The net was abuzz over the weekend with news that a zero day flaw had been found in Apple’s Safari web browser. The flaw was discovered as part of the CanSecWest conference whose organizers offered a simple challenge: successfully hack a Macbook and win it as a prize.
However, one thing that seems to have been overlooked in most of the coverage is that the organizers had to change the contest rules in order for the Macbook to be successfully hacked.
The original rules said that the attack must required no action on the part of the user. After security firm Tipping Point offered to throw in a $10,000 bounty, the rules were changed so that exploits could include malicious websites and other user-initiated actions.
In fact, the “hack” required opening Safari on the Mac, entering a url and navigating to a “website” which was created a few minutes earlier just to attack this machine. So, does this mean these “security experts” are returning to the networks they oversee – to setup all browsers to run any script without permission – and, by the way, tell users to click on the links in any emails they receive!
There is no patch for stupidity. Or intellectual dishonesty.
I think it’s more likely that with no cash reward, whats the point? You could sell the exploits on the open market for a lot more than nothing.
#1 – The person who demonstrated the Safari “hack” got one of the MacBooks, and the person behind the “hack” is in line for a $10,000 reward through another group.
That being said, the word hack is clearly losing its value. To me, a hack involves taking over a machine when the user doesn’t do something to start the process.
All of these “Do X in browser, watch as Y happens.” things are best qualified as vulnerablities. Yes, they’re bad, but far from “hacks”.
I guess you’d call this a
Big Mac Hack Attack!
Sorry for that…
So basically, the Mac is now officially less secure than a windows xp box because the Mac hasn’t yet been hardened to all these types of exploits the way it has been on XP and Vista with the sandboxs etc.
RIP Macintosh computer, we hardly knew yah!
2,
Well, if browsing to a site causes your system to allow for a rogue process to overtake it, then yes, that’s a hack. As James Brown once said Nothing from Nothing leaves nothing…
Browsing to a site is passive. What happens behind the screen is anything but.
Most (well, all actually) of the exploits I encounter these days require some degree of social engineering. I agree with changing the rules of the contest to reflect today’s reality. To ignore “bad” behavior just propagates more false security.
Being “secure” is a moving target — the only way to be truly secure is to unplug the machine. Anything else is a calculated risk combined with a degree of faith (and a good backup).
#4 – You continue to impress of with your complete lack of knowledge on anything.
#5 – No, that’s an exploit. If it were a hack, then I wouldn’t have had to go to the site. As #6 states, this would not be an issue if people simply stopped going to such sites.
It’s time to stop confusing true technology issues with issues that can be defined as PEBCAK.
That being said, there’s no motive for the industry to make the distinction: The vast majority of money being made in the security realm comes from protecting users from themselves.
#7 – James Hill
“That being said, there’s no motive for the industry to make the distinction: The vast majority of money being made in the security realm comes from protecting users from themselves.”
And just think of how they’d just love to convince Mac users that they need their “security” products….
#5 – Named
“As James Brown once said Nothing from Nothing leaves nothing…”
Actually, that would be Billy Preston… 🙂
Thanks Lauren…all the way down the thread I kept hearing that song in my head and thinking…that’s not JB…
#8 – That puts me in quite the spot, since I am a Mac user and the lead of a Mac development team at a shop you qualified as “they”.
That gravitational change you’re feeling right now is James Hill’s ego… try to resist, I managed to make this comment from orbit.
Anyway, the biggest problem right now is Microsoft’s fault, both directly and indirectly. Points:
1. Much of their software is faulty and plagued with security holes
2. Their software runs on the majority of the world’s connected PCs
3. Their software is heavily pirated, with duplicate keys and keygens used to activate it, China leads the way
4. The keys are validated against a database of legitimate keys before Microsoft allows updates
4. They will not allow users with illegitimate keys to close security holes in their illegal systems
So, if they have majority market share, composed of vulnerable systems, but don’t allow 100% of those users to at least get free security patches, then isn’t Microsoft somehow culpable?
I mean, sure, users shouldn’t be copying their software illegally, but they do and will, and Microsoft knows this. So, in restricting updates, Microsoft directly contributes to the insecurity of the internet, and they know it.
Who’s in the wrong? Microsoft as a whole, and users of illegitimate software as well.
Who suffers? Microsoft, as they continuously get black-eyes from reported security holes; and everybody that uses the web, legit or not.
Fair? No, life isn’t fair.
Yahoo! The cowboy’s back!!!
#11 – There’s something wrong with your orbital trajectory, because that post wasn’t tied in to how M$’s viewpoint on the matter impacts Apple.
(he’s so cute when you rile him up a bit)
I viewed the Apple thing as a non-story. For JH, I’ll clarify my perspective: the Microsoft security issues prevalent on a global scale are a more interesting subject to the rest of us who work in the real world, not as “a Mac user and the lead of a Mac development team…”
First, the big glaring problems should be fixed. Afterward, we can work on the remaining 10% of the world’s systems.
Geee, why don’t all of you gp get the newest copy of Firefox?
You know the one with the MS trojan horse in it!
Have you ever seen the source to Firefox?
It’s a big dangerous world out there with all of this ‘freeware’
Something I heard once about Geeks bearing ‘free gifts’ or freeware!
