simply exploiting its default security holes and open ports.
No wonder your kid hosed your machine, it was simply by letting it onto the net.
Whereas the article stated that none of the machines was compromised remotely, the first one being compromised over the net was the Mac due to an unpatched Safari security hole.
I agree with others that Vista's approach makes the most sense, they simply sandbox the browser which is probably the best approach you can do, every application which goes onto the internet should be sandboxed, period!
Actually, my son wanted to validate what fellow Linux users were telling him about Windows security.
He followed the instructions at UbuntuGeek on setting up a VMWare server. Then he installed the original Win XP install CD that came with his Alienware box.
I suggested he go to a game emulator site. Sure enough, within minutes, his virtual XP instance was being set up to be remotely controlled.
After powering off and deleting the contaminated Windows container we booted up a clean-and-pristine backup and I showed him how to harden a Windows system.
He's been running Linux for well over a year now after learning how to install it on his own at 12. He was less than impressed with the POS called Windows XP.
Since I religiously monitor my internal network I can say that under normal Internet activities our Linux and OS X systems are rock solid. Even our lowly XP system has yet to be compromised due to extensive hardening and teaching the users to be safe.
I must say I'm a little shocked that OSX went down before Windows. Perhaps it will cause the Apple people to take security a little more seriously. Now I'm not really interested in the flame war between OSX and Windows, I'm just a happy Linux & FreeBSD user sitting on the sidelines of the proprietary battle, but now that OSX is hitting its stride they need to secure their apps as well as the Unix base does for the OS.
Just curious what the security settings were on all three platforms (especially the Mac)... Looking forward to all the details of the exploit.
I do find it funny how elated the Mac haters are. Theirs must be a pretty small world if Apple's advertising campaigns stick in their craw so deeply.
Personally I think it's great that chinks are being found in the armor. Apps like Safari and Quicktime have gotten a free pass for too long.
Question... Is there a similar competition where all three OS's have been hardened?
According to
http://dvlabs.tippingpoint.com/blog/2008/03/28/pwn-to-own-final-day...
the Vista laptop was eventually hacked after the Adobe Flash plugin was installed.
I've got to be honest, I'm surprised and *very* impressed both that Vista lasted this long, and that the eventual downfall of the Vista machine was caused by non-MS code. I'm even more impressed that Ubuntu (which doesn't run a firewall by default, and doesn't use SELinux) is still going.
Combine that with the embarrassing result for Apple and the whole thing is really eye-opening.
Why are you surprised? I do not use Vista and am not particularly impressed with what I have seen of it but it has had a decent security record. Not outstanding, but quite decent, especially for Microsoft.
Again why?
1) Ubuntu has no services listening on an external address by default. This somewhat limits the utility or need for a firewall.
2) SELinux is not a miracle cure acting as the only line of defense on a Linux system. Properly configured SELinux makes a system more secure, no argument there. But if all applications running on the system are patched and do not have known buffer overrun or privilege escalation vulnerabilities then a system without SELinux can still be quite secure. The dire security need for SELinux is predicated on there being exploitable vulnerabilities on a system and an attempt to be made to use the exploit.
The trend I have been seeing on SELinux going from being seen as a tool to increase security to people arguing that a system is not secure without it is bothersome. The absence of SELinux does not make a system inherently vulnerable to attack. SELinux makes a system which has an exploit in need of being patched less likely to be compromised. The key here is the application with the exploit should be patched in any case.
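Two claims in this thread are easy to check on your own box: the earlier reply that only root may open *privileged* ports (below 1024) rather than ports in general, and the comment above that Ubuntu ships with no services listening on an external address, which is why a missing firewall matters less. The following script is an added example, not code from the original thread or from any of the projects mentioned; it parses output in the shape of `ss -tuln` (a constructed sample is embedded so it runs offline) and reports which listeners are reachable from outside the host and which sit on privileged ports. Column layout, the `SAMPLE_SS_OUTPUT` text and the function names are my assumptions.

```python
import ipaddress
from dataclasses import dataclass

# On Linux, binding a port <= 1023 requires root or CAP_NET_BIND_SERVICE;
# any unprivileged process may bind a higher port.
PRIVILEGED_PORT_MAX = 1023

# Constructed sample in the layout of `ss -tuln` (Netid State Recv-Q Send-Q Local Peer).
# It is not real output from the contest machines.
SAMPLE_SS_OUTPUT = """\
Netid  State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
udp    UNCONN  0       0       127.0.0.53%lo:53     0.0.0.0:*
udp    UNCONN  0       0       0.0.0.0:68           0.0.0.0:*
tcp    LISTEN  0       4096    127.0.0.1:631        0.0.0.0:*
tcp    LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
tcp    LISTEN  0       128     [::]:22              [::]:*
tcp    LISTEN  0       511     [::1]:631            [::]:*
tcp    LISTEN  0       128     0.0.0.0:8080         0.0.0.0:*
"""


@dataclass
class Listener:
    proto: str
    address: str
    port: int

    @property
    def privileged(self) -> bool:
        return self.port <= PRIVILEGED_PORT_MAX

    @property
    def external(self) -> bool:
        """True when the socket can be reached from another host.

        Wildcard binds (0.0.0.0, ::, or a bare '*') and binds to a real
        interface address are external; only loopback addresses are local.
        """
        if self.address == "*":
            return True
        return not ipaddress.ip_address(self.address).is_loopback


def parse_listeners(text: str) -> list:
    """Parse `ss -tuln`-style lines into Listener records, skipping the header."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] == "Netid":
            continue
        proto, local = fields[0], fields[4]
        addr, port = local.rsplit(":", 1)
        addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and scope id (e.g. %lo)
        listeners.append(Listener(proto, addr, int(port)))
    return listeners


def external_listeners(listeners: list) -> list:
    """Listeners that a remote host could talk to; this is the attack surface a firewall would cover."""
    return [l for l in listeners if l.external]


def report(text: str) -> list:
    """Human-readable findings, one line per external listener."""
    lines = []
    for l in external_listeners(parse_listeners(text)):
        kind = "privileged" if l.privileged else "unprivileged"
        lines.append(f"{l.proto}/{l.port} on {l.address}: reachable externally ({kind} port)")
    return lines


if __name__ == "__main__":
    for finding in report(SAMPLE_SS_OUTPUT):
        print(finding)
```

Run it against real output with `ss -tuln | python3 listeners.py` after swapping `SAMPLE_SS_OUTPUT` for `sys.stdin.read()`; a desktop in the state the comment describes produces no findings at all, while the sample above flags DHCP, sshd and an unprivileged service on 8080. The `external` test treats wildcard binds as external on purpose: a daemon bound to `0.0.0.0` is reachable from every interface, which is the case the comment's "no services listening on an external address" refers to.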
Hear! Hear!
I would have further described it as "damned irritating", as well. But you really hit the nail on the head, there.