Matasano Chargen » Blog Archive » Hot Off The Matasano SMS Queue: CanSec Macbook Challenge Won

Hot Off The Matasano SMS Queue: CanSec Macbook Challenge Won

Thomas Ptacek | April 20th, 2007 | Filed Under: Apple, Uncategorized

EXCLUSIVE: MUST CREDIT MATASANO

More details as they become available. In the meantime, a drinking game: predict the rationalizations given by Mac zealots for why this finding “doesn’t count”.

I’ll start: “It took $10,000 to break a Mac, but people break Windows machines for free every day!”

[Update: 6:12 EST]

EXCLUSIVE: MUST CREDIT MATASANO

About an hour ago, security researcher Shane Macaulay leveraged a clientside exploit to bind a remotely-accessible shell on the fully-patched MacBook used by the PWN 2 0WN contest at CanSecWest.

The vulnerability and exploit were developed last night by Dino Dai Zovi, in the wake of an announcement by 3Com establishing a $10,000 bounty on successful exploitation of one of the contest MacBooks. Said Dino: “I think I may have set the land-speed record”.

Shane keeps the laptop, Dino keeps the reward.

Details about the specifics of the vulnerability to follow at a later date.

[Update: 7:45 EST]

Dragos and the CanSec crew beat us to the punch while I was commuting home, but, yes, it’s a Safari clientside.

[Update: 7:55 EST]

You were wondering if your MacBook was vulnerable even after you applied that last batch of Apple patches? Sean Comeau confirms, “Currently, every copy of OS X out there now is vulnerable to this”. You are. So, uh, switch to Firefox until the patch comes out? Or live dangerously like me.

Leave it to Theo to mouth off about it: Apple is “extremely litigious when people do find stuff”. Yeah, uh, no they aren’t. But thanks for playing.

[Update: 1:37P EST]

EXCLUSIVE: MUST CREDIT MATASANO

The vulnerability affects Firefox as well as Safari. More details, momentarily.

[Update: 1:46P EST]

Turn off Java; to be safe, until Dino lets us say more, turn off everything else too. Or live dangerously like me. You don’t have to be more secure than Windows to be safer than it.

[Update 6:00EST Monday]

More details emerging —- vulnerability in QuickTime, may place Windows users at risk.

Viewing 160 Comments

Dave G. 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

"It's only clientside... How is someone going to get me to go to a malicious webpage"

reply edit reblog flag

http://www.matasano.com/log

Thomas Ptacek 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

"But Macs have automatic update, so nobody will be vulnerable to this for more than a few hours"

reply edit reblog flag

http://www.matasano.com/log

Thomas Ptacek 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

"You guys are jerks"

reply edit reblog flag

http://www.matasano.com/log

shooter 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Was this before or after today's released security update? And would it matter?

reply edit reblog flag

g 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

I'm reading this on my MacBook Pro, and I just wanted to say that this "does count."

reply edit reblog flag

Martin Pilkington 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Probably the most likely (because it's the easiest to argue) would be the "But it was for a challenge and there's still no exploits out in the wild". Which is true. I honestly think the day the first widespread Mac exploit appears in the wild will be a good day as it will ground the more zealous mac users. And I'm a Mac user myself so it's not like I'm ranting against them because I hate them. I just think some people like to take "more secure" as "invulnerable".

reply edit reblog flag

http://www.mcubedsw.com

wrc 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

"Client-side attacks in OSX, but still OSX much better than windows"

reply edit reblog flag

Dave G. 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

It is important to note that lots of mac folks do get security. We are making fun of a loud and often-ill-informed subset of the mac community.

reply edit reblog flag

http://www.matasano.com/log

Gustav 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

I can't seem to find what they actually did? I wonder if the recreated the old disk image flaw, which can be disabled simply by unchecking "Open 'safe' files after downloading" in Safari's preferences. Regardless, Apple should really remove that feature or disable it by default.

