posted by Thom Holwerda on Sun 30th Mar 2008 20:35 UTC

"Countering misinformation, 2/2"

6. "Miller reported hacking something related to Safari, but the details haven't been revealed."

Safari is a default part of Mac OS X, and is, as such, a possible attack vector, in the exact same way that Ubuntu has Firefox, and Vista has Internet Explorer 7. A chain is only as strong as its weakest link, and if that weakest link is the browser, than the operating system has an insecurity. There was still a remote code execution and privilege escalation, and whether this is done through the kernel, Safari, or the folder icon's 56th pixel in the 15th row is completely irrelevant. Many of the big security threats to Windows XP were related to Internet Explorer and/or Outlook Express, does this make them any less severe or relevant?

In an update to the article, Roughly Drafted states that John Gruber claims the weakest link was a library used by WebKit's JavaScript engine, which has already been fixed by the WebKit team. According to Roughly Drafted, "this suggests that the entire contest was about Miller proving he could temporarily outsmart an open source development project for a few days, rather than having anything significant to do with relative platform security between Macs, Windows, and Linux". Again, something about a chain and weak links? Apple is responsible for the code it decides to ship with its OS, and for the speed with which they incorporate patches from the original developers into their trees. If Apple fails here, it is Apple's fault.

7. "Attendees with the ability to crack Linux 'didn't want to put the work into developing the exploit code that would be required to win the contest', according to [an] IDG article."

Roughly Drafted continues: "Why not? Because they lacked the political motivation to prove Linux was easy to hack, and they lacked the financial motivation to earn USD 10000 at a contest when they might be able to sell their vulnerability discovery for more than that."

Firstly, Roughly Drafted contradicts itself here. They stated that exploits for Macs were not used by malware creators in the wild because the Mac's userbase is too small, and now they claim that an exploit for a home operating system whose userbase is probably even smaller can be sold for a lot of cash? In their hurry to discredit Ubuntu, they contradicted themselves quite severely.

However, this is not the biggest problem with reason #7. The biggest problem is that they grossly misquote the original IDG article they say to have taken the quote from. This is what the article actually says:

"Although several attendees tried to crack the Linux box, nobody could pull it off, said Terri Forslof, a manager of security response with TippingPoint. "I was surprised that it didn't go," she said.

Some of the show's 400 attendees had found bugs in the Linux operating system, she said, but many of them didn't want to put the work into developing the exploit code that would be required to win the contest."

There is nothing on political motivation, nothing on selling exploits, nothing at all. All we have here is an highly anecdotal piece of evidence that "several attendees" had found bugs in Ubuntu, but that none of them wanted to "put the work into developing exploit code". This statement is not backed up by any evidence, or interviews with any of these "several attendees".

8. "Many exploits and vulnerabilities are not unique to 'Mac, Windows, or Linux', but instead are cross platform threats."

This is a very valid remark, but also an utterly irrelevant one in this specific context. Windows Vista does not ship with WebKit. Ubuntu does not ship with WebKit. Mac OS X does ship with WebKit. As such, this exploit is not cross-platform at all. It will only become cross-platform (possibly!) when you install Safari on Windows, or Konqueror on Ubuntu. This defeats the purpose of the contest rules on day two, which clearly stated only default installations were used (third party applications were added to the mix on day three).

Even if this was a cross-platform exploit, the reasoning is weak. This is actually a dressed up case of "but they are doing it too!" reasoning, usually employed by young kids trying to get stuff from their parents. But mom, Timmy gets two cookies with his milk, and I only one. I should get two cookies too because Timmy gets two too! The fact that an exploit exists on Windows does not absolve Mac OS X (or any other operating system) from its responsibilities. Exploitable on other operating systems or not, it is still and exploit on your platform.

9. "Miller has repeatedly stated that his life's work is to discredit the security of the Apple's platforms."

Roughly Drafted claims that the fact that Miller exploited outdated FOSS code in Mac OS X says more about his "knowledge, expertise, and motivations" than it does about Mac OS X, Windows, and Linux. They state that somehow, Miller had it easy because he is a security expert, who only had to battle with "non-motivated colleagues on Windows who have sold their exploits to spammers" and "Linux expert colleagues who have no interest in trying to make FOSS look bad".

Let's start with the Linux guys. Linux developers make FOSS look bad all the time. Try and load up the kernel's bug database, follow the kernel's mailing list. Read Ubuntu's LaunchPad, GNOME's Bugzilla. They are filled with Linux experts making FOSS look really, really bad by reporting bugs and security threats. In addition, I have a hard time believing the numerous Linux experts out there are not interested in 20000, 10000, or 5000 USD.

As for the Windows guys, the proceedings of the contest severely contradict Roughly Drafted's assumptions. If the Windows guys are indeed only interested in selling their exploits for huge profits to spammers, then why did Vista get hacked on the third day, for a relatively mere 5000 USD, using an exploit in Flash, which is installed on just about any machine out there? A major security hole in Flash, installed on so many Windows boxes, would be worth a lot of money according to Roughly Drafted's reasoning - yet, the Windows guys decided to only score 5000 USD with it.

10. "Apple's use of open source makes it easier for researchers like Miller to identify exploits."

This is not true. The reason researchers like Miller can use open source software as an attack vector is not because of the inclusion of open source software in and of itself, but because Apple lags behind when it comes to integrating patches from open source software projects back into Mac OS X. Even though Roughly Drafted points out, rightly so, that Apple needs a lot of testing before releasing patches, this still does not negate the fact that this leaves known attack vectors open, adding insecurity to Mac OS X - and allowing smart people like Miller to win lots of money.

Apple includes open source software because it means they have to hire less people to write software for them, which, logically, cuts costs. However, this also presents new problems for Apple, including one of security. Structural security problems like this might be beyond Apple's control, but that does not mean the security threats posed are any less severe or relevant than security exploits in Windows.

Conclusion

The reason I decided to write this rebuttal was not to discredit Apple, or because I have been paid by Canonical or Microsoft. The reason I wrote it is because the article contains an unrivaled wealth of misinformation, some things even bordering on slander, trying to attack the credibility of CanSecWest and its organisers. Apple does not need a 'Get the facts' campaign with websites like Roughly Drafted ready to do it for them.

Usually I ignore articles like this, but when they contain easily rebuttable misinformation and slander, I see it as my obligation to counter them, especially seeing how many in Mac-centric circles refer to Roughly Drafted as a reputable source. And trust me - this is just one example of the types of misinformation-laden articles on Roughly Drafted.

Do with it as you please.
If you would like to see your thoughts or experiences with technology published, please consider writing an article for OSNews.
Table of contents
  1. "Countering misinformation, 1/2"
  2. "Countering misinformation, 2/2"
e p (8)    81 Comment(s)

Technology White Papers

See More