The Mac has been hacked. For 10k.
By Charles Jade | Published: April 21, 2007 - 10:18AM CT
From Computerworld, the bad news is that a MacBook Pro has been successfully compromised through Safari. At CanSecWest, a security conference held in Vancouver this week, a contest was organized by Dragos Ruiu to break into a pair of MacBook Pros, the prize being a MacBook Pro.
Just to review the rules, the first box required a flaw that allows the attacker to get a shell with user level privileges. The second box, still up for grabs, requires the same, plus the attacker needs to get root.
There was apparently little interest, and that's the good news. Today's hackers appear to be entrepreneurs first, and bad boy nerds second. According to this thread at SecurityFocus, the contest was progressive, and on the first day no one managed to meet the stringent conditions set forth by the contest.
First day you have to go in over ethernet or wifi. On the first box default user compromise is enough. You'll need privilege escalation and a root compromise for the second one. The victory conditions are to scp a specific file on the disk using the preshared key stored there to a server.
Where are David Maynor and Jon Ellch when you need them? At any rate, the second day of the contest relaxed the requirements for a successful exploit.
If they last to the second day... then the second day brings browser bugs into scope. Safari will be set up to scrape a wiki page every five minutes or so (and to follow a changeable link there).
Possibly more importantly, 3Com's TippingPoint Division stepped in with a $10,000 bounty. That got some love, and the paramour of the day turned out to be one Dino Dai Zovi. As for the exploit, details are sketchy.
At this point all we can say is there is an exploitable flaw in Safari which can be triggered within a malicious web page. Of course all of the latest security patches have been applied. This one is 0day folks. Technical details will be forthcoming as the winner works out the release.
This does not appear to be related to opening "safe" files upon download (Safari's "Open 'safe' files after downloading" setting), which shouldn't even be an option in Safari. According to Sean Comeau, one of the organizers of CanSecWest, the latest Security Update from Apple does not protect users.
"Currently, every copy of OS X out there now is vulnerable to this." You are. So, uh, switch to Firefox until the patch comes out? Or live dangerously like me.
So, what happens now? Well, a huge number of pundits and anonymous nerds on the Internet will decry Apple's lack of security and how unfair it is that Microsoft, which expends so much effort on security, is perceived as having a less secure OS. Meanwhile, Mac users will rationalize the situation, including me. I've never thought OS X was more secure than Windows, just safer, my reasoning being similar to that espoused by security experts like Terri Forslof of TippingPoint.
"It's an incentive issue. The Mac is not as widely deployed of a platform as say Windows."
Start handing out $10,000 checks to hackers for breaking OS X, and that may change. Until then, I will "live dangerously" with the Mac. Oh, and lost amidst the screaming match between Apple supporters and detractors, TippingPoint will turn over the details to Apple and a security patch will be released, not that anyone will care.
http://arstechnica.com/journals/apple.ars/2007/04/21/mac-hacked-for-10000
Enlightened Atheist, Gaming God.
Does anyone find it downright weird that someone would be so funky about Mac that they'd pay $10,000 to get someone to write a virus for it?
Atheist Books, purchases on Amazon support the Rational Response Squad server.
switch to linux; problem solved...if you don't like the security provided you can change it...if that doesn't work, you can lock it down to the point that you can barely use it..
No Gods, Know Peace.
Of course there are going to be holes in a code base that large. What is more important is the number of known holes and the severity of the holes (Here OS X is better than Windows).
"What right have you to condemn a murderer if you assume him necessary to "God's plan"? What logic can command the return of stolen property, or the branding of a thief, if the Almighty decreed it?"
-- The Economic Tendency of Freethought
I'd pay money to people to find flaws within my product.
Best to let them let me know they found something before one hundred people tell.
I like to compare OS's to organisms. Essentially, Windows is the original asexually reproducing microbe (single parent producing children that vary slightly, but for the most part are clones of one another), Mac is the facultative sexual reproducer (offspring can either be made through cloning the parent or by two "parents" combining to create a hybrid) and Linux is the asexual reproducer. Like traditional ecology, asexual reproducers have the advantage of being able to quickly build numbers, but have the drawback of very little in the way of diversity. Facultative sexual reproducers can take advantage of the high rate of growth that asexual reproducers enjoy, while still being able to accept changes from other individuals. Linux is the slowest growing, but most diverse, due to the fact that any two individuals (distributions) can combine features to the betterment of both.
This is kind of a roundabout rationalization for why I use Linux, but I support it philosophically. That, and I like the fact that I can't get viruses, but I can infect Windows machines. I can also make strange analogies about ecology and computers, for fun.
No Gods, Know Peace.
Do you think this information isn't going to 1) get the hackers so fascinated that they're going to try it just for fun and 2) that the information isn't going to leak out?
Atheist Books, purchases on Amazon support the Rational Response Squad server.
You flat out crack me up!!
That's why I'm here...to bring a smile to people's faces. Well, some people anyway.
There is a risk to everything.
It won't leak, it will spread, just like it's supposed to. The point of contests like this is to bring these issues to the public eye. Public pressure is the only kind that will get any software company to fix a major bug.
http://projects.info-pull.com/moab/
It's not really surprising they had trouble finding interested participants.