Myth crushed as hacker shows Mac break-in

Status
Not open for further replies.

alsiladka

Noobie Pro
Right after Apple's release of a patch for 25 vulnerabilities in OS X, a hacker managed to break into a Mac by exposing a hole in Apple's browser Safari, winning a $10,000 prize as part of a contest started at the CanSecWest security conference in Vancouver, Canada. Initially, contestants were invited to try to access one of two Macs through a wireless access point while the Macs had no programs running. No attackers managed to do so, and so conference organizers allowed participants to try to get in through the browser by sending URLs via e-mail.

Dino Di Zovie, who lives in New York, sent along a URL that exposed the hole. Because the contest was only open to attendees in Vancouver, he sent it to a friend who was at the conference and forwarded it on. The URL opened a blank page but exposed a vulnerability in input handling in Safari which allowed an attacker to use the vulnerability in a number of ways, but Di Zovie used it to open a back door that gave him access to anything on the computer. The vulnerability won't be published. 3Com's TippingPoint division will handle disclosing it to Apple. The prize for the contest was originally one of the Macs but on Thursday evening, TippingPoint put up the cash award, which may have spurred a wider interest in the contest.

"Currently, every copy of OS X out there now is vulnerable to this," said Sean Comeau, one of the organizers of CanSecWest. The conference organizers decided to offer the contest in part to draw attention to possible security shortcomings in Macs. "You see a lot of people running OS X saying it's so secure, and frankly, Microsoft is putting more work into security than Apple has," said Dragos Ruiu, the principal organizer of security conferences including CanSecWest. Macs haven't been targets for hackers and malicious code writers because there are fewer Macs in use, thus making the potential impact of malicious code smaller than on the more widely used Windows PCs.

Sources :-
Neowin.Net
Infoworld
 

nepcker

Proud Mac Pro Owner
While it is true that the shell was accessed, the access is only for that account. Not the whole machine. And, if you read the article, definitely not as root. So, if you use Safari, and you have a 'regular' user account that does not have 'administrator rights', the damage will be kept to that account, and not compromise the entire OS.

In the article -- there are 2 macs up for grabs. The second is still not hacked. Which, if these were Windows machines, the machines would have been compromised long ago.

The security updates the article talks about have nothing to do with Safari. Well, directly anyway.

The article also mentions that while the macs were on the LAN only -- they couldn't be hacked. They had to allow the macs to the internet and then to a specifically crafted website. They don't specify if pop-ups were being blocked etc.

To conclude -- I do think this is an issue. But to compare it to the security of windows -- please...
So, don't enable root - most folks don't.
Don't use an 'admin enabled' account and do backups.
 

nepcker

Proud Mac Pro Owner
The other way of looking at this story is that the Mac is incredibly secure.

The Mac remained unhacked for many tries, and it wasn't until the event organizers opened the contest to non attendees that one successful attack was made. The second machine has not as of this writing, been compromised.

So yes, Safari now needs a patch, someone found a way in. And if someone finds their way in through a different hole, that too will be patched.

It is a wonderful thing when vulnerabilities are found in this way, so they can be fixed before they are exploited.

Windows is full of holes, the Mac now has one we know about (there are certain to be others). There is still no comparison.

This is not a wake up call, not a reason to ring alarms, it is incredibly good news. The Mac remains very difficult to exploit, and the one way found in so far will surely be patched soon.

"You see a lot of people running OS X saying it's so secure, and frankly, Microsoft is putting more work into security than Apple has," said Dragos Ruiu, the principal organizer of security conferences including CanSecWest.

I have never heard anyone say that the Mac is so secure, you can visit any URL in any spam message. As with all operating systems, the standard advice is not to click on a link unless you know where it's taking you.

Secondly, Microsoft had to put more work into security; Windows was so vulnerable it was driving people away. Apple has stayed on top of and, according to one study, been more responsive to security issues than Microsoft. The whole Leopard delay has shown us that Apple's resources are stretched thin. If Apple hasn't been making security a priority, it couldn't possibly have the record it does. It's a complete fallacy to suggest that Apple is disregarding security.
 

praka123

left this forum longback
is just an intrusion on a local user account,show us that root account is compromised.UNIX arch is superior;no doubt on this as MAC uses a fork of FreeBSD.
 

Sukhdeep Singh

Host4Cheap.org
Well, venerability lies in everything. Just that Windows is used by 90% of World's PC makes it a target for hackers since they want the maximum effective result :D
 

freebird

Debian Rocks!
Well,even if volume of users increases,UNIX wont be much affected by Viruses.
THis is explained if u study the unix architecture.
*www.linuxinsider.com/rsstory/54742.html

As with MAC,these vulnies are caused bcoz of its closed source and propreitory approach.
 
