Mac Security - Gone 10 Seconds.


Faolan
19th of March 2009 (Thu), 12:27
If you haven't seen the results of the Pwn2Own 2009 yet then Mac owners are in for a shock. A fully up to date MacBook fell in 10 seconds through a drive-by via Safari. In addition the latest and greatest from Microsoft, Windows 7/IE 8, fell, but it took longer. Also to fall was Firefox.

Overall this is worse than last year! Definitely not a great day for desktop security.

Day 1 (http://dvlabs.tippingpoint.com/blog/2009/03/18/pwn2own-2009-day-1---safari-internet-explorer-and-firefox-taken-down-by-four-zero-day-exploits)

Pete
19th of March 2009 (Thu), 12:37
Well, I expect that he took a while beforehand investigating and attacking the vulnerability that he knew about. So "gone in ten seconds" isn't really a true statement.

http://blogs.zdnet.com/security/?p=2917

Faolan
19th of March 2009 (Thu), 12:54
Sigh, are you saying hackers don't have all the time in the world to create the malware and study the software? They have all the time in the world to perfect their vectors, and the financial incentive. IE vulns can command a price premium of up to $100-150k for unpatched flaws. There are increasing bounties being offered for Firefox vulnerabilities. Most vectors are social engineering these days and that's what's happened here.

It's not just about knowing in advance, people have had IE 8 and Firefox for just as long and they stood up to the attack longer. Safari security is a joke and this was proven last year and again this year.

wlescall
19th of March 2009 (Thu), 14:24
Sigh ... here we go again.

smcclelland
19th of March 2009 (Thu), 15:26
Heh, I have to agree with Pete here too about these guys doing a fair amount of research and testing to break this stuff.

Also keep in mind they are configured via computer-to-computer and there is no additional task of breaching network protocols, external security etc. It's pretty much a walk in, raise hell and walk out scenario which isn't very common in today's day and age :)

Tony-S
19th of March 2009 (Thu), 18:43
If you haven't seen the results of the Pwn2Own 2009 yet then Mac owners are in for a shock.

No, I won't be.

A fully up to date MacBook fell in 10 seconds through a drive-by via Safari.

BS. This guy announced several weeks ago that he had found a hole in Safari.

Overall this is worse than last year!

You're right. They still let them have physical access to the computer (how real is that?). So, I guess we should all avoid letting hackers touch our computers. I suppose I ought to start locking my house, too. :rolleyes:

Still today, no one has hacked into a Mac without having physical access to the computer.

eric.brown
19th of March 2009 (Thu), 19:02
Still today, no one has hacked into a Mac without having physical access to the computer.

Technically, this is untrue.

A hack existed for a short period in 2006/2007 that allowed nefarious folks to use Apple's Airport drivers to inject code into the system. This hack could be done remotely from the machine and the machine could be controlled.

Some may remember the big brouhaha about this when it arose... many people said it was fake but apparently it was real. The hack was quickly patched by Apple. See http://support.apple.com/kb/HT2697?viewlocale=en_US

There are no reports of the hack actually being used to control a device though.

Faolan
19th of March 2009 (Thu), 20:25
You're right. They still let them have physical access to the computer (how real is that?). So, I guess we should all avoid letting hackers touch our computers. I suppose I ought to start locking my house, too. :rolleyes:

So you're ignoring the social engineering techniques that hackers use? That's the vector that's simulated here. On a BSD/Linux system, if you compromise the user shell then you've achieved your goal, and there are a number of security alerts over the years that could allow escalation of privileges.

I'm not criticising the computers, but I'm making people aware that Macs are not infallible. I've stated this before. The user is the biggest security risk, and this is something Microsoft learned to its cost and have done their best to prevent; this is apparent in that it took hours to take out the IE/Firefox browsers. Gone are the days where you could say a Windows OS could be infected in 1 minute (XP pre-SP1).

Tony-S
19th of March 2009 (Thu), 20:45
I'm not criticising the computers, but I'm making people aware that Macs are not infallible.

No one has ever said Macs are infallible. So everything else you say is pretty meaningless.

Faolan
20th of March 2009 (Fri), 07:41
No one has ever said Macs are infallible. So everything else you say is pretty meaningless.

