or Connect
AppleInsider › Forums › Software › Mac OS X › Mac security researcher wins Pwn2Own contest
New Posts  All Forums:Forum Nav:

Mac security researcher wins Pwn2Own contest

post #1 of 82
Thread Starter 
In a repeat performance of last year, security researcher Charlie Miller arrived at the CanSecWest conference this week with a prepared exploit to use in cracking Safari running on Mac OS X.

Unsurprisingly, Miller was able to use his exploit to immediately win the event's "Pwn2Own" contest, generating headlines that suggested that Macs are inherently less secure, despite the fact that every browser involved in the contest failed on the first day.

This year's contest arranged for two test computers. According to the CanSecWest event's official website, which is oddly littered with typos, the "Browsers and Associated Text PAltform" [sic] were a Sony Vaio PC running a prerelease Windows 7 beta with Internet Explorer 8, Firefox, and Google's new Chrome browser, and a MacBook running Safari and Firefox.

In each of the three days of the contest, the exploit rules were intended to be progressively relaxed, starting only with exploits that attacked the browser itself, then adding Flash, Java, .Net and QuickTime to the mix on day two, and then "popular apps such as Acrobat Reader" on the third day.

Finding vulnerabilities

The Pwn2Own contest is being presented as a shootout between Mac and Windows browsers. Last year's contest also included Linux, but attendees with the ability to crack Linux "didnt want to put the work into developing the exploit code that would be required to win the contest," according to a report by IDG.

That fact highlights that, in reality, the platforms and browsers involved aren't targeted by a series of equal attacks. Instead, researchers arrive with exploits they hope to use against vulnerabilities they are aware of in specific platforms or browsers, but have not yet reported. Were they to report the exploits in advance, they would be patched by the vendor. There's no money in that, so the contest provides an incentive to report vulnerabilities.

In exchange for the winning prize, Miller granted the reporting rights to the discovered flaw in Safari to TippingPoints Zero Day Initiative, which will coordinate the handling of the disclosure and the patch release process with Apple. When a vulnerability is reported to Apple, the company credits the discoverer with finding the problem when issuing a patch for it.

Last year, Miller's winning attack on Safari actually targeted the open source Perl Compatible Regular Expressions library used by WebKits JavaScript engine, an exploit he also made headlines with for using against the iPhone. Apple's extensive use of open source software makes it far easier for researchers to discover exploits for at their leisure, compared to closed proprietary software. It wasn't Apple's proprietary code in Safari that was cracked.

At the same time, proprietary, closed code isn't invulnerable due to its opaque "security through obscurity." Windows Vista was cracked in last year's contest due to a flaw in the Adobe Flash plugin, which is not open source but which security experts were still able to exploit.

Patching vulnerabilities

At the same time, Apple's use of open source also enables the company to issues more security patches and operating system updates than Microsoft does, according to a study of Windows and Mac OS X releases conducted by the Swiss Federal Institute of Technology.

That group found that in the years between 2002 and 2007, Apple released 815 patches compared to 678 by Microsoft. In that timeframe, Apple shipped five paid reference releases of Mac OS X (Jaguar, Panther, Tiger, Tiger for Intel, and Leopard) and 33 free updates, including eight for Jaguar, nine for Panther, eleven for Tiger, and one for Leopard, a total of 38 significant feature and security releases, excluding Mac OS X Server, the iPhone, and standalone security patches.

In contrast, Microsoft only released a total of seven updates over that period, including Windows XP SP1 and SP2; Windows Server 2003, SP1, R2, and SP2; and Windows Vista. In the year since, Microsoft has released two service packs for Vista and one for XP. Apple has released five additional free updates for Leopard, again not counting Mac OS X Server patches or iPhone updates.



"Simplifying security to the point of uselessness"

The oversimplification of the Pwn2Own contest's results by the media has resulted in criticism of how the contest is portrayed and conducted. The Pwn2Own contest is "simplifying security to the point of uselessness," according to comments by Jeff Jones, the director of Microsoft's security group.

Last year, Jones addressed CanSecWest in a blog post which stated, "I don't really care for 'hack the box' contests. If a machine doesn't get hacked, it does not mean it isn't breakable. If it does get hacked, it just shows us what we already know - any machine can be broken under the right circumstances. So, don't read too much into the PWN 2 OWN results. I don't."

Last year's contest was also distorted by the arbitrary timing of patches, with Miller's successful exploit for Safari happening to miss Apple's patch cycle, while other researchers armed with exploits for Windows Vista were stymied by the last minute application of the then-new Vista Service Pack 1.

The contest is also somewhat removed from reality due to the fact that it pits the current release of Mac OS X with new versions of Windows that do not reflect what the vast majority of Windows PC users are actually running. Last year, Vista was only in use by a small fraction of early adopters (and even now, less than a quarter of the installed base is using it), and SP1 was so new and problematic that PC World was advising users not to install it until "the wrinkles are ironed out."

This year, the use of the prerelease Windows 7 operating system, which security researchers have had limited access and time to study, combined with the fact that Microsoft expressly warns users not to use it in production environments, tends to create the impression that Pwn2Own is more about theoretical games than real world security issues relevant to end users.

Security in the real world

The real world security problems that affect today's Windows users relate to the fact that there are not only more discovered flaws on Windows, but that these flaws are being actively exploited to develop viruses, spyware, adware, and other malware. Further, there are vast numbers of machines that are not promptly updated with the patches that do exist, resulting in fleets of vulnerable botnets that actively distribute new attacks to other systems. These two problems aggravate each other to create the Windows security crisis.

