Mac Shot First: 10 Reasons Why CanSecWest Targets Apple
March 29th, 2008
Daniel Eran Dilger
The details emerging from the CanSecWest security contest fill out a story that is bigger than the simple “Mac Shot First” headlines convey. This was not a contest where three systems were placed in an equal foot race and the Mac simply lost due to being a slower runner. Here’s why.
The CanSecWest contest featured a number of security researchers, each with different backgrounds, motivations, and levels of expertise working to exploit flaws in the three systems running Mac OS X, Windows Vista, and Ubuntu Linux. However, rather than being a level contest to expose the flaws in the three systems, it was really a contest highlighting the knowledge and abilities of the researchers, each of whom targeted the platform of their choice.
10 Things to Remember About CanSecWest and Software Vulnerabilities.
1. Exploits discovered for the Mac have little value outside of contests like CanSecWest. Nobody would buy the exploit Charlie Miller found, because there is no market for it. In the Windows world, there is a thriving market for selling exploits (both undisclosed discoveries and “0-day” flaws that are disclosed but not yet patched) because spammers, botnet operators, and identity thieves need them to stay in business. There is no malware underworld servicing the Mac, and consequently no demand for obtaining such exploits. Once discovered, Mac exploits are patched within a few weeks, so while they generate lots of heat and light for headlines, in the real world they don’t result in the kind of catastrophic destruction that Windows exploits do.
CanSecWest was a controlled explosion designed to demonstrate how fearsome a theoretical attack on Macs might be, if there were any market that could make such an attack happen outside of an artificial contest. The tech media has reported the event as if it stands on an equal footing with the millions of successful, real world attacks on Windows PCs that occur daily, which cause real damage and lost time, and which demand the continual, vigilant use of performance-robbing anti-virus software on the Windows platform. This is grossly misleading and hypocritical.
2. The CanSecWest contest clearly appears intent on transferring the security focus belaboring Windows to other platforms. Microsoft has repeatedly paid for research that might suggest that enterprise users could face greater theoretical security risks on Linux. Microsoft desperately desires to rid itself of its decades-long reputation for abysmal security, and the best way to hide the obvious reality of the Windows security crisis is to craft misleading headlines that announce that up is down.
Mission accomplished: despite billions of dollars in real world losses annually due to the mess of Windows’ active virus and malware crisis, CanSecWest has announced that Macs are less secure than Windows, and a childlike media and idiot public have chosen to believe that the stark reality around them has been authoritatively disproved by a publicity stunt.
[Update: while the motives of those setting up CanSecWest’s contest can be argued both ways, Microsoft’s maximizing of the simplistic marketing message in the media can’t. Jeff Jones, a director in Microsoft’s security group, blogged about the winning Mac OS X crack, noting:
“I don’t really care for ‘hack the box’ contests. If a machine doesn’t get hacked, it does not mean it isn’t breakable. If it does get hacked, it just shows us what we already know – any machine can be broken under the right circumstances. So, don’t read too much into the PWN 2 OWN results. I don’t.”
Jones’ blog is headlined “SECURITY IS NOT SIMPLE, SO WE SHOULD TRY NOT TO SIMPLIFY IT TO THE POINT OF USELESSNESS.” However, he also added, “having said that, given how obnoxious and misleading I find those Mac OS X ads and how they’ve spent millions of dollars publicly criticizing Windows Vista security improvements, I find it ironic and apropos that Mac OS X was the first machine to be owned in the PWN 2 OWN contest at CanSecWest today.”
The media only reported his final line. Further, Jones’ comment that Apple’s ‘Get a Mac’ ads are “misleading” is fully unsubstantiated. Windows Enthusiasts like to work themselves into a frenzy relating how upset they are about this message, but they don’t refute it. Also, saying Apple spends “millions of dollars publicly criticizing Windows Vista security improvements” is not really accurate or fair.
Jeff Jones Security Blog : Mac OS X Security – Reality Check #2]
3. The contest prominently focused attention on the brand name of the MacBook Air, while only describing the other two laptops by their manufacturer. This delivered the most sensational headline payload possible, associating the security problems dogging Windows with Mac OS X while also serving to malign Apple’s new laptop with the suggested taint of some special insecurity. Apple will have to step up its “I’m a Mac, Vista is dreadful” advertising just to balance things out.
