Mac security researcher wins Pwn2Own contest

Posted:
in macOS edited January 2014
In a repeat performance of last year, security researcher Charlie Miller arrived at the CanSecWest conference this week with a prepared exploit to use in cracking Safari running on Mac OS X.



Unsurprisingly, Miller was able to use his exploit to immediately win the event's "Pwn2Own" contest, generating headlines that suggested that Macs are inherently less secure, despite the fact that every browser involved in the contest failed on the first day.



This year's contest arranged for two test computers. According to the CanSecWest event's official website, which is oddly littered with typos, the "Browsers and Associated Text PAltform" [sic] were a Sony Vaio PC running a prerelease Windows 7 beta with Internet Explorer 8, Firefox, and Google's new Chrome browser, and a MacBook running Safari and Firefox.



In each of the three days of the contest, the exploit rules were intended to be progressively relaxed, starting only with exploits that attacked the browser itself, then adding Flash, Java, .Net and QuickTime to the mix on day two, and then "popular apps such as Acrobat Reader" on the third day.



Finding vulnerabilities



The Pwn2Own contest is being presented as a shootout between Mac and Windows browsers. Last year's contest also included Linux, but attendees with the ability to crack Linux "didn?t want to put the work into developing the exploit code that would be required to win the contest," according to a report by IDG.



That fact highlights that, in reality, the platforms and browsers involved aren't targeted by a series of equal attacks. Instead, researchers arrive with exploits they hope to use against vulnerabilities they are aware of in specific platforms or browsers, but have not yet reported. Were they to report the exploits in advance, they would be patched by the vendor. There's no money in that, so the contest provides an incentive to report vulnerabilities.



In exchange for the winning prize, Miller granted the reporting rights to the discovered flaw in Safari to TippingPoint?s Zero Day Initiative, which will coordinate the handling of the disclosure and the patch release process with Apple. When a vulnerability is reported to Apple, the company credits the discoverer with finding the problem when issuing a patch for it.



Last year, Miller's winning attack on Safari actually targeted the open source Perl Compatible Regular Expressions library used by WebKit?s JavaScript engine, an exploit he also made headlines with for using against the iPhone. Apple's extensive use of open source software makes it far easier for researchers to discover exploits for at their leisure, compared to closed proprietary software. It wasn't Apple's proprietary code in Safari that was cracked.



At the same time, proprietary, closed code isn't invulnerable due to its opaque "security through obscurity." Windows Vista was cracked in last year's contest due to a flaw in the Adobe Flash plugin, which is not open source but which security experts were still able to exploit.



Patching vulnerabilities



At the same time, Apple's use of open source also enables the company to issues more security patches and operating system updates than Microsoft does, according to a study of Windows and Mac OS X releases conducted by the Swiss Federal Institute of Technology.



That group found that in the years between 2002 and 2007, Apple released 815 patches compared to 678 by Microsoft. In that timeframe, Apple shipped five paid reference releases of Mac OS X (Jaguar, Panther, Tiger, Tiger for Intel, and Leopard) and 33 free updates, including eight for Jaguar, nine for Panther, eleven for Tiger, and one for Leopard, a total of 38 significant feature and security releases, excluding Mac OS X Server, the iPhone, and standalone security patches.



In contrast, Microsoft only released a total of seven updates over that period, including Windows XP SP1 and SP2; Windows Server 2003, SP1, R2, and SP2; and Windows Vista. In the year since, Microsoft has released two service packs for Vista and one for XP. Apple has released five additional free updates for Leopard, again not counting Mac OS X Server patches or iPhone updates.







"Simplifying security to the point of uselessness"



The oversimplification of the Pwn2Own contest's results by the media has resulted in criticism of how the contest is portrayed and conducted. The Pwn2Own contest is "simplifying security to the point of uselessness," according to comments by Jeff Jones, the director of Microsoft's security group.



Last year, Jones addressed CanSecWest in a blog post which stated, "I don't really care for 'hack the box' contests. If a machine doesn't get hacked, it does not mean it isn't breakable. If it does get hacked, it just shows us what we already know - any machine can be broken under the right circumstances. So, don't read too much into the PWN 2 OWN results. I don't."



Last year's contest was also distorted by the arbitrary timing of patches, with Miller's successful exploit for Safari happening to miss Apple's patch cycle, while other researchers armed with exploits for Windows Vista were stymied by the last minute application of the then-new Vista Service Pack 1.



