Contest winner: Vista more secure than Mac OS

[alsiladka]

Source : Macworld

Quote:

Dino Dai Zovi, the New York-based security researcher who took home $10,000 in a highly-publicized MacBook Pro hijack on April 20, has been at the center of a week’s worth of controversy about the security of Apple’s operating system. In an e-mail interview with Computerworld, Dai Zovi talked about how finding vulnerabilities is like fishing, the chances that someone else will stumble on the still-unpatched bug, and what operating system — Windows Vista or Mac OS X — is the sturdiest when it comes to security.

Friday, the vulnerability was first identified as within Safari, but by Monday, QuickTime was tagged. Why the confusion?
I knew exactly where the vulnerability was when I wrote the exploit; that is part of the basic vulnerability research usually required to write a reliable exploit. I intentionally did not reveal where exactly the vulnerability was in order to prevent others from reverse engineering the vulnerability from those details. Initially, I was only revealing that the vulnerability affected Safari on Mac OS X, the target of the contest. However, now ZDI [3com TippingPoint’s Zero Day Initiative] has been willing to publicly reveal that it affects many more system configurations, including all Java-enabled browsers on Mac OS X and Windows if QuickTime is installed.

As you were working with the vulnerability and exploit, did you know that it would impact non-Mac OS X systems?
I had suspected that it might affect other platforms running QuickTime, but I did not have time to look into it.

You found the vulnerability and crafted an exploit within 9 or 10 hours. And you’ve said ‘there was blood in the water.’ Does that mean you had a head start — in other words, prior research — or was it all built from scratch? Is it really that easy to dig up a vulnerability?
I had found other vulnerabilities in Mac OS X and even QuickTime in the past, so I had some familiarity with the code, but I only discovered this vulnerability that night. My quote that there was “blood in the water” referred to the fact that there were reports of other vulnerabilities in QuickTime, and even Java-related vulnerabilities in QuickTime over the last few years. In my experience, if a certain software package has had vulnerabilities in the past, it is more likely to contain other undiscovered vulnerabilities.

Halvar Flake and Dave Aitel, two prominent security researchers, use the fishing metaphor to explain vulnerability finding. Some days you go out and catch nothing, some days you catch something great. Sometimes you hear about some great fishing happening in a stream somewhere and there are lots of fish to catch until everyone else starts fishing there and the stream becomes overfished. In this case, I suspected that there would be good fishing in QuickTime and I got lucky and found something good in a short amount of time. This is far from the first time that I’ve gone fishing for vulnerabilities, however.

After the positive ID of the vulnerability, there were some unconfirmed claims that your exploit had been snatched at CanSecWest. Although those reports have been discounted, what can you tell us about how you protect your findings? And what are the chances that someone will independently dig out the vulnerability based on the limited information made public?
I do everything that I consider reasonable to protect my security research. I keep exploits in encrypted disk images that are only mounted when necessary on hardened systems that are not always powered on. I am very conservative in what details I share and with whom in order to tightly control knowledge of the vulnerabilities. I often give my exploits non-obvious code names so that I can refer to them over non-encrypted channels without revealing anything about them. [But] with the details that have been released so far, I believe that is a very real possibility that someone may be able to independently dig out the vulnerability, but it won’t exactly be trivial and I hope that whoever does acts responsibly with it.

With the ongoing ‘Mac OS X is safe’ vs. ‘You’re in denial’ debate, what would you recommend to a Mac user as reasonable security precautions?
I recommend that Mac users make their primary user a non-admin account, use a separate keychain for important passwords, and store sensitive documents in a separate encrypted disk image. I think these are fairly straightforward steps that many users can take to better protect their sensitive information on their computer.

As a researcher who works often in Mac OS X, what’s your take on the amount of information that Apple releases when it patches vulnerabilities?
I think that the amount of information that Apple releases with its patches is sufficient in the level of detail for a knowledgeable user to determine the criticality of the vulnerabilities. They do not, however, provide guidance on the level of criticality of the security update for less technical users. I do not think this is too much of an issue, though, as I believe that the vast majority of users should simply patch the security vulnerabilities as soon as possible regardless of their criticality.

