PDA

View Full Version : Mac hacked in under 10 seconds at PWN2OWN


MacBytes
Mar 19, 2009, 08:03 AM
http://www.macbytes.com/images/bytessig.gif (http://www.macbytes.com)

Category: Apple Hardware
Link: Mac hacked in under 10 seconds at PWN2OWN (http://www.macbytes.com/link.php?sid=20090319090302)
Description:: So just how secure is your Apple computer now that Mac hacker supremo Charlie Miller has broken into a MacBook in less than 10 seconds?

Posted on MacBytes.com (http://www.macbytes.com)
Approved by Mudbug

r.j.s
Mar 19, 2009, 08:05 AM
But the under 10 seconds thing was only achieved because Miller simply provided a URL that took the user to the site where the exploit code was hosted. The donkey work had all been done beforehand, in accordance with PWN2OWN rules, which enabled the speed to be achieved.

So, how long did it really take?

MistaBungle
Mar 19, 2009, 08:06 AM
Code was loaded through an unsafe website. All he did was type a url. Absolute hollywood hogwash.

r.j.s
Mar 19, 2009, 08:08 AM
Code was loaded through an unsafe website. All he did was type a url. Absolute hollywood hogwash.

Exactly. The PWN2OWN is stacked against Macs to begin with ... the "competition" was IE8 and FF3 running Windows 7.

No IE7, no Vista, no XP ... how many people are running IE8 or FF3 on W7?

MistaBungle
Mar 19, 2009, 08:12 AM
Whaaat, that's crazy. But really, if that is how my computer needs to get exploited, I'm cool with that.

munson
Mar 19, 2009, 08:16 AM
So, how long did it really take?

Two minutes.

thejadedmonkey
Mar 19, 2009, 08:26 AM
Exactly. The PWN2OWN is stacked against Macs to begin with ... the "competition" was IE8 and FF3 running Windows 7.

No IE7, no Vista, no XP ... how many people are running IE8 or FF3 on W7?

Everybody I know who uses Firefox has been automatically upgraded to FF3. It's been out for quite some time now.

r.j.s
Mar 19, 2009, 08:26 AM
Everybody I know who uses Firefox has been automatically upgraded to FF3. It's been out for quite some time now.

But are they running it on Win7? That's the point. OS X is up against a beta OS, there hasn't been any time to find vulnerabilities, much less exploits.

nick9191
Mar 19, 2009, 08:27 AM
How old is this now? At least a year.

At an event sponsored by Microsoft nonetheless.

r.j.s
Mar 19, 2009, 08:28 AM
How old is this now? At least a year.

At an event sponsored by Microsoft nonetheless.

No, this is this year's event.

Full of Win
Mar 19, 2009, 08:30 AM
Code was loaded through an unsafe website. All he did was type a url. Absolute hollywood hogwash.

Hey - my favorite show is Hollywood Hogwash; you better not be ragging on it!

clevin
Mar 19, 2009, 08:34 AM
it shows apple's products aren't any better, if not obviously worse, security-wise.

Now, clock is ticking! lets see how long it take for vendors to patch it!

thejadedmonkey
Mar 19, 2009, 08:35 AM
And also according to Engadget, Microsoft is releasing IE8 today at noon.

Using a beta OS versus a shipping OS is moot when the exploit was done using a web browser and not the OS. Sure there's a connection, but I don't think it's significant - especially between Vista and Win7.

cnorth3
Mar 19, 2009, 08:35 AM
Utter nonsense.

parapup
Mar 19, 2009, 08:35 AM
Code was loaded through an unsafe website. All he did was type a url. Absolute hollywood hogwash.

Well, not really a hogwash by any means. It wasn't like the user had to click through to run a malicious binary after heeding to all the security warnings. It was more of a "click-a-link and you are pwned" thing.

The code on the site was run to exploit the holes in Safari. Ideally Safari should not be executing it but the flaw means that it does and user is pwned.

MistaBungle
Mar 19, 2009, 08:40 AM
I understand that.

A)I was quoting The Simpsons
B)I think it's cheap that the claim is 'under 10 seconds' when in fact he did the work beforehand. That's what I think is brutal.

Koronis
Mar 19, 2009, 08:43 AM
Better they found it now, during a security contest, than someone actually using it for malicious purposes.

clevin
Mar 19, 2009, 08:55 AM
Better they found it now, during a security contest, than someone actually using it for malicious purposes.

thats the real truth, sadly somebody here are just so defensive that they choose to deny everything...

Holes are everywhere!, stop denying it, better just goto apple and file a bug report and demand they fix it ASAP.

ttopp
Mar 19, 2009, 08:57 AM
they should have used safari 4 beta on a snow leopard build to make it an equal footing lol

though it should b the same result unless apple know of the exploit...

notjustjay
Mar 19, 2009, 09:13 AM
Well, I'm glad people are finding these bugs and Apple is fixing them.

It just proves that the Mac isn't 100% bulletproof. Well, OK, we already knew that. Nobody really expected that there would NEVER be exploitable security flaws on OS X.

I do think it's kind of childish that people are going "In your face! We found one! We found one! That proves you suck!" when the predominant competition is absolutely chock-full of viruses and vulnerabilities. But, I can understand why they would be waving it in the face of anyone equally childish enough to try to rub into the Windows users that "Macs are perfect, they have no viruses, so nyaaa!"

roach
Mar 19, 2009, 09:24 AM
Exactly. The PWN2OWN is stacked against Macs to begin with ... the "competition" was IE8 and FF3 running Windows 7.

No IE7, no Vista, no XP ... how many people are running IE8 or FF3 on W7?

