Daniel Eran Dilger
Random header image... Refresh for more!

Mac security researcher wins Pwn2Own contest with Safari hack

Prince McLean, AppleInsider
In a repeat performance of last year, security researcher Charlie Miller arrived at the CanSecWest conference this week with a prepared exploit to use in cracking Safari running on Mac OS X.
Unsurprisingly, Miller was able to use his exploit to immediately win the event’s “Pwn2Own” contest, generating headlines that suggested that Macs are inherently less secure, despite the fact that every browser involved in the contest failed on the first day.

This year’s contest arranged for two test computers. According to the CanSecWest event’s official website, which is oddly littered with typos, the “Browsers and Associated Text PAltform” [sic] were a Sony Vaio PC running a prerelease Windows 7 beta with Internet Explorer 8, Firefox, and Google’s new Chrome browser, and a MacBook running Safari and Firefox.

In each of the three days of the contest, the exploit rules were intended to be progressively relaxed, starting only with exploits that attacked the browser itself, then adding Flash, Java, .Net and QuickTime to the mix on day two, and then “popular apps such as Acrobat Reader” on the third day.

Finding vulnerabilities

The Pwn2Own contest is being presented as a shootout between Mac and Windows browsers. Last year’s contest also included Linux, but attendees with the ability to crack Linux “didn’t want to put the work into developing the exploit code that would be required to win the contest,” according to a report by IDG.

That fact highlights that, in reality, the platforms and browsers involved aren’t targeted by a series of equal attacks. Instead, researchers arrive with exploits they hope to use against vulnerabilities they are aware of in specific platforms or browsers, but have not yet reported. Were they to report the exploits in advance, they would be patched by the vendor. There’s no money in that, so the contest provides an incentive to report vulnerabilities.

In exchange for the winning prize, Miller granted the reporting rights to the discovered flaw in Safari to TippingPoint’s Zero Day Initiative, which will coordinate the handling of the disclosure and the patch release process with Apple. When a vulnerability is reported to Apple, the company credits the discoverer with finding the problem when issuing a patch for it.

Last year, Miller’s winning attack on Safari actually targeted the open source Perl Compatible Regular Expressions library used by WebKit’s JavaScript engine, an exploit he also made headlines with for using against the iPhone. Apple’s extensive use of open source software makes it far easier for researchers to discover exploits for at their leisure, compared to closed proprietary software. It wasn’t Apple’s proprietary code in Safari that was cracked.

At the same time, proprietary, closed code isn’t invulnerable due to its opaque “security through obscurity.” Windows Vista was cracked in last year’s contest due to a flaw in the Adobe Flash plugin, which is not open source but which security experts were still able to exploit.

Patching vulnerabilities

At the same time, Apple’s use of open source also enables the company to issues more security patches and operating system updates than Microsoft does, according to a study of Windows and Mac OS X releases conducted by the Swiss Federal Institute of Technology.

That group found that in the years between 2002 and 2007, Apple released 815 patches compared to 678 by Microsoft. In that timeframe, Apple shipped five paid reference releases of Mac OS X (Jaguar, Panther, Tiger, Tiger for Intel, and Leopard) and 33 free updates, including eight for Jaguar, nine for Panther, eleven for Tiger, and one for Leopard, a total of 38 significant feature and security releases, excluding Mac OS X Server, the iPhone, and standalone security patches.

In contrast, Microsoft only released a total of seven updates over that period, including Windows XP SP1 and SP2; Windows Server 2003, SP1, R2, and SP2; and Windows Vista. In the year since, Microsoft has released two service packs for Vista and one for XP. Apple has released five additional free updates for Leopard, again not counting Mac OS X Server patches or iPhone updates.

Mac and Windows updates

“Simplifying security to the point of uselessness”

The oversimplification of the Pwn2Own contest’s results by the media has resulted in criticism of how the contest is portrayed and conducted. The Pwn2Own contest is “simplifying security to the point of uselessness,” according to comments by Jeff Jones, the director of Microsoft’s security group.

Last year, Jones addressed CanSecWest in a blog post which stated, “I don’t really care for ‘hack the box’ contests. If a machine doesn’t get hacked, it does not mean it isn’t breakable. If it does get hacked, it just shows us what we already know – any machine can be broken under the right circumstances. So, don’t read too much into the PWN 2 OWN results. I don’t.”

Last year’s contest was also distorted by the arbitrary timing of patches, with Miller’s successful exploit for Safari happening to miss Apple’s patch cycle, while other researchers armed with exploits for Windows Vista were stymied by the last minute application of the then-new Vista Service Pack 1.

