Linked by Thom Holwerda on Fri 28th Mar 2008 20:39 UTC, submitted by irbis
Privacy, Security, Encryption

"An Apple Mac was the first victim in a hacker shoot-out to determine which operating system is the most secure. A former US National Security Agency employee has trousered USD 10000 for breaking into a MacBook Air at CanSecWest security conference's PWN 2 OWN hacking contest. The MacBook was lined up against Linux and Vista PCs - which have so far remained uncracked. Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but yesterday the rules were relaxed so that attackers could direct contest organisers using the computers to do things like visit websites or open email messages. The MacBook was the only system to be hacked by Thursday. Miller didn't need much time. He quickly directed the contest's organisers to visit a website that contained his exploit code, which then allowed him to seize control of the computer, as about 20 onlookers cheered him on. He was the first contestant to attempt an attack on any of the systems." There is more bad news for Apple: "If you have Apple and compare it to Microsoft, the number of unpatched vulnerabilities are higher at Apple."

Update: The contest is over. Vista got hacked using Adobe's Flash, Ubuntu was left standing.
Thread beginning with comment 307109
Here you go!1
by Hakime on Sat 29th Mar 2008 06:19 UTC
Hakime Member since:
2005-11-16

"Once again, OS X had been PROVEN UNDOUBTEDLY to be the most insecure OS ever created. "

Really? How come you conclude that?

What I see is just that a given security researcher did his job, that is, looking for security holes. Miller has been doing that for several months in order to find problems with Safari (thanks for his work!) and I find it not surprising that he came up with an exploit.
I mean, come on, who here can believe that he came just like that and pulled out an exploit magically? He prepared that exploit well before, he knew about it, and he was just waiting for the moment that they relax the exploit methods to show up. No way that I can believe that he was not targeting the Mac well before the contest began.

And no way that I can believe that the same thing could not have been done for Linux or Windows. I mean, there are a lot of researchers looking for exploits in Linux and associated software, so I can't believe that no one could use one exploit and make it work if he/she really wanted to. The point is that the Mac was the primary target during this contest, that's a matter of fact. Let's face it, it sounds much more sexy to say that the Mac was hacked than to say it for Linux or Windows.

This contest does not prove anything, it just shows that security researchers do their job and that they get more excited when hacking the Mac.

"Apps like Safari and Quicktime have gotten a free pass for too long"

Well, if I look at Secunia data, Safari actually does better than Firefox.....

http://secunia.com/product/12434/?task=statistics

http://secunia.com/product/5289/?task=statistics

"As Elseware already mentioned, the days of zero user interaction remote exploits are pretty much over. Even XP-SP2 can withstand that. "

Oh really, so tell me what you call what happened to the Graduate School of Arts and Sciences last month?

http://www.devicepedia.com/security/harvard-site-hacked-and-then-le...

Their web site just got hacked, and student data were stolen and then exposed on BitTorrent. And guess which system they are running? Oh, oh.... So please don't come up with nonsense.

"Well the real issue here is that this is not the first time that there has been a compromising exploit for Safari. Anyone here remember the exploit used to jailbreak the iPhone?"

That has nothing to do with the case now. Even during the contest, he could get into the Mac, but he can't do a lot of things besides, of course, accessing your data; taking down the system would be difficult, as he is not root or does not have an admin password.

"I rarely use Safari on my Mac. I use Firefox because I don't like the way Safari automatically mounts all of your downloaded content which I think is a huge security risk. "

You can deactivate this in the preferences. Also, in Leopard, files downloaded using Safari, Mail, and iChat are automatically tagged with metadata indicating that they are downloaded files and referring to the URL, date, and time of the download. The first time you try to run an application that has been downloaded, you are prompted by a warning asking whether you want to run the application and displaying the information on the date, time, and location of the download.

"I don't know about that, if a user application exposes a back door into the core OS, isn't that the OS's fault for having a back door? Seems that an OS should have a failsafe core design that prevents a compromise in the case of a problem on the user's end."

Well, Leopard does that, as it supports mandatory access controls and application sandboxing. But well, yes, it's a pity that Safari is not sandboxed yet; that would have made the exploit much more difficult to apply.

Hey Apple, please sandbox Safari, QuickTime, and Java.....

Reply Score: 2

RE: Here you go!1
by pxa270 on Sat 29th Mar 2008 09:03 in reply to "Here you go!1"
pxa270 Member since:
2006-01-08

"Oh really, so tell me what you call what happened to the Graduate School of Arts and Sciences last month?

http://www.devicepedia.com/security/harvard-site-hacked-and-then-le....."

Ok, why don't you tell me how exactly it got hacked, since you seem to know so well?

"Their web site just got hacked, and student data were stolen and then exposed on BitTorrent. And guess which system they are running? Oh, oh.... So please don't come up with nonsense."

So they were running a webserver on XP, which got hacked? Was it Apache or IIS? Hacked through a software vulnerability or a leaked password? Not that it matters, since a default XP install does not run any webserver, so this would be an impossible attack angle in this contest anyway.

