the exploit that wasn't

egg on the face of infoworld -

Nancy Gohring, writing for InfoWorld, delivered a misleading report
yesterday on a Mac security exploit contest held at the CanSecWest
conference in Vancouver, BC.

In her defense, it appears likely that Gohring did not write the
headline for her InfoWorld article, which described the contest winner
as being "able to remotely break into a Mac as part of a contest
designed to illustrate security flaws in OS X." That part was simply

Whoever did write the headline must have been smoking weed in
celebration of 4/20, because Gohring's article clearly described a local
exploit. There's a big difference between the remote exploits that made
Windows infamous for its insecurity and a local exploit of an

Gohring reported that "contestants were invited to try to access one of
two Macs through a wireless access point while the Macs had no programs
running. No attackers managed to do so, and so conference organizers
allowed participants to try to get in through the browser by sending
URLs via e-mail."

Opening an email URL that exposes a security flaw in Safari is both news
to report and a problem for Apple to tackle, but reporting it as a
remote exploit is inaccurate, irresponsible, and sloppy journalism,
particularly for IDG's InfoWorld, which purports to be an authority on

Gohring's Mac Security Myths.

Beyond the glaring error of conflating a remote exploit with something
that requires a concerted effort between a user acting locally on the
machine and an outside party, Gohring's article perpetuated a number of
myths about Mac security.

Gohring quoted Dragos Ruiu, the principal organizer of the security
conference, as saying, "You see a lot of people running OS X saying it's
so secure, and frankly, Microsoft is putting more work into security
than Apple has."

Of course, the reason why Microsoft has been forced to 'put so much work
into security' is because of the infamous reputation the Windows
platform has earned as a security nightmare. Microsoft was entirely
blind-sided by the Windows security crisis, and was forced to attack its
security problems out of embarrassment.