Go Back   MacRumors Forums > News and Article Discussion > MacRumors.com News Discussion

Reply
 
Thread Tools Search this Thread Display Modes
Old Feb 9, 2013, 08:38 AM   #126
AidenShaw
macrumors G5
 
AidenShaw's Avatar
 
Join Date: Feb 2003
Location: The Peninsula
Quote:
Originally Posted by FloatingBones View Post
...
At the same time, we continue to get 0-day security risks for Flash.
This is not a zero-day exploit.
__________________
6 October 2014 - the day that the debate about marriage equality ended. And equality prevailed.
AidenShaw is offline   0 Reply With Quote
Old Feb 9, 2013, 08:51 AM   #127
FloatingBones
macrumors 65816
 
FloatingBones's Avatar
 
Join Date: Jul 2006
Quote:
Originally Posted by AidenShaw View Post
Quote:
Originally Posted by FloatingBones View Post
...
At the same time, we continue to get 0-day security risks for Flash.
This is not a zero-day exploit.
From Computerworld (Friday, February 8, 2012):

Quote:
Adobe releases emergency Flash fixes for two zero-day bugs
[...]
As part of that schedule, Adobe was to ship a Flash Player update next Tuesday, but it instead released the fixes early. In a Thursday advisory, Adobe confirmed that the update patched two vulnerabilities, designated CVE-2013-0633 and CVE-2013-0634. Not surprisingly, it rated the update critical: Criminals have been exploiting both vulnerabilities for an undisclosed amount of time.

"Adobe is aware of reports that CVE-2013-0633 is being exploited in the wild in targeted attacks designed to trick the user into opening a Microsoft Word document delivered as an email attachment which contains malicious Flash content," stated the advisory.

The second vulnerability, CVE-2013-0634, has been used in a similar fashion against Windows targets, but has also been exploited during "drive-by" attacks against Firefox and Safari users on the Mac, said Adobe. A drive-by attack requires only that a victim be duped into browsing to a malicious website hosting an exploit.
That's the quintessence of a zero-day attack -- two zero-day attacks.

@Aiden: the MR article quoted the section of the ARS Technica article explicitly noting these as "in the wild" attacks. Did you read the article before commenting on it?

Last edited by FloatingBones; Feb 9, 2013 at 09:35 AM.
FloatingBones is offline   1 Reply With Quote
Old Feb 9, 2013, 09:57 AM   #128
BigBeast
macrumors 6502a
 
Join Date: Mar 2009
What I don't like is the ambiguity of the notification. Apple should know better. I get a random popup telling me that I need to update my Flash plain, yet when I go to Flash Player in sys prefs, it says Flash is up to date. It also doesn't help that Apple took away the icon in Safari that showed if the site had been verified or not.
__________________
2012 cMBP 2.6GHz Core i7 16gb 512 SSD iPhone 5S iPad Air
BigBeast is offline   0 Reply With Quote
Old Feb 9, 2013, 12:08 PM   #129
FloatingBones
macrumors 65816
 
FloatingBones's Avatar
 
Join Date: Jul 2006
Quote:
Originally Posted by BigBeast View Post
What I don't like is the ambiguity of the notification. Apple should know better. I get a random popup telling me that I need to update my Flash plain, yet when I go to Flash Player in sys prefs, it says Flash is up to date. It also doesn't help that Apple took away the icon in Safari that showed if the site had been verified or not.
You're right -- it's good to be suspicious of pop-up messages you've never seen before. The malware notifications have been around since Snow Leopard, but many people have never seen them until this week.

Adobe provides the system preferences module. If it fails to report that there's a new version of Flash available, that sounds like Adobe's problem. After all the zero-day Flash exploits through the years, don't you think that Adobe would regard their version-checking software as mission-critical?

In the big scheme of things, a swift intervention to catch a zero-day exploit sounds like small potatoes. How many icons do you use to complain about websites that have failed to rid themselves of Flash code? How many would you have put in a posting if your computer had gotten infected by CVE-2013-0634?
FloatingBones is offline   0 Reply With Quote
Old Feb 9, 2013, 01:46 PM   #130
Lancer
macrumors 68000
 
Join Date: Jul 2002
Location: Australia
Quote:
Originally Posted by JaySoul View Post
Flash, Flash, why do you crash?
Plenty of sites rely on flash to run, no flash no access.
Lancer is offline   0 Reply With Quote
Old Feb 9, 2013, 02:24 PM   #131
John.B
macrumors 68040
 
Join Date: Jan 2008
Location: Flyover Country
Quote:
Originally Posted by musicpaladin View Post
Excuse me. I am one of the administrators (though not of as many systems as that) of a network which is mixed Mac/Windows network. Apple's enterprise system management leaves MUCH to be desired especially in a mixed environment. It is much easier and more trivial to push out a group policy than one of these commands. It would help if Apple's AD integration worked halfway decently.

...

We don't want to be cleaning up computers, but we also don't want apple flipping a switch and instantly rendering the tools that we use on a day to day basis instantly inoperable indefinitely while there is no update available to patch the hole. Users (at least the ones that work for us) are far more irritated when the whole organization can't do their day to day job than individual isolated computers being compromised.

Disabling third party software such as Java is not increasing security. It's called crippling someone else's system.

