Linked by Thom Holwerda on Mon 6th Mar 2006 21:59 UTC, submitted by crispoe
Mac OS X "In response to the woefully misleading ZDnet article, 'Mac OS X hacked under 30 minutes', the academic Mac OS X Security Challenge has been launched. The ZDnet article, and almost all of the coverage of it, failed to mention a very critical point: anyone who wished it was given a local account on the machine (which could be accessed via ssh). The challenge is as follows: simply alter the web page on this machine, test.doit.wisc.edu. The machine is a Mac mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, has two local accounts, and has ssh and http open - a lot more than most Mac OS X machines will ever have open."
argument makes no sense
by bvdl on Mon 6th Mar 2006 22:23 UTC
bvdl
Member since:
2006-03-06

Bullshit argument. Of course you should offer at least one or two services.

Remember Defcon 9? They couldn't even hack an OpenVMS system with telnet shell access, httpd, ftp and an admin account! Talking about security!

Of course you can't upgrade your Apple to OpenVMS, instead upgrade to OpenBSD - yes you can!

Reply Score: 4

RE: argument makes no sense
by someone on Mon 6th Mar 2006 22:39 UTC in reply to "argument makes no sense"
someone Member since:
2006-01-12

However, OS X is generally used as a desktop OS and not as a Server. Most real world systems don't have any services turned on by default and many are behind NAT routers. This *mimics* (it's already more wide open than most OS X systems) the real situations better.

OpenBSD would be a fine choice for a server, but I don't think people are purchasing Macs to use them as servers.

Reply Score: 5

RE[2]: argument makes no sense
by rayiner on Mon 6th Mar 2006 22:53 UTC in reply to "RE: argument makes no sense"
rayiner Member since:
2005-07-06

Do remember that Apple sells an entire line of Macs intended to be servers!

Reply Score: 4

RE[3]: argument makes no sense
by someone on Mon 6th Mar 2006 23:01 UTC in reply to "RE[2]: argument makes no sense"
someone Member since:
2006-01-12

I am not sure how well XServe sells or what percentage of XServe users actually use Mac OS X Server as their OS.

Reply Score: 1

RE[4]: argument makes no sense
by riha on Tue 7th Mar 2006 11:38 UTC in reply to "RE[2]: argument makes no sense"
riha Member since:
2006-01-24

All Xserves we are selling are running macosX, if they would not run macosX, why even sell them a mac???

Having ssh and httpd is VERY common on servers. Or at least httpd, ssh could be set up in a secure way by using vpn or something, but it is pretty common with servers accepting ssh for their users.

Reply Score: 1

v RE[5]: argument makes no sense
by elsmob on Tue 7th Mar 2006 15:35 UTC in reply to "RE[2]: argument makes no sense"
RE[6]: argument makes no sense
by deathshadow on Tue 7th Mar 2006 17:18 UTC in reply to "RE[5]: argument makes no sense"
deathshadow Member since:
2005-07-12

>> Isn't a Mac Server an oxymoron
Don't tell that to the US Army - they bought a whole SLEW of G3's for that very use.


>> or military intelligence ?
Oh wait, nevermind.

Reply Score: 0

RE: argument makes no sense
by Celerate on Mon 6th Mar 2006 22:56 UTC in reply to "argument makes no sense"
Celerate Member since:
2005-06-29

In order to make things fair then, when testing Windows the Remote Desktop Server and IIS software should be left running right? In which case you're not really testing the security of the operating system, but the software running on it IMO.

No OS fares well under such conditions, whether it takes someone 10 minutes or an hour to break in really isn't even remotely a measure of how secure any of my boxes were yesterday, are today, and will be tomorrow. As for people who still associate computers with magic, if they care about security they should have someone who knows what they're doing install a hardware firewall between their modem and any computers (routers are great for this and provide other good features too) and they should have some kind of automated AV update and scan depending on the OS.

So really, security benchmarks are for the most part useless marketing ploys. Does everyone agree?

Reply Score: 4

RE: argument makes no sense
by Shannara on Tue 7th Mar 2006 17:31 UTC in reply to "argument makes no sense"
Shannara Member since:
2005-07-06

An upgrade for a geek is a downgrade for a normal computer user ..

Dang it OSNews, fix the site so people can vote!

