Apple’s OS X is First OS to be Hacked at This Year’s Pwn2Own

The conception that Apple, Inc. computers running OS X are magically more secure than Windows computers was dealt another setback this week.  Using a flaw in Apple’s pre-installed first-party Safari browser, it took French security pro Chaouki Bekrar merely 5 seconds to hijack the unwitting MacBook at the CanSecWest Conference’s pwn2own contest in Vancouver, British Columbia.

On a most basic level the attack exploited Apple’s weak memory protections in OS X Snow Leopard.  Microsoft, more popular and more commonly attacked, includes two critical types of memory protection — data execution prevention and robust address space layout optimization (ASLR) — both of which attempt to prevent memory injection attacks.  By contrast, Snow Leopard only supports ASLR and the implementation is badly botched according to hackers.

The attack also exploited poor coding in Apple’s branch of WebKit, which features many bugs and security flaws.  While Apple’s WebKit branch, which powers its Safari browser, shares a certain amount of code with Google’s WebKit browser Chrome, Google has added much more robust security layers and is less buggy.

So if Apple computers are less secure than Windows machines, why are Windows machines attacked so much more frequently?  Generally, the answer boils down to that there’s far fewer Macs and that hackers often have misgivings about mass attacks Unix-like operating systems (Linux, OS X) as they view it as “attacking their own.”  Ultimately these two factors combine into a greater barrier — lack of information.

Since not many hackers target OS X, those that do have to tread entirely new ground.  Take Mr. Bekrar and his team at French security firm VUPEN.  He says that the exploit was “relatively difficult” due to lack of documentation in the security/hacking community on OS X.  He states in a ZDNet interview, “We had to do everything from scratch. We had to create a debugging tool, create the shellcode and create the ROP (return oriented programming) technique.  The main difficulty was doing this on our own, without the help of any documentation.”

Another difficulty was in finding a “reliable” vulnerability.  All modern browsers have vulnerabilities, but not all vulnerabilities are created equal.  Identifying the “best” vulnerabilities takes a lot of time and dedication — time that has been invested in attacking Windows machines, but not so much with OS X.

Describes Mr. Bekrar, “There are many WebKit vulnerabilities. You can run a fuzzer and get lots of good results. But it’s much more difficult to exploit it on x64 and to make your exploit very reliable.”

But the results show that when somebody puts in the work to enter that undiscovered country, that Macs prove as hackable as Windows computers or more so.

Luring the user to a suspect site in Safari, the VUPEN researcher remotely launched OS X’s calculator app and wrote a file to the disc — essentially paving the way for a full hijack of the machine.  This was all done without the browser crashing or showing any irregularities.

He describes, “The victim visits a web page, he gets owned. No other interaction is needed.”

The victim would likely think they merely clicked on a bad URL.

Mr. Bekrar and his VUPEN teammates are going to next try to hack a Windows machine using similar flaws found in Internet Explorer 8 on 64-bit Windows 7 (SP1).

For his success against OS X, Mr. Bekrar scores a 13-inch Apple MacBook Air running Mac OS X Snow Leopard and $15,000 USD in cash.

In past years the contest has been dominated by OS X hacking/security pro Charlie Miller.  So it was nice to see a fresh face for a change, though the MacBook was still the first to fall — as usual.  Mr. Miller sums up OS X security the best, with his famous remark, “Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town.”