MacBook Hacked in Seconds in Pwn2Own Contest


The CanSecWest Pwn2Own hacking contest had barely begun before an Apple MacBook running the Safari Web browser was compromised. The successful security attack was carried out by Charlie Miller, the same contestant who hacked into a MacBook last year.

According to ZDNet, Mr. Miller was able to breach the Mac's security with a remote attack that only required the MacBook user to click a specific link in the Safari Web browser. "It took a couple of seconds," Mr. Miller said. Mr. Miller's exploit last year took advantage of a security flaw in the Safari Web browser, too.

Another hacker going by the name "Nils" also executed a successful exploit against Safari, and also managed to hack through Microsoft's Internet Explorer 8 as well as the Firefox Web browser running on a Sony Vaio with Windows 7.

While the hackers did win prizes for their successful exploits, they don't get to share their code with the public. The contest rules give ownership of the hacks to TippingPoint's Zero Day Initiative, which will provide the information to Apple, Microsoft and Mozilla to help patch the security flaws.


14 Comments

JulesLt

The good news here is that they’ve basically given up on the first day event - when people had to try and hack into the computers remotely - as all O/S now pass in shipped configuration.

B9robot

The whole thing is fake. And physical access to the machine isn’t a real test of any security. Have him try over a network with no admin rights, no passwords.
He won’t get in, PERIOD!!!

vasic

Not to mention that he had as much time as he needed to develop the hack. He didn’t write the exploit then and there; he gave them a link to a web site which he developed and tested. For all we know, he could have been working on that site since last year and only finally succeeded in making it work yesterday.

Let the Windows sufferers rejoice for one day in the year (“Your OS is just as bad as mine!”). Tomorrow, it’s back to the virus-laden, antivirus-CPU-hogging reality…

Dean Lewis

It’s pretty telling, also, that IE8 and Firefox failed pretty much just as fast, and yet they always attack the Mac first. What gets headlines and notoriety? Attacking the Mac. Which computer do they want to win? The Mac.

I agree with Jules and B9. The real news here is that they’ve all given up on actual hacking and resort to user ignorance exploits. Users clicking on any old links will always be a problem, and patches to the browsers will be necessary, but getting a user to click on your link is a whole different animal than hacking through security.

Lee Dronick

Question. I understand that we don’t have any details of the hack, but did he have access to the MacBook, did he install something on it that allowed the hack to work? If one of us were to click on the link would he be able to take over the Mac?

mrhooks

The report says “remote attack.”  Sounds like a malicious website that depends on user stupidity to be effective.

Lee Dronick

The report says “remote attack.” Sounds like a malicious website that depends on user stupidity to be effective.

Well, if that is the case and the mere clicking on a link allowed the take-over, he must have had some java code or whatever in the link. I hope that Apple gets a fix soon. I wonder if Safari 4 is vulnerable?

drew

The report says “remote attack.” Sounds like a malicious website that depends on user stupidity to be effective.

The report doesn’t mention any user stupidity, but it does state:

“a remote attack that only required the MacBook user to click a specific link in the Safari Web browser”

This is bad news - a malicious site can gain access to your files. I love using a Mac, but don’t be fooled into thinking this is not a real security issue. It requires a user to navigate to a page & click a link, when was the last time you did that?

deasys

Miller was able to breach the Mac’s security with a remote attack that only required the MacBook user to click a specific link in the Safari Web browser

Since when is sitting at a computer you intend to compromise considered a “remote attack?”

daemon

Since when is sitting at a computer you intend to compromise considered a “remote attack?”

When you’re demonstrating a proof of concept.

Drew

Since when is sitting at a computer you intend to compromise considered a “remote attack?”

The attack comes from a webserver (that is the remote bit). Physical access isn’t required, but a user is required to click a link on a malicious site. It is a basic ‘phishing’ scam that has been compromising Windows machines for years, it isn’t good news if it can be performed on a Mac too.

It may be possible to deliver the attack via other methods, such as Flash movies or Quicktime files that contain links to the hack method.

It’s really easy to assume the mac is safe & secure, but this shows it isn’t, and Apple should be embarrassed that these flaws exist.

JulesLt

I understand from further interviews that he actually knew about the vulnerability over 12 months ago - i.e. it’s one he saved from last time, so he could win another Mac this year.

It’s a good enough prize to encourage you to try. There is the moral question on whether it should have been reported anyway, but I can’t blame the guy for winning a MacBook AND generating lots of publicity for himself as a security consultant... and, crucial point, one who uses OS X, not Windows or Linux, as his main platform.

I also think that clicking on a link to a ‘bad’ page is a valid approach.  Hijacking reputable sites is something that hackers do (even part of apple.com was defaced by hackers at some point in the past 2 years).
Equally, it’s ridiculous to pretend that people aren’t going to visit ‘less safe’ parts of the Internet.
 
As regards needing Java code, etc, on the link - as I understand it, plugins are disabled on the first day - i.e. it cannot be a problem in Flash, Java, etc.

From a hacking point of view, what you try to do is get the processor to ‘jump the tracks’ and execute something that was hidden as data - which could be anything from images to XML data to JavaScript code.

HOWEVER . . . . and this is a big however . . . . looking on the CanSecWest website the definition of ‘owned’ is ‘code execution within context of application’.

Now, that ignores the difference on what you can do once you gain ownership of the browser - i.e. do wider security features of the operating system prevent bad things happening?
(As it happens OS X isn’t as good as people think it is - if you look at the improvements in Leopard and Snow Leopard you can see how much better they are than 10.4)

JulesLt

Drew - none of the browsers escaped unscathed, and realistically software flaws will be with us for a long time (certainly while we write code in C++).

The key thing with security is defence in depth - if we presume the browser code has problems, what can we do to protect against them?

We can ensure that the processor cannot evaluate data as code - Snow Leopard does this better than Leopard, and Tiger/Leopard did it better than XP. That will eliminate the single most common category of security problems, with

The other big thing is sandboxing processes at the O/S level - we presume the hackers are still going to pwn Safari, so we make sure that rather than being able to do anything a user can do, the Safari process is restricted as far as possible.

I trust that a lot more than hoping automated code analysis and manual code reviews will find all the possible bugs.
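As an added example (not part of the article or of any commenter's post), the following C program demonstrates the first layer JulesLt describes: bytes that an attacker manages to place in a writable data page cannot be executed until the page is deliberately made executable, and the page is never writable and executable at the same time. It assumes a POSIX system with NX enforcement on x86-64 or aarch64 (Linux was used when writing it); the machine-code bytes are a hand-assembled function that simply returns 42, standing in for attacker-controlled data. The second layer from the comment, sandboxing the browser process, is not shown here.

```c
/* Added example for this page: "data is not code" (NX / DEP / W^X).
 * Assumes POSIX + NX-capable hardware; Linux on x86-64 or aarch64 was tested. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

#if defined(__x86_64__)
/* mov eax, 42 ; ret */
static const unsigned char kReturn42[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };
#elif defined(__aarch64__)
/* movz w0, #42 ; ret  (little-endian instruction encodings) */
static const unsigned char kReturn42[] = { 0x40, 0x05, 0x80, 0x52, 0xC0, 0x03, 0x5F, 0xD6 };
#else
#error "this example targets x86-64 or aarch64"
#endif

static sigjmp_buf g_recover;

/* The CPU refuses to fetch instructions from a non-executable page and the
 * kernel delivers SIGSEGV (SIGBUS/SIGILL on some platforms); jump back out. */
static void on_fault(int sig) {
    siglongjmp(g_recover, sig);
}

/* Copy kReturn42 into a fresh anonymous page and try to call it.
 * make_executable == 0: the page stays read/write (plain data); the call faults.
 * make_executable != 0: write permission is dropped and exec added (W^X).
 * Returns 42 if the bytes ran, -1 if execution was blocked or setup failed. */
int run_bytes_from_page(int make_executable) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *mem = mmap(NULL, page, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return -1;
    memcpy(mem, kReturn42, sizeof kReturn42);

    if (make_executable) {
        /* Never RWX: remove write before granting exec. */
        if (mprotect(mem, page, PROT_READ | PROT_EXEC) != 0) {
            munmap(mem, page);
            return -1;
        }
        /* Required on aarch64 so the instruction cache sees the new bytes. */
        __builtin___clear_cache((char *)mem, (char *)mem + sizeof kReturn42);
    }

    struct sigaction sa, old_segv, old_bus, old_ill;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    sigaction(SIGILL, &sa, &old_ill);

    volatile int result = -1;
    if (sigsetjmp(g_recover, 1) == 0) {
        int (*fn)(void);
        memcpy(&fn, &mem, sizeof fn);   /* object pointer -> function pointer */
        result = fn();                  /* only succeeds on an executable page */
    } else {
        result = -1;                    /* faulted: data page was not runnable */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    sigaction(SIGILL, &old_ill, NULL);
    munmap(mem, page);
    return result;
}

int main(void) {
    printf("RW page (data only): %d\n", run_bytes_from_page(0));
    printf("RX page (code):      %d\n", run_bytes_from_page(1));
    return 0;
}
```

Build with `cc -o nx_demo nx_demo.c && ./nx_demo`. The first call reports -1 because the hardware refused to execute the data page; the second reports 42 because the same bytes were explicitly mapped as code. This is why, on a system that enforces this layer, an attacker who controls only data has to reuse code that is already executable rather than injecting their own, and why the sandbox around the browser process is the next layer that matters.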

Drew

HOWEVER . . . . and this is a big however . . . . looking on the CanSecWest website the definition of “owned” is “code execution within context of application”.

The problem is that browsers are allowed to access keychain items to make autofill convenient. Permission is set on a per keychain item basis, so gaining user account passwords should be difficult, but obtaining site passwords & usernames is possible. It could contain a lot of sensitive data if the details for a webmail account are accessed etc.
