Friday, April 20, 2007

Myth crushed as hacker shows Mac break-in

Dino Dai Zovi was able to remotely break into a Mac as part of a contest designed to illustrate security flaws in OS X

By Nancy Gohring, IDG News Service
April 20, 2007
A hacker managed to break into a Mac and win a $10,000 prize as part of a contest started at the CanSecWest security conference in Vancouver.

The conference organizers decided to offer the contest in part to draw attention to possible security shortcomings in Macs. "You see a lot of people running OS X saying it's so secure, and frankly, Microsoft is putting more work into security than Apple has," said Dragos Ruiu, the principal organizer of security conferences including CanSecWest.

Initially, contestants were invited to try to access one of two Macs through a wireless access point while the Macs had no programs running. No attackers managed to do so, and so conference organizers allowed participants to try to get in through the browser by sending URLs via e-mail.

Dino Dai Zovi, who lives in New York, sent along a URL that exposed the hole. Because the contest was only open to attendees in Vancouver, he sent it to a friend who was at the conference and forwarded it on.

The URL opened a blank page but exposed a vulnerability in input handling in Safari, Comeau said. An attacker could use the vulnerability in a number of ways, but Dai Zovi used it to open a back door that gave him access to anything on the computer, Comeau said.

The vulnerability won't be published. 3Com's TippingPoint division, which put up the cash prize, will handle disclosing it to Apple.

The prize for the contest was originally one of the Macs. But on Thursday evening, TippingPoint put up the cash award, which may have spurred a wider interest in the contest.

One reason Macs haven't been much of a target for hackers is that there are fewer to attack, said Terri Forslof, manager of security response for TippingPoint. "It's an incentive issue. The Mac is not as widely deployed of a platform as, say, Windows," she said. In this case, the cash may have provided motivation.

The contest was a chance for hackers to demonstrate techniques they may have boasted about. "I hear a lot of people bragging about how easy it is to break into Macs," Ruiu said.

Some attendees didn't think it was a coincidence that on late Thursday Apple released a patch for 25 vulnerabilities in OS X.

Macs haven't been targets for hackers and malicious code writers nearly to the degree that Windows machines have historically. That's in part because there are fewer Macs in use, thus making the potential impact of malicious code smaller than on the more widely used PCs.

Also, Apple is "extremely litigious when people do find stuff," noted Theo de Raadt, OpenBSD project leader and an attendee at the conference. He suspects that will backfire on Apple, which could begin to "look evil" if hackers begin to publish potentially threatening letters from the company.