No information is meaningless, you just need to find the framework to judge the data.

Apple spends a lot of time saying Microsoft Windows is insecure; you just have to look at the advertising they have done over the years such as the Mac/PC adverts. This gives the user a false feeling of security in that their system is hack proof. In fact you can see some of this attitude from a few people in this forum.

Review the information in the context of its framework:

1) Fully patched OS X platform, default settings out of the box for a normal user.
2) All applications are as is.
3) The hacker is simulating a user experience.
4) The flaw is a crafted attack based on a standard vector, a user simulated visiting a site. The early data from the convention is that it's a drive-by, which can hit any platform. So the physical access argument is moot.

Drive-by attacks can occur on any server if it's been compromised; there are even cases and documented attacks on top-tier sites who've suffered injection attacks into their pages (IBM, ZDNet and so on). Some malware scripts are so sophisticated that they will target not just one vulnerability but hundreds depending on OS, software and even security patches!

Remember most people buy a Mac because they don't want the 'complexity' of a PC; most users won't have any anti-malware protection like Microsoft systems usually do. So they are even less likely to detect something is wrong.

Tony-S
20th of March 2009 (Fri), 09:12
Apple spends a lot of time saying Microsoft Windows is insecure; you just have to look at the advertising they have done over the years such as the Mac/PC adverts. This gives the user a false feeling of security in that their system is hack proof. In fact you can see some of this attitude from a few people in this forum.

Do you work for some software security firm? Because it sounds like you're trying to sell something. The simple fact is, no one has hacked into a Mac without being able to physically touch it. You cannot say the same for Windows XP (and to a much lesser extent Vista). Anyone suggesting that this "test" (for Mac OS X or Windows 7) is meaningful to 99.99999% of real-world use of a computer is yanking your chain.

Review the information in the context of its framework:

1) Fully patched OS X platform, default settings out of the box for a normal user.
2) All applications are as is.
3) The hacker is simulating a user experience.
4) The flaw is a crafted attack based on a standard vector, a user simulated visiting a site. The early data from the convention is that it's a drive-by, which can hit any platform. So the physical access argument is moot.

5) Hacker has physical access to the computer.

Done.

Faolan
20th of March 2009 (Fri), 11:06
The hacker didn't have physical access, the sponsors did. The hacker sent them a crafted URL. Hence the term drive-by payload. The infection allowed remote access and control of the Mac system. Full details haven't been posted, but that's what has been released.

Read the report I posted a while back if you want to learn more about drive-by payloads; it's an old method that's used even today. You can get hit by a payload without even clicking on a link, through a Flash advert. The recent ZDNet attack was one such incident.

As to working for an InfoSec firm, no I don't.

smcclelland
20th of March 2009 (Fri), 11:46
The hacker didn't have physical access, the sponsors did. The hacker sent them a crafted URL.

http://farm4.static.flickr.com/3432/3366421149_15b170fab1.jpg?v=0

Looks like pretty physical access if you ask me, a direct ad hoc connection computer to computer basically. Because it's so realistic that I let everyone just attach a network cable to my laptop in public :)

Titus213
20th of March 2009 (Fri), 15:59
My MacBook doesn't have enough connecting points to share one with a hacker.

smcclelland
20th of March 2009 (Fri), 16:10
http://www.exposedreality.com/wp-content/uploads/2007/02/office2001to2003.PNG

Protects my windows machines.

MaxxuM
20th of March 2009 (Fri), 21:54
Apple spends a lot of time saying Microsoft Windows is insecure; you just have to look at the advertising they have done over the years such as the Mac/PC adverts. This gives the user a false feeling of security in that their system is hack proof. In fact you can see some of this attitude from a few people in this forum.

I don't think the ads said anything about PCs being 'insecure' per se, just that there were 100,000+ known PC viruses & spyware. Parody or not, they cannot say anything outright inaccurate or libelous, but they can express opinions.