Anybody who downloaded Win7 Beta, gets IE8 automatically. I have Win7/IE8 installed on my 4 year old tablet PC for over a month now.

Code was loaded through an unsafe website. All he did was type a url. Absolute hollywood hogwash.

Welcome to Window web surfing Apple. This is the kind of stuff Window user goes through when surfing the web. Good thing this guy is doing it for this competition and there's not a hundred of him pumping out these codes.

munkery
Mar 19, 2009, 10:00 AM
Often for these competitions the macs are set to run with constant root privileges which is not the default configuration for a mac. But the default configuration for an admin account on a windows pc is to have constant root privileges.

If this is true in this case, then they are not comparing the default mac configuration to the default windows configuration. So, in the end it is just propoganda.

andyone
Mar 19, 2009, 10:39 AM
The goal in this contest was to run code in the context of the application (i.e., Safari). Root or not root is an entirely different issue. And anyway, on typical single user systems it really does not matter that much if code is executed as root or not.

EmperorDarius
Mar 19, 2009, 11:20 AM
Really, P2O proves nothing about real-world situations.
The only good thing is that the bugs present in the browsers will be patched.

ewilson6
Mar 19, 2009, 01:56 PM
Every version of Safari from day 1 has had the same issue and Apple always fixes vunerabilities.

This does not mean that a virus, malware or spyware got installed on your system.

People worry about a few vulnerabilities when new code is written for Macs but what about the 300,00 viruses addware and spyware affecting the World Of Windows?

Microsoft has been at risk since 1974!

--Eric

waiwai
Mar 19, 2009, 02:06 PM
oh so very pathetic... whatever i still love my mac. :)


NEXT!

steveza
Mar 19, 2009, 02:09 PM
"I don't really care for 'hack the box' contests. If a machine doesn't get hacked, it does not mean it isn't breakable. If it does get hacked, it just shows us what we already know - any machine can be broken under the right circumstances. So, don't read too much into the PWN 2 OWN results. I don't."Jeff Jones - Director of Microsoft's security group.

Other interesting securtiy stuff in this article: http://www.appleinsider.com/articles/09/03/19/mac_security_researcher_wins_pwn2own_contest.html

EmperorDarius
Mar 19, 2009, 02:36 PM
Every version of Safari from day 1 has had the same issue and Apple always fixes vunerabilities.

This does not mean that a virus, malware or spyware got installed on your system.

People worry about a few vulnerabilities when new code is written for Macs but what about the 300,00 viruses addware and spyware affecting the World Of Windows?

Microsoft has been at risk since 1974!

--Eric

300,000?!

No way man, it's around 3,500,000 - 4,000,000 KNOWN pieces of malware! And I'm not counting undetectable threats, which may add up some other few thousands.

munkery
Mar 19, 2009, 04:23 PM
The goal in this contest was to run code in the context of the application (i.e., Safari). Root or not root is an entirely different issue. And anyway, on typical single user systems it really does not matter that much if code is executed as root or not.

Are you sure about that. The last time I read about the use of a browser vulnerability to hack a mac in one of these competitions it was shown, once the details of the vulnerability were released, that the mac had to be set to run with root privileges for the hack to work.

I concede that this may not be true in this case. But, as this hack allows another user to control the hacked mac, the user whom has taken control of the mac is somewhat limited by the mac not running with constant root privileges as a windows pc does.

And anyway, on typical single user systems it really does not matter that much if code is executed as root or not.

Yes, it matters, it is the reason why windows has so many viruses and security threats.

HyperZboy
Mar 19, 2009, 07:10 PM
I think I speak for EVERYONE in the Mac community when I say...

Anyone who thinks this was a fair competition and not totally staged for the desired results should just go BACK to the HELL of WINDOWS that you CAME FROM AND PLEASE STOP POSTING HERE AT MacRumors.com!

Thank you.

PS: An honest comparison would be shipping versions of similar products,
NOT AN APPLES TO ORANGES OR SHIPPING TO BETA COMPARISON.


DUH!!!!!!!!!!!

TwitchOSX
Mar 19, 2009, 08:11 PM
He had full root control of the computer via Safari? Doubtful. Either way, this translates to crap in the real world.

clevin
Mar 19, 2009, 08:25 PM
He had full root control of the computer via Safari? Doubtful. Either way, this translates to crap in the real world.

lol, who said you need to lose full root control to be annoyed, defraud, spied, harmed financially, etc?

Translates to crap in real world? You know absolutely NOTHING about the detail of this hack, and you are making that type of statement? Other than fanboyism, I just dont know how to describe your reasoning logic here.

TwitchOSX
Mar 19, 2009, 08:32 PM
lol, who said you need to lose full root control to be annoyed, defraud, spied, harmed financially, etc?

Translates to crap in real world? You know absolutely NOTHING about the detail of this hack, and you are making that type of statement? Other than fanboyism, I just dont know how to describe your reasoning logic here.

Sure, you don't need to lose full root control to be annoyed, etc, etc.... but they said he had control of the machine. That makes me think "root control".

As for "real world stuff"... I don't see somebody taking over your computer without root access. Unless somebody is sitting at the other end of a computer waiting for every person to access their website and they can somehow remotely use that to hack in.... It's just not gonna happen all that much. The problem is with Safari, not the OS as far as I can tell.

kevin j
Mar 19, 2009, 08:43 PM
I don't understand why people said the contest was bias. Both systems were in default state (neither system offer root control at default) and were hacked through their browser so the state of the OS (beta or not) would not matter. In each case the browser was directed to a website which is a common real life situation.

munkery
Mar 19, 2009, 08:57 PM
lol, who said you need to lose full root control to be annoyed, defraud, spied, harmed financially, etc?