This story was updated on April 20, 2007

tenelenven 2007-04-20 18:13:06
This is not a hack to the OS, it's just a hack to Safari and offers no breach of the OS once the blank page appears. Nice try, but another yawner.
riquiscott 2007-04-20 19:14:15
From the article: "The URL opened a blank page but exposed a vulnerability in input handling in Safari, Comeau said. An attacker could use the vulnerability in a number of ways, but Di Zovie used it to open a back door that gave him access to anything on the computer, Comeau said." Sounds to me like the OS was in fact breached...
MattInChicago 2007-04-20 19:42:59
Funny, to me it seems to prove the point of just how secure "Mac OSX" really is! They couldn't crack it! Try as they might it was a non-starter. So rather than be embarrassed they changed the rules and opened a browser, the least secure app of any OS (made to read/write over internet) and they found a hole there! Ok fair enough! The headlines and stories should then be factual. This one should have read: "Myth proven as hackers are unable to perform Mac break-in Dino Di Zovie was only able to remotely break into a Mac when allowed access to a running browser, Safari, as part of a contest designed to illustrate security flaws in OS X, that had until then yielded no winners".
riquiscott 2007-04-20 20:32:19
Di Zovie was still able to inappropriately gain root access through an application, something that a totally-secure OS would not allow.
MacKTHeRIPper 2007-04-20 20:40:28
You may be right as long as the Mac was sitting there doing nothing it was not cracked. Once they started using it, things changed. It was cracked as though it was hit with a ton of bricks. Seems to me that it cost a lot not to use though??
tenelenven 2007-04-20 20:59:47
InfoWorld might want to pull this story, since it has now been reported, they bent the rules to make this hack work: From CNET: "The successful attack on the second and final day of the contest required participants to surf to a malicious Web site using Safari--a type of attack familiar to Windows users. CanSecWest organizers relaxed the rules Friday after nobody at the event had breached either of the Macs on the previous day." So it wasn't a break-in as first believed... which is "priceless" since it shows OSX remains unhacked.
MattInChicago 2007-04-20 21:24:57
First of all...I did NOT say OS X was "totally secure". All one has to do is check software updater today! What I am saying is that it's one thing to have some vulnerability and another to actually exploit it in the wild. So many OS X issues are local in nature or require a set-up that's "just right". This is why attacks, even if they were to happen, would even be more limited than the Mac's market share. Will some hole be found one day in OS X as it ships by default? Maybe, I wouldn't be surprised. But in the meantime the Windows fan boys need displays such as this, for what, I guess to post stuff like I've read here. It's really got to bother them that OS X itself wasn't hacked especially when a similar contest using Windows will never happen...I mean who wants to lose $10K on a sucker bet! ;-)
tenelenven 2007-04-21 07:44:19
InfoWorld publishes FALSE report: "Opening an email URL that exposes a security flaw in Safari is both news to report and a problem for Apple to tackle, but reporting it as a remote exploit is inaccurate, irresponsible, and sloppy journalism, particularly for IDG's InfoWorld, which purports to be an authority on computing." More Here: oops!
TomH 2007-04-21 09:27:29
First, they change the rules, then they forget to mention the OS X Leopard is axing input manager hacks. Don't tell us Microsoft is doing more. What a lame attempt at making Macs look less secure than Windows as the Leopard release approaches. Complete reporting would have been, well, more complete. And let's just do away with this whole there aren't enough macs to make it worthwhile. John Gruber took Larry Seltzer to task on this one a while back.
Dragon76 2007-04-21 09:30:26
If you read what actually happened, instead of just this article, they were not able to achieve root, just user access to the system.
millenium 2007-04-21 09:48:19
Those are very, very big lies - did you follow the contest???? - now I know that we can no longer trust InfoWorld - or you just need to change your reporters - Nancy Gohring, you are inaccurate and uneducated and you're a big liar - you write, but you don't follow (what you're writing about)
DarekMeridian 2007-04-21 15:36:34
So your mac is secure as long as you don't use any browsers. That's useful in this age.
tenelenven 2007-04-21 16:03:34
For DarekMeridian: No. It only affects Safari, using Camino or FireFox or one of about 30 other Mac browsers you'll be fine. The Mac is still 100% secure, it's just a demo of a weakness in JavaScript/Safari if you have physical access over both sides of the equation. This hack can't do anything, so relax.
Info4 2007-04-21 19:04:22
They couldn't do as they wished, crack OSX, so they changed the rules and made it simple. What they did was more like a home owner who puts a neon-sign on their roof that states: "Valuables Inside; No one Home; Back-Door Unlocked; Come In and Help Yourself!" I'm not really impressed with people claiming that they did this or that, but then say that they won't publish the details to prove their point. When they show their exploit to Apple and they confirm it, then BIG DEAL... one exploit in six years compared to the over 114,000 viruses, plus other Window exploits, the fact remains.... Macs are still, by far, more secure than Windows. I rest my case.
1macgeek 2007-04-22 05:27:07