I say again: suppose a company uses a java based tool. Apple flips a switch and makes it useless. What would you tell them?
Quote:
Originally Posted by MagnusVonMagnum View Post
WTF doesn't Apple just give a warning and make the user DECIDE whether to disable it or not rather than just go around shutting down computers willy nilly without the users' permission? This strikes me as an invasion of privacy and frankly as pointed out with Java, it can do more damage than an actual threat in some cases if there's no update to move to (as was the case with Java at one point).
Quote:
Originally Posted by wood_e View Post
This Xprotect blocking is a PURE NIGHTMARE for enterprise users. I manage over 60 macs and updating each one by hand is such a PITA...
How is it that you guys claim to be "Mac admins" but don't know the first thing about security update settings on a Mac?

Quote:
Originally Posted by cerote View Post
Can't it just be turned off then? There are other solutions if it is causing this much of an issue.
Yes.

http://support.apple.com/kb/HT1338

Uncheck the box that says "Install system data files and security updates":

__________________
Apple develops an improved programming language. Google copied Java. Everything you need to know, right there.
MD388LL/A MG632LL/A ME344LL/A MD199LL/A MC572LL/A MD481LL/A FB463LL/A FC060LL/A
John.B is offline   1 Reply With Quote
Old Feb 9, 2013, 03:26 PM   #132
FloatingBones
macrumors 65816
 
FloatingBones's Avatar
 
Join Date: Jul 2006
Quote:
Originally Posted by Lancer View Post
Plenty of sites rely on flash to run, no flash no access.
That doesn't really make a lot of sense: you make it sound as if these sites are cast in concrete and cannot change. There are already hundreds of millions of computers that can't run Flash in their browser; what are those sites doing to run on those computers?

Zero-day Flash/Java exploits are coming at alarming frequency. Any website owner still relying on Flash to deliver their content needs to have their head examined.
FloatingBones is offline   3 Reply With Quote
Old Feb 9, 2013, 03:35 PM   #133
MagnusVonMagnum
macrumors 68040
 
MagnusVonMagnum's Avatar
 
Join Date: Jun 2007
Quote:
Originally Posted by nagromme View Post
Apple never shuts down your Mac remotely, and when they issue an urgent security update like this, it doesn't secretly collect any private information from you.
I think you are hanging on the literal words "shut down" rather than what was implied (i.e. them throwing a switch to prevent you from running something you may want to run).

Quote:
If a user doesn't know how to use a different browser, and doesn't know how
Using a different browser won't re-enable Java if Apple puts it on their block list since it's a system wide plugin (although Firefox CAN still disable it for their own browser DESPITE it being re-enabled for Safari).

Quote:
to uncheck a box in Security preferences, then they aren't going to know how answer that question you think should be asked. They are not the expert able to judge the magnitude of the threat, and getting malware is almost NEVER going to be better than losing access to some app temporarily until you get tech support to install a workaround (or until an automatic patch comes along--in this case, instantly).
Who actually got any flipping Malware??? One can debate about the tiny POSSIBILITY of getting malware accidentally with something like Flash, but it's an absolute CERTAINTY that your computer will be blocked from running things you may want to run when Apple puts something on their list (unless you have chosen ahead of time to not download safe download updates; the problem is there's a huge difference between wanting to be warned about "downloads" and just out and out blocking a major part of the computer's capability (whether Flash or Java).

Quote:
Leaving that kind of highly technical research and decision to a user who doesn't even understand the basic factors is asking for trouble on a scale
Dictators and the like have used similar words to take rights away from the people (who are always too ignorant to make decisions for themselves). Sadly, Apple is acting like a dictator here rather than warning people with an OPTION. Apple isn't too good about options, historically, though so I'm not surprised.

Quote:
Windows knows all about.... The choice you want from Apple IS there, but it's for knowledgeable users, not thrown in the face of people who won't know what to do with it.
Changing the setting AFTER the fact won't do any good without editing the Plist and that's beyond just "knowledgeable" IMO. And by turning off ALL security updates you've also blocked true threats like Trojan warnings that SHOULD be on the list at all times (whereas Flash and Java are legit apps with vulnerabilities that present a certain risk level, not malware themselves; OSX is the same way. It can have a known vulnerability. Should Apple shut down all Macs until they can update OSX? That would be absurd an that's why Apple doesn't do it. They just keep quiet and update the security settings and rarely mention specifics.

Quote:
The problem is not Apple, it's Flash and Java being insecure--people ought to write to THEM saying how vital Flash and Java are, and demanding better security. Security is a feature just as vital--and to a LOT more people--than browser-based Java or Flash.
Do you have ANY idea how many vulnerabilities have been found in OSX and Windows over the years? You act like this issue is something related only to Java and Flash. Again, the primary difference is Apple won't disable their entire OS, but they apparently won't hesitate to block Java and Flash.

Quote:
Originally Posted by FloatingBones View Post
The complaints that Apple is "taking over" machines is nonsense. Anyone with admin privileges on a Mac can turn off this mechanism in their security settings. Apple has provided a great mechanism to secure their computers, they are actively using it, and they even provide a simple means for those not wanting to use it to turn it off. None of the complainers here show understanding of how that mechanism works.
As I said to the other person above, turning off the safe download function AFTER it's disabled something like Java or Flash won't do you any good without going in and removing the program in question off the Plist and there is not user GUI access to that list so you'll have to manually edit it. The setting in the Security Preference Pane is simply a way to disable AUTOMATIC updates to that list; it doesn't remove things from the list that are already there. Besides, exactly who wants to DISABLE *ALL* security updates just to avoid having Apple turn off Flash or Java with no option to even temporarily re-enable them without jumping through hoops?