Absolutely correct! But these things could only happen while you are connected to the malicious URL as seriously malicious software could not be installed remotely without root privileges.

Unless the hack was transparent to the mac user such that they didn't know someone accessed their system, a hard reset would remedy the situation upon discovering the URL was malicious. Admittedly, the mac users sensitive files could be at risk if they were not encrypted while connected to the malicious URL.

munkery
Mar 19, 2009, 09:13 PM
I don't understand why people said the contest was bias. Both systems were in default state (neither system offer root control at default) and were hacked through their browser so the state of the OS (beta or not) would not matter. In each case the browser was directed to a website which is a common real life situation.

Please provide a source showing that both systems were in their default configuration.

The default account created in windows has constant root privileges.

Yes, user account control in vista and windows 7 limits applications access to the system root but in the default windows account where no password entry is required for authorization it is much less secure than Mac OS X. If the hacker has full remote access to the system and no password is required as in the windows default then the hacker could make the authorization remotely.

So when comparing the default set ups more damage can be done to the windows system, given that the hacker has access to root privileges.

kevin j
Mar 19, 2009, 10:08 PM
http://dvlabs.tippingpoint.com/blog/2009/02/25/pwn2own-2009

Here are the contest rules interpret what you want.

kabunaru
Mar 19, 2009, 10:16 PM
They should try to hack a PowerPC Mac (a true Mac in my opinion).

MAG.
Mar 19, 2009, 10:22 PM
To be honest, I am not surprised. Mac OS X is a great operating system, but when it comes to security I am sure there are more security holes in OS X comparing to Windows logically because hackers attempt to hack, and write viruses for Windows rather than Mac OS X. Which will make Microsoft update their OS more frequently (which they do) comparing to Apple.

iParis
Mar 19, 2009, 10:22 PM
Lol. I like how they paired it up against a computer running Windows 7 with IE8 and FireFox 3 against a computer running OS X Leopard on the current Safari. They aren't really making much of a point. The majority of PC users don't have Windows 7 or IE8. The majority of Mac users do however have OS X Leopard. They should have done this against the two current and common OS's with the full browsers. That means Windows Vista with IE7 against OS X Leopard with Safari 3. That or what would also work is OS X Snow Leopard with Safari 4 against Windows 7 with IE8.

Peace
Mar 19, 2009, 10:26 PM
Here's their reason for using Windows 7 :

"ZDI Team commented on 2009-02-26 @ 13:58
@Chas4: The underlying version of Windows won't have a significant impact on the browser exploitation. With that said we chose Windows 7 / IE8 as the platform since both are slated for release this year. Additionally, we know from experience that chances are a bug affecting IE8 will also affect IE7.

The reason they couldn't use Snow Leopard is because it it is a "closed beta". It's not available for anyone.

iParis
Mar 19, 2009, 10:29 PM
Here's their reason for using Windows 7 :

"ZDI Team commented on 2009-02-26 @ 13:58
@Chas4: The underlying version of Windows won't have a significant impact on the browser exploitation. With that said we chose Windows 7 / IE8 as the platform since both are slated for release this year. Additionally, we know from experience that chances are a bug affecting IE8 will also affect IE7.

The reason they couldn't use Snow Leopard is because it it is a "closed beta". It's not available for anyone.

Then they should have used Vista / IE7 and Leopard / Safari 3.
None of those are betas.

MAG.
Mar 19, 2009, 10:35 PM
Then they should have used Vista / IE7 and Leopard / Safari 3.
None of those are betas.

There is not much of a difference in security between Windows 7 and Vista. Who said Vista isn't secure anyways?

MasterNile
Mar 19, 2009, 10:37 PM
Shouldn't this be 'Safari hacked in under 10 seconds at PWN2OWN' since not everyone on Mac uses Safari, and Safari is also available for Windows?

NT1440
Mar 19, 2009, 10:41 PM
Shouldn't this be 'Safari hacked in under 10 seconds at PWN2OWN' since not everyone on Mac uses Safari, and Safari is also available for Windows?

Its sensationalist journalism crap any way you look at it.

iParis
Mar 19, 2009, 10:42 PM
There is not much of a difference in security between Windows 7 and Vista. Who said Vista isn't secure anyways?

Me. Who else?

NoSmokingBandit
Mar 19, 2009, 10:51 PM
I love fanboys.

Yes, the title is misleading, but the fact remains that OSX was compromised with a single click in Safari. No, it doesnt mean osx is going to explode from malware, so it doesnt mean that osx is invincible because the team worked on it prior to the competition. It means that with adequate planning one could compromise osx using nothing more than a website. I know that some of you are having a hard time hearing this through Steve's sonic wall of dilusion and pompousness, but osx is not perfect. No OS is, and telling yourself this is a fluke will do nothing to help yourselves, apple, or the rest of the computing world. An exploit was found, deal with it and move on, the world will not end, i promise.

MasterNile
Mar 19, 2009, 11:01 PM
I love fanboys.

Yes, the title is misleading, but the fact remains that OSX was compromised with a single click in Safari. No, it doesnt mean osx is going to explode from malware, so it doesnt mean that osx is invincible because the team worked on it prior to the competition. It means that with adequate planning one could compromise osx using nothing more than a website. I know that some of you are having a hard time hearing this through Steve's sonic wall of dilusion and pompousness, but osx is not perfect. No OS is, and telling yourself this is a fluke will do nothing to help yourselves, apple, or the rest of the computing world. An exploit was found, deal with it and move on, the world will not end, i promise.

