Fri 29 Aug 2008

Edited by Paul Hales

Published by Incisive Media Investments Ltd.

Mac hacked in two minutes flat

PWN to OWN contest breaches Apple security

A $10,000 PRIZE and a free laptop encouraged security experts Charlie Miller, Jake Honoroff, and Mark Daniel to expose a brand new vulnerability in Apple's Safari web browser within two minutes, according to a report from Softpedia.

In the CanSecWest contest, hackers had a go at three machines: a VAIO VGN-TZ37CN running Ubuntu 7.10, a Fujitsu U810 running Vista Ultimate SP1 and a MacBook Air running OSX 10.5.2.

In the first day of the challenge, sponsored by TippingPoint's Zero Day Initiative, no computer could be breached, as the organizers only allowed attacks over a network. The second day of the hacking contest allowed attackers to direct CanSecWest organisers to visit Web pages or open messages in e-mail clients.

Charlie Miller, the security expert who hacked the iPhone in 2007, breached the MacBook Air via a zero-day vulnerability that was disclosed only to Apple. It took Miller just two minutes to hack OS X Leopard.

The vulnerability has been acquired by the Zero Day Initiative, and has been 'responsibly disclosed' to Apple which is now working on the issue. µ

Comments

hardly

using an exploit you already know about to hack a computer hardly justifies the title "hacked in two minutes flat". i'll bet they spent a while longer than that finding the exploit in the first place. what's happening to the inquirer? you didn't use to just copy + paste non-news from other sites!
posted by : Louis, 29 December 2007

Security

As a Mac user (albeit only for a few months) I have to say I find the hardcore Mac fan's attitude to the security of their OS quite alarming. A lot of them seem to think that Apple's programmers are somehow immune from making mistakes. They're not. No programmer is, there is no non-trivial program in existence that can possibly be free of defects. Apple have had it easy for a long time due to the tiny market share of their product making it not really worthwhile for crackers, who are these days more motivated by profit than the desire to cause petty vandalism, to try and find exploits in MacOS. But with Apple's resurgence there will come a point where crackers start deciding that it really is worthwhile after all.

Apple have designed a good OS, it's better thought out in a lot of ways than Windows, and is certainly better designed from a security point of view, but there are unquestionably flaws in it that nobody currently knows about that could be used to root the machine when discovered. Apple's advertising demonstrates their smug attitude to Mac security compared to Windows security and I just know that one day those commercials are going to come back to haunt them.
posted by : Gordon, 29 December 2007

How'd the others do?

I know this article is meant to take a jab at Apple (I'm all for it), but how did the other two notebooks fare?
posted by : Charles, 28 March 2008

MAC os better laid out??

Fools yes if u go from windows to mac it's way easier to deal with i am sure IT'S SIMPLY that's the way MACS have been designed for how many YEARS????? And yes as they grow so will the amount of hackers that want peeps' money using a mac!
Point SIMPLY most hacks occur because of THE USER!!! opening up emails, clicking on Free advertisements or going to bad web pages! (in our local paper Old people have been turning those email check scams, and Private shopper scams! They state right there and it's a good point! People are affected by their GREED!! something for free heck ya! click click and blam VIRUS ALERT or ur whole LIFE is hacked depending on what U gave them)
So Why FLAME WINDOWS CAUSE A USER HAS LOW COMPUTING SKILLS! IF u can't work windows GO TO A MAC and ENJOY THE VAST AMOUNT OF SOFTWARE! hahahaha
In an article they stated that WINDOWS is the largest software maker for Macs
Personally i like both they have their points up and down just so tired OF FLAMERS
posted by : PsycoJuana, 28 March 2008

Interesting article.

Well I must say, an interesting article. Since Safari is an application, not an operating system component, it is not considered hacking the operating system. It is only merely exploiting an application. In order to hack the Mac OS, one needs to try breaking in through the actual operating system components, such as the kernel and the key parts of the userland, not just break into an application.
We do not forgive.
We do not forget.
Expect us.
posted by : Anonymous, 28 March 2008

has the wool been lifted?

