By Walaika Haskins MacNewsWorld Part of the ECT News Network
04/23/07 1:32 PM PT
Two security researchers at Canada's CanSecWest conference won big for being the first to hack into a Macintosh computer during a contest at the event. Initial interest in the contest was relatively lackluster, but then Tipping Point, a security vendor, upped the ante with a $10,000 bonus to the first person who could successfully hack one of the Macs using a previously unknown bug.
Just one day following Apple's (Nasdaq: AAPL) release of a security update containing 25 patches, two security researchers at the CanSecWest conference held in Vancouver, British Columbia, were able to hack into a MacBook using a zero-day exploit in Apple's Safari browser.
Shane Macauley, a software engineer, and Dino Dai Zovi, a security researcher, undertook the challenge as part of the "PWN to Own" Hack-a-Mac contest hosted by conference organizers.
The two were awarded a MacBook Pro computer and a US$10,000 prize.
Hacking For Dollars
Conference founder and organizer Dragos Ruiu came up with the contest as a way to bring a little Apple security into the conference. Running MacBook Pro computers on the conference network, organizers dared their security-minded conference-goers to find a way to remotely gain control of the machines. The first hacker able to compromise the system using an exploit that gave the attacker default user account access would win one computer. For the second machine, the challenge was to exploit a security flaw that would enable root access and allow the hacker to take complete control of the system.
Initial interest in the contest was relatively lackluster during the first day of the conference. Then Tipping Point, a security vendor, stepped in and upped the ante with a $10,000 bonus to the first person to successfully hack one of the machines with a previously unknown bug.
That was all it took. On the second day of the conference, organizers announced the result. "One OS X box has been owned," read a message on the CanSecWest Web site. "At this point all we can say is there is an exploitable flaw in Safari which can be triggered within a malicious Web page. Of course all of the latest security patches have been applied. This one is zero-day folks. Technical details will be forthcoming as the winner works out the release."
Truth in Advertising
In its marketing campaign touting the benefits of owning a Macintosh computer over a PC running Microsoft (Nasdaq: MSFT) Windows, Apple has furthered the perception among computer users that the Mac operating system (OS) is somehow more secure.
Security experts, however, argue that the Mac is actually no more secure than a PC. In fact, they note that the relatively low number of viruses, exploits and other cyberattacks directed at Mac users is due to Apple's relatively small share of the computer market.
"I don't think that the Mac OS is more secure than Windows -- I think it is safer than Windows because there are less people trying to attack it. There is a big difference," Natalie Lambert, a senior analyst at Forrester Research, told MacNewsWorld.
For every single attack on a Mac, there are at least 100 attacks on Windows-based systems, Avivah Litan, an analyst at Gartner (NYSE: IT), told MacNewsWorld. This hack, she continued, is significant because it shows the system can be broken. However, in the whole scheme of things, it's fairly insignificant.
"No one in the security business believes that any operating system or browser is infallible," Litan said. "If you're looking at a million desktops, you'd rather go after 900,000, instead of a 100,000 because the response rate [that enables successful attacks] is only about 2 percent. And 2 percent of 900,000 is a lot more."
The Right Message?
In response to the successful hack, Apple maintained it "takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users."
Litan, however, said the Cupertino, Calif.-based company's marketing campaign undermines its security message. "If consumers aren't aware, they won't take precautions."
According to Forrester's Lambert, hackers are absolutely starting to turn up the heat on Apple's security. As the Mac OS continues to grow in popularity, more criminals will try to exploit it, she explained.
"It is all about getting the most bang for your buck," she continued. "Today, the most bang belongs to Windows. However, Apple is doing well and has gained market share -- especially in the consumer space. Also, you can't discount the Apple commercials saying that Macs don't have vulnerabilities. This in itself will lead hackers to prove them wrong."
Apple's security propaganda hurts Mac users, Lambert said, because attackers now see Mac as a target that, if successfully hit, will give them notoriety. "It is like telling a child not to eat the chocolate ... by telling them that, you just make them want to do it even more."
Lambert predicted that as the popularity of Apple increases, so will attacks on the company's products. "Hackers are going to go after the most ubiquitous OS and applications," she stated.
"First, I see attackers going after iTunes, as we have seen attacks on Office applications, due to their market saturation," she noted. "It really comes down to financial gains. Where will exploit gains get the most traction? For now, it is Microsoft, but any vendor is ripe for the picking when they see dominant market share."