While I agree many Mac users should be more serious about security, it's still not time to say MacOS X and Windows are on equal footing - not by a long shot.

reply edit reblog flag

Todd M. 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

How about the actual (almost) excuse Gruber himself makes:
"Makes me wonder whether it’s another exploit against Safari’s on-by-default “Open ‘Safe’ Files” preference."

reply edit reblog flag

http://breakingpointsystems.com

Walid 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Well,
Nice to see that any time a Mac OS vulnerability is discovered it makes the news. There's so few of those! With windows it's so common...
This said, of course Macs are vulnerable. What isn't?
One of the reasons, as pointed out in the article, is that there's a Mac for every gazillion windows pc, so exploits for Macs are more for sports than money. To me it's a great reason to be Mac. Sorry Steve: sell all the iPods you want, just don't advertise Macs too much. 3 or 5% market share is enough.

reply edit reblog flag

dre 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

daveg: you said, "lots of mac folks do get security". does this include the engineers/developers at Apple Computer?

reply edit reblog flag

sxtxixtxcxh 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

submitted to digg: http://digg.com/apple/MacBook_0wned

reply edit reblog flag

http://endignorance.com/sxtxixtxcxh

Mark Grimes 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

One little two little, five hundred and thirty five lil webkit heap overflows -- wait that doesn't flow... so being presumptuous, i'm mystified that local user -> local root context in the second hack is still standing hours later. Not having fuzzed webkit in a loooong time, I'm still under the impression that there are more then enough lurking... have things gotten better?

Still under the tone of presumption, what year is Apple going to adopt heap protection? Maybe the media will cover it (again) that Vista continues to be more secure. Oh well you have to spend time working on securing an OS to secure an OS -- we aren't growing sea monkeys

reply edit reblog flag

rp 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

"Nowadays, security guys break the Mac every single day. Every single day, they come out with a total exploit, your machine can be taken over totally. I dare anybody to do that once a month on the Windows machine."

Oh wait, that's Bill Gates, nevermind.

reply edit reblog flag

Nectar 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

"Well, it's not a real-world scenario. Still no viruses."
"I bet it depends on third party software."
"Another faux disclosure!!! Where's the proof? Where's the code?"
"That would never happen to me."

Dino: wow on the mind-blowing acceleration from-standstill-to-pwnership. Congrats on the bounty. Buy me a ponie?

reply edit reblog flag

Mo 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

@Mark Grimes: There probably are plenty of other heap overflows in WebKit, but you're pretty limited in the number of ways that'd help with a local privilege escalation exploit, unless you can find a way that WebKit's executed by a SUID app.

reply edit reblog flag

Paul Blair 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

"But they didn't get root! Everyone knows that without root, viruses can't do anything bad."

reply edit reblog flag

http://toadlife.net

Thomas Ptacek 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

The DMG vulnerability that "open safe files" was implicated in wasn't even exploitable.

reply edit reblog flag

http://www.matasano.com/log

Ryan Russell 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

So why is it that Dino wrote the 'sploit, but Shane used it?

reply edit reblog flag

http://ryanlrussell.blogspot.com/

Thomas Ptacek 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Because Dino cannot teleport.

Yet.

reply edit reblog flag

http://www.matasano.com/log

Thomas Ptacek 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

NO WAIT NEW DRINKING GAME: Conspiracy theories for why Dino couldn't do it in person. I vote: CUZ HE FAKED IT.

reply edit reblog flag

http://www.matasano.com/log

Chris 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

My conspiracy theory: Dino was going to perform the exploit himself, but was nabbed by Apple PR folks in a black van outside the hotel. Thankfully he left the code on a disc where K2 could get at it. Ownage ensues...oh wait, that's the wrong movie. ;)

reply edit reblog flag

Nate 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

I think I'm reading this on a malicious website. Good thing I'm too poor to upgrade from FreeBSD to Mac OSX.

Congrats to Dino on his quick execution. I guess we've established an OSX clientside is worth somewhere between $3K and $10K. And OSX remote is worth somewhere > $10K. With binary search and enough datapoints, we can have our own vuln futures market.

reply edit reblog flag

http://www.root.org/

Ryan Russell 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

I see. You don't give your guys time to go to CanSecWest? What are you doing over there, trying to ship product?

reply edit reblog flag

http://ryanlrussell.blogspot.com/

Dave 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Chiming in on a drinking game...
Drink if you read:
- Snobby comment about Mac superiority.
- Snarky comment about Windows.
- Snarky comment about Macs or Apple.
- Snobby comment about Windows superiority based on the idea that because lots more people use Windows it is better.
- Snarky comment about Gates being nerdy or rich.
- Snarky comment about Jobs being arrogant or controlling.

Chug if you read:
-Snarky comment about both Windows and Macs in one post.
-Half-hearted attempt at snobby comment about Linux or Unix superiority.
-Attempt at argument that Mac OS is superior because it is built on Unix.
-Attempt at argument that Windows has superior security because it gets lots of viruses and exploits.
-Post with link to a website that remotely escalates account privileges.
-Rationalization that a prize winning, Zero day exploit on OS X means that OS X is less secure than any other OS.

reply edit reblog flag

ignis fatuusz 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Congratulations to the hackers on the find, and thanks (from a long-time Mac user and evangelist). Stuff like this will keep Apple on its toes, and its users safer in the long run. It'll be interesting to see how this plays out in the next few weeks/months.

reply edit reblog flag

Mike 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

"Time to remotely exploit a stock Mac over the LAN: Undetermined.

