
Shane Macaulay and Dino Dai Zovi, a software engineer and security researcher taking part in the brilliantly named "PWN to Own" Hack-a-Mac contest at the CanSecWest conference in Vancouver, managed to hack into and take control of a MacBook by finding a security exploit that takes advantage of an open Safari browser window. Shane and his teammate Dino won the prize of a brand new MacBook -- presumably loaded with Firefox or some other browser variant -- for managing to find the hole on the second and final day of the contest. The hack wasn't exactly a breeze, since the pair admitted to spending a total of 9 hours finding and exploiting the weakness. Apple has patched OS X four times over the last year to fix dozens of security issues, and only regurgitated the corporate line when asked for comment on this particular vulnerability. ("Apple takes security very seriously", well duh!) Even with the recent arousal of interest in Mac OS security, the world has yet to see any kind of exploit released into the wild world web; when / if one is, we'd probably expect the most damaging exploit to use good ol' social engineering rather than a complicated hack like this. Still, Mac users should take some form of satisfaction from knowing that the issue of Mac security is being investigated, rather than being taken for granted.
Reader Comments
Peter @ Apr 22nd 2007 4:49AM
You kind of failed to mention that because no one could hack it on the first day, they had to make it easier the second day by opening up some stuff on the computer to make it easier... and even then it took 9 hours.
BigD @ Apr 22nd 2007 8:14AM
The first day didn't allow any open apps? That makes a whole lot of sense for security testing.
Yeah because in the real world, people never open any applications. They just sit and stare at their oh-so-sexy Macs, pondering whether or not to actually do anything. Constantly and obsessively washing their hands, so that if they do decide to do something on their stiffy inducing consumer electronic device, they won't smudge it up.
jabber_wolf @ Apr 25th 2007 4:05PM
Yeah having a firewall that is not a MAC, is kinda not hacking a MAC.
So they actually let the MAC stand alone.
What this article failed to mention is that the contest required that they hack the Mac with an UNKNOWN exploit. Not one that is already known and hasn't been fixed yet.
Mactards are so funny!! ;)
Gaz @ Apr 22nd 2007 4:51AM
The headline will be giving Microsoft fanboys a stiffy.
But it's just nonsense, under the conditions they could probably have hacked any OS.
They shouldn't have given a prize to the winner, they should have slapped anybody who failed.
James Smith @ Apr 22nd 2007 9:14AM
Don't forget it gives Linux fanboys a stiffy too! I got one as soon as I read the article.
Marian @ Apr 22nd 2007 5:14AM
Vista would have failed in the first day (the real hack business - remote exploits, not the kiddie stuff to find vulnerabilities in browsers), probably within the first 30 minutes.
duke @ Apr 22nd 2007 5:58AM
given microsoft's attempt at security, let's give them some credit okay?
It's more likely under 1 hour.
Brian Kaempen @ Apr 22nd 2007 5:18AM
Ya I agree with those comments, the title should be "within 9 hours of making it easy to hack since it could've been done in the whole preceding day." Maybe that's just me though.
-Brian
John Doe @ Apr 22nd 2007 5:31AM
Good thing I don't use Safari, or IE for that matter. :-P
Wireless Buddy @ Apr 22nd 2007 10:01AM
What do you use? I use Opera and I love it!
Josh L. @ Apr 22nd 2007 6:10AM
^^^^^
Wow, sore losers...
Everything everywhere can be hacked always all the time. Okay, yeah, everyone agrees? good.
Mac still sucks regardless (OMG flamebait, ignore it)
BobTurbo @ Apr 22nd 2007 6:11AM
Wow, such a positive spin on this story Engadget. If it was about Vista it would go something like this:
Vista cracked in only 9 hours! Security researchers created exploit in their sleep it was so easy. This exploit, one of many for Windows over the years, continues to shine light on the horrible security of Windows Vista. It is obvious Microsoft does not take security seriously.
Christian Martin @ Apr 22nd 2007 3:16PM
What do you expect? It's a Conrad article. If it's about Apple, he's gushing and spinning to his heart's content no matter what the subject matter.
panik @ Apr 22nd 2007 6:12AM
Why would anyone want to hack Safari!!
Unless you wanted to alter someone's blog
Kizorblade @ Apr 22nd 2007 6:28AM
I think Peter said it all:
"You kind of failed to mention that because none could hack it on the first day, they had to make it easier the second day by opening up some stuff on the computer to make it easier... and even then it took 9 hours."
