Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Mac Security In Spotlight
- Thread starter MacRumors
- Start date
- Sort by reaction score
Worried & Switched To Camino
Prior to this competition I honestly wasn't that worried about security on the Mac. While the various media and commentators had suggested that the only reason why the Mac platform was malware-free was due to its low market share, I did think it was a secure platform because no real exploits were ever released. The MacBook wireless hack last year (?) turned into a joke and that just reinforced my feeling that the Mac was secure. This competition has destroyed that feeling.
The hack evidentially requires a degree of social engineering but being able to compromise a user's account by having them simply visit a URL using Safari is scary stuff. As some have pointed out already, it isn't that difficult to introduce a link that people will click on (hey, check out secret spy shots of OS X 10.6 here posted to me by a friend who works at Apple) and while we can try to perform "safe computing", it only takes a single lapse in judgement or a professional job and we're buggered.
On this news I have switch browser to Camino for the simple reasons that it isn't Safari (which remains my preferred browser) and it's a proper Mac application with the Firefox rendering engine. This won't protect me from other flaws in the OS but at least it should protect me from browser-based flaws due to the old low market share argument, which probably carries more weight now.
Prior to this competition I honestly wasn't that worried about security on the Mac. While the various media and commentators had suggested that the only reason why the Mac platform was malware-free was due to its low market share, I did think it was a secure platform because no real exploits were ever released. The MacBook wireless hack last year (?) turned into a joke and that just reinforced my feeling that the Mac was secure. This competition has destroyed that feeling.
The hack evidentially requires a degree of social engineering but being able to compromise a user's account by having them simply visit a URL using Safari is scary stuff. As some have pointed out already, it isn't that difficult to introduce a link that people will click on (hey, check out secret spy shots of OS X 10.6 here posted to me by a friend who works at Apple) and while we can try to perform "safe computing", it only takes a single lapse in judgement or a professional job and we're buggered.
On this news I have switch browser to Camino for the simple reasons that it isn't Safari (which remains my preferred browser) and it's a proper Mac application with the Firefox rendering engine. This won't protect me from other flaws in the OS but at least it should protect me from browser-based flaws due to the old low market share argument, which probably carries more weight now.
Right, and that's the point where you're playing with semantics. You're quibbling with me over the use of the word "physical." From my perspective, if a hacker is granted control over the user's actions on a given machine, that's pretty much the same as physical access.
You talk about this being similar to real-world exploits, but no hacker can tell me what to do on my machine as the hackers were allowed to do here. If the contest allows for the contestants to direct the behavior of someone sitting at the machine, that is physical access by proxy. You can keep quibbling over the use of the word "physical," but it's pointless. At the end of the day, the contestants were allowed to control the user behavior.
It does not wonders me. For me Leopard is more a big bug not a cat.
And if they put OS X on the iPod shuffle, I give a s... about it.
And if they put OS X on the iPod shuffle, I give a s... about it.
But it's not. What they simulated is that could you take over the machine if the user simply visit a website. And you can. But that does not equal "physical access". No matter how much you spin, that fact does not change. When security-experts talk about not expecting security if the hacker has physical access to the machine, they are talking about REAL physical access, and not some virtual pseudo-physical-access you just made up. The physical access they are talking about is the ability to plug and unplug wires, shutting the machine down, opening the case or smashing it with a hammer. None of that was possible in this case.
Maybe not for you, but for lots and lots of people it would be possible. And what if YouTube was hacked with this exploit? Or MacRumors? Or your friends machine was compromised and it sends you a link in email?
No it is not. The control in this case was limited to "hey, visit this URL". Physical access means total access to the computer, including shutting the machine down and adding peripherals.
Their control was limited to sending the target-machine email, and asking the user to visit a website, that's it. That does NOT equal "physical access" by any stretch of the imagination!. And since they point was to see that is it possible to "own" the machine by simply using a website, how exactly should they have tested that, if asking the operator to visit the website is not acceptable? How exactly do you simulate going to a website if you are not allowed to tell the operator what the website is?