Last edited:

aryayush

Aspiring Novelist
freebird said:
As with MAC,these vulnies are caused bcoz of its closed source and propreitory approach.
LOL! This is one of the more ridiculous statements I have seen on this forum. Just because you Linux fans want Apple to open the source of Mac OS X because you guys want everything to be free, does not mean that OS X is insecure because of the closed source. If anything, it is more secure because the source is not entirely open.

kumarmohit said:
Jobs is a human being afterall.
Please do not credit/discredit Steve Jobs for whatever happens at Apple. He was not the guy who coded Mac OS X. He is not the primary reason it is so secure. :)

nepcker said:
Don't use an 'admin enabled' account
I hate to disagree but this is advice that is derived from paranoia. Mac OS X is highly secure and it does not require you to have lesser privileges to be safe. That is what differentiates it from Windows.
I use an administrator account and surf the web completely without fear. Yes, I have a pop-up blocker and firewall turned on but that's it. I have never had any problem related to viruses or spyware.
The attack demonstrated by the winner is a real threat but keep in mind that Mac OS X is not any less secure just because someone found a hole in Safari. There must be several other holes in Mac OS X but the fact is that there is not even a single virus for it out there in the wild even today. It is highly secure.
A hole was discovered, everyone is surprised. It will be patched. Software will always be vulnerable to attacks. But at the end of the day, I know that I cannot use Windows without anti-virus and anti-spyware programs (heck, I couldn't subject myself to it for long hours even if it was as secure as Mac OS X) while I can, and do, use Mac OS X in its default state. :)
 

freebird

Debian Rocks!
freebird said:
Well,even if volume of users increases,UNIX wont be much affected by Viruses.
THis is explained if u study the unix architecture.
*www.linuxinsider.com/rsstory/54742.html

As with MAC,these vulnies are caused bcoz of its closed source and propreitory approach.

aryaaysh said:
LOL! This is one of the more ridiculous statements I have seen on this forum. Just because you Linux fans want Apple to open the source of Mac OS X because you guys want everything to be free, does not mean that OS X is insecure because of the closed source. If anything, it is more secure because the source is not entirely open.
who wants it free?and we dont want apple to open source its codes originally from BSD UNIX.It is the Apple ppl who looted from FreeBSD to make Mac OS X ,thanks to their BSD license ,LOL:p ur contradicting here,let MAc fanboyism be controlled

Open SOurce is more stabler with fast patches whether u admit or not.Linux is anytime better and stronger than ur Mac OS X.
Darwin, the core of Apple's Mac OS X, borrows heavily from FreeBSD, including its virtual file system, network stack and components of its userspace. Apple continues to integrate new code from and contribute changes back to FreeBSD. The open source OpenDarwin, originally derived from Apple's codebase but now a separate entity, also includes substantial FreeBSD code. In addition, there are a number of operating systems originally forked from or based on FreeBSD including PC-BSD and DesktopBSD, which include enhancements aimed at home users and workstations;
*en.wikipedia.org/wiki/FreeBSD#Derivatives
In early May I posted benchmarks comparing Linux and OS X on a MacBookpro running my R packages (I later added Windows XP benchmarks). In one of the original benchmarks, both Linux and Windows XP were more than twice as fast as OS X. And in a second (more representative) benchmark, Linux was about 20% faster. The benchmarks were posted on Digg and a variety of other high traffic Internet websites such as OSnews. This attention generated a lot of comments and suggestions.
*sekhon.berkeley.edu/macosx/
^ read for now and enjoy!but anytime being a UNIX user is better than Windows!
 

mehulved

18 Till I Die............
aryayush said:
LOL! This is one of the more ridiculous statements I have seen on this forum. Just because you Linux fans want Apple to open the source of Mac OS X because you guys want everything to be free, does not mean that OS X is insecure because of the closed source. If anything, it is more secure because the source is not entirely open.
Totally wrong assumption. Open source code doesn't in anyway make software more vulnerable. A good coder will never hard code data into the software. So, if the data isn't hard coded then it is still as obscure so there's no real vulnerability.
In fact on the other hand if you want to argue that due to the fact that source is open, hackers can expose faulty logic or an error in the program that is true. But remember there are hundred times more people looking at the same code without malicious intentions. So, open sourcing it rather makes security better.
Who the hell said anything open source is free?
And anyways how much of Mac's base is actually non-open source? X server, BSD kernel, unix toolchain, and lot more are all open source. Ever wonder why Mac prefers BSD, which again is open source?
It's cos softwares under BSD license are mostly high quality and second to none. And they are so confident of their capability that they don't only show their code but also allow it to be used commercially without receiving any payments.
Not an ideal situation for a commercial venture but universities and talented individuals can always release high quality code under BSD license.
aryayush please read a bit on open source before making such comments.
 

aryayush

Aspiring Novelist
Look, I do not have a problem with open source software. I like open source stuff (except Linux distros and Firefox).

But I do have a problem with this attitude that everything should be free. And if you are honest, you will agree with me that most open source enthusiasts have this attitude. I say "most" because I know that some don't. But most do.
I am tired of hearing people whining that Apple should open the source code of Mac OS X. They say that it will improve the security or help Apple in one way or the other. But everyone knows that such a step would only give away Apple's proprietary technologies which would immediately be snapped up by all other operating systems, nulling the advantage of Mac OS X that Apple can offer to its customers.

