
MacBoobsPro

macrumors 603
Jan 10, 2006
5,114
6
This kind of stuff makes me laugh. :rolleyes:

Ok people, try and break into the house. By the way, we've left this window open and the alarm is switched off. :rolleyes:

RULE CHANGE:

If that's too hard for you, there's a key under the doormat.
 

odedia

macrumors 65816
Nov 24, 2005
1,047
157
Vulnerable web pages will always be a problem. Apple can't do anything if the web site itself was designed in the wrong way which leads to buffer overflows, cross-site scripting, code injection or any other thing. The O.S. is "dumb", as it should be. It is the responsibility of the Web developer to have proper input validations before doing anything with the user-supplied input. This is true for Windows, Macs, Linux, Unix, Mainframes, and Space stations alike :) .
 

deputy_doofy

macrumors 65816
Sep 11, 2002
1,467
410
This kind of stuff makes me laugh. :rolleyes:

Ok people, try and break into the house. By the way, we've left this window open and the alarm is switched off. :rolleyes:

RULE CHANGE:

If that's too hard for you, there's a key under the doormat.

Thank you. This is exactly how I feel about the contest.

Step 1: All windows and doors are locked. Alarm is activated.

What? Nobody broke in?

Step 2: Alarm is now off and at least one window or door is now unlocked.

Hahahaha!!!!! We broke into your precious Beverly Hills home!! You said nobody could break in.

I always knew OS X would be vulnerable to some degree if I turned any or all security off. That's just stupid.
 

echeck

macrumors 68000
Apr 20, 2004
1,832
23
Boise, Idaho
That this is at all newsworthy makes it the exception that proves the rule.

Can you imagine a tech headline screaming out: "Windows machine hacked at expo"? Me neither, because it happens thousands of times in the wild every day.

Ha ha ha! Exactly.

The fact that they have to have an expo to do this, and the fact that it's "reward" worthy is hilarious.

I'd like to see one of these with a Windows machine set up. I wonder if they would have to lower the bar? Doubt it.

And this Dino guy sounds like an arrogant jerk. Of course if I was named after a cartoon dinosaur I probably wouldn't be too happy either.
 

displaced

macrumors 65816
Jun 23, 2003
1,455
246
Gravesend, United Kingdom
Righty...

From the looks of it, this is a genuine remote privilege escalation exploit. Details are terse, but if simply opening a specially-crafted website in Safari is enough to trigger the exploit with no further user interaction, then we're looking at the real deal here.

If the specially-crafted page was itself being served by the Mac, then that's a different matter.

But let's assume this is the first scenario. I'm not particularly surprised. The web browser is a real 'crunch-point' for security. Think for a bit how many different chunks of code on your system can get utilised by a single page -- image renderers, decompression engines, plugin architectures and the plugins themselves, javascript parsers, Java... Safari's been designed to be quite a 'sandbox', with extremely limited ability to interact with the rest of the system (unlike IE) .... but it's a big and complex sandbox with a whole stack of technology inside it.

I'm very glad to hear that Cisco, the sponsor of the competition, are handling the disclosure of the bug to Apple. I'm hoping we'll see some comment from the WebKit team on their site -- I'm curious whether the exploitable bug is contained within the open-source WebKit or the Safari 'chrome'. A good indicator would be whether apps such as Shiira and OmniWeb are susceptible -- if they are, it's probably a WebKit problem.

For the time being, I've got a horrible feeling that the tech news web will be unbearable to read for the next week or so. There's going to be mud-slinging... I wish hackers would drop the crappy cult-of-personality they try to foster and behave like the software engineers they really are. Likewise, computer users of all stripes need to stop being so damn childish.

If Apple have not already done so, some manpower needs to be allocated to some thorough auditing of key codebases. They're in a fortunate position: OS X is a relatively clean design -- they just need to ensure that the implementation is as sound as it can be at these security-critical points.

[edit: a few notes...]

The firewall would make no difference. -- The exploit appears to rely on a bug with how Safari interprets malformed pages. The firewall would do nothing to prevent this - only using a different browser.

The rules of the contest -- Initially, the Mac could not be exploited via a local connection. This is good news. It indicates what we've always thought: there's no risk unboxing a new Mac and plugging it straight into a broadband connection. A stock Mac is safe from external attack. However, allowing the hacker to provide a URL for the Mac to visit is not somehow negating the point of the contest. The security of the Mac's default browser is a valid thing to test and in this case, it appears Safari or WebKit has failed. Somewhere along the line, Safari is not validating its input (the page source) correctly and it's getting exploited. If your app is dealing with data you do not create yourself, you validate, validate and validate again.

