More News Out Showcasing Mac Security Issues

by Paul Ellis

We took a lot of flak over a post back in January that questioned the security of Apple’s Mac OS X. TechConsumer readers left various comments ranging from “For some reason unknown to me, no one can ever show me a situation where a user opens an e-mail and their Mac turns into a robot sending out hundreds of e-mails” to “Mac OS X *is* inherently safer. You have to be a major league Windows zombie not to know and accept that.”

Well, CanSecWest’s PWN 2 OWN contest has just shown that Mac OS X isn’t “inherently safer” and that clearly it is possible for a user to open an e-mail on a Mac and have it join a spam botnet.

For those not familiar with CanSecWest or its PWN 2 OWN contest, here is the scoop. CanSecWest bills itself as “the world’s most advanced conference focusing on applied digital security.” For the last few years, it has run a contest during the conference to see which operating system is the most vulnerable: Windows Vista, Mac OS X, or Ubuntu Linux.

If you can hack the laptop running the OS (that is, run arbitrary code on it), you get to keep the laptop and a $10,000 cash prize. It is important to note that the “hacker” does not get physical access to the machine, and the laptops are in their default configuration. If you want more details, please check out this link.

For the second year in a row the Mac was the first to fall, and Charlie Miller is now the proud owner of a MacBook Air running Mac OS X 10.5.2. Charlie is best known as the researcher who first hacked Apple’s iPhone. It may be rude to say, but it is kind of vindicating for us: clearly we weren’t out on a limb when it came to Mac security. Within two minutes of the start, he directed the contest organizers to a certain website that executed his exploit.

Although the winner cannot publicly disclose details of the vulnerability, it is safe to assume the problem is in Safari. This comes after PayPal started recommending that its users ditch Safari due to security issues. And for the icing on the cake, Apple has started to use some underhanded methods to trick fool scam swindle con hustle sucker encourage iTunes/QuickTime users to install its underdog browser.

What can the nay-sayers say now?

  1. Gary says:

    What to say? That’s easy.

    Wrong.

    As the story comes out, Miller and a team of people (unspecified number) spent a week cooking this up in advance, creating a special website for the purpose. All they did at the contest was simply give a URL to the user at the client computer, who went to the page to execute the exploit. Gee.

    It took a week to break in. It took two minutes to execute a pre-prepared hack. How long does it take for any computer to get hacked when the hack is already done and set, and all the client machine has to do is spring the trap?

    Two minutes? Makes for a cute headline and food for commentary.

    Could any one of the participants also have prepared something in advance against any of the three OSes? Yes. Did they? Who knows.

    The two-minute figure would have been equally fallacious applied to Windows or Linux.

    In prior years’ contests, there was no advance time given. The problem was “how long would it take to break into computer OS 1, 2 or 3?”

    I set two computers in front of you and say “go.” How long will it take for you to break into computer B from computer A?

    In this case, it took a week.

    “I spend a week setting up a deer stand, after examining the terrain, the habits of the local herd and baiting the area that gives me the best shot.” “I use all my deer hunting training, background and skills to position and equip the stand so I get the best shot.” “The deer walk into the open; two minutes later, getting the best angle on the prize buck, I pull the trigger.”

    Boy oh boy! It only took 2 minutes to bag that 12 point buck!

    Bullshit.

    This whole thing is not about computer security, it’s about attention and about making Windows users and IT folks feel better.

    That’s just what this contest is about: it gives an opportunity for Windows users that deal with thousands of viruses and spyware daily to guffaw that the Mac is no better, when there are still only a handful of Mac exploits. This has not one thing to do with security. It has to do with press, attention getting and the IT folks who need to justify their jobs.

  2. Paul Ellis says:

    The bottom line is this: the Mac was broken into in 2 minutes, and the security vulnerability was in an Apple piece of software (Safari). The Windows Vista machine took until the next day (and I read all sorts of reports about pre-planned attacks against Vista), and the vulnerability wasn’t even in Vista, it was in Adobe’s Flash Player. One of the hackers was quoted saying how he was really surprised at how hard Vista was to get into after SP1 came out (which the CanSecWest laptop had installed). Lastly, Linux wasn’t broken at all.

    I may accept that people weren’t targeting Linux much, but you can guarantee that people were targeting Vista.

    Finally, it is a fact that this is the second year in a row that the Mac fell first. Clearly it isn’t magically “inherently secure” like commenters to the previous post had said. It just hasn’t been targeted by organized crime. If they did target it though, it clearly could fall.

    If you disagree with any of these facts, then you are nothing more than an apologist, because these statements are factually true. They aren’t just my opinion.
