back to article Mac is the first to fall in Pwn2Own hack contest

A brand-new MacBook Air running a fully patched version of Leopard was the first to fall in a contest that pitted the security of machines running OS X, Vista and Linux. The exploit took less than two minutes to pull off. Charlie Miller, who was the first security researcher to remotely exploit the iPhone, felled the Mac by …

COMMENTS

This topic is closed for new posts.

Page:

  1. Patrick
    Happy

    I call it first!

    Flame war on! w00t!!!

  2. Baboo
    Thumb Down

    Macworld 2009

    MacOS X is a security joke: http://www.baboo.com.br/absolutenm/articlefiles/31739-hacking_x_2min.jpg

  3. Antidisestablishmentarianist
    Go

    Go Web...sta, Go Web...sta

    If Master Phreaky doesn't LAY down the LAW on this one I'll eat my Apple.

  4. Eric Pinkerton
    Coat

    Misleading.

    It's misleading to report that it took him 2 minutes when all the reports are that he worked on this exploit for weeks beforehand. Sure it took him a couple of minutes to execute it - so what?

    If we really want to legitimately test the security of these 3 different OS'es - put them on the internet and increase the prize money to compete with what certain government agencies are prepared to pay for this sort of stuff.

    They would ALL be knocked over within seconds.

    All this comp tells me is someone who spends his time looking for and reporting vuln's found one and waited until this conference to report it.

    If you agree with me, add a pointless comment below bitching about how great your choice of OS is over someone elses.

    .......mine is the one with woolen mittens hanging out of the sleeves by a piece of wool.

  5. Andy
    Happy

    Dan Goodin:

    This is about the only report I've seen today which bothers to mention the fact that this was day two of the contest. And it's not often I remark on high-quality Register reporting these days. Kudos.

    As for the contest, I'm gonna come right out and say that this is a popularity contest, not a security contest. Not to belittle the vulnerability - which obviously is pretty serious - but I guarantee that all shipping browsers have vulnerabilities this serious in them, both discovered and undiscovered. It makes sense that the most desirable machine will be most attacked, and therefore likely fall first. A pretty sweet prize.

    I too await the Phreakmaster's arrival with bated breath.

  6. Webster Phreaky
    Jobs Horns

    TOLD YOU SO!!! TOLD YOU SO!!! ..... Eat Crow MacTards

    I predicted this two weeks ago and I said then I would be saying .... TOLD YOU SO!!! TOLD YOU SO!!! ..... Eat Crow MacTards

    Your OS X is a Buggy, Security Risky, Piece of Shit. Swallow that with your Crow.

  7. Gerrit Tijhof
    Happy

    My OS is great

    @Eric Pinkerton

    Too bad it's not 100%-proof, so I will remain carefull with what I do with it.

  8. C. Fuhrman
    Black Helicopters

    All programmers cut from the same (holey) cloth

    If anything, this contest confirms that no OS is any safer than the others. It's the same basic education system that goes into making up the coders, whether it's Apple, Windows, Linux. Unless universities change fundamentally how coders learn about what good security coding is, and static analysis tools are used to find security flaws, etc. software such as browsers with enough complexity is always going to have lots of holes.

  9. Kradorex Xeron

    @Misleading.

    It was a known exploit as per the contest rules, and it having been a known exploit would have been worked on for a long time beforehand, just an opportunity arose to use that research.

    As well as this was in a controlled environment as to allow the rules to be followed, it's true in real-world situations, that such rules don't exist, but this was a contest to determine which platform could be compromised via *known* exploits, if you were to perform this contest on the internet, people would use unknown exploits no doubt, therefore invalidating the contest.

    Overall, this contest is a good display at how proactive the different platforms are in creating patches for *individual* *known* exploits.

  10. yeah, right.

    Um, y es?

    Perhaps the effort was put into busting the Mac first because it was the more desireable machine?

    Security on most computers these days is a joke.

  11. Gareth Irwin

    Does anyone know

    If once the guy was onto the machine he was able to execute code without passwords etc?

    I am just interested.

    I am a mac user and if it did get hacked fair enough. I am interested to know how much would need to be hack and how much an error between the chair and keyboard.

