April 23, 2007
Mac hacked at CanSecWest
Posted Apr. 23, ’07, 5:13 AM PT by Derik DeLong
Category | Security
We’ve got a new security saga for consumption here in the Mac community. It’s been a while and we’re likely to see some old names and faces to surface in the following weeks (I’m hoping that exaggeration, but I doubt it will turn out to be). A MacBook was hacked at CanSecWest.
The conference organizers decided to offer the contest in part to draw attention to possible security shortcomings in Macs. “You see a lot of people running OS X saying it’s so secure and frankly Microsoft is putting more work into security than Apple has,” said Dragos Ruiu, the principal organizer of security conferences including CanSecWest.
Initially, contestants were invited to try to access one of two Macs through a wireless access point while the Macs had no programs running. No attackers managed to do so, and so conference organizers allowed participants to try to get in through the browser by sending URLs via e-mail.
Allow me to point that they changed the rules when it turned out no one could accomplish the goal, they changed the goal. The hack basically comes down to this: If someone visits a maliciously crafted page in Safari (or Firefox according to Matasano), it can trigger a remote shell for an attacker on that machine. While that could be coupled with a privelege escalation problem (a user on the system can get root without permission) for serious damage, that shell is as the user using the web browser. Turning off Java reportedly will avoid the problem.
Now for some off the cuff analysis. You need to surf to a bad page. However, due to the lack of details, we don’t know if people will be able to embed the necessary content into websites like MySpace, etc. Matasano is leaking pieces of information in chunks (and putting in fancy bold type “EXCLUSIVE: MUST CREDIT MATASANO” like ten times). He says you might want to turn off everything under Web Content, including JavaScript and plug-ins. The JavaScript bit doesn’t have much traction because unless that would rely on Safari and Firefox both having a common implementation flaw in their independent codebases. It’s not impossible, just unlikely. The flaw, most logically, is in the Java Virtual Machine for Mac OS X. That would make it apply to basically any Mac web browser. The current information also says nothing about whether a hardware firewall would prevent the remote shell access (which would make this pretty impotent for most Mac users).
We’re still early in the saga, so stay tuned to (Java free) MacUser for more details as they’re revealed. If you want to stay safe, turn off Java (just a sidenote, OmniWeb allows for globally turning off Java while enabling it for specific websites, a feature I’ll be using for now).
4 Comments
Leave a comment
Recent Entries
About MacUser
MacUser is your source for news, info, and opinion about Apple, the Mac, and the iPod. Our dedicated team of bloggers covers everything that is relevant to Mac users — and, okay, some stuff that’s not quite relevant, but is still a lot of fun. (Plus, we've got columns by Andy Ihnatko!)
Subscribe/RSS
- Blog Posts
- Blog Comments
- Podcast (RSS) (iTunes)
Tip us off!
- Email: macuser [at] macuser [dot] com
Recent Comments 
- D Jones on Wait...Spotlight can do that?!
- Bob on U-Charge: like U-Haul, but for batteries. Except not.
- Noah on Maybe this CBS buyout thing will be a good thing
- Gary Gygax on Effective by design: Apple wins prestigious two (count 'em, two) black pencil awards
- Kelmon on Mozilla Messaging Thunderbird 3.0 alpha 1 released
- Scissor on Maybe this CBS buyout thing will be a good thing
Categories
- Apple (173)
- Advertising (135)
- Events (198)
- Huh? (139)
- Humor (229)
- News (128)
- People (223)
- Rivals (334)
- Speculation (134)
- Steve Jobs (142)
- Stores (170)
- Apple TV (50)
- Business (374)
- Games (128)
- Geekery (409)
- Hardware (836)
- Accessories (53)
- Intel Macs (157)
- Ihnatko (18)
- Internet (379)
- Legal (194)
- MacUser (87)
- Money (153)
- Music (312)
- Podcasting (97)
- Photography (66)
- Security (205)
- Software (1368)
- Updates (457)
- Tips (324)
- Troubleshooting (172)
- Video (356)
- Windows (190)
- iPhone (174)
- iPod (560)
- iPod Accessories (87)
- iPod Software (56)
- iTunes (97)
- iTunes Store (376)
Archives
- May 2008 (109)
- April 2008 (234)
- March 2008 (217)
- February 2008 (215)
- January 2008 (239)
- December 2007 (169)
- November 2007 (164)
- October 2007 (187)
- September 2007 (167)
- August 2007 (195)
- July 2007 (152)
- June 2007 (223)
- May 2007 (243)
- April 2007 (286)
- March 2007 (288)
- February 2007 (250)
- January 2007 (266)
- December 2006 (244)
- November 2006 (293)
- October 2006 (307)
- September 2006 (250)
- August 2006 (268)
- July 2006 (288)
- June 2006 (293)
- May 2006 (297)
- April 2006 (351)
- March 2006 (366)
- February 2006 (110)
- January 2006 (107)
- December 2005 (23)
Mac Publishing Sites
Links
IDG NETWORK:
Or you can use Opera (hopefully)
Say what you will about agendas or changing the rules, they have gone to a great effort to provide enough information to avoid panic and allow you to protect yourself without giving hackers enough information to exploit the hole. They are also talking to Apple to get a fix as soon as possible. Contrast with the irresponsible egoism of the MoAB.
ooo... good tip on that OmniWeb preference. I use it for 99.9% of my browsing. Matter of fact, there is only one web site I go to that I have to use Safari. Yes, OmniWeb allows custom settings for everything for each and every web site you visit.
I find it remarkable that the contest rules had to be altered before the Mac could be hacked. I also think it’s worth pointing out that Microsoft is one of the chief sponsors of the CanSecWest conference.