Mac Security In Spotlight

Discussion in ' News Discussion' started by MacRumors, Mar 31, 2008.

  1. MacRumors macrumors bot


    Apr 12, 2001

    A MacBook Air running an up to date installation of Mac OS 10.5 Leopard was the first laptop to fall in last week's CanSecWest PWN2OWN contest, casting the spotlight once again on the Mac's security.

    The contest pitted a MacBook Air against a Vista laptop and a Ubuntu Linux laptop, all fully patched. While all 3 laptops did not fall the first day which only allowed attacks against the base OS for a prize of $20,000 (+laptop), the MacBook Air reportedly took only 2 minutes to fall on day 2 when conference rules were relaxed to include all OS-bundled software for a prize of $10,000 (+ laptop).

    While details of the exploit are under non-disclosure while Apple works on the issue, the sponsor's blog does note that the attack was levied against Safari, after the user was directed to a specially crafted website (as allowed by the rules). The exploit appears to be an overflow bug in Webkit.

    The remaining two laptops survived the rest of the second day, but the Vista laptop fell the following day when Adobe Flash player was installed as the rules were further relaxed to allow for attack of popular 3rd party applications. The Linux laptop was not exploited.

    While Apple is aware of and working on the vulnerability, a recent study has claimed that Apple's response time to such 0-day vulnerability patches lags significantly behind that of Microsoft.

    The study, conducted by the Swiss Federal Institute of Technology, analyzed 658 vulnerabilities affecting Microsoft products and 738 affecting Apple, all of which were high and medium risk according to the National Vulnerability Database.

    A spot-check of security firm Secunia's statistics show that 6% of 113 bugs found in Apple's Mac OS X operating system from 2003 to 2008 remain unpatched.

    Article Link
  2. Jetson macrumors 6502a


    Oct 5, 2003
    If Apple's OS X is so secure, why are these hackers saying that it's the easiest OS to hack?

  3. beppo macrumors member

    Jan 7, 2008
    I would expect apple to fix this now that its out in the open
  4. pdpfilms macrumors 68020


    Jun 29, 2004
    Because OSX's "security" relies on the fact that it takes up only about 7% (or is it 8% now?) marketshare.

    A man in camouflage is less likely to be shot than a man in a neon jumpsuit.

    EDIT: aaaaand start the flame wars. (Just reread my post and realized it's going to offend 90% of the people reading it.)
  5. shigzeo macrumors 6502a


    Dec 14, 2005
    i posted about this in and got slathered in hot boiling oil. it seems that they with a cooler website are a bit more scathing. anyway, yeah i am upset.

    some people are using many different excuses for this but the fact is that no excuse can excuse the fact that our osx is not that secure. i don't care if the guy spent two years finding this hole, he found it and it made safari fall and that led to osx going down.

    i hope that apple stop this silly advertising smere campaign to make their os look bulletproof when it has been shown time and time again to not be bulletproof but rather just well done.

    the numbers that come in are more and nore scary - we need less focus on just designability and usability but proper security, proper security, not advertising security.
  6. brop52 macrumors 68000


    Feb 26, 2007
    These things should be fixed and there is no excuse for it now that they know the problems. A lot of these have been known in the past and still haven't been fixed. I'm hoping for some improvement.

    Personally though, I have no anxiety over someone hacking into my machine.
  7. LaDirection macrumors 6502

    Jul 14, 2006
    Well, it's no secret that Mac OS X is the least secure OS on the market today.

    Apple has been making **** software and **** computers ever since they decided to put all their focus on the iPod and the impressive iPhone. They have limited resources. Since iPod became huge not ONE SINGLE hardware release did not have at least one recall on one of its part in the following 15 months.

    10.5 was a colossal technical failure. Every softwares are buggy. Maybe it's time they separated the 2 businesses and star making really good computers that works for years again.
  8. socamx macrumors 6502

    Oct 7, 2004
    This just goes to show you that the OS itself is secure but what the user does in applications can bring the security down.

    The lesson learned as I see it (and always have).
    Don't go to sites that look seedy and don't download/open things you don't trust.

    I will still stand by OS X as a very secure OS. User error and applications are the weak point.
  9. applefan69 macrumors 6502a

    Oct 9, 2007
    i hear the only 8% arguement So mcuh... it may have some credibility.

    BUT... ok so the MAJORITY of hackers wont bother to hack macs simply because they can only attack a small 8% marketshare. Thing is, EVENTUALLY a hacker is gonna say "im gonna hack OS X for fun!"

    in THAT case... dont you think we'd begin hearing problems of macs being hacked? Honestly other then in hacking contests and such, I've NEVEr heard of a mac being hacked in a normal-life situation. Can anyone explain that? Considering AT LEAST one hacker would decide to either try to challenge himself, or try to be one of the only hackers attacking macs.
  10. longofest Editor emeritus


    Jul 10, 2003
    Falls Church, VA
    pretending I didn't hear the "cooler website" part, but either way, no burning hot oil should be poured here.
  11. tveric macrumors 6502

    Jun 23, 2003
    The first 7 posts are all (basically) correct. What shocked me was the lack of (so far) Mac fanboy posts protesting whatever they can think of in defending their choice of computer to the death. Maybe this site is actually attracting some critical thinkers, though!

    Nah, the flames will start in 3.... 2..... 1.......

    PS I own 3 Macs and won't go back to Windows in the near future, but this latest hole is still an embarrassment.
  12. EagerDragon macrumors 68020


    Jun 27, 2006
    MA, USA

    This guy been practicing at home/work for weeks on end. No way any hacvker Pwn a system in 2 minutes flat with a new unknown vulnerability. This guy knew the vulnerability was there and unpatch weeks ahead and then sat down and worked the details prior to the competition. Seems to me this was completly unfair as the other hackers did not do the same prior to coming to the competition. Sorry but this is bull.

