So here's a question.

In the Intego Blog interview, Charlie Miller talks about "dumb fuzzing" - which sounds like he is just sending lots and lots of corrupted PDF files to Preview to find which ones crash the application which is a hint that perhaps that particular corruption is exploitable. That is just a summary.... here is the link.

So my question is.... is this enough information that a bright cookie at Apple could duplicate Miller's technique and find the exploits themselves? If so, what are the rules at pwn2own about how up-to-date a system must be? Could Apple release a security update the night before, and close the exploits that Miller was expecting to use?

At some point Apple has got to think to themselves that having their system fall first for 3 or 4 years in a row is going to cost them enough sales that it's worth their while to let someone else get the cream pie in the face.

And for what it's worth, I think OS X is just as safe as it has to be, and not much more. Apple is a business, and they won't spend any more money on security than they have to... but I think they will spend as much as they need to. In other words, at this point there is no profit to be made by spending more money on security. Spending more on security will not bring the rate of malware infections down, since the rate is very nearly zero.

Only when the rate of malware infections starts to go up does it make any sense to spend much more on security. I'm sure that malware infections will start to increase in the next few years.... and I'm sure that Apple will start taking security more seriously. Much more seriously. They make a lot of sales based on the perception that Macs are "safer" (and by "safer" I mean infected less often; I'm not going to get into the Safe vs. Secure debate).

It would be just like Apple to put out a security update at the last minute to prevent the PR hit. I don't think it will happen, but it would fit their pattern.

Legit security researchers will alert a company months before it goes public. They only go public if they get blown off. It's why Apple had patches ready last year within days of exploits being shown off. Not like they coded the fixes in a few days.
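The "dumb fuzzing" described in the first post is mutation-based fuzzing: take a valid input, corrupt it at random, feed it to the parser, and record the cases that crash rather than being rejected cleanly. The following is an added example, not code from any post in this thread or from Charlie Miller; it runs a small mutation fuzzer against a constructed toy parser (`toy_parse`, with a deliberate bounds bug standing in for the kind of defect a fuzzer finds in a real file parser) and then shrinks a crashing input so a developer can triage it. The parser, the mutation operators and the sample file format are all assumptions made for the example.

```python
import random
from typing import Callable, Dict, Tuple

# Constructed toy format for this example: a "%TOY" header, a declared record
# count in byte 4, a reserved byte, then 2-byte records. The count is trusted
# without checking the real length, which is the bug the fuzzer should find.
def toy_parse(data: bytes) -> int:
    if not data.startswith(b"%TOY"):
        raise ValueError("bad header")      # clean rejection, not a crash
    if len(data) < 6:
        raise ValueError("truncated")       # clean rejection, not a crash
    count = data[4]
    records = data[6:]
    total = 0
    for i in range(count):
        # BUG (deliberate): indexes past the buffer when count > len(records)/2
        total += records[i * 2] ^ records[i * 2 + 1]
    return total


def mutate(seed: bytes, rng: random.Random, max_ops: int = 4) -> bytes:
    """Apply 1..max_ops random byte-level corruptions to a copy of seed."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, max_ops)):
        op = rng.randrange(3)
        if op == 0 and buf:                  # overwrite one byte
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        elif op == 1 and buf:                # truncate at a random point
            del buf[rng.randrange(len(buf)):]
        else:                                # insert a short run of junk
            at = rng.randrange(len(buf) + 1)
            buf[at:at] = bytes(rng.randrange(256) for _ in range(rng.randint(1, 8)))
    return bytes(buf)


def is_crash(target: Callable[[bytes], object], case: bytes, crash_type: str) -> bool:
    """True when target fails with an unexpected exception of the given type."""
    try:
        target(case)
    except ValueError:
        return False                         # validation error: expected behaviour
    except Exception as exc:                 # anything else is a parser defect
        return type(exc).__name__ == crash_type
    return False


def fuzz(target: Callable[[bytes], object], seed: bytes,
         iterations: int = 2000, rng_seed: int = 1) -> Dict[Tuple[str, str], bytes]:
    """Dumb fuzzing loop: keep the first input seen for each distinct failure."""
    rng = random.Random(rng_seed)
    crashes: Dict[Tuple[str, str], bytes] = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:
            crashes.setdefault((type(exc).__name__, str(exc)), case)
    return crashes


def minimize(target: Callable[[bytes], object], case: bytes, crash_type: str) -> bytes:
    """Greedy one-byte-at-a-time reduction that preserves the crash type."""
    i = 0
    while i < len(case):
        candidate = case[:i] + case[i + 1:]
        if is_crash(target, candidate, crash_type):
            case = candidate                 # byte was irrelevant; keep it removed
        else:
            i += 1                           # byte is needed for the crash
    return case


# Constructed valid seed: header, count=3, reserved, three 2-byte records.
SEED = b"%TOY" + bytes([3, 0]) + bytes(range(6))

if __name__ == "__main__":
    found = fuzz(toy_parse, SEED)
    for (kind, msg), case in found.items():
        smallest = minimize(toy_parse, case, kind)
        print(f"{kind}: {msg!r} reproduced by {smallest!r}")
```

The point of separating `ValueError` from every other exception is that a fuzzer only tells you something when the parser fails in a way its author did not plan for; a clean "bad header" rejection is the parser working. The minimizer is what turns a pile of random crashing files into something a developer can read and fix.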
 
It implies nothing, and you're clearly misunderstanding the meaning of it. It does not imply that he's currently an Apple employee any more than my title of Windows/Virtualization Administrator implies that I work for Microsoft and VMWare. I also am the Linux admin; do I work for them too? If so, who would that be, Canonical? Novell? Red Hat?

Honestly your act here is tired. The moment someone has something significant but not glowing to say about Apple/OS X you deem them disgruntled, bitter, etc. It's ad hominem attack after ad hominem attack.

How many times does the guy have to say he like Apple and OS X for you to knock it off and be a friggin' grown-up about it? We're not critical about Apple because we want them to fail. On the contrary, we want them to improve and succeed, even more so than they already have been.

Quit taking any criticism as if someone is repeatedly kicking your dog. You're being every bit as obnoxious as the rabid Microsoft fanboys on here, just the opposite side of the fence.

Some objectivity would be splendid.

As I sit here and type on my Unibody 2.66GHz MacBook, while streaming AirTunes with my Airport Express (though it's connected to a Linksys router; I must be evil for not having an Airport), watching Pulp Fiction on my Apple TV. The sad thing is I probably have more Apple products than most of these fanboys.

Funny thing is I had an M3 4 years ago. Loved the car to death. Always wanted one. BMW is a great brand. So I have this brand new M3 that I loved to death, however! It had tons of weird issues. I went on a BMW board and talked about it. Interestingly enough, the guys and gals on that board were helpful and understanding. Just like here on MR, I never said I hate BMW; I simply talked about my anger towards buying a 75,000 dollar car that had tons of issues and BMW's horrible treatment of me. Long story short, no company is perfect, and as a paying customer I feel that my voice could make a difference in solving issues other people might be having as well. What the fanboys don't get is that by always praising and never questioning they are going against everything Apple was when they used to "Think Different". Now Apple wants everyone to "Think the Same".
 
Fair enough, but head-in-sand was never an effective defensive strategy. Once I knew a girl who grew up in a farmhouse in the country, her family never locked their cars and kept the keys in the visor in case anyone needed to move a car out of the way when taking the boat out or something. When she moved to the city for a job her car was always getting stolen because it simply never occurred to her to lock the doors or not leave the keys in the glovebox.

Case in point, don't move to the city. :)
 
Good to know. Though that infects windows 2000 systems. Wouldn't that be like digging up viruses that affect OS9? Are there any modern day self executing worms? I'd really like to know.
Apparently there is a low rate of infection from worms on patched systems. They have to be zero day exploits. Though we all know most people don't update.

It doesn't matter what OS it was designed to target when it was made. It's still a self-executing worm; they do exist.

I would dig through the virus databases, but there's SOOO MANY it's hard to find ones with specific behaviour. I'd much rather spend my time doing useful stuff like study.
 
You missed the point. Even worms which are able to be executed without user interaction and spread via LAN are targeting the fact that there are large networks of Windows-based machines. And these still start somewhere on the LAN. If a worm were created for OSX, it would get absolutely nowhere based on the same facts I listed above. IF large networks of Macs made up the business and consumer industry, someone would actually target that vulnerability. There is no base for OSX infections to spread. An infection of any kind has to spread somehow. These days, 99% of the time it's just because of user error (someone running something they shouldn't).

The argument turned into if worms are able to be self executed. The original argument is dead.

They still required the user to execute said executable that had the worm attached. Other than that they can only compromise vulnerable systems that are publicly addressable.... or, like I was saying, they self propagate over a LAN once one system has been infected by whatever means.
 
Just to clarify for everybody, (the crossover cable negates the functionality of ipfw because <- this is totally wrong) the target computer is accessing the internet via the wireless connection of the attackers computer.

The target computer is exposed to the attacking computer. Essentially the target computers traffic is being passed through the attackers computer. (Edit: took out misinformation, using a crossover cable creates an easy way to set up a man-in-the-middle attack).

This is why PWN2OWN is not real world relevant in relation to any OS, but even less relevant to systems running ipfw, such as Mac OSX, Linux, and BSD.

I was totally wrong in my explanation about the relationship between ipfw and crossover cable in previous posts, but the essential elements of what I was saying are true.

Edit: I was wrong. Miller's exploits require a local area network and an artificial (as in unlikely in the wild) situation.

Second Edit: I was double wrong; exploitation using these methods is not uncommon in the wild. But it is rare in the wild in OS X because the impact of such exploitation in Mac OS X is limited by the low incidence rate of privilege escalation exploits and user space security mitigations that prevent keyloggers and other malware from logging security-sensitive passwords, such as from authentication prompts or website logins, without privilege escalation. BTW, user interaction is required to hack a Mac via a crossover cable, as the user has to allow "Internet Sharing" in System Preferences. Man-in-the-middle attacks facilitate these methods on wireless networks. Navigating to a malicious website facilitates these methods across the web.
 
You don't think that the first guy to create an actual, self-replicating virus on OS X, the first guy to prove them all wrong, the first guy to stick it in everyone's face, wouldn't become as famous as Steve Jobs and Linus Torvalds themselves?

You don't think that somewhere out there is a hacker who wants to make a name for himself?

That's why I don't buy "security by obscurity".

+1 I'm sorry, but I wasn't impressed with this guy last time after reading what he had to do to hack the MacBook Air. I'm not saying he's not talented; it's just that his methods rely greatly on setups and user stupidity. You can't protect an OS from that.

Not to mention if it was so easy to hack mac and linux systems you'd see it all the time. Linux has a huge user base all over the world despite what most people in the states think and you don't see viruses for it.

I'm pretty sure this guy is just out for attention. I don't feel any less "safe" because of this announcement. 20 security holes? Who cares; each OS/piece of software has them. 20 security holes versus Windows' hundreds of thousands of viruses and malware AND security holes that are 10+ years old? I'll stick with my Mac, thank you.
 
Very OLD news. It's been like this for the past 10 years.
Boring and good at the same time.
 
This thread is dead to me until I see LTD weigh in with some extremely grounded perspective and unique baller caricatures ;)
 
Re: Country House With No Locks

....well, sometimes a bad guy gets blown out of his shoes being out in the country, fixin' to mess with a house with no locks.

G.
 
@munkery:
All of Miller's exploits require the use of a cross-over cable, which is never a network configuration you see in the wild.

His exploits are not relevant to anyone connected to a network wirelessly or via an unmodified Ethernet cable.

Specifically, the target computer is connected to the Internet wirelessly and Miller's computer is directly connected to the target computer via a cross-over cable.

So, don't let a hacker connect to your computer with a cross-over cable. A cross-over allows the hacker to bypass many of the security features emphasized in OSX that are limited in Windows.

Please do explain how the use of a crossover cable means anything? It's been a while since I've had to use one, but back when I did it was only used so you could plug 2 computers together without the need of a hub or switch. I don't remember anything inherent in a crossover cable that suddenly bypassed anything.

Now, if your switch is blocking ports or traffic or you normally go through some sort of hardware firewall then connecting directly to the computer will of course bypass that, but it won't change the security measures on the computer itself.

Mac OSX is UNIX as of 10.5. OSX has BSD core. UNIX & BSD (and hence OSX) have ipfw. It's a firewall that windows does not have by default. Check wikipedia to learn about it on a basic level. A crossover cable acts as a bridge for ipfw. When bridged, packets pass through ipfw.

See above. Without a crossover cable, Mac OSX wouldn't have fallen.

You talk about Leopard and ipfw in the same breath. Why? It's common knowledge that ipfw is disabled by default, because Leopard uses Apple's new Application Firewall. (/usr/libexec/ApplicationFirewall/socketfilterfw -h)


Use Google to look up about all of Miller's exploits. I am not going to do it for you!
Well I did. The only emphasis on "crossover cables" seem to come in the form of comments (like yours). I'd expect if there was any substance to this crossover business that there would be an entire web page devoted to denouncing the pwn2own results and detailing the significance of "crossover". This would not be any long-held secret in the Mac community.

And why are you so reluctant to explain further? [or provide a decent link, ffs.]

^EDIT: after reading more posts, i see some effort at documentation... but my salient points remain: ipfw is not active (ps axcu |sed -E '1p;/ (ipf|soc)/!d'), and if there was an ounce of truth to be milked on the crossover deal, places like <roughlydrafted.com> would have long been all over it like flies on sugar.

--

[OFF-TOPIC]

FWIW, this guy (former NSA employee) does not strike me as a "media whore":
I'm very pro-OSX and anti-Windows... but some members here are overreacting.
 
A cross-over allows the hacker to bypass many of the security features emphasized in OSX that are limited in Windows.


You have no idea what a crossover cable is, do you?

It's not the iPad: It's not some magical device that makes the impossible possible. It's simply a way of connecting one network device with another like device (like a desktop computer with a laptop, or two switches.) It actually DOES exist "in the wild," but is not really all that necessary due to Auto-MDIX, though Auto-MDIX doesn't necessarily work all the time, thus necessitating a crossover cable. MOST network ports these days are Auto-MDIX, meaning they will automatically cross the appropriate connections if it senses that the attached cable is a straight-through cable.

You can get the same exact results using straight-through cables and a network hub. It's not wizardry. You're just building a 2-device LAN. In fact, crossover is absolutely essential for network communications because the ethernet standard defines certain wires to be used for talking and certain wires to be used for listening. That means that if Computer A is using wires 1&2 to send and 3&6 to receive, Computer B will be doing the same thing. That means that a straight-through cable would mean that the signals Computer A sends to Computer B will arrive on the pins used by Computer B to send... which wouldn't work. A typical network Switch or Hub will automatically "cross" the signal onto the receiving pins on the distant end, so that the distant end can "hear" what's being said.

Cabling relates to Layer 1 of the OSI model: Physical connections. It has absolutely nothing to do with anything above that layer, meaning all security applications and networking protocols are still in place, so no, using a "magical" crossover cable isn't going to automatically hack anything: you still have the OS's security layers to contend with, just as if you were connected to that computer via LAN.
 
Shouldn't it be illegal to reveal "zero-day" exploits? Even if no specific details are given, to reveal them some details have to be given, and those are details that hackers could potentially use, even without being handed a step-by-step guide.

Might as well just exploit them all himself, as it seems a very hypocritical thing to do for a so-called professional in the field of security.


That aside, I fully expect most (if not all) of them will be the usual drivel that's identified as a security hole, such as some process or other that almost no-one runs and hasn't been updated every 5 minutes since it was added to the OS, which on an unprotected network, might allow some access to another process that probably isn't running either.
 
There is always a weakness.

Whether it is the OS, the hardware, the network, the user - there is always a weakness that can be exploited by someone with malicious intent.

We appear to be at a stage where exploits against the OS itself aren't as high profile as they were before, but exploits targeting the user themselves are all over the place.

News like this doesn't really matter much - the nasties that work are very likely to require either:

(a) some form of user interaction, in which case the defence is the vigilance of the user

(b) a previously undisclosed and unknown security hole in the hardware, software or network, in which case there is no defence, but there is damage limitation

As for all the technical detail, that's not an area I am familiar with. Reading the discussion so far has been interesting though.
 
Yeah… Well that's quite a load of… :eek:. Here are a few:

Virus (PoC): OSX/Inqtana.A
Trojan-Downloader: OSX/Jahlev.A
Backdoor: OSX/iWorkServ.A
Worm: OSX/Tored.A
Intego’s blog.


Inqtana: Requires direct access to the machine from within bluetooth range, but at least this would qualify as a worm. Just not in a practical, exploitable way.
Tored is not a worm!!!! It requires a human to run it and move it along via e-mail.

Trojans do exist. I guess my general point is

1. Don't be stupid.
2. Make sure you're patched up to date, or turn off your Bluetooth when you go to Starbucks.

And if you can't use Google on your own...
A worm is a self-propagating virus.
 
You have fallen for the idea that "more eyeballs" == more secure software. The majority of exploits are the result of unhandled null references and other programming errors and buffer overflows. Such errors can just as easily be missed by a human looking over code as by the human who wrote the code in the first place.
It is a proven fact that most security issues are found by outsiders, not the team members. And I have been there with Mozilla, Google and Intel and happen to know a few of the Safari developers, because I worked with them in the past. Just great developers, but very much humans too.

Open Source development can lead to an improvement of software
Which is a proven fact – the bugs found in WebKit show me that it is working.

...but what you really need is developer discipline to use test driven development and using tools to smoke test your software to detect these sort of errors before they fail in the wild.
Apple developers are disciplined and do have a great tool set, but they didn't have someone like Window Snyder and this massive QA team like Mozilla has. That's what you get when you open up, because so many people want to help out, and secure the products they love to use.

And the minute Apple opens up Safari, I will jump right in and do what I did in the past... for Mozilla and Google right now.
 
All systems and OSes have vulnerabilities. They'll never be 100%. It's really a matter of who has the least, or is least vulnerable. So as long as there's Windows and MS, then they'll have the lion's share.

I used Windows systems for years, and never had a virus or security issue. My reason for leaving was the instability of the OS itself, and poorly written programs. Had nothing to do with viruses or 0 day security holes.

Some people are just prone to these things. It's like telling a kid to not touch the wet paint...5 minutes later they're standing in front of you, with a finger covered in wet paint...:)

+1 Couldn't have said it better myself.
 
I'd love to see an Apple apologist answer this.

Fact is, nobody gives a $%^& about a mac.

"Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town."

So where would most people like to live? In a farmhouse out in the country where life is good, the air is fresh, and you can leave your doors and windows unlocked? Or in the ghetto, cowering under the bed, listening to gunshots throughout the night and hoping the thugs don't break down your door and rob you?

To me, that pretty much describes the difference between Macs and PCs. Charlie Miller is unintentionally, I'm sure, kicking Windows users in the balls.

The quote should have read...

"Windows, a ghetto OS." -Charlie Miller
 
Safety through obscurity makes no sense.

Ok, so say I've got a keylogger in the wild and my colleagues in a dingy office in the Ukraine are making a nice earner from cloning and selling credit cards and bank details.

But I could increase my success rate by targeting an OS which, whilst small in market share, still consists of millions and millions of machines. And people using that OS are less hard-wired to be cautious about downloading and running programs.

So all the programmers I know are Windows guys, but I put the word out that I want to target OS X and it shouldn't be too hard to find someone who would say "OS X? yeah, I can crack that. It's piece of pis*. Give me a couple of weeks."

And then you just combine your OS X code with your Windows code so that it replicates on whatever system it lands on.

So how come it doesn't happen like that? It's about making money by gaining information, be it bank details or setting up a botnet to spam. Surely increasing your potential userbase by 5% at a stroke would be an excellent return on an investment?
 
Agree completely. These people who say Mac has a low marketshare seem to think that low means a total quantity of 10 machines. We're talking about millions upon millions of Macs — most of them unprotected (in the Windows sense) — and still nothing has remotely affected them in the same way.

What's the problem? Mac users are "smug," have more money to throw around (supposedly), and their machines run no anti-malware. Where's the guy who will finally shut them up all up by getting software to secretly install itself?

I still say hackers go after the easier targets.
* In the Windows (desktop) case, Windows is the larger marketshare.
* In the phone market, Android is the MUCH smaller marketshare (so far) and yet has already gotten more Trojans than iPhone (which is at ZERO — the hacked iPhones don't count).
 
Agree completely. These people who say Mac has a low marketshare seem to think that low means a total quantity of 10 machines. We're talking about millions upon millions of Macs — most of them unprotected (in the Windows sense) — and still nothing has remotely affected them in the same way.

I don't really know, but I would have thought that any serious targets are going to be businesses and large groups of machines, not single owners, i.e. not Macs.
The example of a Ukrainian keylogger is no different on any os. Get a user to download the file, execute it and voila - it's logging and sending, irrelevant of os/firewalls/nat. Talking of which (the comparison has come up a few times here), UAC is arguably more secure than privilege escalation on *nix (and users clicking through 'ok' boxes is obviously no different than putting in your account password).

It's all well and good blabbing on about 10 year old assumptions, considering nothing but people with an old unpatched xp install directly connected to the internet - but the truth is that windows is a pretty secure OS nowadays, and microsoft are generally pretty fast responding to any vulnerabilities (what choice do they have?).

It's been said a fair few times in this thread, but security issues are with the user.
 
You have no idea what a crossover cable is, do you?

It's not the iPad: It's not some magical device that makes the impossible possible. It's simply a way of connecting one network device with another like device (like a desktop computer with a laptop, or two switches.) It actually DOES exist "in the wild," but is not really all that necessary due to Auto-MDIX, though Auto-MDIX doesn't necessarily work all the time, thus necessitating a crossover cable. MOST network ports these days are Auto-MDIX, meaning they will automatically cross the appropriate connections if it senses that the attached cable is a straight-through cable.

You can get the same exact results using straight-through cables and a network hub. It's not wizardry. You're just building a 2-device LAN. In fact, crossover is absolutely essential for network communications because the ethernet standard defines certain wires to be used for talking and certain wires to be used for listening. That means that if Computer A is using wires 1&2 to send and 3&6 to receive, Computer B will be doing the same thing. That means that a straight-through cable would mean that the signals Computer A sends to Computer B will arrive on the pins used by Computer B to send... which wouldn't work. A typical network Switch or Hub will automatically "cross" the signal onto the receiving pins on the distant end, so that the distant end can "hear" what's being said.

Cabling relates to Layer 1 of the OSI model: Physical connections. It has absolutely nothing to do with anything above that layer, meaning all security applications and networking protocols are still in place, so no, using a "magical" crossover cable isn't going to automatically hack anything: you still have the OS's security layers to contend with, just as if you were connected to that computer via LAN.

That's what I thought too, but it's been a while since I had to do anything with networking, so I wasn't sure if something new had been found.

Safety through obscurity makes no sense.

I wouldn't say it makes no sense. Security is all about layers. One of those valid layers is obscurity. Now, relying only on obscurity for your security model is just as bad as relying only on any other layer and thinking you're safe. It's the combination of layers that does the job and not any single one.
 
I wonder what access to physical hardware and social engineering his security holes will need? In the past, many of these exploits required quite a bit of user intervention including the administrator password.

For example,

"No one was able to execute code on any of the systems on Wednesday, the first day of the contest, when hacks were limited to over-the-network techniques on the operating systems themselves. But on the second day, the rules changed to allow attacks delivered by tricking someone to visit a maliciously crafted Web site, or open an e-mail. Hackers were also allowed to target "default installed client-side applications," such as browsers.

That's still a very serious vulnerability. Do you have any idea how easy it is to get the average user to click on links in e-mails?

And you might think, "Well, I'm too smart to ever do that." But it doesn't matter, because you're not the only person looking at your own data. Every single person who looks at your data (financial aid counselor, mortgage broker, IRS) is susceptible to attacks like this.

It's one of the largest threat areas out there in information security right now.
 
I wouldn't say it makes no sense. Security is all about layers. One of those valid layers is obscurity. Now, relying only on obscurity for your security model is just as bad as relying only on any other layer and thinking you're safe. It's the combination of layers that does the job and not any single one.

Bzzt.

The problem with obscurity is that it also hinders the "good guys" from auditing your security.

Bad guys have more time and money to spend on this than the good guys do. Therefore, security needs to be geared towards efficient investments, and clear, published designs are efficient. Obscurity is inefficient, and without a doubt leads to lower security.
 