You REALLY need that in the post. Otherwise it's a little... Misleading to the masses.
BobTurbo @ Apr 22nd 2007 6:36AM
What other stuff? As far as I know all they did was make it so that clicking links was involved. That is pretty obvious because it is a Safari exploit.
Also it was already in the rules that the contest would get easier each day. It is pretty hard to break ANY fully patched operating system without any user intervention at all.
Cleverboy @ Apr 22nd 2007 7:14AM
I agree with Peter. I read this recap, and I'm thinking... wow, Engadget... a little honesty wouldn't hurt. Personally, I keep reading these write ups about the contest looking for 2 things. 1.) The small note that no one could hack the Mac with the original "normal user" setup. 2.) For God's sake, a description of what rules were actually relaxed. 3.) If you please, even the vaguest of descriptions of the hack, or even the level of access.
Engadget fails on all three. I didn't even think *anyone* would miss that first one. Imagine my surprise. The last "mac hack" I believe had the same deal. The hackers were given a user account that they were able to "promote" to "root", as opposed to being able to get in without such help.
YankInOz @ Apr 22nd 2007 7:18AM
Also failed to mention that the "hack" was of a Java routine that is outdated and no longer used. I love selective (cough cough) journalism. This "exploit" is easily found to work in Firefox, Camino and Safari. Don't be so smug - Foxheads. And "Josh L." obviously you have yet to use a Mac for anything of real importance. My company (and I do mean "my" company) uses only Macs and we are a full scale scientific research facility - soon to grow a tera-scale system in house. BUT alas, we do not do any gaming. So, that might leave you ou
tehpyro @ Apr 22nd 2007 7:45AM
Within 9 hours of the last day of competition... get your story right or don't report at all...
tehpyro @ Apr 22nd 2007 7:46AM
2nd last day *** I guess i gotta get my sh** in order too...
mrmckeb @ Apr 22nd 2007 8:09AM
The fanboys are angered.
michael @ Apr 22nd 2007 8:10AM
but this proves what's been always said, it's not that a mac is super secure, it's that no one cares about it enough to take the time, you sit down with it for a few hours and look at that...
Teh Gascan @ Apr 22nd 2007 12:51PM
I agree, it's the same for Windows. If I never opened any application but IE (including IE ActiveX plugins) I would never get viruses. But then again, the only reason I never get any viruses or spyware is because I'm CAREFUL on the internet. I use Firefox, TrendMicro, and Bitcomet and I haven't had a virus, spyware, or anything malware related since November, and that was removed in 5 seconds.
That last comment really changed my position in this argument.
Jeff @ Apr 22nd 2007 1:53PM
"If I never opened any application but IE I would never get viruses."
That's where you're wrong, and why this engadget post is so poorly written.
The fact is that there are many remote exploits (as in, exploits to your computer that require ZERO action on your part) for windows, while ZERO remote exploits for root access exist (yet) on OS X.
Requiring user interaction (not just "opening safari" but following a link, which engadget happened to either just not mention or fail to comprehend,) makes this a very unimpressive hack (still worth fixing, obviously)
the fact is that a windows computer can be compromised within an hour of just being on the internet, with or without you opening IE. nothing anywhere near that kind of exploit exists on OS X yet.
I'm all for security testing, and i firmly believe someone will get a remote exploit for the mac out in the wild eventually, and when it happens Apple will need to get off their tower and fix it immediately. That day just hasn't come yet, and people like Engadget need to try (at least a little) to publish ACCURATE articles: this one is not.
jonas @ Apr 22nd 2007 9:33AM
@Gaz (current #2) "But it's just nonsense, under the conditions they could probably have hacked any OS."
So you deem the conditions "you may open url:s in safari" not to be acceptable?
The funny thing is that almost all of the Windows hacks involve user intervention, and malicious websites are one of the most common ones. But I don't see most of the comments to those articles revolve around trashing OS X and defending Vista, as is the (opposite) here.
treetrunk @ Apr 22nd 2007 9:54AM
All those who are saying "but they made it easier", "it required this.." etc are missing the point. Virtually ALL "hacks", viruses, exploits etc involve some kind of user interaction. Most viruses spread via email requiring the user to download and run them, which sounds moronic but it clearly works!