In other words, there's a BIG difference between a known trojan or worm and a vulnerability/exploit in something like Java. The former should always be on EVERYONE's list and NEVER removed from it while the latter is blocking something legit from running that has some risk attached to it (e.g. playing Scrabble on Pogo.com doesn't really quality as much of a "risk" to approve Java to run anyway despite the exploit. Apple should give a warning in those circumstances and offer to block or not block it. They should also have a GUI editable list for such things to add/remove it at the user's own risk (thus absolving Apple from any fault and making life tolerable for those that need to run certain things like Java regardless of a small threat that only occurs if you run an actual bogus application (not going to happen on a trusted site unless the entire site was hijacked or something).

Quote:
If Apple hadn't drawn that line in the sand with the iPhone back in 2007, imagine how much worse the malware problem would be today.
Yes, because Android smart phones are just rampant with people getting their stuff stolen because Flash is available for it.
__________________
Mac Mini Server 2012 (2.3GHz Quad i7, 8GB, 2x1TB RAID 0) ; External 12x Memorex Blu-Ray USB3, External WD 3x3TB,1x2TB HD USB3)
15" Matte MBP 2.4GHz, 4GB/500GB, NVidia 8600M GT; 3 ATV; 2 iPod Touch
MagnusVonMagnum is offline   1 Reply With Quote
Old Feb 9, 2013, 05:16 PM   #134
matdes
macrumors newbie
 
Join Date: Feb 2013
Quote:
Originally Posted by BornAgainMac View Post
I never hear any problems with Microsoft Silverlight. Is it extremely secure or just nobody uses it or cares?
We use it daily in EMS for some of the charting software, no issues for me so far in past 4 years.
matdes is offline   0 Reply With Quote
Old Feb 9, 2013, 06:53 PM   #135
Roc P.
macrumors regular
 
Join Date: Feb 2012
Location: Long Island
I honestly didn't even know about this! I feel kind of naive to be honest.

All I know is last night while on Facebook I got a popup from Apple saying Flash needed to be updated. So I opened up System Preferences to see what version of Flash I had and went to Adobe's site to see what the current version was.

The version on Adobe's site was newer so that led me to believe the popup I got was right and I downloaded the current version of Flash from Adobe and installed it.

I had no idea there was ever any security issues
Roc P. is offline   0 Reply With Quote
Old Feb 9, 2013, 07:10 PM   #136
Lancer
macrumors 68000
 
Join Date: Jul 2002
Location: Australia
Quote:
Originally Posted by FloatingBones View Post
That doesn't really make a lot of sense: you make it sound as if these sites are cast in concrete and cannot change. There are already hundreds of millions of computers that can't run Flash in their browser; what are those sites doing to run on those computers?

Zero-day Flash/Java exploits are coming at alarming frequency. Any website owner still relying on Flash to deliver their content needs to have their head examined.
I'm not saying they can't change I'm just saying what they are now using, it's like cars mostly run on petrol (Gasoline for those in the US) but there are also some that run of diesel it doesn't mean the manufactures are going to all switch to bio-fuels because it is better for the environment. Fact is many sites partly or solely use Java and it's going to take time for them to switch to better code.
Lancer is offline   0 Reply With Quote
Old Feb 9, 2013, 08:01 PM   #137
FloatingBones
macrumors 65816
 
FloatingBones's Avatar
 
Join Date: Jul 2006
Quote:
Originally Posted by MagnusVonMagnum View Post
I think you are hanging on the literal words "shut down" rather than what was implied (i.e. them throwing a switch to prevent you from running something you may want to run).
Your messages in this discussion have been ambiguous. Who is the "you" you're talking about? Who has been disenfranchised? I'm confident that MagnusVonMagnum knows how to hack plists, so it clearly wasn't you. In other words, the "you" you keep referencing is some hypothetical person...

Quote:
Who actually got any flipping Malware?
Neither you nor Aiden seem to have carefully read the article you're commenting on.

The Adobe security bulletin was quite explicit: CVE-2013-0634 is being exploited in the wild in attacks delivered via malicious Flash (SWF) content hosted on websites that target Flash Player in Firefox or Safari on the Macintosh platform. I'm taking Adobe's report at face value: this is a real zero-day attack. Do you have some reason to disagree?

Quote:
but it's an absolute CERTAINTY that your computer will be blocked from running things you may want to run when Apple puts something on their list [SNIP]
Again, the "your" is referring to some hypothetical user who you assume has been disenfranchised, and you think you're qualified to speak for this hypothetical person.

Quote:
there's a huge difference between wanting to be warned about "downloads" and just out and out blocking a major part of the computer's capability (whether Flash or Java).
Please read the article: all a user had to do was upgrade to the current version of Flash and they could proceed. If "you" don't want that checking to happen in the future, then turn it off.

Quote:
Dictators and the like [SNIP]
Oh, please. Dictators don't give people an option of overriding the check, and they don't provide plists for people to manually edit. Do we really need to invoke Godwin's Law in this discussion?

Quote:
Flash and Java are legit apps with vulnerabilities that present a certain risk level, not malware themselves; OSX is the same way.
Apple clearly disagrees, and I think Apple is completely right in their comprehensive response to this clear and present malware attack.