Reply Score: 1

Port scan
by JustAnotherMacUser on Mon 6th Mar 2006 22:37 UTC
JustAnotherMacUser
Member since:
2006-01-08

128.104.16.150, no response.

Publicity stunt or he went home early.

FOUL!!!

Like anyone is really going to give up their secrets to cracking Mac OS X.

shesh, so lame

Reply Score: 0

RE: Port scan
by someone on Mon 6th Mar 2006 22:49 UTC in reply to "Port scan"
someone Member since:
2006-01-12

I tried "ssh test.doit.wisc.edu" and the machine seems to have ssh access enabled.

Edited 2006-03-06 22:50

Reply Score: 2

RE[2]: Port scan
by archiesteel on Mon 6th Mar 2006 23:35 UTC in reply to "RE: Port scan"
archiesteel Member since:
2005-07-02

Indeed, nmap reveals that ssh and http are open:

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-03-06 18:33 EST
Interesting ports on test.doit.wisc.edu (128.104.16.150):
(The 1659 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
427/tcp closed svrloc
443/tcp closed https

Nmap finished: 1 IP address (1 host up) scanned in 35.609 seconds

Reply Score: 3

RE[3]: Port scan
by CloudNine on Tue 7th Mar 2006 07:51 UTC in reply to "RE[2]: Port scan"
CloudNine Member since:
2005-06-30

"and has ssh and http open"

It's all in the summary.

Reply Score: 1

local account
by postmodern on Mon 6th Mar 2006 23:01 UTC
postmodern
Member since:
2006-01-27

'"It probably took about 20 or 30 minutes to get root on the box. Initially I tried looking around the box for certain mis-configurations and other obvious things but then I decided to use some unpublished exploits -- of which there are a lot for Mac OS X," gwerdna told ZDNet Australia.

According to gwerdna, the hacked Mac could have been better protected, but it would not have stopped him because he exploited a vulnerability that has not yet been made public or patched by Apple.'

That's not misleading at all, he got root via unpublished local vulns. That's still insecurity, why isn't anyone jumping on Apple to step up the security process? Why are so many people quick to defend Apple, when there's a good amount of evidence security researchers are picking OSX (and its open source subcomponents) apart?

Edited 2006-03-06 23:04

Reply Score: 3

RE: local account
by Windows Sucks on Mon 6th Mar 2006 23:16 UTC in reply to "local account"
Windows Sucks Member since:
2005-11-10

Because it has not been proven that this is a true story!

It's prob about as real as weapons of mass destruction in Iraq. They could be there and people said they were there but NO one has proven it yet! But people were sure hooked when Powell went to the UN though and said they were there!

Same thing (Although much less serious) some guy says he did XYZ but yet no one is showing how it was done? The person won’t even give a credible name! Come on you must be kidding!

Until the facts show themselves, there is nothing to show that someone has hacked a current Mac, patched 100% in 30 min.

"Why are so many people quick to defend Apple, when there's a good amount of evidence security researchers are picking OSX (and its open source subcomponents) apart?"

Do you know anyone who has gotten a Worm in OSX or a Virus or hacked? I doubt it.

Reply Score: 2

RE[2]: local account
by Tom K on Mon 6th Mar 2006 23:32 UTC in reply to "RE: local account"
Tom K Member since:
2005-07-06

It's people like you that keep believing that OS X is the pinnacle of computer security.

The lot of you are in for a nasty surprise sooner or later.

Reply Score: 1

RE[3]: local account
by Windows Sucks on Mon 6th Mar 2006 23:48 UTC in reply to "RE[2]: local account"
Windows Sucks Member since:
2005-11-10

I'm still waiting... People have been saying that about Linux, Unix, BSD's, Mac OS etc for ever and a day. Linux is growing by leaps and bounds, shoot companies like Google run their whole business on Linux and Bsd.

Hummm when is the last time you heard Google having to go to an outside company like Akamai to protect their network? Oh that's right Akamai uses all Linux all over the world also.

The internet is run by Unix type OS's not Windows. And the internet keeps humming along. Yes, you will have a few unpatched machines here and there that will get taken down. But I am still waiting for all the Linux and BSD web hosters like Yahoo to get taken down, waiting for the University of VA's Apple supercomputer to get taken down. (It faces the net)

Yet NONE of this has happened. None.

