Mac Hacked Via Safari Browser

[HardOCP News]

A zero-day vulnerability in Safari allowed two attendees of CanSecWest security conference to walk away with a 17” MacBook and $10,000 prize for exploiting two MacBooks in the Pwn-2-Own contest. Not a bad haul considering it only took the contestants nine hours to come up with a working vulnerability.

Macaulay pwned the Mac by sending it an e-mail that directed a user to a malicious site. Upon visiting the site, the user—a CanSecWest organizer perched on the machine to protect it from physical assault—was infected with malware, without clicking on anything within the site.

 

[XorCist]

not too shabby...but am i the only one who is under the impression thats its not the OS thats vulnerable, its the coding languages within it? IE, the guy won using a Javascript exploit. Most malware/spyware/younameit comes thru scripted info (my guess is 80%javascript, 20% other), so shouldnt Sun (javamakers) be the ones getting the attacks (about poor security), more than apple or ms?

 

[bashPenguin]

Javascript != Java. Java is Sun Micro's, whereas Javascript is an implementation of ECMAScript by Mozilla/Netscape.

And this would still be a vulnerability for a Mac system. Mac OSX ships with Safari browser by default, and Javascript vulnerabilities target the embedded Javascript interpreter within the browser.

 

[xX_Jack_Carver_Xx]

Is it just me, or is it unbelievable that "browser vulnerabilties" still exist in 2007.

These programmers deserve to have thier asses outsourced.

 

[pgwalsh]

And this would still be a vulnerability for a Mac system. Mac OSX ships with Safari browser by default, and Javascript vulnerabilities target the embedded Javascript interpreter within the browser.

It should be noted, which is not on the home page, that they had to turn off some essential security in the OS in order to allow the hack. The first day they were unable to perform the hack. On the second day they relaxed the security and the hack was performed. It's still a hack nonetheless. Glad my setup is far more secure then the setup they were using. In the end, I think it's a good thing to hack the mac. Keeps Apple honest.

 

[syntx]

Is it just me, or is it unbelievable that "browser vulnerabilties" still exist in 2007.

These programmers deserve to have thier asses outsourced.

It's funny how misunderstood the problem of "browser vulnerability" is. The two main reasons they are is: 1- Integration with the UI/Desktop and 2- The extensions.

Take IE for example, it's more vulnerable than Firefox because it is a desktop component and therefore a malicious program can take advantage of this integration.

 

[TechLarry]

It's kinda funny, they had to change the rules of the contest to make it hackable.

That's the second time a contest had to be altered to make a Mac Hackable.

 

[RiZnO]

Changing the rules is common though... if you had a too tough situation, that wouldnt be realistic seeing as there are 100's of millions of users out there and not everyone is aware of pc/mac security precautions regardless of how ridiculous that may sound... These corporations are trying to protect the [H] and the noobs that are out there..

 

[nilepez]

It should be noted, which is not on the home page, that they had to turn off some essential security in the OS in order to allow the hack. The first day they were unable to perform the hack. On the second day they relaxed the security and the hack was performed. It's still a hack nonetheless. Glad my setup is far more secure then the setup they were using. In the end, I think it's a good thing to hack the mac. Keeps Apple honest.

Where did you see that they turned off essential security? AFAIK, it's not in the linked article. All i saw was they allowed them to send an email to the user, which presumably contained the link to the page.

 

[RandomNY]

So are we going to see a PC/Mac commerical where the Mac guy is sitting on his couch watching tv and his home is bulgerized, while the PC guy feigns to give a rip that his buddy Mac was just assaulted?

 

[Ardrid]

But they told me Macs couldn't be hacked!!!

 

[ciparis]

Nice quotes from the hacker in that article.

"I like Macs," he said. "I use Macs for everything."

Macaulay said he uses both, but on the whole he finds Macs "a little" more secure.

The hacking duo are firm believers in responsible disclosure: i.e., taking bugs to a software vendor before going public with them.

"We're trying to make computing more secure for everyone," Dai Zovi said. "Responsible disclosure is the best way to do that."

He said that he's found Apple "very responsive" to bug reports.

"Basically they reply within the day," he said. "The one thing they've tried to do, once they've fully investigated the issue is they'll let you know they're patching it now. Their stance is to take information, work with you to identify the cause, and converge it into the development process."

As for what he'll do with the $10,000 cash prize, Dai Zovi said he's thinking of buying a MacPro.

 

[cliche]

any of you guys here use a mac ?

 

[AaronP]

I have one that I mess with when I get bored.

 

[six_storm]

any of you guys here use a mac ?

I use an iBook and an iMac right now, best computers I've ever owned.

As far as I've seen, there have been many little "challenges" to hack a Mac all around the net. This is apparently the first one that has been completed. One guy left his Mac Mini up on the net wide open and no one hacked it. I think this was over at MacRumors?

Anywho, I'm not big on security (don't know the details of certain things) but I'm glad someone could expose some holes in OSX. This will allow Apple to patch them up and make my Macs more secure. Everyone wins!

 

[CyberDeus-RagDoll]

Is it just me, or is it unbelievable that "browser vulnerabilties" still exist in 2007.

These programmers deserve to have thier asses outsourced.

I think the problem is that most of the programming already IS outsourced.

 

[CopyCat]

I have a MacPro that I use sometimes

I don't find it to be any more or less secure than my PC. In fact I have owned several PCs and a couple Macs in the past few years and none of them have been victims of anything.

Im sure this is the case with most people on this site though

 

[hl3395]

Unless your activities online can be classified as nsfw, the chances of being hacked is extremely low. Hell, you can open all sorts of spam e-mail and the chances are still low.

Virus, trojan, worms. God's punishment for your online sins.

 

[webdev511]

It's kinda funny, they had to change the rules of the contest to make it hackable.

That's the second time a contest had to be altered to make a Mac Hackable.

Sounds like this whole thread needs some context as I was under the impression that the initial rules were that the Mac had to be exploited via wireless and they changed that to any hack on day 2.

Judging from the description of the winning hack, wired or not, that mac was toast.

"Come on everyone, the internet is such a safe and trusting place, so let's turn off all of our security and just trust everyone like we used to 15 years ago...."

 

[nilepez]

Sounds like this whole thread needs some context as I was under the impression that the initial rules were that the Mac had to be exploited via wireless and they changed that to any hack on day 2.

Judging from the description of the winning hack, wired or not, that mac was toast.

"Come on everyone, the internet is such a safe and trusting place, so let's turn off all of our security and just trust everyone like we used to 15 years ago...."

That's exactly what happened. I'm not sure what that would have proven anyway. Has WPA EVER been cracked?

 

[CyberDeus-RagDoll]

That's exactly what happened. I'm not sure what that would have proven anyway. Has WPA EVER been cracked?

http://wifinetnews.com/archives/004428.html
Yep.

The length of the passphrases just indicates the amount of time it'd take.

 

[nilepez]

http://wifinetnews.com/archives/004428.html
Yep.

The length of the passphrases just indicates the amount of time it'd take.

I guess that still begs the question of whether security was turned off on the router. If not, it still seems like the first day they were testing wireless security, not the security of OSX, but I don't claim to be security expert by any stretch.