Is OS X secure? Yes.
The argument can be made that OS X is a more secure os than Windows.​

Does it have vulnerabilities? Yes.
I think we have seen here, and in other reports throughout the years, that it's not impenetrable. The mac community should own up to that.

Are these vulnerabilities exploited on a daily basis? No.
The reason? money. Hackers hack for money. The idea of "being the first to hack a mack" is ridiculous, I think the only group keeping that argument alive is the mac community. Hackers know there are vulnerabilities, but they don't care because the return on investment for them is paltry. Less fish in the ocean means less caught fish. However the other reason is the mac community is SMARTER than the average pc user. You know more about the computer, the internet, and you pay close attention to your system, and are probably less susceptible to "click on this icon for male enhancement". Give yourself a pat on the back.​

Will these vulnerabilities be exploited on a daily basis in the future?

dunno, if market share gets large enough, sure.​
 

displaced

macrumors 65816
Jun 23, 2003
1,455
246
Gravesend, United Kingdom
This article seems to point to a Javascript exploit. So, it's a problem within Webkit's JavaScriptCore.

As a point of interest, the code for JavaScriptCore, as found on the exploited Mac (and, indeed our Macs too) is here.

I'd imagine the Webkit crew will be all over that code in the coming days.

I wonder how much of this code is also part of Konqueror, with which Webkit shares much code.
 

richinspace

macrumors newbie
Oct 11, 2005
21
0
Oh well. When all details on this hackorama have been sorted out, and when all opinions about it have been expressed, the facts at our company will still remain – the entire park of Windows machines continuously gets hit by hacks and viruses, but not a single one of all our Macs (>25) has been struck ever (first one bought in 2001)!
:apple:
 

EagerDragon

macrumors 68020
Jun 27, 2006
2,098
0
MA, USA
Is OS X secure? Yes.
The argument can be made that OS X is a more secure os than Windows.​

Does it have vulnerabilities? Yes.
I think we have seen here, and in other reports throughout the years, that it's not impenetrable. The mac community should own up to that.

Are these vulnerabilities exploited on a daily basis? No.
The reason? money. Hackers hack for money. The idea of "being the first to hack a mack" is ridiculous, I think the only group keeping that argument alive is the mac community. Hackers know there are vulnerabilities, but they don't care because the return on investment for them is paltry. Less fish in the ocean means less caught fish. However the other reason is the mac community is SMARTER than the average pc user. You know more about the computer, the internet, and you pay close attention to your system, and are probably less susceptible to "click on this icon for male enhancement". Give yourself a pat on the back.​

Will these vulnerabilities be exploited on a daily basis in the future?

dunno, if market share gets large enough, sure.​

I agree almost 100% with you. Nothing is secured if it has vulnerabilities even if they are not exploited. I am not aware of any OS that is secured.

Is OSX a heck of a lot more secured than windows??? ..... You bet, and by a long shot.

Can we sleep in our laurels? Nope, there are vulnerabilities, if they are discovered by White Hats we are good, if they are discovered by BlackHats we are in trouble. Apple should encourage more of this so they are found by responsible people even if there is publicity.

As more vulnerabilities are discovered the better the OS gets.

I had some of the most senior code reviewers from Microsoft at my company briefing us and we them, on how code reviews for security are conducted. I can tell you that they are good and that most of the new code is being properly code reviewed, however they have two major issues:
a) A big ass backlog of old code from previous versions that they can not review and even if they could, changing it would break applications
b) Design functionalities to provide all sorts of flash that they can not make secured otherwise they miss too many deadlines or have to remove the feature because it can not be secured. Management wants those features and are willing to take the risk. They perform what is called "Risk Management".

They could be better but they are good and they deserve praise for the window users.

Besides looking at our own code, I and my team also review a lot of Open Source code (some used by OSX) and we find issues there also. To date, we have probably looked at 30 million lines of open source. However by policy we fork the code and fix the issues in our own copy but never tell the original developers of the code about the problems we found. Sometimes we have to fix the same issues multiple times as newer versions come out because we do not let the developers know. It is up to management and Legal to do so or not. Sometimes we do not allow our developers to use some of the open source because the functionality or the code is really bad and not worth for us to fix in the current version. Sometimes we wait until it has matured more.

While I don't like it I have to live with it.

Don't flame me for the sins of those I work for.
 

ElderBrE

macrumors regular
Apr 14, 2004
242
12
Might be wrong but it sounded like the page was hosted at the Macbook? In that case, this whole ordeal is minimal isn't it?

Maybe I'm just imagining things.
 

EagerDragon

macrumors 68020
Jun 27, 2006
2,098
0
MA, USA
Might be wrong but it sounded like the page was hosted at the Macbook? In that case, this whole ordeal is minimal isn't it?

