Re: The Mac Got Cracked (via Safari zero-day vulnerability)


"Nashton" <nana@xxxxx> wrote in message
news:T6HWh.133883$nh4.60754@xxxxxxxxxxxxxxx
Derek Currie wrote:
That Mac running Mac OS X is no longer a virgin. It got cracked. I might
as well be the guy to announce it here since I have been following Mac
security issues closely for the last two years.

Definition of a zero-day vulnerability:
vulnerability:<http://en.wikipedia.org/wiki/Zero-day_Attack>

A zero-day (or zero-hour) attack is a computer threat that exposes
undisclosed or unpatched computer application vulnerabilities. Zero-day
attacks can be considered extremely dangerous because they take
advantage of computer security holes for which no solution is currently
available.

The zero-day vulnerability in Safari was discovered by Dai Zovi at the
CanSecWest conference as part of the 'PWN to Own" hack-a-mac contest. He
teamed up with Shane Macaulay to manifest the break-in. The contest
required cracking into one of two MacBook Pro machines then finding a
file on the hard drive that described how to report the crack to
TippingPoint, who offered the MacBook Pro and $10,000 to the winner.
Details of the zero-day vulnerability have not yet been disclosed. But
the crack required someone with an account on the MacBook Pro to access a
particular web page using the Safari browser. This was a relaxation of
the first day's rules of the contest, but is nonetheless relevant to the
average Mac user's computer security. Because merely visiting the
attacking website was required, I personally have to assume that the
vulnerability in Safari is related to scripting. Sadly, scripting (such
JavaScript and AJAX) has compromised the original intention of the World
Wide Web which was for web pages to be unable to install malicious
software on any computer. Scripting has become incredibly popular on the
net because of the remarkable effects and functionality it provides. In
any decent web browser, including Safari, it is possible to disable
scripting. However, you end up losing considerable functionality on many
site.

The "Security Now!" podcast has covered the problems with Internet
scripting repeatedly over the last year. Steve Gibson of GRC, the
security expert of the podcast, specifically recommends that no one ever
surf the net with scripting enabled. Once a user has established that a
particular website is safe and reliable, they can then turn on scripting
for just that site.

<http://www.grc.com/securitynow>

Flipping scripting on and off while surfing the net can be a pain in the
neck in most browsers. The exception that I know of is OmniWeb for Mac OS
X. You can turn scripting OFF by default, but you are able to set
preferences for every individual website such that when you visit an
approved site, scripting is automatically enabled without any effort on
your part. OmniWeb is an inexpensive shareware web browser. Many people
shy away from having to pay for a web browser. But this feature is one of
many reasons I recommend OmniWeb above and beyond any other web browser
for Mac. A free alternative is to user FireFox along with an installed
extension that lets you control scripting on individual web sites.

Until the details of this crack are published and hopefully Apple has
come up with a security update to repair the vulnerability, I personally
recommend concerned Macintosh users should turn off scripting on their
web browsers.


Conclusions: 1) As we all knew, there is no such thing as a perfect
operating system. We remain in what I call 'The Stone Age Of Computing'
where computing remains fundamentally a PITA.

2) Mac OS X has security vulnerabilities, and for the first time one of
them has been publicly exploited to crack into a Mac machine.

3) What this bodes for the future is as yet unknown. The level of access
obtained by the crackers has not been disclosed, but at the very least
they were able to access files in the currently running user account.
Whether this means bots could successfully be installed and run on the
Mac to make it a zombie is not clear, but appears to be unlikely. We
shall see!

4) One crack into a Mac does not equal the HORROR that all the FUD
mongers have been flooding us with for the past couple years. It means
there has been one single successful crack into the Mac. Compare that to
the thousands of cracks into Windows PC machines and you will discover
some sane perspective. The Macintosh still remains the single most secure
GUI computer on the market today, and it is likely to remain that way
into the distant future. Don't forget that there have already been three
different methods for cracking Windows Vista demonstrated.

5) Challenging Macintosh security is not just a good thing. It is a GREAT
thing! Apple were sitting on their butts regarding security two years
ago. Yeah, we had to suffer through some insufferably stoopid anti-Mac
security FUD recently, but the good thing that came out of it was that
Apple got serious about security and have been patching security
vulnerabilities in a mad rush lately. Bravo! This is the process by which
the Mac will remain the most secure GUI computer on the market.

6) Expect the WinTrolls to cum all over themselves because of this news.
Pity them. They are still on Windows, which remains the most insecure
operating system on the market.

Share and Enjoy!

:-Derek



You talk too much, as usual. This has been debated ad nauseam for the past
2 days.

This fool is Wegie, aka Timberwolf, aka a bunch of other names because
Timberwolf is a troll who gets ignored. He is doing this for attention.
Killfile him like most people do. He will say stupid stuff just to get a
response. Don't play his game.

John


.