Researcher Set to Announce 20 Zero-Day Holes in Mac OS X

[AidenShaw]

User Account Control without a password could be easily defeated. By default Windows UAC has no password.

Prove this.

In my experience, UAC requests a password.

Unless, of course, you are already logged in as an administrator,
in which case it requests an "OK" without a password. You've already
been authorized as an administrator - it would offer no additional
security to ask you to enter the same password a second time.

 

[polaris20]

Prove this.

In my experience, UAC requests a password.

Unless, of course, you are already logged in as an administrator,
in which case it requests an "OK" without a password. You've already
been authorized as an administrator - it would offer no additional
security to ask you to enter the same password a second time.

He won't, he'll just tell you to Google it.

 

[archer75]

Prove this.

In my experience, UAC requests a password.

Unless, of course, you are already logged in as an administrator,
in which case it requests an "OK" without a password. You've already
been authorized as an administrator - it would offer no additional
security to ask you to enter the same password a second time.

That's correct. If you run as a standard user account then any UAC prompts do indeed request a password.

 

[polaris20]

Sitting in a speeding car towards a brick wall with your seat belt on you're secure. Doesn't mean you're safe!

Unfortunately it doesn't matter how many different analogies we come up with to explain the security shortcomings, the denialists won't accept the fact that we will have a problem if Apple doesn't start being more responsive in fixing the security issues with OS X.

 

[bpd115]

That's not what it says at all. It doesn't auto restart. It lets you postpone the message. You aren't stopping a restart. Though if you click the button it will restart.
I have win7 on 4 computers here. I am aware of the dialog box. I've left it up all day long with no restart.

Do I really need to drag out screen shots?

http://smudj.wordpress.com/2009/10/21/stopping-windows-7-auto-restart-after-windows-updates/

http://www.keyongtech.com/5297979-windows-will-restart-your-computer


If Windows update is set to "Automatic", it WILL reboot your machine if you do not respond to the dialog box.

 

[Mattie Num Nums]

Use Google to look up about all of Miller's exploits. I am not going to do it for you!.

Then don't make a point if you aren't going to make it.

 

[archer75]

See above. Without crossover cable, Mac OSX wouldn't of fell.

That's irrelevant. Hacked is hacked.

They couldn't hack Vista or Linux until the next day when they could install 3rd party software on the machine and used a flash exploit. This would have also worked on OSX.

 

[archer75]

Do I really need to drag out screen shots?

http://smudj.wordpress.com/2009/10/21/stopping-windows-7-auto-restart-after-windows-updates/

http://www.keyongtech.com/5297979-windows-will-restart-your-computer


If Windows update is set to "Automatic", it WILL reboot your machine if you do not respond to the dialog box.

Yes, post screen shots. Because this does not happen on my machines. Any of them. The dialog box allows me to postpone the reminder. Up to 4 hours. There is no auto restart. The box just sits there waiting for me to select postpone or restart.

 

[LagunaSol]

Do you feel threatened because someone else is also posting irrelevant
responses?

Did you patent "responding to a post on a message board with a
completely irrelevant post"?

Fix your word wrap. Or do you get paid by the line?

 

[newuser2310]

I read a post on another forum from a very knowledgeable guy. Here's the jist of it:

Most of the Mac user base earns an above average wage, since the cost of them makes then unattainable for a lot of people(regardless of the particular pros and cons of osx vs windows). Therefore the guy who cracks the mac keychain/security, thus revealing passwords/information will ultimately have the most financial gain.

 

[munkery]

Prove this.

In my experience, UAC requests a password.

Unless, of course, you are already logged in as an administrator,
in which case it requests an "OK" without a password. You've already
been authorized as an administrator - it would offer no additional
security to ask you to enter the same password a second time.

In the default admin account in windows it does not ask for password. Most windows users use there admin account.

Without the password authorization and with a simple "OK" click (which without a password can be defeated) executables (viruses) can be installed without user intervention.

 

[deputy_doofy]

Unfortunately it doesn't matter how many different analogies we come up with to explain the security shortcomings, the denialists won't accept the fact that we will have a problem if Apple doesn't start being more responsive in fixing the security issues with OS X.

Not denying anything, but I also won't give in to Chicken Little syndrome. The sky is not falling. And even though people have been saying since 2001 that problems are coming, they haven't (except for a small trickle, and even that only affected pirated software). That doesn't mean I don't want security updates. If security updates forever keep me without fear, keep 'em coming.

In the meantime, I'm happy to:
1) surf what I want, when I want, with no issues
2) get paid to fix Windows boxes for users TRYING to do #1

 

[dejo]

http://www.sophos.com/pressoffice/news/articles/2006/02/macosxleap.html


Don't be naive.

I'm naive? That's a worm, not a virus.

 

[polaris20]

Not denying anything, but I also won't give in to Chicken Little syndrome. The sky is not falling. And even though people have been saying since 2001 that problems are coming, they haven't (except for a small trickle, and even that only affected pirated software). That doesn't mean I don't want security updates. If security updates forever keep me without fear, keep 'em coming.

In the meantime, I'm happy to:
1) surf what I want, when I want, with no issues
2) get paid to fix Windows boxes for users TRYING to do #1

I'm not saying the sky is falling either. But I'm not running in front of guns with a bullet proof vest either. Oops, there I go with the analogies again.