Seriously: get back to me when you have something else to add to the discussion, instead of pointless spin and excuses.
This is an early April fool's joke right?
Anyway...
Apple's response time to such 0-day vulnerability patches lags significantly behind that of Microsoft.
This doesn't surprise me at all considering that MS has had so many more security issues compared to Apple prior to Vista... Those guys at MS have had years of practice regarding this issue.
While details of the exploit are under non-disclosure while Apple works on the issue, the sponsor's blog does note that the attack was levied against Safari, after the user was directed to a specially crafted website (as allowed by the rules). The exploit appears to be an overflow bug in Webkit.
Is the typical user really dumb enough to fall prey to a shady looking site? I guess in this case, yes.
Anyway...
Apple's response time to such 0-day vulnerability patches lags significantly behind that of Microsoft.
This doesn't surprise me at all considering that MS has had so many more security issues compared to Apple prior to Vista... Those guys at MS have had years of practice regarding this issue.
While details of the exploit are under non-disclosure while Apple works on the issue, the sponsor's blog does note that the attack was levied against Safari, after the user was directed to a specially crafted website (as allowed by the rules). The exploit appears to be an overflow bug in Webkit.
Is the typical user really dumb enough to fall prey to a shady looking site? I guess in this case, yes.
Just to give an example, take a look at Apple's latest Security Update notes. They just fixed an Apache cross-site scripting vulnerability that was first reported in 2005 (CVE-2005-3352), and which Ubuntu and Redhat fixed in Jan 2006.
If you dig around Apple's security notes you'll often see big lags in fixes for some of their included OSS components. Just take note of the first CVE number, which is the year the vulnerability was reported.
''microsoft sponsors the event in part''
first headline after the event: ''mac OSX gets hacked first! mac is crap!''
am i the only one not surprised about that?
And Also the 0-day thing, i am sorry but of course Microsoft gets patches out faster, THEY ARE A FECKING HUGE COMPANY! they have 10 times more engineers than apple.
oh and i dont believe about this ''no virus/hacks for macs because its only got 7% market share'' a computer is a computer, if its there it will get hacked or get a virus. either no one has been able to do it or no-ones bothered (which is very unlikely).
oh and just to make sure, who here has been hacked?
cheers
first headline after the event: ''mac OSX gets hacked first! mac is crap!''
am i the only one not surprised about that?
And Also the 0-day thing, i am sorry but of course Microsoft gets patches out faster, THEY ARE A FECKING HUGE COMPANY! they have 10 times more engineers than apple.
oh and i dont believe about this ''no virus/hacks for macs because its only got 7% market share'' a computer is a computer, if its there it will get hacked or get a virus. either no one has been able to do it or no-ones bothered (which is very unlikely).
oh and just to make sure, who here has been hacked?
cheers
While details of the exploit are under non-disclosure while Apple works on the issue, the sponsor's blog does note that the attack was levied against Safari, after the user was directed to a specially crafted website (as allowed by the rules). The exploit appears to be an overflow bug in Webkit.
Is the typical user really dumb enough to fall prey to a shady looking site? I guess in this case, yes.
But it doesn't have to be "shady looking site". Usually such websites appear 100% legit. Or they hack some genuine website in such way that it contains the exploit.
Point is (that you guys seem to be missing) that a Mac running the latest version of OS X can be exploited if the user simply visits a website. No further user-interaction is required. If Vista had been exploited in this way and not OS X, you guys would be all over it.
EDIT: As to the "Microsoft sponsors the event!"-argument.... Well, they are one of 19 sponsors. And even though they sponsor the even, their OS also failed, whereas Linux did not. And the funny thing is that Adobe is one of the sponsors as well, and they compromised Vista by using a hole in Flash....
It seems to me that you guys are just desperately trying to cling on every possible straw to minimize this.
well.. it dint fall for the first two days..!!
and besides, what grabbed the headlines, that mac os was hacked or that vista was hacked too, but a lot later.!
ha!
Does this actually change anything?
I can STILL run OS X with no virus protection and blunder from site to site with no ill effects, as has been possible since 2001.
