The Month of Apple Bugs: lots

Forums › Mac OS › The Month of Apple Bugs: lots

1 | 2 | 3 | 4

298 posts

Ultimate Geek
Inactive user

#68043 21-Apr-2007 21:11

Just for clarity.

The successful attack on the second and final day of the contest required a conference organizer to surf to a malicious Web site using Safari on the MacBook--a type of attack familiar to Windows users. CanSecWest organizers relaxed the rules Friday after nobody at the event had breached either of the Macs on the previous day.

...the first box required a flaw that allows the attacker to get a shell with user level privilages. The second box, still up for grabs, requires the same, plus the attacker needs to get root.

And for a laugh

“It took $10,000 to break a Mac, but people break Windows machines for free every day!”

freitasm

BDFL - Memuneh
80655 posts

Uber Geek
+1 received by user: 41053

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#68047 22-Apr-2007 06:52

Don't get it? It's proven it can be done. That's the point. If the economics of doing it is so low that crooks won't do it in the field, that's another thing.

Surfing to an "infected" web page? Users do this all the time around the world. Not impossible at all that Mac OS users are no smarter than other and wouldn't do it.

Also, of course the attack requires a flaw. That's how it works most of the times. People notice "flaws" and use that to break in. Or have you not noticed that Apple released patches for 25 flaws in March and for 65 flaws in April?

And the money? Well clearly people don't want to invest time in breaking into Mac OS machines because of the numbers. How much effort is needed to find cheap development resources to create malware for Mac OS when you cvan get almost free development for Windows? This is because of the market penetration.

Still feeling safe?

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

CrispinMullins

128 posts

Master Geek

#68053 22-Apr-2007 11:32

freitasm: Still feeling safe?

Safer than I feel using Windows, yes.

Crispin Mullins
Auckland, New Zealand

bradstewart

4338 posts

Uber Geek
+1 received by user: 166

Retired Mod

Trusted

Lifetime subscriber

#68061 22-Apr-2007 12:34

Actually you are just as safe using Windows if you are smart.

barf

643 posts

Ultimate Geek

#68065 22-Apr-2007 14:06

freitasm: How much effort is needed to find cheap development resources to create malware for Mac OS when you cvan get almost free development for Windows?

The (official) Xcode developer tools for OSX are free, which is better than what can be said about Visual Studio prices. So the possibility of OSX malware being written is very real.

Apple/Mac users don't need to be vigilant, smart or spend big bucks on anti-spyware apps (and etc) to be safe online, I think thats the big difference. At the bottom line OSX is safer either by design or obscurity, take your pick

Sniffing the glue holding the Internet together

rscole86

4999 posts

Uber Geek
+1 received by user: 462

Moderator

Trusted

Lifetime subscriber

#68066 22-Apr-2007 14:22

I dont think anyone needs anti-spyware apps etc, it all depends on what sites you visit and what you blidly install.

On my vista PC ive been running it unprotected, defender has been disabled, for the last month with no problems what so ever :)

People just need to get a licence to use a PC :p

Dell

Shop now for Dell laptops and other devices (affiliate link).

lokinz

298 posts

Ultimate Geek
Inactive user

#68067 22-Apr-2007 15:08

freitasm: Don't get it? It's proven it can be done. That's the point. If the economics of doing it is so low that crooks won't do it in the field, that's another thing.

What I don't get is how you can say "only hours after a contest was launched".

I never once said it couldn't be done, so what's your point?

Surfing to an "infected" web page? Users do this all the time around the world. Not impossible at all that Mac OS users are no smarter than other and wouldn't do it.

Also, of course the attack requires a flaw. That's how it works most of the times. People notice "flaws" and use that to break in. Or have you not noticed that Apple released patches for 25 flaws in March and for 65 flaws in April?

And the money? Well clearly people don't want to invest time in breaking into Mac OS machines because of the numbers. How much effort is needed to find cheap development resources to create malware for Mac OS when you cvan get almost free development for Windows? This is because of the market penetration.

All of my quotes came from other sources and were posted for clarity on both the time frame (as yours was deceptive) and as much detail of the exploit as I could find. - Even the joke isn't mine, hence both the quote box and the "".

Still feeling safe?

Yes, there is nothing to suggest it affects Firefox.

I hope that helps you understand now

mike

307 posts

Ultimate Geek
+1 received by user: 20

Trusted

#68069 22-Apr-2007 15:26

Just for clarity, from Daring Fireball:

Thomas Ptacek has the scoop: Dino Dai Zovis winning exploit in the CanSecWest contest involves Java. It is not specific to Safari; Firefox and, I presume, Camino are also vulnerable. Turning off Java in your browser should defend against it.

