  1.    #1  


    Last night brought news that OSX is much more insecure than the competing Vista and Linux based Ubuntu OS. Serial OSX hacker Charlie Miller walked away with the $10 000 prize in the PWN2OWN hacking competition for hacking a MacBook Air by simply having it visit a website, and did this only 2 minutes after the second day of the competition started. No-one else was able to claim the respective $10 000 prizes for cracking a Vista and Ubuntu laptop during the rest of day 2, despite feverish attempts by security experts such as Shane Macaulay, who was Dai Zovi's co-winner last year and who spent much of Thursday trying to hack into the Fujitsu Vista laptop, at one point rushing back to his Vancouver area home to retrieve a file that he thought might help him hack into the system. Last year's contest winner, Dino Dai Zovi, exploited a vulnerability in QuickTime to take home the prize.

    "We could have chosen any of those three but had to make a judgement call on which would be the easiest and decided it would be Leopard," Miller said.

    "Every time I look for [a flaw in Leopard] I find one. I can't say the same for Linux or Windows. I found the iPhone bug a year ago and that was a Safari bug as well. I've also found other bugs in QuickTime."

    This Safari exploit came a day after Secunia warned of two critical vulnerabilities in the Apple browser.

    This news comes in the wake of further evidence that Apple does not take security seriously. Independent Swiss security researchers from the Swiss Federal Institute of Technology have again confirmed that Apple is slower than Microsoft at responding to so-called "zero-day" vulnerabilities. The result of this is "...if you have Apple and compare it to Microsoft, the number of unpatched vulnerabilities are higher at Apple." What makes this more alarming is that Apple is pushing its rather insecure Safari browser unbidden on the most vulnerable Windows users as an iTunes update, not only breaking their trust but leaving previously secure users alarmingly at risk.

    Of course, seeing how this is a smartphone site, the question is how much relevance Apple's shocking security practices have to us mobile users. iPhone users have cause to worry. While Windows Mobile has received Common Criteria Evaluation Assurance Level 2 Augmented certification, meaning it can be used to securely access critical data, and the Defence Information Systems Agency has approved the use of Windows Mobile for secure wireless e-mail throughout the Defence Department, including use by the NSA, Apple has been fighting a constantly losing battle against iPhone hackers, and has shipped their phone with vulnerabilities on their mobile Safari browser which have long been patched on the desktop. Apple has long shown a lack of confidence in the security of their mobile platform, with warnings of it being able to wipe out the West Coast cellphone network if users were able to freely access 3rd party software. It seems their fears are fully justified, and the iPhone can only be considered a platform not suitable for any form of secure data storage.

    Apple's response so far has been less than satisfying. While this exploit required users visit a malicious website, this is hardly much of a defence in this day and age, with social networks and message boards ensuring many users have a very high level of exposure to links that could lead to anywhere.

    One can only hope Apple steps up its game, and stops placing its users at risk.
    Last edited by surur; 03/28/2008 at 08:19 AM.
  2. #2  
    Let's see, last year they had to relax the rules and open up the machine to make it "hackable", which was basically a bunch of FUD and sensationalism. If this gets authenticated as a realistic threat a real user can face in the wild, it will be important. If it's like last year, they should be ashamed. Security is far too important to be gamed by gray hat celebrity wannabes.

    This is also a Safari exploit, far as it looks, and unfortunately every major browser gets exploits and security fixes. It's the nature of the game, when big money mobs are running the malware. This year alone I've had to re-install XP 3 times due to Windows kernel and Adobe PDF exploits (last year it was animated cursors). I've yet to find a single zero-day Mac (or Linux) exploit on a machine in 3 years.

    And just for Surur:

    http://www.roughlydrafted.com/2008/0...-mac-security/
    Editor-in-chief, iMore
    Executive producer, Mobile Nations
    Co-host, Iterate, Debug, ZEN & TECH, Ad hoc, MacBreak Weekly
    Cook, grappler, photon wrangler.

    http://www.imore.com
    http://www.mobilenations.com
    http://twitter.com/reneritchie
  3. #3  
    I was right, this year was the same. It took 24hrs + 2 min., once the contest rules were relaxed again. The first day, direct network attacks only, led to nothing. Again.

