Mac Security In Spotlight

[MacRumors]

A MacBook Air running an up to date installation of Mac OS 10.5 Leopard was the first laptop to fall in last week's CanSecWest PWN2OWN contest, casting the spotlight once again on the Mac's security.

The contest pitted a MacBook Air against a Vista laptop and a Ubuntu Linux laptop, all fully patched. While all 3 laptops did not fall the first day which only allowed attacks against the base OS for a prize of $20,000 (+laptop), the MacBook Air reportedly took only 2 minutes to fall on day 2 when conference rules were relaxed to include all OS-bundled software for a prize of $10,000 (+ laptop).

While details of the exploit are under non-disclosure while Apple works on the issue, the sponsor's blog does note that the attack was levied against Safari, after the user was directed to a specially crafted website (as allowed by the rules). The exploit appears to be an overflow bug in Webkit.

The remaining two laptops survived the rest of the second day, but the Vista laptop fell the following day when Adobe Flash player was installed as the rules were further relaxed to allow for attack of popular 3rd party applications. The Linux laptop was not exploited.

While Apple is aware of and working on the vulnerability, a recent study has claimed that Apple's response time to such 0-day vulnerability patches lags significantly behind that of Microsoft.

The study, conducted by the Swiss Federal Institute of Technology, analyzed 658 vulnerabilities affecting Microsoft products and 738 affecting Apple, all of which were high and medium risk according to the National Vulnerability Database.

Quote:

"Apple was below 20 [unpatched vulnerabilities at disclosure] consistently before 2005," [said researcher Stefan Frei]. "Since then, they are very often above. So if you have Apple and compare it to Microsoft, the number of unpatched vulnerabilities are higher at Apple." [...]

"We think that Apple had fewer vulnerabilities early on, and they were just surprised or not as ready or not as attentive," Frei said. "It looks like Microsoft had good relationships earlier with the security community."

Over the past few years, Microsoft has tried to cultivate a closer relationship with the security community in order to encourage researchers to give it a heads-up about software problems. Apple, however, doesn't appear to have that same sort of engagement yet, and, "based on our findings, this is hurting them," Frei said.

A spot-check of security firm Secunia's statistics show that 6% of 113 bugs found in Apple's Mac OS X operating system from 2003 to 2008 remain unpatched.

Article Link

[Jetson]

If Apple's OS X is so secure, why are these hackers saying that it's the easiest OS to hack?

[HailToTheVictor]

Not cool

[beppo]

I would expect apple to fix this now that its out in the open

[pdpfilms]

Quote:

Originally Posted by Jetson

If Apple's OS X is so secure, why are these hackers saying that it's the easiest OS to hack?

Because OSX's "security" relies on the fact that it takes up only about 7% (or is it 8% now?) marketshare.

A man in camouflage is less likely to be shot than a man in a neon jumpsuit.

EDIT: aaaaand start the flame wars. (Just reread my post and realized it's going to offend 90% of the people reading it.)

[shigzeo]

i posted about this in macnn.com and got slathered in hot boiling oil. it seems that they with a cooler website are a bit more scathing. anyway, yeah i am upset.

some people are using many different excuses for this but the fact is that no excuse can excuse the fact that our osx is not that secure. i don't care if the guy spent two years finding this hole, he found it and it made safari fall and that led to osx going down.

i hope that apple stop this silly advertising smere campaign to make their os look bulletproof when it has been shown time and time again to not be bulletproof but rather just well done.

the numbers that come in are more and nore scary - we need less focus on just designability and usability but proper security, proper security, not advertising security.

[brop52]

These things should be fixed and there is no excuse for it now that they know the problems. A lot of these have been known in the past and still haven't been fixed. I'm hoping for some improvement.

Personally though, I have no anxiety over someone hacking into my machine.

[LaDirection]

Well, it's no secret that Mac OS X is the least secure OS on the market today.

Apple has been making **** software and **** computers ever since they decided to put all their focus on the iPod and the impressive iPhone. They have limited resources. Since iPod became huge not ONE SINGLE hardware release did not have at least one recall on one of its part in the following 15 months.

10.5 was a colossal technical failure. Every softwares are buggy. Maybe it's time they separated the 2 businesses and star making really good computers that works for years again.

[socamx]

This just goes to show you that the OS itself is secure but what the user does in applications can bring the security down.