Quote:
It can have a known vulnerability. Should Apple shut down all Macs until they can update OSX?
Please explain why your hypothetical about an OS X problem is remotely comparable to what happened this last week. Note: please actually read the Adobe security advisory before responding.

Quote:
Do you have ANY idea how many vulnerabilities have been found in OSX and Windows over the years? You act like this issue is something related only to Java and Flash.
Why do you think the ancient history of malware pertinent in this discussion? What's pertinent is the malware threats present today.

Quote:
As I said to the other person above, turning off the safe download function AFTER it's disabled something like Java or Flash won't do you any good without going in and removing the program in question off the Plist and there is not user GUI access to that list so you'll have to manually edit it.
What a convoluted statement! Again, the "you" in that spaghetti-statement clearly isn't you. For some quaint reason, you presume to speak for some hypothetical disenfranchised person with hypothetical outrage over some hypothetical "dictator".

If some real person wants to actually complain, let them complain. But you're clearly not that person.

Quote:
Besides, exactly who wants to DISABLE *ALL* security updates just to avoid having Apple turn off Flash or Java with no option to even temporarily re-enable them without jumping through hoops?
Nonsense. The only thing anyone had to do was to update Flash to the current version.

Quote:
In other words, there's a BIG difference between a known trojan or worm and a vulnerability/exploit in something like Java.
You presume there's a difference. Apple clearly does not, and I agree with them. I personally am quite happy they're taking such an active stance against malware.

Quote:
The former should always be on EVERYONE's list and NEVER removed from it while the latter is blocking something legit from running that has some risk attached to it (e.g. playing Scrabble on Pogo.com doesn't really quality as much of a "risk" to approve Java to run anyway despite the exploit.
That's your opinion. The fault with your position: if Java/Flash is enabled, then the computer is vulnerable to the current batch of zero-day exploits. Users are vulnerable to both general attacks and spear phishing using those exploits.

What's fascinating to me is that you have no anger towards Oracle and Adobe for failing to button down the security on their applications. Year after year, the exploits continue to happen; these third-party vendors fail to address them. Oracle even uses Java updates as an opportunity to install deceptive software on PCs. You have no anger about any of that? Really?

Quote:
Yes, because Android smart phones are just rampant with people getting their stuff stolen because Flash is available for it.
Really? iOS devices are far more secure than Android ones. Do you disagree?


Quote:
Originally Posted by Lancer View Post
I'm not saying they can't change I'm just saying what they are now using, it's like cars mostly run on petrol (Gasoline for those in the US) but there are also some that run of diesel it doesn't mean the manufactures are going to all switch to bio-fuels because it is better for the environment.
The analogy is fundamentally flawed. Those websites had to already ditch their Java and Flash code, or they could not be run on the 400M+ iOS devices and other mobile devices that cannot run plugins.

Last edited by FloatingBones; Feb 9, 2013 at 09:57 PM.
FloatingBones is offline   1 Reply With Quote
Old Feb 10, 2013, 10:22 AM   #138
Ant0ine
macrumors newbie
 
Join Date: Feb 2013
FYI, you can capture individual windows by doing this: ⇧⌘4, space, and click on the window you want to capture.
Ant0ine is offline   0 Reply With Quote
Old Feb 10, 2013, 03:17 PM   #139
MagnusVonMagnum
macrumors 68040
 
MagnusVonMagnum's Avatar
 
Join Date: Jun 2007
Quote:
Originally Posted by FloatingBones View Post
Your messages in this discussion have been ambiguous. Who is the "you" you're talking about? Who has been disenfranchised? I'm confident that MagnusVonMagnum knows how to hack plists, so it clearly wasn't you. In other words, the "you" you keep referencing is some hypothetical person...
I've seen plenty of unhappy people on these forums regarding Apple disabling Java and Flash. Whether it's the principle of the matter or they genuinely don't know how to reenable them is not my concern. My quibble is with how Apple is handling this issue. They could easily offer a simple yes or no option with a warning rather than just disabling something that a user may need (as in the case of several people on here with Java in the past couple of weeks). Whether I know how to do something is irrelevant. The topics of discussion have been about Apple's handling of the matter and that is what I'm addressing. I don't think just disabling something entirely is a good way to proceed when they could offer more options. They could have a GUI list of blocked apps and let the user choose to override if needed. Requiring a user to edit a Plist is hardly the "Apple" or "Mac" way. Surely, you would agree to that much.

Quote:
Neither you nor Aiden seem to have carefully read the article you're commenting on.
I'm not commenting on a specific article or this one specific incident, but rather how their block list is set up and what's required of the user to get around if they feel they NEED to still use something like Java. Yes, in this case Flash could be immediately updated, but that was NOT the case with Java and it clearly shows how the system works when an update is not available but a threat is identified. It is clearly not handled well. It's treating the user like a grade school child. Whether they have the technical know-how to bypass it is irrelevant. Apple could handle things in a more appropriate manner.