I guess I should have qualified my statement: non-user interaction exploits are pretty much over for the default setup of end user desktop systems. Vista and XP-SP2 run a firewall by default, OS X and Linux run few to no net exposed servers. How are you going to exploit them? Of course it's possible that you discover a hole in the Windows firewall and a vulnerability in one of the services behind the firewall, but that probability is pretty low. That should be pretty clear from this contest: nobody even made an attempt on the first day. Even XP-SP2 in its default setup would probably do just as well.

Of course, it's an entirely different matter if you're talking about systems running servers exposed to the network, which are of course much riskier. Claiming that non-user interaction exploits are over in that scenario is of course foolish, since vulnerabilities in permanently running net-exposed software (not just webservers, but also things like Skype and instant messengers) are discovered all the time. But in that scenario it isn't clear at all that OS X or Ubuntu with Apache would fare much better than, say, Vista with IIS.

But that was not the point of the first day contest, where you're asked to remotely compromise a default setup without user interaction. Pretty much all modern systems are hardened enough for that.

Reply Parent Score: 5

RE: Here you go!1
by pxa270 on Sat 29th Mar 2008 09:36 in reply to "Here you go!1"
pxa270 Member since:
2006-01-08

"I mean, come on, who here can believe that he came just like that and pulled out an exploit magically? He prepared that exploit well before, he knew about it, and he was just waiting for the moment that they relax the exploit methods to show up. No way that I can believe that he was not targeting the Mac well before the contest began."

Nobody is asking you to believe that. Miller stated in his interview afterwards that it took him about 3 weeks to prepare the exploit. All teams were informed of the rules well in advance for all systems. The whole point of the contest was to encourage researchers to find previously unknown or undisclosed holes. Miller found one in OS X. No other team found any in Vista or Ubuntu.

"And no way that I can believe that the same thing could not have been done for Linux or Windows. I mean, there are a lot of researchers looking for exploits in Linux and associated software, so I can't believe that no one could use one exploit and make it work if he/she really wanted to. The point is that the Mac was the primary target during this contest, that's a matter of fact. Let's face it, it sounds much more sexy to say that the Mac was hacked than to say it for Linux or Windows."

You should read the rules of the contest that others have conveniently summarized. All 3 systems were equally attacked. The contest wasn't over after the Mac went down, it continued for the rest of the day on Vista and Ubuntu under the same rules, both had their own cash prizes to win, and both survived the day. So you can choose to believe that the teams attacking Vista and Ubuntu weren't interested in $10,000 and a free laptop or were plain incompetent (although one of the Vista attackers exploited the Mac through QuickTime last year, oops). Or you can stop trying to find excuses and just accept that OS X + Safari was just easier to crack than Vista + IE7 or Ubuntu + Firefox.

"This contest does not prove anything, it just shows that security researchers do their job and that they get more excited when hacking the Mac."

Well, it also proves that some people will engage in silly rationalizations when reality clashes with their preconceived notions.

The rules were fair. The Mac lost. It's just that simple.

Reply Parent Score: 12

RE[2]: Here you go!1
by h3rman on Sat 29th Mar 2008 13:05 in reply to "RE: Here you go!1"
h3rman Member since:
2006-08-09

"Or you can stop trying to find excuses and just accept that OS X + Safari was just easier to crack than Vista + IE7 or Ubuntu + Firefox."

Please stop trying to iHurt people's iReligious iFeelings.

Reply Parent Score: 7

RE[2]: Here you go!1
by tweakedenigma on Sat 29th Mar 2008 16:14 in reply to "RE: Here you go!1"
tweakedenigma Member since:
2006-12-27

I agree the Mac lost hands down, although I would like to see what the exploit involved before I pass judgment. Vista was eventually broken after adding Java (or Flash, I can't remember) to the mix, and Apple has that software pre-installed on the OS. But time will tell and we will know when it's all out in the open.

Reply Parent Score: 2

RE: Here you go!1
by senornoodle on Sat 29th Mar 2008 13:09 in reply to "Here you go!1"
senornoodle Member since:
2005-07-12

Did you read the part of my post saying I'd have to update my "Mac antivirus and spyware removal software"?
I wasn't being entirely serious, my point being, who cares about a few obscure security holes no one uses when no one exploits them, and even if they did, wouldn't work too well anyway?

Reply Parent Score: 1

RE[2]: Here you go!1
by WereCatf on Sat 29th Mar 2008 13:42 in reply to "RE: Here you go!1"
WereCatf Member since:
2006-02-15

"I wasn't being entirely serious, my point being, who cares about a few obscure security holes no one uses when no one exploits them, and even if they did, wouldn't work too well anyway?"

If you care about files on your computer then you should care about security holes. Even if the bug didn't allow the attacker to modify any system files, he/she would still be able to read any of your files or delete them. Besides, you don't know if anyone exploits those holes before you are hosed already.

Reply Parent Score: 3

RE: Here you go!1
by _txf_ on Sat 29th Mar 2008 18:16 in reply to "Here you go!1"
_txf_ Member since:
2008-03-17

I believe he was being sarcastic, well that's the way I read it

Reply Parent Score: 1