The Mac Got Cracked (via Safari zero-day vulnerability)

That Mac running Mac OS X is no longer a virgin. It got cracked.
I might as well be the guy to announce it here since I have been
following Mac security issues closely for the last two years.

Definition of a zero-day vulnerability:
vulnerability:<http://en.wikipedia.org/wiki/Zero-day_Attack>

A zero-day (or zero-hour) attack is a computer threat that exposes
undisclosed or unpatched computer application vulnerabilities. Zero-day
attacks can be considered extremely dangerous because they take advantage of
computer security holes for which no solution is currently available.

The zero-day vulnerability in Safari was discovered by Dai Zovi
at the CanSecWest conference as part of the 'PWN to Own"
hack-a-mac contest. He teamed up with Shane Macaulay to manifest
the break-in. The contest required cracking into one of two
MacBook Pro machines then finding a file on the hard drive that
described how to report the crack to TippingPoint, who offered
the MacBook Pro and $10,000 to the winner.

Details of the zero-day vulnerability have not yet been
disclosed. But the crack required someone with an account on the
MacBook Pro to access a particular web page using the Safari
browser. This was a relaxation of the first day's rules of the
contest, but is nonetheless relevant to the average Mac user's
computer security. Because merely visiting the attacking website
was required, I personally have to assume that the vulnerability
in Safari is related to scripting.

Sadly, scripting (such JavaScript and AJAX) has compromised the
original intention of the World Wide Web which was for web pages
to be unable to install malicious software on any computer.
Scripting has become incredibly popular on the net because of the
remarkable effects and functionality it provides.

In any decent web browser, including Safari, it is possible to
disable scripting. However, you end up losing considerable
functionality on many site.

The "Security Now!" podcast has covered the problems with
Internet scripting repeatedly over the last year. Steve Gibson of
GRC, the security expert of the podcast, specifically recommends
that no one ever surf the net with scripting enabled. Once a user
has established that a particular website is safe and reliable,
they can then turn on scripting for just that site.

<http://www.grc.com/securitynow>

Flipping scripting on and off while surfing the net can be a pain
in the neck in most browsers. The exception that I know of is
OmniWeb for Mac OS X. You can turn scripting OFF by default, but
you are able to set preferences for every individual website such
that when you visit an approved site, scripting is automatically
enabled without any effort on your part. OmniWeb is an
inexpensive shareware web browser. Many people shy away from
having to pay for a web browser. But this feature is one of many
reasons I recommend OmniWeb above and beyond any other web
browser for Mac. A free alternative is to user FireFox along with
an installed extension that lets you control scripting on
individual web sites.

Until the details of this crack are published and hopefully Apple
has come up with a security update to repair the vulnerability, I
personally recommend concerned Macintosh users should turn off
scripting on their web browsers.


Conclusions:

1) As we all knew, there is no such thing as a perfect operating
system. We remain in what I call 'The Stone Age Of Computing'
where computing remains fundamentally a PITA.

2) Mac OS X has security vulnerabilities, and for the first time
one of them has been publicly exploited to crack into a Mac
machine.

3) What this bodes for the future is as yet unknown. The level of
access obtained by the crackers has not been disclosed, but at
the very least they were able to access files in the currently
running user account. Whether this means bots could successfully
be installed and run on the Mac to make it a zombie is not clear,
but appears to be unlikely. We shall see!

4) One crack into a Mac does not equal the HORROR that all the
FUD mongers have been flooding us with for the past couple years.
It means there has been one single successful crack into the Mac.
Compare that to the thousands of cracks into Windows PC machines
and you will discover some sane perspective. The Macintosh still
remains the single most secure GUI computer on the market today,
and it is likely to remain that way into the distant future.
Don't forget that there have already been three different methods
for cracking Windows Vista demonstrated.

5) Challenging Macintosh security is not just a good thing. It is
a GREAT thing! Apple were sitting on their butts regarding
security two years ago. Yeah, we had to suffer through some
insufferably stoopid anti-Mac security FUD recently, but the good
thing that came out of it was that Apple got serious about
security and have been patching security vulnerabilities in a mad
rush lately. Bravo! This is the process by which the Mac will
remain the most secure GUI computer on the market.

6) Expect the WinTrolls to cum all over themselves because of
this news. Pity them. They are still on Windows, which remains
the most insecure operating system on the market.

Share and Enjoy!

:-Derek

--
Fortune Magazine 11-29-05: What's your computer setup today?
Frederick Brooks: I happily use a Macintosh. It's not been
equalled for ease of use, and I want my computer to be a tool,
not a challenge.
<http://money.cnn.com/magazines/fortune/fortune_archive/2005/12/12/8363107/>
[Frederick Brooks is the author of 'The Mythical Man Month'.
He spearheaded the movement to modernize computer software
engineering in 1975.]
.

Loading