How important in this case was it that 3com TippingPoint stepped up with a $10,000 prize? Would you have bothered if the prize money had not been there?
For me the challenge, especially with the time constraint, was the real draw. I also hoped that the live demonstration of a Mac OS X exploit would provide some much needed hard evidence in the recent Mac security debates.

From your research on both platforms, is there a winner between Mac OS X 10.4 and Vista on security?
I have found the code quality, at least in terms of security, to be much better overall in Vista than Mac OS X 10.4. It is obvious from observing affected components in security patches that Microsoft’s Security Development Lifecycle (SDL) has resulted in fewer vulnerabilities in newly-written code. I hope that more software vendors follow their lead in developing proactive software security development methodologies.

What are you spending most of your time on these days? Last October, for instance, there were news stories that mentioned you showed a VM rootkit to developers at Microsoft.
I recently co-authored a book, The Art of Software Security Testing: Identifying Software Security Flaws, which was just published by Addison-Wesley Professional in December. Also since around that time, I have been managing information security for a financial firm in New York City. I do still spend some of my free time researching software vulnerabilities, VM hypervisor rootkits, and 802.11 wireless client security.

Now we will see all Mac lovers bullying this interview and rubbishing the claims. I somehow wonder why Mac and Open Source fans get so wild at any comment about the security of the OSs. I dont remember seeing windows fan behave like this.

[rakeshishere]

OMG!!!...Not again

[iMav]

well they are all gonna point out the fact that the bug also affects windows ... thats what nepcker posted in this section some days ago ....

[ketanbodas]

Whadda? Macworld reporting it ? But it does not mean anything. Mac may be good. But Vista is good too, I knwo.

[freebird]

I dont understand why these people wants to backup M$ for everything.I can suspect that as per M$ trackrecord they can buy anything-YES ANYTHING,be it a positive reply from this so called mac hacker can be bought too.even that macreporter site.they can make NEWS positive.
Microsoft as of Now is world's richest Companies with almost no Business ethics.they can sue anyone for patents,can create troubles for Other better OS like GNU/Linux by trying anything:
as of latest:
Microsoft's 'Men in Black' kill Florida open standards legislation
http://en.wikipedia.org/wiki/United_States_v._Microsoft
http://en.wikipedia.org/wiki/Europea...antitrust_case
http://weblog.infoworld.com/openreso...ofts_anti.html
M$ Vista cant be that secure as with UNIX based MAC.

Quote:

Yes, Linux/Unix/MacOSX/Anything is more secure than Windows
I can't believe some folks are still defending Window's security model, or more accurately the absolute lack of one. The executive summary: Linux, Unix, and Mac OSX are inherently far more secure than Windows. Windows is insecure to the core. It's akin to rubbing yourself with honey and lying on top of an anthill.

Here are a few links discussing the whys and wherefores:

Is Windows inherently more vulnerable to malware attacks than OS X?
http://weblog.infoworld.com/enterpri...dows_inhe.html

Security Report: Windows vs Linux
http://www.theregister.co.uk/securit...dows_vs_linux/

Ed Sawicki is a brilliant computer guru:
Windows vs. Linux Security
http://www.biznix.org/articles/winlinsecure.html

You don't have to buy anti-virus and anti-malware programs for *nix, unless you are running *nix mailservers with Windows clients.

*nix machines cannot become infected from visiting a Web site or downloading infected email.

You can expose a properly-configured *nix machine to the Internet with no firewall. It's not even difficult- a stock Ubuntu install is one example.

When the richest, most powerful software company on the planet can't produce a decently secure operating system, and has to resort to blaming end users, especially when they market heavily to unsophisticated users, there's something fundamentally wrong. They're either incapable or unwilling.