The contest is also somewhat removed from reality due to the fact that it pits the current release of Mac OS X with new versions of Windows that do not reflect what the vast majority of Windows PC users are actually running. Last year, Vista was only in use by a small fraction of early adopters (and even now, less than a quarter of the installed base is using it), and SP1 was so new and problematic that PC World was advising users not to install it until "the wrinkles are ironed out."



This year, the use of the prerelease Windows 7 operating system, which security researchers have had limited access and time to study, combined with the fact that Microsoft expressly warns users not to use it in production environments, tends to create the impression that Pwn2Own is more about theoretical games than real world security issues relevant to end users.



Security in the real world



The real world security problems that affect today's Windows users relate to the fact that there are not only more discovered flaws on Windows, but that these flaws are being actively exploited to develop viruses, spyware, adware, and other malware. Further, there are vast numbers of machines that are not promptly updated with the patches that do exist, resulting in fleets of vulnerable botnets that actively distribute new attacks to other systems. These two problems aggravate each other to create the Windows security crisis.



While pundits like to talk about numbers of discovered vulnerabilities, often failing to correctly compare similar code on each side (with Mac OS X inheriting the vulnerability counts in optional open source server programs, Java, and other components that are not considered on the Windows side), the real problem is active exploits. Mac OS X continues to have no real viruses, while Windows users continue to be plagued by viruses, adware, and other security problems.



At the same time however, the tech media is promoting the CanSecWest event as a "security shootout," with at least one report noting that browsers on the Windows box were "still standing" after Miller successfully applied his exploit attack to the Mac, as if the Windows box had somehow successfully dodged Miller's exploit rather than simply never having been aimed at by his open source attack.



Internet Explorer 8 on the Windows machine was exploited shortly afterward by a different researcher calling himself Nil, followed by his demonstration of a successful crack of the Firefox browser.
«1345

Comments

  • Reply 1 of 81
    Quote:

    In each of the three days of the contest, the exploit rules were intended to be progressively relaxed, starting only with exploits that attacked the browser itself, then adding Flash, Java, .Net and QuickTime to the mix on day two, and then "popular apps such as Acrobat Reader" on the third day.



    Once again, Miller needed actual access to the machine through admin privileges, just like last year. Nothing to see here, move along.
  • Reply 2 of 81
    arteckxarteckx Posts: 39member
    Quote:
    Originally Posted by slacker00 View Post


    Once again, Miller needed actual access to the machine through admin privileges, just like last year. Nothing to see here, move along.



    Don't be so fast to shrug it off. Users need stories like this as a reality check: Your computer isn't safe from your other personality.
  • Reply 3 of 81
    Quote:
    Originally Posted by arteckx View Post


    Don't be so fast to shrug it off. Users need stories like this as a reality check: Your computer isn't safe from your other personality.



    How is it a feat when you need admin privileges to do anything? Why is it that CanSecWest never advertise this bit much, nor that people spend months preparing their "exploits" that do nothing on day 1, which is real world tests anyway...
  • Reply 4 of 81
    That's it, the internet cannot be trusted. Call Al Gore, tell him to turn it off.
  • Reply 5 of 81
    arteckxarteckx Posts: 39member
    Quote:
    Originally Posted by slacker00 View Post


    How is it a feat when you need admin privileges to do anything? Why is it that CanSecWest never advertise this bit much, nor that people spend months preparing their "exploits" that do nothing on day 1, which is real world tests anyway...



    It's not a feat. Hence the laughing smiley and the loose Jekyll and Hyde reference. Worrying about turning into an evil hacking monster when you're logged into your admin account is silly, just like tests that normally succeed.
  • Reply 6 of 81
    talksense101talksense101 Posts: 1,738member
    The article starts off as announcing the results of a hacking contest. It then discusses Windows and Macintosh patches. It then proceeds to discredit the contest. What are we trying to say here? Mac rules, Windows sux? The Mac was hacked, but the contest sucks?
  • Reply 7 of 81
    If Charlie Miller gained root access (the claim is that after executing the exploit by clicking a link on a website, he "owned" the computer), Mac OS X is certainly lacking in security.



    Even if the account he used had administrator rights, it cannot be used to get access to other accounts on the machine or to install software or to run 'sudo bash' etc. Not without a password, that is.



    So this means that at least two security exploits must exist, one in Safari to get hold on the user (or administrator) account, and one to elevate the account to root level.