Hold on just a cotton-pickin' minute! Everyone please re-read this : "Di Zovie used it to open a back door that gave him access to anything on the computer, Comeau said." Having access and having ROOT are very far apart. I can put any Mac into firewire target disk mode and have "access" to everything on the drive, but I do not have root access. Should it be counted as a "hack" if I can access everything, do everything the "hack" can do if I can do it without writing one line of code? It should be simple to confirm if root was attained by submitting the Mac to a disinterested third-party and looking at the logs. Even then, there is another problem - this one being a problem of time. If you look at the CanSecWest web site, there is an (almost) three hour gap between the announcement of the rule change and the hack. Yet, in media reports thus far, Di Zovie claims it took nine hours to write the "hack". Why the time difference? On top of that, is it really a "hack"? Remember, the original terms said the "hackers" had to come in, but under the revised "rules" they used the target computer to visit the web site which compromised Safari. Would this not ultimately be a social engineering "hack" to get a user to visit the site? Somebody isn't being completely honest about the whole mess. I am not denying the flaw in Safari, but I think the debate is wide open if this is a "hack" in the true sense of the word. And remember - we do not have independent confirmation that root was attained. Smells like a set-up to me.
mack520 2007-04-22 06:28:50
Don't you think it's about time to modify this article so it is factual rather than the utter fantasy it now is? Or are you happier lying?
QueQueg72 2007-04-22 10:59:09
Wow, the mac fanboys sure do come out of the wood-work.
mblort 2007-04-22 14:03:57
Microsoft is a sponsor of CanSecWest
QuadraHex 2007-04-22 14:47:16
Windows is supposed to have 90% of the market and Apple less than 10% of the market while Linux has a fraction of 1% of the market. Windows malware has 90+% of the breaches of their operating system while Linux malware has near 10% of the breaches. Apple has ZERO % of the breaches because there is no malware that can or does exploit any known vulnerability. OS-X was first exposed to hackers in March 1999 and is open source so they can hack away any time to their heart's content. OS-X is based on BSD known for decades as the MOST SECURE OS in existence. OS-X has held that title for six years since its open release in March 2001. Tens of millions of Macs are in use daily for over half a decade and not a single one has been infected with any form of malware. During this time there have been hundreds of trillions of successful malware breaches of Windows. If this vulnerability was proportional, under the assumption that OS-X is as vulnerable as Windows, then Apple should have had tens of trillions of breaches during this time but they have had none. If the Apple share argument was valid then there would have been ZERO breaches of Linux just like the Mac but this is NOT the case. Since so many zealots have such trouble with proportions and reality let me ask a simple question to illustrate this proportional reality with an example where proportion may have some meaning: Which is a more desirable prize, $900,000,000,000,000.00 or $0.00? If you chose $0.00 you're a hopeless moron and zealot and shouldn't be commenting here. If you chose the hundreds of trillions then you understand that lots of good stuff is desirable and by extrapolation lots of bad stuff is not desirable. I know Microsoft wants you to believe that trillions of breaches of your computer is good and no breaches like on the Mac is bad so perhaps you'll have enough insight to realize Microsoft is simply lying. Got it?
To further elucidate this point if you use Windows for any time you will be PWN'd by some malware and it will take longer by at least ten times in Linux or you're a tenth less likely, while history would show it is not going to happen in Mac OS-X, at least not until some malware exploit is in the wild and only until Apple closes the vulnerability. This situation does NOT currently exist and if it comes to pass Apple will foreclose it quickly. It will be impossible to miss this event since it will be part of every news program and article related to technology for months if not years after it happens. Nobody is now making any money from exploiting Macs and it is near to zero chance they will in the future since the Mac community would never allow the situation to develop where one is even one trillionth as vulnerable as Windows. Until then all Mac users can relax and all Windows drones can live in perpetual fear as always.
jill129 2007-04-22 18:11:38
But what happened to the second Mac laptop? Was it hacked or was it given away?
malcolmross 2007-04-23 08:04:29
Perhaps InfoWorld will set up an authoritative, unbiased and objective challenge, along the lines of a serious lab evaluation, and report accordingly? That would be much more useful than this kind of hyped up, biased "tabloid" reportage. I expect better from InfoWorld.
ExiMod 2007-04-23 09:28:22
Computer security experts are hackers that are on the light side of the force. The line between the light side and the dark side gets blurred sometimes. It's interesting to see how these hackers have moved into social engineering and have hacked the news media (with the help of 3com, Microsoft, IDG, and Nancy Gohring).
newguy20070423 2007-04-23 09:41:03
So I assume you mean I have to visit some stranger's link by my own choice? And if I went via another browser it would not hack the OS? Do I also have to allow Safari to execute code? (Perhaps JavaScript which I would probably normally allow). Sounds like a breach through Safari iff (if and only if) I choose to visit some stranger's URL. Why don't I just ask some stranger to execute my code I attach in an email and if he does, Mac OSX has been hacked?
markatosu 2007-04-23 11:12:37
Amazing! There are actually people out there who think that it is possible to make an operating system which is unhackable. Sorry, humans make mistakes ... and operating systems. Last fall one of my Mac servers only used as a failover XSAN metadata controller was hacked. It was fully patched and not used for anything but that limited function (not email, web browsing, etc). However, I unfortunately failed to enable the firewall to deny outside access. I reported the problem to Apple and they did not seem surprised. The bottom line, don't kid yourself, everyone is vulnerable.