Canadian Mac Forums at ehMac banner
1 - 20 of 38 Posts

·
Registered
Joined
·
898 Posts
What's absolutely funny is, where are all the $10,000 to break in to a Vista or XP box contests? Or even more comparatively who is offering up $10,000 to find a hole in Explorer?

The article is ridiculous, and the contest looks strangely suspect. Isn't a line like this
Macs haven't been targets for hackers and malicious code writers nearly to the degree that Windows machines have historically. That's in part because there are fewer Macs in use
kind of indictative of the reportage you are getting. The fact that Macs haven't been targets of hackers has nothing to do with it being harder to break the unix under pinnings, right? And the same reason why so many people would rather go the harder route of working their way up for years and years building a fortune as opposed to buying a lottery ticket or suing McDonalds for a crotch burn, from coffee…
 

·
Premium Member
Joined
·
1,481 Posts
Not only did the hack need user intervention (someone had to navigate to a malicious web site in Safari), but they also had local wireless network access. This does not mean that people can hack your Mac over the internet. Without having all the details, it's hard to say exactly under what conditions this could occur.

Bottom line is no OS or software is perfect, and almost anything is possible if you can trick the user into doing something for you. The great news is this:
  • This exploit will be reported to Apple, who will patch it in due time.
  • Mac OS X was still not remote exploitable without intervention, even with a $10,000 cash prize being offered. This means it's still not possible to get hacked/infected by just being connected to the internet. Something that can't be said for Windows.

Unfortunately, Windows blowhards will be jumping all over this as some sort of justification to claim that Macs are just as insecure as Windows. Somehow 1 exploit which requires user intervention will be equated to the hundreds or thousands that have been found for Windows which any script kiddie can utilize, or the hundreds of thousands of in the wild viruses for Windows, which as of yet not a single has appeared for Mac OS X, after more than six years on the market and over 20 million users.
 

·
Registered
Joined
·
376 Posts
Since a default Mac could have been "rooted" using very unsophisticated methods just by visiting a malicious website, and that situation existed for years - the entire shipping life of Panther plus almost a year of Tiger, it wouldn't surprise me if more sophisticated methods could be used now to do the same thing.

Sure it requires user intervention, but who here hasn't clicked on a link before? Ok, so still no comparison to windows, and it took a cash prize to motivate someone to come forward with it but it's still an exploit and I don't think it should be downplayed.
 

·
Premium Member
Joined
·
9,103 Posts
Discussion Starter · #5 ·
I find the factual information in the article very poor. It's mostly sizzle and no steak.
The feedback comments there and also here on ehMac raise a lot of questions that are not answered.
The way I read it, you need to

a. Open a 'spam' email
b. Click on a link sent to you in an email where you don't know the sender
c. Be running Safari

For me personally - I would never do a. or b, and I use mostly Firefox and Camino. I'm sure they have their own problems.

But in general - how does this differ from the "proof of concept" vulnerabilities that were demonstrated in the lab and for which Apple issued several security updates that it warrants any prize?
Seems to me this is more of a publicity stunt than anything else.
 

·
Registered
Joined
·
781 Posts
Initially, contestants were invited to try to access one of two Macs through a wireless access point while the Macs had no programs running. No attackers managed to do so, and so conference organizers allowed participants to try to get in through the browser by sending URLs via e-mail.
So when nobody could do what was asked, they simply made it easier. Sounds to me like the contest's goal was to prove an insecurity in the Mac OS. That said, I suppose this could be a big deal if someone were to send out a fake credit card/PayPal/whatever email which linked to a malicious site.

Of course, I run Firefox, so Safari problems aren't gonna bite me. ;)
 

·
Registered
Joined
·
804 Posts
I question the security threat. Must be nice to say that you hacked something and not tell anyone how you did it.
The stunt was further contaminated by the fact that they couldn't hack into it remotely, so they changed the rules so someone would be successful.
Then the only way they claim to have done it is by allowing a URL and script to penetrate the system using Safari. That doesn't sound like hacking to me.
Someone paid $10,000 to get international publicity. It was a good buy.

