
Safari browser allows Mac to be easily taken over at hacker convention, Vista, Ubuntu machines survive the day

It has not been a good couple of weeks for Apple and Safari. First Opera knocked it from its position as sole 100 percent compatible Acid3 browser. Then it tried to force iTunes users to unintentionally download the browser as part of an iTunes update, which included a pre-checked install option for Safari. The move was met with broad criticism, including from Mozilla's CEO, who commented that Apple was bordering "on malware distribution practices." Finally, Safari users who updated to v3.1 reported many bugs and crashes.

Now the browser, which Apple CEO Steve Jobs once called the "most innovative browser in the world and the most powerful browser in the world", has had more bad news. At the CanSecWest Show, an annual security conference, it was found that the Safari browser was surprisingly insecure, allowing successful attacks on Mac computers.

CanSecWest sponsors an annual hacking contest, which seeks to recognize vulnerabilities and give a comparative analysis of OS security.  A Mac, Vista machine, and Ubuntu box survived the first round, which only allowed pre-authentication attacks – a successful attack would have yielded a $20,000 prize.  However, on the second day, the flood gates were opened and hackers were allowed to use default-installed client applications.

The Mac fell within minutes, hijacked by security researcher Charlie Miller.  Miller compromised the computer through security flaws in the new Safari 3.1 browser, which he declined to make public.  For his takeover via the new vulnerability, Miller netted a sweet prize of $10,000.  Surprisingly, the hackers were unable to gain control of the Vista or Ubuntu machines that day.

On the third day, hackers were allowed to exploit popular third-party applications.  Hackers found the Vista machine surprisingly hard to crack in what they thought would be an "easy pickings" day.  The improved security is likely owing largely to SP1, perhaps because of NX support for heap memory.  In the end it was taken down by a cross-platform Flash Player attack.  The Ubuntu machine survived the day.

Some point out that the Mac and the other machines may be even more vulnerable than the show indicates, noting that a pre-authentication vulnerability might command a price of $50,000 or more elsewhere, making an exploit at the show unprofitable. According to eWeek's security analysts, "Safari is prone to a remote code-execution vulnerability because it fails to adequately handle regular expressions with large, nested repetition counts. Inaccurate compilation lengths are calculated, and an overflow results."
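One way a length miscalculation of the kind eWeek describes can arise, as an added example (not code from Safari, WebKit, or the original article): a sizing pass multiplies nested repetition counts in plain 32-bit arithmetic, the product wraps, and the reported size no longer matches what expansion would need. The mini-syntax, the function names, and the 65536-byte cap are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed mini-syntax (not a real regex dialect): literal bytes,
 * groups "( )", and a "{n}" repeat after a literal or group. A compiler
 * that expands x{n} into n copies needs len(x) * n bytes, so nested
 * repetition counts multiply. */
#define MAX_COMPILED 65536u  /* assumed policy cap on compiled size */
#define MAX_DEPTH    32      /* assumed cap on group nesting */

typedef struct { const char *p; int checked; int err; int depth; } ctx;

static uint32_t seq_len(ctx *c);

static uint32_t atom_len(ctx *c) {
    uint32_t len = 1;                       /* a literal compiles to 1 byte */
    if (*c->p == '(') {
        c->p++;
        if (++c->depth > MAX_DEPTH) { c->err = 1; return 0; }
        len = seq_len(c);
        c->depth--;
        if (c->err || *c->p != ')') { c->err = 1; return 0; }
    }
    c->p++;                                 /* consume literal or ')' */
    if (*c->p == '{') {
        uint32_t n = 0;
        for (c->p++; *c->p >= '0' && *c->p <= '9'; c->p++) {
            if (n > 99999u) { c->err = 1; return 0; }  /* keep n itself sane */
            n = n * 10u + (uint32_t)(*c->p - '0');
        }
        if (*c->p != '}') { c->err = 1; return 0; }
        c->p++;
        /* Hardened path: refuse before the product can exceed the cap. */
        if (c->checked && n != 0 && len > MAX_COMPILED / n) {
            c->err = 1;
            return 0;
        }
        len *= n;                           /* unchecked path wraps mod 2^32 */
    }
    return len;
}

static uint32_t seq_len(ctx *c) {
    uint32_t total = 0;
    while (*c->p != '\0' && *c->p != ')' && !c->err) {
        uint32_t a = atom_len(c);
        if (c->checked && a > MAX_COMPILED - total) { c->err = 1; return 0; }
        total += a;                         /* unchecked path can wrap here too */
    }
    return total;
}

/* Length a sizing pass with plain 32-bit arithmetic would report. */
uint32_t compiled_len_unchecked(const char *pat) {
    ctx c = { pat, 0, 0, 0 };
    return seq_len(&c);
}

/* Returns 0 and stores the length, or -1 if malformed or over the cap. */
int compiled_len_checked(const char *pat, uint32_t *out) {
    ctx c = { pat, 1, 0, 0 };
    uint32_t len = seq_len(&c);
    if (c.err || *c.p != '\0') return -1;
    *out = len;
    return 0;
}

int main(void) {
    /* Constructed inputs: the second needs 4 * (2^32 + 1) bytes expanded. */
    const char *pats[] = { "(ab{3}){2}c", "((a{65536}){65536}b){4}" };
    for (int i = 0; i < 2; i++) {
        uint32_t len = 0;
        int rc = compiled_len_checked(pats[i], &len);
        printf("%-26s unchecked=%u checked=%s\n", pats[i],
               (unsigned)compiled_len_unchecked(pats[i]),
               rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

The unchecked pass reports 4 bytes for the second pattern, which is the mismatch that turns into a buffer overflow once a later pass writes the real expansion; the checked pass rejects the pattern before any allocation.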

Miller didn't even have to use a new vulnerability; other vulnerabilities are also known for Safari. The first is a simple overflow attack using zip files. The second allows injection of content into a window belonging to a trusted site.

A recent independent analysis confirmed that Apple patches its vulnerabilities slower than Microsoft.  The analysis followed a controversial Microsoft report by Jeff Jones, known for trashing Firefox for its bugs.  The report indicated that 36 vulnerabilities in Vista were fixed over a total of nine patching events, and 30 unpatched vulnerabilities remained, while a total of 116 vulnerabilities were fixed in OS X over 17 patching events, with 41 unpatched vulnerabilities.

Apple's patches last year illustrate its slower-than-acceptable patching pace. They included fixes for four vulnerabilities known since 2006 and two known since 2005. The oldest of these, a vulnerability in Apache, had a fix released by Apache in 2005.

Security experts point out that despite Apple's poor security, its machines remain less attacked than Windows machines. Many believe this is simply a matter of market share. With Mac sales on the rise, there may soon be a large increase in Apple-targeted malware and takeovers, with the Safari browser taking the brunt of the attacks.


By psychobriggsy on 3/31/2008 12:57:42 PM , Rating: 4
Apple's blase attitude to security looks like it will come and bite them in the rear soon if they don't get on top of basic security fixes.

They've been riding on the coattails of having a more secure by design operating system, but that's no use if the software they run on top has holes like this.

I hope that Apple take a step back and spend some serious time getting security correct. It's not as pretty as a fancy Core Animation desktop effect, but it's far more desirable. You can't catch all the holes, but you can make it harder to get them cracked.

By Master Kenobi on 3/31/2008 1:24:39 PM , Rating: 5
I'm actually quite pleased to see Mac's security through obscurity model utterly destroyed... again...

In any case I am pleased that to break Vista down they had to use Flash (which has plenty of issues on its own).

By DASQ on 3/31/2008 2:28:42 PM , Rating: 5

Enough said.

By Goty on 3/31/2008 2:33:13 PM , Rating: 2
I was under the impression that it was a java vulnerability, not flash (I've read this on multiple other sites).

By Chadder007 on 3/31/2008 2:56:38 PM , Rating: 2
That's what I read too. ??????

By Master Kenobi on 3/31/2008 3:24:07 PM , Rating: 5
It was actually a combination of Flash and Java (which is quite complex). In either case, neither Flash nor Java have ever been secure.

By tallcool1 on 3/31/2008 3:46:42 PM , Rating: 2
"In any case I am pleased that to break Vista down they had to use Flash (which has plenty of issues on its own)."
I'm just curious, why does this please you?

By Goty on 3/31/2008 3:58:20 PM , Rating: 2
Probably because that means someone had to resort to third-party code in order to breach the system, it was not an OS vulnerability.

By jvillaro on 3/31/2008 5:04:47 PM , Rating: 2
I think it's because everybody just says this and that about Microsoft and its XP, Vista and IE security. And it's about time people start recognizing the improvements. It's not perfect but it's definitely much better than a couple of years ago. Also it kind of validates when people say that some security and stability issues are caused by flawed 3rd party software.

By jvillaro on 3/31/2008 4:55:01 PM , Rating: 2
I don't know about you guys, but ever since Adobe took over Flash, it's just been awful even more than before. Internet Explorer hangs up and gets pretty heavy when displaying flash.

By MonkeyPaw on 3/31/2008 5:53:42 PM , Rating: 2
Yes, and so much of the poorly written flash content is from advertisements. I can think of some from companies like IBM and CDW that loaded CPUs to 100%, making the system sluggish or unresponsive until it cycled through. Fortunately, Firefox with Adblock does wonders to quell all the crappy flash floating around out there.

By jvillaro on 3/31/2008 6:12:05 PM , Rating: 2
I also like firefox, but I use IE more. Just to know if anyone has had some issue. When I recently installed Firefox again and then installed the flash plugin, flash stopped working or uninstalled in IE, WTF??? Is this common? Is there a work around? Was I high and didn't notice? Has anybody experienced this?

By glennpratt on 4/1/2008 10:45:23 AM , Rating: 2
No this isn't common and probably unrelated. The plug ins are totally separate (ActiveX vs Netscape style Plugin) and use different installers.

By psychobriggsy on 3/31/2008 5:16:54 PM , Rating: 2
Most likely the flaw that was exploited was in the open-source webkit component, sounds like it is in a parser if it's to do with regular expressions.

Not exactly "security through obscurity". A lot of people seem to forget that Apple has open-sourced a lot of stuff (whilst keeping much of the stuff (cocoa, etc) that adds end-user value closed, of course).

Of course it could be in a deeper API, but then any other application that used that code would also be vulnerable.

By Flunk on 3/31/2008 10:35:03 PM , Rating: 2
Webkit is open-source because it has to be, it is based on code from the KDE project and the source must be made public on any derived works. Same with the code from the Darwin project, it must be made available because it is based on open-source FreeBSD code.

Apple provides sources only to portions of OS X they are legally required to.

By smitty3268 on 3/31/2008 10:44:06 PM , Rating: 2
You're correct, it was in part of the javascript library in Webkit.

By cscpianoman on 3/31/2008 12:48:41 PM , Rating: 4
This is the experience of one event, I wonder if Apple will release a statement tomorrow still touting their security advantages along with a slew of new Mac ads. <shudder>

I just got the safari update request and I am quite disgusted. Now that I know there is a Winamp feature that plays itunes and a quicktime alternative it is time to give Apple's software the boot. I don't want Safari, I don't care for Safari, leave it be Jobs.

RE: Ironic...
By FITCamaro on 3/31/2008 1:38:05 PM , Rating: 4
Yet they'll make fun of Vista for how "insecure" it is. I think that tests like this show that Vista is a pretty secure OS when it took a third-party app that Microsoft has no control over to crack into the system.

I guess the main question here is, how was each machine set up? Set up as a regular, sheeple consumer's PC or set up as a knowledgeable computer user's PC.

RE: Ironic...
By JoshuaBuss on 3/31/2008 2:02:38 PM , Rating: 5
they were default installs with only basic third-party applications (like flash and java) added.

it's interesting that it took flash AND java to crack vista... that's a pretty complex hack and certainly something microsoft can't even do much about to fix. way to go vista!

(granted, ubuntu's even better of course) :)

RE: Ironic...
By Goty on 3/31/2008 4:01:16 PM , Rating: 5
Ubuntu probably didn't get cracked because they didn't bother to get flash working correctly in firefox =P (speaking from experience, here).

RE: Ironic...
By glennpratt on 4/1/2008 10:58:31 AM , Rating: 2
Yeah, because either checking a box in Synaptic or typing
sudo apt-get install flashplugin-nonfree
is sooooooo hard.

Now it is marginally complex if you're running 64 bit, but that's Adobe's fault; they don't provide 64 bit software for anyone last time I checked. Windows browsers just default to 32 bit to save you the hassle.

RE: Ironic...
By omnicronx on 3/31/2008 2:18:19 PM , Rating: 2
What's ironic is that MacOSX is unix based, yet it does not even come close in security comparisons to linux or BSD systems. I mean if Apache is outdated by 2-3 years, how can Apple ever think they will get any considerable marketshare beyond the day to day personal use.

I mean you sure as hell can't use a vulnerable version of apache on your production machine.

RE: Ironic...
By michael2k on 3/31/2008 4:28:25 PM , Rating: 2
Why wouldn't a competent developer install the latest stable version of Apache on their machine?

RE: Ironic...
By marvdmartian on 3/31/2008 4:00:10 PM , Rating: 5
I'm just LMAO at Apple, and all Apple fanboys. They've touted their invulnerability for so long, this must be leaving quite the taste of ashes in their collective mouths now.

I'd love to see Microsoft hire the two actors that play "PC" and "Mac", and have them make a commercial where "Mac" is just standing there, hanging his head in shame, while "PC" points and laughs uproariously at him.

I guess maybe it's time that Apple got a taste of what it's like to be given the smackdown by hackers, and taught that if you want a bigger share of the limelight, it goes with a bigger share of hackers wanting to exploit your vulnerabilities. Welcome to the big time, Apple!

RE: Ironic...
By wildmannz on 3/31/2008 6:57:11 PM , Rating: 2
I have a PC and a Mac. Call me agnostic.
I'd like to see an Ad like that too.

Read the article so you understand what happened a bit better.
Apparently it wasn't done in just a day. The guys prepared the hack weeks in advance.
Of course - that doesn't excuse the vulnerability.
Just sayin'

RE: Ironic...
By kelmon on 4/1/2008 9:05:51 AM , Rating: 2
Anyone who touted the Mac as being invulnerable was a muppet. However, at present there's no known vulnerability in the wild so the situation hasn't changed in that respect.

For clarification, however, I do consider this an "EEK!" moment and I've switched my day-to-day browser to Camino.

By BigToque on 3/31/2008 12:46:20 PM , Rating: 2
What is the general method people use to gain access to these systems? I assume by gaining access, it is meant that they have full read and write access.

I also assume they're not figuring out the usernames/passwords and logging in remotely, so what exactly has to happen to gain access to the system?

By Trisagion on 3/31/2008 1:03:44 PM , Rating: 5
Well, hackers don't usually gain full access to a system (administrative rights) in a single step unless the machine is completely unprotected. Usually, it's a combination of hacks that give incremental rights, until they reach their goal.

For example, a hacker might know or have discovered that browser X, when executing an uncommon sequence of code Y allows the hacker to execute another block of code Z with administrative privileges. This code Z can retrieve passwords, etc. for the hacker's next attack and so forth.
The hacker might embed Y itself in some innocuous looking website.

Of course, browsers are just one point of entry to a system. Good hackers can test other known points of vulnerability and see if anything gives...

By Master Kenobi on 3/31/2008 1:06:22 PM , Rating: 3
It's simple in theory. When you log into a computer, anything that runs, will run with your credentials. All the hacker needs to do is execute some code that your computer will handle to give himself access or cause your computer to "throw up" which basically dumps them out to the root with full access (it's considerably more complex than that but we're trying to keep this at a high level).

They don't need your username/password, they are hijacking a system that is already authenticated (you logged in didn't you?). This is why servers typically have no internet access or people when on a server do not use the root credential and instead use a restricted one to do their job that contains only the permissions they need and nothing more (especially not internet access or browser access).

By Mitch101 on 3/31/2008 1:42:44 PM , Rating: 1
Sometimes the hack is too obvious and is found out of curiosity or accidentally.

You know that background music you get when you go to a web page? Instead of pointing it to a WAV file a hacker used to be able to point it to a program. There are commands to do just about anything on a computer that you do through a GUI.

Most common I would say is putting an executable program where you wouldn't normally put one and having it execute on the machine.

Overflows are also common and then trying to get the dump data.

Imagination is key. Also know your place in the world. Don't ever mock a hacker no matter what skill level. A determined hacker with a case of Red Bull and the summer off. I wouldn't push it.

By kextyn on 3/31/2008 12:49:47 PM , Rating: 2
Steve Jobs thinks (or thought) Safari is the most innovative browser in the world? Safari was released in 2003 and the only notable feature not found on other browsers (that I could find) was the bookmark syncing. What have they added since then that was more innovative than anything Opera or Mozilla did?

RE: Innovative?
By 777 on 3/31/2008 4:36:16 PM , Rating: 2
I'm an Apple user and mostly surf with Safari, but also use Mozilla because some sites just don't accept Safari. You may be right about what Jobs thinks and as a business owner I would believe he might say anything to sell his product. I would never say Safari is the most innovative browser, because it's not it certainly lacks features I want, but it's simple and on my Macs'(not Pc), it is the fastest browser I have ever used. Mozilla is quite a bit slower than Safari. I have yet to use IE on Vista so I can't speak for that, but I have in the past hated older versions of IE, my surfing experience was some of the worst.

RE: Innovative?
By RedStar on 3/31/2008 6:34:38 PM , Rating: 2
no per an article here the other day ...

apple purposely slows other browser code down.

RE: Innovative?
By kelmon on 4/1/2008 9:16:16 AM , Rating: 2
Without keeping track of what the other browsers were doing and when it is a bit hard to say but a proper RSS reader back in Safari 2 was (I think) more than anyone else provided (I don't think Firefox's LiveBookmarks count). Beyond that the only other additions I can think of is Web Clips in conjunction with Dashboard for the creation of widgets and enhancements to the WebKit rendering engine, which is generally ahead of the competition in terms of support for new technologies.

Tab management tends to be better in Safari but this is tempered by the fact that you can't set it to open all links in a new tab without changing a hidden preference using the command line, which is incredibly dumb. Still, it is nice at times that in addition to being able to reorganise tabs in your current window, you can also drag tabs into new windows or move them to another existing window.

As a general rule, I prefer Safari but after this debacle I've switched to Camino.

Enterprise iPhone concerns...
By Carter642 on 3/31/2008 2:42:44 PM , Rating: 2
So iPhones are racking up mobile browsing market share hand over fist and are using safari and Apple is pushing enterprise adoption for iPhone as hard as they can with SDK 2.0... I'd be concerned if I were considering iPhone deployment. Losing control of a corporate computer with access is a big hole, and losing control of an iPhone would be nearly as big a hole.

If I were a hacker I'd try and figure out how to get control of an iPhone through Safari. You'd get ahold of a lot of the same data as a corporate hack with a lot less trouble and it would give a chance to infect the user's main computer through syncing the iPhone giving an easy chance at the corporate network... Just a thought.

RE: Enterprise iPhone concerns...
By michael2k on 3/31/2008 3:21:47 PM , Rating: 2
Essentially every "unlock" performed on an iPhone is a security exploit that compromised the system (gaining root, installing applications, modifying firmware), so from that standpoint Apple has "free" security audits coming from the unlock crowd, and every fix, as distasteful as it may be to the unlockers, makes the iPhone more and more secure.

So yes, hackers have been trying to compromise iPhones via Safari from day 1 and Apple has been fixing those holes.

RE: Enterprise iPhone concerns...
By kelmon on 4/1/2008 9:19:33 AM , Rating: 2
I believe that this was already done to some degree by the same chap who performed this hack and is one of the reasons why he targeted the MacBook Air. Interestingly, he's a Mac user and chose the Mac as the target for the simple reason that it's the platform he's most familiar with.

If installs were allowed...
By wildmannz on 3/31/2008 7:06:55 PM , Rating: 2
...Why didn't they install Safari on the Vista machine and hack that too?

RE: If installs were allowed...
By kelmon on 4/1/2008 9:22:28 AM , Rating: 2
I don't think it qualified in the rules of the competition. Potentially it could have been done on Day 3 but that was for popular 3rd party applications and I don't think that Safari qualifies.

RE: If installs were allowed...
By Gondorff on 4/2/2008 2:23:14 PM , Rating: 2
"...Why didn't they install Safari on the Vista machine and hack that too?"

I'm pretty sure the rules stated that you couldn't install the virus _directly_ onto the machine. ;-)

By Locutus465 on 3/31/2008 2:17:49 PM , Rating: 4
Apple, security through non-interest in the platform...

By Mudvillager on 3/31/2008 2:19:03 PM , Rating: 2
"First Opera knocked it from its position as sole 100 percent compatible Acid3 browser."
As a big Opera fan I can't help but get annoyed by this sentence since it's incorrect - Safari never had a 100% Acid3 score.

Awesome Picture
By fuser197 on 3/31/2008 3:21:44 PM , Rating: 2
Hee, what an awesome picture for this post...

By greylica on 3/31/2008 5:45:14 PM , Rating: 2
People are always asking for reasons to switch to Linux.
Here is one more...
Ubuntu is being the most used Linux distribution, but did not forget to be a secure software.


Give up on the browser Apple
By daftrok on 3/31/08, Rating: -1
By psychobriggsy on 3/31/2008 1:01:02 PM , Rating: 2
Well they've done the work now, and they need the browser for Mac OS X. Might as well keep on compiling for Windows. Anyway, it helps web designers make sure their web sites look good in it. I certainly don't see any reason for any user to stop using Firefox on Windows otherwise.

If Safari makes any inroads on Windows market share, it's likely it will be at IE's expense, not Firefox's. I don't think it will, of course.

RE: Give up on the browser Apple
By michael2k on 3/31/2008 1:14:32 PM , Rating: 3
Except Safari is worth the time and resources to continue. If Apple doesn't have Safari, we wouldn't have:
1) WebKit
2) Safari for Mac (since IE for Mac was discontinued)
3) Safari for iPhone
4) Safari for iPod touch
5) Nokia based WebKit browser

Safari and WebKit has done a lot for mobile browsing and lightweight browsing. If FireFox could take marketshare away from IE, there is no reason to think Safari couldn't as well; competition means better browsers for everyone, so as long as Apple can afford it, I think Safari for Windows is a great idea, if for no other reason that Microsoft and FireFox cannot "rest on their laurels".

RE: Give up on the browser Apple
By retrospooty on 3/31/08, Rating: -1
RE: Give up on the browser Apple
By DASQ on 3/31/2008 2:32:19 PM , Rating: 3
I think he was trying to hide for "If Apple didn't have Safari, they have one less aspect of control over your Mac".

RE: Give up on the browser Apple
By michael2k on 3/31/2008 3:32:01 PM , Rating: 2
You're not supposed to care about them. I didn't write that list of things that you should care about, it was a list of things that Apple cares about.

There is no IE, so Apple has to use Safari, on Mac. They likewise ported Safari to the iPhone and iPod touch in order to have the "best" web experience on those platforms; again, they don't need you to care.

WebKit is important because of its contribution to competition and diversity, since it is the foundation for Nokia's N60 browser and Android's web browser.

Which is where my last point concludes; WebKit and Safari is important for competition. It is already the most used mobile web browser over pocket IE and FireFox. It's pushing Microsoft and Mozilla to try harder on portables, and that is good for us.

RE: Give up on the browser Apple
By 777 on 3/31/2008 4:46:08 PM , Rating: 2
"competition means better browsers for everyone"

Exactly, it's great we have choices and competition.

"They likewise ported Safari to the iPhone and iPod touch in order to have the "best" web experience on those platforms; again, they don't need you to care."

Good point!

RE: Give up on the browser Apple
By omnicronx on 3/31/2008 2:34:13 PM , Rating: 2
Webkit is based directly from Konqueror.(the integrated KDE browser from linux)... Apple did not invent it..

So maybe you should change your list to.. if we didn't have KDE we wouldn't have
2)WebKit etc ;)

Google and Nokia also have a huge stake in webkit, and when google's android OS comes out, it's going to wipe the floor with anything apple's safari has to offer...

RE: Give up on the browser Apple
By michael2k on 3/31/2008 3:26:45 PM , Rating: 2
I'm not disagreeing in the least. Without KHTML there would be no WebKit (more on and

Of interest is that Nokia's browser is based on WebKit; and so is Android.

So even if Android is competing with the iPhone, it can't "wipe" Safari because its basic web browsing component is the same as Safari!

RE: Give up on the browser Apple
By omnicronx on 3/31/2008 8:05:05 PM , Rating: 2
same component, different o/s, different performance..
safari performance is probably not the same across all platforms either.

By michael2k on 4/1/2008 2:37:47 PM , Rating: 2
I will re-iterate my point. If Android takes off, so too will WebKit because Android uses WebKit.

Which means, in the end, increasing competition against Microsoft and FireFox; as long as people use WebKit, then developers will fix WebKit, and therefore Apple will see positive returns on WebKit, further encouraging Apple to continue to develop and ship Safari.

The point of this thread was someone said Apple should can Safari, and the existence of Android, N60 browser, the iPhone, the iPod touch, and the Mac all argue against canning Safari.

RE: Give up on the browser Apple
By thartist on 3/31/2008 4:36:01 PM , Rating: 2
I agree with one thing: since Safari was introduced in the browser wars, that war and competition got incredibly hot and even Opera and Apple got to pass Acid 3 quite quickly (even if dev builds).

The rest: Safari has a chance and niche for Mac-ers running Windows, IE haters that will go Safari just because they like it or think Apple is cool, and a little amount of random people but, the game already has its strong players AND Safari ain't really better than those.

Those 5 points you mention are not medium-weights and don't make for anything outside themselves to be honest.

Copyright 2016 DailyTech LLC.