An unattended system running nothing but the OS is obviously the hardest to compromise, as the possibilities of exploiting third-party applications or indeed the user of the system are removed. This is not to say they're impossible - flaws in the OS or in drivers do exist, but are usually harder to find than in other applications as OSs tend to be more rigorously tested. However, if you intend to actually use your computer for anything, this is not a realistic scenario, and as soon as other applications and/or user intervention are brought into the equation the potential for exploits is much larger.
Compromising a system in only a few hours using one of its most commonly used and shipped-with applications is of course an issue.
Jeff @ Apr 22nd 2007 2:01PM
you have a valid point, but the complaint here is that engadget should be giving us a decent summation of what happened, not just selective crap that leaves out so much relevant information.
That engadget chose to not mention that the exploit requires user action, or that it only gave normal user privs (and not root), or that there was a $10,000 prize that was NOT claimed, etc. are valid complaints. If this article were the only article i read about the event, i'd have a very misled and uninformed view of the event: but i should be able to COUNT on engadget to at least be clear and accurate. (hopefully)
at the very least, saying "a security exploit that takes advantage of an open Safari browser window" is (either just showing that the author is writing about something over his head, or is) intentionally misleading. If all the exploit needed was an open safari window, but otherwise was a remote exploit, that would be a much bigger deal. Engadget choosing not to mention that the exploit requires user action, well that's irresponsible reporting.
(So, security issues ARE important, the complaint is just the bad reporting from engadget.)
ssuk @ Apr 22nd 2007 10:05AM
You all seem to think because Engadget missed out a few trivial details they're MS fanboys (I mean, there's no other OS manufacturers out there, right?). If you actually READ the article, you'll notice that while it does say your precious white computer CAN be exploited they came away with the resolution that Apple are looking into any security threats, even though Macs are hardly the centre of ANY security debates/criticism. Which I find admirable, MS wouldn't look into anything without first receiving half a million complaints and then it'd take them half a year to fix it.
Now go sit in your corner reassuring yourself your mac won't ever be hacked one day... Even though... It probably won't be.
Rick (the original Rick) @ Apr 22nd 2007 10:10AM
who even uses Safari? Lousy little browser, Firefox is where it's at.
Tarnished Halo @ Apr 22nd 2007 11:18AM
The hack uses a bug in Java, so it will affect any web browser using Java on the Mac. So the line about having Firefox installed is complete toss. Please Engadget, do your research first. This is something a good journalist would have picked up... Oh sorry, you're just bloggers.
imajoebob @ Apr 22nd 2007 11:57AM
Let's take it easy on Engadget; the source for this piece is c|net, which "sponsored" the contest and put up the prize money. First, anyone who's ever read c|net knows that it's owned (well "pwned") by Microsoft's advertising department. Second, they did change the rules when no one could hack it the first day. At the least, this means it took 16 to 20 hours (and a big cheat) to hack it. Third, the software wasn't up to date. The last security update wasn't done. Fourth, the "hack" was performed on the user's computer (I'm not sure if I can "hack" my own computer). Fifth, the computers were running with the default minimum security (other than none) that comes preset on OS X. Finally, even with all these factors, the only thing that was "hacked" was the computer, not the OS.
So all c|net proved, other than what whores they are for Microsoft, was that leaving your computer unattended without a screensaver and user password is a dumb thing to do. And c|net (supposedly) is willing to pay 10 Grand for that stunning development (though it hasn't been confirmed they're willing to pay yet)?
It just doesn't get much sleazier.
catachip @ Apr 22nd 2007 12:05PM
After two Apple MacBook Pros survived the first day of CanSecWest's 'PWN to OWN' contest, they lowered the barriers as planned since "there has not been a successful attack." Both MacBook Pros were connected to a wireless router and with all security updates installed, but without additional security software or settings. The contest's second-day relaxed rules allowed attackers to place exploit code online and launch drive-by exploits on the Mac's built-in Safari browser.
Marian @ Apr 22nd 2007 5:34PM
Really? Well, look again!
You can become a Windows spam machine or something like that without opening any applications!!!
That's because it's so simple to crack wide open the services that are already running on your windows machine!
Teh Gascan @ Apr 22nd 2007 9:02PM
What services run in Windows that can be exploited w/o any recognition/contact on the internet? Aside from Windows Update, nothing else contacts the internet w/o your consent or somehow being installed.
