MacDailyNews - Where Mac news comes first


Safari hack wins Pwn2Own; Triggers annual feeding day for Windows sufferers’ Stockholm Syndrome
Thursday, March 19, 2009 - 08:59 AM EST

"In a repeat performance of last year, security researcher Charlie Miller arrived at the CanSecWest conference this week with a prepared exploit to use in cracking Safari running on Mac OS X," Prince McLean reports for AppleInsider.

"Unsurprisingly, Miller was able to use his exploit to immediately win the event's 'Pwn2Own' contest, generating headlines that suggested that Macs are inherently less secure, despite the fact that every browser involved in the contest failed on the first day," McLean reports.

MacDailyNews Take: Wait a sec. You mean that Miller had months beforehand to find a hole and prepare his exploit, then just set it up and ran it when the "contest" began? And that he picked a Mac because any "Mac security issue" would, of course, generate 100x the headlines of any other platform? Even though this same thing plays out year after year, affects no real users, and Apple will plug whatever hole Miller found in a Security Update due soon? Say it ain't so. (dripping sarcasm)

McLean continues, "This year's contest arranged for two test computers. According to the CanSecWest event's official website, which is oddly littered with typos, the 'Browsers and Associated Text PAltform' [sic] were a Sony Vaio PC running a prerelease Windows 7 beta with Internet Explorer 8, Firefox, and Google's new Chrome browser, and a MacBook running Safari and Firefox."

"In each of the three days of the contest, the exploit rules were intended to be progressively relaxed, starting only with exploits that attacked the browser itself, then adding Flash, Java, .Net and QuickTime to the mix on day two, and then 'popular apps such as Acrobat Reader' on the third day," McLean reports. "...In reality, the platforms and browsers involved aren't targeted by a series of equal attacks. Instead, researchers arrive with exploits they hope to use against vulnerabilities they are aware of in specific platforms or browsers, but have not yet reported. Were they to report the exploits in advance, they would be patched by the vendor. There's no money in that, so the contest provides an incentive to report vulnerabilities."

MacDailyNews Note: Last year, Miller took two minutes to win. This year, he was more efficient - probably a good thing for him, since Windows 7 running IE fell soon after - and did it in 10 seconds. Again, the work had all been done beforehand. As with last year's exploit, Miller simply provided a link, the judges clicked it, and he showed them he had full control of the MacBook. Quick, type up those "Mac hacked in 10 seconds!!!" headlines.

McLean reports, "In exchange for the winning prize, Miller granted the reporting rights to the discovered flaw in Safari to TippingPoint’s Zero Day Initiative, which will coordinate the handling of the disclosure and the patch release process with Apple. When a vulnerability is reported to Apple, the company credits the discoverer with finding the problem when issuing a patch for it."

McLean reports, "The contest is also somewhat removed from reality due to the fact that it pits the current release of Mac OS X with new versions of Windows that do not reflect what the vast majority of Windows PC users are actually running... This year, the use of the prerelease Windows 7 operating system, which security researchers have had limited access and time to study, combined with the fact that Microsoft expressly warns users not to use it in production environments, tends to create the impression that Pwn2Own is more about theoretical games than real world security issues relevant to end users."

"The real world security problems that affect today's Windows users relate to the fact that there are not only more discovered flaws on Windows, but that these flaws are being actively exploited to develop viruses, spyware, adware, and other malware. Further, there are vast numbers of machines that are not promptly updated with the patches that do exist, resulting in fleets of vulnerable botnets that actively distribute new attacks to other systems. These two problems aggravate each other to create the Windows security crisis... Mac OS X continues to have no real viruses, while Windows users continue to be plagued by viruses, adware, and other security problems," McLean reports.

There's much more in the full article - highly recommended - here.

MacDailyNews Take: The bad news is that these contests twist reality in order to generate publicity for their sponsors and provide headlines for the beleaguered to latch onto; headlines that give false impressions to the sufferers and further bind them to their miserable existence. It's feeding day for the Windows sufferers' potent combo of Stockholm Syndrome and Cognitive Dissonance. It's a boringly predictable annual charade. We wouldn't even bother posting about this contest if people would simply report the facts and not try to create fantasies that do not exist in the real world. The fact is that using any version of Windows online remains a risky joke. Please see related articles below.

