The CanSecWest “PWN to Own” Mac break in contest that IDG’s InfoWorld failed to accurately cover was picked up and regurgitated by many sites that reveled in repeating the same myths, but failed to actually point out what really happened.

Even CanSecWest was quiet on the subject.

What was really compromised, and what was the result of the exploit? Readers of InfoWorld , Computerworld , and other IDG properties that republished Nancy Gohring’s uninformed and incomplete article don’t know.

Speaking From The Ars .

Charles Jade at Ars Technica cited IDG’s reports without adding any new facts. Jade even suggested that $10,000 prize contests like this one might turn the tide for Mac security, somehow creating the incentive to develop Windows style security problems for Mac OS X.

How would a contest that pays for an exploit, then takes the exploit off the market by delivering the details to Apple for patching, create a less secure platform?

It wouldn’t; it does the opposite.

Imagine a developer paying freelance workers to find bugs in its software, paying an award for each bug that is discovered and described in detail to allow for a fix. Would the software become more buggy as it is refined?

Whose Exploit Was It Anyway?

CanSecWest kept the details mostly a secret. Engadget’s report, written by Conrad Quilty-Harper, succinctly covered the facts without introducing any uninformed speculation.

Still, while the Engadget article pointed out that it took nine hours to discover the crack, it didn’t point out a full 24 hours of attempts the day before had gotten nowhere, and that because of that, CanSecWest dropped the security threshold of the contest.

Rather than trying to hack into Mac OS X remotely, contestants were able to feed it a URL in attempts to exploit a local user on its web browser instead.

Imagine a contest to break into a panic room; after everyone participating in the challenge fails to break in, they’re given telephone access to the person inside the room so they can talk them in to opening the door from the inside to let them in. Is that a security compromise of the panic room, or a social exploit?

What Did They Crack?

According to “YankInOz,” a reader who responded to the Engadget article, “the ‘hack’ was of a Java routine that is outdated and no longer used.”

He added, “This ‘exploit is easily found to work in Firefox, Camino and Safari.”

An anonymous user on Slashdot described the exploit as involving a JavaScript routine. Sun’s Java and Netscape’s JavaScript share little in common apart from their names, but both are third party browser plugins that are not specific to Safari. Exploiting either one and calling it a “Mac exploit” is disingenuous.

Third Party Issues.

That also highlights a fact many ‘security experts’ don’t seem to grasp: installing software changes your level of security. While Macs are quite secure when kept up to date, installing software and turning on new services can open one up to attack vectors that Apple can’t control for you.

This is also certainly part of the problem Microsoft faces with Windows. While the company is guilty of maintaining very poor security controls until just the last couple years--when it has been forced out of panic and shame to clean up its most flagrantly bad practices--Microsoft also faces problems it can’t solve itself.

All third party Windows software that does anything foolish can override Microsoft’s best efforts. Of course, that same principle applies to the Mac. Turn on Microsoft’s SMB protocol for Windows file sharing and you’ll expose the Mac to some of the same insecure exploits that Windows PCs face on insecure networks.

And of course, if you install Windows under Parallels or Boot Camp on a Mac, there is no magic force field of Apple security that will prevent you from getting virus infections.

Even using Microsoft Office files on a Mac will enable it to distribute the mostly annoying macroviruses that latch onto Office files for a free ride.

Updating Third Party Problems.

Since Apple distributes various outside code as part of Mac OS X--including Java and lots of open source software--it maintains the responsibility for patching exploits for all that software. That explains why Apple is picky about what it bundles in Mac OS X: it bears accountability for everything it ships.

Many of the security patches Apple regularly releases relate to software from outside projects. The most recent 2007-004 patch included fixes for GNU tar, BSD’s lukemftpd FTP server, and MIT’s Kerberos, for example.

The fact that Apple manages the security updates for all of the software bundled with Macs makes Mac OS X more attractive to many users than a roll-your-own version of Linux, which might include code from hundreds of different projects, all of which are constantly being updated, patched, and overhauled.

Install your own version of some software package, and the onus of managing the very complex art and science of security will fall directly in your lap.

It’s like installing homemade tires on your pickup: you can’t demand a recall from Ford if your tires explode and send you careening into a ditch, because you exposed yourself to that particular engineering flaw.

Lying about Security With “Vulnerability Counts.”

At the same time, the vast majority of media outlets reporting on security are being both disingenuous and dishonest in their reporting of security issues by conflating security with the number of exploits or vulnerabilities reported for a platform. While many writers are just ignorant, plenty of pundits do realize they are lying.

Microsoft has recently jumped on this bandwagon in an effort to cover up the obvious security disaster it created on Windows with the dishonest insinuation that Linux and Macs have greater security problems because there are so many potential holes being reported and patched in the open source Unix world.

