Linked by Thom Holwerda on Fri 28th Mar 2008 20:39 UTC, submitted by irbis
Privacy, Security, Encryption "An Apple Mac was the first victim in a hacker shoot-out to determine which operating system is the most secure. A former US National Security Agency employee has trousered USD 10000 for breaking into a MacBook Air at CanSecWest security conference's PWN 2 OWN hacking contest. The MacBook was lined up against Linux and Vista PCs - which have so far remained uncracked. Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but yesterday the rules were relaxed so that attackers could direct contest organisers using the computers to do things like visit websites or open email messages. The MacBook was the only system to be hacked by Thursday. Miller didn't need much time. He quickly directed the contest's organisers to visit a website that contained his exploit code, which then allowed him to seize control of the computer, as about 20 onlookers cheered him on. He was the first contestant to attempt an attack on any of the systems." There is more bad news for Apple: "If you have Apple and compare it to Microsoft, the number of unpatched vulnerabilities are higher at Apple." Update: The contest is over. Vista got hacked using Adobe's Flash, Ubuntu was left standing.
Thread beginning with comment 307047
To read all comments associated with this story, please click here.
LMFAO
by cchance on Fri 28th Mar 2008 20:50 UTC
cchance
Member since:
2006-02-24

LMFAO THIS IS HILARIOUS....

OSX the first to go down in flames, Vista and Linux standing strong thats just funny with all of OSX's flogging that its so safe and secure.

The real challenge will be to see if vista or linux gets hit next

Reply Score: 14

RE: LMFAO
by elsewhere on Fri 28th Mar 2008 21:04 in reply to "LMFAO"
elsewhere Member since:
2005-07-13

OSX the first to go down in flames, Vista and Linux standing strong thats just funny with all of OSX's flogging that its so safe and secure.


It's worth remembering that when it came to attacks based directly at the platform rather than applications running on it, there were no contenders which bodes well for the default security posture of all three platforms.

Was this a case of OSX really going down, or was it related entirely to the flaw in Safari that opened the system to remote access?

I think it's an important distinction because this is the direction the blackhats are moving in. The days of open ports in Windows are over, even Microsoft has taken to a more responsible security design. Linux and OSX already had a natural advantage in this area. So attacks will no longer be against the platform, necessarily, but more against the applications running on top of them. Browsers, plugins, media players etc. will all be the focus of blackhat activity, and that is disconcerting because it means that vulnerabilities in an application on one platform could be easily transferable to other platforms. A flaw in firefox is often a flaw in firefox Win/OSX/*nix. The flaw in Safari that broke OSX could easily apply to the Windows version as well, hard to know without disclosure yet.

It's good that we have a choice of secure platforms to use, but now there is the whole issue of needing ISV's to take the same security approach that the OS vendors have often been forced to take, otherwise it will all be for naught. The platform can certainly help minimize the damage a rogue app exploit can occur in a cross-platform app, but it's still an issue that will need to be addressed.

As much as I'm tempted to giggle at bit at the fact that OSX was the first to go down, I don't think it's Apple the OSX vendor that should be blushing. It's Apple the software company that should be concerned, but that could just as easily have been Adobe or someone else. In fact, I was kind of expecting it to be Adobe with all of the flash issues they've had lately.

Anyways, will be interesting to watch and see what happens over the rest of the contest.

Reply Parent Score: 20

RE[2]: LMFAO
by pxa270 on Fri 28th Mar 2008 21:26 in reply to "RE: LMFAO"
pxa270 Member since:
2006-01-08

From the Register:

"Charlie Miller, who was the first security researcher to remotely exploit the iPhone, felled the Mac by tapping a security bug in Safari. The exploit involved getting an end user to click on a link, which opened up a port that he was then able to telnet into. Once connected, he was able to remotely run code of his choosing. "

http://www.channelregister.co.uk/2008/03/28/mac_hack/

Reply Parent Score: 11

RE[2]: LMFAO
by linumax on Fri 28th Mar 2008 23:11 in reply to "RE: LMFAO"
linumax Member since:
2007-02-07

Latest update, from the third day:

"2:30pm PST Update: Its been two hours so far, and both Vista and Ubuntu laptops are still standing. Stay tuned..."

Check for more updates here:

http://dvlabs.tippingpoint.com/blog/2008/03/28/pwn-to-own-final-day...

Reply Parent Score: 4

RE[2]: LMFAO
by tomcat on Sat 29th Mar 2008 01:17 in reply to "RE: LMFAO"
tomcat Member since:
2006-01-06

So attacks will no longer be against the platform, necessarily, but more against the applications running on top of them. Browsers, plugins, media players etc. will all be the focus of blackhat activity, and that is disconcerting because it means that vulnerabilities in an application on one platform could be easily transferable to other platforms. A flaw in firefox is often a flaw in firefox Win/OSX/*nix. The flaw in Safari that broke OSX could easily apply to the Windows version as well, hard to know without disclosure yet.


Yeah, I agree, and this is a worse threat, in my opinion, because few applications have the scrutiny that the OSes have.

Reply Parent Score: 3

RE[2]: LMFAO
by google_ninja on Sat 29th Mar 2008 16:51 in reply to "RE: LMFAO"
google_ninja Member since:
2006-02-05

I don't know, when webkit is considered to be a core api, it needs to be treated as such. same with ie on windows. or with khtml on kde.

Firefox is just another app as far as the os is concerned.

Reply Parent Score: 2

RE: LMFAO
by sigzero on Fri 28th Mar 2008 22:10 in reply to "LMFAO"
sigzero Member since:
2006-01-03

Standing strong? Nobody TRIED to hack them.

Reply Parent Score: 1

RE[2]: LMFAO
by SlackerJack on Fri 28th Mar 2008 22:23 in reply to "RE: LMFAO"
SlackerJack Member since:
2005-11-12

You'll see that they were, on each day they relax the rules if they can't hack them. It's kind of like trying to shoot a target at shorter and short range.

Reply Parent Score: 3

RE: LMFAO
by Isolationist on Fri 28th Mar 2008 22:46 in reply to "LMFAO"
Isolationist Member since:
2006-05-28

Yup, OSX sucks hard!

Let's see how quickly I get modded down for this ;)

Reply Parent Score: -1

RE: LMFAO
by Jokel on Sat 29th Mar 2008 07:57 in reply to "LMFAO"
Jokel Member since:
2006-06-01

Well - according to the site the next one was Vista. They used a 0day exploit in adobe flash and cracked Vista.

Ubuntu was the surviver of the contest as far as I understood.

Seems Linux still is the most safe OS - at least in this contest. Too bad they did not included the BSD flavors and things like Solaris, but I am very pleased with this outcome...

Reply Parent Score: 5

RE[2]: LMFAO
by sigzero on Sat 29th Mar 2008 23:31 in reply to "RE: LMFAO"
sigzero Member since:
2006-01-03

No...they knew of vulnerabilities in Linux. Nobody wanted to go through the effort to do it.

The glitzy got hacked first.

Reply Parent Score: 2