  12. Anonymous Coward
    Heart

    @ Misleading

    "All this comp tells me is someone who spends his time looking for and reporting vuln's found one and waited until this conference to report it."

    I was just about to post the exact same comment, but you've hit the nail on the head. Apple hacker turns up to the event with an exploit he has worked for months to discover and craft, as does Windows hacker, as does Ubuntu hacker. But Apple hacker is first in the queue, he gets his machine set up 5 minutes earlier and his exploit takes 2 minutes instead of 3.

    You don't think comparable exploits can be discovered for the other OSs? You're living in la-la land.

    I'll be sticking with my Mac because using OS X doesn't cause me to suffer internal haemorrhaging, unlike using XP.

  13. Simpson
    Linux

    Don't hate me because I'm beautiful

    "Perhaps the effort was put into busting the Mac first because it was the more desireable machine?"

    That's right.....

    The 10k had nothing to do with it. They just wanted the Mac.

    Every smart and stylish person knows this, it's obvious

  14. Surur
    Black Helicopters

    End of day 2- Linux and Vista still stands!

    So day 2 is over and no one was able to hack the Vista and Linux installed apps, vs 2 minutes for the Macbook.

    I guess apple is the only one who is insecure by default !

  15. snafu

    Months?

    Last time this guy won a Mac hacking contest at CanSecWest he designed the trap in just a day or so. I don't think this was so different.

  16. Anonymous Coward
    Jobs Horns

    Brilliant

    Now that a Mac has been so publicly pwned I find it brilliant how the Mac fans have changed their tune from: "it's impossible to hack a Mac" to: "the Mac only got hacked first because it's more desirable".

    With idiots like you prepared to blindly perpetuate the Apple myth it's easy to see why Steve Jobs is laughing all the way to the bank. You are an Apple marketing executive's wet dream.

  17. Damien Jorgensen
    Gates Halo

    OSX Is as I've always said CACKOS

    Anonymous Coward:

    Windows XP, you cant compare that to OSX, its been replced buddy boy. And thus far its proved far more secure than OSX. So secure the latest SP even secures it against its desktop user lol.

    But come on, those people that use OSX which think its safe, or safer than Linux or fully patched Vista are the kind of people that drive a french car becuase it cam with alloy wheels, or drive an Audi becuase they pals at the graphic design shop think their chic lol

  18. Mike Ward
    Paris Hilton

    I'm 33/33/33

    I'm primarily a Windows user because most people I know use Windows and i like to play many games online which the other o/s' can't offer me. But that doesnt mean I do not like OSX or Ubuntu, I regularly switch o/s' on my laptop and we have several macbooks at work that I dabble on.

    As previously said, all operating systems have security flaws, Windows tends to have more out there because it's used the most by the masses, but as Linux and OSX become more popular they are getting more attention by the hacking scene to devote their efforts on it.

    I think this competition was a bit flawed in that rightly as others have said people could have been sat on an exploit for weeks and put it to work on the day to claim the prize, but on the other hand we need more of these types of encouragement for security devs to find out these bugs to help make the o/s' more secure (prize money is an incentive to nearly all people!)

    Paris icon? Because she could do with some lessons in keeping her personal data more secure.

  19. Chris

    @"First in the queue"

    "But Apple hacker is first in the queue, he gets his machine set up 5 minutes earlier and his exploit takes 2 minutes instead of 3."

    Did you miss the part where the article says that the Windows and Linux boxes are still standing at time of writing, or is the RDF in full effect this time of the morning?

    Given the "timely" nature of most Reg articles, I'd be astonished if this was published in the 60 seconds between the Mac being hacked and the other two...

  20. /\/\j17
    Stop

    @ Misleading

    "All this comp tells me is someone who spends his time looking for and reporting vuln's found one and waited until this conference to report it."

    Sorry, are we meant to bow our heads to the superior intellect of Mac hackers over their slow-witted PC/Linux brothers?

    Yes, this probably is something he found and sat on but then the PC/Linux boys were almost sure to be doing the same thing...they just didn't have as much ease/luck finding a hole as the Mac guy.

