MacBook Air First To Be Compromised In Hacking Contest

Multiple readers have written to let us know that the MacBook Air was the first laptop to fall in the CanSecWest hacking contest. The successful hijacking took place only two minutes into the second day of the competition, after the rules had been relaxed to allow the visiting of websites and opening of emails. The TippingPoint blog reveals that the vulnerability was located within Safari, but they won't release specific details until Apple has had a chance to correct the problem. The winner, Charlie Miller, gets to keep the laptop and $10,000. We covered the contest last year, and the results were similar.

0wnership

[Anonymous Coward]

Ah, the pride of 0wnership.

Re:Owning Beauty

[recoiledsnake]

You forgot to factor in the $10,000 cash prize.

Re:

[goombah99]

You forgot to factor in the $10,000 cash prize.

And you forgot the prospect for employment. Hack a mac and you put it on your resume, hack a PC and no one cares or worse thinks your are a script kiddie.

More to the point, what you can't measure here is the real world vulnerability. I cringe at keeping my Linux machines up-to-date and protected. I rely on firewalls not themachines. With the machines, which are production machines, it's huge roll of the dice to try to apply a patch and descend into dependency hell and discover over the next week which

Re:Owning Beauty

[recoiledsnake]

You first said:

instead you got a beauty contest. Which apple apparently won.

Any contestant with half a brain knows that he can get 4+ Macbook Airs for the $10,000 cash prize and then ebay or install hackintosh on the "non-beautiful" laptops if they really hate Ubuntu or Vista that much. Seriously, if it was easier to compromise Ubuntu or Vista why not do that instead of going to the trouble of hacking the more secure(your implied claim) Apple laptop?

And you forgot the prospect for employment. Hack a mac and you put it on your resume, hack a PC and no one cares or worse thinks your are a script kiddie.

If the company really thinks in that way, I don't think you want to be working there in the first place. And what about Linux? Why wasn't it hacked?

More to the point, what you can't measure here is the real world vulnerability. I cringe at keeping my Linux machines up-to-date and protected. I rely on firewalls not themachines. With the machines, which are production machines, it's huge roll of the dice to try to apply a patch and descend into dependency hell and discover over the next week which parts of your production got broken and which need compat libs and so on. With my fleet of macs, I don't hesistate to software update (well actually, unless the vulnerability is rampant I wait a week cause even apple screws the pooch. But just a week, and then you know it's safe.) SO in the real world macs are highly patched. MS can be and it's only a wee bit harder. (And when they fuck up (SP1) they go big, but it's mainly a function of your hardware.) Linux requires real expertise and knowledge of how your specific magic mixture of packages will be affected.

That's more besides the point than to the point. All the Apple patches in the world won't save you from this exploit, since they don't have a patch for it out, yet. Besides, are you comparing updating production servers on Linux to Mac desktops? That's not a fair comparison at all. Desktop Ubuntu can also be updated without a hitch. Also, I've never seen a Windows Server 2003 production server have any problems with any of Microsoft's updates. And if you're using Debian stable on your server, you will be pretty stable with installing all the security fixes and updates because they do a really good job of testing the fixes.

Re:

[el americano]

All the Apple patches in the world won't save you from this exploit

How about Firefox + NoScript? Actually I was hoping for an OS vulnerability, something where you can be targeted, but I suppose everyone deserves credit this time around.

Too bad David Maynor wasn't there. He woulda hacked the MacBook Air in 5 minutes!

Re:

[zootm]

To be completely fair, though, the Vista and Ubuntu machines are, according to all sources I've found, still up and still unhacked. If you can still win those (which I think you can?) even though there's no longer a cash prize there's at least incentive for someone to hack them. If it were a case of people coming prepared with vulnerabilities on all three machines you'd expect one of the other two would have been brought down by now.

I do agree, though. The bottom line is that no OS is completely secure and

Re:Owning Beauty

[Cyberax]

I cringe at keeping my Linux machines up-to-date and protected

What's so hard in it?

"apt-get update; apt-get upgrade;" on a Debian Stable works like a charm (because they push ONLY security and major bugfixes). I manage a farm of 30 servers for about 2 years and Debian update ALWAYS worked without any problem.

Re:Owning Beauty

[Anonymous Coward]

Oh sweet jesus... Apple owners... spinning a truly piss-poor performance into a plus.

Re:Owning Beauty

[Mister Whirly]

But it was hacked remotely. All it took was a visit to one website, and from that point on it was owned remotely.

do you hear that ?

[Anonymous Coward]

the sound of a million fanbois as they screamed Nooooooooooooo i sense i disturbance in the reality distortion generator set comments to flamebait and activate the extra moderation modules captain taco

Re:do you hear that ?

[Lovat]

You are correct, sir. Flaimbait tags on both the story and half the comments here in 3 . . . 2 . . . 1 . . .

Re:Get the Facts is a better tag.

[Anonymous Coward]

Yes. The totally unbiased facts from a guy with "Mac" in his username.

Re:Get the Facts is a better tag.

[recoiledsnake]

Let's face it: if the prize is the laptop you hack then everyone would be trying to hack the Mac: who the fuck wants the shame of walking away with a Dell under their arm?

Uhh? Can't they ditch the Dell in the nearest trashcan and run to the Apple store with the $10,000 in cash? Or did you miss reading about the cash prize under the influence of some kind of field.

Dell is actually starting to not suck.

[Cordath]

I was pretty surprised when Dell finally started putting some effort into their laptop designs. For example, take the XPS m1330 that came out last year. It's actually really nice. I wanted an near-ultra-portable but *powerful* Ubuntu laptop and was within a hair's breadth of getting a macbook pro. (The air is a slick design, but the power just isn't there.) Then I found out I could get something every bit as powerful as a high-end macbook pro in the form-factor of a 13" macbook, only lighter, and for less money. (Caveat to follow.) Then I found out that the design actually looked nice. Nicer than the macbooks to my tastes. (Seriously, it's time for a design update Apple.) On top of that, the m1330's design makes a fair bit of ergonomic sense too. The laptop tapers down towards your wrists, rather than the tendinitis-inducing edge on macbooks.