I never believed OS X was invincible (obviously since there have been trojans), however I clicked on this thread because I thought there was an error or vulnerability in OS X, but being as I use Firefox it doesn't affect me. As NT1440 said, it's sensationalist journalism and hype from people just wanting to see OS X fall, obviously no OS is immune to hackers, but some programs are more prone to it than others and this is what the article should highlight, not a specific OS.

MAG.
Mar 19, 2009, 11:02 PM
Me. Who else?

Well, obviously you never used it. The only bad thing about Vista is that it uses a lot of recourses. If *you* or Apple say it's not secure, it doesn't make it like that. This is a Mac forum so I am sure you will get a lot of votes.

By the way, I have 3 PCs and 2 Macs. I also love my Macs. I am just not a fanboy. :)

MasterNile
Mar 19, 2009, 11:04 PM
Well, obviously you never used it. The only bad thing about Vista is that it uses a lot of recourses. If *you* or Apple say it's not secure, it doesn't make it like that. This is a Mac forum so I am sure you will get a lot of votes.

By the way, I have 3 PCs and 2 Macs. I also love my Macs. I am just not a fanboy. :)

Just so you know, iParis doesn't have any Macs (unless he got a new Mac Mini?), so he's either using XP, Vista or Windows 7.

PeterQC
Mar 19, 2009, 11:08 PM
They should try to hack a PowerPC Mac (a true Mac in my opinion).

Considering the OS is the same, I don't see how that would have affected the results.

MAG.
Mar 19, 2009, 11:08 PM
Just so you know, iParis doesn't have any Macs (unless he got a new Mac Mini?), so he's either using XP, Vista or Windows 7.

Then if iParis actually "feels" insecure on whatever Windows operating system he/she is using, why use it? I'd suggest giving Linux a try then. :)

MasterNile
Mar 19, 2009, 11:12 PM
Then if iParis actually "feels" insecure on whatever Windows operating system he/she is using, why use it? I'd suggest giving Linux a try then. :)

That's something I can't answer, but I'd be willing to bet it's more than just him using his computer, if so, there is a reason Linux isn't as popular for PCs as Windows is, and mostly it's because people are used to Windows, so yes it might be fairly easy for him to switch over to Linux, but how easy would it be for the rest of his family?

PurrBall
Mar 19, 2009, 11:13 PM
Well, obviously you never used it. The only bad thing about Vista is that it uses a lot of recourses. If *you* or Apple say it's not secure, it doesn't make it like that. This is a Mac forum so I am sure you will get a lot of votes.

By the way, I have 3 PCs and 2 Macs. I also love my Macs. I am just not a fanboy. :)

Nothing is secure. Something may be more secure than something else, but it's going to get hacked no matter what patches you put out. Vista could be considered secure, but it's hackable. Same goes to any other OS, including OS X.

kevin j
Mar 19, 2009, 11:14 PM
I never believed OS X was invincible (obviously since there have been trojans), however I clicked on this thread because I thought there was an error or vulnerability in OS X, but being as I use Firefox it doesn't affect me. As NT1440 said, it's sensationalist journalism and hype from people just wanting to see OS X fall, obviously no OS is immune to hackers, but some programs are more prone to it than others and this is what the article should highlight, not a specific OS.

Firefox was also hacked (on the windows side just before they finished the contest for the day). The hackers seem to choose the platform they want to hack an stick to it but firefox might also need patching on osx ...who knows.

MAG.
Mar 19, 2009, 11:19 PM
That's something I can't answer, but I'd be willing to bet it's more than just him using his computer, if so, there is a reason Linux isn't as popular for PCs as Windows is, and mostly it's because people are used to Windows, so yes it might be fairly easy for him to switch over to Linux, but how easy would it be for the rest of his family?

I agree that switching to Linux isn't easy as it takes a bit of getting used to just like anyone going from Windows to OS X, but hey it's free! :D and you can install it along with Windows. One downside with Linux is application support. Overall, it's a great OS.

MasterNile
Mar 19, 2009, 11:22 PM
Firefox was also hacked (on the windows side just before they finished the contest for the day). The hackers seem to choose the platform they want to hack an stick to it but firefox might also need patching on osx ...who knows.

and I didn't say Firefox was invincible either, but apparently it takes more work than OS X.

EDIT: the only thing this experiment confirms is that no browser is completely secure and to be careful of the links that you click on, I knew both of these things already.

MAG.
Mar 19, 2009, 11:24 PM
Nothing is secure. Something may be more secure than something else, but it's going to get hacked no matter what patches you put out. Vista could be considered secure, but it's hackable. Same goes to any other OS, including OS X.

This is exactly my point. Everything can be hacked. Think about it as a lock that hackers tend to break to open a secure door. Some locks are harder than others, but none are invulnerable. They're all breakable. All OS's, Linux, Windows, OS X can be hacked. No exception.

SeaFox
Mar 20, 2009, 12:57 AM
Code was loaded through an unsafe website. All he did was type a url. Absolute hollywood hogwash.
Yeah, because people never get lured into going to "the Wrong Site" in the real world. :rolleyes:

Better they found it now, during a security contest, than someone actually using it for malicious purposes.
It should be noted that people join this contest to win the machines being hacked on and for the glory. Would this fellow have come forward if there wasn't a prize to be won? Everyone's looking to gain something from this competition, even the "grey hat" "security reseachers" wanting nothing more than more credit in their field. Few have the interests of the computing public at heart.