    J.
  • Reply 8 of 81
    Quote:
    Originally Posted by talksense101 View Post


    The article starts off as announcing the results of a hacking contest. It then discusses Windows and Macintosh patches. It then proceeds to discredit the contest. What are we trying to say here? Mac rules, Windows sux? The Mac was hacked, but the contest sucks?



    Na, I don't think it's that. I see both points, but it's true that one of the foundations of a Mac's security is that nothing auto executes on a mac. It always asks for u-name and p-word. If a user is already logged in as an admin (or has admin privs...then that user (or hacker) can pretty much do anything.



    Am I mistaken?
  • Reply 9 of 81
    shookstershookster Posts: 113member
    People of course jumped on the "Mac is the most insecure platform" bandwagon but the security of Mac OS X was not discredited in this contest. The security of Safari was discredited. The user needed to click a link in Safari in order to execute the code so if you're not using Safari as your browser, you're not affected by it.



    Oh, and just to add - I really dislike these biased Mac vs PC articles on AppleInsider. I'd rather just have the facts (which I read elsewhere in this case) and make up my own opinion.
  • Reply 10 of 81
    Lot of buzz, no real thing happen around.

    This contest is like a make a heist on Fort Knox without guards, video cameras, lasers, infra reds off and giving the bad guys an all level access card/id to the whole building.



    just bs
  • Reply 11 of 81
    bloggerblogbloggerblog Posts: 2,462member
    If you read the article you'll find that he was also able to exploit IE8 and Firefox:

    Quote:

    It took a while longer but Microsoft?s Internet Explorer 8 did not survive the hacker onslaught at this year?s CanSecWest Pwn2Own contest.



    Quote:

    later in the afternoon, he exploited a Firefox zero-day flaw to claim the trifecta.



  • Reply 12 of 81
    Quote:
    Originally Posted by 2blindforyou2 View Post


    If a user is already logged in as an admin (or has admin privs...then that user (or hacker) can pretty much do anything.



    Am I mistaken?



    Yes, see my comment above.



    J.
  • Reply 13 of 81
    stubeckstubeck Posts: 140member
    Quote:
    Originally Posted by Shookster View Post


    Oh, and just to add - I really dislike these biased Mac vs PC articles on AppleInsider. I'd rather just have the facts (which I read elsewhere in this case) and make up my own opinion.



    Yeah, its a good article, without all of the bits trying to discredit the report. Mac's aren't magically super secure, nor are they completely insecure. Taking the report a bit less personally would make for better reporting.
  • Reply 14 of 81
    quadra 610quadra 610 Posts: 6,757member
    Winblows was also hacked, and I believe that new Winblows in particular, the one that tries to be an upside-down, ass-bakwards copy of OS X. Again. It's the allegedly fixed version of Vista. LOL, we'll see.



    Besides, if you have to click on a link, the whole challenge is auto-FAIL.



    And for those of us that are a bit worried . . .



    WINDOWS VIRUSES/MALWARE (but just the appetizer menu):



    Windows PC worm infection numbers skyrocket; Macintosh unaffected - January 19, 2009

    Dangerous new sleeper virus exposes millions of Windows PCs to hijack; Macintosh unaffected - January 16, 2009

    Zero-day attack targets all versions of Internet Explorer; Mac users unaffected - December 12, 2008

    Windows worm loose on International Space Station; Mac-using astronauts unaffected - August 27, 2008

    Microsoft inflicts Internet Explorer 8 Beta; Mac users unaffected - March 05, 2008

    Gathering ‘Storm’ superworm poses grave threat to Windows PCs; Apple Macs unaffected - October 19, 2007

    Windows virus cripples Florida newspaper; Mac-based publishers unaffected - March 02, 2007

    Insidious Windows virus threatens business networks worldwide; Macintosh unaffected - March 01, 2007

    Windows ‘Storm Worm’ rages across globe; Apple Macintosh unaffected - January 19, 2007

    Sony, Gracenote sound alarm over Microsoft flaw; Macintosh unaffected - September 19, 2006

    PowerPoint zero-day attack compromises data in infected Windows PCs; Mac OS X unaffected - July 21, 2006

    Windows PC users infected with worm face loss of all Microsoft, Adobe files; Mac users unaffected - January 31, 2006

    Microsoft Windows’ Zero-Day WMF flaw threats widespread; Macintosh unaffected - December 29, 2005

    Microsoft Windows virus spreads rapidly; Apple Macintosh unaffected - November 28, 2005

    Windows users fall victim to huge ID theft ring, 50 banks in danger; Apple Mac users unaffected - August 25, 2005