Time to create an exploit for a stock Mac via a malicious website: 9 hours.

Time to exploit a stock XP machine via LAN, malicious site, email payload, macro virus, GIF trojan, Messenger hack, IE quirk: how fast is your stopwatch?"

Congratulations to Dino on the $10K reward. May it go towards the purchase of an Octocore Mac Pro, to reduce compile times for the next demonstration of his coding prowess.

reply edit reblog flag

http://www.tuaw.com

LarryV 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

At least this wasn't discovered in the wild, but in a controlled manner. Hopefully Apple will fix it quickly and perhaps take a deeper look for more possible vulnerabilities.

reply edit reblog flag

Jeff 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

I'm glad they found it (no snarky comment here), as it only strengthens the platform. As long as Apple fixes it quickly, of course. Which I have no doubt they will

/crosses fingers.

Anyone know if it affects both Intel and PPC?

reply edit reblog flag

mike3k 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

But you have to be running Safari, which I despise. Firefox is the only browser I'll use on any platform (except the Wii, of course).

reply edit reblog flag

2 /people/mike3k/ /people/mike3k/following/ http://mcdevzone.com/ mike3k mike3k mike_c mike3k

Rosyna 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

So was this problem in WebKit or in Safari? The report doesn't make it clear.

Also, why'd they have to lower the bar? The original "contest" was accessing a Mac remotely without getting the Mac to do anything special. Then it was changed to autoloading a specific URL? Was Safari automatically relaunched if it crashed?

reply edit reblog flag

http://www.unsanity.org

Thomas Ptacek 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

The report doesn't make it clear because it's not clear. What you know now is that it's been verified, the prize has (apparently) been awarded, and that it involves visiting a malicious location in the Safari browser.

I don't know anything about the "original" rules vs. the "current" rules, but note that the worst Microsoft problems are also clientside vulnerabilities in the core user applications.

reply edit reblog flag

http://www.matasano.com/log

Rosyna 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Thomas, I ask if it is WebKit or Safari because if it is WebKit, it may already be fixed (as are many, many other bugs in the nightlies). But the nightlies all use the same Safari. For example, I am using the ToT WebKit (build 522+), but still using the Safari 2.0.4.

As for "original" versus "current" you can see the changes here http://cansecwest.com/index.html

Notice on 4/20 the attack surface was increased. Also, there's another Mac that's still open in the contest. The same exploit cannot be used twice. The new one requires you also become root.

reply edit reblog flag

http://www.unsanity.org

BrianD 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Another question would be: Is this exploit patched by the MOAB fixes patchtool?

reply edit reblog flag

Ian Graham 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

CanSecWest earlier today lowered the barriers as planned since "there has not been a successful attack."

Sorry but if you have to "lower" your barriers, than that's not a true deal. Sort of like having a hockey goalie play without pads and a glove because he stopped every shot otherwise. Why would CanWest do this on only the second day too? Load of junk!

reply edit reblog flag

Dave G. 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Ian:

Clientside vulnerabilities are common attack vectors against windows systems as well. What you call "lowering the barriers", I would call "normal use cases for a Mac".

reply edit reblog flag

http://www.matasano.com/log

bri 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

"my IDP will just strip out the malicious code anyhow"
"let's see it work in the wild first"

obligatory: duuuude, i wonder if he totally pwned it at 4:20 on 4/20..

reply edit reblog flag

James J 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

As Ian states is correct as the organisers lowered the barrier in order to find a winner. In other words the organisers relaxed their rules.

Sorry Dave G. but having to change the rules enough to allow a contestant to try another means of gaining access via Safari does not constitute normal use cases for a Mac. However I am glad that a possible flaw has been identified eventhough this flaw in all likelihood will not effect other Mac owners outside of CanSecWest and the winner(s).

Remember CanSecWest set a competition and no one likes an unwinnable competition where no one wins. By raising the award to $10,000 the organisers had to relax the rules somewhere.

There is one more MacBook Pro to go and the same method cannot be used again, plus root access has to be made in order to win this one. Should this be successful and I doubt it will be as long as the organisers don't relax their rules, this is the one to watch and see what happens.