Gaelinic
Mar 20, 2009, 01:11 AM
http://blogs.zdnet.com/security/?p=2941

Kind of puts a damper on the theory that Macs can't be exploited, and one of the reasons I switched over to Macs last month. He makes it sound like it was way to easy. He had this one in his reserves for a year.

Gaelinic
Mar 20, 2009, 01:14 AM
Shouldn't this be 'Safari hacked in under 10 seconds at PWN2OWN' since not everyone on Mac uses Safari, and Safari is also available for Windows?

According to the interview with the hacker, the vulnerability lies with OS X.

MAG.
Mar 20, 2009, 01:18 AM
http://blogs.zdnet.com/security/?p=2941

Kind of puts a damper on the philosophy that Macs can't be exploited. He makes it sound like it was way to easy. He had this one in his reserves for a year.

lol...He made me stick even more to Firefox on Windows. I love Firefox!

And wow, he does make it sound toooooo easy. More than I expected it to be.

sn00pie
Mar 20, 2009, 01:18 AM
These kinds of articles make me laugh.

/thread

knightlie
Mar 20, 2009, 07:38 AM
lol, who said you need to lose full root control to be annoyed, defraud, spied, harmed financially, etc?

Translates to crap in real world? You know absolutely NOTHING about the detail of this hack, and you are making that type of statement? Other than fanboyism, I just dont know how to describe your reasoning logic here.

So show us where these exploits are being used out in the real world, and not in the artificial and rigged environment of a competition where the contestant is out to win prizes. Other than the fact that you're trolling, I don't understand what you're trying to prove.

thejadedmonkey
Mar 20, 2009, 09:02 AM
http://blogs.zdnet.com/security/?p=2941

Kind of puts a damper on the theory that Macs can't be exploited, and one of the reasons I switched over to Macs last month. He makes it sound like it was way to easy. He had this one in his reserves for a year.

I was just about to post that. It sort of explains why OS X isn't quite as secure as Apple would like us to believe. Hopefully Snow Leopard can sort that out, as that's a pretty big underlying change that Apple will have to do - I think it took MS the better part of Vista's development to do the address randomization (which is how MS helps protect Windows from attacks like this)

MisterMe
Mar 20, 2009, 09:08 AM
lol...He made me stick even more to Firefox on Windows. I love Firefox!

...You may be more familiar with Firefox, but that does not make it more secure. Firefox, Safari, and Internet Explorer were all breached during the contest. They were all breached on the same day. The notion that Safari was breached in seconds is a misleading headline; it is not a statement of fact. To the contrary, the report makes it clear to all who can read that the contest winner put in a lot of preparation to setup the situation that allowed him to breach Safari during the contest.

How many minutes, hours, or days did he prepare? We don't know. Neither do we know how much time was required for the other winners to prepare the breaches for IE and Firefox.

roach
Mar 20, 2009, 09:20 AM
http://blogs.zdnet.com/security/?p=2941

Kind of puts a damper on the theory that Macs can't be exploited, and one of the reasons I switched over to Macs last month. He makes it sound like it was way to easy. He had this one in his reserves for a year.

Wow! So this hole has been opened for year. Good thing no other hacker (evil type) found it.

Gaelinic
Mar 20, 2009, 09:43 AM
You may be more familiar with Firefox, but that does not make it more secure. Firefox, Safari, and Internet Explorer were all breached during the contest. They were all breached on the same day. The notion that Safari was breached in seconds is a misleading headline; it is not a statement of fact. To the contrary, the report makes it clear to all who can read that the contest winner put in a lot of preparation to setup the situation that allowed him to breach Safari during the contest.

How many minutes, hours, or days did he prepare? We don't know. Neither do we know how much time was required for the other winners to prepare the breaches for IE and Firefox.

Actually, his interview reveals that his team worked on the others before the contest as well. For Safari, he had the answer set up a year ahead of time. Why is everyone trying to prove Mac is more secure? It's pretty conclusive that it got pwned rather easily.

steveza
Mar 20, 2009, 09:46 AM
Actually, his interview reveals that his team worked on the others before the contest as well. For Safari, he had the answer set up a year ahead of time. Why is everyone trying to prove Mac is more secure? It's pretty conclusive that it got pwned rather easily.As the guy from MS pointed out any OS/browser/machine can be compromised in the right situations. It's best to ignore these sort of competitions and "news" stories.

Evangelion
Mar 20, 2009, 10:01 AM
The spin and excuses are strong in this discussion....

NoSmokingBandit
Mar 20, 2009, 11:12 AM
How many minutes, hours, or days did he prepare? We don't know. Neither do we know how much time was required for the other winners to prepare the breaches for IE and Firefox.
The point is that it didnt matter how long he prepared for it. When everythign was in place it took 10 seconds to gain access. You could open a page in Safari today and be compromised. No matter how long it took him to prepare it still only takes 10 seconds for your mac to be exploited. Even if it took the guy 5 years of prep it still counts as a valid exploit and everyone is still at risk.

Povilas
Mar 20, 2009, 11:36 AM
The point is that it didnt matter how long he prepared for it. When everythign was in place it took 10 seconds to gain access. You could open a page in Safari today and be compromised. No matter how long it took him to prepare it still only takes 10 seconds for your mac to be exploited. Even if it took the guy 5 years of prep it still counts as a valid exploit and everyone is still at risk.

So? Does it mean Safari is less secure? No! Go download webkit source and look for security holes as long as you want. The thing is that this "contest" is aimed at "look how your Safari on OS X is secure" thing. Safari was released in 2003 and FireFox in 2004 and both are not written from ground up, but based on others code. I would say Safari is pretty secure as FireFox is.

I call BS on such "contests", because they prove nothing, only creating a big hype.