While pundits like to talk about numbers of discovered vulnerabilities, often failing to correctly compare similar code on each side (with Mac OS X inheriting the vulnerability counts in optional open source server programs, Java, and other components that are not considered on the Windows side), the real problem is active exploits. Mac OS X continues to have no real viruses, while Windows users continue to be plagued by viruses, adware, and other security problems.

At the same time however, the tech media is promoting the CanSecWest event as a "security shootout," with at least one report noting that browsers on the Windows box were "still standing" after Miller successfully applied his exploit attack to the Mac, as if the Windows box had somehow successfully dodged Miller's exploit rather than simply never having been aimed at by his open source attack.

Internet Explorer 8 on the Windows machine was exploited shortly afterward by a different researcher calling himself Nil, followed by his demonstration of a successful crack of the Firefox browser.
post #2 of 82
Quote:
In each of the three days of the contest, the exploit rules were intended to be progressively relaxed, starting only with exploits that attacked the browser itself, then adding Flash, Java, .Net and QuickTime to the mix on day two, and then "popular apps such as Acrobat Reader" on the third day.

Once again, Miller needed actual access to the machine through admin privileges, just like last year. Nothing to see here, move along.
post #3 of 82
Quote:
Originally Posted by slacker00 View Post

Once again, Miller needed actual access to the machine through admin privileges, just like last year. Nothing to see here, move along.

Don't be so fast to shrug it off. Users need stories like this as a reality check: Your computer isn't safe from your other personality.
post #4 of 82
Quote:
Originally Posted by arteckx View Post

Don't be so fast to shrug it off. Users need stories like this as a reality check: Your computer isn't safe from your other personality.

How is it a feat when you need admin privileges to do anything? Why is it that CanSecWest never advertise this bit much, nor that people spend months preparing their "exploits" that do nothing on day 1, which is real world tests anyway...
post #5 of 82
That's it, the internet cannot be trusted. Call Al Gore, tell him to turn it off.
"Picasso had a saying, 'Good artists copy, great artists steal.' And we've always been shameless about stealing great ideas."
Reply
"Picasso had a saying, 'Good artists copy, great artists steal.' And we've always been shameless about stealing great ideas."
Reply
post #6 of 82
Quote:
Originally Posted by slacker00 View Post

How is it a feat when you need admin privileges to do anything? Why is it that CanSecWest never advertise this bit much, nor that people spend months preparing their "exploits" that do nothing on day 1, which is real world tests anyway...

It's not a feat. Hence the laughing smiley and the loose Jekyll and Hyde reference. Worrying about turning into an evil hacking monster when you're logged into your admin account is silly, just like tests that normally succeed.
post #7 of 82
The article starts off as announcing the results of a hacking contest. It then discusses Windows and Macintosh patches. It then proceeds to discredit the contest. What are we trying to say here? Mac rules, Windows sux? The Mac was hacked, but the contest sucks?
Most of us employ the Internet not to seek the best information, but rather to select information that confirms our prejudices. - Nicholas D. Kristof
Reply
Most of us employ the Internet not to seek the best information, but rather to select information that confirms our prejudices. - Nicholas D. Kristof
Reply
post #8 of 82
If Charlie Miller gained root access (the claim is that after executing the exploit by clicking a link on a website, he "owned" the computer), Mac OS X is certainly lacking in security.

Even if the account he used had administrator rights, it cannot be used to get access to other accounts on the machine or to install software or to run 'sudo bash' etc. Not without a password, that is.

So this means that at least two security exploits must exist, one in Safari to get hold on the user (or administrator) account, and one to elevate the account to root level.

J.
post #9 of 82
Quote:
Originally Posted by talksense101 View Post

The article starts off as announcing the results of a hacking contest. It then discusses Windows and Macintosh patches. It then proceeds to discredit the contest. What are we trying to say here? Mac rules, Windows sux? The Mac was hacked, but the contest sucks?

Na, I don't think it's that. I see both points, but it's true that one of the foundations of a Mac's security is that nothing auto executes on a mac. It always asks for u-name and p-word. If a user is already logged in as an admin (or has admin privs...then that user (or hacker) can pretty much do anything.

Am I mistaken?
post #10 of 82
People of course jumped on the "Mac is the most insecure platform" bandwagon but the security of Mac OS X was not discredited in this contest. The security of Safari was discredited. The user needed to click a link in Safari in order to execute the code so if you're not using Safari as your browser, you're not affected by it.

Oh, and just to add - I really dislike these biased Mac vs PC articles on AppleInsider. I'd rather just have the facts (which I read elsewhere in this case) and make up my own opinion.
post #11 of 82
Lot of buzz, no real thing happen around.
This contest is like a make a heist on Fort Knox without guards, video cameras, lasers, infra reds off and giving the bad guys an all level access card/id to the whole building.

just bs
post #12 of 82
If you read the article you'll find that he was also able to exploit IE8 and Firefox:
Quote:
It took a while longer but Microsofts Internet Explorer 8 did not survive the hacker onslaught at this years CanSecWest Pwn2Own contest.

Quote:
later in the afternoon, he exploited a Firefox zero-day flaw to claim the trifecta.
bb
Reply
bb
Reply
post #13 of 82
Quote:
Originally Posted by 2blindforyou2 View Post

If a user is already logged in as an admin (or has admin privs...then that user (or hacker) can pretty much do anything.

Am I mistaken?

Yes, see my comment above.

