macnn/electronista

04/21/2007, 10:10am, EDT


MacBook hacked in security contest

One of two "honeypot" MacBook Pros at the CanSecWest security conference in Vancouver, British Columbia has been successfully hacked, according to contest officials. The conference had set up a contest to gain user-level shell access to Mac OS X over a wireless network. The machine fell only after the hosts eased the rules and allowed contestants to attack through code served from a malicious web page, a client-side attack that requires the target to visit the page, rather than requiring a direct compromise of the operating system over the network.

The exploit was written by Matasano Security researcher Dino Dai Zovi and delivered on site by engineer Shane Macaulay; the pair took about nine hours to craft a working exploit for Apple's built-in Safari browser. CanSecWest organizers wouldn't elaborate on details but confirmed that the hack was genuine.

"At this point all we can say is there is an exploitable flaw in Safari which can be triggered within a malicious web page," they wrote. "Of course all of the latest security patches have been applied. This one is 0day folks."

Macaulay is expected to win the MacBook Pro itself under the contest rules, while Dai Zovi is claiming a $10,000 prize put up by 3Com for any exploit used during the challenge that is confirmed as a zero-day: a previously unknown flaw for which no patch exists, so the software vendor has had no chance to react before it is used. The remaining system had yet to be broken, and any successful compromise of it had to gain full root-level access to qualify for a prize.

Apple declined to comment on the Safari flaw and has so far issued only its standard statement for exploits that surface before a patch is available. "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users," said company spokeswoman Lynn Fox.

Despite the lack of known malicious exploits "in the wild," Mac OS X has recently come under increasing scrutiny from security researchers disclosing previously unknown vulnerabilities. The now well-known Month of Apple Bugs project turned up then-fresh flaws in QuickTime, Safari, and other components, forcing Apple to release multiple patches to close them.

The April security update released by Apple addresses further Month of Apple Bugs issues, but contains no Safari fixes and so leaves the CanSecWest exploit viable until Apple ships a patch; until then, the only mitigation available to users is caution about which web pages they open in Safari.

32 comments
Reader Reactions

eased rules!
04/21, 10:29am, EDT
So it couldn't be hacked until they moved the goalposts? Don't know if I'd want to play football against any of these guys!
Forum Regular
Joined Oct 1999
So what?
04/21, 10:38am, EDT
Let them try to hack a Mac under REAL WORLD circumstances. No computer platform is 100% secure. It's easy to hack a Windows PC.
Fresh-Faced Recruit
Joined Feb 2006
missing the point folks..
04/21, 10:55am, EDT
This CAN happen under real world situations.

It is good that Mac OS X is well protected against active direct attack but this Safari issue is real and can result in the system being compromised.

It is amazingly easy to get folks to visit a website, and it really is something that users should expect to be safe and do expect to be safe... the web of blogs, discussion forums, ad content, etc. allows for all kinds of easy ways to get a user to visit a malicious page that could attack this vulnerability.

I am glad they are reporting it to Apple responsibly but it is too bad that Apple (and possibly WebKit open source review) didn't find it first. ...but things do get missed in complex software.
Fresh-Faced Recruit
Joined Nov 2000
re: missing the point...
04/21, 2:03pm, EDT
Fact is that computers are vulnerable to malicious attacks via internet browsers because customers would never accept the alternatives. This is a basic point about social interactions and has nothing to do with a specific computer platform. As long as there is an open internet there will be major vulnerabilities capable of wreaking havoc on a system. Deal with it.
Fresh-Faced Recruit
Joined May 2002
All OS vulnerable to user
04/21, 2:10pm, EDT
But I think shawnce is glossing over the fact that once again OS X in its default configuration was invulnerable to remote exploits and attacks. This has been true since 10.2 at least.

A Windows machine put on the internet in the default configuration prior to XP SP1 would have been owned within seconds.
Senior User
Joined Jul 2004
it's a win-win solution
04/21, 2:52pm, EDT
"Fact is that computers are vulnerable to malicious attacks via internet browsers because customers would never accept the alternatives."

Customers are never presented with alternatives. Fixing the flaws in Safari wouldn't cause customers any problems: using a download manager that gives you the option of opening the file, examining it, viewing it in Finder, and so on would be more convenient for the user since they wouldn't be presented with the necessity of making spot decisions about whether to open files or allow installers to run... they could examine and open downloaded files at their leisure. In addition applications could provide sandboxed versions to be used when opening documents from the download manager... for example, back when Word macros were the usual medium of attack we used to use "Word Viewer" as a sandbox for opening Word documents since it didn't support macros, and one of the nice things about Netscape at the time was that it used its own application database so we could have Word files in web pages opened in this sandbox.

Fixing these problems would actually improve the user experience and give them more *justifiable* confidence in the security of the system.
Fresh-Faced Recruit
Joined Jan 2005
lost message?
04/21, 2:57pm, EDT
Damn, my first post didn't get posted... and this stupid page has broken "back".

Makes my "win-win" message confusing.

In it I described a couple of simple things that could be done to improve the security of web browsers on Mac and Windows, by changing from a model where desktop applications are assumed to be able to handle untrusted documents to one where only applications that explicitly register themselves for use on untrusted documents would be available from browsers.

I will try and reconstruct the whole message from memory because it's gone from my browser cache.
Fresh-Faced Recruit
Joined Jan 2005
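The two comments above ("it's a win-win solution" and "lost message?") sketch a policy in which browser downloads are treated as untrusted and only applications that explicitly register for untrusted input may open them, with everything else parked in a download manager for later review. The following Python is an added illustration of that policy, not code from MacNN, Apple or either commenter: documents carry an "untrusted" taint, handlers declare whether they accept tainted input, tainted documents with no opted-in handler are held rather than forcing a spot decision, trust is granted only by an explicit user action, and a file derived from a tainted document inherits the taint. The application names, document types and paths are made up for the example.

```python
"""Toy model of the "register for untrusted documents" policy discussed in
the comments above. Added example; not code from MacNN, Apple or any
commenter. Application names, document types and paths are made up."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Handler:
    name: str
    doc_types: frozenset          # document types this application opens
    accepts_untrusted: bool       # explicitly registered for untrusted input
                                  # (e.g. a viewer with no macro/script engine)


@dataclass
class Document:
    path: str
    doc_type: str
    untrusted: bool               # taint: arrived via a browser download


class Dispatcher:
    """Routes documents to applications according to their taint."""

    def __init__(self) -> None:
        self.handlers: list = []
        self.held: list = []              # "open at your leisure" queue

    def register(self, handler: Handler) -> None:
        self.handlers.append(handler)

    def candidates(self, doc: Document) -> list:
        fits = [h for h in self.handlers if doc.doc_type in h.doc_types]
        if doc.untrusted:
            # The one policy decision: tainted input never reaches a handler
            # that did not opt in to receiving it.
            fits = [h for h in fits if h.accepts_untrusted]
        return fits

    def open(self, doc: Document) -> tuple:
        """Returns ("opened", handler name) or ("held", None)."""
        fits = self.candidates(doc)
        if not fits:
            self.held.append(doc)         # no spot decision forced on the user
            return ("held", None)
        return ("opened", fits[0].name)

    def trust(self, doc: Document) -> Document:
        """Deliberate user action after review; the only way to clear the taint."""
        if doc in self.held:
            self.held.remove(doc)
        return Document(doc.path, doc.doc_type, untrusted=False)

    @staticmethod
    def derive(src: Document, path: str, doc_type: str) -> Document:
        """A file produced while handling a tainted document inherits the taint."""
        return Document(path, doc_type, untrusted=src.untrusted)


def build_dispatcher() -> Dispatcher:
    # Made-up registrations: the full word processor does not opt in, the
    # macro-free viewer does, and the installer never accepts tainted input.
    d = Dispatcher()
    d.register(Handler("Word", frozenset({"doc"}), accepts_untrusted=False))
    d.register(Handler("Word Viewer", frozenset({"doc"}), accepts_untrusted=True))
    d.register(Handler("Installer", frozenset({"pkg"}), accepts_untrusted=False))
    return d


def demo() -> dict:
    d = build_dispatcher()
    doc = Document("~/Downloads/invoice.doc", "doc", untrusted=True)   # constructed input
    pkg = Document("~/Downloads/update.pkg", "pkg", untrusted=True)    # constructed input
    return {
        "doc_untrusted": d.open(doc),          # routed to the viewer, not Word
        "pkg_untrusted": d.open(pkg),          # no opted-in handler: held
        "held_count": len(d.held),
        "pkg_trusted": d.open(d.trust(pkg)),   # after explicit review: Installer
        "derived": d.open(Dispatcher.derive(doc, "~/Documents/copy.doc", "doc")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The point of the model is that the decision is made once, at registration time, by the application author who knows whether their program can safely parse hostile input, instead of being pushed onto the user as a dialog at every download.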
open up your players!
04/21, 3:15pm, EDT
The other day I happened to be in Frys Electronics and I decided, since I'd given my daughter my iPod after she broke hers and the store I bought it from refused to honor their extended warranty because the sales-clerk had made a mistake in copying down the serial number and I hadn't caught it (my eyes are not good enough to easily make out those teeny letters on the back of the iPod).

So, first... a side comment: Apple's preferred codec for music is what they call AAC but everyone else calls MPEG-4. Internally, Apple's file extensions are "m4a" for MPEG-4 audio (AKA unencrypted AAC), "m4v" for MPEG-4 video, and "m4p" for Fairplay-encrypted MPEG-4 (AKA encrypted AAC). Apart from "m4p" none of these are Apple-proprietary and anyone *could* implement them. In fact, I have played unprotected AAC music in MPEG-4 players just by changing the file extension from "m4a" to "mp4".

Obviously, none of the other players were iTunes-compatible to the extent of being able to play "protected AAC"... but almost none of them could play MP4 music at all. Only two of the flash-based players supported anything but Microsoft's proprietary codec (WMA) and MP3. One also supported Ogg-Vorbis, and another by Sony supported AAC as well as Sony's proprietary format. I've got a few hundred tracks from the iTunes music store. I've got thousands of tracks from my own CD collection (which is perfectly legal, this is not "stolen music" thank you very much). I can handle re-encoding a few hundred tracks (in fact I've already done that), but not to throw away all the time I've already spent ripping my CD collection.

I didn't care for the Sony player, so I didn't buy any of them. Why should I? Even if I was willing to go through the work of re-ripping all my CDs, I'd have to (legally) re-encode most of my (legally purchased) CDs into the lower quality or bulkier MP3 format, or switch to Microsoft's music software (with its inherent security holes).

So the real "lock in" to the iPod has nothing to do with Fairplay. It's due to the decision of the people making the players not to include MPEG-4 capability in their players... instead, they've bought Microsoft's promises and are suffering buyer's remorse.

Until they start shipping players that play (non-proprietary) MP4 (AAC, M4A) files they have no business complaining about Apple's format "locking them in". They did it to themselves.
Fresh-Faced Recruit
Joined Jan 2005
re: missing the point...
04/21, 4:30pm, EDT
"Customers are never presented with alternatives. Fixing the flaws in Safari wouldn't cause customers any problems: using a download manager that gives you the option of opening the file, examining it, viewing it in Finder, and so on would be more convenient for the user since they wouldn't be presented with the necessity of making spot decisions about whether to open files or allow installers to run... they could examine and open downloaded files at their leisure. In addition applications could provide sandboxed versions to be used when opening documents from the download manager... for example, back when Word macros were the usual medium of attack we used to use "Word Viewer" as a sandbox for opening Word documents since it didn't support macros, and one of the nice things about Netscape at the time was that it used its own application database so we could have Word files in web pages opened in this sandbox."

These are the kinds of example I meant when I said that customers wouldn't stand for it. Yes, you and me and other "power users" would benefit but the millions and millions of "regular" computer users (on all platforms, not just Mac OS) don't want to have to open their files in a "sandboxed" app. They don't want to be presented with dialog boxes where they have to make a choice every time they want to do something. They don't want to put their admin passwords in each time they go to a different website. This is reality. This is why hacking via the internet browser will always be an issue no matter what OS a person uses. There are always going to be exploits that haven't been thought of.
Fresh-Faced Recruit
Joined May 2002
re: opening up your playe
04/21, 4:33pm, EDT
..and you are posting this here why?
Fresh-Faced Recruit
Joined May 2002