Maybe I'm just imagining things.

Very likely it was hosted internally, they needed the proper hack, so to keep secrecy and not let others know, you host a web server in either the local machine or some other one close by so you can try the hack and different variations. Remember it is likely a very tailored hack stored and served in a web server and its location is not that important. What is important is knowledge of the weakness, so you can create the proper hack. Once it is known, someone will place a real attack in the Internet and lure users there using any pretext. They can also do what is called DNS poisoning so that when you resolve an address such as (for example) http://www.google.com or http://www.apple.com, the IP that comes back to the browser is the IP of the hacker site and not the IP of Google or Apple. This sort of thing does happen even if it is hard to believe.

Not that different from what they do to get you to give them your id, password and credit card information. They lure you to the wrong site!
 

EagerDragon

macrumors 68020
Jun 27, 2006
2,098
0
MA, USA
Aww boo, was the firewall on it, as it's not on by default?

This attack is browser based and at the level of the application (browser), as such it makes no difference as long as the user can communicate using his browser to web sites in the Internet. So if port 80 or 443 is open, and they are lured to the proper malicious site, they would get injected and become a zombie at the ready for anything the hacker wants.

Most hackers today go after weaknesses in the applications for many reasons including that the proper holes in the firewall are already open.
 

Dokter_Mac

macrumors regular
Mar 9, 2005
133
0
I have a question for the smart people here ;)

What if you use FileVault to secure your files? (With a really strong password)
What if you use protected virtual memory and other stuff that you can use with OS X?
Does it make your account more safely for remote attacks?

My 2 cents on the story:
I think they made it the hackers extremely easy. If this "contest" would be on a PC, the PC would be hacked in minutes :)
And yes, this could be a serious exploit. But I think this got nothing to do with Safari or OS X. We live in world with Internet. Closing all those so called "holes" on a computer that could make it possible for a hacker to get in your machine is not realistic. This counts for Windows, OS X, Linux, etc.
Only Windows is really easy to hack. The rest, and this got nothing to do with the market share, are just more secure and harder to hack.

Regards

PS:Sorry for my poor English :rolleyes:
 

inkswamp

macrumors 68030
Jan 26, 2003
2,953
1,279
This is such an eye-opening thing. I mean, think about the implications in the real world. I didn't realize my bank was so insecure... if they stopped locking their doors at night. And I didn't realize it would be so easy for someone to steal my car... if I left the keys in the ignition. Oh, and OS X can be hacked... if you sufficiently lower the bar.

What a shocking turn of events. OS X is a security nightmare!!! Newspapers all over America are stopping the presses even as we speak.

:rolleyes:
 

Dokter_Mac

macrumors regular
Mar 9, 2005
133
0
Less fish in the ocean means less caught fish.

I don't agree with the "less fish" or "market share" theory.

On a Mac (or Linux) you put the same information (music, files, videos, mails, etc.) like on a PC running Windows. (maybe even more important)
So the "fish" is for all computers the same!

On Macs, and that's my experience, you put more confidential files than on a PC running Windows.
Because it's just safer and common sense. Don't put your confidential information on a Windows PC which is connected to the Internet! That is just stupid :D

Regards
 

stainlessliquid

macrumors 68000
Sep 22, 2006
1,622
0
A vast majority of pc hacks are done through malicious websites, why is it such a big deal that they had to "lower" the difficulty to use a website? If anyone ever gets hacked it is highly likely it will be from a website, windows or mac.
 

Cult Follower

macrumors 6502a
Feb 20, 2007
541
0
North Dakota
This is waay overblown, this happens to windows every single day and you don't get a headline, I think people just want to hate OSX because they are jealous.:)
 

EagerDragon

macrumors 68020
Jun 27, 2006
2,098
0
MA, USA
I have a question for the smart people here ;)

What if you use FileVault to secure your files? (With a really strong password)
What if you use protected virtual memory and other stuff that you can use with OS X?
Does it make your account more safely for remote attacks?

My 2 cents on the story:
I think they made it the hackers extremely easy. If this "contest" would be on a PC, the PC would be hacked in minutes :)
And yes, this could be a serious exploit. But I think this got nothing to do with Safari or OS X. We live in world with Internet. Closing all those so called "holes" on a computer that could make it possible for a hacker to get in your machine is not realistic. This counts for Windows, OS X, Linux, etc.
Only Windows is really easy to hack. The rest, and this got nothing to do with the market share, are just more secure and harder to hack.

Regards

PS:Sorry for my poor English :rolleyes:

Your system would be more secured. However ... if you are logged into the system, you are less secured as you probably unlocked the vault and stuff. If they can take over your process and the vault is unlocked then the vault is theirs.

