apple soapbox; pwn2own


April 1st, 2008

If you keep informed of the movements that are going on in the computer security world, you would know that this week Vancouver was host to the CanSecWest Security Conference. Last year, CSW organizers had “Hack a Mac”, whereby owning their testlab Mac made it yours – plus a nice cash prize.

To take things further, this year the contest was extended to one representative of each of the major platforms: a MacBook Air, a Vista and an Ubuntu Linux. The MBA was first to fall, and while I tried to keep off comments about it… I can’t.

A round-up of ideas:

Wait, easiest to own? Miller’s exploit had been researched for about 3 weeks. And only after the contest will the bug be reported to Apple[1]. So the “minute after we’ve relaxed the rules” hack was really exactly what Miller was waiting for to score the bounty. Every researcher has their own definition of disclosure or, alternatively, the price they will accept for their 0-days. I’m just amazed that Maynor seems to ignore these simple facts. Sure, maybe others were researching Vista or Linux ahead of time as well and they couldn’t pull off an exploit for those platforms in time for the contest. Last year, Dino Dai Zovi actually wrote the hack overnight; Miller didn’t, he memorized the exploit[2]. Does that look bad for Apple? Well, in some sense, yes. They weren’t able to lock down a bug that led to ownage. The flip side is that Miller had the sploit all ready to go as he was waiting patiently for CSW’s PWN2OWN to commence. So while a ’silent’ submittal to Apple might have received some credit in the Software Update notes when the patch rolled around, CSW had fireworks, cash and fame.

Somewhat related: Maynor is right about the “window of owning” in regard to Apple’s laziness to move into Security Updates those patches that are committed for the open source components of their OS. For a company that offers a Server version of its OS, it would really be a good idea to have those patches available faster. Otherwise it’s almost boring for a cracker to get in. Irregardless, Apple needs to focus a bit more on security before they lose one of their strongest selling points.

  1. Now, past tense
  2. I know this might sound like a gross oversimplification; I do not wish to downplay Miller’s achievement but rather the “1-minute” headline that’s been making rounds
