MacBook Air First To Be Compromised In Hacking Contest
Multiple readers have written to let us know that the MacBook Air was the first laptop to fall in the CanSecWest hacking contest. The successful hijacking took place only two minutes into the second day of the competition, after the rules had been relaxed to allow the visiting of websites and opening of emails. The TippingPoint blog reveals that the vulnerability was located within Safari, but they won't release specific details until Apple has had a chance to correct the problem. The winner, Charlie Miller, gets to keep the laptop and $10,000. We covered the contest last year, and the results were similar.
Ah, the pride of 0wnership.
The sound of a million fanbois as they screamed Nooooooooooooo. I sense a disturbance in the reality distortion generator. Set comments to flamebait and activate the extra moderation modules, Captain Taco.
Safari browser has massive security hole.
It's funny how they turned a huge hole in the Safari browser into a commercial for the Mac Air.
"Small size, big holes"
They're nearly perfect mirrors of one another. Really the only difference between this year and last's was the word "Air."
There goes their geek cred. Hey, at least they still sell a metric crap load of iPods!
Pretty much says that a laptop widely meant for home users was only compromised when allowed access to some of the most widely used applications? I'm not sure what you're trying to say (or not, rather) but a hole in safari is a bit of an issue; unless of course you're just concerned with that server running on your Air ;).
Well. Big shock there. These days, most vulnerabilities require the user to be at the helm.
Good to see that social engineering is still all it requires to compromise something.
Depends if it was a "view this page and you're 0wned" exploit or a "view this page, click accept through some requests, etc" exploit as to how dangerous it is.
.. will be using FF for a while until apple patch ;)
But as a mac user
"The winner, Charlie Miller, gets to keep the laptop and $10,000."
You mean like when your airplane flight is cancelled and the airline offers you a free ticket. Or when the food at a restaurant is crappy and they give you a coupon to eat there again.
Yes. The totally unbiased facts from a guy with "Mac" in his username.
This space for rent.
But the issue is really not which is more vulnerable, it is that you can't run a secure browser and a convenient browser unless they are two separate browsers.
It's time to abandon the general purpose browser. It's also time to quit surfing as your log-in user. You need a browser for surfing that you run (sudo or something) as a strictly limited privilege user without log-in capabilities.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
To me, a web hack to worry about (on any platform/browser) is one that can just be triggered by viewing a compromised page (like happens to most unpatched Windows machines that get nailed by drive-bys). I'm not nearly as worried about ones that require user intervention - clicking on a link, button, or something of the sort.
So if the Mac was tagged by just loading a page that delivered the hack, that's bad. Quite bad. If he had to click and download something (and perhaps defeat the auto-quarantine they use), that's not so much a big deal, though still a hole that needs patching.
One of the things about vulnerabilities on all platforms is that a significant part of the magnitude depends on how difficult it is to exploit. Remote connections to a system that avoid/defeat a firewall are really dangerous. Attacks that require the user to do something stupid are inevitable, but far less dangerous.
Thus far most of the Mac vulnerabilities have been the second type. Luckily.
-- Josh Turiel
"2. Do not eat iPod Shuffle."
If you look at their blog it seems the Vista and Ubuntu laptops are still not hacked yet at the end of day 2:
http://dvlabs.tippingpoint.com/blog/2008/03/27/day-two-of-cansecwest-pwn-to-own---we-have-our-first-official-winner-with-picture
The security flaw was in Safari, probably a buffer overflow allowing arbitrary code to be executed. Had Safari been on any other OS with that flaw, the other OSes would be fscked as well, no questions asked. Something like SELinux or AppArmor on the *nixes can help defend against things like that to a point, but it won't stop them all. Bottom line: the OS is a big chunk of the problem, but software flaws and help from PEBKAC make things a whole lot worse.
Sigs are too short to say anything truly profound so read the above post instead.
This space for rent.
So it is just coincidence that Apple are now pushing an unsafe Safari to Windows users (http://apple.slashdot.org/article.pl?sid=08/03/27/129236)?
;)
Or am I being a conspiracy nut?
--I thought I was wrong once, but I was mistaken.
It's Twitter imitating Macthorpe.
The Mac was hacked 2 minutes into day 2. After day 2 was over no other OSs or browsers had been hacked. Period. Give it up. Safari sucks. The web is a jungle. Tame it by not using Safari on your Mac.
This space for rent.
I haven't RTFA but from the surface it sounds like a fair exploit test, and sure it only fell over with user interaction, but it still fell first. So good on them, they'll enjoy their prize of a macbook air and a sweet $10k.
Wow, at +4 already for just quoting the summary and tossing in a vague and meaningless sentence.
So anyway, what exactly is it saying? The only thing I see there is that a completely passive attack (that is, absolutely no user interaction, like many well-known worms worked) failed. Once this part of the test was passed they allowed interactive attacks (where the user must assist the attacker in some way). Since this is how nearly all malware and malicious software spreads these days, I don't see anything wrong with this. Aside from just attaching hardware to the network, a web browser and email client are the two applications with the most Internet "surface area". As all major operating systems come bundled with a primary browser (IE, Safari, Firefox) a flaw in the browser essentially amounts to a flaw in the OS. It seems natural and obvious to put them to the test.
"What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
Here is your linkey http://blogs.msdn.com/ie/archive/2006/02/09/528963.aspx
Quote from the linkey
In IE7's Protected Mode--which is the default in other than the Trusted security zone--the IE process runs with Low rights, even if the logged-in user is an administrator. Since add-ins to IE such as ActiveX controls and toolbars run within the IE process, those add-ins run Low as well. The idea behind Protected Mode IE is that even if an attacker somehow defeated every defense mechanism and gained control of the IE process and got it to run some arbitrary code, that code would be severely limited in what it could do. Almost all of the file system and registry would be off-limits to it for writing, reducing the ability of an exploit to modify the system or harm user files. The code wouldn't have enough privileges to install software, put files in the user's Startup folder, hijack browser settings, or other nastiness.
In Protected Mode IE writes/reads special Low versions of the cache, TEMP folder, Cookies and History:
Cache: %userprofile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low
Temp: %userprofile%\AppData\Local\Temp\Low
Cookies: %userprofile%\AppData\Roaming\Microsoft\Windows\Cookies\Low
History: %userprofile%\AppData\Local\Microsoft\Windows\History\Low
This space for rent.
According to secunia Vista has 2 minor vulnerabilities unpatched, Ubuntu 0, and OS X 6 vulnerabilities.
This space for rent.
Sudo runs things as the super user, hence the name......this is not what you want if you are going for higher security.
Actually "su" stands for "switch user". You can just as easily sudo to _any_ user.
There's no conceivable way that the exploit was discovered and attack code written in two minutes. Hell, I could barely write a slightly sophisticated 'hello world' app in that time (maybe I'm just a slow typist, or he's an android.)
From what I've seen, (correct me if I'm wrong) the rules stated that no previously disclosed vulnerabilities could be used. So, if this guy kept quiet for a few weeks, he could have used exploit code he had already developed.
What the parent was suggesting is to create an account with very limited access and to run the browser as that account using something like: `sudo -u sandboxaccount browserbin`.
The contest was also sponsored by the likes of Google, Cisco, Adobe, some security folk... They must all have it in for Apple, oh no Apple is screwed! Plus if you read how the contest was run, it's hard to make the case that this was all pro-MS.
Get the facts... Up to the point where they support your agenda and then punt.
Try doing that when you don't have physical access to the machine in question. It seems that Safari is Mac's equivalent of Internet Explorer in that it can be a major security problem. It's something Apple really needs to get under control lest they actually become as fubared as Windows often is. It's inevitable as it stands as Mac gets more popular and its users less knowledgeable about how to secure their systems.
Sigs are too short to say anything truly profound so read the above post instead.
I'm typing this on a Macbook Pro running Safari, and I'm happy about the results of this competition. As Apple computers (slowly?) gain market share, they will eventually be forced to significantly adjust their terrible attitude in terms of security.
I would rather have Apple "shamed" into providing me (and other OS X users) a more secure web browser/operating system than gain some pathetic "my system is more secure than yours" bragging rights.
There needs to be a "-1, Divorced From Reality" mod. That's a powerful persecution complex you have going there.
Ownership (no pun) was the key to understanding this. A real contest would have let the winner (the first to hack in) keep one of the computers they did not break. The contest doesn't measure much when the competitors target the one they want to win: the sexiest machine so they attack it.
Instead if they had a choice they would attack the weakest machine and you'd see people voting with their feet as to which machine was the weakest. An actual measurement.
Instead you got a beauty contest. Which Apple apparently won.
Some drink at the fountain of knowledge. Others just gargle.
Are you for real? Did you bother reading that article and seeing the fine print? The laptops were tested in parallel all day and Mac fell first, the other two were tested for the rest of the day and weren't hacked so they go to the next round with relaxed rules(3rd party s/w installed). It's extremely funny that you did exactly what you're accusing others of doing. Nice self-pwnage.
This space for rent.
In other words, the first to hack it gets it! Who wants a Vaio or a Fujitsu anyway? Given a choice between the three, I'm sure everybody wanted the MacBook Air. Naturally, the only machine getting the pounding is going to be the first to crack.
... Zzzzzzzap.... couldn't.... Zzzzzzzzzap. ... agree... Zzzzzzzzzzap.... more. ;)
Yes, that sounds logical, if your genitals are hooked up to a car battery.
The winner got to keep the unit AND 10,000. So OBVIOUSLY they should crack the easiest unit, flip it on ebay, and then buy whatever they actually want, while pocketing the remaining 8-9 grand...
So... the moral of this story? Never underestimate the ability of an Apple fan to rationalize how the Mac could be the first to fail, yet still be the finest computer in the competition. d(^_~) [Thumbs up!]
Yeah. A Laptop is safe, even connected to a network, provided you make no contact with the network as the user.
Like my car - very very safe as long as you don't back it out of the garage.
Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
You're right. With a stricter firewall, the browser wouldn't have been able to fetch anything over the internet at all.
I am an apple fan and enjoy a lot of their products.
There is no way any system can be perfectly secure, but this is a significant hole. While they probably won't get me to click that stupid link, they might get my mom or any number of the other avg everyday users.
At least now we can get beyond the macs can't be hacked BS and move on to securing my favorite OS and keeping it that way.
Now let's see how long it takes for Apple to post a patch, that is really where the rubber meets the road.
They implemented the Biba Integrity model, which isn't exactly slapped together. The idea is that the data that comes from the web is untrusted, and therefore is of low integrity. Data from the system itself is trusted, and thus of high integrity.
A low integrity process cannot write to a high integrity process, so bad information (like malware) cannot get to the system. Likewise, it cannot write to any medium integrity objects (windows, files, processes, etc.), such as those owned by the user running the browser. This means that a buffer overflow exploit in a plug-in will not allow the code to write to the filesystem outside its sandbox, nor will it be able to do things like hijack your homepage.
Of course no security system will prevent you from entering your CC# into a fraudulent online store, so it still has to have a phishing filter.
"Super user do", sounds better than "switch user do", so from here on, that's what it's going to stand for. I'm also changing the G in GNU to stand for GNU *is* Unix. Good day to you.
This space for rent.
Well, there's some truth to that.
... there was one unusual rule. Only non-published exploits could be used. So, for example, if there was a published but still unpatched vuln in Vista or Ubuntu, those couldn't be used.
However, there's also a $10,000 prize for today.
And despite that, neither the vista box nor the ubuntu box were hacked at all on day 2.
Day 2 allowed user interaction (like browsing to a website) but only allowed targeting software that ships with the product.
That being said
So part of this was timing or withheld disclosure. For example, it seems to me that a security company could find a hole and then sit on it and never disclose and save it until CanSecWest.
This space for rent.
Can't we admit that, for whatever reason, the Air/Safari was easier hacked than Vista/IE7? I know this is an unpopular bandwagon to be on, especially on Slashdot, but it seems there's no two ways about it. I refuse to believe that it was a conspiracy and that every hacker was actually just trying to hack the Air and make Ubuntu and Vista pass, that's stupid. If I were a hacker, I'd totally hack the EASIEST one simply to get the $10k and the laptop. And if there were known or open vulnerabilities, it should have fallen in what, 30 seconds?
Seriously, it's not a huge deal. If we, like good open source cronies, admit that there was a problem with *gasp* part of the Apple software/laptop combo (whether it was Safari or the OS or whatever), then maybe it will be fixed. Isn't that the main idea here? I thought the point of these things was to discover vulnerabilities so that they could be fixed, not to place bets on Microsoft falling and go up in arms if it doesn't.
Unless, of course, we really aren't interested in open source software or good software at all, but are more about claiming a company name as our own.
If a Vista machine had been first there would be a 'haha' tag on this article, as well as on yesterday's article talking about how MS issues patches faster.
Just sayin...
Parents are still in safe browsing grade school. Let me help you get right to the PhD level of safe browsing - http://www.tssci-security.com/archives/2008/03/25/security-and-safe-browsing-for-firefox/
Horns are really just a broken halo.
No other exploit came at all today. There's still thousands of dollars to be won. The motivation for the entire day less two minutes was fully on Windows or Ubuntu. But they didn't crack yet.
It's not a guarantee that the first to fail is the weakest, there's definite elements of chance and some complex interactions. But it was done with Safari, which is part of the default distribution of a Mac and it's not exactly easy to not use Safari for at least long enough to download Firefox.
I was pretty surprised when Dell finally started putting some effort into their laptop designs. For example, take the XPS m1330 that came out last year. It's actually really nice. I wanted a near-ultra-portable but *powerful* Ubuntu laptop and was within a hair's breadth of getting a macbook pro. (The air is a slick design, but the power just isn't there.) Then I found out I could get something every bit as powerful as a high-end macbook pro in the form-factor of a 13" macbook, only lighter, and for less money. (Caveat to follow.) Then I found out that the design actually looked nice. Nicer than the macbooks to my tastes. (Seriously, it's time for a design update Apple.) On top of that, the m1330's design makes a fair bit of ergonomic sense too. The laptop tapers down towards your wrists, rather than the tendinitis-inducing edge on macbooks.
Even more surprising, the m1330 is really well supported in Ubuntu. (Dell actually sells the m1330 with Ubuntu pre-installed, although the discount is rather pathetic.) More things just work in a default install of Ubuntu on the m1330 than in Vista! (The only thing that doesn't work as well in Ubuntu as it does in Vista is the fingerprint reader, but that's just because biometric password support in Linux, and KDE especially, sucks dingo balls at present.) And yes, if I bought a macbook I probably would have tossed the OSX disks and reformatted the drive first thing. I've had to develop under OSX and, while I don't mind it, I definitely prefer Ubuntu.
Caveat time. Dell's customization options are still royally borked. You can pick up a lot of accessories, like bluetooth mice, fairly cheap when buying a laptop, but other components are just insanely expensive. Anyone who maxes out the memory on a Dell while ordering it and then complains about the price is an idiot. Upgrading the memory on a Dell won't void the warranty. You want 4GB? Get 1GB from Dell, toss it, and buy a couple 2GB sticks yourself. You'll save at least a couple hundred dollars. If Dell would smarten up about that kind of thing I'd have no complaints.
Still, one thing is pretty clear. You can no longer mindlessly slag Dell for epitomizing bland and crappy laptop designs. They do still have ultra-cheap crap and bland bricks built like tanks for the corporate types, but they're also gunning for the sexier end of the market now.
Actually, "su" does indeed stand for "super user". Originally, it could only switch to root. The capability to switch to arbitrary users was added later, and "switch user" is a backronym.
While we're on the subject, guess what "dd" stands for? It's not "direct dump" or "disk destroy". It's "character copy".
Write your own Choose Your Own Adventure. http://www.freegameengines.org/gamebook-engine/
In other words this guy most likely found a security bug in Safari, but instead of reporting it directly, made an exploit and waited for a hacking contest to get a monetary benefit out of it. A real hero. Or maybe he was just quick. Which seems more plausible?
I demand the Cone of Silence!
Many people in this thread keep praising privileges restriction (be it UNIX user management, IE7 sandboxing, virtual machines, or anything else) as the ultimate solution to desktop security.
While this can reduce the chance of being "totally r00ted", you can still get "pwned" pretty badly. As long as you use your sandboxed browser daily, and have any kind of permanent storage for bookmarks / cache / saved files / etc, you still risk becoming a botnet zombie, spam machine, DDOS node, pr0n/warez share, whatever. Who cares if that all works under restricted privileges.
So, by all means, manage your privileges, but beware the fake safety feeling that gives you.
Yes, the walk of shame with a $3,000 laptop that's highly ebay-able and $10,000 in prize money. I wish someone shamed me like that.
The World's Worst Webcomic!
After all why spend so much money to develop malware or virus for a system that is being used by one half of the 5% of population who happen to surf to a website.
Costs include Apple Developer's Program, buying a Mac to develop and Test (and everyone knows it's not as easy as Visual C++), and assorted tools.
Too much effort for a reasonable payoff.
And secondly Mac users tend to be richer, well-studied and well-off, so the chances of them getting angry and responding with a lawsuit are greater.
"Doing what I can, with what I have." ~ Burt Gummer
I am worried that Apple is assuming too much about the security of the Mac OS X operating system. I am a long time user (since first beta) and it has been an incredible ride, but I'd really like for Apple to "step up" and take this bull by the horns and let the world know that they are very serious about security and eliminating *any* means of intrusion, either automated or user driven... and not just rely on the FOSS community to remedy the security problems in the software that they have incorporated into the OS.
Just as long as they don't implement some Vista like "Allow or Deny?" crap... God that would drive me *nuts*!
"To make a mistake is only human; to persist in a mistake is idiotic." Cicero
While the quick win makes for a perfect headline and reflects the Hollywood image of "hackers" that twiddle on a keyboard and almost instantly "access the mainframe" while a counter runs in the background, a more intelligent question is: why did the Mac get hacked first, and why was the attack so quick?
CanSecWest and Swiss Federal Institute of Tech Deliver Attacks on the Reality of Mac Security
The trouble is, they didn't implement the Biba security model - they only implemented part of it. More specifically, they implemented the "no write up" rule which prevents low integrity processes writing to high integrity stuff (well, most of the time - I think there are ways for low integrity process to talk to high integrity ones). However, they didn't implement the "no read down" rule at all - high integrity apps can and do read low integrity data.
Why does this matter? Well, suppose you have something like the WMF vulnerability, which can be exploited if you preview the file in Windows Explorer. All a website has to do is to download the file into the sandbox and trick the victim into previewing it.
Unfortunately, the proper Biba integrity model is probably totally impractical for desktop use.
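The gap described in the comment above, as an added example that is not part of the original post: a toy reference monitor comparing strict Biba with a policy that enforces only "no write up". All names (`Monitor`, `preview_flow`, the subjects and files) are hypothetical and constructed for illustration; this is not Windows code.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    LOW = 1     # web content and the sandboxed browser
    MEDIUM = 2  # the user's ordinary processes and files
    HIGH = 3    # system components


@dataclass(frozen=True)
class Subject:
    name: str
    level: Level


@dataclass(frozen=True)
class Obj:
    name: str
    level: Level


class Monitor:
    """Toy reference monitor over integrity labels (hypothetical)."""

    def __init__(self, no_write_up: bool, no_read_down: bool):
        self.no_write_up = no_write_up
        self.no_read_down = no_read_down
        self.tainted = set()  # subjects that consumed lower-integrity data

    def can_write(self, subj: Subject, obj: Obj) -> bool:
        # "No write up": a subject may not modify a higher-integrity object.
        return not (self.no_write_up and obj.level > subj.level)

    def can_read(self, subj: Subject, obj: Obj) -> bool:
        # "No read down": a subject may not consume lower-integrity data.
        return not (self.no_read_down and obj.level < subj.level)

    def create(self, subj: Subject, name: str) -> Obj:
        # A new object inherits its creator's integrity label.
        return Obj(name, subj.level)

    def read(self, subj: Subject, obj: Obj) -> bool:
        if not self.can_read(subj, obj):
            return False
        if obj.level < subj.level:
            self.tainted.add(subj.name)  # untrusted input reached this subject
        return True


STRICT_BIBA = dict(no_write_up=True, no_read_down=True)
WRITE_UP_ONLY = dict(no_write_up=True, no_read_down=False)


def preview_flow(policy: dict) -> dict:
    """Replay the comment's scenario: download into the sandbox, then preview."""
    mon = Monitor(**policy)
    browser = Subject("browser", Level.LOW)
    previewer = Subject("file_previewer", Level.MEDIUM)
    user_doc = Obj("user_document", Level.MEDIUM)

    direct_write = mon.can_write(browser, user_doc)   # blocked by both policies
    download = mon.create(browser, "download_in_sandbox")
    preview_read = mon.read(previewer, download)      # the policies differ here
    return {
        "browser_writes_user_doc": direct_write,
        "download_label": download.level.name,
        "previewer_reads_download": preview_read,
        "previewer_tainted": previewer.name in mon.tainted,
    }


if __name__ == "__main__":
    for label, policy in (("strict Biba", STRICT_BIBA),
                          ("no-write-up only", WRITE_UP_ONLY)):
        print(label, preview_flow(policy))
```

Both policies stop the browser from writing the user's document directly; only strict Biba stops the medium-integrity previewer from parsing the low-integrity download.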
You fanbois are embarrassing, the second day prize was $10,000. I know inside your reality distortion field people will give up 4+ Macbook Air's worth of prize money just to get a single Macbook Air, but the rest of us aren't rabid fanbois so we find this logic a little thin.
No one is going to be interested in the fact that it required user-assistance and can't be executed remotely (which are by far the most worrisome.)
The thing I enjoy most about the responses to this article is the rather predictable "Ha, so Apple DOES suck!!! Take that fanbois!" responses. It's certainly true that this is an important find and that an exploit in the wild is something to be concerned about. But the point of this is really that there's no such thing as a secure OS yet (and there probably never will be). Not unless you've removed the power source from your system, encased it in concrete and sunk it to the bottom of the sea.
The perceived general level of security in a system can be directly correlated to the most recent compromise of that system. The fact that the Linux and Windows systems involved in this contest have not yet been compromised does not indicate that they are more or less secure in a general sense than the Mac. It does indicate that no one has found the vulnerability that inevitably lurks within the kernel or a piece of installed software on those systems. But rest assured, the exploits are there.
"FireFox is more secure than IE", you say on Monday. Then Slashdot posts "HUGE FRIGGING HOLE FOUND IN FIREFOX: DOOM!!!" on Tuesday. And suddenly the absolute statement you've made sounds silly.
If you don't believe this is true, try this: get hold of a system exactly like the ones currently considered "unhackable" in the contest and disable any automatic updates (and don't install any manually). Wait three months and then compare that system against one with the most recent updates. You're sure to find that your unhackable system is now full of known exploits and security holes.
The systems we rely on today are very complex and in a very real sense cannot be completely understood. There are techniques that can make them generally more secure and all of the OS developers are working to bring these features online every day. Some are better at this than others (or so it seems), but they all do it. Even Microsoft. But the thing about security is this: the bad guys only need one hole and the good guys have to cover all the bases.
The only real security in a system comes from user practices, not software. If you don't install updates on your system, it will be vulnerable. If you don't consider HOW and where you use your system, it will be vulnerable. In other words, the core component in a secure system is YOU.
It's probably true that there is a "most" secure OS and a "least" secure OS right at this moment. Take a guess which is which and you might even be correct. But there's no absolute answer that will be true tomorrow. We need to stop with the absolutes and "MY FLAVA ROCKS YER FLAVA" hyperbole and start to think more like real security experts do. The next big hack for your favorite OS is just around the corner. And there's no doubt about that.
My teenage son can demolish any PC in an afternoon of unsupervised surfing. My neighbor's Vista box barely runs; God knows what they've got on it. (Unlike the Ubuntu box I let them borrow for two years before they bought their new Dell 3 months ago.) The Mac mini my son uses to surf (when he's allowed) runs as well as it did two years ago and I haven't even run software updates on it. (No sense mentioning it has no antivirus software either.)
I don't care if it's spyware, adware, a virus, a tray icon, or even just a simple browser toolbar or homepage or search-engine hijacking; or if it's installed manually or via drive-by methods--whether it's due to small market share, inherent (UNIX) security, or something else, I will continue to argue that Mac and Linux are the better platforms, IN PRACTICE, for the average user.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.