Mac OS X Top Target in Browser Beatdown

Legendary bank robber Willie Sutton was made famous for allegedly explaining why he robbed banks with the answer: "Because that's where the money is." So why do cyber crooks attack Web browsers? Because that's where the user is.

But maybe a more accurate answer is: "Because that's where the vulnerabilities are." At least, that was the answer given by a 25-year-old German computer science student known only as "Nils," who last week proudly showcased three brand new exploits for remotely hijacking the most popular Web browsers, including Firefox, Safari and the last beta release of Microsoft's Internet Explorer 8.

Nils was competing in the "Pwn2Own" contest at the CanSecWest security conference in Vancouver. That contest, sponsored by 3Com's TippingPoint, awarded contestants $5,000 per browser bug. The first person to crack any of the browsers was allowed to keep the laptop it was running on (TippingPoint purchases information about unpatched security flaws but alerts the affected vendor and keeps the bug under wraps until the vendor has a chance to patch the vulnerability).

"Browser security is hard to get right, because you have a lot of technology in these programs which is exposed to the Internet, and when it's exposed to the Internet it's also exposed to hackers," Nils said. "When you have the large code bases that these programs have, it's very hard to get these things right, and I think I was able to show that none of the current browsers are really secure."

Nils won $5,000 and a Sony Vaio netbook for his IE8 vulnerability (which Microsoft fixed the very next day in its release of the first non-beta version of IE8) plus another $5,000 each for the Firefox and Safari bugs.

Nils, a student at Germany's University of Oldenburg, said he opted not to divulge his full name because he didn't want to be pestered by less-than-scrupulous individuals who try to purchase information about unpatched vulnerabilities for criminal purposes.

"Most of the people interested in buying vulnerabilities aren't the kind of people I want to talk to, because there are some really shady people out there looking for this information who are using it for illegal purposes," Nils said. "So, while it is probably true what people have been saying -- that I could have probably made a lot more money selling these bugs on the open market -- I think $15,000 is a nice amount of money."

Both the Firefox and Safari vulnerabilities he demonstrated were exploited on a Mac OS X system. The German hacker said the latest versions of both Firefox and IE take full advantage of features built into Windows Vista that make those browsers far more difficult to exploit reliably than their counterparts on the current version of OS X. Those features, "data execution prevention" (DEP) and "address space layout randomization" (ASLR), don't appear to be properly implemented between OS X and the versions of Safari and Firefox built for that operating system, Nils said.

"It's quite easy to write an exploit for Firefox on OS X compared to Firefox on Vista," he said.

Attackers usually craft exploits so that they write data or code to very specific, static locations in the operating system's memory, but ASLR counters that approach by randomly rearranging those locations so they cannot be predicted in advance. DEP makes it so that even if the attacker succeeds in guessing the memory location they're seeking, the code placed there will not execute.
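The two mitigations as an added C example (not code from the article or from the contestants): it assumes Linux or macOS on an x86 or arm64 CPU, and the page it tests is a constructed read/write-only mapping holding a single "return" instruction.

```c
// Added example (not from the article): the two mitigations in C, for Linux
// or macOS on x86/arm64. ASLR: run the binary twice and the printed stack,
// code and libc addresses move. DEP: map a read/write-only page, put a bare
// "return" instruction in it and call it; a DEP system faults before it runs.
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
static sigjmp_buf dep_jmp;
static void on_fault(int sig) { (void)sig; siglongjmp(dep_jmp, 1); }

// 1 = CPU refused to execute the page (DEP on), 0 = stub ran (no DEP), -1 = setup failed
int dep_blocks_nonexec_page(void) {
#if defined(__x86_64__) || defined(__i386__)
    static const unsigned char ret_stub[] = { 0xC3 };                   /* ret */
#elif defined(__aarch64__)
    static const unsigned char ret_stub[] = { 0xC0, 0x03, 0x5F, 0xD6 }; /* ret */
#else
    return -1; /* unknown CPU: no stub available */
#endif
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    void *page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,   /* no PROT_EXEC */
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    memcpy(page, ret_stub, sizeof ret_stub);  /* writable, so the bytes land fine */
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigaction(SIGSEGV, &sa, &old_segv);   /* Linux reports the fault as SIGSEGV */
    sigaction(SIGBUS, &sa, &old_bus);     /* macOS reports it as SIGBUS */
    volatile int blocked = 1;
    if (sigsetjmp(dep_jmp, 1) == 0) {
        ((void (*)(void))page)();  /* jump into the page; faults under DEP */
        blocked = 0;               /* only reached if the page executed */
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(page, pagesz);
    return blocked;
}

int main(void) {   /* run twice: with ASLR the three addresses change */
    int on_stack = 0;
    printf("stack %p code %p libc %p\n", (void *)&on_stack, (void *)main, (void *)printf);
    printf("DEP blocked non-executable page: %d\n", dep_blocks_nonexec_page());
    return 0;
}
```

On a system without DEP the stub simply returns and the function reports 0, which is the condition Nils and Miller describe exploiting on OS X.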

While few cyber crooks are attacking Mac users through Safari and Firefox at the moment, that may change soon if a large number of Windows users migrate to Windows 7, the successor to Windows Vista, due to be released sometime later this year.

"It's getting pretty hard to do a lot of this stuff on Windows Vista and Windows 7," Nils said. "Especially when a lot of people who stayed with [Windows XP] switch to Windows 7 because they didn't want Vista, the bad guys may start to figure out they can more easily exploit these bugs more reliably on a Mac."

Charlie Miller, an analyst with Baltimore-based Independent Security Evaluators, also won a MacBook and $5,000 for developing an exploit for a previously unknown critical flaw in Safari on Mac OS X.

"Mac OS X has some ASLR but not much, and there is no DEP in OS X," Miller said. "My exploit relied on exploit code being in a certain spot, and that it would [execute], and in Vista neither of those things would have happened."

Interestingly, none of the contestants managed to find a remotely exploitable vulnerability in Google's Chrome, the other remaining browser targeted in the Pwn2Own contest.

By Brian Krebs  |  March 24, 2009; 9:00 PM ET
Categories: From the Bunker, Safety Tips


ahem... where are all Apple clones and Google bashers?

Posted by: SoCalSnowback | March 24, 2009 10:24 PM

I like Chrome.
Did anyone really try?
Maybe the hackers like to hack stuff that pays.

Posted by: shrink2 | March 24, 2009 10:34 PM

I hope Chrome comes out soon for OSX. I very much enjoy WebKit, which is why I use Safari. I don't care about the addons, I just want a damn browser that's snappy. Safari does the job. However, Chrome has a much better security model than Safari but is based on WebKit. So I can still have my WebKit but with better security. I think once Chrome is released for OSX, it will become my main browser.

Did they get 'root' when Safari got exploited?

Posted by: StillLoveWebkit | March 24, 2009 11:39 PM

Is Apple fixing this? It will be tragic to see OS X turn into a hacker heaven.

Posted by: sayNo2MS | March 25, 2009 7:46 AM

Can OS X be patched to include full ASLR and DEP? Or will we have to install a completely new version of OS X?

I love my Mac, but I wouldn't put it past Apple to require buying a new OS 10.6 to get these 2 features. This would likely require buying a new Mac if you own an older one that won't accept OS 10.5 (such as my 667 MHz Titanium Powerbook; OS 10.5 requires a faster chip).

If this happens, I'll keep my old Powerbook for limited use. Instead of springing at least $1000 for a Mac Book, or $2000 for a Mac Book Pro, I'll buy a $300 Windows PC and run Linux (probably Ubuntu).

Posted by: Garak | March 25, 2009 8:10 AM

With 90% of computers still using Windows - hackers will continue to focus their time on PCs instead of Macs. Just like it takes the same amount of time to sell a car as it does a yacht - PC hacking is a better investment of the crooks' time - better returns on the same amount of work.

Posted by: harry12 | March 25, 2009 8:40 AM

Awesome stuff. I use Chrome, I hate Macs. Excellent article!

Posted by: soloman5000 | March 25, 2009 9:31 AM

Apple users should not be using their 'Administrator' account as their primary user account. Working under a 'Standard' user account can go a long way in preventing these sorts of exploits. I find it easy to operate OS X under a 'Standard' user account; it's not an exercise in frustration like it can be trying to work under a 'Limited' user account in Windows XP.

Posted by: carter1932 | March 25, 2009 9:33 AM

" it's not an exercise in frustration like it can be trying to work under a 'Limited' user account in Windows XP."

That's just user error.

Posted by: soloman5000 | March 25, 2009 9:40 AM

Duh, the only thing a 'Limited' user account in Windows XP cannot do is install software. My wife and I are doing just fine without Admin rights, thank you.

Posted by: MSchafer | March 25, 2009 9:44 AM

Mr. Mengelewasaboyscout (telling choice for an online name, eh?) can't seem to focus on the issue at hand. Certainly, browsers should be written so that reciprocation in code integration is reviewed. Hopefully, OS X can be brought into conformity security-wise, and quickly. This isn't a political debate.

Posted by: bikebro | March 25, 2009 10:22 AM

I infer that these exploits don't work under OSX user accounts, only admin accounts?

Posted by: raschumacher | March 25, 2009 11:01 AM

Is it just me or does ASLR seem like a band-aid for a bigger problem? Why should any data in the browser have the ability to write to a specific memory address? Shouldn't browsers be running in a "sandbox" environment as well?

Posted by: jim_maryland | March 25, 2009 3:30 PM

Given how dependent we've all become on computers, I'm puzzled why more effort isn't expended to discourage hackers from plying their trade, which is disruptive, damaging, even dangerous. Would we hold a contest and give a free laptop to someone who came up with, say, the cleverest way to poison people? When is our society going to devote energy and resources to cracking down on hacking -- arresting perpetrators and hitting them with lengthy prison sentences and hefty fines? Enough of this!

Posted by: civcat | March 25, 2009 10:50 PM

That is interesting. It almost sounds like an ad for Vista, or maybe they are that much improved.
civcat: Would we hold a contest and give a free laptop to someone who came up with, say, the cleverest way to poison people? Only if you could do it with the laptop!
This is just an innovative way to find out what people are capable of. If they didn't do this publicly to find vulnerabilities, what would your online experience be like without it?

Posted by: fr1chise | March 26, 2009 7:20 AM

StillLoveWebKit, Google Chrome for Mac OS X is called Stainless. I love it ... so fast.

Posted by: davida3 | March 27, 2009 10:04 PM

I'm tired of the "don't run as Administrator" dodge. It's very 1999, okay?

Almost everything of real value on your system is stored in your /home (or /Users) folder, including all the documents and work you've produced, your photos, your music, your stored passwords, your bookmarks, and your application preferences. If an attacker deletes or (worse) corrupts these files, you are going to be very sad. It won't actually matter much that the underlying OS and applications are still in good shape.

Using your computer as non-admin is an important security layer, but it's just the beginning of a "defense in depth" approach that includes a whole spectrum of technology and practice designed to foil attacks.

Competition is good. Windows security has apparently benefited from it. Now it's time for Apple and the Linux community to step up and reciprocate.

Posted by: JJCarpenter1 | March 28, 2009 12:27 PM

Chrome doesn't need security vulnerabilities for you to have problems. Not when Google's got bad eggs on the inside.

Posted by: wabewalker | March 29, 2009 4:16 PM

Snap is good but not crashing is better. FF never crashes. With Safari it's always a matter of time.

Posted by: Rixstep | March 30, 2009 2:56 AM

© 2010 The Washington Post Company