Besides, if somehow it were to get on my machine, Trend Micro would immediately recognize it as mass email and prevent anything from being sent. I know, because the virus I got in November was that EXACT type of trojan.
echeck @ Apr 22nd 2007 12:55PM
Wow, so much hate towards Engadget.
Of course you can hack in to OS X, anyone who has the brains and patience can hack in to any OS.
What's really funny to me is that there are always these "Hack a Mac" contests with prizes given out to the winners, etc...
How many "Hack Windows" contests are there? None, because it's not a challenge.
I'm still so much more secure running OS X than I am any worthless Windows sorry-excuse-for-an-OS. In two years of owning my PowerMac G5 I haven't had a SINGLE problem with viruses, spyware or any sort of hacking. Oh, and I don't even have the built-in firewall enabled, nor have I bothered to secure my wireless network.
gb @ Apr 22nd 2007 1:36PM
The most amazing thing is that this article seems to have an equal amount of "Engadget are MS whores!" and "Engadget are totally Apple fanboys!" responses. In light of that, it would seem that engadget isn't the one being biased here. Rather, people are reading it the way they want to read it. Everyone loves supporting the underdog. Which, in this case, is one of two multi-billion dollar corporations. So they really need people to stick up for them.
Jesse @ Apr 22nd 2007 1:44PM
It would be better if they had a contest where they are asked to make Safari a good browser instead. As if there is any incentive beyond a contest to hack Safari
Jeff @ Apr 22nd 2007 1:45PM
I'm starting to believe that engadget is TRYING to write misleading/inaccurate articles about Apple... just for the hits they'll get from people coming here to correct them.
what a bunch of crap.
"that takes advantage of an open Safari browser window." ? look, the CRUX of the entire thing is that THERE IS NO REMOTE EXPLOIT. - even when there is $10K on the line. Taking advantage of an open window? bullshit. were you not paying attention at all? it takes advantage of Safari, but requires manual user interaction, which is a completely different monster than a remote exploit. (i'm sure you were paying attention, and that the vagueness was no accident.)
Not only that but they were only able to get normal user access. Granted, i'd rather them get NO access: i'd love an OS that was completely impermeable, but that's just not the case.
But all you windows fanboys, and linux fanboys, and engadget do-anything-for-a-few-page-impressions jerkoffs, let me know when there is even a SINGLE remote exploit that gives root access. even a single one in the wild would actually be news.
what i really like is how you mention they "won the prize", but not that it was basically a consolation prize because no one could win the $10,000. good job.
this article is just sensational, misleading, selective crap.
treetrunk @ Apr 22nd 2007 2:55PM
I agree with your point that the journalism isn't perfect (I would similarly take issue with the implication that 9 hours was a long time), however I don't think that's the point most people are going for. Comments like "they had to make it easier" suggest that this "doesn't count" because it required another application or user interaction, which is absurd as almost ALL exploits do.
As for
"The fact is that there are many remote exploits for windows, while ZERO remote exploits for root access exist (yet) on OS X."
Perhaps, if you care to add the "root" quantifier, equivalent to Administrator account (as in the safe-mode "Administrator" account which can take ownership of all users' files, not a normal user set as "an administrator" which can only access their own or shared files) in XP. To be honest I don't know what remote exploits exist in either OS, let alone if any of these would give root/administrator access. However, I don't think it's really relevant as (A) you don't need root/administrator access to delete a user's files and (B) exploits of this sort tend to be few and far between, and are usually patched very quickly when they do emerge on either platform.
JoeBob @ Apr 22nd 2007 3:19PM
Hey, hey hey! It's not a bad report by Engadget (and I'm a low-level, i.e. pragmatic, fanboy). The problem is that no "journalistic" source reported it besides c|net. And they didn't mention much about their sponsorship, the rules, or their vested interest in claiming a hack.
So Engadget did a decent job of telling us about a report, though I think it deserved a mention that it was from c|net. Remember, Engadget is just about collecting and disseminating info about tech gadgets on the 'net. The primary source appears to be press releases and reports from news sites. The one real difference here is that they didn't realize this was a c|net press release masquerading as news.
So my one suggestion is better attribution/clarity in your source links.
taylor @ Apr 22nd 2007 4:02PM
Vista also had a similar hacking event where in the end they had to give the hackers an administrative console to be able to hack it.
finally mac fanboys feel the hurt!!!
