Mac security researcher wins Pwn2Own contest - Page 2

post #41 of 82
Quote:
Originally Posted by vidlearn View Post

Sorry, security through obscurity has been disproven years ago. Just because you haven't read about it doesn't mean it doesn't exist. It just means you are ill-informed.

There have been several articles. Some are no longer posted. An article from three months ago can be found here;

http://www.roughlydrafted.com/2009/0...-malware-myth/

A minor article here;

http://blog.wired.com/gadgets/2008/1...-x-isnt-v.html

Another here;

http://aplawrence.com/MacOSX/securit...obscurity.html

A very detailed article from five years ago here;

http://www.macdailynews.com/index.ph...bscurity_myth/

None of those articles disprove anything. They are just opinion pieces.

There are trojans for OSX. Bundled with software the user would very well give authorization for the software and thus get infected. Granted a user has to authorize this. But that is also true of Vista or 7.
I have heard from many OSX users that they got keylogged and their WoW accounts hacked.
OSX has been hacked twice now, two years in a row. In a matter of minutes. That sort of speaks for itself. It's not as secure as you think and there are vulnerabilities that can be exploited.

You can't disprove security through obscurity until the OS is no longer obscure. And you certainly can't do it with opinion pieces.

I also have yet to read about Vista with UAC on getting a virus unless the user authorizes it. But if the user authorizes anything they would be no safer on any other OS.

That said, I do like OSX. I can boot into it right now as a matter of fact. But there is no substitute for smart computing. The person on the other side of that keyboard is the biggest security threat no matter the OS.
post #42 of 82
Quote:
Originally Posted by Alonso Perez View Post

Hey, I love Apple. But I don't need these spin pieces by Apple Insider to tell me that Apple is better than Microsoft on security.

And this is pure spin. We are supposed to be happy because Apple issued more patches? If they had issued fewer patches, we would be told it was proof they had fewer flaws.

The fact is, both Apple and Microsoft have vulnerable systems. Apple is safer because it's such a small percentage of the installed base that hackers don't stand to profit much from it. Also, a lot of malware comes from countries where Macs are very expensive and thus rare.

Another reason is that Mac users tend to update their software more. You can find Windows boxes with Windows 95, 98, or Me in many homes even today.

Glad I caught this post before posting mine as it's dead on right. As much as I love the Mac and feel it's more secure I still have to realize that if Macs owned 90% of the market we'd be seeing much of the same thing Windows users go through. Maybe less, but still much of the same. Attacks are less for a number of reasons, but market share is definitely #1.

This reminds me of a really funny quote I read in an article last year, I believe from Joe Wilcox of eWeek Microsoft Watch: "Enterprises should be concerned about rogue browser installations, for reasons I shouldn't have to state. Safari is fairly new to Windows and has yet to really show that it can muster the security to withstand the associated attacks. Mac OS X is a quaint neighborhood where little Safari was safe. By comparison, Windows is a gang-ridden ghetto: life is survival, and it's tough going."

Now this quote was obviously aimed at Safari being available on Windows and the challenges Apple faces with security, but one can't help think it's much the same when it comes to OS'. So far Apple has been living happily in their quaint little neighborhood where security is great, but intruders and thieves wander around much less. While Windows has been living in a tough, mean, take what you can however you can ghetto where thieves, hackers, and criminals of all kinds constantly lurk and look for even the smallest exploit.

To me it really all comes down to numbers. Although Apple's Mac OS X probably is more secure... it really hasn't been tested by the masses just yet. If growth continues on this path we just might see it get tested sooner than we once thought. I for one enjoyed being part of a small % of people who used this alternative platform, but as Apple grows so will the "evil" looking to take it down.
post #43 of 82
Last year, Miller's winning attack on Safari actually targeted the open source Perl Compatible Regular Expressions library used by WebKit's JavaScript engine, an exploit he also made headlines with for using against the iPhone. Apple's extensive use of open source software makes it far easier for researchers to discover exploits for at their leisure, compared to closed proprietary software. It wasn't Apple's proprietary code in Safari that was cracked.

Come on, so Apple don't see what source code is used in OSX... So, so lame commentary...
Safari was cracked, no matter which part of it; Safari is a whole, including the open source library that it uses. It is Apple's responsibility to do a review of that code too!
post #44 of 82
the frustrating part of this annual event is we don't learn in detail exactly what was achieved by the hacker. the website says the target computers are running with out-of-the-box default settings. so the Mac is in its initial Admin user account, which of course makes any attack easier than a Standard user account. Ok, a lot of people run their Macs with admin privileges turned on. but would the attack have worked if not? we don't know. then the attacker was able to install and run something. but what? getting control of the system takes more than adding a widget or something simple like that. would they still have to crack the password too to modify system settings, or did they find some way around that? we don't know.

anyone have the facts?
post #45 of 82
This is just my opinion, but I do believe the Mac is a safer OS. The Mac was designed from day one to not allow external processes without user intervention. Unlike Microsoft's unwise attempt, from the beginning, to allow marketing concerns to push its wares to the Windows user base. Microsoft saw a cash cow in serving ads through programs like chat and games et al. using ActiveX. They allowed developers to run wild over the low level system processes, that it became commonplace, and this is the main reason the Windows code base is less secure.

Apple took the closed approach and, when it comes to security, is enjoying the fruits of that decision. For those who believe the Mac platform isn't a large enough target for hackers, you miss a very important human point. The hacker's ego. It's the challenge that drives most extreme sports. I believe if the black hats could penetrate Mac OSX's defenses easily, they would have by now, just to claim the prize of being King for a Day. Social engineering exploits aside, some system designs are just harder to crack.

Apple chose to keep its system closed and is winning the security argument. Microsoft saw a way to make money and it's paying the price now.
post #46 of 82
Quote:
Originally Posted by jnjnjnjn View Post

If Charlie Miller gained root access (the claim is that after executing the exploit by clicking a link on a website, he "owned" the computer), Mac OS X is certainly lacking in security.

Even if the account he used had administrator rights, it cannot be used to get access to other accounts on the machine or to install software or to run 'sudo bash' etc. Not without a password, that is.

So this means that at least two security exploits must exist, one in Safari to get hold on the user (or administrator) account, and one to elevate the account to root level.

J.

If it's an exploit in Safari, it's within WebKit, which is open source and thus gives the hacker months upon months of running edge case tests to find any and all exploits.

Now, instead of hardening up Webkit and submitting back to the community he goes to a hackfest to win a laptop. Now that's a real stud.

Fix the exploits and get a job with Apple Engineering. You'll get the laptop you want and paid well.

Conclusion: He's a Moron.
post #47 of 82
Quote:
Originally Posted by mdriftmeyer View Post

If it's an exploit in Safari, it's within WebKit, which is open source and thus gives the hacker months upon months of running edge case tests to find any and all exploits.

Now, instead of hardening up Webkit and submitting back to the community he goes to a hackfest to win a laptop. Now that's a real stud.

Fix the exploits and get a job with Apple Engineering. You'll get the laptop you want and paid well.

Conclusion: He's a Moron.

The details of the exploit are not released until Apple has patched this exploit. So yes, he is giving back to the community.
post #48 of 82
Quote:
Originally Posted by Alfiejr View Post

Ok, a lot of people run their Macs with admin privileges turned on. but would the attack have worked if not? we don't know. then the attacker was able to install and run something. but what? getting control of the system takes more than adding a widget or something simple like that. would they still have to crack the password too to modify system settings, or did they find some way around that? we don't know.

anyone have the facts?

It doesn't matter what the facts are or if you're in an admin account or anything about cracking passwords. All it takes is being able to run some code outside the sandbox of the browser by clicking on a link (which is what they did).

Simply being able to run code outside the browser is plenty powerful enough ... as in delete all the user's files perhaps? Or if the hacker decides to run a program that pops up a window which looks exactly like Software Update and prompts you to enter an admin username/password ... game over.
post #49 of 82
Quote:
Originally Posted by archer75 View Post

You don't have to spend time and money and update virus and malware apps daily. For one those apps update themselves and it's not something you have to spend time on. Second, if you aren't a moron you don't even need them. I run without antivirus and malware protection and have never had a problem.

Antivirus programs are a lesson in hindsight regardless of platform. On the Mac, I use it only to scan my downloads folder for known problems because all anti-virus programs need to be aware of the problem. They're always one step behind. It's not worth using a lot of system resources 24/7 to catch a new virus.

I'm no moron, I do use Little Snitch, because you never know what programs, that call home, are sending. It's amazing how Little Snitch has made me aware of a lot of things going on out of sight without my permission. Using programs like these makes me less a moron and more security conscious.
post #50 of 82
Quote:
Originally Posted by archer75 View Post

The details of the exploit are not released until Apple has patched this exploit. So yes, he is giving back to the community.

It's been an "exploit" for months. Instead of furthering a career he targeted a hack fest, 10k and a laptop.

Conclusion: He's a moron.
post #51 of 82
Quote:
Originally Posted by ljocampo View Post

I'm no moron, I do use Little Snitch, because you never know what programs, that call home, are sending. It's amazing how Little Snitch has made me aware of a lot of things going on out of sight without my permission. Using programs like these makes me less a moron and more security conscious.

I'm still trying to figure out what my iPhone was doing on my wireless network this morning ... when I have WiFi turned OFF in the system preferences.
post #52 of 82
Quote:
Originally Posted by mdriftmeyer View Post

It's been an "exploit" for months. Instead of furthering a career he targeted a hack fest, 10k and a laptop.

Conclusion: He's a moron.

He got 10k and a laptop. Seems pretty smart to me.
post #53 of 82
Quote:
Originally Posted by archer75 View Post

OSX has been hacked twice now, two years in a row. In a matter of minutes. That sort of speaks for itself. It's not as secure as you think and there are vulnerabilities that can be exploited.

You can't disprove security through obscurity until the OS is no longer obscure. And you certainly can't do it with opinion pieces.

Neither case was a matter of minutes; he had a prepared exploit before he walked into the contest. There's no telling how long it took him to find the exploit, but it was NOT as if he discovered these exploits within minutes (to say nothing of the fact that he needed to be logged in with admin privileges as others have pointed out). And it was Safari, not OSX.

Your other examples—trojan horses and keylogging—are not real security exploits, either (on either platform). They're idiot-user exploits.

The "security through obscurity" argument is absolute crap because of all the Windows-loving, Mac-bashing trolls that you can see on the internet. Being the first person to REALLY (not like this bullshit) hack Mac OSX would be a badge of fucking honor to a hacker. But where is this all-star Mac-myth-dispelling demigod? Nowhere.

The fact is, it IS more secure, not because people haven't tried to (for instance) write a virus for it, but because they can't do it.
Multiplex is an online comic strip about the staff of a movie theater.
post #54 of 82
Quote:
Originally Posted by gmcalpin View Post

Neither case was a matter of minutes; he had a prepared exploit before he walked into the contest. There's no telling how long it took him to find the exploit, but it was NOT as if he discovered these exploits within minutes (to say nothing of the fact that he needed to be logged in with admin privileges as others have pointed out). And it was Safari, not OSX.

Your other examples—trojan horses and keylogging—are not real security exploits, either (on either platform). They're idiot-user exploits.

The "security through obscurity" argument is absolute crap because of all the Windows-loving, Mac-bashing trolls that you can see on the internet. Being the first person to REALLY (not like this bullshit) hack Mac OSX would be a badge of fucking honor to a hacker. But where is this all-star Mac-myth-dispelling demigod? Nowhere.

The fact is, it IS more obscure, not because people haven't tried, but because they can't do it.

It is a real hack, believe it or not. Safari is installed on all Macs. Comes standard with OSX and is the browser most OSX users use. So it is a completely valid hack.

If I found a hack for OSX I wouldn't tell everyone about it. In fact I wouldn't tell anyone about it. I'd let the OSX users carry on with their head in the sand and reap the benefits of my creation.

Yes, you can write a virus for OSX. The trick is getting it on the system with the permission to do its thing. And as you put it, it would involve idiot users. Which would define a great deal of Mac users with a false sense of security.
But then the same thing applies to Vista and 7. The only way to infect them is via a button pushing moron. OSX is no more secure.
post #55 of 82
Quote:
Originally Posted by archer75 View Post

He got 10k and a laptop. Seems pretty smart to me.

I responded earlier that 10k and a laptop is a pittance compared to a job at Apple Engineering, a laptop and stock.


Conclusion: He's a moron. I can guarantee you his "attitude" has shot any chance for a job inside Apple Corporate. I sure as hell would never hire such a person.
post #56 of 82
Quote:
Originally Posted by mdriftmeyer View Post

I responded earlier that 10k and a laptop is a pittance compared to a job at Apple Engineering, a laptop and stock.


Conclusion: He's a moron.

You assume he would even be offered a job at Apple. Or that the job he has now isn't better. Just because you find an exploit doesn't mean you get a job.
post #57 of 82
Quote:
Originally Posted by pmjoe View Post

Simply being able to run code outside the browser is plenty powerful enough ... as in delete all the user's files perhaps? Or if the hacker decides to run a program that pops up a window which looks exactly like Software Update and prompts you to enter an admin username/password ... game over.

Well, in Windows I take care of this kind of thing by using a unique color scheme. Any time I see a dialog with the standard blue scheme, I know it's fake.

On the Mac I don't really have a simple, obvious way of doing the same thing. Still, I've been using computers for a long time, and you can usually tell something is off, not quite right with these sorts of social engineering exploits.
post #58 of 82
Quote:
Originally Posted by archer75 View Post

You assume he would even be offered a job at Apple. Or that the job he has now isn't better. Just because you find an exploit doesn't mean you get a job.

Not only that, since his identity isn't exactly a secret, Apple could offer him a job without him asking for it. If they don't, he has no obligation whatsoever to give Apple, or anybody else, the product of his work for free.

Amazing how using hard-earned knowledge to obtain something in return makes you a moron in the eyes of some people.
post #59 of 82
Infect my base, vanilla OS X install remotely. Then I might be impressed.
post #60 of 82
Quote:
Originally Posted by Quadra 610 View Post

Winblows was also hacked, and I believe that new Winblows in particular, the one that tries to be an upside-down, ass-bakwards copy of OS X. Again. It's the allegedly fixed version of Vista. LOL, we'll see.

Besides, if you have to click on a link, the whole challenge is auto-FAIL.

And for those of us that are a bit worried . . .

WINDOWS VIRUSES/MALWARE (but just the appetizer menu):

Windows PC worm infection numbers skyrocket; Macintosh unaffected - January 19, 2009
Dangerous new sleeper virus exposes millions of Windows PCs to hijack; Macintosh unaffected - January 16, 2009
Zero-day attack targets all versions of Internet Explorer; Mac users unaffected - December 12, 2008
Windows worm loose on International Space Station; Mac-using astronauts unaffected - August 27, 2008
Microsoft inflicts Internet Explorer 8 Beta; Mac users unaffected - March 05, 2008
Gathering Storm superworm poses grave threat to Windows PCs; Apple Macs unaffected - October 19, 2007
Windows virus cripples Florida newspaper; Mac-based publishers unaffected - March 02, 2007
Insidious Windows virus threatens business networks worldwide; Macintosh unaffected - March 01, 2007
Windows Storm Worm rages across globe; Apple Macintosh unaffected - January 19, 2007
Sony, Gracenote sound alarm over Microsoft flaw; Macintosh unaffected - September 19, 2006
PowerPoint zero-day attack compromises data in infected Windows PCs; Mac OS X unaffected - July 21, 2006
Windows PC users infected with worm face loss of all Microsoft, Adobe files; Mac users unaffected - January 31, 2006
Microsoft Windows Zero-Day WMF flaw threats widespread; Macintosh unaffected - December 29, 2005
Microsoft Windows virus spreads rapidly; Apple Macintosh unaffected - November 28, 2005
Windows users fall victim to huge ID theft ring, 50 banks in danger; Apple Mac users unaffected - August 25, 2005
Quickly spreading Microsoft Windows worm affects CNN, ABC, NY Times; Apple Macintosh unaffected - August 16, 2005
Zotob worm rapidly infects Microsoft Windows; Macintosh unaffected - August 15, 2005
16-percent of computer users are unaffected by viruses, malware because they use Apple Macs - June 15, 2005
Microsoft warns of critical Windows flaws; unaffected Mac users just continue working - June 15, 2005
Michael Jackson suicide spam hides Windows virus; Macintosh unaffected - June 10, 2005
Windows Sober.p poised to attack this Monday; Macintosh unaffected - May 21, 2005
Microsoft Windows Sober.P worm shows epidemic spread; Macintosh unaffected - May 03, 2005
Anzae/Inzae worm affects all Windows versions after 3.1; Macintosh unaffected - December 28, 2004
Windows Mydoom worm variant spreading in the wild; Macintosh unaffected - November 09, 2004
Windows XP worm speaks to users as it deletes their files; Macintosh unaffected - September 13, 2004
Millions of Windows PCs hijacked by hackers, turned into zombies; Macintosh unaffected - September 08, 2004
Windows Zindos virus spreads, attacks Microsoft.com; Macintosh unaffected - July 29, 2004
New Windows Bagle virus variants spread; Macintosh unaffected - July 16, 2004
Windows Lovegate worm variant renders computers useless; Macintosh unaffected - July 08, 2004
Windows Scob virus collects passwords, financial data; Macintosh unaffected - July 05, 2004
Windows Scob virus designed to steal financial data, passwords; Macintosh unaffected - June 26, 2004
Windows users warned of infectious Web sites that take over computers; Mac users unaffected - June 25, 2004
Windows Korgo virus aggressively stealing credit card numbers; Macintosh unaffected - June 04, 2004
First Windows 64-bit virus appears; Macintosh unaffected - May 27, 2004
Windows Wallon virus wipes out Microsoft Media Player on infected PCs; Macintosh unaffected - May 12, 2004
Windows Sasser worm mutates, knocks out banks, EC; Macintosh unaffected - May 04, 2004
Windows Sasser worm severely disrupts UK coastguard; Mac users remain unaffected - May 04, 2004
Windows Sasser net worm spreading rapidly; Macintosh unaffected - May 03, 2004
Sen. Edward Kennedy's Apple Mac-based office totally unaffected by viruses - March 22, 2004
Five new Windows Bagle virus variants break nasty new ground; Macintosh unaffected - March 19, 2004
Windows worm, virus outbreaks intensify; Macintosh unaffected - March 03, 2004
Destructive MyDoom.F virus deletes Windows users' files; Macintosh unaffected - March 01, 2004
Netsky-D Windows worm spreading; Macintosh unaffected - March 01, 2004
Windows users suffer five new Bagle worm variants; Macintosh unaffected - March 01, 2004
New MyDoom Windows worm deletes random files; Macintosh unaffected - February 25, 2004
Windows NetSky e-mail worm spreading; Macintosh unaffected - February 18, 2004
Windows virus Bagle.B spreading; Macintosh unaffected - February 17, 2004
Doomjuice worm emerges, targets Microsoft; Macintosh unaffected - February 10, 2004
New version of Mydoom Windows virus appears, attacks Microsoft; Macintosh unaffected - January 28, 2004
Latest Windows virus MyDoom sets new infection records worldwide; Macintosh unaffected - January 27, 2004
MyDoom Windows virus spreads rapidly; Macintosh unaffected - January 26, 2004
New Windows worm spreading hard and fast worldwide; Macintosh unaffected - January 19, 2004
Florida students patch 360 PCs in marathon session due to Blaster virus; their Macs unaffected - October 01, 2003
Pennsylvania school districts PCs infected with virus; their Macs unaffected - October 01, 2003
New Swen worm masquerades as Windows Security Update; Macintosh unaffected - September 19, 2003
University of Illinois still patching all Windows machines; Macintosh unaffected - September 05, 2003
Montana school districts Windows computers offline due to worm; Macintosh computers unaffected - September 03, 2003
A tale of two school systems: Windows schools crippled while Mac schools unaffected - August 21, 2003
SoBig virus variant rapidly inflecting Windows machines; Macintosh unaffected - August 19, 2003
Windows Blaster worm to attack Microsoft on Saturday; Macintosh unaffected - August 13, 2003
MBlast Worm spreads through flaw in Windows; Macintosh unaffected - August 11, 2003
Hackers hijack Windows PCs for porn serving; Macintosh unaffected - July 11, 2003
Palyh Worm strikes Windows users worldwide; Macintosh unaffected - May 19, 2003
Microsoft bug exposes millions to attack; Macintosh unaffected - November 20, 2002


Don't worry, it's only a partial list. There's thousands more where that came from.

OS X VIRUSES/MALWARE IN THE WILD:

Like 2. Maybe. In over 7 years. But make sure to click on the obvious links, though, otherwise nothing will happen. With OS X, "infection" is a two-way street. You need to put in the effort!

That's really all we need to know.

Why would you think anyone would give a shit about the opinion of someone who says "winblows" twice in one sentence?

post #61 of 82
Quote:
Originally Posted by mdriftmeyer View Post

I sure as hell would never hire such a person.

I'm sure he's losing sleep about it...
post #62 of 82
A controlled environment and open source code used on all systems. Doesn't that seem to add bias to the "contest?" And apparently he was already aware of a known exploit and was prepared for it. Going against Windows 7 Beta isn't a fair test either since it is unfinished software.
post #63 of 82
I think another thing people failed to realize is that while bravo on hacking IE8 on W7, the fact is both of those are in Beta with IE8 coming to retail only today to Vista.

So unless they were hacking Safari 4 Beta, I don't see how it's a fair comparison.

All this really goes to prove is that it's the end user you need to be scared of. Today, it's not really what Apple, Mozilla, or Microsoft do. It's really how you yourself are aware and protect your own computer. The Trojan on iWork further proved that; Apple users need to be just as aware when they visit websites and download unknown software as Microsoft users do. In addition, social engineering such as phishing sites designed to steal your banking details do not differentiate between browsers or operating systems.

Nokia Lumia 920, iPhone, Surface RT, Intel i3 Desktop with Windows 7 & Hackintosh, Power Cube G4
post #64 of 82
Quote:
Originally Posted by pmjoe View Post

Simply being able to run code outside the browser is plenty powerful enough ... as in delete all the user's files perhaps? Or if the hacker decides to run a program that pops up a window which looks exactly like Software Update and prompts you to enter an admin username/password ... game over.

I don't think that will work, apart from the difficulty of recreating an application in a realistic way (lots of subtle details) it must be created and launched. This throws up all kinds of hurdles for the hacker. The application must be signed to prevent a password request popup. And I suspect that signing cannot be done without elevated user rights and results in ... a password request.

It won't work to delete all files either. With time machine all files can be restored.
And ... no, the time machine database cannot be deleted even with elevated (root) access.
post #65 of 82
Quote:
Originally Posted by Alonso Perez View Post

Not only that, since his identity isn't exactly a secret, Apple could offer him a job without him asking for it. If they don't, he has no obligation whatsoever to give Apple, or anybody else, the product of his work for free.

Amazing how using hard-earned knowledge to obtain something in return makes you a moron in the eyes of some people.

He has more of a risk being sued by Apple, if his exploit turns up in the wild.

A moron, I would say.
post #66 of 82
My favorite example of the utter fallacy of "security through obscurity":

http://en.wikipedia.org/wiki/Witty_worm

And Mac OS X systems exist in much greater numbers than ISS firewalls ever did. If there was a vulnerability in Mac OS X that would lead to something as disruptive as Witty Worm was, then someone definitely would have taken advantage of it by now.
post #67 of 82
As Mac users, we should never fall into the trap of using Windows as a baseline. I don't use the behaviour of Milosevic or Blair to check my moral compass, and I don't use Windows to evaluate how secure my Mac ought to be.

Better to compare with, say, an Oracle database, which is a system built on top of a unix platform as OSX is. I have never heard of someone logging into an Oracle session and hacking their way to view data or run programs that they were not granted access to. They even dare to advertise their system as 'Unbreakable' in a world of US lawyers and UK advertising standards. I want that level of confidence in my Mac.

Many of the most important software concepts were invented in the 70s and forgotten in the 80s.
post #68 of 82
Quote:
Originally Posted by archer75 View Post

The details of the exploit are not released until Apple has patched this exploit. So yes, he is giving back to the community.

Right after he lined his own pockets far outside the normal run of business for a "security professional".
post #69 of 82
This argument can go on for ages.

I found that:

1) No computer is 100% "secure."
2) I run Windows XP with commercial anti-virus/spyware and I can still get malware/slowdowns.
3) I ran Mac OS X stock and had no problems.

And:

4) I ran GNU/Linux, but IMHO it is not ready for the desktop.
post #70 of 82
Quote:
Originally Posted by archer75 View Post

It is a real hack, believe it or not. Safari is installed on all Macs. Comes standard with OSX and is the browser most OSX users use. So it is a completely valid hack.

If I found a hack for OSX I wouldn't tell everyone about it. In fact I wouldn't tell anyone about it. I'd let the OSX users carry on with their head in the sand and reap the benefits of my creation.

Yes, you can write a virus for OSX. The trick is getting it on the system with the permission to do its thing. And as you put it, it would involve idiot users. Which would define a great deal of Mac users with a false sense of security.
But then the same thing applies to Vista and 7. The only way to infect them is via a button pushing moron. OSX is no more secure.

If your "virus" requires a user to give it permission to do its thing, it's not really a virus; it's just malware. A virus has to be able to install, run and self replicate without user interaction. Writing malware and tricking stupid people to run it is easy, but that's because operating systems are intentionally designed to be blind to the code a user wishes to run and stupid people do stupid things.
post #71 of 82
Quote:
Originally Posted by macFanDave View Post

I'll never understand how buffer overflow attacks even get started.

Back when I was programming regularly in C, I'd use strlen() or strncpy() to check whether strings were within a limit and truncate it to a safe length, if necessary.

Are programmers these days too lazy to check string length before using it to execute potentially dangerous code? Or do they think that performance would suffer if they wasted clock cycles for safety?

My guess is that they mostly occur within (closed-source) libraries... If I use an API that refers to a closed library, I don't necessarily know what my buffer limitations are... In Microsoft's case, right through XP (which is still the majority of their install base), there are literally hundreds of legacy APIs, some of which are undocumented, some of which are part of legacy libraries that haven't been rewritten in a decade...

Quote:
I believe IE7 and IE8 run in a sandbox. And in Vista and Windows 7 the code couldn't execute without the user's permission.

IE7 is sandbox-y, but still passes executable code to the kernel without user intervention or knowledge. I have no information on IE8. In Windows 6.0 ("Vista") and Windows 6.1 ("7"), most functions requiring administrator-level access require user intervention (also true on Unix operating systems, including OS X, though Windows 6.x waives the password requirement)-- but in every OS, it's possible by a variety of means to bypass these security features and gain superuser ("administrator" in Windows, "root" in unix) access without user intervention (or knowledge).

Such bypass methods are called "security vulnerabilities", and exist in every operating system ever devised. Windows 6.x is the first Windows version to offer a tool for user-intervention to grant superuser access to a process thread (the lack of this feature in previous Windows editions has a lot to do with why Windows in general and IE in particular has, historically, been stupidly easy to hijack: with no way to perform many reasonable and critical functions, like installing software, other than logging out and back in as an Administrator, Microsoft, their users, and their developers came up with a variety of workarounds, all of which created an opportunity to exploit...)

Quote:
Glad I caught this post before posting mine as it's dead on right. As much as I love the Mac and feel it's more secure I still have to realize that if Macs owned 90% of the market we'd be seeing much of the same thing Windows users go through. Maybe less, but still much of the same. Attacks are less for a number of reasons, but market share is definitely #1.

We can probably safely assume that greater market share will eventually result in greater effort from malware engineers-- but there's strong evidence that Mac OS X (like all other Unix variants) is actually harder to write malware for than Windows 5.x and below. It's probably a bit early in Windows 6.x's lifecycle to say if it's still harder to write malware for it, than for Unix (my guess is, still easier on Windows, but I personally can't say that with certainty).

Notably, for example, as Mac OS X pushes towards 10% of OS install base, we do NOT see anything like 10% (not even 1%, probably not even 0.1%) of malware install base on OS X.

Currently, Windows 6.x is estimated at 25% of the ~90% that's running Windows-- a total of about 22% of the install base, or a bit more than twice as many 6.x (Vista / Win7) machines as Mac OS X machines. I'll be interested to see if the malware install base continues to be proportionally higher on Win6x than on Mac OS X, as the 6x install base grows.
post #72 of 82
Quote:
Originally Posted by CU10 View Post

This argument can go on for ages.

I found that:

1) No computer is 100% "secure."
2) I run Windows XP with commercial anti-virus/spyware and I can still get malware/slowdowns.
3) I ran Mac OS X stock and had no problems.

And:

4) I ran GNU/Linux, but IMHO it is not ready for the desktop.

As an 8-year veteran in IT, I say only:

QFT on all counts!
post #73 of 82
Quote:
Originally Posted by djdj View Post

This article perfectly demonstrates what I consider to be a disappointingly smug attitude of many Apple users. Truth is that the Mac isn't currently targeted for attacks, not because it is inherently more secure than other operating systems, but because it isn't as large of a target and the potential payoff therefore isn't as great. Anybody that believes that their Mac is immune to exploits from security issues is living with their head in the sand. Everyone still needs to practice safe computing, i.e. staying away from potentially malicious web sites, not installing software that shouldn't be trusted, keeping our systems up to date with security patches, using a good quality router/firewall, etc. Just because there aren't any significant exploits in the wild today does NOT mean that the platform is immune. Windows didn't have significant security exploits in the wild once upon a time as well. It's really only a matter of time before someone decides that they want to create a Mac virus/worm. And anyone who believes that their computer is inherently immune is in for a very rude awakening at that point.

There also seems to be a fundamental misunderstanding of security here too. Posts like "you need a password to gain access to the machine" make this pretty clear. Security holes aren't security holes because you intentionally grant access to your machine (that's called social engineering, not an exploit), they're security holes because there is a fundamental coding problem in the underlying application/operating system. Most viruses and worms on Windows never asked for permission to be installed; they took advantage of flaws in a browser, application, or in Windows itself, even while users are logged on with non-administrative privileges. Requiring a username/password, or running as a non-admin user (while they may make exploits harder to find) grant a false sense of security; a computer is only as secure as its weakest link, and that link could be anywhere in the chain from browser plugin to operating system to device drivers and the kernel, or even the BIOS/EMI itself. The fact is that there are a lot of links in that chain that inherently have (and require) low level access to your computer, and an exploit in any one of those can potentially turn access to your entire machine over to whatever code happens to be attempting to run. Only the top few layers are protected by the user login. Just because you are logged on with a normal user account doesn't mean that there isn't code running on your computer that has access to everything, because the truth is that there is, and a heck of a lot of it. And an exploit in any of that code can grant access to everything. Just because you don't let someone through the front door of your home doesn't mean they can't come in another way.

So while it seems the majority of the people posting on this forum are dismissing this as insignificant, I believe it is a bit naive to do so. The fact remains that there are indeed exploitable security issues on every computing platform, and OS X is NOT immune. Just because it isn't actively being targeted, it doesn't mean that it is 100% safe. I certainly wouldn't be caught dead (pun intended) putting a Mac connected to the internet in control of launching nuclear weapons, anyway. This test demonstrates that all computing platforms have issues, whether Mac users choose to bury their heads in the sand or not.

You're missing the point entirely: most of us are angry at the fact of the manner in which the Windows biased media will report this. None of us are saying OS X or Safari are perfect, but given that the contest itself was biased against Mac and that the PCs were cracked not much longer after that pisses us all off given places like CNET will report that as "Macs inherently less secure than masturbatorily awesome Windows 7 computers." It has nothing to do with Macs and all to do with idiotic media outlets who have no idea what fact checking means.
post #74 of 82
Quote:
Originally Posted by wilco View Post

Why would you think anyone would give a shit about the opinion of someone who says "winblows" twice in one sentence?


MS specializes in making third-rate products. They are ripe for jokes and parody. Have fun with it.

MS' responsibility for the kind of gargantuan data loss over the span of more than a decade, thanks to their negligence on security, borders on criminal.
post #75 of 82
As far as I could read a machine is "owned" (according to the test rules) when a hacker is able to run his own code in the context of the browser. What does this tell us? Nothing!

Each piece of software that gets installed by the user's hand on his system has more rights and can cause more damage. (So look carefully where you get your next printer driver from or if this nice snowfall on the desktop is really necessary.)

The real question is: Is a hacker able to turn a machine into a bot zombie or can he gain file access or can he install background processes to spy passwords or other things due to the internet usage of its users?

We have millions of real-world proofs that such is possible on Windows machines. But how about Linux or Unix based systems like the Mac? No real threats!

The argument: "These machines are not worth hacking due to their low market share." is also plain stupid. Linux is used for 50% of all web servers at least. Hacking them (for getting access to millions of website visitor data like passwords, addresses ...) could be very profitable. But the hackers try to hack the websites not the operating system.

For me this says way more than Pwn2own and makes my decision what operating system to use quite easy.
post #76 of 82
Quote:
Originally Posted by jpellino View Post

Right after he lined his own pockets far outside the normal run of business for a "security professional".

Look: taking into account how lazy Apple has been shown to be about patching security holes (it takes them years, sometimes!), I'd rather have him around to kill its complacency. That he is able to work on an exploit for weeks or months reflects very poorly on Apple, don't you think?

Plus you don't know if he and others don't pass Apple information about things like this regularly.
post #77 of 82
were still left standing unscathed on the Day One.

So was Chrome. Nobody needs it, or WebKit evolved so much since what was in Safari 3?

We mean Apple no harm.

People are lovers, basically. -- Engadget livebloggers at the iPad mini event.

post #78 of 82
The issue deals with Randomization which OS X 10.6 resolves:

http://www.appleinsider.com/articles...ty.html&page=2

Quote:
Security in 64-bit Snow Leopard

In addition to expanded sandboxing, the move to 64-bit computing will provide a series of other benefits related to security. Apple's 64-bit binaries set all writable memory as non-executable by default, including thread stacks, the heap, and any other writable data segments.

This is already present to an extent in today's Leopard Server, which runs some services, such as the Apache web server, as 64-bit processes. Using the vmmap command reveals that no memory allocated by these 64-bit apps is both writable and executable. On 32-bit Intel systems, while no memory is marked as both writable and executable, the legacy x86 processor design does not enforce the permissions bits, but 64-bit CPUs do. This feature prevents exploits from injecting malicious executable code into memory and tricking the app to run it as if it were its own instructions.

Another security weakness in the x86 architecture solved in the move to 64-bits is the use of registers for function call arguments. This makes exploits using return-into-libc techniques much more difficult. On 32-bit x86, function arguments are passed directly on the stack, so when an attacker has overwritten the stack segment, they can completely control the arguments passed to a function that they cause the compromised program to "return into," according to a security researcher.

The move to 64-bits also greatly enhances the Address Space Layout Randomization (ASLR) techniques used to secure Leopard. Currently, 32-bit binaries are restricted to a relatively small 4GB allocation, making it easier to predict useful addresses for malicious code to target. Additionally, Leopard keeps dyld, Mac OS X's dynamic loader (responsible for loading all of the frameworks, dylibs, and bundles needed by a process) in the same known location, making it relatively trivial to bypass the existing ASLR.

With the much larger address space available to 64-bit binaries, Snow Leopard's ASLR will make it possible to hide the location of loaded code like a needle in a haystack, thwarting the efforts of malicious attackers to maintain predictable targets for controlling the code and data loaded into memory. Without knowing what addresses to target, the "vast majority of these exploits will fail," the security expert explained.

For the hacker, it's good he used this freebie this year because its days are over.
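
The vmmap check described in the quoted article, as an added example that is not part of the thread or the quoted article: a small Python audit that flags regions of a vmmap-style listing that are both writable and executable. The sample listing is constructed, its column layout is an assumption modelled on `vmmap` output, and the `nx_enforced` switch models the article's statement that legacy 32-bit x86 does not enforce the execute permission.

```python
import re

# Constructed sample; the layout (name, range, [size], current/max protection)
# is an assumption modelled on the region listing of macOS `vmmap <pid>`.
SAMPLE = """\
==== region listing (constructed header line, skipped by the parser)
__TEXT             0000000100000000-0000000100004000 [   16K] r-x/rwx SM=COW  /usr/sbin/httpd
__DATA             0000000100004000-0000000100005000 [    4K] rw-/rwx SM=PRV  /usr/sbin/httpd
MALLOC_TINY        0000000100100000-0000000100200000 [ 1024K] rw-/rwx SM=PRV  DefaultMallocZone
Stack              00007fff5f400000-00007fff5fc00000 [ 8192K] rw-/rwx SM=ZER  thread 0
JIT (constructed)  0000000110000000-0000000110010000 [   64K] rwx/rwx SM=PRV  example W+X region
"""

REGION = re.compile(
    r"^(?P<name>.+?)\s+(?P<start>[0-9a-fA-F]{8,16})-(?P<end>[0-9a-fA-F]{8,16})\s+"
    r"\[\s*(?P<size>[\d.]+[KMG]?)\]\s+(?P<cur>[r-][w-][x-])/(?P<max>[r-][w-][x-])"
)

def parse_regions(listing):
    """Return one dict per region line; headers and blank lines are skipped."""
    regions = []
    for line in listing.splitlines():
        m = REGION.match(line)
        if not m:
            continue
        r = m.groupdict()
        r["name"] = r["name"].strip()
        r["bytes"] = int(r["end"], 16) - int(r["start"], 16)
        regions.append(r)
    return regions

def find_wx(listing, nx_enforced=True):
    """Regions that injected data could be written to and then executed from."""
    hits = []
    for r in parse_regions(listing):
        writable = "w" in r["cur"]
        # Without hardware enforcement of the execute bit, any readable page
        # can be executed, so the 'x' flag in the listing is not a guarantee.
        executable = "x" in r["cur"] if nx_enforced else "r" in r["cur"]
        if writable and executable:
            hits.append(r)
    return hits

if __name__ == "__main__":
    for label, nx in (("NX enforced", True), ("NX not enforced", False)):
        hits = find_wx(SAMPLE, nx)
        print(label, "->", [(h["name"], h["cur"], h["bytes"]) for h in hits])
```

With enforcement on, only the constructed `rwx` region is flagged; with it off, the data segment, heap and stack are flagged too, which is the gap the article attributes to 32-bit x86.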
post #79 of 82
The important thing is a "good guy" found the exploit and connected with Apple to fix it.

OS X is a tougher target than Windows, but it can never be bulletproof. Remember, it is BSD, and it has been the subject of attacks for years. There is a local junior college website that my wife does not get on with Windows, as it has been either attacked or mangled twice. No such issue with Linux or OS X.

OpenBSD seems to be the most "Locked Down" form of Unix for personal computers.
post #80 of 82
Quote:
Originally Posted by mdriftmeyer View Post

If it's an exploit in Safari, it's within WebKit, which is open source and thus gives the hacker months upon months of running edge case tests to find any and all exploits.

Now, instead of hardening up Webkit and submitting back to the community he goes to a hackfest to win a laptop. Now that's a real stud.

Fix the exploits and get a job with Apple Engineering. You'll get the laptop you want and paid well.

Conclusion: He's a Moron.

If the fault was just in Webkit, then Chrome would've been hacked quickly as well, but out of Firefox, Safari, and IE, it wasn't, so it is a Safari/OSX issue, (and FF and IE use different engines, obviously).