Slashdot Mirror

← Back to Stories (view on slashdot.org)

MacBook Air First To Be Compromised In Hacking Contest

Posted by Soulskill on from the potential-reality-tv-show dept.

Multiple readers have written to let us know that the MacBook Air was the first laptop to fall in the CanSecWest hacking contest. The successful hijacking took place only two minutes into the second day of the competition, after the rules had been relaxed to allow the visiting of websites and opening of emails. The TippingPoint blog reveals that the vulnerability was located within Safari, but they won't release specific details until Apple has had a chance to correct the problem. The winner, Charlie Miller, gets to keep the laptop and $10,000. We covered the contest last year, and the results were similar.

29 of 493 comments (clear)

  1. Ouch, that didn't take long. by Anonymous Coward · · Score: 3, Insightful

    There goes their geek cred. Hey, at least they still sell a metric crap load of iPods!

  2. Re:Identical articles by Anonymous Coward · · Score: 5, Insightful

    No, this year Vista and Ubuntu were in the contest as well. But the mac got hacked in two minutes and the Vista and Ubuntu machines resisted every hack. Big difference there. Oh, and I'd like to say, HA HA /nelson - now tell us again how absense of mac malware is not because of small market share.

  3. Re:I think this section is relevant by chubs730 · · Score: 5, Insightful

    Pretty much says that a laptop widely meant for home users was only compromised when allowed access to some of the most widely used applications? I'm not sure what you're trying to say (or not, rather) but a hole in safari is a bit of an issue; unless of course you're just concerned with that server running on your Air ;).

  4. Users == the problem by ashridah · · Score: 3, Insightful

    Well. Big shock there. These days, most vulnerabilities require the user to be at the helm.

    Good to see that social engineering is still all it requires to compromise something.

    1. Re:Users == the problem by recoiledsnake · · Score: 5, Insightful

      Good to see that social engineering is still all it requires to compromise something. So why weren't the Windows and Linux machines be able to be hacked inspite of the social engineering and users being at the helm all day?
      --
      This space for rent.
    2. Re:Users == the problem by ashridah · · Score: 3, Insightful

      That's the thing. It wasn't unix that they broke, It was the relatively new code. OSX may look like a unix from the outside in, but it's not one from the desktop down. It may resemble it, but it's not complete. Unix may be convenient for Apple, but it's not a mantra.

      That said, ubuntu (and linux in general) are heading that way too, just not quite with the same fevered pitch.

      It's the same basic premise that windows was based on: The user is in control. OSX and linux both have fairly strong boundaries between admin and user, but things are slowly wearing down, in the name of convenience. The difference being that things started out far more secure, and there's a bit more separation at the display itself, whereas win9x was not designed with this security in mind, and while NT was, it also inherited parts from win9x's shell and there were compromises at the display, etc.

      Microsoft gets this now though. SQL Server's a great example of that. Hundreds of thousands of man-hours have gone into making that thing far more secure than the slammer days, just compare critical vulnerability counts from SQL-server to Oracle. Microsoft's biggest curse is legacy code now, plus a fair amount of ongoing training, and they will only shrink with time. This is mainly shifting market pressure, of course, it costs money to have negative press regarding security nowadays. It didn't in the past, and it will only increasingly have negative press for the next couple of decades at least. It's surprising that Oracle is now doing what Microsoft used to do: treat security as a marketing buzz word (Unbreakable on linux took how long to break?)

      But who knows how many holes were in the old X11R6. But you didn't run that on servers, for a good reason. Guess what, there are probably lots of applications that don't handle the Windows messaging system securely and buffer-over/underrun free either.

      These days, things like IE operate in Limited user mode. This goes even further than ordinary users (far more than a "power" user, and lightyears away from Administrator or SYSTEM). It's restricted to \users\%USER%\AppData\LocalLow\ and one or two other locations, and that's it (Favorites spring to mind. It gets to be a pain if those accidentally wind up back with normal ACLs, as I mentioned here.)
      So you need to work harder to break out of internet explorer, and IIRC, it takes permission from a privileged application to do it. Outlook's probably a juicier target, but it's been subject to the fabled crucible for a long long time, so again, it's harder.

