Mac is the first to fall in Pwn2Own hack contest

A brand-new MacBook Air running a fully patched version of Leopard was the first to fall in a contest that pitted the security of machines running OS X, Vista and Linux. The exploit took less than two minutes to pull off. Charlie Miller, who was the first security researcher to remotely exploit the iPhone, felled the Mac by …

COMMENTS

This topic is closed for new posts.

  1. Anonymous Coward
    Anonymous Coward

    Unfortunately....

    the article doesn't say how far into the contest on the second day that the exploit was revealed... it sounds to me more like the exploit takes two minutes to execute, rather than the contest was over in two minutes... so it's hard to say if the guy already knew of the hack or not...

  2. Mectron
    Flame

    @Tim Spence

    Macs have always been the worst computer anyone could buy. It is pricey, low quality (lots of lawsuits from ex-Apple consumers), it is only one thing: VAPOR. Apple sells hype and a lot of mindless drones buy into that.

    The "I am better than you because I own a Mac" syndrome is widespread among Mac users. But the reality is Macs are as buggy as any other platform. But if I am a malware pusher I will go for Windows because there are more people on it. Simple logic. And no, a poor quality clone of FreeBSD is not a real OS and never will be.

    Mac is an inferior machine OS-wise and as more mindless drones start using it (thanks to the totally undeserved iPod success) the more hackers will discover how easy it is to hack that overpriced piece of junk.

    Fact: most mindless drones who own a Mac use Mac OS in front of their friends, but as soon as they're alone... it's Bootcamp time...

  3. WhatWasThat?
    Happy

    @Ian Davies

    Ian: Hehe, I had this five page statistical analysis laid out for vulnerabilities between Microsoft and Apple (OS, etc) from (http://www.kb.cert.org/vuls/bypublished) and a point-by-point rebuttal to your arguments. Likewise, there was a comparison to the number of vulnerabilities vs. the relative age of each (MS, Apple, Linux) and showing how as each matured, they gained vulnerabilities and what the proportions were for each (NOTE: it is _not_ directly proportional). Good thing I'm not at work or anything... <whistles innocently /> :-)

    Instead, I wish to state (explicitly this time) that I *do* agree with you - there can be no argument *either way* because of lack of data and control values (hence, impossibility of comparing). I was _trying_ to strengthen your argument. The point I was making was that _you_ weakened your argument, and I wanted to strengthen it because it _is_ valid. That aside, when you talk about "here and now" and "in the future", you implied extrapolation, which must be based off of historical fact or observation. That was why I took that approach to strengthen your argument.

    I must apologize, but after all I did I can't just sit on these numbers for 2007 from CERT, above with marketshare from (http://marketshare.hitslink.com/report.aspx?qprid=8):

    Microsoft vulnerabilities: 61/366 = 16.7% for 91.58% marketshare.

    Apple vulnerabilities: 45/366 = 12.3% for 7.46% marketshare.

  4. Paul Buxton

    @Neil Alexander

    "Okay, yeah. So the MacBook got beaten first, and now this has happened, the playing field is leveled a bit. The moral of the story is "use your firewall, install your updates and don't click links you don't trust". "

    That's very good advice - read above to find the moron who will happily put his Mac on the internet outside of a firewall and the other moron who doesn't use an S/W firewall but never specified whether or not he's behind an H/W firewall. Well maybe they'll listen to you - I just got flamed. :D

    "Now will the Windows or anti-Mac zealots please stop with the "take this, fanboys!" attitude? Your operating system is not perfect either, yet I do not waste my time bashing your system. Get back to me when it is and then I might be less tempted to gouge out your eyes with a screwdriver."

    Um... the thing about this is... um... NO! We've had to put up with shit from Mac and Linux users for years - the elitist bastards think they're untouchable. Well here's the reality check, live with it. Windows users never claim that their system is more secure than other comparable OSes, they'd be flamed to hell by the Mac fanbois so it's not worth doing even though it's now sort of been proven to be true(ish). It's time to eat humble pie and not time to attack people with screwdrivers.

  5. Ivan Headache

    @ The Mighty Spang

    the bloke said "I thought of the three it was the easiest".

    he did not say "I thought of the three it was the most desirable"

    Good point - but - he's a mac specialist.

    I'm a specialist on double-decker buses so I'm damned if I'm going to try to drive an Airbus 380 when I think the bus is so much easier.

