Myth crushed as hacker shows Mac break-in

Right after Apple's release of a patch for 25 vulnerabilities in OS X, a hacker managed to break into a Mac by exposing a hole in Apple's browser Safari, winning a $10,000 prize as part of a contest started at the CanSecWest security conference in Vancouver, Canada. Initially, contestants were invited to try to access one of two Macs through a wireless access point while the Macs had no programs running. No attackers managed to do so, and so conference organizers allowed participants to try to get in through the browser by sending URLs via e-mail.

Dino Di Zovie, who lives in New York, sent along a URL that exposed the hole. Because the contest was only open to attendees in Vancouver, he sent it to a friend who was at the conference and forwarded it on. The URL opened a blank page but exposed a vulnerability in input handling in Safari which allowed an attacker to use the vulnerability in a number of ways, but Di Zovie used it to open a back door that gave him access to anything on the computer. The vulnerability won't be published. 3Com's TippingPoint division will handle disclosing it to Apple. The prize for the contest was originally one of the Macs but on Thursday evening, TippingPoint put up the cash award, which may have spurred a wider interest in the contest.

"Currently, every copy of OS X out there now is vulnerable to this," said Sean Comeau, one of the organizers of CanSecWest. The conference organizers decided to offer the contest in part to draw attention to possible security shortcomings in Macs. "You see a lot of people running OS X saying it's so secure, and frankly, Microsoft is putting more work into security than Apple has," said Dragos Ruiu, the principal organizer of security conferences including CanSecWest. Macs haven't been targets for hackers and malicious code writers because there are fewer Macs in use, thus making the potential impact of malicious code smaller than on the more widely used Windows PCs.

Link: Forum Discussion (Thanks LTD)
News source: InfoWorld

Report a problem with article
Previous Story

U.S. Government had 100K Social Security numbers Online

Next Story

WalMart to sell $199 HD-DVD player in Q4 2007?

69 Comments

Commenting is disabled on this article.

My final comment on all this fud.

Look up the security sites to see what is the most secure, and underestand what it all means, as far as i am concerned if a hole is patched it is no longer a hole. This said i class a secure operating system to have no holes (i don't give a crap about how many it has had in the past, if they are fixed they are fixed). By this logic microsoft is without a doubt the best OS, linux doesn't come close, look at how many known linux vulnerabilities are out there in the wild at any one time, these take time to get patched and unfortunatley you have to put the vulnerability out in the wild before someone can patch it, this is just open source and the way it works. Now if a vulnerability is known about it can be cracked.

at this exact point in time apple is less secure than MS, as this issue is known and in the wild, Apple has a known issue out in the wild. i am not aware of any current known issues with MS out in the wild that are not patched. Remembering that issues may exist but if noone knows about them they can't exploit them The security of an OS is totally dependant on time, MS may be better now but ni a week Apple may have fixed thiss issue and ms have found one, its a never ending cycle, and to anyone out there that thinks it is so easy to write secure code adn that we "shouldn't have bugs", then try writing an OS with a few million lines of code.

"Myth crushed as hacker shows Mac break-in"

Oops. This myth was busted a long time ago. The only people who believe the myth are victims of Apple's marketing that don't relaize that Mac isn't as invincible as Apple would like people to believe.

Of course, the advertising and arrogance will continue and some people will continue to believe that Mac is invincible.

As opposed to getting into a big Windows vs. *nix argument, I'll just quote CNET:

"The successful attack on the second and final day of the contest required a conference organizer to surf to a malicious Web site using Safari on the MacBook--a type of attack familiar to Windows users.

CanSecWest organizers relaxed the rules Friday after nobody at the event had breached either of the Macs on the previous day. (Emphasis added)

Macaulay teamed with Dino Dai Zovi, a security researcher until recently with Matasano Security. Dai Zovi, who has previously been credited by Apple for finding flaws in Mac software, found the Safari vulnerability and wrote the exploit overnight in about 9 hours, he said."


Full article:

http://news.com.com/MacBook+hacked+in+cont...ml?tag=nefd.top

LTD said,
Macs are still tops in security. By far.

