Printed from http://www.electronista.com

MacBook hacked in security contest

updated 10:10 am EDT, Sat April 21, 2007

One of two "honeypot" MacBook Pros at the CanSecWest security conference has been successfully hacked, according to officials. The Vancouver, British Columbia event had established a contest to gain user-level shell access in Mac OS X over a wireless network. That goal was met only after contest hosts eased the rules and allowed security experts to attack with code delivered through malicious websites instead of directly compromising the OS itself.

The successful hack was written by Matasano Security researcher Dino Dai Zovi and implemented by engineer Shane Macaulay; together the team took nine hours to craft an exploit for Apple's built-in Safari browser. CanSecWest managers wouldn't elaborate on details but confirmed that the hack was genuine.

"At this point all we can say is there is an exploitable flaw in Safari which can be triggered within a malicious web page," they wrote. "Of course all of the latest security patches have been applied. This one is 0day folks."

Macaulay is expected to win the MacBook Pro in question as part of the contest rules, while Dai Zovi is claiming a $10,000 prize established by 3Com for any exploit used during the challenge that was confirmed as a zero-day attack, meaning one that is exploitable before the software developer can react. The remaining system had yet to be broken, and any successful compromise of it must gain complete root-level access to qualify for a prize.

Apple has turned down an opportunity to comment on the Safari flaw and has so far only issued its common response to exploits that appear before their related patches. "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users," said company spokeswoman Lynn Fox.

Despite a lack of known examples of "in the wild" malicious exploits, Mac OS X has recently come under increasing pressure from security teams discovering previously unknown exploits. The now well-known Month of Apple Bugs successfully discovered then-fresh vulnerabilities in QuickTime, Safari, and other components, all of which have forced Apple to release multiple patches to address the security holes in its software.

The April security update released by the Mac maker touches on further Month of Apple Bugs issues, but doesn't contain any fixes for Safari and thus leaves the CanSecWest exploit viable for the foreseeable future. (Photo via CNET)



By Electronista Staff

Comments

  1. Feathers

    Grizzled Veteran

    Joined: Oct 1999

    0

    eased rules!

    So it couldn't be hacked until they moved the goalposts? Don't know if I'd want to play football against any of these guys!

  1. appleisgreat

    Fresh-Faced Recruit

    Joined: Feb 2006

    0

    So what?

    Let them try to hack a Mac under REAL WORLD circumstances. No computer platform is 100% secure. It's easy to hack a Windows PC.

  1. shawnce

    Fresh-Faced Recruit

    Joined: Nov 2000

    0

    missing the point folks..

    This CAN happen under real world situations.

    It is good that Mac OS X is well protected against active direct attack but this Safari issue is real and can result in the system being compromised.

    It is amazingly easy to get folks to visit a website and it really is something that users should expect to be safe and do expect to be safe... the web of blogs, discussion forums, ad content, etc. allows for all kinds of easy ways to get a user to visit a malicious page that could attack this vulnerability.

    I am glad they are reporting it to Apple responsibly but it is too bad that Apple (and possibly WebKit open source review) didn't find it first. ...but things do get missed in complex software.

  1. shmoolie

    Junior Member

    Joined: May 2002

    0

    re: missing the point...

    Fact is that computers are vulnerable to malicious attacks via internet browsers because customers would never accept the alternatives. This is a basic point about social interactions and has nothing to do with a specific computer platform. As long as there is an open internet there will be major vulnerabilities capable of wreaking havoc on a system. Deal with it.

  1. aristotles

    Grizzled Veteran

    Joined: Jul 2004

    0

    All OS vulnerable to user

    But I think shawnce is glossing over the fact that once again OS X in its default configuration was invulnerable to remote exploits and attacks. This has been true since 10.2 at least.

    A Windows machine put on the internet in the default configuration prior to XP SP1 would have been owned within seconds.

  1. resuna

    Fresh-Faced Recruit

    Joined: Jan 2005

    0

    it's a win-win solution

    "Fact is that computers are vulnerable to malicious attacks via internet browsers because customers would never accept the alternatives."

    Customers are never presented with alternatives. Fixing the flaws in Safari wouldn't cause customers any problems: using a download manager that gives you the option of opening the file, examining it, viewing it in Finder, and so on would be more convenient for the user since they wouldn't be presented with the necessity of making spot decisions about whether to open files or allow installers to run... they could examine and open downloaded files at their leisure. In addition applications could provide sandboxed versions to be used when opening documents from the download manager... for example, back when word macros were the usual medium of attack we used to use "Word Viewer" as a sandbox for opening Word documents since it didn't support macros, and one of the nice things about Netscape at the time was that it used its own application database so we could have Word files in web pages opened in this sandbox.