The good news is that this contest has helped identify issues which OS and software vendors, including Apple, can now plug. In the meantime, as always, relax: Mac users surf the 'Net with impunity.

That said, here's our usual reminder for Mac users and anyone who's trying to use any other platform: Do not download and authorize the install of applications (Trojans) from untrusted websites. No OS can protect users from themselves (or we wouldn't be able to install any software).

Reader Feedback:

Mar 19, 09 - 08:17 am Comment from: Wandering joe

It's a good thing they find these holes, but they don't reflect reality too much.

Mar 19, 09 - 08:41 am Comment from: Surur

The short version of this apologist creed - Security through Obscurity wins again, and no-one wants to waste time hacking 5% of the world's computers.

Mar 19, 09 - 08:52 am Comment from: kenh

Well, I have had OSX since Panther, what about 5 years?

Still no viruses.

You see, I don't live in the theoretical world.

Unlike some people who can't function anywhere else.

Mar 19, 09 - 09:00 am Comment from: Mark

I wonder if they were using Safari 3.2.1 or 4-Beta. (Since the hack was an open source Perl library, it may not make a difference.)

Mar 19, 09 - 09:01 am Comment from: Predrag

5% of world's computers today is more machines than 98% of world's computers in year 2000. Yet, in year 2000, there were over 40,000 viruses, worms, trojans and other malware for Windows, and botnets were already slowly appearing and being offered for rent in the underworld of cybercrime. So, no; security-through-obscurity does NOT hold water today, much like it never did before. Early on, when writing a successful virus was a show of hacking skill, getting one for the Mac would have been the ultimate achievement. Today, it's a business, and there is no doubt that Mac viruses (or commercial trojans) would have been here had the platform been easier to hack. In general, Macs are rarely shut down; their owners are much more affluent than Windows (on the average, folks!), and their internet connections are consequently more reliable, more robust and fatter than your average Windows machine (many of which are still on dial-up). As such, Macs would present prime cyber real estate for botnets. Yet, no malware.

As MDN had said, today is their annual feeding day. Let's give them that privilege. Tomorrow, it's back to grim reality (for them).

Mar 19, 09 - 09:07 am Comment from: bjh

MDN: "Wait a sec. You mean that Miller had months beforehand to find a hole and prepare his exploit, then just set it up and ran it when the "contest" began?"
So what? A vulnerability is a vulnerability. Come on, we're all grown-ups here. We like Macs and continue to use them. But a browser - with the system access it provides - is a different piece of software to the OS. It's not inconceivable there will be bugs. And those bugs need to get fixed. Stop whining.

Mar 19, 09 - 09:10 am Comment from: griggy

Yup. Here, let me hand you my ATM card, write down my pin number for you and see how long it takes you to hack into my bank account.

Mar 19, 09 - 09:17 am Comment from: Predrag

BJH:

The point is that the article makes it sound like the guy walked up to Safari and cracked it in 7 seconds flat. Whereas in fact, he worked on that crack for hours, days, weeks, months, and possibly a full year; we simply can't know. Which means, we simply can't know if this vulnerability is really worth exploiting commercially (by underground hackers who rent botnets). If it really takes months to discover a way to exploit this vulnerability in order to write code to take ownership of a bunch of Macs, nobody in their sane mind would want to do that, if the other option is to spend a few hours exploiting one of a variety of well-documented, wide open Explorer vulnerabilities and deliver your fresh botnet to your customer in a matter of days.

So vulnerability isn't exactly a vulnerability; in other words, there are vulnerabilities, and there are vulnerabilities. Some (Explorer) take a fairly short time to figure out how to exploit. Others might take a lot longer.

And as soon as Snow Leopard is deployed, that task becomes significantly more difficult still (with memory space randomisation and other security features apparently already in current SL builds).