J.
post #14 of 82
Quote:
Originally Posted by Shookster View Post

Oh, and just to add - I really dislike these biased Mac vs PC articles on AppleInsider. I'd rather just have the facts (which I read elsewhere in this case) and make up my own opinion.

Yeah, its a good article, without all of the bits trying to discredit the report. Mac's aren't magically super secure, nor are they completely insecure. Taking the report a bit less personally would make for better reporting.
post #15 of 82
Winblows was also hacked, and I believe that new Winblows in particular, the one that tries to be an upside-down, ass-bakwards copy of OS X. Again. It's the allegedly fixed version of Vista. LOL, we'll see.

Besides, if you have to click on a link, the whole challenge is auto-FAIL.

And for those of us that are a bit worried . . .

WINDOWS VIRUSES/MALWARE (but just the appetizer menu):

Windows PC worm infection numbers skyrocket; Macintosh unaffected - January 19, 2009
Dangerous new sleeper virus exposes millions of Windows PCs to hijack; Macintosh unaffected - January 16, 2009
Zero-day attack targets all versions of Internet Explorer; Mac users unaffected - December 12, 2008
Windows worm loose on International Space Station; Mac-using astronauts unaffected - August 27, 2008
Microsoft inflicts Internet Explorer 8 Beta; Mac users unaffected - March 05, 2008
Gathering ‘Storm’ superworm poses grave threat to Windows PCs; Apple Macs unaffected - October 19, 2007
Windows virus cripples Florida newspaper; Mac-based publishers unaffected - March 02, 2007
Insidious Windows virus threatens business networks worldwide; Macintosh unaffected - March 01, 2007
Windows ‘Storm Worm’ rages across globe; Apple Macintosh unaffected - January 19, 2007
Sony, Gracenote sound alarm over Microsoft flaw; Macintosh unaffected - September 19, 2006
PowerPoint zero-day attack compromises data in infected Windows PCs; Mac OS X unaffected - July 21, 2006
Windows PC users infected with worm face loss of all Microsoft, Adobe files; Mac users unaffected - January 31, 2006
Microsoft Windows’ Zero-Day WMF flaw threats widespread; Macintosh unaffected - December 29, 2005
Microsoft Windows virus spreads rapidly; Apple Macintosh unaffected - November 28, 2005
Windows users fall victim to huge ID theft ring, 50 banks in danger; Apple Mac users unaffected - August 25, 2005
Quickly spreading Microsoft Windows worm affects CNN, ABC, NY Times; Apple Macintosh unaffected - August 16, 2005
‘Zotob’ worm rapidly infects Microsoft Windows; Macintosh unaffected - August 15, 2005
16-percent of computer users are unaffected by viruses, malware because they use Apple Macs - June 15, 2005
Microsoft warns of critical Windows flaws; unaffected Mac users just continue working - June 15, 2005
Michael Jackson suicide spam hides Windows virus; Macintosh unaffected - June 10, 2005
Windows Sober.p poised to attack this Monday; Macintosh unaffected - May 21, 2005
Microsoft Windows Sober.P worm shows ‘epidemic’ spread; Macintosh unaffected - May 03, 2005
Anzae/Inzae worm affects all Windows versions after 3.1; Macintosh unaffected - December 28, 2004
Windows Mydoom worm variant spreading in the wild; Macintosh unaffected - November 09, 2004
Windows XP worm speaks to users as it deletes their files; Macintosh unaffected - September 13, 2004
Millions of Windows PC’s hijacked by hackers, turned into zombies; Macintosh unaffected - September 08, 2004
Windows ‘Zindos’ virus spreads, attacks Microsoft.com; Macintosh unaffected - July 29, 2004
New Windows Bagle virus variants spread; Macintosh unaffected - July 16, 2004
Windows Lovegate worm variant renders computers useless; Macintosh unaffected - July 08, 2004
Windows Scob virus collects passwords, financial data; Macintosh unaffected - July 05, 2004
Windows ‘Scob’ virus designed to steal financial data, passwords; Macintosh unaffected - June 26, 2004
Windows users warned of infectious Web sites that take over computers; Mac users unaffected - June 25, 2004
Windows Korgo virus ‘aggressively stealing’ credit card numbers; Macintosh unaffected - June 04, 2004
First Windows 64-bit virus appears; Macintosh unaffected - May 27, 2004
Windows Wallon virus wipes out Microsoft Media Player on infected PCs; Macintosh unaffected - May 12, 2004
Windows Sasser worm mutates, knocks out banks, EC; Macintosh unaffected - May 04, 2004
Windows Sasser worm severely disrupts UK coastguard; Mac users remain unaffected - May 04, 2004
Windows Sasser net worm spreading rapidly; Macintosh unaffected - May 03, 2004
Sen. Edward Kennedy’s Apple Mac-based office totally unaffected by viruses - March 22, 2004
Five new Windows Bagle virus variants break nasty new ground; Macintosh unaffected - March 19, 2004
Windows worm, virus outbreaks intensify; Macintosh unaffected - March 03, 2004
Destructive MyDoom.F virus deletes Windows users’ files; Macintosh unaffected - March 01, 2004
Netsky-D Windows worm spreading; Macintosh unaffected - March 01, 2004
Windows users suffer five new Bagle worm variants; Macintosh unaffected - March 01, 2004
New MyDoom Windows worm deletes random files; Macintosh unaffected - February 25, 2004
Windows NetSky e-mail worm spreading; Macintosh unaffected - February 18, 2004
Windows virus ‘Bagle.B’ spreading; Macintosh unaffected - February 17, 2004
‘Doomjuice’ worm emerges, targets Microsoft; Macintosh unaffected - February 10, 2004
New version of Mydoom Windows virus appears, attacks Microsoft; Macintosh unaffected - January 28, 2004
Latest Windows virus ‘MyDoom’ sets new infection records worldwide; Macintosh unaffected - January 27, 2004
‘MyDoom’ Windows virus spreads rapidly; Macintosh unaffected - January 26, 2004
New Windows worm spreading ‘hard and fast’ worldwide; Macintosh unaffected - January 19, 2004
Florida students patch 360 PCs in marathon session due to Blaster virus; their Macs unaffected - October 01, 2003
Pennsylvania school district’s PCs infected with virus; their Macs unaffected - October 01, 2003
New ‘Swen worm’ masquerades as Windows Security Update; Macintosh unaffected - September 19, 2003
University of Illinois still patching all Windows machines; Macintosh unaffected - September 05, 2003
Montana school district’s Windows computers offline due to worm; Macintosh computers unaffected - September 03, 2003
A tale of two school systems: Windows schools crippled while Mac schools unaffected - August 21, 2003
SoBig virus variant rapidly inflecting Windows machines; Macintosh unaffected - August 19, 2003
Windows Blaster worm to attack Microsoft on Saturday; Macintosh unaffected - August 13, 2003
MBlast Worm spreads through flaw in Windows; Macintosh unaffected - August 11, 2003
Hackers hijack Windows PCs for porn serving; Macintosh unaffected - July 11, 2003
Palyh Worm strikes Windows users worldwide; Macintosh unaffected - May 19, 2003
Microsoft bug exposes millions to attack; Macintosh unaffected - November 20, 2002