Even more surprising, the m1330 is really well supported in Ubuntu. (Dell actually sells the m1330 with Ubuntu pre-installed, although the discount is rather pathetic.) More things just work in a default install of Ubuntu on the m1330 than in Vista! (The only thing that doesn't work as well in Ubuntu as it does in Vista is the fingerprint reader, but that's just because biometric password support in Linux, and KDE especially, sucks dingo balls at present.) And yes, if I bought a macbook I probably would have tossed the OSX disks and reformated the drive first thing. I've had to develop under OSX and, while I don't mind it, I definitely prefer Ubuntu.

Caveat time. Dell's customization options are still royally borked. You can pick up a lot of accessories, like bluetooth mice, fairly cheap when buying a laptop, but other components are just insanely expensive. Anyone who maxes out the memory on a Dell while ordering it and then complains about the price is an idiot. Upgrading the memory on a Dell won't void the warranty. You want 4GB? Get 1GB from Dell and, toss it, and buy a couple 2GB sticks yourself. You'll save at least a couple hundred dollars. If Dell would smarten up about that kind of thing I'd have no complaints.

Still, one thing is pretty clear. You can no longer mindlessly slag Dell for epitomizing bland and crappy laptop designs. They do still have ultra-cheap crap and bland bricks built like tanks for the corporate types, but they're also gunning for the sexier end of the market now.
 

Re:Get the Facts is a better tag.

[The Evil Couch]

Yes, the walk of shame with a $3,000 laptop that's highly ebay-able and $10,000 in prize money. I wish someone shamed me like that.

Re:Get the Facts is a better tag.

[exley]

The contest was also sponsored by the likes of Google, Cisco, Adobe, some security folk... They must all have it in for Apple, oh no Apple is screwed! Plus if you read how the contest [itworld.com] was run, it's hard to make the case that this was all pro-MS.

Get the facts... Up to the point where they support your agenda and then punt.

I say well done.

[catwh0re]

In the past I've written replies which effectively defended the mac platform, not due to some loyalty, but because most of the feedback people write is pure b/s. I prefer factual arguments, not near-random fear mongering.

I haven't RTFA but from the surface it sounds like a fair exploit test, and sure it only fell over with user interaction, but it still fell first. So good on them, they'll enjoy their prize of a macbook air and a sweet $10k.

Alternate headline: Mac last hacked IRL

[sootman]

My teenage son can demolish any PC in an afternoon of unsupervised surfing. My neighbor's Vista box barely runs; God knows what they've got on it. (Unlike the Ubuntu box I let them borrow for two years before they bought their new Dell 3 months ago.) The Mac mini my son uses to surf (when he's allowed) runs as well as it did two years ago and I haven't even run software updates on it. (No sense mentioning it has no antivirus software either.)

I don't care if it's spyware, adware, a virus, a tray icon, or or even just a simple browser toolbar or homepage or search-engine hijacking; or if it's installed manually or via drive-by methods--whether its due to small market share, inherent (UNIX) security, or something else, I will continue to argue that Mac and Linux are the better platforms, IN PRACTICE, for the average user.

Re:

[__aagmrb7289]

Paraphrased: "I don't care what the verifiable FACTS are - I only care about my unverified anecdotal stories." (a) Please don't ever consider going into science as a career field; (b) Hopefully it's clear (at least to the majority of readers out there), that personal, unverifiable anecdotal "evidence" is not a valid counterargument to factual data. That ISN'T to say that there aren't problems with the facts in this case - just saying that this "evidence" isn't worth anything in response to those facts.

Re:

[Mister Whirly]

I can summarize your post -

"I have no idea why some of my boxes fall prey to security holes, so I am just going to blindly assume that X operating system is more secure than Y operating system."

There is no such thing as a "secure OS". Security is a process that is ongoing and the principles of securing a system apply to ALL operating systems. If you want a real explanation as to why your Windows machines are attacked more often than your Macs or Linux machines, try the concept of "marketshare" out. Reme

Re:I think the relevant part is:

[vux984]

In other words, the first to hack it gets it! Who wants a Vaio or a Fujitsu anyway? Given a choice between the three, I'm sure everybody wanted the MacBook Air. Naturally, the only machine getting the pounding is going to be the first to crack.

Yes, that sounds logical, if your genitals are hooked up to a car battery.

The winner got to keep the unit AND 10,000. So OBVIOUSLY they should crack the easiest unit, flip it on ebay, and then buy whatever they actually want, while pocketing the remaining 8-9 grand...

So... the moral of this story? Never underestimate the ability of an Apple fan to rationalize how the Mac could be the first to fail, yet still be the finest computer in the competition. d(^_~) [Thumbs up!]

I ... Zzzzzzzap.... couldn't.... Zzzzzzzzzap. ... agree... Zzzzzzzzzzap.... more. ;)

Re:I think the relevant part is:

[recoiledsnake]

The winner got to keep the unit AND 10,000

Don't forget that the prize was 20,000 each for the first day. And none of the machines got compromised. Including the Vista and Ubuntu machines. So, the GP is even more wrong than you think.

Re:I think the relevant part is:

[catwh0re]

While this does make sense on the surface, the point of failure is that the hackers are not just entering the competition and trying their luck with random keystrokes. Each person is coming to the event with something they have prepared earlier. (Hence why the machine fell in 2 minutes, it fell with the first attempt.) This hacker targeted the mac for the follow-on benefits, it's a valuable prize and it'll earn him a lot of press. Now he can charge more per hour for his security consulting.