The lesson learned as I see it (and always have).
Don't go to sites that look seedy and don't download/open things you don't trust.

I will still stand by OS X as a very secure OS. User error and applications are the weak point.

[applefan69]

Quote:

Originally Posted by pdpfilms

Because OSX's "security" relies on the fact that it takes up only about 7% (or is it 8% now?) marketshare.

A man in camouflage is less likely to be shot than a man in a neon jumpsuit.

EDIT: aaaaand start the flame wars. (Just reread my post and realized it's going to offend 90% of the people reading it.)

i hear the only 8% arguement So mcuh... it may have some credibility.

BUT... ok so the MAJORITY of hackers wont bother to hack macs simply because they can only attack a small 8% marketshare. Thing is, EVENTUALLY a hacker is gonna say "im gonna hack OS X for fun!"

in THAT case... dont you think we'd begin hearing problems of macs being hacked? Honestly other then in hacking contests and such, I've NEVEr heard of a mac being hacked in a normal-life situation. Can anyone explain that? Considering AT LEAST one hacker would decide to either try to challenge himself, or try to be one of the only hackers attacking macs.

[longofest]

Quote:

Originally Posted by shigzeo

i posted about this in macnn.com and got slathered in hot boiling oil. it seems that they with a cooler website are a bit more scathing. anyway, yeah i am upset.

pretending I didn't hear the "cooler website" part, but either way, no burning hot oil should be poured here.

[tveric]

The first 7 posts are all (basically) correct. What shocked me was the lack of (so far) Mac fanboy posts protesting whatever they can think of in defending their choice of computer to the death. Maybe this site is actually attracting some critical thinkers, though!

Nah, the flames will start in 3.... 2..... 1.......




PS I own 3 Macs and won't go back to Windows in the near future, but this latest hole is still an embarrassment.

[EagerDragon]

This guy been practicing at home/work for weeks on end. No way any hacvker Pwn a system in 2 minutes flat with a new unknown vulnerability. This guy knew the vulnerability was there and unpatch weeks ahead and then sat down and worked the details prior to the competition. Seems to me this was completly unfair as the other hackers did not do the same prior to coming to the competition. Sorry but this is bull.

I have 12 full time hackers in my team and we bring the best and brightest to come show us how they do it and show our hackers their best tricks (for pay), none (internal hackers or 3rd parties) can do that in 2 minutes with zero preparation.

This was researched and was ready prior to getting there.

This is flat out unfair and a bunch of bull.

Had he gone thru the same preparations in another OS, he would have pwn any of the systems in about the same amount of time.

This was likely an issue with image or some multimedia malformed file, NONE OF THE BROWSER do a good job of properly parsing multimedia, they all have issue in this area.

We send our people to these competitions from time to time and beleive me there are all sorts of preparations by some and no preparation by others. They all know what they will be hacking well ahead of time.

The chain breaks at the weakest link. The weakest link is ussualy the browser, anyone in security knows that they are the most vulnerable programs.

These new HTML-5 features that WebKit and Safari are implementing ahead of everyone else are going to be a nightmare for users, these new HTML-5 features are very unsecured. Have you heard about the ability to store information using SQL at your workstation, have you heard how another program or javascript can read and steal that data off your workstation? Same thing withthe new animations. Horrible.

[tveric]

Quote:

Originally Posted by socamx

I will still stand by OS X as a very secure OS. User error and applications are the weak point.

So why didn't the same-type exploit result in the Vista machine getting hacked in 2 minutes, like the Mac?

You can blame users and apps all you want - bottom line, if someone got remote access to an entire machine thru a user clinking on a link in an app, that's still not as secure as the OS should be. And CAN be.

[longofest]

Quote:

Originally Posted by applefan69

in THAT case... dont you think we'd begin hearing problems of macs being hacked? Honestly other then in hacking contests and such, I've NEVEr heard of a mac being hacked in a normal-life situation. Can anyone explain that? Considering AT LEAST one hacker would decide to either try to challenge himself, or try to be one of the only hackers attacking macs.

for what it's worth, the first known instance of OSX Malware was posted to MacRumors

Story Link

[Full of Win]

Apple really needs a kick in their complacency.