Although i will give the mac fanboys credit for not taking over the post with windows trash talk like they normally do.
imajoebob @ Apr 22nd 2007 5:38PM
Too bad we fanboys (even low-level fanboys) can't say the same for you.
taylor @ Apr 23rd 2007 12:30AM
imajoebob, I did not say anything bad about macs, I was just saying vista had a similar thing happen where they could not hack it so they had to have an admin console open to hack it. I'm not being sarcastic, i meant what I said about the mac boys taking over any given windows post on engadget with trash talk, both systems have their downfalls, macs are not bullet proof.
JoeBob @ Apr 23rd 2007 12:36PM
"Although i will give the mac fanboys credit for not taking over the post with windows trash talk like they normally do" isn't trashing Mac fans? A "backhanded compliment" is a negative. It's called passive-aggressive behaviour. All you had to say was something like, "I'm glad the usual trash talk didn't take over the post." But you needed to trash talk Mac fans.
But it's not your fault. Most Windows users have a problem compensating for their feeling of inadequacy. (See? That's passive-aggressive trash talk.)
HG @ Apr 22nd 2007 5:39PM
Speaking of regurgitation. Engadget's not tired of dishing up the stale regurgitation of the FUD kind.
Juaquin @ Apr 22nd 2007 6:01PM
Every OS is going to be hacked. Everyone should get over their little security pretentiousness and realize that if a human built it, a human can exploit it. The best security is to just not leave it on for 9 hours; if you don't give them time to hack, they can't. Simple enough. All firewalls and security suites do is increase the complexity (and therefore time) of hacking so as to make it less worthwhile to bother.
Subaru_Nation555 @ Apr 22nd 2007 10:04PM
I don't know about anyone else, but FireFox takes too long to open on both my Macs. I prefer Camino with Safari as a backup.
Kizorblade @ Apr 23rd 2007 5:55AM
Oi, John. Shut up. 10.4.9 is good, hell, 10.4.8 was also good. Even the ones before that were also good. If they are patching something, then good! They should. But that doesn't necessarily mean that a large amount of people actually get hacked or anything.
Microsoft XP and Vista for example, has LOADS of virus' floating around the internetto infect them. But that doesn't mean that all of them actually infect users and piss them off. But Microsoft may patch them anyway (I say may because I have no idea about what the patches actually fix) even though it doesn't annoy anyone.
Kizorblade @ Apr 23rd 2007 5:57AM
Internet to*
My bad. Just woke up =)
Josh @ Apr 23rd 2007 8:16AM
So just out of curiosity, how many of the people speaking up have ever gained remote root on any machine? Have the vaguest idea how to go about it, what any of the exploits actually entail, what actually goes on internally at a company to ensure secure code?
I'm guessing at best 5% of you, and likely not the 5% talking about how vulnerable Windows and OS X machines are. Please try to shut the fuck up for once rather than professing your ignorance to the masses while blindly taking one side or another in a pointless argument (Hey, guess what, just because you are a blind zealot and announce it on a gadget blog comment thread doesn't mean your actions will in any way validate your utterly close minded and blind opinion of the world).
I find the details of the competition dubious, but having heard Dino present a couple times he comes across as being very competent. From this I can conclude that the multiple remote root exploits found last November (which was not a good month for Apple, something like 35 critical security vulnerabilities discovered in the wild) followed by the reasonably recent MoAB were patched and Apple did a good job tracking down similar attack vectors, otherwise this competition would have been over in a trivial amount of time.
There are critical exploits that ship in every non-trivial piece of software; the last figure I heard on shipping guaranteed bug free code was $25k per line of code, and that was in the mid 90s. Despite popular opinion otherwise, MS isn't even the worst about this, not by a long shot anymore, and exploits are found just as easily in Apple products if you actually care to look at the numbers reported by security research firms. The real question is how a company responds once flaws are found. I have some issue with Apple sitting on bugs longer so they can roll out ginormous security patches quarterly rather than fixing things on a monthly basis, but regardless it is heartening to see that they seem up to date at the moment.
Of course the real question is how effective they are at deploying their patches. Windows update is trivial, yet millions of people manage to avoid it, resulting in millions of people at risk (random fact, the majority of windows malware is made by hunting down bugs via reverse engineering EXISTING patches). I'm curious how effective Apple has been at avoiding the same quagmire of user ineptitude, especially since they go out of their way to sway the more inexperienced users.