No word if it's specific to Mac OS X, Intel or PPC...

thegeekboy

97 posts

Master Geek
+1 received by user: 19

#71796 22-May-2007 23:18

@ lokinz - I'm not so sure that Firefox is any safer - the flaw was not unique to Safari.

The flaw is in Java - and so affects Windows machines as well as Macs... and of course FF too.
see here: http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1252605,00.html

I've seen the opposing views about the security of Macs vs. PCs. I do own and use both types of computers which is good.

I agree with some of the comments made here.

Windows machines can be just as safe (but are still vulnerable to the flaw used in this attack) if the user does the right things.
Unfortunately in the real world not everyone is very computer savvy or smart.

There are things that Mac users can do to make themselves more secure than the standard settings too - and I would bet that a very small percentage of Mac users actually know that.
Mac vs. PC arguments are just a waste of time.
I prefer using my Mac compared to my PC - things are just easier to do, and it seems like more fun. (And remember - it's just a preference - I still LIKE both of them)
PC users shouldn't really criticise unless they have used a Mac for a decent period of time - and ACTUALLY know.
Mac users shouldn't spout Apples marketing while sounding smug - despite how they feel about their machines.

freitasm

BDFL - Memuneh
80655 posts

Uber Geek
+1 received by user: 41053

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#72396 27-May-2007 14:38

Please patch your Mac OS systems:

"Apple has released fixes for 17 OSX vulnerabilities, ranging from system takeover to denial-of-service attacks. It was the fifth security update released this year. It also marked the first time this year that an operating system security update from Apple did not patch a vulnerability disclosed by the January Month of Apple Bugs project. Today's update pushed Apple's year-to-date patch total to over 100. More than one of the affected flaws were called 'critical' or 'dangerous'."

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

rwales

122 posts

Master Geek

#72446 28-May-2007 06:31

CrispinMullins: I say Apple Mac OS X is not *as* vulnerable, and I base this mainly on the economics of the hacker who wants to make as big a splash

CrispinMullins: Security by obscurity (which is essentially what we're talking about) is but one piece of the puzzle, and nobody should rely on it. But it has its merits.

I would argue that massively popular, targetted software has more security than an obscure system. From the Apache website - "Apache has been the most popular web server on the Internet since April 1996. The November 2005 Netcraft Web Server Survey found that more than 70% of the web sites on the Internet are using Apache, thus making it more widely used than all other web servers combined.", so - IIS is more obscure than Apache, therefore Apache is more insecure than IIS? Without starting a flame-war, I'm sure many webmasters would respectfully disagree with you.

freitasm: However most of the malware installed on a Windows-based PC is not installed silently, but because some dumb user was tricked into opening an attachment or downloading and installing an unknown file.

Exactly. It may be that the malware 'enconomy' is not governed by the software, but the end user. Windows has strived (and largely succeeded) in securing the layman market. How many laymen are running OpenBSD? Gentoo? Of course, Ubuntu linux is making strong inroads into this demographic (now available preinstalled on Dells, school installations etc). What will be interesting in the coming years is to see how Ubuntu stands up security wise. For arguably the first time we have a free, well-known, reliable linux distro that my gran could install.

freitasm: Blame the developers who are stupid enough to require their software to run as Administrator because that's how they developed and tested without even thinking of having a second machine (or virtual machine) to test it as a normal user.

Everyone blames the developers *mumble*. On a serious note though, I've seen some major weaknesses in this vein. Applications that require the infamous 'sa' password to operate (and then store it, plaintext, on the client-side). These weren't fly-by-night small companies either, but enterprise grade applications. There's no excuse for this kind of practice, although it's often (PHB) management's fault for pushing poor (but fashionable) technology, setting unrealistic deadlines, fostering a 'who cares - so long as it does the job' attitude & overworking development staff rather than developer stupidity.

All your base are belong to us.

Geekzone support

Support Geekzone with one-off or recurring donations Donate via PressPatron.

CrispinMullins

128 posts

Master Geek

#72450 28-May-2007 07:28

rwales: I would argue that massively popular, targeted software has more security than an obscure system.

I think what you mean is that the more attention a given piece of software receives from hackers, the more likely it is that a larger percentage of existing vulnerabilities will be found, the right people notified, and the vulnerabilities removed.

But how does that detract from the reverse equation, which is that the less attention a given piece of software receives from hackers, the less likely it is that vulnerabilities will be discovered at all, by anyone? To my mind, both ring true. And security is not about the number of vulnerabilities that exist, but rather the likelihood that vulnerabilities will be found and exploited.

