
Charlie Miller pwned yet another Mac computer at CanSecWest. He says Macs are easier to hack than Windows 7 computers.  (Source: ZDNet)

Peter Vreugdenhil managed to hack a patched 64-bit Windows 7 machine using tricks to bypass the operating system's memory protections.  (Source: ZDNet)
Safari on a Mac and Internet Explorer 8 in Windows 7 were also exploited

It's been an action-packed couple of days of Pwn2Own hacking contests at the CanSecWest security conference in Vancouver.  Hackers eroded Apple's image of superior security, making quick work of Microsoft and Apple products alike.

The fireworks began with an iPhone exploit coded primarily by Vincenzo Iozzo and Ralf Philipp Weinmann.  The exploit works on a fully patched iPhone 3GS (and presumably other models).  It allows a malicious user to lure a target to a website and then steal any or all of the following -- the person's SMS text database (including deleted messages), their contacts, pictures, and iTunes music files.

Describes Iozzo, "Basically, every page that the user visits on our [rigged] site will grab the SMS database and upload it to a server we control."

Halvar Flake also helped the pair develop the exploit.  He says that the iPhone's sandbox protections don't do enough to protect the user fully.  He states, "This exploit doesn’t get out of the iPhone sandbox.  Apple has pretty good counter-measures but they are clearly not enough. The way they implement code-signing is too lenient."

He posts more details on a blog here.  

The exploit currently crashes the browser, but the collaborators are planning a version that allows the browser to keep running.  They sold the rights to the vulnerability to TippingPoint Zero Day Initiative, which is in turn working with Apple to come up with a patch.

Iozzo and Weinmann scored the iPhone 3GS they hacked and a $15,000 cash prize.

That wasn't the only Apple product exploited -- as promised, Charlie Miller successfully hacked a Mac computer for the third year in a row.  Conference organizers navigated to a prepared webpage which downloaded content without informing the user.  That download was used by Miller to gain root access to the machine.

Miller is a champion of a hacking/testing technique known as fuzzing.  Fuzzers throw random inputs, such as environment variables, keyboard and mouse events, and sequences of API calls, at a program to try to get it to do something it doesn't usually do (like compromise its security).
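To make the technique concrete, here is a minimal mutation fuzzer run against a toy record parser. It is an added example, not code from Miller or from the article; the `TOY1` format, the parser and its two bugs are constructed for illustration. Clean rejections (`ValueError`) are ignored, and any other exception is recorded as a distinct bug to triage.

```python
import random
import struct

MAGIC = b"TOY1"                                   # constructed file format
PALETTE = [(i * 16,) * 3 for i in range(16)]      # 16 grey levels
# Constructed valid seed: pixel(3), size(16x32), pixel(15)
SEED = MAGIC + b"\x01\x01\x03" + b"\x02\x04\x00\x10\x00\x20" + b"\x01\x01\x0f"


def parse(data: bytes):
    """Toy parser under test. Malformed input should raise ValueError."""
    if data[:4] != MAGIC:
        raise ValueError("bad magic")
    pos, out = 4, []
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated header")
        rtype, rlen = data[pos], data[pos + 1]
        body = data[pos + 2 : pos + 2 + rlen]
        pos += 2 + rlen
        if rtype == 1:                            # pixel: one palette index
            out.append(PALETTE[body[0]])          # BUG: index not range-checked
        elif rtype == 2:                          # size: two big-endian u16
            out.append(struct.unpack(">HH", body))  # BUG: trusts rlen == 4
        else:
            raise ValueError("unknown record type")
    return out


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Dumb mutation: overwrite 1-3 random bytes with random values."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


def fuzz(seed: bytes = SEED, iterations: int = 2000, rng_seed: int = 1):
    """Return {(exception name, line): first input that triggered it}."""
    rng, crashes = random.Random(rng_seed), {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            parse(case)
        except ValueError:
            continue                              # clean rejection, expected
        except Exception as exc:                  # anything else is a bug
            tb = exc.__traceback__
            while tb.tb_next:                     # deepest frame = fault site
                tb = tb.tb_next
            crashes.setdefault((type(exc).__name__, tb.tb_lineno), case)
    return crashes


if __name__ == "__main__":
    for sig, case in fuzz().items():
        print(sig, case.hex())
```

Bucketing by exception type and faulting line keeps thousands of crashing inputs from hiding the fact that only a couple of underlying defects exist; each stored input is a reproducer for the fix.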

For his efforts Miller scored another MacBook Pro (though he probably doesn't need it).  He's cooperating with Apple on a patch and won't release details of the vulnerability until it lands.

Apple wasn't the only OS maker to have its products hacked, though.  Windows 7's much-celebrated memory protections were cracked.

Dutch hacker Peter Vreugdenhil infiltrated a fully patched Windows 7 64-bit machine by bypassing the ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention) memory protections.  With the protections down Vreugdenhil used Internet Explorer 8 exploits to hijack the machine.  

Vreugdenhil is also a proponent of fuzzing to discover exploits.  He describes, "I started with a bypass for ASLR which gave me the base address for one of the modules loaded into IE. I used that knowledge to do the DEP bypass.  I was specifically looking through my fuzzing logs for a bug like this because I could use it to do the ASLR bypass."

IE team members were on hand to witness the feat.  They said that they are working with conference organizers to determine the nature of the vulnerability and make a patch to protect against it.


Wait for it...
By Iaiken on 3/25/2010 10:00:52 AM , Rating: 5
Where is Pirks, Apple Fanboy, Defender of the Faith?

When Apple hackers come out and say MS did a good job with Windows 7 security, it's worth taking notice.

RE: Wait for it...
By biggsjm on 3/25/10, Rating: -1
RE: Wait for it...
By amanojaku on 3/25/2010 10:59:28 AM , Rating: 5
Maybe I misunderstood the Win7 hack, but it used IE to hack the OS. That is the same thing as the iPhone and Mac hacks; all three were "user initiated" by simply navigating to a malicious web page. All three hacks are valid and 100% possible for anyone with an Internet-connected computer. Considering how hackers have uploaded malicious content to well known sites like CNN, the fact is no site is trustworthy.

RE: Wait for it...
By weskurtz0081 on 3/25/2010 11:26:57 AM , Rating: 2
Yeah, all three exploits were done via the browser.... IE, over the internet.

I wonder who fixes the exploits first?

RE: Wait for it...
By pequin06 on 3/25/2010 11:50:58 AM , Rating: 5
Microsoft will issue a patch, Apple will charge for the new feature.

RE: Wait for it...
By Samus on 3/25/2010 6:10:16 PM , Rating: 3

RE: Wait for it...
By B3an on 3/27/2010 12:49:29 AM , Rating: 2
LOL and release it 6+ months after MS's patch.

RE: Wait for it...
By kamel5547 on 3/25/2010 12:02:55 PM , Rating: 3
All three exploits are browser based. The summary on DailyTech is a little misleading. "HOW: Target is lured to a website hosting an exploit - the attack code bypasses ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention) - the attacker gains user right on the machine"

An interesting note is that no one attempted to exploit Chrome due to difficulty in getting out of its sandbox. So I guess the real thing to do is drop your current browser and use Chrome.

15 years ago (1995) Apple had roughly 11% of the personal computer market, so it was probably a more attractive target than now...

On a side note the moral of the story may be that iPhone users are screwed as they cannot use an alternate browser. It's too easy to craft a bad "page", in fact it's as easy as buying an ad and convincing a reputable site to carry it (which has happened many times).

RE: Wait for it...
By jimhsu on 3/28/2010 9:53:26 PM , Rating: 2
A well managed whitelist (e.g. NoScript) will always be superior, although usability suffers. Just saying...

RE: Wait for it...
By arjunp2085 on 3/26/2010 3:53:09 PM , Rating: 2
Hey is pirks on vacation??? No post from him .. that's ODD!!!

"Where is Pirks, Apple Fanboy, Defender of the Faith?"

RE: Wait for it...
By Gio6518 on 3/27/2010 12:34:23 AM , Rating: 2
Hey is pirks on vacation???

Bizarre how reader1 comments are also missing coincidence ?

RE: Wait for it...
By crystal clear on 3/27/2010 4:19:42 AM , Rating: 2
Where is Pirks

That shows you all miss him very much !.

Yes the very fact you need him, shows he is of entertainment value !.

He like Apple is considering charging you for every update he posts on the site.

When Apple hackers come out and say MS did a good job with Windows 7 security, it's worth taking notice.

Yes the same hacker recommends you buy a Mac ! it's worth taking notice.

Charlie Miller prefers to use Macs & recommends you to buy one !
By crystal clear on 3/20/10, Rating: 2
By crystal clear on 3/20/2010 1:11:37 PM , Rating: 2

Not that Win7 is bad ..its just a case of choice & personal preferences.

By the way all O.S. are work in progress......

Read this-

Ubuntu's Latest Should Scare Microsoft

The Ubuntu community, shepherded by the company Canonical, has delivered not only its fastest operating system to date but has included so many flourishes that are relevant to today's PC market that it should receive much stronger consideration in competitive engagements than ever before. From social networking to security to desktop cloud services, the Beta 1 of Ubuntu 10.04, the so-called Lucid Lynx version, leaves Windows 7 behind in several areas with tightly integrated applications.

Moral of the story
By corduroygt on 3/25/2010 10:15:31 AM , Rating: 1
All systems can be hacked, but hacking Macs is not worth it even though it's easier. Security through obscurity works.

RE: Moral of the story
By amanojaku on 3/25/2010 10:34:34 AM , Rating: 2
hacking Macs is not worth it
Linux OS - Free
Reasonably-priced Laptop - $800
Shoving that holier-than-thou attitude down a fanatic's throat - Priceless

Speaking of which:

RE: Moral of the story
By biggsjm on 3/25/2010 11:04:40 AM , Rating: 5
. . . watching even an educated user struggle with maintaining the system? Priceless.

Look, I'm not bashing Linux. I love the OSS model and think that Linux (Ubuntu is the one I use at home on my desktop) is pretty amazing. That being said, I don't see how a system like that could be "easy to use" for a non-tech user. Ubuntu has gone a long way at improving the system to make it more user friendly (one of the reasons I'm able to run it as my secondary machine now) and the new music store and ubuntu one will take it even further. But there are droves and droves of people who think that even the iPhone and all of its locked-down glory is too difficult to use.

I think people don't mind buying an entry level machine at higher price points ($600 for a mini / $900 for a mac book) if they think they will have less frustration or support costs. I'm not saying that this is actually true, I'm just saying that this is one reason why mac sales are surging. They have a store where you can talk to friendly people, they have an OS that is purported to be easier to use (and in some cases it is) and they have good customer service ($99 and for an ENTIRE YEAR you can come in for hour-sessions to learn about how to use your machine).

That's pretty compelling for the hockey-mom.

Linux isn't.

As for Windows . . . I think its dominance in the work place pretty much assures that it will be the majority desktop for some time to come.

RE: Moral of the story
By amanojaku on 3/25/2010 11:24:07 AM , Rating: 3
I like Linux, but I wasn't advocating it as a user OS. God forbid; I get enough calls about trivial Windows issues, which are usually the result of negligence. Like not being able to find files because they were deleted. By the user...

I was pointing out the hackers' systems. Only one was a Mac, and it was likely the machine being broken into. Even Charlie, who's already won a few free Macs from this competition, likes using a non-Mac. That's saying quite a lot when free hardware is passed up in favor of other hardware.

RE: Moral of the story
By xpax on 3/25/2010 11:26:53 AM , Rating: 3
Oh, it's worth it for sure. It's time that people realized that this is 2010, and there's no excuse for being an idiot who doesn't know how to use computers. It's time that people realize they can't hide behind Apple any more, and they're actually going to have to properly learn how to use the technology in front of them. Or you know, face their own limitations and adopt a more Luddite ethos.

RE: Moral of the story
By kmmatney on 3/25/2010 3:51:25 PM , Rating: 2
OK - that totally doesn't make sense. For 99% of people, they have no need to know the "technology" behind their computers, they just need to know how to use Word, Excel, CAD, Photoshop, or whatever software they use. You can be a computer idiot, and still be very good at what you do on a computer.

RE: Moral of the story
By AssBall on 3/26/2010 5:14:52 PM , Rating: 2
40,000 years ago we didn't know much about bones and rocks, but we knew they were better than hands for beating, slicing, and cutting stuff.
You don't need to have to know equations for torque, shear, pressure, and friction memorized to be handy with a wrench.
You don't need to know about belt timing, cam shaft design, and the Bernoulli principle to be an excellent race car driver.
You don't need to know how a computer works to use it for profit or personal enjoyment.

Knowing how to work a tool is often more important than knowing how a tool works.

Blackberry Browser?
By Mitch101 on 3/25/2010 9:31:00 AM , Rating: 3
I expect everything to be hacked as these guys come well prepared to show their latest work. I'm not really interested in the hack itself but how much control of the device they are able to achieve through their method and the iPhone access is really scary as the Windows 7 access.

I'm not sure anyone had Chrome on their radar as far as the browsers go.

Finally even if they don't give out full details they do list the methods which give hackers a lead on where to look and try.

RE: Blackberry Browser?
By Smilin on 3/25/2010 1:16:12 PM , Rating: 2
The windows hack only allows user access.

RE: Blackberry Browser?
By eddieroolz on 3/25/2010 4:07:38 PM , Rating: 2
Chrome gets patched quicker, so even if they do exploit a hole it probably would be patched by the Chromium devs within a few days.

Spin machine is warming up
By pequin06 on 3/25/2010 10:59:11 AM , Rating: 2
Apple followers will (and already have) state that any hack on an apple device requires the users to go to a "bad" site to get hacked and therefore the apple device is truly hacker proof.
Get real fan boys, a hack is a hack.
I can use the same excuse for an XP system, but that doesn't fly for some reason.

RE: Spin machine is warming up
By xpax on 3/25/2010 11:29:51 AM , Rating: 3
Yeah, but they can only use that defense if they're STUPID. All hacks for Windows at this point are accomplished the same way. People's machines filled up with spyware, trojans, etc are all the result of indiscriminate and uneducated browsing.

"Oh, it says my system is unprotected and I should click here." Morons. These are the same people who allow thieves into their home who are pretending to be from the gas company doing an unscheduled inspection. Get a clue, really.

RE: Spin machine is warming up
By PrezWeezy on 3/25/2010 2:43:22 PM , Rating: 2
In all fairness, (and I am in no way trying to make a case for Apple) even CNN has been infected by the Fake AV virus which on XP doesn't ask you to install, it just installs. That is completely and totally the fault of Java, however, and Sun should be kicked in the butt until they get it fixed. But CNN, MSNBC, the Seattle Times, a bunch of high profile, completely legit sites have been compromised by Fake AV.

By crystal clear on 3/27/2010 2:28:29 AM , Rating: 4
Charlie Miller won't hand over 20 flaws he found by fuzzing Mac OS, Office, Adobe Reader

The only researcher to "three-peat" at the Pwn2Own hacking contest said today that security is such a "broken record" that he won't hand over 20 vulnerabilities he's found in Apple's, Adobe's and Microsoft's software.

Instead Charlie Miller will show the vendors how to find the bugs themselves .

"We find a bug, they patch it," said Miller. "We find another bug, they patch it. That doesn't improve the security of the product. True, [the software] gets incrementally better, but they actually need to make big improvements. But I can't make them do that."

"People will criticize me and say I'm a bad guy for not handing over [the vulnerabilities], but it actually makes more sense to me to not tell them," Miller said. "What I can do is tell them how to find these bugs, and do what I did. That might get them to do more fuzzing." That, Miller maintained, would mean more secure software.

"Maybe some will say I'm bragging about finding the bugs, that I can kick ass, but I wasn't that smart. I did the trivial work and I still found bugs."

He went into the project figuring that he wouldn't find any vulnerabilities with the dumb fuzzer. "But I found bugs, lots of bugs. That was both surprising and disappointing."

And it also made him ask why vendors like Microsoft, Apple and Adobe, which have teams of security engineers and scores of machines running fuzzers looking for flaws, hadn't found these bugs long ago .

One researcher with three computers shouldn't be able to beat the efforts of entire teams, Miller argued. "It doesn't mean that they don't do [fuzzing], but that they don't do it very well."

By refusing to hand over technical information about the vulnerabilities he uncovered , Miller is betting that Microsoft, Apple and others will duplicate his work, and maybe, just maybe, be motivated to do better . "I think they'll feel some pressure to find these bugs," he said.

By bhieb on 3/25/10, Rating: 0
RE: Hacking?
By Chocobollz on 3/26/2010 9:15:01 AM , Rating: 1
Yeah, it's more like user's problem so I think they should fix the user :P

RE: Hacking?
By sbtech on 3/26/2010 9:30:50 AM , Rating: 1
Do you understand the concept of the sandbox security model, the need for it, the competitive advantage one company should have over another by adding more value (here security).

Your logic is flawed when you say that in 2010.

RE: Hacking?
By Gio6518 on 3/27/2010 12:39:19 AM , Rating: 1
To me this is not a bug per se. If you have to rely on tricking the user then it is not really an OS problem IMHO (sure they should fix it).

and what virus doesn't depend upon the stupidity of the user.....

1) questionable website (porn etc.)
2) torrents
3) out of date or expired anti-virus (if any)
4) e-mails
5) tired of typing but you get the point
