Mac security researcher wins Pwn2Own contest
In a repeat performance of last year, security researcher Charlie Miller arrived at the CanSecWest conference this week with a prepared exploit to use in cracking Safari running on Mac OS X.
Unsurprisingly, Miller was able to use his exploit to immediately win the event's "Pwn2Own" contest, generating headlines that suggested that Macs are inherently less secure, despite the fact that every browser involved in the contest failed on the first day.
This year's contest arranged for two test computers. According to the CanSecWest event's official website, which is oddly littered with typos, the "Browsers and Associated Text PAltform" [sic] were a Sony Vaio PC running a prerelease Windows 7 beta with Internet Explorer 8, Firefox, and Google's new Chrome browser, and a MacBook running Safari and Firefox.
In each of the three days of the contest, the exploit rules were intended to be progressively relaxed, starting only with exploits that attacked the browser itself, then adding Flash, Java, .Net and QuickTime to the mix on day two, and then "popular apps such as Acrobat Reader" on the third day.
Finding vulnerabilities
The Pwn2Own contest is being presented as a shootout between Mac and Windows browsers. Last year's contest also included Linux, but attendees with the ability to crack Linux "didn?t want to put the work into developing the exploit code that would be required to win the contest," according to a report by IDG.
That fact highlights that, in reality, the platforms and browsers involved aren't targeted by a series of equal attacks. Instead, researchers arrive with exploits they hope to use against vulnerabilities they are aware of in specific platforms or browsers, but have not yet reported. Were they to report the exploits in advance, they would be patched by the vendor. There's no money in that, so the contest provides an incentive to report vulnerabilities.
In exchange for the winning prize, Miller granted the reporting rights to the discovered flaw in Safari to TippingPoint?s Zero Day Initiative, which will coordinate the handling of the disclosure and the patch release process with Apple. When a vulnerability is reported to Apple, the company credits the discoverer with finding the problem when issuing a patch for it.
Last year, Miller's winning attack on Safari actually targeted the open source Perl Compatible Regular Expressions library used by WebKit?s JavaScript engine, an exploit he also made headlines with for using against the iPhone. Apple's extensive use of open source software makes it far easier for researchers to discover exploits for at their leisure, compared to closed proprietary software. It wasn't Apple's proprietary code in Safari that was cracked.
At the same time, proprietary, closed code isn't invulnerable due to its opaque "security through obscurity." Windows Vista was cracked in last year's contest due to a flaw in the Adobe Flash plugin, which is not open source but which security experts were still able to exploit.
Patching vulnerabilities
At the same time, Apple's use of open source also enables the company to issues more security patches and operating system updates than Microsoft does, according to a study of Windows and Mac OS X releases conducted by the Swiss Federal Institute of Technology.
That group found that in the years between 2002 and 2007, Apple released 815 patches compared to 678 by Microsoft. In that timeframe, Apple shipped five paid reference releases of Mac OS X (Jaguar, Panther, Tiger, Tiger for Intel, and Leopard) and 33 free updates, including eight for Jaguar, nine for Panther, eleven for Tiger, and one for Leopard, a total of 38 significant feature and security releases, excluding Mac OS X Server, the iPhone, and standalone security patches.
In contrast, Microsoft only released a total of seven updates over that period, including Windows XP SP1 and SP2; Windows Server 2003, SP1, R2, and SP2; and Windows Vista. In the year since, Microsoft has released two service packs for Vista and one for XP. Apple has released five additional free updates for Leopard, again not counting Mac OS X Server patches or iPhone updates.
"Simplifying security to the point of uselessness"
The oversimplification of the Pwn2Own contest's results by the media has resulted in criticism of how the contest is portrayed and conducted. The Pwn2Own contest is "simplifying security to the point of uselessness," according to comments by Jeff Jones, the director of Microsoft's security group.
Last year, Jones addressed CanSecWest in a blog post which stated, "I don't really care for 'hack the box' contests. If a machine doesn't get hacked, it does not mean it isn't breakable. If it does get hacked, it just shows us what we already know - any machine can be broken under the right circumstances. So, don't read too much into the PWN 2 OWN results. I don't."