Security or insecurity can be seen only in time. We can say IE is not secure browser, because it's on market for very long time and time proved it.

And last, but not least everybody should know that no software will make you secure, but you. Look, read, think before you act.

Foggy
Mar 20, 2009, 12:27 PM
Wow! So this hole has been opened for year. Good thing no other hacker (evil type) found it.

Thats the thing that makes me wonder about these competitions. I can't believe he is the only person in the world capable of finding/exploiting this bug.

What exactly was he able to do? It says he has full access, but in what way? It says he could take over the machine, do they mean he was able to get some form of ssh tunnel in and have full root access?

MisterMe
Mar 20, 2009, 12:44 PM
The point is that it didnt matter how long he prepared for it. When everythign was in place it took 10 seconds to gain access. ...That comment does not pass the Laugh Test. It very much matters if it took a minute, an hour, a day, a week, a month, a year, or a lifetime. It appears that the preparation took a year or more. If it took a year to prepare for this exploit but takes only a day to prepare some other exploit, then clearly anyone out for gain will concentrate on the faster exploit. To users, there will be 365 exploits to worry about on the less secure browser for every exploit in Safari.

Rodimus Prime
Mar 20, 2009, 01:50 PM
I love fanboys.

Yes, the title is misleading, but the fact remains that OSX was compromised with a single click in Safari. No, it doesnt mean osx is going to explode from malware, so it doesnt mean that osx is invincible because the team worked on it prior to the competition. It means that with adequate planning one could compromise osx using nothing more than a website. I know that some of you are having a hard time hearing this through Steve's sonic wall of dilusion and pompousness, but osx is not perfect. No OS is, and telling yourself this is a fluke will do nothing to help yourselves, apple, or the rest of the computing world. An exploit was found, deal with it and move on, the world will not end, i promise.


I agree threads like this start showing some of the sear stupididy and blind following of the fanboys.

My thoughts on using the beta means generally they are going to be more open to attack and have more flaws in them that have not been fix.

Apple fan boys have problems with the image that apple is immune to attack is so full of holes that it is worse than Swiss cheese.

Go look at threads about Trojan virus hitting OSX. You see the same defenses stances with *blank* stupid argument way it is invalid or should not be a problem.

This shows that fan boys in general are idiots and should be considered worthless for any real information.

NT1440
Mar 20, 2009, 01:54 PM
http://blogs.zdnet.com/security/?p=2941

Kind of puts a damper on the theory that Macs can't be exploited, and one of the reasons I switched over to Macs last month. He makes it sound like it was way to easy. He had this one in his reserves for a year.

So that shows it wasnt merely a two second hack.....

And he wont report it to apple? What a scumbag.

NoSmokingBandit
Mar 20, 2009, 02:00 PM
http://blogs.zdnet.com/security/?p=2941

Kind of puts a damper on the theory that Macs can't be exploited, and one of the reasons I switched over to Macs last month. He makes it sound like it was way to easy. He had this one in his reserves for a year.

This was a good read. Im sure plenty of people here will read this and call BS, but this is the guy who exploited a mac using a single click in Safari, so im pretty sure he knows what he is doing.

MAG.
Mar 20, 2009, 02:24 PM
So that shows it wasnt merely a two second hack.....

And he wont report it to apple? What a scumbag.

He made a good point why he wouldn't IMO. I am pretty sure I wouldn't give it to Apple for free too.

This was a good read. Im sure plenty of people here will read this and call BS, but this is the guy who exploited a mac using a single click in Safari, so im pretty sure he knows what he is doing.

Agreed :) and of course this article will be called BS because Mac OS X is invulnerable since it's protected by god! :p

It's hard to make fanboys understand that OS X is like every OS out there.

NT1440
Mar 20, 2009, 02:26 PM
He made a good point why he wouldn't IMO. I am pretty sure I wouldn't give it to Apple for free too.




I know his reasoning, and i think if your going to spend your time hacking systems, the least you could do is report it and get if fixed so no innocent people fall victim to it. Maybe thats just me tho.

Edit: And for anyone who cannot read, the hack was IMPLEMENTED in under ten seconds, the exploit he wrote took him 9 HOURS of code writing. He didnt comment on how long he spent finding the vulnerability. Buts shady journalism is ok! Hacking a mac (or any system) is as easy as a single click!

petermcphee
Mar 20, 2009, 02:27 PM
So that shows it wasnt merely a two second hack.....

And he wont report it to apple? What a scumbag.

Agreed. If he were to report it, I suppose there is a chance he could parlay that conversation into a job. Now that he has taken the position that no one will get the details without paying him, who would want to work with him?:confused:

NT1440
Mar 20, 2009, 02:34 PM
Agreed. If he were to report it, I suppose there is a chance he could parlay that conversation into a job. Now that he has taken the position that no one will get the details without paying him, who would want to work with him?:confused:

He doesnt really need to get a job from apple, he wins plenty of money in these contests.

I just think its a sign of bad character to withold information that others could use to harm people.

Povilas
Mar 20, 2009, 02:42 PM
I agree threads like this start showing some of the sear stupididy and blind following of the fanboys.

My thoughts on using the beta means generally they are going to be more open to attack and have more flaws in them that have not been fix.

Apple fan boys have problems with the image that apple is immune to attack is so full of holes that it is worse than Swiss cheese.

Go look at threads about Trojan virus hitting OSX. You see the same defenses stances with *blank* stupid argument way it is invalid or should not be a problem.

This shows that fan boys in general are idiots and should be considered worthless for any real information.