Depending how you define 'top security'... you could look at % of affected users, actual number of affected users, number of known exploits, etc. which one are you looking at, and where did you get your figures from - or was it just a presumed opinion?

I read a good point on Macrumors.com

Quote - displaced
if this is a WebKit bug, claiming the 'Macintosh' or 'OS X' has been exploited because of a bug in the browser engine is just as silly as claiming Linux has been exploited because Firefox has a vulnerability.

As always, most problems are user action as opposed to OS security. But how many Mac users do not run any type of security software, or have the attitude that the Mac is safe from these types of attacks.

Remember, no matter the security, OS, connection,........ clicking links in emails potentially unsafe.

all this said about operating systems and hacker..blah blah.........and ive had 1 keylogger since

i really like osx for mac...think its great...but i wanna move to vista..i luv the new os....i'll switch over in aboot 1 yr's time..when most major security problems r ironed out..


btw...aces to the hacker....really shows that Apple..has an interest to improve its os's and relations with consumers ! :nuts:

MAC isn't very popular among hackers...Each and every soul knows about windows and they become hackers favourites for a break-in and a mac can also be hacked...a hacker who knows to hack a windows operating system...how many days will it take for him to hack a mac?.....

Windows is better...Always!...

Right, ignoring all these weird fanboy sercurity comments, all I gotta say, is Well Done to the hacker! The guy got $10k! :)

-Rich-

Yeh - and I would say Apples biggest issue is the fact the only growth they have on the computer market is predicted growth.

plastikaa said,

Yeh - and I would say Apples biggest issue is the fact the only growth they have on the computer market is predicted growth. :laugh:

Hmm.. too bad amount of sales != profitability. Sure, Microsoft may make more money now, but don't think that Apple is going to die someday soon. if you haven't noticed, Apple is much better at making end-to-end products, and people are only now realizing that right now. Since most people only buy a new PC every 3-4 years and Macs have only been able to run Windows for a year now, there's still quite a bit of headroom left to grow.

the hack still relies on someone having to click on something that they wont click on if theyre a knowledgeable user. i dont own a mac, but its damn sure more secure than windows, in part b/c of the unix core and in part because its much less of a target.

You do realize there are a number of exploits and rootkits available for Linux and all other versions of Unix. My Linux server has been compromised three times in the last year (with all the latest patches and tripwires). It did not matter. Sweeping generalizations are harmful because they stereotype and classify problems that could easily apply to them (in this case most users are not knowledgeable and will click on anything and open everything). Finally, NT is based off from VMS (and this OS is very similar to Unix (permissions and security). It is more compatibility features that have been introduced into the kernel and subsystems that cause security issues that have caused problems. Wait until Apple begins to support more and more legacy software.

What if someone just used FireFox? I am completely lost when it comes to this stuff but if I read it correctly, the user must use Safari as the app to open the URL, right?

Or is this a system issue and NOT a software issue?

Heh, people always make fun of Windows security. But truth be known, it's probably the most secure OS because its biggest security problems get exposed.

thats why I use firefox. lol those browsers that are tied to the operating system are not a secure method.

safari and Mac

IE and Windows

third party browsers are usually better off.

If it is installed on your computer and it connects to the internet, it really doesn't matter how "tied to the operating system" it is.

I've found IE7 in Vista to be far more secure than Firefox, thanks in part to the .ani exploit. I'll still prefer Firefox due to obvious reasons beyond security.

Slimy said,
If it is installed on your computer and it connects to the internet, it really doesn't matter how "tied to the operating system" it is.

Safari can be removed.

well do some research is all i can say. don't make up your own statements about security of an application unless you understand the consequenses.

There are indeed a number of holes in firefox and there has been a lto over the time it has ben out. some sites even consider ie7 more secure.

Yes and no, this hack still require user interaction, while some of windows weak points do not. Still it is distressing that you can have full user access to the machine from a url.