[tveric]

Quote:

Originally Posted by EagerDragon

This guy been practicing at home/work for weeks on end. No way any hacvker Pwn a system in 2 minutes flat with a new unknown vulnerability. This guy knew the vulnerability was there and unpatch weeks ahead and then stat down and worked the details prior to the competition. Seems to me this was completly unfair as the other hackers did not do the same prior to coming to the competition. Sorry but this is bull.

I have 12 hackers in my team and we bring the best and brightest to come show us how they do it (for pay), none can do that in 2 minutes.

This was researched and was ready prior to getting there.

That's a negative, sonny. RTFA next time before you jump in with your assumptions.

But, for the sake of argument, let's say he had the hack prepared ahead of time. Does that make it any less of a security hole? Sure doesn't.

In addition, all the hackers had their choice of which machine to hack: the OS X, Vista, or Linux box. Incidentally, the Linux box never did fall.

[DeaconGraves]

Correct me if I'm wrong, but the guy was able to hack the Mac because the user sitting at the Mac clicked a link e-mailed to him that sent him to a website with malicious code right?

I'm not going to get into an argument about whether OSX is more secure or not (I don't have enough knowledge to do so), but I'm still comforted by the fact that if the user isn't too much of an idiot and doesn't blindly click into any link he/she receives, that person's Mac is still (fairly) secure.

That being said. Fix this hole, Apple, and fix it quick.

[cloudnine]

While it sucks that the MBA got hacked in less than 2 minutes, it's not like that's the full story. The guy who hacked into it was working on the Safari exploit for something like 6 months before the competition. I realize that in hindsight, if your computer gets hacked into, it's not going to matter how long the hacker took to prepare for it... but still... it deserves mention.

If anyone can prove me wrong, please do... I read an article which stated the above, but I can't find the link to validate it.

[ChrisA]

Apple used to make great computers but then they went and changed their name to remove the word "computer" and found that their is more money to be made in iPhones and iPds.

[inkswamp]

I think it's a little ridiculous to start drawing any conclusions about this until all the details are known. However, here's something to keep in mind. All three platforms resisted network-only attacks through day one. That's actually really good news. Where OS X and Windows buckled was during days two and three when the hackers were given various degrees of access to the actual machines. For example, on day two a contestant could instruct someone at the machine to do various things (i.e., "click the link I'm emailing you.") You don't have to be a security guru to know that such a massive relaxation of the rules casts a dubious light on any conclusions drawn about it.

I write a tech blog for my publisher and put up my own thoughts on this contest for anyone interested. In short, what should have been the focus of this event was the fact that all three machines withstood the attacks on day one which was limited to network-only attacks--the kind of attacks most people are concerned about. That's pretty good news.

[bobx2001]

Quote:

Originally Posted by Full of Win

Apple really needs a kick in their complacency.

They sure do, leaving things un-patched for years is beyond being complacent. Chances are, that even when they do fix this there will be quiet about it, as it will be an embarrassment for them. It is good that it is hitting discussion websites like this. Makes it harder to pretend problems don't exist.

[inkswamp]

Quote:

Originally Posted by DeaconGraves

Correct me if I'm wrong, but the guy was able to hack the Mac because the user sitting at the Mac clicked a link e-mailed to him that sent him to a website with malicious code right?

Yes. That's exactly what happened. Once a hacker has any degree of physical access to your machine all bets are off, and drawing conclusions about one platform's security over another on that basis is pretty silly.

It's impressive that Linux withstood that and it's true that Apple needs to address whatever security hole allowed the hacker access, but I don't see the point of claiming superior security of one platform over the other when the hackers were given access to the machine itself.

[shigzeo]

Quote:

Originally Posted by longofest

pretending I didn't hear the "cooler website" part, but either way, no burning hot oil should be poured here.

haha, perhaps i should have said, 'cooler looking'. or at most, 'more colourful'. otherwise, i find them useful or buying accessories but for actual intellectual and good discussion, macrumors are far the better.

I should mention that i was called a microsoft-troll. well, maybe it is true. i use windows every day to use one app: utopia angel so that i can play utopia without getting my poor grasp of maths involved and the kindgom in a bustle.

[inkswamp]

Quote:

Originally Posted by tveric

So why didn't the same-type exploit result in the Vista machine getting hacked in 2 minutes, like the Mac?

Because the Vista machine had SP1 and the hackers weren't expecting that. It took them a while to figure it out, thus the delay.