I still CAN'T run Vista with no virus protection and blundering from site to site will either cause me problems or cause the OS to flash up warnings.
Not to mention you literally can't run a fresh install of Win XP for 60 seconds without it being hacked to pieces as soon as you connect to the internet. You actually can't get to the AVG website and install antivirus before it is attacked.
The only useful thing to come out of all this is that it should highlight some bugs Apple (and Adobe and MS etc) have to fix.
I can STILL run OS X with no virus protection and blunder from site to site with no ill effects, as has been possible since 2001.
I still CAN'T run Vista with no virus protection and blundering from site to site will either cause me problems or cause the OS to flash up warnings.
Not to mention you literally can't run a fresh install of Win XP for 60 seconds without it being hacked to pieces as soon as you connect to the internet. You actually can't get to the AVG website and install antivirus before it is attacked.
The only useful thing to come out of all this is that it should highlight some bugs Apple (and Adobe and MS etc) have to fix.
One day, not two. In the first day, none of the OS'es were compromised. In the second day, the rules were relaxed, and OS X was immediately compromised, while the others were not.
What grabbed the headlines is the fact that OS X fell, while Vista and Linux did not. Yes, Vista was compromised later, but only after the rules were further loosened.
Cut the crap. I have XP installed on my MBP which I use occasionally. It has no antivirus installed at all. And guess what? No viruses. None.
Delusional hyperbole does not help here.
This was not a lab test that aimed to prove which machine was the most secure; it was a competition. I'd be worried about security if the MacBook Air was hacked in the first day, but it wasn't, so I think without users specifically changing the Mac in order to open up a security hole (we still don't know how they did it, and won't until Apple's patched it!) the Mac is safe from these hackers. So is the Windows machine, and so is the Ubuntu machine. We don't know from this competition which machine is the most secure and none of the practices used would stand up in a lab test, that' pretty clear.
There was major sponsorship from one party involved and there were no designated hackers for each machine. People could choose which machine they wanted to hack. We don't know if this interfered with the outcome, but in a lab test you'd throw out your results if there was any ambiguity like this.
We have no indication of how much the machines are worth, but come on the thinnest computer in the world or an ugly Linux box. You get to keep the machine that you hack. Which one would you prefer to keep?
The MacBook air is also pretty expensive (more than a decent PC tower), so I wouldn't be surprised if it was by far the most valuable machine. As stated, it was sponsored by Microsoft, and a pretty sexy new Mac was used. You hack the machine, you can keep it I think there is no argument that the MacBook Air was the sexiest machine there for the taking. I would argue it was the most expensive too.
To be honest this opens up a flaw with the contest as the computers weren't all using identical hardware. We are yet to know if it was a bug in a 3rd party device driver for example. All machines should have been using identical hardware, no questions asked. Same manufacturer same hardware different OS.
Um yes we do have a rough idea but not all the details? Is that what you mean?
Okay wise guy, tell me how the machine was hacked. What was the exploit, and what are the exact steps that one could use to reproduce the hack?
The only fact that we know is that the exact exploit is unknown, and we will know once Apple has patched it.
Well Safari is still yet to be hacked in a real world situation. As I said, this was not a lab test, it was a competition where people wanted to win the sexiest machine.
The rules were relaxed to make hacking easier (we don't know how), and after a day and 2 hours of trying the Mac was hacked. Someone won the sexiest machine and shortly after someone took home the Vista machine. The competition was then closed, giving the Ubuntu machine no chance to be hacked.
No, it's related to a similar competition last year, where a Mac was hacked after they allowed access using a USB cable, and also allowed someone to install a 3rd party wireless card, with modified drivers, which gave it a security hole (same thing after time they relaxed the rules and made the machines easier to hack). Apple patched that bug as I questioned before is such a "bug" really a bug? Apple fixes even the obscure things pretty darn quickly! The article claiming they are slow has no real lab data to rely on you will notice if you read it
I suggest you look up the definition of a straw man argument. My example is a pretty accurate rendition of what happened. People had complete access to 3 computers. They could install software on all 3 machines and use all 3 machines quite freely. No attempts could be made by the machine's owners to stop any wrongdoing. If anything, it was a straw man competition and the computers were the straw men.