What will happen if they open the source code? Linux distributions will become clones of Mac OS X, maybe even better due to the efforts of thousands of independent and passionate developers. And what is the price of Linux distros? Well, I know it as well as anybody else that most of them are free.
So if Apple opens the source code of Mac OS X, Linux users will get Mac OS X for free. This is something that freebird and eddie know and want. This is the sole reason they keep saying that Apple should open the source code of Mac OS X. No one gives a **** about what would happen to Apple if they did that.

mediator posted a thread the other day about some article that says Microsoft should open the source code of Vista if they want to survive. I, on behalf of Microsoft, would like to give the author of that article (whoever he/she is) the famed salute that requires the use of only one finger.


Such opinions and posts are all derivatives of the basic instinct of open source enthusiasts that I mentioned before - "you guys want everything to be free".

I am not pointing a finger at anyone in particular and any names I have mentioned are purely for reference purposes. If anyone feels insulted, they should probably give up their Internet and phone connections today.
 

praka123

left this forum longback
Oh! So Linux users are waiting for apple to open Mac OS X!gr8 lies are made in this forum,thx to fanboyism.I can assure u that I DONT want Mac computer even given free.
 

infra_red_dude

Wire muncher!
aryayush said:
What will happen if they open the source code? Linux distributions will become clones of Mac OS X, maybe even better due to the efforts of thousands of independent and passionate developers. And what is the price of Linux distros? Well, I know it as well as anybody else that most of them are free. So if Apple opens the source code of Mac OS X, Linux users will get Mac OS X for free. This is something that freebird and eddie know and want. This is the sole reason they keep saying that Apple should open the source code of Mac OS X. No one gives a **** about what would happen to Apple if they did that.

so what abt it? when u claim that mac os x is the best, wudn't it be good if everyone can haf it? why are you hell bent on making people pay for something??!! why can't others haf it for free if its possible? the bold part clearly indicates jelousy! u speak as if u own apple or that if apple makes things open source and people dun buy apple products then ur salary will be cut and u mite've to come on the road!

apple can still sell the harware and software separately. give users a choice!

aryayush said:
But everyone knows that such a step would only give away Apple's proprietary technologies which would immediately be snapped up by all other operating systems, nulling the advantage of Mac OS X that Apple can offer to its customers.

come on man! who will copy a copy cat itself??!!! the core, the vfs, the networking components everything's been directly lifted! who will wanna copy it again??!! and for what???

aryayush said:
I, on behalf of Microsoft, would like to give the author of that article (whoever he/she is) the famed salute that requires the use of only one finger.

i never knew u even own MS!!! :D pal, even ur employees (MS staff) are not that rude!!!

aryayush said:
If anyone feels insulted, they should probably give up their Internet and phone connections today.

a more polite disclaimer wud've been much better!!!

****************************************************************

this is fanboyism at its peak! now after reading all this if steve jobs or the board of directors of apple don't hire you then apple's sure gonna lose a lot in business! how can they ignore a person like u man??!!!

ps: btw, of all ur signatures ur current one is the most sensible according to me!
 
Last edited:

nepcker

Proud Mac Pro Owner
RoughlyDrafted has a nice reply to the original InfoWorld article. Check it out: *www.roughlydrafted.com/RD/RDM.Tech.Q2.07/616874CC-35CE-49D3-B859-C2719B6FF352.html

@freebird:
As with MAC,these vulnies are caused bcoz of its closed source and propreitory approach.
I found this funny as well.

Open SOurce is more stabler with fast patches whether u admit or not.Linux is anytime better and stronger than ur Mac OS X.
Another funny statement, especially considering the fact that Apple delivers patches quicker than any other do. Agreed, Linux delivers fast patches do -- but Apple delivers it more quickly.

@aryayush:
Please do not credit/discredit Steve Jobs for whatever happens at Apple. He was not the guy who coded Mac OS X. He is not the primary reason it is so secure.
Of course, Steve Jobs should not be given the entire credit/discredit for what Apple does. But at the heart of Mac OS X lies the code of software he and a couple of other people developed at NeXT.

I am tired of hearing people whining that Apple should open the source code of Mac OS X. They say that it will improve the security or help Apple in one way or the other. But everyone knows that such a step would only give away Apple's proprietary technologies which would immediately be snapped up by all other operating systems, nulling the advantage of Mac OS X that Apple can offer to its customers.
I agree. But given Apple's recent track record, I don't think that OS 10 will ever go opem-source.:)

@shantanu_webmaster:
is it a big deal that MAC OS X got hacked...
Until a lot of details are published about this, I'm not even going to acknowledge that a true hack has occurred.

For one thing, the standards of the so-called hacked machine have not been stated, and it may very well be that it was compromised just so such an exploit could occur. What, you have total faith in the honesty of this contest?
 
Status
Not open for further replies.
Top Bottom