No one is going to be interested in the fact that it required user-assistance and can't be executed remotely (which are by far the most worrisome.)

Re:

[ta bu shi da yu]

The assumption that I was criticising him is all yours, good sir.

Better headline

[BadAnalogyGuy]

Safari browser has massive security hole.

It's funny how they turned a huge hole in the Safari browser into a commercial for the Mac Air.

"Small size, big holes"

Re:Better headline

[ilikejam]

There's a 'yo mama' joke in there somewhere.

Identical articles

[Robert1]

They're nearly perfect mirrors of one another. Really the only difference between this year and lasts was the word "Air."

Re:Identical articles

[Anonymous Coward]

No, this year Vista and Ubuntu were in the contest as well. But the mac got hacked in two minutes and the Vista and Ubuntu machines resisted every hack. Big difference there. Oh, and I'd like to say, HA HA /nelson - now tell us again how absense of mac malware is not because of small market share.

Re:Identical articles

[Anonymous Coward]

The Vista machine would have been hacked quicker if it ran faster

Re:

[drsmithy]

Well, they let them use a Vista laptop because Windows 7 isn't available yet (not sure it means anything, but Microsoft is still an OS generation behind Apple).

You seem to have that arse-about-face. In every way except the display system, even Windows NT 3.51, dating from the early '90s, was a generation ahead of OS X until about 10.4/10.5. Vista leapfrogged ahead with the display system, while 10.4 and 10.5 brought in parity with lower level aspects like fine-grained locking and an ACL-based security s

And, in this case, the attacker deliberately chose

[reiisi]

Miller, best known as one of the researchers who first hacked Apple's iPhone last year, didn't take much time. Within 2 minutes, he directed the contest's organizers to visit a Web site that contained his exploit code, which then allowed him to seize control of the computer, as about 20 onlookers cheered him on.

He was the first contestant to attempt an attack on any of the systems.

But the issue is really not which is more vulnerable, it is that you can't run a secure browser and a convenient browse

Re:And, in this case, the attacker deliberately ch

[recoiledsnake]

It's time to abandon the general purpose browser. It's also time to quit surfing as your log-in user. You need a browser for surfing that you run (sudo or something) as a strictly limited privilege user without log-in capabilities.

If you pulled your head out of the sand and informed yourself beyond the anti-Vista tripe that's posted on here, you might have known that IE7 on Vista does exactly what you described ever since it came out more than a year ago.

Re:linky, pleasey

[Chokolad]

Here is your linkey http://blogs.msdn.com/ie/archive/2006/02/09/528963.aspx [msdn.com]

Quote from the linkey

  In IE7's Protected Mode--which is the default in other than the Trusted security zone--the IE process runs with Low rights, even if the logged-in user is an administrator. Since add-ins to IE such as ActiveX controls and toolbars run within the IE process, those add-ins run Low as well. The idea behind Protected Mode IE is that even if an attacker somehow defeated every defense mechanism and gained control of the IE process and got it to run some arbitrary code, that code would be severely limited in what it could do. Almost all of the file system and registry would be off-limits to it for writing, reducing the ability of an exploit to modify the system or harm user files. The code wouldn't have enough privileges to install software, put files in the user's Startup folder, hijack browser settings, or other nastiness.

In Protected Mode IE writes/reads special Low versions of the cache, TEMP folder, Cookies and History:

Cache: %userprofile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low
Temp: %userprofile%\AppData\Local\Temp\Low
Cookies: %userprofile%\AppData\Roaming\Microsoft\Windows\Cookies\Low
History: %userprofile%\AppData\Local\Microsoft\Windows\History\Low

Re:

[makomk]

The trouble is, they didn't implement the Biba security model - they only implemented part of it. More specifically, they implemented the "no write up" rule which prevents low integrity processes writing to high integrity stuff (well, most of the time - I think there are ways for low integrity process to talk to high integrity ones). However, they didn't implement the "no read down" rule at all - high integrity apps can and do read low integrity data.

Why does this matter? Well, suppose you have something

Safe Browsing for real

[Heembo]

Parents are still in safe browsing grade school. Let me help you get right to the PhD level of safe browsing - http://www.tssci-security.com/archives/2008/03/25/security-and-safe-browsing-for-firefox/ [tssci-security.com]

Re:browse one site

[recoiledsnake]

As long as the browser has the ability to be re-directed to any site but the site it was defined for, you're going to have spoofing. As long as you have spoofing, you're going to be losing your tokens.

Repeat after me. Security is not a product or a program. Security is all about layers. Vista's sandbox model for IE is another security layer that Safair is lacking. The anti-phishing features in IE and other browsers are another are another layer. None of the layers are perfect, but they stop a class of attacks. The sandbox won't prevent spoofing(even the antiphishing filter is useless against zero day phishing sites), but it can easily stop or mitigate the very kind of vulnerability we are discussing that took down the Mac in the contest. You can use VMs to browse if you're that paranoid about security(the recent security holes found in VMWare not withstanding).

Re:And, in this case, the attacker deliberately ch

[Psychotria]

Sudo runs things as the super user, hence the name......this is not what you want if you are going for higher security.

Actually "su" stands for "switch user". You can just as easily sudo to _any_ user.

Re:

[WK2]

Actually, "su" does indeed stand for "super user". Originally, it could only switch to root. The capability to switch to arbitrary users was added later, and "switch user" is a backronym.

While we're on the subject, guess what "dd" stands for? It's not "direct dump" or "disk destroy". It's "character copy".

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Identical articles

[recoiledsnake]

You aren't totally correct on that. The article says "He was the first contestant to attempt an attack on any of the systems." (on the second day). None of the systems fell on the remote only side but when it came to test user interaction the Mac was the first one tested. I'm still waiting for the result on the other machines. It is what a lot of us suspected... because of Apple's rep., people would be eager to take on the Mac first. It is still not to say it isn't bad... oh, it is. But the contest isn't over yet.

