The Mac has been hacked. For 10k.
By Charles Jade | Published: April 21, 2007 - 10:18AM CT
From Computerword, the bad news is a MacBook Pro has successfully been compromised through Safari. At CanSecWest, a security conference held in Vancouver this week, a contest was organized by Dragos Ruiu to break into a pair of MacBook Pros, the prize being a MacBook Pro.
Just to review the rules, the first box required a flaw that allows the attacker to get a shell with user level privileges. The second box, still up for grabs, requires the same, plus the attacker needs to get root.
There were was apparently little interest, and that's the good news. Today's hackers appear to be entrepreneurs first, and bad boy nerds second. According to this thread at SecurityFocus, the contest was progressive, and on the first day no one managed meet the stringent conditions set forth by the contest.
First day you have to go in over ethernet or wifi. On the first box default user compromise is enough. You'll need priviledge escalation and a root compromise for the second one. The victory conditions are to scp a specific file on the disk using the preshared key stored there to a server.
Where are David Maynor and Jon Ellch when you need them? At any rate, the second day of the contest relaxed the requirements for a successful exploit.
If they last to the second day... then the second day brings browser bugs into scope. Safari will be set up to scrape a wiki page every five minutes or so (and to follow a changeable link there).
Possibly more importantly, 3Com's TippingPoint Division stepped in with a $10,000 bounty. That got some love, and the paramour of the day turned out to be one Dino Dai Zovi. As for the exploit, details are sketchy.
At this point all we can say is there is an exploitable flaw in Safari which can be triggered within a malicious web page. Of course all of the latest security patches have been applied. This one is 0day folks. Technical details will be forthcoming as the winner works out the release.
This does not appear to be the related to opening "safe" files upon download—which shouldn't even be an option in Safari. According to Sean Comeau, one of the organizers of CanSecWest, the latest Security Update from Apple does not protect users.
“Currently, every copy of OS X out there now is vulnerable to this”. You are. So, uh, switch to Firefox until the patch comes out? Or live dangerously like me."
So, what happens now? Well, a huge numbers of pundits and anonymous nerds on the Internet will decry Apple's lack of security and how unfair it is that Microsoft, which expands so much effort on security, is perceived as having a less secure OS. Meanwhile, Mac users will rationalize the situation, including me. I've never thought OS X was more secure than Windows, just safer, my reasoning being similar to that espoused by security experts like Terri Forslof of TippingPoint.
"It's an incentive issue. The Mac is not as widely deployed of a platform as say Windows."
Start handing out $10,000 checks to hackers for breaking OS X, and that may change. Until then, I will "live dangerously" with the Mac. Oh, and lost amidst the screaming match between Apple supporters and detractors, TippingPoint will turn over the details to Apple and a security patch will be released, not that anyone will care.
Proud Canadian, Enlightened Atheist, Gaming God.