Sigh.. another disingenious windows basher. Your statement that windows has weak points that require no user interaction is simply not true in the context of a security debate. It is true from a historical perspective, ie, pre-xp sp 2 windows had these problems, but in that case are we going to bring up old versions of mac os like the ones that had viruses that spread simply from inserting a disk into a power-on'ed system? XP SP 2, server 2003, and vista shouldn't have those kind of exploits unless the user disables default, enitirely unobtrusive security features.
If you have proof that modern windows OSes have non-user interaction exploits, link it or shut it..

Windows bashers like to say that hackers would write malware for mac if it were possible just because of how 'l33t'
it would be, how do they reconcile this belief with the fact that security holes are plugged monthly for mac os x?
Obviously if a security hole is plugged, malware was previously possible, yet there is none for mac os x. Any half-literate person can see that hackers just have no interest in macs and could care less about the fame of hacking a computer who's only claim to fame is that some find it pretty, backing up the argument that hackers these days are almost entirely motivated by money, and windows users is where the money is as they out number mac users like 50 to 1. They write one hack for windows and can spread spam and do ddos attacks from 50 times the machines they would get to if they wrote a mac hack.

J_R_G said,
Sigh.. another disingenious windows basher. Your statement that windows has weak points that require no user interaction is simply not true in the context of a security debate. It is true from a historical perspective, ie, pre-xp sp 2 windows had these problems, but in that case are we going to bring up old versions of mac os like the ones that had viruses that spread simply from inserting a disk into a power-on'ed system? XP SP 2, server 2003, and vista shouldn't have those kind of exploits unless the user disables default, enitirely unobtrusive security features.
If you have proof that modern windows OSes have non-user interaction exploits, link it or shut it..

Windows bashers like to say that hackers would write malware for mac if it were possible just because of how 'l33t'
it would be, how do they reconcile this belief with the fact that security holes are plugged monthly for mac os x?
Obviously if a security hole is plugged, malware was previously possible, yet there is none for mac os x. Any half-literate person can see that hackers just have no interest in macs and could care less about the fame of hacking a computer who's only claim to fame is that some find it pretty, backing up the argument that hackers these days are almost entirely motivated by money, and windows users is where the money is as they out number mac users like 50 to 1. They write one hack for windows and can spread spam and do ddos attacks from 50 times the machines they would get to if they wrote a mac hack.

http://www.bullguard.com/virus/default.aspx?id=337

Your logic also fails to compensate for Linux viruses.

Kirkburn said,

Er, any reason for that completely irrelevant link?

XP SP 2, server 2003, and vista shouldn't have those kind of exploits unless the user disables default, enitirely unobtrusive security features.
If you have proof that modern windows OSes have non-user interaction exploits, link it or shut it..

Nuff said.

J_R_G said,
Sigh.. another disingenious windows basher. Your statement that windows has weak points that require no user interaction is simply not true in the context of a security debate. It is true from a historical perspective, ie, pre-xp sp 2 windows had these problems, but in that case are we going to bring up old versions of mac os like the ones that had viruses that spread simply from inserting a disk into a power-on'ed system? XP SP 2, server 2003, and vista shouldn't have those kind of exploits unless the user disables default, enitirely unobtrusive security features.
If you have proof that modern windows OSes have non-user interaction exploits, link it or shut it..

Windows bashers like to say that hackers would write malware for mac if it were possible just because of how 'l33t'
it would be, how do they reconcile this belief with the fact that security holes are plugged monthly for mac os x?
Obviously if a security hole is plugged, malware was previously possible, yet there is none for mac os x. Any half-literate person can see that hackers just have no interest in macs and could care less about the fame of hacking a computer who's only claim to fame is that some find it pretty, backing up the argument that hackers these days are almost entirely motivated by money, and windows users is where the money is as they out number mac users like 50 to 1. They write one hack for windows and can spread spam and do ddos attacks from 50 times the machines they would get to if they wrote a mac hack.

ergg yeah... sure, Historicaly mean two years ago, the blaster worm and it's still in the wild. Aldo it will not affect windows XP sp2 all version below will be affected. Like you friend with the dell and it's pre sp1 restaure cd. For the record i'm not really a windows basher: i hate microsoft current security pita but windows is decent since 2k i don't really hate them anymore.