Last year's contest was also distorted by the arbitrary timing of patches, with Miller's successful exploit for Safari happening to miss Apple's patch cycle, while other researchers armed with exploits for Windows Vista were stymied by the last minute application of the then-new Vista Service Pack 1.
The contest is also somewhat removed from reality due to the fact that it pits the current release of Mac OS X with new versions of Windows that do not reflect what the vast majority of Windows PC users are actually running. Last year, Vista was only in use by a small fraction of early adopters (and even now, less than a quarter of the installed base is using it), and SP1 was so new and problematic that PC World was advising users not to install it until "the wrinkles are ironed out."
This year, the use of the prerelease Windows 7 operating system, which security researchers have had limited access and time to study, combined with the fact that Microsoft expressly warns users not to use it in production environments, tends to create the impression that Pwn2Own is more about theoretical games than real world security issues relevant to end users.
Security in the real world
The real world security problems that affect today's Windows users relate to the fact that there are not only more discovered flaws on Windows, but that these flaws are being actively exploited to develop viruses, spyware, adware, and other malware. Further, there are vast numbers of machines that are not promptly updated with the patches that do exist, resulting in fleets of vulnerable botnets that actively distribute new attacks to other systems. These two problems aggravate each other to create the Windows security crisis.
While pundits like to talk about numbers of discovered vulnerabilities, often failing to correctly compare similar code on each side (with Mac OS X inheriting the vulnerability counts in optional open source server programs, Java, and other components that are not considered on the Windows side), the real problem is active exploits. Mac OS X continues to have no real viruses, while Windows users continue to be plagued by viruses, adware, and other security problems.
At the same time however, the tech media is promoting the CanSecWest event as a "security shootout," with at least one report noting that browsers on the Windows box were "still standing" after Miller successfully applied his exploit attack to the Mac, as if the Windows box had somehow successfully dodged Miller's exploit rather than simply never having been aimed at by his open source attack.
Internet Explorer 8 on the Windows machine was exploited shortly afterward by a different researcher calling himself Nil, followed by his demonstration of a successful crack of the Firefox browser.
Unsurprisingly, Miller was able to use his exploit to immediately win the event's "Pwn2Own" contest, generating headlines that suggested that Macs are inherently less secure, despite the fact that every browser involved in the contest failed on the first day.
This year's contest arranged for two test computers. According to the CanSecWest event's official website, which is oddly littered with typos, the "Browsers and Associated Text PAltform" [sic] were a Sony Vaio PC running a prerelease Windows 7 beta with Internet Explorer 8, Firefox, and Google's new Chrome browser, and a MacBook running Safari and Firefox.
In each of the three days of the contest, the exploit rules were intended to be progressively relaxed, starting only with exploits that attacked the browser itself, then adding Flash, Java, .Net and QuickTime to the mix on day two, and then "popular apps such as Acrobat Reader" on the third day.
Finding vulnerabilities
The Pwn2Own contest is being presented as a shootout between Mac and Windows browsers. Last year's contest also included Linux, but attendees with the ability to crack Linux "didn?t want to put the work into developing the exploit code that would be required to win the contest," according to a report by IDG.
That fact highlights that, in reality, the platforms and browsers involved aren't targeted by a series of equal attacks. Instead, researchers arrive with exploits they hope to use against vulnerabilities they are aware of in specific platforms or browsers, but have not yet reported. Were they to report the exploits in advance, they would be patched by the vendor. There's no money in that, so the contest provides an incentive to report vulnerabilities.
In exchange for the winning prize, Miller granted the reporting rights to the discovered flaw in Safari to TippingPoint?s Zero Day Initiative, which will coordinate the handling of the disclosure and the patch release process with Apple. When a vulnerability is reported to Apple, the company credits the discoverer with finding the problem when issuing a patch for it.
Last year, Miller's winning attack on Safari actually targeted the open source Perl Compatible Regular Expressions library used by WebKit?s JavaScript engine, an exploit he also made headlines with for using against the iPhone. Apple's extensive use of open source software makes it far easier for researchers to discover exploits for at their leisure, compared to closed proprietary software. It wasn't Apple's proprietary code in Safari that was cracked.
