  #1   [ ]
Old 03-27-2008, 06:41 PM
Hylian Knight
Join Date: Oct 2006
View Posts: 695
Apple receives an F+ at System Security

http://news.yahoo.com/s/infoworld/20080327...infoworld/96676

Quote:
San Francisco - It may be the quickest $10,000 Charlie Miller ever earned.


He took the first of three laptop computers -- and a $10,000 cash prize -- Thursday after breaking into a MacBook Air at the CanSecWest security conference's PWN 2 OWN hacking contest.

Show organizers offered a Sony Vaio, Fujitsu U810, and the MacBook as prizes, saying that they could be won by anybody at the show who could find a way to hack into each of them and read the contents of a file on the system using a previously undisclosed "0day" attack.

Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but on Thursday, the rules were relaxed so that attackers could direct contest organizers using the computers to do things like visit Web sites or open e-mail messages.

Miller, best known as one of the researchers who first hacked Apple's iPhone last year, didn't take much time. Within 2 minutes, he directed the contest's organizers to visit a Web site that contained his exploit code, which then allowed him to seize control of the computer, as about 20 onlookers cheered him on.

He was the first contestant to attempt an attack on any of the systems.

Miller was quickly given a nondisclosure agreement to sign, and he's not allowed to discuss particulars of his bug until the contest's sponsor, TippingPoint, can notify the vendor.

Contest rules state that Miller could only take advantage of software that was preinstalled on the Mac, so the flaw he exploited must have been accessible by, or possibly inside, Apple's Safari browser.

Last year's contest winner, Dino Dai Zovi, exploited a vulnerability in QuickTime to take home the prize.

Dai Zovi, who congratulated Miller after his hack, didn't participate in this year's contest, saying it was time for someone else to win.
__________________

system: Intel Core 2 Duo e6400 @ 3.6GHz; 4*1GB RAM(micron D9GCT) @ 450mhz(DDR2-900) 4-4-3-8; Enermax Liberty 400AWT PSU; nvidia GeForce 8800GTS 640mb (660mhz core; 2120mhz mem)
OBAMA and BIDEN - 'we fight for you, blah blah we fight for you', theres only one man in this election that has fought for you, ONLY ONE and its not Obama.
  #2   [ ]
Old 03-27-2008, 06:55 PM
is Everyones friend!
SSBB Code: 4253 3236 8620
Join Date: Mar 2005
Location: hell if I know
View Posts: 5,514
Re: Apple receives an F+ at System Security

wow, now that's interesting.
__________________
Near a tree by a river there's a hole in the ground
where an old man of iron goes around and around
and his mind is a beacon in the veil of the night
for a strange kind of fashion there's a wrong and a right.
  #3   [ ]
Old 03-28-2008, 07:09 PM
V99 V99 is offline
Let Your V99 Do The Walking.
Send a message via MSN to V99

Join Date: Aug 2004
Location: in PS making ur sig ok?=\
View Posts: 4,686
Re: Apple receives an F+ at System Security

Wish I could do that sorta stuff.
  #4   [ ]
Old 03-28-2008, 11:53 PM
[insert clever custom title]
Join Date: Jan 2005
Location: Realm of Darkness.
View Posts: 3,179
Re: Apple receives an F+ at System Security

I too wish I could do something like this. Mostly to just say I can.
  #5   [ ]
Old 03-29-2008, 12:47 AM
Who do you love?
Wii Code: 8624-4982-5422-5009 SSBB Code: 1848-1339-0612 Phantom Hourglass Code: 4682-6474-2013
Join Date: Jan 2006
Location: Come Sail Away
View Posts: 5,322
Re: Apple receives an F+ at System Security

Hah. Take that Apple users.
  #6   [ ]
Old 04-04-2008, 01:22 AM
Hylian Knight
Join Date: Oct 2006
View Posts: 695
Re: Apple receives an F+ at System Security

Quote:
Originally Posted by http://dvlabs.tippingpoint.com/blog/2008/03/28/pwn-to-own-final-day-and-wrap-up
Vista Laptop was Won!: Congratulations to Shane Macaulay from Security Objectives - he has just won the Fujitsu U810 laptop running Vista Ultimate SP1 after it was installed with the latest version of Adobe Flash. Not only is he the official winner of the Fujitsu laptop, but also $5,000 from us. Shane received some assistance from his friends Derek Callaway (also from Security Objectives) and Alexander Sotirov. If you'll also remember, Shane Macaulay was Dino Dai Zovi's on-site team member at last year's PWN to OWN event in which they ultimately took the top prize.

Quote:
Originally Posted by http://www.allheadlinenews.com/articles/7010483023
Vancouver, British Columbia (AHN)-- The Linux running on a Sony Vaio remained undefeated at the end of a three-way computer hacking challenge Friday at the CanSecWest conference.
Sponsors had wagered three laptops to anyone who could hack into one of the systems and run their own software. A $20,000 cash prize sweetened the deal.
The MacBook Air went first; Independent Security Evaluators' Charlie Miller took the Mac after about two minutes work on Thursday. Miller took home $10,000, courtesy of 3Com's TippingPoint division, in addition to the new laptop.
After two days of work, Shane Macaulay finally cracked the tiny Fujitsu laptop running Vista on Friday, with a little help from his friends.
Macaulay said the flaw he exploited was a cross-platform bug that took advantage of Java to circumvent Vista's security. Macaulay said he chose to work on Vista because he had done contract work for Microsoft in the past and was more familiar with its products.
TippingPoint Manager Terri Forslof said several attendees tried to crack the Linux box, but nobody could pull it off. She noted that some had found bugs in the Linux operating system but many of them didn't want to put the work into developing the exploit code that would be required to win the contest.
so they got the OSX box in 2 minutes, they got the vista box in 2 days and they gave up on the linux box...
  #7   [ ]
Old 04-06-2008, 06:23 PM
Gerudo Thief
Send a message via Yahoo to I <3 Midna
Join Date: Apr 2008
Location: Texas
View Posts: 39
Re: Apple receives an F+ at System Security