Darkinspiration said,

ergg yeah... sure, Historicaly mean two years ago, the blaster worm and it's still in the wild. Aldo it will not affect windows XP sp2 all version below will be affected. Like you friend with the dell and it's pre sp1 restaure cd. For the record i'm not really a windows basher: i hate microsoft current security pita but windows is decent since 2k i don't really hate them anymore.

2 years is an extrememly long time in computing, and as for blaster still running around, the only reason for this would be the previously mentioned morons not updating their comuters for over 2 years. one thing to remeber about blaster, is if your machine was patched it was not vulnerable, microsoft had a patch out to plug the hole before the virus was releeases, so you can't blame MS for blaster, it's the moron users that don't update their machines

mattrobs said,
Moron users are the biggest vulnerability.

Yea, because we all know not being well-versed in computers makes someone a moron...

you don't work in IT do you ?

No really users are so useless about security, i've almost given hope. They can spend days in basic security training and still set three letters password if unsupervised...

People crash cars because they suck at driving, but it doesn't mean we shouldn't keep trying to add more safety features to prevent it from happening. Really, "joe user" shouldn't have to worry about security as long as he takes general common-sense precautions. It would be great if all computer users were as educated as the average Neowin reader when it comes to security, but I doubt that will ever happen.

No, a worm is the biggest threat. It does not require a clueless loser. I will agree that this is an issue and I hope that more details will emerge soon.

obsolete_power said,

Yes, it does.


Hmm, ok I am going to make the following assumption:

All people who are well versed in computers are elitist pricks.

Get where I'm going with this?

5HORiZONS said,
People crash cars because they suck at driving, but it doesn't mean we shouldn't keep trying to add more safety features to prevent it from happening. Really, "joe user" shouldn't have to worry about security as long as he takes general common-sense precautions. It would be great if all computer users were as educated as the average Neowin reader when it comes to security, but I doubt that will ever happen.

Driving is one thing. But operating if they suck at operating a vehicle. Just heard about a lady at work (who has no reverse on the car) figured she could make it up a hell. Nope. So for like 20 minutes she and her friend tried to push it up the hill. When one asked the other. "You don't have it in park do you" hmmm guess what, she did have it in park. Guess thats why they couldn't push it.

So where is that cupholder on this computer?? ahh there it is. Splat.....

Turbonium said,

Yea, because we all know not being well-versed in computers makes someone a moron... :rolleyes:

unfortuanaelty the truth hurst, users are the root cause of the majority of security breaches, it's caled social engineering, also have to say not being well versed in computers is a fast track to getign hit with something.

Turbonium said,

Hmm, ok I am going to make the following assumption:

All people who are well versed in computers are elitist pricks.

Get where I'm going with this?

agreed, thats why we say all the mean things to noob users that don't know crap

It is more secure. Sure, it's also targeted less often, but the OS is fundamentally more secure than Windows. It's not bullet proof, by any means, but it's better.

How exactly is OS X "fundamentally more secure" than Windows? That's a pretty broad statement, unless you are very knowledgeable about the intricacies of both operating systems (and, if you are, more details would be awesome).

5HORiZONS said,
How exactly is OS X "fundamentally more secure" than Windows? That's a pretty broad statement, unless you are very knowledgeable about the intricacies of both operating systems (and, if you are, more details would be awesome).

The fact that it's built on a Unix core should be a pretty obvious explanation of why it's more secure. I really can't believe someone asked me to explain further. I'm far from an engineer, but any basic understanding of the various OS's out there will show that systems with a Unix core generally fair much better than Windows has over the years.

Can't believe someone asked it either :S

Well, Apple better fix this ASAP even if it's one of the only ways to hack a Mac ATM. When I think about it, Month of Apple and contests like those are actually good for the company. Okay, MOA made the flaws public, that's not good, but at least it gives them more pressure to publish a fix and to show if they care for their users (or not...)!

bangbang023 said,
The fact that it's built on a Unix core should be a pretty obvious explanation of why it's more secure. I really can't believe someone asked me to explain further. I'm far from an engineer, but any basic understanding of the various OS's out there will show that systems with a Unix core generally fair much better than Windows has over the years.