The setting for virtual memory would wipe your memory when you logout and the vault would close when you logout. Making your data a lot more secured.

As to your 2 cents, I mainly agree with you. Browsers by design are a security risk. If you turn off things like java, javascript, cookies and others, the browser is not very useful since most good sites like your bank and others expect those settings to be somewhat relaxed in order to give you a "good user experience".

A lot of the protocols and Internet utilities were shoe-in on top of protocols that were not designed to be secured. They were designed at a time when we were a little more naive. Now we are working hard to close the door but the door can not be fully closed.

Browsers, email servers, email browsers, DNS, and others have been designed to do jobs that sometimes are not secured by their own nature. Even the way certificates that protect the customers are not used correctly. Many users' browsers have weak security settings and you can not easily tell if you are at your bank or a hacker site when you are entering data.

I am glad that the main targets are windows machines and not Macs. While Macs are a heck of a lot more secured there is no perfection.

We should be glad that the weakness was found by a responsible party (WhiteHat) and not a BlackHat. This makes OSX stronger and in a way we should be glad.
 

localoid

macrumors 68020
Feb 20, 2007
2,447
1,739
America's Third World
... Browsers by design are a security risk. If you turn off things like java, javascript, cookies and others, the browser is not very useful since most good sites like your bank and others expect those settings to be somewhat relaxed in order to give you a "good user experience".
...

True, but one of Safari's "features" has been the automatic execution of downloaded files, something Firefox and other OS X browsers don't do. This "feature" has seen several proof-of-concept exploits in recent months, so this prize-winning exploit shouldn't really come as a total surprise...
 

EagerDragon

macrumors 68020
Jun 27, 2006
2,098
0
MA, USA
This is waay overblown, this happens to windows every single day and you don't get a headline, I think people just want to hate OSX because they are jealous.:)

Correct, this happens to windows and IE almost on a weekly basis.

It is because it is rare for an OSX or Safari vulnerability that it makes news.

A lot of researchers are biased against one platform or another (me windows), so they look harder at those. But most researchers will look hard at systems they know well, because their knowledge is more extensive in that platform, making them more likely to uncover a fault and as such be successful.

Linux vulnerabilities are easy to find if you look at the source code and think about the repercussions or side effects of how the code was written.

Windows issues are easy for a different reason .... lots of old code, lots of half baked functionality for flash (user experience), and lots of security by obscurity. Also it is a bigger market so lots more machines to hack so well worth it for BlackHats to work hard at it.

Yes, this is not at all rare in windows, and rare in OSX so the headlines are bigger.

I love my Mac
 

SMM

macrumors 65816
Sep 22, 2006
1,334
0
Tiger Mountain - WA State
Look, I (cover your ears, kiddies) swear I'm not usually a conspiracy nut, but I am almost certain the virus protection software companies directly or indirectly fund much of the virus development work. Like they say, follow the money...

Think about it. Obviously, they have the most to gain. The money you could make on selling time on legions of zombie computers is peanuts compared to what those corporations are pulling in.

And why has the Mac been so free from infection? If viruses were written by hackers looking to make themselves feel important or win bragging rights, they would have been all over the Mac for years. There would be at least some wild viruses, roughly in proportion to Mac market share. But they haven't been.

A company, though, would do a careful market analysis and determine that they want their 100K/yr security researcher working on stuff that will impact 97% of consumers rather than the other 3%. Let's keep those people scared so they keep their subscription up to date!
Mac market has been growing though... 6% looks better than 3%. I think the companies will feel it's worth the effort at around 10%.

Now Windows has "tens of thousands" of viruses, but there are a much smaller number of "root" viruses. An exploit, with code, will be posted somewhere and then "script kiddies" will copy it or combine it with another virus, etc. and try to distribute it. But where did the original posts come from in the first place? From a trained, working professional, perhaps?

And why do security researchers spend so much time hacking things rather than fixing them?

I agree with you 100%. I am usually not one to promote new laws, or more government intervention. However, I definitely believe that any company, or individual, who provides help to those engaged in any form of technology attacks, should be guilty of felonious facilitation. That includes officers of the company. I am not suggesting fines. I am talking prolonged relationships with Bubba.
 

localoid

macrumors 68020
Feb 20, 2007
2,447
1,739
America's Third World
Correct, this happens to windows and IE almost on a weekly basis.

It is because it is rare for an OSX or Safari vulnerability that it makes news.

...

This most recent exploit is most likely a Safari specific exploit...

