MacBook Air Hacked In Two Minutes


Tigermike

MacBook Air Hacked In Two Minutes

Security researchers from Independent Security Evaluators managed to hack a MacBook Air using a zero-day vulnerability in Apple's Safari 3.1 Web browser.

By Thomas Claburn

InformationWeek

March 28, 2008 02:00 PM

Mac OS X's reputation for security was tarnished Thursday when a team of researchers from Independent Security Evaluators (ISE) managed to hack a MacBook Air in two minutes using a zero-day vulnerability in Apple's Safari 3.1 Web browser.

The ISE security researchers -- Charlie Miller, Jake Honoroff, and Mark Daniel -- were participating in the "PWN to OWN" competition at the CanSecWest security conference, which began Wednesday in Vancouver, British Columbia.

"Pwn" is computer gaming slang for "own," as in conquer. The "p" typo serves to heighten the humiliation of defeat by emphasizing that the loss came at the hands of a youth who can't even spell or type correctly. The term has also come to be used in security circles.

Contest participants had their choice of trying to hack an Apple MacBook Air running OS X 10.5.2, a Sony Vaio VGN-TZ37CN running Ubuntu 7.10, or a Fujitsu U810 running Vista Ultimate SP1. During the first day, when attacks were limited to network attacks on the operating system, no one managed to compromise any of the systems.

That changed Thursday when attacks on default client-side applications -- Web browser, e-mail, IM -- were allowed. The ISE team won $10,000 from security firm TippingPoint Technologies for compromising the MacBook Air.

The undisclosed vulnerability in Safari 3.1 has been shown to Apple and no further information about it will be revealed until Apple can issue an update, TippingPoint said.

In a blog post on Friday, TippingPoint said, "[S]ince the Vista and Ubuntu laptops are still standing unscathed, we are now opening up the scope of the targets beyond just default installed applications on those laptops; any popular third-party application (as deemed 'popular' by the judges) can now be installed on the laptops for a prize of $5,000 upon a successful compromise."

Apple did not respond to a request for comment.

http://www.informationweek.com/news/showAr...cleID=207000434

Not surprising despite the false advertising from Apple and constant unending bleat from their fanbois. Last year it was QT and this year it was Safari.

Couple that with what Apple did last week pushing out Safari to Windows users via their iTunes software update. Apple has benefitted from being insulated in its own little sandbox but as their market share increases the engineers at Cupertino will have to stop drinking their own Kool Aid and take security seriously.

Btw, "Vista-Sux" finally went down....

"The flaw [for Vista] is in something else, but the inherent nature of Java allowed us to get around the protections that Microsoft had in place," he said in an interview shortly after he claimed his prize Friday. "This could affect Linux or Mac OS X."

Some of the show's 400 attendees had found bugs in the Linux operating system, she said, but many of them didn't want to put the work into developing the exploit code that would be required to win the contest.

Earlier, Miller said that he chose to hack the Mac because he thought it would be the easiest target. Vista hacker Macaulay didn't dispute that assertion: "I think it might be," he said.


The fuller picture tells something slightly different. For one, the headlines are sensationalistic. It wasn't "hacked" in two minutes. The first day, no one could hack into any of the machines. No one hacked into it remotely. For the second day, the rules of the contest were relaxed, which led to this social engineering attack. The exploit happened two minutes into the second day after the relaxing of the rules. That's a tad different.

Some other interesting tidbits:

John Gruber of the Daring Fireball says the “contest-winning exploit took advantage of an overflow bug in the PCRE regex library used by WebKit’s JavaScript engine.” That means that Miller reused his same vector of attack on the iPhone last fall, and suggests that Miller knows a lot about PCRE and identified a new bug. Gruber says the issue has been immediately addressed within WebKit’s JavaScriptCore. This suggests that the entire contest was about Miller proving he could temporarily outsmart an open source development project for a few days, rather than having anything significant to do with relative platform security between Macs, Windows, and Linux.

...The researcher who cracked the Vista machine was stymied by the fact that he didn’t expect it to have SP1 installed, according to a follow up report by IDG’s Robert McMillan. So Miller was better prepared than the second place winner. That’s a positive reflection on Miller more than a negative reflection on Mac OS X.