  6. b166er

    Titter

    Tee-Hee

  7. Graham Lockley

    Here on my desk....

    ... I have an abacus, I would love to see you C64 fanbois try and hack it :)

  8. Grant Mitchell
    Stop

    @ Mectron

    Are you old enough to post here? How can you possibly claim to know what people do when they're alone? Grow up. Oh, and for the record, BSD, it stands for Berkeley Software Distribution, it's a flavour of unix see (not a distribution)... like System V. Is it free... well some versions of it are, but not all, SunOS was BSD, and commercial, as was NeXTStep, etc, so apple are hardly new there in charging for a BSD based OS. Might as well say that Windows users are dumb for paying when they could use reactos. In fact they pay considerably more than these Mac users you like to slag off for their OS, 200+ quid saved on the OS cost.. based on prices today on amazon.co.uk ...

    Mac not perfect. Windows not perfect. Linux not perfect (seeing a pattern here?). Be responsible, make sure you use firewalls (hardware and software), think before you click/download, etc.

    One final point... Think on this: the guy that won... he was a smart guy. Hacked the iPhone as well according to the blurb. Is a respected security expert. What else does it say about him in the article: "As a Mac user, he added, he felt...". Oh, he's a smart guy, a security expert, probably knows a hell of a lot more than most of the posters here on the subject of security, and what computer does he choose to use...

  9. Ed
    Happy

    Why all this fuss, i mean its JUST a Mac :p

    ROFL

  10. Steve Todd

    Sorry Mectron

    I could see that your heart was in it, you had all of the right elements (semi-coherent english, bad spelling, plenty of bile and unprovable assertions) but it still doesn't make up for lack of a good Webster rant.

  11. Paul
    Gates Halo

    Unison is a piece of what OS?

    Mr Greenwood makes a couple of comments I wish to take issue with...

    He's using Ubuntu and he let a log file get to 32GB before he could figure out how to turn it off? BWAH HAH HA HA!

    And he'd miss unison, a piece of Apple's crippleware? I've been phishing about with 'nix boxes for a long time --- Now it seems Apple are backdating a claim on a standard 'nix package that's older than some of Jobs' sales pitches.

    FFS

    Oh and for the Apple fan boys: In yer faeces! lol

    Gate's for sainthood, obviously, for once he didn't let the side down.

  12. Grant Mitchell
    IT Angle

    @ Paul

    I believe Mr Greenwood was referring to Panic Unison (http://www.panic.com/unison/), which is not made by Apple (hence not Apple's crippleware, Panic's crippleware perhaps, but not Apple's). Actually, I think it's not a bad newsreader, I certainly would describe it as crippleware (but I'm not even sure I know what that is, I'd have to guess by the name...). Never seen Apple claiming it was theirs. Much like Windows, where other developers (aside from MicroSoft) are allowed to produce and sell software for the OS, the same is true of OSX. If you insist on judging the OS by the quality (or lack of) of 3rd party software, you need to wait till day 3 of the competition ;)

  13. Anonymous Coward
    Anonymous Coward

    I wonder....

    I wonder, as a Mac user he went after the Mac cos it was an Airbook. I wonder what the specs of the other machines were?

    I don't remember. But I bet they weren't as "sweet" as the Mac.

    The comments are interesting, I got bored after the first few. I do notice the venom of the Windows crowd; I wonder if that's just jealousy that they have such horrible boxes and horrible OS. Vista is the joke.

    Come on, MS can do so much better, but they have no need to cos you keep buying their crud. Make Windows better by making MS actually deliver decent software.

  14. Ian Davies
    Happy

    @WhatWasThat

    OK, agreement noted :)

    However, I still don't think anything I said implied a need for historical data; I only said *may* change in the future. That something will change over time is a fairly safe probability. I didn't make any guess as to *how* it would change, or how quickly. I have my own opinions, but they're just that.

    The figures you give are interesting; I'll be the first to admit that I'm surprised by the percentages (in both cases), but there appears to be no data on how often (or even if at all) the vulnerability has been exploited, and I *was* specific about the number of *actively* used flaws on each platform. Looking at the severity metric on the CERT site, for example, I have to go to the 4th page before I find a single Apple flaw (Quicktime) and there are only 4 in total out of the 210 most severe vulnerabilities listed.

    I would still maintain to anyone who thinks they 'know' about the superiority of one platform's security over another, that you can't ignore the fact that in practical everyday use, a Mac is far less likely to be compromised.

