MacBook Hacked In Contest Via Zero-Day Hole in Safari
EMB Numbers writes "Shane Macaulay just won a MacBook as a prize for successfully hacking OS X at CanSecWest conference in Vancouver, BC. The hack was based on a Safari vulnerability found by Dai Zovi and written in about 9 hours. CanSecWest organizers actually had to relax the contest rules to make the hack possible, because initially nobody at the event could breach the computers under the original restrictions. 'Dai Zovi plans to apply for a $10,000 bug bounty TippingPoint announced on Thursday if a previously unknown Apple bug was used. "Shane can have the laptop, I want the money," Dai Zovi said in a telephone interview from New York. TippingPoint runs the Zero Day Initiative bug bounty program.'"
The machine couldn't be hacked, so they relaxed the rules so it could be? I wish they'd been more explicit as to what 'relaxing the rules' meant. But maybe that would've spoiled the story.
I am a believer of momentum and curves.
It's pretty difficult to fix a bug for which no details are available. As of yet zero information has been released other than that a "JavaScript" flaw in Safari was used in the exploit. The Ubuntu flaw you reference was reported directly to Ubuntu with all the information necessary to fix it. We'll start our timing from when Apple is informed of the details, shall we?
You know, a MacBook isn't supposed to be a network server, but a client computer. It's a frigging LAPTOP. Which ports DO need to be listening on the network for a client computer to be 100% useful to the average user? Not that many...
As a longtime Mac user and a fan of Apple products in general, I'd like to congratulate the winner of this contest. Too many Mac users now seem lost in willful ignorance of the fact that tasteful, thoughtful design alone doesn't render a system bulletproof. Thus, I applaud any honest efforts to increase the public awareness that yes, shit-happening potential exists, even on a Mac.
(I said honest efforts. That guy who claimed the AirPort hack is still a raging tool.)
Another point to emphasize—and which, curiously, seems always to be overlooked on Slashdot—is that an uninvited guest doesn't need root to ruin your day. As long as he or she can rm -rf ~, or better yet, yank all your most intimate personal documents and send them flying across the internets, root's just gravy. So let's not pretend this Safari vuln is harmless.
Really though, how on earth are you supposed to guard against attack through vectors not yet publicly known, without either (a) suffering a crippled functionality, or (b) being badgered into clicking "Continue" out of habit? The best approach I've seen is the one adopted by Google's anti-phishing plugin (and for those of us who can't stand Firefox, Leopard can't come soon enough). It's intuitive, unobtrusive, and cuts straight to the heart of the problem: making sure you're visiting the wholesome, trustworthy site you think you're visiting.
But even with the Google phish alarm installed, if you make one little mistake—if you step out of line for just a second—you could be hosed. Or what if someone figures out how to inject an attack on a "safe" bulletin board? You're hosed. Hell, maybe someday Google blows it like a Taco Bell restaurant inspector. Hosed.
So can it even be done, this cake thing, with the eating? Or is our best hope to just pray to Jobs the Mac never becomes mainstream enough to attract attention from the big-league black hats?
Make Slashdot readable! See journal.
From one Mac user to (presumably) another, please get your head out of the sand. These "stupid people" to whom you refer you might otherwise know as "The Rest of Us." It doesn't matter how technically competent you are, we are all "stupid" every now and then—or do you only ever visit the same two or three well-known sites every day? Even if you do, how can you be sure they haven't been compromised by, say, some sort of injection attack? Or even by an unscrupulous advertiser in an iframe?
And why on earth does it make a difference whether the user account was admin or regular? If an intruder has access to your personal documents, you're just as fucked either way.
You don't need root to rm -rf ~.
Or to osascript -e 'tell application "Mail" to send contents of folder "~" to everyone in Address Book'.
Okay, maybe a black hat tendency, but there might be alternatives.
There are plenty of security companies out there legitimately trying to sell their software, plenty of people who would love to be the only ones who have a defense against some secret hack. If you want me to spend time finding a vulnerability and then writing an exploit, my time would not come cheap. I'm not even talented in that direction. Imagine that you're a security researcher who gets paid for your time investigating and resolving potential security breaches; what kind of payoff makes it worth investing your time in that gamble? It has to be a pretty penny, or else you're better served doing what you do for a living.
"Give me the money" is a legit response when you've invested your time and effort into something with that as your goal. If he'd said "I don't hack for fun or evil, I only did this for the contest and expect to be given what I was promised" then I don't think you'd have the same take. There is a good chance that is exactly what he meant too. You might be shocked to learn that a lot of us who are considered computer geeks are not the world's foremost verbal communicators.
I love my job, but I won't work here long after they stop paying me.
B) Eliminate all the stupid users. This is frowned upon by society.
In other words, nobody was able to remotely hack the machine, so they allowed for local exploits, which someone used in a Safari URL.
Expect Apple-haters and other FUDmeisters to completely ignore the difference, like InfoWorld did yesterday in their breathless headline about "remotely breaking in."
"Sufferin' succotash."
(1) FileVault won't help you here, since an intruder gaining Safari's privileges (e.g.) has access to everything Safari has access to, namely, your entire home directory. Besides, do you encrypt your entire home directory?
(2) You don't need root to launch an application (like a bot) or even install a keylogger (suid isn't set for KeyboardViewerServer, for example).
I'm not exactly sure what the default settings are like, because honestly it's been years since I've used a Mac that was in its out-of-the-box, default state, but the way I have it right now, the only warning I get is when I'm about to open an application that's never been run before.
This, IMO, is a Good Thing. It's only a half-second delay when I really do want it to launch a new application, and it's a nice heads-up that the computer is doing something that I've never done with it before. More than once I've hit "Cancel" and decided to take a second look at exactly what's going on, which in my mind means that the dialog is useful.
If a dialog pops up, and you never, ever click anything but 'yes,' then it's a stupid warning, and you're right to say that it's just ass-covering on the part of the OS manufacturer. However, if you find yourself using both options, then it's probably a good thing to have it there.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."