Anyone who claims "windows gets attacked more because it has more market share" gets sent to the corner with a dunce cap. Anyone who really believes this should not be running computers of any kind. First of all it's false- the installed base of non-Windows operating systems outnumbers all Windows machines. Secondly, it demonstrates ignorance of the fundamental differences between Unix-type operating systems and windows.

http://forums.serverwatch.com/showpo...23&postcount=1

Quote:

From a Software User's Perspective

From a Software User's Perspective

• Bloat
• Backward incompatibility
• Perpetual upgrading
• Vaporware
• Hostile treatment of customers
• Predatory practices
• Bundling of inferior products
• Bugs, bugs, and more bugs
• Insecurity

From a Technical Perspective

• Closed "standards"
• Mutilation of existing standards
• Lack of innovation

From the Perspective of Everybody Else

• Attempts at taking over appliance markets
• Attempts at buying the public's trust
• Outright deception

Common Defenses of Microsoft Debunked

• Microsoft is ahead because their products are superior
• Microsoft should not be punished for its success

Vaporware

Whenever Microsoft spies yet another potential market which it thinks is ripe for taking over it generally announces its intention to move aggressively into that market. Microsoft frequently announces new products for these markets that they will ship soon regardless of whether or not they have any genuine interest in actually shipping said products. What this frequently leads to is that people stop buying software in this market because they want to wait for the Microsoft version. Unfortunately if Microsoft sees the market drying up they usually just walk away and never deliver their promised products. The end result is that the small software companies in these markets take a very big hit and frequently go under while consumers end up without their promised product.

source

as to the author of the thread:dude!I've gone through ur threads/posts U r such a windows only believer!try a dual boot with Ubuntu/Kubuntu+Beryl to have some ideas about other OS`s (esp UNIX* like) before supporting the monopoly OS.
http://whylinuxisbetter.net
So M$ users think again.

[iMav]

^^ he just reported a news item which is an interview of an individual who did something which members cannot come to terms with and their egos are hurt coz theyv been brought down to earth .... as far as u are concerned if u dont like windows dont like it no 1 is telling u to like it .... and as far ur stupid quote of the vaporware is concerned ... open source has no idea of how a business is run so theres no point of commenting on it and yeah open source is a community who cannot and/or do not want to pay for something and rather prefer fukat ka maal and wud rather type long commands than make a few clicks ....

iv used slax, ubuntu and almost every version of windows from 95 .... and as far as im concerned .... i wud prefer windows 98 to ubuntu or slax if ur talking abt security i was only infectd once in my 4 years of windows 98 by a virus and tht too was thanx to norton who wasnt capable enought todetect it ... so it actually depends on the user as to what he does .... go to a warez site and then cry i got infected and windows is insecure is BS

[freebird]

wowowow!!!^_^(vishta effect eh?)
baba cant digest the realitY!Open Source Software does make money..for eg:Redhat,cannonical biggies.FOSS depends on the subscription model.there is a diff btw FOSS and OSS see below site:
http://www.follars.com/
http://linuxlookup.com/2007/apr/25/o...urce_and_money
http://www.builderau.com.au/strategy...9191343,00.htm
http://www.google.co.in/search?sourc...urce+and+money
http://www.manageability.org/blog/ar...ke_money1/view


Now what u quote in defense is absolutelY c*ap!! what M$ insticts spreads to their (some)users!they too start FUDing!!...
U r just too much of a M$ fan...I pointed out the reality dude!take it.I know of some M$ tools who posts for defending every thing M$...
Face It Open SOurce Linux OS is EATing ur M$ Winwows=reality dont grudge over that.
Linux Looks gr8 ,better and easy to customize.again FUDing

[iMav]

obviuosly the market is so big that every1 can survive what reality did u point out that linux has eaten MS' market share off course it has just as phpbb has vb or ipb .... however as an end user ur last line has no standing what so ever

and u showed me redhat wasnt there a linux company which MS tied up with .... thats what happens in business as long as linux doesnt have 1 or 2 corporates running it it will survive the moment corporates start claiming it and selling it its not gonna with stand MS or apple

[eddie]

Quote:

Originally Posted by mAV3

yeah open source is a community who cannot and/or do not want to pay for something and rather prefer fukat ka maal and wud rather type long commands than make a few clicks ....

