Apple Mac gets pwned at CanSecWest
UPDATE 21/04/07 19.33GMT. The Matasano website has been amended to add the following:
- Apparently the issue also affects Firefox.
- Turn off Java as a workaround for now.
Breaking news as of yesterday. The CanSecWest security conference are running an event with two Apple MacBook Pros to be won, simply hack them to take them over.
Of the two, the first MBP can be won by exploiting it to achieve a shell access with the current user context, and the second MBP can be won by exploiting it to achieve shell access in an administrator context.
The first MBP was won yesterday (20th April 2007) via a Safari exploit, with the second MBP still up for grabs at the time of writing.
There is considerable speculation over what exactly happened to the first MBP as details have not yet been published (Matasano's weblog appears to be the source for info here), but this appears to be an 0-day attack on a component of the default OS as shipped (and fully patched of course).If I had to speculate, my first thoughts would turn to the previously identified problems with Safari, but offhand I'm not sure if Apple have closed this hole, and I'm not sure this would count as a new hack anyway. Upon reflection, I think this will turn out to be something new. At the very least, a variation on previous holes.
Some people may point out that this exploit doesn't give you administrative access to the machine as such, and that's quite true. It certainly doesn't. However, how many 'home' users run their Mac with an administrator type account anyway, and in either case, who needs root to break your heart? I don't need admin access to run a shell-scrip from your user account using the above exploit, and it's very easy to ruin someone's use of their computer with just two lines in a script...
cd ~
rm -rf *
Hope you had all those files backed up.