Apple has long marketed Mac OS X on the claim that its machines and the Safari browser are untouchable by malware, and it has used this as a sales argument for years. At the recent Pwn2Own hacker challenge in Vancouver, Mac OS X and Safari were the first to fall when the French software security company VUPEN exploited the browser to win the contest.
This was done by leading the targeted MacBook to a rigged website, which let the team launch the calculator to show that the exploit had gained access to the machine, which was running a fully patched 64-bit OS X Snow Leopard.
VUPEN won $15,000 and a MacBook Air 13” for landing the first successful exploit of this year’s contest.
VUPEN co-founder Chaouki Bekrar said in an interview that Safari's WebKit was kind of difficult to exploit. The difficulty arose from the lack of documentation on 64-bit OS X exploits, so they had to start from scratch. He said that the company had to create the debugging tool, shellcode and ROP (return-oriented programming) technique.
The company was able to run the award-winning exploit without causing the browser to crash. Within 5 seconds of browsing the rigged website, they were able to run the calculator app and write a file to disk to show that they had gained access. ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention) were two key anti-exploit mitigations that were bypassed by the hack.
All it needed was for an unsuspecting machine to visit a rigged website for the attacker to gain access to that device.
This is quite scary for average users, and it has burst Apple’s bubble of invulnerability to computer viruses and malware. While there are still not many known exploits for Apple products, all we need to do on our part is be vigilant; these kinds of attacks can be avoided, as exploits for OS X are still too few to set off alarms or to justify avoiding such products.