MBA hacked in 2 minutes while Vista and Ubuntu stand strong

fleurya · Mar 27, 2008

http://crave.cnet.com/8301-1_105-9905095-1.html

Hackers were able to gain access to a Macbook Air in 2 minutes by exploiting a Safari weakness and getting a user to connect with a malicious site. Luckily it was part of a competition where the actual method is only disclosed to Apple. But what's worse; the fact that a Mac was hacked, or that Vista couldn't not be?

MacGal · Mar 27, 2008

Yeeiiiks!!! That is really scary! And I thought that my Mac was safe from things like that.

Seriously, it makes the news when a Mac gets hacked into because it is such a rare occurrence. Windows computers get hacked every day and the media doesn't pay any attention because it happens all the time.

I still think that Macs are the more secure systems.

D3v1L80Y · Mar 27, 2008

fleurya said:
But what's worse; the fact that a Mac was hacked, or that Vista couldn't not be?

Again, same as last year's fiasco of fallacies.... nothing was "hacked".

article said:
No one was able to execute code on any of the systems on Wednesday, the first day of the contest, when hacks were limited to over-the-network techniques on the operating systems themselves. But on the second day, the rules changed to allow attacks delivered by tricking someone to visit a maliciously crafted Web site, or open an e-mail.

That isn't hacking, that is social engineering. Take note, that no person was able to actually 'hack' into the Mac until the rules were changed. Just like last year. They couldn't touch the Mac until the rules were changed and severely improbable situations were allowed to take place.

This story is nothing more than sensationalism. Use buzzwords like "hack" and a new product release with as much pomp and fanfare as the MacBook Air... and, well... you get the picture. It's just fodder for fanboyz.

fleurya · Mar 27, 2008

The rules were tweaked, but opening a website isn't anything extraordinary. Many hacks are perpetuated by people getting lured into connecting with a malicious site or opening a malicious email. If that's all that's required to let someone into my computer, it does make me sit up and pay a little attention.

Gbeav · Mar 28, 2008

I hope they shut this stuff down quick. Safari has become my browser of use.

andersmj · Mar 28, 2008

D3v1L80Y said:
Take note, that no person was able to actually 'hack' into the Mac until the rules were changed. Just like last year. They couldn't touch the Mac until the rules were changed and severely improbable situations were allowed to take place.

Unfortunately this is something Windoze users really like to just overlook when they see news like this (and it p****s me off) and then have a bash at our choice of computer/OS.

Notice that the article says that the judges were tricked into visiting this website with the attack code, but I guess that was what you meant with this not being hacking, but social engineering.

jram · Mar 28, 2008

Before the exploit could be executed, did OS X ask for a password?

giulio · Mar 28, 2008

OSX is not the weakness. It's Safari/Webkit that failed. Since Apple followed Microsoft and made a rendering engine part of the OS, it looks like OSX as a whole is vulnerable.

PS:
http://www.mac-forums.com/forums/showthread.php?p=623544#postcount623629

sanity1082 · Mar 28, 2008

i think it is funny how the windows and the ubantu hardware isnt mentioned but the fact it is a mba came up several times

D3v1L80Y · Mar 28, 2008

andersmj said:
Notice that the article says that the judges were tricked into visiting this website with the attack code

They weren't even tricked. They were told to go to the website. There was no trickery involved here.

jram said:
Before the exploit could be executed, did OS X ask for a password?

http://www.mac-forums.com/forums/showpost.php?p=580429&postcount=15

gunnerjoe · Mar 28, 2008

D3v1L80Y said:
Again, same as last year's fiasco of fallacies.... nothing was "hacked".

That isn't hacking, that is social engineering. Take note, that no person was able to actually 'hack' into the Mac until the rules were changed. Just like last year. They couldn't touch the Mac until the rules were changed and severely improbable situations were allowed to take place.

This story is nothing more than sensationalism. Use buzzwords like "hack" and a new product release with as much pomp and fanfare as the MacBook Air... and, well... you get the picture. It's just fodder for fanboyz.

Well he owns a new laptop either way. When he can take full control of the system that's not good, no matter how he did it. Visiting a malicious website is something that can happen to a lot of people. Mac users (my self included) can be a little cocky, and we just got B%$#$ slapped, learn to live with it .

Joe

Brown Study · Mar 28, 2008

gunnerjoe said:
Mac users (my self included) can be a little cocky, and we just got B%$#$ slapped, learn to live with it .

MacGal said:
Yeeiiiks!!! That is really scary! And I thought that my Mac was safe from things like that.

Being b%$#$ slapped is more likely if the person is relatively new to Macintosh after switching from Windows.

Those who have used Macs for years — some approaching decades and who might have never used Windows — are not among the Windows shell-shocked. They are not b%$#$ slapped and they don't live with it.

This stunt is as old as the Mac platform. Even pre-OS X, when "exploits" were reported and real viruses were possible and a new one was discovered, the trumpets would blare, the flags would unfurl and fingers would point as the doze crowd crowed, despite 100,000 viruses for doze vs. 52 or 84 or whatever the final tally is for pre-OS X.

