Myth crushed as hacker shows Mac break-in

[alsiladka]

Quote:

Right after Apple's release of a patch for 25 vulnerabilities in OS X, a hacker managed to break into a Mac by exposing a hole in Apple's browser Safari, winning a $10,000 prize as part of a contest started at the CanSecWest security conference in Vancouver, Canada. Initially, contestants were invited to try to access one of two Macs through a wireless access point while the Macs had no programs running. No attackers managed to do so, and so conference organizers allowed participants to try to get in through the browser by sending URLs via e-mail.

Dino Di Zovie, who lives in New York, sent along a URL that exposed the hole. Because the contest was only open to attendees in Vancouver, he sent it to a friend who was at the conference and forwarded it on. The URL opened a blank page but exposed a vulnerability in input handling in Safari which allowed an attacker to use the vulnerability in a number of ways, but Di Zovie used it to open a back door that gave him access to anything on the computer. The vulnerability won't be published. 3Com's TippingPoint division will handle disclosing it to Apple. The prize for the contest was originally one of the Macs but on Thursday evening, TippingPoint put up the cash award, which may have spurred a wider interest in the contest.

"Currently, every copy of OS X out there now is vulnerable to this," said Sean Comeau, one of the organizers of CanSecWest. The conference organizers decided to offer the contest in part to draw attention to possible security shortcomings in Macs. "You see a lot of people running OS X saying it's so secure, and frankly, Microsoft is putting more work into security than Apple has," said Dragos Ruiu, the principal organizer of security conferences including CanSecWest. Macs haven't been targets for hackers and malicious code writers because there are fewer Macs in use, thus making the potential impact of malicious code smaller than on the more widely used Windows PCs.

Sources :-
Neowin.Net
Infoworld

[gxsaurav]

Bound to happen.

[infra_red_dude]

nothing is perfect in this world. afterall these are man made!

[iMav]

i am just glad this is not a rumor

[Zeeshan Quireshi]

Quote:

Originally Posted by gx_saurav

Bound to happen.

+1

[nepcker]

While it is true that the shell was accessed, the access is only for that account. Not the whole machine. And, if you read the article, definitely not as root. So, if you use Safari, and you have a 'regular' user account that does not have 'administrator rights', the damage will be kept to that account, and not compromise the entire OS.

In the article -- there are 2 macs up for grabs. The second is still not hacked. Which, if these were Windows machines, the machines would have been compromised long ago.

The security updates the article talks about have nothing to do with Safari. Well, directly anyway.

The article also mentions that while the macs were on the LAN only -- they couldn't be hacked. They had to allow the macs to the internet and then to a specifically crafted website. They don't specify if pop-ups were being blocked etc.

To conclude -- I do think this is an issue. But to compare it to the security of windows -- please...
So, don't enable root - most folks don't.
Don't use an 'admin enabled' account and do backups.

[kumarmohit]

Quote:

Originally Posted by infra_red_dude

nothing is perfect in this world. afterall these are man made!

Totally Agree. Jobs is a human being afterall.

[nepcker]

The other way of looking at this story is that the Mac is incredibly secure.

The Mac remained unhacked for many tries, and it wasn't until the event organizers opened the contest to non attendees that one successful attack was made. The second machine has not as of this writing, been compromised.

So yes, Safari now needs a patch, someone found a way in. And if someone finds their way in through a different hole, that too will be patched.

It is a wonderful thing when vulnerabilities are found in this way, so they can be fixed before they are exploited.

Windows is full of holes, the Mac now has one we know about (there are certain to be others). There is still no comparison.

This is not a wake up call, not a reason to ring alarms, it is incredibly good news. The Mac remains very difficult to exploit, and the one way found in so far will surely be patched soon.

Quote:

"You see a lot of people running OS X saying it's so secure, and frankly, Microsoft is putting more work into security than Apple has," said Dragos Ruiu, the principal organizer of security conferences including CanSecWest.