    (Though I do consider security exploits via Safari, which runs WebKit, which is also driving Apple Mail, iPhone, Nokia, and Adobe Air, to be significant and more likely to affect average users -- so if this checks out it's a good find and important patch).
  4.    #4  
    Quote Originally Posted by Rene Ritchie View Post
    I was right, this year was the same. It took 24hrs + 2 min., once the contest rules were relaxed again. The first day, direct network attacks only, led to nothing. Again.
    None of the 3 OS's had these types of wormable vulnerabilities. It's not exactly something to be proud about when OSX falls flat on its face when exposed to the world wild web however.

    I mean, if the hacker says "Every time I look for [a flaw in Leopard] I find one. I can't say the same for Linux or Windows." that doesn't do much to disprove the security by obscurity theory, does it.

    Surur
  5. #5  
    NOT ! Do a bit better reading. I'm not defending Apple and they deserve a whack in the head for leaving the Firewall OFF as the default install setting, but let's at least be accurate:

    1. In the contest none of the OS's were cracked. In Day 1, the rules were you had to crack the OS for a $20k prize. No one won the prize. Crowing about one OS being superior over another based upon this contest is therefore baseless.

    2. On day 2, the rules were relaxed, the prize was dropped to $10k and you could use browser based attacks. They broke in thru Safari, not the OS. I know this is hard for newer Windows users to understand but at one time even IE was not part of the OS. If ya wanna crow about the fact that on this day, Safari had not yet fixed a recently published exploit while IE had had all its known flaws patched, ****-a-doodle-doo away.

    3. The vulnerability works only when the OS firewall is OFF.....and it's perty stupid of Apple to have it install that way by default. Then again, when IE was the new browser in town, its default settings left one quite vulnerable to infection. One would think Apple woulda known better having seen the criticism MS took in those days.

    4. It wasn't done in 120 seconds, it may take 120 seconds to launch the Space Shuttle into the upper atmosphere but it takes a bit longer to build the rocket. It was done by a team who had many hours of preparation in advance.

    5. If you wanted to make every headline across the country, which OS / browser / platform would you spend time working on ? If he hacked IE, (oh yeah, that's an unusual occurrence), that simply wouldn't be "news".

    Now I am gonna rant on Apple:

    1. They knew about this exploit as it had been published days earlier.
    2. They could have fixed it
    3. They could have changed the default firewall setting to ON.

    Now I am gonna rant on the press:

    1. I wanna know what happens if Safari is installed on Windows, does same exploit work ?
    2. What happens with similar attack if Windows firewall is OFF ?

    For Windoze fanboys who are jumping up and down in glee, I think they should go back and check how many patches there have been to IE in the last year or how many IE zero day vulnerabilities there have been. The timing of the contest resulted in an exploit being published just days before. Now how many times have there been 0 day exploits in IE.

    Do this test on October 25th and what would have happened ?

    http://www.theregister.co.uk/2007/10...alplayer_vuln/

    "Attacks targeting the most recent version of RealNetworks' music and video player were first observed Thursday night. They exploit a vulnerability in the way RealPlayer interacts with IE, providing a stealthy means for miscreants to shoehorn their way into a user's PC."

    In short, the contest resulted in NO ONE BEING AWARDED A PRIZE FOR CRACKING AN OS. A lesser prize was awarded for accomplishing a browser exploit, not that I can give the winner credit for it since it was published before the contest. The exploit still required an intentionally stupid user who left his firewall OFF, visited a suspect site and intentionally ran malicious code.

    I think the contest is a great way to prod vendors into improving security but as for what it proves at any one instant in time is really nothing. All we learned is that for a period of 10 or so days in March 2008, an incredibly stupid user could allow someone to get control over their computer using a hole in Safari that was left unpatched for several days. We also learned back in October that the same thing could have happened to a user using Real Player and IE. Had the contest been held then, before MS / RN had a chance to patch the IE hole, then the Windows notebook would have been claimed.

