
MacBook Hacked In Contest Via Zero-Day Hole in Safari

Zonk posted more than 7 years ago | from the and-the-winner-is dept.

Security 156

EMB Numbers writes "Shane Macaulay just won a MacBook as a prize for successfully hacking OS X at the CanSecWest conference in Vancouver, BC. The hack was based on a Safari vulnerability found by Dai Zovi and written in about 9 hours. CanSecWest organizers actually had to relax the contest rules to make the hack possible, because initially nobody at the event could breach the computers under the original restrictions. 'Dai Zovi plans to apply for a $10,000 bug bounty TippingPoint announced on Thursday if a previously unknown Apple bug was used. "Shane can have the laptop, I want the money," Dai Zovi said in a telephone interview from New York. TippingPoint runs the Zero Day Initiative bug bounty program.'"


switcher (5, Funny)

BorgCopyeditor (590345) | more than 7 years ago | (#18821365)

that's it! I'm switching back to Windows!

Re:switcher (1)

anonymous_but_brave (1075911) | more than 7 years ago | (#18821411)

Let's see how quickly Apple responds to this hack. I recall an Ubuntu vulnerability [securityfocus.com] being patched within the week that it was reported - I don't think Apple (or MS for that matter) could respond so quickly.

Re:switcher (1, Insightful)

Anonymous Coward | more than 7 years ago | (#18821547)

It's pretty difficult to fix a bug for which no details are available. As of yet zero information has been released other than that a "JavaScript" flaw in Safari was used in the exploit. The Ubuntu flaw you reference was reported directly to Ubuntu with all the information necessary to fix it. We'll start our timing from when Apple is informed of the details, shall we?

Re:switcher (1)

gerrysteele (927030) | more than 7 years ago | (#18822021)

Don't they read teh internets like us too?

Re:switcher (0)

Anonymous Coward | more than 7 years ago | (#18822203)

> Don't they read teh internets like us too?

Of course not. Apple-users and -developers exclusively use the proprietary Elitistnet which once more proves how advanced and superior they are to us FOSS-losers.

Re:switcher (-1, Troll)

Anonymous Coward | more than 7 years ago | (#18821827)

Nah, Windows is even worse.

I switched from XP to Linux to BSD to Mac OS in 2003. Early this year I switched back to Linux. Can't beat power and usability (Ubuntu with Gnome), especially not with crap like Finder and the Mac OS window manager.

Re:switcher (1)

alittlespice (934609) | more than 7 years ago | (#18821865)

it's not a story if it's not hacked, so they made it easier to hack? wtf?

Re:switcher (0)

Anonymous Coward | more than 7 years ago | (#18823767)

No. It's just that $10k is crap for a remote exploit, even on a Mac. But any moron can find a Mac local pretty quickly, so as soon as that door opened it just came down to who jumped on it first. It's good that they changed it though, because the local exploit case is far more realistic than the server one. After all, the average user faces the highest risks from their browsing habits, not the networks they connect to.

Re:switcher (0, Troll)

Tickletaint (1088359) | more than 7 years ago | (#18822635)

You know what's scary? I could tell you're a Mac user from the "oh-so-indie" [urbandictionary.com] spelling of "ur."

Re:switcher (0)

Anonymous Coward | more than 7 years ago | (#18824729)

> You know what's scary? I could tell you're a Mac user from the "oh-so-indie" [urbandictionary.com] spelling of "ur."

Ha! you stupid fuck, you spelled "yr" wrong. Preview and proofread your comment before submitting.

Re:switcher (-1, Offtopic)

jb.hl.com (782137) | more than 7 years ago | (#18823023)

That "switcheur" troll springs readily to mind. ;)

Explanation of rules relaxation (4, Insightful)

Overly Critical Guy (663429) | more than 7 years ago | (#18824335)

> CanSecWest organizers actually had to relax the contest rules to make the hack possible, because initially nobody at the event could breach the computers under the original restrictions.


In other words, nobody was able to remotely hack the machine, so they allowed for local exploits, which someone used in a Safari URL.

Expect Apple-haters and other FUDmeisters to completely ignore the difference, like InfoWorld did yesterday in their breathless headline about "remotely breaking in."

wtf? (0)

Anonymous Coward | more than 7 years ago | (#18821373)

I don't get it. Hack the OS, and win the Macbook you just pwned? Is that really a prize?

Re:wtf? (0)

Anonymous Coward | more than 7 years ago | (#18821507)

"Is that really a prize?"

Yeah. You can sell it or use it. Who says you have to use Safari?

Re:wtf? (1)

i kan reed (749298) | more than 7 years ago | (#18821635)

Yes, it's several hundred dollars worth of hardware. I can still find uses for old Pentium one machines for running a network raid drive.

So, if I read TFA correctly: (4, Insightful)

noewun (591275) | more than 7 years ago | (#18821397)

The machine couldn't be hacked, so they relaxed the rules so it could be? I wish they'd been more explicit as to what 'relaxing the rules' meant. But maybe that would've spoiled the story.

Re:So, if I read TFA correctly: (4, Informative)

richdun (672214) | more than 7 years ago | (#18821435)

If I recall correctly, originally the requirement was remote access, but when that went nowhere, they allowed entrants to submit URLs that would be navigated to via Safari. Check out Engadget for more details...

Re:So, if I read TFA correctly: (5, Informative)

RalphBNumbers (655475) | more than 7 years ago | (#18821449)

As I understand it:

The rules originally required getting a user shell on a macbook connected to a wireless router without any other access, or getting a root shell under the same conditions on a second macbook without using the same bug.
The prize was the macbook(s) you hacked.

But they decided not enough people were interested, so 3Com added a $10,000 bounty for a winning bug.

But no one could crack it, so they set the machine up to visit malicious web pages submitted by email.

Then someone found a bug in Safari, and successfully crafted a webpage to exploit it to get user shell access.

Re:So, if I read TFA correctly: (0)

Anonymous Coward | more than 7 years ago | (#18821629)

3Com == Evil?

Admin user or regular user? (4, Interesting)

goombah99 (560566) | more than 7 years ago | (#18821741)

I wish they would say if the user that Safari was running under was admin or regular. If it was admin then this is even less of a hack than it already is. Also I wonder if they disabled the Safari feature to automatically "open safe files after downloading". That option puts a lot of trust in other programs not to have holes. Indeed, it's not really safe at all. Only stupid people or people that don't do stupid things leave it on.

Bottom line no remote hacks.

Re:Admin user or regular user? (1)

realthing02 (1084767) | more than 7 years ago | (#18821811)

Bottom line no remote hacks under their rules

corrected.

The prepositions are killin' people around here.

Regular User (1, Informative)

Anonymous Coward | more than 7 years ago | (#18821907)

It appears on the Cansec website that the contest was for shell access on a regular user's account.

2007-04-20-14:54:00.First_Mac_Hacked_Cancel_Or_Allow
Just to review the rules, the first box required a flaw that allows the attacker to get a shell with user level privileges. The second box, still up for grabs, requires the same, plus the attacker needs to get root.

http://cansecwest.com/ [cansecwest.com]

Re:Admin user or regular user? (5, Insightful)

Tickletaint (1088359) | more than 7 years ago | (#18822539)

From one Mac user to (presumably) another, please get your head out of the sand. These "stupid people" to whom you refer you might otherwise know as "The Rest of Us." It doesn't matter how technically competent you are, we are all "stupid" every now and then—or do you only ever visit the same two or three well-known sites every day? Even if you do, how can you be sure they haven't been compromised by, say, some sort of injection attack? Or even by an unscrupulous advertiser in an iframe?

And why on earth does it make a difference whether the user account was admin or regular? If an intruder has access to your personal documents, you're just as fucked either way.

Re:Admin user or regular user? (3, Interesting)

Tickletaint (1088359) | more than 7 years ago | (#18822895)

Interesting that your sig: "You are coming to a sad realization. Cancel or allow?" skewers that very behavior of Safari you describe [third-design.net]. Of course, if you have "open safe files after downloading" turned off, it's even more obnoxious—you have to find the file on your desktop and open it manually. Exactly the sort of repetitive task I thought my computer should be doing on my behalf.

Re:Admin user or regular user? (2)

NickFitz (5849) | more than 7 years ago | (#18823351)

> ...you have to find the file on your desktop and open it manually. Exactly the sort of repetitive task I thought my computer should be doing on my behalf.

Or you could double-click on the file's icon in the Safari downloads window. If you really want to examine it in the Finder, then you can click on the magnifying glass icon to view it.

Exactly the sort of task your computer does on your behalf :-)

Re:Admin user or regular user? (1)

kybred (795293) | more than 7 years ago | (#18824245)

Turning off the 'open safe files' prevents drive-by downloads from being automatically executed.

Re:Admin user or regular user? (0)

Anonymous Coward | more than 7 years ago | (#18824583)

> Turning off the 'open safe files' prevents drive-by downloads from being automatically executed.

It was pretty much perfectly safe, until the Dashboard widget exploit [macworld.com] came along.

Re:Admin user or regular user? (1, Troll)

Locklin (1074657) | more than 7 years ago | (#18823477)

Can you easily run Safari as admin on osx? Why would this be possible? If it is, that's a security vulnerability in itself.

It should never be easy for the user to do something completely stupid, otherwise they will!

You are about to send your credit card information over an unencrypted channel Cancel or allow?

Re:Admin user or regular user? (0)

Anonymous Coward | more than 7 years ago | (#18823773)

:: Only stupid people or people that don't do stupid things leave it on.

Apple left it on. Stupid Apple. When will they ever learn?

Re:So, if I read TFA correctly: (4, Informative)

Phil246 (803464) | more than 7 years ago | (#18821477)

The Register is a little more informative in that regard, from http://www.theregister.co.uk/2007/04/20/pwn-2-own_winner/ [theregister.co.uk]

> The pwn-2-own contest got off to a slow start on Thursday. The rules originally mandated an exploit that required no action on the part of the user. The reward for a successful hack was the machine that had been compromised. Conference attendees were underwhelmed, reasoning a Mac exploit that required no end-user interaction could be sold for upwards of $20,000. Things changed significantly on Day 2. That's when Tipping Point upped the ante with its promise of a $10,000 bounty. Contest organizers also relaxed the rules so exploits could include malicious websites that attacked Safari.

no such thing as a white hat... (5, Interesting)

Animaether (411575) | more than 7 years ago | (#18822115)

...is there?

I mean - I can only assume this was a 'white hat' hackers conference, given there was actual publicity given and a public bounty and such. But then things like these pop up?

"'Shane can have the laptop, I want the money,' Dai Zovi said in a telephone interview from New York"
"Conference attendees were underwhelmed, reasoning a Mac exploit that required no end-user interaction could be sold for upwards of $20,000."


Makes me think.. black hat, white hat.. what's the difference these days? I thought a white hat hacker was the 'good guy' (albeit still a hacker).. the kind of person who hacks for fun / curiosity.. the kind of person who notifies the developer of the bug or, at least, just makes the bug known to the world at no charge. Not the kind of person who hacks, then scours the 'security conferences' for a bounty, and when that bounty is lower than what they could get off of actual 'bad guys', complain that the bounty is too low. To me, that just sounds like the person is a black hat, but dons a white hat on top in an attempt to fool us into thinking they're white hat.

Re:no such thing as a white hat... (3, Insightful)

ancientt (569920) | more than 7 years ago | (#18823507)

Okay, maybe a black hat tendency, but there might be alternatives.

There are plenty of security companies out there legitimately trying to sell their software, plenty of people who would love to be the only ones who have a defense against some secret hack. If you want me to spend time finding a vulnerability and then into writing an exploit, my time would not come cheap. I'm not even talented in that direction. Imagine that you're a security researcher who gets paid for your time investigating and resolving potential security breaches, what kind of payoff makes it worth investing your time in that gamble? It has to be a pretty penny or else you're better served doing what you do for a living.

"Give me the money" is a legit response when you've invested your time and effort into something with that as your goal. If he'd said "I don't hack for fun or evil, I only did this for the contest and expect to be given what I was promised" then I don't think you'd have the same take. There is a good chance that is exactly what he meant too. You might be shocked to learn that a lot of us who are considered computer geeks are not the world's foremost verbal communicators.

I love my job, but I won't work here long after they stop paying me.

Re:no such thing as a white hat... (1)

doggo (34827) | more than 7 years ago | (#18823661)

"You might be shocked to learn that a lot of us who are considered computer geeks are not the world's foremost verbal communicators."

Well, only if you disregard grammar, spelling, and vocabulary.

Re:no such thing as a white hat... (0)

Anonymous Coward | more than 7 years ago | (#18824625)

This person does sound like a black hat, although I am not sure he sold his exploit to the good guys. TippingPoint sells intrusion prevention systems. What they did seems awfully close to the rumors of anti-virus companies hiring people to write viruses.

Would the Department of Homeland Security hire a security company that is actively soliciting the public for ways to send anthrax undetected through the mail? Hiring experts under non-disclosure after a thorough security check sounds like a better plan.

I understand that security through obscurity doesn't work and I am happy that the vulnerability has been disclosed to Apple, but maybe the best way to discourage armed robbery is not to outbid the local fence.

On the upside, a company like TippingPoint would be a great front for the Russian mafia or the NSA. Creating a good rolodex of capable hackers has got to be worth something.

Warez-R-who??? (1)

Crash Culligan (227354) | more than 7 years ago | (#18822485)

The Register: reasoning a Mac exploit that required no end-user interaction could be sold for upwards of $20,000

Wait, wait, wait, wait. Where does one go to sell operating system exploits? And how hard would they be to shut down?

We may be onto something here: there may be a social solution to a technological problem.

Re:So, if I read TFA correctly: (2, Funny)

Divebus (860563) | more than 7 years ago | (#18821481)

Relaxed rules = they gave out the root password and let them sit at the keyboard for a while.

The Register is more informative. (1, Informative)

twitter (104583) | more than 7 years ago | (#18821557)

> I wish they'd been more explicit as to what 'relaxing the rules' meant. But maybe that would've spoiled the story.

They allowed user activity, aka he browsed to a site he created for the purpose. It seems this is not a full auto worm type exploit of the kind common in the Windoze world. See here [theregister.co.uk]. It's hard to say if the problem was JavaScript or something like Flash called by it.

All the M$ tools are going to be underlining their popularity arguments and slinging mud at all the more secure OS. Even the Register indulged in a little of that kind of flamage.

Re:The Register is more informative. (0)

Anonymous Coward | more than 7 years ago | (#18821699)

Have you seen my monitor? [slashdot.org]

Re:The Register is more informative. (-1, Troll)

toadlife (301863) | more than 7 years ago | (#18821753)

"All the M$ tools are going to be underlining their popularity arguments and slinging mud at all the more secure OS."

What "more secure OS" are you talking about?

The bounty on Vista vulnerabilities was reportedly $25,000 when it was RTM, and in five months only eight vulnerabilities have been exposed. The bounty on the OSX vulnerability was $10,000, and it took less than half a day for someone to collect it.

Wake me up when OSX (or linux or *BSD) are subjected to the same conditions as Windows and then we'll see which is the most secure OS.

The fact that people can be malware-free by using OSs like Linux, *BSD and OSX is a testament to the real value in security by obscurity.

Re:The Register is more informative. (0, Troll)

jcr (53032) | more than 7 years ago | (#18821807)

There's a market for Vista vulnerabilities that pays far more than $25K for a zero-day exploit. You can bet that many more have been found, and are in use by zombie-net operators right now.

-jcr

Re:The Register is more informative. (0)

toadlife (301863) | more than 7 years ago | (#18821847)

"You can bet that many more have been found, and are in use by zombie-net operators right now."

Common sense says that's not true. Aside from posting it on full disclosure, the best way to expose a vulnerability to the public is to use it to exploit massive numbers of computers. There almost certainly are '0day' vulns for Vista out there, but in order to remain 0day, they cannot be used on a mass scale.

If I were a bot-net herder, I would probably just focus on the vulnerability between the keyboard and chair.

Re:The Register is more informative. (1)

LordSnooty (853791) | more than 7 years ago | (#18822217)

If you're talking about Vista, maybe it makes more sense from their perspective to sit on the exploits until Vista is more widespread, if they can keep a secret that long.

Re:The Register is more informative. (0, Troll)

toadlife (301863) | more than 7 years ago | (#18822353)

Nah. Everyone knows marketshare has nothing to do with which platforms hackers target. If anything hackers would want to crack Vista just for the notoriety. /offtopic rant: To the asshole that follows me around modding all my posts down: Keep wasting your mod point shithead. I've got more Karma than you'll ever have mod-points.

Re:The Register is more informative. (1)

jdbartlett (941012) | more than 7 years ago | (#18822795)

Is greater market share the only reason penetration of a system is attempted? No, of course it's not; but a vulnerable system with greater market is more appealing when planning a malicious attack.

Notoriety is pretty low down on a penetration expert's priorities, especially if he's targeting Windows (imagine the headline: "Shock! Horror! Windows MAY be vulnerable!") Even in the case of this competition, I'd be surprised if any of the entrants believed they would gain fame/infamy outside a niche maligned community.

There is no single reason why penetrations take place, but script kiddies and malicious attackers are more likely to attack the easiest to penetrate, most common systems: unprotected windows machines. In other words: market share is the most common reason.

Re:The Register is more informative. (1)

squiggleslash (241428) | more than 7 years ago | (#18823251)

Marketshare has a significant role in the success of a virus. If a virus is going to be rejected by 95% of the computers it hits, frequently (such as with e-mailed viruses) in some way that draws attention to the issue on the computers it fails, it's likely to be detected far earlier and stamped out than if it is rejected by only 5% of the computers.

In other words: One of the reasons it's so difficult to write a virus for Mac OS X is that it would have immense difficulty finding other Macs to spread to.

There are a whole host of reasons why there aren't Mac viruses. I've touched on them in various posts and suffered the karma loss that goes with stating the obvious. Both Macs and Windows have had significant security holes and presumably continue to do so. The major reasons that help the Mac over the PC are the marketshare/inability for hackers to use a network effect, the unfamiliarity the existing virus writers have with the platform, and an easily understood UI that helps the user understand what it is they're doing (Most Mac users may be no more clueful, but they have a better understanding of what their computer is doing than most Windows users thanks to the UI.)

Re:The Register is more informative. (1)

NickFitz (5849) | more than 7 years ago | (#18823399)

> To the asshole that follows me around modding all my posts down: Keep wasting your mod point shithead. I've got more Karma than you'll ever have mod-points.

It's actually a swarm of mod-bots doing it.

Zero Day misnomer (1)

Gary W. Longsine (124661) | more than 7 years ago | (#18824005)

Smarter botnet herders may protect their zero-day exploits and use them sparingly, as you suggest. Within the past year, more than once, zero day exploits were discovered in the wild by security researchers. In one case the exploit discovered was apparently directed at a single user in a U.S. Federal government agency, suggesting that at least some of them do just that.

In my experience, managers of large organizations do not take Zero Day risks seriously, and often don't really understand them. The risks appear to be quite real, and growing, however. Has this Safari defect been independently discovered by one or more black-hats? How long ago?

The security industry should start tracking the ship date of the vulnerable software, so that organizations can get a better understanding of their exposure. The risk period wasn't just one day, the "Zero Day" but rather could be as long as "every day since the shipment (or installation) of the version of the product with the defect."

For every defect it might be interesting to have a small chart showing the versions of the products, the dates they shipped, the date the vulnerability was discovered by the vendor or security industry, the date it was patched, and whether or not there are indications or confirmation that the defect was exploited by or known to the underground prior to the Zero Day. The chart could be color coded.

  • Pink: The vulnerability existed in a shipping product, but was unknown to the vendor, the customers, and security researchers.
  • Red: The vulnerability was exploited by the underground and unknown to the security community.
  • Orange: The vulnerability was known to exist by the vendor and public, but a patch was not yet available.
  • Yellow: A patch is available.
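
The exposure chart proposed in the comment above, sketched as an added example (it is not part of the original comment or of any existing tool): given a ship date and the dates a defect was exploited, disclosed and patched, it splits the risk period into the Pink/Red/Orange/Yellow phases. The class, function and field names and the sample dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, NamedTuple, Optional


@dataclass(frozen=True)
class DefectTimeline:
    """Dates for one defect in one shipped product version (illustrative names)."""
    shipped: date                           # version containing the defect shipped
    disclosed: date                         # vendor/security community learned of it (the "Zero Day")
    patched: Optional[date] = None          # patch released; None while unpatched
    exploited_since: Optional[date] = None  # earliest evidence of underground use, if any


class Phase(NamedTuple):
    color: str
    start: date
    end: date

    @property
    def days(self) -> int:
        return (self.end - self.start).days


def exposure_phases(t: DefectTimeline, as_of: date) -> List[Phase]:
    """Split the period from ship date to `as_of` into the comment's color phases."""
    if not t.shipped <= t.disclosed <= as_of:
        raise ValueError("expected shipped <= disclosed <= as_of")
    if t.patched is not None and t.patched < t.disclosed:
        raise ValueError("patch date precedes disclosure")
    if t.exploited_since is not None and t.exploited_since < t.shipped:
        raise ValueError("exploitation date precedes ship date")

    # Red applies only while the defect was exploited AND still unknown to defenders.
    if t.exploited_since is not None and t.exploited_since < t.disclosed:
        red_start = t.exploited_since
    else:
        red_start = t.disclosed
    # A patch dated after `as_of` is not yet available from the reader's point of view.
    if t.patched is not None and t.patched <= as_of:
        patch_day = t.patched
    else:
        patch_day = as_of

    candidates = [
        Phase("pink", t.shipped, red_start),      # shipping, unknown to everyone
        Phase("red", red_start, t.disclosed),     # exploited, unknown to defenders
        Phase("orange", t.disclosed, patch_day),  # known, no patch yet
        Phase("yellow", patch_day, as_of),        # patch available
    ]
    return [p for p in candidates if p.days > 0]  # drop phases that never occurred


def unpatched_days(t: DefectTimeline, as_of: date) -> int:
    """Days the defect was live with no patch: every phase except yellow."""
    return sum(p.days for p in exposure_phases(t, as_of) if p.color != "yellow")


# Constructed sample: a hypothetical product, not data about any real defect.
SAMPLE = DefectTimeline(
    shipped=date(2006, 1, 10),
    exploited_since=date(2006, 11, 1),
    disclosed=date(2007, 1, 15),
    patched=date(2007, 2, 14),
)

if __name__ == "__main__":
    today = date(2007, 3, 1)
    for p in exposure_phases(SAMPLE, today):
        print(f"{p.color:<7} {p.start} -> {p.end}  {p.days:>4} days")
    print("unpatched exposure:", unpatched_days(SAMPLE, today), "days")
```

For the constructed sample, the 30 days between disclosure and patch are a small part of the 400 days the defect was shipping unpatched.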

Re:The Register is more informative. (0)

Anonymous Coward | more than 7 years ago | (#18821885)

Looks like the zealots with mod-points are out in force tonight. Twitter even got modded up.

Karma be damned (0, Troll)

The Bungi (221687) | more than 7 years ago | (#18821893)

It says a lot about you and about Slashdot that you can hop on an article about someone hacking OS X, do your "M$ Windoze" routine and then get modded up for it. Seriously though, I'm sure that once Taco figures out his MySQL problems he'll have a tasty Microsoft FUD story for you to comment on. I suggest you wait for that?

Re:Karma be damned (0)

Anonymous Coward | more than 7 years ago | (#18824789)

> It says a lot about you and about Slashdot that you can hop on an article about someone hacking OS X, do your "M$ Windoze" routine and then get modded up for it. Seriously though, I'm sure that once Taco figures out his MySQL problems he'll have a tasty Microsoft FUD story for you to comment on. I suggest you wait for that?

Poor baby - you go poopy in your didy?

Konqueror (5, Interesting)

Anonymous Coward | more than 7 years ago | (#18821437)

Safari's rendering engine is based on KHTML. So is Konqueror affected by this flaw as well?

Re:Konqueror (2, Interesting)

Fooker (656693) | more than 7 years ago | (#18821483)

That's a good question. There's a good chance it could be. Then again with the speed that updates/patch's/fix's come out for Linux, if it does it'll be fixed in a relatively short time.

Re:Konqueror (2, Interesting)

Tickletaint (1088359) | more than 7 years ago | (#18822985)

Why say "Linux" rather than open source? KHTML has nothing to do with Linux. Anyway, from what I've been reading, it seems more likely related to a bug in JavaScriptCore [webkit.org], derived from KJS and which is also open source.

By the way—

> updates/patch's/fix's

Should be "update's," for consistency.

Re:Konqueror (0)

Anonymous Coward | more than 7 years ago | (#18823281)

I know at one point they made a webserver for Linux, but are you now saying they've integrated the web browser engine into that kernel as well?

Re:Konqueror (1)

makomk (752139) | more than 7 years ago | (#18822639)

> Safari's rendering engine is based on KHTML. So is Konqueror affected by this flaw as well?

It could be, though IIRC most of the past security holes have only affected one and not the other, for some reason.

Re:Konqueror (1)

failedlogic (627314) | more than 7 years ago | (#18823609)

Wonder then if the flaw is fixed in latest Konqueror, that Webkit is also safe. I'm using Webkit and it's a whole lot faster than Safari so I'm using it almost exclusively.

OT: Discussion2 down? (0, Offtopic)

pintpusher (854001) | more than 7 years ago | (#18821503)

I'm using discussion2 and my floating bar and the expand comment links aren't working. anyone else see this?

Also getting 503's for my personal page. huh.

Re:OT: Discussion2 down? (0)

Anonymous Coward | more than 7 years ago | (#18821529)

Well I haven't been able to log in for the last 2 hours...

OT: Same here. (1)

Kadin2048 (468275) | more than 7 years ago | (#18821539)

Yes, I got the 503 "Service Not Available" error on the personal page (~/Username) also. Maybe they're doing work on the database or something, and don't want the extra load...? When I saw that, I was actually a little surprised that comments were working at all.

Re:OT: Same here. (0, Offtopic)

pintpusher (854001) | more than 7 years ago | (#18821603)

right. time for bed then. 'night all

Re:OT: Discussion2 down? (0)

Anonymous Coward | more than 7 years ago | (#18821555)

Same here.

Re:OT: Discussion2 down? (1)

ystar (898731) | more than 7 years ago | (#18821911)

me too, on osx (firefox). hope it's something easy to fix on /.'s side

disconnected computer in a box attempt (1)

timmarhy (659436) | more than 7 years ago | (#18821653)

Was the macbook actually running any services that were listening on the network? If so, what were they? It's easy to claim security when all your ports are closed up, but it also means you're useless, like a computer in a box.

Re:disconnected computer in a box attempt (1, Insightful)

Anonymous Coward | more than 7 years ago | (#18822175)

You know, a Macbook isn't supposed to be a network server, but a client computer. It's a frigging LAPTOP. Which ports DO need to be listening on the network for a client computer to be 100% useful to the average user? Not that many...

Read a better article than the one linked. (5, Informative)

Anonymous Coward | more than 7 years ago | (#18821711)

The MacBook was actually only hacked because they lessened the rules and actually had someone open Safari and use a malicious website. No ports were closed nor was the firewall running.

Re:Read a better article than the one linked. (0, Flamebait)

Anonymous Coward | more than 7 years ago | (#18822207)

> The MacBook was actually only hacked because they lessened the rules and actually had someone open Safari and use a malicious website.

Good point! It's well known that Mac users never open Safari nor do they ever use web sites.

This seems a little sensationalized... (4, Informative)

Rod76 (705840) | more than 7 years ago | (#18821723)

I'm a Mac user and as such I'm not claiming invincibility; although the "Unix" like foundation makes me more secure, it's still the end user's responsibility to not run as admin or God forbid root. Not to mention using a good firewall or correctly configuring the one that's already built in is vital and just practicing caution on the web. That aside I just don't think this is entirely honest, I wish they would disclose all the variables involved to include all settings used. But as others here have said, considering Apple's foresight using open source means that between Apple and the Konqueror devs this will be quickly addressed. But my gut feeling here is that something stinks in Denmark!

Re:This seems a little sensationalized... (2, Insightful)

Tickletaint (1088359) | more than 7 years ago | (#18822579)

You don't need root to rm -rf ~.

Or to osascript -e 'tell application "Mail" to send contents of folder "~" to everyone in Address Book'.

Re:This seems a little sensationalized... (1)

blibbler (15793) | more than 7 years ago | (#18822679)

From the article it appears they used the default settings that came with the machine. They later allowed people to send them URLs that they would load into Safari. It sounds like the reason they did not release the settings used was to keep this exploit contained, and that they will provide the settings to Apple.
I have been a dedicated mac user for more than 10 years, but I find it ludicrous that people believe that macos is invulnerable or any discovered exploits must be fake.

So not the OS then! (1, Interesting)

Goth Biker Babe (311502) | more than 7 years ago | (#18821763)

So they couldn't get in directly and had to use a hole in an Application. Just remind me how many holes have IE and Firefox had in the past?

OS-X is essentially BSD with a second layer on the top being the frameworks from Next and Apple and the applications. If they find vulnerabilities in the lowest layer of code then Linux is in trouble too because there's an awful lot of shared code there. Anyone remember the ssh hole which allowed you to root a box? So the issue would be in the Apple provided layers.

As anyone who has designed, or worked at a high level, on a complete system knows you design as much as you like and you can use defensive coding as much as you can but there will always be edge cases and unfortunately the only way to find them is when something breaks or is broken. Then what you must do is fix them asap and not do what a certain OS company does is first deny they exist, then admit they exist and say it will be patched, and then finally release a patch some months later. Having said that they have been a bit better lately.

I get annoyed at people saying how secure OS-X is or Linux or whatever. There is no one true OS. All this my macho my OS is better than your OS pisses me off. People use different OSs because of the applications they want to use and their working style.

I have several requirements for my personal laptop (compared to my office one). It must be small and lightweight, easy to use, manage my arty hobbies (films, photography, music and other media), but also allow me to do my consultancy work if needed which is mainly *NIX development (C, C++ and Java) and writing reports, feasibility studies and the like. I don't play games that much and I have consoles for that (although since I now travel a lot a DS may be appear in my purse in the near future). So I have a Mac. It does all that I need.

I could use my works Dell but having to occasionally reboot from Linux in to XP and back again would anoy the hell out of me. Also its huge.

Re:So not the OS then! (1)

feranick (858651) | more than 7 years ago | (#18821859)

What does Firefox have to do with it? I hope you are not saying that IE AND Firefox are equally responsible for the security problems under Windows...

Re:So not the OS then! (0)

Anonymous Coward | more than 7 years ago | (#18821941)

Apple is the one to claim OS X is perfect. Microsoft claims the security on windows is 'adequate'.

BSD (1)

Coolhand2120 (1001761) | more than 7 years ago | (#18822155)

Pretty sure BSD is Unix, not Linux. Funny it's called OSX, it ought to be called OSomeone else made this shit.

Re:BSD (0)

Anonymous Coward | more than 7 years ago | (#18822529)

"... it ought to be called OSomeone else made this shit."

That's funny. That's just how I feel about some generic Linux running on commodity hardware - someone else made the shit it's running on.

As Alan Kay said, "People who are serious about software make their own hardware".

Apple is nothing if not serious about its software. None of the Linux vendors is, apparently.

Why are you annoyed? (1)

MarkByers (770551) | more than 7 years ago | (#18823133)

> I get annoyed at people saying how secure OS-X is or Linux or whatever.

Why do you get annoyed? Does it make you feel inferior or something?

Here's a quick lesson: learn to ignore it and get on with your life. If you don't have the time to figure out Linux, or you don't have the money to spend on a Mac, no-one will begrudge you that. Just be proud with what you have and don't let anyone get you down. Seriously, it's not worth getting annoyed over.

Re:Why are you annoyed? (0)

Anonymous Coward | more than 7 years ago | (#18824527)

What a snotty, self-righteous post that was. Pleasing neither in content, nor form, utterly lacking in any insight.

Re:So not the OS then! (1, Informative)

Anonymous Coward | more than 7 years ago | (#18823711)

> OS-X is essentially BSD

No, it's not. OS X has some modified BSD user land tools and that's the only thing they truly have in common.

Um, no. (1)

eli pabst (948845) | more than 7 years ago | (#18824327)

> If they find vulnerabilities in the lowest layer of code then Linux is in trouble too because there's an awful lot of shared code there.

What are you talking about? There really shouldn't be any code overlap between Linux and OSX in terms of the operating system itself. Linux is a complete rewrite of Minix and isn't derived from any of the Pre-OSX Mach kernels. In fact I don't think OSX could legally incorporate any of Linux code as it would violate the GPL license.

The only time you see exploits common to both OSes is in userland applications that are common to both OSes (like openSSH).

When You Can't Win, Cheat (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#18821799)

> CanSecWest organizers actually had to relax the contest rules to make the hack possible, because initially nobody at the event could breach the computers under the original restrictions.

Says it all, really.

Next time you wonder why Mac users are so arrogant about security, read the above passage till you get it.

The folks at CanSecWest miss the point as well: it's not that the Mac is perfect. It's only perfect compared to Windows. Compared to anything else, it's quite nice but not bulletproof.

Stop wasting people's time trying to find a pinprick in OS X and boycott MS until they plug the freakin' levee breaches in Windows. Until you do that, you're just encouraging Microsoft.

Re:When You Can't Win, Cheat (1)

Tickletaint (1088359) | more than 7 years ago | (#18822615)

What? Who gives a shit about Windows? Any vulnerability is bad news; don't trivialize it with your "oh but M$Windoze!1!!" because, in all honesty, whatever flaws exist in Windows have zero relevance to me as a Mac user.

mBo3 down (-1, Troll)

Anonymous Coward | more than 7 years ago | (#18821805)

editors ftl (0)

Jay Carlson (28733) | more than 7 years ago | (#18822063)

Normally we make fun of Slashdot editors for not being able to spell simple English terms familiar to a mass audience correctly. They loose there audience when they do that. Usually they can get their terms of art correct. Not this time.

Guys, it's spelled "0day", and it has been since before you l33ch3d Karateka on a catfur. Do have some sense of perspective.

Re:editors ftl (2, Funny)

Anonymous Coward | more than 7 years ago | (#18822113)

Normally we make fun of Slashdot editors for not being able to spell simple English terms familiar to a mass audience correctly. They loose there audience when they do that. Usually they can get their terms of art correct. Not this time. (Not a sentence)

Guys, it's spelled "0day", and it has been since before you l33ch3d Karateka on a catfur. Do have some sense of perspective. (Question mark?)

See me.

Re:editors ftl (0)

Anonymous Coward | more than 7 years ago | (#18822123)

you missed "spelled" , which should be "spelt" and "do have some sense of perspective" should be "do you have a sense of perspective" There are other various grammatical errors such as missing commas as well.

Re:editors ftl (1)

Jay Carlson (28733) | more than 7 years ago | (#18822277)

> you missed "spelled" , which should be "spelt"

Orthographic reform, do you speak it?

I'll show you a Royale.

Re:editors ftl (1)

WhatAmIDoingHere (742870) | more than 7 years ago | (#18822315)

Don't forget to remind the editors to tighten up there spellud.

You've got an excuse for "Spelled/Spelt" but what about everything else? When you're slamming the editors for misspelling common simple words, and in your post you do the exact same thing.

I think you should step away from the keyboard and reevaluate your life.

Re:editors ftl (1)

Psychotria (953670) | more than 7 years ago | (#18822423)

"Spelled" is perfectly acceptable. Go read the Oxford Dictionary... If you're going to correct somebody, at least make sure you're correct yourself.

Re:editors ftl (1)

Jay Carlson (28733) | more than 7 years ago | (#18822325)

They loose there audience when they do that.

[...]See me.


I can't believe my TAs for Intermediate Slashdot Trolling For The Playstation Generation are actually deducting points for such an accurate depiction of them.

Ah cat-fur ][... (0)

Anonymous Coward | more than 7 years ago | (#18822281)

How I miss the Apple-Cat [wikipedia.org] .

And he's right. It's 0day.

And by the way, a "crack" is a copy protection defeat. A "cracker" is someone who removes the copy protection. It is not, no matter how much you want it to be, the same thing as a "hacker".

Re:Ah cat-fur ][... (1)

Aladrin (926209) | more than 7 years ago | (#18822445)

Oddly enough, the distinction isn't so fine as you make it sound.

http://dict.die.net/hacker/ [die.net]

2. One who programs enthusiastically (even obsessively) or who
      enjoys programming rather than just theorizing about
      programming.

8. (Deprecated) A malicious meddler who tries to discover
      sensitive information by poking around. Hence "password
      hacker", "network hacker". The correct term is cracker.
http://dict.die.net/cracker/ [die.net]

jargon An individual who attempts to gain unauthorised
      access to a computer system. These individuals are often
      malicious and have many means at their disposal for breaking
      into a system.

While it is expected that any real hacker will have done some
      playful cracking and knows many of the basic techniques,
      anyone past larval stage is expected to have outgrown the
      desire to do so except for immediate practical reasons (for
      example, if it's necessary to get around some security in
      order to get some work done).
So while most hackers are crackers, most crackers are not hackers. (Sort of like 'all panthers are cats, but not all cats are panthers.')

Re:editors ftl (1)

1u3hr (530656) | more than 7 years ago | (#18822647)

Normally we make fun of Slashdot editors for not being able to spell simple English terms familiar to a mass audience correctly. They loose there audience...

Hey, good! (2, Insightful)

Tickletaint (1088359) | more than 7 years ago | (#18822343)

As a longtime Mac user and a fan of Apple products in general, I'd like to congratulate the winner of this contest. Too many Mac users now seem lost in willful ignorance of the fact that tasteful, thoughtful design alone doesn't render a system bulletproof. Thus, I applaud any honest efforts to increase the public awareness that yes, shit-happening potential exists, even on a Mac.

(I said honest efforts. That guy who claimed the AirPort hack is still a raging tool.)

Another point to emphasize—and which, curiously, seems always to be overlooked on Slashdot—is that an uninvited guest doesn't need root to ruin your day. As long as he or she can rm -rf ~, or better yet, yank all your most intimate personal documents and send them flying across the internets, root's just gravy. So let's not pretend this Safari vuln is harmless.

Really though, how on earth are you supposed to guard against attack through vectors not yet publicly known, without either (a) suffering a crippled functionality, or (b) being badgered [wasuvi.com] into clicking "Continue" out of habit? The best approach I've seen is the one adopted by Google's anti-phishing plugin (and for those of us who can't stand Firefox, Leopard can't come soon enough [appleinsider.com] ). It's intuitive, unobtrusive, and cuts straight to the heart of the problem: making sure you're visiting the wholesome, trustworthy site you think you're visiting.

But even with the Google phish alarm installed, if you make one little mistake—if you step out of line for just a second—you could be hosed. Or what if someone figures out how to inject an attack on a "safe" bulletin board? You're hosed. Hell, maybe someday Google blows it like a Taco Bell restaurant inspector. Hosed.

So can it even be done, this cake thing, with the eating? Or is our best hope to just pray to Jobs the Mac never becomes mainstream enough to attract attention from the big-league black hats?

Re:Hey, good! (0, Informative)

Anonymous Coward | more than 7 years ago | (#18823401)

> (I said honest efforts. That guy who claimed the AirPort hack is still a raging tool.)

No he wasn't. He was the subject of a major Apple-led smear campaign which misrepresented his claims. The bug he found was actually fixed by Apple a few months later, but the usual bunch of apologists, even at the time Apple was fixing the bug, went out of their way to lie about what both Apple and the bug finders had done.

This [zdnet.com] basically explains what happened. Anyone who reads it and continues to claim anything from "the Airport hack didn't exist" to "Maynor and Ellch faked the demo" is, frankly, to use your language, a raging tool.

Re:Hey, good! (1)

kms_md (991224) | more than 7 years ago | (#18823815)

> This basically explains what happened. Anyone who reads it and continues to claim anything from "the Airport hack didn't exist" to "Maynor and Ellch faked the demo" is, frankly, to use your language, a raging tool.

referring to someone as a "tool" and then linking to george ou's blog is rich indeed.

heh (1)

Danzigism (881294) | more than 7 years ago | (#18822937)

I think another very simple factor to take into consideration is that there aren't hundreds of thousands of Romanians who are out there trying to hack OS X.. they're targeting Windows.. if people actually gave a shit about hacking a Mac, then there'd probably be a lot more vulnerabilities.. just because there's hardly any hacks, doesn't mean OS X is unhackable.. it just means people don't care..

Re:heh (0)

Anonymous Coward | more than 7 years ago | (#18824001)

Noob. You should have paid more attention in English class. And then you should have learned to think for yourself rather than regurgitating the pablum you hear from others.

With all the hype about how secure the Macintosh OS is, imagine the fame a "hacker" (your term) would get to be the first to produce a real Macintosh virus, trojan, or whatever. Do you honestly believe that nobody cares? I pity you.

Go back to high school.

Privilege separation (1)

BlueParrot (965239) | more than 7 years ago | (#18823945)

This is why your browser ideally shouldn't be able to read your entire home directory. People talk about running as admin or not, but your most sensitive data is your personal files that you have read access to as your limited user. Running as admin or root is bad mainly because it can open security holes which can cause further mischief, but if your most personal information, and your most important files, are right there for your browser to read, it won't matter if the exploit hits the kernel or simply your browser. The way I have it set up my browser runs as a separate user which connects as an un-trusted X-client. Files that I don't care about are in a directory with the group set so that the browser can read them, while personal documents, e-mail... etc is readable by my user only. Now, in practice I am not very secure. I still trust google with my e-mail, I allow sites to set cookies etc... I set this up mainly as a proof of principle thing. There isn't any good reason why your browser, which is arguably the most exposed part of your system, should be able to fuck up your entire home directory and send your most private data somewhere it doesn't belong.
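
An added example, not part of the comment above: a small audit for the layout it describes, listing anything in a home directory that a separate browser account could read outside the one directory shared on purpose. The function names, the shared-directory argument, and the assumption that the browser account reaches files only through group or other permission bits are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed assumption: the browser runs
# as a separate account that reaches your files only through group/other bits.

# Print every entry under $1 that a non-owner account could read.
# Directories with no group/other search (x) bit are pruned: nothing below
# them is reachable, whatever the modes of the files inside.
# Conservative: group and other bits are treated alike; symlinks are skipped
# because their own mode bits are not meaningful.
exposed_entries() {
    find "$1" -type d ! -perm -010 ! -perm -001 -prune -o \
        ! -type l \( -perm -040 -o -perm -004 \) -print
}

# Print exposed entries that are NOT inside the intentionally shared tree $2.
# Empty output means only the shared directory is readable by the browser.
unexpected_exposure() {
    exposed_entries "$1" | while IFS= read -r path; do
        case $path in
            "$2"|"$2"/*) ;;                 # deliberately shared
            *) printf '%s\n' "$path" ;;     # readable but not meant to be
        esac
    done
}

# Stand-alone use: sh audit.sh "$HOME" "$HOME/shared"
if [ "$#" -eq 2 ]; then
    unexpected_exposure "$1" "$2"
fi
```

A world-readable file inside a mode-700 directory is not reported, because the directory itself already blocks the browser account; a mode-644 file directly in the home directory is.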

there are some weird things in Safari... (5, Informative)

lixlpixel (747466) | more than 7 years ago | (#18824043)

Safari lets you include local files, for example...

i told apple (and got a lame reply that it would be fixed eventually) month ago, yet it still works.

see http://destabili.zation.eu/ [zation.eu] for a quick harmless example that can check what applications you got installed.

and then there is a way to crash Safari which exists for more than a year - again i had an email conversation where they wanted more info and crashreports - yet nothing was ever done about it.

http://lixlpixel.org/safaricrash/ [lixlpixel.org] and follow the instructions - but make sure you don't have any important tabs open...

What I want to know (3, Interesting)

HairyCanary (688865) | more than 7 years ago | (#18824073)

How was the machine configured relative to an off-the-shelf OSX installation?

While I understand that for the purposes of the contest it might have been necessary to reduce those protections, I think that before something becomes "news" we should know what the real risk is.

Does this hack require the user to manually disable protections the OS ships with, or manually enable services that default to off? The article seems light on detail.