I have never heard anyone say that the Mac is so secure, you can visit any URL in any spam message. As with all operating systems, the standard advice is not to click on a link unless you know where it's taking you.

Secondly, Microsoft had to put more work into security; Windows was so vulnerable it was driving people away. Apple has stayed on top of and, according to one study, been more responsive to security issues than Microsoft. The whole Leopard delay has shown us that Apple's resources are stretched thin. If Apple hasn't been making security a priority, it couldn't possibly have the record it does. It's a complete fallacy to suggest that Apple is disregarding security.

[praka123]

is just an intrusion on a local user account,show us that root account is compromised.UNIX arch is superior;no doubt on this as MAC uses a fork of FreeBSD.

[Sukhdeep Singh]

Well, venerability lies in everything. Just that Windows is used by 90% of World's PC makes it a target for hackers since they want the maximum effective result

[freebird]

Well,even if volume of users increases,UNIX wont be much affected by Viruses.
THis is explained if u study the unix architecture.
http://www.linuxinsider.com/rsstory/54742.html

As with MAC,these vulnies are caused bcoz of its closed source and propreitory approach.

[aryayush]

Quote:

Originally Posted by freebird

As with MAC,these vulnies are caused bcoz of its closed source and propreitory approach.

LOL! This is one of the more ridiculous statements I have seen on this forum. Just because you Linux fans want Apple to open the source of Mac OS X because you guys want everything to be free, does not mean that OS X is insecure because of the closed source. If anything, it is more secure because the source is not entirely open.

Quote:

Originally Posted by kumarmohit

Jobs is a human being afterall.

Please do not credit/discredit Steve Jobs for whatever happens at Apple. He was not the guy who coded Mac OS X. He is not the primary reason it is so secure.

Quote:

Originally Posted by nepcker

Don't use an 'admin enabled' account

I hate to disagree but this is advice that is derived from paranoia. Mac OS X is highly secure and it does not require you to have lesser privileges to be safe. That is what differentiates it from Windows.
I use an administrator account and surf the web completely without fear. Yes, I have a pop-up blocker and firewall turned on but that's it. I have never had any problem related to viruses or spyware.
The attack demonstrated by the winner is a real threat but keep in mind that Mac OS X is not any less secure just because someone found a hole in Safari. There must be several other holes in Mac OS X but the fact is that there is not even a single virus for it out there in the wild even today. It is highly secure.
A hole was discovered, everyone is surprised. It will be patched. Software will always be vulnerable to attacks. But at the end of the day, I know that I cannot use Windows without anti-virus and anti-spyware programs (heck, I couldn't subject myself to it for long hours even if it was as secure as Mac OS X) while I can, and do, use Mac OS X in its default state.

[freebird]

Quote:

Originally Posted by freebird

Well,even if volume of users increases,UNIX wont be much affected by Viruses.
THis is explained if u study the unix architecture.
http://www.linuxinsider.com/rsstory/54742.html

As with MAC,these vulnies are caused bcoz of its closed source and propreitory approach.

Quote:

Originally Posted by aryaaysh

LOL! This is one of the more ridiculous statements I have seen on this forum. Just because you Linux fans want Apple to open the source of Mac OS X because you guys want everything to be free, does not mean that OS X is insecure because of the closed source. If anything, it is more secure because the source is not entirely open.

who wants it free?and we dont want apple to open source its codes originally from BSD UNIX.It is the Apple ppl who looted from FreeBSD to make Mac OS X ,thanks to their BSD license ,LOL ur contradicting here,let MAc fanboyism be controlled

Open SOurce is more stabler with fast patches whether u admit or not.Linux is anytime better and stronger than ur Mac OS X.