Reply Score: 2

RE[4]: local account
by Tom K on Mon 6th Mar 2006 23:52 UTC in reply to "RE[3]: local account"
Tom K Member since:
2005-07-06

You missed the point.

The point was that Apple apologists are aplenty, and they're living up in the clouds. With every security issue raised about OS X, they have a cheap explanation.

The truth of the matter is that OS X got *owned*, regardless of how. I feel pretty confident about my Mac Mini/iBook setups, but I'm not blindly faithful -- I still keep tabs on the latest security patches, and I don't let anyone touch my Mac either locally or remotely.

Reply Score: 2

RE[5]: local account
by Windows Sucks on Tue 7th Mar 2006 00:07 UTC in reply to "RE[4]: local account"
Windows Sucks Member since:
2005-11-10

I didn't miss the point. My point was please show me where Mac OS got "Owned" ??? I am not seeing it. If you take this story with nooooo proof as law then I guess you are right.

I can say I hacked norad and if I can get someone to reprint the story I guess that makes me true to my word also. LOL!

Reply Score: 1

RE[6]: local account
by Tom K on Tue 7th Mar 2006 01:30 UTC in reply to "RE[5]: local account"
Tom K Member since:
2005-07-06

Um ...

The guy who *held the competition itself* said that the machine was successfully broken into. Are you on crack?

Reply Score: 0

RE[7]: local account
by Windows Sucks on Tue 7th Mar 2006 02:26 UTC in reply to "RE[6]: local account"
Windows Sucks Member since:
2005-11-10

The "GUY" ??? LOL! Are you on crack? Who is this guy, does anyone know him, are there any other witnesses like on this forum tonight?

I mean did you even look at what you wrote "The Guy" Didn't even put "The Guy"'s name. LOL!

Oh yea this same guy broke into my VAX machine tonight in under 30 minutes. LOL! Now I guess I can be the guy also. I will get my cousin to come on and be the hacker guy and use a cool undercover name like "supercrack" and say yea he hit my Vax machine hard! LOL!

Come on how gullible can people be. LOL!

Reply Score: 0

RE[4]: local account
by sappyvcv on Tue 7th Mar 2006 00:00 UTC in reply to "RE[3]: local account"
sappyvcv Member since:
2005-07-06

Hummm when is the last time you heard Google having to go to an outside company like Akamai to protect their network? Oh that's right Akamai uses all Linux all over the world also.

That's great, but who uses Akamai to protect their network?

Reply Score: 2

RE[5]: local account
by Windows Sucks on Tue 7th Mar 2006 00:08 UTC in reply to "RE[4]: local account"
Windows Sucks Member since:
2005-11-10

Ummmmm, Microsoft has long used Akamai to provide caching for their webservices. That is an OOOOOOLD story.

Reply Score: 2

RE[6]: local account
by n4cer on Tue 7th Mar 2006 00:10 UTC in reply to "RE[5]: local account"
n4cer Member since:
2005-07-06

They don't use it for network protection though.

Reply Score: 2

RE[6]: local account
by sappyvcv on Tue 7th Mar 2006 00:10 UTC in reply to "RE[5]: local account"
sappyvcv Member since:
2005-07-06

Yes. They use akamai for hosting downloads, not to protect their networks.

There is a difference buddy ;)

Reply Score: 1

RE[7]: local account
by Windows Sucks on Tue 7th Mar 2006 00:16 UTC in reply to "RE[6]: local account"
Windows Sucks Member since:
2005-11-10

Ummmm, Akamai handles 4 of MS's 8 DNS servers!

Also : http://www.crn.com/sections/breakingnews/dailyarchives.jhtml;jsessi...

"Akamai runs a service to help boost Web site performance by caching copies of Web sites on many servers in many locations. Akamai can help defend against denial-of-service attacks by spreading the attack among many servers. Just as a distributed denial-of-service attack enlists large numbers of systems to attack a single server, Akamai presents a distributed defense against denial-of-service attacks."

Sounds like network protection to me. But maybe I can't read.

Come on it's just the same as Microsoft using several parts of BSD in Windows, like Telnet, the FTP client, the IP stack etc. It's well known, old news!