I put it to you all here what would it be like if the same set of rules for a competition was applied to a Windows laptop, say a Sony Vaio? Would the organiser of that have to relax the rules? I know that Microsoft ran a similar contest for Vista and somehow the details of that disappeared - I wonder why?

reply edit reblog flag

flynn 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Just wondering for how long Dino has been sitting on that exploit for real...

reply edit reblog flag

Chris 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Congrats on the 10k prize Dino, thats awesome. I can't believe an OSX vuln is worth that much though. If an OSX vuln can go for 10k now, then a remote Linux vulnerability should be able to fetch 15k, and a remote MS vulnerability better be somewhere near 20k at the very least. Remote Linux vulnerabilities are under valued in my point of view. Most of the stats I can google still show a huge Linux server market that is still growing. I don't have numbers for linux desktop share but thats obviosuly growing too, more then ever before. Any thoughts? I have not personally sold a vulnerability so for all I know those $ amounts are ridiculously off scale.

reply edit reblog flag

http://em386.blogspot.com

Brian R 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

So, if I'm running Firefox or OmniWeb or Camino on my PowerBook (instead of Safari), are my browsers exploitable in the same manner?

Also, given that no OS is invulnerable to exploitation, why was the attempted remote hack unsuccessful? Drive by exploits in Windows have been dime-a-dozen....

reply edit reblog flag

Brian R 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Here's an interesting read re the MacBook exploit coverage:

http://www.roughlydrafted.com/RD/RDM.Tech.Q2.07...

reply edit reblog flag

Maccampus 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Rosyna :

I'dd like to find out how i can use these nightly build Webkits in my Safari & other Webkit based Browsers/RSSreaders

Do we still require the http://groups.google.com/group/moabfixes if we use the latest Mac OS & all security updates ? And why doesn't these get included in Paranoid Android, the security Ape you crated & later open sourced 5 so Landon hasn't got an excuse to get involved & make this happen)

To anyone who can answer this one :

Does this hack, which is javascript if i'm correct, needs admin rights ?

In other words; if the user who browses to the hacked website has no admin rights & the user doesnt provide a admin user name & password can this hack do his work?

reply edit reblog flag

Thomas Ptacek 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

"Drive-by" exploits of Windows haven't been "a dime a dozen" for years.

reply edit reblog flag

http://www.matasano.com/log

Thomas Ptacek 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

James: you haven't even read the stories, have you? They didn't "do" anything to make the Mac's more vulnerable to attack. If you use Safari, you lose. Pretty common use case.

Thanks for playing the drinking game though.

reply edit reblog flag

http://www.matasano.com/log

BobTurbo 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

"Drive by exploits in Windows have been dime-a-dozen…. "

Chug chug chug.

reply edit reblog flag

Hal B 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Re: the people complaining about a rule change: The rules always specified that it would get progressively easier.

See
http://lists.immunitysec.com/pipermail/dailydav...
and
http://www.securityfocus.com/archive/142/464216...

which were both posted long before the contest started.

reply edit reblog flag

Brian R 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Anyone who is using OSX and Windows in the real world side by side knows what the real deal is about this security issue...well beyond the fact that neither is impervious to exploits. Yeah...'Dime a Dozen' and Windows exploits over the past 5 years is an egregious understatement.

reply edit reblog flag

newsham 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

What, Dino couldn't deliver the payload via the canadian power grid!? Congrats to dino for the sploit writing and to k2 for the quick economic analysis.

Btw, is k2 covering the capital gains taxes? Inquiring minds want to know!

reply edit reblog flag

Dino Dai Zovi 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Thanks for all the congrats.

Nectar: Anything left over from spending it on an octocore mac pro goes toward your pony :).

Other drinking game speculators: With any 0day bug, there is a ton of conflicting information in what it is in and what is affected. I obviously don't want to say too much so as to hint as to where the bug is until a patch is released. I will say that applying slightly paranoid web browser configuration changes will prevent this vulnerability from being exploited.

And no, I have not been sitting on this exploit, I really did find the vulnerability and write the exploit that night. I got lucky :). I have spent way more time not finding bugs many other times.

reply edit reblog flag

http://www.theta44.org

Thomas Ptacek 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Tim: SHHHHHHHHHHHHH. They might hear you.

reply edit reblog flag

http://www.matasano.com/log

Thomas Ptacek 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Brian: http://www.matasano.com/log/644/safety-vs-secur...

reply edit reblog flag

http://www.matasano.com/log

d 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

"’Dime a Dozen’ and Windows exploits over the past 5 years is an egregious understatement. "
You said remote exploits. The "dime a dozen" exploits are exploiting client-side vulnerabilities you try to poo-poo.