Lets make this clear the Mac was not hacked using factory settings. The rules were relaxed and the Mac was modified. People had access to all of its (few) I/O ports, and could play around with the Mac's software. It was the crown jewel of all the prizes (being the world's slimmest computer), and I think all that this article highlights is that people really like the MacBook Air.
People have access to the Ubuntu source code all of its security flaws are out there in the open. If somebody wanted to hack it first I believe they could have, however it was the least valuable option. It was probably similar to the Vista machine, however didn't come with a vista license so was less valuable.
There was major sponsorship from one party involved and there were no designated hackers for each machine. People could choose which machine they wanted to hack. We don't know if this interfered with the outcome, but in a lab test you'd throw out your results if there was any ambiguity like this.
We have no indication of how much the machines are worth, but come on the thinnest computer in the world or an ugly Linux box. You get to keep the machine that you hack. Which one would you prefer to keep?
The MacBook air is also pretty expensive (more than a decent PC tower), so I wouldn't be surprised if it was by far the most valuable machine. As stated, it was sponsored by Microsoft, and a pretty sexy new Mac was used. You hack the machine, you can keep it I think there is no argument that the MacBook Air was the sexiest machine there for the taking. I would argue it was the most expensive too.
To be honest this opens up a flaw with the contest as the computers weren't all using identical hardware. We are yet to know if it was a bug in a 3rd party device driver for example. All machines should have been using identical hardware, no questions asked. Same manufacturer same hardware different OS.
Um yes we do have a rough idea but not all the details? Is that what you mean?
Okay wise guy, tell me how the machine was hacked. What was the exploit, and what are the exact steps that one could use to reproduce the hack?
The only fact that we know is that the exact exploit is unknown, and we will know once Apple has patched it.
Well Safari is still yet to be hacked in a real world situation. As I said, this was not a lab test, it was a competition where people wanted to win the sexiest machine.
The rules were relaxed to make hacking easier (we don't know how), and after a day and 2 hours of trying the Mac was hacked. Someone won the sexiest machine and shortly after someone took home the Vista machine. The competition was then closed, giving the Ubuntu machine no chance to be hacked.
No, it's related to a similar competition last year, where a Mac was hacked after they allowed access using a USB cable, and also allowed someone to install a 3rd party wireless card, with modified drivers, which gave it a security hole (same thing after time they relaxed the rules and made the machines easier to hack). Apple patched that bug as I questioned before is such a "bug" really a bug? Apple fixes even the obscure things pretty darn quickly! The article claiming they are slow has no real lab data to rely on you will notice if you read it
I suggest you look up the definition of a straw man argument. My example is a pretty accurate rendition of what happened. People had complete access to 3 computers. They could install software on all 3 machines and use all 3 machines quite freely. No attempts could be made by the machine's owners to stop any wrongdoing. If anything, it was a straw man competition and the computers were the straw men.
Lets make this clear the Mac was not hacked using factory settings. The rules were relaxed and the Mac was modified. People had access to all of its (few) I/O ports, and could play around with the Mac's software. It was the crown jewel of all the prizes (being the world's slimmest computer), and I think all that this article highlights is that people really like the MacBook Air.
People have access to the Ubuntu source code all of its security flaws are out there in the open. If somebody wanted to hack it first I believe they could have, however it was the least valuable option. It was probably similar to the Vista machine, however didn't come with a vista license so was less valuable.
How exactly does the OS in the machine make it "ugly"? And the "ugly Linux-box" was a Sony Vaio VGN-TZ37. Is Sony known for making ugly computers?
And the person could easily sell the machine and use the money to buy that oh-so-gorgerous MacBook Air if he wants to.
Why are you comparing the Air to a PC-tower? Do you for some reason think that the Linux-box was some kind of generic beige-box computer or something? If your knowledge on this incident is that limited, I fail to see the point of this discussion.