Quote:
Firefox or Safari on the Macintosh platform[/B][/I]. I'm taking Adobe's report at face value: this is a real zero-day attack. Do you have some reason to disagree?
I disagree that just disabling things without an option to override for people without the skills to do it themselves is a bad way to run a business. No one is suggesting Apple shouldn't warn the user and offer to disable the program in question. Forcing it disabled is another matter entirely. The Java threat was hardly threatening, particularly if a user has "high" level security enabled and Java apps cannot run without approval (i.e. if you're on a site like Pogo.com and you know the Scrabble App is the one requesting to run, it's a pretty safe bet that it's not going to take over your computer regardless of the vulnerability on some unknown site).

Quote:
Again, the "your" is referring to some hypothetical user who you assume has been disenfranchised, and you think you're qualified to speak for this hypothetical person.
And who are YOU qualified to speak for? You seem to be arguing long and hard on a specific position and like to bring up IRRELEVANT things like "who is YOU?", but apparently have no argument or logic what-so-ever to counter the arguments presented or you'd have something useful to say rather than wasting my time.
Quote:
Oh, please. Dictators don't give people an option of overriding the check, and they don't provide plists for people to manually edit. Do we really need to invoke Godwin's Law in this discussion?
The ability to override Apple's security does not discount their methods and as I said, disabling security overrides AFTER the fact will not help. But again, you ignore all the arguments and logic presented and just harp on your view that turning off all security forever is a good solution to a specific problem when it clearly is not.


Quote:
Apple clearly disagrees, and I think Apple is completely right in their comprehensive response to this clear and present malware attack.
That is your right to to have that opinion, but I personally think it's a really bad one but that is the same reason I've argued against Apple's approach in both threads. Your computer is not their property to disable valid programs. Security threats like trojans are completely different from turning off what to some people are vital systems (i.e. people who need Java for work, for example).

Quote:
Please explain why your hypothetical about an OS X problem is remotely comparable to what happened this last week. Note: please actually read the Adobe security advisory before responding.
There is nothing hypothetical about past security vulnerabilities in OSX. Apple has patched numerous flaws in OSX in the past. They never once disabled anyone's computer until they came up with a security update, however. Your inability to even comprehend the most basic logical argument makes this discussion pointless. IMO.

Quote:
Why do you think the ancient history of malware pertinent in this discussion? What's pertinent is the malware threats present today.
Those who ignore history are doomed to repeat it. That reason alone is enough to look at any form of history. Your mission in life, however, seems to be to try and win an argument at all cost, even when you have absolutely not logical basis to base an argument upon. You just keep repeating yourself and seem to want to talk only about this one particular case and ignore the problems with the Java block (hardly "ancient" by anyone's account). In point of fact, I've only had a Macintosh since 2006. I'd hardly call anything from that time period "ancient" either and yet I've had dozens of security updates for OSX in that time frame.

Quote:
Again, the "you" in that spaghetti-statement clearly isn't you. For some quaint reason, you presume to speak for some hypothetical disenfranchised person with hypothetical outrage over some hypothetical "dictator".
You prefer to invent strawmen than actually deal with the argument at hand. You keep harping on about the use of the word "you" rather than deal with the discussion at hand. It's blatantly obvious you have no clue what to say other than to try and use a lot of words and hope that people are fooled by lines of text rather than making a cogent point.

Quote:
Nonsense. The only thing anyone had to do was to update Flash to the current version.
Again, that was not the case with Java less than two weeks ago. But that's "ancient history" to you? How has Apple fixed the problems presented since then? By waiting until an update was available? That's coincidence and not a fix for their methods.
__________________
Mac Mini Server 2012 (2.3GHz Quad i7, 8GB, 2x1TB RAID 0) ; External 12x Memorex Blu-Ray USB3, External WD 3x3TB,1x2TB HD USB3)
15" Matte MBP 2.4GHz, 4GB/500GB, NVidia 8600M GT; 3 ATV; 2 iPod Touch
MagnusVonMagnum is offline   1 Reply With Quote
Old Feb 11, 2013, 06:53 PM   #140
FloatingBones
macrumors 65816
 
FloatingBones's Avatar
 
Join Date: Jul 2006
Quote:
Originally Posted by MagnusVonMagnum View Post
I'm not commenting on a specific article or this one specific incident
Of course you did! In this thread, you said:

Quote:
Originally Posted by MagnusVonMagnum View Post
Who actually got any flipping Malware???
The Adobe security bulletin was quite explicit: CVE-2013-0634 is being exploited in the wild in attacks delivered via malicious Flash (SWF) content hosted on websites that target Flash Player in Firefox or Safari on the Macintosh platform. I am also baffled why Adian said that this wasn't a zero-day attack. The attacks are really happening, and real people are being harmed.

OTOH, you are not being wronged with Apple's anti-malware efforts. You are clearly clever enough to hack the plists if you needed to do that. You're complaining on behalf of some hypothetical user. I've gotta ask: why don't you just let those [hypothetically wronged] users speak for themselves?

Quote:
And who are YOU qualified to speak for?
Bingo. That's the exact question you need to ask yourself, Magnus. If some real user was harmed by Apple's system, they should speak for themselves. You were clearly not harmed.
FloatingBones is offline   0 Reply With Quote
Old Feb 11, 2013, 07:14 PM   #141
Cubytus
macrumors 65816
 
Join Date: Mar 2007
Quote:
Originally Posted by Ricanlegend View Post
Does anybody use flash anymore ? I been blocking flash for 4 years
Trying to run Flash-free for the past 4 months. So hard to quit I thought I would relapse. At times only when Safari for iOS is detected will the website display its available non-Flash version.