  21. Peter D'Hoye
    Pirate

    Not misleading at all

    If you would care to read TFA, you would have read that the Mac was hacked 2 minutes into dat 2, while the Windows and Linux machines were tried and tried again for the rest of the day without result.

    Are you really serious they did a bad job at trying to hack the other machines, and weren't interested in the $10,000? Come on.... All machines got even attention, the Mac failed miserably (the user just had to click on a link on a webpage).

    Get out of your false sense of security NOW!

  22. Anonymous Coward
    Paris Hilton

    Booohooo

    Eat this, fanbois;

    The *Microsoft* and Ubuntu boxes were still standing over *five* hours after the Mac was hacked at 12:38 local time. Fact.

    Mmm, let's just say that again, The *MICROSOFT* box was unhacked *FIVE* hours after the Mac was busted WIIIIIIIIIIDE open.

    You can't seriously be suggesting that none of the other contestants didn't work on finding vulnerabilities for weeks before the contest either can you?

    Paris, because she knows what it's like to be busted wide open and exploited.

  23. Anonymous Coward
    Paris Hilton

    @ Chris

    Why would anyone want to bother hacking the others when the prize has already been won?

  24. Ian Davies
    Stop

    @ all the Anonymous Cowards (surprise!)

    I'm a Mac user, and I'm not pretending this is even remotely OK. It's not.

    Are there mitigating circumstances? Perhaps.

    Is Mac OS X a more tempting target because of how Apple promotes its security record? Maybe.

    Was the MacBook Air targeted because it was a more desirable machine? ehhhhhh unlikely...

    What *has* been conveniently glossed over is that this exploit is not a straightforward remote attack, but relies on a bit of social engineering to get someone to click on a link, which then opens the machine to attack.

    Once again, just to calm down all the idiots on here who are already at the vinegar strokes over the fact that a Mac got hacked, I'm not saying this is OK.

    And Apple need to improve their attitude to security response and patch times.

    But this doesn't somehow absolve Microsoft from their shocking record of insecure software. Trying to pretend otherwise is like making someone stand in front of you on a train track and thinking that, because the train will hit them first, it somehow means you'll be safe...

  25. Will
    Jobs Horns

    That's all well and good

    Anyone know of any Mac's that are part of a botnet? What about one with a virus? A keylogger or a trojan anyone?

    Its good news that Microsoft have improved their security, shame that this has made little difference in the real world. The fact remains that I would be happy to put my Mac outside a firewall with no virus protection, can the users of Windows say the same?

    Of course these kind of incidents are useful, and teach us not to be complacent, hopefully Apple will take note and improve things.

    I never understand why people get so cross at a computer platforms.

  26. Anonymous Coward
    Gates Halo

    Typical

    As usual the rabid zealot mac bashing fanbois come out en-mass to spurt their jism over the web over any even minor flaw which comes up in OS X, conveniently forgetting their own platforms history, and missing the obvious in that Mac OS X is software, and that there is not a piece of software on the market, anywhere in the world, which does not contain some kind of flaw, even after bug fixes and security patches.

  27. brimful
    Flame

    I so wish

    I was working in PC World right now because then I could say to those muppets trying to buy a £2000 word processor that you shouldn't buy a mac because it's less secure than a HP or Compaq, or whatever.

    FLAME: because I think I'm going to take a blowtorch to a granny smith

  28. Grant Mitchell
    Alert

    To be fair

    To all those saying how the Vista and Ubuntu are still running, just remember they still likely have exploits, just that by the rules of the competition you can't use known ones (and in the interests of balance, OS-X has known exploits too...). I think what we should be taking away from this, rather than a "My penis is longer than yours" debate, is that things like firewalls are a good thing. That as IT professionals, we should not rely on the security of any single piece of kit (this includes firewalls), but take a holistic approach.

    Don't fall into the Mac fanboi trap of claiming your unhackable, just limit your exposure.