Security has not been 'turned off' to allow the exploit to happen. The point is: according to this hack, any website with malicious intent can gain remote access to your Mac via Safari. Hell, it doesn't even have to be a malicious site. Several similar Internet Explorer exploits have been unwittingly served by respectable sites whose advertising service has served an exploit-laden chunk of html. But, thankfully, that's all a long way down the road. For the moment, the detail of the exploit is staying private between the hackers, Cisco and Apple.
 

someguy

macrumors 68020
Dec 4, 2005
2,351
21
Still here.
*sits and wonders why his machine hasn't been hacked yet*

I wanna be hacked!!

*disables firewall*

*waits*

*disables Stealth Mode*

*waits*

*installs several GB's worth of shareware and freeware apps from dodgy websites*

*while looking at porn*

*and those sites that bring up Google's malware warning*

*waits*

*sigh* :rolleyes:
 

fimac

macrumors member
Jan 18, 2006
95
1
Finland
Drive by

Great post, displaced :)

IMHO all "drive-by" exploits are a serious problem, because getting people to click on unsolicited links is actually quite easy: remember Anna Kournikova?

For the time being, I've got a horrible feeling that the tech news web will be unbearable to read for the next week or so. There's going to be mud-slinging... I wish hackers would drop the crappy cult-of-personality they try to foster and behave like the software engineers they really are. Likewise, computer users of all stripes need to stop being so damn childish.

Indeed; there will be a lot of "I told you so's" -- but, as some other posters have said, the good news is that the problems are being found and reported to Apple.

If and when criminals exploit vulnerabilities before the security community discovers them, then we are all doomed :p
 

displaced

macrumors 65816
Jun 23, 2003
1,455
246
Gravesend, United Kingdom
Great post, displaced :)

Ta! :) I think I'll set up a blog. Gruber's got Daring Fireball ... I think I'll start Timid Kindling.

IMHO all "drive-by" exploits are a serious problem, because getting people to click on unsolicited links is actually quite easy: remember Anna Kournikova?

Indeed. I hope someguy noticed that I rounded off my post by saying we're nowhere near that kind of situation at this point and I'm really not trying to set off sirens of panic or bells of doom. It's exactly that sort of snippiness that I think makes the wider security community roll their eyes at some of the Mac population.

I was only trying to underline how this sort of exploit makes the web such a minefield for Windows machines. Even respected sites can sometimes inadvertently serve malicious content. Bear in mind that a commercial web page often serves content from numerous sources, notably several different advertising agencies which may not have the most stringent checks on the content they serve.

Indeed; there will be a lot of "I told you so's" -- but, as some other posters have said, the good news is that the problems are being found and reported to Apple.

Absolutely. In fact the more I think about this, the more likely it seems to me that this is a WebKit bug. Note that the actual developer of the exploit wasn't at the conference -- he mailed details of the exploit to an attendee. Now, I wonder if that other guy had been perusing the publicly-available WebKit source code? That's actually quite reassuring. It means people with the right skills can be looking at the code now. Apple can easily get third-party coders to trawl the WebKit source without NDA problems. Sometimes it's a great advantage for someone not involved in the project to evaluate the code. As a programmer myself, I know that the person who wrote it is not always the best person to critique the implementation. Because the original coder knows what the code's meant to do, he or she often overlooks the way it might behave in edge-cases which exploits take advantage of.

If and when criminals exploit vulnerabilities before the security community discovers them, then we are all doomed :p

Again, there's the beauty of having the source open. A good Mac developer can grab the WebKit source, run the hack and watch exactly what happens inside the code. Right then, the point in the code which makes the exploit possible is revealed. Write a patch, get it submitted, regression tested and released. Job done.

('tho all that depends on my assumption that WebKit's the source of the bug... oh, and of course the exploit isn't public, so someone at Apple will be doing the testing and patching).
 

mklos

macrumors 68000
Dec 4, 2002
1,896
0
My house!
Finding holes like this in the system only help Apple progress toward security perfection. It's definitely a good thing. Congrats to the winners. :)

My thoughts exactly! I have few schools of thought for these contests. Yes, it may be a bogus win for that person, but it's still possible it could happen to an everyday user. It helps Apple because they find these exploits in the system and can use this to create a patch. I've always thought Apple should hire a top notch hacker (agreeing to an NDA) to try and hack into OS X every once in a while just to see if they can do it. Then as part of the agreement, have to explain exactly how they got in so Apple can patch it. Don't wait to find out the hard way and then have to scramble to create a patch for it.

The thing I hate about these contests is that all the PC fanboys who know nothing about Macs and just want to bash them will do just that, bash them. They don't care that the bar had to be lowered, or how bogus of an idea some of us think it is.