      OSX hasn't been subject to it for long at all. Safari's new. *Really* new, and you know what, it wasn't even webkit that broke, but the url bar (if memory of the bugtraq post serves.) Where did webkit come from? Oooh. that's right. KDE.

      We're all in for it if apple really do gain significant market share (we being administrators, not we being "the general populace"). It may or may not be as big a problem as windows has been, but I'm willing to bet that the effects will be as dire, and apple doesn't really have a fantastic track record here, as other articles have pointed out. The momentum of not having security as a primary goal is one that takes a *long* time to turn around.

  5. Re:Keep the laptop by MobileTatsu-NJG · · Score: 4, Insightful

    You mean like when your airplane flight is cancelled and the airline offers you a free ticket. Or when the food at a restaurant is crappy and they give you a coupon to eat there again. Well.. sorta. It's more like when a company loans you a laptop to hack, then they let ya keep it, then they give ya ten thousand dollars on top of that.
    --

    "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

  6. Re:right by recoiledsnake · · Score: 5, Insightful
    And the karma-whoring RDF sets in.

    anyone who either has physical access to the computer being attacked or can convince the user running the machine to install/download anything is capable of breaking pretty much any OS they want. So no one wanted 20k of cash and expensive windows and linux laptops? Why weren't anyone able to hack the Windows and Linux laptops? They did not have physical access to the machine. Nothing was downloaded or installed manually. Only a website hosted by the attacker was just visited by the organizers on the browsers and mails were opened(attachemnts were not) and read.

    The fact that they had to relax the rules so that the Mac could be broken into illustrates this nicely. The fact that inspite of the relaxed rules, the Windows and Linux laptops were not broken into, illustrates totally something else. I will let you guess it. They are going to further relax the rules tomorrow to include third party applications to make it even easier to hack. Unfortunately, the Mac won't be there because it didn't make it to the third day.
    --
    This space for rent.
  7. And, in this case, the attacker deliberately chose by reiisi · · Score: 3, Insightful

    Miller, best known as one of the researchers who first hacked Apple's iPhone last year, didn't take much time. Within 2 minutes, he directed the contest's organizers to visit a Web site that contained his exploit code, which then allowed him to seize control of the computer, as about 20 onlookers cheered him on.

    He was the first contestant to attempt an attack on any of the systems.

    But the issue is really not which is more vulnerable, it is that you can't run a secure browser and a convenient browser unless they are two separate browsers.

    It's time to abandon the general purpose browser. It's also time to quit surfing as your log-in user. You need a browser for surfing that you run (sudo or something) as a strictly limited privilege user without log-in capabilities.

    --
    Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
  8. Maybe it's major, or maybe no big deal by jht · · Score: 4, Insightful

    To me, a web hack to worry about (on any platform/browser) is one that can just be triggered by viewing a compromised page (like happens to most unpatched Windows machines that get nailed by drive-bys). I'm not nearly as worried about ones that require user intervention - clicking on a link, button, or something of the sort.

    So if the Mac was tagged by just loading a page that delivered the hack, that's bad. Quite bad. If he had to click and download something (and perhaps defeat the auto-quarantine they use), that's not so much a big deal, though still a hole that needs patching.

    One of the things about vulnerabilities on all platforms is that a significant part of the magnitude depends on how difficult it is to exploit. Remote connections to a system that avoid/defeat a firewall are really dangerous. Attacks that require the user to do something stupid are inevitable, but far less dangerous.

    Thus far most of the Mac vulnerabilities have been the second type. Luckily.

    --
    -- Josh Turiel
    "2. Do not eat iPod Shuffle."
  9. Re:Identical articles by Whiney+Mac+Fanboy · · Score: 4, Insightful

    because of Apple's rep., people would be eager to take on the Mac first.

    Hold on - are you saying that Mac's have a better reputation for security than linux?