At the same time, proprietary, closed code isn't invulnerable due to its opaque "security through obscurity." Windows Vista was cracked in last year's contest due to a flaw in the Adobe Flash plugin, which is not open source but which security experts were still able to exploit.
Patching vulnerabilities
At the same time, Apple's use of open source also enables the company to issues more security patches and operating system updates than Microsoft does, according to a study of Windows and Mac OS X releases conducted by the Swiss Federal Institute of Technology.
That group found that in the years between 2002 and 2007, Apple released 815 patches compared to 678 by Microsoft. In that timeframe, Apple shipped five paid reference releases of Mac OS X (Jaguar, Panther, Tiger, Tiger for Intel, and Leopard) and 33 free updates, including eight for Jaguar, nine for Panther, eleven for Tiger, and one for Leopard, a total of 38 significant feature and security releases, excluding Mac OS X Server, the iPhone, and standalone security patches.
In contrast, Microsoft only released a total of seven updates over that period, including Windows XP SP1 and SP2; Windows Server 2003, SP1, R2, and SP2; and Windows Vista. In the year since, Microsoft has released two service packs for Vista and one for XP. Apple has released five additional free updates for Leopard, again not counting Mac OS X Server patches or iPhone updates.
"Simplifying security to the point of uselessness"
The oversimplification of the Pwn2Own contest's results by the media has resulted in criticism of how the contest is portrayed and conducted. The Pwn2Own contest is "simplifying security to the point of uselessness," according to comments by Jeff Jones, the director of Microsoft's security group.
Last year, Jones addressed CanSecWest in a blog post which stated, "I don't really care for 'hack the box' contests. If a machine doesn't get hacked, it does not mean it isn't breakable. If it does get hacked, it just shows us what we already know - any machine can be broken under the right circumstances. So, don't read too much into the PWN 2 OWN results. I don't."
Last year's contest was also distorted by the arbitrary timing of patches, with Miller's successful exploit for Safari happening to miss Apple's patch cycle, while other researchers armed with exploits for Windows Vista were stymied by the last minute application of the then-new Vista Service Pack 1.
The contest is also somewhat removed from reality due to the fact that it pits the current release of Mac OS X with new versions of Windows that do not reflect what the vast majority of Windows PC users are actually running. Last year, Vista was only in use by a small fraction of early adopters (and even now, less than a quarter of the installed base is using it), and SP1 was so new and problematic that PC World was advising users not to install it until "the wrinkles are ironed out."
This year, the use of the prerelease Windows 7 operating system, which security researchers have had limited access and time to study, combined with the fact that Microsoft expressly warns users not to use it in production environments, tends to create the impression that Pwn2Own is more about theoretical games than real world security issues relevant to end users.
Security in the real world
The real world security problems that affect today's Windows users relate to the fact that there are not only more discovered flaws on Windows, but that these flaws are being actively exploited to develop viruses, spyware, adware, and other malware. Further, there are vast numbers of machines that are not promptly updated with the patches that do exist, resulting in fleets of vulnerable botnets that actively distribute new attacks to other systems. These two problems aggravate each other to create the Windows security crisis.
While pundits like to talk about numbers of discovered vulnerabilities, often failing to correctly compare similar code on each side (with Mac OS X inheriting the vulnerability counts in optional open source server programs, Java, and other components that are not considered on the Windows side), the real problem is active exploits. Mac OS X continues to have no real viruses, while Windows users continue to be plagued by viruses, adware, and other security problems.
At the same time however, the tech media is promoting the CanSecWest event as a "security shootout," with at least one report noting that browsers on the Windows box were "still standing" after Miller successfully applied his exploit attack to the Mac, as if the Windows box had somehow successfully dodged Miller's exploit rather than simply never having been aimed at by his open source attack.
Internet Explorer 8 on the Windows machine was exploited shortly afterward by a different researcher calling himself Nil, followed by his demonstration of a successful crack of the Firefox browser.
Comments
In each of the three days of the contest, the exploit rules were intended to be progressively relaxed, starting only with exploits that attacked the browser itself, then adding Flash, Java, .Net and QuickTime to the mix on day two, and then "popular apps such as Acrobat Reader" on the third day.