Mar 19, 09 - 09:17 am Comment from: Copernicus

It's really lame for MDN to throw stones at Windows when Apple's platform is the first to fall. Excuses and justifications not welcomed.

As a long time Mac user, it's tough to argue the security virtues of OS X when the weakest link (Safari, QT, etc.) exposes the whole OS to takeover. Yeah, the OS is secure (no open ports, UNIX perms, etc) but that's irrelevant in the face of swiss cheese apps.

I liked Apple's "state" a LOT better back in the PPC days. Light code, fast, secure apps. Not anymore. Bloat & Gloss.

Mar 19, 09 - 09:24 am Comment from: Another IT Guy...

"Today, it's a business, and there is no doubt that Mac viruses (or commercial trojans) would have been here had the platform been easier to hack. In general, Macs are rarely shut down; their owners are much more affluent than Windows (on the average, folks!), and their internet connections are consequently more reliable, more robust and fatter than your average Windows machine (many of which are still on dial-up). As such, Macs would present prime cyber real estate for botnets. Yet, no malware."

This really belies your ignorance as to what botnets accomplish. The target size of the Windows user base so utterly dwarfs the global Mac user base that the oft-mentioned, yet decidedly dubious proposition of scoring the ostensibly more affluent users of Macs has no relative value to an organization in search of zombie systems. It's simply an opportunity cost proposition. They're looking to hijack systems for network operations, not steal the personal financial information of pretentious and snooty customers with a bizarre fetish for anodized aluminum.

That said, these Pwn2Own stunts are just that...stunts, coordinated for maximum media effect.

Mar 19, 09 - 09:34 am Comment from: Shadowself

Copernicus, Safari fell first for one reason only: the perpetrator hates Apple (known and long documented fact) and literally spent months going after Safari (as declared by him quite a while ago). He also had exploits for IE and FF. He just went after Safari first. If he had chosen to go after IE or FF on day one first those would have fallen first. As it was they fell the same day too.

Mar 19, 09 - 09:35 am Comment from: British Mac Head

Hey, we're all missing the point here. This is pwn2own right?

So you get to take home the computer you hack yeah?

Well which one would you spend weeks hacking? The MacBook or the Vaio if it meant you got a free one?

I rest my case!

Mar 19, 09 - 09:51 am Comment from: @Another IT Guy

...you make a valid point. If I'm a hacker and want to deliver a botnet, I'd aim for Windoze simply because there are so many more systems available out there - assuming that my exploit code reliably captured systems and allowed them to keep working for me (as opposed to being re-taken by other hackers or cleaned).

Of course, it doesn't hurt that there are scads more known vulnerabilities for WinXX based systems, and the patch levels of those systems are frequently very badly managed. They are, in general, far easier targets - which is the whole point of MDN's take - WinXX-based systems are inherently less secure than Macs, even though this "contest" would appear to demonstrate otherwise.

The proof of this is that Macs do NOT typically see the types of attacks you later reference - "stealing the personal financial information of pretentious and snooty customers" - even though, demographically, this would be a great target, with by far a large enough user base to make it worthwhile - a user base that has theoretically been lulled into complacency because they don't need to run antivirus, antispyware, anti-whatever else programs. So, if a bad guy writes really clever malware that can propagate through this community, it will run roughshod over everyone. Yet, for some reason, this hasn't happened. While it's impossible to prove a negative, it seems evident that there's a big, fat target that's being neglected, and I haven't yet heard a reason why that makes any sense at all.

Mar 19, 09 - 10:00 am Comment from: Predrag

Another IT Guy:

You seem to have missed the point; my argument was that Mac botnets present a more desirable product to offer for rent in the underworld of cybercrime because they are more reliable performers as such (faster net connections, consistently longer up-time). Windows botnets are full of machines that are constantly up and down, on and off, connected then disconnected, many via clogged pipes (dialup or 192kbps ADSL). I never mentioned data on those Macs, as that is obviously of no interest to purveyors of botnets. Their primary goal is to commandeer as many reliable computers, that are reliably connected to the internet with a reasonably good connection, with the ability to deploy software of their choice on those computers and rent that software to others. Clearly, in general, Macs present an attractive target from that perspective.