Don't worry, it's only a partial list. There's thousands more where that came from.

OS X VIRUSES/MALWARE IN THE WILD:

Like 2. Maybe. In over 7 years. But make sure to click on the obvious links, though, otherwise nothing will happen. With OS X, "infection" is a two-way street. You need to put in the effort!

That's really all we need to know.
post #16 of 82
As a long time Apple user I have gotten used to the tech media going after the company with venom dripping from their pens. I have also gotten used to the slugs and slime that slither around this and other Apple centric forums putting down every single thing the company releases. It just goes with the territory of being the company that forces change in the industry, the company that's always out at the frontier moving forward.

I don't like it but I know I have to just accept it. Meanwhile the proof is in the pudding. The company is wildly successful, profitable, and has customer loyalty unmatched by any company in the world, ever. It's not going away anytime soon, much to the chagrin of countless trolls here and elsewhere.
post #17 of 82
Quote:
Originally Posted by lkrupp View Post

As a long time Apple user I have gotten used to the tech media going after the company with venom dripping from their pens. I have also gotten used to the slugs and slime that slither around this and other Apple centric forums putting down every single thing the company releases. It just goes with the territory of being the company that forces change in the industry, the company that's always out at the frontier moving forward.

I don't like it but I know I have to just accept it. Meanwhile the proof is in the pudding. The company is wildly successful, profitable, and has customer loyalty unmatched by any company in the world, ever. It's not going away anytime soon, much to the chagrin of countless trolls here and elsewhere.

Kudos, someone with common sense
post #18 of 82
Quote:
Originally Posted by lkrupp View Post

As a long time Apple user I have gotten used to the tech media going after the company with venom dripping from their pens. I have also gotten used to the slugs and slime that slither around this and other Apple centric forums putting down every single thing the company releases. It just goes with the territory of being the company that forces change in the industry, the company that's always out at the frontier moving forward.

I don't like it but I know I have to just accept it. Meanwhile the proof is in the pudding. The company is wildly successful, profitable, and has customer loyalty unmatched by any company in the world, ever. It's not going away anytime soon, much to the chagrin of countless trolls here and elsewhere.

Very well put. Bolded the really important part. And there's good reason for that kind of loyalty.
post #19 of 82
Quadra 610: Great post but come on, don't tease ... give us the full list
p.s. Send to all newspapers about to run the results of this competition.
Enjoying the new Mac Pro ... it's smokin'
Been using Apple since Apple ][ - Long on AAPL so biased
nMac Pro 6 Core, MacBookPro i7, MacBookPro i5, iPhones 5 and 5s, iPad Air, 2013 Mac mini.
Reply
Enjoying the new Mac Pro ... it's smokin'
Been using Apple since Apple ][ - Long on AAPL so biased
nMac Pro 6 Core, MacBookPro i7, MacBookPro i5, iPhones 5 and 5s, iPad Air, 2013 Mac mini.
Reply
post #20 of 82
Quote:
Originally Posted by digitalclips View Post

Quadra 610: Great post but come on, don't tease ... give us the full list
p.s. Send to all newspapers about to run the results of this competition.

Oh yes, there's so much more! I won't post because I don't want to overload AI.

But anyway, here's the latest:

http://news.cnet.com/8301-1009_3-10196122-83.html

Complete, utter mess. All it did was get worse. It's so bad, that lame MS is offering a reward.

And OS X remains unaffected. Again.
post #21 of 82
Quote:
Originally Posted by lkrupp View Post

As a long time Apple user I have gotten used to the tech media going after the company with venom dripping from their pens. I have also gotten used to the slugs and slime that slither around this and other Apple centric forums putting down every single thing the company releases. It just goes with the territory of being the company that forces change in the industry, the company that's always out at the frontier moving forward.

