Print 56 comment(s) - last by Gondorff.. on Apr 2 at 2:23 PM

Safari browser allows Mac to be easily taken over at hacker convention, Vista, Ubuntu machines survive the day

It has not been a good couple weeks for Apple and Safari.  First Opera knocked it from its position as sole 100 percent compatible Acid3 browser.  Then it tried to force iTunes users to unintentionally download the browser as part of an iTunes update, which included a pre-checked install option for Safari.  The move was met with broad criticism, including from Mozilla's CEO, who commented that Apple was bordering "on malware distribution practices."  Finally, Safari users who updated to v3.1 reported many bugs and crashes.

Now the browser, which Apple CEO Steve Jobs once called the "
most innovative browser in the world and the most powerful browser in the world", has had more bad news.  At the CanSecWest Show, an annual security conference, it was found that the Safari browser was surprisingly insecure, allowing successful attacks on Mac computers.

CanSecWest sponsors an annual hacking contest, which seeks to recognize vulnerabilities and give a comparative analysis of OS security.  A Mac, Vista machine, and Ubuntu box survived the first round, which only allowed pre-authentication attacks – a successful attack would have yielded a $20,000 prize.  However, on the second day, the flood gates were opened and hackers were allowed to use default-installed client applications.

The Mac fell within minutes, hijacked by security researcher Charlie Miller.  Miller compromised the computer through security flaws in the new Safari 3.1 browser, which he declined to make public.  For his takeover via the new vulnerability, Miller netted a sweet prize of $10,000.  Surprisingly, the hackers were unable to gain control of the Vista or Ubuntu machines that day.

On the third day, hackers were allowed to exploit popular third-party applications.  Hackers found the Vista machine surprisingly hard to crack in what they thought would be an "easy pickings" day.  The improved security is likely owing largely to SP1, perhaps because of NX support for heap memory.  In the end it was taken down by a cross-platform Flash Player attack.  The Ubuntu machine survived the day.

Some point that the Mac and others may be even more vulnerable than the show indicates as some have noted that a pre-authentication vulnerability might command a price of $50,000 or more elsewhere, making an exploit at the show unprofitable.  According to eWeek's security analysts, "Safari is prone to a remote code-execution vulnerability because it fails to adequately handle regular expressions with large, nested repetition counts. Inaccurate compilation lengths are calculated, and an overflow results."

Miller didn't even have to use new vulnerabilities also known for Safari.  The first is a simple overflow attack using zip files.  The second attack allows injection of content in a window belonging to a trusted site. 

A recent independent analysis confirmed that Apple patches its vulnerabilities slower than Microsoft.  The analysis followed a controversial Microsoft report by Jeff Jones, known for trashing Firefox for its bugs.  The report indicated that 36 vulnerabilities in Vista were fixed over a total of nine patching events, and 30 unpatched vulnerabilities remained, while a total of 116 vulnerabilities were fixed in OS X over 17 patching events, with 41 unpatched vulnerabilities.

Apple's patches last year indicated Apple's slower than acceptable patching pace.  It included patches for four vulnerabilities known since 2006 and two known since 2005.  The oldest of these, a vulnerability in Apache, had a fix released by Apache in 2005.

Security experts point out that despite Apple's poor security, its machines remain less attacked than Windows machines.  Many believe this is simply a matter of market share.  With Mac sales on the rise, there may soon be a large increase in Apple-targeted malware and takeovers with the Safari browsing taking the brunt of the attacks.

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

By BigToque on 3/31/2008 12:46:20 PM , Rating: 2
What is the general method people use to gain access to these systems? I assume by gaining access, it is meant that they have full read and write access.

I also assume they're not figuring out the usernames/passwords and logging in remotely, so what exactly has to happen to gain access to the system?

By Trisagion on 3/31/2008 1:03:44 PM , Rating: 5
Well, hackers don't usually gain full access to a system (administrative rights) in a single step unless the machine is completely unprotected. Usually, it's a combination of hacks that give incremental rights, until they reach their goal.

For example, a hacker might know or have discovered that browser X, when executing an uncommon sequence of code Y allows the hacker to execute another block of code Z with administrative privileges. This code Z can retrieve passwords, etc. for the hacker's next attack and so forth.
The hacker might embed Y itself in some innocuous looking website.

Of course, browser's are just one point of entry to a system. Good hackers can test other known points of vulnerability and see if anything gives...

By Master Kenobi on 3/31/2008 1:06:22 PM , Rating: 3
It's simple in theory. When you log into a computer, anything that runs, will run with your credentials. All the hacker needs to do is execute some code that your computer will handle to give himself access or cause your computer to "throw up" which basically dumps them out to the root with full access (it's considerably more complex than that but were trying to keep this at a high level).

They don't need your usename/password, they are hijacking a system that is already authenticated (you logged in didnt you?). This is why servers typically have no internet access or people when on a server do not use the root credential and instead used a restricted one to do their job that contains only the permissions they need and nothing more (especially not internet access or browser access).

By Mitch101 on 3/31/2008 1:42:44 PM , Rating: 1
Sometimes the hack is too obvious and is found out of curiosity or accidentally.

You know that background music you get when you go to a web page? Instead of pointing it to a WAV file a hacker used to be able to point it to a program. There are commands to do just about anything on a computer that you do through a GUI.

Most common I would say is putting an executable program where you wouldn't normally put one and having it execute on the machine.

Overflows are also common and then trying to get the dump data.

Imagination is key. Also know your place in the world. Dont ever mock a hacker no matter what skill level. A determined hacker with a case of Red Bull and the summer off. I wouldnt push it.

"This is from the It's a science website." -- Rush Limbaugh

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki