I call it first!
Flame war on! w00t!!!
A brand-new MacBook Air running a fully patched version of Leopard was the first to fall in a contest that pitted the security of machines running OS X, Vista and Linux. The exploit took less than two minutes to pull off. Charlie Miller, who was the first security researcher to remotely exploit the iPhone, felled the Mac by …
It's misleading to report that it took him 2 minutes when all the reports are that he worked on this exploit for weeks beforehand. Sure it took him a couple of minutes to execute it - so what?
If we really want to legitimately test the security of these 3 different OS'es - put them on the internet and increase the prize money to compete with what certain government agencies are prepared to pay for this sort of stuff.
They would ALL be knocked over within seconds.
All this comp tells me is someone who spends his time looking for and reporting vuln's found one and waited until this conference to report it.
If you agree with me, add a pointless comment below bitching about how great your choice of OS is over someone else's.
.......mine is the one with woolen mittens hanging out of the sleeves by a piece of wool.
This is about the only report I've seen today which bothers to mention the fact that this was day two of the contest. And it's not often I remark on high-quality Register reporting these days. Kudos.
As for the contest, I'm gonna come right out and say that this is a popularity contest, not a security contest. Not to belittle the vulnerability - which obviously is pretty serious - but I guarantee that all shipping browsers have vulnerabilities this serious in them, both discovered and undiscovered. It makes sense that the most desirable machine will be most attacked, and therefore likely fall first. A pretty sweet prize.
I too await the Phreakmaster's arrival with bated breath.
If anything, this contest confirms that no OS is any safer than the others. It's the same basic education system that goes into making up the coders, whether it's Apple, Windows, Linux. Unless universities change fundamentally how coders learn about what good security coding is, and static analysis tools are used to find security flaws, etc. software such as browsers with enough complexity is always going to have lots of holes.
It was a known exploit as per the contest rules, and it having been a known exploit would have been worked on for a long time beforehand, just an opportunity arose to use that research.
As well as this was in a controlled environment as to allow the rules to be followed, it's true in real-world situations, that such rules don't exist, but this was a contest to determine which platform could be compromised via *known* exploits, if you were to perform this contest on the internet, people would use unknown exploits no doubt, therefore invalidating the contest.
Overall, this contest is a good display at how proactive the different platforms are in creating patches for *individual* *known* exploits.
"All this comp tells me is someone who spends his time looking for and reporting vuln's found one and waited until this conference to report it."
I was just about to post the exact same comment, but you've hit the nail on the head. Apple hacker turns up to the event with an exploit he has worked for months to discover and craft, as does Windows hacker, as does Ubuntu hacker. But Apple hacker is first in the queue, he gets his machine set up 5 minutes earlier and his exploit takes 2 minutes instead of 3.
You don't think comparable exploits can be discovered for the other OSs? You're living in la-la land.
I'll be sticking with my Mac because using OS X doesn't cause me to suffer internal haemorrhaging, unlike using XP.
Now that a Mac has been so publicly pwned I find it brilliant how the Mac fans have changed their tune from: "it's impossible to hack a Mac" to: "the Mac only got hacked first because it's more desirable".
With idiots like you prepared to blindly perpetuate the Apple myth it's easy to see why Steve Jobs is laughing all the way to the bank. You are an Apple marketing executive's wet dream.
Anonymous Coward:
Windows XP, you can't compare that to OSX, it's been replaced buddy boy. And thus far it's proved far more secure than OSX. So secure the latest SP even secures it against its desktop user lol.
But come on, those people that use OSX which think it's safe, or safer than Linux or fully patched Vista are the kind of people that drive a French car because it came with alloy wheels, or drive an Audi because their pals at the graphic design shop think they're chic lol
I'm primarily a Windows user because most people I know use Windows and I like to play many games online which the other o/s' can't offer me. But that doesn't mean I do not like OSX or Ubuntu, I regularly switch o/s' on my laptop and we have several macbooks at work that I dabble on.
As previously said, all operating systems have security flaws, Windows tends to have more out there because it's used the most by the masses, but as Linux and OSX become more popular they are getting more attention by the hacking scene to devote their efforts on it.
I think this competition was a bit flawed in that rightly as others have said people could have been sat on an exploit for weeks and put it to work on the day to claim the prize, but on the other hand we need more of these types of encouragement for security devs to find out these bugs to help make the o/s' more secure (prize money is an incentive to nearly all people!)
Paris icon? Because she could do with some lessons in keeping her personal data more secure.
"But Apple hacker is first in the queue, he gets his machine set up 5 minutes earlier and his exploit takes 2 minutes instead of 3."
