PDA

View Full Version : Mac OS X easy to crack, says researcher


MacBytes
Mar 13, 2009, 08:33 AM
http://www.macbytes.com/images/bytessig.gif (http://www.macbytes.com)

Category: Mac OS X
Link: Mac OS X easy to crack, says researcher (http://www.macbytes.com/link.php?sid=20090313093306)
Description:: none

Posted on MacBytes.com (http://www.macbytes.com)
Approved by Mudbug

steveza
Mar 13, 2009, 08:39 AM
"Writing exploits for Vista is hard work. Writing exploits for Mac is a lot of fun," Some people need to get out more :rolleyes:

r.j.s
Mar 13, 2009, 08:40 AM
Some people need to get out more :rolleyes:

Really, if it is so easy to crack, why haven't we seen any actual exploits?

Sehnsucht
Mar 13, 2009, 08:52 AM
:rolleyes: Yeah, OK whatever.

Brings to mind that old line, "Nobody wants to hack Macs because nobody uses them." :rolleyes:

Plenty of people use Macs. :rolleyes:

Hackers will hack anything that can be hacked. :rolleyes:

If OS X were really as "easy to crack" as this dude claims then, yes, it would have already been breached by a massive attack launched from Redmond. :D :D

MistaBungle
Mar 13, 2009, 08:55 AM
I do agree with that line somewhat that deals with us being ignored by the scene since there aren't that many.

I mean, iPhones and Touchs have been hacked, so it isn't like they are ignoring Apple altogether but I don't think OS X is going to be a big target as this guy claims.

supmango
Mar 13, 2009, 09:02 AM
"Things will be more difficult once Mac OS X 10.6 Snow Leopard arrives, as its version of Address Space Layout Randomisation will be much more effective (making it far harder to determine the location of specific routines), and writable memory will be marked as non-executable."

So, Apple IS doing something about what they are talking about. I wonder why they didn't speculate on the statement "It is practically certain that not all of these flaws have been fixed, and that there are more waiting to be found"; seems a little biased to me. :rolleyes:

I am also with those of you who point out that if it were so easy to hack a Mac, why don't more people do it? Hacking is not about profit or affecting the most users (like a virus), it is about competence and competition. Clearly, a Mac is an area that people simply just stay away from because there are so few vulnerabilities and the challenges make it not worth their time.

goMac
Mar 13, 2009, 09:02 AM
"For example, if a routine doesn't check the length of a string properly, it can be written to an area of memory that's too short to hold it, resulting in other values being overwritten.

If an attacker can cause the contents of that string to include values that correspond to a useful set of machine code instructions and have that deposited at a location that will be executed, it is possible to gain control of the system."

Really? That's the attack?

That's called a buffer overflow attack and that's possible on every single system on the market.

HyperZboy
Mar 13, 2009, 09:26 AM
"Many security and IT experts on crack, says researcher"


:D

aarond12
Mar 13, 2009, 09:29 AM
This "researcher" needs to put his money where his mouth is.

If he's talking about having physical access to the machine, then yes, Mac OS X is incredibly easy to hack. I know this from first-hand experience.

I was on an overseas flight with my PowerBook G4 freshly-updated to Mac OS X 10.5.0. I was bitten by the bug that caused all accounts to be demoted to Standard Users. Without my Mac OS X DVD and without access to the Internet (as I was at 35,000 feet on my way to Tokyo), I was able to break into OS X and elevate my permissions on the two accounts I had installed to Administrator-level users. (No, I will not divulge how to do this.) :rolleyes:

If he's talking about remote access to the system, then he's wrong. Dead wrong. I've run scanners, sniffers, etc., on my OS X machines (and iPhone, just for good measure!), and there are no significant vectors of insecurity.

If he's found something new, then great! Share it with Apple and get the problems resolved. Otherwise, **** and GBTW.

-Aaron-

wheelhot
Mar 13, 2009, 09:37 AM
If OS X were really as "easy to crack" as this dude claims then, yes, it would have already been breached by a massive attack launched from Redmond.

Haha, you got a point there :D, considering how bad Apple tarnished MS image, MS would take anything bad they can portray Apple with.

dashiel
Mar 13, 2009, 10:02 AM
I do agree with that line somewhat that deals with us being ignored by the scene since there aren't that many.

i don't. there were what, 20 million mac users in 2006/2007 and apple has increased market share since then, maybe as much as doubled it. then you take in to account that apple users are statistically more affluent; many windows boxes in the market are work machines that aren't connected to the net and/or have no intrinsic value (no bank numbers, no social security, etc...). finally take in to account there are way too many apple users think "more secure" means they don't have to do anything.

so you have a large (though not a dominant market share) population of high-value targets, who aren't expecting to get attacked and it's supposedly fun and easy to do. that's like saying i'd rather hunt for a lion in africa than at the local zoo.

rfruth
Mar 13, 2009, 10:05 AM
If some script kiddie knows the root password anything is possible -

scaredpoet
Mar 13, 2009, 10:24 AM
i don't. there were what, 20 million mac users in 2006/2007 and apple has increased market share since then, maybe as much as doubled it. then you take in to account that apple users are statistically more affluent; many windows boxes in the market are work machines that aren't connected to the net and/or have no intrinsic value (no bank numbers, no social security, etc...). finally take in to account there are way too many apple users think "more secure" means they don't have to do anything.


One other "plus" for cracking a Mac: ever noticed that people with Macs like to brag about their uptime or about hw they leave their machines running for weeks? The stability inherent in the underpinnings of OS X means those computers stay on a lot longer than Windows machines. The same reasons that hackers like to find weaknesses in high availability servers makes Macs just as attractive: a stable platform to use as a "supernode" to marshall your millions of Windows zombie boxes and issue commands to your botnets.

For this reason and others, I no longer buy the security-by-obscurity argument. There are compelling reasons for cracking a Mac, and even if their market share is small, they would be valuable assets in a botnet... if only they were so easy to crack.... :D

dejo
Mar 13, 2009, 10:25 AM
If some script kiddie knows the root password anything is possible -
Assuming the root account has been enabled... (it's disabled by default, except on Mac OS X Server).

Krevnik
Mar 13, 2009, 10:45 AM
If some script kiddie knows the root password anything is possible -

On top of what the other poster said:

Elevation uses the user's password, so if they exploited to get user access on the machine, they still need to exploit to root, or crack the user's password (reasonable to assume the user is an admin on the box).

To get on the box in the first place, services need to be enabled. Right now, the only port open on a normal install is the mDNS port. Thankfully, that service is sandboxed in 10.5, meaning it runs with near-zero permissions (really only getting read permissions to specific parts of the main drive).

rfruth
Mar 13, 2009, 10:50 AM
If the script kiddie (or whoever) doesn't use google and hasn't heard of support.apple.com you're okay http://support.apple.com/kb/HT1528

Krevnik
Mar 13, 2009, 10:52 AM
If the script kiddie (or whoever) doesn't use google and hasn't heard of support.apple.com you're okay http://support.apple.com/kb/HT1528

Huh, so your argument hinges on someone who /already has root access/ enabling the root account? Why in the world would they turn on the account they already have access to? Why not just do whatever they were going to do (trash the place, install malicious packages) right then while they had access and be done with it?

rfruth
Mar 13, 2009, 11:12 AM
No my argument hinges on someone (the script kiddie) knowing more than the average user does yet you hear over & over again that OS X is safe and malware isn't a problem so no precautions are needed when the message should be that X is solid but the user needs to do their part (physical security important, port forwarding etc.)