    Getting all pumped up about this "win" is foolish. Let's use a sports example. The New York Islanders hockey team is 6-1 against the 1st place Pittsburgh Penguins....Crowing about yet another win over Pittsburgh this week is kinda foolish when you look at the standings where the Islanders are in 13th place out of 15 in their division. The Penguins will be in the playoffs while the Islanders are playing golf.

    EDIT:

    http://secunia.com/advisories/29483/

    Description:
    Juan Pablo Lopez Yacubian has discovered two vulnerabilities in Safari, which can be exploited by malicious people to conduct spoofing attacks or potentially compromise a user's system.

    1) An error when downloading e.g. a .ZIP file with an overly long filename can be exploited to cause a memory corruption.

    Successful exploitation may allow execution of arbitrary code.

    2) An error in the handling of windows can be exploited to display arbitrary content while showing the URL of a trusted web site in the address bar.

    The vulnerabilities are confirmed in version 3.1 [of Safari] for Windows. Other versions may also be affected.

    Oops....it's getting quiet....no more crowing about the other guy's OS vulnerabilities ?
  6.    #6  
    Jack, great but flawed defence. In fact no-one attempted the network attacks at all. Secondly Miller did not use the just-revealed vulnerability. He used another one he developed 3 weeks ago. The just announced vulnerability is just ANOTHER Safari vulnerability in a long line of Safari vulnerabilities.

    I don't know where you heard that a specific app firewall was off. AFAIK the details of the vulnerability and the access it provides are under NDA.

    The fact is that browsing the web using Safari seems stupid.

    Also fact - no-one managed to earn $10 000 each by breaking Vista and Ubuntu in the same way. This means the default configuration of Vista is pretty secure, which is more than can be said of OSX.

    Surur
  7. #7  
    I browse the web using Safari, but happily I always visit the same sites I trust.

    I trust the security of no browser, but that was a truly pitiful performance by Safari.
  8. #8  
    And of the fact that this compromise came about through the use of user interaction?
    No problem should ever be solved twice.

    Verizon Treo650 W/Custom ROM
  9.    #9  
    Quote Originally Posted by DL.Cummings View Post
    And of the fact that this compromise came about through the use of user interaction?
    It merely means it's not wormable. That's all. How could you know if any of the links when you do a Google search is not to a malicious website? You can't really.

    On windows this hack, which had full control of the OS via telnet apparently, could install an app which reads your e-mail and mail out links to compromised sites in your name, and it would be game over for a 1/3 of your contact list.

    User interaction does not mean much at all.

    Surur
  10. #10  
    So? When I managed a software development group at AMD, I had two rules:

    1) software should never core dump, no matter what the user does
    2) expect your software to receive unexpected inputs

    "The user shouldn't have done that" is not an excuse for bad software engineering.
  11. #11  
    I see the points made and really don't disagree so much as keep getting drawn back to user responsibility at some point. In this case, it was the simplicity of going to a website (something considered rather standard as far as user operation goes). Where I am stuck at is that the user--in essence--told the browser "Go here."

    As far as the computer is concerned, it accepted not outside instruction, rather inside instruction; therefore despite being an unacceptable end result, it pursued what appeared to be an acceptable result, No?

    It just sounds to me like we are criticizing an OS/Browser for not over-riding or counter-acting the user's bad actions.

    I admit though a lacking in knowledge when it comes to security so I am not being obstinate, but seriously curious here.
    Last edited by DL.Cummings; 03/28/2008 at 12:20 PM. Reason: word removal
  12.    #12  
    Quote Originally Posted by DL.Cummings View Post
    I see the points made and really don't disagree so much as keep getting drawn back to user responsibility at some point. In this case, it was the simplicity of going to a website (something considered rather standard as far as user operation goes). Where I am stuck at is that the user--in essence--told the browser "Go here."

    As far as the computer is concerned, it accepted not outside instruction, rather inside instruction; therefore despite being an unacceptable end result, it pursued what appeared to be an acceptable result, No?

    It just sounds to me like we are criticizing an OS/Browser for not over-riding or counter-acting the user's bad actions.