Edited 2006-03-07 00:18

Reply Score: 2

RE[4]: local account
by anduril on Tue 7th Mar 2006 00:54 UTC in reply to "RE[3]: local account"
anduril Member since:
2005-11-11

You do realize that Akamai isn't a company you hire to "protect" your network. It's a global caching service that allows a company to provide fast, streaming content regionally without having to establish their own satellite DC's in those regions.

You also seem quite misinformed about how corporate level networks are setup, let alone how someone would find vulnerabilities within a software package let alone exploit them.

So, fanboy, go talk on slashdot.

Reply Score: 1

RE: local account
by grrr on Mon 6th Mar 2006 23:24 UTC in reply to "local account"
grrr Member since:
2005-09-03

You are right it must be patched but people are saying that it is not a realistic test and it's not. Also people are running all kinds of scripts with cron as root that may write files that are all security risks; when I have a local account even I can do some damage to a lot of machines and I am no security expert and no hacker, I am a simple system administrator. You have to be always alert, you have to always keep security as tight as possible, only allowing ssh for some IPs for example, inspecting logs, ... that is true for all operating systems, also for os-x.

Reply Score: 1

RE: local account
by Deviate_X on Mon 6th Mar 2006 23:29 UTC in reply to "local account"
Deviate_X Member since:
2005-07-11

"Why are so many people quick to defend Apple, when there's a good amount of evidence security researchers are picking OSX"

I remember the first editions of OSX where one could take ‘root’ and take down the kernel with simple commands (http://www.google.co.uk/search?hl=en&safe=off&q=osx+privilege+escal...).

Despite this there are many in the apple community continually promoting the idea that OS X is practically invulnerable.

Edited 2006-03-06 23:31

Reply Score: 4

RE[2]: local account
by Windows Sucks on Mon 6th Mar 2006 23:34 UTC in reply to "RE: local account"
Windows Sucks Member since:
2005-11-10

Wow, I remember when there were viruses in Dos? LOL!

Question is, can you do that now? You for sure can do that in Windows. There is no question about it. Almost ALL windows workstations run with the "root" admin account as the current user. No work there.

You can rootkit the heck out of Windows machines and 99% people out there would not even know and would never find out.

Show me where someone can take root and take the Kernel down with a simple command. Shoot I will put my own Mac up for that challenge!

Reply Score: 1

RE[3]: local account
by anduril on Tue 7th Mar 2006 00:58 UTC in reply to "RE[2]: local account"
anduril Member since:
2005-11-11

You truly are delusional. Rootkits exist for Unix/Linux/OSX just as well as they exist for Windows. If you're in the right circles, you'll have easy access to them.

Also, the point of a rootkit is to make detection difficult if not impossible in some situations. The same, surprise surprise, can happen in Unix. In fact, rootkits existed on Unix before Windows. Hmm.

So to your final point, if I'm in user mode in Windows XP (which I am) show me the simple command to take root and take down the kernel. Other than Ctrl+Alt+Del which doesn't give you root access.

Reply Score: 4

RE[4]: local account
by grrr on Tue 7th Mar 2006 07:25 UTC in reply to "RE[3]: local account"
grrr Member since:
2005-09-03

" If you're in the right circles, you'll have easy access to them. "
you mean if you are in the wrong circles ;-)

Reply Score: 2

RE[3]: local account
by iain.dalton on Tue 7th Mar 2006 05:36 UTC in reply to "RE[2]: local account"
iain.dalton Member since:
2006-02-28

I agree with you that one cannot take down the kernel with "a simple command," but if you say that you will put your mac up for hacking attempts, you should do it. If you do, please tell us.

Reply Score: 1

RE: local account
by Jedd on Tue 7th Mar 2006 03:57 UTC in reply to "local account"
Jedd Member since:
2005-07-06

Right and gwerdna should tell Apple about this "vulnerability" unless he has some reason (Black Hat unsavory much?) for keeping it secret. If indeed said reason exists, and the whole thing is not a flim-flam.

Reply Score: 1

RE: local account
by DevL on Tue 7th Mar 2006 10:35 UTC in reply to "local account"
DevL Member since:
2005-07-06

95% of all exploits are only usable to escalate privileges for a local account. Remote exploits are much more uncommon (take a look at OpenBSD's track record - tons of security patches, but few that cover remote exploits).

Reply Score: 1

MonkeyPie
Member since:
2005-07-06

The guy was given "local" access through SSH.