I don't like it but I know I have to just accept it. Meanwhile the proof is in the pudding. The company is wildly successful, profitable, and has customer loyalty unmatched by any company in the world, ever. It's not going away anytime soon, much to the chagrin of countless trolls here and elsewhere.

Ever? What about Porsche?

Honestly though, whenever you're on top or threatening to take the crown. Those below will hate and those currently there and their allies will sling mud.
[center] "Hey look, it's in the center. I am SO cool!"[/center]
Reply
[center] "Hey look, it's in the center. I am SO cool!"[/center]
Reply
post #22 of 82
In a repeat performance from last week/last month Daniel Eran Dilger of Roughly Drafted posts another maniacal diatribe under the pseudonym Prince McLean and once again drives the staunchest of fanboys running for the exits. AI: you're going to have to learn that this isn't doing your street cred any good.
post #23 of 82
Quote:
Originally Posted by StuBeck View Post

Yeah, its a good article, without all of the bits trying to discredit the report. Mac's aren't magically super secure, nor are they completely insecure. Taking the report a bit less personally would make for better reporting.

Quote:
Originally Posted by talksense101 View Post

The article starts off as announcing the results of a hacking contest. It then discusses Windows and Macintosh patches. It then proceeds to discredit the contest. What are we trying to say here? Mac rules, Windows sux? The Mac was hacked, but the contest sucks?

Dilger has personal issues.
post #24 of 82
Quote:
Originally Posted by Fairly View Post

In a repeat performance from last week/last month Daniel Eran Dilger of Roughly Drafted posts another maniacal diatribe under the pseudonym Prince McLean and once again drives the staunchest of fanboys running for the exits. AI: you're going to have to learn that this isn't doing your street cred any good.

Wow. I guess someone is feeling very threatened. Maybe what he said hit close to home???

While I would have liked to see more detail from both Prince Mclean and from the original author of the ConWest article, its nice to see more than one side to these "Macs are all bad, oK?" hit pieces.

OH, and you post just proves my point. LOL

Just a thought.
en
post #25 of 82
The real world security problems that affect today's Windows users relate to the fact that there are not only more discovered flaws on Windows, but that these flaws are being actively exploited to develop viruses, spyware, adware, and other malware. Further, there are vast numbers of machines that are not promptly updated with the patches that do exist, resulting in fleets of vulnerable botnets that actively distribute new attacks to other systems. These two problems aggravate each other to create the Windows security crisis.

While pundits like to talk about numbers of discovered vulnerabilities, often failing to correctly compare similar code on each side (with Mac OS X inheriting the vulnerability counts in optional open source server programs, Java, and other components that are not considered on the Windows side), the real problem is active exploits. Mac OS X continues to have no real viruses, while Windows users continue to be plagued by viruses, adware, and other security problems.

At the same time however, the tech media is promoting the CanSecWest event as a "security shootout," with at least one report noting that browsers on the Windows box were "still standing" after Miller successfully applied his exploit attack to the Mac, as if the Windows box had somehow successfully dodged Miller's exploit rather than simply never having been aimed at by his open source attack. Internet Explorer 8 on the Windows machine was exploited shortly afterward by a different researcher calling himself Nil, followed by his demonstration of a successful crack of the Firefox browser.


Seems reasonable to me.
post #26 of 82
This article perfectly demonstrates what I consider to be a disappointingly smug attitude of many Apple users. Truth is that the Mac isn't currently targeted for attacks, not because it is inherently more secure than other operating systems, but because it isn't as large of a target and the potential payoff therefore isn't as great. Anybody that believes that their Mac is immune to exploits from security issues is living with their head in the sand. Everyone still needs to practice safe computing, i.e. staying away from potentially malicious web sites, not installing software that shouldn't be trusted, keeping our systems up to date with security patches, using a good quality router/firewall, etc. Just because there aren't any significant exploits in the wild today does NOT mean that the platform is immune. Windows didn't have significant security exploits in the wild once upon a time as well. It's really only a matter of time before someone decides that they want to create a Mac virus/worm. And anyone who believes that their computer is inherently immune is in for a very rude awakening at that point.

There also seems to be a fundamental misunderstanding of security here too. Posts like "you need a password to gain access to the machine" make this pretty clear. Security holes aren't security holes because you intentionally grant access to your machine (that's called social engineering, not an exploit), they're security holes because there is a fundamental coding problem in the underlying application/operating system. Most viruses and worms on Windows never asked for permission to be installed; they took advantage of flaws in a browser, application, or in Windows itself, even while users are logged on with non-administrative privileges. Requiring a username/password, or running as a non-admin user (while they may make exploits harder to find) grant a false sense of security; a computer is only as secure as its weakest link, and that link could be anywhere in the chain from browser plugin to operating system to device drivers and the kernel, or even the BIOS/EMI itself. The fact is that there are a lot of links in that chain that inherently have (and require) low level access to your computer, and an exploit in any one of those can potentially turn access to your entire machine over to whatever code happens to be attempting to run. Only the top few layers are protected by the user login. Just because you are logged on with a normal user account doesn't mean that there isn't code running on your computer that has access to everything, because the truth is that there is, and a heck of a lot of it. And an exploit in any of that code can grant access to everything. Just because you don't let someone through the front door of your home doesn't mean they can't come in another way.

