A brand-new MacBook Air running a fully patched version of Leopard was the first to fall in a contest that pitted the security of machines running OS X, Vista and Linux. The exploit took less than two minutes to pull off.
What's that strange cracking noise?
I think it's the sound of backlash
I feel a giggle coming on....
Interesting.
No one tried to attack any of the core OS parts on any of the OS's
Miller's win came on day two of the contest, which gradually eases the rules for what constitutes a qualifying exploit. Not a single attendee entered the contest on day one, when all vulnerabilities had to reside in the machine's operating system, drivers or network stack. Winners were eligible for a $20,000 prize.
On day two, the attack surface was expanded to include browsers, mail applications and other common applications, and the bounty was reduced to $10,000. Contestants on day three will be allowed to attack still more applications, such as Skype, QuickTime and browser plugins for a $5,000 prize.
"In a perfect world... spammers would get caught, go to jail, and share a cell with many men who have enlarged their penises, taken Viagra and are looking for a new relationship."
A couple of points, 2 minutes isn't really the issue, because this obviously had taken some crafting beforehand.
What is serious is what the hell is a browser doing running as a super user, or in a way that it can jail break to become one. I can't help but feel that little has been done to prevent it.
Yes it will always be possible to find a hole in any OS, odds are, as all it takes is ONE bug in MILLIONS of lines of code.
But here is where the big but comes. As a kernel NT has always been well designed from a security point of view, then with the wake up call of mostly harmless things like Blaster and the more playfully malicious exploits for SQL Server and Back Orifice etc. as well as the IIS exploits of old. This really was a wake up call for most people (those who remember Linux back in the 2000 era days won't begin to say it was secure, root hat anyone!).
But this is why I dislike Apple, they've made no efforts to recognise that people will do this sort of thing, their market share is a bizarre mix of people who normally don't seem to use much rational logic in their choice of system, as such they've no need to worry about security. As Apple don't try to make anything that's remotely enterprise, they've got no one demanding security. Whilst they have the audacity to run ads that suggest they have no viruses (anyone who says their OS doesn't have a virus deserves someone to write one then and there to shut them up).
But in all honesty Apple lost because so few people spend time looking for bugs in their code normally, that when someone does on an equal market share platform, people will find them. If this was to be remotely realistic, the price for Vista should have been well into the 7 digits, maybe scraping 6 for Ubuntu and perhaps 50p for OSX. Then you'd find the Vista box would probably have fallen just as quickly.
throw new ArgumentException (String, String, Exception)
Thats hilarious
I don't see this as being a serious problem in the slightest.
It is nothing to do with the security of OSX or Apple machines compared to Windows based machines, this is again a case of exploiting user error and stupidity rather than simply a software bug or problem.
"The exploit involved getting an end user to click on a link" - this is no different than getting the user to click a link that installs a trojan, or runs a remote command.. it's user and security policy issues rather than a problem with OSX itself. It's not like a cracker can just break into an OSX box running Safari themselves, it has to involve a user doing something they shouldn't (ie in this case, clicking on a malicious link).
The same issue would come up with a misconfigured Windows or Linux box just as easily.. it just happens that OSX is a popular target these days, due largely I'm sure to all the idiotic claims that OSX has no viruses or is more secure than Windows.
Spud1, the point is that a machine that's fully patched should not be infected by going to a link.
If a security warning came up and they clicked yes, then that would be a different matter.
The interesting thing this test proved is that none of the boxes could be broken into remotely in 1 day. Either that or the people there weren't that good, make your own conclusions.
Also that none of the other OS's in an out of the box auto patched state could be compromised, only the OSX. That in itself is pretty damning.
throw new ArgumentException (String, String, Exception)
Yes you're right - but most people will just read that "OMG OSX was haxored lol!!11!" or similar, whereas I think it's important to point out that it needs a user to initiate the exploit.. which is a totally different thing.
Anyway as you say the most interesting thing is that none of the boxes were hacked at all on day one, which is a really good thing - a few years ago things would have been totally different there across the board, so hopefully that's a sign that our OS's are getting safer.
I'd be tempted to say that actually it's probably a sign of how low par the attendees were, or how little the prizes tempted them.
The point is that browsing to a site is hardly something that can be considered a user attack. Users should be able to browse to any damn website without it compromising the entire machine. Do you trust every hop that's between here and the HEXUS forums?
It's a VERY serious flaw, make no mistake. OSX was broken and it was the only OS to be. Surely that's an incredibly bad sign?
throw new ArgumentException (String, String, Exception)
"He said he didn't test the exploit on any other platform. As a Mac user, he added, he felt an incentive to exploit the system because he believes it will help make the platform stronger."
That should give him a credit in a future Security Update.
Also, mondo geek-points, knowing glances amongst the 733† crowd, and a warehouse full of Hentai are belong to him, presumably.
@TheAnimus I think that's a rather unfair comment and it's important to note that this isn't just some random person going in and crippling the system in a couple of minutes, it's some guy who knows what he's doing and has spent the time searching for exploits so that he can crack the system.
And also, windows has just been broken as well (from engadget news) so OSX is not the only one.
Perfectly fair comment, he did it in 2 minutes, meaning his design needed little or no adjustment to get it to work. Odds are it could easily have been executed by a script kiddie rather than the whitehat.
It hadn't at the time of my writing, it's also interesting to note it took a lot longer to get it to work, collaboration between two researchers in the end on day 3. Now security protection paradigms like DEP et al can often be worked around, they do add this extra bit of effort. Regrettably on a platform with a market share like Windows, it's well worth the extra effort to get round it.
What really grinds my gears about OSX is they've no excuse, they've taken a really good OS and screwed it up. Yes the people at OpenBSD are w**kers who'll never know true love, but look how few vulnerabilities their anal retentiveness has given that distro, whilst there will be bugs that could compromise the system outstanding almost certainly, at least they have some reason to be arrogant about security (still obviously it's stupid to be). OSX on the other hand really should hang its head in shame, at least MS can pass the buck to Adobe slightly.
throw new ArgumentException (String, String, Exception)