
Safari browser allows Mac to be easily taken over at hacker convention, Vista, Ubuntu machines survive the day

It has not been a good couple weeks for Apple and Safari.  First Opera knocked it from its position as sole 100 percent compatible Acid3 browser.  Then it tried to force iTunes users to unintentionally download the browser as part of an iTunes update, which included a pre-checked install option for Safari.  The move was met with broad criticism, including from Mozilla's CEO, who commented that Apple was bordering "on malware distribution practices."  Finally, Safari users who updated to v3.1 reported many bugs and crashes.

Now the browser, which Apple CEO Steve Jobs once called the "most innovative browser in the world and the most powerful browser in the world", has had more bad news.  At the CanSecWest Show, an annual security conference, it was found that the Safari browser was surprisingly insecure, allowing successful attacks on Mac computers.

CanSecWest sponsors an annual hacking contest, which seeks to recognize vulnerabilities and give a comparative analysis of OS security.  A Mac, Vista machine, and Ubuntu box survived the first round, which only allowed pre-authentication attacks – a successful attack would have yielded a $20,000 prize.  However, on the second day, the flood gates were opened and hackers were allowed to use default-installed client applications.

The Mac fell within minutes, hijacked by security researcher Charlie Miller.  Miller compromised the computer through security flaws in the new Safari 3.1 browser, which he declined to make public.  For his takeover via the new vulnerability, Miller netted a sweet prize of $10,000.  Surprisingly, the hackers were unable to gain control of the Vista or Ubuntu machines that day.

On the third day, hackers were allowed to exploit popular third-party applications.  Hackers found the Vista machine surprisingly hard to crack in what they thought would be an "easy pickings" day.  The improved security is likely owing largely to SP1, perhaps because of NX support for heap memory.  In the end it was taken down by a cross-platform Flash Player attack.  The Ubuntu machine survived the day.

Some point out that the Mac and the other machines may be even more vulnerable than the show indicates, noting that a pre-authentication vulnerability might command a price of $50,000 or more elsewhere, making an exploit at the show unprofitable.  According to eWeek's security analysts, "Safari is prone to a remote code-execution vulnerability because it fails to adequately handle regular expressions with large, nested repetition counts. Inaccurate compilation lengths are calculated, and an overflow results."

Miller didn't even have to use other new vulnerabilities that are also known for Safari.  The first is a simple overflow attack using zip files.  The second attack allows injection of content in a window belonging to a trusted site.

A recent independent analysis confirmed that Apple patches its vulnerabilities slower than Microsoft.  The analysis followed a controversial Microsoft report by Jeff Jones, known for trashing Firefox for its bugs.  The report indicated that 36 vulnerabilities in Vista were fixed over a total of nine patching events, and 30 unpatched vulnerabilities remained, while a total of 116 vulnerabilities were fixed in OS X over 17 patching events, with 41 unpatched vulnerabilities.

Apple's patches last year indicated its slower-than-acceptable patching pace.  They included patches for four vulnerabilities known since 2006 and two known since 2005.  The oldest of these, a vulnerability in Apache, had a fix released by Apache in 2005.

Security experts point out that despite Apple's poor security, its machines remain less attacked than Windows machines.  Many believe this is simply a matter of market share.  With Mac sales on the rise, there may soon be a large increase in Apple-targeted malware and takeovers, with the Safari browser taking the brunt of the attacks.

Comments

By cscpianoman on 3/31/2008 12:48:41 PM , Rating: 4
This is the experience of one event, I wonder if Apple will release a statement tomorrow still touting their security advantages along with a slew of new Mac ads. <shudder>

I just got the safari update request and I am quite disgusted. Now that I know there is a Winamp feature that plays itunes and a quicktime alternative it is time to give Apple's software the boot. I don't want Safari, I don't care for Safari, leave it be Jobs.

RE: Ironic...
By FITCamaro on 3/31/2008 1:38:05 PM , Rating: 4
Yet they'll make fun of Vista for how "insecure" it is. I think that tests like this show that Vista is a pretty secure OS when it took a third-party app that Microsoft has no control over to crack into the system.

I guess the main question here is, how was each machine set up? Set up as a regular, sheeple consumer's PC or set up as a knowledgeable computer user's PC.

RE: Ironic...
By JoshuaBuss on 3/31/2008 2:02:38 PM , Rating: 5
they were default installs with only basic third-party applications (like flash and java) added.

it's interesting that it took flash AND java to crack vista... that's a pretty complex hack and certainly something microsoft can't even do much about to fix. way to go vista!

(granted, ubuntu's even better of course) :)

RE: Ironic...
By Goty on 3/31/2008 4:01:16 PM , Rating: 5
Ubuntu probably didn't get cracked because they didn't bother to get flash working correctly in firefox =P (speaking from experience, here).

RE: Ironic...
By glennpratt on 4/1/2008 10:58:31 AM , Rating: 2
Yeah, because either checking a box in Synaptic or typing
sudo apt-get install flashplugin-nonfree
is sooooooo hard.

Now it is marginally complex if you're running 64 bit, but that's Adobe's fault; they don't provide 64 bit software for anyone last time I checked. Windows browsers just default to 32 bit to save you the hassle.

RE: Ironic...
By omnicronx on 3/31/2008 2:18:19 PM , Rating: 2
What's ironic is that MacOSX is unix based, yet it does not even come close in security comparisons to linux or BSD systems. I mean if Apache is outdated by 2-3 years, how can Apple ever think they will get any considerable marketshare beyond the day to day personal use.

I mean you sure as hell can't use a vulnerable version of apache on your production machine.

RE: Ironic...
By michael2k on 3/31/2008 4:28:25 PM , Rating: 2
Why wouldn't a competent developer install the latest stable version of Apache on their machine?

RE: Ironic...
By marvdmartian on 3/31/2008 4:00:10 PM , Rating: 5
I'm just LMAO at Apple, and all Apple fanboys. They've touted their invulnerability for so long, this must be leaving quite the taste of ashes in their collective mouths now.

I'd love to see Microsoft hire the two actors that play "PC" and "Mac", and have them make a commercial where "Mac" is just standing there, hanging his head in shame, while "PC" points and laughs uproariously at him.

I guess maybe it's time that Apple got a taste of what it's like to be given the smackdown by hackers, and taught that if you want a bigger share of the limelight, it goes with a bigger share of hackers wanting to exploit your vulnerabilities. Welcome to the big time, Apple!

RE: Ironic...
By wildmannz on 3/31/2008 6:57:11 PM , Rating: 2
I have a PC and a Mac. Call me agnostic.
I'd like to see an Ad like that too.

Read the article so you understand what happened a bit better.
Apparently it wasn't done in just a day. The guys prepared the hack weeks in advance.
Of course - that doesn't excuse the vulnerability.
Just sayin'

RE: Ironic...
By kelmon on 4/1/2008 9:05:51 AM , Rating: 2
Anyone who touted the Mac as being invulnerable was a muppet. However, at present there's no known vulnerability in the wild so the situation hasn't changed in that respect.

For clarification, however, I do consider this an "EEK!" moment and I've switched my day-to-day browser to Camino.
