Mac Security - Gone 10 Seconds.

If you haven't seen the results of the Pwn2Own 2009 yet then Mac Owners are in for a shock. A fully up to date MacBook fell in 10 seconds through a drive by through Safari. In addition the latest and greatest from Microsoft Windows 7/IE 8 fell but it took longer. Also to fall was Firefox.

Overall this is worse than last year! Defintely not a great day for Desktop security.

Day 1

Well, I expect that he took a while beforehand investigating and attacking the vulnerability that he knew about. So "gone in ten seconds" isn't really a true statement.

http://blogs.zdnet.com​/security/?p=2917

Sigh, are you are saying Hackers don't have all the time in the world to create the malware and study the software? They have all the time in the world to perfect their vectors, and the financial incentive. IE vulns can command a price premium up to $100-150k for unpatched flaws. There is increasing bounties being offered for Firefox vulnerablities. Most vectors are social engineering these days and that's what's happened here.

It's not just about knowing in advance, people have had IE 8 and Firefox for just as long and they stood up to the attack longer. Safari security is a joke and this was proven last year and again this year.

Sigh ... here we go again.

Heh, I have to agree with Pete here too about these guys doing a fair amount of research and testing to break this stuff.

Also keep in mind they are configured via computer-to-computer and there is no additional task of breaching network protocols, external security etc. It's pretty much a walk in, raise hell and walk out scenario which isn't very common in todays day and age

Faolan wrote in post #7555840
If you haven't seen the results of the Pwn2Own 2009 yet then Mac Owners are in for a shock.

No, I won't be.

BS. This guy announced several weeks ago that he had found a hole in Safari.

You're right. They still let them have physical access to the computer (how real is that?). So, I guess we should all avoid letting hackers touch our computers. I suppose I ought to start locking my house, too.

Still today, no one has hacked into a Mac without having physical access to the computer.

Tony-S wrote in post #7557967
Still today, no one has hacked into a Mac without having physical access to the computer.

Technically, this is untrue.

A hack existed for a short period in 2006/2007 that allowed nefarious folks to use Apple's Airport drivers to inject code into the system. This hack could be done remotely from the machine and the machine could be controlled.

Some may remember the big bruhaha about this when it arose...many people said it was fake but apparently it was real. The hack was quickly patched by apple. See http://support.apple.c​om/kb/HT2697?viewlocal​e=en_US

There are no reports of the hack actually being used to control a device though.

Tony-S wrote in post #7557967
You're right. They still let them have physical access to the computer (how real is that?). So, I guess we should all avoid letting hackers touch our computers. I suppose I ought to start locking my house, too.

So you're ignoring the Social Engineering techniques that Hackers use? That's the Vector that's simulated here. On a BSD/Linux system if you compromise the user shell then you've achieved your goal and there is a number of security alerts over the years that could allow escalation of privileges.

I'm not criticisng the computers, but I'm making aware that Macs are not infallible. I've stated this before. The user is the biggest security risk and this is something Microsoft learned to it's cost and have done their best to to prevent this, this is apparent in that it took hours to take out the IE/Firefox browsers. Gone are the days where you could say a Windows OS could be infected in 1 minute (XP Pre-SP1).

Faolan wrote in post #7558576
I'm not criticisng the computers, but I'm making aware that Macs are not infallible.

No one has ever said Macs are infallible. So everything else you say is pretty meaningless.

Tony-S wrote in post #7558675
No one has ever said Macs are infallible. So everything else you say is pretty meaningless.

No information is meaningless, you just need to find the framework to judge the data.

Apple spends a lot of time saying Microsoft Windows is insecure, you just have to look at the advertising they have done over the years such as Mac/PC adverts. This gives the user a false feeling of security in that they're system is hack proof. In fact you can see some of this attitude from a few people in this fora.

Review the information in context of it's framework:

1) Fully patched OS X platform, default settings out of the box for a normal user.
2) All applications are as is.
3) The hacker is simulating a user experience.
4) The flaw is acrafted attack based on a standard vector, user simulated visiting a site. The early data from the convention is that it's a drive by, which can hit any platform. So the physical access argument is moot.

Drive by attacks can occur on any server if it's been comprimised, there is even cases and document attacks of top tier sites who's suffered injection attacks into their pages (IBM, ZDNet and so on). Some malware scripts are so sophisticated that they will target not just one vulnerability but hundreds depending on OS, software and even security patches!

Remember most people buy a Mac because they don't want the 'complexity' of a PC, most users won't have any anti-malware protection like Microsoft systems usually do. So they are even less likely to detect something is wrong.

Faolan wrote in post #7561258
Apple spends a lot of time saying Microsoft Windows is insecure, you just have to look at the advertising they have done over the years such as Mac/PC adverts. This gives the user a false feeling of security in that they're system is hack proof. In fact you can see some of this attitude from a few people in this fora.

Do you work for some software security firm? Because it sounds like you're trying to sell something. The simple fact is, no one has hacked into a Mac without being able to physically touch it. You cannot say the same for Windows XP (and to a much lesser extent Vista). Anyone suggesting that this "test" (for Mac OS X or Windows 7) is a meaningful to 99.99999% of real-world use of a computer is yanking your chain.

5) Hacker has physical access to the computer.

Done.

The Hacker didn't have physical access, the sponsors did. The hacker sent them a crafted URL. Hence the term drive by payload. The infection allowed remote access and control of the Mac system. Full details haven't been posted, but that's what has been released.

Read the report I posted a while back if you want to learn more about Drive By payloads, it's an old method that's used even today. You can get hit by a payload without even clicking on a link through a Flash advert. The recent ZDNet attack was one such incident.

As to working for a InfoSec firm, no I don't.

Faolan wrote in post #7562304
The Hacker didn't have physical access, the sponsors did. The hacker sent them a crafted URL.

http://farm4.static.fl​ickr.com …421149_15b170fa​b1.jpg?v=0

Looks like pretty physical access if you ask me, direct adhoc connection computer to computer basically. Because that's realistic that I let everyone just attach a network cable to my laptop in public

My MacBook doesn't have enough connecting points to share one with a hacker.