The contest is also somewhat removed from reality due to the fact that it pits the current release of Mac OS X with new versions of Windows that do not reflect what the vast majority of Windows PC users are actually running. Last year, Vista was only in use by a small fraction of early adopters (and even now, less than a quarter of the installed base is using it), and SP1 was so new and problematic that PC World was advising users not to install it until “the wrinkles are ironed out.”

This year, the use of the prerelease Windows 7 operating system, which security researchers have had limited access and time to study, combined with the fact that Microsoft expressly warns users not to use it in production environments, tends to create the impression that Pwn2Own is more about theoretical games than real world security issues relevant to end users.

Security in the real world

The real world security problems that affect today’s Windows users relate to the fact that there are not only more discovered flaws on Windows, but that these flaws are being actively exploited to develop viruses, spyware, adware, and other malware. Further, there are vast numbers of machines that are not promptly updated with the patches that do exist, resulting in fleets of vulnerable botnets that actively distribute new attacks to other systems. These two problems aggravate each other to create the Windows security crisis.

While pundits like to talk about numbers of discovered vulnerabilities, often failing to correctly compare similar code on each side (with Mac OS X inheriting the vulnerability counts in optional open source server programs, Java, and other components that are not considered on the Windows side), the real problem is active exploits. Mac OS X continues to have no real viruses, while Windows users continue to be plagued by viruses, adware, and other security problems.

At the same time however, the tech media is promoting the CanSecWest event as a “security shootout,” with at least one report noting that browsers on the Windows box were “still standing” after Miller successfully applied his exploit attack to the Mac, as if the Windows box had somehow successfully dodged Miller’s exploit rather than simply never having been aimed at by his open source attack.

Internet Explorer 8 on the Windows machine was exploited shortly afterward by a different researcher calling himself Nil, followed by his demonstration of a successful crack of the Firefox browser.

  • http://coderad.net StrictNon-Conformist

    This whole contest is a pile of BS, because what it truly measures is the choice-making ability of the contestants, along with their typing speed and knowledge of any particular platform.

    I find it very hard to believe that as the reports suggest, he had “full control of the machine” in a few seconds, because you need sudo access to have full control over the entire machine, as opposed to merely taking control of the account. Sure, it may have been running under an administrator account (not wise online, that’s for sure!), but certain actions still require entering the administrator’s password to accomplish, but the coverage doesn’t cover things that deeply, though at least it did mention that the guy stated he practiced the exploit until he was 100% sure it’d work every time: again, it was really a contest to show what I stated above, with typing speed being a paramount differentiator. It wouldn’t even matter which platform: the one that’s hit first with the fastest typist that has a known-good exploit will likely go down first.

  • darwiniandude

    Quite right, and admin account on the Mac isn’t like on windows, especially if things like ‘Require password to unlock each System Preferences Pane’ are enabled.

    What version of Safari was used???

  • Brau

    Ahh well, the furor over this event last year blew over pretty quick and this one will too. Those who are looking to blast Macs or crow about Windows will find any excuse, reverting to “Macs are only good for graphics” if they can’t find anything else. Personally, I’m just glad the exploits are kept secret because both Apple and MicroSoft can create patches before any real damage is done.

  • tzx4

    This following is a copy & pasted passage I found when there was the minor flap a few months ago concerning whether or not Apple recommends running anti virus software. It must be considered hearsay, but if accurate, it sure is at least a bit humorous if not enlightening.

    “But Miller, who regularly roots out Mac and iPhone vulnerabilities and is perhaps best-known for walking away with a $10,000 prize for hacking a MacBook Air laptop in under two minutes last March, pooh-poohed Apple’s recommendation using the same logic as many longtime users.

    “Windows has 90% of the market, but [attackers] give it 100% of their time,” he said, echoing the idea that hackers target the largest pool of victims.

    Criticizing security software for its cost — both in dollars and in the processor cycles it consumes — Miller admitted that he doesn’t bother running any on his Macs. “I don’t think it protects me as well as it says,” he argued. “If I was worried about attacks, I would use it, but I’m not worried.”

  • Pingback: Kaspersky Sells Mac AntiVirus Fear Using Charlie Miller… Mac AntiVirus Foe — RoughlyDrafted Magazine()

  • JulesLt

    If you look at the CanSecWest page, the definition of ‘owned’ is ‘code execution in the context of the browser process’ – so it says nothing about the wider security of the platform, only the browser.

    Now, as it is, you could still do a lot of damage (deleting the users home directory) from getting control of a user level process, but Snow Leopard – correctly comparable with Windows 7 – implements the process sandboxing introduced in Leopard – which would significantly reduce the damage that could be done.

  • Pingback: Apple Sicherheit - Security Forum()