
View Full Version : Mac OS X hacked under 30 minutes


treblah
Mar 6, 2006, 08:48 AM
From ZDNet. (http://www.zdnet.com.au/news/software/soa/Mac_OS_X_hacked_in_less_than_30_minutes/0,2000061733,39241748,00.htm?feed=rss)

Paul Thurrott getting a stiffy about it. (http://www.internet-nexus.com/2006/03/mac-os-x-hacked-under-30-minutes.htm) :rolleyes:

As the "Mac is more secure" argument falls apart, eventually Mac fanatics will have to fall back on such rationale as "I just like it better" when defending their favorite OS... But there is no inherent security superiority. OS X is just used by fewer people and is hacked less as a result. Obviously.

iGary
Mar 6, 2006, 08:52 AM
I love how there are NO specifics, NO names, NO explanation of the mini setup etc...

With no specifics....

stoid
Mar 6, 2006, 08:54 AM
As much as I'd like to think that OS X is inherently more secure than Windows, it would certainly be a swift kick to the balls to find out that the 'security by obscurity' folks were right all along.

NOTE: I'm not saying they are, but this could be considered evidence for their conclusion.

Project
Mar 6, 2006, 08:55 AM
The dude has just gone crazy these past 2 weeks. After seemingly becoming more respectful of Macs, the past 2 weeks his blog appears to be a Mac hate-fest. Like 15 out of his last 20 posts were Mac related and not very complimentary.

Lau
Mar 6, 2006, 08:56 AM
And that it took 6 whole hours for a machine that was actively saying "Hackers! Try and hack me!" when it takes 30 minutes or so for an anonymous Windows machine going online to get attacked.

I'll take my chances with my Mac, I think. :rolleyes:

stoid
Mar 6, 2006, 08:59 AM
And that it took 6 whole hours for a machine that was actively saying "Hackers! Try and hack me!" when it takes 30 minutes or so for an anonymous Windows machine going online to get attacked.

I'll take my chances with my Mac, I think. :rolleyes:

Are you suggesting that any Windows computer on the internet isn't automatically screaming 'HACK ME!' without the user advertising it?

mkrishnan
Mar 6, 2006, 09:00 AM
ROFL, Lau! :D

I am suspicious of people who know about several "unpublicized exploits..." Hmmm.... Yes, so if you know about it, how 'bout fessing up? Ugh. What a loser.

kretzy
Mar 6, 2006, 09:02 AM
What a load of baloney.

iMeowbot
Mar 6, 2006, 09:03 AM
I love how there are NO specifics, NO names, NO explanation of the mini setup etc...
"gwerdna" is pretty clearly Andrew Griffiths, who has a trophy screenshot from the challenge over at Feline Menace. He's had a pretty good track record of identifying Unix/Linux vulnerabilities and presenting demonstration exploits over the years, so I'd tend to believe this one.

treblah
Mar 6, 2006, 09:25 AM
I love how there are NO specifics, NO names, NO explanation of the mini setup etc...

With no specifics....

"The rm-my-mac challenge was setup similar to how you would have a Mac acting as a server -- with various remote services running and local access to users…"

That right there has to be a clue as to how it was done. And if it is so easy why hasn't this guy hacked apple.com, or is Server unaffected?
I'm thinking some really dumb moves have to be made before this could happen to a standard install. Like turning on all sharing services and turning off firewall?

iMeowbot
Mar 6, 2006, 09:27 AM
More details from the site itself:

"To make things clear, this isn't some kind of wargame for which a solution exists in advance. As stated on the front page, it's simply an out-of-the-box install of Mac OS X (it came pre-installed) with an LDAP server, Apache, PHP and MySQL and this site. Nothing else."

kretzy
Mar 6, 2006, 09:31 AM
an LDAP server, Apache, PHP and MySQL and this site. Nothing else."

Pardon my ignorance, but would I need all of these things for my Mac to be hackable? Because as far as I know I don't have any of them, therefore no chance of being hacked.

XNine
Mar 6, 2006, 09:34 AM
Wow. Yeah, I suppose anyone could hack a computer that they're told about.

Plug a Windows machine into the internet the first time, and before you can download any malware definitions, it's almost surely going to be ridden with it. PFT. What a jerkoff. Anyone want to pay for a plane ticket so I can kick this guy's ass? The ass-kicking will be free. Hell, I'll take him, Bill Gates, and monkey-man Ballmer all on at the same time, with one hand tied behind my back, and hopping.

iMeowbot
Mar 6, 2006, 09:41 AM
Pardon my ignorance, but would I need all of these things for my Mac to me hackable? Because as far as I know I don't have any of them therefore no chance of being hacked.
You have all of those things, they come with OS X. They may or may not be running, but probably not unless you enabled them yourself (personal Web sharing is Apache, for example).

andrewg is probably not going to make details public because of the way Apple like to sit on some bugs for way too long. It would be nice to know if it involved one of those "extra" services or something that runs out of the box, though.

kretzy
Mar 6, 2006, 09:44 AM
You have all of those things, they come with OS X. They may or may not be running, but probably not unless you enabled them yourself (personal Web sharing is Apache, for example).

andrewg is probably not going to make details public because of the way Apple like to sit on some bugs for way too long. It would be nice to know if it involved one of those "extra" services or something that runs out of the box, though.

Cool, thanks for clearing that up. ;)

iGary
Mar 6, 2006, 09:48 AM
More details from the site itself:

"To make things clear, this isn't some kind of wargame for which a solution exists in advance. As stated on the front page, it's simply an out-of-the-box install of Mac OS X (it came pre-installed) with an LDAP server, Apache, PHP and MySQL and this site. Nothing else."

Which means the firewall was disabled, right?

iMeowbot
Mar 6, 2006, 09:49 AM
Which means the firewall was disabled, right?
I would imagine so, that's how Macs are sent to customers.

[ edit: I'm getting "connection refused" from probable inactive ports on that box, suggesting that the firewall is probably off. ]
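The inference in that edit (a "connection refused" means the host's TCP stack answered with a reset, so nothing silently dropped the packet; a timeout means something did) can be turned into a repeatable self-check for a machine you administer. This is an added example, not code from the thread or from the challenge site; the host and port list are placeholders, and it assumes an active firewall drops inbound SYNs rather than rejecting them, which is how ipfw deny rules behave.

```python
import socket
from typing import Dict, Literal

# One of four outcomes for a TCP connect attempt.
Verdict = Literal["open", "closed", "filtered", "unreachable"]


def probe_port(host: str, port: int, timeout: float = 2.0) -> Verdict:
    """Classify a TCP port by how the connection attempt ends.

    open        - handshake completed: a service is listening
    closed      - host replied with RST ("connection refused"): the port is
                  reachable, nothing listens, and no firewall dropped the SYN
    filtered    - no reply before the timeout: something drops inbound SYNs
    unreachable - the local stack gave up (no route, host down, ...)
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "unreachable"
    finally:
        sock.close()


def infer_firewall(results: Dict[int, Verdict]) -> str:
    """Apply the thread's reasoning to a set of probe results.

    A single RST proves the host answers directly on that port, so the
    firewall is not dropping inbound traffic there ("off").  Silence on a
    port means something in the path drops SYNs ("on").  If every probed
    port is a live service, nothing can be concluded.
    """
    verdicts = set(results.values())
    if "closed" in verdicts:
        return "off"
    if "filtered" in verdicts:
        return "on"
    return "inconclusive"


def listen_on_localhost() -> socket.socket:
    """Open a throwaway listener on 127.0.0.1 for the offline self-check."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


def unused_local_port() -> int:
    """Pick a port nothing is listening on (bind to 0, read it back, release)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def self_check() -> Dict[str, Verdict]:
    """Probe one listening and one closed loopback port (no network needed)."""
    srv = listen_on_localhost()
    try:
        return {
            "open": probe_port("127.0.0.1", srv.getsockname()[1]),
            "closed": probe_port("127.0.0.1", unused_local_port()),
        }
    finally:
        srv.close()


if __name__ == "__main__":
    # Placeholder target: replace with a host you are responsible for.
    host = "127.0.0.1"
    ports = [22, 80, 443, 3306, 389]  # ssh, http, https, mysql, ldap
    results = {p: probe_port(host, p) for p in ports}
    for p, v in sorted(results.items()):
        print(f"{host}:{p:<5} {v}")
    print("firewall appears", infer_firewall(results))
```

Run it against a box with the firewall toggled both ways to see the verdict flip from "off" to "on"; loopback will always report "off" because the stack answers itself.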

whooleytoo
Mar 6, 2006, 10:15 AM
I love how there are NO specifics, NO names, NO explanation of the mini setup etc...

With no specifics....

I love it too, really. I'd hate to think they'd publish the details of the exploit, and every script-kiddie starts taking Mac servers down before Apple publishes a fix.

Applespider
Mar 6, 2006, 10:20 AM
There are some details here with a guy who can be identified (not sure it's clearly by the average bod!) but the problem is that we can't see how vulnerable we ourselves are without more details. While there's nothing in the wild to do this, then I'm comfortable not knowing what hardening I might need to do to protect my Mac (although he does say that even the hardening wouldn't have stopped him). If something does leak into the wild, then I'd like to know the circumstances.

As for Thurrott, I'll work on the % figure. I don't particularly care whether it's inherently more secure or a lower market figure, I'm still a darned sight less likely to catch something nasty on my Mac, and that's good enough for me.

Timepass
Mar 6, 2006, 10:20 AM
I love it too, really. I'd hate to think they'd publish the details of the exploit, and every script-kiddie starts taking Mac servers down before Apple publishes a fix.

Yeah, I think it's a good thing that the exploit is not published, because then the attack would be much more likely to happen.
A huge part of the reason that Windows computers will get attacked so fast is there are computers out there whose entire job is to search the net for a Windows computer to attack and then attack it.

Most of the so-called hackers out there are just script-kiddies that are trying to cause problems and have very little hacking skill of their own.

I would also like to add that hackers are not bad. The difference between a hacker and a cracker, for example, is that a cracker is going to cause trouble. Hackers in general do nothing illegal. The guy who did this on a Mac was a hacker since its goal was to compromise the Mac and it was stated to be.

stoid
Mar 6, 2006, 10:23 AM
andrewg is probably not going to make details public because of the way Apple like to sit on some bugs for way too long. It would be nice to know if it involved one of those "extra" services or something that runs out of the box, though.

I'm confused, didn't Apple release fixes for the trojan and worm things only a week or two after they came out? Or is there more to that story that I'm missing?

:confused:

iMeowbot
Mar 6, 2006, 10:38 AM
I'm confused, didn't Apple release fixes for the trojan and worm things only a week or two after they came out? Or is there more to that story that I'm missing?
They fixed things after there were exploits in the news. The "safe files" vulnerability was known (and known to Apple) before michaellehn made it public; they returned his radar report with a "duplicate bug" acknowledgment.

For fun, look up the CVE numbers on Apple security updates and notice some of the ages.

caveman_uk
Mar 6, 2006, 10:43 AM
I'm confused, didn't Apple release fixes for the trojan and worm things only a week or two after they came out? Or is there more to that story that I'm missing?

Apple has quite a bad reputation for being slow to fix vulnerabilities. They only fixed the ones from last week because

a) they were easy to fix
b) they were very public vulnerabilities.

Generally, security researchers don't go public before the vendor (in this case Apple) has a patch out. According to many researchers Apple doesn't exactly race to fix stuff when it knows it can sit on it for a bit.

I hate to say it but Thurrott's probably right. To believe Mac OS is somehow magically perfect and has no vulnerabilities is deluding yourself. Check out the number of holes the other Unix OSes have each year. Mac OS is probably worse as there's a whole massive GUI nailed on top.

greatdevourer
Mar 6, 2006, 11:45 AM
And that it took 6 whole hours for a machine that was actively saying "Hackers! Try and hack me!" when it takes 30 minutes or so for an anonymous Windows machine going online to get attacked.

I'll take my chances with my Mac, I think. :rolleyes:

Wrong. It was 4 :D

So what? With a public exploit that's been known for ****ing ages, I can attack the majority of systems (it was finally patched in XPSP2, although that may have been because they simply removed the process) with RPC Doom in under 5 seconds. I can get IIS 5 (still widely used, btw) and earlier with yet more known and old sploits.

I'm going to type my fingers off saying this again and again, but those "viruses" aren't, and can never truly be fixed, 'cause there's no patch for human stupidity.

bousozoku
Mar 6, 2006, 11:53 AM
You have all of those things, they come with OS X. They may or may not be running, but probably not unless you enabled them yourself (personal Web sharing is Apache, for example).

andrewg is probably not going to make details public because of the way Apple like to sit on some bugs for way too long. It would be nice to know if it involved one of those "extra" services or something that runs out of the box, though.

I'd like to know where MySQL is on personal systems because it's never been installed on any of my systems.

Mitthrawnuruodo
Mar 6, 2006, 11:57 AM
I'd like to know where MySQL is on personal systems because it's never been installed on any of my systems.

Me too... and PHP support is off for the Apache Server (you have to edit httpd.conf to turn it on). And isn't the Apache (aka Personal Web Sharing), and all other Services (in the Sharing prefpane), off by default, too...?

whooleytoo
Mar 6, 2006, 12:00 PM
There are some details here with a guy who can be identified (not sure it's clearly by the average bod!) but the problem is that we can't see how vulnerable we ourselves are without more details. While there's nothing in the wild to do this, then I'm comfortable not knowing what hardening I might need to do to protect my Mac (although he does say that even the hardening wouldn't have stopped him). If something does leak into the wild, then I'd like to know the circumstances.

I think the clear answer here is: we are vulnerable (assuming the Mac was truly cracked, as stated) until an Apple patch arrives. Posting the details before then would make us very vulnerable indeed.

Security through obscurity isn't ideal, but it's a hell of a lot better than none at all.

It's good that this was made public though, anything that focuses attention on Mac security is a welcome kick in the bum for Apple, IMO.

mkrishnan
Mar 6, 2006, 12:15 PM
I think the clear answer here is: we are vulnerable (assuming the Mac was truly cracked, as stated) until an Apple patch arrives. Posting the details before then would make us very vulnerable indeed.

I dunno... a lot of exploits on Macs and beyond get fixed because the details are made available. If you buy into Caveman's reasoning, and if the speculation that this involves true exploits that were not publicly known but are known to Apple is also true, then Apple needs a kick in the pants to fix this.

bousozoku
Mar 6, 2006, 12:28 PM
Me too... and PHP support is off for the Apache Server (you have to edit httpd.conf to turn it on). And isn't the Apache (aka Personal Web Sharing), and all other Services (in the Sharing prefpane), off by default, too...?

Yes, pretty much all services, including the firewall, are off by default.

Project
Mar 6, 2006, 12:33 PM
Local Access was given to every participant in the contest, via SSH.

Here, have the keys to my house. See how long it takes you to break in.

whooleytoo
Mar 6, 2006, 12:40 PM
I dunno... a lot of exploits on Macs and beyond get fixed because the details are made available. If you buy into Caveman's reasoning, and if the speculation that this involves true exploits that were not publicly known but are known to Apple is also true, then Apple needs a kick in the pants to fix this.

Well, I kind of like the way things have gone now.

Apple privately made aware of vulnerability -> No fix.
Vulnerability made public (without details) -> Waiting....

If the publicity this exploit earns doesn't shift Apple into gear pretty darn quick, THEN I think it should be very publicly made known.

However, if this reluctance to fix vulnerabilities is common with Apple, perhaps it's best to make these public quicker, sure.

stoid
Mar 6, 2006, 12:46 PM
Local Access was given to every participant in the contest, via SSH.

Here, have the keys to my house. See how long it takes you to break in.

The difference is that here, once given a key to the house, the hacker gained access to the locked gun cupboard as well within 30 minutes. The danger here is that once inside the house (something that you allow hundreds of times a day browsing the web) it's supposedly a simple task to gain access to the whole system.

StealthRider
Mar 6, 2006, 12:49 PM
So turn the firewall on, and see what happens...:rolleyes:

iMeowbot
Mar 6, 2006, 12:53 PM
I'd like to know where MySQL is on personal systems because it's never been installed on any of my systems.
It's OS X Server that comes with it preinstalled. I'm always seeing it on client boxes because of Adobe Bridge, which uses MyISAM.

Project
Mar 6, 2006, 01:02 PM
The difference is that here, once given a key to the house, the hacker gained access to the locked gun cupboard as well within 30 minutes. The danger here is that once inside the house (something that you allow hundreds of times a day browsing the web) it's supposedly a simple task to gain access to the whole system.

Well, I think this is the case for pretty much all OSes. In Windows, you don't even need to be granted local access.

You do raise an interesting point into the question of the grace period that UNIX affords after entering the admin password.

Do you think it should work on a basis of every time admin privileges are needed, a password prompt should be given? Or would that impact on usability? From what I gather Vista will ask you for a password every single time, with no grace period.

DavidLeblond
Mar 6, 2006, 01:02 PM
The difference is that here, once given a key to the house, the hacker gained access to the locked gun cupboard as well within 30 minutes. The danger here is that once inside the house (something that you allow hundreds of times a day browsing the web) it's supposedly a simple task to gain access to the whole system.

Please clarify how I allow people "in" by browsing the web...

mkrishnan
Mar 6, 2006, 01:04 PM
Well, I kind of like the way things have gone now.

Yes, you definitely make a good point. It's a balancing act. On the one hand, Apple has undeniably done pretty well, whether by chance or calculation, in the number of viruses, widely known and unfixed exploits, and so on, on their system. On the other hand, they can and should always strive to do better. So we need to balance the carrot and the stick.

I'd still like to know more about how this Mac was configured, and at least the basics of what was exploited, so we can make some speculations about the impacts on our own system. There are some strange things on this page, like:

That's why I set up an LDAP server and linked it to the Mac's naming and authentication services, to let people add their own account to this machine. That way, they will all be able to enjoy the beauty of Mac OS X Tiger. And, of course, get a better chance of rm'ing it!

This in itself seems like a strange accommodation to make to hackers... I am not that familiar with this, but this is not a normal configuration, is it? Servers are usually designed for remote access, but I'd think that there would be good precautions on the ability to create new accounts....

whooleytoo
Mar 6, 2006, 01:08 PM
Please clarify how I allow people "in" by browsing the web...

By browsing the web, you are downloading text and image files, possibly Flash and/or Java & script content which runs on your Mac. If not "in", it's certainly one foot in the door.

iMeowbot
Mar 6, 2006, 01:10 PM
Do you think it should work on a basis of every time admin privileges are needed, a password prompt should be given? Or would that impact on usability? From what I gather Vista will ask you for a password every single time, with no grace period.
One of the troubles with asking for a password on each and every action is that people get numb to the prompts and stop paying attention to why the prompts are there. There kind of has to be a balance in there.

treblah
Mar 6, 2006, 02:57 PM
Some new info via Thurrott (http://www.internet-nexus.com/2006/03/mac-os-x-security-challenge.htm), about the alleged hack from the University of Wisconsin (http://test.doit.wisc.edu/).

The ZDnet article, and almost all of the coverage of it, failed to mention a very critical point: anyone who wished it was given a local account on the machine (which could be accessed via ssh). Yes, there are local privilege escalation vulnerabilities; likely some that are "unpublished". But this machine was not hacked from the outside just by being on the Internet. It was hacked from within, by someone who was allowed to have a local account on the box. That is a huge distinction.

Nice to see Thurrott backpedal a little ;)

mkrishnan
Mar 6, 2006, 03:03 PM
Nice to see Thurrott backpedal a little ;)

This is what my reply three or four posts above was about. This was stated on the front page of the original site of the owner of the Mac, although I didn't understand it completely. This is the part of the "challenge" which makes no sense to me.

bousozoku
Mar 6, 2006, 03:07 PM
This is what my reply three or four posts above was about. This was stated on the front page of the original site of the owner of the Mac, although I didn't understand it completely. This is the part of the "challenge" which makes no sense to me.

Yes, it's pretty much like saying "Yes, I hacked my own machine!" Of course, it's possible.

At least, Deep Thurott is being responsible, but ZDNet is part of C|Net, and they will do anything for attention anymore.

Project
Mar 6, 2006, 03:13 PM
Paul Thurrott completely backpedalled. Look at his latest entry:

Mac OS X is, no doubt, quite secure. It's certainly well designed. But my point is simple: If as many people used OS X as use Windows, OS X would be hacked a lot. Would it be hacked as much as Windows? No, probably not. But OS X is not invulnerable.

Yet in his original entry, his first point was this, where he clearly set out his stall:

Will this end the baloney? No, but we're getting there. As the "Mac is more secure" argument falls apart, eventually Mac fanatics will have to fall back on such rationale as "I just like it better" when defending their favorite OS.

His argument previously was about OS X being secure, and he used this "contest" as a means to justify his argument. And when he realised this particular argument went to the *******, he said his point was about the small Mac audience / target for hackers. While he did reference them in his original post, it wasn't the focal point of it.

Clearly, the man has some kind of issue with Macs. Or just a troll?

Lord Blackadder
Mar 6, 2006, 03:18 PM
That makes more sense...if they had local access it's a whole new ballgame.

Thurrott is a jerk, I'm surprised he bothered to correct himself at all. He is the Bill O'Reilly of the computer pundit world.

bousozoku
Mar 6, 2006, 03:18 PM
...
Clearly, the man has some kind of issue with Macs. Or just a troll?

Well, for the longest time, he has been the voice of Windows but has never officially worked for Microsoft.

treblah
Mar 6, 2006, 03:26 PM
Yes, it's pretty much like saying "Yes, I hacked my own machine!" Of course, it's possible.

At least, Deep Thurott is being responsible, but ZDNet is part of C|Net, and they will do anything for attention anymore.

Nice one! Never heard it before. I'm ROTFLOL :D

mkrishnan
Mar 6, 2006, 03:35 PM
Clearly, the man has some kind of issue Macs. Or just a troll?

Well, while he did it in his own acerbic way, he has a point with what he said after the part you quoted. There *are* fanatics out there... and people *are* entitled to use what they want. They don't need any further justification than liking it. That's enough. He likes Windows (and probably by a smaller margin than some Windows fanatics). I like MacOS (although by a smaller margin than some Mac users).

gnasher729
Mar 6, 2006, 03:35 PM
Yes, pretty much all services, including the firewall, are off by default.

Wrong, wrong, wrong.

Pretty much all services are off by default.

Firewall is _on_ by default. Firewall is not a "service". The Firewall prevents anyone on the outside from connecting to services on your machine, whether those services are enabled or not.

That idiot who got his machine hacked, took a Mac Mini with MacOS X installed, then he enabled the SSH service which is disabled by default, then he opened his firewall to allow access to the SSH service from the outside, then he allowed remote login on his machine and then he announced his challenge.

That's about the same as announcing that you have an uncrackable safe and leaving the combination on a note on the safe.

PlaceofDis
Mar 6, 2006, 03:36 PM
I love how everything always gets blown out of proportion.

Applespider
Mar 6, 2006, 03:38 PM
It does put an entirely different complexion on the news...

It's like telling a burglar that the keys to your house are hidden on the patio...

Project
Mar 6, 2006, 03:47 PM
Wrong, wrong, wrong.

Pretty much all services are off by default.

Firewall is _on_ by default. Firewall is not a "service". The Firewall prevents anyone on the outside from connecting to services on your machine, whether those services are enabled or not.

That idiot who got his machine hacked, took a Mac Mini with MacOS X installed, then he enabled the SSH service which is disabled by default, then he opened his firewall to allow access to the SSH service from the outside, then he allowed remote login on his machine and then he announced his challenge.

That's about the same as announcing that you have an uncrackable safe and leaving the combination on a note on the safe.

I'm pretty sure Firewall is OFF by default. It doesn't need to be on given all of the other services are off too. Or so I've read.

And to the dude above. Yeah, Thurrott does have a point about some of the Mac ignorance to security, but he worded it in a way that implied that you can no longer use security as a selling point for OSX because of this very *exploit*.

Play Ultimate
Mar 6, 2006, 03:49 PM
The sky is falling....
oops....

Sounds like much ado about nothing. This is just the ability to hack into the admin after having access to the computer. Albeit this is something to be concerned about if many people are using your computer. But do we really need to fear our wives, children, co-workers trying to hack our computer? Usually not.

Let's see somebody hack into a secure server someplace.

treblah
Mar 6, 2006, 03:58 PM
As with most of their posts, ArsTechnica (http://arstechnica.com/news.ars/post/20060306-6321.html) has a good write up on the story.

revjay
Mar 6, 2006, 04:50 PM
April Fools Day is celebrated at strange times in Europe...;)

bousozoku
Mar 6, 2006, 05:41 PM
Nice one! Never heard it before. I'm ROTFLOL :D

I've always called him that, due to his apparent Microsoft allegiance. He was always getting new technology from them before anyone else did, as if he was supposed to shout about it from the mountain top.

aa...
Mar 6, 2006, 06:23 PM
I don't think this webpage has been mentioned here yet, so I'd better, I guess...

From the Uni of Wisconsin (http://test.doit.wisc.edu/):

"The ZDnet article, and almost all of the coverage of it, failed to mention a very critical point: anyone who wished it was given a local account on the machine (which could be accessed via ssh). Yes, there are local privilege escalation vulnerabilities; likely some that are "unpublished". But this machine was not hacked from the outside just by being on the Internet. It was hacked from within, by someone who was allowed to have a local account on the box. That is a huge distinction."

They have a standard box setup as a security challenge, at the time of writing it is still secure.

nagromme
Mar 6, 2006, 06:28 PM
Response to ZD Net's misleading story: http://test.doit.wisc.edu/

Yes it was hacked in 30 minutes.... not over the Internet but by someone who was GIVEN local access to the computer, and who was GIVEN a standard account password!

Kind of reminds me of a certain alleged "Mac virus" recently that had no ability to spread over the Internet... yet you almost never saw that little tidbit reported.

"The ZDnet article, and almost all of the coverage of it, failed to mention a very critical point: anyone who wished it was given a local account on the machine (which could be accessed via ssh). Yes, there are local privilege escalation vulnerabilities; likely some that are "unpublished". But this machine was not hacked from the outside just by being on the Internet. It was hacked from within, by someone who was allowed to have a local account on the box. That is a huge distinction."

GorillaPaws
Mar 6, 2006, 06:31 PM
After reading your posts, I do indeed feel better about OS X's security, but if the claims that numerous vulnerabilities do exist in OS X that Apple is aware of are true, then that fact, in and of itself, is very troubling. Like other posters have mentioned, if it takes a little public humiliation to motivate patches, so be it. Apple really ought to place a very high priority on security, possibly even employ hackers full time to try and crack the system so exploits may be patched before they are even discovered. Just my 2 cents.

whooleytoo
Mar 6, 2006, 06:43 PM
Hmm, so this news story essentially boils down to:

"Mac server - its security = Unsecure Mac server"

Hold the press - a front page story if ever I heard one! ;)

Detlev
Mar 6, 2006, 06:48 PM
Doesn't matter if they were given access or not. That's just one tiny hurdle anyway. The point is if you're hosting a site on one of these machines, which granted most Power Users would not, it is vulnerable. For the person who uses a computer to collect email, balance their checkbook, store personally identifiable information, and host a family genealogy page or blog or whatever, this makes them very transparent. What's worse is that if you are running an office using these machines or even have a home network and you have one bad apple working for you or visiting, they can get into places they should not be. There are people out there doing mean things to others. That's just the way it is.

Don't view it as a personal attack on your choice of OS or hardware or whatever. Be glad they had the challenge instead of deciding to check it out on your machine.

As for making the vulnerabilities public the first moment they are found, I'm glad they do not. Let Apple know. Get hired by Apple. They do a service for us. You may not like their means but their results are sitting on your desktop right now.

Hey, just an opinion.

Stridder44
Mar 6, 2006, 07:03 PM
Yeah, I hack my computer all the time when I type in my password to install stuff. Guess I'm as good as this guy.

bousozoku
Mar 6, 2006, 07:13 PM
After reading your posts, I do indeed feel better about OS X's security, but if the claims that numerous vulnerabilities do exist in OS X that Apple is aware of are true, then that fact, in and of itself, is very troubling. Like other posters have mentioned, if it takes a little public humiliation to motivate patches, so be it. Apple really ought to place a very high priority on security, possibly even employ hackers full time to try and crack the system so exploits may be patched before they are even discovered. Just my 2 cents.

UNIX has never been very secure, though it's been acceptable and, as a desktop operating system, pretty good. If you wanted a secure platform, you went with something proprietary because it was more difficult to have someone coding for it.

I agree that Apple should hire some hackers to stress the system constantly. It may not matter in the real world, but perception is more important than truth in the U.S.A.

whooleytoo
Mar 6, 2006, 07:19 PM
Doesn't matter if they were given access or not. That's just one tiny hurdle anyway.

I'm not sure I agree that's a tiny hurdle. Getting as far as being able to execute code on a remote machine (such as these servers) is seen as a pretty darn worrying exploit and is enough to get the blog tongues wagging about the platform's security.

treblah
Mar 6, 2006, 09:29 PM
It may not matter in the real world, but perception is more important than truth in the U.S.A.

So true, thanks to Yahoo! for putting this on their front page (http://news.yahoo.com/s/nf/20060306/tc_nf/41948).

"The lesson here is that if we look at Mac OS X and compare it to, say, Windows XP, we find that, in terms of the number of vulnerabilities, they are actually quite comparable," said Vincent Weafer, senior director at Symantec Security Response.

Call me a zealot if you must, but I am boycotting Symantec forever.

Maxx Power
Mar 6, 2006, 10:02 PM
UNIX has never been very secure, though it's been acceptable and, as a desktop operating system, pretty good. If you wanted a secure platform, you went with something proprietary because it was more difficult to have someone coding for it.

I agree that Apple should hire some hackers to stress the system constantly. It may not matter in the real world, but perception is more important than truth in the U.S.A.

Doze XP is still my king of unsecure OS.

tranceme
Mar 6, 2006, 10:04 PM
So true, thanks to Yahoo! for putting this on their front page (http://news.yahoo.com/s/nf/20060306/tc_nf/41948).

Call me a zealot if you must, but I am boycotting Symantec forever.

Yeah, Symantec has sucked for some time now. This company loves stuff like this. That way people will buy their bloated resource-sucking products.

ezekielrage_99
Mar 6, 2006, 10:09 PM
Been there and heard that already.

Since the release of Mac OS X I've been hearing this on a monthly basis, yet I haven't seen any real concrete evidence about this. I think it's just frustrated Windows users trying to bring us down to their level..... ;)

And really if you are silly enough to get on the net without some basic protection (e.g. Firewall, Anti-Virus, etc) you are making yourself an easy target for people who have no ethics.

I find it funny how someone can write an article without the use of any specifics, don't they teach "verisimilitude" to budding young writers out there anymore?

generik
Mar 6, 2006, 10:11 PM
Hmm.. this "hack" does have some serious implications though.

Remember the last time when that alleged script "virus" ran amok and people suggested running your usual account as a user instead of as an administrator?

Well, this vulnerability proves that even doing just that would help the situation exactly squat :o

csubear
Mar 6, 2006, 10:27 PM
My question would be,

How did the local accounts get privilege escalation? Was it non-Apple software (Apache, MySQL, GNU, or otherwise) or was it Apple software?

fluidinclusion
Mar 6, 2006, 10:28 PM
I'm pretty sure the Firewall is OFF by default. It doesn't need to be on given all of the other services are off too. Or so I've read.

And to the dude above. Yeah, Thurrott does have a point about some of the Mac ignorance to security, but he worded it in a way that implied that you can no longer use security as a selling point for OSX because of this very *exploit*.

Don't know about your machine, but on 10.3 when I bought my 12" Powerbook 2 years ago, the firewall was OFF by default. same for other Macs I've had.

bousozoku
Mar 6, 2006, 10:40 PM
So true, thanks to Yahoo! for putting this on their front page (http://news.yahoo.com/s/nf/20060306/tc_nf/41948).

Call me a zealot if you must, but I am boycotting Symantec forever.

Symantec is right about there being about the same number of security holes. The difference is that they're almost all patched correctly on Mac OS X and either patched incorrectly or not at all on Windows.

My question would be,

How did the local accounts get privilege escalation? Was it non-Apple software (Apache, MySQL, GNU, or otherwise) or was it Apple software?

I'm betting that it was MySQL that was the gateway since Apache is on every system already.

kanaka
Mar 6, 2006, 10:41 PM
There was never a post here. You were imagining things.

Koodauw
Mar 6, 2006, 10:47 PM
The University of Wisconsin is a fine institution.

nice rebuttal.

FUBAR16
Mar 6, 2006, 11:01 PM
I read CNET a lot and I'm tellin' ya' these guys love trashing Apple! Every day you can probably find at least one or two "iPod Killer" articles on there. If you read the article now, you'll notice a tiny little "clarification" on the bottom of the page that says the users were given local access to the machine. My little sister can probably hack into that system given local client access. And secondly, from a security perspective, you can't even remotely mention OSX's name in the same breath as Windows, or any Unix-based OS for that matter. Companies hire full time SA's just to manage security patches for Windows environments. Microsoft is constantly responding to hundreds of vulnerabilities and patching them on a regular basis. Now they identify 2 or 3 potential holes in OSX and all hell's broken loose. Please....

Analog Kid
Mar 6, 2006, 11:14 PM
My question would be,

How did the local accounts get privilege escalation? Was it non-Apple software (Apache, MySQL, GNU, or otherwise) or was it Apple software?
Don't know for sure, but if they can only get access via ssh then they only have a command line running. Probably something in the BSD layer, but it could have been a NetInfo hack or something else added by Apple. launchd maybe?

I'm guessing there's a known BSD exploit that Apple hasn't brought up to date yet... If I were going to try to crack a machine like this, I'd research known exploits in a parent technology and see if it was patched. Complete speculation on my part though...

jwhitnah
Mar 6, 2006, 11:15 PM
CNET has less credibility than the National Enquirer.

Analog Kid
Mar 6, 2006, 11:26 PM
I'm betting that it was MySQL that was the gateway since Apache is on every system already.
If that's true, then I call double BS on this... Can't hold Apple responsible for third party software installed. Maybe if it was Server that was cracked, but a Mini?

angelneo
Mar 6, 2006, 11:32 PM
Basically the contest is pretty much skewed... I have no idea what purpose it serves.

lwjr2003
Mar 6, 2006, 11:42 PM
How can you call this hacking? Turn all services on, activate the root account, give access to local accounts, add PHP, MySQL, Apache (these were not standard, they were finked in). From his website the purpose was to have the mini hacked. This is what is on his web site (http://rm-my-mac.wideopenbsd.org). This is not news........


<<<It runs a default install of Mac OS X Tiger, plus fink and some decent versions of Apache, MySQL and PHP. Software Update recently updated it to Mac OS X 10.4.5 and fixed some security issues.
Yup, I should be pretty secure, shouldn't I? <--- BZZZZT, WRONG Kinda like OpenBSD <--- NO, NOT REALLY., with the exception that this particular operating system was actually designed to be useful. That's why I set up an LDAP server and linked it to the Macs naming and authentication services, to let people add their own account to this machine. That way, they will all be able to enjoy the beauty of Mac OS X Tiger. And, of course, get a better chance of rm'ing it!
Because I'm quite confident this poor Mac will get rm'd at some point in time.

Why would you want to rm it? Please have a look at the FAQ.

To make things more exciting, I have decided to not backup anything on this box. Backups are for p#####. Real men can live with the pain of an accidental and/or misdirected rm. And then construct everything from scratch again.>>>>>>>>

tveric
Mar 6, 2006, 11:52 PM
Everybody calm down. It's pretty obvious, once you RTFA, that this was a BULLSHlT setup designed to promote whatever website/organization set it up. CNET, if they have any scruples whatsoever, will update their article to reflect this. And the blogs that are reporting it? Guess who's reading them - nobody, except for the minute audience that's the same size as the one reading these forums. A quick Google News search turns up 19 sites that reprinted this same info, and they're pretty much all geek-mags, with the exception of CNET and ZDNet.

In other words, a total non-story. Wake me up when CNN reprints this on their site.

texasmafia
Mar 6, 2006, 11:53 PM
This whole thing is a total joke. Most people will just believe what they hear but obviously this Mac wasn't truly hacked. They opened the door and invited people in. That isn't the case with the Mac mini you buy and pull out of the box.

puuukeey
Mar 7, 2006, 12:16 AM
Here's an idea... if it was so fake, why doesn't MacRumors do this for real? Every other month. Then give the security holes to Apple?

silly hackers get bragging rights
we get security tips

Westside guy
Mar 7, 2006, 12:16 AM
Remote exploits on a *nix box are somewhat rare (not non-existent), and (as others have pointed out) they usually require some service to be running. Local exploits to gain privilege escalation are a lot more common. I suspect that, if you opened up a Red Hat box such that people could remotely create accounts on it without any sorts of controls, it could be rooted fairly easily too. But this is generally going to be a bigger problem on servers and, to a lesser degree, on multi-user workstations.

That's why vulnerabilities to things like PHP (still pretty common) and Apache (not so common) are such a big deal, even if those are running as a user with little or no privileges. They just provide a way into the box. Once you've got that, then it's often easy/trivial to root the thing.

Austin.xstone
Mar 7, 2006, 12:31 AM
I'd trust my files with a Mac any day over a Windows - did an anti-virus scan on my Windows laptop today and it had 43 viruses.... Need I say any more? Need I? :eek:

socamx
Mar 7, 2006, 12:33 AM
To me this all just says people are getting desperate to say bad things about Apple and Macs.

Seriously, come on, how many Mac users turn on ssh, turn on Apache and install PHP/MySQL, open up the ports, set up a web script for people to add users, allow people to poke around with created user accounts, all the while posting a website inviting hackers?

Mac haters are simply losing things to bash Macs with, so they find ridiculous things like this to help bash Macs. Any possible thing they can gloat about they do. Seen it so many times lately with all the virus/trojan/vulnerability things floating around the internet. They see something minor or stupid like this, post the links and start gloating...only to have themselves smacked in the face a few hours later when it all loses major credit or fixes are made/found within a short time period.

Sure there are problems with internal accounts, but this simply isn't an issue for the very vast majority of Mac users.

bloosqr
Mar 7, 2006, 12:37 AM
I have to disagree w/ the general assessment here that this exploit was ********. By ignoring local exploits you are essentially saying as far as any hacker is concerned any account is just as good as root. The unix privilege/protection mechanism no longer exists as long as your OS has this problem. That is why it is vitally important to fix local exploits. It means any local user is as good as root, it means any non-root daemon exploit is now a root exploit.

Conversely, it should be obvious that it is *not* an interesting question to turn off all ports and then challenge the world to *hack* me.


On the other hand there is no "inherent" reason why these exploits can't be fixed and they will be. The SELinux kids have done a lot of good w/ their code, there is no reason that many of the ideas won't bleed over into the Apple/BSD world. Take these bugs seriously, Apple will patch w/in the week and let's play this game weekly till we get the bugs out.

Fiveos22
Mar 7, 2006, 12:46 AM
The University of Wisconsin is a fine institution.

nice rebuttal.

Damn fine institution...now if they would only grant me a degree so I can move on.

greatdevourer
Mar 7, 2006, 01:25 AM
I agree that Apple should hire some hackers to stress the system constantly. It may not matter in the real world, but perception is more important than truth in the U.S.A.

They most likely already do. Everyone does. The biggest cert you can get in computer security is a CEH (Certified Ethical Hacker). If you want to keep your house safe, the best person to ask is an ex-burglar.

He possibly used autohack (google for autohack.dmg, it may still be around) that was written for 10.2. I'm not sure if it still works, though

Fiveos22
Mar 7, 2006, 01:41 AM
Has it been thirty minutes yet? :D

Lollypop
Mar 7, 2006, 01:52 AM
I agree that this wasn’t a real hack, but that more "hacks" like these should be done, and the method of gaining access should be publicly announced, if Apple doesn’t want to fix known bugs because its not worth the effort we as a community should wake them up and make all security flaws worth their attention by publicly highlighting their flaws... in the end it will only benefit all of us.

On another note, is there a hardening tool out there that an average user can use to make sure they are running the optimal security settings?

Don.Key
Mar 7, 2006, 02:06 AM
From ZDNet. (http://www.zdnet.com.au/news/software/soa/Mac_OS_X_hacked_in_less_than_30_minutes/0,2000061733,39241748,00.htm?feed=rss)

Paul Thurrott getting a stiffy about it. (http://www.internet-nexus.com/2006/03/mac-os-x-hacked-under-30-minutes.htm):rolleyes:

Well, this is not exactly shocking news; providing someone with shell access on almost any OS is 90% of his "hack job". IBM mainframes are a noble exception in this case.

Before giving away shell accesses the machines must be hardened big time and still yet it is almost guaranteed that some security hole will be there.

BRLawyer
Mar 7, 2006, 02:56 AM
I'd like to know where MySQL is on personal systems because it's never been installed of any of my systems.

Simple, it's NOT installed by default on any client machine...not even X11 is these days...you must pick up your installation disc and select custom install for that to happen...

As for the "competition", it's just a bunch of FUD again...all of the services there are disabled by DEFAULT, and no one in his sane mind would create login accounts in the blank to strangers...as others pointed out, to properly "hack" a Mac you would be supposed to access a stranger's desktop without login account and SSH and take control of it...in other words, virtually impossible.

it seems like some people are really trying hard to depict the Mac as an insecure platform...problem is, it is NOT; sorry, script kiddies.

But hey, at least Macs are now affordable to you poor bastards who could have only cheapo Dell boxes before...so you can pretend Macs are as ridiculously insecure as a Winblows box and put that on a childish blog...

demallien
Mar 7, 2006, 03:18 AM
The sky is falling....
oops....

Sounds like much ado about nothing. This is just the ability to hack into the admin after having access to the computer. Albeit this is something to be concerned about if many people are using your computer. But do we really need to fear our wives, children, co-workers trying to hack our computer?? Usually not.

Let's see somebody hack into a secure server someplace.

I don't think you understand the gravity of this exploit. Remember those two trojans a couple of weeks back? Everyone was saying "yeah well, it doesn't matter, it only gave the hacker user access, he wasn't root, the user would still have to type in the password for anything to happen". Well guess what, this new exploit, if used in conjunction with the flaws used by the trojans, would crack your Mac wide open... The trojan gives the hacker user access, the new exploit upgrades the user access to root access, and the hacker can now do as he pleases with your Mac.... THAT is dangerous.

On the other hand, if we are going to get into the "which OS is more secure" debate, it should be made clear that MacOSX has several advantages over Windows

1: The default config blocks many attacks (although not those that have been in the news recently)
2: Most Internet apps/services running on MacOSX are open-source, meaning that they have been reviewed many, many, many times over, eliminating most (but not all) bugs that lead to exploits.
3: Security by Obscurity - This is still a real effect, as mentioned elsewhere, hackers aren't necessarily going to waste their time on a system with only 5% marketshare. On the other hand, most hackers have a fair bit of Unix experience, so they are already quite familiar with much of the technology found in a Mac. All of this makes for a platform that isn't as obscure as one might think (as attested to by the attacks in recent weeks)

Frankly, the only way that Apple (or any supplier) can produce a secure system is to run a permanent competition for hackers with a cash prize each time the test system is exploited. This, followed up with rapid correction of the bug permitting the vulnerability, would make the system close to rock-solid. Until Apple implements such an aggressive strategy however, we Mac users will be vulnerable to attacks, just like our Windows-using brethren...

Dark Venage
Mar 7, 2006, 03:19 AM
Hello... my first post on macrumors :)

In order to discover the vulnerability we could setup an other server with an IDS (Intruder Detecting System) like Snort. There is an OS X GUI for it called HenWen.

It's really powerful... it detects exploits, buffer overflows, attacks, etc. (although it doesn't stop them)

http://seiryu.home.comcast.net/henwen.html

Bye

JQW
Mar 7, 2006, 03:30 AM
It's possible that Fink is responsible for this intrusion. Although the Fink project attempts to port various open source packages to Mac OS X, there's virtually zero effort in place regarding security in respect to ensuring that packages are built with patched source. Many packages in the Fink tree haven't been updated for a year or two, if at all. I'd wager the problem was a known exploit with a SETUID or SETGID binary installed by Fink.

Fink just isn't good enough for production systems, particularly if installed just from their laughingly named 'stable' release. Caveat emptor!
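JQW's guess that the foothold was a setuid or setgid binary installed by Fink, and bloosqr's point earlier that a local escalation turns any unprivileged account or daemon compromise into root, both come down to one inventory question: which files on this box run with someone else's privileges? The shell functions below are an added example, not code from the thread, from Fink or from Apple. They list setuid/setgid executables under the prefixes you name (/sw as the Fink prefix is an assumption about the install), count them, and diff the list against a saved baseline so that a newly installed privileged binary stands out. The demo tree they build is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread, Fink or Apple): inventory setuid/setgid
# executables. Any such file is code a plain local user runs with someone else's
# privileges, so the list should be short, known, and compared against a baseline.
# /sw is assumed to be the Fink prefix; pass whatever prefixes you care about.

# audit_privileged_bins PREFIX...
#   Prints every regular file under the prefixes with the setuid (4000) or
#   setgid (2000) bit set, one path per line, sorted. Missing prefixes are skipped.
audit_privileged_bins() {
    for prefix in "$@"; do
        [ -d "$prefix" ] || continue
        find "$prefix" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
    done | sort
}

# count_privileged_bins PREFIX...
#   Number of such files; a one-number sanity check after installing packages.
count_privileged_bins() {
    audit_privileged_bins "$@" | grep -c . || true
}

# diff_against_baseline BASELINE_FILE PREFIX...
#   Prints privileged files that are not listed (one path per line) in BASELINE_FILE.
#   Returns 1 when anything new turned up, 0 when the box matches the baseline.
diff_against_baseline() {
    baseline_file=$1
    shift
    new_bins=$(audit_privileged_bins "$@" | grep -v -x -F -f "$baseline_file" || true)
    [ -z "$new_bins" ] && return 0
    printf '%s\n' "$new_bins"
    return 1
}

# make_demo_tree
#   Builds a constructed stand-in for a Fink prefix: one setuid file, one setgid
#   file and one ordinary executable. Prints the directory so callers can clean up.
make_demo_tree() {
    demo=$(mktemp -d "${TMPDIR:-/tmp}/suidaudit.XXXXXX")
    mkdir -p "$demo/bin" "$demo/lib"
    printf '#!/bin/sh\necho harmless\n' > "$demo/bin/harmless"
    printf '#!/bin/sh\necho setuid\n'   > "$demo/bin/suidtool"
    printf '#!/bin/sh\necho setgid\n'   > "$demo/lib/sgidhelper"
    chmod 0755 "$demo/bin/harmless"
    chmod 4755 "$demo/bin/suidtool"     # setuid bit
    chmod 2755 "$demo/lib/sgidhelper"   # setgid bit
    printf '%s\n' "$demo"
}

# Stand-alone run: audit the demo tree, record a one-entry baseline, then show
# what diff_against_baseline reports when a second privileged file is present.
demo_dir=$(make_demo_tree)
echo "privileged binaries under $demo_dir:"
audit_privileged_bins "$demo_dir"
printf '%s/bin/suidtool\n' "$demo_dir" > "$demo_dir/baseline"
echo "not in baseline:"
diff_against_baseline "$demo_dir/baseline" "$demo_dir" || echo "(new privileged binary found)"
rm -rf "$demo_dir"
```

On a real box the call is something like `audit_privileged_bins /sw /usr /bin /sbin > baseline.txt` right after a clean install, then `diff_against_baseline baseline.txt /sw /usr /bin /sbin` after each Fink or Software Update run; a non-zero exit is the cue to ask why that binary needs the bit.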

BlueRevolution
Mar 7, 2006, 03:33 AM
Dark Venage, I like it for the name alone... :)

macgeek2005
Mar 7, 2006, 03:58 AM
1. Mac OS X Cannot get viruses
2. Mac OS X Cannot be hacked.

I will believe the above two statements until I see otherwise with my own eyes.

JQW
Mar 7, 2006, 04:04 AM
1. Mac OS X Cannot get viruses
2. Mac OS X Cannot be hacked.

I will believe the above two statements until I see otherwise with my own eyes.

And what's the name of your guide dog?

BRLawyer
Mar 7, 2006, 04:08 AM
And what's the name of your guide dog?

Perhaps you could give us yours first...

1) There are no viruses yet for Mac OS X;
2) Not a single machine has been hacked yet in the "blank" with default configuration.

JQW
Mar 7, 2006, 04:17 AM
Perhaps you could give us yours first...
2) Not a single machine has been hacked yet in the "blank" with default configuration.

Got proof of that?

iMeowbot
Mar 7, 2006, 04:24 AM
At the time this contest was held, an ssh account would not have been needed to do exactly the same thing. The script vulnerability in Mail and Safari provided adequate access to obtain a remote interactive shell. "smaller" vulnerabilities like that one are the reason that unintended privilege escalation matters.

BRLawyer
Mar 7, 2006, 04:50 AM
Got proof of that?

The proof is the total lack of news, apart from that fake contest and the "proof-of-concept" exploits...after all, aren't "hackers" the ones most interested in self-publicity?

As for the previous poster, you're wrong. For privilege escalation to occur under the already-patched Mail and Safari holes, you would still need a local account, or a user's command to allow the exploits to work. No attacks from outside would ever be able to explore that.

bigandy
Mar 7, 2006, 05:03 AM
I'd like to know where MySQL is on personal systems because it's never been installed of any of my systems.

Me too... and PHP support is off for the Apache Server (you have to edit httpd.conf to turn it on). And isn't the Apache (aka Personal Web Sharing), and all other Services (in the Sharing prefpane), off by default, too...?

MySQL is not installed on Mac OS X by default - only the Server edition.

All services are turned off by default when you receive a new mac / do a clean install... (see the attached image)

iMeowbot
Mar 7, 2006, 05:10 AM
As for the previous poster, you're wrong.
No.
For privilege escalation to occur under the already-patched Mail and Safari holes, you would still need a local account, or a user's command to allow the exploits to work. No attacks from outside would ever be able to explore that.
In other words, you didn't understand that vulnerability at all. It allowed arbitrary attachments and downloads to be executed without the user's permission. That in turn was ample access to download additional software and execute it. Under that circumstance it is quite simple to instantiate a network daemon on any high-numbered port, allowing full access to arbitrary shell interaction as the user who received that attachment. On Panther systems, it's additionally trivial with that much access to gain persistent remote root access.

BRLawyer
Mar 7, 2006, 05:23 AM
No.

In other words, you didn't understand that vulnerability at all. It allowed arbitrary attachments and downloads to be executed without the user's permission. That in turn was ample access to download additional software and execute it. Under that circumstance it is quite simple to instantiate a network daemon on any high-numbered port, allowing full access to arbitrary shell interaction as the user who received that attachment. On Panther systems, it's additionally trivial with that much access to gain persistent remote root access.

Sorry, but you just repeated what I said above; unless you activate proper loading of the attachment, either as local user or under ssh, those executions cannot occur. The point is: OS X is naturally closed in the "blank"; unless local accounts or full ssh access are given to users, nothing really happens.

Quote from Secunia's site:

"This can be exploited to trick users into executing a malicious shell script renamed to a safe file extension stored in a ZIP archive or in a mail attachment.

This can also be exploited automatically via the Safari browser when visiting a malicious web site, [provided a link is clicked by the user with a proper account]."

jmeyoung
Mar 7, 2006, 05:28 AM
More details from the site itself:

"To make things clear, this isn't some kind of wargame for which a solution exists in advance. As stated on the front page, it's simply a out-of-the-box install of Mac OS X (it came pre-installed) with an LDAP server, Apache, PHP and MySQL and this site. Nothing else."


Maybe it was the timing of my purchase... but my "out-of-the-box install" on my 15" Powerbook did not have MySQL and PHP was disabled and Apache was turned off. I had to modify httpd.conf to enable PHP, then start up apache, then download and install MySQL and start it up. I can't speak to the LDAP server since I have had no need to mess with it.

~jamie
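bigandy and jmeyoung both describe PHP being off in the stock httpd.conf and only coming on after the file is edited. As an added example, not the thread's or Apple's code, the shell function below reads an Apache 1.3 httpd.conf of that generation and reports whether the PHP module is disabled, enabled, or half-enabled (only one of the two directives uncommented, so httpd will not serve PHP but the file has clearly been touched). It assumes the directive names LoadModule php*_module and AddModule mod_php*.c for that Apache/PHP pairing; the sample configs it writes are constructed here, and /etc/httpd/httpd.conf as the place to point it at on a Tiger box is an assumption too.

```shell
#!/bin/sh
# Added example (not from the thread or Apple): report whether PHP is wired into
# an Apache 1.3 httpd.conf. Enabling PHP in that generation takes two uncommented
# directives, "LoadModule php*_module ..." and "AddModule mod_php*.c"; the file as
# shipped had both commented out. Directive names are an assumption about that
# Apache/PHP pairing; the sample configs below are constructed for the example.

# php_state CONF_FILE
#   Prints "disabled" (both directives commented out or absent), "enabled"
#   (both active) or "inconsistent" (exactly one active).
php_state() {
    conf=$1
    # Anchoring at line start (after optional whitespace) skips '#'-commented lines.
    load=$(grep -Ec '^[[:space:]]*LoadModule[[:space:]]+php[0-9]*_module' "$conf" || true)
    add=$(grep -Ec '^[[:space:]]*AddModule[[:space:]]+mod_php[0-9]*\.c' "$conf" || true)
    if [ "$load" -gt 0 ] && [ "$add" -gt 0 ]; then
        printf 'enabled\n'
    elif [ "$load" -eq 0 ] && [ "$add" -eq 0 ]; then
        printf 'disabled\n'
    else
        printf 'inconsistent\n'
    fi
}

# write_demo_conf FILE MODE
#   Writes a constructed httpd.conf fragment. MODE is "default" (both directives
#   commented, as shipped), "enabled" (both uncommented) or "half" (LoadModule only).
write_demo_conf() {
    case "$2" in
        default) lm='#'; am='#' ;;
        enabled) lm='';  am=''  ;;
        half)    lm='';  am='#' ;;
    esac
    cat > "$1" <<EOF
ServerType standalone
Port 80
${lm}LoadModule php4_module        libexec/httpd/libphp4.so
${am}AddModule mod_php4.c
<IfModule mod_php4.c>
    AddType application/x-httpd-php .php
</IfModule>
EOF
}

# Stand-alone run: show the three states side by side.
demo_conf=$(mktemp "${TMPDIR:-/tmp}/httpd.conf.XXXXXX")
for mode in default enabled half; do
    write_demo_conf "$demo_conf" "$mode"
    printf '%-8s -> php %s\n' "$mode" "$(php_state "$demo_conf")"
done
rm -f "$demo_conf"
```

To check your own box, call `php_state /etc/httpd/httpd.conf` (assumed location); "disabled" is the stock state the posters describe, and anything else means someone edited the file.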

iMeowbot
Mar 7, 2006, 05:50 AM
Sorry, but you just repeated what I said above
No. You wrote:
For privilege escalation to occur under the already-patched Mail and Safari holes, you would still need a local account, or a user's command to allow the exploits to work.
That is false, you do not need "a user's command" to make that work. You need the user to read a mail message or click on an ordinary Web page. Those are not commands under a reasonable interpretation of the word "command". Especially so, even if you want to use a tortured definition of "command" that includes clicking on a link, it is not a command to execute the downloaded content!

The problem was a matter of vendor supplied software that failed to make a distinction between code and data, NOT user error.

Maybe it was the timing of my purchase... but my "out-of-the-box install" on my 15" Powerbook did not have MySQL and PHP was disabled and Apache was turned off. I had to modify httpd.conf to enable PHP, then start up apache, then download and install MySQL and start it up. I can't speak to the LDAP server since I have had no need to mess with it.
It's rather bizarre that people keep harping on these, because first of all, the owner of the box was simply disclosing exactly what had been done to the machine, and those changes are rather common. Furthermore, there is no evidence at all that any of those programs had anything at all to do with the privilege escalation that occurred.
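The Secunia text quoted above, and iMeowbot's description of software that failed to distinguish code from data, both describe a file whose extension says "picture" or "text" while its bytes say "program". That mismatch can be checked without opening anything. The shell functions below are an added example, not from the thread, Secunia or Apple: they read the first four bytes of every file with a safe-looking extension under a directory and flag shebang scripts and Mach-O or universal binaries. The sample download folder is constructed here; the extension list and the magic numbers checked are choices made for the example, not a complete catalogue.

```shell
#!/bin/sh
# Added example (not from the thread, Secunia or Apple): find files whose name
# promises inert data (.jpg, .txt, .mov, ...) but whose first bytes say "code".
# That mismatch is what the renamed-shell-script attachments relied on; a download
# or mail folder containing one deserves a look before anything in it is opened.

# classify_header FILE
#   Prints "script" for a shebang, "macho" for a Mach-O or universal binary
#   header, "data" otherwise. Only the first four bytes are read.
classify_header() {
    hdr=$(od -An -tx1 -N 4 "$1" 2>/dev/null | tr -d ' \n')
    case "$hdr" in
        2321*)               printf 'script\n' ;;  # "#!"
        feedface*|cefaedfe*) printf 'macho\n'  ;;  # 32-bit Mach-O, big/little endian
        feedfacf*|cffaedfe*) printf 'macho\n'  ;;  # 64-bit Mach-O
        cafebabe*)           printf 'macho\n'  ;;  # universal (fat) binary; Java class files share this magic
        *)                   printf 'data\n'   ;;
    esac
}

# find_disguised_executables DIR
#   Walks DIR for files with a safe-looking extension and prints
#   "<kind><TAB><path>" for each one whose header is not plain data.
find_disguised_executables() {
    find "$1" -type f \( -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.gif' \
        -o -iname '*.png' -o -iname '*.txt' -o -iname '*.pdf' -o -iname '*.mov' \
        -o -iname '*.mp3' -o -iname '*.doc' \) -print 2>/dev/null |
    while IFS= read -r f; do
        kind=$(classify_header "$f")
        [ "$kind" = data ] || printf '%s\t%s\n' "$kind" "$f"
    done
}

# make_demo_inbox
#   Constructed download folder: a real JPEG header, a text file, a shell script
#   wearing a .jpg name and a Mach-O header wearing a .mov name. Prints the path.
make_demo_inbox() {
    inbox=$(mktemp -d "${TMPDIR:-/tmp}/inbox.XXXXXX")
    printf '\377\330\377\340JFIF'         > "$inbox/holiday.jpg"   # ff d8 ff e0: JPEG
    printf 'meeting notes\n'              > "$inbox/notes.txt"
    printf '#!/bin/sh\necho "this ran"\n' > "$inbox/funny.jpg"     # script under a picture name
    printf '\316\372\355\376'             > "$inbox/trailer.mov"   # ce fa ed fe: i386 Mach-O
    printf '%s\n' "$inbox"
}

# Stand-alone run over the constructed folder.
demo_inbox=$(make_demo_inbox)
echo "disguised executables under $demo_inbox:"
find_disguised_executables "$demo_inbox"
rm -rf "$demo_inbox"
```

Point `find_disguised_executables` at ~/Downloads or a Mail attachments folder; a "script" or "macho" line for something called holiday.jpg is the file not to double-click. The check is a detection aid only: it does not look inside ZIP archives or at the Finder metadata the original flaw abused, so an empty report is not a clean bill of health.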

javanate
Mar 7, 2006, 06:21 AM
Everybody calm down. It's pretty obvious, once you RTFA, that this was a BULLSHlT setup designed to promote whatever website/organization set it up. CNET, if they have any scruples whatsoever, will update their article to reflect this. And the blogs that are reporting it? Guess who's reading them - nobody, except for the minute audience that's the same size as the one reading these forums. A quick Google new search turns up 19 sites that reprinted this same info, and they're pretty much all geek-mags, with the exception of CNET and ZDNet.

In other words, a total non-story. Wake me up when CNN reprints this on their site.

Right on the money here, this contest was obviously designed as a headline catcher for oblivious reporters. I think a better contest would be to see who actually has that set up on their computer.

atomwork
Mar 7, 2006, 06:35 AM
From ZDNet. (http://www.zdnet.com.au/news/software/soa/Mac_OS_X_hacked_in_less_than_30_minutes/0,2000061733,39241748,00.htm?feed=rss)

Paul Thurrott getting a stiffy about it. (http://www.internet-nexus.com/2006/03/mac-os-x-hacked-under-30-minutes.htm):rolleyes:


Somehow I don't feel surprised by all those comments surfacing now. It was a no brainer that a less used system is more protected against hackers, especially when the machines used to cost way more than PCs. Sad to see it's happening now.

Anyway, I like the comment "It just looks better", it does;))))

cloud 9
Mar 7, 2006, 06:39 AM
is it plausible that Apple doesn't react on vulnerabilities because of policies?

Cause if Apple does immediately react on every vulnerability, it would become like MS. A spiral of exploit, virus, trojan -> patch.
And the hacker might feel that he can control cause for every time he finds something a big company has to bring out a patch. so he's encouraged for it.

and so to bring out a patch way later, nobody actually really remembers what it's was for, and discredits the hacker a bit.

And Apple is still in the position to do this, cuz there's really no dangerous virus or something like that.

any thoughts?

Shintocam
Mar 7, 2006, 07:02 AM
Wow. Yeah, I suppose anyone could hack a computer that they're told about.

Plug a windows machine into the internet the first time, and before you can download any malware definitions, it's almost surely going to be ridden with it. PFT. What a jerkoff. Anyone want to pay for a plane ticket so I can kick this guy's ass? The ass-kicking will be free. Hell, I'll take him, Bill Gates, and monkey-man ballmer all on at the same time, with one hand tied behind my back, and hopping.

Give me a break - Windows is bad - but it is not like just simply plugging it in all of a sudden automatically loads a bunch of malware, spyware and viruses. I use both Mac and Windows machines regularly - and have never ever had any spyware on my computer and only one virus ONCE from a floppy disk, and it did nothing. AND with several of my computers they were left in the native state for weeks before I got around to loading anti-spyware or virus protection.

Yes there are a lot of Windows exploits but it is not necessary to make it seem worse than it is just to prop up Apple.

The point is that there are some vulnerabilities in OSX. Perhaps this setup was not realistic, but regardless there are some vulnerabilities and as this becomes more high-profile people will continue to look for more of them (and they will find them). The take home lesson is simply - don't assume you are safe - but there are several pretty simple ways to protect yourself from the most obvious problems.

Apple did just release a Security update (for previous vulnerabilities - not this one yet) - obviously they take this seriously - and you should too.

great high wolf
Mar 7, 2006, 07:14 AM
Let's be honest. OS X is, for whatever reason, not nearly as targeted by evil people as Windows. Apple do a good job of patching vulnerabilities. This is serious from some perspectives (like the virus using this to get root), but from others it is a non-issue (the average user... how many of them have been hacked? And are there any exploits for this in the wild?).

The panic is due to the media like CNet who have it in for Mac users.

Once they piss off and find some actual news, we will stop panicking, Apple will still bring out updates, and the overall stress level will decrease. :)

pawnstar
Mar 7, 2006, 07:15 AM
The test system left obvious holes open though.

However, the only real holes in a system should be through the owner's decisions not holes in the system itself, or exploits.

BenRoethig
Mar 7, 2006, 07:44 AM
In other words, my Mac is hackable as long as I let the hacker in my front door and have him sit at my keyboard for half an hour.

freeny
Mar 7, 2006, 08:13 AM
I personally like these competitions. It keeps Apple on its toes. Better to find this stuff, even if it is not over the internet, and fix it than for someone with malicious intentions to do it on a large scale.

No one really ever believed that Macs are "Hack proof", If they did they were very misinformed. No OS will ever be hack proof.

I'm really interested to see how the rebuttal competition goes.

simon-says
Mar 7, 2006, 08:23 AM
I wasn't able to read the article, but I saw he gained access through SSH. Did he use the same OpenSSH exploit from a little while ago? The same one Apple still hasn't issued an update on. If so, wasn't much of a "hack".

AlmostThere
Mar 7, 2006, 08:35 AM
It's rather bizarre that people keep harping on these, because first of all, the owner of the box was simply disclosing exactly what had been done to the machine, and those changes are rather common. Furthermore, there is no evidence at all that any of those programs had anything at all to do with the privilege escalation that occurred.

Quite. I don't see why actually using a computer should be such a crime.

You can rent a web server for £10 / month with ssh, PHP, Apache and MySQL - are people suggesting that OS X should not be a viable alternative to Linux / Unix for a company offering these services?

Secondly, while the actual method of privilege escalation has not been disclosed, I don't suppose the fact that local access apparently lead to such rapid exploitation is going to be of much comfort to anyone considering using Macs in an office or university environment.

bousozoku
Mar 7, 2006, 08:58 AM
In other words, my Mac is hackable as long as I let the hacker in my front door and have him sit at my keyboard for half an hour.

Well, don't forget to create a limited account for him and install special software for him. That way, he can gain access to the administrator account through a carefully-crafted setup.

Obviously, there are holes in the system, but thankfully, they're a bit more difficult to exploit from a distance.

mkrishnan
Mar 7, 2006, 09:08 AM
Secondly, while the actual method of privilege escalation has not been disclosed, I don't suppose the fact that local access apparently lead to such rapid exploitation is going to be of much comfort to anyone considering using Macs in an office or university environment.

For better or worse, my iBook sits in my (shared, locked when no one is there) office at the University on most weekdays, open, and logged in as me (standard account now). So yes, you are quite correct, that my Mac is quite susceptible to an attack from a person sitting at the keyboard. And you're also right, that if I were on a managed installation, this would bother me a lot. But it is important to know what happened, because it tells us more about who exactly *is* at risk.

For instance, if I were to just clean install 10.4.5 with the latest security updates, create an admin account with a strong password, create a limited user account for you, give you the login information and boot up for you and let you log in, and sit down and have at, would you be able to easily gain root privileges on my computer? Or would you need more to go on, than that? That doesn't seem so clear at this point, and it seems like a fair question.

sphereboy
Mar 7, 2006, 09:09 AM
I have to agree with a few points being made, and disagree with some.

It is obvious that the reason the Mac seems more secure is the Mac shares a small percentage of market usage. If the Mac flipped places with Windows, I'm sure we [Mac] would feel the brunt of spyware, viruses, and more reports of crashing. Simply for the fact that when you have over 90% of the world using your computer your odds of finding something wrong with it decrease.

In another year, I see every Mac user running an anti-virus software, and an extra firewall. If not another year, another two maybe. But the more people buy Macs the more possibilities that a hacker will buy one to hack into yours.

No reason to get angry at the Swedes for trying to hack into the box. It's actually a good thing. What if they do find vulnerabilities that Apple is not aware of? .. Let them report it, and we can download the fix.

whooleytoo
Mar 7, 2006, 09:25 AM
For instance, if I were to just clean install 10.4.5 with the latest security updates, create an admin account with a strong password, create a limited user account for you, give you the login information and boot up for you and let you log in, and sit down and have at, would you be able to easily gain root privileges on my computer? Or would you need more to go on, than that? That doesn't seem so clear at this point, and it seems like a fair question.

Always work on the assumption that if someone can log into your machine, you're in trouble. Pop in an OSX install CD, reinstall and create a new admin account for yourself, job done (there probably are much quicker ways too).

duffman9000
Mar 7, 2006, 09:31 AM
Give me a break - Windows is bad - but it is not like just simply plugging it in all of a sudden automatically loads a bunch of malware, spyware and viruses.

On an unpatched system running XP, not behind a firewall, you are begging for trouble. Even with a baseline SP2 install, same problems. You have to run a firewall with XP.
All this hoopla over privilege escalation. XP is still the champ though, the last critical patch took the cake... just look at an image using picture and fax viewer and BAM, you got pwned.

mkrishnan
Mar 7, 2006, 09:31 AM
Always work on the assumption that if someone can log into your machine, you're in trouble. Pop in an OSX install CD, reinstall and create a new admin account for yourself, job done (there probably are much quicker ways too).

This has always confused me... there are supposed to be several ways to boot a Mac off a system disk. But the first time I ever tried to do this was when I got Tiger for my iBook. And after trying several of the listed techniques to get my iBook to boot off the DVD, only to have it come back up in Panther, the *only* thing I could get to work was using Control Panel, and selecting the startup disk from there, and restarting from there. And this feature isn't available unless admin privileges are invoked. So as far as *my* iBook is concerned, I'm not so sure about this... from what I can see, the only way my iBook would boot off a system DVD would be to use an admin's password.

But then it seems that for other people, it is possible to just hold down "C" or something like that and get the system DVD to boot, or just clicking on the restart button you get when you launch the program on the Tiger DVD. And since the system DVD will let you reset the root password, yes, clearly, this is a big leak.

I'm confused, though, about when this is, and is not, true. I know that when Tiger came out, others had this same issue of not being able to boot off a DVD using the keyboard method....

Ace25
Mar 7, 2006, 09:33 AM
Should my Firewall be turned on? Is there any reason why I wouldn't want it on?
Thanks.

mzd
Mar 7, 2006, 10:02 AM
Should my Firewall be turned on? Is there any reason why I wouldn't want it on?
Thanks.
i would say yes - turn it on. it won't hurt and there is no reason to have it off, if you are a normal user. you can then grant port access on a case by case basis.

jevoe
Mar 7, 2006, 10:05 AM
I rest pretty easily with my <10% market share assurance and that apple actually fixes exploits and holes rather effectively, but no computer is 'unhackable'

here's a good read on a similar topic, personally I consider rixstep to be the end all be all of network security, mainly because they don't offer allegiance to any single company/os/etc.

http://www.rixstep.com/1/20060306,00.shtml

mkrishnan
Mar 7, 2006, 10:06 AM
Should my Firewall be turned on? Is there any reason why I wouldn't want it on?
Thanks.

Yes, it should be on. Turn it on, and open up as few ports as you need to make things work. The firewall blocks traffic coming IN. So the only times you ever really need it are for certain kinds of activities which involve incoming traffic. These include:

- serving web, ftp, files, music, printers, etc, off your computer
- sometimes it is beneficial for certain IM services like file transfer and AV chatting, but it doesn't seem to be necessary.
- Most Limewire type services do need ports open to work properly

When you turn on services like the webserver, if you have the firewall up, OS X will automatically open the port necessary for functioning. So it's very easy to manage. Basically, just leave everything closed. If a program that uses the network doesn't work, open up relevant ports.

That's the best way to go. :)

whooleytoo
Mar 7, 2006, 10:09 AM
This has always confused me... there are supposed to be several ways to boot a Mac off a system disk. But the first time I ever tried to do this was when I got Tiger for my iBook. And after trying several of the listed techniques to get my iBook to boot off the DVD, only to have it come back up in Panther, the *only* thing I could get to work was using Control Panel, and selecting the startup disk from there, and restarting from there. And this feature isn't available unless admin privileges are invoked. So as far as *my* iBook is concerned, I'm not so sure about this... from what I can see, the only way my iBook would boot off a system DVD would be to use an admin's password.

Have you tried holding Option while booting, then selecting the CD/DVD when it appears?

(Yikes, am I giving cracking tips here? :eek: ;) )

mkrishnan
Mar 7, 2006, 10:17 AM
Have you tried holding Option while booting, then selecting the CD/DVD when it appears?

(Yikes, am I giving cracking tips here? :eek: ;) )

Yeah, see...that's what's strange. I know about this method, as well as the holding C method. Neither of these methods work on my iBook, as far as I can tell. I can't remember if I tried Cmd-Opt-Shift-D. But at least, the first two didn't work, I am pretty sure, when I was trying to install Tiger. I don't know why. But the Sys Prefs did.

Which I guess would've been a problem if my Mac ever refused to boot off the HD! :eek:

deadturtle
Mar 7, 2006, 10:41 AM
The difference is that here, once given a key to the house, the hacker gained access to the locked gun cupboard as well within 30 minutes. The danger here is that once inside the house (something that you allow hundreds of times a day browsing the web) it's supposedly a simple task to gain access to the whole system.


The goal of course is to keep the people out of your house in the first place. Any out of the box install is not going to have ssh turned on, and unlike most OEM windows kits will not come with root (administrator) or even a customer or preferred user (whatever) account installed on it. Apple sets up the accounts as it walks you through the initial setup. To fully enable root you have to go through the net_info_mgr. Any computer running on the internet is vulnerable, period. If you leave it out there long enough someone will visit (10,000 chimps, 10,000 typewriters, 10,000 years = Hamlet). If you are paranoid unplug your network, security solved! Otherwise, turn on your firewall, understand that by turning on personal web sharing (or whatever) you are making your computer more accessible, and use strong passwords. It's only the best anyone can do. Being alert and being aware is most likely the best security anyone ever got.

symlink
Mar 7, 2006, 11:09 AM
With all this talk of XP vs. OSX now - it looks like this 'competition' (more like special olympics) would be comparable to setting up an XP machine (SP2 even if you like), not hardening the OS at all, leaving the firewall off, and giving a user a 'limited user' username and password.

Something tells me that it would be well within 30 mins to hack that machine. I've worked on people's XP computers that didn't even give out an account to anyone and have been hacked immediately after installation.

Someone needs to set up an OSX machine w/ normal security (as is typical for setups) and see how long it takes to hack that. I'm sure it's possible, but I bet not quicker than hacking XP.

blitzkrieg79
Mar 7, 2006, 12:11 PM
Ehhhhh, some people need to realize that nothing in this world is perfect nor 100% secure. Mac OS X may be more secure than its Windows counterpart but it certainly has its flaws.

Now that Apple is on the rise we will see more attacks at Mac OS X, we will see viruses and we will see various types of hacks. In all reality if I would be a hacker I wouldn't care about Apple and its small market share, I would hit where it hurts the most, Windows, as it is the most popular OS in the world. But now that Mac OS X is on the rise and there is even a slight possibility of it being released to the PC x86 world it's only a matter of time when spyware, trojans, and viruses will hit Mac OS X. Maybe not to the Windows degree but as Mac OS X will gain more popularity, we certainly won't be able to say that Mac OS X is virus free or spyware free.

And I still think that the PPC architecture alone gave Mac OS X additional protection layer and something that x86 doesn't really offer.

mzd
Mar 7, 2006, 12:13 PM
Someone needs to set up an OSX machine w/ normal security (as is typical for setups) and see how long it takes to hack that. I'm sure it's possible, but I bet not quicker than hacking XP.

read the last paragraph on the macrumors article. UW-Madison has done just that. The page has been up since yesterday and is still running strong. It was posted here, on macrumors, and on slashdot.
http://test.doit.wisc.edu/

greatdevourer
Mar 7, 2006, 12:17 PM
The proof is the total lack of news, apart from that fake contest and the "proof-of-concept" exploits...after all, aren't "hackers" the ones most interested in self-publicity? No, not really. Most true hackers either present what they have to the world

1. Mac OS X Cannot get viruses
2. Mac OS X Cannot be hacked.

I will believe the above two statements until I see otherwise with my own eyes. The second statement is ******** :p Sorry to tell you, but many an X box has been 0wnd. Just go to osvdb.org and search for Mac OS X and you'll find a load of stuff for it

shamino
Mar 7, 2006, 02:52 PM
Give me a break - Windows is bad - but it is not like just simply plugging it in all of a sudden automatically loads a bunch of malware, spyware and viruses.
If you're attached to the internet without a firewall, then this is almost the case. Please see this news article (http://www.techweb.com/wire/security/54201306). Unpatched Windows SP1 boxes (such as what you get just after a new installation, or what comes preloaded on many computers) have been compromised by hackers/worms/viruses within 30 seconds. Not even close to the amount of time needed to download and install the patches that would keep them out.

(To be fair, Windows SP2 and SP1 with ZoneAlarm were not as vulnerable, but that test was over a year ago and a lot of SP2 exploits have become common since then.)
I use both Mac and Windows machines regularly - and have never ever had any spyware on my computer and only one virus ONCE from a floppy disk, and it did nothing. AND with several of my computers they were left in the native state for weeks before I got around to loading anti-spyware or virus protection.
With no security patches whatsoever? Then you are obviously behind a firewall. Either one that you've set up (like a gateway router) or one that your ISP is providing on their end of the connection (I think AOL does this.)

great high wolf
Mar 7, 2006, 03:00 PM
Secondly, while the actual method of privilege escalation has not been disclosed, I don't suppose the fact that local access apparently led to such rapid exploitation is going to be of much comfort to anyone considering using Macs in an office or university environment.

Then password it properly. If they can't get into whatever program they need, they can't do anything. Just totally keep them out of the OS.

macdong
Mar 7, 2006, 03:24 PM
As much as I'd like to think that OS X is inherently more secure than Windows, it would certainly be a swift kick to the balls to find out that the 'security by obscurity' folks were right all along.

NOTE: I'm not saying they are, but this could be considered evidence for their conclusion.

you should look at the setup of that mini more closely.
a Windows box with the same ports enabled can be hacked in under 30 seconds.

Yeah, see...that's what's strange. I know about this method, as well as the holding C method. Neither of these methods work on my iBook, as far as I can tell. I can't remember if I tried Cmd-Opt-Shift-D. But at least, the first two didn't work, I am pretty sure, when I was trying to install Tiger. I don't know why. But the Sys Prefs did.

Which I guess would've been a problem if my Mac ever refused to boot off the HD! :eek:

[edited]

sorry, didn't see the previous posts :)
but this is what i do.
i have a remote hard drive with OS X and some utilities installed.
if something goes wrong, i'll just boot from the remote hard drive and fix the problems.
if all fails, i simply clone it :)
it's faster that way

yac_moda
Mar 7, 2006, 04:09 PM
Why IS it that all of the best hackers and hacking competitions are in Scandinavian countries ...


... where Swiss banks are and banking in anonymity :eek: :eek: :eek:


Can banks do a better job of laundering money if they have the best hackers ???

AlmostThere
Mar 7, 2006, 04:22 PM
Then password it properly. If they can't get into whatever program they need, they can't do anything. Just totally keep them out of the OS.
Er, the point is that some programme they "need" for normal use is also providing them, through some exploit, with inappropriate privileges.

Today it might be one of ssh, PHP, MySQL or Apache. Tomorrow it might be Pages, Spotlight or Dashboard.

maestro55
Mar 7, 2006, 04:42 PM
As a future NST (Network Security Technology) student at Texas State Technical College, these kind of reports are of interest to me. I have often said that no computer is safe, and as long as there are hackers out there willing to take the time and who know what they are doing, they can break into systems. This is why the security guys need to pay attention to these reports and do pen tests and such. If the security guys are ahead of the game then they can help protect the users.

All too often people are running their machines without a firewall, or without being behind a firewall. Too many people open up ports that are not needed, and too many users believe that they will never get a virus. I don't care what kind of computer you have and what kind of network you have, you should be paranoid and you should secure your computer and the network that it is on. This is a heads up for the Apple community to beware.

manu chao
Mar 7, 2006, 05:03 PM
Why IS it that all of the best hackers and hacking competitions are in Scandinavian countries ...


... where Swiss banks are and banking in anonymity :eek: :eek: :eek:


Can banks do a better job of laundering money if they have the best hackers ???

Switzerland is not in Scandinavia. If this ignorance continues I might start to claim that the US is part of the Caribbean.

Fiveos22
Mar 7, 2006, 06:03 PM
Switzerland is not in Scandinavia. If this ignorance continues I might start to claim that the US is part of the Caribbean.

It's not?!

Then we better get crackin' cause if the US is part of the Caribbean then they would have much better weather.

yac_moda
Mar 7, 2006, 06:43 PM
Switzerland is not in Scandinavia. If this ignorance continues I might start to claim that the US is part of the Caribbean.

:eek: WoOoW you are HALF right ??? Thus, the situation is even worse than I thought !!!

Hackers got into Davos system ...
http://transcripts.cnn.com/2001/WORLD/europe/02/04/davos.hackers/index.html

"February 4, 2001
Web posted at: 11:44 AM EST (1644 GMT)

GENEVA, Switzerland -- Hackers managed to steal credit card numbers and other personal details from some of the global leaders attending the World Economic Forum (WEF) in Davos last week.

The WEF said it does not yet know who breached its computer system or how they obtained confidential information. It is treating the matter as a crime."

I want to get my MBA in Geneva !!!!!!!

¡¡¡ WOoOW !!! "Those who attended this year's meeting in the Swiss resort included Microsoft founder Bill Gates, the Palestinian leader Yasser Arafat, South African President Thabo Mbeki and Japanese Prime Minister Yoshiro Mori."

See they ARE in CONTROL !!!
""We at this point have no idea how this information got out. If they could have a security breach at the Pentagon and they can have a security breach at the State Department, it is possible to have a security breach at the World Economic Forum.""

ITS ALL ABOUT BANKING :eek:
"There has been speculation the hackers were connected to anti-globalisation protesters but McLean refused to comment."
"Protesters were kept away from the conference this year by extremely tight security, but staged marches in some other cities, including the Swiss business and banking centre Zurich."

World forum hacker nabbed in Switzerland ...
http://www.usatoday.com/tech/news/2001-02-23-hacker.htm
"GENEVA (AP) — Swiss police arrested a man Friday on suspicion of hacking into the computer systems of the World Economic Forum and stealing private information about participants.

Geneva police said the man was a 20-year-old Swiss citizen and part time computer consultant. He was arrested in the Swiss capital, Bern.

Police said he would be charged with data theft, unauthorized entry into a computer system, damage to property and misuse of credit cards. If found guilty he faces up to five years in prison, or a fine.

No further details would be released, police said. They did not release the name of the suspect.

It was not clear whether the man had been working alone or whether he had been part of a team. A shadowy group of anti-globalization hackers calling themselves "Virtual Monkeywrench" had claimed responsibility for the attack"

backdraft
Mar 7, 2006, 06:44 PM
Found this article worth upgrading to Tiger:

Gain root at startup
http://www.rixstep.com/1/20060306,00.shtml

Apple's slipping lately...

macdong
Mar 8, 2006, 12:18 AM
Found this article worth upgrading to Tiger:

Gain root at startup
http://www.rixstep.com/1/20060306,00.shtml

Apple's slipping lately...

this link has been posted numerous times around here.
in this case, Apple "slipped".

great high wolf
Mar 8, 2006, 05:41 AM
Er, the point is that some programme they "need" for normal use is also providing them, through some exploit, with inappropriate privileges.

Today it might be one of ssh, PHP, MySQL or Apache. Tomorrow it might be Pages, Spotlight or Dashboard.

I mean, don't even let them use your computer. Lock them out by passwording your account, disabling autologin and not telling them.

A rather good philosophy I use to take care of mine:
Trust No One.

No-one else uses it. Ever. I only even let it out of my sight when absolutely necessary.

AlmostThere
Mar 8, 2006, 08:45 AM
Ah, I think we might be talking cross-purposes here.

I am concerned about a managed environment with a large number of intentionally available computers used by a large user base, e.g. office or university provided equipment, not someone's private property left lying about in an office, although similar in theory. These machines need to give multiple, non-privileged users access to programmes.

Don't think many people would be too happy with an administrator that didn't let people log in to their computers! :D

bankshot
Mar 8, 2006, 11:21 AM
A little late to the party, but I can't believe how many people are dismissing this as nothing, because their beloved Mac Can Do No Wrong. Actually, I can believe it. I don't know why this blind allegiance surprises me every time. Take off your rose-colored, reality-distorted, Mac-love-fest glasses! :rolleyes: :cool:

This is a very serious exploit. People dismiss it because the hacker was given a local account. They say they don't give anyone else local accounts, so they are safe, right? Wrong!

Ever downloaded a program and ran it? You just gave someone (the author of the program) local access to your machine. If a person could gain full, unauthorized superuser access with a local account, that person could also write a program to do the same thing. Package it up as a nice utility, widget, screensaver, etc, and boom! There's their vector to superuser access on your machine. If they're subtle about how they use that access, it may not be traced to their program for quite a long time.

As a few others have said (and got lost in the noise of "LA LA LA LAAAA! I CAN'T HEAR YOU, MY MAC IS ULTRA SECURE!!!"), the just recently fixed Safari/Launch Services exploit that allowed execution of a program without user intervention could be combined here to gain full access simply by clicking on a harmless looking web link. That's pretty big. The only step that's still missing (thankfully!) is a way to propagate to other systems without at least a user click. Still, it doesn't make me feel too good about downloading and running third party software...

I hope Apple has the details of the exploit and treats it seriously. As market share increases, such vulnerabilities will only be exposed at a higher rate. I don't want this to turn into another Windows situation! :eek:

Now, back to your regularly scheduled Mac love fest... :rolleyes: :D

greatdevourer
Mar 8, 2006, 11:59 AM
^^ The university test took 38 hours, and no-one succeeded. All they did was turn firewall on. A large number of other factors point towards the 30-minute one to be a setup

bousozoku
Mar 8, 2006, 12:17 PM
A little late to the party, but I can't believe how many people are dismissing this as nothing, because their beloved Mac Can Do No Wrong. Actually, I can believe it. I don't know why this blind allegiance surprises me every time. Take off your rose-colored, reality-distorted, Mac-love-fest glasses! :rolleyes: :cool:

This is a very serious exploit. People dismiss it because the hacker was given a local account. They say they don't give anyone else local accounts, so they are safe, right? Wrong!

Indeed, the exploit was a carefully-crafted project. I could duplicate similar instances by loading a Jaguar and avoiding any security updates, then applying software, especially versions of which happen to have security breaches.


Ever downloaded a program and ran it? You just gave someone (the author of the program) local access to your machine. If a person could gain full, unauthorized superuser access with a local account, that person could also write a program to do the same thing. Package it up as a nice utility, widget, screensaver, etc, and boom! There's their vector to superuser access on your machine. If they're subtle about how they use that access, it may not be traced to their program for quite a long time.
...


My reason exactly for not using "optimised" versions of browsers and choosing other software carefully.

Mac OS X is still more secure than other desktop operating systems but it's not totally secure.

ronrubin
Mar 9, 2006, 09:15 AM
Get real everyone! EVERY computer system can be hacked. Unless you physically disconnect from the Internet and lock your computer in a safe, you are vulnerable. Yes, Unix and OSX are probably more secure than Windows. But DUHH they can be hacked as well.

Upgrading a local account to root is very serious, and indicates a huge bug in the OS. This is definitely something that should NOT have been possible. Specifically, this means that an ordinary user can easily access other users' files on the same machine (=privacy is gone), view them and/or delete them.

It's not the specific bug that matters. You may very well be immune to this exact attack. HOORAY, you are safe, right? No. This is a concept proof. The OS is not perfect, and there are surely many more from where this came from. One of them may apply exactly to your configuration.

whooleytoo
Mar 9, 2006, 09:38 AM
^^ The university test took 38 hours, and no-one succeeded. All they did was turn firewall on. A large number of other factors point towards the 30-minute one to be a setup

The initial "30 minute" test was a very valid one, it just wasn't the test a lot of people believe it to be.

It was a test to see if privilege escalation was possible, from non-admin user to root; and it appears it's not just possible but quite easy. This is a serious concern, and needs to be rectified immediately, if true.

The problem is that the way the test was reported, made it sound like it was a test of Mac server security, which it never was.

shamino
Mar 9, 2006, 10:37 AM
The initial "30 minute" test was a very valid one, it just wasn't the test a lot of people believe it to be.

It was a test to see if privilege escalation was possible, from non-admin user to root; and it appears it's not just possible but quite easy. This is a serious concern, and needs to be rectified immediately, if true.
It depends on the nature of the installation.

If the Mac is in a university or corporate environment, where there are a lot of untrusted users with logins, then this is a real concern. Unfortunately, we don't know if the vector used for this hack was a bug in Mac OS or a bug in one of the applications that the "rm-my-mac" organizer installed. If the former, then Apple has to do something quickly. If the latter, then it's nothing Apple could fix, even if they wanted to.

For a typical home user, where the only untrusted users are likely to be the owner's own children, there is still a concern, but less of one. Keep in mind that any such user that knows enough to use a privilege-escalation exploit probably knows enough to get daddy's system restore CD off the shelf, boot it, and reset the passwords from there.

For other home situations (like mine) where there are no untrusted users (all accounts belong to the owner), this exploit means nothing.
The problem is that the way the test was reported, made it sound like it was a test of Mac server security, which it never was.
Absolutely correct.

whooleytoo
Mar 9, 2006, 10:49 AM
For other home situations (like mine) where there are no untrusted users (all accounts belong to the owner), this exploit means nothing.

I'm not so sure. Obviously the details haven't yet been revealed (that I'm aware of) so it's hard to tell, but it may be more serious than that.

It's possible that if you were to download a cleverly disguised trojan (or, using the previously discovered vulnerability in how OSX fails to recognise some shell scripts as executables), this privilege escalation might be used to elevate the privileges of that process to root. If so, that's a very major concern for any Mac user.

greatdevourer
Mar 9, 2006, 11:09 AM
The initial "30 minute" test was a very valid one, it just wasn't the test a lot of people believe it to be.

It was a test to see if privilege escalation was possible, from non-admin user to root; and it appears it's not just possible but quite easy. This is a serious concern, and needs to be rectified immediately, if true.

The problem is that the way the test was reported, made it sound like it was a test of Mac server security, which it never was. The email in another thread makes him sound as though the aim from the beginning was to wait a while, then root it himself. Either that, or he's 12.
There is one serious bug left that surprises me: the 5-minute sudo timeout (supposedly for the user's "convenience")

shamino
Mar 9, 2006, 01:28 PM
It's possible that if you were to download a cleverly disguised trojan (or, using the previously discovered vulnerability in how OSX fails to recognise some shell scripts as executables), this privilege escalation might be used to elevate the privileges of that process to root. If so, that's a very major concern for any Mac user.
This is something no system can ever protect against, and a "security hole" that exists on every operating system and can never be patched.

An application can simply ask for an admin password. And if the trojan is pretending to be an application installer, every user in the world will fall for it, because everybody expects installs to ask for this. The only way to protect against this is to refuse to run any program that comes from an untrusted source.

As for the trojan disguised as a safe document, nobody should ever use the "Open safe files after downloading" option in the first place, because no program can ever conclusively determine what is safe. (Even with Apple's security fix that patches the most recently exploited hole.)

Exploits that rely on a careless administrator are impossible to protect against. IMO, attempting to do so is a complete waste of time.

sphereboy
Mar 9, 2006, 01:30 PM
one of the best ways to guard against a hacker is to disable any internet connection into your computer.

or use a Commodore 64. Haven't had one problem with her since 1987.

shamino
Mar 9, 2006, 01:50 PM
There is one serious bug left that surprises me: the 5-minute sudo timeout (supposedly for the user's "convenience")
This is not a bug. If you find yourself using sudo a lot, it is a huge convenience. The potential for exploit only happens if sudo's log file (the system log on Mac OS) is readable by ordinary users or if you work as an admin user (which can read system logs).

In order for a sudo-timeout exploit to work, the following things have to all happen at once:

- A malicious program must already be installed and running in your user account. Meaning you've already been partially compromised.
- The program must be able to read the system log. Meaning it must have been launched from an admin account on a default Mac OS installation.
- The program must be constantly monitoring the log file, waiting for a sudo call to complete, so it can jump in with its own immediately afterwards. It can't just repeatedly call sudo, because the first call would simply block, waiting for a password.

Fortunately, it is trivially easy to secure a system against this, and you don't even have to disable the 5-minute timeout if you don't want to. Here's an article (http://www.securityfocus.com/archive/1/395107/30/0/threaded) all about it.

To protect yourself, there are many simple things you can do:

- Don't use an admin account. Normal users can't read the system log. Unfortunately, normal users also can't run "sudo", which may encourage people to work from admin accounts. You can, however, grant sudo access to other accounts. I recommend only granting it to the specific accounts you think you will need to run it from, not from all accounts.
- Disable sudo's 5-minute timeout. This makes the system a bit inconvenient, but it prevents any possibility of exploiting this, even by random luck.
- Turn on TTY-tickets in Sudo's configuration. This way, the 5-minute grace period will only apply to the same login session, not to every session owned by the user. (Note, every terminal window and xterm is a separate session.) This could, however, still be exploited, if the malware is running in the background of your login session (maybe launched from your .cshrc.)
- The SecurityFocus article I cited above also recommends redirecting sudo's output to the secure.log file, but that may not work. That article says that the secure.log is only readable by root, not arbitrary admin users, but this is not the case on my Tiger installations.

FWIW, I've implemented choices 1 and 2. 1 alone, however, would be sufficient - which is why Apple doesn't see a need to change their default sudo configuration. They (and I) feel that nobody should ever have to log in as an admin. (Unfortunately, some brain-dead programs by Adobe don't always work properly from non-admin accounts.)
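The three sudoers changes described in the post above, written out as a configuration fragment. This is an added example, not the poster's own file: it assumes the stock Tiger /etc/sudoers grants sudo to the whole admin group (the `%admin` line), and `alice` is a placeholder for whichever account actually needs sudo. Always edit the file through `visudo`, which syntax-checks it before saving.

```sudoers
# --- Weak (stock) setting, shown for contrast; assumption: Tiger's default entry ---
# Every member of the admin group may sudo, and a successful password entry is
# cached for the default 5 minutes in every session owned by that user.
# %admin  ALL=(ALL) ALL

# --- Hardened replacement (added example) ---

# 1. Grant sudo only to the specific account that needs it, not to the whole
#    admin group. "alice" is a placeholder; keep the root entry that is already there.
alice   ALL=(ALL) ALL

# 2. Disable the cached credential entirely: every sudo invocation asks for the
#    password, so there is no 5-minute window for a background process to reuse.
Defaults timestamp_timeout=0

# 3. Alternative to (2) if the timeout is kept for convenience: bind the cached
#    credential to the terminal (TTY) that typed the password, so a process in a
#    different session cannot ride on it. Uncomment this and drop line (2) to use it.
# Defaults tty_tickets
```

With (1) alone, a non-admin account that has not been listed here cannot run sudo at all, which is the configuration the post says is already sufficient on its own.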

shamino
Mar 9, 2006, 01:52 PM
one of the best ways to guard against a hacker is to disable any internet connection into your computer.

or use a Commodore 64. Haven't had one problem with her since 1987.
You don't have to go that far.

There are plenty of Internet/Web-capable systems sufficiently obscure as to have no malware worth speaking of. OS/2 and BeOS immediately come to mind.

greatdevourer
Mar 9, 2006, 02:06 PM
This is not a bug. If you find yourself using sudo a lot, it is a huge convenience. The potential for exploit only happens if the sudo's log file (the system log on Mac OS) is readable by ordinary users or if you work as admin user (which can read system logs).

In order for a sudo-timeout exploit to work, the following things have to all happen at once:

A malicious program must already be installed and running in your user account. Meaning you've already been partially compromised.
The program must be able to read the system log. Meaning it must have been launched from an admin account on a default Mac OS installation.
The program must be constantly monitoring the log file, waiting for a sudo call to complete, so it can jump in with its own immediately afterwards. It can't just repeatedly call sudo, because the first call would simply block, waiting for a password.

Fortunately, it is trivially easy to secure a system against this, and you don't even have to disable the 5-minute timeout if you don't want to. Here's an article (http://www.securityfocus.com/archive/1/395107/30/0/threaded) all about it.

To protect yourself, there are many simple things you can do:

1. Don't use an admin account. Normal users can't read the system log. Unfortunately, normal users also can't run "sudo", which may encourage people to work from admin accounts. You can, however, grant sudo access to other accounts. I recommend only granting it to the specific accounts you think you will need to run it from, not from all accounts.
2. Disable sudo's 5-minute timeout. This makes the system a bit inconvenient, but it prevents any possibility of exploiting this, even by random luck.
3. Turn on TTY-tickets in Sudo's configuration. This way, the 5-minute grace period will only apply to the same login session, not to every session owned by the user. (Note, every terminal window and xterm is a separate session.) This could, however, still be exploited, if the malware is running in the background of your login session (maybe launched from your .cshrc.)
4. The SecurityFocus article I cited above also recommends redirecting sudo's output to the secure.log file, but that may not work. That article says that the secure.log is only readable by root, not arbitrary admin users, but this is not the case on my Tiger installations.

FWIW, I've implemented choices 1 and 2. 1 alone, however, would be sufficient - which is why Apple doesn't see a need to change their default sudo configuration. They (and I) feel that nobody should ever have to log in as an admin. (Unfortunately, some brain-dead programs by Adobe don't always work properly from non-admin accounts.)

Or, it could just lie in wait until someone uses Sudo, then just request SU, be granted it, and from there keep itself as SU.

I personally did steps 2-4

shamino
Mar 9, 2006, 03:31 PM
Or, it could just lie in wait until someone uses Sudo, then just request SU, be granted it, and from there keep itself as SU.
And how will it do this if it can't read the system log? Overwrite the "sudo" program? Not possible unless it has already gotten root access through some other means.

WolfJLupus
Mar 11, 2006, 01:04 PM
I've been hosting my site on a few different servers on the web for 6 years. There is a reason they don't give you SSH (shell access) to the server, and that is to prevent any potential vulnerabilities being exploited. (I'm also a web host myself now.)

It is NOT normal for the average user to have MySQL installed and all that other stuff running on an OS X machine, nor giving everyone a shell account on top of that. I would hope if you were acting as a server you would not give shell access to everyone and would also use the firewall, otherwise you're just asking for trouble.

Like other people have pointed out, it is like giving someone the keys to your house: while you may have stuff locked up inside there, you're most likely going to be able to do damage from the inside or otherwise "hack" into something else. Getting into the house in the first place is the more crucial and difficult step.

This is nowhere near a real-world situation for the majority of users. It's a very unlikely situation.

Macs are not going to be perfect either; there will be exploits that need to be fixed.