 

[munkery]

That's irrelevant. Hacked is hacked.

They couldn't hack Vista or Linux until the next day when they could install 3rd party software on the machine and used a flash exploit. This would have also worked on OSX.

Wrong! Linux didn't fall. Hasn't for two years. Linux does some things better than OSX. But, after a little reading, I don't think OSX would have fell without a crossover cable due to a 3rd party software/flash exploit because the flash exploit requires remote access of the system which is the loophole the crossover cable circumvented.

Edit: I was wrong. Miller's exploits require a local area network and an artificial (as in unlikely in the wild) situation.

Second Edit: I was double wrong, exploitation using these methods are not uncommon in the wild. But, it is rare in the wild in OS X because the impact of such exploitation in Mac OS X is limited by the low incidence rate of privilege escalation exploits and user space security mitigations that prevent keyloggers and other malware from logging security sensitive passwords, such as from authentication prompts or website logins, without privilege escalation. BTW, user interaction is required to hack a Mac via a crossover cable as the user has to allow "Internet Sharing" in System Preferences. Man-in-the-middle attacks facilitate these methods on wireless networks. Navigating to a malicious website facilitates these methods across the web.

 

[AidenShaw]

Originally Posted by AidenShaw
Did you patent "responding to a post on a message board with a
completely irrelevant post"?

Fix your word wrap. Or do you get paid by the line?

Priceless.

 

[LagunaSol]

But as someone who loves the products, I expect Apple to be responsive and work on improving security, not just be complacent with the lack of attacks.

True.

Apple fanboys should be rabidly pestering Apple to make it more secure, not bragging about how secure their OS, and how much they have nothing to worry about.

Yes, Apple should make it more secure, but yes, right now we have nothing to worry about. Both facts.

It's like standing in a forest with camo on and yelling "shoot me". Sure, they probably won't hit you. Probably.

Who's going to shoot at me when I'm surrounded by a thousand Windows users in bright orange jumpsuits sitting in the tops of the trees waving their arms?

Yes, Apple should fix the potential problem - but the naysayers should tone down the hysteria to match the reality. (Though anti-Apple hysteria is what fuels some of the commenters on this forum.)

BTW, Microsoft and Adobe haven't exactly been Johnny-On-The-Spots when it comes to timely security updates. A fact not mentioned in AidenShaw's brochure.

 

[polaris20]

True.



Yes, Apple should make it more secure, but yes, right now we have nothing to worry about. Both facts.

True. Right now.

Who's going to shoot at me when I'm surrounded by a thousand Windows users in bright orange jumpsuits sitting in the tops of the trees waving their arms?

I don't want to be the one to get unlucky.

Yes, Apple should fix the potential problem - but the naysayers should tone down the hysteria to match the reality. (Though anti-Apple hysteria is what fuels some of the commenters on this forum.)

I don't see a lot of paranoia here. I don't see people saying there's an immediate risk RIGHT NOW. I'm seeing rational people saying Apple should be responsive and fix the issues before they're a problem.

BTW, Microsoft and Adobe haven't exactly been Johnny-On-The-Spots when it comes to timely security updates. A fact not mentioned in AidenShaw's brochure.

True, but they've actually been faster than Apple has been, which troubles me.

 

[Mac-Michael]

I do believe Windows has better security features, but on the other hand OS X has a better architecture so there has been little need for those features. When it comes to comparing OS security I prefer to look at history data and so far OS X has a better track record. But I use it because it is the more sensible OS, easy on the eyes too. The ability to scroll a window's content even if it is sitting behind the one in focus is my favourite feature.
Now where is my updated MBP?

 

[MikhailT]

http://www.sophos.com/pressoffice/news/articles/2006/02/macosxleap.html


Don't be naive.

Not a virus. It's a worm that travels itself by sending a file to another user via iChat. The user still have to allow the file transfer and download it and install it. It didn't even make any impact. Just a test worm that Sophos found and spreading FUD around. Don't trust any anti-virus vendors about "finding the first virus", they do that to spread the sales of their Mac antivirus product, which almost nobody on the Mac needs. The fact that Sophos has to redefine the word to fit their needs and the obvious sale pitch on the bottom, BS meter going off.

 

[polaris20]

Edit: When did Linux fall. I thought at the last one Linux went undefeated. Can someone give me a Link. I looked on google and couldn't find it.

Oh, I'm sure you can find it. Google harder.

 

[munkery]

Oh, I'm sure you can find it. Google harder.

I found it! Linux didn't fall!

http://boycottnovell.com/2009/03/20/pwn2own-2009-and-diebold/

 

[Mattie Num Nums]

Priceless.

Yeah people tell me I'm a paid MS employee. Far from it. Former Apple employee getting paid to protect and integrate Mac users. Lover of Apple computers, but someone who can't stand Apple slowly forgetting about its computer users. Because hey the App/iTunes/iPad whatever store makes more money now!

 

[LagunaSol]

True, but they've actually been faster than Apple has been, which troubles me.

The squeaky wheel gets the grease. And if ever there's been a squeaky wheel when it comes to computing security, it's Windows.

 

[Mattie Num Nums]

I found it! It didn't fall!

http://boycottnovell.com/2009/03/20/pwn2own-2009-and-diebold/

"Safari was the first to fall this week at the Pwn2Own 2009 security competition held at the CanSecWest conference in Vancouver, Canada. "

Did I miss something?