Lol, I love how I get treated like I'm stupid for asking that question, but then get an answer that equates to "everyone knows it's better."

From an architectural standpoint, Unix and NT were designed with very similar goals in mind (multiple users, file permissions, and other items related to security)... NT is not a bad base, and Unix doesn't automatically mean "secure" like you're making it out to be. But really, who cares if it's Unix-based; most of OS X was designed and created by Apple. I guess what I'm trying to say is that neither OS is inherently secure or insecure, it depends largely on the frameworks and software running on to of it. That's where Windows has been falling flat on its face, and OS X remains largely untested.

5HORiZONS said,
From an architectural standpoint, Unix and NT were designed with very similar goals in mind (multiple users, file permissions, and other items related to security)... NT is not a bad base, and Unix doesn't automatically mean "secure" like you're making it out to be. But really, who cares if it's Unix-based; most of OS X was designed and created by Apple. I guess what I'm trying to say is that neither OS is inherently secure or insecure, it depends largely on the frameworks and software running on to of it. That's where Windows has been falling flat on its face, and OS X remains largely untested.

Microsoft's strong commitment to ensuring good backwards compatibility with software is the root cause of most of the security problems with Windows.

Mac OS has more distinct security lines between different user spaces. A user cannot install something into the system space without their knowledge (although, that is not to say that they cannot be tricked into doing it). Microsoft is closing this gap, and a lot of the security features in Windows Vista are nice to see.

Of course, with both operating systems, these sorts of security features still give programs running with the users system privileges (and not necessarily administrative privileges) access to all of the user's files. A malicious program can delete files or send information over the Internet.

Probably the worst thing I've been infected with on my Windows systems was a key logger. Luckily the end result was just my WoW account being hacked. Still, no attack is more disturbing than knowing that your key strokes have been logged and sent across the Internet. I changed all my passwords after the incident. It would have seriously sucked if my online banking was hacked.

Actual security flaws in software aside, it really comes down to the users who make dumb decisions that affect the security of their system. And Window's users are certainly more targeted than others.

By bangbang's logic Windows 'core' -- the kernel has lots of vulnerabilities. The fact is otherwise.
The kernel has proven rock solid. You see several app issues but you harldy see any kernel issues.

The whole "unix is fundementally more secure" thing is old, tired and just plain wrong.

Yes, in the 9x kernel days it would be. but unix isn't fundamentally more secure than NT, but the windows OS has allways been created with the user in mind, while unix has been created with multi user security in mind. Fundamentally they are the same, but what been dione aroudn them int he shell is different. And with vista and the internet being eveywhere al the time now, they have moved away from the best possible user experience to offer better security. Since the release of Vista, if you're counting, other OS' has had more security update each month than Vista has in total.

Also this was mroe of a hacker break in, Windows lack of security has been majorly in Viruses, sure hackgin into it has been an issue too, but the focus and complaints have been about the viruses. And when it comes to hackign into systems directly Linux is actually, I believe unless something has changed recently, the biggest target. Simply because such a large amount of web servers run Linux.


and for anyone coming out with those security issues are in apacher or mySQL... yeah well, the security issues in windows have pretty much been application issues as well, so that won't fly.

bangbang023 said,
It is more secure. Sure, it's also targeted less often, but the OS is fundamentally more secure than Windows. It's not bullet proof, by any means, but it's better.

That's Apple's arrogant assumption. Their more secure notion is simply marketing. Nothing more. Usually Linux is more secure because from what I've understood it's a pain to write code and the hacker/cracker has given up by then.

The only real positive thing about an Apple is it doesn't crash quite so often as Microsoft. But the more secure than Microsoft is simply a marketing ploy.

Since no one could hack the Mac thru a wireless access point with "NO" programs running....but they could thru a browser, doesn't point the finger to the OS. It points it towards Safari allowing the code to be run.