..and I am just guessing you did pay for your copies of Windows 98, 2000/Me, XP, Vista and Norton? Yes tell me you did. I love hearing jokes.

Please think before making generalized statements. If we go by your logic, Open Source users will also start saying that Windows/Proprietary software users are pathetic buffoons who like to steal and pirate someone else's hard work. What will happen to this forum then? Just mud-slinging?

[gxsaurav]

el mooooo

what makes u think every windows user pirates?

[eddie]

^ The same thing that makes him think whole open source community prefers fukat ka maal. It was a way to make him realise how bad generalized statements are!!!

[mehulved]

Quote:

Originally Posted by mAV3

open source has no idea of how a business is run so theres no point of commenting on it

Well I can all but laugh at this. What are you a big business tycoon?

Quote:

Originally Posted by mAV3

open source is a community who cannot and/or do not want to pay for something and rather prefer fukat ka maal and wud rather type long commands than make a few clicks ....

Get well soon mamu, you are really living in your own fantasyland. Be careful or reality will hit you too hard.

[praka123]

as reg Open Source and money making,@meditator got some link showing who is involved mostly in Linux kernel development.
edit:found link

Who writes the Linux kernel?

Big and small companies alike,they send their patches and makes the kernel more better day by day!.
can we have the title edited?
Contest winner: GNU/Linux more secure than Mac OS and Vista

[iMav]

Quote:

Originally Posted by tech_your_future

Get well soon mamu, you are really living in your own fantasyland. Be careful or reality will hit you too hard.

and what reality is that ???

@eddie ... i wonder which open source software can be bought in other words which is not a fukat ka maal ...

and really want to know from the open source guys here waht reality are they talking about every thread they say reality reality what reality are they talking about ...

[nepcker]

The interview was good, but the headline was FUD. Something like "Mac Hack Contest Winner Thinks Vista is More Secure than Mac OS" should have been the headline.

Quote:

Originally Posted by Dino Dai Zovi
I had found other vulnerabilities in Mac OS X and even QuickTime in the past, so I had some familiarity with the code, but I only discovered this vulnerability that night.

So why didn’t he use them? Why did the boxes go unhacked until the rules were bent?

Quote:

Originally Posted by Dino Dai Zovi
I think that the amount of information that Apple releases with its patches is sufficient in the level of detail for a knowledgeable user to determine the criticality of the vulnerabilities.

I think it is in Apple’s best interest not to provide more information. The less they know the harder it makes it for people like this.

Quote:

Originally Posted by Dino Dai Zovi
For me the challenge, especially with the time constraint, was the real draw. I also hoped that the live demonstration of a Mac OS X exploit would provide some much needed hard evidence in the recent Mac security debates.

I'm still waiting to see that one… The hacker never breached OS X until the rules were altered. The only thing that was displayed was some hack that required user input and not a standalone box. I think the best conclusion is that the browser is a security sore spot for any platform.

[iMav]

Quote:

Originally Posted by nepcker

Unix + Macintosh interface = OS X = happiness in work for me & many others.

pure sensationalism

Quote:

Originally Posted by nepcker

All that is Microsofty = lame.

horses**t.

[nepcker]

The QuickTime flaw has now been patched. Check out http://www.thinkdigit.com/forum/technology-news/56700-quicktime-update-patches-java-flaw.html#post487742 for more details.

Get the latest version of QuickTime from Apple.com.

W00t for Apple. They addressed this pretty quick, so that will hopefully calm down this tempest of OS X doomsayers that have been coming out of the woodworks over the last two weeks.

Now, let's all go and install this update yeah?

[alsiladka]

@freebird

LOL You could not be more blind could you!!!
Which was the company which got their lawyers together and started sending off notices to BLOGS, for all that they was post pics of the companies future phone #@$% Money Power Man!!!!!

