What is Digg?Sponsored by HowLifeWorks
How Much Are You Over-Paying For Your Auto Insurance view!
howlifeworks.com - Car insurance rates have dropped leaving many people paying far more than they need to...
110 Comments
- caliform, on 10/12/2007, -30/+149OS X has quite a lot of security besides obscurity. Anyone who believes a Mac is secure out of the box, and always invulnerable is delusional.
- caliform, on 10/12/2007, -23/+91I'm sorry, but who is digging my comment down? Mac OS X uses a lot of open-source applications and services and works with open standards to attain a high level of security by scrutiny of the community. It's based on a FreeBSD codebase - BSD's code has been audited to a high degree up to the integration with NeXT and Mach which would become OS X.
I can guarantee you, that Apple itself still has code audits, and is very conscious about vulnerabilities and security. I fist dugg the comment above up because I thought he was saying "Anyone who thinks Mac are just secure are delusional" — But what he is saying, in effect, is really "Anyone who thinks Macs have any security at all are delusional, they are just safe because nobody uses them". Which is total nonsense. - ZrO-1, on 11/11/2007, -20/+79I disagree completely. First, the hack gives user-level shell access only; root-level is still not possible. Second, it was not stated whether the hole was in Apple's portion of Safari or in the KHTML/Konqueror portion of the code.
Now of course with that said, we all saw what IE's lax security did to Win XP, so let's hope that this doesn't get to that point. But from what I've read, OS X's security is such that, though the hackers were able to get shell access, that didn't give them root... so by definition, the mac was not pwned; just compromised.
It just goes to show: it doesn't matter what software you are running, being secure means thinking before you click...
Just my $.02
/edit
BTW I dug this because I think this needs attention, but I don't think it's as major as some of the submitted headlines try to make it sound. - smpdigital, on 10/12/2007, -52/+103What a lame contest:
1. Sponsored by company who wanted it to happen, MS.
2. Organizers relaxed the rules Friday after nobody at the event had breached either of the Macs on the previous day.
3. it was a Safari vulnerability. - mindbender9, on 10/12/2007, -21/+717of7 said: "Any who thinks at this point that OSX has any kind of security besides obscurity is delusional."
And this is done by comparing OSX to.... what? Microsoft Windows?
It has been mentioned already that FreeBSD/OSX/*nix offers a clear separation of root permissions from common user permissions. Although no OS has zero vulnerabilities, OSX has a better track record (albeit not perfect).
But for someone to say that OSX has no security, is ridiculous in itself. - unit101, on 10/12/2007, -32/+62Actually it's a Safari flaw, not an OS X vulnerability. Also, interestingly enough the event was sponsored by Microsoft, which the article didn't disclose.
- catalysis, on 10/12/2007, -24/+47CanSecWest is not put on by microsoft. They are just one of dozens of sponsers.
- SillyRabbits, on 10/12/2007, -12/+33@smpdigital
They relaxed the rules some, but they then also increased the offer to $10,000 + the laptop. That's when it was broken. Before that the participants were grumbling that a zero-day exploit for Mac that didn't require user input was worth $20,000 in the real world (and by real world I mean on the shady market). So, it probably had a lot more to do with them actually making it worth somebody's time. - kheldorin, on 10/12/2007, -11/+32Rules for the 3-day contest:
"First day you have to go in over ethernet or wifi.
On the first box default user compromise is enough. You'll
need priviledge escalation and a root compromise for the second one.
The victory conditions are to scp a specific file on the disk using the
preshared key stored there to a server,
If they last to the second day... then the second day brings browser
bugs into scope. Safari will be set up to scrape a wiki page every
five minutes or so (and to follow a changeable link there).
The last day will bring in mail.app polls and three pane preview, and
allow physical connections to the boxes... this will probably be only USB,
as Firewire is TOO easy :).
We are not going to denature any security, and make this easier, but
we will expand the attack surface by bringing in typical user activities."
http://www.securityfocus.com/archive/142/464216/30/0/threaded - Electric_Sheep, on 10/12/2007, -13/+32Heh. The rules were liberalised. After the first day, nobody could hack it, so they opened all the ports, switched off the default firewall, were running on the root account, and had people email them URLs, download a file and excecute that command.
