Mac hack sparks debate – Dai Zovi and Macaulay take top prize
By Steve Ragan Apr 23, 2007, 15:00 GMT
Over the weekend, there was much debate over the nature of the exploit used in the ‘PWN to OWN’ contest held by CanSecWest. While the debate heats up, the truth of the matter is that, at the end of the day, Dino Dai Zovi, through his friend Shane Macaulay, took the top prize of $10,000 for successfully gaining root level access to OS X.
“One OSX box has been owned! At this point all we can say is there is an exploitable flaw in Safari, which can be triggered within a malicious web page. Of course, all of the latest security patches have been applied. This one is 0-day folks,” said the CanSecWest website Friday. The exploit has been disclosed by TippingPoint to Apple for later correction. For the record, the ‘PWN to OWN’ contest at the CanSecWest conference was modified, adding the cash to the prize as well as the MacBook. Some sources and news outlets say this was because of a lack of interest in the contest; others report that it was because of how difficult the original rules of the contest were. No matter the reason, Dino took the award money and Shane is keeping the MacBook.
If what is currently being discussed is true, and Dino created, tested, and released the exploit within hours of discovery, then the $10,000 prize is a nice payday and he should be given a hefty pat on the back. (If for no other reason than because that kind of rush job is hard to pull off.) The debate, however, is not about the contest or the prize; it is about how it was reported in the media.
Some of the early news reports cite several experts and sources. Blogs, comment posts, almost anything you would normally see cited was used in the stories. One point that was missed, in this reporter’s opinion, was the difference between local and remote exploitation. There is a huge difference between the two. The contest allowed for an email with a malicious link to be sent to the computer. The link, when followed, is what triggers the exploit and allows the system to be compromised.
Testing of the exploit so far shows that Safari, Camino, and Firefox are all vulnerable. Patches and security settings are being debated heavily online. Some claim the systems were left open and the proper patches were not in place. According to CanSecWest, the systems were patched and updated to current standards. The bulk of the patches released in the last few days were not on the systems, and if they were, it would have mattered little. The exploit supposedly works regardless.
If you read the earlier reports on the contest, it would appear that the ‘myth of Mac security’ was busted. Well, remember the difference between local and remote exploitation and you will see that it was not. There is also the fact that there were many reasons for the Mac at CanSecWest to be exploited or ‘rooted’ as it was. Ten thousand of them, to be precise. Offer someone cash and allow local exploits or any means to gain access and, no matter the system, someone will take your money.
The debate over the news reports and the usual arguments are still taking place. The arguments are over the rule changes of the contest, local versus remote exploitation, and, as is normal when it comes to security and the Mac, what operating system is best. Some claim the local exploit is no threat. No matter the operating system, anything that a user can click on that can later lead to exploitation is a threat. That covers EXE files, email links, or even installing applications that give local or remote access to a third party. They are all threats; it is just that the level of danger changes depending on the method used to compromise the computer.
No matter the argument or point expressed, this time they are all stale, because the news here is that someone worked through the night and created a local exploit that will net a payday of $10,000.
Dino and Shane earned the prize. They played by the rules set, they worked as a team, and because of that they pulled it off. Dino is reported to have said that it was sheer luck that he discovered the flaw when he did. It may be luck, but whatever it was, he is now richer for it.
Apple has released no public statement on the issue, and the disclosure process is closed to the public and media. No word has been issued as to when there will be a patch for the exploit used in the contest. A fix circulating on the web claims that disabling Java in the browsers negates the issue. Dino, in so many words, has also stated this is true, but has not given any detailed information about workarounds or the exact methods of the exploit.