
MacRumors

macrumors bot
Original poster
Apr 12, 2001


The H Security reports (via The Inquirer) that noted cybersecurity researcher Charlie Miller is set to announce the discovery of twenty new zero-day holes in Mac OS X that could offer hackers means of entry to compromise computers running the operating system. As zero-day holes, Apple is currently not aware of their existence, and thus has not yet had the opportunity to address them.

Using the controversial "security through obscurity" argument, Miller claims that Mac OS X users have typically been relatively free of malware threats due to a lack of hacker interest in the relatively small user base, not necessarily due to Mac OS X being more secure than other operating systems.
"Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town."
Miller is set to reveal his methods of finding the vulnerabilities, which include "fuzzing" systems by bombarding them with an overwhelming quantity of corrupted data, at the prominent CanSecWest conference next week in Vancouver. He is not, however, planning to disclose details of the security holes.

Article Link: Researcher Set to Announce 20 Zero-Day Holes in Mac OS X
 
I will agree that Windows is like living in the bad part of town.

If only everyone were as noble as these people.
 
I'd love to see an Apple apologist answer this.

Fact is, nobody gives a $%^& about a mac.

I dunno. Every time someone even says the word "virus" all the Mac fans jump out and say things like "Not for us! There are no viruses for the Mac!" (Myself included.) For the last 10 years, it's been the same smug, condescending battle cry. "No viruses! Not here! Not us!"

You don't think that the first guy to create an actual, self-replicating virus on OS X, the first guy to prove them all wrong, the first guy to stick it in everyone's face, wouldn't become as famous as Steve Jobs and Linus Torvalds themselves?

You don't think that somewhere out there is a hacker who wants to make a name for himself?

That's why I don't buy "security by obscurity".
 
Hopefully the 0-days will get released after they're patched!

Maybe before the MBPs get updated.

(I'm just kidding. Pigs will fly before the MBPs get updated.)
 
I'd love to see an Apple apologist answer this.

Fact is, nobody gives a $%^& about a mac.

Answer what? There isn't a question.

I've never been under the illusion that OS X was perfect. Nor have I thought that the smaller market share or higher computer literacy among those that use OSX was a deterrent for hackers trying to make a buck.

However, the existence of those bonuses to OS X security does not mean that OS X is not built atop a more secure foundation.

Besides, as a consumer it's an easy choice: Windows has holes that are exploited on a monthly basis. OS X has no known viruses or worms in the wild. For all intents and purposes, it is currently in a state of perfection. When someone manages to bring Hollywood to its knees, or 25% of college students across the US lose their senior projects, then we'll have a problem. But no one has managed that yet.
 
I wonder what access to physical hardware and social engineering his security holes will need? In the past, many of these exploits required quite a bit of user intervention including the administrator password.

For example,

"No one was able to execute code on any of the systems on Wednesday, the first day of the contest, when hacks were limited to over-the-network techniques on the operating systems themselves. But on the second day, the rules changed to allow attacks delivered by tricking someone to visit a maliciously crafted Web site, or open an e-mail. Hackers were also allowed to target "default installed client-side applications," such as browsers.

The team had attack code already set up on a Web site, and was able to gain access to the MacBook Air and retrieve a file after judges were "tricked" into visiting the site. According to the TippingPoint DVLabs blog, a newly discovered vulnerability in Safari was used to gain control of the Air.



Last year's contest was won by exploiting a QuickTime vulnerability, which was patched by Apple in less than two weeks."

http://news.cnet.com/8301-13579_3-9905095-37.html

By the way, before anyone gets too crazy bashing this guy — I believe the rules of the conference dictate that he sign a NDA and that all exploits will be reported to Apple.
 
every piece of software has holes in it. Mac is no exception. I hear even Linux sometimes has security holes. gasp.
 
20 security issues really isn't that bad. Every OS X security update fixes at least that many. I'm curious if Charlie Miller has submitted these to Apple, or is he sitting on them for his own publicity?
 
Fair enough, but head-in-sand was never an effective defensive strategy. Once I knew a girl who grew up in a farmhouse in the country, her family never locked their cars and kept the keys in the visor in case anyone needed to move a car out of the way when taking the boat out or something. When she moved to the city for a job her car was always getting stolen because it simply never occurred to her to lock the doors or not leave the keys in the glovebox.
 
I hope not. My primary reason for switching to a Mac was no viruses and an easy-to-use interface.

Mac having no viruses? Really??? Of course Macs can get viruses... Every computer/OS can.

Macs just have less, due to the "less interest".
 
every piece of software has holes in it. Mac is no exception. I hear even Linux sometimes has security holes. gasp.

Yes, but Linux has a larger team than Apple and the Linux OS gets patched sooner.
 
20 security issues really isn't that bad. Every OS X security update fixes at least that many. I'm curious if Charlie Miller has submitted these to Apple, or is he sitting on them for his own publicity?

I'm sure his silence to the press will be rewarded nicely by Apple, maybe even with a consulting job.
 
Good. Expose OS X for what it is, swiss cheese. This is one area where Apple needs to take the M$ standpoint and be upfront about security updates and when they will be patched. Their arrogance hinders them in the security field.
 
All systems and OSes have vulnerabilities. They'll never be 100%. It's really a matter of who has the least, or is least vulnerable. So as long as there's Windows and MS, then they'll have the lion's share.

I used Windows systems for years, and never had a virus or security issue. My reason for leaving was the instability of the OS itself, and poorly written programs. Had nothing to do with viruses or 0 day security holes.

Some people are just prone to these things. It's like telling a kid to not touch the wet paint...5 minutes later they're standing in front of you, with a finger covered in wet paint...:)
 
i think it's important to note that a lot of "hackers" use macs themselves. i used to know a lot of people that were insanely good with computers and were definitely capable of hacking... every single one of them used a mac as their primary machine.
 
You don't think that somewhere out there is a hacker who wants to make a name for himself?

That's why I don't buy "security by obscurity".

Well, there are two reasons to make a virus like that. Fame, and money.

Certainly the majority of viruses and worms are out there to make the owner some money. So you could claim that Apple's smaller and smarter market is not worth the trouble. HOWEVER, there is certainly fame to be had to write a virus that nails every Apple computer to a cross, and guess who the smarter crackers generally are, the money makers or the "for the fun and fame"?

The really brilliant ones do it as a hobby. That there isn't even ONE Virus out there says a lot.
 