Your an idiot. It's not about that OS X is 100% secure, or Safari is 100% secure or protected by THE GOD as some other idiots laugh, but it's about intensions to create a hype that OS X or Safari is easy or as that "pro" cracker says easier to hack than windows with other browsers by exploiting one misterious security hole. And than all the internet is full of "Safari hacked in 10 seconds" ********. Such articles mislead lots of people.

Povilas
Mar 20, 2009, 02:44 PM
He made a good point why he wouldn't IMO. I am pretty sure I wouldn't give it to Apple for free too.



Agreed :) and of course this article will be called BS because Mac OS X is invulnerable since it's protected by god! :p

It's hard to make fanboys understand that OS X is like every OS out there.

"It's hard to make fanboys understand that OS X is like every OS out there."

No, it's not ;)

MisterMe
Mar 20, 2009, 03:02 PM
I know his reasoning, and i think if your going to spend your time hacking systems, the least you could do is report it and get if fixed so no innocent people fall victim to it. ...Whatever his reasoning, the rules of the contest as I understand them are to disclose to the developer the breach vector. If he has claimed his prize without complying with the rules of the contest, then he has committed fraud. That is just a little worse than being a scumbag.

NT1440
Mar 20, 2009, 03:03 PM
Whatever his reason, the rules of the contest as I understand him is to disclose to the developer the breach vector. If he has claimed his prize without complying with the rules of the contest, then he has committed fraud. That is just a little worse than being a scumbag.

Yea I forgot thats actually the entire point of the contest.

MAG.
Mar 20, 2009, 03:10 PM
"It's hard to make fanboys understand that OS X is like every OS out there."

No, it's not ;)

Apparently, you're one of them. ;) Just look at your post above the one I quoted.

NT1440
Mar 20, 2009, 03:18 PM
Apparently, you're one of them. ;) Just look at your post above the one I quoted.

Yes, there are a good amount of posters in the wild that will defend based on no actual facts.

But it is true that OSX isnt like "every other OS" out there, besides the obvious reason of each OS being different (thats the literal duh statement that must be made lol) but being based on Unix it will be a bit safer. Unix itself was made with security in mind. No it doesnt make it some sort of godsend unhackable computer, but any computer running a Unix based system has a slight advantage security wise from the get go.

MAG.
Mar 20, 2009, 03:23 PM
Yes, there are a good amount of posters in the wild that will defend based on no actual facts.

But it is true that OSX isnt like "every other OS" out there, besides the obvious reason of each OS being different (thats the literal duh statement that must be made lol) but being based on Unix it will be a bit safer. Unix itself was made with security in mind. No it doesnt make it some sort of godsend unhackable computer, but any computer running a Unix based system has a slight advantage security wise from the get go.

I agree on that. What I meant by all OS's are the same is that they're all hackable. Just what I said before :D

Everything can be hacked. Think about it as a lock that hackers tend to break to open a secure door. Some locks are harder than others, but none are invulnerable. They're all breakable. All OS's, Linux, Windows, OS X can be hacked. No exception.

NT1440
Mar 20, 2009, 03:27 PM
I agree on that. What I meant by all OS's are the same is that they're all hackable. Just what I said before :D

Oh deffinatly, if you can get your hands physically onto the system, and have the right tools/knowhow/amount of time, you can crack just about anything.

dsharits
Mar 20, 2009, 03:33 PM
lol, who said you need to lose full root control to be annoyed, defraud, spied, harmed financially, etc?

Translates to crap in real world? You know absolutely NOTHING about the detail of this hack, and you are making that type of statement? Other than fanboyism, I just dont know how to describe your reasoning logic here.

Seems to me, you're the one guilty of fanboyism, but in the opposite direction of the accused. Why don't you go back to your Windoze forums and gloat about a staged 'victory' there?

Povilas
Mar 20, 2009, 04:59 PM
Apparently, you're one of them. ;) Just look at your post above the one I quoted.

Please save it.

Povilas
Mar 20, 2009, 05:02 PM
I agree on that. What I meant by all OS's are the same is that they're all hackable. Just what I said before :D

"What I meant by all OS's are the same is that they're all hackable."

Then say so ;) I was refering to Unix "thing".

kabunaru
Mar 20, 2009, 06:22 PM
Macs are not as secure as Apple wants us to think they are.

MasterNile
Mar 20, 2009, 06:58 PM
Macs are not as secure as Apple wants us to think they are.

And Big Macs aren't as tasty as McDonalds wants us to think they are. What's your point? That we shouldn't believe all marketing hype? People should already have known that way before this article or competition.

mateus
Mar 20, 2009, 07:23 PM
So what's the outcome of this attack? Over the forthcoming weeks are we going to find more & more attacks on Mac users as the code for this exploit is spread to malicious software writers?

The results sound alarming at first - makes a Mac sound so easy to attack. But what actually did he gain access to? Was this the equivalent of someone breaking into my house & stealing all my stuff or was it more like someone snooping around my back garden & peering in though a window? How critical it is? However, Apple should take this seriously.

This event would suggest that Apples' attempts at securing OSX have been about as useful as a cat flap in an elephant house. I hoped that, while realising OSX is far from bullet proof, it would at least be as secure as Windows.

But as far as I'm concerned, as along as malicious software writers view Apple as the 'good guys' & Microsoft the 'bad guys', I feel safer in OSX. I've been a Windows user since Windows 3.0 & only recently moved a Mac - never had a problem on either systems but then I'm careful about what I download & the websites I visit. Miller appears to be a Mac user, which is encouraging.

