CanSecWest Produces Zero Day Safari Exploit

After a number of false starts hackers in Vancouver were able to gain ordinary user access to a MacBook Pro through the Safari web browser. InfoWorld, home of Rob and Mary Enderle, tried to twist the news ever so slightly to favour their benefactor even as Daniel Eran Dilger's Roughly Drafted came to the counterattack to set things straight.

VANCOUVER -- The CanSecWest Applied Security Conference held from 18-20 April 2007 netted one exploit against a fully patched MacBook Pro after a number of false starts and initial failures. The initial contest - to 'PWN' MacBook Pros accessible on internal IANA IPs - met with no success despite the machines themselves being the prizes to the winners.

It was only when the organisers upped the ante and lightened the rules of the contest that an exploit succeeded. The new rules specified sending URLs to the organisers which they would access from the MPBs with the default Safari web browser.

'There has not been a successful attack. Time to expand your attack surface. Email links and we will visit them using Safari', read the communique. Then, two hours twenty four minutes later:

'One OS X box has been owned! At this point all we can say is there is an exploitable flaw in Safari which can be triggered within a malicious web page. Of course all of the latest security patches have been applied. This one is 0day folks. Technical details will be forthcoming as the winner works out the release. There is still one more Mac to go.'

'The first box required a flaw that allows the attacker to get a shell with user level privileges. The second box, still up for grabs, requires the same, plus the attacker needs to get root.'

No one ever got root.

Orcs Unleashed

InfoWorld, home of Microsoft bag team Rob and Mary Enderle, pounced on the opportunity to make their benefactor look better by slanting the news to make others look worse. 'Myth crushed in Mac hack demo', read the link from the InfoWorld homepage; 'Myth crushed as hacker shows Mac break-in', read the header on the article itself which went on to offer niceties such as the following.

• 'I hear a lot of people bragging about how easy it is to break into Macs.'
• 'Di Zovie used it to open a back door that gave him access to anything on the computer.'

The former of the above two statements is purely anecdotal: the latter is directly false: the winner succeeded only in gaining ordinary user access - not access to 'anything on the computer'; the contest to get root - to get 'anything' - didn't result in a successful exploit.

Roughly Drafted Roughs Up

Something which Daniel Eran Dilger hastened to point out in his rebuttal.

'Given Microsoft's nearly complete lack of regard for security prior to about 2003, it's more than a little suspicious for a so-called security expert like Ruiu to inflate an obscure local vulnerability in Safari into the scale of the gross incompetence and negligence demonstrated by Microsoft over the previous decade', writes a focused Dilger.

'The reason why millions of botnet Windows PC are sending out spam is not because there are so many PCs, but because Windows security has been so bad for so long that all those millions of PC are easy targets to exploit. Simply plugging in a new PC to the open Internet will result in a rapid remote exploit of the machine within an hour', he reminds his readers.

'Any security expert who is confused on that subject really needs to inform themselves better. IDG's InfoWorld is doing the world a disservice to offer up such rubbish information on the subject. Perhaps it should be rebranded as ConjectureWorld.'

Or BullshitWorld or FUDWorld for that matter.

CanSecWest 2007 was guested by familiar names on the speaker circuit: Jim Hoagland, HD Moore, Mark Russinovich, Ilja van Sprundel, and Michael Geide from the US DHS amongst others. It is run and organised by Dragos Ruiu of Alberta.

The InfoWorld article was authored by Nancy Gohring (Göring) currently evading taxes in Dublin.

See Also
Bill Gates: World Domination in Eight Years