Did you miss the part where the article says that the Windows and Linux boxes are still standing at time of writing, or is the RDF in full effect this time of the morning?
Given the "timely" nature of most Reg articles, I'd be astonished if this was published in the 60 seconds between the Mac being hacked and the other two...
"All this comp tells me is someone who spends his time looking for and reporting vuln's found one and waited until this conference to report it."
Sorry, are we meant to bow our heads to the superior intellect of Mac hackers over their slow-witted PC/Linux brothers?
Yes, this probably is something he found and sat on but then the PC/Linux boys were almost sure to be doing the same thing...they just didn't have as much ease/luck finding a hole as the Mac guy.
If you would care to read TFA, you would have read that the Mac was hacked 2 minutes into day 2, while the Windows and Linux machines were tried and tried again for the rest of the day without result.
Are you really serious they did a bad job at trying to hack the other machines, and weren't interested in the $10,000? Come on.... All machines got even attention, the Mac failed miserably (the user just had to click on a link on a webpage).
Get out of your false sense of security NOW!
Eat this, fanbois;
The *Microsoft* and Ubuntu boxes were still standing over *five* hours after the Mac was hacked at 12:38 local time. Fact.
Mmm, let's just say that again, The *MICROSOFT* box was unhacked *FIVE* hours after the Mac was busted WIIIIIIIIIIDE open.
You can't seriously be suggesting that none of the other contestants didn't work on finding vulnerabilities for weeks before the contest either can you?
Paris, because she knows what it's like to be busted wide open and exploited.
I'm a Mac user, and I'm not pretending this is even remotely OK. It's not.
Are there mitigating circumstances? Perhaps.
Is Mac OS X a more tempting target because of how Apple promotes its security record? Maybe.
Was the MacBook Air targeted because it was a more desirable machine? ehhhhhh unlikely...
What *has* been conveniently glossed over is that this exploit is not a straightforward remote attack, but relies on a bit of social engineering to get someone to click on a link, which then opens the machine to attack.
Once again, just to calm down all the idiots on here who are already at the vinegar strokes over the fact that a Mac got hacked, I'm not saying this is OK.
And Apple need to improve their attitude to security response and patch times.
But this doesn't somehow absolve Microsoft from their shocking record of insecure software. Trying to pretend otherwise is like making someone stand in front of you on a train track and thinking that, because the train will hit them first, it somehow means you'll be safe...
Anyone know of any Macs that are part of a botnet? What about one with a virus? A keylogger or a trojan anyone?
It's good news that Microsoft have improved their security, shame that this has made little difference in the real world. The fact remains that I would be happy to put my Mac outside a firewall with no virus protection, can the users of Windows say the same?
Of course these kind of incidents are useful, and teach us not to be complacent, hopefully Apple will take note and improve things.
I never understand why people get so cross at a computer platform.
As usual the rabid zealot mac bashing fanbois come out en masse to spurt their jism over the web over any even minor flaw which comes up in OS X, conveniently forgetting their own platform's history, and missing the obvious in that Mac OS X is software, and that there is not a piece of software on the market, anywhere in the world, which does not contain some kind of flaw, even after bug fixes and security patches.
To all those saying how the Vista and Ubuntu are still running, just remember they still likely have exploits, just that by the rules of the competition you can't use known ones (and in the interests of balance, OS-X has known exploits too...). I think what we should be taking away from this, rather than a "My penis is longer than yours" debate, is that things like firewalls are a good thing. That as IT professionals, we should not rely on the security of any single piece of kit (this includes firewalls), but take a holistic approach.
Don't fall into the Mac fanboi trap of claiming you're unhackable, just limit your exposure.
For the record, I'm an OS/X, Windows (XP), Linux (Fedora/Lineo), Solaris (2.8/10), irix (6.2 iirc) and NeXTStep (And in the past VMS, RT11 and NetBSD) user at home... And I don't trust any of them to be secure... I don't trust my firewalls either (hardware and software), but I believe I've done what I can, which is what we all should do. Anyone who believes the inbuilt security on their OS is enough is an idiot (IMHO).
"Trying to pretend otherwise is like making someone stand in front of you on a train track and thinking that, because the train will hit them first, it somehow means you'll be safe..."
No, but it does mean you'll be "safer" because the train would hit the guy in front at a greater speed than it will hit you (assuming of course that the driver has applied his brakes before he hit the guy in front and the brakes remain on whilst the train is coming for you). Also the fact that the guy in front is probably still plastered in front of the train, it should provide adequate cushioning should you get hit as well :)
Flame: Let the apple BURN!!!!
Yes the exploit required someone to click a link but the same rules applied to the other two machines which withstood the attack.