Finally the not popular enough to be a target crowd is facing the sad truth, evolution proved years ago there is safety in numbers. Being the small herd does nothing more than decrease your chances of survival when the wolves turn to you…

Albeit the cracker had previous knowledge of the attack, the title was to demonstrate not that the attack was constructed in two minutes, only that the individual successfully executed it in two minutes. By and large the majority of the attacks on web browsers and mail clients you will find in the wild are indeed those that have been around for a long time. Sheeple that do not update are prime targets, they want footholds that can be kept. No surprise here as Gordon pointed out, the vulnerabilities have always been there, just no one was interested, for example why build a virus where the target is a mac os knowing the likelihood of any given mac finding enough other macs at random to propagate is virtually null?
posted by : PrOpHeT, 28 March 2008

What?

I hate to say this but, that type of hacking really shouldn't even be considered a hack. You have to be at the workstation to do it. Given enough time anyone could hack anything to gain access or put whatever type of software on a PC/Mac. They couldn't do it via network only. So they had to go to a website or check emails that had "known" ways of breaking into the Mac or PC. How long did the PC take? I have NEVER in over 10 years of owning a Mac (8.6 all the way to today and more to come I am sure) seen, or have heard a friend that uses a Mac ever say they had a Virus or they were hacked. I don't even hear of "pop ups"

I had antivirus software on my Mac once. I deleted it cause I didn't need it and it was slowing me down. Searching for windows viruses I am sure. LOL
posted by : Dj Phat, 28 March 2008

"not part of the OS" post

***QUOTE***
"Since Safari is an application, not an operating system component, it is not considered hacking the operating system. It is only merely exploiting an application. In order to hack the Mac OS, one needs to try breaking in through the actual operating system components, such as the kernel and the key parts of the userland, not just break into an application"
***END***

Last I heard Safari shipped with OSX and was installed by default. Making the fact that it's an app that runs on the OS moot.

By that logic, any vulnerability in Internet Explorer is an application vulnerability and not a problem with the OS.

Come back with a better argument next time.
posted by : Mike, 29 December 2007

The Truth is in the Pudding

No amount of spin is going to make it safer TODAY to use a PC over a Mac. Those truly interested in this contest might want to read this...

http://www.roughlydrafted.com/2008/03/28/cansecwest-and-swiss-federal-institute-of-tech-deliver-attacks-on-the-reality-of-mac-security/
posted by : Macs Rule, 28 March 2008

mac security

For those that don't quite get it, day one, no one hacked either the Mac, the linux or windows based system.

day two, the end user was added to the equation and within a few min the mac was hacked the fastest

There are a couple of things to learn from this, firstly, by and large a PC or Mac sitting still is virtually safe, or at least as safe as it's going to be

secondly, all 3 OS's did a good job
right up to the point a user got on them at which point it was the mac that was cracked the fastest.

It's not hard to work this one out but just in case, it's the END user that's the weak link, yes they got in by exploiting the mac's web browser but that's no different to IE in windows or Firefox on linux, to say it's not fair because they used a browser is pointless and has been the prime target on Windows for years, the OS is for the most part SAFE but mostly people use their PC or Mac to do things and that means software, which in turn lets hackers in.
posted by : Darren, 28 March 2008

60,000 is better than 15,000!

The number of employees that Microsoft employs (60,000+) versus Apple's not even close 15,000. And Windows is just software, and Apple is software and hardware. Foolish to think Mac will ever be as secure as the world's most used OS. Maybe Apple should just focus its small group in one area and maybe it could do something of value and be worth their over inflated pricing.
posted by : MacUser007, 28 March 2008

Not exactly two minutes...

It happened on the second day of the challenge. Day One was remote exploits that required no end user interaction. Day Two was exploits in bundled applications.

So, one day and two minutes.
posted by : MikeH, 28 March 2008

eb1l hac0rz wake up!

