Money Meets Mouth on Mac Exploits
Two hackers were able to meet a challenge at CanSecWest by gaining access to one of two fully patched MacBook Pros (one 15-inch, one 17-inch). The computers were updated with the latest security release from Apple (Security Update 2007-004, released 2007-04-19). Shane Macaulay and Dino Dai Zovi combined efforts to compromise one of the Macs. Dai Zovi developed the exploit off-site, relaying it to Macaulay at the conference. (Other reports indicate that remote attackers were also eligible, but later reporting seems to contradict that.)
The contest was originally set up to offer attendees a chance to win either of the two MacBook Pro laptops, but 3Com’s TippingPoint division upped the ante by adding a $10,000 prize after the challenge started. Dai Zovi said that he has agreed to TippingPoint’s conditions and will accept prize money, which is pending. TippingPoint confirmed via email that they had verified the hack’s uniqueness.
The first challenge originally required the winner to retrieve a file protected with root permission on the root filesystem. The organizer planned to change the computers’ configuration each day, adding behaviors like polling a wiki page every five minutes or checking email.
After TippingPoint put its money on the line and the challenge progressed to include riskier behavior, the winning exploit appeared, requiring that a URL received via email was opened using the default Safari Web browser (relying on user interaction was a change from the original rules, after no one had been able to break in previously). However, the exploit wasn’t based on Safari’s “Open ‘safe’ files after downloading” preference, as was originally suspected. According to security researcher Thomas Ptacek, the attack was based on a flaw in Java, which would affect other Mac browsers as well; turning off the Enable Java preference in Safari or other browsers will protect against the vulnerability.
The malicious page caused Mac OS X to give user-level privileges to the attacker, if I read the explanation at the conference site correctly. Dai Zovi told ZDNet he discovered the exploit and implemented it in about nine hours overnight. The second computer is still unexploited, and requires that root privileges be obtained.
The contest was apparently designed to tweak Apple for what one organizer said was its lack of participation in the security industry. Dragos Ruiu told InfoWorld, “I hear a lot of people bragging about how easy it is to break into Macs,” and this contest gave them a chance to show their stuff.
3Com’s TippingPoint offers bounties via its Zero Day Initiative, which rewards researchers for handing over exploits that could otherwise be put to immediate malicious use. TippingPoint then updates its own security software and notifies the affected vendor. The firm later notifies its competitors, too.
[Article updated after publication to reflect Dai Zovi’s acceptance of the prize money, and TippingPoint’s confirmation.]