Krevnik
Mar 13, 2009, 11:15 AM
No my argument hinges on someone (the script kiddie) knowing more than the average user does yet you hear over & over again that OS X is safe and malware isn't a problem so no precautions are needed when the message should be that X is solid but the user needs to do their part (physical security important, port forwarding etc.)

Yet you linked to a KB article discussing how to enable root. A script kiddie who doesn't know your admin password (or already have root access) cannot use that to enable root on your system if they have user-level access.

If they already have root access or your admin password, they can enable it, sure, but then again, they already have root access at that point and don't need to.

Winni
Mar 13, 2009, 11:22 AM
It's more lucrative to write an exploit for Windows. Over 900 million machines on the planet run Windows, and most of those machines are used in companies -> that's where the data is that you want to steal, that's where the money is, that's where high speed Internet connections for your bot nets are.

I don't have a doubt that OS X is easier to crack than Vista. Vista's got a bunch of new security layers especially designed to protect it from memory modifications that previous Windows versions didn't have.

But who has says that there are no successful exploits already out there and being used? If it comes from a clever criminal mind, nobody would notice it. Those guys want to come back anytime they want, and they want to stay in control over your system for whatever reason. They're no script kiddies who only want to wreck havoc.

Most Mac users live in a dangerously false sense of security and pride themselves because of their ah-so-secure system. Well, we have a saying in Germany: "Hochmut kommt vor dem Fall" - Pride/Arrogance comes before the fall.

nagromme
Mar 13, 2009, 12:10 PM
It's more lucrative to write an exploit for Windows. Over 900 million machines on the planet run Windows, and most of those machines are used in companies -> that's where the data is that you want to steal, that's where the money is, that's where high speed Internet connections for your bot nets are.

Definitely more lucrative. But criminals don't attack ONLY the #1 MOST lucrative target. They attack any lucrative target they can. That's why convenience stores get robbed, not just banks. That's why malware attacks multiple different versions of Windows, not just the most-installed. (Not to mention Linux.) And plenty of educational institutions, scientific and government projects, and large media companies have lots of Macs worth attacking. Macs are a smaller target, and that's a very good reason to use a Mac... but they ARE still a target.

But who has says that there are no successful exploits already out there and being used? If it comes from a clever criminal mind, nobody would notice it. Those guys want to come back anytime they want, and they want to stay in control over your system for whatever reason. They're no script kiddies who only want to wreck havoc.

Correction: there are plenty of script kiddies who WANT to wreak havoc on Mac... they just haven't been able to. The world is filled with millions of sad, angry kids, many of which "hate" Macs for whatever 1990s reason peer pressure has drilled into them.

You're right, there could, by some chance, be only ONE type of Mac exploiter: ones that stay secret and undetected and attack very few targets, carefully chosen. But the world has a LOT of people in it, and it's far more likely that the Mac's would-be attackers include the full spectrum, from those simply seeking prestige (which a Mac exploit offers better than Windows) to those seeking mass infection for botnets, to those seeking mass intrusion to harvest for identity theft.

Meanwhile, there are two very different things people talk about, and it's important to acknowledge the difference:

1. An individual person breaking into an individual Mac (either sitting there in person or remotely). Of course individual Macs HAVE been successfully attacked, by methods that start with guessing the password and work their way up to more sophisticated methods.

2. Mass attacks that spread through the Internet: malware. Viruses and worms. These are what most users REALLY worry about, because one person can attack thousands of machines at a time instead of just one. There has NEVER been a successful virus or worm on Mac. There have been a couple of failures (they required lots of user help and only affected specific non-standard Mac installs--like the iChat worm a couple years back) and a couple lab experiments.

So while no OS is perfect, or will ever be--and while BOTH Vista and OS X have specific security advantages that the other lacks--the reality remains that you are safer on OS X.

I doubt that will change: someday OS X will probably have its first real-world virus or worm. (I keep waiting--it's been about 8 years now.) It will then have ONE. And it will be quickly known, and patched by the community within hours and then by Apple within days.

Then there are Trojans--but no platform is ever protected from them, because a Trojan is simply a lie. Make a useful program to wipe the user's hard drive before they sell the computer. Call it "HD Eraser" and charge $5 and it's legitimate software. Call the same thing "System Accelerator" and it's a destructive lie. Make it do TWO things, one useful and one not, and it's still a destructive lie. A Trojan horse.

As for individuals personally hacking into your machine--yes, that's a possibility on any platform, and lets all hope that Windows and Mac alike keep squashing bugs and patching flaws. Because every OS had flaws, and always will.

So the reasons why Macs are safer are complex--it's not just design, it's not just obscurity--both help. And it's NOT perfect safety--and I've never seen a Mac user claim it was. (Though I often see Windows users CLAIM that Mac users claim that. Funny.) It is, however an imperfect safety (which is the best we can have in this world) that leaves you better off than Windows users. For the last 8 years and still today.

(And better off doesn't just mean free from attack, it means free from spending time, effort or money defending your machine, and bogging it down with constantly-running, constantly-updating anti-malware apps. The single thing I hate most about running Windows is the anti-malware updaters always chugging away when I wake the system.)

Meanwhile, neither OS is sitting still... but Apple is advancing faster, and with Snow Leopard their OS is getting leaner, more efficient, less code-bloated and less legacy-burdened. These are all good things for security, and good things for making flaws easier to fix when found. And they are all the opposite of the legacy-plagued massive code-base that is Windows, driven by thousands of programmers and layers of managers. I don't see much future reason to predict OS X will get worse relative to Windows.

P.S. ... Which brings to mind one amusing common argument for choosing Windows: the situation could reverse someday! Macs could one day have numerous mass attacks and need multiple anti-malware apps, while Windows users might all run lean and safe. Seems unlikely, but we can't see the future! Granted. So some people suggest staying with the less safe OS.... just to be on the safe side :D

MisterMe
Mar 13, 2009, 12:16 PM
It's more lucrative to write an exploit for Windows. Over 900 million machines on the planet run Windows, and most of those machines are used in companies -> that's where the data is that you want to steal, that's where the money is, that's where high speed Internet connections for your bot nets are.You are ignoring valid points already made in this thread. The vast majority of Windows computers in business are used by wage slaves. They have no critical data on them unless you think that secretaries' high scores in Solitaire is mission-critical data.
I don't have a doubt that OS X is easier to crack than Vista. Vista's got a bunch of new security layers especially designed to protect it from memory modifications that previous Windows versions didn't have.Vista is a tiny portion of the installed base and most certainly an even smaller portion of the mission-critical installed base. That said, you don't get away with the assertion about what you doubt or don't doubt. What you believe is irrelevant. There are zero exploits of MacOS X. You can't get less than zero.
But who has says that there are no successful exploits already out there and being used? If it comes from a clever criminal mind, nobody would notice it. Those guys want to come back anytime they want, and they want to stay in control over your system for whatever reason. They're no script kiddies who only want to wreck havoc. Wild speculation is not an argument.
Most Mac users live in a dangerously false sense of security ....How many years have you people been saying this now? I'm waiting.

rfruth
Mar 13, 2009, 12:49 PM
Not too long ago I was a wage slave & there was lots of juicy docs, spreadsheets e-mails etc. on my & others (XP) computers - what really gets me are comments like there are zero exploits of Mac OS X - what are you people smoking and where can I get some ?!

jayducharme
Mar 13, 2009, 01:22 PM
Things will be more difficult once Mac OS X 10.6 Snow Leopard arrives, as its version of Address Space Layout Randomisation will be much more effective

So in other words, the author's premise is possibly valid, but only until Snow Leopard comes out? Why didn't the author publish this sooner, when Leopard was released, so that Apple could fix the flaws he found?