Once again, Miller needed actual access to the machine through admin privileges, just like last year. Nothing to see here, move along.
Once again, Miller needed actual access to the machine through admin privileges, just like last year. Nothing to see here, move along.
Don't be so fast to shrug it off. Users need stories like this as a reality check: Your computer isn't safe from your other personality.
Don't be so fast to shrug it off. Users need stories like this as a reality check: Your computer isn't safe from your other personality.
How is it a feat when you need admin privileges to do anything? Why is it that CanSecWest never advertise this bit much, nor that people spend months preparing their "exploits" that do nothing on day 1, which is real world tests anyway...
How is it a feat when you need admin privileges to do anything? Why is it that CanSecWest never advertise this bit much, nor that people spend months preparing their "exploits" that do nothing on day 1, which is real world tests anyway...
It's not a feat. Hence the laughing smiley and the loose Jekyll and Hyde reference. Worrying about turning into an evil hacking monster when you're logged into your admin account is silly, just like tests that normally succeed.
Even if the account he used had administrator rights, it cannot be used to get access to other accounts on the machine or to install software or to run 'sudo bash' etc. Not without a password, that is.
So this means that at least two security exploits must exist, one in Safari to get hold on the user (or administrator) account, and one to elevate the account to root level.
J.
The article starts off as announcing the results of a hacking contest. It then discusses Windows and Macintosh patches. It then proceeds to discredit the contest. What are we trying to say here? Mac rules, Windows sux? The Mac was hacked, but the contest sucks?
Na, I don't think it's that. I see both points, but it's true that one of the foundations of a Mac's security is that nothing auto executes on a mac. It always asks for u-name and p-word. If a user is already logged in as an admin (or has admin privs...then that user (or hacker) can pretty much do anything.
Am I mistaken?
Oh, and just to add - I really dislike these biased Mac vs PC articles on AppleInsider. I'd rather just have the facts (which I read elsewhere in this case) and make up my own opinion.
This contest is like a make a heist on Fort Knox without guards, video cameras, lasers, infra reds off and giving the bad guys an all level access card/id to the whole building.
just bs
It took a while longer but Microsoft?s Internet Explorer 8 did not survive the hacker onslaught at this year?s CanSecWest Pwn2Own contest.
later in the afternoon, he exploited a Firefox zero-day flaw to claim the trifecta.
If a user is already logged in as an admin (or has admin privs...then that user (or hacker) can pretty much do anything.
Am I mistaken?
Yes, see my comment above.
J.
Oh, and just to add - I really dislike these biased Mac vs PC articles on AppleInsider. I'd rather just have the facts (which I read elsewhere in this case) and make up my own opinion.
Yeah, its a good article, without all of the bits trying to discredit the report. Mac's aren't magically super secure, nor are they completely insecure. Taking the report a bit less personally would make for better reporting.
Besides, if you have to click on a link, the whole challenge is auto-FAIL.
And for those of us that are a bit worried . . .
