Thursday, March 27, 2008

Safari and Apple get Owned...Again...

Last week Apple released a huge security update, likely because 7 days later CanSecWest would be hosting its PWN2OWN contest. I wanted to write a blog post then and mention something about the best way to force Apple into releasing patches would be to announce an upcoming exploitation of Apples. It's not just Cansec, but the same thing happened when I announced I'd be publishing the disputed WiFi vulns at Toorcon, they quickly patched the vulns they denied existed. However, I decided to wait on that blog post.

Later in the week I saw Safari update debacle. I wanted to write a blog post about the underhanded padding of their marketshare, and note that Apple just made millions of Windows users less secure now by adding additional insecure code to their machines. However, I decided to wait on that blog post, too.

I decided to wait on writing both these posts because I know that even with the updates that Apple has released for Safari there are still tons of flaws in it that are exploitable and someone would leverage one to win the PWN2OWN contest and walk home with a Macbook Air.

Dave Aitel just reported on DailyDave that Charles Miller won the Macbook Air using a Safari exploit. I would like to note that out of the three machines (OSX, Linux, Vista) OSX was the first to fall. I hope this puts to rest the myth that OSX is more secure but I am sure the zealots will have a million reasons why this is a fixed or rigged contest. The only question I have remaining is who is going to be the first to file a class action lawsuit against Apple on behalf of users who were tricked into installing Safari and are now at risk of compromise? I am not advocating someone do that, I am not fan of needless litigation, but I can already picture the commercials the ambulance chasing lawyers could use.

"Were you tricked into installing Safari by Apple? Have you had any personal data compromised? Call the law firm of Dewey, Cheatem, and Howe!"

The other interesting thing about the updates is something I like to call the "window of owning". I advise our clients on this: Apple bundles open-source, but patches it late. It takes them weeks to as long as a year to patch their version of the code after it was patched in open-source. It's fairly straightforward to keep track of the open-source (and other 3rd party) code that Apple uses it, and when a vulnerability is announced for the open-source version, write exploits for the Mac version.

This "window of owning" is one reason that the update last week was so large. Apple security dug deep and fixed a lot of vulnerabilities that they would normally not bother with in a futile attempt to get OSX through the PWN2OWN contest unscratched.

UPDATE: More info at Security Focus.
UPDATE 2: Some people don't know the screenshot above is from our LookingGlass tool. I added it to show how many unsafe functions are used in Safari as well as the lack of ASLR or NX support. This means that I would wager that a vulnerability in the OSX version of Safari would also work on XP/Vista with a high success rate since Apple does not employ any of the available features to mitigate an attack.


Unknown said...

Good post... I'll definitely agree that Safari would have been my guesstimate on what app would take OS X down.

Pwn2Own is interesting though. I mean, I'm guessing that had Charlie focused on Ubuntu or Vista he would have had the same results. Maybe he just wanted the Air hardware. Maybe not... Like you said, it's good marketing for them.

I do, however, think the contests like this don't really show the platforms on an equal balance. Everyone could focus on OS X and not one registrant could go for the other competitors. Does that really reflect the true security? Probably not. Does it show which platform they are trying to point out? Definitely -- which is a good thing in many regards. But for all of the postings of "2 minutes to 0wnage" is really BS. This hack was preconceived probably weeks in advance and I would bet a large sum of money that it didn't take Charlie 2 minutes to surmise the attack. So, really, any of the attacks are going to be done in under the 5 minute mark. Nobody is going to sign up blindly and sit there and run test code until they get it right. Just not how it works.

So, all in all I'm glad the Air got bounced first. I don't feel any more secure on Windows. Maybe Ubuntu -- but the smart hacks go against the common denominator. Focus on what 95% of the users using their computers are doing. Surfing... FF, IE, Safari, etc. It's just too easy today. said...

I'm still waiting for details on your exploit. This has nothing to do with Mac OS X or Safari.

David Maynor said...

STeve: what are you talking about?