No one is saying that OS X is hardened as much as it could be; with ease of use come security holes. Vista locked down their OS to the irritation of many :) Snow Leopard is going to fix many issues too, so this time next year should be interesting (Windows 7 vs Snow Leopard).

wlescall
20th of March 2009 (Fri), 22:07
For Mac users that may be interested: Mac OSX Security Guides (http://www.apple.com/support/security/guides/)

ibdb
20th of March 2009 (Fri), 22:31
"Physical access" in this case just means that he was connected over a simulated internet. You don't run something like this over the actual net, so that you can monitor all the traffic that goes across the network more closely. Yes, there are cables connecting the hacked machine to the server that put out the code that led to the hack, but it didn't take the attacker sitting at the keyboard himself to execute the code and take advantage of the vulnerability. There was no more or less physical access to the machine than happens any time someone connects to the 'net.

And yes, I did use to work in security. ;)

ibdb
20th of March 2009 (Fri), 22:41
Also keep in mind they are configured via computer-to-computer and there is no additional task of breaching network protocols, external security etc. It's pretty much a walk in, raise hell and walk out scenario which isn't very common in today's day and age :)

Since the vulnerability was exploited via an HTTP connection, it really is pretty similar to an "invite the bad guy in, let him have a look around and raise hell" situation.

The user initiated the connection to the exploit. The hacker didn't have to initiate the connection to the target. Once the HTTP connection was established, it was game over.

The other security mechanisms that work to recognize and prevent these sorts of vulnerabilities are largely pattern and behavioral based, which makes them reactive, and not proactive. If they don't know something is supposed to be bad, they don't block it. That's why anti-virus packages and the like have constant updates. They can't react if they don't know they're supposed to react. With a "zero-day" exploit, none of those other mechanisms know there's something out there they should be watching out for.

Arguing that you're not going to give an attacker a cable and hook it up to your machine for them is missing the point. If you have ever browsed a website, you already have given the attacker a cable that's hooked up to your machine.

Bobster
21st of March 2009 (Sat), 15:10
got to laugh

AlphaChicken
22nd of March 2009 (Sun), 01:31
I have never been hacked. Ever.

Who the fu*ck cares...Seriously. Except the fanboys who must insist their "whatever" is better.

*racist, but sarcastic warning*
Well guess what? White females MUST be better. Cause they are not black and don't live in Africa. White female people MUST *rolls eyes* be better than black female people...fanboy FTW!

I mean seriously? That is how extremely redic it is to argue about stuff like this.

I feel no threat, cause I don't go around DLing stupid stuff that could compromise my computer and I'm one in billions that owns one. And seriously, you guys back up your files right? The chance that you are going to get hacked and your files messed up is about the chance your hard drive fails or lightning fries your compy. GTFO.

MaxxuM
22nd of March 2009 (Sun), 01:41
I have never been hacked. Ever.

Who the fu*ck cares...Seriously. Except the fanboys who must insist their "whatever" is better.

*racist, but sarcastic warning*
Well guess what? White females MUST be better. Cause they are not black and don't live in Africa. White female people MUST *rolls eyes* be better than black female people...fanboy FTW!

I mean seriously? That is how extremely redic it is to argue about stuff like this.

I feel no threat, cause I don't go around DLing stupid stuff that could compromise my computer and I'm one in billions that owns one. And seriously, you guys back up your files right? The chance that you are going to get hacked and your files messed up is about the chance your hard drive fails or lightning fries your compy. GTFO.

<MaxxuM> moves slowly away from AlphaChicken & toward door....;)

Alpha, I don't think anyone is going fanboy on anyone. It's just a talk about security is all.

AlphaChicken
22nd of March 2009 (Sun), 02:06
Hah... yeah I go a little nuts when people argue over what company is better... as if it is as simple as one simply being better.

Seemed like fanboyism to me... arguing about who has better security to no reasonable end.

alt4852
22nd of March 2009 (Sun), 02:16
Still today, no one has hacked into a Mac without having physical access to the computer.

No one has ever said Macs are infallible. So everything else you say is pretty meaningless.

Based on your dismissive logic quoted above:

Macs have been hacked without physical access to the computer. Therefore, everything else you say is pretty meaningless.