reply edit reblog flag

Brian R 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Social Engineering (phishing) and PEBCAK are vulnerabilities for users regardless of platform. If you don't have physical access to my Mac and I don't exhibit PEBCAK stupidity on the web....well....I think you get the idea.

reply edit reblog flag

Dave G. 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Brian:

Common misconception is that browser attacks are only social engineering or PEBCAK issues. There have been multiple cases where popular websites were hacked and an attacker modified the website to serve up some clientside zeroday.

reply edit reblog flag

http://www.matasano.com/log

Matt Thomas 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Congrats Dino and Shane. It should be interesting to see how long it takes for Apple to fix this. I also wonder if there are larger implications since Webkit is used throughout MacOS X (assuming it's a webkit issue and not a safari issue)

reply edit reblog flag

http://codecaffeine.com

danieleran 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

InfoWorld Publishes False Report on Mac Security

"Nancy Gohring, writing for InfoWorld, delivered a misleading report yesterday on a Mac security exploit contest held at the CanSecWest conference in Vancouver, BC.

"In her defense, it appears likely that Gohring did not write the headline for her InfoWorld article, which described the contest winner as being “able to remotely break into a Mac as part of a contest designed to illustrate security flaws in OS X.” That part was simply wrong.

"Whoever did write the headline must have been smoking weed in celebration of 4/20, because Gohring’s article clearly described a local exploit. There’s a big difference between the remote exploits that made Windows infamous for its insecurity and a local exploit of an application."

More info under a series of subheadings:

Gohring's Mac Security Myths
Microsoft’s Security Embarrassment
Mac OS X and Security
The Mac Minority Malware Myth
Why Macs Aren’t Sending You Spam

reply edit reblog flag

http://roughlydrafted.com

Brian R 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Dave G:

Agreed...ActiveX enabled sites come to mind on the Windows side. Re the Mac Safari exploit, I'm curious what specifically needs patching on Safari that isn't necessary for Firefox, Camino, OmniWeb, etc. (assuming that they are not similarly vulnerable).

reply edit reblog flag

Thomas Ptacek 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

It's stuff like that RoughlyDrafted article that pits the Mac zealots against the security Mac people. Clientsides are not "local" vulnerabilities.

reply edit reblog flag

http://www.matasano.com/log

Thomas Ptacek 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Brian, unless you've disabled Javascript (have fun!), your analysis of the seriousness of "malicious URL" problems is remarkably off. It is trivial to get people to visit malicious sites.

reply edit reblog flag

http://www.matasano.com/log

Robert Moir 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

It strikes me that a lot of the arguments being presented here in defence of the Mac (browser exploits not local, PEBKAC, "dumb defaults which no one really uses" and the like were sneered at by Mac advocates when used to defend the same sort of problems on the Windows platform.

And they're still wrong, either way.

reply edit reblog flag

Jim Schmidt 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Finding the flaws will only improve the OS. I do believe the reporting leaves a lot to be desired as it does not appear to be very accurate.

On a side note, those complaining about "mac zealots" seem to be very anti-mac zealots, so it just becomes a perpetual circle-jerk between the two camps. If I could filter out all the moronic MS, Linux, *nix, OS X posts' and just read level headed articles I would. But that will never happen when the people reporting continue to sensationalize.

Congrat's on the 10K, btw!

reply edit reblog flag

Robert Moir 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

"On a side note, those complaining about “mac zealots” seem to be very anti-mac zealots, so it just becomes a perpetual circle-jerk between the two camps."

I'd just like people to realise that their safety or lack of safety is down to hard work by security researchers, OS designers and *themselves* on one side vs. black hats and script kiddies on the other side. Not magic, or how nice the CEO of the company smiles at the camera.

reply edit reblog flag

julian 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

"How about the actual (almost) excuse Gruber himself makes:
“Makes me wonder whether it’s another exploit against Safari’s on-by-default “Open ‘Safe’ Files” preference.”"

I just wanted to note that the reason Gruber brings this up is that he has made it very clear in previous articles that he believes "Open 'Safe' Files" should be turned off by default. Every new exploit found which makes use of this preference is another point in favor of getting that preference turned off by default.

Mac users want Macs to be secure, too.

If Dino really did discover this flaw on-the-fly as claimed that's very impressive. Congratulations.

Maybe it'll be another point in favor of getting rid of Java. ;)

reply edit reblog flag

julian 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

"I’d just like people to realise that their safety or lack of safety is down to hard work by security researchers, OS designers and *themselves* on one side vs. black hats and script kiddies on the other side."

