Re: The Mac Got Cracked (via Safari zero-day vulnerability)

Derek Currie wrote:
That Mac running Mac OS X is no longer a virgin. It got cracked. I might as well be the guy to announce it here since I have been following Mac security issues closely for the last two years.

Definition of a zero-day vulnerability: vulnerability:<http://en.wikipedia.org/wiki/Zero-day_Attack>

A zero-day (or zero-hour) attack is a computer threat that exposes undisclosed or unpatched computer application vulnerabilities. Zero-day attacks can be considered extremely dangerous because they take advantage of computer security holes for which no solution is currently available.

The zero-day vulnerability in Safari was discovered by Dai Zovi at the CanSecWest conference as part of the 'PWN to Own" hack-a-mac contest. He teamed up with Shane Macaulay to manifest the break-in. The contest required cracking into one of two MacBook Pro machines then finding a file on the hard drive that described how to report the crack to TippingPoint, who offered the MacBook Pro and $10,000 to the winner.

Details of the zero-day vulnerability have not yet been disclosed. But the crack required someone with an account on the MacBook Pro to access a particular web page using the Safari browser. This was a relaxation of the first day's rules of the contest, but is nonetheless relevant to the average Mac user's computer security. Because merely visiting the attacking website was required, I personally have to assume that the vulnerability in Safari is related to scripting.

Sadly, scripting (such JavaScript and AJAX) has compromised the original intention of the World Wide Web which was for web pages to be unable to install malicious software on any computer. Scripting has become incredibly popular on the net because of the remarkable effects and functionality it provides.

In any decent web browser, including Safari, it is possible to disable scripting. However, you end up losing considerable functionality on many site.

The "Security Now!" podcast has covered the problems with Internet scripting repeatedly over the last year. Steve Gibson of GRC, the security expert of the podcast, specifically recommends that no one ever surf the net with scripting enabled. Once a user has established that a particular website is safe and reliable, they can then turn on scripting for just that site.

<http://www.grc.com/securitynow>

Flipping scripting on and off while surfing the net can be a pain in the neck in most browsers. The exception that I know of is OmniWeb for Mac OS X. You can turn scripting OFF by default, but you are able to set preferences for every individual website such that when you visit an approved site, scripting is automatically enabled without any effort on your part. OmniWeb is an inexpensive shareware web browser. Many people shy away from having to pay for a web browser. But this feature is one of many reasons I recommend OmniWeb above and beyond any other web browser for Mac. A free alternative is to user FireFox along with an installed extension that lets you control scripting on individual web sites.

Until the details of this crack are published and hopefully Apple has come up with a security update to repair the vulnerability, I personally recommend concerned Macintosh users should turn off scripting on their web browsers.


Conclusions:

1) As we all knew, there is no such thing as a perfect operating system. We remain in what I call 'The Stone Age Of Computing' where computing remains fundamentally a PITA.

2) Mac OS X has security vulnerabilities, and for the first time one of them has been publicly exploited to crack into a Mac machine.

3) What this bodes for the future is as yet unknown. The level of access obtained by the crackers has not been disclosed, but at the very least they were able to access files in the currently running user account. Whether this means bots could successfully be installed and run on the Mac to make it a zombie is not clear, but appears to be unlikely. We shall see!

4) One crack into a Mac does not equal the HORROR that all the FUD mongers have been flooding us with for the past couple years. It means there has been one single successful crack into the Mac. Compare that to the thousands of cracks into Windows PC machines and you will discover some sane perspective. The Macintosh still remains the single most secure GUI computer on the market today, and it is likely to remain that way into the distant future. Don't forget that there have already been three different methods for cracking Windows Vista demonstrated.

5) Challenging Macintosh security is not just a good thing. It is a GREAT thing! Apple were sitting on their butts regarding security two years ago. Yeah, we had to suffer through some insufferably stoopid anti-Mac security FUD recently, but the good thing that came out of it was that Apple got serious about security and have been patching security vulnerabilities in a mad rush lately. Bravo! This is the process by which the Mac will remain the most secure GUI computer on the market.

6) Expect the WinTrolls to cum all over themselves because of this news. Pity them. They are still on Windows, which remains the most insecure operating system on the market.

Share and Enjoy!

:-Derek



You talk too much, as usual. This has been debated ad nauseam for the past 2 days.

--

Nicolas

.