Sorry, that's just plain wrong. Every laptop had different contestants going on about it in 30 minute slots all day.

Day 1: March 26th: Remote pre-auth All laptops will be open only for Remotely exploitable Pre-Auth vulnerabilities which require no user interaction. First one to pwn it, receives the laptop and a $20,000 cash prize. The pwned machine(s) will be taken out of the contest at that time. Day 2: March 27th: Default client-side apps The attack surfaces increases to also include any default installed client-side applications which can be exploited by following a link through email, vendor supplied IM client or visiting a malicious website. First one to pwn it receives the laptop and a $10,000 cash prize. The pwned machine(s) will be taken out of the contest at that time. Day 3: March 28th: Third Party apps Assuming the laptops are still standing, we will finally add some popular 3rd party client applications to the scope. That list will be made available at CanSecWest, and will be also posted here on the blog. First to pwn it receives the laptop and a $5,000 cash prize

So the Macbook is out of the race since it finished last. Tomorrow, the Ubuntu and Vista machines will have a prize of $5000 on them being cracked with lots of third party apps installed.

Re:Identical articles

[recoiledsnake]

So is it official that the Vista and Ubuntu machines have survived day 2??! Judging from the blog... it isn't: Update 5:45 PST - The contest is officially over for today. Check back tomorrow to see how the Vista and Ubuntu laptops fare. Do you have an inside scoop??

You misunderstod the contest rules. No inside scoop. Just the blog.

Day 1: March 26th: Remote pre-auth
All laptops will be open only for Remotely exploitable Pre-Auth vulnerabilities which require no user interaction. First one to pwn it, receives the laptop and a $20,000 cash prize.
The pwned machine(s) will be taken out of the contest at that time.
Day 2: March 27th: Default client-side apps
The attack surfaces increases to also include any default installed client-side applications which can be exploited by following a link through email, vendor supplied IM client or visiting a malicious website. First one to pwn it receives the laptop and a $10,000 cash prize.
The pwned machine(s) will be taken out of the contest at that time.
Day 3: March 28th: Third Party apps
Assuming the laptops are still standing, we will finally add some popular 3rd party client applications to the scope. That list will be made available at CanSecWest, and will be also posted here on the blog. First to pwn it receives the laptop and a $5,000 cash prize.

So the security will be even more relaxed on the third day because Ubuntu and Vista survived the first two days without a hack. The Mac finished last and is out of the race.

Re:

[Basehart]

"So the security will be even more relaxed on the third day because Ubuntu and Vista survived the first two days without a hack. The Mac finished last and is out of the race."

The Mac actually won because it was the first one to be exploited.

Re:Identical articles

[Whiney Mac Fanboy]

because of Apple's rep., people would be eager to take on the Mac first.

Hold on - are you saying that Mac's have a better reputation for security than linux?

Congratulations sir. Apple fanboy's capacity for self-delusion never ceases to amaze me.

Re:

[daBass]

No, he said it had a reputation, not what that reputation was nor wether he agreed with it.

Congratulations sir. Apple hating Slashdotters' capacity for misquoting for libelous use and getting modded "insightful" for it never ceases to amaze me.

Re:Identical articles

[Nightspirit]

The results for the other machines are in, at the end of day 2 the Vista and Ubuntu laptops have yet to be compromised:
http://dvlabs.tippingpoint.com/blog/2008/03/27/day-two-of-cansecwest-pwn-to-own---we-have-our-first-official-winner-with-picture [tippingpoint.com]

Re:Identical articles

[E IS mC(Square)]

"Maybe I'm being ignorant" he says. Give him a chance. Give him one. ..."but was the same attention devoted to hacking the other systems?" Naah.. he lost it, the ignorant fool.

Re:

[Anonymous Coward]

Something else the same that should be pointed out: Microsoft sponsored the contest both times. It is important to know where the money is coming from [slashdot.org] (and who is writing the rules [wired.com]).

Re:

[Allador]

Last year was QT, this year was Safari.

Ouch, that didn't take long.

[Anonymous Coward]

There goes their geek cred. Hey, at least they still sell a metric crap load of iPods!

Re:

[Almahtar]

The crap load is a metric unit?

Re:

[Anonymous Coward]

Sorry, you are confusing the Fuck-ton with the Ass-Load. The Imperial Ass-Load is the comparable unit. Fuck-ton is for measuring mass, not volume.

Users == the problem

[ashridah]

Well. Big shock there. These days, most vulnerabilities require the user to be at the helm.

Good to see that social engineering is still all it requires to compromise something.

Re:Users == the problem

[recoiledsnake]

Good to see that social engineering is still all it requires to compromise something.

So why weren't the Windows and Linux machines be able to be hacked inspite of the social engineering and users being at the helm all day?

Re:

[ashridah]

Bigger hoops to jump through? Linux has fairly high levels of user/admin separation, and windows has been burned enough times that the sandbox that IE runs with is effective enough to slow people down, far more than it was back in the ie6 or ie5.5 days.

I doubt it'll take much longer for all three to get taken over. There'll be some office bug, or a local service vulnerability that hasn't been patched yet, and it'll be game over, sooner rather than later.

There's a lot to be said for being exposed, it does gi

Re:Users == the problem

[ashridah]

That's the thing. It wasn't unix that they broke, It was the relatively new code. OSX may look like a unix from the outside in, but it's not one from the desktop down. It may resemble it, but it's not complete. Unix may be convenient for Apple, but it's not a mantra.

That said, ubuntu (and linux in general) are heading that way too, just not quite with the same fevered pitch.