Quote:

Darwin, the core of Apple's Mac OS X, borrows heavily from FreeBSD, including its virtual file system, network stack and components of its userspace. Apple continues to integrate new code from and contribute changes back to FreeBSD. The open source OpenDarwin, originally derived from Apple's codebase but now a separate entity, also includes substantial FreeBSD code. In addition, there are a number of operating systems originally forked from or based on FreeBSD including PC-BSD and DesktopBSD, which include enhancements aimed at home users and workstations;

http://en.wikipedia.org/wiki/FreeBSD#Derivatives

Quote:

In early May I posted benchmarks comparing Linux and OS X on a MacBookpro running my R packages (I later added Windows XP benchmarks). In one of the original benchmarks, both Linux and Windows XP were more than twice as fast as OS X. And in a second (more representative) benchmark, Linux was about 20% faster. The benchmarks were posted on Digg and a variety of other high traffic Internet websites such as OSnews. This attention generated a lot of comments and suggestions.

http://sekhon.berkeley.edu/macosx/
^ read for now and enjoy!but anytime being a UNIX user is better than Windows!

[mehulved]

Quote:

Originally Posted by aryayush

LOL! This is one of the more ridiculous statements I have seen on this forum. Just because you Linux fans want Apple to open the source of Mac OS X because you guys want everything to be free, does not mean that OS X is insecure because of the closed source. If anything, it is more secure because the source is not entirely open.

Totally wrong assumption. Open source code doesn't in anyway make software more vulnerable. A good coder will never hard code data into the software. So, if the data isn't hard coded then it is still as obscure so there's no real vulnerability.
In fact on the other hand if you want to argue that due to the fact that source is open, hackers can expose faulty logic or an error in the program that is true. But remember there are hundred times more people looking at the same code without malicious intentions. So, open sourcing it rather makes security better.
Who the hell said anything open source is free?
And anyways how much of Mac's base is actually non-open source? X server, BSD kernel, unix toolchain, and lot more are all open source. Ever wonder why Mac prefers BSD, which again is open source?
It's cos softwares under BSD license are mostly high quality and second to none. And they are so confident of their capability that they don't only show their code but also allow it to be used commercially without receiving any payments.
Not an ideal situation for a commercial venture but universities and talented individuals can always release high quality code under BSD license.
aryayush please read a bit on open source before making such comments.

[aryayush]

Look, I do not have a problem with open source software. I like open source stuff (except Linux distros and Firefox).

But I do have a problem with this attitude that everything should be free. And if you are honest, you will agree with me that most open source enthusiasts have this attitude. I say "most" because I know that some don't. But most do.
I am tired of hearing people whining that Apple should open the source code of Mac OS X. They say that it will improve the security or help Apple in one way or the other. But everyone knows that such a step would only give away Apple's proprietary technologies which would immediately be snapped up by all other operating systems, nulling the advantage of Mac OS X that Apple can offer to its customers.

What will happen if they open the source code? Linux distributions will become clones of Mac OS X, maybe even better due to the efforts of thousands of independent and passionate developers. And what is the price of Linux distros? Well, I know it as well as anybody else that most of them are free.
So if Apple opens the source code of Mac OS X, Linux users will get Mac OS X for free. This is something that freebird and eddie know and want. This is the sole reason they keep saying that Apple should open the source code of Mac OS X. No one gives a **** about what would happen to Apple if they did that.

mediator posted a thread the other day about some article that says Microsoft should open the source code of Vista if they want to survive. I, on behalf of Microsoft, would like to give the author of that article (whoever he/she is) the famed salute that requires the use of only one finger.


Such opinions and posts are all derivatives of the basic instinct of open source enthusiasts that I mentioned before - "you guys want everything to be free".

I am not pointing a finger at anyone in particular and any names I have mentioned are purely for reference purposes. If anyone feels insulted, they should probably give up their Internet and phone connections today.

[shantanu]

is it a big deal that MAC OS X got hacked...

Quote:

Nothing is IMPOSSIBLE , even the word itself says I M Possible

so its not a big deal to hype so much..

[praka123]

Oh! So Linux users are waiting for apple to open Mac OS X!gr8 lies are made in this forum,thx to fanboyism.I can assure u that I DONT want Mac computer even given free.

