Safari exploited


mraya

 
Member Since: Feb 27, 2005
Location: Framingham, MA
Posts: 942
Mac Specs: MacBook C2D 2.4 2GB

If you are aware of the PWN to OWN contest you may know about this already...

http://www.engadget.com/2007/04/22/s...acking-compet/

http://news.com.com/2100-7349_3-6178131.html

Any thoughts?

baggss

 
Member Since: Oct 10, 2004
Location: Margaritaville
Posts: 10,309
Mac Specs: 27" 3.4 Ghz i7 iMac-13" C2D Macbook-OSX 18.8.2-64Gb iPad 2-32 Gb iPhone 5-ATV 2-14Tb of Storage

Meh, something else for Apple to fix....


walmartconnect

 
Member Since: Oct 13, 2006
Location: Blacksburg, VA
Posts: 724
Mac Specs: 13'' Macbook w/ 2Ghz Core Duo, 2GB DDR2, 250GB HD, 10.5.4. iPod Touch.

That is pretty funny.
D3v1L80Y

 
Member Since: Feb 02, 2004
Location: PA
Posts: 12,459
Mac Specs: MacBook

Well, let's look at some key details for this "hack":

1. "CanSecWest organizers will set up the MacBooks with their own access point and all security updates installed, but without additional security software or settings."

2. After nobody was able to successfully complete the task, the rules were then 'relaxed'. This was planned, as they expected failure. The original contest site states: "progressive rules over the three days". In the relaxed set of rules, a URL was provided that exposed Safari to a "specially-constructed Web page" which allowed the hacker to gain shell access to the MacBook. In other words, they continually aided these "hackers" by gradually crippling the machines to a point where no conscientious person would have his system set up.

3. What exactly did he do? The details have yet to be published, including whether or not his "exploit" was malicious. Did he have root access? How so? The root user is disabled by default. If he had root, then he would have to have had access on a local level, not from a different machine. He would also have needed the machine's password in order to activate the root user. The only way to have such information is to have exclusive knowledge of the machine, something your average hacker would not have.


After reading those articles and others related to this story, it would seem that the computer being "hacked" is the SAME computer that is being used by the "hacker"??? Sure, when you relax rules and allow a person to "hack" the very machine they are working on, thus giving them complete and total local access to the machine.... well, suddenly this doesn't seem so sensational or like much of a grand achievement.

"I can hack my very own Mac, the one sitting in front of me...w00t r0X0rZZZZ!!!!111"

Give me a break.

__________________________________________________
Posting and YOU|Forum Community Guidelines|The Apple Product Cycle|Forum Courtesy

mac: a waterproof raincoat made of rubberized fabric
MAC: a data communication protocol sub-layer, also known as the Media Access Control
Mac: a brand name which covers several lines of personal computers designed, developed, and marketed by Apple Inc.

Aptmunich

 
Member Since: Mar 09, 2004
Location: Munich
Posts: 9,075
Mac Specs: Aluminium Macbook 2.4 Ghz 4GB RAM, SSD 24" Samsung Display, iPhone 4, iPad 2

I don't think that was the case...

From what I've read, the change they made to the rules allowed the contestants to send the remote macbook an email containing a url, that was then opened by the competition organizers.

This is a fairly typical point of attack for many systems and is actually particularly dangerous in OS X Mail, as you can really easily disguise links and there's no way to see where the link actually goes before clicking on it.

Quote:
1. "CanSecWest organizers will set up the MacBooks with their own access point and all security updates installed, but without additional security software or settings."
That would be the majority of OSX users out there - I doubt many members here run 3rd party firewalls or "security software".


I agree that the reporting surrounding the exploit has been very sensationalistic (is that a word?), but the hack itself seems legit. Nonetheless it isn't out there in the wild, should be easily fixable and doesn't really do much besides prove a point.
Brown Study

 
Member Since: Mar 11, 2004
Location: Winnipeg
Posts: 1,964
Mac Specs: G4 Tiger and OS 9

Quote:
Originally Posted by Aptmunich View Post
From what I've read, the change they made to the rules allowed the contestants to send the remote macbook an email containing a url, that was then opened by the competition organizers.
The rules weren't changed. They stipulated from the outset that if the two Macs could not be breached in a given time, security would be weakened. This was the case, so event organizers using Safari clicked on contrived "malicious" websites built by the hackers expressly to run their exploits.

Since no one will divulge the successful hack, no one outside of the principals, and perhaps by now Apple, knows what it is. The method might be stunningly easy, which is highly unlikely, or incredibly contrived, which is far more likely.

The story on the exploit as written by InfoWorld has a grotesquely inaccurate headline that is meant to inflame. InfoWorld is owned by IDG, which has its own axe to grind regarding Apple.

The other Mac involved in the contest was not breached.
rollershoer4MAC

 
Member Since: Nov 18, 2006
Location: Wisconsin
Posts: 175
Mac Specs: iBook G3|800Mhz|256MB Ram|ComboDrive|30GB HD|

Eh, I use firefox anyways....

D3v1L80Y

 
Member Since: Feb 02, 2004
Location: PA
Posts: 12,459
Mac Specs: MacBook

Quote:
Originally Posted by Brown Study View Post
The rules weren't changed. They stipulated from the outset that if the two Macs could not be breached in a given time, security would be weakened. This was the case, so event organizers using Safari clicked on contrived "malicious" websites built by the hackers expressly to run their exploits......The method ... is highly unlikely, or incredibly contrived....

The story on the exploit as written by InfoWorld has a grotesquely innacurate headline that is meant to inflame. ....
Precisely. This hole in Safari is nothing new. It has been shown before. However, the only way to 'exploit' it is to put the target machine in a very specific, contrived, and egregiously unsafe state for it to work. A state that is really only found in a lab or other similar, controlled situation. This is not likely to happen in any real-world scenario.

The story was meant to sensationalize and to blow out of proportion a "lab only" situation. It still proves nothing new and it is still an unlikely event to happen to any normal user. It is merely "anti-Mac", Windows fanboy propaganda disguised as "informative news".
It is sort of ironic also that the prize here was the Mac itself.


Brown Study

 
Member Since: Mar 11, 2004
Location: Winnipeg
Posts: 1,964
Mac Specs: G4 Tiger and OS 9

The flaw is with Java (not JavaScript) and includes Firefox, not just Safari, this article says. I suppose any other browser would be affected, as well. A posted comment on that site in an earlier story said the same thing, so this latest article supports that poster's contention.

After reading about Java's many flaws months ago, I turned it off and have never come across a website that requires it.
Zoolook

 
Member Since: Sep 24, 2006
Location: Brooklyn, New York
Posts: 2,751
Mac Specs: 15" MacBook Pro, i7 2.66Ghz, 8GB RAM, 512GB SSD; iPad 3, iPhone 5

OK, own up, who doesn't run a firewall? I always run a firewall, no matter what, which is the router default firewall as well as the OS X firewall. There is no real reason to disable it, IMO, whether running Windows, OS X, Linux BSD, Unix or DOS 1.0.

In the land of the blind, the one-eyed man is stoned to death.
- Joan D. Vinge

D3v1L80Y

 
Member Since: Feb 02, 2004
Location: PA
Posts: 12,459
Mac Specs: MacBook

Quote:
Originally Posted by Zoolook View Post
OK, own up, who doesn't run a firewall? I always run a firewall, no matter what, which is the router default firewall as well as the OS X firewall. There is no real reason to disable it, IMO, whether running Windows, OS X, Linux BSD, Unix or DOS 1.0.
I always run mine, it is simple common sense to do so when you have a computer active on the internet.


Brown Study

 
Member Since: Mar 11, 2004
Location: Winnipeg
Posts: 1,964
Mac Specs: G4 Tiger and OS 9

Lots of people running OS X haven't turned the software firewall on even when the machine's not behind a router, because Macs don't ship with it turned on.

I never bothered with a firewall before OS X came along, and there were up to 60 Mac viruses, supposedly (though some say no more than 35), a small number compared to the Windows world but that many more than there are with OS X.

I still run OS 9 on the web without a firewall because it's no less difficult for a virus to gain entry than it ever was. And with OS 9, especially now, security through obscurity is no myth, and it's growing more obscure all the time.

But in the case of this Java exploit, a firewall would have no effect, anyway.
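Brown Study's point that a firewall would make no difference here, illustrated with an added example (not code from the thread, and not a model of any particular firewall product): a toy stateful host firewall in Python that drops unsolicited inbound connections but lets replies through on a flow the host opened itself, which is exactly what happens when the organizers click a URL in Safari. All addresses and ports are constructed.

```python
"""Toy stateful host firewall, added to show why it does not stop a
browser-delivered exploit: unsolicited inbound connections are dropped,
but a connection the browser opens (and the server's reply on that same
flow) is allowed. All addresses and ports here are constructed."""

from dataclasses import dataclass, field

MAC = "192.0.2.10"          # constructed: the contest MacBook
WEBSERVER = "198.51.100.7"  # constructed: server hosting the contest web page


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""


@dataclass
class StatefulFirewall:
    """Default-deny inbound, allow all outbound, remember flows the host opened."""
    host: str
    flows: set = field(default_factory=set)   # (remote_ip, remote_port, local_port)

    def decide(self, pkt: Packet) -> str:
        if pkt.src == self.host:
            # Outbound packet: allowed, and the flow is recorded so replies get in.
            self.flows.add((pkt.dst, pkt.dport, pkt.sport))
            return "ALLOW"
        if (pkt.src, pkt.sport, pkt.dport) in self.flows:
            return "ALLOW"   # reply on a flow the host itself initiated
        return "DROP"        # unsolicited inbound connection attempt


def browser_fetches_page() -> str:
    """The organizers click the URL: Safari opens the connection, so the
    page (and whatever Java content it carries) comes back on an allowed flow."""
    fw = StatefulFirewall(MAC)
    fw.decide(Packet(MAC, 49152, WEBSERVER, 80, "GET /contest HTTP/1.1"))
    return fw.decide(Packet(WEBSERVER, 80, MAC, 49152, "HTTP/1.1 200 OK ... page with applet"))


def unsolicited_connection() -> str:
    """By contrast, a direct connection to a service listening on the Mac is dropped."""
    fw = StatefulFirewall(MAC)
    return fw.decide(Packet(WEBSERVER, 40000, MAC, 22))


if __name__ == "__main__":
    print("page fetched by the browser:", browser_fetches_page())       # ALLOW
    print("unsolicited inbound to port 22:", unsolicited_connection())  # DROP
```

The inbound rule set never sees anything to block, because the malicious content arrives as the reply to a request the victim's browser made; the control that matters is on the client side (patching, or disabling the plug-in as Brown Study did).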
D3v1L80Y

 
Member Since: Feb 02, 2004
Location: PA
Posts: 12,459
Mac Specs: MacBook

Quote:
Originally Posted by Brown Study View Post
I never bothered with a firewall before OS X came along, and there were up to 60 Mac viruses, supposedly (though some say no more than 35), a small number compared to the Windows world but that many more than there are with OS X.
I never used a firewall pre-OS X either, but those two dozen or so "viruses" for the earlier Mac OSes were, in reality, nothing more than bad macros for early versions of Word and Excel for Mac. If you never used or enabled macros in those apps, or if you had anything past version 5.0 for Word or Excel, then you had nothing to really worry about.


cwa107

 
Member Since: Dec 20, 2006
Location: Middletown, Pennsylvania
Posts: 26,481
Mac Specs: 15" MBP, Core i7/2GHz, 8GB RAM, 480GB Crucial M500 SSD

Meh, I wasn't really impressed with this news, although it did give my Windows-loving friends something to talk about. Truth be told, ALL browsers have flaws - and they always will. There's simply no way to absolutely lock down a versatile Internet-enabled portal, teeming with 3rd-party add-ons (Java, in this example) that give it even more functionality. This is just the "always-on, always connected" world we live in today. What I would find impressive would be a hack that doesn't involve a browser. There have been many Windows vulnerabilities discovered that were non-browser specific.

Liquid and computers don't mix. It might seem simple, but we see an incredible amount of people post here about spills. Keep drinks and other liquids away from your expensive electronics!
Brown Study

 
Member Since: Mar 11, 2004
Location: Winnipeg
Posts: 1,964
Mac Specs: G4 Tiger and OS 9

Quote:
Originally Posted by cwa107 View Post
Meh, I wasn't really impressed with this news, although it did give my Windows-loving friends something to talk about.
According to this, Windows probably is affected, too.
Quote:
Gregg Keizer reports for Computerworld, "'Any Java-enabled browser is a viable attack vector, if QuickTime is installed. Apple's vulnerable code ships by default on Mac OS X (obviously) and is extremely popular on Windows, where this code introduces a third-party vulnerability,' said Thomas Ptacek of Matasano on the group's blog."