So while it seems the majority of the people posting on this forum are dismissing this as insignficant, I believe it is a bit naive to do so. The fact remains that there are indeed exploitable security issues on every computing platform, and OS X is NOT immune. Just because it isn't actively being targeted, it doesn't mean that it is 100% safe. I certainly wouldn't be caught dead (pun intended) putting a Mac connected to the internet in control of launching nuclear weapons, anyway. This test demonstrates that all computing platforms have issues, whether Mac users choose to bury their heads in the sand or not.
post #27 of 82
Quote:
Originally Posted by djdj View Post

This article perfectly demonstrates what I consider to be a disappointingly smug attitude of many Apple users. Truth is that the Mac isn't currently targeted for attacks, not because it is inherently more secure than other operating systems, but because it isn't as large of a target and the potential payoff therefore isn't as great. ....

No one is saying that Mac OS-X is immune from viruses so most of your argument in regards that is a waste of time. The part highlighted above, that you started out with (security through obscurity) has been dis-proven many times over. When deciding between Windows and Mac, the Mac system *is* inherently more secure (not perfectly secure), than Windows, by design.

Also, while you are correct that a computer can be attacked without a user's password, to imply anything other than the fact that the majority of attacks are "socially" based is to ignore the truth. Most problems (on both systems), come from a user clicking on something they shouldn't.
In Windows, a window can be a document, it can be an application, or it can be a window that contains other documents or applications. Theres just no consistency. Its just a big grab bag of monkey...
Reply
In Windows, a window can be a document, it can be an application, or it can be a window that contains other documents or applications. Theres just no consistency. Its just a big grab bag of monkey...
Reply
post #28 of 82
Quote:
Originally Posted by djdj View Post

This article perfectly demonstrates what I consider to be a disappointingly smug attitude of many Apple users. Truth is that the Mac isn't currently targeted for attacks, not because it is inherently more secure than other operating systems, but because it isn't as large of a target and the potential payoff therefore isn't as great. Anybody that believes that their Mac is immune to exploits from security issues is living with their head in the sand. Everyone still needs to practice safe computing, i.e. staying away from potentially malicious web sites, not installing software that shouldn't be trusted, keeping our systems up to date with security patches, using a good quality router/firewall, etc. Just because there aren't any significant exploits in the wild today does NOT mean that the platform is immune. Windows didn't have significant security exploits in the wild once upon a time as well. It's really only a matter of time before someone decides that they want to create a Mac virus/worm. And anyone who believes that their computer is inherently immune is in for a very rude awakening at that point.

There also seems to be a fundamental misunderstanding of security here too. Posts like "you need a password to gain access to the machine" make this pretty clear. Security holes aren't security holes because you intentionally grant access to your machine (that's called social engineering, not an exploit), they're security holes because there is a fundamental coding problem in the underlying application/operating system. Most viruses and worms on Windows never asked for permission to be installed; they took advantage of flaws in a browser, application, or in Windows itself, even while users are logged on with non-administrative privileges. Requiring a username/password, or running as a non-admin user (while they may make exploits harder to find) grant a false sense of security; a computer is only as secure as its weakest link, and that link could be anywhere in the chain from browser plugin to operating system to device drivers and the kernel, or even the BIOS/EMI itself. The fact is that there are a lot of links in that chain that inherently have (and require) low level access to your computer, and an exploit in any one of those can potentially turn access to your entire machine over to whatever code happens to be attempting to run. Only the top few layers are protected by the user login. Just because you are logged on with a normal user account doesn't mean that there isn't code running on your computer that has access to everything, because the truth is that there is, and a heck of a lot of it. And an exploit in any of that code can grant access to everything. Just because you don't let someone through the front door of your home doesn't mean they can't come in another way.

So while it seems the majority of the people posting on this forum are dismissing this as insignficant, I believe it is a bit naive to do so. The fact remains that there are indeed exploitable security issues on every computing platform, and OS X is NOT immune. Just because it isn't actively being targeted, it doesn't mean that it is 100% safe. I certainly wouldn't be caught dead (pun intended) putting a Mac connected to the internet in control of launching nuclear weapons, anyway. This test demonstrates that all computing platforms have issues, whether Mac users choose to bury their heads in the sand or not.


the Mac isn't currently targeted for attacks,

It hasn't been for over 7 YEARS now. How long will it take? Another 3 years? Maybe another 5? We're still waiting. Hopefully we'll still be alive when something happens. And with that upside-down, ass-backwards clone-attempt of OS X (Windows 7), it looks like yet another iteration of the worst OS on the planet will keep hackers and malware writers happy for some time to come.

Until OS X *is* "targeted" (whatever that means), we'll stay quite smug, thank you.
post #29 of 82
Quote:
Originally Posted by Quadra 610 View Post

Oh yes, there's so much more! I won't post because I don't want to overload AI.

But anyway, here's the latest:

http://news.cnet.com/8301-1009_3-10196122-83.html

Complete, utter mess. All it did was get worse. It's so bad, that lame MS is offering a reward.

And OS X remains unaffected. Again.

People think that just because there is a windows virus out there that windows automatically gets infected. Not true at all.
Just like with OSX it's up to the user to allow a virus in. I don't think there is a single case of Vista getting infected with a virus with UAC left on unless the user allowed it through.

Security is less about the OS and more about the person behind the keyboard. Just because you have an OS that is touted as more secure doesn't mean it is. Hell you just have to visit a certain website with OSX and safari to get hacked.
Trojans can masquerade in apps and when you authorize the app to install you inadvertently install the trojan.

Most people are stupid. And on other platforms and a false sense of security anything can happen. One must always remain vigilant.