    Quickly spreading Microsoft Windows worm affects CNN, ABC, NY Times; Apple Macintosh unaffected - August 16, 2005

    ‘Zotob’ worm rapidly infects Microsoft Windows; Macintosh unaffected - August 15, 2005

    16-percent of computer users are unaffected by viruses, malware because they use Apple Macs - June 15, 2005

    Microsoft warns of critical Windows flaws; unaffected Mac users just continue working - June 15, 2005

    Michael Jackson suicide spam hides Windows virus; Macintosh unaffected - June 10, 2005

    Windows Sober.p poised to attack this Monday; Macintosh unaffected - May 21, 2005

    Microsoft Windows Sober.P worm shows ‘epidemic’ spread; Macintosh unaffected - May 03, 2005

    Anzae/Inzae worm affects all Windows versions after 3.1; Macintosh unaffected - December 28, 2004

    Windows Mydoom worm variant spreading in the wild; Macintosh unaffected - November 09, 2004

    Windows XP worm speaks to users as it deletes their files; Macintosh unaffected - September 13, 2004

    Millions of Windows PC’s hijacked by hackers, turned into zombies; Macintosh unaffected - September 08, 2004

    Windows ‘Zindos’ virus spreads, attacks Microsoft.com; Macintosh unaffected - July 29, 2004

    New Windows Bagle virus variants spread; Macintosh unaffected - July 16, 2004

    Windows Lovegate worm variant renders computers useless; Macintosh unaffected - July 08, 2004

    Windows Scob virus collects passwords, financial data; Macintosh unaffected - July 05, 2004

    Windows ‘Scob’ virus designed to steal financial data, passwords; Macintosh unaffected - June 26, 2004

    Windows users warned of infectious Web sites that take over computers; Mac users unaffected - June 25, 2004

    Windows Korgo virus ‘aggressively stealing’ credit card numbers; Macintosh unaffected - June 04, 2004

    First Windows 64-bit virus appears; Macintosh unaffected - May 27, 2004

    Windows Wallon virus wipes out Microsoft Media Player on infected PCs; Macintosh unaffected - May 12, 2004

    Windows Sasser worm mutates, knocks out banks, EC; Macintosh unaffected - May 04, 2004

    Windows Sasser worm severely disrupts UK coastguard; Mac users remain unaffected - May 04, 2004

    Windows Sasser net worm spreading rapidly; Macintosh unaffected - May 03, 2004

    Sen. Edward Kennedy’s Apple Mac-based office totally unaffected by viruses - March 22, 2004

    Five new Windows Bagle virus variants break nasty new ground; Macintosh unaffected - March 19, 2004

    Windows worm, virus outbreaks intensify; Macintosh unaffected - March 03, 2004

    Destructive MyDoom.F virus deletes Windows users’ files; Macintosh unaffected - March 01, 2004

    Netsky-D Windows worm spreading; Macintosh unaffected - March 01, 2004

    Windows users suffer five new Bagle worm variants; Macintosh unaffected - March 01, 2004

    New MyDoom Windows worm deletes random files; Macintosh unaffected - February 25, 2004

    Windows NetSky e-mail worm spreading; Macintosh unaffected - February 18, 2004

    Windows virus ‘Bagle.B’ spreading; Macintosh unaffected - February 17, 2004

    ‘Doomjuice’ worm emerges, targets Microsoft; Macintosh unaffected - February 10, 2004

    New version of Mydoom Windows virus appears, attacks Microsoft; Macintosh unaffected - January 28, 2004

    Latest Windows virus ‘MyDoom’ sets new infection records worldwide; Macintosh unaffected - January 27, 2004

    ‘MyDoom’ Windows virus spreads rapidly; Macintosh unaffected - January 26, 2004

    New Windows worm spreading ‘hard and fast’ worldwide; Macintosh unaffected - January 19, 2004

    Florida students patch 360 PCs in marathon session due to Blaster virus; their Macs unaffected - October 01, 2003

    Pennsylvania school district’s PCs infected with virus; their Macs unaffected - October 01, 2003

    New ‘Swen worm’ masquerades as Windows Security Update; Macintosh unaffected - September 19, 2003

    University of Illinois still patching all Windows machines; Macintosh unaffected - September 05, 2003

    Montana school district’s Windows computers offline due to worm; Macintosh computers unaffected - September 03, 2003

    A tale of two school systems: Windows schools crippled while Mac schools unaffected - August 21, 2003

    SoBig virus variant rapidly inflecting Windows machines; Macintosh unaffected - August 19, 2003

    Windows Blaster worm to attack Microsoft on Saturday; Macintosh unaffected - August 13, 2003

    MBlast Worm spreads through flaw in Windows; Macintosh unaffected - August 11, 2003

    Hackers hijack Windows PCs for porn serving; Macintosh unaffected - July 11, 2003

    Palyh Worm strikes Windows users worldwide; Macintosh unaffected - May 19, 2003

    Microsoft bug exposes millions to attack; Macintosh unaffected - November 20, 2002




    Don't worry, it's only a partial list. There's thousands more where that came from.