It's the same basic premise that windows was based on: The user is in control. OSX and linux both have fairly strong boundaries between admin and user, but things are slowly wearing down, in the name of convenience. The difference being that things started out far more secure, and there's a bit more separation at the display itself, whereas win9x was not designed with this security in mind, and while NT was, it also inherited parts from win9x's shell and there were compromises at the display, etc.

Microsoft gets this now though. SQL Server's a great example of that. Hundreds of thousands of man-hours have gone into making that thing far more secure than the slammer days, just compare critical vulnerability counts from SQL-server to Oracle. Microsoft's biggest curse is legacy code now, plus a fair amount of ongoing training, and they will only shrink with time. This is mainly shifting market pressure, of course, it costs money to have negative press regarding security nowadays. It didn't in the past, and it will only increasingly have negative press for the next couple of decades at least. It's surprising that Oracle is now doing what Microsoft used to do: treat security as a marketing buzz word (Unbreakable on linux took how long to break?)

But who knows how many holes were in the old X11R6. But you didn't run that on servers, for a good reason. Guess what, there are probably lots of applications that don't handle the Windows messaging system securely and buffer-over/underrun free either.

These days, things like IE operate in Limited user mode. This goes even further than ordinary users (far more than a "power" user, and lightyears away from Administrator or SYSTEM). It's restricted to \users\%USER%\AppData\LocalLow\ and one or two other locations, and that's it (Favorites spring to mind. It gets to be a pain if those accidentally wind up back with normal ACLs, as I mentioned here [mycronite.net].)
So you need to work harder to break out of internet explorer, and IIRC, it takes permission from a privileged application to do it. Outlook's probably a juicier target, but it's been subject to the fabled crucible for a long long time, so again, it's harder.

OSX hasn't been subject to it for long at all. Safari's new. *Really* new, and you know what, it wasn't even webkit that broke, but the url bar (if memory of the bugtraq post serves.) Where did webkit come from? Oooh. that's right. KDE.

We're all in for it if apple really do gain significant market share (we being administrators, not we being "the general populace"). It may or may not be as big a problem as windows has been, but I'm willing to bet that the effects will be as dire, and apple doesn't really have a fantastic track record here, as other articles have pointed out. The momentum of not having security as a primary goal is one that takes a *long* time to turn around.

Keep the laptop

[iliketrash]

"The winner, Charlie Miller, gets to keep the laptop and $10,000."

You mean like when your airplane flight is cancelled and the airline offers you a free ticket. Or when the food at a restaurant is crappy and they give you a coupon to eat there again.

Re:Keep the laptop

[MobileTatsu-NJG]

You mean like when your airplane flight is cancelled and the airline offers you a free ticket. Or when the food at a restaurant is crappy and they give you a coupon to eat there again.

Well.. sorta. It's more like when a company loans you a laptop to hack, then they let ya keep it, then they give ya ten thousand dollars on top of that.

Maybe it's major, or maybe no big deal

[jht]

To me, a web hack to worry about (on any platform/browser) is one that can just be triggered by viewing a compromised page (like happens to most unpatched Windows machines that get nailed by drive-bys). I'm not nearly as worried about ones that require user intervention - clicking on a link, button, or something of the sort.

So if the Mac was tagged by just loading a page that delivered the hack, that's bad. Quite bad. If he had to click and download something (and perhaps defeat the auto-quarantine they use), that's not so much a big deal, though still a hole that needs patching.

One of the things about vulnerabilities on all platforms is that a significant part of the magnitude depends on how difficult it is to exploit. Remote connections to a system that avoid/defeat a firewall are really dangerous. Attacks that require the user to do something stupid are inevitable, but far less dangerous.

Thus far most of the Mac vulnerabilities have been the second type. Luckily.

Re:

[jerw134]

If it were in my neighborhood, I might go by and pick one or the other up (if no one beat me to it). I want a lightweight portable to take on the train.

Yeah, I'm sure you could just drop by and win one of the laptops. You dolt, these people have been preparing for this contest for the better part of a year, and the Vista and Linux laptops still weren't hacked by the end of day two. I can tell by your posts that you're not that smart, so I have no idea how you think you'd win either of the laptops.

Day 2 results

[Nightspirit]

If you look at their blog it seems the Vista and Ubuntu laptops are still not hacked yet at the end of day 2:
http://dvlabs.tippingpoint.com/blog/2008/03/27/day-two-of-cansecwest-pwn-to-own---we-have-our-first-official-winner-with-picture [tippingpoint.com]

Safari holed, so Apple pushes it to Windows ;)

[Marbleless]

So it is just coincidence that Apple are now pushing an unsafe Safari to Windows users (http://apple.slashdot.org/article.pl?sid=08/03/27/129236)?

Or am I being a conspiracy nut? ;)

Good.

[brainfsck]

I'm typing this on a Macbook Pro running Safari, and I'm happy about the results of this competition. As Apple computers (slowly?) gain market share, they will eventually be forced to significantly adjust their terrible attitude in terms of security.

I would rather have Apple "shamed" into providing me (and other OS X users) a more secure web browser/operating system than gain some pathetic "my system is more secure than yours" bragging rights.

Can't wait to find out what and how

[SpeedyG5]

I am an apple fan and enjoy a lot of their products.

There is no way any system can be perfectly secure, but this is a significant hole. While they probably won't get me to click that stupid link, they might get my mom or any number of the other avg everyday users.

At least now we can get beyond the macs can't be hacked BS and move on to securing my favorite OS and keeping it that way.

Now lets see how long it takes for apple to post a patch, that is really where the rubber meets the road.