Before, you had to hack it remotely, without input from the user, behind the firewall, a hardware router firewall and with factory ports closed.
It's just for the headlines, and no doubt people won't even bother listening to hear how and why they had to change the rules of the contest, they just see "OMG MAC HAX! LOL PWNED!".
But yes, there are exploits in macs, but Unix is much more of a stable and secure base. - runeasgar, on 10/12/2007, -14/+33Hacking a computer that is setting in front of you is exceedingly unimpressive.
In addition, did the Macbook even have open firmware protection? Probably not.
Show me someone hacking a Macbook wirelessly from 100 miles away and putting a self-propogating virus on it that infects at least 10 computers and I might be mildly impressed. - tizz66, on 10/12/2007, -12/+30unit101: Be fair, 90% of the 'windows' vulnerabilities are actually IE problems too. A browser (well, rendering engine) is naturally going to be a weak(er) spot because that's where most of your interaction with the wide world takes place.
- celabo, on 10/12/2007, -2/+16@inkhead
The MacBook Pro was running a fully patched 10.4.9. The largest threat to the average user is malicious web sites. Web browsers and all the plugins (Flash, QuickTime, etc) are the largest attack surface for any desktop operating system. The competition approximated a real world scenario quite well, IMHO.
Despite the 0-day, Macs are still better than Windows PCs. - Dweller99, on 10/12/2007, -7/+21Wow the Apologists are thick in this thread.
A couple points I would like to make:
1. Yesterday someone was pointing to this contest as an example of how unhackable OSX was. Maybe this will serve to open some eyes. NO OS is secure.
2. To the people claiming "this is not an OSX vulnerability, this is in Safari!":
a. Safari ships with OSX right?
b. Safari is the default browser out of the box, right?
c. How many IE vulnerability threads did you come into saying "but this is an IE vulnerability, not a Windows vulnerability!"? None? thought so.
The fact that a known 0-day exploit is in the wild should hopefully serve as a bit of a wakeup call. Didn't Apple just release 24 patches the other day? you think Apple knows about every exploit that the black hats know about? - kheldorin, on 10/12/2007, -3/+15Only your last comment is true. The rest is BS. You don't have to download a file. You just have to click on a link. And as such the hack did not require physical access.
- inactive, on 10/12/2007, -7/+19Dweller you're forgetting that Apple zealots on Digg carry the same mantra as a politician, "Do what I say and not as I've done".
When something happens to Windows, its LoL GeT A MaC.
When something happens to a Mac, its excuse city.
It's not like EITHER COMPANY DOESN'T support its OS. - caliform, on 10/12/2007, -7/+19And here's a tad more useful link to TUAW's article.
http://www.tuaw.com/2007/04/20/one-mac-hack-bounty-claimed-one-to-go/ - klawz, on 10/12/2007, -1/+13@atomicfireball
You tell people to RTFA, when you didn't even read it yourself? The security wasn't relaxed, the scope increased. (as in now, instead of trying to compromise it in a "at home" simulation, it's at a "at the coffee shop" simulation). And the whole event was in 3 days. Next time they should have phase 1 for 30 days and see what happens. The compromised (user level) machine was fully patched, even using the Patch that came out on the 18th. People spewing off about XP need to stay on topic. Get back to dream land now. - caliform, on 10/12/2007, -16/+27Indeed, definately. Macs -can- get hacked, but it's once again blown out of proportion (remember the whole 'there is a vulnerability in the airport module - no, really! Really!) and with Cnet, it's always rather scarce on details. Oh well, people do need to know what to do to secure their computers.
- skinfitz, on 10/12/2007, -2/+9Yet another Apple apologist. RTFA.
I myself am sitting on a zero day Safari exploit that I found that has been in Safari for YEARS. - ez12a, on 10/12/2007, -2/+9After using vista, UAC shows up MUCH more than OS X's verification (I have both installed on my MBP)..."yes I want to run that program, damnit!" while OS X only needs verification when system files/preferences are modified/accessed.
