“An Apple Mac was the first victim in a hacker shoot-out to determine which operating system is the most secure. A former US National Security Agency employee has trousered USD 10000 for breaking into a MacBook Air at CanSecWest security conference’s PWN 2 OWN hacking contest. The MacBook was lined up against Linux and Vista PCs – which have so far remained uncracked. Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but yesterday the rules were relaxed so that attackers could direct contest organisers using the computers to do things like visit websites or open email messages. The MacBook was the only system to be hacked by Thursday. Miller didn’t need much time. He quickly directed the contest’s organisers to visit a website that contained his exploit code, which then allowed him to seize control of the computer, as about 20 onlookers cheered him on. He was the first contestant to attempt an attack on any of the systems.” There is more bad news for Apple: “If you have Apple and compare it to Microsoft, the number of unpatched vulnerabilities are higher at Apple.” Update: The contest is over. Vista got hacked using Adobe’s Flash, Ubuntu was left standing.
LMFAO THIS IS HILARIOUS….
OSX the first to go down in flames, Vista and Linux standing strong. That’s just funny with all of OSX’s flogging that it’s so safe and secure.
The real challenge will be to see if vista or linux gets hit next
It’s worth remembering that when it came to attacks based directly at the platform rather than applications running on it, there were no contenders which bodes well for the default security posture of all three platforms.
Was this a case of OSX really going down, or was it related entirely to the flaw in Safari that opened the system to remote access?
I think it’s an important distinction because this is the direction the blackhats are moving in. The days of open ports in Windows are over, even Microsoft has taken to a more responsible security design. Linux and OSX already had a natural advantage in this area. So attacks will no longer be against the platform, necessarily, but more against the applications running on top of them. Browsers, plugins, media players etc. will all be the focus of blackhat activity, and that is disconcerting because it means that vulnerabilities in an application on one platform could be easily transferable to other platforms. A flaw in Firefox is often a flaw in Firefox Win/OSX/*nix. The flaw in Safari that broke OSX could easily apply to the Windows version as well, hard to know without disclosure yet.
It’s good that we have a choice of secure platforms to use, but now there is the whole issue of needing ISVs to take the same security approach that the OS vendors have often been forced to take, otherwise it will all be for naught. The platform can certainly help minimize the damage a rogue app exploit can cause in a cross-platform app, but it’s still an issue that will need to be addressed.
As much as I’m tempted to giggle a bit at the fact that OSX was the first to go down, I don’t think it’s Apple the OSX vendor that should be blushing. It’s Apple the software company that should be concerned, but that could just as easily have been Adobe or someone else. In fact, I was kind of expecting it to be Adobe with all of the Flash issues they’ve had lately.
Anyways, will be interesting to watch and see what happens over the rest of the contest.
From the Register:
“Charlie Miller, who was the first security researcher to remotely exploit the iPhone, felled the Mac by tapping a security bug in Safari. The exploit involved getting an end user to click on a link, which opened up a port that he was then able to telnet into. Once connected, he was able to remotely run code of his choosing.”
http://www.channelregister.co.uk/2008/03/28/mac_hack/
Do I understand this correctly? An interaction of the user has been required to achieve the goal of hacking?
From the description above: “Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but yesterday the rules were relaxed so that attackers could direct contest organisers using the computers to do things like visit websites or open email messages.” – Is this still hacking? Relying on user interaction can help you to compromise any system. I always thought this is nothing spectacular because nearly anyone can do such “easy” stuff (faked maintenance websites, faked system alerts etc.). The same techniques could have been used to hack into the Linux and “Vista” boxes as well, just if the user replies to a mail like “Dear Bob, please send me your root password back. thanks!”
I believe that the user had simply to visit the site with the exploit. That site might as well have been a Google search result.
Apple is already working on a fix, as they always do when these things come out so publicly.
“I’m a MAC”
“I’m a PC”
“And I’m a cracker. Bang! Bang! You’re dead!”
From the same link: “Not a single attendee entered the contest on day one, when all vulnerabilities had to reside in the machine’s operating system, drivers or network stack.”
Nobody even tried under 1st day rules, because exploits were very unlikely. As Elseware already mentioned, the days of zero user interaction remote exploits are pretty much over. Even XP-SP2 can withstand that.
Yes it is. Because visiting an unknown website or opening an email is not supposed to be able to execute arbitrary commands on your computer.
You thought wrong, because the Ubuntu and Vista laptops were still being attacked under the same rules when the Mac was down (each had their own cash prizes), but they withstood the rest of the day.
Of course it is still classed as hacking. How do you think a Trojan horse operates? Exactly like the Trojan horse of legend. It would just sit there doing nothing until the people of Troy interacted with it, in their case, pulled it inside their town.
A computer Trojan horse is useless unless the user allows that into the system.
I think you made the case against, there. I for one think of “hacking” as actively breaking into a target system, without needing some unwitting assistance from the owner. Trojans and browser exploits cannot really be targeted towards a specific victim, unless you go to the trouble of performing some trick of social engineering, to get that person to run the trojan.exe or visit your poisoned website.
hacking = targeted, unaided
trojan-ing = indiscriminate, requires unwitting assistance of victim
Discussion welcome
If that is true, the following observations come to mind:
1) telnet itself is obsolete because of security reasons, and sshd should be off by default in desktop systems (and regular user should not be able to turn it on).
2) Only root should be able to open a port.
3) Even if arbitrary code is executed as regular user, it shouldn’t be able to get root account, except, maybe, by privilege escalation. Privilege escalation is an issue in Linux as well (as discussed in the “fakesudo” thread in Ubuntu forums), but I think the risk can be avoided if you never su or sudo from your regular user account. Instead, create a new user from whom you su or sudo, and run a lightweight DE with this user in another tty, just to run synaptic and things like that. I’m assuming a user program can run a fake kde session fullscreen, but it can’t capture CTRL+ALT+f8. I have to check that one, though.
So, even if it was a vulnerability in Safari, it was the OS’s fault if this led to a remote root login without the user entering its password. Not to mention that Safari is an Apple program, installed by default in OS-X, so there are no palliatives.
The telnet service is obsolete sure. Telnet as a client is an easy way to connect to an arbitrary service on an arbitrary port. Taking as a random example it is a good way to connect to an exploit that is listening on a port…
Uh… you are aware that if a Linux distro were so ill advised as to do this it would break many things? The idea is only root should be able to open privileged ports.
That is the definition of privilege escalation yes…
This has nothing to do with privilege escalation. this is malware.
It in theory will stop some privilege escalation attacks, but not all. In general setting up your system like that would be too inconvenient for most normal users (especially of OS X).
Well, I was assuming some firewall beyond iptables (something like firestarter) was present. I don’t know how much safer it makes the system, but I tend to use them. It doesn’t come by default in Ubuntu, though.
Right, maybe my usage of “privilege escalation” was incorrect, but “malware” is too general. What I meant is dialog spoofing and similar strategies, where you first control the user account and then get the root password from the user input. That’s what the fakesudo thread was about.
I’ve been using this setup for a few months in Linux. I expected OSX to have something more convenient and about as safe. I haven’t heard of a better way to avoid dialog spoofing attacks, but I’m open to suggestions.
Latest update, from the third day:
“2:30pm PST Update: Its been two hours so far, and both Vista and Ubuntu laptops are still standing. Stay tuned…”
Check for more updates here:
http://dvlabs.tippingpoint.com/blog/2008/03/28/pwn-to-own-final-day…
Yeah, I agree, and this is a worse threat, in my opinion, because few applications have the scrutiny that the OSes have.
I don’t know, when webkit is considered to be a core api, it needs to be treated as such. same with ie on windows. or with khtml on kde.
Firefox is just another app as far as the os is concerned.
Standing strong? Nobody TRIED to hack them.
You’ll see that they were, on each day they relax the rules if they can’t hack them. It’s kind of like trying to shoot a target at shorter and shorter range.
Yup, OSX sucks hard!
Let’s see how quickly I get modded down for this
Well – according to the site the next one was Vista. They used a 0day exploit in Adobe Flash and cracked Vista.
Ubuntu was the survivor of the contest as far as I understood.
Seems Linux still is the most safe OS – at least in this contest. Too bad they did not include the BSD flavors and things like Solaris, but I am very pleased with this outcome…
No…they knew of vulnerabilities in Linux. Nobody wanted to go through the effort to do it.
The glitzy got hacked first.
It will be interesting to see which laptop gets pwned next.
It would be nice if Ubuntu holds its ground. That said, Ubuntu isn’t the most secure distribution out-of-the-box, since AppArmor or SELinux aren’t configured by default.
Fedora or RHEL would have been better contenders because they have more security defense mechanisms by default.
I think the goal is to use common, default setups. And let’s face it, Ubuntu is the common distro at this point. In other words, I think it makes sense to settle for Ubuntu.
“And let’s face it, Ubuntu is the common distro at this point.”
Why don’t you face reality, there is no common distribution. Your comment amounts to another person saying that Toyota are the only cars because they are the most common on the street where they live and the most shown on their TV channels …
It’s as if you declared Music to be only Celine Dion because she sells more records locally and worldwide than others …
WII are the console market as they are the most numerous sold, Xbox and PS3 don’t exist.
GNU/Linux has many distributions with millions of users worldwide.
BTW Ubuntu sabotaged by Dell offer is around half a million sales. Asus EEE PC have sold 10 million worldwide, they come with Xandros. So your common argument is invalid by sales.
If the most common argument was to be used Apple would not be there as they only have 22 million users/clients worldwide. There are many GNU/Linux distributions with far more users than that.
Your argumentation is false, and flawed.
Get over yourself. They only have one computer to equip with Linux, and only one distribution to run on it. Ubuntu is the most popular, whether you like it or not.
Well, to be honest Mollinneuf was somewhat correct when pointing out that the EeePC has been very successful and probably is about to turn Xandros THE layman Linux distro. Ubuntu has a large mindshare within geeks and earlier adopters and the fact that ShipIt will send free CDs free of charge to whomever asks for it certainly has something to do with it but I still think that you’re jumping the gun a little when saying that Ubuntu is Linux for all intents and purposes. It isn’t for me and for a lot of people that I know (and I DO know personally lots of Linux users, mind you!)
The distro that the eee pc (I have one) is based upon is Xandros. It is not Xandros itself. It is thoroughly consumerised and appliancised. So it is questionable whether it is at all accurate to say that the eee pc runs Xandros. And does it really matter what OS an appliance runs anyway? Until you install a real OS, the eee pc really is just an appliance.
When I got mine, the first thing I did was install Ubuntu. I’ve since moved it to Fedora 8, not because I was unhappy with it, but because I wanted to get all my machines running the same distro.
I would wager that most of the eee pc’s out there are either still running as appliances, or are running, as real laptops, with something that isn’t Xandros.
And I’ll bet that a lot of those are eeebuntu or Ubuntu.
Edited 2008-03-29 22:45 UTC
I’m betting they are running Windows XP for the most part…
at least that’s my experience tracking a forum thread on the topic…
Agreed that it is an appliance based on Xandros but then Xandros is the closest thing to a Linux distro that ships with EeePC. When you turn on the “advanced desktop” thing, it is a Xandros KDE desktop, isn’t it? I realize that there are lots of distros out there that have releases specifically for Eee but I’d bet that most people don’t really change what comes with the laptop by default.
Had they used a Linux for Scratch base, I’d agree with you 100% that it is not Xandros but let’s face the facts: Xandros hit the home run with this one. Canonical didn’t even see this one coming! I don’t know how this deal helps their Linux business – if it helps at all – but let’s give credit where credit is due.
Disclaimer: I use Debian Lenny so I’m not a Xandros fanboy. Just pointing out that they made a great move to promote their Linux business when they managed to get their distro installed into the EeePC…
Ubuntu has large mindshare among geeks? The geeks I know regard Ubuntu as African for “Can’t install Debian”.
Actually, the only non-geeks I know that actually use Linux at home are always using Ubuntu. The Eee PC may be gaining ground, but at least here in Norway Ubuntu is definitely the most popular distro. Especially among non-geeks.
If the deciding factor for most appropriate distro to represent Linux was “most vocally present group” then Ubuntu might have been the correct choice. Meanwhile, back in the real world, Redhat has been around far far longer than Ubuntu, is installed in the enterprise around the world and used by thousands daily for real world computing not just the “lookit ma I can install Linux now too” crowd.
Yes. It is a well known fact that Ubuntu cannot be used in the enterprise, or for real world computing. Just ask Google.
Normally I won’t call somebody an idiot until they’ve posted at least twice, but you can only be so flagrantly wrong before you deserve it.
These are laptops, Ubuntu is the most common desktop/laptop Linux distro currently.
Before I get accused of fanboyism or anything I’ve recently started moving my desktop / laptop to Debian.
[Edited for clarity]
Edited 2008-03-29 17:09 UTC
Here’s a nice summary of the rules of the game in the Arstechnica forums:
http://tinyurl.com/26spyy
The important part (and most damning for Safari/OS X) is that each of the three machines had their own $10,000 cash prize, and the attacks on the Vista and Ubuntu machine continued after the Mac was down, but nobody succeeded in exploiting the other two. Which pretty much silences any objection that somehow the Mac was a more attractive target (well, apart from being easier to crack).
Oh, and if you followed my link, you would have been susceptible to these sorts of attacks
At the 24C3 (hacker congress in Berlin) lots of people had 0day exploits for MacOSX laying around. But at the moment nobody is buying them (MS does buy Windows exploits, Apple does not buy OSX exploits).
Hackers have to eat (BTW they would/will sell to botnet people if MS does not pay).
Exploits are a big business nowadays.
…Apple is being unmasked in front of everyone. Good. This will teach them not to make false claims about their oh-so secure and infallible O.S. I’m glad that for all the criticism, Vista was able to hold its ground (hey, UAC does work after all, who knew?). So what do y’all have to say now, Apple fanboys? I guess the best thing to do here is to admit that you’ve been 0wned.
Linux I expected to do well, since it has its roots from Unix and likewise is designed to be secure by default. No O.S. this side of the Universe will beat OpenBSD in security though, and I would’ve liked to see that amazing O.S. included in this test as well.
Nobody has said the Mac is invulnerable. The biggest claim is in the virus related arena. As a Mac user, I am glad that the exploit was found. Now it can be fixed. That is good.
C’mon, the Mac vs PC commercials imply as much. Mac users live in glass houses, and they really shouldn’t be throwing stones.
Edited 2008-03-29 01:15 UTC
Where is it implied that they are vulnerable?
I really would like to see where this is stated.
Read for comprehension. I said they implied they were invulnerable compared to a PC.
Do you even hear yourself? OS X is BSD, as opposed to Linux. And it’s not even OS X that has a problem, it’s Safari.
Wrong. If OS X ships with a particular piece of software, it’s OS X, by definition.
And it’s not even OS X that has a problem, it’s Safari.
I don’t know about that, if a user application exposes a back door into the core OS, isn’t that the OS’s fault for having a back door? Seems that an OS should have a failsafe core design that prevents a compromise in the case of a problem on the user’s end.
BSD running an Apple-made DE and other bits. And it was one of those other bits that got hit, not the BSD bit.
OpenBSD is indeed very secure by default, but once you install stuff on it, it is vulnerable like anything else.
Actually it is not if you install software from OBSD ports.
Please, what a load of nonsense. Anything in ports is just as insecure as it is on any other operating system.
Clearly you have had no experience with a BSD system then.
>Clearly you have had no experience with a BSD system then.
… Are you trying to be silly? Are _BSD developers maintaining super-duper secure forks of everyone’s favourite *nix programs that the rest of us aren’t aware of? I don’t think so. At best there are custom patches for compatibility purposes.
Yes, I was having a laugh, sorry there is no <sarcasm> icon here though
What he said is mostly correct, though. Just go to http://www.openbsd.org/ports.html and read the big red text if you don’t believe that.
Even if the piece of software IS insecure, most attacks won’t have any chance in OpenBSD.
Read this.
http://en.wikipedia.org/wiki/OpenBSD_security_features
Agreed…
It’d be good to see all of the BSDs included, really. It’d make for some interesting comparisons.
– latte
Flame War!
no one wants windows vista
At work, I speak to a lot of average users every day. Some of them with their “Very First PC ™”.
These people might not know a lot about computers, but the ones who have used computers at their friend’s house or workplace all complain that they HAD to take the machine with Vista and that it was a pile of poo.
The other people with no actual computing experience cannot believe how much hassle their systems are, as they believed the advertising that Vista is amazing. etc etc
So, in MY experience, you are correct. No-one wants Vista.
Unfortunately, this sort of thing is going to continue until consumer OSes approach system security the same way as they treat stability, and enforce it at the per-process – or even per-object – level.
The current ‘fortress wall’ security model may be fine for server OSes, where experienced sysadmins are expected to earn their pay constantly manning the outer defences against any hostile intrusion. It’s utterly inadequate for end-user systems, however, where (like it or not) most anything goes. Compromised processes are inevitable in such uncontrolled environments; the only question is whether or not they take the rest of the system down when they go.
Apple and Microsoft dealt with the inherent stability problems of OS9 and Win98 by introducing true per-process memory protection. It’s about time they applied the same approach to security as well.
I suspect it needs to go deep, hardware deep…
What percentage of Mac users use Safari rather than something else? Does anyone have an estimate?
What percentage of Windows users use Internet Explorer rather than something else?
They’re probably around the same mark. Although some might argue that the average Mac user is more likely to know about other browsers than the average Windows user.
Meh, clutching at straws. Apple’s attitude to security is lax… almost complacent, and Microsoft, while they have a poor record in the past, they have at least learned from it.
Posted from Mac OS X, using Safari.
I remember reading somewhere that it was close to 80%. Don’t take my word for it though, ’cause I don’t even remember the source, and it was a long time ago.
Hurrah! OS X has achieved what Windows did many years ago.
My 13-year old son did the same thing last weekend while testing XP via VMWare on Linux. The Windows system was totally hosed within an hour via Internet Explorer.
I’ve known some, a very small group, of users who’ve run their Windows boxes without being breached. The same is for Linux, BSD and OS X users who are safe online.
Your comment just shows a total misunderstanding of the article and the state of security in modern desktop operating systems.
XP can be hosed within seconds by simply exploiting its default security holes and open ports.
No wonder your kid hosed your machine, it was simply by letting it onto the net.
Whereas the article stated that none of the machines was compromised remotely, the first one being compromised over the net was the mac due to an unpatched safari security hole.
I agree with others that Vista’s approach makes the most sense, they simply sandbox the browser which is probably the best approach you can do, every application which goes into the internet should be sandboxed, period!
Actually, my son wanted to validate what fellow Linux users were telling him about Windows security.
He followed the instructions at UbuntuGeek on setting up a VMWare server. Then he installed the original Win XP install CD that came with his Alienware box.
I suggested he go to a game emulator site. Sure enough, within minutes, his virtual XP instance was being set up to be remotely controlled.
After powering off and deleting the contaminated Windows container we booted up a clean-and-pristine backup and I showed him how to harden a Windows system.
He’s been running Linux for well over a year now after learning how to install it on his own at 12. He was less than impressed with the POS called Windows XP.
Since I religiously monitor my internal network I can say that under normal Internet activities our Linux and OS X systems are rock solid. Even our lowly XP system has yet to be compromised due to extensive hardening and teaching the users to be safe.
I must say I’m a little shocked that OSX went down before Windows. Perhaps it will cause the Apple people to take security a little more seriously. Now I’m not really interested in the flame war between OSX and Windows, I’m just a happy Linux & FreeBSD user sitting on the sidelines of the proprietary battle, but now that OSX is hitting its stride they need to secure their apps as well as the Unix base does for the OS.
I think Apple takes security pretty seriously when it comes to the OS, but there is definitely work to be done with Safari and Quicktime.
they can get me to click the link. Sorry, but an e-mail saying “We at Bank Of America need to update your account information, please click here” just isn’t going to get my click.
That, and I use Firefox.
Edited 2008-03-29 01:55 UTC
Just curious what the security settings were on all three platforms (especially the Mac)… Looking forward to all the details of the exploit.
I do find it funny how elated the Mac haters are. Theirs must be a pretty small world if Apple’s advertising campaigns stick in their craw so deeply.
Personally I think it’s great that chinks are being found in the armor. Apps like Safari and Quicktime have gotten a free pass for too long.
Question… Is there a similar competition where all three OS’s have been hardened?
According to
http://dvlabs.tippingpoint.com/blog/2008/03/28/pwn-to-own-final-day…
the Vista laptop was eventually hacked after the Adobe Flash plugin was installed.
I’ve got to be honest, I’m surprised and *very* impressed that both Vista lasted this long, and that the eventual downfall of the Vista machine was caused by non-MS code. I’m even more impressed that Ubuntu (which doesn’t run a firewall by default, and doesn’t use SELinux) is still going.
Combine that with the embarrassing result for Apple and the whole thing is really eye-opening.
Why are you surprised? I do not use Vista and am not particularly impressed with what I have seen of it but it has had a decent security record. Not outstanding, but quite decent, especially for Microsoft.
Again why?
1) Ubuntu has no services listening on an external address by default. This somewhat limits the utility or need for a firewall.
2) SELinux is not a miracle cure acting as the only line of defense on a Linux system. Properly configured SELinux makes a system more secure, no argument there. But if all applications running on the system are patched and do not have known buffer overrun or privilege escalation vulnerabilities then a system without SELinux can still be quite secure. The dire security need for SELinux is predicated on there being exploitable vulnerabilities on a system and an attempt to be made to use the exploit.
The trend I have been seeing on SELinux going from being seen as a tool to increase security to people arguing that a system is not secure without it is bothersome. The absence of SELinux does not make a system inherently vulnerable to attack. SELinux makes a system which has an exploit in need of being patched less likely to be compromised. The key here is the application with the exploit should be patched in any case.
Hear! Hear!
I would have further described it as “damned irritating”, as well. But you really hit the nail on the head, there.
Flash doesn’t even come with Windows by default, so should that even count?
Once again, OS X had been PROVEN UNDOUBTEDLY to be the most insecure OS ever created.
I’d better update my Mac anti-virus and spyware removal software.
I will never understand people who have vendettas against Macs. It is like having a vendetta against fuzzy bunnies.
Edited 2008-03-29 23:55 UTC
Geez, is it that hard to read sarcasm?
That was awesome.
Great news for Microsoft – now that people know Vista is secure I’m sure they will overlook all the other things they hate about it…
The contest really doesn’t expose holes in any of these OSes though. It wasn’t the operating system that was compromised, it was a piece of software running on the operating system – regardless of it being bundled software. Web browsers are commonly used and therefore viewed as game for the hackers. How many other apps now interact with the ‘net in some way though? Who is to say that any of the apps bundled with any of these OSes don’t have flaws that could be exploited? It’s great that the Safari flaw has been exposed – Apple can now fix it. So if that flaw is fixed and they redo it where does that leave the argument of all the near orgasmic frenzied Windows fanboys? Totally moot? How many flaws have been found in IE over the years – or Firefox – or [insert your browser of choice for whatever platform]?
The guy who won this obviously went along to the contest with the knowledge already in hand, which once again raises the argument about these people just wanting their 5 minutes of fame. Maybe Mummy and Daddy didn’t pay him enough attention when he was little? Who knows? The responsible thing to do with any such knowledge would be to inform the company in question. It seems though that these guys are really only interested in the kudos and making money from it. In some fields it would border on extortion – but when it’s software they get publicized and win rewards. Go figure.
And for the record, I use all three OSes – well, actually, I don’t use Vista ’cause, well, sorry but I gave it a week and then reinstalled XP Pro. And that was after the Service Pack. Secure or not it’s not for me. I never have issues with XP (after it was properly secured) or Linux (which I really only use on some servers) or OSX. Like everyone these days I regularly run utilities on all of them to check for rootkits, viruses, spyware, etc. And if I had browsed to the web page in question on one of my OSX boxes Little Snitch would have popped a dialog to ask me if I wanted to allow the connection – so my Mac would still be running along nice and secure.
I’d be interested to see what would happen if the hackers were allowed to give them a CD to insert…
The guidelines state:
Nothing about having to discover and figure out how to exploit a vulnerability during the contest. Everybody else had the same opportunity.
The guidelines state:
Hard to get more responsible than that.
Edited 2008-03-29 05:17 UTC
That wasn’t the original poster’s point. The guy who broke safari knew about the exploit before the contest but had not informed Apple but waited till the contest.
And what’s wrong about that. Why miss the opportunity to earn 10k and a laptop. You’d be a fool if you didn’t do it.
Edited 2008-03-30 15:56 UTC
Well the real issue here is that this is not the first time that there has been a compromising exploit for Safari. Anyone here remember the exploit used to jailbreak the iPhone? At the end of the day the OS may be as safe as possible. If the applications aren’t written with security in mind then the OS doesn’t matter at that point.
I rarely use Safari on my Mac. I use Firefox because I don’t like the way Safari automatically mounts all of your downloaded content which I think is a huge security risk.
What I want to know is if this is an issue with WebKit or if the problem solely rests on Safari.
Btw, I’m also very pleased to see Ubuntu still hanging in there. Considering that security hasn’t really been a priority for the distro its really surprising. Regardless of how much a pain in the ass Vista is, MS learned their lesson and the OS does seem far more secure than its predecessor. This is good to see as well even though I’m not a Windows user at home.
Edited 2008-03-29 05:54 UTC
The opening of safe content is a preference that can be turned off. I think it should be off by default and don’t like the fact that it isn’t. I’m wondering if this attack exploited this default setting, or if the attack was based on some other crack in the code.
Should be real interesting when the exploit is announced.
Considering that security hasn’t really been a priority for the distro its really surprising.
I don’t agree. Just have a look at the release notes of the upcoming 8.04 release:
in the footsteps of Ubuntu 7.10 with even more virtualization support and security enhancements – enabling AppArmor for more applications by default, improving protection of kernel memory against attacks, and supporting KVM and iSCSI technologies out of the box.
FWIW, the claims that Ubuntu is not security conscious mainly seem to be coming from the “SELinux is the one true security framework” camp.
I would be interested in seeing a contest like this conducted between various Linux distros. (Obviously, the contest would have to run a lot longer than this one that included easier targets, like MacOSX and Windows.) But I’d like to see if the claims made by the Fedora camp (which I more or less consider to be my distro of choice) are valid, or just a bunch of smoke.
On the topic of firewalls, it is true that Ubuntu does not run one by default. But it also has no services listening on any ports, by default. IIRC, while Fedora has a firewall by default, the SSH service is running, and port 22 is open by default, giving Ubuntu the security edge, overall, on that front.
It’s simply not true that Ubuntu doesn’t have a firewall enabled by default, it’s called IPtables. Hardy has all ports stealthed by default but I’m not sure about Gutsy. I just had all my ports scanned and they are all stealthed from 0-1055 in a default Hardy install.
That would be a new feature of Hardy, then. I ran a Hardy development release for a while on my laptop a couple of months ago, and didn’t notice. But I believe I did an in-place upgrade.
But as I indicated, there have never been any ports listening by default on an Ubuntu install. And so, as Spock would say, a difference which makes no difference is no difference.
Edited 2008-03-29 17:15 UTC
It’s not a new feature, it’s just that they must have modified the iptables rules to suit better. By default Ubuntu used to respond to ICMP Echo Requests before; in Hardy it doesn’t. I actually remember making a report about this to the Ubuntu devs.
Edited 2008-03-29 17:24 UTC
I’m quite certain that in previous Ubuntu releases:
iptables -L -n
lists no rules at all. I’ve checked that after more than one default install.
http://www.linux.com/articles/55319
https://wiki.ubuntu.com/UbuntuFirewall
http://tinyurl.com/377dbm
I did a bit of research, and it looks like they are adding something called “Uncomplicated Firewall” in Hardy, and perhaps now have some default iptables rules in place after the install.
Edited 2008-03-29 18:23 UTC
When I reviewed Ubuntu 7.04 in 2007 (30 days with Ubuntu 7.04) I found that iptables had no rules set up whatsoever.
Please see here:-
http://linux-noob.com/review/ubuntu/7.04/part2.html#bittorrent
and I quote:-
“For a change, I decided to take it easy and not configure/fix/install anything, so I tested bittorrent in Ubuntu, and guess what, it worked, first time, with no questions. But, that did lead me to check the firewall status which apparently is non-existent (and yes I’m aware of the Firestarter application):-
root@anyweb-laptop:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Why are there no iptables rules defined at all?, seems strange in a modern day linux distro (much like the lack of default screensaver password) described earlier.”
Edited 2008-03-30 20:34 UTC
Well I meant to say in the past. I think they’ve included an easy to use command line firewall utility this time around and they should be working on a UI for the next release. With 7.10 many complained about Ubuntu’s security compared to other distros and the Ubuntu devs heard their pleas and are now making the OS more secure (than it already is apparently).
I think Ubuntu was the perfect candidate for Linux in this contest. It’s the most popular distro out there and because of the market that Canonical wants to focus on the distro would be perfect to exploit. The fact that it couldn’t be done even with all the third party apps that come installed with Ubuntu by default and all the binary drivers that it installs for your hardware, it just makes Linux look like a rock.
The funniest thing about Apple is that they don’t even acknowledge the Linux community, their focus (and I guess rightly so) is solely on Windows users. This just doesn’t make them look good at all, losing to Windows is harsh,
“Once again, OS X had been PROVEN UNDOUBTEDLY to be the most insecure OS ever created. ”
Really? How come you conclude that?
What I see is just that a given security researcher did his job, that is, looking for security holes. Miller has been doing that for several months in order to find problems with Safari (thanks for his work!) and I find it not surprising that he came up with an exploit.
I mean, come on, who here can believe that he came just like that and pulled out an exploit magically? He prepared that exploit well before, he knew about it, and he was just waiting for the moment that they relaxed the exploit methods to show up. No way can I believe that he was not targeting the Mac well before the contest began.
And no way can I believe that the same thing could not have been done for Linux or Windows. I mean there are a lot of researchers looking for exploits in Linux and associated software, so I can’t believe that no one could use one exploit and make it work if he/she really wanted to. The point is that the Mac was the primary target during this contest, that’s a matter of fact. Let’s face it, it sounds a lot more sexy to say that the Mac was hacked than to say it for Linux or Windows.
This contest does not prove anything, it just shows that security researchers do their job and that they get more excited when hacking the Mac.
“Apps like Safari and Quicktime have gotten a free pass for too long”
Well if I look at Secunia data, Safari actually does better than Firefox…..
http://secunia.com/product/12434/?task=statistics
http://secunia.com/product/5289/?task=statistics
“As Elseware already mentioned, the days of zero user interaction remote exploits are pretty much over. Even XP-SP2 can withstand that. ”
Oh really? So tell me, what do you call what happened to the Graduate School of Arts and Sciences last month?
http://www.devicepedia.com/security/harvard-site-hacked-and-then-le…
Their web site just got hacked and student data were stolen and then exposed on BitTorrent. And guess which system they are running? Oh, oh…. So please don’t come up with nonsense.
“Well the real issue here is that this is not the first time that there has been a compromising exploit for safari. Anyone here remember the exploit used to jailbreak the iphone?”
That has nothing to do with the case now. Even during the contest, he could get to the Mac but he can’t do a lot of things besides, of course, accessing your data, but putting down the system will be difficult; he is not root and does not have an admin password.
“I rarely use safari on my mac. I use firefox because I don’t like the way safari automatically mounts all of your downloaded content which i think is a huge security risk. ”
You can deactivate this in the preferences. Also in Leopard, files downloaded using Safari, Mail, and iChat are automatically tagged with metadata indicating that they are downloaded files and referring to the URL, date, and time of the download. The first time you try to run an application that has been downloaded, you are prompted by a warning asking whether you want to run the application and displaying the information on the date, time, and location of the download.
“I don’t know about that, if a user application exposes a back door into the core OS, isn’t that the OS’s fault for having a back door? Seems that an OS should have a failsafe core design that prevents a compromise in the case of a problem on the user’s end.”
Well Leopard does that as it supports mandatory access controls and application sandboxing. But well yes it’s a pity that Safari is not sandboxed yet, that would have made the exploit much more difficult to apply.
Hey Apple please sandbox Safari, Quicktime, and Java…..
Ok, why don’t you tell me how exactly it got hacked, since you seem to know so well?
So they were running a webserver on XP, which got hacked? Was it Apache or IIS? Hacked through a software vulnerability or a leaked password? Not that it matters, since a default XP install does not run any webserver, so this would be an impossible attack angle in this contest anyway.
I guess I should have qualified my statement: non-user interaction exploits are pretty much over for the default setup of end user desktop systems. Vista and XP-SP2 run a firewall by default, OS X and Linux run few to no net exposed servers. How are you going to exploit them? Of course it’s possible that you discover a hole in the Windows firewall and a vulnerability in one of the services behind the firewall, but that probability is pretty low. That should be pretty clear from this contest: nobody even made an attempt on the first day. Even XP-SP2 in its default setup would probably do just as well.
Of course, it’s an entirely different matter if you’re talking about systems running servers exposed to the network, which are of course much riskier. Claiming that non user interaction exploits are over in that scenario is of course foolish, since vulnerabilities in permanently running net exposed software (not just webservers, but also things like Skype and instant messengers) are discovered all the time. But in that scenario it isn’t clear at all that OS X or Ubuntu with Apache would fare much better than, say, Vista with IIS.
But that was not the point of the first day contest, where you’re asked to remotely compromise a default setup without user interaction. Pretty much all modern systems are hardened enough for that.
Nobody is asking you to believe that. Miller stated in his interview afterwards that it took him about 3 weeks to prepare the exploit. All teams were informed of the rules well in advance for all systems. The whole point of the contest was to encourage researchers to find previously unknown or undisclosed holes. Miller found one in OS X. No other team found any in Vista or Ubuntu.
You should read the rules of the contest that others have conveniently summarized. All 3 systems were equally attacked. The contest wasn’t over after the Mac went down, it continued for the rest of the day on the Vista and Ubuntu machines under the same rules, both had their own cash prizes to win, and both survived the day. So you can choose to believe that the teams attacking Vista and Ubuntu weren’t interested in $10,000 and a free laptop or were plain incompetent (although one of the Vista attackers exploited the Mac through Quicktime last year, oops). Or you can stop trying to find excuses and just accept that OS X + Safari was just easier to crack than Vista + IE7 or Ubuntu + Firefox.
Well, it also proves that some people will engage in silly rationalizations when reality clashes with their preconceived notions.
The rules were fair. The Mac lost. It’s just that simple.
Please stop trying to iHurt people’s iReligious iFeelings.
I agree the Mac lost hands down, although I would like to see what the exploit involved before I pass judgment. Vista was eventually broken after adding Java (or Flash, I can’t remember) to the mix and Apple has that software pre-installed on the OS. But time will tell and we will know when it’s all out in the open.
Did you read the part of my post saying I’d have to update my “Mac antivirus and spyware removal software”?
I wasn’t being entirely serious, my point being, who cares about a few obscure security holes no one uses when no one exploits them, and even if they did, wouldn’t work too well anyway?
I wasn’t being entirely serious, my point being, who cares about a few obscure security holes no one uses when no one exploits them, and even if they did, wouldn’t work too well anyway?
If you care about files on your computer then you should care about security holes.. Even if the bug didn’t allow the attacker to modify any system files, he/she would still be able to read any of your files or delete them. Besides..You don’t know if anyone exploits those holes before you are hosed already.
I believe he was being sarcastic, well that’s the way I read it
If anyone remembers, last year’s vulnerability was in QuickTime.
You can code all you want, and put in as many bundled security features as the day is long. But at the end of the day, if the user is stupid, and doesn’t exact some sort of logical thinking while using a PC, the point of failure resides solely on them. You can’t patch a user.
That goes for any OS in the wild.
Gotta agree there, at this point in the game the fault is normally a problem caused by the users not taking due care in what they are doing.
Windows, Mac, Linux, BSD, Unix, Solaris are all able to be hurt by people that don’t know how to take care of themselves online.
I am not anti-mac by a long shot. But… as I posted earlier, all the user had to do was visit the web site with the exploit to give the cracker the foot in the door he needed. (There was no “Please download and run this.” and no “Please enter your administrator password”.) This site could just as easily have been a Google search hit encountered while a user was comparing the relative fuel economies of two cars he was considering buying. I really don’t see how or why anyone would choose to defend it. And by blaming the user, at that!
Apple needs to fix this serious security hole. Period.
That said, people are still safer with Mac than with Windows. Because the fact of the matter is that, for whatever reason (it doesn’t matter), Windows users are the ones under siege. If you had a choice of two Kevlar vests, of known equal quality, and of two associated destinations, would you rather wear vest #1 and go to Omaha Nebraska, where occasionally one reads in the paper about how someone was shot? Or would you rather wear vest #2 and go to a war zone?
While arguments that state, or imply, that if everybody used Operating System Q, it “would be just as vulnerable as Operating W is” are common, they are also completely specious.
Windows advocates: “If only it were you under attack. If only I weren’t the one under attack all the time!”
Everyone else: “Butcha are, Blanche! Ya are!”
Reality prevails… again.
Edited 2008-03-29 14:40 UTC
It’s this kind of denial and complacency which has led Apple to fall on its face over security. Personally, I’d rather use an OS from a supplier that has shown willingness and demonstrable success in improving security. At least Microsoft has that going in its favor.
Does a swift kick from the foot to the ass count as a user-level patch?
Most of the repairs I’ve made were to user-level stupidity. Porn sites being the main culprit.
Of all the stuff that has been written so far, this scares me the most — even if Apple and Microsoft wrote perfect, secure code as soon as a user is involved any hope of security goes out the window. In a default “out of the box” install the first user on a Mac is an admin account, maybe I need to go and read the fine print of the contest and this wouldn’t be allowed, but with an admin account on a Mac and the user will run the application for me root access is 6 clicks. While I appreciate the inventiveness of the folks that cracked this — 3 weeks of work for something that would take 10 minutes on the phone with a user seems a little silly. And while it might take more than 6 clicks, I am sure that Vista would fail the same way, and the only saving grace for the *nix OS (yes I know OSX is a *nix OS but the world seems to think it is different (at least that’s what Apple says)) is that the users tend to be a little more in tune with security. As soon as Mom and Dad buy an ubuntu box from Wal-Mart or Dell, even that differential will go away. Seems like the security folks are looking in the wrong direction and would rather people bought the latest super duper security suite version 10.
… between the Windows and Linux ? Lack of “mainstream” games and ability to run MS Office 2007 on the latter ?
More a matter of most Linux distros being of a “batteries included” nature, whereas with Windows, the user has to either go out and buy a lot of stuff to make it really useful, or steal it.
With Linux, one can keep both his wallet and his conscience happy. Nice troll, though.
It seems that Miller took advantage of an overflow bug in the PCRE regex library used by webkit’s JavaScript engine.
http://daringfireball.net/
http://trac.webkit.org/projects/webkit/changeset/31388
This means that everything which uses webkit out there is affected by this bug, including Linux distributions that use KDE.
Moreover the bug is in the PCRE library (http://www.pcre.org/), which is also used by Gnome (GLib), and KDE, and if the bug is also confirmed there (we’ll wait and see) then basically all Linux distributions are affected by the same issue.
But the funny thing is that the Mac lost in that contest because of a bug in open source code!!!!
Think about it, particularly the linux fanboys that may think that Linux won the contest, it did not….
I figured it would be a problem with webkit, pretty much anyone with more than two braincells in their head would. There is not much left in Safari that would be exploitable that is not webkit. The strength of open source code is not that it is without flaws, it is that it is open to inspection and once a flaw is found quickly fixed.
Based on the patch though it does not look like the problem is in PCRE itself but in Webkit calculating the length of a nested regex. The length is then used to store the compiled regex. So now this is not a flaw in PCRE but one in Webkit and perhaps KHTML. Webkit based browsers on Linux would be vulnerable to this though not the default browser for Ubuntu (or most other Gnome based distros), Firefox.
So GLib, and other apps not using Webkit (Apache and PHP among others) are not vulnerable to this particular attack.
EDIT: Nice sensationalist post without fact checking though.
Edited 2008-03-30 14:09 UTC
Good post. And thanks for clearing up hakime’s disinformation with actual facts.
Okay. So if Linux didn’t win, what did? If Ubuntu was the last man standing doesn’t that count as a win? You also have to remember that the one used was Ubuntu, a gnome based distro, and even though you mentioned that the error is also in glib apparently it was not exploitable. So it has to be an issue with the OS itself to allow the hack to get through. Besides that KDE is NOT using webkit, they are still using their own kde specific library and are planning to move to webkit soon, but the change hasn’t happened and many are not happy with that decision.
Blaming the library then pointing at Linux, when linux isn’t the end all be all of the OSS universe is kind of stupid. Apple uses open source software in their products as well including webkit which they maintain so the blame falls only on Apple and not the Linux community which has very little to nothing to do with webkit or the libraries used therein.
hi guys,
given the info we have on the hacks, i’m curious to know if a firewall such as Smoothwall or similar would have prevented the compromises (given that one of the two hacks used telnet via a port assigned during a webpage view)
anyone have any ideas about that ????
cheers
anyweb
Assuming the client machine was behind a dedicated firewall such as shorewall the exploit on the Mac would not have succeeded in its current fashion. At that stage the exploit would have to initiate the socket connection with the hacker’s machine rather than just opening a port. This is more difficult and depending on configuration of the firewall even this might not have been possible.
Generally when you have a dedicated firewall you specify the type and port of traffic allowed in both directions. This is less common on local firewalls, where the most common configuration is to restrict incoming but not outgoing connections.
Also I would like to note that while I argue that a firewall on a system without any open ports is less critical, it very likely would have prevented the OS X exploit since the FW would have blocked the opened socket. This is an argument in favor of having a default firewall that blocks all incoming ports unless specifically opened. Personally I run shorewall on all my boxes whether they have any services running or not.
I have not looked at the Vista exploit so can’t really comment one way or the other on that.
EDIT: The statements above are under the assumption that the OS X exploit opened an unprivileged port allowing the hacker telnet into the box. I have not seen anything definite on how the flaw was actually exploited but that seems to be the consensus.
Edited 2008-03-30 20:48 UTC
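The empty `iptables -L` listing quoted earlier in the thread, and the inbound/outbound distinction drawn in the post above, can be checked mechanically. This is an added example, not part of any post: the function names are hypothetical and both listings are constructed samples (the first mirrors the empty ruleset quoted in the thread).

```shell
#!/bin/sh
# Added example: classify the built-in chains in `iptables -L -n` output.

# Constructed sample: the empty ruleset quoted in the thread.
sample_empty() {
cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
EOF
}

# Constructed sample: default-deny inbound with return traffic allowed,
# outbound left open (the common local-firewall setup described above).
sample_ingress_only() {
cat <<'EOF'
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
EOF
}

# Reads a listing on stdin; prints "<chain> <policy> <rule-count> <verdict>".
audit_iptables() {
    awk '
    function report() {
        if (chain == "") return
        if (policy == "-")                         verdict = "user-chain"
        else if (policy == "ACCEPT" && rules == 0) verdict = "unfiltered"
        else if (policy == "ACCEPT")               verdict = "default-allow"
        else                                       verdict = "default-deny"
        printf "%s %s %d %s\n", chain, policy, rules, verdict
    }
    $1 == "Chain" {
        report()
        chain = $2; rules = 0; policy = "-"   # "-" marks a user-defined chain
        if ($3 == "(policy") { policy = $4; sub(/\)$/, "", policy) }
        next
    }
    NF == 0 { next }                               # blank separator line
    $1 == "target" || $3 == "target" { next }      # header (plain or -v form)
    chain != "" { rules++ }
    END { report() }
    '
}

# Condenses the audit into the two directions the thread argues about:
# INPUT decides whether a newly opened listening port is reachable,
# OUTPUT decides whether the host can connect out freely.
posture() {
    audit_iptables | awk '
    $1 == "INPUT"  { inb  = $4 }
    $1 == "OUTPUT" { outb = $4 }
    END { printf "inbound=%s outbound=%s\n", inb, outb }'
}

sample_empty | posture
sample_ingress_only | posture
```

Listings taken without `-v` omit interface matches, so a loopback-only ACCEPT rule looks the same as an accept-all rule; feed the function `iptables -L -n -v` output when that matters.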
there’s one more important factor we should not forget: time.
Leopard is the youngest operating system in the test. That means less time to patch security flaws.
Leopard may indeed be the most recently released of the bunch, but just like Windows and Linux it is based off of pre-existing code. Webkit wasn’t released yesterday, the issue probably existed before but was never exploited. The reason the exploit is a big deal is that it also affects the iPhone. As was pointed out, the guy who found the exploit also found similar issues with safari on the iphone. It was obvious that the app is unsafe, the stupid thing let you hack the device by using a tiff file. Blaming it on the time is kind of lame. Safari is on version 3 which should be enough versions to at least make the browser safe. Apple doesn’t have their eye on security and probably won’t until they go through the same experience that MS had.
Apple products suck.
I have an iPod. I’m really dissatisfied with it. It doesn’t let me sync, or even manually copy, with any other media player other than iTunes. Your iPod will become bricked if you try to sync it with anything other than iTunes (I’ve tried twice with Amarok), albeit, it does automatically repair to factory settings next time you sync it with your iTunes on the original computer you synced it with.
That is ridiculous. I should be able to sync it with anything, with any computer. I legally purchased my music, and should be able to copy it to whatever device or PC I want, without artificial restrictions. I should also have an easy means of disaster recover, which was the original reason I tried to sync my iPod with another iTunes installation (so that I could copy music from my iPod to the second PC after the original machine died). When it would not let me do it, I was completely furious. It was a huge time waster, and I had to rip my CDs again. F&^% Apple.
And the fact that you can’t easily replace the battery is a joke. You have to take it to third parties and pay them to replace it for you, or you have to go to an Apple store and pay for a new iPod (at a reduced price).
How about this, Apple – just let me go to Longs or Radio Shack and buy a friggin standard battery for $10 or so, and easily put it in myself? I don’t give a rat’s ass about the sleek design or the compactness. I just want to easily replace the friggin battery when it dies, just like every other product on the market.
And iTunes sucks. It’s butt ugly, it’s slow, and any purchased music is wrapped in Apple DRM, which can’t be used with any other device other than iPod.
And Safari sucks. It is indeed fast as Apple claims, but it too is butt ugly and has fuzzy fonts. And the iTunes and Quicktime updates try to force a Safari install if you aren’t paying attention.
My iPod is my first Apple product. It will be my last. I did research it, and compared it to other MP3 players, and asked lots of different people. Yes, it’s sleek, has a great interface, and syncing with iTunes is very easy. But the other restrictions and inconveniences are infuriating.
To add to all that, Steve Jobs is a world class prick, and treats his employees like dog poop. Generally speaking, I like doing business at establishments that treat their employees well, because I generally get better products and services that way. That’s why I shop at places like Trader Joes and Costco (among other reasons) – their employees seem happy.
I think Apple products are the Heather Mills of tech products. Sure, pretty and seemingly friendly at first. But then they’ll rake you over the coals and try to take your money and leave you.
Just like Paul McCartney was stupid to be suckered in by a young pretty face after losing his beloved Linda to cancer, I was stupid by being suckered into the pretty interface iPods offer.
And if all the Apple zealots don’t like what I’ve said, tough. I’m a dissatisfied paying customer. Deal with it.
So your concern about OS security is that you can’t buy a battery for your ipod or sync with something other than itunes?
You know there are other MP3 players on the market — and if you stop paying Apple for iPods and buy another brand with the features you want, maybe Apple will respond to the market and you would be less cranky.