If you guys count LMH and the users themselves on the same side, I think LMH didn't get that memo.

reply edit reblog flag

Robert C. 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Here's a rationalization: "So few people use Macs that it's not worth the trouble to exploit this bug--nobody will try to attack Mac users it even if the bugs go unfixed."

Oh wait. That's (close to) Apple's actual strategy.

reply edit reblog flag

http://irobert.org

Thomas Ptacek 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Jim Schmidt: that's a weird criticism to level at a group of people who have almost universally standardized on the Mac as a platform --- I'm speaking of security and vulnerability research on the whole, not simply Matasano (which has ALSO standardized on the Mac, and has probably more than once used Macs on Microsoft engagements).

I think, in this once instance, that I speak for the community as a whole when I say: it's not the Mac we don't like. It's you.

reply edit reblog flag

http://www.matasano.com/log

Jim Schmidt 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Thanks for making my argument Mr. Ptacek. I have said nothing bad about anyone except how it seems there are two extremes on both sides that perpetuate this "zealotry". I did not claim Mac to be superior nor MS to be inferior. I did not call anyone names nor did I say I "hate" anyone, yet you respond with "I think, in this once instance, that I speak for the community as a whole when I say: it’s not the Mac we don’t like. It’s you."

This is an example of the exact behavior that is uncalled for. Direct personal attacks. I believe the behavior of "zealotry" on either side is abhorrent, but this isn't going to make me "hate" a person. My goodness man, that is such a childish reaction.

Did I strike some nerve with you? Remember the old saying, if the shoe fits....

reply edit reblog flag

Dave 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

"If an OSX vuln can go for 10k now, then a remote Linux vulnerability should be able to fetch 15k"

No it would be an OPEN SOURCE vulnerability and therefore it'd go for free.

reply edit reblog flag

http://blog.pixelgun.com

Thomas Ptacek 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

I'm glad we understand each other, Jim.

reply edit reblog flag

http://www.matasano.com/log

Thomas Ptacek 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

By the way, in case it makes the saddle on your high horse any more comfortable, a quick subset of the words you used in your two comments:

zealotry, superior, inferior, "calling names", hate, behavior, "personal attacks", abhorrent, childish, nerve, zealots, "inaccurate", complaining, "perpetual circle-jerk", moronic, sensationalize.

Now, in fairness, the worst of my response to you:

"None of us like you."

reply edit reblog flag

http://www.matasano.com/log

Brian R 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Thomas, in the interest of accuracy in understanding the nature and scope of the exploit in question, are you reporting that ANY Mac browser with Javascript enabled is exploited, or just a subset of those browsers? I suppose the number of malware-powered bots out there demonstrate how trivial it is to get numbers of computer users to surf to a bogus url and enjoy the consquences.

However, one of the problems with the reporting of this exploit is the insinuation that the motvating factor is to shove pie in the face of all those Mac zealots who brag that OSX is invincible. In my opinion, this contest would be a hell of a lot more interesting if the winner had hacked a lappie configured the way that a growing number of broadband users would: ie., OSX firewall enabled; stealth mode enabled; running behind a router with SPI enabled, etc.

reply edit reblog flag

Thomas Ptacek 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

It's not Javascript. A Javascript vulnerability would be a much bigger deal, because turning Javascript off breaks the Internet.

Yeah, I turned off Javascript too, but I did that because there's always a risk that Dino will whip out a Javascript variant just to make me look dumb. But there's no specific reason to do that right now.

reply edit reblog flag

http://www.matasano.com/log

Brian R 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Then, why did you suggest turning off Javascript in this very thread? This is starting to come across as a shell game. Make no mistake, I have no illusions that Apple has their security sh*t buttoned down tight. But, there is so much mis-information swirling around about this exploit that it calls into question any assertions at this point, unless supported by detail that sheds light and doesn't obfuscate.

reply edit reblog flag

Todd M 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

@julian:
The reason I made mention of Gruber's comment vis-a-vis 'open safe files' is that I seriously doubt that ZDI would pay $10k for an exploit that depends upon that.

@Brian R:
I fail to see how your suggestions of "OSX firewall enabled; stealth mode enabled; running behind a router with SPI enabled, etc." would matter.

A host-based firewall would let any web content in, as it's been requested by a user behind the firewall. Stealth mode has no effect because again, the attack is a clientside bug in Safari. A router inspecting packets will only be able to detect attacks that it has configured in its filters, which may not detect a 0day attack.

reply edit reblog flag

http://breakingpointsystems.com

Rosyna 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

If it's not JavaScript, why mention turning it off at all? Why mention turning off Java, what does Java have to do with JavaScript? Looks like a, what's it called, McGuffin?