To be fair, none of the systems were hacked on the first day. Only on the second day, when the rules were relaxed a bit, was the Mac hacked.
__________________

Midna, My Princess...
  #8   [ ]
Old 04-06-2008, 08:25 PM
"Do they always take years to record?"
Send a message via AIM to Aniday Send a message via Skype™ to Aniday
Join Date: Nov 2003
View Posts: 908
Re: Apple receives an F+ at System Security

Quote:
Originally Posted by I <3 Midna View Post
To be fair, none of the systems were hacked on the first day. Only on the second day, when the rules were relaxed a bit, was the Mac hacked.
Very true.

And when a Mac is hacked at every one of these conventions, Apple patches the weakness they found pretty quickly. Apple is really good with their patches.
  #9   [ ]
Old 04-06-2008, 09:00 PM
Fighting for the truth and the freedom, Gloria!!!!
Join Date: Nov 2005
Location: holding a GH controller
View Posts: 2,159
Re: Apple receives an F+ at System Security

wow, apple sucks. What else is new?
__________________

You know that crazy kid on your bus that laughs at random moments because he's thinking about something funny that happened yesterday? Yeah, that's me
  #10   [ ]
Old 04-06-2008, 11:00 PM
Hylian Knight
Join Date: Oct 2006
View Posts: 695
Re: Apple receives an F+ at System Security

Quote:
Originally Posted by Aniday View Post
Very true.

And when a Mac is hacked at every one of these conventions, Apple patches the weakness they found pretty quickly. Apple is really good with their patches.
as far as 0 day patching, apple is dead last among most considerations. M$ beats them, a few other *nix distributions beat them and...

well let google talk
apple 0 day - Google Search

that said it is undeniable that OS X is targeted FAR less than winblows, though not nearly as infrequently as most other *nix based OSes.
Quote:
Originally Posted by I <3 Midna View Post
To be fair, none of the systems were hacked on the first day. Only on the second day, when the rules were relaxed a bit, was the Mac hacked.
to be fair this vulnerability was "Go to this website and download this cool product"
and Apple makes claims that they're rock solid in regards to security for the average idiot. The average idiot could potentially have f'ed themselves over there.

and the vulnerability affecting vista also affected OS X (and ubuntu) but due to the rules of the contest it could not be used more than once.
Last edited by nighthawkx; 04-06-2008 at 11:06 PM.
  #11   [ ]
Old 04-07-2008, 05:06 PM
"Do they always take years to record?"
Send a message via AIM to Aniday Send a message via Skype™ to Aniday
Join Date: Nov 2003
View Posts: 908
Re: Apple receives an F+ at System Security

Quote:
Originally Posted by zeldask8r View Post
wow, apple sucks. What else is new?
Wow, you don't know what you're talking about. What else is new?


Quote:
as far as 0 day patching, apple is dead last among most considerations. M$ beats them, a few other *nix distributions beat them and...
Maybe I should have said 'most times'. I didn't read about any patching from this latest convention, but I remember that it was patched pretty quickly last time.
  #12   [ ]
Old 04-07-2008, 05:37 PM
Alpha Kenny Body
Send a message via AIM to Samus Aran Send a message via Yahoo to Samus Aran
Join Date: May 2003
Location: Xbox Live Arcade
View Posts: 3,185
Re: Apple receives an F+ at System Security

Quote:
Contest rules state that Miller could only take advantage of software that was preinstalled on the Mac, so the flaw he exploited must have been accessible by, or possibly inside, Apple's Safari browser.
Well, considering the way the dude hacked was with a flaw in Apple's Safari browser. I believe Safari is a pretty recent browser, and I remember recently (looks for article) there was a period of time that PayPal insisted that no Safari users were to use their PayPal information until a patch was made.

PayPal warns: Steer clear of Apple's Safari browser | InfoWorld | News | 2008-02-28 | By Robert McMillan, IDG News Service

One of many articles by Googling.
__________________
Din's Scavenger Hunt!
August, The Month of Jodd
  #13   [ ]
Old 04-07-2008, 09:52 PM
Hylian Knight
Join Date: Oct 2006
View Posts: 695
Re: Apple receives an F+ at System Security

Quote:
Originally Posted by Aniday View Post
Maybe I should have said 'most times'. I didn't read about any patching from this latest convention, but I remember that it was patched pretty quickly last time.
if you read more or less any of the links going off of that google search you'd have found that apple was more or less last when it came to giving timely patches.

by your very own standards that'd put M$ up there as being incredible with Apple being a few steps below. M$ is not incredible by any means.
  #14   [ ]
Old 04-08-2008, 05:25 PM
Gerudo Thief
Send a message via Yahoo to I <3 Midna
Join Date: Apr 2008
Location: Texas
View Posts: 39
Re: Apple receives an F+ at System Security

I must admit even though I am an Apple fan, I'm pretty disappointed in Safari. Apple knows it has some serious security issues, and yet they continue to do nothing... Hopefully this changes soon.
All times are GMT -5. The time now is 11:08 PM.