MacDailyNews - Where Mac news comes first


Apple Macs are far more secure than Windows PCs
Tuesday, September 26, 2006 - 11:59 AM EST

"As part of its current ad campaign, Apple suggests that Macs aren't vulnerable to the same Internet security problems PCs are," Todd Spangler writes for Baseline Magazine.

"But according to a new study by security vendor Symantec, the number of vulnerabilities identified in Apple's Safari browser in the first half of 2006 doubled over the prior six months—and it increased its window of exposure to Net-based exploits from zero days to five," Spangler writes.

Spangler writes, "Microsoft's Internet Explorer browser still has a longer window of exposure—the time between when code exploiting a vulnerability appears and when a fix is available—and a greater total number of security holes. But Apple 'is headed in the opposite direction' with respect to its browser's vulnerability to Internet-based threats, says Dave Cole, director of Symantec's Security Response team."

Spangler writes, "Apple's marketing campaign implies Macs are not vulnerable to the same kinds of Internet security threats that Windows PCs are. In a recent Apple TV ad, an actor playing the Mac character says to the PC character: 'I run Mac OS X, so I don't have to worry about your spyware and viruses.'"

Spangler writes, "Symantec's Cole says it's a fallacy to claim that any Web browser is inherently safer than another. 'The reality is, Apple has lower market share' than Windows PC makers, he says. 'Attackers are driven by money, so they go after the bigger market. If you have lower market share, you're not more secure—you're just less interesting [to a hacker].'"

Full article here.

[Thanks to MacDailyNews Reader "Stormy" for the heads up.]

MacDailyNews Take: Ooh, we're shaking with fear. Let us know when Macs are hit with spyware or viruses in the wild, okay? Until then, we're not buying what Symantec et al are peddling. While smaller market share is no doubt yet another advantage for Mac security, Mac OS X is inherently more secure than Windows. With 20+ million Macs in the world, why has there been no single successful Mac OS X virus in 5+ years? Shouldn't there be a few or at least one?

Remember, do not download, authorize, and install things on your Mac from untrusted websites.

By design, Mac OS X is simply more secure than Windows. Period. For reference and reasons why Mac OS X is more secure than Windows, read The New York Times' David Pogue's mea culpa on the subject of the "Mac Security Via Obscurity" myth here.

Macs account for roughly 10% of the world's personal computer users — (some say as much as 16%) — so the first half of the myth doesn't even stand up to scrutiny. Macs aren't "obscure" at all. Therefore, the Apple Mac platform's ironclad security simply cannot logically be attributed to obscurity.

Zero percent (0%) of the world's viruses are for the Mac OS X platform, which should, logically, have some 10-16% of the world's viruses if platforms' install bases dictate the numbers of viruses. The fact that Mac OS X has zero (0) viruses totally discounts "security via obscurity." There should be at least some Mac OS X viruses. There are none. The reason for this fact is not attributable solely to "obscurity," it's attributable to superior security design.

Still not convinced? Try this one on for size: according to Apple CEO Steve Jobs at WWDC, there are "19 million Mac OS X users" in the world and there are still zero (0) viruses. According to CNET, the Windows Vista Beta was released "to about 10,000 testers" at the time the first Windows Vista virus arrived. So much for the security via obscurity myth.



Reader Feedback:

Sep 26, 06 - 11:08 am Comment from: Big Al

Vulnerabilities ≠ Exploits

Sep 26, 06 - 11:10 am Comment from: Tempus Fugit

Symantec and Dave Cole:
Nattering Nabobs of Negativism.

or to quote Moe Howard:
"I'd knock your brains out if you had any!!"

Sep 26, 06 - 11:10 am Comment from: Jack

Old, old, old, news.

Sep 26, 06 - 11:12 am Comment from: Macaday

We really do have to blame Symantec for leading these idiots astray.

Apple is set to grow exponentially. And Symantec will earn precisely ZERO from those billions.

Good thing I say.

Sep 26, 06 - 11:15 am Comment from: Boeing777

MDN: enjoy repeating its own crap over and over.
Point made: MDN not yet totally self convinced.
Results: childish takes and pointless shouting.

Sep 26, 06 - 11:19 am Comment from: Mr. Peabody

Oh Lord, not "Symantec says...", again. Haven't we learned not to learn from Symantec yet?

And, is anybody really saying that Macs are totally invulnerable, without any possibility of any viruses (in the future)? Is anybody really saying that? I don't hear anyone saying that. If Macs are going to become targets by virtue of market share, then let's get there first, then start worrying about viruses that may or may not take advantage of vulnerabilities. And that's assuming Apple, for some crazy reason, stops releasing security updates.

No, I've got to believe that this kind of rhetoric is ulteriorly motivated.

Sep 26, 06 - 11:19 am Comment from: HuskerMac

Apple more secure than Windows? Well, Duh!

Sep 26, 06 - 11:19 am Comment from: DakRoland

Wait, WWDC was yesterday!? CRAP! I missed it!!

(MDN, you might want to edit your take a little bit... wink)

Sep 26, 06 - 11:29 am Comment from: macromancer

"Attackers are driven by money, so they go after the bigger market"

Um ok, tell me exactly how these people are making a profit from creating viruses?

Attackers are driven by ego.

Sep 26, 06 - 11:30 am Comment from: M di L B Simoni

Symantec is shooting themselves in the foot. In a feeble attempt at spreading FUD - fear, uncertainty and doubt - they are proving themselves to be an unreliable source of real data. The "obscurity myth" is old, dead and buried, and for a company that should be actually looking to real vulnerabilities to spew rumors and falsehoods as facts totally underlies ANY credibility they may have.

I also have issue with BaseLineMag.org for using an obviously biased company as a source of factual information.

Aren't there ANY REAL JOURNALISTS out there any more?!!!

Sep 26, 06 - 11:33 am Comment from: Wow!!

A story about how Macs are more secure than Windows? This is certainly a first for MDN. You guys should cover stories like this more often.


Death, taxes, MDN stories about Mac security.

Sep 26, 06 - 11:33 am Comment from: BustingTheSkullsOfIdiots

Good point, Macromancer. Hackers don't make any money from their activities. What is Symantec talking about? Perhaps Symantec is really talking how THEY make money from hackers' activities?

Sep 26, 06 - 11:53 am Comment from: MacRaven

Wonder how many hackers Symantec pays off the books, working night and day, to develop a hack, virus, worm, trojan, anything Apple based.

They see they will lose much $$ as Apple expands.

Sep 26, 06 - 11:54 am Comment from: ken1w

Ultimately, it doesn't matter WHY Macs are more secure. No one (not even a FUD spreader) argues the point THAT Macs are more secure. Far more secure...

Sep 26, 06 - 11:55 am Comment from: RC

Symantec is just looking to sell their shitware to the clueless by using FUD, that's all. Just don't be stupid enough to fall for it and you'll be fine.

Sep 26, 06 - 12:10 pm Comment from: dpp

Hackers that write malware for "ego" usually like to make a splash and that means revealing the exploit and creating havoc in the process - this still happens but is less common than the more damaging kind of "commercial" malware that is today's threat.

Malware authors make money by compromising internet-connected personal computers and using them for botnets that can then relay spam or participate in DDOS attacks. They get a return for each machine that they provide for the network. They may also install key loggers or other software used to harvest and forward identity information for whatever purpose you choose to imagine. These security breaches are not useful to the attackers if they reveal themselves, since the owner would then take steps to remove the intrusion (usually this means reinstalling Windows and rebuilding the system). Root kits are the ultimate in stealthed exploits, since they become invisible to the OS itself.

Windows users who also use IE for browsing are particularly vulnerable to attack, but social engineering can make it possible for a user with the proper privileges to unwittingly install malware on any platform.

Even Mac OS users would be well advised to not routinely run as administrator (or as root in a Unix/Linux box). There is a known weakness in the Mac OS where a user running with administrator privileges can install a package that requires root privileges without getting the authentication dialog box - run as a normal user and this weakness is not an issue, you will always get an authentication request. Listen to the last Macbreak Weekly podcast for discussion of this issue.

Sep 26, 06 - 12:18 pm Comment from: fandango

"Spangler writes, "Symantec's Cole says it's a fallacy to claim that any Web browser is inherently safer than another. 'The reality is, Apple has lower market share' than Windows PC makers, he says. 'ATTACKERS ARE DRIVEN BY MONEY [emphasis mine], so they go after the bigger market. If you have lower market share, you're not more secure—you're just less interesting [to a hacker].'"

My question to this 'logic' is this... "Who the h*ll is paying for hackers to attack *any* OS or browser???? I mean, if MONEY is the objective of these ne'er-do-wells, just EXACTLY who is paying them???

I propose that Symantec's Cole is shoveling a huge, steaming pile of FUD and needs to StFU.

MW: effect... As in, Dave Cole needs to be aware of what type of effect his stupid opinions have.

Sep 26, 06 - 12:24 pm Comment from: moof

If you believe that you can find the source of motivation by following the money trail, it doesn't take much to figure out who has the biggest financial stake in ensuring that malware remains a threat.

Sep 26, 06 - 12:25 pm Comment from: fandango

RE: dpp

Ummmm, ok....

Answers that question.

Sep 26, 06 - 12:50 pm Comment from: DanielN

MDN,

Why do you post articles under headlines that state the opposite of what the article says?

I read the article with the expectation of finding another 'expert' who had come to his senses about security. Instead, I find another misguided fool. I have no need to hear from this person.

Your 'take' should never be the headline.

Sep 26, 06 - 01:00 pm Comment from: plasticmd

I agree with DanielN. I am an avid Apple user and fan. But don't appreciate when MDN changes article Titles for their own spin. Agree with above 100%

Sep 26, 06 - 01:15 pm Comment from: Hack a Mac (not)

To answer the question how hackers get paid for finding and using exploits.

Just look at your well used email account, full of spam right?

Fools click on this spam and actually buy stuff. Some are phishing scams where people click a link in a spam and actually enter their vital banking login information.

Some people are taken by the email scams too.


So what does this have to do with exploits?

Simple, every email can be traced back to an IP address that sent it. Even if the headers are altered a bit. If a spammer uses their own IP address they can be shut off by their ISP.

So what spammers need is botnets of unsuspecting users' machines to spam from to hide their identity, grab new email addresses and propagate viruses to start the whole process over and over again. This is where hackers come in.

When a spam makes it to a suspect's email box, it usually has an image that needs to be downloaded from a spammer's server. This tells the spammer your IP address and chalks up a reward $$ for the hacker.

PharmaMaster taught me everything I know. raspberry

Sep 26, 06 - 01:21 pm Comment from: kruchev

As Apple's market share continues to increase over the next few years and could be poised to enter the double digit domain. What this means for Symantec, who has to deal with Windows One Care or Live Care or whatever they are calling their software they sell to protect an inferior product that they also sell. In either case Symantec loses money. If I was Symantec's marketing department I would exploit every piece of FUD I could to generate my cash flow.

Sep 26, 06 - 01:30 pm Comment from: Rainy Day

“Attackers are driven by money, so they go after the bigger market.”

Actually, most are not driven by money (yet).

Sep 26, 06 - 01:34 pm Comment from: TheDataDude

I'm a big MDN fan, but I agree that this is a very poor headline ("Apple Macs are far more secure than Windows PCs") for this article. I can see where MDN didn't want to include a headline that just propagates the article's misinformation, but instead their headline misrepresents what the article said.

Perhaps a better headline would be:

"Symantec again spreads self-serving FUD about Mac OS X"

Sep 26, 06 - 01:38 pm Comment from: Buster

What about the argument that OS9 and earlier had viruses but Mac OSX has none? Doesn't that basically defeat this obscurity crap as well?

Sep 26, 06 - 02:16 pm Comment from: dpp

to fandango:

My comments were in reply to questions of how money could motivate hackers - it does, and this is considered the "business model" for applying many exploits that exist for Windows and IE (primarily). Many of these exploits require little or no involvement of the user, just poor security management. Unfortunately, on the Windows platform, being safe requires being a security expert - hence the large numbers of compromised systems.

I got rid of Windows PCs at home and use only Macs for this reason.

Sep 26, 06 - 03:12 pm Comment from: ©

"Ultimately, it doesn't matter WHY Macs are more secure."

---> One word: UNIX

"Even Mac OS users would be well advised to not routinely run as administrator (or as root in a Unix/Linux box). There is a known weakness in the Mac OS where a user running with administrator privileges can install a package that requires root privileges without getting the authentication dialog box - run as a normal user and this weakness is not an issue, you will always get an authentication request."

---> Link concerning this can be found here: http://www.macgeekery.com/tips/security/how_a_malformed_installer_package_can_crack_mac_os_x
This would definitely fall under safe computing practices, as in - Do not download, authorize, and install things on your Mac from untrusted websites - but it still needs to be fixed. Another one that concerns me, but falls under the same category, is the authentication dialog spoof that MDN reported on here:

http://www.macdailynews.com/index.php/weblog/comments/security_alert_mac_os_x_authentication_dialogs_can_lie/

And the metadata vulnerability (where, say, a file with a jpeg icon can actually be a Unix executable) is one that should have been fixed by now - it's been a looooooong time coming.

Of the three, the metadata vulnerability concerns me the most. I don't want to have to use "get-info" on a jpeg file to make sure it is not an executable. I am not losing any sleep over it, but, all things considered, it should have been patched by now.

No, the sky is not falling, but Apple please fix that damn metadata vulnerability!

Sep 26, 06 - 03:32 pm Comment from: ©

Just came across this one a minute ago, and thought I'd come back. New QuickTime vulnerability (no known exploits) found:

http://www.securityfocus.com/bid/20138/exploit

PLEASE NOTE: The above link takes you to a page with two "proof-of-concept" links. They are "mp3" files that show how the exploit can be used. They are also harmless. DO NOT CLICK ON THEM IF YOU ARE WORRIED ABOUT IT.

Click tabs above links for further info on it. Again, no known exploits and the sky is not falling, but it's good to be informed of such things.

Sep 26, 06 - 03:44 pm Comment from: ©

Sorry to eat up all this space, but a very good explanation of "Back-dooring" .mp3, .mp4, .mov etc. files in QT can be found here:

http://www.gnucitizen.org/blog/backdooring-mp3-files/

I'm sure this affects Windows versions of QT as well...............

Sep 26, 06 - 04:36 pm Comment from: Dead horse

Stop beating me.

Sep 26, 06 - 04:59 pm Comment from: Chris

Just once, I'd love to read an explanation by one of the 'computer security' vendors of why the Mac OS prior to OS X had viruses, but OS X has none. If OS X isn't a big enough target, how is it that OS 9 and previous versions were big enough? Security by obscurity either works or it doesn't, and if it works for OS X, then it should have worked for previous versions too.

Sep 26, 06 - 06:49 pm Comment from: ©

"Just once, I'd love to read an explanation by one of the 'computer security' vendors of why the Mac OS prior to OS X had viruses, but OS X has none"

---> OS X's foundation is BSD Unix, which has been security pounded for years. Previous iterations of the Mac OS foundation were proprietary (not released to the public for scrutiny) and becoming "spaghetti-code".

Sep 26, 06 - 10:40 pm Comment from: woof-x

Symantec should be run out of town. What the hell good do they do, anyway? Nothing worthwhile....

Sep 27, 06 - 07:49 am Comment from: Metadata

You can only go up to a certain point in order to protect users:
http://secunia.com/mac_os_x_command_execution_vulnerability_test/

The above shows that the metadata fix is actually in place. Previously if you were to download the file in the link above, Safari was duped into believing it was a movie (as from the metadata content) while instead a terminal script (the file above is supposed to start 'Calculator') hence the hack.

Now not only does it not happen but the icon is no more that of a movie: it appears clearly as a terminal application. In finder I use the columns view, moreover selecting the Secunia.mov (that previously in the unpatched metadata flaw had a movie icon) the Finder clearly states it is a Terminal.Application.

Having different custom icon for a terminal application is not illegal, actually it is a requirement that cannot be broken: developers distributing software would get mad and they would be right. Better to make one angry idiot user (who would double-click that file even if it SCREAMS it is not a movie) than the hundred thousands developers that need to have a custom icon for their legit programs.

Sep 28, 06 - 03:01 pm Comment from: ©

@Metadata - That is the ZIP archive shell script execution vulnerability:

http://secunia.com/advisories/18963/

Solution Status: Partial Fix

"NOTE: The update does not completely fix the vulnerability as it is still possible to trick users into opening malicious shell scripts (masqueraded as a safe file type) in ZIP archives. Do not open files in untrusted archives."

Apple did a partial fix for this in Security Update 2006-002. Now it will show the actual file type in the finder (in column view) and using get-info regardless of the file extension.

In icon view however, - say you just downloaded a .mov file to your desktop but it is actually a Unix executable, it will NOT show as such. The icon will look to be a QT movie. So you could inadvertently have your system compromised by downloading what you think to be a podcast, but in reality is an executable. Plain and simple - this needs to be fixed. PERIOD. It's critical IMO. Apple needs to change the way OS X deals with custom icons so users are protected AND developers are also happy. Yes, you can only go so far to protect users from malware (like email attachments), but this is in another category altogether.
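
A defender-side check for the masquerading problem discussed in the last comments, as an added example that is not part of the original page or of any commenter's post: it inspects a ZIP archive without extracting it and flags members that carry a media extension but begin with script or executable magic bytes. The extension list, function names and sample archive are assumptions constructed for this example.

```python
import io
import os
import zipfile

# Extensions a user would expect to be passive media (list chosen for this example).
MEDIA_EXTENSIONS = {".mov", ".mp3", ".mp4", ".m4a", ".jpg", ".jpeg", ".png", ".gif"}

# Leading bytes that identify content the system can run.
EXECUTABLE_MAGIC = [
    (b"#!", "script (interpreter line)"),
    (b"\xfe\xed\xfa\xce", "Mach-O executable"),
    (b"\xfe\xed\xfa\xcf", "Mach-O executable"),
    (b"\xce\xfa\xed\xfe", "Mach-O executable"),
    (b"\xcf\xfa\xed\xfe", "Mach-O executable"),
    (b"\xca\xfe\xba\xbe", "Mach-O universal binary"),
    (b"\x7fELF", "ELF executable"),
]


def executable_kind(head):
    """Return a description if the leading bytes look executable, else None."""
    for magic, kind in EXECUTABLE_MAGIC:
        if head.startswith(magic):
            return kind
    return None


def audit_zip(archive):
    """List media-named members whose content is executable.

    `archive` is a path or a file-like object. Nothing is written to disk.
    """
    findings = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            if ext not in MEDIA_EXTENSIONS:
                continue  # honestly named scripts are out of scope here
            with zf.open(info) as member:
                kind = executable_kind(member.read(4))
            if kind is None:
                continue
            # Unix permission bits are stored in the high 16 bits of external_attr.
            unix_mode = (info.external_attr >> 16) & 0o777
            findings.append({
                "name": info.filename,
                "content": kind,
                "exec_bit": bool(unix_mode & 0o111),
            })
    return findings


def build_sample_archive():
    """Constructed sample: one disguised script, one JPEG header, one honest script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        disguised = zipfile.ZipInfo("podcast.mov")
        disguised.external_attr = 0o100755 << 16  # regular file, rwxr-xr-x
        zf.writestr(disguised, b"#!/bin/sh\necho constructed sample\n")
        zf.writestr("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
        zf.writestr("install.sh", b"#!/bin/sh\necho honest script\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for finding in audit_zip(build_sample_archive()):
        print(finding)
```
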