    Congratulations sir. Apple fanboy's capacity for self-delusion never ceases to amaze me.

    --
    There are shills on slashdot. Apparently, I'm one of them.
  10. Re:I wouldn't be surprised.. by EraserMouseMan · · Score: 4, Insightful

    The Mac was hacked 2 minutes into day 2. After day 2 was over no other OSs or browsers had been hacked. Period. Give it up. Safari sucks. The web is a jungle. Tame it by not using Safari on your Mac.

  11. I say well done. by catwh0re · · Score: 4, Insightful
    In the past I've written replies which effectively defended the mac platform, not due to some loyalty, but because most of the feedback people write is pure b/s. I prefer factual arguments, not near-random fear mongering.

    I haven't RTFA but from the surface it sounds like a fair exploit test, and sure it only fell over with user interaction, but it still fell first. So good on them, they'll enjoy their prize of a macbook air and a sweet $10k.

  12. Re:I think this section is relevant by nmb3000 · · Score: 4, Insightful

    Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but on Thursday the rules were relaxed so that attackers could direct contest organizers using the computers to do things like visit Web sites or open e-mail messages.

    Pretty much says it all.

    Wow, at +4 already for just quoting the summary and tossing in a vague and meaningless sentence.

    So anyway, what exactly is it saying? The only thing I see there is that a completely passive attack (that is, absolutely no user interaction, like many well-known worms worked) failed. Once this part of the test was passed they allowed interactive attacks (where the user must assist the attacker in some way). Since this is how nearly all malware and malicious software spreads these days, I don't see anything wrong with this. Aside from just attaching hardware to the network, a web browser and email client are the two applications with the most Internet "surface area". As all major operating systems come bundled with a primary browser (IE, Safari, Firefox) a flaw in the browser essentially amounts to a flaw in the OS. It seems natural and obvious to put them to the test.
    --
    "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
    /)
  13. Re:And in other news..... by recoiledsnake · · Score: 3, Insightful

    All Apple products cause herpes. Maybe the articles are just pointing out that the Apple products you worship are not without their faults?

    Come on guys the Mac/Apple bashing articles are really getting silly. Yea lets bury this news article then just because it's anti-Apple? You're the one blaming the messenger(Slashdot) for posting news. Maybe you should blame reality for all the 'Mac bashing'.
    --
    This space for rent.
  14. Good. by brainfsck · · Score: 5, Insightful

    I'm typing this on a Macbook Pro running Safari, and I'm happy about the results of this competition. As Apple computers (slowly?) gain market share, they will eventually be forced to significantly adjust their terrible attitude in terms of security.

    I would rather have Apple "shamed" into providing me (and other OS X users) a more secure web browser/operating system than gain some pathetic "my system is more secure than yours" bragging rights.

  15. Re:And in other news..... by Cairnarvon · · Score: 3, Insightful

    There needs to be a "-1, Divorced From Reality" mod. That's a powerful persecution complex you have going there.

  16. Re:Owning Beauty by recoiledsnake · · Score: 3, Insightful

    You forgot to factor in the $10,000 cash prize.

    --
    This space for rent.
  17. Re:I think the relevant part is: by vux984 · · Score: 5, Insightful

    In other words, the first to hack it gets it! Who wants a Vaio or a Fujitsu anyway? Given a choice between the three, I'm sure everybody wanted the MacBook Air. Naturally, the only machine getting the pounding is going to be the first to crack.

    Yes, that sounds logical, if your genitals are hooked up to a car battery.

    The winner got to keep the unit AND 10,000. So OBVIOUSLY they should crack the easiest unit, flip it on ebay, and then buy whatever they actually want, while pocketing the remaining 8-9 grand...

    So... the moral of this story? Never underestimate the ability of an Apple fan to rationalize how the Mac could be the first to fail, yet still be the finest computer in the competition. d(^_~) [Thumbs up!]