    I have 12 full time hackers in my team and we bring the best and brightest to come show us how they do it and show our hackers their best tricks (for pay), none (internal hackers or 3rd parties) can do that in 2 minutes with zero preparation.

    This was researched and was ready prior to getting there.

    This is flat out unfair and a bunch of bull.

    Had he gone thru the same preparations in another OS, he would have pwn any of the systems in about the same amount of time.

    This was likely an issue with image or some multimedia malformed file, NONE OF THE BROWSER do a good job of properly parsing multimedia, they all have issue in this area.

    We send our people to these competitions from time to time and beleive me there are all sorts of preparations by some and no preparation by others. They all know what they will be hacking well ahead of time.

    The chain breaks at the weakest link. The weakest link is ussualy the browser, anyone in security knows that they are the most vulnerable programs.

    These new HTML-5 features that WebKit and Safari are implementing ahead of everyone else are going to be a nightmare for users, these new HTML-5 features are very unsecured. Have you heard about the ability to store information using SQL at your workstation, have you heard how another program or javascript can read and steal that data off your workstation? Same thing withthe new animations. Horrible.
  13. tveric macrumors 6502

    Jun 23, 2003
    So why didn't the same-type exploit result in the Vista machine getting hacked in 2 minutes, like the Mac?

    You can blame users and apps all you want - bottom line, if someone got remote access to an entire machine thru a user clinking on a link in an app, that's still not as secure as the OS should be. And CAN be.
  14. longofest Editor emeritus


    Jul 10, 2003
    Falls Church, VA
    for what it's worth, the first known instance of OSX Malware was posted to MacRumors :rolleyes:

    Story Link
  15. Full of Win macrumors 68030

    Full of Win

    Nov 22, 2007
    Ask Apple
    Apple really needs a kick in their complacency.
  16. tveric macrumors 6502

    Jun 23, 2003
    That's a negative, sonny. RTFA next time before you jump in with your assumptions.

    But, for the sake of argument, let's say he had the hack prepared ahead of time. Does that make it any less of a security hole? Sure doesn't.

    In addition, all the hackers had their choice of which machine to hack: the OS X, Vista, or Linux box. Incidentally, the Linux box never did fall.
  17. DeaconGraves macrumors 65816


    Apr 25, 2007
    Dallas, TX
    Correct me if I'm wrong, but the guy was able to hack the Mac because the user sitting at the Mac clicked a link e-mailed to him that sent him to a website with malicious code right?

    I'm not going to get into an argument about whether OSX is more secure or not (I don't have enough knowledge to do so), but I'm still comforted by the fact that if the user isn't too much of an idiot and doesn't blindly click into any link he/she receives, that person's Mac is still (fairly) secure.

    That being said. Fix this hole, Apple, and fix it quick.
  18. cloudnine macrumors 6502a


    Jul 3, 2006
    San Francisco, CA
    While it sucks that the MBA got hacked in less than 2 minutes, it's not like that's the full story. The guy who hacked into it was working on the Safari exploit for something like 6 months before the competition. I realize that in hindsight, if your computer gets hacked into, it's not going to matter how long the hacker took to prepare for it... but still... it deserves mention.

    If anyone can prove me wrong, please do... I read an article which stated the above, but I can't find the link to validate it.
  19. ChrisA macrumors G4

    Jan 5, 2006
    Redondo Beach, California
    Apple used to make great computers but then they went and changed their name to remove the word "computer" and found that their is more money to be made in iPhones and iPds.
  20. inkswamp macrumors 68030


    Jan 26, 2003
    I think it's a little ridiculous to start drawing any conclusions about this until all the details are known. However, here's something to keep in mind. All three platforms resisted network-only attacks through day one. That's actually really good news. Where OS X and Windows buckled was during days two and three when the hackers were given various degrees of access to the actual machines. For example, on day two a contestant could instruct someone at the machine to do various things (i.e., "click the link I'm emailing you.") You don't have to be a security guru to know that such a massive relaxation of the rules casts a dubious light on any conclusions drawn about it.

    I write a tech blog for my publisher and put up my own thoughts on this contest for anyone interested. In short, what should have been the focus of this event was the fact that all three machines withstood the attacks on day one which was limited to network-only attacks--the kind of attacks most people are concerned about. That's pretty good news.
  21. 36183 Guest

    Jun 24, 2004
    They sure do, leaving things un-patched for years is beyond being complacent. Chances are, that even when they do fix this there will be quiet about it, as it will be an embarrassment for them. It is good that it is hitting discussion websites like this. Makes it harder to pretend problems don't exist.
  22. inkswamp macrumors 68030


    Jan 26, 2003
    Yes. That's exactly what happened. Once a hacker has any degree of physical access to your machine all bets are off, and drawing conclusions about one platform's security over another on that basis is pretty silly.

    It's impressive that Linux withstood that and it's true that Apple needs to address whatever security hole allowed the hacker access, but I don't see the point of claiming superior security of one platform over the other when the hackers were given access to the machine itself.
  23. shigzeo macrumors 6502a


    Dec 14, 2005
    haha, perhaps i should have said, 'cooler looking'. or at most, 'more colourful'. otherwise, i find them useful or buying accessories but for actual intellectual and good discussion, macrumors are far the better.

    I should mention that i was called a microsoft-troll. well, maybe it is true. i use windows every day to use one app: utopia angel so that i can play utopia without getting my poor grasp of maths involved and the kindgom in a bustle.
  24. inkswamp macrumors 68030


    Jan 26, 2003
    Because the Vista machine had SP1 and the hackers weren't expecting that. It took them a while to figure it out, thus the delay.

Share This Page