Mac Hacked - Both Sides Miss the Point

One of two MacBooks was hacked at the CanSecWest conference in Vancouver, Canada. Both MacBooks were part of the “hack-a-Mac” contest at the show; a successful hacker got to keep the MacBook. The MacBooks were set up with OS X and all the latest security updates (including 2007-004) but no additional security software or special settings.

One of the Macs was hacked on the second day, which made headlines (in the types of publications that care about such things). The headlines tended to be slanted in one of two directions. Some emphasized that Mac security was breached and equated it to the worst Windows vulnerabilities; they left out the details. On the other side, the articles were slanted towards the fact that the breach only occurred after the rules were relaxed and that the breach didn’t get root access. This was true and more detailed than the sensational headlines in the first category, but they tended to imply the breach was meaningless.

The facts are:

  • The Mac was breached when it visited a malicious website.
  • The vulnerability is in Quicktime. (Initial reports that it was a vulnerability in Safari were wrong.)
  • Both Firefox and Safari could be used to deliver the exploit.
  • Windows is also considered vulnerable (if it has Quicktime installed).
  • The vulnerability was found by a security researcher, and the exploit was actually delivered by a friend of his. The friend is keeping the MacBook; the researcher is applying for the $10,000 bounty offered by TippingPoint.
  • A second Mac, which required a hacker to get root/administrator level access and which did not surf the web, was not breached.

What does this all mean, if anything?

Starting at the top, it was necessary to visit a website to be breached. The OS used doesn’t affect whether or not a person visits a website, so social engineering is universally available against every OS with a web browser. (I’ll avoid the path which talks about which OS has “smarter” users.) The best that can be said is that since there are more Windows users, they’re more likely to be affected if the vulnerability is OS specific. But do exploits have to be OS specific?

The vulnerability was in Quicktime, which is essentially a third party app. I don’t say this to claim OS X wasn’t hacked. Apple created Quicktime and delivers it with every new Mac; Apple is responsible for it and for updating it. But Quicktime is essentially a 3rd party app that happens to be made by the same company as the OS, so it’s bundled. The vulnerability is also thought to exist in the Windows version (for obvious reasons the exact details of the vulnerability aren’t public). The Macromedia (now Adobe) Flash Player is another 3rd party web-helper app that has had vulnerabilities in the past. OS vendors can’t prevent vulnerabilities in 3rd party apps; the most they can do is mitigate their effect.

Both Firefox and Safari could be used to run the exploit. This isn’t surprising since the vulnerability was in Quicktime. But it does mean any modern browser could probably be used.

Windows, with Quicktime, is also vulnerable (or it’s thought to be). By exploiting a vulnerability in a third party app it’s possible to exploit multiple OSes. The greatest number of PCs are still Windows, so the payload delivered by the exploit might be Windows only if the hacker is lazy or just wants the biggest bang. But it’s not difficult to determine the OS used, so it would be trivial to deliver an OS specific payload for various OSes through the same exploit. It’s just a matter of writing each one.

The exploit was found as part of a contest with a prize of a MacBook and was submitted for a $10K prize. Years ago it might have been enough to be able to claim bragging rights. Now money is a prime motivator. Money motivates hacking for both good (bounties, paychecks) and for bad (selling spam distribution, stealing passwords). An OS will be targeted when the financial rewards justify the effort.

Root level access was not obtained, “only” user level access. While this may be the best a current OS can do when a 3rd party app is hacked, it still does not mean we aren’t at risk. Programs installed into the user’s folders do not require a password to install and run. As Windows PCs become more secure, hackers may have to learn to live with user-level hacks in the Windows world. Since that world is so large, there’s a bigger financial reward for success. Once the lessons are learned there, they will be trivial (low cost) to transfer to the OS X world. So while OS X may have a smaller user base (and therefore a smaller reward), the cost to hack OS X will also drop. Most of what hackers want is available through user level access; it’s just easier when you can own the machine as an administrator. User level access means you need to be signed on (unless they find a way around that), but many PCs and Macs use auto logon, and most PCs stay logged on whenever they are turned on.

Of course, the old unavoidable hacks persist, as evidenced by the recent animated cursor exploit, for which we were defenseless for a while and which could be exploited without us having to click anything (although receiving an email or going to a website was still required). But their numbers are decreasing.

I wouldn’t be surprised to learn that a PC installed with Vista (latest patches, no additional software or settings) would be as secure as OS X. But what will bite Microsoft is that they don’t control the installations; the resellers do. Since tight security means more support calls (which go to the vendor, not to Microsoft), I wouldn’t be surprised to learn that what’s actually shipping is not as secure as it should be.

The best protection Mac users have is that there’s an extremely large population of vulnerable Windows machines out there and exploiting them is easy. In Windows XP Service Pack 2 Microsoft turned on the firewall by default. This made it much harder to just scan the internet looking for open ports to exploit and deliver a payload. This brought a drop in the spread of viruses through that method but an increase in other methods such as email and malicious websites. These are methods which require a user to take action (again, with some exceptions when a vulnerability can be exploited to bypass user action). With the firewall change the hackers changed their tactics to other profitable methods. I won’t be surprised to learn that web based attacks are becoming more sophisticated and will use cross-platform applications to exploit multiple OSes. And as more applications work cross platform, we’ll probably see more multiple-OS-aware attacks delivered through their data files.

The good news is that Mac OS X has good security and Microsoft Windows is getting more secure as Microsoft learns its lessons. We humans are now being targeted as the weak link, but we do have control over where we browse and what email we open. The bad news is that there are still software vulnerabilities, so even the most careful of us are still at risk, although at less risk than before.

The point isn’t which is more secure, OS X or Linux. The point is whether or not your computing habits and the software you use are secure. If they aren’t secure, then no matter which OS you use, it’s only a matter of time before you have problems.

News.com has a good story about the hack that emphasizes the details instead of the hype.
