We took a lot of flak over a post back in January that questioned the security of Apple’s Mac OS X. TechConsumers left various comments ranging from “For some reason unknown to me, no one can ever show me a situation where a user opens an e-mail and their Mac turns into a robot sending out hundreds of e-mails” to “Mac OS X *is* inherently safer. You have to be a major league Windows zombie not to know and accept that.”
Well, CanSecWest’s PWN 2 OWN contest has just shown that Mac OS X isn’t “inherently safer” and that clearly it is possible for a user to open an e-mail on a Mac and have it join a spam botnet.
For those not familiar with CanSecWest or their PWN 2 OWN contest, here is the scoop. CanSecWest is “the world’s most advanced conference focusing on applied digital security.” And for the last few years, they have been running a contest during the conference to see which operating system is the most vulnerable: Windows Vista, Mac OS X, or Ubuntu Linux.
If you can hack the laptop running the OS (that is, run arbitrary code on it), you get to keep the laptop and a $10,000 cash prize. It is important to note that the “hacker” does not get physical access to the machine, and the laptops are in their default configuration. If you want more details please check out this link.
For the second year in a row the Mac was the first to fall, and Charlie Miller is now the proud owner of a MacBook Air with Mac OS X 10.5.2. Charlie is best known for being the researcher who first hacked Apple’s iPhone. It may be rude to say, but it is kind of vindicating for us that clearly we weren’t out on a limb when it came to Mac security. Within two minutes of the start, he directed the contest organizers to a certain website that executed his exploit.
Although the winner cannot publicly disclose details of the vulnerability, it is safe to assume the problem is in Safari. This comes after Paypal started recommending to their users that they ditch Safari due to security issues. And for the icing on the cake, Apple has started to use some under-handed methods to trick fool scam swindle con hustle sucker encourage iTunes/Quicktime users to install their underdog browser.