The problem is that the majority of these hackers don't know how to, or don't find it worthwhile spending the time to learn to develop such software for Mac. Which in the end indicates that the platform makes it more difficult to develop. Low hanging fruit is still Windows.

Mar 19, 09 - 10:09 am Comment from: M.X.N.T.4.1.

Safari being hacked is not a good thing whichever way you slice it, but as mentioned in the comments we don't know the background to the hack. Did it take a long time to come up? Similarly how easy a thing is it to fix? If it's some obscure bug - something akin to a typo - that is easily missed and hard to exploit but simple to fix once discovered then it's less of an overall concern than some hack that was discovered in 2 minutes and would take a major reengineering of the entire product to fix. This is not a defense of Safari, more an example of how the setup of the contest isn't truly indicative of the quality of the security they're hacking and how much of the reporting of it fails to match up to real world experiences.

Mar 19, 09 - 10:22 am Comment from: Surur

@Predrag - so you still maintain Safari security is better, despite it being easily hacked by the determined?

The fact that it has been hacked a number of times shows that the only reason it has not been targeted is because the attention is elsewhere. Your logic makes no sense.

Let me repeat - Safari is demonstrably hackable. It is not being targeted.

You cannot claim it's not insecure, as this has been demonstrated repeatedly. The only thing left to explain is why it's not being targeted.

"The problem is that majority of these hackers don't know how to, or don't find it worthwhile spending the time to learn to develop such software for Mac. Which in the end indicates that the platform makes it more difficult to develop."

Isn't that security through obscurity? I could say the same about an Amiga.

Mar 19, 09 - 10:39 am Comment from: Big Als MBP

@ Copernicus,

"It's really lame for MDN to throw stones at Windows when Apple's platform is the first to fall. Excuses and justifications not welcomed."

He could use the same exploit and not be able to hack one of my Macs in his lifetime.

Like every other well publicized Mac exploit, physical access to the Mac in question was needed. You don't go to the obscure, infected site on purpose, you don't get hacked.

Mar 19, 09 - 10:44 am Comment from: dan

The Safari pwn2own caper is a valuable technical exercise. Exploits of open source software like Webkit based browsers such as Safari will continue to be uncovered. The security community plans for this inevitability. What the media fail to discern is the lack of Mac browser or virus exploits in the wild.
dd

Mar 19, 09 - 10:50 am Comment from: Big Als MBP

If the exploit was in an open source part of Safari, it has just been peer reviewed and the exploit will be repaired by the open source community shortly.

Apple is a contributor to the open source community.

Charlie Miller, obviously, is not.

Charlie Miller is a dickhead who received financial aid by hacking a computer.

There are laws against that.

Mar 19, 09 - 11:27 am Comment from: Snafu

In a past competition the hack was designed and created the day before the contest. Winners have stated designing an OS X hack is actually quite easy by their standards, what with Apple both being often late in upgrading OSS components (because of it having to adapt them to the peculiarities of OS X's HFS+ filesystem and whatnot) and listing the versions OS X uses (so hackers just have to look for the relevant vuln lists). And that's just the OSS elements: let's not talk about Apple-originated ones such as Quicktime, plus not being quite up to best practices security-wise.

In short, there is no mitigating it by alluding to "months of work" and such: Macs are an easy target for webpage-based attacks.

And Charlie Miller, by pointing all that out, contributes to the OSS and Mac community by making them move their asses and plug the holes, thank you.

Mar 19, 09 - 11:34 am Comment from: JohnnyG5

I think that giving the 'researchers' months to prepare isn't much of a contest. The 'researchers' arrive on Sunday, Sunday afternoon they are given a program and OS to try and attack, and it can't be a program that they've exploited previously, and Monday morning at 0800 the clock starts running 24 hours a day to Friday afternoon at 1700. Then we'll see how well the programs and operating systems stand up.