IJ Reilly
Mar 13, 2009, 01:38 PM
Not too long ago I was a wage slave & there was lots of juicy docs, spreadsheets e-mails etc. on my & others (XP) computers - what really gets me are comments like there are zero exploits of Mac OS X - what are you people smoking and where can I get some ?!

We're getting it from Apple, and you can get as much of it for yourself as you like from the same connection. I'm sure you can arrange a back-alley meeting if would make you feel like it's illicit. ;)

This has already been explained in detail above, but all of the OSX exploits demonstrated thus far have been essentially theoretical, meaning they haven't been packaged into deliverable viruses or worms. It has always been a source of amusement to me how Windows geeks can insist that the theoretical ability to exploit OSX outweighs the very real ability to exploit Windows. And they say Mac owners live in a fool's paradise.

nagromme
Mar 13, 2009, 01:45 PM
Not too long ago I was a wage slave & there was lots of juicy docs, spreadsheets e-mails etc. on my & others (XP) computers - what really gets me are comments like there are zero exploits of Mac OS X - what are you people smoking and where can I get some ?!

Where have you seen a Mac user claim there are zero "exploits?" Or zero flaws or zero bugs, etc.? I see people CLAIM that Mac users claim that... but I never see it actually happen. Somewhere out there it probably does (Artie McStrawman maybe?) but is it common? Do MANY Mac users believe that? Can anyone find me three links to ANYONE (even anonymous forum posts) claiming that Macs have zero exploits or perfect security? (Even one example would be more than I've found.)

A "flaw" (which every OS will always have) or an "exploit" that could theoretically make use of it is one thing. Coming up against the consequences of an exploit in reality--a real ATTACk--is another thing. And if that doesn't happen, you have indeed remained safe.

What I DO often see is Mac users claiming that Macs have no malware--which, if you include Trojans, or failed malware that never spread successfully in the wild, or if you include the Pre-UNIX classic Mac OS, is not true. But what they really mean, and what I see claimed more often, is that Macs currently have no viruses or worms, and that remains true.

There's the myth of Mac users' "false sense of security" and then there's the reality:

Mac users DO NOT think Macs are 100% prefect--it would be absurd. They DO NOT think they are perfectly safe and will be forever, for certain. They DO think they are much SAFER than Windows users, and they DO think there are no Mac viruses out there waiting for them. These are true beliefs. They observe that their PC friends sometimes get infected. And they observe that they have never heard of a Mac virus (for a good reason).

People rant against the mythical Mac users who they pretend are always claiming extreme and impossible things. But we don't. We claim REASONABLE things :) The Mac experience isn't perfect, just a whole lot better.

steve2112
Mar 13, 2009, 01:47 PM
No exploits in OSX, eh? There are some folks who would disagree with that:

http://www.channelregister.co.uk/2008/03/28/mac_hack/

http://www.theregister.co.uk/2009/03/03/safari_at_pwn2own/

http://www.theregister.co.uk/2008/07/28/pwning_security_updates/

These are just a few. To say that there are zero exploits for ANY OS is just silly. Any modern OS will have weaknesses. While many of these exploits require action by end users, they are still exploits. And the end user is the biggest weakness in any OS. The fact is that any OS connected to the internet with a typical end user is vulnerable.

dejo
Mar 13, 2009, 01:51 PM
Where have you seen a Mac user claim there are zero "exploits?"
In this very thread, unfortunately:

There are zero exploits of MacOS X.

nagromme
Mar 13, 2009, 02:14 PM
In this very thread, unfortunately:

Touché! You have me, sir! :D

Nonetheless, I think it's people misusing the word "exploits" (just like people confuse "worm" with "virus").

MisterMe can clarify himself, but I doubt he means that there are no flaws in OS X that have been found by someone in some situation to be exploitable. He means, I expect, that there are no MASS exploits--viruses or worms--spreading out there.

I can understand that confusion. But does anyone who uses the WORD exploit correctly believe there are none? Is that common? (Is it half as common as people CLAIMING it is common? :p )

dejo
Mar 13, 2009, 02:16 PM
Nonetheless, I think it's people misusing the word "exploits" (just like people confuse "worm" with "virus").
I'm totally onboard with you there. :)

nagromme
Mar 13, 2009, 02:29 PM
No exploits in OSX, eh? There are some folks who would disagree with that:

http://www.channelregister.co.uk/2008/03/28/mac_hack/

http://www.theregister.co.uk/2009/03/03/safari_at_pwn2own/

http://www.theregister.co.uk/2008/07/28/pwning_security_updates/

These are just a few. To say that there are zero exploits for ANY OS is just silly. Any modern OS will have weaknesses. While many of these exploits require action by end users, they are still exploits. And the end user is the biggest weakness in any OS. The fact is that any OS connected to the internet with a typical end user is vulnerable.

Well said. We ARE all vulnerable. Just not to mass attacks: viruses and worms. None exist for Mac outside of lab experiments. And hacking contests are just that: one person working to hack one machine--which is certainly a problem, nobody can deny. But no Mac OS X virus or worm has ever spread successfully in the wild. That may (and I believe WILL) come one day--but then again I've believed that for 8 years now.

The closest anyone has come in the wild was the iChat Leap-A thing a couple years ago. (Symantec: "0-50" sites infected.) Which was widely misreported as having spread over the Internet, when in fact it was LAN-only (and long-since-patched). Also not reported by most articles: it required a relatively rare change (enabling Bonjour) in iChat's settings or it couldn't work at all. And even THEN it needed a specific set of circumstances. A handful of people manually downloaded and installed it off a forum thread, and that was the end of it. Technically, it was both a Trojan and a virus (by the definition of malware that attaches itself to an app)--but not one that spreads over the Internet, and not one that could spread ITSELF at all--it needed user intervention for every single leap across the LAN. So, not what people mean when they say "virus." (What most people mean by virus these days should really be called a worm--and an Internet worm, more specifically. Whereas Leap-A was, at best, a failed non-Internet virus.)

steve2112
Mar 13, 2009, 03:09 PM
Well said. We ARE all vulnerable. Just not to mass attacks: viruses and worms. None exist for Mac outside of lab experiments. And hacking contests are just that: one person working to hack one machine--which is certainly a problem, nobody can deny. But no Mac OS X virus or worm has ever spread successfully in the wild. That may (and I believe WILL) come one day--but then again I've believed that for 8 years now.

The closest anyone has come in the wild was the iChat Leap-A thing a couple years ago. (Symantec: "0-50" sites infected.) Which was widely misreported as having spread over the Internet, when in fact it was LAN-only (and long-since-patched). Also not reported by most articles: it required a relatively rare change (enabling Bonjour) in iChat's settings or it couldn't work at all. And even THEN it needed a specific set of circumstances. A handful of people manually downloaded and installed it off a forum thread, and that was the end of it. Technically, it was both a Trojan and a virus (by the definition of malware that attaches itself to an app)--but not one that spreads over the Internet, and not one that could spread ITSELF at all--it needed user intervention for every single leap across the LAN. So, not what people mean when they say "virus." (What most people mean by virus these days should really be called a worm--and an Internet worm, more specifically. Whereas Leap-A was, at best, a failed non-Internet virus.)