I don't get it

[CannonballHead]

Can't we admit that, for whatever reason, the Air/Safari was easier hacked than Vista/IE7? I know this is an unpopular bandwagon to be on, especially on Slashdot, but it seems there's no two ways about it. I refuse to believe that it was a conspiracy and that every hacker was actually just trying to hack the Air and make Ubuntu and Vista pass, that's stupid. If I were a hacker, I'd totally hack the EASIEST one simply to get the $10k and the laptop. And if there were known or open vulnerabilities, it should have fallen in what, 30 seconds?

Seriously, it's not a huge deal. If we, like good open source cronies, admit that there was a problem with *gasp* part of the Apple software/laptop combo (whether it was Safari or the OS or whatever), then maybe it will be fixed. Isn't that the main idea here? I thought the point of these things were to discover vulnerabilities so that they could be fixed, not to place bets on Microsoft falling and go up in arms if it doesn't.

Unless, of course, we really aren't interested in open source software or good software at all, but are more about claiming a company name as our own.

Tags?

[dreamchaser]

If a Vista machine had been first there would be a 'haha' tag on this article, as well as on yesterday's article talking about how MS issues patches faster.

Just sayin...

A real hero

[Fulkkari]

The successful hijacking took place only two minutes into the second day of the competition, after the rules had been relaxed to allow the visiting of websites and opening of emails. The TippingPoint blog reveals that the vulnerability was located within Safari, but they won't release specific details until Apple has had a chance to correct the problem. The winner, Charlie Miller, gets to keep the laptop and $10,000.

In other words this guy most likely found a security bug in Safari, but instead of reporting it directly, made an exploit and waited for a hacking contest to get a monetary benefit out of it. A real hero. Or maybe he was just quick. Which seems more plausible?

Re:

[Weedlekin]

"In other words this guy most likely found a security bug in Safari, but instead of reporting it directly, made an exploit and waited for a hacking contest to get a monetary benefit out of it."

So what if he did? As somebody who uses a Mac (and Linux, and Windows XP), I'm much happier with him having taken this route to gaining from the exploit than the one so many Windows hackers use of putting it up for auction to the highest bidder, or the Month Of Apple Bugs tactic of making exploits public before giving

Re:

[quacking duck]

All bugs should be reported immediately to the developer. Period.

(Giving up my spent mod points to reply to this)

I agree, in principle.

From a practical POV though, who's to say this guy would even bother finding obscure (one hopes) security holes anyway, without the financial and other incentives offered by this contest?

Black hats are often funded by criminals. May as well offer a carrot to the White/gray hats so they don't get tempted by the dark side.

Re:

[quacking duck]

Personally I have been toying around with the idea of government enforced requirement of 3rd party audits for comercial software. Not only would this create a new software auditing business, but also improve software quality and not only in security.

The government should have no part in regulating software. The government is utterly incompetent when it comes to tech issues, and they can't even fund their patent system with sufficiently technical people to reject frivolous patents. A specific software audit

Maybe Apple will get serious about security now

[shatfield]

I am worried that Apple is assuming too much about the security of the Mac OS X operating system. I am a long time user (since first beta) and it has been an incredible ride, but I'd really like for Apple to "step up" and take this bull by the horns and let the world know that they are very serious about security and eliminating *any* means of intrusion, either automated or user driven... and not just rely on the FOSS community to remedy the security problems in the software that they have incorporated into the OS.

Just as long as they don't implement some Vista like "Allow or Deny?" crap... God that would drive me *nuts*!

Reality will disappoint morons.

[DECS]

While the quick win makes for a perfect headline and reflects the Hollywood image of "hackers" that twiddle on a keyboard and almost instantly "access the mainframe" while a counter runs in the background, a more intelligent question is: why did the Mac get hacked first, and why was the attack so quick?

CanSecWest and Swiss Federal Institute of Tech Deliver Attacks on the Reality of Mac Security [roughlydrafted.com]

Ho-hum

[Anonymous Coward]

The thing I enjoy most about the responses to this article is the rather predictable "Ha, so Apple DOES suck!!! Take that fanbois!" responses. It's certainly true that this is an important find and that an exploit in the wild is something to be concerned about. But the point of this is really that there's no such thing as a secure OS yet (and there probably never will be). Not unless you've removed the power source from your system, encased it in concrete and sunk it to the bottom of the sea.

The perceived general level of security in a system can be directly correlated to the most recent compromise of that system. The fact that the Linux and Windows systems involved in this contest have not yet been compromised does not indicate that they are more or less secure in a general sense than the Mac. It does indicate that no one has found the vulnerability that inevitably lurks within the kernal or a piece of installed software on those system. But rest assured, the exploits are there.

"FireFox is more secure than IE", you say on Monday. Then Slashdot posts "HUGE FRIGGING HOLE FOUND IN FIREFOX: DOOM!!!" on Tuesday. And suddenly the absolute statement you've made sounds silly.

If you don't believe this is true, try this: get hold of a system exactly like the ones currently considered "unhackable" in the contest and disable any automatic updates (and don't install any manually). Wait three months and then compare that system against one with the most recent updates. You're sure to find that your unhackable system is now full of known exploits and security holes.

The systems we rely on today are very complex and in a very real sense cannot be completely understood. There are techniques that can make them generally more secure and all of the OS developers are working to bring these features online every day. Some are better than this than others (or so it seems), but they all do it. Even Microsoft. But the thing about security is this: the bad guys only need one hole and the good guys have to cover all the bases.

The only real security in a system comes from user practices, not software. If you don't install updates on your system, it will be vulnerable. If you don't consider HOW and where you use your system, it will be vulnerable. In other words, the core component in a secure system is YOU.

It's probably true that there is a "most" secure OS and a "least" secure OS right at this moment. Take a guess which is which and you might even be correct. But there's no absolute answer that will be true tomorrow. We need to stop with the absolutes and "MY FLAVA ROCKS YER FLAVA" hyperbole and start to think more like real security experts do. The next big hack for your favorite OS is just around the corner. And there's no doubt about that.