Try this safe demo page with Safari, and then with Firefox. If you're patched with the latest updates, Safari will not automatically execute the download -- however, if you tell Safari to open the downloaded and "unzipped" file, the file will be executed, and Calculator should pop up on your screen. On the other hand -- try this test in latest ver. of Firefox, and when you try to open up the file Calculator will not be opened.
 

displaced

macrumors 65816
Jun 23, 2003
1,455
246
Gravesend, United Kingdom
I agree with you 100%. I am usually not one to promote new laws, or more government intervention. However, I definitely believe that any company, or individual, who provides help to those engaged in any form of technology attacks, should be guilty of felonious facilitation. That includes officers of the company. I am not suggesting fines. I am talking prolonged relationships with Bubba.

I'd disagree (if you mean what I think you mean), depending on your definition of an attack.

The attack on the Macs at the conference is about the best way possible to have the exploit revealed. The alternative is for people to start noticing their Macs are behaving oddly after browsing the web for a while, then later the news breaks that x number of Macs are already part of a bot-net.

Software should always be challenged. It's the only way it gets better. All companies should have good procedures in place to receive exploit and bug reports from the general public and security researchers alike. They should be commissioning third-party audits on security-critical code at regular intervals. Patches and additions to security-critical code should be beaten to a thorough pulp in testing before it becomes part of the shipping application. In my opinion, Safari/Webkit has done very well so far with this only happening now. But it's now been shown that Apple's coders do make mistakes and exploitable mistakes at that.

Of course, some security researchers need to stop being such asses. Note that the two in this hack are doing the right thing. The guy who identified the weakness and exploited it could have run off screaming to the hills, or worse, surreptitiously leaked the knowledge into shadier parts of the net. However, details of the exploit have gone straight to Apple, where hopefully some realisations are taking place.

If the exploit is, as is thought, located in the code for JavaScriptCore or another area of Webkit, the Webkit team and their contributors are looking at it now. Importantly, anyone with any interest in the code can look at it too and comment on suggested patches. It's how open source works.

Interestingly, in the README file for the JavaScriptCore code (read it here), it is noted:

JavaScriptCore is a framework for Mac OS X that takes the cross-platform KJS library (part of the KDE project), combines it with the PCRE regular expression library and David M. Gay's floating point conversion functions, and makes it work with Mac OS X technologies.

This version of JavaScriptCore is based on the KJS library from KDE 3.0.2. The few changes that are specific to JavaScriptCore are marked with #if APPLE_CHANGES. Other changes to improve performance and web page compatibility are intended for integration into future versions of the KJS library.

So this code isn't all Apple-originated. I wonder if the exploit would in fact operate on browsers (such as Konqueror) which use KHTML and KJS. I'd strongly imagine not, but it's a thought. Now, is it a bug in the KJS-borrowed code, or in the work Apple did to bridge KJS to Mac OS X tech? Had this exploit already been fixed in KDE's current KJS and the change not backported to Apple's Webkit KJS? All very interesting stuff!

edit: looks like I'm behind the times... the latest update here implicates Java, not JavaScript. So it looks like perhaps Apple's Java Plugin is the weak-spot (?)
 

EagerDragon

macrumors 68020
Jun 27, 2006
2,098
0
MA, USA
This most recent exploit is most likely a Safari specific exploit...

Try this safe demo page with Safari, and then with Firefox. If you're patched with the latest updates, Safari will not automatically execute the download -- however, if you tell Safari to open the downloaded and "unzipped" file, the file will be executed, and Calculator should pop up on your screen. On the other hand -- try this test in latest ver. of Firefox, and when you try to open up the file Calculator will not be opened.

I do agree it is likely a Safari vulnerability.

The link you provide is to a vulnerability that requires a user to click on a link, therefore it is a little different from this current attack. In the current attack all the user has to do is visit the malicious page, but I get your point.

FYI - Instruction to the vulnerability pointed out by secunia (notice you need to click on the link to start the download):

"Introduction

Michael Lehn has discovered a vulnerability in Mac OS X, which can be exploited by malicious people to compromise a user's system.

Please use the test below, to see an example of how this vulnerability can be exploited, and also to determine whether or not your browser is vulnerable.




Test Case / Demonstration

Clicking the link below will start the test. The test will try to execute the "Calculator" application (default application on Mac OS X)."
 

EagerDragon

macrumors 68020
Jun 27, 2006
2,098
0
MA, USA
The attack on the Macs at the conference is about the best way possible to have the exploit revealed.
edit: looks like I'm behind the times... the latest update here implicates Java, not JavaScript. So it looks like perhaps Apple's Java Plugin is the weak-spot (?)

Sounds like some of this is what we call a feature .... It was designed to work this way and not a bug.

According to Matasano's latest, it seems that Firefox has the same issue, so this is probably a feature. They are recommending to turn off java, which is not practical in all cases as it would stop some sites from working.

I so wish I had more data, including the code used in the attack.

If you get anything please post.
 