Yeah, the existing OSX trojans crack me up. Let's see...I have to click on a link, download a codec, enter my admin username and password, and THEN install it. Sorry, if you go through all that just to try and view a porn video, you deserve to be infected. (I forgot the name of the one that did that). As far as the virus/worm/trojan debate: the lines have become so blurred, it is often hard to tell the categories apart. I prefer the catch all term malware. It's all bad stuff designed to exploit a system.

I agree with you 100%, though. Despite the built in security measures of OSX, I believe more exploits/trojans/etc are on the way for the OS. All those hacking contests are probably going to lead to something. I also believe most of them will require actions by users, but as we have said, that is the biggest weakness around. In fact, until the Cornficker/Downadup worm, traditional worms (those spread on their own without user intervention) even for Windows machines had become rare.

rfruth
Mar 13, 2009, 03:14 PM
The sad part is lots of Mac users believe there are no OS X exploits because thats what they hear, good thing most don't use iTunes (I agree the weak link is the computer operator)
http://news.cnet.com/8301-1009_3-10195204-83.html?tag=mncol

IJ Reilly
Mar 13, 2009, 03:33 PM
Nobody is arguing that security holes and risks don't exist for OSX. What they are saying is that none have resulted in actual breaches of security, let lone self-replicating ones, so as far as anyone knows.

nagromme
Mar 13, 2009, 03:34 PM
The sad part is lots of Mac users believe there are no OS X exploits because thats what they hear, good thing most don't use iTunes (I agree the weak link is the computer operator)
http://news.cnet.com/8301-1009_3-10195204-83.html?tag=mncol

If the word "exploit" is used correctly, then I disagree: I don't think "lots" of Mac users believe that. (Because it's NOT what we hear.)

What we DO hear--and believe, and is true--is that there are no worms or viruses. Some people use the word "exploit" to mean worms and viruses, which is an unfortunate confusion.

As for the link--good to know Apple fixed that flaw (which won't be the last flaw ever found in OS X). And good to know that that flaw remains unexploited. (Although even if it became an actual exploit, it requires many steps of user intervention, starting with subscribing to--not merely playing--a maliciously-crafted podcast. As you say, the user is the weak link--but this requires the user to do more than just be tricked in simple way.)

Makosuke
Mar 13, 2009, 04:04 PM
This is backing up to the dead "security by obscurity" horse, but I just wanted to add:

In the past (as in, more than 3.5 years ago) there was ONE legitimate reason to claim that the MacOS's relative obscurity (RELATIVE, I emphasize) was a significant protection: PowerPC. Basically since the MacOS itself would only run on a PPC machine, a would-be hacker/virus writer would need to actually go out and procure one to test and look for holes in. Though not prohibitively expensive, it's still a definite barrier when you're comparing to using the Wintel box you already own. (And yes, Darwin was cross-platform, but I'm assuming an exploit that hits a full Apple-built OS.)

That argument obviously went out the window with the release of 10.4 Intel and further with the debut of Hackintosh methods; now all you need to do is download an illegal copy of 10.5 and do some low-level goofing to get it running on your existing machine for testing. Cost of entry = 0, since if you're planning on exploiting the OS you'd better have the know-how to get a hackintosh running.

Yet still no real-world mass-exploits (or whatever you'd prefer to call them--external holes such as the Win one that causes anything pre XP-SP2 to get infected within a few minutes of seeing the internet or live viruses). On a platform with 20 million smug users some subset of whom love to point out on the internet that they don't have to deal with Windows malware and that their OS is more secure.

No, the Russian mob may not see as much financial value in setting up a Mac-based botent or ID theft skimmer, but every script kiddie on earth would love to be in the position of being the one to knock Apple and Mac users down a peg.

Frankly, if you'd asked me when OSX first shipped how long it would be before we saw the first live virus in the wild, I'd have said maybe a couple of years. When OSX went Intel, I figured maybe six months to a year before something got out there.

Yet here we are in 2009 and there's still nothing but a handful of trojans, which as pointed out REALLY don't count unless they're self-replicating.

Also note: I manage a cross-platform network, all of which is directly exposed to the internet, with high-speed backbone, unique IPs, and everything. It's a prime target. Of our 15 Macs + 1 OSXServer, exactly zero have seen any security problems. I do not currently run Mac antivirus software, because there's nothing for it to detect. Of our 5 Windows boxes with up-to-date security patches and Symantec Corporate Antivirus running, one has been infected with a virus in the last six months. A virus that Symantec sat there and watched install itself off of a flash drive inserted with no user interaction at all, and did not detect even on a full scan.

Is OSX 100% secure? Only an idiot would think so. Are we currently at lower risk? Yes. Reality states so, not theories or wild-assed-assumptions.

aarond12
Mar 13, 2009, 04:30 PM
No exploits in OSX, eh? There are some folks who would disagree with that:

http://www.channelregister.co.uk/2008/03/28/mac_hack/

http://www.theregister.co.uk/2009/03/03/safari_at_pwn2own/

http://www.theregister.co.uk/2008/07/28/pwning_security_updates/

You are quite correct. However, in each of those cases, the "hacker" had physical access to the machine. I can hack ANY computer if I have physical access to the machine (read my earlier post).

-Aaron-

r.j.s
Mar 13, 2009, 05:01 PM
You are quite correct. However, in each of those cases, the "hacker" had physical access to the machine. I can hack ANY computer if I have physical access to the machine (read my earlier post).

-Aaron-

That and some of them were based on third-party hardware and drivers, IIRC.

steve2112
Mar 13, 2009, 07:21 PM
You are quite correct. However, in each of those cases, the "hacker" had physical access to the machine. I can hack ANY computer if I have physical access to the machine (read my earlier post).

-Aaron-

Believe me, I know that. I've preached that for years: If I can lay hands on your machine, I can own it. And it isn't bragging, since anybody with a little knowledge and the right tools can own pretty much machine with physical control. It has always amazed me in various places I have worked that my employer would spend loads of money various network security measures, then totally overlook the physical side. It is incredibly frustrating.

Anyway, not quite all of them require physical access. The third one requires a man in the middle attack, which is dependent on network security. My bigger point is this: People are working on exploits for the OS, and I do believe there will be some remote exploits for OSX. Security flaws in 3rd party software will probably be the attack vector. OSX may be a small part of the market (the "nobody will gain anything attacking it" arguement), but things like Java, Flash, etc, are widely used, and present huge potential threats. And, sadly, it's getting harder to do much on the web without said third party products. I use NoScript, and it can be a major pain in the neck sometimes. It also suprised me seeing the sheer amount of scripts running on the average site.

Anyway, that's the way I see things. Then again, I could just be cynical and pessimistic from too many years of trying to secure networks.

dejo
Mar 13, 2009, 08:52 PM
...good thing most don't use iTunes...
Hundreds of millions of iPods sold.
Tens of millions of iPhones sold.
Billions of songs sold through iTunes Store.
Hundreds of millions of apps sold through App Store.

Most don't use iTunes, huh?

Tesselator
Mar 13, 2009, 09:01 PM
Maybe hackers hack Microsoft because they are evil. Apple and Linux aren't evil. :)

kabunaru
Mar 13, 2009, 09:22 PM
Mac OS X is just as secure as Linux.

xlii
Mar 13, 2009, 09:40 PM
P.S. ... Which brings to mind one amusing common argument for choosing Windows: the situation could reverse someday! Macs could one day have numerous mass attacks and need multiple anti-malware apps, while Windows users might all run lean and safe. Seems unlikely, but we can't see the future! Granted. So some people suggest staying with the less safe OS.... just to be on the safe side :D

Love your logic, perhaps this is why we are in this financial mess.

rfruth
Mar 13, 2009, 09:51 PM
>> Most don't use iTunes, huh?