Incidentally, last year Apple released a Mac OS X update prior to CanSecWest that similarly addressed several exploits contestants were planning to use. This year, Mozilla also pushed out Firefox 2.0.013 the day before the contest, patching flaws that might otherwise have been used to attack the Ubuntu installation.

The date CanSecWest is held, relative to release of security updates by each vendor, results in a variable that can have a big impact on the contest but doesn’t really say anything about the overall security of each platform. Had the contest been held prior to the release of Vista SP1 (which was released a full year after Vista arrived), it would have reflected the actual level of security Vista users enjoyed throughout 2007. Instead, it only reflects the state of Vista for users who have elected to install SP1, which has been dogged by problems of its own.

http://www.roughlydrafted.com/2008/03/29/m...-targets-apple/

What's funny is, no matter how many of these contests they run, they never seem to crack it remotely and even as Apple's profile and Mac marketshare continues to rise, there never seems to be any kind of outbreak or anything happening in the wild.

I know some will write this off to Mac bias and that's fine, but I read articles on such contests and purported exploits all the time and when all the facts are taken into account, it ends up rating one big "meh." The fact is, the sum total of actual viruses, trojan horses and spyware/malware infections in the wild on the OS X platform still equals zero. That's zilch, nada, none. To the point that in six years of running Macs both at home and at work, I've still never had any of those things get my computer and I've never run any antivirus or antispyware products on any of them.

Congrats on this guy picking up a cool 10 G's, but had this been anything that would really make it in the wild and benefit malicious hackers, it would be out there making somebody a lot of ill-gotten money. As it stands, it amounts to a well-paying parlor trick that didn't even involve Apple code.

Eh, I have to agree with Titan on this one. I have been running a Mac for four years and I don't have any anti-virus or spyware on it like I do my PC. That is one of the benefits of owning a Mac. I am not an Apple fanboi by any means. Like I have stated earlier, I still have my beefs with MS, Apple and a lot of the Open Source OS's but I would rather run OS X for my desktop than anything else out there simply b/c I don't have to clean it up that often.


For those of you complaining about the Safari update, you should be more thankful. Safari 3 for Windows is vastly superior to IE, and is in fact faster than Firefox. Apple fixed an enormous number of bugs with memory usage and slowdown with Safari, and I'm using it right now on my XP machine. In my 15 years of Mac use, I've never experienced a virus of any kind, from a lowly 100 MHz PowerMac 7500 up to my shiny new MacBook Pro.

I wouldn't say it's vastly superior. Actually I can't tell much of a difference between any of the browsers at this point.

And it doesn't matter how the browsers compare...the forcible update procedure is the point of the comment.


Forcible? Not exactly. You can easily uncheck the box by Safari and not install it. If anything it's at least more clear that you can do that with Apple Software Update than it is with Windows Update. Windows Update defaults to a screen that doesn't list what's being installed and auto-checks "Express Install" which installs everything it pulls down without listing what it is. You have to click "Custom Install" then go to the list to decide if there are things you don't want. Apple Software Update defaults to a list showing you exactly what's about to be installed before you click "OK" with the opportunity to uncheck anything you don't want.

The only thing Apple could/should have done to make it even clearer would have been to have Safari listed, but unchecked by default.

Pretty much most of the reasons I will never get a windows MACHINE again (I will get BootCamp though)

No Viruses

No worry about not starting up

No Spyware

No worries about videos corrupting my hard drive

Of course I have heard about the Mac viruses, etc.....but I have yet to have a problem with it


I have been using Windows based PCs for many, many years with no infection or spyware. If you'd all stop downloading Russian porn and not open every email attachment it wouldn't be a problem.


Well, it might help if people didn't pirate music, movies and software off of Limewire and BitTorrent too since people put bogus files or files with a little extra hidden something out there to nab the unsuspecting. But people do things like that. And if they aren't keeping antivirus and antispyware tools up to date and scanning their system regularly, they can get infected. And people make mistakes. They open attachments thinking they came from a friend or click a link someone sends them and then it's too late.

I just got through cleaning up my sister-in-law's laptop from a nasty trojan horse that she most likely caught off Limewire. But the chances of such a thing happening even with her stupidity if she had a Mac are a hair above zero if not zero exactly.