The November 2005 Netcraft Web Server Survey found that more than 70% of the web sites on the Internet are using Apache, thus making it more widely used than all other web servers combined.", so - IIS is more obscure than Apache, therefore Apache is more insecure than IIS?

IIS has a market share of about 30% at the moment. That's a bit of a stretch when it comes to obscurity.

C.Mullins
On tour

Crispin Mullins
Auckland, New Zealand

rwales

122 posts

Master Geek

#72454 28-May-2007 08:16

I think what you mean is that the more attention a given piece of software receives from hackers, the more likely it is that a larger percentage of existing vulnerabilities will be found, the right people notified, and the vulnerabilities removed.

Yes, that's what I mean. The more scrutiny a system gets, the more holes will get fixed, the less holes will ultimately exist at the end of the day.

But how does that detract from the reverse equation, which is that the less attention a given piece of software receives from hackers, the less likely it is that vulnerabilities will be discovered at all, by anyone? To my mind, both ring true. And security is not about the number of vulnerabilities that exist, but rather the likelihood that vulnerabilities will be found and exploited.

In the 'obscure' system, holes exist and are not exploited due to 'less attention'. In the scrutinized system, holes are exploited and fixed leading to a system with less holes. Follow the trend to conclusion. What happens when hackers can no longer exploit the scrutinized system? What happens when there's more (and easier) money to be made elsewhere? The attention will shift. Hence, security through obscurity is no security at all. In a different analogy, even the most remote, 'top-secret' military installation will still have guards. Without them it wouldn't be secure.

IIS has a market share of about 30% at the moment. That's a bit of a stretch when it comes to obscurity.

I was taking the extreme to clarify the argument. Even so, Apple sold more than 1.3 million Macs in the last quarter of 1999 [macfacts]. Hardly the picture of obscurity either.

All your base are belong to us.

CrispinMullins

128 posts

Master Geek

#72456 28-May-2007 08:37

rwales: What happens when hackers can no longer exploit the scrutinized system?

Um, they look for new vulnerabilities in the said system? Remember, there are no known Mac exploits in the wild...

What happens when there's more (and easier) money to be made elsewhere? The attention will shift. Hence, security through obscurity is no security at all. In a different analogy, even the most remote, 'top-secret' military installation will still have guards. Without them it wouldn't be secure.

The analogy is correct, but I fear it's an inappropriate analogy: Despite the obscurity of the vulnerabilities in Mac OS, it continues to come with a firewall as standard and a permissions system that works, for example. But as a single piece of the puzzle, security by obscurity has its merits.

I was taking the extreme to clarify the argument. Even so, Apple sold more than 1.3 million Macs in the last quarter of 1999 [macfacts]. Hardly the picture of obscurity either.

1.3 million firewalled Macs vs. god knows how many unprotected Windows machines -- that IS the picture of obscurity! And we all know which way the hackers have gone. As I say, no known Mac exploits in the wild (yet).

C. Mullins

Crispin Mullins
Auckland, New Zealand

rwales

122 posts

Master Geek

#72462 28-May-2007 09:18

The analogy is correct, but I fear it's an inappropriate analogy: Despite the obscurity of the vulnerabilities in Mac OS, it continues to come with a firewall as standard and a permissions system that works, for example. But as a single piece of the puzzle, security by obscurity has its merits.

The argument is obscurity versus prominance. Fundamentally, OS X is a good, secure system (based on decades of tried & tested *nix). However, obscurity is *not* what makes it secure.

1.3 million firewalled Macs vs. god knows how many unprotected Windows machines -- that IS the picture of obscurity!

It's all about economics. 1.3 million machines would be very much worth my time to compromise - and that's just what was sold in 1 quarter. If I get a buck for the raft of adverts I can put onto 1.3 million machines, that's a quick 1.3 million bucks, or just under a *lifetime* of commerical development. Can you imagine what a zero day exploit of OS X would be worth? A group of security researchers found 62 vulnerabilities in 3 months. You must be grateful they weren't tempted by the lucrative sums of money offered by spam peddlers for access to virgin desktops?

And we all know which way the hackers have gone.

So far. No guarantee where the future will take them.

As I say, no known Mac exploits in the wild (yet).

Indeed.

I have a lot of respect for Darwin/FreeBSD (although I prefer OpenBSD personally). In fact, to quote from OpenBSD's press page, "security through obscurity" is "the myth that just won't go away".

All your base are belong to us.

1 | 2 | 3 | 4