Developers: Please Clarify CanSecWest Results on Apparent Safari Exploitation

Posted:
in macOS edited January 2014
The link below from Computerworld describes the apparent exploitation of Safari to gain access to user privileges on a Macbook by going to a malicious website. Two Macbooks were setup connected to a network at the MS sponsored CanSecWest Security conference. A $10,000 reward plus the Macbook were offered as a reward to anyone who could gain root access.



http://www.computerworld.com/comments/node/9017380



The reporting on this story on the internet has been a combination of poor journalism and confused reporting as to what was actually done. As far as I can tell, root access was never achieved. Can the Mac developers on the forum clarify what happened if they know.



Thanks.

Comments

  • Reply 1 of 7
    lfe2211lfe2211 Posts: 507member
    Quote:
    Originally Posted by lfe2211 View Post


    The link below from Computerworld describes the apparent exploitation of Safari to gain access to user privileges on a Macbook by going to a malicious website. Two Macbooks were setup connected to a network at the MS sponsored CanSecWest Security conference. A $10,000 reward plus the Macbook were offered as a reward to anyone who could gain root access.



    http://www.computerworld.com/comments/node/9017380



    The reporting on this story on the internet has been a combination of poor journalism and confused reporting as to what was actually done. As far as I can tell, root access was never achieved. Can the Mac developers on the forum clarify what happened if they know.



    Thanks.





    Developers who know the facts, please clarify.







    The following appeared in MacWorld on 4/20/07. More confusion.





    Hacker breaks into Mac at security conference




    By Nancy Gohring, IDG News Service



    VANCOUVER?A hacker managed to break into a Mac and win a $10,000 prize as part of a contest started at the CanSecWest security conference here.



    According to the security blog Matasano Chargen, Shane Macaulay and Dino Dai Zovi won the contest by gaining shell access to a Mac by pointing the Mac?s Safari browser at a specially-constructed Web page.



    ?Currently, every copy of OS X out there now is vulnerable to this,? said Sean Comeau, one of the organizers of CanSecWest.



    The conference organizers decided to offer the contest in part to draw attention to possible security shortcomings in Macs. ?You see a lot of people running OS X saying it?s so secure and frankly Microsoft is putting more work into security than Apple has,? said Dragos Ruiu, the principal organizer of security conferences including CanSecWest.



    Initially, contestants were invited to try to access one of two Macs through a wireless access point while the Macs had no programs running. No attackers managed to do so, and so conference organizers allowed participants to try to get in through the browser by sending URLs via e-mail.



    Di Zovie, who lives in New York, developed the exploit that exposed the hole on Thursday night. Since the contest was only open to conference attendees, he sent it to his friend Macaulay in Vancouver, who claimed the prize.



    The URL opened a blank page but exposed a vulnerability in input handling in Safari, Comeau said. An attacker could use the vulnerability in a number of ways, but Di Zovie used it to open a back door that gave him access to anything on the computer, Comeau said.



    The vulnerability won?t be published. 3Com Corp.?s TippingPoint division, which put up the cash prize, will handle disclosing it to Apple.



    The prize for the contest was originally one of the Macs. But on Thursday evening, TippingPoint put up the cash award, which may have spurred a wider interest in the contest. According to Matasano Chargen, Macaulay will keep the MacBook while Dai Zovi will pocket the cash prize.



    One reason Macs haven?t been much of a target for hackers is that there are fewer to attack, said Terri Forslof, manager of security response for TippingPoint. ?It?s an incentive issue. The Mac is not as widely deployed of a platform as say Windows,? she said. In this case, the cash may have provided motivation.



    Jason Snell contributed to this report.
  • Reply 2 of 7
    pbpb Posts: 4,255member
    Interesting. I don't think anyone here can give you a complete answer on what exactly happened. I too am curious to hear what the others have to say.
  • Reply 3 of 7
    lfe2211lfe2211 Posts: 507member
    Thanks for the post PB. I'm going to bump this thread today if I have to because I think it's too important to get lost in the daily hubub of the forum. I smell a fix but need details to prove it. TippingPoint was the Sponsor of the $10,000 reward. Perhaps AI can do some sleuthing and get to the truth pf the matter, whatever it is.





    Edit: I originally had ThinkSecret as the Sponsor but it was TippingPoint. Posting at 4am and all that.
  • Reply 4 of 7
    pbpb Posts: 4,255member
    Quote:
    Originally Posted by lfe2211 View Post


    I smell a fix but need details to prove it. ThinkSecret was the Sponsor of the $10,000 reward.



    Well, if true then it is even more interesting. Anyway, this must be the first widely known case of a hacked Macintosh under OS X and in a way that should never happen, even if it finally was only user and not root access. \
  • Reply 6 of 7
    lfe2211lfe2211 Posts: 507member
    Quote:
    Originally Posted by physguy View Post


    Try this.

    http://www.roughlydrafted.com/RD/RDM...BFA442BED.html



    Thanks physguy. This article should be required reading for all Mac users.



    Furthermore, it once again highlights the shoddy journalistic practices observed daily on the internet.
  • Reply 7 of 7
    lundylundy Posts: 4,466member
    Excellent.
Sign In or Register to comment.