Vista, Mac Hacked in Pwn2Own Contest

This year CanSecWest, an annual security conference held in Vancouver, Canada, sponsored a security contest called "Pwn2Own" (pronounced p-own to own). The targets for this year's security specialists were three fully patched systems that included:

• A Sony Vaio VGN-TZ37CN running Ubuntu 7.10
• A Fujitsu U810 running Microsoft's Vista Ultimate with Service Pack 1 installed
• A fully patched and updated version of Mac's OSX running on a new MacBook Air.

A successful attack on any of the three came with a cash prize and the successful team got to keep the hacked machine.

The difficulty of the challenge changed over the course of the three day contest. On the first day the contestants were allowed to attack only the default installation of the operating system over a network. Starting on the second day of the contest the competitors were allowed to make attacks on the target systems by exploiting vulnerabilities in Internet browsers and email. The third and final day of the contest the competitors were allowed to make attacks on the target systems through any popular third-party application.

None of the competitors were able to successfully attack any of the three target systems on the first day. Indeed, according this article on The Register, none of the hackers even attempted to assault the systems on day one.

Of interest to the general Internet and computing community is that the first system to fall was the MacBook, which was running a fully patched version of the latest release of OS X (Leopard). Contestant Charlie Miller was able to bring down Apple's entry to the Pwn2Own contest in two minutes by exploiting a vulnerability in the Safari web browser. Miller took home both the MacBook Air and a $10,000 cash prize.

The target machine running Vista was the next machine to fall. It came down on the third day of the contest when Shane MaCaulay exploited a vulnerability in Adobe's Flash. No one was able to make a successful attack on the target machine running Ubuntu. MaCaulay went home with the Vaio and a cash prize of $5,000.

Does this mean that Mac, and more specifically Safari, is actually the most vulnerable machine out there? Does it mean that Linux, and specifically Ubuntu, is actually the most secure operating system? No, on both counts. It is important to remember that tests such as this are a necessary part of uncovering potentially threatening vulnerabilities. It is also important to note that malware threats such as those used by the competitors are commonplace on the Internet. No system, regardless of operating system, is invulnerable to attack. The best way to protect your sensitive information is to practice common sense in your browsing and email habits, and to keep your anti-virus and anti-spy programs up to date. Back up your data often and avoid opening email messages if you're uncertain of the source. These few simple tactics will help prevent your system from falling to malicious hackers.

Mac Attack

In the battle royale that is PC versus Macintosh, the latter has traditionally held the lead on the question of system integrity and security from hackers. Mac's argument is essentially that almost no malware exists that targets the Macintosh line of computers. By contrast PC owners must be constantly vigilant against over one-hundred-thousand malware programs. Malware is a portmanteau of malicious software, and the term itself is a general label given to everything from viruses, to ad-ware and spyware, to phishing programs. Anything that can attack your computer in any way can be considered malware.

While valid, Macintosh's argument "malware doesn't exist for the Mac" needs to be taken with a grain of reality. PCs are used throughout the world in every business, agency, and occupation imaginable. By comparison, Macs occupy only a tiny fraction of this marketplace. PCs just make a much bigger and more attractive target than Macintosh.

This may be changing. In a recent story on NPR it was revealed that an increase has been observed by security firm F-Secure in the number of new malware programs for the Mac. This is being attributed to the run-away success of Mac's products in recent years. The Macbook (now running on traditionally PC components), the iPod, and the iPhone are top-selling technology items, and are contributing to Mac making itself a bigger target.

What this means for the consumer is that you cannot blithely dismiss virus threats anymore just because you have a Mac. Even a minor increase in the number of malicious software attacks on the Mac operating system indicates an increased level of interest in that platform on the part of malicious hackers. The number of attacks, and the number of software threats, will just continue to increase as more and more people turn to Macintosh, or adopt other Apple technologies like the iPod or iPhone. Much like PC users you can reduce the possibility of an infected OS by implementing some common sense computing practices:

• Practice cautious web browsing.
• Install anti-virus software and keep it up to date.
• Don't open attachments of any type if you don't know the sender.
• Don't install software if you don't know and trust the vendor.
  
• Run periodic virus scans (this is still less of a burden for Mac users than those clinging to the PC)

These are just five simple things that will either prevent your system being attacked all together, or catch an attack before it can do any damage. Doing just these five things will ensure you are able to enjoy your Mac for years to come.