Which company starts suing people just because the are using half a word from the company's hot selling product. I am not sure of the word, but i had read in TOI that the company says that word belongs to them and other people cannot use that word.

And about saying that MS bought positive reply from this hacker, man, you can really be the creative head of some advertising agency

About my windows only love, who said i am a windows only lover.

I would love to have a MAC, but it is out of my budget. But i am pretty happy with windows, have not been infected more than twice in the 5 years of using it with internet. Like its user friendliness and customization.

I respect UNIX and Linux, but feel they are more suited for Sys Admin controlled & deployed offices and cos. where the work is restriced to Non Multimedia kinds. Forgive me for being ignorant, but You tell me, does Linux support Games and Multimedia as easily and nicely as Windows or MAC?

[gxsaurav]

Quote:

Originally Posted by nepcker

So why didn’t he use them? Why did the boxes go unhacked until the rules were bent?

The exploit required safari & a url to break the flaw, obviously it needed the rules to chage for the user to work in a more real world scenerio.

Quote:

I'm still waiting to see that one… The hacker never breached OS X until the rules were altered. The only thing that was displayed was some hack that required user input and not a standalone box. I think the best conclusion is that the browser is a security sore spot for any platform.

For your kind arrogence, each & every hack requires user interaction. Just like I said in that thread, do u start your Mac & don't start any app to work on it? nepcker to be very frank your posts are stupid & baseless.

Quote:

I respect UNIX and Linux, but feel they are more suited for Sys Admin controlled & deployed offices and cos. where the work is restriced to Non Multimedia kinds. Forgive me for being ignorant, but You tell me, does Linux support Games and Multimedia as easily and nicely as Windows or MAC?

You are absolutely right about lack on linux here, linux users have been saying that is easy. Well....i tried in the last few days. Will post my verdict soon from a user point of view

[eddie]

Quote:

Originally Posted by mAV3

@eddie ... i wonder which open source software can be bought in other words which is not a fukat ka maal ...

RHEL
SLED
MySQL
Crossover Office
Cedega...to name a few!

Also, if open source community members prefer "fukat ka maal" then what do you think stops us from pirating Windows and other paid software like millions of other people? Do you think open source community members don't have enough internet know-how to find these warez or do you think we do not have enough bandwidth to download them? If we preferred "fukat ka maal" then what do you think stops us from downloading a copy of a pirated Windows XP Professional CD from bittorrent and installing it on our systems? Nothing stops us dude...nothing at all!!! Its not about price, money or someone stopping us from doing it...it is about choices. We choose to use open source software because we are comfortable with them and find them much better than Windows counter parts for our usage requirements. Nothing more nothing less...so take your stupid generalization some where else and stay there!

[goobimama]

The Mac sucks at gaming...end of story.

^^Holy fricks. I forgot that I'm on the Mac side...^^

[mehulved]

Quote:

Originally Posted by goobimama

The Mac sucks at gaming...end of story.

^^Holy fricks. I forgot that I'm on the Mac side...^^

well atleast we know what the OS that we are using is capable/not capable of.

[iMav]

Quote:

Originally Posted by eddie

We choose to use open source software because we are comfortable with them and find them much better than Windows counter parts for our usage requirements.

thats the key word ... which implies that MS is not shitty and neither is windows its just that what u want is done better by linux and not by windows ... so if that is the sentiment shared by majority open source users then why bad mouth and bash microsoft and its products ...what ur requirements are fulfiled best by linux what our requirements are fulfilled best by windows ... so we should be both happy about the fact that we have suppliers in the market that cater to both our needs (not forgetting mac boys ) ... so i guess it is wrong tht people from open source community hi-jack threads which by title shud have had been between windows and mac and come here start bashing MS products ... and start telling every1 to "wake up to reality" ... when the reality is that linux requires more command lines than clics


PSand im not specifically pointing out to u

[nepcker]

Who contributed money to this conference?

Apple?.... Microsoft?

