Slashdot Mirror


MacBook Hacked In Contest Via Zero-Day Hole in Safari

EMB Numbers writes "Shane Macaulay just won a MacBook as a prize for successfully hacking OS X at CanSecWest conference in Vancouver, BC. The hack was based on a Safari vulnerability found by Dai Zovi and written in about 9 hours. CanSecWest organizers actually had to relax the contest rules to make the hack possible, because initially nobody at the event could breach the computers under the original restrictions. 'Dai Zovi plans to apply for a $10,000 bug bounty TippingPoint announced on Thursday if a previously unknown Apple bug was used. "Shane can have the laptop, I want the money," Dai Zovi said in a telephone interview from New York. TippingPoint runs the Zero Day Initiative bug bounty program.'"

30 of 156 comments

  1. switcher by BorgCopyeditor · · Score: 5, Funny

    that's it! I'm switching back to Windows!

    --
    Shop as usual. And avoid panic buying.
    1. Re:switcher by Paradise+Pete · · Score: 2, Informative
      Let's see how quickly Apple responds to this hack.

      Well in the nightly Webkit builds the javascript engine has been overhauled, so chances are it's "already" fixed, in a sense. Up until now it's looked like Apple's been prepping that for a Leopard release, but maybe this will prompt them to move it up.

      By the way, those Webkit nightlies are really looking strong.

  2. So, if I read TFA correctly: by noewun · · Score: 4, Insightful

    The machine couldn't be hacked, so they relaxed the rules so it could be? I wish they'd been more explicit as to what 'relaxing the rules' meant. But maybe that would've spoiled the story.

    --
    I am a believer of momentum and curves.
    1. Re:So, if I read TFA correctly: by richdun · · Score: 4, Informative

      If I recall correctly, originally the requirement was remote access, but when that went nowhere, they allowed entrants to submit URLs that would be navigated to via Safari. Check out Engadget for more details...

    2. Re:So, if I read TFA correctly: by RalphBNumbers · · Score: 5, Informative

      As I understand it:

      The rules originally required getting a user shell on a MacBook connected to a wireless router without any other access, or getting a root shell under the same conditions on a second MacBook without using the same bug.
      The prize was the MacBook(s) you hacked.

      But they decided not enough people were interested, so 3Com added a $10,000 bounty for a winning bug.

      But no one could crack it, so they set the machine up to visit malicious web pages submitted by email.

      Then someone found a bug in Safari, and successfully crafted a webpage to exploit it to get user shell access.

      --
      "The worst tyrannies were the ones where a governance required its own logic on every embedded node." - Vernor Vinge
    3. Re:So, if I read TFA correctly: by Phil246 · · Score: 4, Informative
      The Register is a little more informative in that regard, from http://www.theregister.co.uk/2007/04/20/pwn-2-own_winner/

      The pwn-2-own contest got off to a slow start on Thursday. The rules originally mandated an exploit that required no action on the part of the user. The reward for a successful hack was the machine that had been compromised. Conference attendees were underwhelmed, reasoning a Mac exploit that required no end-user interaction could be sold for upwards of $20,000. Things changed significantly on Day 2. That's when Tipping Point upped the ante with its promise of a $10,000 bounty. Contest organizers also relaxed the rules so exploits could include malicious websites that attacked Safari.
    4. Re:So, if I read TFA correctly: by Divebus · · Score: 2, Funny

      Relaxed rules = they gave out the root password and let them sit at the keyboard for a while.

      --

      Most of the stuff on /. won't survive first contact with facts.
    5. Re:So, if I read TFA correctly: by biftek · · Score: 2, Informative

      The intent was always that the rules would be progressively relaxed - see http://www.securityfocus.com/archive/142/464216/30/0/threaded from last month.

  3. Konqueror by Anonymous Coward · · Score: 5, Interesting

    Safari's rendering engine is based on KHTML. So is Konqueror affected by this flaw as well?

    1. Re:Konqueror by Fooker · · Score: 2, Interesting

      That's a good question. There's a good chance it could be. Then again, with the speed that updates/patch's/fix's come out for Linux, if it does, it'll be fixed in a relatively short time.

    2. Re:Konqueror by Tickletaint · · Score: 2, Interesting
      Why say "Linux" rather than open source? KHTML has nothing to do with Linux. Anyway, from what I've been reading, it seems more likely related to a bug in JavaScriptCore, derived from KJS and which is also open source.

      By the way—

      updates/patch's/fix's
      Should be "update's," for consistency.
      --
      Make Slashdot readable! See journal.
    3. Re:Konqueror by TheRaven64 · · Score: 2, Informative
      WebKit was forked from KHTML and developed internally at Apple for about a year before Safari was released. Then the patches were all sent back in one big lump. During this time, the KHTML team cleaned up the code a lot, and had to go to a lot of effort to re-import all of the WebKit patches (some weren't needed, since the same functionality had been re-imported). This continued in the run-up to OS X 10.4, where large blobs of patches were released in one go, making it very hard for the KHTML team to keep up.

      Now, WebKit is developed in a public repository, and used by Nokia and others, as well as Apple. There has been some discussion of KDE abandoning KHTML and using WebKit for Konqueror, but this was met with mixed reactions. WebKit and KHTML are now very different systems, although they share a common heritage and often import each other's changes when possible.

      --
      I am TheRaven on Soylent News
  4. Read a better article than the one linked. by Anonymous Coward · · Score: 5, Informative

    The MacBook was actually only hacked because they lessened the rules and actually had someone open Safari and use a malicious website. No ports were closed nor was the firewall running.

  5. This seems a little sensationalized... by Rod76 · · Score: 4, Informative

    I'm a Mac user, and as such I'm not claiming invincibility; although the "Unix"-like foundation makes me more secure, it's still the end user's responsibility not to run as admin or, God forbid, root. Not to mention that using a good firewall, or correctly configuring the one that's already built in, is vital, as is just practicing caution on the web. That aside, I just don't think this is entirely honest; I wish they would disclose all the variables involved, including all settings used. But as others here have said, considering Apple's foresight in using open source, between Apple and the Konqueror devs this will be quickly addressed. But my gut feeling here is that something stinks in Denmark!

    --
    Die First, Then Quit
    1. Re:This seems a little sensationalized... by Tickletaint · · Score: 2, Insightful

      You don't need root to rm -rf ~.

      Or to osascript -e 'tell application "Mail" to send contents of folder "~" to everyone in Address Book'.

      --
      Make Slashdot readable! See journal.
  6. Admin user or regular user? by goombah99 · · Score: 4, Interesting

    I wish they would say if the user that Safari was running under was admin or regular. If it was admin, then this is even less of a hack than it already is. Also, I wonder if they disabled the Safari feature to automatically "open safe files after downloading". That option puts a lot of trust in other programs not to have holes; indeed, it's not really safe at all. Only stupid people, or people that don't do stupid things, leave it on.

    Bottom line: no remote hacks.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:Admin user or regular user? by Tickletaint · · Score: 5, Insightful

      From one Mac user to (presumably) another, please get your head out of the sand. These "stupid people" to whom you refer you might otherwise know as "The Rest of Us." It doesn't matter how technically competent you are, we are all "stupid" every now and then—or do you only ever visit the same two or three well-known sites every day? Even if you do, how can you be sure they haven't been compromised by, say, some sort of injection attack? Or even by an unscrupulous advertiser in an iframe?

      And why on earth does it make a difference whether the user account was admin or regular? If an intruder has access to your personal documents, you're just as fucked either way.

      --
      Make Slashdot readable! See journal.
    2. Re:Admin user or regular user? by Tickletaint · · Score: 3, Interesting
      Interesting that your sig:

      You are coming to a sad realization. Cancel or allow?
      skewers that very behavior of Safari you describe. Of course, if you have "open safe files after downloading" turned off, it's even more obnoxious—you have to find the file on your desktop and open it manually. Exactly the sort of repetitive task I thought my computer should be doing on my behalf.
      --
      Make Slashdot readable! See journal.
    3. Re:Admin user or regular user? by NickFitz · · Score: 2

      ...you have to find the file on your desktop and open it manually. Exactly the sort of repetitive task I thought my computer should be doing on my behalf.

      Or you could double-click on the file's icon in the Safari downloads window. If you really want to examine it in the Finder, then you can click on the magnifying glass icon to view it.

      Exactly the sort of task your computer does on your behalf :-)

      --
      Using HTML in email is like putting sound effects on your phone calls. Just say <strong>no</strong>.
    4. Re:Admin user or regular user? by geekoid · · Score: 3, Funny

      because you can encrypt your personal documents, and if many users are on it, only one of them gets hit.

      However, if someone has access to root, they can do a lot more malicious things. bots, keyloggers, etc...

      --
      The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    5. Re:Admin user or regular user? by Tickletaint · · Score: 3, Insightful

      (1) FileVault won't help you here, since an intruder gaining Safari's privileges (e.g.) has access to everything Safari has access to, namely, your entire home directory. Besides, do you encrypt your entire home directory?

      (2) You don't need root to launch an application (like a bot) or even install a keylogger (suid isn't set for KeyboardViewerServer, for example).

      --
      Make Slashdot readable! See journal.
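    Several posts in this subthread turn on whether Safari's "Open safe files after downloading" option was on. The following audit check is added by the editor and is not code from the thread or from Apple. It reads a com.apple.Safari preferences plist and reports the option, treating an absent key as enabled (Safari ships with it on) and treating anything other than a real boolean false as enabled too, so a mistyped `defaults write` is not counted as a fix. The key name AutoOpenSafeDownloads is the editor's assumption; the sample plists are constructed, not captured from a machine.

```python
import plistlib

# Preference key behind Safari's "Open 'safe' files after downloading"
# checkbox (editor's assumption; the thread names the option, not the key).
AUTO_OPEN_KEY = "AutoOpenSafeDownloads"


def auto_open_enabled(prefs: dict) -> bool:
    """Return True when Safari would auto-open downloads.

    Safari ships with the option turned on, so a preferences file that
    never mentions the key must be reported as enabled.  Anything other
    than a genuine boolean False (for example the string "false" written
    with the wrong `defaults` type flag) is also treated as enabled, so a
    botched hardening attempt does not pass the audit.
    """
    return prefs.get(AUTO_OPEN_KEY, True) is not False


def audit_safari_prefs(data: bytes) -> dict:
    """Parse a com.apple.Safari plist (XML or binary) and report the setting."""
    prefs = plistlib.loads(data)
    return {
        "key_present": AUTO_OPEN_KEY in prefs,
        "auto_open": auto_open_enabled(prefs),
    }


# Constructed sample preference files; not captured from a real machine.
FRESH_INSTALL = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>HomePage</key>
  <string>http://www.apple.com/</string>
</dict>
</plist>
"""

HARDENED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>HomePage</key>
  <string>http://www.apple.com/</string>
  <key>AutoOpenSafeDownloads</key>
  <false/>
</dict>
</plist>
"""

# The value is a string rather than a boolean, as produced by
# `defaults write ... -string false`; the audit must not accept it.
BOTCHED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>AutoOpenSafeDownloads</key>
  <string>false</string>
</dict>
</plist>
"""

if __name__ == "__main__":
    samples = (("fresh", FRESH_INSTALL), ("hardened", HARDENED), ("botched", BOTCHED))
    for name, blob in samples:
        print(name, audit_safari_prefs(blob))
```

    On a real Mac the file to feed in is ~/Library/Preferences/com.apple.Safari.plist (plistlib reads both the XML and the binary form). Turning the option off with a proper boolean is `defaults write com.apple.Safari AutoOpenSafeDownloads -bool false`, again assuming that key name.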
  7. Re:editors ftl by Anonymous Coward · · Score: 2, Funny

    Normally we make fun of Slashdot editors for not being able to spell simple English terms familiar to a mass audience correctly. They loose there audience when they do that. Usually they can get their terms of art correct. Not this time. (Not a sentence)

    Guys, it's spelled "0day", and it has been since before you l33ch3d Karateka on a catfur. Do have some sense of perspective. (Question mark?)

    See me.
  8. no such thing as a white hat... by Animaether · · Score: 5, Interesting
    ...is there?

    I mean - I can only assume this was a 'white hat' hackers conference, given there was actual publicity given and a public bounty and such. But then things like these pop up?

    "'Shane can have the laptop, I want the money,' Dai Zovi said in a telephone interview from New York"
    "Conference attendees were underwhelmed, reasoning a Mac exploit that required no end-user interaction could be sold for upwards of $20,000."

    Makes me think.. black hat, white hat.. what's the difference these days? I thought a white hat hacker was the 'good guy' (albeit still a hacker).. the kind of person who hacks for fun / curiosity.. the kind of person who notifies the developer of the bug or, at least, just makes the bug known to the world at no charge. Not the kind of person who hacks, then scours the 'security conferences' for a bounty, and when that bounty is lower than what they could get off of actual 'bad guys', complain that the bounty is too low. To me, that just sounds like the person is a black hat, but dons a white hat on top in an attempt to fool us into thinking they're white hat.
    1. Re:no such thing as a white hat... by ancientt · · Score: 3, Insightful

      Okay, maybe a black hat tendency, but there might be alternatives.

      There are plenty of security companies out there legitimately trying to sell their software, plenty of people who would love to be the only ones who have a defense against some secret hack. If you want me to spend time finding a vulnerability and then writing an exploit, my time would not come cheap. I'm not even talented in that direction. Imagine that you're a security researcher who gets paid for your time investigating and resolving potential security breaches: what kind of payoff makes it worth investing your time in that gamble? It has to be a pretty penny, or else you're better served doing what you do for a living.

      "Give me the money" is a legit response when you've invested your time and effort into something with that as your goal. If he'd said "I don't hack for fun or evil, I only did this for the contest and expect to be given what I was promised" then I don't think you'd have the same take. There is a good chance that is exactly what he meant too. You might be shocked to learn that a lot of us who are considered computer geeks are not the world's foremost verbal communicators.

      I love my job, but I won't work here long after they stop paying me.

      --
      B) Eliminate all the stupid users. This is frowned upon by society.
  9. Hey, good! by Tickletaint · · Score: 2, Insightful

    As a longtime Mac user and a fan of Apple products in general, I'd like to congratulate the winner of this contest. Too many Mac users now seem lost in willful ignorance of the fact that tasteful, thoughtful design alone doesn't render a system bulletproof. Thus, I applaud any honest efforts to increase the public awareness that yes, shit-happening potential exists, even on a Mac.

    (I said honest efforts. That guy who claimed the AirPort hack is still a raging tool.)

    Another point to emphasize—and which, curiously, seems always to be overlooked on Slashdot—is that an uninvited guest doesn't need root to ruin your day. As long as he or she can rm -rf ~, or better yet, yank all your most intimate personal documents and send them flying across the internets, root's just gravy. So let's not pretend this Safari vuln is harmless.

    Really though, how on earth are you supposed to guard against attack through vectors not yet publicly known, without either (a) suffering a crippled functionality, or (b) being badgered into clicking "Continue" out of habit? The best approach I've seen is the one adopted by Google's anti-phishing plugin (and for those of us who can't stand Firefox, Leopard can't come soon enough). It's intuitive, unobtrusive, and cuts straight to the heart of the problem: making sure you're visiting the wholesome, trustworthy site you think you're visiting.

    But even with the Google phish alarm installed, if you make one little mistake—if you step out of line for just a second—you could be hosed. Or what if someone figures out how to inject an attack on a "safe" bulletin board? You're hosed. Hell, maybe someday Google blows it like a Taco Bell restaurant inspector. Hosed.

    So can it even be done, this cake thing, with the eating? Or is our best hope to just pray to Jobs the Mac never becomes mainstream enough to attract attention from the big-league black hats?

    --
    Make Slashdot readable! See journal.
  10. there are some weird things in Safari... by lixlpixel · · Score: 5, Informative

    Safari lets you include local files, for example...

    i told apple (and got a lame reply that it would be fixed eventually) month ago, yet it still works.

    see http://destabili.zation.eu/ for a quick harmless example that can check what applications you got installed.

    and then there is a way to crash Safari which exists for more than a year - again i had an email conversation where they wanted more info and crashreports - yet nothing was ever done about it.

    http://lixlpixel.org/safaricrash/ and follow the instructions - but make sure you don't have any important tabs open...

  11. What I want to know by HairyCanary · · Score: 3, Interesting

    How was the machine configured relative to an off-the-shelf OSX installation?

    While I understand that for the purposes of the contest it might have been necessary to reduce those protections, I think that before something becomes "news" we should know what the real risk is.

    Does this hack require the user to manually disable protections the OS ships with, or manually enable services that default to off? The article seems light on detail.

  12. Explanation of rules relaxation by Overly+Critical+Guy · · Score: 4, Insightful

    CanSecWest organizers actually had to relax the contest rules to make the hack possible, because initially nobody at the event could breach the computers under the original restrictions.

    In other words, nobody was able to remotely hack the machine, so they allowed for local exploits, which someone used in a Safari URL.

    Expect Apple-haters and other FUDmeisters to completely ignore the difference, like InfoWorld did yesterday in their breathless headline about "remotely breaking in."
    --
    "Sufferin' succotash."
    1. Re:Explanation of rules relaxation by DECS · · Score: 5, Insightful

      InfoWorld Publishes False Report on Mac Security

      "Nancy Gohring, writing for InfoWorld, delivered a misleading report yesterday on a Mac security exploit contest held at the CanSecWest conference in Vancouver, BC.

      "In her defense, it appears likely that Gohring did not write the headline for her InfoWorld article, which described the contest winner as being "able to remotely break into a Mac as part of a contest designed to illustrate security flaws in OS X." That part was simply wrong.

      "Whoever did write the headline must have been smoking weed in celebration of 4/20, because Gohring's article clearly described a local exploit. There's a big difference between the remote exploits that made Windows infamous for its insecurity and a local exploit of an application."

      More info under a series of subheadings:

      Gohring's Mac Security Myths
      Microsoft's Security Embarrassment
      Mac OS X and Security
      The Mac Minority Malware Myth
      Why Macs Aren't Sending You Spam

  13. The "never opened before" dialog is good. by Kadin2048 · · Score: 2, Insightful

    I'm not exactly sure what the default settings are like, because honestly it's been years since I've used a Mac that was in its out-of-the-box, default state, but the way I have it right now, the only warning I get is when I'm about to open an application that's never been run before.

    This, IMO, is a Good Thing. It's only a half a second delay when I really do want it to launch a new application, and it's a nice heads-up that the computer is doing something that I've never done with it before. More than once I've hit "Cancel" and decided to take a second look at exactly what's going on, which in my mind means that the dialog is useful.

    If a dialog pops up, and you never, ever click anything but 'yes,' then it's a stupid warning, and you're right to say that it's just ass-covering on the part of the OS manufacturer. However, if you find yourself using both options, then it's probably a good thing to have it there.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."