    I should also say that I agree wholeheartedly with your original assertion that this competition didn't seem to be about any real hacking, and needing someone to click a link is pretty lame.

  15. Alexander Hanff
    Stop

    Known Exploit?

    Forgive me but last time I read the rules (when they were announced about 2 weeks ago and reported here on El Reg) they clearly stated that the exploits had to be NEW and previously unreported. This is clearly contrary to people claiming this was a known exploit.

    Face it Apple products are shite and Apple users are gullible sheep.

  16. Stuart Duel
    Happy

    What would have been more interesting...

    ....would be to see if the same exploit worked on the other systems using the same browser. Or a different browser with the same engine (WebKit) or a different browser with a different engine. THAT would be more instructive regardless of the outcome of such tests.

    To answer another guy's question, the 'hacker' was able to access files on the Macbook Air, not execute code. Although we don't know what 'access' files means - does it mean get a file list, open a file, or something more? We don't know how critical these files were that he could access or whether any other actions could be taken such as changing permissions, deleting, moving, renaming, altering, overwriting or copying files nor who owned the files. Was it the system files or did he get right into the user accounts?

    As to the suggestion that the guy went for the 'prettiest' laptop, I think that is quite silly - $10K is sweet no matter what hardware you nab, although the Air would have been icing on the cake. So next time have three Mac laptops so we can dispense with this silly 'pretty' argument.

    The fact remains that there is an entire community poring over the code of Darwin (the actual OS part of OS X) and WebKit (the core of Safari), being open source software, and there is only one company looking at the code of the closed source Windows - for everyone else it's secret sauce, or perhaps that should be spaghetti sauce.

    As a result flaws are being found, reported and generally fixed quickly for open source and the only exploits we find out about in Windows and other Microsoft proprietary software are the ones that hit the headlines, not the stuff that Microsoft finds but keeps secret.

    It still doesn't alter the fact that there are no exploits in the wild affecting OS X, no viruses, no spyware, no adware or any of those other annoyances and real world destructive nasties which exist and cause dramas day in, day out for Windows.

    But perhaps this will teach Apple a lesson - firewall on by default. I'd also recommend AV software (such as clamXav), just in case and perhaps set up to run in stealth mode by default.

  17. Jach
    Linux

    Cheer

    I was hoping Mac would bite the dust first. I really don't think this whole thing is too valid, but it does have some use, and really exposes the idiocy of the Mac fans. (I plan on showing this to a friend just to bug him. =P)

    Anyway.. The argument about user base is crap. The majority of web servers run some flavor of Linux, yet it's the Windows server ones that are more vulnerable. (There are still Linux flaws, anyone who says otherwise is deluded; check out that kernel hack recently, and I've read things about compromised Linux servers in botnets.) An argument about user stupidity might be better than user base, as many Windows users can't tell a USB port from a Mic port, and a proper move to Linux would hopefully educate some users a bit. (Everyone go install Gentoo now! Good luck compiling your kernel.)

    Thanks other El Reg readers for an amusing read through of the comments!

  18. Anonymous Coward
    Coat

    The best OS ever!

    My OS is not the best, or the most secure...

    and I'm not telling you what it is either because I don't care and I'm not so sad as to have an "OS ego".

    Everything will be cracked eventually, as security is only an illusion.

    Meanwhile...

    There's nothing on this system worth stealing, and I don't "click-on" or open any emails from retards.

    ...parker jacket, with big holes under the arms

  19. Matthew Gray
    Flame

    *sigh*

    okay, i signed up to post this...

    "It seems the word "hacking" is vastly misunderstood these days."

    sure is... hacking is just writing code, and code, to be executed on a computer. "cracking" is the act of writing malicious code (criminal hacking... hence cracking)

    Also, to try and make this vulnerability seem less valid owing to the fact it requires a user to click a hyperlink is also fairly naive, all it takes is one retard and a "hot babes here" in underlined blue. That retard could be sitting in front of any of the three boxes in fairness, although given the fact that there's at least one retard out there who happily states "The fact remains that I would be happy to put my Mac outside a firewall with no virus protection" makes me start to lose faith in the human race. Along with making me think the Mac might just be that more susceptible to attack, due to user error.