    For the record, I'm an OS/X, Windows (XP), Linux (Fedora/Lineo), Solaris (2.8/10), irix (6.2 iirc) and NeXTStep (And in the past VMS, RT11 and NetBSD) user at home... And I don't trust any of them to be secure... I don't trust my firewalls either (hardware and software), but I believe I've done what I can, which is what we all should do. Anyone who believes the inbuilt security on their OS is enough is an idiot (IMHO).

  29. Slaine
    Linux

    busting Paris wide open :) thanks 4 that

    Now, this Vista machine, it did actually complete it's boot up sequence didn't it?

  30. This post has been deleted by its author

  31. Anonymous Coward
    Black Helicopters

    Safari Bug

    Interesting that the hole was in Safari, which in another register report can (or cannot) be loaded onto Windows. Perhaps someone read the EULA before loading it onto the Windows machine, when updating QuickTime, iTunes etc.

  32. Chris Purcell
    Coat

    Hulk?

    "Trying to pretend otherwise is like making someone stand in front of you on a train track and thinking that, because the train will hit them first, it somehow means you'll be safe"

    If they're The Hulk, you probably are...

  33. Dave
    Jobs Horns

    Joy :D

    After spending the last hour fighting a G5 over a f&$@ing Quark install this has made me soooooooo happy. Great start to the weekend.

  34. brimful
    Flame

    @ Ian Davies

    "Trying to pretend otherwise is like making someone stand in front of you on a train track and thinking that, because the train will hit them first, it somehow means you'll be safe..."

    no but it does mean you'll be "safer" because the train would hit the guy infront at a greater speed than it will it you (assuming of course that the driver has applied his breaks before he hit the guy in front and the breaks remain on whilst the train is coming for you). Also the fact that the guy infront is probably still plastered infront of the train, it should provide adequate cusioning should you get hit as well :)

    Flame: Let the apple BURN!!!!

  35. Paul

    @Ian Davis

    Yes the exploit required someone to click a link but the same rules applied to the other two machines which withstood the attack.

    As to promoting security in my opinion it is the apple fanboys who have been promoting that a lot more than apple have. Probably because given an even installation base they would be found to be a buggy on the security front as windows and "Please buy our machines because the more of you that do the less secure they become" is not that good as a selling point.

  36. Anonymous Coward
    Anonymous Coward

    Bless.

    "Eat this, fanbois; The *Microsoft* and Ubuntu boxes were still standing over *five* hours after the Mac was hacked at 12:38 local time. Fact."

    It's also the case that the hack used on the Mac isn't allowed to be tried on the other platforms, and the winner can't submit any other hacks once he's won a laptop.

    He's a Mac guy, and says he hasn't tested the exploit on other platforms, so we don't yet know if his exploit is generic. He did one of the first iPhone cracks too, I believe - handy guy.

    OSX - favourite platform for talented crackers (er, security researchers) and having dtrace is only going to have helped...

    It goes some way to explaining how come Solaris, AIX, HP-UX systems don't get cracked so much - no desktop apps that any significant numbers of people use. I'm still not going back to my SunRay though.

    As for the gloaters, and those teaching all the silly/fashion-victim/stupid/arrogant/deluded Mac users a lesson - fair play, but I do have to imagine your mum standing over you, reading your posts and rolling her eyes while you rant and wag your fingers at the imaginary fanboi hordes you've just sussed up (and sussed up a treat, too).

  37. Anonymous Coward
    Jobs Horns

    Get a PC !

    always wanted to say that

  38. Chris

    @why bother?

    "Why would anyone want to bother hacking the others when the prize has already been won?"

    1: I can't be 100% certain as I can't see it written in as many words, but from the prize rules: http://dvlabs.tippingpoint.com/blog/2008/03/19/cansecwest-pwn-to-own-2008 it looks like the prize money is per machine, not overall. So you still get $10,000 even if another machine has been hacked first.

    2: Even if you don't get the cash, you still appear to get the laptop.

    3: Kudos?

    4: Why not?

  39. Ben
    Stop

    @Anonymous Coward

    "...Windows tends to have more out there because it's used the most by the masses..."

    Oh p-l-e-a-s-e... not that argument again. If you think the unwashed masses somehow dirty the Windows code you're beyond hope.

