On Thursday, March 27th, a MacBook Air became the first victim in the second annual Pwn2Own hacking contest at the CanSecWest conference. It took security researcher Charlie Miller only 2 minutes to win the $10,000 cash prize (and the MacBook Air) by discovering and exploiting a previously unknown vulnerability in the Safari Web browser. Miller immediately signed a non-disclosure agreement with contest sponsor TippingPoint, who promptly reported the flaw to Apple. No details will be released until Apple patches the vulnerability.
Last year, the Pwn2Own contest was limited to two Macs, but contest organizers opened the field this year by pitting Mac OS X 10.5 Leopard against both Microsoft Windows Vista and Ubuntu Linux. The rules are simple; if a researcher can “pwn” a fully patched laptop (“pwn” is hacker lingo for completely exploiting and taking over a system), they take home the laptop and a cash prize. The amount of cash decreases every day as the rules make it easier for an attacker to control the system. No one claimed the $20,000 prize on the first day for remotely exploiting any of the systems through a network attack. On the second day, when the MacBook Air went down, attackers were allowed to email or direct the Web browser on the system to a hostile site (known as a client-side attack). On the last day of the contest the conference organizers installed a variety of common third-party applications for the attackers, but the prize dropped to $5,000. By the end of the contest, only the Linux system had not been compromised.
Although we need to take contests like these with a grain of salt, we can’t dismiss the results. Since it took Charlie Miller only 2 minutes to compromise the MacBook Air, it’s clear that he walked in the door with a complete exploit ready to go. That’s far different from creating one on the spot. Still, it’s concerning that Mac OS X was the first victim to succumb to attack since the contest rules don’t favor any particular platform.
The Windows Vista laptop held out until the last day, finally succumbing to a vulnerability in the Adobe Flash player. This is likely an indication that the new anti-exploitation security features of Vista are effective at making it more secure than Windows XP, and more secure than it would have been without these changes. Although Apple added similar features to Mac OS X in Leopard, such as library randomization, discussions with security researchers indicate that these defenses are not yet fully implemented, and thus provide little additional security.
As a Mac enthusiast and security professional, I spend a lot of time talking and working with the research community. Most feel that Mac users are relatively safer than Microsoft Windows users, but that Mac OS X has lost its lead as a secure consumer operating system. This was, in many ways, by necessity. Windows is under such constant onslaught that Microsoft had little choice but to increase the operating system’s security significantly or face the risk of losing customers, especially among their corporate clients. (But I can also say from experience that Windows Vista suffers from severe usability issues, most of which are completely unrelated to the new security features.) Since Macs are much less frequently attacked, Apple isn’t under nearly the same pressure. The researchers I work with, most of them Mac users themselves, frequently identify Safari and QuickTime as particularly problematic programs to secure, and none were surprised by the contest results.
What does this mean to the average Mac user? Not much… yet. We’re no more or less secure today than we were the day before the contest, and we shouldn’t make major decisions based on stunts like these. Although I’m not ready to reverse my advice and send you all running to the nearest store for additional security software (see “Should Mac Users Run Antivirus Software?,” 2008-03-18), we, as a community, still can’t afford to be complacent. If security is a priority for us, it will be a priority for Apple. With Leopard, all the hooks are there for a very secure operating system. We just need to continue to pressure Apple to finish implementation and make it far more difficult for our platform of choice to lose next year’s contest.