MacBook Hacked In Contest Via Zero-Day Hole in Safari
EMB Numbers writes "Shane Macaulay just won a MacBook as a prize for successfully hacking OS X at CanSecWest conference in Vancouver, BC. The hack was based on a Safari vulnerability found by Dai Zovi and written in about 9 hours. CanSecWest organizers actually had to relax the contest rules to make the hack possible, because initially nobody at the event could breach the computers under the original restrictions. 'Dai Zovi plans to apply for a $10,000 bug bounty TippingPoint announced on Thursday if a previously unknown Apple bug was used. "Shane can have the laptop, I want the money," Dai Zovi said in a telephone interview from New York. TippingPoint runs the Zero Day Initiative bug bounty program.'"
that's it! I'm switching back to Windows!
Shop as usual. And avoid panic buying.
I don't get it. Hack the OS, and win the Macbook you just pwned? Is that really a prize?
The machine couldn't be hacked, so they relaxed the rules so it could be? I wish they'd been more explicit as to what 'relaxing the rules' meant. But maybe that would've spoiled the story.
I am a believer of momentum and curves.
Safari's rendering engine is based on KHTML. So is Konqueror affected by this flaw as well?
I'm using discussion2 and my floating bar and the expand comment links aren't working. Anyone else see this?
Also getting 503s for my personal page. Huh.
man, I feel like mold.
Yes, I got the 503 "Service Not Available" error on the personal page (~/Username) also. Maybe they're doing work on the database or something, and don't want the extra load...? When I saw that, I was actually a little surprised that comments were working at all.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
> I wish they'd been more explicit as to what 'relaxing the rules' meant. But maybe that would've spoiled the story.
They allowed user activity, aka he browsed to a site he created for the purpose. It seems this is not a full auto worm type exploit of the kind common in the Windoze world. See here. It's hard to say if the problem was javascript or something like Flash called by it.
All the M$ tools are going to be underlining their popularity arguments and slinging mud at all the more secure OS. Even the Register indulged in a little of that kind of flamage.
Friends don't help friends install M$ junk.
Was the MacBook actually running any services that were listening on the network? If so, what were they? It's easy to claim security when all your ports are closed up, but it also means you're useless, like a computer in a box.
If you mod me down, I will become more powerful than you can imagine....
The MacBook was actually only hacked because they lessened the rules and actually had someone open Safari and use a malicious website. No ports were closed nor was the firewall running.
I'm a Mac user and as such I'm not claiming invincibility. Although the "Unix"-like foundation makes me more secure, it's still the end user's responsibility not to run as admin or, God forbid, root. Not to mention that using a good firewall, or correctly configuring the one that's already built in, is vital, as is just practicing caution on the web. That aside, I just don't think this is entirely honest; I wish they would disclose all the variables involved, including all settings used. But as others here have said, considering Apple's foresight in using open source, between Apple and the Konqueror devs this will be quickly addressed. But my gut feeling here is that something stinks in Denmark!
Die First, Then Quit
I wish they would say if the user that Safari was running under was admin or regular. If it was admin then this is even less of a hack than it already is. Also I wonder if they disabled the Safari feature to automatically "open safe files after downloading". That option puts a lot of trust in other programs not to have holes. Indeed, it's not really safe at all. Only stupid people, or people that don't do stupid things, leave it on.
Bottom line no remote hacks.
Some drink at the fountain of knowledge. Others just gargle.
So they couldn't get in directly and had to use a hole in an Application. Just remind me how many holes have IE and Firefox had in the past?
OS-X is essentially BSD with a second layer on top, being the frameworks from NeXT and Apple and the applications. If they find vulnerabilities in the lowest layer of code then Linux is in trouble too, because there's an awful lot of shared code there. Anyone remember the ssh hole which allowed you to root a box? So the issue would be in the Apple-provided layers.
As anyone who has designed, or worked at a high level on, a complete system knows, you can design as much as you like and use defensive coding as much as you can, but there will always be edge cases, and unfortunately the only way to find them is when something breaks or is broken. Then what you must do is fix them ASAP, and not do what a certain OS company does, which is first deny they exist, then admit they exist and say it will be patched, and then finally release a patch some months later. Having said that, they have been a bit better lately.
I get annoyed at people saying how secure OS-X is, or Linux, or whatever. There is no one true OS. All this macho "my OS is better than your OS" pisses me off. People use different OSs because of the applications they want to use and their working style.
I have several requirements for my personal laptop (compared to my office one). It must be small and lightweight, easy to use, manage my arty hobbies (films, photography, music and other media), but also allow me to do my consultancy work if needed, which is mainly *NIX development (C, C++ and Java) and writing reports, feasibility studies and the like. I don't play games that much and I have consoles for that (although since I now travel a lot a DS may appear in my purse in the near future). So I have a Mac. It does all that I need.
I could use my work's Dell, but having to occasionally reboot from Linux into XP and back again would annoy the hell out of me. Also it's huge.
It says a lot about you and about Slashdot that you can hop on an article about someone hacking OS X, do your "M$ Windoze" routine and then get modded up for it. Seriously though, I'm sure that once Taco figures out his MySQL problems he'll have a tasty Microsoft FUD story for you to comment on. I suggest you wait for that?
It appears on the Cansec website that the contest was for shell access on a regular users account.
2007-04-20-14:54:00.First_Mac_Hacked_Cancel_Or_Al
Just to review the rules, the first box required a flaw that allows the attacker to get a shell with user level privileges. The second box, still up for grabs, requires the same, plus the attacker needs to get root.
http://cansecwest.com/
Normally we make fun of Slashdot editors for not being able to spell simple English terms familiar to a mass audience correctly. They lose their audience when they do that. Usually they can get their terms of art correct. Not this time.
Guys, it's spelled "0day", and it has been since before you l33ch3d Karateka on a catfur. Do have some sense of perspective.
I mean - I can only assume this was a 'white hat' hackers conference, given there was actual publicity given and a public bounty and such. But then things like these pop up?
Makes me think.. black hat, white hat.. what's the difference these days? I thought a white hat hacker was the 'good guy' (albeit still a hacker).. the kind of person who hacks for fun / curiosity.. the kind of person who notifies the developer of the bug or, at least, just makes the bug known to the world at no charge. Not the kind of person who hacks, then scours the 'security conferences' for a bounty, and when that bounty is lower than what they could get off of actual 'bad guys', complain that the bounty is too low. To me, that just sounds like the person is a black hat, but dons a white hat on top in an attempt to fool us into thinking they're white hat.
Pretty sure BSD is Unix, not Linux. Funny it's called OSX, it ought to be called OSomeone else made this shit.
How I miss the Apple-Cat.
And he's right. It's 0day.
And by the way, a "crack" is a copy protection defeat. A "cracker" is someone who removes the copy protection. It is not, no matter how much you want it to be, the same thing as a "hacker".
As a longtime Mac user and a fan of Apple products in general, I'd like to congratulate the winner of this contest. Too many Mac users now seem lost in willful ignorance of the fact that tasteful, thoughtful design alone doesn't render a system bulletproof. Thus, I applaud any honest efforts to increase the public awareness that yes, shit-happening potential exists, even on a Mac.
(I said honest efforts. That guy who claimed the AirPort hack is still a raging tool.)
Another point to emphasize—and which, curiously, seems always to be overlooked on Slashdot—is that an uninvited guest doesn't need root to ruin your day. As long as he or she can rm -rf ~, or better yet, yank all your most intimate personal documents and send them flying across the internets, root's just gravy. So let's not pretend this Safari vuln is harmless.
Really though, how on earth are you supposed to guard against attack through vectors not yet publicly known, without either (a) suffering a crippled functionality, or (b) being badgered into clicking "Continue" out of habit? The best approach I've seen is the one adopted by Google's anti-phishing plugin (and for those of us who can't stand Firefox, Leopard can't come soon enough). It's intuitive, unobtrusive, and cuts straight to the heart of the problem: making sure you're visiting the wholesome, trustworthy site you think you're visiting.
But even with the Google phish alarm installed, if you make one little mistake—if you step out of line for just a second—you could be hosed. Or what if someone figures out how to inject an attack on a "safe" bulletin board? You're hosed. Hell, maybe someday Google blows it like a Taco Bell restaurant inspector. Hosed.
So can it even be done, this cake thing, with the eating? Or is our best hope to just pray to Jobs the Mac never becomes mainstream enough to attract attention from the big-league black hats?
Make Slashdot readable! See journal.
Wait, wait, wait, wait. Where does one go to sell operating system exploits? And how hard would they be to shut down?
We may be onto something here: there may be a social solution to a technological problem.
You cannot truly appreciate Dilbert until you read it in the original Klingon.
What? Who gives a shit about Windows? Any vulnerability is bad news; don't trivialize it with your "oh but M$Windoze!1!!" because, in all honesty, whatever flaws exist in Windows have zero relevance to me as a Mac user.
I think another very simple factor to take into consideration is that there aren't hundreds of thousands of Romanians who are out there trying to hack OS X.. they're targeting Windows.. if people actually gave a shit about hacking a Mac, then there'd probably be a lot more vulnerabilities.. just because there's hardly any hacks, doesn't mean OS X is unhackable.. it just means people don't care..
*plays the Apogee theme song music*
> I get anoyed at people saying how secure OS-X is or Linux or what ever.
Why do you get annoyed? Does it make you feel inferior or something?
Here's a quick lesson: learn to ignore it and get on with your life. If you don't have the time to figure out Linux, or you don't have the money to spend on a Mac, no-one will begrudge you that. Just be proud of what you have and don't let anyone get you down. Seriously, it's not worth getting annoyed over.
I'll probably be modded down for this...
This is why your browser ideally shouldn't be able to read your entire home directory. People talk about running as admin or not, but your most sensitive data is your personal files that you have read access to as your limited user. Running as admin or root is bad mainly because it can open security holes which can cause further mischief, but if your most personal information, and your most important files, are right there for your browser to read, it won't matter if the exploit hits the kernel or simply your browser. The way I have it set up, my browser runs as a separate user which connects as an untrusted X client. Files that I don't care about are in a directory with the group set so that the browser can read them, while personal documents, e-mail, etc. are readable by my user only.
Now, in practice I am not very secure. I still trust Google with my e-mail, I allow sites to set cookies, etc. I set this up mainly as a proof of principle thing. There isn't any good reason why your browser, which is arguably the most exposed part of your system, should be able to fuck up your entire home directory and send your most private data somewhere it doesn't belong.
In my experience, managers of large organizations do not take Zero Day risks seriously, and often don't really understand them. The risks appear to be quite real, and growing, however. Has this Safari defect been independently discovered by one or more black-hats? How long ago?
The security industry should start tracking the ship date of the vulnerable software, so that organizations can get a better understanding of their exposure. The risk period wasn't just one day, the "Zero Day" but rather could be as long as "every day since the shipment (or installation) of the version of the product with the defect."
For every defect it might be interesting to have a small chart showing the versions of the products, the dates they shipped, the date the vulnerability was discovered by the vendor or security industry, the date it was patched, and whether or not there are indications or confirmation that the defect was exploited by or known to the underground prior to the Zero Day. The chart could be color coded.
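The exposure chart proposed above, worked through as an added example (not from the comment's author): for each shipped version, the vulnerable window runs from ship date to patch date (or to the as-of date while unpatched) and is split at the disclosure date. Every version, date and flag below is constructed.

```python
"""Per-version exposure windows for a single defect, split at disclosure."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Version:
    name: str
    shipped: date
    patched: Optional[date]  # None while no fix has shipped for this version


@dataclass
class Defect:
    name: str
    versions: List[Version]
    disclosed: date  # the "zero day": when the vendor / security industry learned of it
    exploited_before_disclosure: Optional[bool]  # None = no indication either way


def exposure_days(v: Version, disclosed: date, as_of: date) -> dict:
    """Days the version was exposed, and how many of them fell before disclosure."""
    end = v.patched or as_of
    total = (end - v.shipped).days
    # Quiet period: shipped but nobody on the defensive side knew about the bug.
    pre = max(0, (min(end, disclosed) - v.shipped).days)
    return {"version": v.name, "total": total, "pre_disclosure": pre,
            "post_disclosure": total - pre, "unpatched": v.patched is None}


def chart(d: Defect, as_of: date, width: int = 40) -> List[str]:
    """Text chart: '.' = days before disclosure, '#' = days after, per version."""
    rows = [exposure_days(v, d.disclosed, as_of) for v in d.versions]
    longest = max(r["total"] for r in rows) or 1
    lines = [f"{d.name}: disclosed {d.disclosed}, as of {as_of}, "
             f"exploited earlier: {d.exploited_before_disclosure}"]
    for r in rows:
        pre = r["pre_disclosure"] * width // longest
        post = r["post_disclosure"] * width // longest
        bar = "." * pre + "#" * post
        tag = " (still unpatched)" if r["unpatched"] else ""
        lines.append(f"{r['version']:<8}|{bar:<{width}}| {r['total']:4d}d{tag}")
    return lines


# Constructed sample data, not any real product's release history.
AS_OF = date(2007, 6, 1)
DEMO = Defect("constructed browser bug",
              [Version("1.0", date(2006, 1, 10), date(2007, 5, 1)),
               Version("1.1", date(2006, 9, 1), None)],
              date(2007, 4, 20), None)


def demo_rows() -> List[dict]:
    return [exposure_days(v, DEMO.disclosed, AS_OF) for v in DEMO.versions]


if __name__ == "__main__":
    print("\n".join(chart(DEMO, AS_OF)))
```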
If you mod me down, I shall become more powerful than you could possibly imagine.
Safari lets you include local files, for example...
I told Apple (and got a lame reply that it would be fixed eventually) a month ago, yet it still works.
see http://destabili.zation.eu/ for a quick harmless example that can check what applications you got installed.
And then there is a way to crash Safari which has existed for more than a year - again I had an email conversation where they wanted more info and crash reports - yet nothing was ever done about it.
http://lixlpixel.org/safaricrash/ and follow the instructions - but make sure you don't have any important tabs open...
How was the machine configured relative to an off-the-shelf OSX installation?
While I understand that for the purposes of the contest it might have been necessary to reduce those protections, I think that before something becomes "news" we should know what the real risk is.
Does this hack require the user to manually disable protections the OS ships with, or manually enable services that default to off? The article seems light on detail.
What are you talking about? There really shouldn't be any code overlap between Linux and OSX in terms of the operating system itself. Linux is a complete rewrite of Minix and isn't derived from any of the pre-OSX Mach kernels. In fact I don't think OSX could legally incorporate any Linux code, as it would violate the GPL license.
The only time you see exploits common to both OSes is in userland applications that are common to both OSes (like openSSH).
In other words, nobody was able to remotely hack the machine, so they allowed for local exploits, which someone used in a Safari URL.
Expect Apple-haters and other FUDmeisters to completely ignore the difference, like InfoWorld did yesterday in their breathless headline about "remotely breaking in."
"Sufferin' succotash."
It is a fallacy, because it would mean that OSX was developed by the same people who developed Windows, used the same management team, and made all the same decisions. None of which is true.
They're different, so you can't compare them like that.
Also, it is very obvious that if someone did find an exploit, they would be on the front page of every geek site on the web. So anyone doing it for ego would spend all their time trying to break OSX in some meaningful way, which this wasn't.
The Dunning-Kruger explains most posts on
> What? Who gives a shit about Windows?
Apparently, the world. Look, you're a Mac user like me but obviously you're much farther up your own bum than I am -- the world operates on a very leaky, dangerous, hackable OS. That's a problem whether YOU PERSONALLY use Windows or not.
The point of the original post was that the Mac STILL doesn't have a real-world exploit worth worrying about. STILL. AFTER SEVEN YEARS. They had to CHEAT to INVENT this one!
Hospitals, the government, planes in the sky, our national defenses -- they are running on a very leaky, dangerous, hackable OS in many cases. Let's take this talent and use it to FIX THAT PROBLEM instead of inventing mountains out of flea armpits by trying to find the First Actual Mac Exploit (which, like Bigfoot, still eludes us).
Or is bragging rights all this is about, rather than "security"?
Conscience is that little voice that says that someone may be watching. (I think that was Robert A Heinlein.)
Crap. What did the new CSS do with the "Post anonymously" option??
This is such an eye-opening thing. I mean, think about the implications in the real world. I didn't realize my bank was so insecure... if they stopped locking their doors at night. And I didn't realize it would be so easy for someone to steal my car... if I left the keys in the ignition. Oh, and OS X can be hacked... if you sufficiently lower the bar and have Microsoft sponsor a "contest" that rewards you 10K...
There's no reason to reduce the default permissions to open up all kinds of potential for security holes in Safari, thanks to Apple's poor choice of defaults.
To increase the security of Safari significantly:
* Turn off 'Open "safe" files after downloading'.
This option shouldn't even be there. If Apple wants to make it easier for the user, Safari should provide a download manager that makes it convenient for the user to request that files be opened with safe applications.
* Change the FTP: URI handler in Launchservices to something other than Finder.
Bringing an entire hierarchy of untrusted objects into the file system by using Finder to open them is unacceptable.
* Change the handler for archives from BOMArchiver to something that doesn't support Apple's "Internet Enabled" archives and HFS extensions.
There's just too many opportunities for exploits there.
In addition, Apple should do a couple more things, changing the approach from "some files are safe" to "some applications are safe to use on unsafe files".
* Separate the list of safe applications (the ones that handle URIs and files that are untrusted) from the one that is used by local applications.
The choice of which list of LaunchServices to use would be made by the application calling LaunchServices, and would default to whichever list the application itself was launched from. An application could override this for (for example) a web browser (that would call the 'safe applications' list for objects loaded by web pages), or for an application to pull up its own help pages.
* Stop treating installers as "safe" applications.
A web page should never be able to request the installation of a widget, plugin, or application... whether or not that object will subsequently be automatically run, or whether the user is presented with a dialog. Safe applications must be limited to those where there is no mechanism for the object to execute code or request the installation of code that might be subsequently executed by the user.
These changes would dramatically increase the inherent security of Safari (and Firefox, Internet Explorer, and many other major browsers that have similar design flaws), AND allow the browser to provide the user with a better experience, with fewer annoying popups and more ability to control their environment and be confident that they're not making bad decisions.
This shouldn't be rocket science. Any time a web page can cause an application to run, the security of the browser is reduced to a lower level than that of either the browser or that application... since any security flaws in the application OR in the browser are available for attack. Applications run from a browser MUST be as simple as possible, they MUST be designed with security as a primary concern, and they MUST be as few as possible. Applications run from the desktop (or via LaunchServices, or equivalent mechanisms in Windows) are normally designed to provide as rich an experience as possible; most of them are not safe...
I don't know if this exploit used any of these kinds of attacks, but the assumption that the default settings for Safari are "safe" is simply not a good one.
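An added example (not the commenter's code) that checks two of the hardening points above against preference plists: whether 'Open "safe" files after downloading' is still on, and whether ftp: URLs are still handed to Finder. Both plists below are constructed; AutoOpenSafeDownloads is Safari's real key for that checkbox, while the LSHandlers / LSHandlerURLScheme / LSHandlerRoleAll layout is assumed from the LaunchServices preferences format.

```python
"""Audit Safari and LaunchServices preferences against the hardening list."""
import plistlib

# Constructed stand-in for ~/Library/Preferences/com.apple.Safari.plist
SAFARI_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>AutoOpenSafeDownloads</key><true/>
</dict></plist>"""

# Constructed stand-in for the LaunchServices handler list (layout assumed).
LS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>LSHandlers</key>
  <array>
    <dict>
      <key>LSHandlerURLScheme</key><string>ftp</string>
      <key>LSHandlerRoleAll</key><string>com.apple.finder</string>
    </dict>
    <dict>
      <key>LSHandlerURLScheme</key><string>http</string>
      <key>LSHandlerRoleAll</key><string>com.apple.Safari</string>
    </dict>
  </array>
</dict></plist>"""

FINDER = "com.apple.finder"


def url_handler(ls_prefs: dict, scheme: str):
    """Bundle id registered for a URL scheme, or None when nothing is registered."""
    for entry in ls_prefs.get("LSHandlers", []):
        if entry.get("LSHandlerURLScheme", "").lower() == scheme.lower():
            return entry.get("LSHandlerRoleAll") or entry.get("LSHandlerRoleViewer")
    return None


def audit(safari_bytes: bytes, ls_bytes: bytes) -> list:
    """Return a list of findings; an empty list means both checks pass."""
    safari = plistlib.loads(safari_bytes)
    ls = plistlib.loads(ls_bytes)
    findings = []
    # A missing key means Safari's shipped default, which the comment says is on.
    if safari.get("AutoOpenSafeDownloads", True):
        findings.append("AutoOpenSafeDownloads is on: downloads are launched "
                        "automatically; set it to false")
    ftp = url_handler(ls, "ftp")
    if ftp is None or ftp == FINDER:
        findings.append(f"ftp: URLs go to {ftp or 'the default (Finder)'}; "
                        "register a non-Finder handler")
    return findings


# The same plists with the two settings corrected, for comparison.
HARDENED_SAFARI = SAFARI_PLIST.replace(b"<true/>", b"<false/>")
HARDENED_LS = LS_PLIST.replace(b"com.apple.finder", b"org.example.ftpclient")

if __name__ == "__main__":
    for finding in audit(SAFARI_PLIST, LS_PLIST):
        print("FAIL:", finding)
    print("hardened findings:", audit(HARDENED_SAFARI, HARDENED_LS))
```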
If you read the announcement, there's an update confirming Firefox on Mac OS X is also at risk because the problem is with the JVM and not Safari or Webkit.
I'm not exactly sure what the default settings are like, because honestly it's been years since I've used a Mac that was in its out-of-the-box, default state, but the way I have it right now, the only warning I get is when I'm about to open an application that's never been run before.
This, IMO, is a Good Thing. It's only a half a second delay when I really do want it to launch a new application, and it's a nice heads-up that the computer is doing something that I've never done with it before. More than once I've hit "Cancel" and decided to take a second look at exactly what's going on, which in my mind means that the dialog is useful.
If a dialog pops up, and you never, ever click anything but 'yes,' then it's a stupid warning, and you're right to say that it's just ass-covering on the part of the OS manufacturer. However, if you find yourself using both options, then it's probably a good thing to have it there.
> Funny it's called OSX, it ought to be called OSomeone else made this shit.
Well, I always assumed that part of the reason for calling it "OS X" (instead of MacOS 10) was because the 'X' references the 'X' in NeXT, who did a lot of the work on what we now call Darwin. So they were the "someone."
which you shine on a thing to decide whether it is right or wrong. After you decide one way or another, then you have to decide whether you care that someone might be watching.
Whatever Heinlein might have said at various times, that voice that says someone might be watching can derive from a number of sources, many of them anything but beneficent. That voice that says fear the watcher is pretty often working at odds with conscience (and freedom), the opinions of some of Heinlein's characters notwithstanding.
s/Windows/Internet Explorer/ - let's see more people switching to Firefox
Follow me