You can get the webkit nightlies from WebKit.org.

As the days go on, this is looking more like a plugin problem if FireFox has the same issue.

Thomas, I assume that Dino did the responsible thing and immediately reported the bug to Apple's security team or immediately reported it to the security component in their bug reporter?

reply edit reblog flag

http://www.unsanity.org

Jason CRAIG 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

It seems like Opera will keep holding its "the most secure web browser" crown for some time! I use Opera. May be Opera can pay $10k as well?

reply edit reblog flag

Rosyna 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

if this is Java, does it affect PowerPCs too or just ICBMs? IIRC, they have different source bases with different people in charge of each.

reply edit reblog flag

http://www.unsanity.org

Thomas Ptacek 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Brian: lighten up. I can disclose that it's a Java applet vulnerability. Dino said "slightly paranoid browser configuration" stops it. You can reasonably assume that turning Java off solves the problem.

I'm simply going to delete comments that try to turn this into the Maynor game. There is zero question that Dino's exploit works, and, because of the manner it's been disclosed, virtually no chance that Apple isn't going to acknowledge it.

reply edit reblog flag

http://www.matasano.com/log

Thomas Ptacek 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

By the way: anyone tempted to gripe about the "obfuscation" can direct their attention at 3Com.

reply edit reblog flag

http://www.matasano.com/log

Jim Schmidt 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Yes Mr. Ptacek I used those big bad words to describe broad generalizations of basically a group of people whom posters have been calling "mac zealots". At no time did I refer to a person. Nor did I characterize you or any group except for these "zealots" both anti and pro mac that people are complaining about.

The only person that made it personal was you. I find this illuminating. Taking what words I use and just listing them out of context is a cute way to attempt to make it seem that I'm name calling, but if you go back to either of my posts I have not done so. I'm sorry if you felt I was calling you childish, I was not, just your response.

Further, don't you think it is a bit presumptious to speak for "everyone" or did I miss something and you are God?

I apologize if any of my words, none of which were ever directed at you, hurt you. I'm sorry that they cut so close to the bone that you felt a need to respond in such a hateful manner.

reply edit reblog flag

Thomas Ptacek 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

"big bad words", "generalizations", "complaining", "personal", "cute way to attempt", "childish", "presumptious", "you are God?", "hurt", "cut so close to the bone", "hateful".

Do you have anything technical to contribute? I just posted a challenge. Take a crack at it! Maybe it'll take your mind off of how fed up you obviously are with security professionals.

http://www.matasano.com/log/809/a-little-challe...

reply edit reblog flag

http://www.matasano.com/log

Terri Forslof 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

First- Congratulations to Dino for winning the contest!
To help alleviate some of the questions about the disclosure of this vulnerability, and details surrounding it-
Dino has submitted the details of the vulnerability he used to the Zero Day Initiative program. We will independently verify the issue (as quickly as possible) and then formally contract the vulnerability and award the bounty to Dino.
As soon as the issue is verified, we will immediately disclose the vulnerability to Apple (and Mozilla since Firefox has found to be vulnerable as well).
At that time, we'll post the issue on our upcoming advisories page: http://www.zerodayinitiative.com/upcoming_advis...
So everyone can track it until Apple resolves it.

As per the ZDI disclosure policy, details of the vulnerability will not be discussed in depth until the respective vendors have a chance to get updates out.

reply edit reblog flag

http://www.zerodayinitiative.com

grrrr 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

If it is a java applet bug are other systems that have java like linux or windows also affected?

reply edit reblog flag

Fred Hanranhansenhansen 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

The thing I like about this bug and also the MOAB bugs is that they are not big-game. You don't even need a hunting license to hunt these bugs. You can be a rodent and rabbit hunter ... small varmints, if you will ... and still hunt these tiny little bugs.

