Faster Forward

A New View on Mac Security

Two weeks ago, the CanSecWest computer-security conference staged a simple contest for would-be hackers: Be the first to break into any one of three up-to-date laptops--one running Ubuntu Linux 7.10, one running Windows Vista Ultimate, one running Mac OS X 10.5.2--by exploiting a new software vulnerability, and you can take home the computer, plus a hefty cash prize.

On the first day of this "Pwn to Own" contest in Vancouver, during which contestants could only use remote exploits (those involving no action by the target computer's user), all three machines held up.

(In case you were wondering, "pwn" rhymes with "own" and is computing shorthand for "gain unauthorized control of.")

On day two, attackers could stage attacks requiring some action by the user--"following a link through email, vendor supplied IM client or visiting a malicious website," as the contest rules explained. This time around, the Mac laptop got taken down:

Congratulations to our first winner of the CanSecWest PWN to OWN contest! At 12:38pm local time, the team of Charlie Miller, Jake Honoroff, and Mark Daniel from Independent Security Evaluators have successfully compromised the Apple MacBook Air, winning the laptop and $10,000 from TippingPoint's Zero Day Initiative. They were able to exploit a brand new 0day vulnerability in Apple's Safari web browser.

The Vista laptop wasn't cracked until the next day, through a vulnerability in an almost universally installed third-party program--Adobe's Flash plugin.

The Ubuntu laptop survived all three days of attacks.

As it should, this test has spurred a great deal of discussion among Mac security experts (see, for instance, this recap in the TidBits newsletter).

It's not that a Vista PC is suddenly the "safe" choice over a Mac. In the real world, there are tens of thousands of dangerous viruses in the wild targeting Windows, against just about none on a Mac. A Mac also remains more resistant against viruses and trojans--i.e., malware that requires the user to run a program after it arrives on the machine--because of the need to type an administrator password before a program will make major system-level changes on a Mac. But the CanSecWest demo shows that a Mac may be even more susceptible to drive-by downloads than a Windows Vista computer.

"Browser hijackings" are among the most dangerous attacks around, because they require so little effort on the part of the victim. You just need to convince somebody to follow a link in their Web browser--something we all do all the time, usually with little forethought. It's been a huge problem on Windows for years, especially for people still running older versions of Internet Explorer.

Remember, the Mac laptop in this contest was completely patched, with every Apple security fix available at the time of the contest. Its firewall was in the ill-chosen default setting of "off," but Miller e-mailed me yesterday to say that an active firewall would not have stopped him from taking control of the computer--he already had the ability to run his own commands on the machine after breaking in through Safari.

Apparently, the Safari vulnerability exploited by Miller and his colleagues at Baltimore-based Independent Security Evaluators has already been fixed in test versions of Safari.* But Apple needs to step up its efforts--not least because vulnerabilities in Safari and QuickTime can bite Windows users as well as Mac owners, which is no way to draw PC owners into the Mac fold. The hardened defenses in the latest update to QuickTime, which try to limit the exposure of this common multimedia plug-in to entire types of attack, are the right idea.

If you use a Mac, you're going to want to be careful about going to strange Web sites. But you're going to want to do that if you run any operating system. You should be especially leery of links that show up in junk messages of any kind--e-mail, IM or comment spam. The Internet is just like the real world; there are some rough neighborhoods out there.

* Miller wrote in Tuesday afternoon to say that the shipping version of Safari still includes the vulnerability he exploited.

By Rob Pegoraro |  April 8, 2008; 10:41 AM ET  | Category:  Mac

Comments




I'm calling foul on this incorrect and hypocritical comment:

>>A Mac also remains more resistant against viruses and trojans--i.e., malware that requires the user to run a program after it arrives on the machine--because of the need to type an administrator password before a program will make major system-level changes on a Mac.