Quote:
Originally Posted by BornAgainMac View Post
I never hear any problems with Microsoft Silverlight. Is it extremely secure or just nobody uses it or cares?
Both

Quote:
Originally Posted by scaredpoet View Post
(...)
No, people need to stop making users "do actual work" using poor platform choices and insecure software. Flash and Java's times are over. I'm glad Apple is doing this, because it highlights the fact that these plugins need to go.
Couldn't state it more clearly.

Quote:
Originally Posted by FloatingBones View Post
(...)

Really? iOS devices are far more secure than Android ones. Do you disagree?
I would take something to substantiate it with, not that I disagree, far from it.
__________________
Ubuntu and Mac OS X user means sacrilege both to Mac and GNU/Linux communities.
Stop ranting, give feedback: http://www.apple.com/feedback
Online, my trilingual blog
Cubytus is offline   0 Reply With Quote
Old Feb 11, 2013, 08:49 PM   #142
AidenShaw
macrumors G5
 
AidenShaw's Avatar
 
Join Date: Feb 2003
Location: The Peninsula
Quote:
Originally Posted by FloatingBones View Post
That's the quintessence of a zero-day attack -- two zero-day attacks.
There are no known zero-day attacks, on any platform.



Quote:
Originally Posted by FloatingBones View Post
Neither you nor Aiden seem to have carefully read the article you're commenting on.
You claim to carefully read, but you don't understand what you are reading.
__________________
6 October 2014 - the day that the debate about marriage equality ended. And equality prevailed.

Last edited by AidenShaw; Feb 11, 2013 at 08:58 PM.
AidenShaw is offline   2 Reply With Quote
Old Feb 11, 2013, 10:25 PM   #143
AidenShaw
macrumors G5
 
AidenShaw's Avatar
 
Join Date: Feb 2003
Location: The Peninsula
Quote:
Originally Posted by Cubytus View Post
Ubuntu and Mac OS X user means sacrilege both to Mac and GNU/Linux communities.
LOL agree.

Debian is the bastard child of Linux, and Ubuntu is the bastard child of Debian.

It's so sad that many people think that Linux is an OS, not a war among different tribes succeeding in tearing it apart.
__________________
6 October 2014 - the day that the debate about marriage equality ended. And equality prevailed.

Last edited by AidenShaw; Feb 11, 2013 at 10:44 PM.
AidenShaw is offline   0 Reply With Quote
Old Feb 12, 2013, 04:33 AM   #144
FloatingBones
macrumors 65816
 
FloatingBones's Avatar
 
Join Date: Jul 2006
Quote:
Originally Posted by AidenShaw View Post
There are no known zero-day attacks, on any platform.
Aiden, it's sort of a bizarre thing to say without explaining your claim. Adobe's report directly contradicts what you say:

Quote:
Adobe is also aware of reports that CVE-2013-0634 is being exploited in the wild in attacks delivered via malicious Flash (SWF) content hosted on websites that target Flash Player in Firefox or Safari on the Macintosh platform, as well as attacks designed to trick Windows users into opening a Microsoft Word document delivered as an email attachment which contains malicious Flash (SWF) content.
You're clearly denying what Adobe is saying -- yet none of the media is challenging their factual claims. Why should we believe you? Your definition of "zero-day attack" clearly disagrees with the wikipedia definition or computer security expert Steve Gibson's use of the word (here's an example from his podcast).

Quote:
You claim to carefully read, but you don't understand what you are reading.
Then please explain yourself. Please tell us what's wrong with the usage of the concept that Adobe, Ars Technica, Steve Gibson, MacRumors, and others are using. Please tell us why you think that the CVE-2013-0634 report is fiction.

Making the one-line claim without explaining yourself contributes nothing to the discussion.
FloatingBones is offline   0 Reply With Quote
Old Feb 12, 2013, 07:47 AM   #145
AidenShaw
macrumors G5
 
AidenShaw's Avatar
 
Join Date: Feb 2003
Location: The Peninsula
Quote:
Originally Posted by FloatingBones View Post
Aiden, it's sort of a bizarre thing to say without explaining your claim.
There are no known zero-day exploits, there are only unknown zero-day exploits.

Quote:
"A zero-day (or zero-hour or day zero) attack or threat is an attack that exploits a previously unknown vulnerability in a computer application, meaning that the attack occurs on "day zero" of awareness of the vulnerability.[1] This means that the developers have had zero days to address and patch the vulnerability. Zero-day exploits (actual software that uses a security hole to carry out an attack) are used or shared by attackers before the developer of the target software knows about the vulnerability."

http://en.wikipedia.org/wiki/Zero-Day_Attack
Once the exploit is known, it is no longer zero-day. This exploit is not only known, but a patch is available. It is not a zero-day attack.