What validates THIS challenge, is that you are NOT handed a local account. Therefore, you do not have a local account to work your way from the inside out.

Not because I want to "validate" the original claims, but I too would like them to offer up some real proof and methods of attack. What vulnerabilities were actually used.

The reason everyone is defending Apple in this matter is the same reason people defend the *nixs and BSDs, this was done using local (ssh accounts are considered local not remote, for those who do not know) exploits and not remote vulnerabilities.

JRM7

Reply Score: 5

ormandj
Member since:
2005-10-09

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.8.1p1 (protocol 1.99)
80/tcp open http Apache httpd 1.3.33 ((Darwin))
427/tcp closed svrloc
443/tcp closed https

Reply Score: 1

archiesteel Member since:
2005-07-02

How do you get the version of the server software with nmap? I should really learn more about it...

Reply Score: 1

ormandj Member since:
2005-10-09

The easiest way is just to use -A. It'll get OS and daemon versions for you. You need nmap 4.x though. ;)

Reply Score: 1

archiesteel Member since:
2005-07-02

Dang. I'll have to wait until I upgrade to Dapper Drake! :-)

Thanks for the tip, though!

Reply Score: 1

ormandj Member since:
2005-10-09

You can try nmap with the "-sV" flag. It just won't have up to date service information. ;)

Reply Score: 1

I am amazed
by JoeBuck on Tue 7th Mar 2006 00:26 UTC
JoeBuck
Member since:
2006-01-11

I am amazed at the number of Mac zealots who want to plug their ears, cover their eyes, and insist that all talk of exploits in Mac OS X are lies, despite the claims of reputable computer security researchers to the contrary.

Yes, it is true that this was not a remote exploit. But privilege escalation is half of what you need for a remote exploit: if you can trick an ordinary user into executing arbitrary code, and that arbitrary code has a root exploit, the remote attacker gets root.

If I were a paying Apple customer, I would lean on the people I'm paying money to to do a better job of patching the already-known exploits. Remember, the bottom layer of MacOS X (Darwin) is available in source form for the black hats to inspect; Mac users need to be just as careful as everyone else to keep their patches up to date.

There are real architectural reasons for better safety on Unix-like systems, but it is no excuse for complacency.

Reply Score: 5

RE: I am amazed
by modmans2ndcoming on Tue 7th Mar 2006 15:00 UTC in reply to "I am amazed"
modmans2ndcoming Member since:
2005-11-09

No one is saying they are lies. They are saying that OS X's hack was done by a local user, not a remote user.

Windows' problem is remote user hacks. Remote vulnerabilities are the bad ones.

Reply Score: 1

Well past 30 minutes and counting
by JLF65 on Tue 7th Mar 2006 00:46 UTC
JLF65
Member since:
2005-07-06

Well, it's been more than 30 minutes and the page is still unhacked. Just goes to show you how much FUD the ZDNet article was.

Reply Score: 1

anduril Member since:
2005-11-11

Not exactly FUD. It was completely different situations. On the box that the ZDnet article talks about anyone and everyone was given local shell accounts. Quite a bit different than what's currently being used in the UnvWi hackertest.

Reply Score: 1

modmans2ndcoming Member since:
2005-11-09

and quite a bit different than what happens in the world.

Reply Score: 1

anduril Member since:
2005-11-11

Not totally tho. Most webhosting servers will have SSH access for any of their users. So a similar privilege escalation attack COULD be accomplished. Tho it should technically be much harder.

Reply Score: 1

Who cares about MS and Akamai?!
by tertiary_adjunct on Tue 7th Mar 2006 00:59 UTC
tertiary_adjunct
Member since:
2006-01-15

Umm...the article is about a challenge to hack Mac OS X because of an article that said it can be done in 30 minutes.

The discussion of Akamai and Microsoft is totally irrelevant. Though I personally find it interesting, it is completely off topic.

Can we return to the issue at hand?

BTW - As someone else pointed out, the Mac OS X challenge web site is still running. If OS X is so easy to break into, then why is a web site challenging the public to hack it, still up? It's been several hours since the challenge was made. I thought OS X could be hijacked in 30 minutes. If that is the case, why is the page still up?!

Reply Score: 3

Windows Sucks Member since:
2005-11-10

You are right.