As to promoting security in my opinion it is the Apple fanboys who have been promoting that a lot more than Apple have. Probably because given an even installation base they would be found to be as buggy on the security front as Windows and "Please buy our machines because the more of you that do the less secure they become" is not that good as a selling point.
"Eat this, fanbois; The *Microsoft* and Ubuntu boxes were still standing over *five* hours after the Mac was hacked at 12:38 local time. Fact."
It's also the case that the hack used on the Mac isn't allowed to be tried on the other platforms, and the winner can't submit any other hacks once he's won a laptop.
He's a Mac guy, and says he hasn't tested the exploit on other platforms, so we don't yet know if his exploit is generic. He did one of the first iPhone cracks too, I believe - handy guy.
OSX - favourite platform for talented crackers (er, security researchers) and having dtrace is only going to have helped...
It goes some way to explaining how come Solaris, AIX, HP-UX systems don't get cracked so much - no desktop apps that any significant numbers of people use. I'm still not going back to my SunRay though.
As for the gloaters, and those teaching all the silly/fashion-victim/stupid/arrogant/deluded Mac users a lesson - fair play, but I do have to imagine your mum standing over you, reading your posts and rolling her eyes while you rant and wag your fingers at the imaginary fanboi hordes you've just sussed up (and sussed up a treat, too).
"Why would anyone want to bother hacking the others when the prize has already been won?"
1: I can't be 100% certain as I can't see it written in as many words, but from the prize rules: http://dvlabs.tippingpoint.com/blog/2008/03/19/cansecwest-pwn-to-own-2008 it looks like the prize money is per machine, not overall. So you still get $10,000 even if another machine has been hacked first.
2: Even if you don't get the cash, you still appear to get the laptop.
3: Kudos?
4: Why not?
"...Windows tends to have more out there because it's used the most by the masses..."
Oh p-l-e-a-s-e... not that argument again. If you think the unwashed masses somehow dirty the Windows code you're beyond hope.
The number of bugs per line of code has no correlation whatsoever to how many times the compiled code is copied/sold. This is in contrast to the direct correlation between bugs/LoC and eyes/LoC.
Just read it again, it does say
"The first winner of each laptop gets to keep it (one laptop per vulnerability entry) as well as a cash prize sponsored by ZDI. Once a laptop is won however, no more exploits may be submitted. Therefore there are a maximum of three cash prizes, one per laptop."
So there's no reason _not_ to keep going after one has been hacked
The attacker actually does not open a session. It's Safari that opens a telnet on a remote host. Eventually the remote host can execute code but is on the remote host not on the Mac. Somebody calls this a flaw because via the terminal window you could run a script that asks for password but this has more to do with the moronity of the user than the platform itself.
I can see why Apple is not considering this a critical patch.
Next year I think I will take the effort to participate in the contest: it seems they have money to give away.
Paris because all I can hope is to "execute" with her remotely.
Mabuse68
I've stated my opinion on this forum before - Mac and Linux users are a risk to security simply because they believe they are unhackable. Windows users (who are constantly being told how insecure their system is) don't believe any such nonsense.
Will this make a difference? No. We can already see the Mac fanbois lining up with their excuses. Not a bloody single one of them will change their habits (or their OS) because of this and they'll still spout their crap about how wonderful and secure their OS is even though there is evidence to the contrary.
I honestly hope that Windows survives longer than the Ubuntu box (though I doubt it will to be honest but it would be a bloody good laugh).
... I'm not so stupid as to think that it is 100% secure and completely invulnerable. For example, I can't examine the precise firewall rules currently enforced without dropping to the shell. The Mac is perceived as more secure because there are fewer viruses, worms, vulnerabilities reported. This is simply because the Mac is a relative minority in the big scheme of things.
Think of it like a Ferrari if you will. Lots of effort on presentation, performance, slickness but boy they still break down.
OK, 'nuff said, time to go Back To My Mac
(Paris, because she'd choose a Mac based on style)
No one even entered the contest on Day1 where the OS, Drivers or Networks Stack were up for being hacked, so why the flame war over OS X ?
The hack was targeted at the safari browser, a browser that I haven't used on my mac for a good few years due to the superior Firefox browser. In fact I don't use IE on XP or Vista for exactly the same reason.
IE = better than Safari.
Firefox = better than IE.
Firefox = best browser (cue second flame war!!!!)
"Anyone know of any Macs that are part of a botnet? What about one with a virus? A keylogger or a trojan anyone?"
It would be a pretty fruitless task, who cares about a handful more Apple machines in a botnet when there's already millions of Windows machines to exploit. Most of those are down to clueless users running any old crap they come across via email or on the 'net.