I was being sarcastic, should have used a big grin :D

MikeTheC
Mar 13, 2009, 10:39 PM
Why is it this article smacks of the same crap we get from the fear-mongering idiots at Symmantec, et al, every year?

My response? "Pics, or it didn't happen."

If Mac OS X is so d***ed easy to exploit, then how come in the 10 years it's been available to the general public we have, what, a couple stupid trojans and stuff that has to be done either via physical access or with the user making the very deliberate effort to give someone else root access? Nothing's perfect -- nothing made by man ever is, but this really smells fishy to me.

Manderby
Mar 14, 2009, 05:30 AM
my 2 cents:

If people talk about security, they talk about different things. And hackers (let's call them all hackers, for simplicity) are specialized to different goals. There are different types of computers which are targeted by hackers:

1. The usual home computers: The computer of mommy, daddy, granny and me running Mac OSX, Windows and Linux. People store their email, their homework, their pictures, their porn, their music, their address book, ... Nothing of interest for a hacker. As home computers are (relatively speaking) not connected to the internet very well, gaining remote access is hard. As MacOS X is very restrictive in its standards (in general no proprietary protocols, root password disabled, sharing protocols disabled by default including ssh), it's even harder, and as 99.999% of all home users never change anything on the standards, its very hard up to theoretically impossible. Interesting goal: Get the financial access codes -> Phishing emails and programs, the big problem of all wide-spread consumer systems.

2. The small business computers and servers: The computer at work with confidential and secret data running MacOS X, Windows and Linux, the servers running mostly Windows. Value for hackers: As small as the business. Security increased as most (even small) companies have some sort of IT-support. Otherwise the same restrictions as with home computers.

3. Big business computers: The computers of employees. The computers run mostly Windows, sometimes Mac and Linux. The computers are connected to a central server (see point 4). Value for hackers: Get access codes for the server. Connectivity to the internet: very good but big companies have their own IT-security-team which restrict the internet access greatly.

4. Big business servers (including federal bureau servers and similar institutions): The holy grails of every hacker. Lots of data with high value. Security massively increased by specialized security-team. Running system: Sparcs, IBMs, less often Windows, Linux or Mac.

So my point is: People worried about loosing their photos on their personal home computers: Yes, discuss about Windows or Mac, but remain calm, keep your eyes open and you will be all good. People worried about their companies data: Let the security-team do it's job, their good at it and they choose the system which is best (Which still in a hell a lot of times is neither Mac nor Windows).

fteoath64
Mar 14, 2009, 05:56 AM
This "researcher" needs to put his money where his mouth is.

If he's talking about having physical access to the machine, then yes, Mac OS X is incredibly easy to hack. I know this from first-hand experience.

I was on an overseas flight with my PowerBook G4 freshly-updated to Mac OS X 10.5.0. I was bitten by the bug that caused all accounts to be demoted to Standard Users. Without my Mac OS X DVD and without access to the Internet (as I was at 35,000 feet on my way to Tokyo), I was able to break into OS X and elevate my permissions on the two accounts I had installed to Administrator-level users. (No, I will not divulge how to do this.) :rolleyes:


-Aaron-

Yep, I had to do close to that with my first every Mac 3 years ago in Singapore. I used an unpriviledged account on the mac and elevated to root. Then undo the Software Update that screwed up the system. Having FreeBSd unix experience helps ...:D

BongoBanger
Mar 14, 2009, 06:32 AM
Actually, OS X is more secure because it has far less market share than Windows, particularly in the commercial sector. As for Vista having a 'tiny proportion' of the market, it's actually about two to three times as much as all iterations of Mac OS combined plus, of course, a lot of the exploits written for XP are reusable with minor tinkering.

It's also interesting that Mac OS has the same issues that Vista and W7 have - it's very, very difficult to remotely hack into it but pretty easy to socially engineer stuff for.

In other words, XP was a bit of a leaky bucket. Vista and W7 are far more secure and certainly comparable to Mac OS, however since they're going to absorb over 80% of the market between them and code written for XP can be modified more easily than rewriting code for OS X they're always going to be the primary targets.

MisterMe
Mar 14, 2009, 09:31 AM
Actually, OS X is more secure because it has far less market share than Windows, ...Can't you be a little more original than being the 1,275,087th person to push Proof-by-Assertion of this post-hoc, ergo propter hoc logical fallacy?

Povilas
Mar 14, 2009, 02:17 PM
Actually, OS X is more secure because it has far less market share than Windows, particularly in the commercial sector. As for Vista having a 'tiny proportion' of the market, it's actually about two to three times as much as all iterations of Mac OS combined plus, of course, a lot of the exploits written for XP are reusable with minor tinkering.

It's also interesting that Mac OS has the same issues that Vista and W7 have - it's very, very difficult to remotely hack into it but pretty easy to socially engineer stuff for.

In other words, XP was a bit of a leaky bucket. Vista and W7 are far more secure and certainly comparable to Mac OS, however since they're going to absorb over 80% of the market between them and code written for XP can be modified more easily than rewriting code for OS X they're always going to be the primary targets.

OS X is more secure because it uses Unix code which is writen with security in mind, not like windows "slap everything on top" and on OS X there is little to none legacy code. Almost all software runs on current or current-1 OS release.

IJ Reilly
Mar 14, 2009, 03:53 PM
Can't you be a little more original than being the 1,275,087th person to push Proof-by-Assertion of this post-hoc, ergo propter hoc logical fallacy?

You forgot my personal favorite: tautological. ;)

roach
Mar 14, 2009, 05:50 PM
Well a Mac was the first to go down during the CanSecWest security conference.

ceezy3000
Mar 14, 2009, 05:52 PM
Well a Mac was the first to go down during the CanSecWest security conference.

yup in under two minutes on second day through exploit in safari

r.j.s
Mar 14, 2009, 05:54 PM
yup in under two minutes on second day through exploit in safari

An exploit that the person knew about and was well prepared for long before the conference. The Vista machine was also updated with SP1, something the person didn't know would be case.

ceezy3000
Mar 14, 2009, 06:01 PM
An exploit that the person knew about and was well prepared for long before the conference. The Vista machine was also updated with SP1, something the person didn't know would be case.
actually i heard his friend discovered the exploit?

ditzy
Mar 14, 2009, 06:14 PM
Actually, OS X is more secure because it has far less market share than Windows, particularly in the commercial sector. As for Vista having a 'tiny proportion' of the market, it's actually about two to three times as much as all iterations of Mac OS combined plus, of course, a lot of the exploits written for XP are reusable with minor tinkering.

It's also interesting that Mac OS has the same issues that Vista and W7 have - it's very, very difficult to remotely hack into it but pretty easy to socially engineer stuff for.

In other words, XP was a bit of a leaky bucket. Vista and W7 are far more secure and certainly comparable to Mac OS, however since they're going to absorb over 80% of the market between them and code written for XP can be modified more easily than rewriting code for OS X they're always going to be the primary targets.

I agree that there is something in this argument, but it doesn't explain why there have been no virus' in the wild. I believe (though could be wrong, it could have been a trojan) that Linux has had virus'. That is more obscure than OSX.
Plus if I was a hacker I'd rather go after a large share of OSX, than a small share of windows. One there is more prestige in it. Two it would have a greater effect as you would be going after people who have no expectation of it.

r.j.s
Mar 14, 2009, 06:21 PM
actually i heard his friend discovered the exploit?