On the other hand, the fact of the matter is, OS X got hacked and we Mac fan boys don't want to admit it! Some of us have to come and realize that Mac OS X isn't perfect. It can be hacked, it can get spyware, and it can get viruses. It's only a matter of time before it happens. The more we face denial, the more dangerous we are to ourselves and others in the Mac community. Why, because we always think, aw, that's a bunch of crap and do nothing about it. Well, one day this isn't going to be a bunch of crap and it's going to bite a ton of Mac users in the arse.

So go ahead and call me a troll who uses a PC all day long, or whatever. Call me what you want. I've been using Macs since I was 16 yrs old and I currently own over $5,000 worth of Mac equipment. You can visit my website in my signature and see all of my Macs if you don't believe me. BTW, that website is nearly 100% all about Macs and is a slow work in progress...
 

50548

Guest
Apr 17, 2005
5,039
2
Currently in Switzerland
The contest started Thursday morning and the patch wasn't available until Thursday night. They didn't patch it on the fly once the contest began, so it wasn't on the hacked machine. However, we see how they pulled it off now, and the update would have had no impact anyway.

Considerably lowering the security bar to get in had everything to do with it. Either way, they've got quite a long way to go before they prove that OS X is anywhere near as insecure as Windows. Any OS can be hacked given certain circumstances, some are just immensely more difficult to hack than others.

Ah well, in the meantime, we shall continue to wait for the first ever Mac running OS X out in the wild to finally get hacked. It's been 6+ years and 20+ million users so far, and that still hasn't happened.....

In other words, this is just a NON-ISSUE...they HAD to lower the bar in order to allow a bunch of hacking kids to enter the machine...read it as "it DOESN'T HAPPEN in the normal world".

Macs remain practically impervious to any attacks in the wild, without need for antivirus or anti-whatever crap. So this news is just ******** FUD, as usual.

GO APPLE!
 

displaced

macrumors 65816
Jun 23, 2003
1,455
246
Gravesend, United Kingdom
The latest security patch was executed during the contest:

Just to make sure there's no confusion: the exploit was performed after the Macs in question had had the latest Security Update applied.

From matasano.com:

You were wondering if your MacBook was vulnerable even after you applied that last batch of Apple patches? Sean Comeau confirms, “Currently, every copy of OS X out there now is vulnerable to this”. You are. So, uh, switch to Firefox until the patch comes out? Or live dangerously like me.

The suggestion to use Firefox is an interesting one. It gave me an idea on how to put this Safari exploit in perspective (once more, assuming this is a WebKit bug). It's basically a similar bug to the variety which the Mozilla team patch in their 'point-release' updates to Firefox. Check out this page of Firefox release notes.

Once again -- if this is a WebKit bug, claiming the 'Macintosh' or 'OS X' has been exploited because of a bug in the browser engine is just as silly as claiming Linux has been exploited because Firefox has a vulnerability.
 

displaced

macrumors 65816
Jun 23, 2003
1,455
246
Gravesend, United Kingdom
In other words, this is just a NON-ISSUE...they HAD to lower the bar in order to allow a bunch of hacking kids to enter the machine...read it as "it DOESN'T HAPPEN in the normal world".

No. You're misrepresenting the nature of the exploit. From available information, if the details of the exploit were known, it could very easily happen in the real world.

The bug is apparently inside Safari, not OS X itself. Safari seems to have a bug in how it interprets page content, allowing a malformed web page or javascript to run arbitrary code on the machine. This requires the user to do nothing other than browse a web site. This is an unpleasant bug, the kind which has ravaged Internet Explorer's reputation. A hard-and-fast rule of a web browser should be: no matter what is viewed, the local machine should not be exposed. Please re-read my earlier posts.

Macs remain practically impervious to any attacks in the wild, without need for antivirus or anti-whatever crap. So this news is just ******** FUD, as usual.

GO APPLE!

It is not FUD. Safari has a bug. Try not to reply to the misinformed idiots who claim this is an OS X hack with rants about viruses which are irrelevant to this particular bug. The bottom line is: if this exploit were in the wild, every single shipped copy of Safari would expose the machine it was running on if it encountered the malicious page. Don't try to gloss over that fact -- it doesn't do the Mac world's reputation any good.
 

displaced

macrumors 65816
Jun 23, 2003
1,455
246
Gravesend, United Kingdom
Ok ... I think I've managed to get a handle on how to explain the 'bar being lowered' thing.

We should not try to pass this off as 'yeah, but they made it easier...'

Initially, the competition was to exploit an out-of-the-box Mac, fully patched, via a local network connection. This failed, which isn't particularly surprising. Securing a machine from network-based attack is actually pretty easy. Just don't have any services listening on any ports. You don't even need a firewall if there's nothing listening. Macs, by default, don't have any accessible TCP/IP services running.