There are individual Microsoft Windows bugs that have cost billions of dollars. The singularly low quality of Microsoft software is the elephant in the room in tech today. Anyone defending Microsoft on a technical level has to be immediately suspect because they are so far out of date that my next phone is going to have both a better core OS and better Web engine than Microsoft Windows Vista. It isn't just Microsoft's illegal business practices that are the problem there is also the massive quality problem.

reply edit reblog flag

Snagg 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

I might be wrong, but I think is a plugin problem. Those of you who runs Safari just go to http://www.etienne.nu/isis/start.html (IS an High IQ society website) you will see safari crashing. From the backtrace one of the last thing it tries to do is to open a new bundle:
11 com.apple.Foundation 0x92bc9a00 _NSBundleLoadCode + 820
12 com.apple.Foundation 0x92bc91e0 -[NSBundle load] + 308
13 com.apple.Foundation 0x92bc9094 -[NSBundle principalClass] + 44
14 com.apple.WebKit 0x95be1690 -[WebPluginPackage load] + 60

And then He has some serious problems with images mapping:
1 libobjc.A.dylib 0x90a45d4c flush_caches + 220
2 libobjc.A.dylib 0x90a3fb7c _objc_read_categories_from_image + 136
3 libobjc.A.dylib 0x90a3d260 map_images + 656
4 dyld 0x8fe0f590 ImageLoaderMachO::doNotification(dyld_image_mode, unsigned, dyld_image_info const*) + 108
5 dyld 0x8fe035c4 dyld::notifyAdding(std::vector >&) + 260
6 dyld 0x8fe0dc34 ImageLoader::link(ImageLoader::LinkContext const&, ImageLoader::BindingLaziness, ImageLoader::InitializerRunning,

I cannot say wheter the bug discovered by Dino was this or not, but to me it sounds like..

reply edit reblog flag

http://www1.autistici.org/snagg

Brian R 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Terri..
Thanks for that post. Can you disclose whether Dino's reported vulnerability affects browsers beyond Safari and Firefox: ie., Camino, Opera and OmniWeb?

reply edit reblog flag

Thomas Ptacek 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Fred, no company in the world spends more on software security, PER TITLE, than Microsoft.

reply edit reblog flag

http://www.matasano.com/log

Thomas Ptacek 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

grrrrrr: doubt it.

reply edit reblog flag

http://www.matasano.com/log

Jim Schmidt 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

So Mr. Ptacek you are claiming that people in the security field are either mac zealots or anti-mac zealots?

I have nothing against computer security professionals, real ones. A true professional does not would not make generalized statements or take words out of context in an attempt to make themselves look good.

You do not appear very professional Mr. Ptacek as you have assigned things to me that I have never said and taken things I have said out of context.

I'll post a challenge for you Mr. Ptacek, can you make a post without cut and paste? Can you find where I said I am fed up security professionals? I'm not by the way but if you can find the post cool! But you prefer to right things in the hopes people will read it and if enough people read it maybe it will become fact.

What are you going to accuse me of next Mr. Ptacek?

reply edit reblog flag

Thomas Ptacek 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Not having anything interesting to say.

reply edit reblog flag

http://www.matasano.com/log

newsham 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

"A true professional" -- wouldn't a true security professional ("real ones") be someone who is trained in computer security who gets paid to do computer security? ie. what Tom's been doing since 1997 or thereabouts? (That's what I always thought, but I'm not really that great with the english).

reply edit reblog flag

Thomas Ptacek 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

95, yo. FreeBSD crt0 was my first finding.

reply edit reblog flag

http://www.matasano.com/log

Thomas Ptacek 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Every time I try to play the "I Actually Am A Lawyer" card, someone accuses me of being elitist; just like every time I say the Mac is safe, but not secure, I'm accused of hating the troops.

Hypothetical straw-man Mac person: if I could send you back through time so you could catch up to security research circa this decade, really and for true, I'd do it.

reply edit reblog flag

http://www.matasano.com/log

Brian R 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Thomas, is your 'Mac-standardized' group running AV on Tiger? I've found that Intego's VirusBarrierX4 plays nice with the OS and apps, but of course, hasn't been catching anything yet.

reply edit reblog flag

Thomas Ptacek 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

I don't see the point. There really aren't any major Mac viruses.

reply edit reblog flag

http://www.matasano.com/log

El Capitano 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

"EXCLUSIVE: MUST CREDIT MATASANO" (repeatedly)

You don't really understand how the press works, do you? It's news now. Sorry. You can't insist on attribution any more.

reply edit reblog flag

http://www.realultimatepower.net/

Thomas Ptacek 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

You've really never read the Drudge Report before, have you? No offense, but I think your sense of humor needs tuning.

reply edit reblog flag

http://www.matasano.com/log

Brian R 2 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Thomas, the 'point' is elementary. Those of us who trade files in a mixed OS environment every day (60% of my day is in Windows XP Pro) have to avoid inadvertently passing along any Windows malware that is otherwise harmless for the Mac. The Mac doesn't get a free pass in our enterprise. See the point??

reply edit reblog flag

Hot Off The Matasano SMS Queue: CanSec Macbook Challenge Won

Add New Comment

Viewing 160 Comments