    Fixing these problems would actually improve the user experience and give them more *justifiable* confidence in the security of the system.

  1. resuna

    Fresh-Faced Recruit

    Joined: Jan 2005

    0

    lost message?

    Damn, my first post didn't get posted... and this stupid page has broken "back".

    Makes my "win-win" message confusing.

    In it I described a couple of simple things that could be done to improve the security of web browsers on Mac and Windows, by changing from a model where desktop applications are assumed to be able to handle untrusted documents to one where only applications that explicitly register themselves for use on untrusted documents would be available from browsers.

    I will try and reconstruct the whole message from memory because it's gone from my browser cache.

  1. resuna

    Fresh-Faced Recruit

    Joined: Jan 2005

    0

    open up your players!

    The other day I happened to be in Frys Electronics and I decided, since I'd given my daughter my iPod after she broke hers and the store I bought it from refused to honor their extended warranty because the sales-clerk had made a mistake in copying down the serial number and I hadn't caught it (my eyes are not good enough to easily make out those teeny letters on the back of the iPod).

    So, first... a side comment: Apple's preferred codec for music is what they call AAC but everyone else calls MPEG-4. Internally, Apple's file extensions are "m4a" for MPEG-4 audio (AKA unencrypted AAC), "m4v" for MPEG-4 video, and "m4p" for Fairplay-encrypted MPEG-4 (AKA encrypted AAC). Apart from "m4p" none of these are Apple-proprietary and anyone *could* implement them. In fact, I have played unprotected AAC music in MPEG-4 players just by changing the file extension from "m4a" to "mp4".

    Obviously, none of the other players were iTunes-compatible to the extent of being able to play "protected AAC"... but almost none of them could play MP4 music at all. Only two of the flash-based players supported anything but Microsoft's proprietary codec (WMA) and MP3. One also supported Ogg-Vorbis, and another by Sony supported AAC as well as Sony's proprietary format. I've got a few hundred tracks from the iTunes music store. I've got thousands of tracks from my own CD collection (which is perfectly legal, this is not "stolen music" thank you very much). I can handle re-encoding a few hundred tracks (in fact I've already done that), but not to throw away all the time I've already spent ripping my CD collection.

    I didn't care for the Sony player, so I didn't buy any of them. Why should I? Even if I was willing to go through the work of re-ripping all my CDs, I'd have to (legally) re-encode most of my (legally purchased) CDs into the lower quality or bulkier MP3 format, or switch to Microsoft's music software (with its inherent security holes).

    So the real "lock in" to the iPod has nothing to do with Fairplay. It's due to the decision of the people making the players not to include MPEG-4 capability in their players... instead, they've bought Microsoft's promises and are suffering buyer's remorse.

    Until they start shipping players that play (non-proprietary) MP4 (AAC, M4A) files they have no business complaining about Apple's format "locking them in". They did it to themselves.

  1. shmoolie

    Junior Member

    Joined: May 2002

    0

    re: missing the point...

    "Customers are never presented with alternatives. Fixing the flaws in Safari wouldn't cause customers any problems: using a download manager that gives you the option of opening the file, examining it, viewing it in Finder, and so on would be more convenient for the user since they wouldn't be presented with the necessity of making spot decisions about whether to open files or allow installers to run... they could examine and open downloaded files at their leisure. In addition applications could provide sandboxed versions to be used when opening documents from the download manager... for example, back when word macros were the usual medium of attack we used to use "Word Viewer" as a sandbox for opening Word documents since it didn't support macros, and one of the nice things about Netscape at the time was that it used its own application database so we could have Word files in web pages opened in this sandbox."

    These are the kinds of example I meant when I said that customers wouldn't stand for it. Yes, you and me and other "power users" would benefit but the millions and millions of "regular" computer users (on all platforms, not just Mac OS) don't want to have to open their files in a "sandboxed" app. They don't want to be presented with dialog boxes where they have to make a choice every time they want to do something. They don't want to put their admin passwords in each time they go to a different website. This is reality. This is why hacking via the internet browser will always be an issue no matter what OS a person uses. There are always going to be exploits that haven't been thought of.

  1. shmoolie

    Junior Member

    Joined: May 2002

    0

    re: opening up your playe

    ..and you are posting this here why?
