One Mac hack bounty claimed, one to go
No sooner said... the first half of the CanSecWest MacBook Pro hack challenge has been won, with an exploit that uses a malicious webpage to gain a user-level shell via Safari. The second challenge, requiring root access on the target machine, has yet to be won (and requires the use of a different exploit). As far as we know right now, this is a zero-day exploit without a known patch. (Grrr.)
It's worth mentioning the elephant in the room for this contest: where was the $10,000 bounty for a similar takeover of a Windows XP or Vista stock patched configuration? It wouldn't have taken a day, that much is certain.
More news as it comes... thanks to our vigilant commenters for the link.
graphic: Sebastiaan de With
[via Matasano]

Reader Comments (Page 1 of 1)
derek said 9:02PM on 4-20-2007
#1... this dude could be full of bull shit
#2... it just downloads a file, any idiot who downloads an unknown file from any unknown site deserved to get a virus
#3... it isn't a hack!!!!!!!!!!!!! wtf it's just like a script that can hack it. it doesn't even have what it does!!!!!
Reply
Michael Rose said 9:16PM on 4-20-2007
Hey Derek --
#1, the conference organizers have confirmed the exploit and awarded the MacBook Pro + $10,000. http://www.cansecwest.com
#2, this was part of the contest rules: URLs could be sent that would be opened in Safari in 'stock' configuration. No word yet on whether this is a variant on the 'Open Safe Files' vulnerability, but Gruber says not: http://daringfireball.net
#3, in order to win the challenge he had to get access to the filesystem (specifically the user's home folder) and follow instructions there. The posting indicates that he got shell access, which would involve turning on SSH (it's off by default) via the Safari exploit.
For all of this, I can't imagine that a stock configuration of Windows XP or Vista would have lasted a day in a similar contest. Probably not even an hour.
Reply
derek said 9:44PM on 4-20-2007
an update just came out... maybe it fixes it?
Reply
nathanh said 9:51PM on 4-20-2007
Michael Rose wrote: "The posting indicates that he got shell access, which would involve turning on SSH"
That's not what they're talking about here. This is an overflow in Safari and Safari itself fork/execs the shell. The shell is available over the existing HTTP connection that Safari made to the website.
Reply
Michael Rose said 10:06PM on 4-20-2007
Nathan, sorry, my mistake.
Derek, these machines were patched with Thursday's update prior to the challenge.
Also answering a comment from Derek that hasn't cleared yet: This isn't a virus, it's an exploit. Most definitions of 'virus' imply self-replication capability, which this code doesn't have. Moreover, it's not the first such exploit.
Reply
Pete said 10:17PM on 4-20-2007
Once again Safari is the weak link. I much prefer it to any other browser (yes, even Firefox), but it is by far the most problematic app on my Mac right now.
Reply
Macskeeball said 11:54PM on 4-20-2007
A few simple preventative steps can go a long way.
It's best to not run as admin for your everyday user, because you can almost always authenticate when you actually need admin privileges. The greater your user level, the greater potential for damage caused by malicious code.
Definitely turn off automatic opening of "safe" downloaded files in your browser preferences, whichever browser you use.
Reply
Dina said 12:20AM on 4-21-2007
Dude! Check this out: http://store.apple.com/1-800-MY-APPLE/WebObjects/AppleStore
Reply
Ryan said 1:40AM on 4-21-2007
Apple Store is down!
Reply
Steve Shickles said 8:05AM on 4-21-2007
$10,000 + MacBook Pro.. Wow!
Reply
Robert Paege said 10:50AM on 4-21-2007
Please show me where it says "...these machines were patched with Thursday's update prior to the challenge."
All I can find in the article is where it says "...the latest security patches have been applied." Whatever that means.
In any case I'm really glad I rarely if ever use Safari.
Reply
Chris said 10:56AM on 4-21-2007
oh no! The precious Mac OS X image is being tainted, throw out some irrelevant comment about Windows to make us all feel better.
Don't get me wrong, Mac OS X is a better OS all around, but does anyone really believe any OS is perfect? With greater market share and popularity comes greater interest in exploit. I predict this is only the beginning.
Welcome to the social.
Reply
Sebastiaan de With said 12:51PM on 4-21-2007
I emailed you guys about the icon used for the article, please read it ;)
Anyway, I did some commenting on digg about this. I am quite unsatisfied with the quality that goes into these 'hackathons' lately. I find it a good example of the security of a Mac. Although details are sparse, I hope this gets some documentation soon.
Reply
mitcho said 3:52PM on 4-21-2007
"Where was the $10,000 bounty for a similar takeover of a Windows XP or Vista stock patched configuration? It wouldn't have taken a day, that much is certain."
What is your source for this? An identical competition was not set up for Vista, so we wouldn't know. And even if you have a good reason to say this, you've got to cite your source--this is just poor journalism.
These are the kinds of comments that get us loyal Mac users blanketed as idolaters. Michael Rose, I'm very disappointed.
Reply
Danno said 10:52AM on 4-22-2007
What surprised me in reading up on the attack is that this is supposedly a Firefox vulnerability too.
Reply
Michael Rose said 12:03PM on 4-22-2007
Mitcho --
a) I'm a blogger, not a journalist; I'm sorry you don't approve of my failure to cite sources, but that line about XP and Vista was something we bloggers call "opinion & hyperbole."
b) http://www.google.com/search?q=vista+exploit
c) The reason for the contest in the first place was to gain publicity and point out security weaknesses in the Mac platform. There's no publicity boost for doing the same on Windows because there's nothing special or unusual about a Windows exploit; they are tragically common.
It may be tired and hackneyed to mention Windows security in the same breath as Mac OS X security, but these are the top two consumer platforms and it's the only comparison in town. If Microsoft's increased investment in security pays off and malware becomes extinct on that platform -- or if there's parity between Mac and Windows risk profiles -- we'll cover that too.
Reply