WINDOWS VIRUSES/MALWARE (but just the appetizer menu):
Windows PC worm infection numbers skyrocket; Macintosh unaffected - January 19, 2009
Dangerous new sleeper virus exposes millions of Windows PCs to hijack; Macintosh unaffected - January 16, 2009
Zero-day attack targets all versions of Internet Explorer; Mac users unaffected - December 12, 2008
Windows worm loose on International Space Station; Mac-using astronauts unaffected - August 27, 2008
Microsoft inflicts Internet Explorer 8 Beta; Mac users unaffected - March 05, 2008
Gathering ‘Storm’ superworm poses grave threat to Windows PCs; Apple Macs unaffected - October 19, 2007
Windows virus cripples Florida newspaper; Mac-based publishers unaffected - March 02, 2007
Insidious Windows virus threatens business networks worldwide; Macintosh unaffected - March 01, 2007
Windows ‘Storm Worm’ rages across globe; Apple Macintosh unaffected - January 19, 2007
Sony, Gracenote sound alarm over Microsoft flaw; Macintosh unaffected - September 19, 2006
PowerPoint zero-day attack compromises data in infected Windows PCs; Mac OS X unaffected - July 21, 2006
Windows PC users infected with worm face loss of all Microsoft, Adobe files; Mac users unaffected - January 31, 2006
Microsoft Windows’ Zero-Day WMF flaw threats widespread; Macintosh unaffected - December 29, 2005
Microsoft Windows virus spreads rapidly; Apple Macintosh unaffected - November 28, 2005
Windows users fall victim to huge ID theft ring, 50 banks in danger; Apple Mac users unaffected - August 25, 2005
Quickly spreading Microsoft Windows worm affects CNN, ABC, NY Times; Apple Macintosh unaffected - August 16, 2005
‘Zotob’ worm rapidly infects Microsoft Windows; Macintosh unaffected - August 15, 2005
16-percent of computer users are unaffected by viruses, malware because they use Apple Macs - June 15, 2005
Microsoft warns of critical Windows flaws; unaffected Mac users just continue working - June 15, 2005
Michael Jackson suicide spam hides Windows virus; Macintosh unaffected - June 10, 2005
Windows Sober.p poised to attack this Monday; Macintosh unaffected - May 21, 2005
Microsoft Windows Sober.P worm shows ‘epidemic’ spread; Macintosh unaffected - May 03, 2005
Anzae/Inzae worm affects all Windows versions after 3.1; Macintosh unaffected - December 28, 2004
Windows Mydoom worm variant spreading in the wild; Macintosh unaffected - November 09, 2004
Windows XP worm speaks to users as it deletes their files; Macintosh unaffected - September 13, 2004
Millions of Windows PC’s hijacked by hackers, turned into zombies; Macintosh unaffected - September 08, 2004
Windows ‘Zindos’ virus spreads, attacks Microsoft.com; Macintosh unaffected - July 29, 2004
New Windows Bagle virus variants spread; Macintosh unaffected - July 16, 2004
Windows Lovegate worm variant renders computers useless; Macintosh unaffected - July 08, 2004
Windows Scob virus collects passwords, financial data; Macintosh unaffected - July 05, 2004
Windows ‘Scob’ virus designed to steal financial data, passwords; Macintosh unaffected - June 26, 2004
Windows users warned of infectious Web sites that take over computers; Mac users unaffected - June 25, 2004
Windows Korgo virus ‘aggressively stealing’ credit card numbers; Macintosh unaffected - June 04, 2004
First Windows 64-bit virus appears; Macintosh unaffected - May 27, 2004
Windows Wallon virus wipes out Microsoft Media Player on infected PCs; Macintosh unaffected - May 12, 2004
Windows Sasser worm mutates, knocks out banks, EC; Macintosh unaffected - May 04, 2004
Windows Sasser worm severely disrupts UK coastguard; Mac users remain unaffected - May 04, 2004
Windows Sasser net worm spreading rapidly; Macintosh unaffected - May 03, 2004
Sen. Edward Kennedy’s Apple Mac-based office totally unaffected by viruses - March 22, 2004
Five new Windows Bagle virus variants break nasty new ground; Macintosh unaffected - March 19, 2004
Windows worm, virus outbreaks intensify; Macintosh unaffected - March 03, 2004
Destructive MyDoom.F virus deletes Windows users’ files; Macintosh unaffected - March 01, 2004
Netsky-D Windows worm spreading; Macintosh unaffected - March 01, 2004
Windows users suffer five new Bagle worm variants; Macintosh unaffected - March 01, 2004
New MyDoom Windows worm deletes random files; Macintosh unaffected - February 25, 2004
Windows NetSky e-mail worm spreading; Macintosh unaffected - February 18, 2004
Windows virus ‘Bagle.B’ spreading; Macintosh unaffected - February 17, 2004
‘Doomjuice’ worm emerges, targets Microsoft; Macintosh unaffected - February 10, 2004
New version of Mydoom Windows virus appears, attacks Microsoft; Macintosh unaffected - January 28, 2004
Latest Windows virus ‘MyDoom’ sets new infection records worldwide; Macintosh unaffected - January 27, 2004
‘MyDoom’ Windows virus spreads rapidly; Macintosh unaffected - January 26, 2004