That’s what active security is! It’s like complaining that a country isn’t safe because it has an visible military presence, or that a patient has a bad immune system because he are actively fighting off multiple infections.

What Did CanSecWest Prove?

The Microsoft sponsored CanSecWest was pointedly trying to besmirch the reputation of Mac security. While it successfully resulted in creating false headlines like the one published by IDG, what did it really prove?

Using a browser flaw in conjunction with an automated ‘user’ programmed to visit a site at regular intervals is quite a desperate reach, particularly given the limited access this convoluted and artificial attack achieved.

Nearly every report on the subject failed to mention the extent of the access the attacker was actually granted. IDG’s article clearly suggested that the break in was not only a “remote exploit,” which is was not , but also that it granted the attacker access to do pretty much anything. This was not true either .

Weren’t There Two Macs?

According to the CanSecWest website , the contest involved two Macs, but the rules were different for each. To win the first Mac, a cracker had to break in and “follow the instructions in the home of the default user.”

In other words, gain access to a file with limited local user rights, and prove they had by acting on what it said.

To win the second Mac, contestants needed to “follow the instructions in the filesystem root (this one will need admin compromise).” Had both Macs been given away, this would have been a real exploit.

After not being able to directly break into even the user realm in a day of trying, the contest dropped the bar to allow users to send URLs to the contest manager, who put them on a server and set the two Mac Book Pros to automatically visit a website site and ‘click on’ the submitted URLs.

Reenacted by Jody Foster, it might have gone like this:

“Hello inside the panic room! It’s safe to come out now!” Door opens. “Ah hah! We broke in!”

Getting To The Root of Things.

After Dino Dai Zovi’s attack exploited what was apparently a Java routine via the automated browser actions, he was still only able to gain access to a user level file.

While this is a significant flaw that needs to be patched, it is unlikely that anyone who wanted access to a system would be able to set up such a Rube Goldberg event chain to gain access to a specific users’ files.

A real attacker would better use their time simply mugging the user of their laptop, breaking into their office or home, or kidnapping them and demanding their information at gunpoint. The premise is fairly absurd already.

The real exploits used in the Windows virus, worm, and spyware business involve installing malware as an admin, and commonly hiding commands in the system’s Windows Registry to automatically reinstall the malicious code behind the back of the system, the user, and any security software that is running.

To make this worth the time of attackers hoping to control PCs for use as email spam drones, it has to be easy to roll out exploits remotely in mass installations; they need to get to the root of things quickly.

That happens many thousands of times a day in the Windows PC world, but that’s not what happened to the Mac at CanSecWest after 33 hours of security experts’ trying. To recap, the contest officially restated:

“Just to review the rules, the first box required a flaw that allows the attacker to get a shell with user level privilages [sic]. The second box, still up for grabs, requires the same, plus the attacker needs to get root.”

Nancy Gohring, You Are Coming to a Sad Realization. Cancel or Allow?

Step two didn’t ever happen. Nobody could gain root privileges on the Mac despite the $10,000 prize (and the laptop), even though there are many hundreds of known vectors for doing just that on Windows PCs.

Were an attacker to use a Windows-like exploit to try installing software via a browser link, or through a malware graphic attempting to run arbitrary code simply as a user simply visited a booby-trapped website, Mac OS X would throw up an authentication dialog telling the user to sign in for the software that was being installed.

Windows does not do this. Even the “new and improved” Vista does not ask for authentication. It asks the user to click Allow, after previously having asked the user to click Allow repeatedly. Guess what most users will do when prompted to Allow some executable to do some technical sounding thing in the Registry?

Oops, You Forgot to Include the Critical, Pertinent Facts.

Gohring didn’t mention this, IDG didn’t correct its headlines, and sites across the web ran the same story insisting that proof had been delivered that Macs are no more secure than Windows.

It wasn’t true though.

They nearly all failed to mention that there was no root exploit, no remote access, no installation of malware, and no viruses to install anyway, because Apple has taken reasonable and responsible efforts to secure its platform.

Open vs Proprietary.

Part of those efforts involve working together with various teams of open source developers. A significant amount of the effort required to secure software in Mac OS X is shared by GNU/Linux developers, the various flavors of BSD, and other open source projects. Think of components such as Apache, OpenSSH, and GCC.

Microsoft has worked hard to patch around the discovered flaws in its broken Windows software, code that nobody outside of the company really understands on an intimate level.

XP and Vista’s NT kernel is an entirely proprietary, known to be full of undiscovered holes, and has not been exhaustingly reviewed by multiple eyes in multiple teams the way Unix has been for decades.

Additionally, Windows users don’t benefit from the shared work done on projects such as Apache, OpenSSH and GCC, because Microsoft chooses to write its own closed versions. Everything from Microsoft’s IIS web server, to its RPC and its compilers are done against the tide of shared, open development.

Microsoft’s Massive Security Problem.