Firefox also have problems with cross-site scripting recently but no-script helps defeating them. It detect some attacks now.
#13 – Conveniently, everyone else views your posts as meaningless.
Apple is the story, because everyone knows M$ is swiss cheese when it comes to security.
The fact that less than 10% of the market gets about 50% of the press these days is no reason to get pissy… unless you work for M$.
You sure are cute when you get owned. Thanks for playing
Obviiously, this ia a publicity stunt. But, I think the only people it will impress are fellow travelers in the wannabe hacker and anti-Apple circles, which sometimes overlap. Apple computer users in the real world are not concerned about ‘vulnerabilities’ this contrived. Show me something that does not require settings most of us do not use and you might get our attention.
Now that there have been two ‘maybe they hacked a Mac’ publicity stunts, copy cat syndrome guarantees there will be more. However, the collective consensus among the Apple interested will be a collective yawn.
Cyber security has become a billion dollar industry, bellows inflamed to massive proportions by marketing hype and large dollops of just plain old BS. With the advent of broadband and automatic updates that claim to “protect” us from the evil worms, viruses and other larger than actual size boogy-babies most of the consumer level firewalls and anti-virus apps are slowly becoming buggy and unstable. Subscription based security software is the new scam, and after the last one of these snake-oil software lashups screwed one of our computers I tossed the whole works and installed an old version of Zone Labs (v.2.*) firewall on two of our four computers and so far, so good. And if something gets through, well, I know how to fix it.
The hack that was demonstrated is just as serious as the recent .ani hack was for Windows Vista.
The rules were not changed as some of the media reports. The rules always were for the first day the method for hacking required gaining access with zero user interaction. Of course the Mac should be secure in this state as Windows XP SP2 and Windows Vista as setup by default with all current patches are also secure from remote access with no user interaction. Also any PC or Mac behind a NAT router is alsofully protected as long as no holes are opened in the router. This was why this method of attack was only given the first day because the chance of access through this method on almost all computers is very slim. When was the last successfull self propogating worm that required zero action on a desktop computer a real threat. I am not talking servers as they clearly have open ports that can be attacked. And also if a user sets up port forwarding or disables the firewall they are also opening themselves up to attack. But clearly a fully patched computer of any stripe behind a firewall that is rejecting incoming packets is not open to remote exploit unless the firewall itself can be exploited.
The second day of the Mac challenge allowed for the user browsing to a web page that may comtain malicious code. That is the number on vector for attacking windows computers. The recent 0day attack on windows with the .ani was one such flaw. This Mac Safari hack presents almost the same risk. The only mitigating factor is they only managed to get user level access. But they did manage to get a user ssh shell session. This mean they could have done anything the user could have done on the cumputer that did not require administrative permissions. They could have used ftp to send all the users documents to a remote site without the user concenting. They could send composse and send email to everyone in the users address book. They could could delete the users files.
This is a serious exploit and provides the more risk than the recent .ani flaw provided on a default Vista install as the remote attacker could only read user documents under vista using ie7 as the new vista protected mode makes ie7 run in a protected sandbox that prevents changing files even on user accounts without expicit user permision through UAC.
I guess I am a little longwinded but before people discount this hack they should research into exactly what was accompished as the reporters reporting on the situation are clearly not properly researching their stories when they make the comments about the security being relaxed becaue the first day was too hard to hack. The change in the rules was always planned as they were meant to test different vectors of attack on different days. I believe the third day of the challenge was to allow email based atttacks and local exploitation by plugging inb a USB key.
The easiest way to know how vulnerable a computer (PC or Mac) is with this simple experiment:
Put several computers (with internet acces) with different security settings in a room and each in a private cubicle. Stick a “Free internet” paper on the wall and let ppl surf whatever they want.
See in a couple of weeks what happens.
On the hack: as soon as Apple got word of this, they put out an update that supposedly fixed about 20 holes in the OS. I know–I installed the patch yesterday on my wife’s brand new Macbook, along with similar patches to the Mac version of Microsoft Office. It’ll be interesting to see what other holes turn up in the next few months, as BSD (the version of Unix that is the basis for Mac OSX) is probably as susceptible to hacks as any other OS.
One possible exception: VMS is pretty secure, and HP maintains it to this day.
It’s too bad they couldn’t get the story accurate on TWiT.
TWiT and accurate work about as well together as Olberman, O’Rilley, and truth.
#21
“as Apple got word of this, they put out an update that supposedly fixed about 20 holes in the OS.”
So this means they knew about these security holes and did nothing to fix them until it got out in public?
[edited: duplicate]
[edited: duplicate]
Third time a charm?
Floyd, there haven’t been any new security updates since the report of the supposed hack. So, what you are saying is inpossible. You must have been installing one that predated the
setupattack. Considering that you don’t even look at the dates on the updates you install, you are not a very astute computer user.Angel, the answer to your question is ‘no.’ Floyd doesn’t know what he is talking about.
Newest developments:
•According to C/NET, the wannabe hackers are now expanding their claims to other parts of OS X. Pinnochio Syndrome, eh?
•According to PC World, the same browser vulnerability exists in Windows.
http://www.pcworld.com/article/id,131145-page,1/article.html
Same vulnerability in Firefox, as well.