- githoc, on 10/12/2007, -11/+18You can wake up now. They had planned to change the rules. Day 1 was to see if you could exploit a Mac via a network connection which failed - it would also fail on XP SP2, Vista, Linux, etc in there default configuration due to the firewall and limited running servies. The 2nd day was to see if the Mac could be exploited via simulating someone browsing a website - which they did in a few hours!! It was on a system with all the latest patches. There was a Day 3 planned with allowing access to emails I believe. Are you awake yet?
- Darcy, on 10/12/2007, -6/+13Well, it's true what they say. Mac users really are more creative than PC users, especially when comes to making excuses.
- switchfiend, on 10/12/2007, -0/+6Actually, almost none of that is true. The only thing changed on the second day was that they ran safari and had it auto-refresh a specific wiki page. Dino discovered the exploit that first night, and then wrote the code for it so Shane (who unlike Dino, was at the contest) could exploit it.
Also, the exploit works for both Safari and Firefox.
I'm not going to sit here and say that this is the most dangerous thing ever found, because it's not. But at the same time, even with all of Apple's security updates, every single user is potentially vulnerable to this. It'll be fixed, and people will move on, but it's a moderately big deal. - githoc, on 10/12/2007, -9/+15Digging you up as I also appear to be getting Dugg down for explaining the contest. I can't believe how much they are trying to bury there heads in the sand over this. There was no dumming down of security at all - it was a genuine exploit.
- dbr_onix, on 10/12/2007, -8/+14. Anyone who believes a Mac is secure out of the box [..] is delusional."
OS X is reasonably secure out of the box - There's no listening services by default, the users don't run as a user who could break the machine without having to enter their password again - Those two small problems are what account for a huge amount of Window's security problems..
A Window's machine without any running services (or a decently configured firewall), and not running as an administrative user is actually quite hard to break - If the user can't install spyware or other software that will screw things up, and viruses can't really do much there's relatively (compared to the default Windows setup) that is breakable.
OS X comes decently setup, which hugely helps its security - of course there's not (as) much to prevent things like vulnerabilities in software (Although I'm not sure if OS X has things such as the buffer rearranging kernel-patch stuff to make buffer-overflows much much more complicated), even if you can exploit the browser, you still need to either trick the user into entering their password for sudo (Quite possible, most users will enter their password when asked, although if their browser asks it may seem slightly odd - Although creating that password prompt without root-access in the first place might be complicated), or using some privilege escaltion exploit (There's been a few for OS X, so again, it's possible).
As it stands just now - putting up random .app files with the hope that a OS X user will download and run it, just won't work because of the relatively small number of Macs - But, seeing as how OS X doesn't have any form of outbound firewall, and that there's *nothing* to stop someone putting trojan/botnet-drone code in any application, it's slightly worrying.. - stuman77, on 10/12/2007, -3/+9@githoc:
The Macworld article you linked is written terribly, mainly with a lot of "blah blah said..." quotes that are factually errant.
"Di Zovie used it to open a back door that gave him access to anything on the computer, Comeau said."
-Actually, the explot gave him user privelages, not root privelages, so no, it DIDN'T give him access to "anything on the computer", only to files which accounts with user permissions can access.
" “You see a lot of people running OS X saying it’s so secure and frankly Microsoft is putting more work into security than Apple has,” said Dragos Ruiu"
-Microsoft puts more work into security because of their history of insecurity. While agreed, no OS is totally secure, the BSD/NeXT base of OS X provides it with much better fundamental security than Windows typically has (although Windows security has mades vast strides of improvement in the last few years). - klawz, on 10/12/2007, -2/+8@inkhead
YOU FOOL! RTFA! - shark615, on 10/12/2007, -2/+7They weren't at the computer they went in via the ethernet or wifi and as we know being 10 feet a way and using a network is the same as being 100 miles away just maybe a bit slower...
- Dweller99, on 10/12/2007, -6/+11Macbook? check.
Hacked? check.
Contest? check.
Security event? check.
"lame & inaccurate story"? hardly.
A 0-day exploit was used to gain elevated privileges to a Mac. The people running the contest said:
"A TippingPoint representative said the company would pay, after looking at the vulnerability. "If it is an actual zero-day in Safari that's fine with us," said Terri Forslof, manager of security response at TippingPoint."
