Safari/MacBook first to fall at Pwn2Own 2011

Joe Average

http://www.zdnet.com/blog/security/safarimacbook-first-to-fall-at-pwn2own-2011/8358

I can't say I'm surprised, I really can't.

At least Apple is all over it this time:

http://www.zdnet.com/blog/security/pwn2own-2011-on-cue-apple-drops-massive-safari-ios-patches/8348

But note, the machine that fell was patched with those updates released before the event took place and it still was hacked in 5 seconds...

And yes, IE8 fell as well, which was to be expected:

http://www.zdnet.com/blog/security/...indows-7-hijacked-with-3-vulnerabilities/8367
 
I can't say I'm surprised, I really can’t.

Neither can I, inasmuch as these researchers are sitting on vulnerabilities for months, if not years, beforehand. But hey, anything goes when sites need headlines and forums need pot-stirring fodder.

Still waiting for my Safari sessions to get hijacked, let alone my install of OS X to be taken over by malware. Three years and counting. Emphasis on counting: ASLR is coming in Lion and already in iOS 4.3.
 
Still waiting for my Safari sessions to get hijacked, let alone my install of OS X to be taken over by malware. Three years and counting. Emphasis on counting: ASLR is coming in Lion and already in iOS 4.3.

You did catch this, right:

The exploit bypassed ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention), two key anti-exploit mitigations built into Mac OS X.

Anti-exploit mitigations... what an interesting way of saying it... and DEP is in Windows 7 as well, has been since XP iirc, and apparently all these newfangled "protection" technologies mean Jack Squat when someone really wants to get by 'em. Go figure.

I'm sure you caught it. Eh... no pun intended. ;)
 
You did catch this, right

I did, and the ZDNet article predictably fails to elaborate on which specific version of OS X was used. If it’s 10.6.6 (which would make sense, since the Lion NDA likely excludes it from being used in security competitions), then, uh, Snow Leopard doesn’t have ASLR. Pretty easy to bypass something that’s not there!

Speaking of missing things:

In an interview with ZDNet, Bekrar said the vulnerability exists in WebKit, the open-source browser rendering engine

Turns out not to be a problem with OS X at all. So much for the "MacBook" part of your thread title.
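The posts above hinge on whether the target actually had ASLR to bypass. A defender can answer that per binary rather than per OS release: on OS X the loader only randomises an executable's image base when the Mach-O header carries the MH_PIE flag, so a non-PIE binary gets no ASLR regardless of what the kernel supports. The following is an added example, not code from the thread or from Apple; it parses the Mach-O header fields and flag values from mach-o/loader.h (MH_PIE = 0x200000, MH_ALLOW_STACK_EXECUTION = 0x20000) and reports PIE eligibility. The sample headers are constructed inline and are not taken from any real Safari build; `inspect_file` reads a real thin Mach-O if you have one, and fat/universal binaries must be sliced first.

```python
"""Report whether a Mach-O executable is eligible for ASLR (MH_PIE set).

Added illustration for the Pwn2Own 2011 thread; not Apple's code.
Header layout and flag bits come from <mach-o/loader.h>.
"""
import struct

MH_MAGIC_32 = 0xFEEDFACE          # 32-bit Mach-O magic (native byte order)
MH_MAGIC_64 = 0xFEEDFACF          # 64-bit Mach-O magic
MH_EXECUTE = 2                    # filetype: main executable
MH_PIE = 0x200000                 # image may be loaded at a random address
MH_ALLOW_STACK_EXECUTION = 0x20000  # binary opts out of NX stack (DEP)
CPU_TYPE_X86 = 7
CPU_TYPE_X86_64 = 0x01000007


def inspect_macho_header(data: bytes) -> dict:
    """Parse the first 28 bytes of a thin Mach-O image and decode the flags."""
    if len(data) < 28:
        raise ValueError("too short to hold a Mach-O header")
    magic_le = struct.unpack_from("<I", data, 0)[0]
    magic_be = struct.unpack_from(">I", data, 0)[0]
    if magic_le in (MH_MAGIC_32, MH_MAGIC_64):
        endian, magic = "<", magic_le
    elif magic_be in (MH_MAGIC_32, MH_MAGIC_64):
        endian, magic = ">", magic_be
    else:
        raise ValueError("not a thin Mach-O image (fat binaries need slicing first)")
    # magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags
    fields = struct.unpack_from(endian + "7I", data, 0)
    flags = fields[6]
    return {
        "bits": 64 if magic == MH_MAGIC_64 else 32,
        "cputype": fields[1],
        "filetype": fields[3],
        "flags": flags,
        "pie": bool(flags & MH_PIE),
        "stack_exec_allowed": bool(flags & MH_ALLOW_STACK_EXECUTION),
    }


def summarize(info: dict) -> str:
    """One-line verdict a reviewer can paste into a hardening report."""
    aslr = "ASLR-eligible (PIE)" if info["pie"] else "NOT PIE: fixed image base, no ASLR"
    nx = "stack marked executable" if info["stack_exec_allowed"] else "NX stack honoured"
    return f"{info['bits']}-bit Mach-O, {aslr}, {nx}"


def inspect_file(path: str) -> dict:
    """Read only the header of a real binary on disk."""
    with open(path, "rb") as fh:
        return inspect_macho_header(fh.read(32))


def make_header(bits: int, flags: int, endian: str = "<") -> bytes:
    """Build a constructed (fake) Mach-O header for offline demonstration."""
    magic = MH_MAGIC_64 if bits == 64 else MH_MAGIC_32
    cputype = CPU_TYPE_X86_64 if bits == 64 else CPU_TYPE_X86
    header = struct.pack(endian + "7I", magic, cputype, 3, MH_EXECUTE, 0, 0, flags)
    if bits == 64:
        header += struct.pack(endian + "I", 0)  # 64-bit header has a reserved word
    return header


# Constructed samples, not real Safari builds.
SAMPLE_LEGACY = make_header(32, 0)                  # pre-PIE style executable
SAMPLE_PIE = make_header(64, MH_PIE)                # PIE executable
SAMPLE_WEAK = make_header(64, MH_ALLOW_STACK_EXECUTION)  # opts out of NX stack

if __name__ == "__main__":
    for name, blob in (("legacy", SAMPLE_LEGACY), ("pie", SAMPLE_PIE), ("weak", SAMPLE_WEAK)):
        print(f"{name:7s} {summarize(inspect_macho_header(blob))}")
```

The point for the thread: "ASLR present in the OS" and "this binary is randomised" are separate questions, and the second one is answered by the header bit, which is what you would check on the specific Safari build before crediting or discounting a bypass claim.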
 
The thread title is taken directly from the article itself, so... that's two-for-two for ZDNet.

But you knew that too.
 
The thread title is taken directly from the article itself, so... that's two-for-two for ZDNet.

But you knew that too.

I apparently know more than ZDNet does.

I wonder if they’d claim a security flaw in the Gecko engine constitutes an iMac vulnerability.
 
Again, and yet Apple will still claim they are so safe :rolleyes: , sorry, why was it they took off of THEIR website that one should run at least 2 antivirus products...
 
Again, and yet Apple will still claim they are so safe :rolleyes: , sorry, why was it they took off of THEIR website that one should run at least 2 antivirus products...

Try reading the articles and the thread.

Spoilers: WebKit != OS X. But putting “Apple” in a headline generates clicks, so as far as ZDNet is concerned, a vulnerability in an open source browser backend qualifies as an OS X vulnerability.

By the way, no viruses in the wild for OS X. Fact. The handful of virus scanners available for the platform scan for Windows viruses and are meant for use in mixed-OS LAN environments.
 
So why did Apple remove it from their website then if it had nothing to do with OSX?

When people hear Safari, they think Apple. Why? Because Apple makes Safari. Funny how OSX users always go back to the "it was some 3rd party that let the issue occur", now can they use this same exploit on windows and linux if it does / can run safari? So now blame it on open source.... Apple = Safari, period. So try to blame it on someone else, but if Apple can make a "flawed" browser, you can not deny they may have a flawed OS.

It was the same thing last year, Apple was the first to go down. Sorry, but the issue is a false sense of security; all of those people use Apple products thinking they are 100% safe from any problems.
 
Try reading the articles and the thread.

Spoilers: WebKit != OS X. But putting “Apple” in a headline generates clicks, so as far as ZDNet is concerned, a vulnerability in an open source browser backend qualifies as an OS X vulnerability.

You're right, WebKit != OS X - good thing you cleared that up for the 0 people who confused the two. Oddly enough, there were two WebKit browsers in Pwn2Own, yet only one of them fell. Safari was hacked ridiculously fast, Chrome was unscathed. Guess all WebKit isn't created equally (which port of webkit plays a *huge* role, as does which features it is using).

Oh, and guess who is one of the largest developers and the creators of the WebKit project (a fork of KHTML)? APPLE. No matter how you slice it, it is Apple that got owned. Their browser (Safari) fell running their library (WebKit) running on top of their OS (OS X) on their hardware (Macbook). Yup, Apple from top to bottom.
 
You're right, WebKit != OS X - good thing you cleared that up for the 0 people who confused the two. Oddly enough, there were two WebKit browsers in Pwn2Own, yet only one of them fell. Safari was hacked ridiculously fast, Chrome was unscathed. Guess all WebKit isn't created equally (which port of webkit plays a *huge* role, as does which features it is using).

Oh, and guess who is one of the largest developers and the creators of the WebKit project (a fork of KHTML)? APPLE. No matter how you slice it, it is Apple that got owned. Their browser (Safari) fell running their library (WebKit) running on top of their OS (OS X) on their hardware (Macbook). Yup, Apple from top to bottom.

The WebKit bug that was taken advantage of in Safari had already been patched in Chrome; there was an exceptionally long discussion this year at CanSec about whether or not going after a patched bug could give you the pwn. In effect, Google's highly aggressive patch cycle protected their products whereas Apple's system left them vulnerable. Same questions were raised around the mobile devices that were pwned.
 
This was a WebKit bug...that means every WebKit-powered platform with the bug could be compromised, which includes old versions of Chrome and every single Linux distro that uses a browser besides Firefox.

I'm actually pretty amazed that this conference continues to allow people to use fixed exploits. It pretty much takes away all talent and credibility, and essentially turns the "competition" into a race to see who can run to the booth fastest and load their known exploit.
 
So why did Apple remove it from their website then if it had nothing to do with OSX?

Why did Apple remove what from their site?

When people hear Safari, they think Apple. Why? Because Apple makes Safari. Funny how OSX users always go back to the "it was some 3rd party that let the issue occur",

This is nonsensical. The exploit is in WebKit, not Safari. Safari uses Webkit, but so does Chrome, Mobile Safari, Android, BBOS6’s browser, and several other platforms.

Why isn’t the headline blaring “BlackBerry first to fall at Pwn2Own”? Simple: BlackBerry generates less headline clicks (and thus less ad revenue) than Apple/OS X/iOS/Safari.

You're right, WebKit != OS X - good thing you cleared that up for the 0 people who confused the two.

Read the article. ZDNet conflates WebKit with OS X.
 
Again, and yet Apple will still claim they are so safe :rolleyes: , sorry, why was it they took off of THEIR website that one should run at least 2 antivirus products...
When did Apple ever suggest to use two anti-virus products? Do you have a screengrab of this?

Safari is god awful, I don't think anybody uses it except maybe Terpfen.
It's on par with IE9 at this point in my opinion. In other words, it's usable, but why settle for "usable" when you can have "great" from Chrome? Doesn't make much sense the way I see it.
 
I'm actually pretty amazed that this conference continues to allow people to use fixed exploits. It pretty much takes away all talent and credibility, and essentially turns the "competition" into a race to see who can run to the booth fastest and load their known exploit.


^^^This. It's why I haven't taken part in these in a while. Besides the fact that a lot of "exploiters" sit on their exploits specifically for competitions without informing developers of even the EXISTENCE of an exploit is kind of sad. And most of these guys will call themselves security professionals. :rolleyes:
 
^^^This. It's why I haven't taken part in these in a while. Besides the fact that a lot of "exploiters" sit on their exploits specifically for competitions without informing developers of even the EXISTENCE of an exploit is kind of sad. And most of these guys will call themselves security professionals. :rolleyes:

I have to agree here, Pwn2Own's competition isn't really a realistic example of the difficulty of breaking into a system through a vulnerability. These exploits are ready to go, and just need to be loaded onto the system, and executed. In reality, the time it takes to breach a system like that is quite extensive, in this particular case, writing a significant amount of code for the exploit, from a debugger, to shellcode, and a ROP technique.

The length of time it took to do all of this was likely months, if not a year+.
 
When did Apple ever suggest to use two anti-virus products? Do you have a screengrab of this?


It's on par with IE9 at this point in my opinion. In other words, it's usable, but why settle for "usable" when you can have "great" from Chrome? Doesn't make much sense the way I see it.

Will try to find the article about it. It was a big mess; it got public, it was on Apple's support site, someone found it and once it went public, Apple removed it from their site.

In the end, it was still Apple that failed no matter how you try and twist it versus others, again proving Apple is not some untouchable company in terms of their products security.

^^^This. It's why I haven't taken part in these in a while. Besides the fact that a lot of "exploiters" sit on their exploits specifically for competitions without informing developers of even the EXISTENCE of an exploit is kind of sad. And most of these guys will call themselves security professionals.

Shouldn't these companies have QA teams that find these things out? How is it sad? What is sad is companies release unsecured products and claim they are.
 
http://news.cnet.com/8301-1009_3-10111958-83.html

Two antivirus recommendation pulled from Knowledge Base, which was mentioned in a previous article at:

http://news.cnet.com/8301-1009_3-10110852-83.html

It was a mistake, and it was rectified as soon as it was discovered, within reason.

From the info gathered, the exploit used for the Safari/Webkit fall was patched earlier in the day on that target machine and yet the apparent patching was useless since the exploit still worked - that's why this is a big hubbub I suppose. And also as noted, other products use Webkit as the basis for their browser and none of them suffer from the exploit so it stands to reason that Safari itself is where the problem lies, not in Safari's implementation of Webkit which the competing products use.

The target machine was updated with the patches released by Apple that very morning and yet later in the afternoon the same updated and fully patched machine fell to the very exploit that patch was designed to nullify. It fell even though it was patched to prevent the fall...

Seems pretty simple to me.
 
From the info gathered, the exploit used for the Safari/Webkit fall was patched earlier in the day on that target machine and yet the apparent patching was useless since the exploit still worked - that's why this is a big hubbub I suppose.

Safari 5.0.4 was not used in Pwn2Own. The browser versions used in the contest were frozen two weeks ahead of time. 5.0.4 also did not patch the specific vulnerabilities used because they hadn’t been disclosed to Apple. The hackers waited until after they won their $15,000 dollars.

And also as noted, other products use Webkit as the basis for their browser and none of them suffer from the exploit so it stands to reason that Safari itself is where the problem lies, not in Safari's implementation of Webkit which the competing products use.

If the flaw is in WebKit, then the flaw is in all of those browsers. Safari is getting headlines because Apple references generate clicks.

This topic is starting to tread into FUD territory.
 
Everyone is bickering about viruses which makes me laugh because you have missed the point of the Pwn2Own competition. The point is to Own the box, not to fill it with viruses and spyware that steal your credit card numbers and tell you where to get cheap viagra.

Are there viruses for Mac? Yes there are, but they really don't exist in the wild. Remember the average virus isn't about allowing a hacker into your computer to steal your files, the reality is that we aren't interested. They are developed for two major reasons, 1 phishing, and 2 botnet. Hacking (both white hat and black hat) has become less about freedom of information and more about making money, and there isn't any money to be made by getting into your computer to look at your 4GB folder of LOLcats.

I can tell you as a pentester that I love coming up against Mac networks. They are usually fairly unguarded because "Macs don't get viruses" and thus many of the standard payloads for a popular penetration tool work on the first try. I have a few custom ones for when people have patched the holes that are exploited by the standard payloads, but for the most part I can get into a Mac faster than I can get into a WEP encrypted network. And as any good pentester will tell you, when you are going for access you target the workstations, not the servers. IT usually does a good job of hardening the servers, but desktops and laptops usually get forgotten about.

So let's give an example. I am doing a pentest for company A which has some very sensitive engineering specs for a new device awaiting patent and they want to be sure that the competition can't hire a black hat to steal them. Let's say that I get onto the network, most likely by exploiting their wireless network (or with a bit of social engineering get in and drop off my own AP). So now I am on the network and pop open nmap just to see what we are working with. And I find a Mac, so I fire up my various tools, and I get myself a shell, AWESOME! Now I find that this Mac has been joined to the company's Active Directory, which means that there is a trust between the servers that house the super sensitive data and this Mac. Who knows, maybe those drives with the super sensitive data are already mapped as network shares and all I have to do is just cd to the directory, SCP what I need, and I am gone. IT is none the wiser because there is a trust with the Mac already, so it just looked like the person logged into the Mac grabbed some files off the server, no harm to them.

And that is the point of the article that all of you seem to be missing. The point is not to try to infect the computers with spyware and popups of people who are lonely in *insert geoIP region here*; it is to gain access to the system to allow it to be your slave on a network.

TL;DR: Macs are insecure because of security through obscurity, Macs are becoming more mainstream, Macs are becoming a target. Educate yourself accordingly.
 
Everyone is bickering about viruses which makes me laugh because you have missed the point of the Pwn2Own competition. The point is to Own the box, not to fill it with viruses and spyware that steal your credit card numbers and tell you where to get cheap viagra.

Viruses were brought up because the Pwn2Own route is a dead end, and some people will attempt to denigrate what they dislike no matter what. Facts mean little to some people.

TL;DR: Macs are insecure because of security through obscurity, Macs are becoming more mainstream, Macs are becoming a target. Educate yourself accordingly.

False. Apple and Macs are not obscure. This isn’t 1996.
 
Two antivirus recommendation pulled from Knowledge Base, which was mentioned in a previous article at:

http://news.cnet.com/8301-1009_3-10110852-83.html
Yet they still 'recommend' anti-virus software:
The Mac is designed with built-in technologies that provide protection against malicious software and security threats right out of the box. However, since no system can be 100 percent immune from every threat, antivirus software may offer additional protection.
From: http://www.apple.com/macosx/security/
 
False. Apple and Macs are not obscure. This isn’t 1996.

I'm not saying that they are obscure in the sense that you never see them in the wild. I am saying that because there is the common belief that "Macs don't get viruses" users tend not to have the same security mindset that PC users do and thus leave themselves open to attack.

It is similar to turning off your SSID on your wireless. It is going to keep your 13 year old "hacker" neighbor out of your wireless, but someone who wants to get in will.
 
The majority of PC users tend to have zero security mindset. If it weren't for the Action Center constantly nagging them about their anti-virus being out of date or completely absent, most PC users wouldn't concern themselves with it. Even many [H] members are somehow blind to the risks of disabling User Account Control and adhering to a decent level of security-centric behavior.
 
The majority of PC users tend to have zero security mindset. If it weren't for the Action Center constantly nagging them about their anti-virus being out of date or completely absent, most PC users wouldn't concern themselves with it. Even many [H] members are somehow blind to the risks of disabling User Account Control and adhering to a decent level of security-centric behavior.

Disabling UAC isn't really a bad thing as long as you understand the risks and take appropriate action. I personally always disable UAC on my stuff and have not been infected in years (lots of false alarms on my security tools, though).

And you are right that most PC users are completely oblivious to good security practice, other than to meet the minimum requirements to shut up Action Center, but it doesn't change the fact that having a halfway decent AV / firewall suite and keeping it up to date (usually through auto updates) is still better than having absolutely nothing.
 
I'm not saying that they are obscure in the sense that you never see them in the wild. I am saying that because there is the common belief that "Macs don't get viruses" users tend not to have the same security mindset that PC users do and thus leave themselves open to attack.

I don’t think anyone ever had a “my Windows installation is totally secure” mindset. Unless we’re still harkening back to the mid-90s, that is. :D

And it’s pretty telling that an OS that’s been around for a decade with seven major versions and an eighth on the way still has no viruses in the wild. At some point, “security through obscurity” falls by the wayside, because nothing that’s 10 years old and still in active use is obscure or unknown.

Hell, Android had viruses within a year.
 
This was a WebKit bug...that means every WebKit-powered platform with the bug could be compromised, which includes old versions of Chrome and every single Linux distro that uses a browser besides Firefox.

I'm actually pretty amazed that this conference continues to allow people to use fixed exploits. It pretty much takes away all talent and credibility, and essentially turns the "competition" into a race to see who can run to the booth fastest and load their known exploit.

I guess it was not fixed since they managed to own the computer. I'm also surprised Apple let it go unfixed when they must have known the competition is coming, and that they will get owned.

Don't know what's right or wrong. I'm content enjoying my virus free life with OSX and Linux, but competitions like this should remind people that risks still exist. Apple is the one that failed here, not the competition. Sure, if the rules forbade fixed exploits it would raise my appreciation of the people managing the hack, but on the other hand having known open exploits in your browser is a huge risk, so I say Apple gets what they deserve for being slow.
 
I guess it was not fixed since they managed to own the computer. I'm also surprised Apple let it go unfixed when they must have known the competition is coming, and that they will get owned.

Read the thread.

1. Pwn2Own froze browser versions two weeks ahead of the competition. Safari 5.0.3, not 5.0.4, was used.

2. Apple did not fix the exploit in 5.0.4 because details had not been submitted; the “researchers” wanted to win their $15,000 dollars first.

There’s no “there” there, no matter how hard ZDNet tries to spin it to generate ad revenue through clicks. And you’ll notice the OP, who has demonstrated a willingness to criticize Apple for just about anything, has disappeared from his own thread.

WebKit will get patched, probably through a check-in from Apple or Google, but we’ll hear about how “a vulnerability in Safari” has been “fixed”. We won’t hear about whether or not the same vulnerability in BBOS6 or Chrome will get fixed. Neither of those get as much click-throughs as headlines related to Apple.
 
Obviously the "researchers" wanted their money first, I understood they wrote the exploit for the competition (and spent a few weeks at it).

I'll admit I did not read everything, but I understood Chrome did not fall for the same exploit (or didn't they try it on that platform?).

Of course everyone will try to make it seem like there is a problem in OsX, and since the default browser is Safari and it ships with the OS I can even understand why. The more people defend OSX security and paint an untouchable picture of it, the more other people will rejoice from any news of that security being compromised. For online services; I imagine they are just happy for the clicks. :D

What browser should they have tested with on OSX if not Safari?
 
Use chrome for mac = problem solved. Been using it for six months now, no looking back.

And if you think you are completely safe from the internet (on a Mac or PC) then get educated. If you know someone who thinks the internet is safe (on a Mac or PC), educate them.
 
What browser should they have tested with on OSX if not Safari?

The only browser worth using on any platform: Firefox.

2. Apple did not fix the exploit in 5.0.4 because details had not been submitted; the “researchers” wanted to win their $15,000 dollars first.

This is how every one of these competitions ends, the same guy spends weeks/months hunting down then hiding an exploit, and sits on it until he can grab his $15k. Meanwhile he could have reported it right away and got it fixed, to prevent someone from finding the exploit and using it. Hoarding exploits for profit is universally considered a dick move and terrible security practice among security and OS vendors.
 
Obviously the "researchers" wanted their money first, I understood they wrote the exploit for the competition (and spent a few weeks at it).

They spend months and months trying to come up with vulnerabilities for Pwn2Own and any other similar contests. After they win their cash, sometimes they report the vulnerability to the appropriate group, sometimes they don’t.

I'll admit I did not read everything, but I understood Chrome did not fall for the same exploit (or didn't they try it on that platform?).

If it’s a flaw in WebKit, then it’s a flaw in Chrome. I have not seen it reported that anyone tried the same exploit with Chrome on OS X.

What browser should they have tested with on OSX if not Safari?

The issue isn’t which browser should or should not have been tested, the issue is the way the event and specific exploit was reported and spun. A flaw in WebKit is not a flaw in OS X even if Safari on OS X was used to demonstrate the vulnerability. Again, this is analogous to saying that a vulnerability found in Firefox’s Gecko engine means that OS X is insecure.
 
The only browser worth using on any platform: Firefox.

Yeah, this is what I use too, but it's not really the point. From what I observe at work, a majority of non tech-oriented Mac users use Safari, and it is the default browser in OS X and made by Apple.

This is how every one of these competitions ends, the same guy spends weeks/months hunting down then hiding an exploit, and sits on it until he can grab his $15k. Meanwhile he could have reported it right away and got it fixed, to prevent someone from finding the exploit and using it. Hoarding exploits for profit is universally considered a dick move and terrible security practice among security and OS vendors.

If there was no competition he would probably not have searched for the vulnerability. The only loss for Apple here was PR related; the details of the vulnerability were not released to the general public.

I do understand the vulnerability is there if information about it is released or not, but in this case it would not be patched (or officially found) yet if there was no competition. So what do you suggest the people taking part in the competition do? Start preparing two months in advance, spend weeks finding a winning exploit and then inform the vendor (resulting in them patching it) and then start looking for another exploit finally hoping they find it so late that the vendor does not have time to patch it? Sounds a bit futile... Or maybe just end the whole competition?

IMO a competition like this raises awareness. Even if the vulnerability was in WebKit, the fact is that through it anyone could get local access to the machine with user rights and it would be completely transparent to the user. Combine that with a rights elevation exploit and things would be really grim (and if you look at the change logs of OSX security updates within the last year or two there have been rights elevation bugs). Sure, news sites will try to get the juiciest headlines out of this, but there was a recipe for disaster and the security researcher who found it has also made sure it will be patched before being exploited. Everyone seems to be angry at him and concentrating on whatever they feel was morally wrong, but the fact is that the hole he found could have caused far bigger problems than having OSX pwned in a competition (once again).
 
Real, actual Pwn2Own fallout: RIM advises Blackberry users to disable Javascript

It's not just desktop web browsers getting hacked at this year's Pwn2Own challenge -- mobile browsers have also been targeted for vulnerabilities, and a fairly big one has now been found in RIM's browser for BlackBerry OS 6. Apparently, there's a JavaScript-related bug that could let a "maliciously designed" website gain access to data stored on both the phone's media card and built-in storage, but not data stored in the storage portion for applications (such as email or contact information). For its part, RIM says that it hasn't actually seen any evidence of anyone exploiting the vulnerability, but it's nonetheless urging folks to disable JavaScript on affected devices, and it's now busy providing IT departments everywhere with guidelines on how to do so. If that proves to be complicated, it's suggesting that you simply disable the BlackBerry Browser altogether until it can be patched.
 