New Windows worm spreading ‘hard and fast’ worldwide; Macintosh unaffected - January 19, 2004
Florida students patch 360 PCs in marathon session due to Blaster virus; their Macs unaffected - October 01, 2003
Pennsylvania school district’s PCs infected with virus; their Macs unaffected - October 01, 2003
New ‘Swen worm’ masquerades as Windows Security Update; Macintosh unaffected - September 19, 2003
University of Illinois still patching all Windows machines; Macintosh unaffected - September 05, 2003
Montana school district’s Windows computers offline due to worm; Macintosh computers unaffected - September 03, 2003
A tale of two school systems: Windows schools crippled while Mac schools unaffected - August 21, 2003
SoBig virus variant rapidly inflecting Windows machines; Macintosh unaffected - August 19, 2003
Windows Blaster worm to attack Microsoft on Saturday; Macintosh unaffected - August 13, 2003
MBlast Worm spreads through flaw in Windows; Macintosh unaffected - August 11, 2003
Hackers hijack Windows PCs for porn serving; Macintosh unaffected - July 11, 2003
Palyh Worm strikes Windows users worldwide; Macintosh unaffected - May 19, 2003
Microsoft bug exposes millions to attack; Macintosh unaffected - November 20, 2002
Don't worry, it's only a partial list. There's thousands more where that came from.
OS X VIRUSES/MALWARE IN THE WILD:
Like 2. Maybe. In over 7 years. But make sure to click on the obvious links, though, otherwise nothing will happen. With OS X, "infection" is a two-way street. You need to put in the effort!
That's really all we need to know.
I don't like it but I know I have to just accept it. Meanwhile the proof is in the pudding. The company is wildly successful, profitable, and has customer loyalty unmatched by any company in the world, ever. It's not going away anytime soon, much to the chagrin of countless trolls here and elsewhere.
As a long time Apple user I have gotten used to the tech media going after the company with venom dripping from their pens. I have also gotten used to the slugs and slime that slither around this and other Apple centric forums putting down every single thing the company releases. It just goes with the territory of being the company that forces change in the industry, the company that's always out at the frontier moving forward.
I don't like it but I know I have to just accept it. Meanwhile the proof is in the pudding. The company is wildly successful, profitable, and has customer loyalty unmatched by any company in the world, ever. It's not going away anytime soon, much to the chagrin of countless trolls here and elsewhere.
Kudos, someone with common sense
As a long time Apple user I have gotten used to the tech media going after the company with venom dripping from their pens. I have also gotten used to the slugs and slime that slither around this and other Apple centric forums putting down every single thing the company releases. It just goes with the territory of being the company that forces change in the industry, the company that's always out at the frontier moving forward.
I don't like it but I know I have to just accept it. Meanwhile the proof is in the pudding. The company is wildly successful, profitable, and has customer loyalty unmatched by any company in the world, ever. It's not going away anytime soon, much to the chagrin of countless trolls here and elsewhere.
Very well put. Bolded the really important part. And there's good reason for that kind of loyalty.
p.s. Send to all newspapers about to run the results of this competition.
Quadra 610: Great post but come on, don't tease ... give us the full list
p.s. Send to all newspapers about to run the results of this competition.
Oh yes, there's so much more! I won't post because I don't want to overload AI.
But anyway, here's the latest:
http://news.cnet.com/8301-1009_3-10196122-83.html
Complete, utter mess. All it did was get worse. It's so bad, that lame MS is offering a reward.
And OS X remains unaffected. Again.
As a long time Apple user I have gotten used to the tech media going after the company with venom dripping from their pens. I have also gotten used to the slugs and slime that slither around this and other Apple centric forums putting down every single thing the company releases. It just goes with the territory of being the company that forces change in the industry, the company that's always out at the frontier moving forward.
I don't like it but I know I have to just accept it. Meanwhile the proof is in the pudding. The company is wildly successful, profitable, and has customer loyalty unmatched by any company in the world, ever. It's not going away anytime soon, much to the chagrin of countless trolls here and elsewhere.
Ever? What about Porsche?
Honestly though, whenever you're on top or threatening to take the crown. Those below will hate and those currently there and their allies will sling mud.