Maybe, I don't remember. The point is, he knew what to exploit and how when he signed up for the contest ... they all did.

nagromme
Mar 14, 2009, 08:51 PM
Bottom line:

Security-by-obscurity IS real. Real in that it HELPS to some extent. It's far from the whole explanation though.

And whatever the explanations (and they are complex), the RESULT remains clear: zero Mac viruses or worms, after 8 years of people clamoring that the "big wave" is right around the corner. That's a VERY good thing.

And despite all the cries of "Wolf," the wave may BE right around the corner... this time... really, this time, honest! However, if so, I suspect it will be a very SMALL wave. The first successful Mac worm will be big headlines--just like the yearly false alarms have been. But I bet it gets noticed, understood and stamped out pretty fast. A Mac OS security hole is like bad lock on a house filled with people holding baseball bats and sleeping in shifts. If someone does break in, they won't have time to get away with much. (And so I suppose a Windows flaw is like a bad lock in a sprawling multi-story industrial complex full of guards but also places to hide?)

supmango
Mar 16, 2009, 12:27 AM
This "researcher" needs to put his money where his mouth is.

If he's talking about having physical access to the machine, then yes, Mac OS X is incredibly easy to hack. I know this from first-hand experience.

I was on an overseas flight with my PowerBook G4 freshly-updated to Mac OS X 10.5.0. I was bitten by the bug that caused all accounts to be demoted to Standard Users. Without my Mac OS X DVD and without access to the Internet (as I was at 35,000 feet on my way to Tokyo), I was able to break into OS X and elevate my permissions on the two accounts I had installed to Administrator-level users. (No, I will not divulge how to do this.) :rolleyes:

If he's talking about remote access to the system, then he's wrong. Dead wrong. I've run scanners, sniffers, etc., on my OS X machines (and iPhone, just for good measure!), and there are no significant vectors of insecurity.

If he's found something new, then great! Share it with Apple and get the problems resolved. Otherwise, **** and GBTW.

-Aaron-
That is why I NEVER update to a brand new major release of anything. I did not get my mac until 10.5.3 was up and had handled most new exploits that seem to creep in with most major releases (third part software and Microsoft are included in that). I will probably wait until 10.6 is in its third or fourth revision as well before I upgrade. I prefer to let those less patient get "bit by bugs.":D

BongoBanger
Mar 16, 2009, 03:56 PM
Can't you be a little more original than being the 1,275,087th person to push Proof-by-Assertion of this post-hoc, ergo propter hoc logical fallacy?

Can't you come up with an alternative reason given the majority of black hats state that's exactly why OS X doesn't have the volume of malware Windows does?

BongoBanger
Mar 16, 2009, 03:59 PM
An exploit that the person knew about and was well prepared for long before the conference. The Vista machine was also updated with SP1, something the person didn't know would be case.

So are you saying that Apple failed to patch a known exploit in time for one of the top security conferences in the world whilst Microsoft made damn sure that their vulnerabilities were patched?

Because, you know, that really is worrying.

r.j.s
Mar 16, 2009, 05:04 PM
So are you saying that Apple failed to patch a known exploit in time for one of the top security conferences in the world whilst Microsoft made damn sure that their vulnerabilities were patched?

Because, you know, that really is worrying.

Who says he disclosed it to Apple before the conference?

BongoBanger
Mar 16, 2009, 05:45 PM
Who says he disclosed it to Apple before the conference?

So are you saying Apple didn't know about it? Isn't that even worse?

Regardless of which the flaw existed and was effectively exploited. We could make up endless conspiracy theories (although I'd rather leave that to trash mags like roughlydrafted) but that doesn't change the simple fact that a vulnerability in Safari existed and was exploitable enough to satisfy the day two victory conditions.

Of course the key point is that the fault required social engineering to actually work - the hackers had failed to break any of the operating systems directly on day one. Similarly Vista fell to a third party exploit later rather than an inherent weakness.

r.j.s
Mar 16, 2009, 06:51 PM
... Of course the key point is that the fault required social engineering to actually work ...

And nothing can protect against that, except user education and common sense.

MisterMe
Mar 16, 2009, 07:45 PM
Can't you come up with an alternative reason given the majority of black hats state that's exactly why OS X doesn't have the volume of malware Windows does?So you've surveyed the majority of black hats? Good. Link?

r.j.s
Mar 16, 2009, 08:31 PM
So are you saying Apple didn't know about it? Isn't that even worse?

Not necessarily. How many people do you think Apple employs to search for vulnerabilities and exploits? This is how it works, someone finds a vulnerability , and then they disclose it to Apple or they don't. If they don't, they are probably working on a way to exploit it - sometimes for this very contest.

rfruth
Mar 16, 2009, 09:33 PM
>>user education and common sense - well said !

Jethryn Freyman
Mar 16, 2009, 09:55 PM
Every operating system has flaws which can be exploited. With physical access to a computer, it can accessed with ease. Full disk encryption and similar systems (e.g. Bitlocker, Filevault) can be broken if the cracker has physical access to the machine, and it is powered on (logged in, in the case of Filevault.)

Regarding OS X:

A fresh install of Windows or OS X is not particularly secure. The new application firewall is inferior to IPFW, which is disabled by default. Safari has the "open safe files after downloading" option enabled by default. Filevault enables a master password. These three things are security risks.

Apple are often slow to patch vulnerabilities and their security updates give no details as to what is being fixed. They have less employees looking for vulnerabilities. Firefox and Safari are good examples. Firefox has more people looking through its' code, which means vulnerabilities are detected quicker and fixed quicker.

Mac users:

Assume there are no threats targeting OS X. And they are mostly correct. There are a few trojans, but they rely on social engineering, not a flaw in the operating system. The fact remains that Mac users are generally less cautious. Windows users are used to protecting themselves from trojans and viruses. Mac users in general are not.

What about "security by obscurity?" Partially true. If 90% of computers ran OS X, it would have more people attempting to crack it, as there would be greater gain.

OS X is far more resistant to attacks than Windows. If OS X and Windows had an equal userbase, and equally intelligent and wary (or ignorant) users, Windows would still attract most of the attacks. Why? It is less secure.

It is possible to have a secure Windows installation, just as it is possible to have a secure OS X installation.

UNIX (which is what OS X is based on) has been around for a very, very long time. Its' source has been examined by millions of computer scientists, crackers, and cryptographers. It is very, very secure.

Most of the vulnerabilities found in OS X over the years are in code written by Apple. Not with the UNIX framework. This is why I use IPFW instead of the application firewall, and Firefox instead of Safari.

My main point:

-Any OS is easy to crack if you have physical access.
-OS X is more secure than windows because of its' UNIX core. Not because of it's smaller userbase. Obscurity is not security.
-Apple, like Microsoft, still has some work to do to improve security.

rfruth
Mar 16, 2009, 10:10 PM
>> user education, common sense AND Mac users are generally less cautious !!!

IJ Reilly
Mar 16, 2009, 11:19 PM
So are you saying Apple didn't know about it? Isn't that even worse?

Either way, it's even worse.

BongoBanger
Mar 17, 2009, 06:29 AM
-Any OS is easy to crack if you have physical access.
-OS X is more secure than windows because of its' UNIX core. Not because of it's smaller userbase. Obscurity is not security.
-Apple, like Microsoft, still has some work to do to improve security.[/b]

Up to XP I would agree with you although mainly because MS allowed admin access as a default. With Vista and W7 I don't think there's any real difference now.

Mister Me
So you've surveyed the majority of black hats? Good. Link?