We'll also see what interest 'main stream media' has in the results when all they have to photograph are bleary-eyed 'researchers' looking at a monitor...

Mar 19, 09 - 11:48 am Comment from: Islandgirl

The AppleInsider article says all browsers were hacked. But Engadget and others said Google Chrome was the only browser to remain uncompromised.
Anybody here know whether Chrome actually was included in the contest and was or was not cracked?

Mar 19, 09 - 12:27 pm Comment from: kenh

30+ million copies of OSX out there.

Should there not be SOMEONE out there in those 30 million copies whose computer has been taken over by a hacker?

I use my Mac 8 or more hours per day and have since 1988.

Give me a name, a phone number, an e-mail address of a real every day Mac owner whose machine has been hijacked.

I have owned as many as 8 networked Macs at one time all connected to the internet.

I am still waiting.............. I know a meteor can hit me on the head, but until I have some statistical evidence that it will, I really don't intend to worry too much.

Mar 19, 09 - 01:49 pm Comment from: I am me

[They're looking to hijack systems for network operations, not steal the personal financial information of pretentious and snooty customers with a bizarre fetish for anodized aluminum.]

Pretentious? Moi?

But, really. What could be more pretentious, than an ignorant windroid coming to a Mac related site on his $187 unfinished knotty-pine laptop, and calling the residents names?

Mar 19, 09 - 01:56 pm Comment from: dd

This bears repeating:

30+ million copies of OSX out there.

Should there not be SOMEONE out there in those 30 million copies whose computer has been taken over by a hacker?

I use my Mac 8 or more hours per day and have since 1988.

Give me a name, a phone number, an e-mail address of a real every day Mac owner whose machine has been hijacked.

I have owned as many as 8 networked Macs at one time all connected to the internet.

I am still waiting.............. I know a meteor can hit me on the head, but until I have some statistical evidence that it will, I really don't intend to worry too much.

Mar 19, 09 - 02:21 pm Comment from: Surur

At least 3 Macs have been taken over by hackers - at the Pwn2Own contests this year and last year.

And btw - do you ever click on a tinyurl link in twitter? That makes anyone vulnerable, don't you know?

Mar 19, 09 - 02:53 pm Comment from: lantzn

@Surur
That means we can all go home and use our Macs without anything to worry about then. Remember practice safe surfing.

Mar 19, 09 - 03:12 pm Comment from: Ampar

Miller will be hocking his hacks at a Pwn shop.

Mar 19, 09 - 04:01 pm Comment from: kenh

"At least 3 Macs have been taken over by hackers - at the Pwn2Own contests this year and last year."

Refer to: "Yup. Here, let me hand you my ATM card, write down my pin number for you and see how long it takes you to hack into my bank account." good analogy

3 out of 30+ million, no other reports in real life situations. What does that tell you?

"And btw - do you ever click on a tinyurl link in twitter? That makes anyone vulnerable, don't you know?"

And why exactly would I do that? Assuming that it actually works.

Mar 19, 09 - 04:05 pm Comment from: Surur

Yes Ken, no-one ever clicks on a tinyurl link.... Sure.

Mar 19, 09 - 04:50 pm Comment from: Arnold Ziffel

Come and get me, Charlie Miller. My Mac Pro is connected 23.99/6.99, so what are you waiting for, you narcissistic moron!

Mar 19, 09 - 05:58 pm Comment from: Noodle-Armed Choir Boy

Surur;
You sound like a highly-skilled Windows enthusiast who runs the latest anti-virus software(s) and maybe even writes his own, since you're obviously very clever.

You keep your Windows machine(s) (mostly) up and running and (mostly) virus-free, wipe and reformat your drives regularly, and you have no trouble doing so blindfolded.

You then claim that because your Windows machine is mostly virus-free, and because a highly-massaged "contest" proved a Safari browser could be exploited by a potential Trojan, that therefore Apple computers and Windows computers are equally secure and insecure.

Right?

So let me ask you; when you're 60 year-old mom says she wants to get a computer so she can email and send and receive pictures with you in Redmond, from her home in Tampa, do you recommend a Windows computer to your mom, or a Mac, since you feel both are so equal?