    I ... Zzzzzzzap.... couldn't.... Zzzzzzzzzap. ... agree... Zzzzzzzzzzap.... more. ;)

  18. Re:right by moderatorrater · · Score: 3, Insightful

    people simplify the problem to "Mac suxorz" when it really isn't that simple. Really? Because I see the Mac having come out as the clear loser in a head to head contest on a level playing field against the two biggest competitors it has in the laptop market. Seems pretty simple to me.
  19. Can't wait to find out what and how by SpeedyG5 · · Score: 5, Insightful

    I am an apple fan and enjoy a lot of their products.

    There is no way any system can be perfectly secure, but this is a significant hole. While they probably won't get me to click that stupid link, they might get my mom or any number of the other avg everyday users.

    At least now we can get beyond the macs can't be hacked BS and move on to securing my favorite OS and keeping it that way.

    Now lets see how long it takes for apple to post a patch, that is really where the rubber meets the road.

  20. Re:Owning Beauty by recoiledsnake · · Score: 4, Insightful
    You first said:

    instead you got a beauty contest. Which apple apparently won. Any contestant with half a brain knows that he can get 4+ Macbook Airs for the $10,000 cash prize and then ebay or install hackintosh on the "non-beautiful" laptops if they really hate Ubuntu or Vista that much. Seriously, if it was easier to compromise Ubuntu or Vista why not do that instead of going to the trouble of hacking the more secure(your implied claim) Apple laptop?

    And you forgot the prospect for employment. Hack a mac and you put it on your resume, hack a PC and no one cares or worse thinks your are a script kiddie. If the company really thinks in that way, I don't think you want to be working there in the first place. And what about Linux? Why wasn't it hacked?

    More to the point, what you can't measure here is the real world vulnerability. I cringe at keeping my Linux machines up-to-date and protected. I rely on firewalls not themachines. With the machines, which are production machines, it's huge roll of the dice to try to apply a patch and descend into dependency hell and discover over the next week which parts of your production got broken and which need compat libs and so on. With my fleet of macs, I don't hesistate to software update (well actually, unless the vulnerability is rampant I wait a week cause even apple screws the pooch. But just a week, and then you know it's safe.) SO in the real world macs are highly patched. MS can be and it's only a wee bit harder. (And when they fuck up (SP1) they go big, but it's mainly a function of your hardware.) Linux requires real expertise and knowledge of how your specific magic mixture of packages will be affected. That's more besides the point than to the point. All the Apple patches in the world won't save you from this exploit, since they don't have a patch for it out, yet. Besides, are you comparing updating production servers on Linux to Mac desktops? That's not a fair comparison at all. Desktop Ubuntu can also be updated without a hitch. Also, I've never seen a Windows Server 2003 production server have any problems with any of Microsoft's updates. And if you're using Debian stable on your server, you will be pretty stable with installing all the security fixes and updates because they do a really good job of testing the fixes.
    --
    This space for rent.
  21. Re:Get the Facts is a better tag. by recoiledsnake · · Score: 4, Insightful

    Let's face it: if the prize is the laptop you hack then everyone would be trying to hack the Mac: who the fuck wants the shame of walking away with a Dell under their arm? Uhh? Can't they ditch the Dell in the nearest trashcan and run to the Apple store with the $10,000 in cash? Or did you miss reading about the cash prize under the influence of some kind of field.
    --
    This space for rent.
  22. I don't get it by CannonballHead · · Score: 5, Insightful

    Can't we admit that, for whatever reason, the Air/Safari was easier hacked than Vista/IE7? I know this is an unpopular bandwagon to be on, especially on Slashdot, but it seems there's no two ways about it. I refuse to believe that it was a conspiracy and that every hacker was actually just trying to hack the Air and make Ubuntu and Vista pass, that's stupid. If I were a hacker, I'd totally hack the EASIEST one simply to get the $10k and the laptop. And if there were known or open vulnerabilities, it should have fallen in what, 30 seconds?