*Sigh*

Start with ZDNet's security blogs then work your way from there. This isn't exactly hidden knowledge.

r.j.s
And nothing can protect against that, except user education and common sense.

Bingo. Truest thing ever said.

MisterMe
Mar 17, 2009, 08:40 AM
...

.... This isn't exactly hidden knowledge.

...Then why can't you give a link?

michael.lauden
Mar 17, 2009, 08:52 AM
it'd be funny if hackers used macs - so THEY didn't get their own viruses.

i guess people are more focused on stealing credit card information from large companies,

instead of some snare tracks recorded for a local band's demo - which was never mastered because they had a deadline to meet for a design

kastenbrust
Mar 17, 2009, 09:00 AM
it'd be funny if hackers used macs - so THEY didn't get their own viruses.

Most do, or Linux.

michael.lauden
Mar 17, 2009, 09:48 AM
Most do, or Linux.

yeah i figured linux

EmperorDarius
Mar 17, 2009, 10:16 AM
Up to XP I would agree with you although mainly because MS allowed admin access as a default. With Vista and W7 I don't think there's any real difference now.





Don't Vista and 7 do it too? Or is UAC supposed to make any difference? I'm sorry but adding an annoying useless feature like UAC which does nothing but ask if you're "sure" for everything that every program does gives no additional boost in security, in fact most people turn it off.

BongoBanger
Mar 17, 2009, 11:57 AM
Then why can't you give a link?

I did. ZDNet's security blogs.

However, if Google isn't working for you then try this:

http://blogs.zdnet.com/security/

Or you can go here and have a look around:

https://www.blackhat.com/

You may also want to have a look at this one:

http://www-935.ibm.com/services/us/iss/xforce/trendreports/xforce-2008-annual-report.pdf

Don't Vista and 7 do it too? Or is UAC supposed to make any difference? I'm sorry but adding an annoying useless feature like UAC which does nothing but ask if you're "sure" for everything that every program does gives no additional boost in security, in fact most people turn it off.

No they don't and if they do they kind of deserve everything they get. Calling UAC 'useless' just demonstrates a lack of understanding about what it does which is pretty much to mimic the non-admin default and security protocols that OS X and Linux have.

EmperorDarius
Mar 17, 2009, 01:37 PM
No they don't and if they do they kind of deserve everything they get. Calling UAC 'useless' just demonstrates a lack of understanding about what it does which is pretty much to mimic the non-admin default and security protocols that OS X and Linux have.

It is useless. It doesn't even ask you for your password, which would be logical. Asking you to click a couple of buttons to see if you're sure to do something (which happens very...very...very often) isn't security at all. It's just an illusion. It's a shame that people actually believe it.

BongoBanger
Mar 17, 2009, 02:43 PM
It is useless. It doesn't even ask you for your password, which would be logical. Asking you to click a couple of buttons to see if you're sure to do something (which happens very...very...very often) isn't security at all. It's just an illusion. It's a shame that people actually believe it.

I don't mean to be rude here but you really do have absolutely no idea what you're talking about.

EmperorDarius
Mar 17, 2009, 02:49 PM
I don't mean to be rude here but you really do have absolutely no idea what you're talking about.

Looks like the inverse thing to me.

BongoBanger
Mar 17, 2009, 06:06 PM
Looks like the inverse thing to me.

If that's the case then I'm sure you'll have absolutely no problem explaining the architecture of UAC, why it's 'useless' with reference to its particular vulnerabilities and how the majority of Vista users have disabled it - which you will obviously be able to back up with statistics.

I'll also be expecting a full explanation of the plus points that OS X and Linux have over UAC (because there are a few) and how that impacts the overall model.

Or you could just quit before you really make a fool out of yourself.

nagromme
Mar 17, 2009, 11:39 PM
Useful reference to keep the discussion going:
http://homepage.mac.com/bhoglund/forumFudsters.html
:)

EmperorDarius
Mar 18, 2009, 12:38 AM
If that's the case then I'm sure you'll have absolutely no problem explaining the architecture of UAC, why it's 'useless' with reference to its particular vulnerabilities and how the majority of Vista users have disabled it - which you will obviously be able to back up with statistics.

I'll also be expecting a full explanation of the plus points that OS X and Linux have over UAC (because there are a few) and how that impacts the overall model.

Or you could just quit before you really make a fool out of yourself.

What is UAC? A simple system that asks you Yes/No whenever a program is trying to modify 'an important system setting'. It is really, really annoying.
And it is often bypassed by malware too. (Especially in Windows 7, where it is "by design"). It also doesn't ask for the admin password by default. It doesn't even remember what you allowed to do. If I wanted something like that, I'd get a HIPS program which produces the same amount of popups but is much more useful.

UAC is flawed, and Symantec proved it in 2007:
www.bit-tech.net/news/2007/02/23/Symantec_proves_vista_UAC_flawed/
http://www.robpaveza.net/VistaUACExploit/UACExploitWhitepaper.pdf

And if you know malware authors you'll know that they don't really have any problem bypassing UAC.


OS X's/Linux authentication requires the password by default, and is much less annoying, yet effective and powerful.

I'm not gonna waste more time than that, if you can't understand that thing, too bad for you

roach
Mar 18, 2009, 03:10 AM
What is UAC? A simple system that asks you Yes/No whenever a program is trying to modify 'an important system setting'. It is really, really annoying.
And it is often bypassed by malware too. (Especially in Windows 7, where it is "by design"). It also doesn't ask for the admin password by default. It doesn't even remember what you allowed to do. If I wanted something like that, I'd get a HIPS program which produces the same amount of popups but is much more useful.

UAC is flawed, and Symantec proved it in 2007:
www.bit-tech.net/news/2007/02/23/Symantec_proves_vista_UAC_flawed/
http://www.robpaveza.net/VistaUACExploit/UACExploitWhitepaper.pdf



...and this is the result in 2008:

arstechnica (http://arstechnica.com/business/news/2008/01/microsoft-vistas-not-as-insecure-as-xp-please-buy-it.ars)

Why would you believe claim from a company whose business is to sell security software? I have read similar claims from securty software companies against OSX.

BongoBanger
Mar 18, 2009, 08:21 AM
What is UAC? A simple system that asks you Yes/No whenever a program is trying to modify 'an important system setting'. It is really, really annoying.
And it is often bypassed by malware too. (Especially in Windows 7, where it is "by design"). It also doesn't ask for the admin password by default. It doesn't even remember what you allowed to do. If I wanted something like that, I'd get a HIPS program which produces the same amount of popups but is much more useful.

UAC is flawed, and Symantec proved it in 2007:
www.bit-tech.net/news/2007/02/23/Symantec_proves_vista_UAC_flawed/
http://www.robpaveza.net/VistaUACExploit/UACExploitWhitepaper.pdf

And if you know malware authors you'll know that they don't really have any problem bypassing UAC.


OS X's/Linux authentication requires the password by default, and is much less annoying, yet effective and powerful.

I'm not gonna waste more time than that, if you can't understand that thing, too bad for you

Thanks you for your list of faults which refer to 2007 and which were closed with hotfixes and SP1. Do you have anything that's actually relevant or are we going to go through this merry dance again? Can I also point out that MS are changing the UAC model in W7 based on the public Beta feedback to prevent the issue you raise?

Currency. It's great.

I am going to add one point though - I actually do know malware authors or at least people capable of writing it) and they raise the same point as the hackers at CanSecWest did - it is incredibly difficult to install on a modern OS unless the user allows you to. Whether this is clicking an 'allow' box or typing in a password is a moot point.

roach
...and this is the result in 2008:

arstechnica

Indeed. Quoted from the article...