    Oh, and while I'm at it (pauses for breath) did I just read that OS X disables the firewall by default? I've been accused of overconfidence before, but that seems like inviting trouble to me, especially with the above mentioned "I don't need a firewall" type users out there. In Vista not only does it turn on your firewall by default, it bitches if you turn it off, or neglect to install virus protection. Cue arguments about this being because Microsoft know their OS is open to attack. Well I say, I'd rather spend days installing layers of security, and never need it, over proudly proclaiming that my OS is free of hacks whilst having my card details slyly read by some sly b*****d who decided to test that theory.

    Oh, and what's all this more desirable spew too? I've used Macs, and as far as I can tell you pay for a pretty box and some pretty software. Seems you pay twice the price for half the spec too.

    annnnnnnnd (pauses again for breath) where's that guy who was saying that market share has nothing to do with how many security flaws there are... Well, I suppose market share doesn't affect how many exist in the code, but it will definitely affect how many are found. A cracker is going to spend more time looking for holes in a system used by 90 odd percent of users, as it's going to be of more use to them. This is the reason you don't find Macs in botnets... quite simply why bother designing a botnet for such a limited audience? A botnet is supposed to be huge.

    I really hope that this report knocks some of those Mac users off their pedestals. Quite simply, the majority of you seem to be under the delusion your OS has some kind of super shield. Well it hasn't. Fewer viruses exist for it because people aren't as interested in writing viruses for your OS. Viruses are supposed to take down huge businesses, not just their art departments.

    Oh, and finally, for the record, I use both Gentoo and Windows, I am under no delusion as to their security, both are virus protected and behind a software and hardware firewall, and I never click links for free pron no matter how tempting the offer may seem. And I don't hate OS X. I believe it has its positives, along with its negatives. It just angers me that for so long Windows users have had to put up with flak from users of other OSes... point in fact, PCs are cheaper than Macs, and Windows is more user-friendly than Linux, so in my opinion it's no surprise Microsoft commandeers such a large market percentage.

  20. Ign R. Amis
    Jobs Horns

    @Matthew Gray

    "I really hope that this report knocks some of those mac users off their pedestals."

    You appear to be one of the people who a) didn't actually read the article, and/or b) didn't comprehend what you read.

    The rules of the contest were that no PREVIOUSLY KNOWN exploits were to be employed. Considering Windows' storied history of being pwned in every way imaginable, that doesn't leave many options to the contest participants.

    Secondly, the guy who cracked OSX did so using an exploit he'd been working on for several weeks prior to the contest.

    I don't think it's surprising that there would be a vulnerability in some of the software on OSX, but the crowing about this by the Windows drones is stupid. When someone actually finds a real virus or malware for OSX in the wild, then I'll consider getting off the pedestal. Until then, I'll continue enjoying my far superior, and more secure, OS.

  21. Ben
    Alert

    @Steve

    "That's not what he said. He was talking about the number of KNOWN vulnerabilities. In this case there certainly is a correlation between the number of people using code and the number of discovered bugs.

    "If there weren't, then beta testing could be done by one guy on his own just as effectively as 200 people testing simultaneously."

    That's exactly the faulty argument I was trying to highlight.

    1. Users don't find vulnerabilities - developers do. It doesn't matter if you've got a customer base of 1M+ if all they do is restart the program every time it crashes.

    2. One beta tester with one fuzzer can crash an application just as fast as 200 testers. Finding crashes is just a *small* part of Beta testing (that should've been fixed in Alpha testing q-: ). The real reason for large-scale beta testing is to see how idiot-proof the software is from a usability/functionality PoV.

  22. Matthew Gray

    @Ign R. Amis

    "Considering Windows storied history of being pwned in every way imaginable, that doesn't leave many options to the contest participants."

    so the fact that vulnerabilities have been found, and corrected, somehow lessens the fact that the OS X box fell first. Oh, and from further reading, the Ubuntu box failed to fall completely.

    "When someone actually finds a real virus or malware for OSX in the wild, then I'll consider getting off the pedestal."

    http://vil.nai.com/vil/content/v_138578.htm there's one. (particularly humorous imo that the pictures being offered aren't naked celebs, as with PC users, but images of the next OS X release :D - that's gotta say something about Mac users)

    And in response to both, the argument your OS is safer because hardly anyone has bothered to make use of exploits is fairly redundant. It merely means fewer people have bothered exploiting the flaws, because there's no point attacking a 4% market share.

    In fact, what will happen is in a few years' time, this "better than thou" attitude will bite you in the ass. Somebody WILL release a virus, and all the "I don't need virus protection" crowd will fall flat on their faces as their unprotected systems go belly up.