Quote:
Originally Posted by FloatingBones View Post
Making the one-line claim without explaining yourself contributes nothing to the discussion.
One can always hope that it would trigger someone into looking up the definition of the term, and realize that it was being mis-used.
__________________
6 October 2014 - the day that the debate about marriage equality ended. And equality prevailed.
AidenShaw is offline   0 Reply With Quote
Old Feb 12, 2013, 08:07 AM   #146
Tech198
macrumors 601
 
Join Date: Mar 2011
Location: Australia, Perth
I think i've opened up a can of worms

Lets see... Which came first, the chicken, or the egg.
__________________
13" MBPR, i5, 256Gig SDD, 8 Gig Ram, Apple TV, iPhone 5S 16Gig, iPad 4th Gen 16Gig, Mac Mini 2.3Ghz i7, 1TB HD
"There are no stupid questions, just stupid people."
Tech198 is offline   0 Reply With Quote
Old Feb 12, 2013, 12:48 PM   #147
MagnusVonMagnum
macrumors 68040
 
MagnusVonMagnum's Avatar
 
Join Date: Jun 2007
Quote:
Originally Posted by FloatingBones View Post
The Adobe security bulletin was quite explicit: CVE-2013-0634 is being exploited in the wild in attacks delivered via malicious Flash (SWF) content hosted on websites that target Flash Player in Firefox or Safari on the Macintosh platform. I am also baffled why Adian said that this wasn't a zero-day attack. The attacks are really happening, and real people are being harmed.
Who do you know who was harmed by this "attack" ? Has even a single person on here or any other known site reported that their machine was compromised by this "attack" ? Who was harmed by the Java attacks a couple of weeks ago? Do you know a single person? But in BOTH cases, my machine was disabled by Apple. That's a 100% ATTACK on my computer's operability and in Java's case, there was nothing a normal, non-advanced user could do to restore it until Oracle provided an update. We had NUMEROUS people on here report they could NOT access their banks, medical records/prescriptions, etc. etc. due to their country making extensive use of Java as a platform to access those services/documents. Who did MORE harm here? The supposed hackers (of whom I have yet to see a single person report their computer was maligned in some damaging way) or Apple where I have seen dozens on this site alone reporting their inability to access services they feel they NEED to access. THAT is my point. It's SAD you don't seem to comprehend it.

Quote:
OTOH, you are not being wronged with Apple's anti-malware efforts. You are clearly clever enough to hack the plists if you needed to do that. You're complaining on behalf of some hypothetical user. I've gotta ask: why don't you just let those [hypothetically wronged] users speak for themselves?
This is simply not true. I had to waste my TIME (and time is valuable to me) to look up what was going on (I am new to Mountain Lion and never had such an occurrence happen before so advanced or not, I still have to look up how to bypass it). I had to describe to another family member what to do and it was beyond their comprehension what I was talking about and I could not reasonably expect them to update their Plist. Thus, we could not play online games on Pogo.com until the update. This might seem trivial to you, but in other cases it was prescriptions, banking, etc. and not so trivial. So AGAIN, I reiterate that Apple in its current method is doing MORE HARM than any threat out there because they affect EVERYONE, not just the few that visit some pRoN site or whatever and get infected. Apple could handle this sort of thing MUCH BETTER as I described above. PERIOD.


Quote:
Bingo. That's the exact question you need to ask yourself, Magnus. If some real user was harmed by Apple's system, they should speak for themselves. You were clearly not harmed.
If you would speak for yourself, you'd just say, "I wasn't harmed so I don't care" or something to that effect, but NO, you want to argue and lecture everyone on here that disagrees about it, so I'd say you are NOT speaking JUST for yourself. You're taking up the mantle of all those on Apple's side by making that argument. Instead of arguing the pointed debated, however, you seem to want to come back to the idea that I should only speak for myself and thus concede. How ridiculous an approach is that?

Now please stop wasting my time arguing about your opinion. You're currently doing ME more harm in time wasted than Apple.
__________________
Mac Mini Server 2012 (2.3GHz Quad i7, 8GB, 2x1TB RAID 0) ; External 12x Memorex Blu-Ray USB3, External WD 3x3TB,1x2TB HD USB3)
15" Matte MBP 2.4GHz, 4GB/500GB, NVidia 8600M GT; 3 ATV; 2 iPod Touch
MagnusVonMagnum is offline   2 Reply With Quote
Old Feb 12, 2013, 02:20 PM   #148
FloatingBones
macrumors 65816
 
FloatingBones's Avatar
 
Join Date: Jul 2006
Quote:
Originally Posted by AidenShaw View Post
Once the exploit is known, it is no longer zero-day. This exploit is not only known, but a patch is available. It is not a zero-day attack.
Can you point to a single place where any credible reporter or security expert is using your particular definition of "zero-day attack"? AFAICT, yours is an obfuscation that no credible reporter or security expert is making. Claiming that CVE-2013-0634 isn't a zero-day attack is doing a disservice both to the term and to the discussion here.

Quote:
One can always hope that it would trigger someone into looking up the definition of the term, and realize that it was being mis-used.
And where exactly should we go to find your personal definition? The wikipedia article you reference certainly doesn't say it. If you tried to add such nonsense to the wikipedia page, it would be removed.

You still have done nothing to back up your initial claim:

Quote:
Originally Posted by AidenShaw View Post
This is not a zero-day exploit.
and I see this isn't the only time you've attempted to impose your personal definition of "zero-day" into a MR discussion. Unless you can produce some credible source that actually backs up what you say, I request you stop doing this.