I've been hearing that h4xorz were about to pwn OSX for about eleventy-seven years now. Still nothing out there. Dem hax0rz must be asleep. Wake up ebi1 h4ckx0rz!
posted by : bumboy, 28 March 2008

Unix '60 and MS-DoS united - wow

To make the event a sensible challenge TippingPoint's Zero Day Initiative should have added an OpenVMS system. But like the cowards who organize DefCon (and no longer allow OpenVMS to compete with toy PC operating systems), they are not really interested in security.

http://wiz.openvms.org/pages.php?page=DefCon9

posted by : Funny Bunny, 30 December 2007

Lessons

First off... I love Apple. But the reality is that there are flaws that need to be fixed and fast.

I can't believe the comments I have read from fan boys claiming that the hack was unfair. This attack was truly remote, no tampering with the target machine and could affect anyone following a link to a web site - something we all do every day. Think. Do you really know what awaits you when you browse to a new site?

And please stop saying the hack only took 2 minutes... it took at least a week to develop and set up.

The windows and linux machines remain un-breached... but they were not targeted by Charlie Miller who claims he could have just as easily targeted them instead.
posted by : macattack, 30 December 2007

Bullshit Hack

The hack in question required user intervention, in simple terms it wasn't the OS at fault, it was the user. User based attacks can get by any operating system.

Macs are still safer to operate, the Unix security model works well.

Oh, and of course no one would regard hacking a Windows box as noteworthy.
posted by : Wayne, 30 December 2007

applers

The worst thing about Apple is its USERS.

Apple computers aren't all that bad but the unbelievable idiots that use them give Apple an even worse name.

They are like religious fundamentalists, Rose, i mean Apple colored glasses.

Apple users, please wear T-Shirts that say APPLE so that i know who to never bother trying to have a logical conversation with.
posted by : mum, 29 March 2008

What about Windows?

I was surprised the other day when I left IE7 open on a popular bittorrent website, that it had been infected by viruses and spyware. And I hadn't even downloaded anything yet!

It was a new system and I had just finished installing XP SP2 and IE7 at this point, and hadn't put any AV software on yet. But it still shouldn't be this easy to infect Windows.
posted by : Paul, 30 December 2007

User Intervention?

Ha. All computers require user intervention. As of 2007, there are 6 billion people using the internet. So whether it was the browser that was hacked, or the OS, or the OS via the browser is irrelevant. It was hacked, period.
posted by : t3h324pwndeskasaucedes, 29 March 2008

LOL @ mac users.

Perfect for you fanbois:

http://www.ctrlaltdel-online.com/comic.php?d=20021126

http://www.ctrlaltdel-online.com/comic.php?d=20060513

And of course, the BEST PAGE IN THE UNIVERSE!:

http://www.thebestpageintheuniverse.net/c.cgi?u=macs_cant
posted by : ostar, 29 March 2008

And the real lesson is....

No matter what OS you use, Safari is a useless piece of crap.
posted by : Josh, 29 March 2008

With a hacksaw?

I'll do a mac air in less than 60 seconds. Right in two.
posted by : Grunchy, 29 March 2008

*Yawn* Macs...What a waste of time!

Why would I want Data that is on a MAC? WOW...Let me hack a MAC to steal your pretty MP3s, JPGs and Artwork which I can steal once you show it off online in some dumb site....

Seriously...No serious hacker in the world cares about hacking through a MAC....just to get nothing important...

However financial data is kept in Windows Systems...which is so high in numbers that the nation has to defend through cyberattacks going through windows which are millions per day.

80% of Important Data in Servers we see Online are in Unix/Linux Servers...The kind of data, such as military and trade secrets...The real data people can sell to a foreign nation for millions.....

MACs are a joke...You pay 2000 - 3000 for a MAC and they call themselves developers and they can't even get SCSI drive to come with the system or a highest end video card. For 2000, I can make a 9800 GX2 SLI machine, Overclock the hell out of it, combine it with an OCed G0 stepping Q6600 to around 3600 - 4000mhz and completely blow any MAC away performancewise...look in the mac website right now and the hardware does not match up for the price paid for it.

Oh yeah, last time I Checked, leopard is 64 bit, but all the programs there are 32 bit...*laughs*
posted by : Setsunayaki, 31 December 2007