Microsoft’s security problems extend from a past decade of incompetent sloppiness, but it still bears responsibility for securing those flaws today, because it made tens of billions of dollars every year selling its insecure software before anyone realized the damage the company was creating for users.

I wonder what might happen when the asbestos lawyers run out of business?

While the security experts Microsoft pays are quick to point out that the company has made progress, and indeed it has, they are awfully quick to absolve the company of its prior sins, despite the fact that we’re all suffering from that negligence every time we check mail and receive tons of spam from the rooted Windows PC spambots.

Even more problematic is that Microsoft still doesn’t seem to understand how to effectively determine when to trade off security for user convenience, even in Vista, the new version of Windows that supposedly solves all security problems going forward.

Super Users and the Vistapocalypse.

Glenn Marshall of Object Development Labs wrote to explain how Vista still offers a poor security policy:

“Macs don't, by default, run as the super user. This means software can't be installed without entering the root password.

“Windows, by default, does run as the super user. This means if you break in, the bank vault is wide open, in distinct contrast to OS X and any other operating system designed for internet use.

“This, more than anything else, in my view, is the reason Mac are as resistant as they are. I find it odd that this isn't more widely known. And even odder that the class action lawyers aren't all over this, but that is another story.

“In fairness, a malware could delete user files, which is bad, of course. The point here is that it couldn't, generally, install itself, and, most particularly start tinkering with the operating system itself.

“With Vista, Microsoft has begun to think about this, but all Vista folks I've talked to are running as the administrator (the super user) because ‘it came that way.’

“All that has resulted from Microsoft's ‘thinking’ on this issue so far is the ‘improvement’ Vista gives with its now infamous warnings (as hysterically spoofed in the [ Cancel or Allow ] Apple commercial) as opposed to asking for a password like OS X.”

“I'm not absolutely positive if retail Vista (the one Grandma will buy) is running as the administrator, but I haven't heard of people being forced to enter their password, so its seems like it is. Still.

“This is like leaving the bank vault wide open but having someone stop you before you go in and say ‘you are about to enter the bank vault - do you wish to continue’ and if you say ‘yes,’ let you in, regardless of the fact that you're wearing a ski-mask and are carrying large empty bags.

“ David Pogue from the New York Times goes into more detail.”

Recruiting Windows PCs for Botnets .

Reader Tristan writes:

“While I completely agree that the Mac is significantly more secure for all the reasons you've outlined here, I think it's a little naive to suggest that the Macs’ small market share has nothing to do with the lack of malware targeting it. In the context of how much malware is ‘targeted’ at the Mac you’ve quoted Gohring as saying, ‘That's in part because there are fewer Macs in use.’

“The key is that she said ‘in part’ which I don't think can be denied. I've been a ‘power user’ on Macs for close to twenty years and primarily use Windows, Solaris and Linux in my day to day work environment (although I'm now running windows in Parallels on my MacBook Pro at work :-).

“I have only ever seen malware, worms and viruses on my Windows machines at work. None of them were ever targeted at the affluence of the user. At least in my experience the majority of these things are either out to add a machine to a botnet or just cause havoc by either deleting data or making machines reboot every 60 seconds.

“I've been subject to an attack on my Mac just recently due to inadvertently leaving myself wide open via an unprotected VNC server. While this is clearly not a sign of an insecure operating system, (the fact that I was so open to attack, was attacked and still suffered nothing as a result says a lot for the Mac), the nature of the attack speaks volumes. There are thousands of script kiddies out there building their own botnet armies by downloading and tweaking scripts to own PCs.

“They aren't out to compromise the machines owned by well-off people to get their credit card details, they're running scripts that scan a huge range of IP addresses looking for open ports. I was hit by one that was looking for VNC servers, which it would then use to run a DOS command to download a worm from an ftp server and execute. Obviously they weren't being executed because it doesn't respond to windows commands.

“Before I realized what was going on, the same attempt would retry every couple of days over a couple of weeks. Just to reiterate. Someone had discovered that my machine had a VNC Server running on it that they had gained access to and at no point had any human ever bothered to look at it.

“These guys are not attacking individuals. They aren't looking for specific types of machines, operating systems or users. They're just playing a numbers game. With somewhere around 95% of the machines on the internet running windows, your botnet script is far more likely to find a target if your looking for Windows.

“If you're building a botnet army, numbers matter. If you're just scanning for a target for your script, numbers matter. To sum up, I agree that the Mac is vastly more secure than Windows for the reasons you've outlined in this article, but suggesting that the market share of the Mac is not at least ‘part’ of the reason it experiences fewer attacks is unrealistic.”

Like reading RoughlyDrafted? Share articles with your friends, link from your blog, and subscribe to my podcast!

Did I miss any details?

Next Articles:

This Series

What do you think? I really like to hear from readers. Leave a comment or email me with your ideas.