Damian75
22nd of March 2009 (Sun), 03:42
I am sorry, but if it takes an action by the end user then it is not a solid hack. That is like saying that if I convince you to let me into your house I have successfully broken in to your house. I have successfully gained access, but I did not break in. Just as if I trick you into downloading a file and installing it, and that file then gives me access to your computer, I have not hacked your computer; all I have proved is that you have an id10T problem. This does not count as a hack on any platform.

Moppie
22nd of March 2009 (Sun), 04:54
I am sorry, but if it takes an action by the end user then it is not a solid hack .......


The problem is the vast majority of "hacks" into computers ARE the result of the user doing something stupid and clicking on something they shouldn't have.

It is exactly why MS put UAC in Vista.

The biggest threat to any system is not the system, but the operator, and it just so happens that a lot of naive and stupid people use computers, and are exploited.

I can guarantee you right now a hacker somewhere is doing a cost benefit analysis on targeting Mac users.
Once the numbers add up they will be targeted just as much as Windows users, and operator error will cause them to become infected.

AlphaChicken
22nd of March 2009 (Sun), 08:30
The problem is the vast majority of "hacks" into computers ARE the result of the user doing something stupid and clicking on something they shouldn't have.

It is exactly why MS put UAC in Vista.

The biggest threat to any system is not the system, but the operator, and it just so happens that a lot of naive and stupid people use computers, and are exploited.

I can guarantee you right now a hacker somewhere is doing a cost benefit analysis on targeting Mac users.
Once the numbers add up they will be targeted just as much as Windows users, and operator error will cause them to become infected.

QFT. Everything you said is 100% accurate and I obviously agree 100% ;-)

ibdb
22nd of March 2009 (Sun), 21:56
I am sorry, but if it takes an action by the end user then it is not a solid hack. That is like saying that if I convince you to let me into your house I have successfully broken in to your house. I have successfully gained access, but I did not break in. Just as if I trick you into downloading a file and installing it, and that file then gives me access to your computer, I have not hacked your computer; all I have proved is that you have an id10T problem. This does not count as a hack on any platform.

As I read the attack, the way that it worked is that a user goes to a webpage that they believe to be 100% legit. Hidden, inserted, injected, hacked into -- whatever you want to call it -- the legitimate webpage contained malicious code. The malicious code then executed and gained access without any additional user intervention beyond browsing a website that they would ordinarily trust. The user did not have to directly execute the malicious code.

This sort of drive-by attack has been used successfully against Windows machines for some time, starting with attackers inserting code into servers of all OSes. There have been attacks where hundreds of thousands of hosts serving up advertisements and the like have had evil code injected that, when browsed as part of an otherwise completely legitimate and believed-to-be-safe site, executed malware. Photobucket was recently targeted with this very sort of attack (http://photography-on-the.net/forum/showthread.php?t=648519 was related to this very sort of attack.)

This was not a "click this EXE" or "download this file" sort of attack. This represents a very real, and very common way that attackers spread malware these days. Attack a database that serves up ads, get the database to serve up evil code instead of the legit ad, and when users go to their regular, everyday sites that happen to use ads ordinarily hosted by that server, they get the malware instead.

I don't take sides in this debate (I don't care). I just want people to be aware that this sort of attack is extremely common, and is the very same sort of passive attack that has been victimizing Windows users for a while.

MaxxuM
27th of March 2009 (Fri), 00:14
Pwn2Own Contest winner: Macs are safer than Windows

Charlie Miller still recommends people get a Mac. Odd this isn't stated in the 'sensationalized' contest. Here is the link (http://www.roughlydrafted.com/2009/03/26/pwn2own-contest-winner-macs-are-safer-than-windows/).

alt4852
27th of March 2009 (Fri), 01:59
Charlie Miller still recommends people get a Mac. Odd this isn't stated in the 'sensationalized' contest. Here is the link (http://www.roughlydrafted.com/2009/03/26/pwn2own-contest-winner-macs-are-safer-than-windows/).

Probably because of all the disclaimers he gives right after that comment and the fact that a sensationalized article attracts more viewers. Which catches your attention more?:

1. "MAC HACKED IN TEN SECONDS!"

2. "EXPERT HACKER RECOMMENDS MACS!"

3. "Miller states that Macs are less likely to be targeted by malicious programmers."

Two of those headlines are meant to grab attention, while one depicts a more accurate representation of what was actually quoted.