Re:I think this section is relevant

[chubs730]

Pretty much says that a laptop widely meant for home users was only compromised when allowed access to some of the most widely used applications? I'm not sure what you're trying to say (or not, rather) but a hole in safari is a bit of an issue; unless of course you're just concerned with that server running on your Air ;).

Re:

[chrome]

Depends if it was a "view this page and you're 0wned" exploit or a "view this page, click accept through some requests, etc" exploit as to how dangerous it is.

But as a mac user .. will be using FF for a while until apple patch ;)

Re:I think this section is relevant

[nmb3000]

Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but on Thursday the rules were relaxed so that attackers could direct contest organizers using the computers to do things like visit Web sites or open e-mail messages.

Pretty much says it all.

Wow, at +4 already for just quoting the summary and tossing in a vague and meaningless sentence.

So anyway, what exactly is it saying? The only thing I see there is that a completely passive attack (that is, absolutely no user interaction, like many well-known worms worked) failed. Once this part of the test was passed they allowed interactive attacks (where the user must assist the attacker in some way). Since this is how nearly all malware and malicious software spreads these days, I don't see anything wrong with this. Aside from just attaching hardware to the network, a web browser and email client are the two applications with the most Internet "surface area". As all major operating systems come bundled with a primary browser (IE, Safari, Firefox) a flaw in the browser essentially amounts to a flaw in the OS. It seems natural and obvious to put them to the test.

Re:

[mrbluze]

Pretty much says it all.

Yeah. A Laptop is safe, even connected to a network, provided you make no contact with the network as the user.

Like my car - very very safe as long as you don't back it out of the garage.

Re:

[recoiledsnake]

Uhh what? The Air has nothing to do with it. All fully patched machines running OS X with the latest Safari 3.1 are vulnerable to this exploit. And you mean a exploit targeting fully patched Vista SP1 or Ubuntu 7.10 won't make headlines? Think again.

Re:well, tFriendlyA does mention

[recoiledsnake]

as more than one person mentions above,) ... that the attack on the mac was the first attempted hack under the relaxed rules. I think it's clear that the hacker wanted the mac, especially since there are known open vulnerabilities that could have been used on MSIE, and some highly probable directions fairly well known on Firefox.

You've lost me. Where does it say that the mac(apart from your 'persons above' handwaving) was the first attempted hack under the relaxed rules? Go read the site. It says that all three laptops were tried all day and the Mac was removed from the competition because it failed to survive the second day. The others did. Under the same rules.

especially since there are known open vulnerabilities that could have been used on MSIE, and some highly probable directions fairly well known on Firefox.

So there are known open vulnerabilities in IE7 and Firefox and no one wanted a free 10k in cash (20k in total) for just running them plus 2 expensive laptops? Are you kidding me?

We know that the browser is vulnerable. Anyone who thinks general purpose browsers are invincible is living in a dream world.

IE7 on Vista runs in a sandbox. This kind of attack on IE7 wouldn't have worked without another hole compromising the sandbox. Stop coloring all the browsers with the same color just because the one you use got pwned.

Re:

[EraserMouseMan]

Um, wtf does Safari have to do with HP (or anything but Mac)? Nobody uses Safari except Mac users. Nobody.

Re:I wouldn't be surprised..

[EraserMouseMan]

The Mac was hacked 2 minutes into day 2. After day 2 was over no other OSs or browsers had been hacked. Period. Give it up. Safari sucks. The web is a jungle. Tame it by not using Safari on your Mac.

Re:right

[recoiledsnake]

And the karma-whoring RDF sets in.

anyone who either has physical access to the computer being attacked or can convince the user running the machine to install/download anything is capable of breaking pretty much any OS they want.

So no one wanted 20k of cash and expensive windows and linux laptops? Why weren't anyone able to hack the Windows and Linux laptops? They did not have physical access to the machine. Nothing was downloaded or installed manually. Only a website hosted by the attacker was just visited by the organizers on the browsers and mails were opened(attachemnts were not) and read.

The fact that they had to relax the rules so that the Mac could be broken into illustrates this nicely.

The fact that inspite of the relaxed rules, the Windows and Linux laptops were not broken into, illustrates totally something else. I will let you guess it. They are going to further relax the rules tomorrow to include third party applications to make it even easier to hack. Unfortunately, the Mac won't be there because it didn't make it to the third day.

Re:right

[moderatorrater]

people simplify the problem to "Mac suxorz" when it really isn't that simple.

Really? Because I see the Mac having come out as the clear loser in a head to head contest on a level playing field against the two biggest competitors it has in the laptop market. Seems pretty simple to me.

Re:right

[Your.Master]

No other exploit came at all today. There's still thousands of dollars to be won. The motivation for the entire day less two minutes was fully on Windows or Ubuntu. But they didn't crack yet.

It's not a guarantee that the first to fail is the weakest, there's definite elements of chance and some complex interactions. But it was done with Safari, which is part of the default distribution of a Mac and it's not exactly easy to not use Safari for at least long enough to download Firefox.

Re:

[wizardforce]

While having physical access to a machine makes it 80% vulnerable, the rest 20% seems to be OS driven.

considering who is doing the attacking I'd bet that physical access would make these comps 100% breakable. all that needs to be done is reset the bios and pop in a live cd and it's game over.

Am surprised that Mac OS X didn't prompt the user for root password at all.

I know... it shocked me that installing software often didn't require any sort of authentication what so ever...

Bottomline: Microsoft has

Re:

[recoiledsnake]

considering who is doing the attacking I'd bet that physical access would make these comps 100% breakable. all that needs to be done is reset the bios and pop in a live cd and it's game over.