4. The Mac exploit was something Charlie Miller had in hand when he arrived. There was nothing else he could use it for other than winning the contest. If it were a remote exploit, he could have made $20,000 rather than $10,000 by using it the first day of the contest. He knew exactly what his exploit was worth and what it could do. He’s a security expert.
[Update: Some people think this was a controversial idea I invented. It is not. Reader Don Bach sent in a link to an article interviewing Miller, and he states, with regard to the Mac OS X exploit he used to win the contest, “We sat down about three weeks ago and decided we wanted to throw our hats into the ring. It took us a couple of days to find something, then the rest of the week to work up an exploit and test it. It took us maybe a week altogether”.
Miller’s comments were intended to express how trivially easy it was to find an exploit by raking through FOSS code that Apple hasn’t updated, but they also point out that Miller had a plan in hand and was politically motivated beyond many of his colleagues to find an exploit that would target the Mac. The rest of the article repeated portions of Jones’ comments above, devoid of any context. Shame on Softpedia.
Microsoft Finds Irony in Mac OS X Getting Hacked Before Vista SP1 – Courtesy of Jeff Jones, Strategy Director in the Microsoft Security Technology Unit – Softpedia ]
5. The researcher who cracked the Vista machine was stymied by the fact that he didn’t expect it to have SP1 installed, according to a follow-up report by IDG’s Robert McMillan. So Miller was better prepared than the second place winner. That’s a positive reflection on Miller more than a negative reflection on Mac OS X.
Incidentally, last year Apple released a Mac OS X update prior to CanSecWest that similarly addressed several exploits contestants were planning to use. This year, Mozilla also pushed out Firefox 2.0.0.13 the day before the contest, patching flaws that might otherwise have been used to attack the Ubuntu installation.
The date CanSecWest is held, relative to release of security updates by each vendor, results in a variable that can have a big impact on the contest but doesn’t really say anything about the overall security of each platform. Had the contest been held prior to the release of Vista SP1 (which was released a full year after Vista arrived), it would have reflected the actual level of security Vista users enjoyed throughout 2007. Instead, it only reflects the state of Vista for users who have elected to install SP1, which has been dogged by problems of its own.
Steve Gold complained in IT Pro Portal that “Microsoft’s problems with SP1 are on a scale of BAA’s problems with Heathrow Terminal 5, but on a worldwide scale. Like BAA they’ve had months to iron out any problems, yet it singularly failed to do so. The known problems list makes for eye-popping reading.”
Earlier this week, the day before CanSecWest’s contest was held, Stuart Johnston observed in PC World, “Service Pack 1 for Windows Vista is (almost) ready for prime time. SP1 contains a whopping 573 bug fixes and patches that have accumulated since Vista first shipped in early 2007, plus some performance improvements. I advise you to get it–but only after the wrinkles are ironed out.”
If Vista’s SP1 has so many issues holding back PC World from recommending an immediate deployment, how much does CanSecWest’s contest, which installed SP1 on the Vista test machine, really say about the relative security of the users running Vista?
6. Miller reported hacking something related to Safari, but the details haven’t been revealed. Whether this was a real world vulnerability in Apple’s own code, a copy-and-paste attack on a FOSS library as Miller’s PCRE exploit was (or the libtiff exploit found by another researcher after PCRE was patched), or a contrived test that opened up telnet remote login on the machine and gave the researchers an account to use is still unknown. The notes so far suggest that it really had little to do with Apple’s own code, although Apple is still responsible for the versions of FOSS code it distributes as part of Mac OS X.
Incidentally, both the PCRE and libtiff vulnerabilities had exploits developed for them that were used both to demonstrate their use and to work around security on the iPhone in order to install unsupported software. Neither was actively used to do any actual damage, and both were patched within a few weeks of their discovery.
Changeset 31388 – WebKit – Trac via Daring Fireball.
The security problem affecting Windows users relates to the fact that there are not only more discovered flaws, but that these are being actively exploited to develop viruses, spyware, adware, and other malware. Further, there are vast numbers of machines that are not promptly updated with the patches that do exist, resulting in fleets of vulnerable botnets that actively distribute new attacks to other systems. These two problems aggravate each other to create the Windows security crisis.
