Security researcher Dino Dai Zovi sent a shudder through the Mac community last week when he successfully hacked the Mac with an exploit that he sent to a friend attending the CanSecWest security conference.
He gained shell access to a Mac by pointing the Safari Web browser at a specially-constructed web page, and won a $10,000 prize from 3Com’s Tipping Point division for his efforts.
The hack - which has been attributed to a vulnerability in QuickTime and therefore could also affect Internet Explorer and Firefox users - took a lot of Apple Mac users by surprise, but security experts say they aren’t the least bit shocked.
“Literally any piece of code is going to have vulnerabilities and the Mac is no exception,” said Ray Wagner, Gartner’s managing vice president in the secure business enablement group.
Thomas Kristensen, chief technology officer of security-research firm Secunia, agreed. “Mac systems are as vulnerable as most other operating systems, so anyone with reasonable skills should be able to compromise them,” he said.
Most Mac users see their operating system as being much more secure than Windows. That’s true to a certain extent. But much of the Mac’s immunity from malicious attacks can be attributed to hackers going for the more widely used operating system to grab the most attention.
“If a hacker turned their attention to the Mac, it would suffer just as much as Windows,” Wagner said. “Attacking the 95 percent of the market gets them more attention.”
According to research Wagner did in the last year, an operating system would need to hit the 20 to 30 percent penetration level before it really becomes a target for hackers. This is the point where hackers will feel it is worth the time to expose a vulnerability.
However, in light of last week’s proof-of-concept exploit, Mac users shouldn’t worry that hacks are going to start flooding the market. “Just because there has shown to be a hack, that doesn’t mean there will be all kinds of hacks showing up all of a sudden,” Wagner said.
Dino Dai Zovi, the man that found the exploit, hopes for a safer operating system for all Mac users. “I hope the increased visibility due to the publicity surrounding this incident causes more people to search for and responsibly report vulnerabilities in the Mac to help make it a safer platform for everyone,” he said.
Dai Zovi said he came up with the hack in about nine hours from the time he got the call from his friend Shane Macaulay, who was attending the CanSecWest conference.
“In this instance, breaking into the Mac was not particularly difficult,” Dai Zovi said. “I got lucky and stumbled across a reliably exploitable vulnerability rather quickly. In many other times in the past, I have spent much longer looking without finding anything. It often comes down to luck and an intuition for where software weaknesses may lie.”
A Mac user since the release of Mac OS X, Dai Zovi has discovered local and remote vulnerabilities affecting Windows, Mac OS X, and Unix operating systems. While modern Unix-based systems like Linux and FreeBSD present the most difficulty for hacking, he praised Apple and Microsoft for the security improvements both companies have made.
“Microsoft has made great strides in improving the security of their codebase and implementing proactive security defences to make vulnerability exploitation more difficult,” Dai Zovi said. “Apple has made some sound design decisions in Mac OS X, such as minimising the number of default open network services, using non-executable writable memory segments and employing a well designed administrative user authorisation system, that are also good security measures.”
Dai Zovi said he is not currently working on any new Mac hacks, but he may start working on some new ones when he has some more time.