The problem with this particular test is they used a beta OS and a beta browser. And considering it's beta it still outlasted OSX. I'm curious as to which beta release of 7 they were using.
post #30 of 82
Quote:
Originally Posted by Virgil-TB2 View Post

No one is saying that Mac OS-X is immune from viruses so most of your argument in regards that is a waste of time. The part highlighted above, that you started out with (security through obscurity) has been dis-proven many times over. When deciding between Windows and Mac, the Mac system *is* inherently more secure (not perfectly secure), than Windows, by design.

Also, while you are correct that a computer can be attacked without a user's password, to imply anything other than the fact that the majority of attacks are "socially" based is to ignore the truth. Most problems (on both systems), come from a user clicking on something they shouldn't.

Ok, how is it more secure by design?

I have yet to see security through obscurity disproven. Do you have any links?
post #31 of 82
Quote:
Originally Posted by djdj View Post

This article perfectly demonstrates what I consider to be a disappointingly smug attitude of many Apple users. Truth is that the Mac isn't currently targeted for attacks, not because it is inherently more secure than other operating systems, but because it isn't as large of a target...

No one is arguing that point, once Macs attain a larger user base they will face more viruses.

However, viruses on a Windows platform, especially when using IE, can download and install immediately without the user's intervention, and sometimes the window that is performing these tasks will be working behind your main browser window, and sometimes it will be happening right in front of you and there would be nothing you can do about it. Although all that can be minimized by delving into the arduous tasks of setting up Internet securities and ActiveX.
BTW: Windows UAC is the most annoying security "feature" I've ever run into.

On the Mac, a virus can force an automatic file download and if it was professionally crafted, it can also launch the file; however, you'll get an alert stating the the file you're about to decompress or launch is from the internet and that it has never been launched before. Even if you mistakingly clicked "Open" you'll have to insert your password to actually initiate the installation process.
This even applies to installing updates through Apple's own "Software Update".

Snow Leopard will have even a safer way of isolating downloads by sandboxing apps.
bb
Reply
bb
Reply
post #32 of 82
Quote:
Originally Posted by Quadra 610 View Post

Until OS X *is* "targeted" (whatever that means), we'll stay quite smug, thank you.

Yep, smug as a bug in a rug.

Quote:
Originally Posted by Quadra 610 View Post


That's really all we need to know.

Exactly
post #33 of 82
Quote:
Originally Posted by djdj View Post

This article perfectly demonstrates what I consider to be a disappointingly smug attitude of many Apple users. Truth is that the Mac isn't currently targeted for attacks, not because it is inherently more secure than other operating systems, but because it isn't as large of a target and the potential payoff therefore isn't as great. Anybody that believes that their Mac is immune to exploits from security issues is living with their head in the sand. Everyone still needs to practice safe computing, i.e. staying away from potentially malicious web sites, not installing software that shouldn't be trusted, keeping our systems up to date with security patches, using a good quality router/firewall, etc. Just because there aren't any significant exploits in the wild today does NOT mean that the platform is immune. Windows didn't have significant security exploits in the wild once upon a time as well. It's really only a matter of time before someone decides that they want to create a Mac virus/worm. And anyone who believes that their computer is inherently immune is in for a very rude awakening at that point.

There also seems to be a fundamental misunderstanding of security here too. Posts like "you need a password to gain access to the machine" make this pretty clear. Security holes aren't security holes because you intentionally grant access to your machine (that's called social engineering, not an exploit), they're security holes because there is a fundamental coding problem in the underlying application/operating system. Most viruses and worms on Windows never asked for permission to be installed; they took advantage of flaws in a browser, application, or in Windows itself, even while users are logged on with non-administrative privileges. Requiring a username/password, or running as a non-admin user (while they may make exploits harder to find) grant a false sense of security; a computer is only as secure as its weakest link, and that link could be anywhere in the chain from browser plugin to operating system to device drivers and the kernel, or even the BIOS/EMI itself. The fact is that there are a lot of links in that chain that inherently have (and require) low level access to your computer, and an exploit in any one of those can potentially turn access to your entire machine over to whatever code happens to be attempting to run. Only the top few layers are protected by the user login. Just because you are logged on with a normal user account doesn't mean that there isn't code running on your computer that has access to everything, because the truth is that there is, and a heck of a lot of it. And an exploit in any of that code can grant access to everything. Just because you don't let someone through the front door of your home doesn't mean they can't come in another way.

So while it seems the majority of the people posting on this forum are dismissing this as insignficant, I believe it is a bit naive to do so. The fact remains that there are indeed exploitable security issues on every computing platform, and OS X is NOT immune. Just because it isn't actively being targeted, it doesn't mean that it is 100% safe. I certainly wouldn't be caught dead (pun intended) putting a Mac connected to the internet in control of launching nuclear weapons, anyway. This test demonstrates that all computing platforms have issues, whether Mac users choose to bury their heads in the sand or not.


A little quick to judge don't you think? I don't think Mac fans are saying we're 100% immune, we're just saying that we're "more secure". It is a fact and you can't deny it. The code is more stable and privs are in place that minimize the risk of malware, etc to the Mac OS.

I chose to switch because I wanted to spend my time and money on my computer, not updating my virus, malware, phishing software every day to shield myself from the enemy. I chose a system that allows me to use it with a more clear mind, not a fearful one. Do Apple haters really want to wait years and years for hackers to "catch up" and make Apple their "target"...or do you just want to live a web based life a lot more relaxed and safe until they do?

If it ever happens.

The average consumer is starting to see my side. When will you?

My head is held up high...far away from the sand.
post #34 of 82
I'll never understand how buffer overflow attacks even get started.

