A New View on Mac Security
Two weeks ago, the CanSecWest computer-security conference staged a simple contest for would-be hackers: Be the first to break into any one of three up-to-date laptops--one running Ubuntu Linux 7.10, one running Windows Vista Ultimate, one running Mac OS X 10.5.2--by exploiting a new software vulnerability, and you can take home the computer, plus a hefty cash prize.
On the first day of this "Pwn to Own" contest in Vancouver, during which contestants could only use remote exploits (those involving no action by the target computer's user), all three machines held up.
(In case you were wondering, "pwn" rhymes with "own" and is computing shorthand for "gain unauthorized control of.")
On day two, attackers could stage attacks requiring some action by the user--"following a link through email, vendor supplied IM client or visiting a malicious website," as the contest rules explained. This time around, the Mac laptop got taken down:
Congratulations to our first winner of the CanSecWest PWN to OWN contest! At 12:38pm local time, the team of Charlie Miller, Jake Honoroff, and Mark Daniel from Independent Security Evaluators have successfully compromised the Apple MacBook Air, winning the laptop and $10,000 from TippingPoint's Zero Day Initiative. They were able to exploit a brand new 0day vulnerability in Apple's Safari web browser.
The Ubuntu laptop survived all three days of attacks.
As it should, this test has spurred a great deal of discussion among Mac security experts (see, for instance, this recap in the TidBITS newsletter).
It's not that a Vista PC is suddenly the "safe" choice over a Mac. In the real world, there are tens of thousands of dangerous viruses in the wild targeting Windows, against just about none on a Mac. A Mac also remains more resistant to viruses and trojans--i.e., malware that requires the user to run a program after it arrives on the machine--because of the need to type an administrator password before a program will make major system-level changes on a Mac. But the CanSecWest demo shows that a Mac may be even more susceptible to drive-by downloads than a Windows Vista computer.
"Browser hijackings" are among the most dangerous attacks around, because they require so little effort on the part of the victim. You just need to convince somebody to follow a link in their Web browser--something we all do all the time, usually with little forethought. It's been a huge problem on Windows for years, especially for people still running older versions of Internet Explorer.
Remember, the Mac laptop in this contest was completely patched, with every Apple security fix available at the time of the contest. Its firewall was in the ill-chosen default setting of "off," but Miller e-mailed me yesterday to say that an active firewall would not have stopped him from taking control of the computer--he already had the ability to run his own commands on the machine after breaking in through Safari.
Apparently, the Safari vulnerability exploited by Miller and his colleagues at Baltimore-based Independent Security Evaluators has already been fixed in test versions of Safari.* But Apple needs to step up its efforts--not least because vulnerabilities in Safari and QuickTime can bite Windows users as well as Mac owners, which is no way to draw PC owners into the Mac fold. The hardened defenses in the latest update to QuickTime, which try to limit the exposure of this common multimedia plug-in to entire types of attack, are the right idea.
If you use a Mac, you're going to want to be careful about going to strange Web sites. But you're going to want to do that if you run any operating system. You should be especially leery of links that show up in junk messages of any kind--e-mail, IM or comment spam. The Internet is just like the real world; there are some rough neighborhoods out there.
* Miller wrote in Tuesday afternoon to say that the shipping version of Safari still includes the vulnerability he exploited.