But let's imagine the implications of what a successful hack of that nature would've meant. A hacker would have to have connected directly to my machine. Most Macs probably connect to the internet via a router of some description, so that'd be a difficult challenge in and of itself. If it was an AirPort exploit, the hacker would need to be physically near me.

Overall, not too concerning. Nothing a bog-standard firewall or router wouldn't fix.

Now, look at the actual exploit that's taken place. All that's required is that I visit a particular page with Safari. Firewalls, routers, whatever. None of that would prevent this hack. There's multiple ways of driving traffic to such a malformed page: Spam email featuring the link, subverted advertising service, DNS poisoning, link spamming of forums...

They did not 'lower the bar'. They simply allowed a different form of attack. If anything the second form of attack is actually more of a concern. It's easier for the hacker to deploy and tougher for the Safari user to guard against.

But just a few points to round off:

- OS X was not remotely hacked.

- Safari has a client-side bug which is remotely accessible

- This is not surprising. Just ask any other browser vendor

- Although this bug is a possible vector for the installation of spyware, viruses, etc., the bug is not currently in the wild.

- Apple need to deal with this promptly. The bug is the 'real deal', and as such, Apple need to show they can respond adequately.
 

diehardmacfan

macrumors regular
Mar 12, 2007
204
0
I wonder what that URL is?

That's dangerous because that means that anybody with experience can go into someone's computer and sabotage it.
 

Telp

macrumors 68040
Feb 6, 2007
3,075
25
I really don't think there is anything to worry about. With so few viruses for the Mac, anything that resembles anything like one will be hitting the news. Whereas with Microsoft users it's like "ANOTHER VIRUS!! ... oh well" they are just used to it by now, and I have talked to a lot of friends using Microsoft and they don't really care at this point. It's just part of their everyday life. Whilst a little thing like this is big news for a Mac, even tho all security settings were probably off. Oh well...
 

DaBrain

macrumors 65816
Feb 28, 2007
1,124
1
ERIE, PA
the rules for the hack a mac contest were relaxed on Friday after nobody had won the contest on the previous days. In the relaxed set of rules, a URL was provided that exposed Safari to a "specially-constructed Web page"

The above says it all! What a Farce!!!

Let's see, you can't steal my car, but wait, I'll leave my keys in the ignition and the doors unlocked! Whoa! OMG! Someone stole my car! Wow! What a shocker!

Nonsense!
 

displaced

macrumors 65816
Jun 23, 2003
1,455
246
Gravesend, United Kingdom
the rules for the hack a mac contest were relaxed on Friday after nobody had won the contest on the previous days. In the relaxed set of rules, a URL was provided that exposed Safari to a "specially-constructed Web page"

The above says it all! What a Farce!!!

Let's see, you can't steal my car, but wait, I'll leave my keys in the ignition and the doors unlocked! Whoa! OMG! Someone stole my car! Wow! What a shocker!

Nonsense!

No. It's. Not. Deary me....

The mode of attack was changed. The attack is still valid. Opening a specially crafted page in Safari will allow the hacker to gain access to your machine as the current user. That is a hack. There are no keys being left anywhere. There is no farce. The hacker created a malicious site. The URL of which was opened on the fully patched Mac, and the Mac was exploited. This is a real hack and it's one which Apple need to fix soon in order to show their responsiveness. Luckily it is not in the wild.

[edit:] The simple fact is, a web browser should never grant a web site unfettered access to the local system. This exploit shows that Safari seems to currently have a bug which allows this. Please, everyone, stop making excuses and start looking to Apple for a fix and the WebKit/Safari teams in particular for some steps towards checking the WebKit/Safari codebase for similar bugs.
 

shigzeo

macrumors 6502a
Dec 14, 2005
711
77
Japan
some publicity

well, it would be nice to have some publicity on this, loads more. even if it was a contest where the standards for the hack were lowered and the machine given code in order to break it - let yahoo, the register, everyone publish this. if apple can wake up even to sleeper and aided attacks - we will reap the benefits from bad press.

let's get some more hack conferences!
 

shawnce

macrumors 65816
Jun 1, 2004
1,442
0
Finding holes like this in the system only help Apple progress toward security perfection. It's definitely a good thing. Congrats to the winners. :)

Yeah and oh I wish folks would stop talking about them relaxing the rules... makes you sound foolish. I would be happy that Mac OS X is well protected against active direct attack (very good thing) but not dismiss this issue.

The simple fact of the matter is that a remote exploitable vulnerability exists that a Mac user can stumble on by visiting links say in a forum like this. I bet most folks here are comfortable visiting links posted here (you know you want to click Dance Monkey in my signature).

Too bad this issue slipped thru Apple and open source review (unless the issue is outside of WebKit) but I am glad these folks will do the right thing and post the information to Apple responsibly.
 