[infra_red_dude]

Quote:

Originally Posted by aryayush

What will happen if they open the source code? Linux distributions will become clones of Mac OS X, maybe even better due to the efforts of thousands of independent and passionate developers. And what is the price of Linux distros? Well, I know it as well as anybody else that most of them are free. So if Apple opens the source code of Mac OS X, Linux users will get Mac OS X for free. This is something that freebird and eddie know and want. This is the sole reason they keep saying that Apple should open the source code of Mac OS X. No one gives a **** about what would happen to Apple if they did that.

so what abt it? when u claim that mac os x is the best, wudn't it be good if everyone can haf it? why are you hell bent on making people pay for something??!! why can't others haf it for free if its possible? the bold part clearly indicates jelousy! u speak as if u own apple or that if apple makes things open source and people dun buy apple products then ur salary will be cut and u mite've to come on the road!

apple can still sell the harware and software separately. give users a choice!

Quote:

Originally Posted by aryayush

But everyone knows that such a step would only give away Apple's proprietary technologies which would immediately be snapped up by all other operating systems, nulling the advantage of Mac OS X that Apple can offer to its customers.

come on man! who will copy a copy cat itself??!!! the core, the vfs, the networking components everything's been directly lifted! who will wanna copy it again??!! and for what???

Quote:

Originally Posted by aryayush

I, on behalf of Microsoft, would like to give the author of that article (whoever he/she is) the famed salute that requires the use of only one finger.

i never knew u even own MS!!! pal, even ur employees (MS staff) are not that rude!!!

Quote:

Originally Posted by aryayush

If anyone feels insulted, they should probably give up their Internet and phone connections today.

a more polite disclaimer wud've been much better!!!

************************************************** **************

this is fanboyism at its peak! now after reading all this if steve jobs or the board of directors of apple don't hire you then apple's sure gonna lose a lot in business! how can they ignore a person like u man??!!!

ps: btw, of all ur signatures ur current one is the most sensible according to me!

[freebird]

A known fanboy he is.someone should link his posts to apple's site

[nepcker]

RoughlyDrafted has a nice reply to the original InfoWorld article. Check it out: http://www.roughlydrafted.com/RD/RDM...19B6FF352.html

@freebird:

Quote:

As with MAC,these vulnies are caused bcoz of its closed source and propreitory approach.

I found this funny as well.

Quote:

Open SOurce is more stabler with fast patches whether u admit or not.Linux is anytime better and stronger than ur Mac OS X.

Another funny statement, especially considering the fact that Apple delivers patches quicker than any other do. Agreed, Linux delivers fast patches do -- but Apple delivers it more quickly.

@aryayush:

Quote:

Please do not credit/discredit Steve Jobs for whatever happens at Apple. He was not the guy who coded Mac OS X. He is not the primary reason it is so secure.

Of course, Steve Jobs should not be given the entire credit/discredit for what Apple does. But at the heart of Mac OS X lies the code of software he and a couple of other people developed at NeXT.

Quote:

I am tired of hearing people whining that Apple should open the source code of Mac OS X. They say that it will improve the security or help Apple in one way or the other. But everyone knows that such a step would only give away Apple's proprietary technologies which would immediately be snapped up by all other operating systems, nulling the advantage of Mac OS X that Apple can offer to its customers.

I agree. But given Apple's recent track record, I don't think that OS 10 will ever go opem-source.

@shantanu_webmaster:

Quote:

is it a big deal that MAC OS X got hacked...

Until a lot of details are published about this, I'm not even going to acknowledge that a true hack has occurred.

For one thing, the standards of the so-called hacked machine have not been stated, and it may very well be that it was compromised just so such an exploit could occur. What, you have total faith in the honesty of this contest?

[shantanu]

Quote:

Originally Posted by nepcker

Until a lot of details are published about this, I'm not even going to acknowledge that a true hack has occurred.