Keep in mind that the Beta 2 kernel release of Vista was injected with a rootkit.

This flippen argument is getting old.......fast.

Tiger is supposedly twice the amount of code as Vista... presuming the coders for both Apple and Microsoft are equally good, doesnt this mean Apple should in theory have twice the number of security problems...

Apple should have about 5% of targets from a Virus. The fact is they don't because hardly anyone targets them, as it isnt used as widely as windows. Its like a theif only stealing pink cars - you could... but why would anyone?

5HORiZONS said,
How exactly is OS X "fundamentally more secure" than Windows? That's a pretty broad statement, unless you are very knowledgeable about the intricacies of both operating systems (and, if you are, more details would be awesome).

You might want to search the forum?

http://www.neowin.net/forum/index.php?show...31&hl=virus, and more importantly http://www.informit.com/articles/article.a...qNum=7&rl=1

There's not a simple explanation why OS X is [i]more[/b] secure, it's quite complex.

HawkMan said,
The whole "unix is fundementally more secure" thing is old, tired and just plain wrong.

Yes, in the 9x kernel days it would be. but unix isn't fundamentally more secure than NT, but the windows OS has allways been created with the user in mind, while unix has been created with multi user security in mind. Fundamentally they are the same, but what been dione aroudn them int he shell is different. And with vista and the internet being eveywhere al the time now, they have moved away from the best possible user experience to offer better security. Since the release of Vista, if you're counting, other OS' has had more security update each month than Vista has in total.

Also this was mroe of a hacker break in, Windows lack of security has been majorly in Viruses, sure hackgin into it has been an issue too, but the focus and complaints have been about the viruses. And when it comes to hackign into systems directly Linux is actually, I believe unless something has changed recently, the biggest target. Simply because such a large amount of web servers run Linux.


and for anyone coming out with those security issues are in apacher or mySQL... yeah well, the security issues in windows have pretty much been application issues as well, so that won't fly.

In reality, it's not that Unix is more secure than NT, but that compared between the OSs themselves, one does a ****load more than the other to make sure that unauthorized programs don't get installed.

HawkMan said,
The whole "unix is fundementally more secure" thing is old, tired and just plain wrong.

Yes, in the 9x kernel days it would be. but unix isn't fundamentally more secure than NT, but the windows OS has allways been created with the user in mind, while unix has been created with multi user security in mind. Fundamentally they are the same, but what been dione aroudn them int he shell is different. And with vista and the internet being eveywhere al the time now, they have moved away from the best possible user experience to offer better security. Since the release of Vista, if you're counting, other OS' has had more security update each month than Vista has in total.

Also this was mroe of a hacker break in, Windows lack of security has been majorly in Viruses, sure hackgin into it has been an issue too, but the focus and complaints have been about the viruses. And when it comes to hackign into systems directly Linux is actually, I believe unless something has changed recently, the biggest target. Simply because such a large amount of web servers run Linux.


and for anyone coming out with those security issues are in apacher or mySQL... yeah well, the security issues in windows have pretty much been application issues as well, so that won't fly.

In reality, it's not that Unix is more secure than NT, but that compared between the OSs themselves, one does a ****load more than the other to make sure that unauthorized programs don't get installed.

The fact that it's built on a Unix core should be a pretty obvious explanation of why it's more secure. I really can't believe someone asked me to explain further. I'm far from an engineer, but any basic understanding of the various OS's out there will show that systems with a Unix core generally fair much better than Windows has over the years.

Obviously not an engineer, or very techinical, and as an explain further this simply does not cut it, its better cause it uses linux, is justa plain old load of rubish, there is no proof that unix/linux is more secure, this is a myth as is the myth that macs are not vulnerable to anything. did you even read the article, the last line sasys it all

(PatrynXX said @ #1.9)
The only real positive thing about an Apple is it doesn't crash quite so often as Microsoft. But the more secure than Microsoft is simply a marketing ploy.

when does your windows crash, i don't think ihave had windwos crash for years, yes i have had app crashes, but the last bluescreen of death i had would have been at least 3 years ago