The only thing lame and inaccurate here is your comment about this article. - shark615, on 10/12/2007, -3/+8Why is gi being dugg down his comment is right on the money? Atomicretard is 100% in the wrong.
- kris33, on 10/12/2007, -16/+21This "hack" is ***** for several reasons:
* The hacker had psychical access to the computer (WTF, how is that going to be usefull?)
* Firewall was disabled and all ports where open.
* The attacker could request that the client visited a URL and downloaded and run the file.
* The attacker did not manage to get root-access. - kris33, on 10/12/2007, -13/+18Tizz66: The reason that "IE" hacks are considered to be "Windows" hacks, is because Microsoft quite intentionally (and most have concluded, entirely, unethically) integrated "IE" directly into "Windows"... at a, fundamentally, un-removable-level... specifically meaning that "IE" IS "Windows". And, this HAS made "web-exploits"... one of the major attack-vectors for "Windows" machines. Even, Microsoft, has admitted to this having been a serious error.
Safari runs at a level just like all other programs in OS X. Hacking Safari doesn't mean that you can do anything with the OS itself, while hacking IE often can give you root-access. - kris33, on 10/12/2007, -2/+7Haha cawpin. Obviously you have no idea what I am talking about. I am not talking about legal stuff, I am talking about security. It was a problem that the two were so tightly integrated(MS has admitted it, and fixed it partially in Vista). How can you say that I'm wrong, when even MS has admitted it and have tryed to fix it?
http://www.dailytech.com/article.aspx?newsid=1371 - kheldorin, on 10/12/2007, -4/+9No it wasn't. RTFA. "The successful hack comes a day after Apple release its fourth security update for Mac OS X this year. The update repairs 25 vulnerabilities."
- githoc, on 10/12/2007, -4/+9@noahhoward
Maybe you should read this from Macworld - he opened a backdoor on the Mac using Safari (the default installed browser) as the attack vector and opened a backdoor to the Mac that gave him access to anything he wanted.
http://www.macworld.com/news/2007/04/20/machack/index.php - joshpar, on 10/12/2007, -8/+121) Did you try running the computer without the updates? It would work fine. On the web in minutes, checking email, whatever.
2) More secure is different then totally secure. The amount of security tuning through virus software I have to do on my PC is much more then my Mac. Is the Mac totally secure? No. Is it more secure? Sure.
3) if you find one annoying, then you are right. I find both MUCH less annoying then NOT having that control. - klawz, on 10/12/2007, -6/+10Oh yeah, that's right, gaining user access is never a stepping stone to gaining root access, I forgot, you're a professional huh?
/sarcasm for the handicap - skinfitz, on 10/12/2007, -2/+6@sheep
"Heh. The rules were liberalised. After the first day, nobody could hack it, so they opened all the ports, switched off the default firewall, were running on the root account, and had people email them URLs, download a file and excecute that command."
Can you show me a link where it says they were running as root? - inkswamp, on 10/12/2007, -4/+8This is such an eye-opening thing. I mean, think about the implications in the real world. I didn't realize my bank was so insecure... if they stopped locking their doors at night. And I didn't realize it would be so easy for someone to steal my car... if I left the keys in the ignition. Oh, and OS X can be hacked... if you sufficiently lower the bar as they did in this contest after the initial set-up couldn't be hacked.
What a shocking turn of events. OS X is a security nightmare!!! Newspapers all over America are stopping the presses even as we speak. - klawz, on 10/12/2007, -2/+6@kheldorin - the problem is, and if you had read the article you'd know too, the system that was exploited, had this patch you say possibly was created just for this event. If that is true, then Apple has truly failed.
- HunterTV, on 10/12/2007, -6/+10No computer is safe if someone really wants to hack it. I'm not knowledgeable about security or exploits at all, but just based on human nature I'd say that "If there's a will there's a way" applies, and probably always will.
Just purely as an example in the abstract -- no political overtones here -- it's like the first WTC bombing. They tried to bring down the building in basically what amounts to the most obvious way, by attempting to undermine it's foundation. Didn't work. I think anyone who can think two seconds in front of them knew that after that it was just a matter of time. Some out-of-box thinking and now they're gone.