For one thing, the standards of the so-called hacked machine have not been stated, and it may very well be that it was compromised just so such an exploit could occur. What, you have total faith in the honesty of this contest?

did i say something wrong... only common sense needed to understand such simple comments... i aint saying it been done or not.. but am sure that
it can be done

nothing is impossible...

[mehulved]

Well I am leaving this thread. Just smells of fanboyism from all the 3 sides - mac, linux and windows. No use of talking sense here.

[infra_red_dude]

^^^ very true mehul!

[gxsaurav]

what...did i missed everything

[infra_red_dude]

yeah... kinda.. we were expecting you!

[gxsaurav]

damn, had an exam followed by seminar of TIME. too busy these days

[nepcker]

Yes, macs are hackable. What's more, hacking a mac is way too easier than hacking a Windows PC. Here are the steps which you can follow to hack a mac:

Step 1: Find a dude with a mac running.
Step 2: Tap on his shoulder, and state something like "Hey, is that Steve Jobs over there using an iPhone?".
Step 3: Quickly rip the Mac from his hands, and run like hell.
Step 4: Pray that he was logged on as an admin, so you can change the rights.

See? It is crystal clear that the mac is more hackable. In my attempts with Windows systems, I had to perform Step 2 several times over to try and get the driver disks, Service Pack 2, the anti-virus program manual, et cetera. I have also noticed that the mac I own, the Mac Pros are more secure, as the hacker will probably fail in the step 3 process.

Seriously, I know there are holes in the Mac OS X, as there would be with any. The line about Mac not spending enough time on security when compared to Windows is a crock, as they (and the UNIX developers) started working on security about twenty years before Windows even considered it. I think it would be very interesting to see the code behind the hack, as I suspect it actually may be more like my "comedic code" above than a true, and grave threat.

There are currently zero real viruses for Mac OS X. It's not that it is impossible to infect or exploit a Mac, it's that Apple hasn't shipped millions of Macs listening wide open for commands to act upon, or shipped a web browser designed to naively run programs like Microsoft's ActiveX did, or installed an email program designed to automatically run commands that arrive as attachments as Outlook did. To say that Macs are not targets for hacking because there are not enough of them installed is just plain ridiculous.

If you still are under the illusion that this was really a hack, here's a great link for you to check: roughlydrafted.com/RD/RDM.Tech.Q2.07/616874CC-35CE-49D3-B859-C2719B6FF352.html

[eddie]

Quote:

Originally Posted by aryayush

This is something that freebird and eddie know and want. This is the sole reason they keep saying that Apple should open the source code of Mac OS X.

Man...oh...man...
Does your imagination run wild or what!!! Do you just keep shooting crap out of your mouth or do you have some valid links where I said that "Apple should open their source code"? Is it something you dreamed about or is it another one of your "thoughts"? All I have ever done is to get Apple fanboys in a line when they were whining about Windows "copying" from Apple OS. All I ever said was that Apple should contribute something back from the place where they "copy" so much!!!

Quote:

mediator posted a thread the other day about some article that says Microsoft should open the source code of Vista if they want to survive. I, on behalf of Microsoft, would like to give the author of that article (whoever he/she is) the famed salute that requires the use of only one finger.

There is another finger adjacent to that "salute" finger of yours...it is known as "Index Finger". Use it to click on the link of that article and then use your eyes (they are two things just above the nose on your face) to read it...once you are done with reading the article...read the articles that are linked to it. Those articles give some valid points and are written by professionals...they are not comments of some random 19 year old who has problems with reading long articles but love to rant without any reasons.

Quote:

I am not pointing a finger at anyone in particular and any names I have mentioned are purely for reference purposes. If anyone feels insulted, they should probably give up their Internet and phone connections today.

People who rant and mention names just for the heck of it without any valid points backing up their statements should give up their computers and watch WWF on their TVs

[xenkatesh]

i dont think so apple will come forward to release the Source code for Max OS X

[freebird]

now who wants apple to open source os x,it is a wrong accusition by a fanboy.Apple OS X heavily depends on Free BSD which is open sourced-thats what i want 2 say.