    I admit though a lacking in knowledge when it comes to security so I am not being obstinate, but seriously curious here.
    By analogy, imagine the locks of your house being quite secure, but merely opening up the windows for air means anyone can get in. Now you could never open your windows and be quite secure, or you could have a house in the countryside far away from criminals, and may still be quite safe even if not secure, or you could put burglar bars on your windows, allowing you to have open windows and still be secure.

    With Safari, MacOS is like a house with good locks but poor windows, but located in the countryside, whereas Vista has good locks and windows with burglar bars, but is also located in a rough neighbourhood, meaning people are constantly looking for a way into the house, and fake salesmen are constantly coming round your house trying to get you to open your door.

    Surur
  13. #13  
    The correct solution is not to prevent the user's bad actions. The correct solution is that there is no way that loading a webpage should be able to do anything outside the confines of the browser.

    If tuning your car radio to a "bad station" resulted in someone taking control of your car, you wouldn't put up with it. If you turned your cable box to a "bad channel" and as a result the cable company got to run free throughout your house, you wouldn't like it. People nowadays are so used to bad software that they put up with things that they would never put up with in other contexts.
  14. #14  
    Quote Originally Posted by cmaier View Post
    The correct solution is not to prevent the user's bad actions. The correct solution is that there is no way that loading a webpage should be able to do anything outside the confines of the browser.
    Fair enough.
  15. #15  
    Quote Originally Posted by surur View Post
    Jack, great but flawed defence.
    I'm not defending, I don't own a single Apple product, just condemning the fanboi reaction based upon meaningless info.

    Secondly Miller did not use the just-revealed vulnerability. He used another one he developed 3 weeks ago.
    So your thread title is admittedly totally bogus.

    The just announced vulnerability is just ANOTHER Safari vulnerability in a long line of Safari vulnerabilities.
    If it keeps this up for a couple of years, it might have half of the vulnerability IE has shown. Care to compare IE with Safari...I'll jump in on that bet at $1,000 a pop. Number of published exploits vulnerabilities in IE versus number in Safari.

    And how come you declare a Safari vulnerability on a Mac an OS problem,
    And yet that same vulnerability on a Windows machine is a browser problem ? Consistency not a strong point.

    I don't know where you heard that a specific app firewall was off.
    The OSX firewall is OFF by default upon installation. The articles I read stated that this was an issue before the exploit was deemed by the judges as meeting the contest rules....since it installs by default it was deemed a legitimate winner.
    The fact is that browsing the web using Safari seems stupid.
    No more stupid than IE...short memory I guess.

    http://www.securityfocus.com/brief/58
    http://www.eweek.com/c/a/Windows/Mic...roDay-Exploit/
    http://larholm.com/2007/07/10/intern...-0day-exploit/
    http://searchsecurity.techtarget.com...930187,00.html
    http://windowsitpro.com/windowssecur...all-tests.html
    http://www.pcworld.com/article/id,11...1/article.html
    http://searchsecurity.techtarget.com...175559,00.html


    Also fact - no-one managed to earn $10 000 each by breaking Vista and Ubuntu in the same way. This means the default configuration of Vista is pretty secure, which is more than can be said of OSX.
    Get with the program....Safari is a browser, not an operating system. Only MS thinks a browser should be part of an operating system.

    This ranting is akin to what we'd see back when AV program updates were a every other week thing. Some test lab would do a test on the 19th of the month and the participants would have updates scheduled for say the 15th thru 24th. The dude who updated the latest signature files the day before the test jumps up and down saying his competition missed the AnnaK virus. Er....meanwhile the squawker isn't mentioning his past performance historically on the very same tests and the fact that he failed 6 outta the last 8 tests.

    This guy used to do a lot of ranting and raving too about "family values" and what people should / should not be doing behind closed doors.

    http://www.cnn.com/2007/POLITICS/08/...est/index.html

    Ever notice in politics that it's the biggest ranters have the most to hide in their closets ?