"This apparent success might redress some of the criticisms that have been leveled at UAC. During Vista's beta period, it was widely derided as annoying and intrusive, and although it was streamlined a little for release (and will see further refinements in Service Pack 1), it is still felt by many to be sufficiently irritating to disable. Its ability to mitigate security vulnerabilities, however, means that it's worth paying the price of annoyance. UAC doesn't make the security flaws disappear, but it does make them much safer. In the words of Austin Wilson, director of Windows Client Security Product Management and author of the blog post, "This is a great illustration of the importance of User Account Control and why we included it in the product".

So it looks like Microsoft's commitment to security is paying off; Vista has fewer security flaws, and those flaws it does have are often mitigated by its new features. As Wilson wrote, "Windows Vista is proving to be the most secure version of the Windows to date.""

We could argue this all day but since neither you have the slightest clue about the topic I don't realy see the point.

Toodles.

EmperorDarius
Mar 18, 2009, 02:39 PM
--

I was just showing how quickly an exploit was made for UAC...and guess what, Microsoft waited a year to release an update. Oh, and how many people actually are using SP1? Considering the terrible instability and buggyness of the Windows Service Packs?

If you really think that you're safer just because you get a stupid alert for everything a program does, well, too bad for you. I couldn't care less.

I'm not gonna waste my time trying to prove you something so obvious, so now go back to your shitfull OS and let's end this useless discussion.

BongoBanger
Mar 18, 2009, 06:20 PM
I was just showing how quickly an exploit was made for UAC...and guess what, Microsoft waited a year to release an update. Oh, and how many people actually are using SP1? Considering the terrible instability and buggyness of the Windows Service Packs?

If you really think that you're safer just because you get a stupid alert for everything a program does, well, too bad for you. I couldn't care less.

I'm not gonna waste my time trying to prove you something so obvious, so now go back to your shitfull OS and let's end this useless discussion.

Well netstats show that the vast majority of Vista users have SP1 installed.

Oh and thanks for the insults. It just goes to show that like most fanboys you simply don't have anything in the locker when you're called to provide facts.

And while we're on the subject of exploits and waiting to patch them perhaps you could explain why Apple allowed Safari to be nuked within seconds again at CanSecWest 2009 and why its password based security failed to prevent this?

http://blogs.zdnet.com/security/?p=2917

Wiped out in seconds two years running. Oh my.

r.j.s
Mar 18, 2009, 07:05 PM
http://blogs.zdnet.com/security/?p=2917

You do know that no software is perfect right, and since he was well prepared it should have been no surprise ...

Miller said he came to the CanSecWest security conference with a plan to hack into Safari and had tested the exploit carefully to ensure “it worked the first time.”

synth3tik
Mar 18, 2009, 07:11 PM
A well-regarded security consultant

regarded by whom? That's what I love about media.

Where would we be without blogs

r.j.s
Mar 18, 2009, 07:16 PM
And while we're on the subject of exploits and waiting to patch them perhaps you could explain why Apple allowed Safari to be nuked within seconds again at CanSecWest 2009 and why its password based security failed to prevent this?

So, you do know that neither XP or Vista were in this year's contest, correct?

And that ONLY IE8 was being tested, not the IE7 being run my most users.

http://cansecwest.com/post/2009-03-18-01:00:00.PWN2OWN_Final_Rules

Sounds like OS X was the priority again this year.

dejo
Mar 18, 2009, 07:18 PM
Where would we be without blogs
Living in a world with much greater journalistic integrity I would hope.

BongoBanger
Mar 19, 2009, 04:18 AM
So, you do know that neither XP or Vista were in this year's contest, correct?

And that ONLY IE8 was being tested, not the IE7 being run my most users.

http://cansecwest.com/post/2009-03-18-01:00:00.PWN2OWN_Final_Rules

Sounds like OS X was the priority again this year.

No, Safari was the priority because it's so easy to break. Look at the screenshot:

http://blogs.zdnet.com/security/?p=2917

All of the hackers went for Safari first because it's the easiest of the three to hack. Of course, IE8 and Firefox fell too but that required a bit more effort.

The point here is that no operating system or browser is inherently safe and if people want to find a way in they will. CanSecWest 2009 demonstrates it is perfectly possible to hack a Mac through social engineering - which, of course, is where the vast majority of consumer hacking efforts are targetted - in the same way it is perfectly possible to hack a Windows machine. Once you realise that essential point you see why security by obscurity actually is the best argument for why Macs are pretty safe at the moment. This may, however, not always be the case.

Password validation and UAC protect us from most of these threats. Common sense should hopefully do the rest. The OS X security system is sound - as is Vista's (XP's default was weak; I would never argue on that point) - it's up to us to do the rest.

OttawaGuy
Mar 25, 2009, 03:56 AM
Any more information surface regarding this situation?

pdjudd
Mar 25, 2009, 11:10 AM
No, Safari was the priority because it's so easy to break.


The guy that did it was also well prepared - he had a hack that he prepared a year ago that he knew was going to work. Hacking windows was old hat and he wanted to replace the success he had last year to get a lot of attention - by using the same method he did last year. In summary he was showing off by choosing a target that has big publicity. Big deal.

BongoBanger
Mar 25, 2009, 11:34 AM
The guy that did it was also well prepared - he had a hack that he prepared a year ago that he knew was going to work. Hacking windows was old hat and he wanted to replace the success he had last year to get a lot of attention - by using the same method he did last year. In summary he was showing off by choosing a target that has big publicity. Big deal.

Which would be true if the guy who cracked all three browsers - Nils - hadn't also confirmed that Safari on a Mac is one of the easiest to break. The easiest was apparently FireFox on a Mac.

Also Miller used a different method from 2008 just as Nils used a third one for his Safari hack.

Here's an interesting interview with Nils:

http://blogs.zdnet.com/security/?p=2951

Once again, don't kid yourself. Security is the individual's responsibility and we're all accountable for it regardless of browser and OS used.

pdjudd
Mar 25, 2009, 12:49 PM
Which would be true if the guy who cracked all three browsers - Nils - hadn't also confirmed that Safari on a Mac is one of the easiest to break. The easiest was apparently FireFox on a Mac.
We only have his word on that. One opinion of one guy who discovered the flaw. Again, I say he's showboating. He held off for a whole year so that he could maximize his fame.

Also Miller used a different method from 2008 just as Nils used a third one for his Safari hack.

You misunderstand me. He used the same methodology - he just went to a website that he exploited by knowing of a hack well before the contest began. That's why the exploit too so little time - everything was done before. Same method as last year. It was a dfferent exploit but I never claimed that it was the same exploit.

Once again, don't kid yourself. Security is the individual's responsibility and we're all accountable for it regardless of browser and OS used.
Where did I ever say antyhing that would indicate that? I have never denied that the weakest point in security is teh user. My only beef is the notion that macs can be hacked in seconds when that is disengenuous at best. THe only thing that takes seconds is the time for teh exploit to run after going to a vulnerable website. We don't know how long Nils took to discover the exploit or how long it took to take advantage of said exploit. We do know (i think from his own admission) that he sat on this for quite awhile and I do also recall that he never reported it. That is darn unethical

petermcphee
Mar 25, 2009, 12:59 PM
We don't know how long Nils took to discover the exploit or how long it took to take advantage of said exploit. We do know (i think from his own admission) that he sat on this for quite awhile and I do also recall that he never reported it. That is darn unethical

I require more ethics from my hackers. Insist on quality.