Yes, this is a test of both your ethics and your intellect.

Mar 19, 09 - 06:01 pm Comment from: Noodle-Armed Choir Boy

Ooops!

"your 60 year-old mom", not, "you're 60 year-old mom".

big surprise

Mar 19, 09 - 06:07 pm Comment from: Surur

@Noodle Boy

A cheap $600 Windows machine without admin rights of course! Switch off the ability to install software and most threats go right away.

You were not expecting me to pay the average price of a Mac, which is about $1500, were you?

Mar 19, 09 - 06:28 pm Comment from: Lachlan

No matter how you paint it MDN, it is concerning that Safari has a level of insecurity that enables a guy to own the whole system in 10 seconds, just by clicking on a link.

Likewise, that it was cracked with two different vulnerabilities in one day.

How many more vulnerabilities does Safari have that we don't know about?

I don't care that the Windows machine was compromised too - I just want a secure browser and a secure operating system.

Perhaps Snow Leopard will go some way to achieving this.

Mar 19, 09 - 07:50 pm Comment from: tzx4

Here is a tidbit I saved from a reading on the 'net, of course it must be considered hearsay . .

But Miller, who regularly roots out Mac and iPhone vulnerabilities and is perhaps best-known for walking away with a $10,000 prize for hacking a MacBook Air laptop in under two minutes last March, pooh-poohed Apple's recommendation using the same logic as many longtime users.

"Windows has 90% of the market, but [attackers] give it 100% of their time," he said, echoing the idea that hackers target the largest pool of victims.

Criticizing security software for its cost -- both in dollars and in the processor cycles it consumes -- Miller admitted that he doesn't bother running any on his Macs. "I don't think it protects me as well as it says," he argued. "If I was worried about attacks, I would use it, but I'm not worried."

Mar 19, 09 - 07:51 pm Comment from: Arnold Ziffel

Previous poster, uh, Mister Miller "took down" the system after working for no-telling how long prior to the "contest" perfecting the exploit.

We've run Macs now for TWENTY years without a single malware incident...without wasting as much as a single CPU cycle running anti-virus software. That's where the rubber meets the road.

Mar 19, 09 - 09:35 pm Comment from: MacHacker

Java is insecure

Javascript is insecure

Flash is insecure

Intel processors are insecure

Safari should be sandboxed since it runs third party code.

Fixing Intel processors will be quite a different matter as OS type or version doesn't matter, it's most likely an NSA "backdoor" directly into our machines.

My only suggestion, don't keep an Intel processor machine on the internet or networked any longer than you have to.

Learn how to change your MAC Address, turn off Java/javascript/plug-ins when surfing potentially hostile sites.

Set up another "User" as Admin, log into it and set your normal "User" to user only (non-admin). This will protect you by providing a level of security for your apps from alteration.


That is all.

Mar 19, 09 - 09:40 pm Comment from: MacHacker

Oh yea, no matter what the porn site says and so "nice of them" to provide a link to an Adobe or other plug-in update, don't fall for it like Windows losers do.

Google search for Adobe or other plug-in updates and then install them from verified sites.

May 12, 09 - 05:54 am Comment from: anon

@Noodle-Armed Choir Boy

And if I go to the mom and ask her to install this program cos it will make sure no one can hack her Safari she'll probably install it. Then I'll insert a script that creates an HTML page on removable drives and JPEGs and anything else I can attach exploits into. After that's done I'll send the links to everyone in her messengers.

You clearly forget that infecting machines is easy, the only problem is the technical and awareness of the users. If people want to (and are doing slowly) it is easy to infect MACs.

In fact the general consensus here seems to be on viruses, which is an outdated idea, the main uses are trojans coupled with web drivebys. If you think a UNIX/BSD operating system can't be rooted like Windows then you're wrong, it's done all the time. Everyone here needs to grow up and stop acting like they're better than all other computer users, because in fact you all know relatively little on coding, exploiting crafting and general security.