It will come out eventually.
 

·
Premium Member
Joined
·
9,103 Posts
Discussion Starter · #8 ·
Demosthenes X said:
........... I suppose this could be a big deal if someone were to send out a fake credit card/PayPal/whatever email which linked to a malicious site.
I doubt it.
Unless you have been living on the moon, you should be able to spot a fake credit card/bank/paypal email a mile away.

If in doubt, copy the actual URL and paste it into word or some text program - then it becomes painfully obvious where you are linked to if you click on this URL.
 

·
Registered
Joined
·
376 Posts
All you would have to do is be running Safari, and eg. researching something and clicking on a web search result that pointed to a malicious site. Or if hackers manage to take over a dns server or a legitimate site that you happen to routinely go to - maybe some of those sites are even running on sloppily administered windows boxes.

Then it uploads all of your personal data somewhere, and mails copies of itself to everyone in your addressbook. All of those relatives that you convinced to buy Macs are probably going to open an e-mail they get from you. And if you or any of the recipients happen to be using an admin account, then the personal information and addressbooks of all of the people with accounts on the infected machine are up for grabs as well.

One thing that I think makes this exploit worth noting is that it didn't just cause a crash - the descriptions are vague but it looks like code was executed to the point that a backdoor was installed. Another thing that stands out is that it isn't a case of a malicious local user using a local exploit, actively trying to take over the machine (a problem eg. in schools, though not the type of threat most home users don't have to worry about), but rather anyone innocently surfing the web can be hit. User interaction is required, but I draw a line between downloading and running an untrusted application, and clicking a web link in a browser - something that should be more of a "viewer" of content than something that executes it.

Apple will patch it, then we can forget about it, though another will no doubt come along at some point. But don't be distracted by the manner in which this came to light - because there is a known working exploit out there, as of this moment, using Safari can be considered to be risky behaviour.
 

·
Premium Member
Joined
·
9,103 Posts
Discussion Starter · #10 ·
biovizier - I think you are jumping to a lot of conclusions.
The article I linked to is extremely vague about many things including to what degree the Mac was actually compromised.
I hope someone will eventually find an article with some facts of exactly how the Mac was set up and to what degree the "hacker" had access to the root level of the software.
 

·
Registered
Joined
·
376 Posts
There are many articles, though none are really comprehensive. In terms of susceptibility, the contest organizers had this to say after nobody demonstrated a purely remote attack:
2007-04-20-12:30:00.Attack_the_browser
There has not been a successful attack. Time to expand your attack surface. Email links to <pwn2own [at] cansecwest.com> and we will visit them from the target machines using Safari.
They aren't implying anything fancy, but are acknowleging that some user interaction is required on the target machine, and the links were to be visited from the target machine using Safari, the default browser on the Mac. According to matasano.com, firefox is vulnerable as well.

Ok, so if I'm jumping to one conclusion, it's that clicking the link downloaded enough code (javascript according to one reference) to result in arbitrary commands being executed on the computer.

But isn't a stretch to imagine that software contains bugs that can lead to arbitrary code execution - just look at any of the "About Security Update..." articles Apple puts out. And historically, - "click a link and run code" bugs have been demonstrated on OS X as well, so there is nothing surprising that another has been found.

If arbitrary code was indeed run, the degree to which the Mac was compromised doesn't really matter - the user's documents are all at risk. If the user is an admin as the majority of Mac users are, then that means a root exploit is well within reach, and that is not an assumption. Never mind the test system, it's the ones in the hands of ordinary users that matter - the ones that use their computer for surfing the web from their default admin accounts.

Perhaps I'm jumping to conclusions by assuming their claim of a hack succeeded, but then you are assuming that they are not telling the truth. The point I'm trying to make is that an exploit of this nature is well within the realm of feasibility so I would prefer to err on the side of caution.
 

