Contest winner: Vista more secure than Mac OS

Status
Not open for further replies.

alsiladka

Noobie Pro
Source: Macworld

Dino Dai Zovi, the New York-based security researcher who took home $10,000 in a highly-publicized MacBook Pro hijack on April 20, has been at the center of a week’s worth of controversy about the security of Apple’s operating system. In an e-mail interview with Computerworld, Dai Zovi talked about how finding vulnerabilities is like fishing, the chances that someone else will stumble on the still-unpatched bug, and what operating system — Windows Vista or Mac OS X — is the sturdiest when it comes to security.

Friday, the vulnerability was first identified as within Safari, but by Monday, QuickTime was tagged. Why the confusion?
I knew exactly where the vulnerability was when I wrote the exploit; that is part of the basic vulnerability research usually required to write a reliable exploit. I intentionally did not reveal where exactly the vulnerability was in order to prevent others from reverse engineering the vulnerability from those details. Initially, I was only revealing that the vulnerability affected Safari on Mac OS X, the target of the contest. However, now ZDI [3com TippingPoint’s Zero Day Initiative] has been willing to publicly reveal that it affects many more system configurations, including all Java-enabled browsers on Mac OS X and Windows if QuickTime is installed.

As you were working with the vulnerability and exploit, did you know that it would impact non-Mac OS X systems?
I had suspected that it might affect other platforms running QuickTime, but I did not have time to look into it.

You found the vulnerability and crafted an exploit within 9 or 10 hours. And you’ve said ‘there was blood in the water.’ Does that mean you had a head start — in other words, prior research — or was it all built from scratch? Is it really that easy to dig up a vulnerability?
I had found other vulnerabilities in Mac OS X and even QuickTime in the past, so I had some familiarity with the code, but I only discovered this vulnerability that night. My quote that there was “blood in the water” referred to the fact that there were reports of other vulnerabilities in QuickTime, and even Java-related vulnerabilities in QuickTime over the last few years. In my experience, if a certain software package has had vulnerabilities in the past, it is more likely to contain other undiscovered vulnerabilities.

Halvar Flake and Dave Aitel, two prominent security researchers, use the fishing metaphor to explain vulnerability finding. Some days you go out and catch nothing, some days you catch something great. Sometimes you hear about some great fishing happening in a stream somewhere and there are lots of fish to catch until everyone else starts fishing there and the stream becomes overfished. In this case, I suspected that there would be good fishing in QuickTime and I got lucky and found something good in a short amount of time. This is far from the first time that I’ve gone fishing for vulnerabilities, however.

After the positive ID of the vulnerability, there were some unconfirmed claims that your exploit had been snatched at CanSecWest. Although those reports have been discounted, what can you tell us about how you protect your findings? And what are the chances that someone will independently dig out the vulnerability based on the limited information made public?
I do everything that I consider reasonable to protect my security research. I keep exploits in encrypted disk images that are only mounted when necessary on hardened systems that are not always powered on. I am very conservative in what details I share and with whom in order to tightly control knowledge of the vulnerabilities. I often give my exploits non-obvious code names so that I can refer to them over non-encrypted channels without revealing anything about them. [But] with the details that have been released so far, I believe that it is a very real possibility that someone may be able to independently dig out the vulnerability, but it won’t exactly be trivial and I hope that whoever does acts responsibly with it.

With the ongoing ‘Mac OS X is safe’ vs. ‘You’re in denial’ debate, what would you recommend to a Mac user as reasonable security precautions?
I recommend that Mac users make their primary user a non-admin account, use a separate keychain for important passwords, and store sensitive documents in a separate encrypted disk image. I think these are fairly straightforward steps that many users can take to better protect their sensitive information on their computer.

As a researcher who works often in Mac OS X, what’s your take on the amount of information that Apple releases when it patches vulnerabilities?
I think that the amount of information that Apple releases with its patches is sufficient in the level of detail for a knowledgeable user to determine the criticality of the vulnerabilities. They do not, however, provide guidance on the level of criticality of the security update for less technical users. I do not think this is too much of an issue, though, as I believe that the vast majority of users should simply patch the security vulnerabilities as soon as possible regardless of their criticality.

How important in this case was it that 3com TippingPoint stepped up with a $10,000 prize? Would you have bothered if the prize money had not been there?
For me the challenge, especially with the time constraint, was the real draw. I also hoped that the live demonstration of a Mac OS X exploit would provide some much needed hard evidence in the recent Mac security debates.

From your research on both platforms, is there a winner between Mac OS X 10.4 and Vista on security?
I have found the code quality, at least in terms of security, to be much better overall in Vista than Mac OS X 10.4. It is obvious from observing affected components in security patches that Microsoft’s Security Development Lifecycle (SDL) has resulted in fewer vulnerabilities in newly-written code. I hope that more software vendors follow their lead in developing proactive software security development methodologies.

What are you spending most of your time on these days? Last October, for instance, there were news stories that mentioned you showed a VM rootkit to developers at Microsoft.
I recently co-authored a book, The Art of Software Security Testing: Identifying Software Security Flaws, which was just published by Addison-Wesley Professional in December. Also since around that time, I have been managing information security for a financial firm in New York City. I do still spend some of my free time researching software vulnerabilities, VM hypervisor rootkits, and 802.11 wireless client security.

Now we will see all Mac lovers bullying this interview and rubbishing the claims. I somehow wonder why Mac and Open Source fans get so wild at any comment about the security of the OSs. I don't remember seeing Windows fans behave like this.
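As an added, illustrative example (not from the interview, the Macworld article, or any poster in this thread): a small POSIX shell helper for the three precautions Dai Zovi recommends above, namely a non-admin daily-use account, a separate keychain for important passwords, and an encrypted disk image for sensitive documents. The `dscl`, `hdiutil` and `security` invocations are macOS tools and only run on macOS; the `GroupMembership:` output format, the image path, volume name, size and keychain file name are assumptions, and the sample membership line is constructed so the admin check can be exercised on any system.

```shell
#!/bin/sh
# Added example, not the interview's or the forum's own code. Paths, names and
# sizes below are assumptions; adjust them for your own machine.

# Parse the output of `dscl . -read /Groups/admin GroupMembership`, which on
# macOS is assumed to be one line of the form "GroupMembership: root alice".
# Returns 0 (true) when USER is listed as an administrator, 1 otherwise.
is_admin_user() {
    user="$1"
    membership_line="$2"
    members="${membership_line#GroupMembership:}"
    for m in $members; do
        if [ "$m" = "$user" ]; then
            return 0
        fi
    done
    return 1
}

# Check the logged-in user against the live admin group (macOS only).
# Returns 1 when the daily-use account is an administrator, 2 if dscl is unavailable.
check_primary_user() {
    line="$(dscl . -read /Groups/admin GroupMembership 2>/dev/null)" || return 2
    if is_admin_user "$(id -un)" "$line"; then
        echo "WARNING: daily-use account $(id -un) is an administrator"
        return 1
    fi
    echo "OK: $(id -un) is not an administrator"
    return 0
}

# Create an AES-256 encrypted sparse bundle for sensitive documents.
# hdiutil prompts for the passphrase; the image grows on demand up to 1 GB.
create_encrypted_image() {
    hdiutil create -encryption AES-256 -type SPARSEBUNDLE -fs HFS+ \
        -volname Sensitive -size 1g "$HOME/Sensitive.sparsebundle"
}

# Create a second keychain for important passwords (prompts for its own password),
# separate from the login keychain that every application can ask to unlock.
create_separate_keychain() {
    security create-keychain "$HOME/Library/Keychains/Important.keychain"
}

# Constructed sample line so the parser can be demonstrated off macOS.
SAMPLE_MEMBERSHIP="GroupMembership: root alice"

if [ "$(uname)" = "Darwin" ]; then
    check_primary_user
else
    is_admin_user alice "$SAMPLE_MEMBERSHIP" && echo "alice is an admin"
    is_admin_user bob "$SAMPLE_MEMBERSHIP" || echo "bob is not an admin"
fi
```

On macOS the script only reports whether the current account is an administrator; creating the image and the keychain are left as separate functions to call deliberately, since both prompt for a passphrase and write to the home directory.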
 

iMav

The Devil's Advocate
well they are all gonna point out the fact that the bug also affects windows ... that's what nepcker posted in this section some days ago ....
 

ketanbodas

Journeyman
Whadda? Macworld reporting it? But it does not mean anything. Mac may be good. But Vista is good too, I know.
 

freebird

Debian Rocks!
Reality Million $$ answer for U:Open Source more secure than ur Vista!!!

I don't understand why these people want to back up M$ for everything. I can suspect that, as per M$'s track record, they can buy anything, YES ANYTHING; even a positive reply from this so-called Mac hacker can be bought, even that Mac reporter site. They can make NEWS positive.
Microsoft as of now is the world's richest company with almost no business ethics. They can sue anyone for patents, can create troubles for other better OSes like GNU/Linux by trying anything:
As of latest:
Microsoft's 'Men in Black' kill Florida open standards legislation
*en.wikipedia.org/wiki/United_States_v._Microsoft
*en.wikipedia.org/wiki/European_Union_Microsoft_antitrust_case
*weblog.infoworld.com/openresource/archives/2007/04/microsofts_anti.html
M$ Vista can't be as secure as UNIX-based Mac.

Yes, Linux/Unix/MacOSX/Anything is more secure than Windows
I can't believe some folks are still defending Windows' security model, or more accurately the absolute lack of one. The executive summary: Linux, Unix, and Mac OSX are inherently far more secure than Windows. Windows is insecure to the core. It's akin to rubbing yourself with honey and lying on top of an anthill.

Here are a few links discussing the whys and wherefores:

Is Windows inherently more vulnerable to malware attacks than OS X?
*weblog.infoworld.com/enterpri...dows_inhe.html

Security Report: Windows vs Linux
*www.theregister.co.uk/securit...dows_vs_linux/

Ed Sawicki is a brilliant computer guru:
Windows vs. Linux Security
*www.biznix.org/articles/winlinsecure.html

You don't have to buy anti-virus and anti-malware programs for *nix, unless you are running *nix mailservers with Windows clients.

*nix machines cannot become infected from visiting a Web site or downloading infected email.

You can expose a properly-configured *nix machine to the Internet with no firewall. It's not even difficult- a stock Ubuntu install is one example.

When the richest, most powerful software company on the planet can't produce a decently secure operating system, and has to resort to blaming end users, especially when they market heavily to unsophisticated users, there's something fundamentally wrong. They're either incapable or unwilling.

Anyone who claims "windows gets attacked more because it has more market share" gets sent to the corner with a dunce cap. Anyone who really believes this should not be running computers of any kind. First of all it's false- the installed base of non-Windows operating systems outnumbers all Windows machines. Secondly, it demonstrates ignorance of the fundamental differences between Unix-type operating systems and windows.
*forums.serverwatch.com/showpost.php?p=37623&postcount=1
*www.microsuck.com/images/h_whatsbad_story.gif

From a Software User's Perspective
  • Bloat
  • Backward incompatibility
  • Perpetual upgrading
  • Vaporware
  • Hostile treatment of customers
  • Predatory practices
  • Bundling of inferior products
  • Bugs, bugs, and more bugs
  • Insecurity

From a Technical Perspective
  • Closed "standards"
  • Mutilation of existing standards
  • Lack of innovation

From the Perspective of Everybody Else
  • Attempts at taking over appliance markets
  • Attempts at buying the public's trust
  • Outright deception

Common Defenses of Microsoft Debunked
  • Microsoft is ahead because their products are superior
  • Microsoft should not be punished for its success
Vaporware

Whenever Microsoft spies yet another potential market which it thinks is ripe for taking over it generally announces its intention to move aggressively into that market. Microsoft frequently announces new products for these markets that they will ship soon regardless of whether or not they have any genuine interest in actually shipping said products. What this frequently leads to is that people stop buying software in this market because they want to wait for the Microsoft version. Unfortunately if Microsoft sees the market drying up they usually just walk away and never deliver their promised products. The end result is that the small software companies in these markets take a very big hit and frequently go under while consumers end up without their promised product.
Source:
*www.microsuck.com/content/whatsbad.shtml
As to the author of the thread: dude! I've gone through ur threads/posts, U r such a Windows-only believer! Try a dual boot with Ubuntu/Kubuntu+Beryl to have some ideas about other OSes (esp. UNIX*-like) before supporting the monopoly OS.
*whylinuxisbetter.net
So M$ users think again.
 

iMav

The Devil's Advocate
^^ he just reported a news item which is an interview of an individual who did something which members cannot come to terms with and their egos are hurt coz they've been brought down to earth .... as far as u are concerned if u dont like windows dont like it no 1 is telling u to like it .... and as far as ur stupid quote of the vaporware is concerned ... open source has no idea of how a business is run so there's no point of commenting on it and yeah open source is a community who cannot and/or do not want to pay for something and rather prefer fukat ka maal and wud rather type long commands than make a few clicks ....

iv used slax, ubuntu and almost every version of windows from 95 .... and as far as im concerned .... i wud prefer windows 98 to ubuntu or slax if ur talking abt security i was only infected once in my 4 years of windows 98 by a virus and tht too was thanx to norton who wasnt capable enough to detect it ... so it actually depends on the user as to what he does .... go to a warez site and then cry i got infected and windows is insecure is BS
 

freebird

Debian Rocks!
wowowow!!! ^_^ (vishta effect eh?)
baba can't digest the reality! Open Source Software does make money, for eg: Red Hat, Canonical biggies. FOSS depends on the subscription model. There is a diff btw FOSS and OSS; see below sites:
*www.follars.com/
*linuxlookup.com/2007/apr/25/open_source_and_money
*www.builderau.com.au/strategy/businessmanagement/soa/How-to-make-money-from-Open-source/0,339028271,339191343,00.htm
*www.google.co.in/search?sourceid=Mozilla-search&q=Open+Source+and+money
*www.manageability.org/blog/archive/20030611%23101_ways_to_make_money1/view


Now what u quote in defense is absolutely c*ap!! What M$ instincts spread to their (some) users! They too start FUDing!!...
U r just too much of a M$ fan... I pointed out the reality dude! Take it. I know of some M$ tools who post for defending everything M$...
Face it, Open Source Linux OS is EATing ur M$ Windows = reality, don't grudge over that.
Linux looks gr8, better and easy to customize. Again FUDing
 

iMav

The Devil's Advocate
obviously the market is so big that every1 can survive what reality did u point out that linux has eaten MS' market share of course it has just as phpbb has vb or ipb .... however as an end user ur last line has no standing whatsoever

and u showed me redhat wasnt there a linux company which MS tied up with .... thats what happens in business as long as linux doesnt have 1 or 2 corporates running it it will survive the moment corporates start claiming it and selling it its not gonna withstand MS or apple
 

eddie

El mooooo
mAV3 said:
yeah open source is a community who cannot and/or do not want to pay for something and rather prefer fukat ka maal and wud rather type long commands than make a few clicks ....
..and I am just guessing you did pay for your copies of Windows 98, 2000/Me, XP, Vista and Norton? Yes tell me you did. I love hearing jokes.

Please think before making generalized statements. If we go by your logic, Open Source users will also start saying that Windows/Proprietary software users are pathetic buffoons who like to steal and pirate someone else's hard work. What will happen to this forum then? Just mud-slinging?
 

eddie

El mooooo
^ The same thing that makes him think whole open source community prefers fukat ka maal. It was a way to make him realise how bad generalized statements are!!!
 

mehulved

18 Till I Die............
mAV3 said:
open source has no idea of how a business is run so theres no point of commenting on it
Well I can all but laugh at this. What are you a big business tycoon?
mAV3 said:
open source is a community who cannot and/or do not want to pay for something and rather prefer fukat ka maal and wud rather type long commands than make a few clicks ....
Get well soon mamu, you are really living in your own fantasyland. Be careful or reality will hit you too hard.
 

praka123

left this forum longback
As reg Open Source and money making, @meditator got some link showing who is involved mostly in Linux kernel development.
edit: found link

Who writes the Linux kernel?

Big and small companies alike, they send their patches and make the kernel better day by day!
Can we have the title edited?
Contest winner: GNU/Linux more secure than Mac OS and Vista
 

iMav

The Devil's Advocate
tech_your_future said:
Get well soon mamu, you are really living in your own fantasyland. Be careful or reality will hit you too hard.
and what reality is that ???

@eddie ... i wonder which open source software can be bought in other words which is not a fukat ka maal ...

and really want to know from the open source guys here what reality are they talking about every thread they say reality reality what reality are they talking about ...
 

nepcker

Proud Mac Pro Owner
The interview was good, but the headline was FUD. Something like "Mac Hack Contest Winner Thinks Vista is More Secure than Mac OS" should have been the headline.

Originally Posted by Dino Dai Zovi
I had found other vulnerabilities in Mac OS X and even QuickTime in the past, so I had some familiarity with the code, but I only discovered this vulnerability that night.
So why didn’t he use them? Why did the boxes go unhacked until the rules were bent?

Originally Posted by Dino Dai Zovi
I think that the amount of information that Apple releases with its patches is sufficient in the level of detail for a knowledgeable user to determine the criticality of the vulnerabilities.
I think it is in Apple’s best interest not to provide more information. The less they know the harder it makes it for people like this.

Originally Posted by Dino Dai Zovi
For me the challenge, especially with the time constraint, was the real draw. I also hoped that the live demonstration of a Mac OS X exploit would provide some much needed hard evidence in the recent Mac security debates.
I'm still waiting to see that one… The hacker never breached OS X until the rules were altered. The only thing that was displayed was some hack that required user input and not a standalone box. I think the best conclusion is that the browser is a security sore spot for any platform.
 

nepcker

Proud Mac Pro Owner
The QuickTime flaw has now been patched. Check out *www.thinkdigit.com/forum/showthread.php?p=487742 for more details.

Get the latest version of QuickTime from Apple.com.

W00t for Apple. They addressed this pretty quick, so that will hopefully calm down this tempest of OS X doomsayers that have been coming out of the woodwork over the last two weeks.

Now, let's all go and install this update yeah?;)
 

alsiladka

Noobie Pro
Re: Reality Million $$ answer for U:Open Source more secure than ur Vista!!!

@freebird

LOL You could not be more blind could you!!!
Which was the company that got their lawyers together and started sending off notices to BLOGS, when all they did was post pics of the company's future phone? #@$% Money Power Man!!!!!

Which company starts suing people just because they are using half a word from the company's hot-selling product? I am not sure of the word, but I had read in TOI that the company says that word belongs to them and other people cannot use that word.

And about saying that MS bought positive reply from this hacker, man, you can really be the creative head of some advertising agency ;)

About my windows only love, who said i am a windows only lover.

I would love to have a Mac, but it is out of my budget. But I am pretty happy with Windows, have not been infected more than twice in the 5 years of using it with the internet. Like its user friendliness and customization.

I respect UNIX and Linux, but feel they are more suited for Sys Admin controlled & deployed offices and cos. where the work is restricted to non-multimedia kinds. Forgive me for being ignorant, but you tell me, does Linux support games and multimedia as easily and nicely as Windows or Mac?
 

gxsaurav

You gave been GXified
nepcker said:
So why didn’t he use them? Why did the boxes go unhacked until the rules were bent?
The exploit required Safari & a URL to break the flaw; obviously it needed the rules to change for the user to work in a more real-world scenario.

I'm still waiting to see that one… The hacker never breached OS X until the rules were altered. The only thing that was displayed was some hack that required user input and not a standalone box. I think the best conclusion is that the browser is a security sore spot for any platform.
For your kind arrogance, each & every hack requires user interaction. Just like I said in that thread, do u start your Mac & don't start any app to work on it? nepcker, to be very frank, your posts are stupid & baseless.
I respect UNIX and Linux, but feel they are more suited for Sys Admin controlled & deployed offices and cos. where the work is restricted to non-multimedia kinds. Forgive me for being ignorant, but you tell me, does Linux support games and multimedia as easily and nicely as Windows or Mac?

You are absolutely right about the lack on Linux here; Linux users have been saying that it is easy. Well... I tried in the last few days. Will post my verdict soon from a user point of view.
 

eddie

El mooooo
mAV3 said:
@eddie ... i wonder which open source software can be bought in other words which is not a fukat ka maal ...
RHEL
SLED
MySQL
Crossover Office
Cedega...to name a few!

Also, if open source community members prefer "fukat ka maal" then what do you think stops us from pirating Windows and other paid software like millions of other people? Do you think open source community members don't have enough internet know-how to find these warez or do you think we do not have enough bandwidth to download them? If we preferred "fukat ka maal" then what do you think stops us from downloading a copy of a pirated Windows XP Professional CD from bittorrent and installing it on our systems? Nothing stops us dude...nothing at all!!! It's not about price, money or someone stopping us from doing it...it is about choices. We choose to use open source software because we are comfortable with them and find them much better than Windows counterparts for our usage requirements. Nothing more nothing less...so take your stupid generalization somewhere else and stay there!
 