It was sponsored (among others) Microsoft and Adobe. And this test wasn't really a ringing endorsement for either of them.
Sony doesn't make exactly cheap laptops....
Pray-tell: exactly what "3rd party device drives" would that be? Besides, it was a bug in WebKit.
But the successful attacks were not caused by drivers. Mac was compromised by a bug in WebKit, Vista fell to a hole in Flash. How exactly would different hardware change anything?
We know what and how the systems were hacked, but we do npot know the details. The details are only known to the relevant vendors and the winners, so that they vendors can fix the holes. But we DO know that Mac fell to a hole in WebKit that was exploited by a malicious website, and Vista's downfall was a hole in Flash.
That information is confidential (or would you like that information to be spread around the net, before Apple and Adobe could fix the hole?), but we do have general information.
Oh yes, this is the "they were all going after MacOS, no-one was hacking Vista or Linux!"-argument
Yes we do know! Sheesh!
On first day, no machine was hacked. Then rules were relaxed, and on the beginning of the second day, MacOS was hacked. On the beginning of third day, again after rules were relaxed (and not right after MacOS) Vista fell.
Except that nothing like that happened here. they used the shiiping OS with the apps that ship with it. Only on third day (the day Vista fell) they allowed third-party apps.
Oh yes, a bug in Safari's html-renderer that compromises the machine if the user goes to a wrong address is not really "a bug".....
"A straw man argument is an informal fallacy based on misrepresentation of an opponent's position.[1] To "set up a straw man" or "set up a straw man argument" is to describe a position that superficially resembles an opponent's actual view but is easier to refute, then attribute that position to the opponent (for example, deliberately overstating the opponent's position).[1] A straw man argument can be a successful rhetorical technique (that is, it may succeed in persuading people) but it carries little or no real evidential weight, because the opponent's actual argument has not been refuted.[2]"
No it's not. You made the claim that what we have here is something similar of having a UNIX-guru using your computer with all kinds of cables going to the computer, with him installing kernel-extensions for two days etc. etc.... But this was NOT like that! This was a case where the user of the Mac went to certain website using the built-in browser in OS X, and his machine was compromised!
No they did not. Sheesh!
No they could not!
And you base that assumption on what exactly?
you are completely, utterly wrong. 100% wrong.
OpenBSD is considered the most secure OS out there, and it's source is available for anyone to read. Just because the source is available does not mean that the machine is easier to crack.
What are you basing that assumption on?
Vista-machine was a Fujitsu Lifebook that has prices starting at around 1000 bucks. Linux-machine was a Sony Vaio, that propably costs a lot more than that.
It's becoming quite clear to me that you have exactly ZERO knowledge about the subject at hand.
EDIT: and regarding what is and isn't "physical access", the rules of the contest say this: "No physical access to the machines.".
So did about 20 other companies including Adobe whose product, like Microsoft's, was hacked.
What's your point exactly?
As a note, Evangelion is absolutely right in what he says and I'm afraid that some of the spin-infested and nonsensical arguments that he's having to reply to are just downright ignorant and shameful.
The basic facts are this:
1) No machine was capable of being remotely hacked under normal, secure operation.
2) Once the machines were put into 'stupid user' mode the Air fell to a prepared exploit. The other machines did not.
3) Once the rules were relaxed further the Vista machine fell to another prepared exploit.
4) The developers had worked out that the Linux machine could also be exploited but, frankly, by that point no-one could be bothered as the comprtition was over.
What does this prove?
Well, generally it means that unless you do something a bit silly you're pretty safe regardless of what OS you use. That's about it.
Take a chill pill Evangelion.
As I have continuously said, we have no idea what the reported hack did, or how to reproduce it step by step. You keep claiming that we know everything about it, and that it was directly a bug in Webkit. May I ask then why wasn't it hacked on the first day?
Your attack on my knowledge is ludicrous as you are continuously jumping to conclusions about something I, and others, are repeatedly claiming needs further examination.
No, I don't know everything about this topic, that's why I'm going to wait until something official rather than the results of a competition is released.