It doesn't mean that the WTCs were bad buildings (i.e. analougus to being "not secure"), quite the opposite, they survived quite a lot of trauma before caving, it just means that people will find a way. If nothing else, the human race is persistant when motivated. Saying something can't be done is like writing an open invitation. - caliform, on 10/12/2007, -23/+26CanSecWest organizers actually had to relax the contest rules to make the hack possible, because initially nobody at the event could breach the computers under the original restrictions. It's not like they -didn't- spend days upon days of trying and eventually got to the user-level access with an application, instead of a service. I mean, how many exploits (user-level access) have there been for IE and Firefox in the last year? This is hardly any news. Bounties were actually raised to help the 'hackers' in question.
And yes, without any detail, it could as well be an error by the user. Automatic opening of files after downloading, for instance, or say, surfing like an idiot, the firewall was off, perhaps even services opened. I can make a Mac crash too, wohoo, do I get a cookie now? - darkten, on 10/12/2007, -0/+3I personally think the denial is hilarious...AND I'M A MAC OS X USER to the core. I've been using Macs since before a lot of these people here were little more than their Papa's imagination...and I've never seen a more foolhardy group then this New Generation of screaming crazies we've got now. I thought Ragosta's usenet posts back in the day were bad....sheesh.
Look guys, "we got got" as the saying goes. I was talking to some of my more saavy friends, programmers that should *know better*...and all I heard Friday night was...
"but...but...but...but...but..." and if it was *inconceivable* that this could happen....but no one could tell me *why* :)
Let's go over the dismissals, then...starting with my 2nd favorite:
"Its 'just' a Safari bug...so what?"
Well...we know this to be untrue...but what's worse, *anyone can write an app* that can call a url, kids. Happy fun buried gotcha time ensues. Some nasty person writes an "ooo shiny" that the web goes ga-ga over that 3 weeks later puts it in ya deep. Ask a Windows guy...they'll tell ya.
My favorite, tho, and the one that shows the high level of self-delusion is this one:
"No 'root' no biggie...who cares?"
This is mostly folks parroting what they read on a blog somewhere. Any fool knows that 1. Nobody runs routinely as root. 2. The way you do hard "damage" to a machine and its users is ***** with THEIR FILES, not the systems. You can do a reinstall, but Jr's First Steps or that massive music collection from Classic Yodelers of the 20's don't come on the OS install disk...ya' dig?
MacOS X *users* get attacked far more than the OS itself due to their arrogance more so than anything else. We should be THANKFUL that this was found in a controlled environment...by responsible MAC PEOPLE (yes...that's right...not some Mac Hatin' Windows Guys. Mac People. Remember that) and will likely be patched before anyone can do damage.
This Mac User saw it coming...but also knew it would be no good.
To all you other OS people throwing your arms up in disgust and disbelief: Don't worry about it. Sadly, the OS X general userbase will NEVER acknowledge these things...until some piece of ***** does harm, in a major way, without warning.
Its sad, but true :( - shark615, on 10/12/2007, -1/+4Windows XP has the firewall enabled by default and no macs do not come configured with a hardware firewall out of the box.
- shark615, on 10/12/2007, -8/+11Man are you that stupid?
If you put windows behind a hardware + software firewall with all the ports closed and no user input you can't hack it either. - wonderchemist, on 10/12/2007, -0/+3"Apple's portion of Safari or in the KHTML/Konqueror portion of the code."
This is important, finding a flaw in WebKit is different then finding one in Safari.app. WekKit is an open-source framework, and can be fixed without the help of Apple. - Darcy, on 10/12/2007, -2/+5All very interesting, but WTF does all this have to do with a MacBook pro being hacked at CanSecWest?
- r3zonance, on 10/12/2007, -0/+2"Furthermore, people shouldn't run an admin root account unless they know what they're doing."
People shouldn't run as admin/root even if they do know what they're doing. If they are running as admin/root, then they don't know what they are doing. - Dweller99, on 10/12/2007, -4/+6Quit spamming that garbage in this thread.
-
Show 51 - 100 of 110 discussions
© Digg Inc. 2009
— Content created and posted by Digg users is