
A bummer for Apple



Mac OS X's reputation for security was tarnished Thursday when a team of researchers from Independent Security Evaluators (ISE) managed to hack a MacBook Air in two minutes using a zero-day vulnerability in Apple's Safari 3.1 Web browser.

 

The ISE security researchers -- Charlie Miller, Jake Honoroff, and Mark Daniel -- were participating in the "PWN to OWN" competition at the CanSecWest security conference, which began Wednesday in Vancouver, British Columbia.

 

Contest participants had their choice of trying to hack an Apple MacBook Air running OS X 10.5.2, a Sony Vaio VGN-TZ37CN running Ubuntu 7.10, or a Fujitsu U810 running Vista Ultimate SP1. During the first day, when attacks were limited to network attacks on the operating system, no one managed to compromise any of the systems.

 

That changed Thursday when attacks on default client-side applications -- Web browser, e-mail, IM -- were allowed. The ISE team won $10,000 from security firm TippingPoint Technologies for compromising the MacBook Air.

 

The undisclosed vulnerability in Safari 3.1 has been shown to Apple and no further information about it will be revealed until Apple can issue an update, TippingPoint said.

 

In a blog post on Friday, TippingPoint said, "Since the Vista and Ubuntu laptops are still standing unscathed, we are now opening up the scope of the targets beyond just default installed applications on those laptops; any popular third-party application (as deemed 'popular' by the judges) can now be installed on the laptops for a prize of $5,000 upon a successful compromise."

 

Apple did not respond to a request for comment.

 

Article from: http://www.informationweek.com/software/sh...cleID=207000434

 

I removed one paragraph from the article that was pretty much pointless and just trying to poke fun at Apple.

 

But despite the bias present, this article does outline a pretty bad vulnerability in Mac. :ohno:


I wonder if that matters if you never use Safari? I don't know anyone that uses Safari, everyone seems to be on Firefox. Safari was one of two things I didn't like about my Mac, the other was the limitations in numbers for graph making... I can never do exactly what I need to do for the graphs I need for my science classes. Neither issue mattered much though, as I can run Excel on my Mac and I use Firefox anyways.


Well that's not good at all! Thanks, that helps me figure out what I might want to get when I do get a new computer... I have never been a big fan of Macs and this just helps a bit. Hopefully they can figure out a way to fix the issue!


@crx: Well I suppose it depends on how deeply Safari is integrated into the system (could somebody who knows the Mac system well enlighten me on this?). Take Windows and IE for example: a security breach in IE is a major thing because Windows uses parts of IE as the backend for a lot of its internet tasks. :yes: Besides, you'd have to use Safari in order to install Firefox right? :P

 

@Ashley: Mac OS X is still a good system (better than Windows in many ways). Don't let me influence your choice too much.


HAHA I won't! I have just always had the same kinds of computers and always had Windows and I am just sort of stuck on that, I don't know if I have the energy to learn a completely different OS... granted I kind of had to do that with Vista but since it's Windows there isn't a huge difference!


Mac's not that different from Windows (neither is Linux), most operating systems try to make themselves as easy to switch to as possible (i.e. as familiar to Windows users as possible :P ).


I'm not a computer whiz by any means, but one of the advantages of Macs is supposed to be that none of the programs really run in the background... how true that is... I don't know cause, like I said, I'm no computer whiz. Though my Mac turns on and completely loads up in literally about 2 seconds, so guess I believe them when they say there's not any background programs booting up.