Last edited by FloatingBones; Feb 12, 2013 at 03:13 PM.
FloatingBones is offline   0 Reply With Quote
Old Feb 12, 2013, 08:12 PM   #149
AidenShaw
macrumors G5
 
AidenShaw's Avatar
 
Join Date: Feb 2003
Location: The Peninsula
Quote:
Originally Posted by FloatingBones View Post
Can you point to a single place where any credible reporter or security expert is using your particular definition of "zero-day attack"? AFAICT, yours is an obfuscation that no credible reporter or security expert is making. Claiming that CVE-2013-0634 isn't a zero-day attack is doing a disservice both to the term and to the discussion here.
...

and I see this isn't the only time you've attempted to impose your personal definition of "zero-day" into a MR discussion. Unless you can produce some credible source that actually backs up what you say, I request you stop doing this.
Can *you* produce any evidence to support the claim that an exploit for which a patch is already available is still a "zero-day exploit".

Your "personal definition" of "zero-day" won't stand up to scrutiny.


Quote:
Originally Posted by FloatingBones View Post
The wikipedia article you reference certainly doesn't say it. If you tried to add such nonsense to the wikipedia page, it would be removed.
Let me again quote the opening paragraph of the Wikipedia article:

Quote:
"A zero-day (or zero-hour or day zero) attack or threat is an attack that exploits a previously unknown vulnerability in a computer application, meaning that the attack occurs on "day zero" of awareness of the vulnerability.[1] This means that the developers have had zero days to address and patch the vulnerability. Zero-day exploits (actual software that uses a security hole to carry out an attack) are used or shared by attackers before the developer of the target software knows about the vulnerability."

http://en.wikipedia.org/wiki/Zero-Day_Attack
I don't need to "add nonsense" to the Wikipedia article - it's already in 100% agreement with what I am saying.

How on earth can you continue to blather on about calling a known attack with an available patch a "zero-day" exploit? By definition, labeling the exploit "CVE-2013-0634" removes it from the "zero-day" category, and places it into the "known" category.

This is a known exploit with an available patch. It fits no accepted definition of "zero day" exploit.

Of course, in the blogosphere one can find quotes from confused beings to support about any lame-brained conjecture. You can't shut up stupid.
__________________
6 October 2014 - the day that the debate about marriage equality ended. And equality prevailed.

Last edited by AidenShaw; Feb 12, 2013 at 11:05 PM.
AidenShaw is offline   1 Reply With Quote
Old Feb 13, 2013, 12:16 PM   #150
FloatingBones
macrumors 65816
 
FloatingBones's Avatar
 
Join Date: Jul 2006
Quote:
Originally Posted by AidenShaw View Post
Quote:
Originally Posted by FloatingBones View Post
Can you point to a single place where any credible reporter or security expert is using your particular definition of "zero-day attack"? AFAICT, yours is an obfuscation that no credible reporter or security expert is making. Claiming that CVE-2013-0634 isn't a zero-day attack is doing a disservice both to the term and to the discussion here.
[Silence. No response.] You can't point to a single writeup anywhere backing up your conjecture that a "zero day exploit" ceases to be one once it's discovered.

Quote:
Can you produce any evidence to support the claim that an exploit for which a patch is already available is still a "zero-day exploit".
If you look at the wikipedia article's section about vulnerability window, you'll get your answer: it's a zero-day attack whose vulnerability window has closed. Apple's use of their malware plist to include known exploits of Flash and Java has served to close the vulnerability window on those exploits. Another way to address your question: if a different term existed to describe zero-day attacks whose vulnerability window had closed, then you would be able to name it. But you can't do that -- you ignore the question. If there were some other word, then you would know what it was. Simple.

Quote:
I don't need to "add nonsense" to the Wikipedia article - it's already in 100% agreement with what I am saying.
Actually, wikipedia article fails to support your conjecture -- for exactly the same reason. If we had a separate term to describe a zero-day attack whose vulnerability window had closed, then the wikipedia article would tell us that term. But no such word exists!

Quote:
How on earth can you continue to blather on about calling a known attack with an available patch a "zero-day" exploit?
Please keep the tone respectful, Aiden. I'll repeat the question: what name are you suggesting we use as an alternative name for a zero-day exploit whose window of vulnerability has expired? Why do you find fault with that name?

Quote:
By definition, labeling the exploit "CVE-2013-0634" removes it from the "zero-day" category, and places it into the "known" category.
A known what? Congratulations. You have painted yourself into a semantic corner.
FloatingBones is offline   1 Reply With Quote

Reply
MacRumors Forums > News and Article Discussion > MacRumors.com News Discussion

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Similar Threads
thread Thread Starter Forum Replies Last Post
Adobe Releases Another Emergency Update for Flash MacRumors Mac Blog Discussion 125 Feb 25, 2014 07:11 PM
Apple Enforces Adobe Flash Player Security Upgrade with Updated Malware Definitions MacRumors Mac Blog Discussion 51 Feb 15, 2014 11:04 AM
Adobe Releases 'Critical' Update for Flash After Security Vulnerability Discovered MacRumors Mac Blog Discussion 92 Feb 10, 2014 12:29 PM
Am I The Only One Who Can't Update Adobe Flash Player? 53kyle OS X Mavericks (10.9) 4 Jun 14, 2013 03:29 AM
Apple Updates Anti-Malware Software to Block Older Versions of Adobe Flash Player Plug-in MacRumors MacRumors.com News Discussion 40 Mar 9, 2013 04:46 PM

Forum Jump

All times are GMT -5. The time now is 01:43 PM.

Mac Rumors | Mac | iPhone | iPhone Game Reviews | iPhone Apps

Mobile Version | Fixed | Fluid | Fluid HD
Copyright 2002-2013, MacRumors.com, LLC