The Vista laptop also went down, the fault of Adobe. The irony of Adobe being at fault is only compounded by the LookingGlass vendor of the week last week being Adobe. No NX, No ASLR, unsafe libraries, no cookie Adobe.
http://www.cnet.com/8301-13509_1-9906502-20.html
Only the Mac faithful could take something like a Macbook being hacked and turn it into a commercial for Apple products. It seems as if the Macalope is stumping for a job as Apple's Chief Security Officer or as Obama's running mate, I can't decide which.
"Plus, you hack it, you keep it. So, sure, everyone's trying to hack the Air."
He seems to imply that the only reason people were hacking Macs was that they get to keep them. Since not everyone can live without the faux sexiness that is Apple, of course someone will find a way to go home with that hardware. He also goes on to explain the only reason "security researchers" are paying attention to Mac is that they are cool and we are not.
I have a different theory: it was the easiest. With Vista and Linux correctly implementing technologies Apple botched, like ASLR, it is naturally the easiest target. If you want an analogy, it is kind of like the slow Antelope that has been separated from the herd by predators.
We all know what happens to that ailing animal.
Monday, March 31, 2008
Thursday, March 27, 2008
Safari and Apple get Owned...Again...

Last week Apple released a huge security update, likely because 7 days later CanSecWest would be hosting its PWN2OWN contest. I wanted to write a blog post then and mention something about the best way to force Apple into releasing patches would be to announce an upcoming exploitation of Apples. It's not just Cansec, but the same thing happened when I announced I'd be publishing the disputed WiFi vulns at Toorcon: they quickly patched the vulns they denied existed. However, I decided to wait on that blog post.
Later in the week I saw the Safari update debacle. I wanted to write a blog post about the underhanded padding of their marketshare, and note that Apple just made millions of Windows users less secure now by adding additional insecure code to their machines. However, I decided to wait on that blog post, too.
I decided to wait on writing both these posts because I know that even with the updates that Apple has released for Safari there are still tons of flaws in it that are exploitable and someone would leverage one to win the PWN2OWN contest and walk home with a Macbook Air.
Dave Aitel just reported on DailyDave that Charles Miller won the Macbook Air using a Safari exploit. I would like to note that out of the three machines (OSX, Linux, Vista) OSX was the first to fall. I hope this puts to rest the myth that OSX is more secure, but I am sure the zealots will have a million reasons why this is a fixed or rigged contest. The only question I have remaining is who is going to be the first to file a class action lawsuit against Apple on behalf of users who were tricked into installing Safari and are now at risk of compromise? I am not advocating someone do that, I am not a fan of needless litigation, but I can already picture the commercials the ambulance chasing lawyers could use.
"Were you tricked into installing Safari by Apple? Have you had any personal data compromised? Call the law firm of Dewey, Cheatem, and Howe!"
The other interesting thing about the updates is something I like to call the "window of owning". I advise our clients on this: Apple bundles open-source, but patches it late. It takes them weeks to as long as a year to patch their version of the code after it was patched in open-source. It's fairly straightforward to keep track of the open-source (and other 3rd party) code that Apple uses, and when a vulnerability is announced for the open-source version, write exploits for the Mac version.
This "window of owning" is one reason that the update last week was so large. Apple security dug deep and fixed a lot of vulnerabilities that they would normally not bother with in a futile attempt to get OSX through the PWN2OWN contest unscratched.
UPDATE: More info at Security Focus.
UPDATE 2: Some people don't know the screenshot above is from our LookingGlass tool. I added it to show how many unsafe functions are used in Safari as well as the lack of ASLR or NX support. This means that I would wager that a vulnerability in the OSX version of Safari would also work on XP/Vista with a high success rate since Apple does not employ any of the available features to mitigate an attack.
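The mitigation check described in UPDATE 2 can be reproduced for a Windows binary by reading the `DllCharacteristics` field of its PE header. The following is an added example, not LookingGlass code or anything from the original post; the `audit_pe` and `build_sample` names, the shortlist of unsafe functions and the sample bytes are assumptions made for illustration.

```python
import re
import struct

DYNAMIC_BASE = 0x0040  # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: opts in to ASLR
NX_COMPAT = 0x0100     # IMAGE_DLLCHARACTERISTICS_NX_COMPAT: opts in to DEP/NX
# Assumed shortlist of unbounded C string routines, chosen for this example.
UNSAFE = re.compile(rb"(?<![A-Za-z0-9_])(strcpy|strcat|sprintf|gets)\x00")


def audit_pe(data: bytes) -> dict:
    """Report ASLR/NX opt-in and unsafe-looking import names for a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    opt_off = pe_off + 4 + 20  # signature plus 20-byte COFF file header
    if len(data) < opt_off + 72:
        raise ValueError("truncated optional header")
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics is at offset 70 in both PE32 and PE32+.
    (flags,) = struct.unpack_from("<H", data, opt_off + 70)
    # Heuristic: import names are NUL-terminated ASCII strings in the file.
    names = sorted({m.group(1).decode() for m in UNSAFE.finditer(data)})
    return {"aslr": bool(flags & DYNAMIC_BASE), "nx": bool(flags & NX_COMPAT),
            "unsafe_imports": names}


def build_sample(flags: int, names=()) -> bytes:
    """Constructed minimal PE32 header plus name strings; not a real binary."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, 0x0102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 70, flags)
    table = b"".join(b"\x00\x00" + n + b"\x00" for n in names)
    return dos + b"PE\x00\x00" + coff + bytes(opt) + table


if __name__ == "__main__":
    weak = build_sample(0, (b"strcpy", b"lstrcpy", b"sprintf"))
    hardened = build_sample(DYNAMIC_BASE | NX_COMPAT)
    print(audit_pe(weak))
    print(audit_pe(hardened))
```

The name scan is a string heuristic rather than a walk of the import table, so treat its output as a prompt for closer inspection.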