 

Ashley... I used to feel the same way about PCs, but then I bought a top end PC laptop about 1 1/2 yrs ago and spent a fortune on anti-virus software. Then the hard drive crapped out for no apparent reason, and though I took it to 5 different computer places that all confirmed that it was a hard drive malfunction and not a virus issue... the only response I got from the manufacturer was that 'It must be a virus, all PCs get viruses/spyware no matter what, too bad you spent the extra $300 on insurance, viruses aren't covered.' So I switched to Mac. I still have the PC... I just make sure to back up everything on discs because the hard drive dies every few months, so I have to totally reconfigure the computer... as in completely re-install all the software, Windows, etc. I lost so many irreplaceable pics, etc., not to mention all my school papers I had written. Lesson learned: back up everything and my Mac is great cause I can automatically upload and save everything to .mac if I want to. I'll still own a PC for the time being, at least until all programs, etc. are Mac OS compatible... but even if they aren't, I can still opt to run Windows on my Mac if I want to... but then it gets opened up to all those nasty viruses... so no thanks. I've officially become a Mac geek.


Theoretically speaking, there have to be components of the OS itself running in the background in order to work stuff. *shrug* I haven't used a Mac system in a while, so I have no idea if any components of the system use Safari as a backend...


Guest Sloth Von Karma
YAY!!! More proof that Windows is better than Mac :P

 

Well, yes, this is technically correct. It came as a surprise to me, too.


Now let's not get too held up in such a "He did this, but she did this and it's MUCH WORSE" sort of argument. That doesn't solve anything. Just look at that example from Friends. :P

 

Just goes to show that Macs aren't as secure and virus-free as most people claim they are. Nothing's perfect. Everything needs improving at some point. More people target Windows because more people use it. Simple as.

 

Anyway, reading another version of the story, it read as if the laptop was left alone and was directed using Safari to a bad website. Uh-oh.


UPDATE: Mac and Windows hacked, Linux still intact!

 

The MacBook Air went first; a tiny Fujitsu laptop running Vista was hacked on the last day of the contest; but it was Linux, running on a Sony Vaio, that remained undefeated as conference organizers ended a three-way computer hacking challenge Friday at the CanSecWest conference.

 

Earlier this week, contest sponsors had put three laptops up for grabs to anyone who could hack into one of the systems and run their own software. A US$20,000 cash prize sweetened the deal, but the payout was halved each day as contest rules were relaxed and it became easier to penetrate the computers.

 

On day two, Independent Security Evaluators' Charlie Miller took the Mac after hitting it with a still-undisclosed exploit that targeted the Safari Web browser. After about two minutes' work Thursday, Miller took home $10,000, courtesy of 3Com's TippingPoint division, in addition to his new laptop.

 

It took two days of work, but Shane Macaulay finally cracked the Vista box on Friday, with a little help from his friends.

 

Macaulay, who was a co-winner of last year's hacking contest, needed a few hacking tricks courtesy of VMware researcher Alexander Sotirov to make his bug work. That's because Macaulay hadn't been expecting to attack the Service Pack 1 version of Vista, which comes with additional security measures. He also got a little help from co-worker Derek Callaway.

 

Under contest rules, Macaulay and Miller aren't allowed to divulge specific details about their bugs until they are patched, but Macaulay said the flaw that he exploited was a cross-platform bug that took advantage of Java to circumvent Vista's security.

 

"The flaw is in something else, but the inherent nature of Java allowed us to get around the protections that Microsoft had in place," he said in an interview shortly after he claimed his prize Friday. "This could affect Linux or Mac OS X."

 

Macaulay said he chose to work on Vista because he had done contract work for Microsoft in the past and was more familiar with its products.

 

Although several attendees tried to crack the Linux box, nobody could pull it off, said Terri Forslof, a manager of security response with TippingPoint. "I was surprised that it didn't go," she said.

 

Some of the show's 400 attendees had found bugs in the Linux operating system, she said, but many of them didn't want to put the work into developing the exploit code that would be required to win the contest.

 

Earlier, Miller said that he chose to hack the Mac because he thought it would be the easiest target. Vista hacker Macaulay didn't dispute that assertion: "I think it might be," he said.

Article from: http://www.pcworld.com/article/id,143962-c...rs/article.html

 

If I read the article correctly, it seems that Linux was simply so tough to hack that people didn't want to make the effort (no system is uncrackable after all). :P Either that or they just don't think Linux is worth hacking...