So why was a unpatched security vulnerability in Safari needed if it were so simple? There was no physical access provided. Give some credit to the organizers, they're not dumbasses to give $10k in cash and a expensive laptop to the first contestant that jogs into the competition.

I know... it shocked me that installing software often didn't require any sort of authentication what so ever...

Because the code ran under Safari's privileges, i.e not root but user.

you could look at it this way: cracking anything Windows is pretty much nothing special, it's being done on a massive scale botnets and zombies considered- what is perhaps a ncier target is a 2,000 dolalr macbook that claims to have a lot higher security than windows. motivation being the biggest security danger of them all.

The Sony VAIO TZ37CN Ubuntu laptop costs $2300+ You mean no one wanted that and 10k in cash when "all that needs to be done is reset the bios and pop in a liv

Re:

[wizardforce]

So why was a unpatched security vulnerability in Safari needed if it were so simple?

which is because

There was no physical access provided.

"all that needs to be done is reset the bios and pop in a live cd and it's game over."?

try doing that when you don't have physical access to the machine in question. It seems that Safari is Mac's equivalent of Internet explorer in that it can be a major security problem. it's something Apple really needs to get under control lest they actually become as fubared as

Re:

[jerw134]

It seems that Safari is Mac's equivalent of Internet explorer in that it can be a major security problem.

Except for the fact that IE7 on Vista has proven that it's not a security problem. Safari is the equivalent of IE5.5, meaning Apple is 8 years behind as far as browser security goes. Microsoft spent those 8 years learning some very tough lessons, while Apple just sat around laughing at Microsoft. Then when Apple decided to make their own browser, they made all of the same mistakes Microsoft did years ago.

Re:

[wizardforce]

the security flaw was in Safari- probably a buffer overflow allowing arbitrary code to be executed. had safari been on any other OS with that flaw the other OSes would be fscked as well no questions asked. something like SElinux or Apparmor on the *nixes can help defend against things like that to a point but it won't stop them all. bottom line: the OS is a big chunk of the problem but software flaws and help from PEBKAC makes things a whole lot worse.

Re:And in other news.....

[chubs730]

"We Love Microsoft and Hate All Things Apple."

O_O Are we on the same slashdot?

Re:And in other news.....

[linumax]

"We Love Microsoft and Hate All Things Apple."

O_O Are we on the same slashdot?

We all are on the same website; some posters though, are inside the Reality Distortion Field.

Re:

[TobyWong]

I must have missed all those pro microsoft articles here...

Re:And in other news.....

[recoiledsnake]

All Apple products cause herpes.

Maybe the articles are just pointing out that the Apple products you worship are not without their faults?

Come on guys the Mac/Apple bashing articles are really getting silly.

Yea lets bury this news article then just because it's anti-Apple? You're the one blaming the messenger(Slashdot) for posting news. Maybe you should blame reality for all the 'Mac bashing'.

Re:And in other news.....

[Cairnarvon]

There needs to be a "-1, Divorced From Reality" mod. That's a powerful persecution complex you have going there.

Re:Contest rules...

[Nightspirit]

According to secunia Vista has 2 minor vulnerabilities unpatched, Ubuntu 0, and OS X 6 vulnerabilities.

Re:

[recoiledsnake]

Are you for real? Did you bother reading that article and seeing the fine print? The laptops were tested in parallel all day and Mac fell first, the other two were tested for the rest of the day and weren't hacked so they go to the next round with relaxed rules(3rd party s/w installed). It's extremely funny that you did exactly what you're accusing others of doing. Nice self-pwnage.

Re:It Might Have Been Harder if...

[moderatorrater]

You're right. With a stricter firewall, the browser wouldn't have been able to fetch anything over the internet at all.

Re:Inquiring minds...

[moderatorrater]

Does "first to be compromised" mean the only one to be compromised?

At this time, it was the only one hacked. The contest continue tomorrow.

Is the contest completely over once one machine is cracked?

It continues tomorrow with more 3rd party apps installed that can be used to break into the system. I don't see much chance of the other two making it through tomorrow, but that depends on the programs they install.

If not, were Windows and Ubuntu cracked minutes or hours after OS X?

They're both still un-cracked.

Does using Firefox on OS X make it uncrackable?

If you plug one hole in a sieve, will it hold water?

Was each OS required to use it's own browser: IE, Safari, and Epiphany?

They had to use the software that comes pre-installed on the machine.

Since Firefox works on all 3 systems, wouldn't that be a better gauge of OS security?

Only if Firefox came preinstalled on all 3 systems.

Where did I come from?

Your mother's vagina. Hopefully you've never been back.

Why is the sky blue?

Do I look like Einstein?

Re:

[Allador]

Well, there's some truth to that.

However, there's also a $10,000 prize for today.

And despite that, neither the vista box nor the ubuntu box were hacked at all on day 2.

Day 2 allowed user interaction (like browsing to a website) but only allowed targeting software that ships with the product.

That being said ... there was one unusual rule. Only non-published exploits could be used. So, for example, if there was a published but still unpatched vuln in vista or ubuntu, those couldnt be used.

So part of this wa

Re:

[freedom_india]

because OS X has a reputation for being virus and malware free

Ahh... a slight correction: Till now no known malware exists for OS X because none was developed.
After all why spend so much money to develop walware or virus for a system that is being used by one half of the 5% of population who happen to surf to a website.
Costs include Apple Developer's Program, buying a Mac to develop and Test (and everyone knows its not as easy as Visual C++), and assorted tools.
Too much effort for a reasonable payoff.
And secondly Mac users tend to be richer, well-studied and well-off

Because the prize was 10k

[hassanchop]

You fanbois are embarrassing, the second day prize was $10,000. I know inside your reality distortion field people will give up 4+ Macbook Air's worth of prize money just to get a single Macbook Air, but the rest of us aren't rabid fanbois so we find this logic a little thin.