I am still waiting for this machine to be hacked myself. Will be interesting to see if it can be.

Reply Score: 1

kamper
Member since:
2005-08-20

The problem I see with this is that, when it doesn't get hacked, too many people will rejoice and once again claim that os x is invulnerable.

But they're testing such a small part of it here. If you're going to talk about desktop machines then you have to acknowledge that most exploits will involve something other than just opening ports to fairly secure applications. Frequently it will involve getting the user to accept some form of data, getting the exploit code in just far enough to open a much wider range of code to attack. Things like the viewing of maliciously crafted files (to use a nice media term). This new challenge simply doesn't acknowledge those attack angles.

While the recent 30-minute exploitation was portrayed in entirely the wrong way by zdnet, it does highlight a critical problem: all these claims about how not running as root is more secure are a little weak. Compromise the user account and you're in the same situation as the rm-my-mac exploit (the attacker is going to get root). Don't compromise the user account and point not running as root doesn't even come into play.

I'm not saying it's pointless to restrict the default user account, just that the presence of privilege escalation holes is still a very serious thing for a desktop machine.

Reply Score: 2

modmans2ndcoming Member since:
2005-11-09

hmmm... so, basically, if you can gain a local account on a Mac, then you can hack it.... just like all the Unix type systems out there.

piece of cake.... I will just call up the sys admin and ask for a local account.... oh wait.

Reply Score: 1

kamper Member since:
2005-08-20

hmmm... so, basically, if you can gain a local account on a Mac, then you can hack it.... just like all the Unix type systems out there.

Yeah, that's exactly what I'm saying, except it's not supposed to be so easy on all the unix type systems out there. I have access to at least one system with several thousand users running solaris. I'm not a cracker so I don't know how easy it would be to get root but I don't think the admins would consider using os x for this machine for one second.

piece of cake.... I will just call up the sys admin and ask for a local account.... oh wait.

Or you could use some other exploit to gain access to a local account. People have never claimed that wasn't possible, only that the damage done would be minimized due to the lack of root access. This proved that once you get a local account, not running as root doesn't matter.

Reply Score: 1

What's that?
by Buck on Tue 7th Mar 2006 06:10 UTC
Buck
Member since:
2005-06-29

So basically people don't want to believe that you can't crack a MacOSX machine that has ssh and http services available? That's ridiculous! Many many people including me run a MacOSX server with http and ssh, iChat, IMAP, POP3 services available to the outside world yet nothing extraordinary happens. You people, just subscribe to macos-x-server list to get the proof. Local account is one thing, open ports are quite another.

Reply Score: 0

Shifting security paradigms
by g__t on Tue 7th Mar 2006 09:20 UTC
g__t
Member since:
2006-01-04

I respect ZDnet test and this test.
However, those kinds of tests are progressively losing significance.
Now we have fairly secure OSes, widely and extensively tested and fairly simple to manage, we have secure crypto primitives with provable security and robust protocols based on them.
Real pains now come from other things.

Applications:
even if built and run on a secure framework, a custom application is more subject to bias, bugs, security misconceptions etc than an OS or a protocol that's much more extensively tested and examined. Simply, there is no easy way to make a non-trivial application x that's used and tested by 100 end users as secure as application (or system, or protocol) y that is used and tested by 100 millions of users, even if real testers would just be 100 thousands.
Here, just a couple of cases where best systems + good programmers + good admins == quite a mess
http://www.theregister.co.uk/2005/07/06/usc_site_cracked/
http://www-tech.mit.edu/V124/N20/20ssn.20n.html

Consumer electronics security, c.e. users:
what's the point to have super-duper strong encryption, or bug-free, absolutely secure operating system on a PC, a machine that's not built for top secret level security and it's usually not managed to even fairly good security?
Circuits are not shielded and some really good opponent can bypass any of your countermeasures reading the EM path radiated from your machine, from CPU to monitor, with TEMPEST equipment.
Or someone may tamper with your machine, as credit card readers and bancomat are tampered with, in order to bypass anything you are supposing to do to secure your data.
Or simply most people will choose guessable or easy to bruteforce passwords, or leave sensitive data on non-encrypted media, or even don't care about anything.

IMHO, security at OS level will become progressively a PRErequisite for security rather than a subject to security analysis itself.