I repeat in bold
Nobody knows what the exploit is or how they did it step by step.
Stop claiming you do, you don't. All we know is that is was made possible after the rules were relaxed on the second day. The system was changed to be more vulnerable, and before this change it was invincible.
As it was reportedly a Webkit bug, I wouldn't be surprised if the Ubuntu machine also had the bug, seeing as Webkit and Konqueror are pretty well the same thing. We'll know if this is true when the technical details come out (just incase you were ready to jump to another conclusion)
I've checked the machines. The MacBook Air was the most expensive. You could not have sold one of the other ones on the 2nd hand market and bought the MacBook air. It was definitely the crown jewel sorry, but that's all the competition shows. People wanted to win a MacBook Air.
PS - Your deconstruction's of my comments are flattering I'm glad you took the time.
As I have continuously said, we have no idea what the reported hack did, or how to reproduce it step by step. You keep claiming that we know everything about it, and that it was directly a bug in Webkit. May I ask then why wasn't it hacked on the first day?
Your attack on my knowledge is ludicrous as you are continuously jumping to conclusions about something I, and others, are repeatedly claiming needs further examination.
No, I don't know everything about this topic, that's why I'm going to wait until something official rather than the results of a competition is released.
I repeat in bold
Nobody knows what the exploit is or how they did it step by step.
Stop claiming you do, you don't. All we know is that is was made possible after the rules were relaxed on the second day. The system was changed to be more vulnerable, and before this change it was invincible.
As it was reportedly a Webkit bug, I wouldn't be surprised if the Ubuntu machine also had the bug, seeing as Webkit and Konqueror are pretty well the same thing. We'll know if this is true when the technical details come out (just incase you were ready to jump to another conclusion)
I've checked the machines. The MacBook Air was the most expensive. You could not have sold one of the other ones on the 2nd hand market and bought the MacBook air. It was definitely the crown jewel sorry, but that's all the competition shows. People wanted to win a MacBook Air.
PS - Your deconstruction's of my comments are flattering
I'm glad you took the time.The Ubuntu laptop was an 11.1" ultraportable Vaio worth around $2200. But even if it was less expensive or attractive, it doesn't even matter. Because each of the 3 machines came with its own cash price, and the attacks on the Vista and Ubuntu machines continued after the Mac was down, but nobody succeeded until the third day. Even if you're in it for the Air, you'd want to target the easiest machine, as $10,000 will buy you 5 MacBook Airs.
They aren't. Webkit is a fork from Konqueror, and has deviated significantly. There were some voices to remerge Webkit into KDE, but that hasn't happened yet. But even it they were, the test was a default Ubuntu, which doesn't include any Webkit based browsers.
Technically, this is true in much the same way that you can do this in Windows or any other OS up until the point you trip over a malicious website. What this competition has proven is that your Mac can indeed be hacked whilst running the newest versions of its software. That one person has figured out how to do this and is prevented from disclosing the details does not preclude others and the only thing preventing this really is the old "Macs have a low market share" excuse since now we know they are vulnerable.
By reports the flaw in WebKit enabled the hacker to open a port on the target Mac that enabled them to use Telnet in order to gain access. If you are using a router to connect to the Internet that employs NAT then you should (if my old networking theory is correct) be protected from this hack because while the port can be opened the hacker can't connect to it until the port connects to them and the router can map a private port to a publicly accessible one. Given this I believe this is only something to be worried about when you are connected to public network, such as a wireless hotspot or using a direct connection to the Internet.
Because Day 1 only permitted attacks to take place over the network to services already running by default on the target. Day 2 relaxed the rules to enable exploits of 1st party applications already installed on the target - in this case Safari. Day 3 allowed the hackers to exploit common 3rd party applications and that's why Vista succumbed to the Adobe Flash attack.
I will say finally that you simply don't understand what you are talking about and your efforts to make this issue sound like some sort of conspiracy against the Mac is incredible. Evangelion has been spot-on each time. You are familiar with Phishing attacks, yes?