Vista has received a TON of criticism from you and nearly every other reviewer (Mac vs PC Ads anyone??) for adding exactly this feature. The Vista "Elevation prompt" that appears when you try to run an administrative action or program is the butt of criticism, but it protects against exactly this vulnerability. It's really unfair to say that MacOS is more secure because of this feature, but Vista is somehow less useable for the exact same feature.

Give credit where it is due and try to be consistent in your criticisms.

Posted by: Fred | April 8, 2008 2:53 PM

Rob, can you explain in relatively simple language how a browser hijacking works? I have always assumed that I could follow just about any link and be safe, but apparently that is not true. How does following a link compromise security? Is it the code that the browser then loads?

Posted by: Eric | April 8, 2008 4:40 PM

Fred, I think the point is that not every program a Mac user tries to add requires Admin approval -- only those that install in places beyond the user's relatively sequestered Home folder. Thus, the user isn't barraged with requests for approval for every little thing.

A friend of mine won't install software that requires a password to install b/c it opens the machine to more instability and uncertainty.

The bottom line is that the way the OS is writ, the kernel is protected. Windows has never had that sort of separation.

By the way, Rob, are you actually suggesting people use .. I can hardly believe my eyes... COMMON SENSE? I thought you a Man of the World, not some pie-eyed noob fresh from the farm!

Posted by: Bush -- not related | April 8, 2008 5:25 PM

"It's not that a Vista PC is suddenly the "safe" choice over a Mac."

That may actually be true although Mac fans (I consider myself one) are loath to cede any ground to Windows even if the facts suggest otherwise. You're still adhering to "old" Windows-think here Rob. You're treating Vista as though nothing has changed since XP SP1. Even though Windows machines are targeted at a phenomenally higher rate than any other OS, there has been no successful widespread malware attack against Vista since its release almost a year and a half ago.

Considering its huge footprint, and proven safety, why are you so unwilling to admit that Microsoft actually got it right? If there has been no successful widespread exploit of Vista, and there are no successful widespread exploits of OSX then why can't Vista be a safe choice over the Mac considering how easily it was compromised and how security bug-riddled QuickTime has proven to be on both platforms? Remember Vista was brought down by third party software while the Apple was vulnerable straight out of the box.

The hypocrisy of tech journalism with regards to Apple and Microsoft is disappointing. I love my Mac but the truth matters more.

Posted by: Luke | April 8, 2008 7:28 PM

Rob (or anyone):

If one went to one of these websites that can exploit a weakness in Safari, is there anything that would tip you off? As part of my discussion with someone who had placed an ad on Craig's List, he asked me to follow a link in one of his emails. When I clicked on the link, all I saw was lines of what I think is HTML coding (regular words along with some words and symbols enclosed in less than and greater than brackets.) I did not stay long to look at it very closely. There were no pictures or anything moving, just letters and symbols.

And if one's computer was compromised, what would one look for?

I have a MacBook running Mac OS 10.4.

Thanks Rob or anyone else.

Posted by: Greg | April 8, 2008 8:05 PM

Luke, while I don't disagree with your conclusion, I wonder that the reason there has not been any "widespread malware attack" is more that the hackers and virus writers have gotten smarter. Essentially, the malware is less likely now to disrupt networks and get widespread media attention and is more likely to sit relatively quietly and steal user data or pump out spam. I don't know the answer or have any information to support that hypothesis, but just curious and think it should be something to consider.

Posted by: PT | April 8, 2008 9:16 PM

I'd like to point out that keeping Quicktime up to date is more burdensome than most programs. QT (and iTunes) don't just download patches, they make you download and reinstall the program for every update. Annoys me to no end.

Posted by: ugh | April 9, 2008 2:47 AM

So, let's continue this dialogue. Rob, please put together a column that tells us what to do, how to be safer, what types of things NOT to click on. Tell us more about these "strange" websites, if you can. What are some of their characteristics? Thanks. Those of us running Macs with either Safari or Firefox (or both) would like to know more.....