Pointing out the presence of a theoretical attack vector in Mac OS X that can be easily addressed is nowhere near the scale of the actively destructive, virulently perpetuating problem that dogs Microsoft. Because there is actually very little Microsoft can now do to solve the problem it created in the 90s, it is left with only two options: doing what it can to solve security problems in Vista, which most Windows users have elected not to use, and erecting a smokescreen of misleading marketing that says the problem does not really exist and that other more secure platforms are actually somehow at greater theoretical risk.
7. Attendees with the ability to crack Linux “didn’t want to put the work into developing the exploit code that would be required to win the contest,” according to the IDG article cited above. Why not? Because they lacked the political motivation to prove Linux was easy to hack, and they lacked the financial motivation to earn $10,000 at a contest when they might be able to sell their vulnerability discovery for more than that.
8. Many exploits and vulnerabilities are not unique to “Mac, Windows, or Linux,” but instead are cross-platform threats. Vista was cracked this year using a flaw related to Adobe Flash. Vulnerabilities discovered in Java, generic browser flaws, and other common code implementations mean that researchers can often use a given vulnerability discovery to attack the platform of their choice. In the past, Miller has applied this principle to use FOSS vulnerabilities against Apple. In the same manner, experts in FOSS vulnerabilities affecting both Linux and Windows could sell their findings to Windows spammers.
This elasticity in discovered flaws demonstrates that vulnerabilities are most likely to be used wherever they deliver the most value to the finder, rather than being applied equally in some sort of convenient platform shootout that empirically rates the overall security reputation of each platform in one dramatic contest. Reality clearly demonstrates that in practice, discovered flaws are more often channeled into the thriving malware market surrounding Windows in order to create spyware, adware, and other malicious tools commonly distributed by viruses.
9. Miller has repeatedly stated that his life’s work is to discredit the security of Apple’s platforms. The only outlet and business model for such an effort is currently CanSecWest. Last year, Miller’s partner, working for the same company, won the same contest the exact same way. Both have repeatedly stated that Macs are trivially easy to attack each time they were given the opportunity to plant that particular meme into media coverage.
Certainly, if you’re a security expert with an outdated FOSS exploit in hand, you can beat both your non-motivated colleagues on Windows who have sold their exploits to spammers, and your Linux expert colleagues who have no interest in trying to make FOSS look bad, and easily win a contest like CanSecWest by exposing a flaw in Apple’s distribution of open source code. But again, that says more about your knowledge, expertise, and motivations than it does about Mac OS X, Windows, and Linux.
10. Apple’s use of open source makes it easier for researchers like Miller to identify exploits, including those that have been patched by their FOSS project, but have not been updated and distributed by Apple. I specifically noted in yesterday’s article that this is an area where Apple has received criticism, and ideally, that Apple should be faster at keeping its FOSS components up to date. Of course, there are also issues related to using the bleeding edge of FOSS software revisions, which despite being patched for vulnerabilities, may have other problems related to their newness.
Corporate IT staff frequently do not immediately patch their critical software until they know what the patch will actually do and that it will not cause other problems or expose other vulnerabilities. Apple’s distribution of FOSS patches to its commercial customers requires a similar delay. FOSS projects can blow out patches fast and furiously, but Apple can’t, or we’d all be annoyed to see patch updates in Software Update on a daily basis. Apple’s commercial customers demand software that “just works,” which requires a very different approach to version management than the “do it yourself” model in the Linux world.
It is overly simplistic to criticize Apple for not always distributing the newest version of every open source component it ships. Certainly, there are specific cases where Apple has dropped the ball and needs to improve. But making a blanket criticism that Apple doesn’t just throw together the most recent versions of every open source library available shows a gross ignorance of version management.
Apple Patches Faster than Microsoft Because it Patches More than Microsoft.
Which brings us to the other elephant in the room: Apple patches its OS software far more frequently than Microsoft, according to the same Swiss study that worked to discredit the timing of Apple’s patches relative to their vulnerabilities’ official date of disclosure.
Apple also improves its operating systems far more rapidly, with 66 updates to its Mac OS X desktop and server products (not including the iPhone) versus 7 releases of Windows desktop and server service packs over the six years of the Swiss study. That was entirely ignored by the media to focus on the completely skewed “who statistically patches flaws faster relative to the flaws’ public disclosure” metric.
For a media enraptured with titillating headlines, and an idiot public entertained by hearing what they want to hear instead of being informed of the more complex reality, CanSecWest delivers in spades. The rest of us have more facts to consider.