Quote:

Originally Posted by Dino Dai Zovi
For me the challenge, especially with the time constraint, was the real draw. I also hoped that the live demonstration of a Mac OS X exploit would provide some much needed hard evidence in the recent Mac security debates.

Does anybody else see the qualifier built into this statement? What about Vista's legacy code? Every OS has legacy code, and Vista is no exception here.

So he's comparing only the new parts of Vista, versus all of OS X -- both new and old. Where's the fairness?

The exploit he apparently exploited is an application issue not an OS issue. You cannot judge how secure OS X based on vulnerabilities in software working atop the OS. While we all understand that no computer is 100% secure, this "contest" is nothing more than the anti-Mac FUD machine going into high gear due to the growing interest in Macs and the lackluster adoption, if not outright rejection, of Windows Vista.

Quote:

Originally Posted by mAV3
well they are all gonna point out the fact that the bug also affects windows ... thats what nepcker posted in this section some days ago ....

I just posted a news item. I never defended Mac in the original "Myth crushed" thread by saying that it affects Windows too.

Quote:

Originally Posted by ketanbodas
Whadda? Macworld reporting it ? But it does not mean anything. Mac may be good.

This story is actually published by Computerworld, and was republished to the Macworld website. And whatever makes you think that Macworld won't write anything anti-mac. It gives a fair review of Apple -- crushes it when Apple does something bad, and supports it when it does something good.

And mac is good. Try using one and I'm pretty sure you'll get a mac for yourself.

Quote:

Originally Posted by alsiladka
And about saying that MS bought positive reply from this hacker, man, you can really be the creative head of some advertising agency

I believe this was a MS-sponsored event. Not sure about this, but I've read this somewhere.

Quote:

Originally Posted by goobimama
The Mac sucks at gaming...end of story.

^^Holy fricks. I forgot that I'm on the Mac side...^^

The mac just has less no. of games. But for the titles that are available, the mac performs equally well. The mac is not the best thing you can get for gaming, but most major game developers like EA, id software, Microsoft, Blizzard, etc. have mac versions of their games.

[iMav]

Quote:

Originally Posted by nepcker

It gives a fair review of Apple -- crushes it when Apple does something bad, and supports it when it does something good.

unlike members here who even at times dont accept the fact that apple can do some thing wrong

Quote:

Originally Posted by nepcker

And mac is good.

not the best and thats what most of us here have a problem with when u claim it to be the best

Quote:

Originally Posted by nepcker

I believe this was a MS-sponsored event. Not sure about this, but I've read this somewhere.

quite expected from u ... how about me saying that 90% of windows exploits are courtesy apple ... "Not sure about this, but I've read this somewhere."

[nepcker]

Here are the CanSecWest (the mac hack event organizer) sponsors:
Juniper Networks
Microsoft
Google
Core Security
VMWare
Qualys
Wurldtech
Insecure.org
Mail Channels
No Starch Press

Go to http://cansecwest.com/ and look for yourself. I guess all those companies have it in for Apple too?

[aryayush]

Quote:

Originally Posted by alsiladka

I dont remember seeing windows fan behave like this.

In that case, you either have a really (and I mean really) short term memory or you walk around with a blindfold around your eyes and plugs into your ears.

[i_am_crack]

Well Actually Its like you like your Pop more or your mom more...Or your GF.Ok I almost forgot your Computer more....

Man it goes like this....MS approached each and every corner of the world and gave out all they got right from schools raedhed upto corporate...

But the open source is like rebels came out from started flawing stuffs saying i am better in this and i am betterin that...well actually all has flaws..

Believe me I am sys admin for an mnc (8 years of exp)...I have worked in all the OS of MS and a lot on Unix , Linux (Red Hat, Suse, Ubuntu) also waiting for Gubunto)

Its all Liking tahtz it...

[nepcker]

hey i_am_crack,
You haven't used mac. It has the power of UNIX yet is the most easy-to-use. Try it!

[iMav]

hey nepcker where is ur price list ... a salesman w/o a price list