Posted by: rjrjj | April 9, 2008 8:01 AM

I've been somewhat disappointed in the journalistic coverage of PWN to OWN. In hacking a system, one must focus his/her efforts on the specific quirks of the target operating system. This inherently means that a Mac hack won't work on Vista and vice versa.

That being said, the results of the contest need to be presented along with an analysis of the contest itself (rather than a quick summary.) For instance, how many viable attack attempts were actually made on each machine?

Is it not possible that most hackers viewed the Macbook Air as the most desirable piece of hardware and so focused their efforts accordingly?

Posted by: dsix | April 9, 2008 10:21 AM

I believe the most important line in the article is
"The Ubuntu laptop survived all three days of attacks."

I use a Mac sometimes, Windows very rarely, and, for real work, gnu/Linux. Any of these systems can be made secure. Some take more time and effort than others. A well-planned distribution of gnu/Linux (Ubuntu, SuSE, Red Hat, Fedora, etc.) is far easier to secure and maintain that way.

Posted by: Dan Coakley | April 9, 2008 11:51 AM

Here are the facts.

Windows has scores of exploits in the wild, Macs have ZERO. There is no practical way you can conclude Vista is more secure than Apple's Unix-based OS X. I recommend the following article to explain why malware will never reach the crisis levels on Mac that it has for Windows.

http://www.roughlydrafted.com/2008/04/02/five-factors-shifting-the-future-of-malware-and-platform-security/

Posted by: HMCIV | April 9, 2008 12:42 PM

I find it funny that Ubuntu only gets one line "The Ubuntu laptop survived all three days of attacks." This is the most important line in the article though. If you want a secure easy to use PC then check out Ubuntu.

Posted by: UbuntuUser | April 9, 2008 2:08 PM

It's not actually accurate to say that Ubuntu resisted. Well Vista broke because of a third party app, i.e., Adobe Flash. Ubuntu was vulnerable as well to the same flaw in Flash, but the rules don't allow for the same flaw to be used on another machine.

Posted by: Mohamed | April 9, 2008 2:26 PM

Microsoft claims Windows 7 (beta due next year. reely) is a ground-up re-write. Gee. I wonder if they'll discover abstraction layers and stop breaking device drivers every Tuesday?

With minimal competence on the part of the OS vendor, a device driver that worked in one version of an OS should work in the next. It is not rocket science, and there's no excuse for Microsoft to break device drivers with such infuriating regularity. (No, it is not the OEMs' fault) Of course, there's no excuse for much of what Microsoft does.

Track record notwithstanding, don't count on Microsoft to keep turning out horrible OSes. Apple, now's your chance: lower your prices as much as you can stand. Bleed for a quarter. Watch your market share grow.

Posted by: Default | April 9, 2008 4:18 PM

Being a recent Mac convert, I immediately downloaded and installed Firefox for OS X the day that I brought my Macbook Air home.

Back in the bleakest days of Internet Explorer hijackings, I bailed on IE and started using Firefox to weather the storm on my Windows machine.

Since I was familiar with Firefox from my time on Windows, I immediately gravitated to it on my Mac.

Whether I'm fooling myself or not is a good question, but my understanding is that Firefox for OS X is well maintained and has no current gaping security holes.

Posted by: Jeff G. | April 10, 2008 1:10 AM

In addition, doesn't Safari lack Phishing Protection, which is available in both IE7 and FF2?

Posted by: JohnJ | April 10, 2008 10:06 AM

Macs are far from perfect ... but ... One of the most important (cheap and worth it) programs for Mac OS X = Little Snitch http://obdev.at/products/littlesnitch/

helps detect/prevent OUTgoing connections that are hidden or unauthorized (not perfect but it's pretty good). lots of programs that 'phone home' that you never even know about, including apple, adobe, microsoft ... it should be MY decision if any info goes out from my computer, not a corporation's or a hacker's

and if you use firefox on any system, be sure you get the NoScript add-on

FWIW

Posted by: Junk-Swap.com | April 18, 2008 1:38 AM


© 2008 The Washington Post Company