    Seriously, it's not a huge deal. If we, like good open source cronies, admit that there was a problem with *gasp* part of the Apple software/laptop combo (whether it was Safari or the OS or whatever), then maybe it will be fixed. Isn't that the main idea here? I thought the point of these things were to discover vulnerabilities so that they could be fixed, not to place bets on Microsoft falling and go up in arms if it doesn't.

    Unless, of course, we really aren't interested in open source software or good software at all, but are more about claiming a company name as our own.

  23. Re:Get the Facts is a better tag. by The+Evil+Couch · · Score: 4, Insightful

    Yes, the walk of shame with a $3,000 laptop that's highly ebay-able and $10,000 in prize money. I wish someone shamed me like that.

    --
    The World's Worst Webcomic!
  24. Maybe Apple will get serious about security now by shatfield · · Score: 3, Insightful

    I am worried that Apple is assuming too much about the security of the Mac OS X operating system. I am a long time user (since first beta) and it has been an incredible ride, but I'd really like for Apple to "step up" and take this bull by the horns and let the world know that they are very serious about security and eliminating *any* means of intrusion, either automated or user driven... and not just rely on the FOSS community to remedy the security problems in the software that they have incorporated into the OS.

    Just as long as they don't implement some Vista like "Allow or Deny?" crap... God that would drive me *nuts*!

    --
    "To make a mistake is only human; to persist in a mistake is idiotic." Cicero
  25. Re:Owning Beauty by Anonymous Coward · · Score: 4, Insightful

    Oh sweet jesus... Apple owners... spinning a truly piss-poor performance into a plus.

  26. Ho-hum by Anonymous Coward · · Score: 3, Insightful

    The thing I enjoy most about the responses to this article is the rather predictable "Ha, so Apple DOES suck!!! Take that fanbois!" responses. It's certainly true that this is an important find and that an exploit in the wild is something to be concerned about. But the point of this is really that there's no such thing as a secure OS yet (and there probably never will be). Not unless you've removed the power source from your system, encased it in concrete and sunk it to the bottom of the sea.

    The perceived general level of security in a system can be directly correlated to the most recent compromise of that system. The fact that the Linux and Windows systems involved in this contest have not yet been compromised does not indicate that they are more or less secure in a general sense than the Mac. It does indicate that no one has found the vulnerability that inevitably lurks within the kernal or a piece of installed software on those system. But rest assured, the exploits are there.

    "FireFox is more secure than IE", you say on Monday. Then Slashdot posts "HUGE FRIGGING HOLE FOUND IN FIREFOX: DOOM!!!" on Tuesday. And suddenly the absolute statement you've made sounds silly.

    If you don't believe this is true, try this: get hold of a system exactly like the ones currently considered "unhackable" in the contest and disable any automatic updates (and don't install any manually). Wait three months and then compare that system against one with the most recent updates. You're sure to find that your unhackable system is now full of known exploits and security holes.

    The systems we rely on today are very complex and in a very real sense cannot be completely understood. There are techniques that can make them generally more secure and all of the OS developers are working to bring these features online every day. Some are better than this than others (or so it seems), but they all do it. Even Microsoft. But the thing about security is this: the bad guys only need one hole and the good guys have to cover all the bases.

    The only real security in a system comes from user practices, not software. If you don't install updates on your system, it will be vulnerable. If you don't consider HOW and where you use your system, it will be vulnerable. In other words, the core component in a secure system is YOU.

    It's probably true that there is a "most" secure OS and a "least" secure OS right at this moment. Take a guess which is which and you might even be correct. But there's no absolute answer that will be true tomorrow. We need to stop with the absolutes and "MY FLAVA ROCKS YER FLAVA" hyperbole and start to think more like real security experts do. The next big hack for your favorite OS is just around the corner. And there's no doubt about that.

  27. Re:Owning Beauty by Cyberax · · Score: 3, Insightful

    I cringe at keeping my Linux machines up-to-date and protected What's so hard in it?

    "apt-get update; apt-get upgrade;" on a Debian Stable works like a charm (because they push ONLY security and major bugfixes). I manage a farm of 30 servers for about 2 years and Debian update ALWAYS worked without any problem.