·
Registered
Joined
·
781 Posts
krs said:
I doubt it.
Unless you have been living on the moon, you should be able to spot a fake credit card/bank/paypal email a mile away.

If in doubt, copy the actual URL and paste it into word or some text program - then it becomes painfully obvious where you are linked to if you click on this URL.
:confused: That's an incredibly naive way of thinking, I'd say. There are lots of people who have no reason to doubt emails that appear to come from banks/credit card companies/etc. There was a thread on this very forum a while back where the poster entered all his personal information into a phishing site because he got a legitimate-looking email.

People like you or I might not fall for it, but for the average user, if they get an email from their bank asking them to click a link, chances are they will. And that might just present a threat.
 

·
Premium Member
Joined
·
9,103 Posts
Discussion Starter · #13 ·
Demosthenes X said:
There was a thread on this very forum a while back where the poster entered all his personal information into a phishing site because he got a legitimate-looking email..
In the thread I remember, the poster realized he had made a mistake right after he sent the confidential info out......I guess he should have thought a bit more before he 'clicked' send.

I just find, with the number of warnings I have received from the bank/cc company that they would never ask for this confidential information - and the warnings all over the net - and the emails telling you that your account at a bank you never heard of before will be closed if you don't immediately send all your confidential information....with all that, that there are still people who can be conned into sending this information out.
But I suppose you're right, a s........is born every minute - I guess that hasn't changed.
 

·
Registered
Joined
·
376 Posts
CanSecWest Vancouver 2007, where the contest took place.
http://cansecwest.com/
Note the speakers include people like Mark Russinovich who alerted the world about Sony's rootkit, academics from universities, and a representative from the US Dept. of Homeland Security. So this isn't some shady gathering of pimply script kiddies - it appears to be a legitimate security conference. So if one of the organizers says "Currently, every copy of OS X out there now is vulnerable to this", I would be inclined to take their word for it (although I would ask for clarification regarding 10.0 and 10.1 which didn't have Safari).

These would fall in to the less verifiable / word of mouth category, but here they are:
Macaulay described Dai Zovi's vulnerability as a client-side javascript error that executed arbitrary code when Safari visited a booby-trapped website.
http://www.theregister.co.uk/2007/04/20/pwn-2-own_winner/
Suggesting all it would take is clicking on one bad link on a web page somewhere.

The vulnerability affects Firefox as well as Safari. More details, momentarily.
http://www.matasano.com/log/806/hot-off-the-matasano-sms-queue-cansec-macbook-challenge-won
The promised details haven't appeared yet. They also indicate that last Thursday's Security patch did not address the issue. I'm not sure what the connection is between matasano.com and Macaulay or Dai Zovi, but anyway, that's what they're saying...
 

·
Premium Member
Joined
·
8,815 Posts
Demosthenes X said:
I suppose this could be a big deal if someone were to send out a fake credit card/PayPal/whatever email which linked to a malicious site.
But those type of phishing scams use no hacking technology at all. It is a spoofed website and purely stupid-human-enduser driven, where the original, legitimate PayPal (or whatever) info is entered by the victim, goes into a database on the back-end for the hackers to break in to your account and clean you out (or sell to other nefarious individuals). The spoofed page where the victim enters new login/password settings is "a blank".
 

·
Registered
Joined
·
781 Posts
Yes... what's your point? If people fall for these scams to the point that they enter their personal information, then an exploit that requires that people simply click a link could easily target a large number of people...

All one has to do is click the link and the blow is dealt. And I can guarantee that, for a lot of users, if they get an email saying "click this link or else", they'll do it. Look at the number of people that forward stupid chain letters because if they don't someone will come out of their screen and eat their eyeballs.

Hell, there's a million ways one could exploit this particular flaw. "You have received an eCard from John, click here to see it". And bam, you're under attack.
 
1 - 20 of 38 Posts
Top