    OS X VIRUSES/MALWARE IN THE WILD:



    Like 2. Maybe. In over 7 years. But make sure to click on the obvious links, though, otherwise nothing will happen. With OS X, "infection" is a two-way street. You need to put in the effort!



    That's really all we need to know.
  • Reply 15 of 81
    lkrupplkrupp Posts: 10,557member
    As a long time Apple user I have gotten used to the tech media going after the company with venom dripping from their pens. I have also gotten used to the slugs and slime that slither around this and other Apple centric forums putting down every single thing the company releases. It just goes with the territory of being the company that forces change in the industry, the company that's always out at the frontier moving forward.



    I don't like it but I know I have to just accept it. Meanwhile the proof is in the pudding. The company is wildly successful, profitable, and has customer loyalty unmatched by any company in the world, ever. It's not going away anytime soon, much to the chagrin of countless trolls here and elsewhere.
  • Reply 16 of 81
    Quote:
    Originally Posted by lkrupp View Post


    As a long time Apple user I have gotten used to the tech media going after the company with venom dripping from their pens. I have also gotten used to the slugs and slime that slither around this and other Apple centric forums putting down every single thing the company releases. It just goes with the territory of being the company that forces change in the industry, the company that's always out at the frontier moving forward.



    I don't like it but I know I have to just accept it. Meanwhile the proof is in the pudding. The company is wildly successful, profitable, and has customer loyalty unmatched by any company in the world, ever. It's not going away anytime soon, much to the chagrin of countless trolls here and elsewhere.



    Kudos, someone with common sense
  • Reply 17 of 81
    quadra 610quadra 610 Posts: 6,757member
    Quote:
    Originally Posted by lkrupp View Post


    As a long time Apple user I have gotten used to the tech media going after the company with venom dripping from their pens. I have also gotten used to the slugs and slime that slither around this and other Apple centric forums putting down every single thing the company releases. It just goes with the territory of being the company that forces change in the industry, the company that's always out at the frontier moving forward.



    I don't like it but I know I have to just accept it. Meanwhile the proof is in the pudding. The company is wildly successful, profitable, and has customer loyalty unmatched by any company in the world, ever. It's not going away anytime soon, much to the chagrin of countless trolls here and elsewhere.



    Very well put. Bolded the really important part. And there's good reason for that kind of loyalty.
  • Reply 18 of 81
    MacProMacPro Posts: 19,718member
    Quadra 610: Great post but come on, don't tease ... give us the full list

    p.s. Send to all newspapers about to run the results of this competition.
  • Reply 19 of 81
    quadra 610quadra 610 Posts: 6,757member
    Quote:
    Originally Posted by digitalclips View Post


    Quadra 610: Great post but come on, don't tease ... give us the full list

    p.s. Send to all newspapers about to run the results of this competition.



    Oh yes, there's so much more! I won't post because I don't want to overload AI.



    But anyway, here's the latest:



    http://news.cnet.com/8301-1009_3-10196122-83.html



    Complete, utter mess. All it did was get worse. It's so bad, that lame MS is offering a reward.



    And OS X remains unaffected. Again.
  • Reply 20 of 81
    Quote:
    Originally Posted by lkrupp View Post


    As a long time Apple user I have gotten used to the tech media going after the company with venom dripping from their pens. I have also gotten used to the slugs and slime that slither around this and other Apple centric forums putting down every single thing the company releases. It just goes with the territory of being the company that forces change in the industry, the company that's always out at the frontier moving forward.



    I don't like it but I know I have to just accept it. Meanwhile the proof is in the pudding. The company is wildly successful, profitable, and has customer loyalty unmatched by any company in the world, ever. It's not going away anytime soon, much to the chagrin of countless trolls here and elsewhere.



    Ever? What about Porsche?



    Honestly though, whenever you're on top or threatening to take the crown. Those below will hate and those currently there and their allies will sling mud.
Sign In or Register to comment.