Faolan
27th of March 2009 (Fri), 09:36
There's nothing new on that link that contradicts what's been said elsewhere on the thread. Macs are insecure, but there's no market for the malware. It's simple security through obscurity. Mac lacks much of the layered protection now built into Vista/Windows 7, which shouldn't be the case as it's built on BSD.

The case still stands though: it took hours to crack Windows compared to Macs, and this shows how much more secure the standard Windows installation is. Also M$ responded within 24 hours of the security issue. Whilst that doesn't seem important, remember they were holding an exhibition and launching IE 8.

Apple really needs to step up to the plate and deal with security now rather than do a Microsoft and ignore it till it becomes an issue. This is what happened to XP and was one of the reasons Vista took so long to come. Microsoft learned the hard way and needed to re-prioritise its security model.

MaxxuM
27th of March 2009 (Fri), 12:04
Faolan, though I tend to agree about Apple being slow to deal with the issue, I think they are in no hurry because there does not seem to be a credible threat at the moment. Typically, human beings are slow to be preemptive in all categories of their lives. There is one part that is new (that I saw): where he stated he still recommended them.

I still think Snow Leopard is going to elevate Mac security to the next level. Apple (I would think) is likely getting tired of being the first down at these little dog & pony shows. It doesn't matter that it took many long hours of research and programming to find and implement an exploit for the so-called '10 second' glitch and that it took longer on other platforms. The stigma is still there even though it is an illusion of Windows security. I think what we should take away from this is that every OS/browser is vulnerable and could, with little effort, be cracked by a professional, and that only through education and vigilance will we be able to gain back some security in our online lives.

Faolan
27th of March 2009 (Fri), 12:41
Maxxum, it's little different with Windows; you don't think they can crack Windows at the drop of a hat? Hackers have all the time in the world to find one flaw and all the incentive to do so. The security measures in place for Vista and Win 7 are far more robust and make Windows less of a target these days compared to when Win XP came out. Even that article said as much. Win x64 takes this a stage further with further kernel hardening.

The main problem for Mac isn't security or flaws, it's more the case that when it's been hacked you have little or no warning that your system is compromised. There aren't that many InfoSec tools for a Mac (in some ways justified), but the ethos of InfoSec is that it's better to lock the system down instead of letting the horse bolt free. There wasn't a credible threat to XP when it came out initially; that came after. Just look at the various Service Packs and the security measures that had to be backported to lock the OS down.

This dog and pony show, as you call it, serves an important need to highlight security. Without it people wouldn't be aware that you still need to take precautions. The ignorance shown in this thread highlights this starkly. No offence to any member, but this is simple fact. Most members here rely on their OS and have little or no understanding of what an attack vector is, let alone preventing one. Bill (wlescall) posted a guide to securing OS X, but who is going to read a massive document like that, let alone understand it? This is the problem Microsoft faced, and still faces, especially in the corporate sector.

MaxxuM
27th of March 2009 (Fri), 16:40
I still think you are overstating Vista's capabilities and it is a dog and pony show. There have been plenty of these shows (DES, Black Hat, etc...). That is not to mean they don't have their purpose. They can be pretty informative, but we personally don't learn much because to do so we would have to go over tons of white papers. To defeat this flaw all one has to do is run NoScript and not go to sites outside the safe beltway. The way he describes it, it's a minefield out there for Vista users!

In any case, it's highly unlikely I will be hit as I'm hardened (OS X & Vista). I'm so geeky that I will actually sit down and watch a packet sniffer on my home and work LAN just trying to see if I can spot and name all the ports/protocols being sent :)

wlescall
27th of March 2009 (Fri), 22:11
In any case, it's highly unlikely I will be hit as I'm hardened (OS X & Vista). I'm so geeky that I will actually sit down and watch a packet sniffer on my home and work LAN just trying to see if I can spot and name all the ports/protocols being sent :)

:oops: me too :o

Faolan
28th of March 2009 (Sat), 13:13
I'm so geeky that I will actually sit down and watch a packet sniffer on my home and work LAN just trying to see if I can spot and name all the ports/protocols being sent :)

Ethereal, Ettercap or something else? Just curious...