View this article at: http://dev.macnn.com/articles/06/03/07/os.x.security.challenge
Tuesday, Mar 07, 2006 9:40am

Mac OS X Security Challenge...

A new Mac OS X Security Challenge has emerged, following a report that one user was able to hack into Mac OS X within 30 minutes. Created in direct response to the "woefully misleading ZDnet article," the challenge ends on March 10 and offers no prize. The creators of the new challenge say that the reports on the previous Mac OS X Hack failed to mention an extremely important factor--that users were given an SSH account on the box. The ZDnet article, first referenced by MacNN yesterday, has since been updated to note that user were given local accounts. Some, however, have objected to the challenge, saying that it is merely a test of Apache and SSH on PowerPC-based Mac; however, Dave Schroeder, the contest creator, says that "that is how most of the world will see Mac OS X externally."

"Anyone who wished it was given a local account on the machine (which could be accessed via ssh). Yes, there are local privilege escalation vulnerabilities; likely some that are 'unpublished'. But this machine was not hacked from the outside just by being on the Internet. It was hacked from within, by someone who was allowed to have a local account on the box. That is a huge distinction." Local accounts could allow hackers to exploit many 'unpublished' (as noted by the "gwerdna" hacker) and older known security vulnerabilities that Apple has not yet addressed. However, most users will not offer hackers these accounts, thus dramatically distorted the overall security picture of Mac OS X, according to Schroeder. The challenge invites hackers to alter the web page at test.doit.wisc.edu, hosted on PowerPC-based Mac mini running Mac OS X 10.4.5 with Security Update 2006-001 and two local accounts; the creators note that the machine has both SSH and http ports open, which is "a lot more than most Mac OS X machines will ever have open."