    If the folks at Mozilla or Opera want to stand up and point fingers, hey, it's their turn, Apple got caught with its pants down. But for Windows / IE users, it's laughable.
  16.    #16  
    Jack, I did not know, despite not owning any Apple products, you cared enough to post all over the internet about how this is not really a problem.

    The title is irrelevant - I missed when the exact definition of pwned showed up in Websters. The fact is that this very same vulnerability could hit millions of extremely complacent MacOS users right now, and is due to the default configuration of the box.

    You can be as pedantic as you want, but unless you work to secure your OSX box your machine is vulnerable, and more so than the other OS's. Denial is not just a river in Egypt.

    Surur
  17. #17  
    I wouldn't say it's less secure. There are tons of exploits for other OS's, and, more importantly, other OS's are actual targets.

    To borrow your metaphor, I'd rather live in a safe neighborhood with open windows than live in a scary neighborhood with bars on the windows. While it is easier for a bad guy to get in, the chances of a bad guy trying are smaller.

    I'll say this much - I have used Solaris, NetBSD and Linux machines since the 1990's, VMS before that, I run Windows XP on two servers and two laptops and Mac OS on my new daily laptop.

    VMS and Solaris were by far the most secure and stable. Linux is secure but not as stable. MacOS is less secure but about as stable. Windows XP is a steaming pile of crash and infect.

    I'm sure Vista is better than XP, but I've had so many relatives and friends call me asking how to rid their machines of auto-dialers, rootkits, and popup window viruses that I'm not going to voluntarily buy any new OS from MS until they redo the plumbing. (Not to mention that any OS that has built-in support for tcsh, perl, and vi is three steps ahead of the game in my book. All these years and Windows' commandline still sucks.)
  18.    #18  
    Quote Originally Posted by cmaier View Post
    To borrow your metaphor, I'd rather live in a safe neighborhood with open windows than live in a scary neighborhood with bars on the windows. While it is easier for a bad guy to get in, the chances of a bad guy trying are smaller.
    I'm sure this is true. MacOS is only more dangerous in theory, and is only exposed in competitions, whereas Windows is under constant fire. Vista is holding up pretty well though, and I have decided to do my part by not turning off UAC.

    I'm sure Vista is better than XP, but I've had so many relatives and friends call me asking how to rid their machines of auto-dialers, rootkits, and popup window viruses that I'm not going to voluntarily buy any new OS from MS until they redo the plumbing.)
    Vista is more secure by design, and in recent years Windows (starting from Windows Server 2003) has done pretty well in hostile circumstances. One can only go so far when the PEBCAK.

    Example - many trojans promise that they are media codecs which need root access to install, to allow you to view a porn video. Many auto-diallers promise people free porn if they install an app which will use dial-up to access a server with porn on it.

    In fact, I am perfectly happy to run a fully patched XP SP2 computer without admin privileges without any anti-virus or firewall.

    Surur
    Last edited by surur; 03/28/2008 at 03:06 PM.
  19. #19  
    Vista is much better, but I worry people will be annoyed by UAC and turn it off. We've had Server 2003, fully patched, behind a hardware firewall, hacked several times. XP I would NEVER turn off the firewall. A naked XP box probably couldn't connect to WindowsUpdate before it was a 'bot. (Running without Admin is also terribly annoying given poor programming).

    Given Mac has a marketshare, albeit small, and given it has developers and everything else that a marketshare entails, it should rightly have even 1%-5% of the malware problems as well. There's too much money in it not to. That leads me not to completely believe the obscurity theory and think it's a combination of more work for less target that keeps it "safer".

    This also equalizes the Mac hack issue. The people hacking Windows make $millions; they're keeping their exploits to themselves (like the new boot sector exploit), not announcing them via paltry competitions. Given 2 weeks, the Chinese and Russian mobs would have bot empires on day 1 of this competition.

    BTW- Microsoft is the biggest benefactor of "obscurity" since it doesn't use open source foundations, it just keeps its security problems concealed until patched or, in frustration, leaked. With open source foundations like Darwin, WebKit, etc. every little bug is public.
  20. #20  
    As long as Windows relies on DLLs that are installed centrally and relies on the registry, there will be fundamental plumbing problems.