Rodimus Prime
Mar 20, 2009, 09:00 PM
Your an idiot. It's not about that OS X is 100% secure, or Safari is 100% secure or protected by THE GOD as some other idiots laugh, but it's about intensions to create a hype that OS X or Safari is easy or as that "pro" cracker says easier to hack than windows with other browsers by exploiting one misterious security hole. And than all the internet is full of "Safari hacked in 10 seconds" ********. Such articles mislead lots of people.

I suggest you read the forums rules. What you just did is a personal attack and is an offense that can get you banned.

Apple brought on this image of being invincible and it is increased by fan boys doing things saying how great it is.

I stand by what I said. Apple and its fanboys bring on that image that just waiting to be crushed.

Syrus28
Mar 20, 2009, 09:57 PM
I think I speak for EVERYONE in the Mac community when I say...

Anyone who thinks this was a fair competition and not totally staged for the desired results should just go BACK to the HELL of WINDOWS that you CAME FROM AND PLEASE STOP POSTING HERE AT MacRumors.com!

Thank you.

PS: An honest comparison would be shipping versions of similar products,
NOT AN APPLES TO ORANGES OR SHIPPING TO BETA COMPARISON.


DUH!!!!!!!!!!!
It's comparing the most up-to-date AVAILABLE offerings of these companies...
P.S: Don't act like you speak for the rest of us at MacRumors


Lastly, the preparation time doesn't matter. It's the execution that counts. You only have to prepare once, yet execute millions of times. Besides, all had the exact same preparation time, so the measurement provided is accurate.

sn00pie
Mar 20, 2009, 10:17 PM
I suggest you read the forums rules. What you just did is a personal attack and is an offense that can get you banned.

Apple brought on this image of being invincible and it is increased by fan boys doing things saying how great it is.

I stand by what I said. Apple and its fanboys bring on that image that just waiting to be crushed.
Getting banned for calling someone an idiot? Are you sure about that? :eek:

MAG.
Mar 20, 2009, 10:28 PM
Apple brought on this image of being invincible and it is increased by fan boys doing things saying how great it is.

I stand by what I said. Apple and its fanboys bring on that image that just waiting to be crushed.

It's comparing the most up-to-date AVAILABLE offerings of these companies...
P.S: Don't act like you speak for the rest of us at MacRumors


Lastly, the preparation time doesn't matter. It's the execution that counts. You only have to prepare once, yet execute millions of times. Besides, all had the exact same preparation time, so the measurement provided is accurate.


Very true. :D

munkery
Mar 21, 2009, 01:19 AM
Here is another interesting article about pwn2own:

http://inmuscatine.com/?p=1682

In the ZDNet article, the security features miller says are lacking in Mac OS X relate to such browser exploits. Such protections should be made more prominent in Mac OS X.

What miller fails to mention is that windows needs such protections much more than Mac OS X because once in the system windows is much more vulnerable then Mac OS X. What I am referring to here is explained in my previous posts.

Microsoft and Apple are working at the problem from opposite directions. Both can learn from each other. But as they stand now, Mac OS X is more secure.

cjm3113
Mar 21, 2009, 01:22 AM
He obviously prefers Apple. It is "Hack 2 Own."

I'm sure he could have hacked any computer there without any problems, he chose the nicest one. What's the big deal?

cathyy
Mar 21, 2009, 06:53 AM
So much blatant fan-boyism here.

Belly-laughs
Mar 21, 2009, 10:08 PM
So much blatant fan-boyism here.

Never!

mateus
Mar 22, 2009, 04:39 PM
Reassuring article here on Ars Technica:

http://arstechnica.com/apple/news/2009/03/pwn2own-winners-add-mac-exploits-to-security-research-tool.ars

Dino Dai Zovi and Charlie Miller are adding the fruits of their research into Mac OS X to a security research tool known as Metasploit... "It's not really used for serious security threats," says data forensics expert Jonathan Zdziarski.... "I know a lot of top notch hackers and they don't use Metasploit... Security tools [like Metasploit] are like the 'assault rifles' of the computing industryóoften misunderstood and look evil but mostly only dangerous in the presence of ignorance."

sa gringo
Mar 22, 2009, 06:09 PM
Getting banned for calling someone an idiot? Are you sure about that? :eek:

Unfortunately yes ( I speak from experience )...but the forum rules do state no name calling and explicitly state the word idiot can not be used...so there is really not much of an argument unless you think the rule is a little bunk...

OttawaGuy
Mar 29, 2009, 09:06 AM
More from PWN2OWN winner Charlie Miller: Itís the apps, not Mac OS X (http://weblogs.baltimoresun.com/business/appleaday/blog/2009/03/more_from_pwn2own_winner_charl.html)

MikeTheC
Mar 29, 2009, 01:51 PM
More from PWN2OWN winner Charlie Miller: Itís the apps, not Mac OS X (http://weblogs.baltimoresun.com/business/appleaday/blog/2009/03/more_from_pwn2own_winner_charl.html)
I read this article, but I think the guy who wrote it didn't understand what Charlie was talking about...

Yes. Itís not about the bugs, but rather the technologies which make it difficult to go from a bug/vulnerability to a bad guy running code
on your system. Windows has it, OS X doesn't. The two technologies 
that Windows has that Mac OS X lacks, specifically, are Address Space 
Layout Randomization (ASLR) and a non-executable heap. These two 
things make it very hard to write exploits (the code that gains 
control of your computer) in Windows.

IPhone is more secure than OS X because it has a smaller attack 
surface (Mobile Safari doesn't try to do everything in the world) and
it has some anti-exploitation technologies built into it (specifically 
a non-executable heap).
Those are OS-level things he's talking about, not applications.