And pre-X, when an exploit was reported, came the same result with the same aftermath — the exploit was contrived when it wasn't fiction. And there's nothing like a well-publicized event complete with prizes to make the doze crowd crane their necks and rub their hands together in anticipation of watching the walls of Jericho tumble down.

It never happens. This stunt was as contrived as last year's stage-managed farce. This year's was a lesson in social engineering. Next year's, if it happens, probably will be a lesson in hacking with a hammer and chisel.

It's an annual affair because if it was held any more often, even the crickets would be silent. It takes a year to work out another attack — after the defences have been lowered before the press sees something else shiny and/or heads for the bar.

I'm going back to sleep.

giulio · Mar 28, 2008

So what if 'hacked' is the wrong term. A machine should not be compromised just by visiting a webpage. That's just ridiculous. Apple deserves all the trumpet blaring and attention.

jaynorris · Mar 28, 2008

Either some people are just ignorant to the facts, or plain blind. Regardless how the hack was pitched it still worked. Yeah so, it was crafted as a social engineered attempted. The results and the out come was the same. We all know Windows is vulnerable, what's the joy in reporting old news, and who really cares anymore... It's not new. Apple exploits on another had are more exciting because it's die hard users act like it's impenetrable. Please... Reality check... Even if the OS is secure, the applications running on it could have a vulnerabilities to allow escalated assess.

Now I credit Apple. They are pretty fast in fixing these holes when they get wind of them. So while todays hackers show off at security conferences, it allows Apple to fix them and closing the doors for leveraged malicious use.

Also I read Apple has risen in market share... What is it now? Anyone? I think I read today it's just over 15% from about 8% last year. Yeah... Give it a few more years. Change is coming... Just understand while there's really nothing to do today, tomorrow might be different.

"Know the enemy and know yourself; in a hundred battles you will never be in peril. When you are ignorant of the enemy, but know yourself, your chances of winning or losing are equal. If ignorant both of your enemy and yourself, you are certain in every battle to be in peril." - Sun Tzu ("Art of War")

hagen · Mar 28, 2008

Can someone explain to me how visiting a website constitutes being "tricked" or "lured"?

Nothing I've seen yet suggests it was "social engineering", if that term means tricking the user into doing something stupid or unusual. Visit a website, get infected, pwned, hacked, whatever.

IOW, a drive-by.

Brown Study · Mar 28, 2008

hagen said:
Can someone explain to me how visiting a website constitutes being "tricked" or "lured"?

From the linked story:

But on the second day, the rules changed to allow attacks delivered by tricking someone to visit a maliciously crafted Web site, or open an e-mail. Hackers were also allowed to target "default installed client-side applications," such as browsers.

The team had attack code already set up on a Web site, and was able to gain access to the MacBook Air and retrieve a file after judges were "tricked" into visiting the site.

Which is one reason I'm unconcerned. The chances of clicking on a such a site are infinitesimal. If Safari is required, it matters to me even less, since I don't use it.

EGGO · Mar 28, 2008

MacGal said:
Yeeiiiks!!! That is really scary! And I thought that my Mac was safe from things like that.

Seriously, it makes the news when a Mac gets hacked into because it is such a rare occurrence. Windows computers get hacked every day and the media doesn't pay any attention because it happens all the time.

I still think that Macs are the more secure systems.

No, Macs rely on obscurity. That's it.

Here's a better article:

http://securitywatch.eweek.com/apple/mac_hacked_via_safari_browser_in_pwn2own_contest.html

Also, for those that say the defense is that one goes to a website, that's just how it's usually done on PCs too. The best thing to have with an anti-virus software is common sense, which not to be mean, but a lot of people who are sold on "Macs don't have viruses = Macs WON'T GET viruses" didn't seem to use. Most hacks that cause issues are not impressive. They don't need to be. People click "yes", "accept", "ok", and any other random link they get all the time. It's all about what the software does (or doesn't do) to protect the stupid user that makes this sort of thing impressive.

When answering questions while simultaneously typing at the keyboard, he would occasionally reach over to slap a plastic "Easy!" button from Staples

Hahahaha!

harryb2448 · Mar 28, 2008

What a load of BS and hype (and hope from PC quarters). Read the full story and laugh:-

http://www.macworld.com.au/blogs/view/the-weakest-link-323

EGGO · Mar 28, 2008

harryb2448 said:
What a load of BS and hype (and hope from PC quarters). Read the full story and laugh:-

http://www.macworld.com.au/blogs/view/the-weakest-link-323

Psst...that's how a lot of hacks are done. Quoting myself:

Most hacks that cause issues are not impressive. They don't need to be. People click "yes", "accept", "ok", and any other random link they get all the time. It's all about what the software does (or doesn't do) to protect the stupid user that makes this sort of thing impressive.

hagen · Mar 28, 2008

harryb2448 said:
What a load of BS and hype (and hope from PC quarters). Read the full story and laugh:-

http://www.macworld.com.au/blogs/view/the-weakest-link-323

Until we learn more details, that has to be considered BS. Merely visiting a website doesn't count as "inside help", it's what we do every day.

Of course the danger is almost zero because the flaw isn't known publicly, but that's not what is being claimed by saying inside help, lured, or tricked.