Reply Score: 1

Stirring the pot
by elsewhere on Tue 7th Mar 2006 14:29 UTC
elsewhere
Member since:
2005-07-13

Well, now, here's CNet's latest Apple security warning:

http://news.com.com/Mac+OS+X+patch+faces+scrutiny/2100-1002_3-60465...

Is it another Chicken Little scenario or is it a cause for concern?

If I'm reading it correctly (and I'm not an OS X user so I'm not entirely familiar with the workings of the OS, and my gf refuses to let me "experiment" with her powerbook), then the flaw with file content issue wasn't actually repaired, Apple only put a stop gap into their own net apps like Safari and iChat. But since the flaw still exists at the OS level, if users of something like firefox are tricked into downloading a masqueraded file they could still wind up with a nasty payload, one that could theoretically be combined with a privilege escalation vulnerability and cause some serious grief.

Yes, yes, I know, Mac users know better than to click on links, right? So yes, I know, why worry about such a trivial flaw existing, right?

If I was a Mac user and reading between the lines, this is the quote that would concern me:

However, with its security update for Safari, Mail and iChat, Apple believes it cut off access for such Trojans. "The tools most people use (now) have built-in validation for things before they even get to the desktop," Schiller (Michael Schiller, Sr VP for Worldwide Product Marketing, Apple) said. "The point of where people get the file is often through the browser and mail and instant messaging."

So basically, they don't need to worry about the flaw existing in a core OS component because they believe they can block it at the application level. Assuming you only use their applications to access the net.

To reinforce that:

"If the method we use works for most people most of the time and some people use some other tools and would like to have some more support for validation, we think that's good feedback we'll consider for the future," he said. "We always try to make this better and stronger."

Huh? If this method works for most of our customers using our own apps, we'll consider building this security into the OS to protect users of other applications.

And one more:

This vulnerability has actually existed for years in Mac OS, Long said. If attackers really were targeting Mac users, numerous examples of malicious code taking advantage of the flaw would be in circulation. "In fact, that is not the case," he said. "While it can be a factor in a system being compromised, this vulnerability by itself does not justify panic."

So again, the argument, is OS X secure because it can't be compromised or secure because nobody's really made a serious effort to compromise it?

Yes, Apple is based on BSD and uses well proven OSS tools like OpenSSH and Apache for network services. I won't argue that properly deployed, an OS X system is fairly secure. In the context of this example, I doubt the machine will get compromised but I don't think it proves anything.

Can you be as confident that those parts of the OS that are not "proven" OSS technologies, all those little proprietary bits built on top of it, are just as secure? I guess time will tell, but the fact is that Apple has yet to face a serious security breach with OS X and only then, by their reaction, will you be able to judge how seriously they're taking platform security.

Security is a mindset; ignoring vulnerabilities because you can't envision an obvious attack vector ("Oh sure it was compromised, but it was done over SSH using a local account, so what do you expect?" Huh? That's ok, then?) isn't appropriate, you need to assume vulnerabilities CAN and WILL be exploited by attack vectors you may not have yet anticipated. You don't just reduce the vectors, you reduce the vulnerabilities themselves.

Remember macro viruses in Office? Back then, did anybody anticipate opening a word file in Windows could launch a covert virus attack against everyone in your address book? Hindsight is 20/20 and we can argue now that was simply poor design on Microsoft's part, but at the same time there didn't exist precedent to believe that two unrelated desktop components would be linked and compromised so effectively. Microsoft took a long time to learn that lesson the hard way, if they truly have yet. Apple should and must do better. There's only so much an OS can do to secure the apps running on top of it, but it should still do whatever it can.

We can argue all day long about the nature of OS X security, and certainly much of it is academic for now, but remember that denial ain't just a river in Egypt.

Reply Score: 4

What a weird competition
by mikehearn on Tue 7th Mar 2006 15:09 UTC
mikehearn
Member since:
2005-12-31

This is testing the security of Apache and OpenSSH, which are already known to be quite secure. Testing the security of OS X would be more like adware/spyware wargaming.

Reply Score: 3

RE: What a weird competition
by silicon on Wed 8th Mar 2006 03:02 UTC in reply to "What a weird competition"
silicon Member since:
2005-07-30

Yes I second that.

Reply Score: 1