Back when I was programming regularly in C, I'd use strlen() or strncpy() to check whether strings were within a limit and truncate it to a safe length, if necessary.

Are programmers these days too lazy to check string length before using it to execute potentially dangerous code? Or do they think that performance would suffer if they wasted clock cycles for safety?

It seems like such a simple and obvious solution to the often-used hacker strategy of the buffer overflow.

Would you call a hacker who uses such trite, cliche and unoriginal techniques a "hack?" I would.
post #35 of 82
Quote:
Originally Posted by bloggerblog View Post

No one is arguing that point, once Macs attain a larger user base they will face more viruses.

However, viruses on a Windows platform, especially when using IE, can download and install immediately without the user's intervention, and sometimes the window that is performing these tasks will be working behind your main browser window, and sometimes it will be happening right in front of you and there would be nothing you can do about it. Although all that can be minimized by delving into the arduous tasks of setting up Internet securities and the highly annoying ActiveX.

Snow Leopard will have even a safer way of isolating downloads by sandboxing apps.


I believe that only applies to XP and IE6

I believe IE7 and IE8 run in a sandbox. And in Vista and Windows 7 the code couldn't execute without the users permission.

Security always goes back on the user. And let's face it, most users, no matter the platform, are stupid.

Quote:
Originally Posted by 2blindforyou2 View Post

I chose to switch because I wanted to spend my time and money on my computer, not updating my virus, malware, phishing software every day to shield myself from the enemy. I chose a system that allows me to use it with a more clear mind, not a fearful one.

My head is held up high...far away from the sand.

You don't have to spend time and money and update virus and malware apps daily. For one those apps update themselves and it's not something you have to spend time on. Second, if you aren't a moron you don't even need them. I run without antivirus and malware protection and have never had a problem.

Phishing has nothing to do with the OS at all. And it will affect people no matter the OS.

Your head is buried deep in the sand as it is with the majority of computer users.
post #36 of 82
Quote:
Originally Posted by arteckx View Post

Don't be so fast to shrug it off. Users need stories like this as a reality check: Your computer isn't safe from your other personality.

The logic of this argument is seriously flawed.

1) these report breed false fears & misconceptions, which can actually contribute to a user being deceived. Spreading false information can not lead to educating users.

2) The word has long been out to end users that they can be their own worst enemy. There is absolutely nothing Microsoft or Apple can do about users allowing admin rights on a machine except continue to warn them not to do it. Users will still click through the warning prompts or even authenticate with username & password in the face of these warnings. There are unfortunately just some really naive & technology stupid people out there.

Many Apple folks already recommend that you should use a non admin account for your personal use & just authenticate when needed. The beauty of OS X is that you can actually function as a standard user in almost any aspect of the system, vs Windows that has major issues with this even when you are a power user.
post #37 of 82
Quote:
Originally Posted by talksense101 View Post

The article starts off as announcing the results of a hacking contest. It then discusses Windows and Macintosh patches. It then proceeds to discredit the contest. What are we trying to say here? Mac rules, Windows sux? The Mac was hacked, but the contest sucks?

Hey, I love Apple. But I don't need these spin pieces by Apple Insider to tell me that Apple is better than Microsoft on security.

And this is pure spin. We are supposed to be happy because Apple issued more patches? If they had issued fewer patches, we would be told it was proof they had fewer flaws.

The fact is, both Apple and Microsoft have vulnerable systems. Apple is safer because it's such a small percentage of the installed base that hackers don't stand to profit much from it. Also, a lot of malware comes from countries where Macs are very expensive and thus rare.

Another reason is that Mac users tend to update their software more. You can find Windows boxes with Windows 95, 98, or Me in many homes even today.
post #38 of 82
Quote:
Originally Posted by Fairly View Post

In a repeat performance from last week/last month Daniel Eran Dilger of Roughly Drafted posts another maniacal diatribe under the pseudonym Prince McLean and once again drives the staunchest of fanboys running for the exits. AI: you're going to have to learn that this isn't doing your street cred any good.

QFT

filter fodder
post #39 of 82
Quote:
Originally Posted by Fairly View Post

In a repeat performance from last week/last month Daniel Eran Dilger of Roughly Drafted posts another maniacal diatribe under the pseudonym Prince McLean and once again drives the staunchest of fanboys running for the exits. AI: you're going to have to learn that this isn't doing your street cred any good.

Sorry to disagree, but your street cred is what's at stake.

Daniel's cred is he does wonderful honets reporting on all things Apple technical. It's a shame he has to put up with the hounds of hell. (That'd be you, Fairly.)
post #40 of 82
Quote:
Originally Posted by archer75 View Post

Ok, how is it more secure by design?

I have yet to see security through obscurity disproven. Do you have any links?

Sorry, security through obscurity has been disproven years ago. Just because you haven't read about it doesn't mean it doesn't exist. It just means you are ill-informed.

There have been several articles. Some are no longer posted. An article from three months ago can be found here;

http://www.roughlydrafted.com/2009/0...-malware-myth/

A minor article here;

http://blog.wired.com/gadgets/2008/1...-x-isnt-v.html

Another here;

http://aplawrence.com/MacOSX/securit...obscurity.html

A very detail article from five years ago here;

http://www.macdailynews.com/index.ph...bscurity_myth/
New Posts  All Forums:Forum Nav:
  Return Home
  Back to Forum: Mac OS X
AppleInsider › Forums › Software › Mac OS X › Mac security researcher wins Pwn2Own contest