    The number of bugs per line of code has no correlation whatsoever to how many times the compiled code is copied/sold. This is in contrast to the direct correlation between bugs/LoC and eyes/LoC.

  40. Chris

    bollocks

    Just read it again, it does say

    "The first winner of each laptop gets to keep it (one laptop per vulnerability entry) as well as a cash prize sponsored by ZDI. Once a laptop is won however, no more exploits may be submitted. Therefore there are a maximum of three cash prizes, one per laptop."

    So there's no reason _not_ to keep going after one has been hacked

  41. Anonymous Coward
    Paris Hilton

    Still not critical

    The attacker actually does not open a session. It's Safari that opens a telnet on a remote host. Eventually the remote host can execute code but is on the remote host not on the Mac. Somebody calls this a flaw because via the terminal window you could run a script that asks for password but this has more to do with the moronity of the user than the platform itself.

    I can see why Apple is not considering this a critical patch.

    Next year I think I will take the effort to participate to the contest: it seems they have money to give away.

    Paris because all I can hope is to "execute" with her remotely.

    Mabuse68

  42. heystoopid
    Paris Hilton

    So

    So how the mighty god's children have fallen so quickly on the hackers field !

  43. Paul Buxton

    Vindicated? Yes, I think so. Smug? Who? Me?

    I've stated my opinion on this forum before - Mac and Linux users are a risk to security simply because they believe they are unhackable. Windows users (who are constantly being told how insecure their system is) don't believe any such nonsense.

    Will this make a difference? No. We can already see the Mac fanbois lining up with their excuses. Not a bloody single one of them will change their habits (or their OS) because of this and they'll still spout their crap about how wonderful and secure their OS is even though there is evidence to the contrary.

    I honestly hope that Windows survives longer than the Ubuntu box (though I doubt it will to be honest but it would be a bloody good laugh).

  44. Anonymous Coward
    Heart

    windows sucks, OS X sucks, linux sucks

    Why can't we all just agree that computers suck.

  45. Gulfie
    Paris Hilton

    I like my Mac but...

    ... I'm not so stupid as to think that it is 100% secure and completely invulnerable. For example, I can't examine the precise firewall rules currently enforced without dropping to the shell. The Mac is perceived as more secure because there are fewer viruses, worms, vulnerabilities reported. This is simply because the Mac is a relative minority in the big scheme of things.

    Think of it like a Ferrari if you will. Lots of effort on presentation, performance, slickness but boy they still break down.

    OK, 'nuff said, time to go Back To My Mac

    (Paris, because she'd choose a Mac based on style)

  46. Anonymous Coward
    Happy

    Mmmm, crow. Tasty.

    I'm not sure where Webster Phreaky actually lives, but I always have a mental picture of him chained to a stake in someone's back yard, like those rabid zombies in "28 Days Later".

  47. Anonymous Coward
    Linux

    Firefox Anyone :-)

    No one even entered the contest on Day1 where the OS, Drivers or Networks Stack were up for being hacked, so why the flame war over OS X ?

    The hack was targeted at the safari browser, a browser that I haven't used on my mac for a good few years due to the superior Firefox browser. In fact I don't use IE on XP or Vista for exactly the same reason.

    IE = better than Safari.

    Firefox = better than IE.

    Firefox = best browser (cue second flame war!!!!)

  48. Anonymous Coward
    Coat

    @Damien Jorgensen

    Huh, I thought this was about OSX Vs Linux Vs WinXP? Don't go bringing Audi's into this! ;)

    Mines the one haning up in the back of an A4!

  49. Anonymous Coward
    Anonymous Coward

    @will

    "Anyone know of any Mac's that are part of a botnet? What about one with a virus? A keylogger or a trojan anyone?"

    It would be a pretty fruitless task, who cares about a handful more apple machines in a botnet when theres already millions of windows machines to exploit. Most of those are down to clueless users running any old crap they come across via email or on the 'net.

  50. Andus McCoatover
    Coat

    @get a PC

    Yep, I did get a PC.

    It runs Ubuntu Linux. Splendidly.

    Ta-ta...

Page:

This topic is closed for new posts.