

VUPEN co-founder Chaouki Bekrar hacked a MacBook in under 5 seconds.  (Source: ZDNet)
Charlie Miller lets someone else win a MacBook for a change

The conception that Apple, Inc. computers running OS X are magically more secure than Windows computers was dealt another setback this week.  Using a flaw in Apple's pre-installed first-party Safari browser, it took French security pro Chaouki Bekrar merely 5 seconds to hijack the unwitting MacBook at the CanSecWest Conference's pwn2own contest in Vancouver, British Columbia.

At the most basic level, the attack exploited Apple's weak memory protections in OS X Snow Leopard.  Microsoft's Windows, more popular and more commonly attacked, includes two critical types of memory protection -- data execution prevention (DEP) and robust address space layout randomization (ASLR) -- both of which attempt to prevent memory injection attacks.  By contrast, Snow Leopard only supports ASLR, and the implementation is badly botched, according to hackers.
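To make the two protections named above concrete from a defender's side, the following added example (not from the article or from VUPEN) reads the flags word of a Mach-O executable header and reports whether the main image opts into randomized loading (MH_PIE), asks for executable stacks, or leaves a 32-bit heap executable. The constants are those of Apple's `<mach-o/loader.h>`; the function names, the decision to apply the heap check to 32-bit images only, and the sample headers are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values from Apple's <mach-o/loader.h>. */
#define MH_MAGIC                 0xfeedfaceu /* thin 32-bit image */
#define MH_MAGIC_64              0xfeedfacfu /* thin 64-bit image */
#define MH_EXECUTE               0x2u        /* filetype: main executable */
#define MH_ALLOW_STACK_EXECUTION 0x00020000u /* all stacks get execute permission */
#define MH_PIE                   0x00200000u /* load main image at a random address */
#define MH_NO_HEAP_EXECUTION     0x01000000u /* non-executable heap, even on i386 */

/* Results of macho_findings() (names are this example's own). */
#define MACHO_ERR_TRUNCATED (-1)
#define MACHO_ERR_NOT_THIN  (-2) /* fat, big-endian, or not Mach-O at all */
#define MACHO_ERR_NOT_MAIN  (-3) /* the flags below only apply to MH_EXECUTE */
#define FINDING_NO_PIE      0x1
#define FINDING_STACK_EXEC  0x2
#define FINDING_HEAP_EXEC   0x4  /* assumption: reported for 32-bit images only */

/* Decode a little-endian 32-bit field without relying on host byte order. */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns a bitmask of FINDING_* values, 0 if nothing is missing,
 * or a negative MACHO_ERR_* code if the header cannot be audited. */
int macho_findings(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < 4)
        return MACHO_ERR_TRUNCATED;

    uint32_t magic = le32(buf);
    if (magic != MH_MAGIC && magic != MH_MAGIC_64)
        return MACHO_ERR_NOT_THIN;

    /* mach_header is 28 bytes; mach_header_64 adds a reserved word. */
    size_t header_size = (magic == MH_MAGIC_64) ? 32 : 28;
    if (len < header_size)
        return MACHO_ERR_TRUNCATED;

    /* Layout: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags. */
    if (le32(buf + 12) != MH_EXECUTE)
        return MACHO_ERR_NOT_MAIN;

    uint32_t flags = le32(buf + 24);
    int findings = 0;
    if (!(flags & MH_PIE))
        findings |= FINDING_NO_PIE;
    if (flags & MH_ALLOW_STACK_EXECUTION)
        findings |= FINDING_STACK_EXEC;
    if (magic == MH_MAGIC && !(flags & MH_NO_HEAP_EXECUTION))
        findings |= FINDING_HEAP_EXEC;
    return findings;
}

/* Constructed sample: 64-bit x86_64 executable, flags 0x00200085 (PIE set). */
static const uint8_t SAMPLE_PIE_64[32] = {
    0xcf, 0xfa, 0xed, 0xfe,  0x07, 0x00, 0x00, 0x01,  0x03, 0x00, 0x00, 0x00,
    0x02, 0x00, 0x00, 0x00,  0x10, 0x00, 0x00, 0x00,  0x00, 0x06, 0x00, 0x00,
    0x85, 0x00, 0x20, 0x00,  0x00, 0x00, 0x00, 0x00
};

/* Constructed sample: 32-bit i386 executable, flags 0x00020085
 * (no PIE, executable stacks allowed, heap flag absent). */
static const uint8_t SAMPLE_LEGACY_32[28] = {
    0xce, 0xfa, 0xed, 0xfe,  0x07, 0x00, 0x00, 0x00,  0x03, 0x00, 0x00, 0x00,
    0x02, 0x00, 0x00, 0x00,  0x10, 0x00, 0x00, 0x00,  0x00, 0x06, 0x00, 0x00,
    0x85, 0x00, 0x02, 0x00
};

/* Constructed sample: start of a fat (multi-architecture) file. */
static const uint8_t SAMPLE_FAT[8] = {
    0xca, 0xfe, 0xba, 0xbe,  0x00, 0x00, 0x00, 0x02
};

static void report(const char *name, const uint8_t *buf, size_t len)
{
    int f = macho_findings(buf, len);
    if (f < 0) {
        printf("%-10s cannot audit (code %d)\n", name, f);
        return;
    }
    printf("%-10s PIE:%s  executable stack:%s  executable 32-bit heap:%s\n",
           name,
           (f & FINDING_NO_PIE) ? "no" : "yes",
           (f & FINDING_STACK_EXEC) ? "allowed" : "no",
           (f & FINDING_HEAP_EXEC) ? "yes" : "no");
}

int main(void)
{
    report("pie64", SAMPLE_PIE_64, sizeof SAMPLE_PIE_64);
    report("legacy32", SAMPLE_LEGACY_32, sizeof SAMPLE_LEGACY_32);
    report("fat", SAMPLE_FAT, sizeof SAMPLE_FAT);
    return 0;
}
```

A fat file has to be split into its per-architecture slices before this check applies, which is why the example reports it as unauditable rather than guessing.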

The attack also exploited poor coding in Apple's branch of WebKit, which features many bugs and security flaws.  While Apple's WebKit branch, which powers its Safari browser, shares a certain amount of code with Google's WebKit browser Chrome, Google has added much more robust security layers and its browser is less buggy.

So if Apple computers are less secure than Windows machines, why are Windows machines attacked so much more frequently?  Generally, the answer boils down to two factors: there are far fewer Macs, and hackers often have misgivings about mass attacks on Unix-like operating systems (Linux, OS X), as they view it as "attacking their own."  Ultimately these two factors combine into a greater barrier -- lack of information.

Since not many hackers target OS X, those that do have to tread entirely new ground.  Take Mr. Bekrar and his team at French security firm VUPEN.  He says that the exploit was "relatively difficult" due to lack of documentation in the security/hacking community on OS X.  He states in a ZDNet interview, "We had to do everything from scratch. We had to create a debugging tool, create the shellcode and create the ROP (return oriented programming) technique.  The main difficulty was doing this on our own, without the help of any documentation."

Another difficulty was in finding a "reliable" vulnerability.  All modern browsers have vulnerabilities, but not all vulnerabilities are created equal.  Identifying the "best" vulnerabilities takes a lot of time and dedication -- time that has been invested in attacking Windows machines, but not so much with OS X.

Describes Mr. Bekrar, "There are many WebKit vulnerabilities. You can run a fuzzer and get lots of good results. But it’s much more difficult to exploit it on x64 and to make your exploit very reliable."

But the results show that when somebody puts in the work to enter that undiscovered country, Macs prove as hackable as Windows computers, or more so.

Luring the user to a suspect site in Safari, the VUPEN researcher remotely launched OS X's calculator app and wrote a file to the disk -- essentially paving the way for a full hijack of the machine.  This was all done without the browser crashing or showing any irregularities.

He describes, "The victim visits a web page, he gets owned. No other interaction is needed."

The victim would likely think they merely clicked on a bad URL.

Mr. Bekrar and his VUPEN teammates will next try to hack a Windows machine using similar flaws found in Internet Explorer 8 on 64-bit Windows 7 (SP1).

For his success against OS X, Mr. Bekrar scores a 13-inch Apple MacBook Air running Mac OS X Snow Leopard and $15,000 USD in cash.

In past years the contest has been dominated by OS X hacking/security pro Charlie Miller.  So it was nice to see a fresh face for a change, though the MacBook was still the first to fall -- as usual.  Mr. Miller sums up OS X security the best, with his famous remark, "Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town."



Comments

There's a surprise....
By themaster08 on 3/10/2011 10:30:01 AM , Rating: 5
The same will happen again next year, and the year after that, and the year after that.

OS X is THE most unsecure OS. Period.




RE: There's a surprise....
By Pirks on 3/10/11, Rating: -1
RE: There's a surprise....
By Joz on 3/10/2011 10:40:42 AM , Rating: 5
Windows 7; and windows in general are very secure once you've installed two things: A good firewall and a good watchdog service. But that relationship can be the same for Apple...oh wait, they don't have those types of security measures available; they just have whatever "I'm Perfect"-Steve Jobs gives them.

But I'm still going to choose Windows over Apple-OS every single time for two simple reasons: Customization and security.


RE: There's a surprise....
By Pirks on 3/10/11, Rating: -1
RE: There's a surprise....
By Iaiken on 3/10/2011 11:43:44 AM , Rating: 5
quote:
sure, for tech illiterate guys like you who know jack about os x security/firewalls/watchdogs windows is not too shabby


I've said it before and I will say it again...

I don't dislike OS X because I don't know anything about it. I dislike it because I know more about it than I would care to and what I have learned has only increased my concerns about Apple's smoke and mirrors security strategy.

My company will be using iPads for our residential sales force and event sales. After sending our device and software away for security testing, our software passed. However, this didn't matter because they could easily root the iPad, steal any saved login information and then use the trusted device and login to steal sales lead data (names, addresses, phone numbers etc).

My suggestion to any company interested in workforce automation using the iPad? DON'T!!!


RE: There's a surprise....
By Iaiken on 3/10/2011 11:46:30 AM , Rating: 2
Before Pirks jumps in with his predictable apples-oranges finger pointing...

I know OS X != iOS.

I posted in the BlackHole Rat article about specific hacks we've explored on OS X machines here at work.


RE: There's a surprise....
By Pirks on 3/10/11, Rating: -1
RE: There's a surprise....
By Iaiken on 3/10/2011 12:08:38 PM , Rating: 4
l2Read
quote:
Before Pirks jumps in with his predictable apples-oranges finger pointing...

I know OS X != iOS.

I posted in the BlackHole Rat article about specific hacks we've explored on OS X machines here at work.


If you're too f***ing lazy to look it up, too f***ing bad, because I am too f***ing lazy to write it out again for you.

:P :P :P


RE: There's a surprise....
By Pirks on 3/10/11, Rating: -1
RE: There's a surprise....
By Darnell021 on 3/11/11, Rating: -1
RE: There's a surprise....
By AstroGuardian on 3/15/2011 7:14:33 AM , Rating: 1
In your butts to both of you. Proof that humans evolved from apes, that's what you are.


RE: There's a surprise....
By Obujuwami on 3/10/2011 1:29:08 PM , Rating: 2
If you are looking for a replacement for the ipads, check out http://usa.asus.com/product.aspx?P_ID=QhWKR7Fmv4jD...


RE: There's a surprise....
By Boze on 3/10/2011 5:15:40 PM , Rating: 2
This really isn't a replacement for the iPad at all.

This is just a tablet computer without the keyboard and made thinner.

I don't know why you didn't offer up the Motorola XOOM or the Galaxy Tab 10.1 versus this EEESlate.

This thing gets 4.5 hours battery life - that's a problem because the reason this guy's business wants the iPads is because of 10 hour battery life. His sales force can run around with an iPad all day long (or a Motorola XOOM for that matter).

The EEESlate is twice as thick and twice as heavy as an iPad, or even a Motorola XOOM. Another no-go.

And I can't be sure, but I'd be willing to bet this slate is going to be more than $499, $599, or $699. I didn't see any mention of 3G/4G capabilities either, another reason his company probably wants true "tablet" computers like the iPad - they need something that's connected everywhere.

Sorry, but this ASUS device just doesn't even remotely compete. I don't know who ASUS is trying to target with this thing, but it's certainly not mainstream consumers, it's not even mainstream business consumers!


RE: There's a surprise....
By kingius on 3/14/2011 11:58:20 AM , Rating: 2
ASUS should stick to Netbooks, iPads are for posers anyway. No wonder sales teams love them!


RE: There's a surprise....
By nafhan on 3/10/2011 10:50:15 AM , Rating: 4
How about: ditch the default browser and you're probably good (for now) on either system.


RE: There's a surprise....
By kleinma on 3/10/2011 10:58:17 AM , Rating: 5
All operating systems and browsers have flaws, but Microsoft takes a proactive approach and is more transparent about the flaws that are found than Apple is. For this sole reason, Apple will technically be less secure until Apple actually becomes proactive and concedes that their OS/browser isn't some magical hack proof thing. Currently Apple's greatest defense is simply lower market share. If they can creep up to the 20% market share, they will start getting hit more. I would think more likely iOS and Android will be the main targets in the next few years, since most non tech people tend to not yet think of their phones the same way as their computers, and tend to store VERY sensitive information on these pretty insecure devices.


RE: There's a surprise....
By Pirks on 3/10/11, Rating: -1
RE: There's a surprise....
By themaster08 on 3/10/2011 11:20:16 AM , Rating: 5
No, but still, it didn't get pwned before Safari on OS X.


RE: There's a surprise....
By Pirks on 3/10/11, Rating: -1
RE: There's a surprise....
By themaster08 on 3/10/2011 11:58:43 AM , Rating: 2
quote:
I see this little technicality made you really happy. Good for you.


quote:
Did this somehow protect IE8 on Win 7 from being pwned right after Safari on OS X? :P

It obviously seems to be making you happy.


RE: There's a surprise....
By Pirks on 3/10/11, Rating: -1
RE: There's a surprise....
By Alexstarfire on 3/10/2011 3:31:23 PM , Rating: 3
I think the amount of work put in to each hack matters more than the order. Took the Windows guy about 3x as long.


RE: There's a surprise....
By Pirks on 3/10/11, Rating: -1
RE: There's a surprise....
By ninjaquick on 3/11/2011 1:17:49 AM , Rating: 5
Obvious troll is obviousface.

It took 5 seconds for Safari to crash because the user couldn't click fast enough. I bet the actual code only took a second to convince the Mac to be raped by it.

Windows is inherently safer... Way safer. And it takes thousands of people world wide to hack windows, but any garage punk coder can break a Mac. Nuff sed.


RE: There's a surprise....
By yomamafor1 on 3/10/2011 11:33:57 AM , Rating: 3
So by your logic, the second OS to fall is somehow the most unsecured OS?

Seriously, just give it up.


RE: There's a surprise....
By Pirks on 3/10/11, Rating: -1
RE: There's a surprise....
By themaster08 on 3/10/2011 12:05:36 PM , Rating: 5
No, it is the one to fall in the quickest time, which is still OS X.
quote:
it took French security pro Chaouki Bekrar merely 5 seconds to hijack the unwitting MacBook


RE: There's a surprise....
By Klober on 3/10/2011 12:11:49 PM , Rating: 5
Not only that, but Fewer had to chain 3 exploits together in order to actually crack the Win7 machine, and it took him 5-6 weeks to find and write the exploits even with all of the documentation and research already available for Win7.

Yeah, that sounds far less secure than Mac OS X...


RE: There's a surprise....
By Pirks on 3/10/11, Rating: -1
RE: There's a surprise....
By Iaiken on 3/10/2011 1:16:21 PM , Rating: 5
I'd like to think that you just fail at reading and comprehension, or that maybe you're just lazy or stupid... Anything else would mean you deliberately ignored what was written so that you could make up arguments that suited your agenda. However, I've read enough of your fallacious drivel to know that the latter is likely the case and that you're just petty and dishonest.

quote:
Three-man team of researchers spent about two weeks to find the vulnerability (using fuzzers) and writing a reliable exploit.


Two weeks with zero literature to go from resulting in a single reliable exploit.


RE: There's a surprise....
By Pirks on 3/10/11, Rating: -1
RE: There's a surprise....
By Cheesew1z69 on 3/10/2011 1:21:26 PM , Rating: 4
quote:
I'd like to think that you just fail at reading and comprehension, or that maybe you're just lazy or stupid
Honestly, I think it's both...


RE: There's a surprise....
By Pirks on 3/10/11, Rating: -1
RE: There's a surprise....
By SKiddywinks on 3/10/2011 5:26:09 PM , Rating: 2
Same effort for both.

Wrong. It took one guy 5-6 weeks even when there was tons of documentation, and even then he had to chain 3 vulnerabilities together to get through the Windows security.

It may have taken the same amount of time (as in about 6 weeks of work) to get the Mac exploit together, but seeing as there was no documentation, more time was spent researching than hacking.

The Windows guy needed to do more work, and use 3 exploits, to get through Windows. The Mac guys simply need to do more searching, not hacking. The actual exploit was much easier, also demonstrated by the fact that they only needed the one exploit.

Honestly Pirks, you are either so blind/angry you miss the facts, or you are so blinded by Apple that you ignore them on purpose.


RE: There's a surprise....
By Pirks on 3/10/11, Rating: -1
RE: There's a surprise....
By ninjaquick on 3/11/2011 1:22:19 AM , Rating: 1
No, I bet that 4 of the 6 man weeks were spent drinking and having fun on the Mac side whereas the techno geek that hacked the Windows system coded day and night for six weeks straight.


RE: There's a surprise....
By Pirks on 3/11/11, Rating: -1
RE: There's a surprise....
By Targon on 3/11/2011 12:13:33 PM , Rating: 2
The point is that with full documentation, the MacOS X would have been hacked in much less time. If you consider security through obscurity to be true security, then you are the sort that will be easily taken advantage of.

Here's the thing, if/when someone takes the time to write malware for MacOS, the idea that Macs are secure will also mean that Mac owners are also more vulnerable if they DO get an infection.

I really hope that we see a TON of new pieces of Malware for MacOS, and that all those people who feel they don't need an anti-virus program on their Mac will end up getting infected. Seriously, nothing is worse than people who act like their PLATFORM is better, even when there is evidence to the contrary.

Remember, MacOS X came out back in 2001, and while it was better than Windows XP in many ways, Apple has not released any significant improvement to the UI in all this time, and Microsoft has incorporated many new improvements over the years. With this in mind, in another few years, will Apple still have MacOS X while Windows has many newer and better features that make the Mac look old and outdated as a platform?


RE: There's a surprise....
By Pirks on 3/11/11, Rating: -1
RE: There's a surprise....
By TSS on 3/10/2011 7:19:59 PM , Rating: 5
You must be new around here. Pirks is our resident Apple troll, he will defend Apple to the death simply to lure out reactions from anybody not completely convinced on the Apple ideal. Which on this site is everybody but 2-3 trolls trying to copy Pirks.

Though it's been a while since he's gone on a page wide rant. he even got a few posts rated above 2. A part of me is kinda happy to see him up to his old tricks, good times ^^.

It's a small part though.


RE: There's a surprise....
By Pirks on 3/11/11, Rating: -1
RE: There's a surprise....
By Targon on 3/11/2011 12:19:34 PM , Rating: 2
Just because Windows can also be hacked does not change how secure an OS is. When many Apple users go around claiming that MacOS X is more secure than Windows, this really is an invitation for people to make Malware, since that false sense of security makes for an easy victim.

If MacOS X by its design is not more secure, then claims that it IS more secure invite critics.


RE: There's a surprise....
By Pirks on 3/11/11, Rating: -1
RE: There's a surprise....
By seraphim1982 on 3/10/2011 3:06:42 PM , Rating: 2
Stop listening to him, he's a Mac-Fanatic.
Like the psych papers have said, Apple users THINK they are smarter.....

Clearly, everyone has proven them wrong.


RE: There's a surprise....
By seraphim1982 on 3/10/2011 3:06:45 PM , Rating: 2
Stop listening to him, he's a Mac-Fanatic.
Like the psych papers have said, Apple users THINK they are smarter.....

Clearly, everyone has proven them wrong.


RE: There's a surprise....
By Pirks on 3/10/11, Rating: -1
RE: There's a surprise....
By Boze on 3/10/2011 5:21:16 PM , Rating: 2
He was probably double posting his drivel because of DailyTech's poor rating scheme which automatically rates a post as "1" if it is replying to a -1 post, or if a "bad word" is used.

His post shouldn't be automatically downgraded simply based on the fact that he's trying to provide information.

As an aside, I can't possibly believe Apple users think they're smarter than everyone else. From the ones I've met, that's preposterously laughable.


RE: There's a surprise....
By Alexstarfire on 3/10/2011 3:33:27 PM , Rating: 2
1 exploit and 1-2 weeks.


RE: There's a surprise....
By Pirks on 3/10/11, Rating: -1
RE: There's a surprise....
By Alexstarfire on 3/10/2011 7:18:49 PM , Rating: 1
That wasn't even part of the question you asked.


RE: There's a surprise....
By Pirks on 3/11/11, Rating: -1
RE: There's a surprise....
By Phynaz on 3/10/2011 2:43:12 PM , Rating: 1
You should read a little deeper. It took 5 seconds to execute a hack that took a team of security professionals weeks to create.


RE: There's a surprise....
By themaster08 on 3/10/2011 4:48:40 PM , Rating: 2
Then why didn't it take 5 seconds to execute on the Windows machine, which took 6 weeks to create an exploit?


RE: There's a surprise....
By messele on 3/21/2011 5:58:41 PM , Rating: 1
Maybe nobody cares enough to make the effort to win the cheapo plastic PoS that Windows was running on?


RE: There's a surprise....
By ncage on 3/10/2011 1:31:14 PM , Rating: 3
quote:
Windows 7 is THE most unsecure OS. Period.


You're an idiot! Why do you think almost every one of your comments has been downgraded? Who do you think people are going to trust: some troll commenter who doesn't even try to come up with a lick of evidence, or some security researcher who does this full time and actually knows what he is talking about? ASLR and DEP actually work pretty damn good. They aren't perfect of course but at least they make it harder for holes found to turn into a full blown exploit. It's impossible to make something as complex as an OS without having bugs. I'm sure you wouldn't know that though because you don't know what you're talking about.

That's not saying I don't like OSX, because I do.


RE: There's a surprise....
By Pirks on 3/10/11, Rating: -1
RE: There's a surprise....
By Alexstarfire on 3/10/2011 3:52:52 PM , Rating: 1
Considering it says OS X has no DEP I question your credibility.


RE: There's a surprise....
By Pirks on 3/10/11, Rating: -1
RE: There's a surprise....
By Iaiken on 3/10/2011 4:54:10 PM , Rating: 2
I question your intelligence for not understanding the fundamental difference between Software DEP and NX-bit.

quote:
"Software DEP" is unrelated to the NX bit, and is what Microsoft calls their enforcement of Safe Structured Exception Handling. Software DEP/SafeSEH checks when an exception is thrown to make sure that the exception is registered in a function table for the application, and requires the program to be built with it.


This prevents you from being able to throw stacks of exceptions that will then be handled by the kernel while you inject instructions into the resulting instruction overflow in RAM.

Totally different technology.


RE: There's a surprise....
By Pirks on 3/10/11, Rating: -1
RE: There's a surprise....
By Alexstarfire on 3/10/2011 7:22:55 PM , Rating: 2
Would you accept an answer of it has half DEP then? Or shit DEP? Apparently it has shit ASLR already.


RE: There's a surprise....
By Iaiken on 3/10/2011 10:43:50 PM , Rating: 2
quote:
half DEP then


That pretty much sums it up.

NX-bit only works on the data and instruction stacks. If you can overflow these out onto the cache and then RAM, you can change the data in RAM because of Apple's crappy ASLR implementation and inject instructions that way.

Though it's cute that Pirks thinks he knows what he is talking about or that he could discuss it with people who actually do this for a living.


RE: There's a surprise....
By Pirks on 3/11/11, Rating: -1
RE: There's a surprise....
By Alexstarfire on 3/11/2011 5:23:11 PM , Rating: 2
You're right. Who the hell uses the information provided from the article? How silly of me.


RE: There's a surprise....
By Pirks on 3/14/11, Rating: -1
By damianrobertjones on 3/10/2011 1:47:26 PM , Rating: 2
From a reply on EndGadget

"Of course the description of the IE8 failure is glaringly missing from this description, because the successful hacker describes how difficult it was to write, and how time consuming it was.

Fewer said the new mitigation technologies being built into modern browsers make it “incrementally difficult” to exploit but insisted that a motivated attacker with enough resources will eventually find a way to write a reliable exploit."


RE: There's a surprise....
By Alexstarfire on 3/10/2011 3:23:51 PM , Rating: 2
I'll assume you didn't read the details in the pwn2own contest. Took the Mac guy 1-2 weeks to do all of the work to make the exploit. Took the Windows guy like 5-6 weeks. Considering that the Mac guy said a lot of the reasons it took him longer is because of lack of documentation for OS X hacks I'm going to say that's pretty freaking bad for OS X. Since both got hacked in the end it's rather a moot point. They both fell, end of story. Microsoft generally patches quicker so you're probably better off with them than Apple's Safari.

I, as well as others who actually read about the contest, am wondering if there is a difference between the 32-bit version and the 64-bit version in terms of hackability. I don't use IE anyway, but it'd be nice to know.


RE: There's a surprise....
By Pirks on 3/10/11, Rating: -1
RE: There's a surprise....
By Alexstarfire on 3/10/2011 3:55:20 PM , Rating: 2
Yep, I thought Fewer had help, but apparently not. Still took 3 exploits to 1 though.


RE: There's a surprise....
By Pirks on 3/10/11, Rating: -1
RE: There's a surprise....
By Alexstarfire on 3/10/2011 7:41:29 PM , Rating: 2
I'll take the 3 obviously small exploits over your one huge one any day. It's like having a small hole in 3 sheets of paper compared to a huge hole in 1 sheet. Every now and then with some time and effort you can get the 3 sheets to line up, but with 1 hole all you have to do is find it first.


RE: There's a surprise....
By Pirks on 3/11/11, Rating: -1
RE: There's a surprise....
By Targon on 3/11/2011 12:28:22 PM , Rating: 2
What you fail to understand is that once the information is out there, it takes less time to come up with an exploit for the Mac. How long do you think it will take from the time a true malware author comes up with a way to infect a Mac to the time 50+ percent of the Macs in the world are infected?


RE: There's a surprise....
By Pirks on 3/11/11, Rating: -1
RE: There's a surprise....
By Alexstarfire on 3/11/2011 5:33:46 PM , Rating: 2
Apple patch something quickly? Now that's a joke if I ever heard it. Microsoft will patch those 3 exploits quicker than Apple will patch that 1, assuming it wasn't already fixed in the new version of Safari already anyway. Don't know why that one wasn't used but apparently updates for other browsers were.


RE: There's a surprise....
By yomamafor1 on 3/10/2011 8:08:41 PM , Rating: 2
You really are a fan boy aren't you? I'm absolutely mystified at the fact that you'd twist the facts so they seem to agree with you.

Here's the fact: the hackers used 3 exploits on the Windows to take over the machine, while the hackers only used 1 exploit on the Mac. Does that mean Windows have 3x more exploits than Mac? No, it just simply means Windows requires 3x more exploits to take over the machine, when the Mac only requires 1. This contest proves Mac OS X is less secure than Windows, and only seems to be less attacked due to its smaller market share.

Seriously, just give it up.


RE: There's a surprise....
By nafhan on 3/10/2011 4:10:01 PM , Rating: 2
quote:
1 guy 6 weeks Windows == 3 guys 2 weeks OS X
Nope. This is just a bunch of meaningless numbers unless you've got a method to measure relative skill and speed amongst these 4 coders.

This isn't directed solely at Pirks, I'm just responding to him because he's said the same thing about 12 times... which is actually a great example of how volume does not always equal quality.


RE: There's a surprise....
By Pirks on 3/10/11, Rating: -1
RE: There's a surprise....
By themaster08 on 3/10/2011 4:54:29 PM , Rating: 2
Then why did you even come up with it in the first place?


RE: There's a surprise....
By Pirks on 3/10/11, Rating: -1
RE: There's a surprise....
By nafhan on 3/10/2011 5:34:14 PM , Rating: 2
Hard to believe, but contrary to what you may have learned from TV commercials and the web sites, there's a big difference between "a metric" and "a useful metric".


RE: There's a surprise....
By Pirks on 3/10/11, Rating: -1
RE: There's a surprise....
By nafhan on 3/10/2011 7:31:32 PM , Rating: 2
As long as we stay inside the context of this discussion, that information adds nothing. Therefore: useless. Not a difficult concept...


RE: There's a surprise....
By Alexstarfire on 3/10/2011 7:43:22 PM , Rating: 2
True, but nearly all of the time it takes more equivalent time for multiple people to do it than it would 1 person. Think of going from single threaded to multi-threaded. If you go from 1 to 2 threads you will almost never get 2x the performance because usually one thread is waiting on the other. That usually happens with people as well.

Does this matter? Not too much in the end. Both ended up being completely exploited. With enough time and manpower anything can be done.


RE: There's a surprise....
By nafhan on 3/10/2011 5:31:00 PM , Rating: 2
Actually, I didn't suggest that or any other method, at all. You, however, repeated it again, and again, and again.


RE: There's a surprise....
By Tony Swash on 3/10/11, Rating: -1
RE: There's a surprise....
By themaster08 on 3/10/2011 11:00:41 AM , Rating: 3
Most attacked != least secure.


RE: There's a surprise....
By kleinma on 3/10/2011 11:02:59 AM , Rating: 3
agreed.

Most Attacked = Most Surface Area to attack.

Besides, much of the malware these days require use of social engineering, and there is just no program that cures stupid.


RE: There's a surprise....
By sprockkets on 3/10/2011 11:01:13 AM , Rating: 2
Yeah, and what is OSX's market share again?


RE: There's a surprise....
By kleinma on 3/10/2011 11:01:19 AM , Rating: 4
And in the real world, 9 out of every 10 people using a computer are running Windows.

If 9 out of 10 people used Macs, you would be using Windows and happy that no one was writing malware for it because of its low market share.


RE: There's a surprise....
By Tony Swash on 3/10/11, Rating: -1
RE: There's a surprise....
By Pirks on 3/10/2011 3:14:06 PM , Rating: 2
quote:
Choose another and those problems vanish
Yeah, they vanish... together with all the huge selection of hardware and software and ubercool games etc etc. No, thanks. Your stupid advice, Tony, won't work for most people.


RE: There's a surprise....
By themaster08 on 3/10/2011 4:39:18 PM , Rating: 2
quote:
So according to your logic one in ten malware attacks should be on Macs - except that is not what happens.
That's what you would like his logic to be, but unfortunately that's not the case.

Why on earth would any malware creator waste their time to attack a platform that makes up for an insignificant percentage of the OS market, is hard to find in clusters due to OS X's poor business adoption, therefore harder to spread, and has a lack of documentation, therefore having to write from scratch.

Almost any platform is secure with good practice. Windows doesn't magically get viruses. People are reckless, stupid, and inconsiderate of their consequences. You might as well jump in the driving seat of a car without ever doing so before, crash into someone and kill them, and come to the conclusion that the car is to blame.


RE: There's a surprise....
By themaster08 on 3/10/2011 4:39:18 PM , Rating: 2
quote:
So according to your logic one in ten malware attacks should be on Macs - except that is not what happens.
That's what you would like his logic to be, but unfortunately that's not the case.

Why on earth would any malware creator waste their time to attack a platform that makes up for an insignificant percentage of the OS market, is hard to find in clusters due to OS X's poor business adoption, therefore harder to spread, and has a lack of documentation, therefore having to write from scratch.

Almost any platform is secure with good practice. Windows doesn't magically get viruses. People are reckless, stupid, and inconsiderate of their consequences. You might as well jump in the driving seat of a car without ever doing so before, crash into someone and kill them, and come to the conclusion that the car is to blame.


RE: There's a surprise....
By themaster08 on 3/10/2011 4:58:46 PM , Rating: 2
Double post. Piece of crap.


RE: There's a surprise....
By ChristopherO on 3/10/2011 9:44:50 PM , Rating: 3
Actually this is an easy reason based on a medical concept. It is called Herd Immunity. The same holds true for anyone using technology.

In order for a virus or worm to be spread successfully a certain percentage of the target population needs to be vulnerable.

That's why, in order to eradicate Swine Flu, you don't need to vaccinate everyone, just enough people where statistical containment always occurs.

Even if Macs were exploited broadly, they would still have a statistical edge on protection because they are less likely to run into other Macs. Thus you could statistically be safer even if lots of exploits were in the wild. Hackers, scammers, phishers, etc, all these people know this, so it is pointless to attempt. If Apple ever gets real market share, the Apple to Apple collision ratio would be higher and they'll start to have problems.

Windows on the other hand has several issues. High statistical collision rates, plus the most popular version of the OS is 10 years old (which is an eternity when it comes to the evolution of security). On top of that, you get many of the older versions of the OS lacking deep-security, so you still get a lot of XP-to-XP collisions that result in worms.

There is also the political angle -- Microsoft should bundle security essentials for free (force firewall, AV, anti-malware via Windows Update), but certain other virus companies who make billions off annual subscriptions would sue them for being anti-competitive. Even though everyone on the planet knows an OS maker should do *everything* they can for security. It is just a *bad* situation when one of your partners tries to make money off the fact that you're "insecure" and would try to sue the pants off you when you try to fix the problems that pay their mortgages.

The other thing about Macs. They are a status-symbol. Wealthy people get tired of status symbols and buy new ones fairly quickly. Thus your *churn* to new technology is quite rapid. That's why Apple can change its main OS twice in a decade, and its entire CPU platform 3 times and no one really notices because everyone needs the latest model... The net effect is that the Mac user base benefits from more security since the average age is less.

The most *recent* Windows is always *more* secure than the most recent MacOS, but the average age of the operating system being used by the public is probably twice as old.

Anyway, that's my 2 cents. Just some things that people rarely consider and instead go mac vs. pc without any logic.
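The threshold argument in the comment above can be made concrete with a small worm-propagation model. This is an added example, not part of the original comment; the host count, probe rate and cleanup rate are constructed assumptions chosen only to show the effect of platform share.

```python
"""Mean-field model of a random-scanning worm with cleanup (constructed example)."""


def simulate_outbreak(total_hosts, platform_share, probes_per_step,
                      cleanup_rate, seed_infected=10, steps=200):
    """Return R0, peak infections and the fraction of the platform ever infected.

    total_hosts      -- all reachable machines, of every platform
    platform_share   -- fraction of them running the vulnerable platform
    probes_per_step  -- random hosts each infected machine contacts per step
    cleanup_rate     -- fraction of infected machines cleaned/patched per step
    """
    vulnerable = total_hosts * platform_share
    susceptible = vulnerable - seed_infected
    infected = float(seed_infected)
    ever_infected = infected
    peak = infected

    for _ in range(steps):
        # A probe succeeds only if it lands on a still-vulnerable host, so the
        # hit probability is capped by the platform's share of all hosts.
        hit_probability = susceptible / total_hosts
        new_infections = min(susceptible,
                             infected * probes_per_step * hit_probability)
        cleaned = infected * cleanup_rate  # cleaned hosts stay immune
        susceptible -= new_infections
        infected += new_infections - cleaned
        ever_infected += new_infections
        peak = max(peak, infected)

    return {
        # Secondary infections caused by one infected host before cleanup.
        "r0": probes_per_step * platform_share / cleanup_rate,
        "peak_infected": peak,
        "ever_infected_fraction": ever_infected / vulnerable,
    }


def compare_platforms():
    """Same worm behaviour, two assumed platform shares (90% vs 10%)."""
    common = dict(total_hosts=1_000_000, probes_per_step=2, cleanup_rate=0.5)
    return {
        "majority": simulate_outbreak(platform_share=0.9, **common),
        "minority": simulate_outbreak(platform_share=0.1, **common),
    }


if __name__ == "__main__":
    for name, result in compare_platforms().items():
        print(name, {k: round(v, 4) for k, v in result.items()})
```

With identical worm behaviour, the outbreak grows only where R0 exceeds 1; the model says nothing about how exploitable either platform is.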


RE: There's a surprise....
By ChristopherO on 3/11/2011 2:15:38 AM , Rating: 3
quote:
The most *recent* Windows is always *more* secure than the most recent MacOS


Well, I should correct that. Windows tends to include the latest in security technologies (as per enterprise, DoD, other large non-consumer demands). But the totality of features doesn't necessarily correlate to actual security. Defense in depth can work, or it can provide more avenues of attack if not done correctly.

I think the real truth is that both choices are completely adequate when fully updated... The problem is the tin-foil-hat people who think big brother is spying on them when they enable auto-updates. The other problem is piracy, if you own a Mac, you have a MacOS license, thus no reason not to update. If you own a PC, you may not have a Windows license. If half of the third-world thinks their computer will die from a service pack, they never get updated at all...


RE: There's a surprise....
By Alexstarfire on 3/10/2011 10:42:51 PM , Rating: 1
Looking at ratios doesn't always work. Kinda like claiming that if 20 people have their own OS that they should get like 20/2000000000 of the viruses. That simply doesn't hold water. At a certain marketshare point people are going to start attacking an OS. IDK what that point is and I'm not sure anyone could know what that point is.

I love how you point to a year and a half old article for some evidence too. Not surprised that UAC doesn't do much, though that does depend on the setting. In the link they left things at default values which isn't the highest for UAC at least. Hell, there are several security features you would have to turn on to make Windows 7 as secure as it could be. Is it dumb that users should have to do that? A little bit. They had a ton of backlash when the UAC was defaulted to the highest setting though.


RE: There's a surprise....
By Iaiken on 3/10/2011 11:30:47 AM , Rating: 2
It's too bad that stupidity isn't painful...


RE: There's a surprise....
By marvdmartian on 3/10/2011 12:19:15 PM , Rating: 3
Wait.....the MAGIC doesn't prevent this from happening???


RE: There's a surprise....
By Breakfast Susej on 3/10/2011 1:51:46 PM , Rating: 3
Something that happened recently for me with a Windows 7 machine really impressed me.

I built and loaded up a machine for my brother, who is a complete neophyte to the world of using a computer. This is a guy who still pays his bills by driving downtown to the utility company and paying in hard cash.

I expected there would be pain, suffering, fear and loathing, all that good stuff in putting someone as new to computers as him at the helm of a brand new machine and online with no supervision (he lives quite a distance from me).

So anyway I set him up with Win7 pro x64, and gave myself remote desktop access for the inevitable meltdowns I expected. I didn't put anything on it other than Microsoft security essentials, and chrome set as the default browser.

Sure enough he called several weeks later and started describing some problems that made me jump to the conclusion that he had gone and got infected with a rogue app. But as I questioned him more I found that while he indeed nearly got infected by a rogue app, Microsoft security essentials actually managed to detect, warn, and prevent him from installing the rogue app he was describing.

I couldn't help but be impressed. I have been out of the game so to speak as far as doing PC repairs goes, so my era of knowledge centers more around the XP days and thusly, my loathing of rogue apps is intense. However, for such a simplistic and free program to so effectively protect a complete and utter neophyte user, as I said above, I was impressed by Microsoft in this regard.

Back in the day, if only I had been given a dollar for every XP user that brought their machine in infected to the gills and scratching their head as to why their copy of Norton, or their copy of Kaspersky, or whatever other useless third party program they paid for failed to protect them.


RE: There's a surprise....
By damianrobertjones on 3/10/2011 2:11:34 PM , Rating: 3
Never let anyone run as admin.

Whenever I set up Win7 now, I create two accounts
- Security: Admin, long password
- Family: Standard user, usual password, whatever they like

I then demonstrate what happens when logged into the 'Family' account as it presents them with a box asking for the SECURITY account password... "If you see that, think for a second, what have I done that asks for that?"

Works well, zero problems with NO people coming back to me.

Never run as admin.


RE: There's a surprise....
By Breakfast Susej on 3/10/2011 5:41:53 PM , Rating: 2
While that may be a fine strategy in certain situations, and indeed that is how I set up every Windows 7 computer in the office for example, it is not something that I ultimately wanted to do in this case.

I would like the user in this case to learn by doing and develop a level of skill to administer the system, as I know he is fully capable of learning to, and not aiming to remain a neophyte.

For work related situations or people who are going to remain a novice, a user only account is an option.


RE: There's a surprise....
By Breakfast Susej on 3/10/2011 5:50:32 PM , Rating: 2
One other point I forgot to add in my reply was in this case he also got a UAC prompt for a Java update which was what he was actually calling about when I got around to getting the story of the rogue app out of him.

In the case of UAC he didn't know what it was and called to ask at which point I confirmed for him it was legit. Exactly as UAC is supposed to do, even without having to have it locked down in a user mode account.

So I guess what I am saying, is everything is working as intended, and he is learning to use his system by doing with limited training wheels just as I intended.


Here is a serious question for a change
By NanoTube1 on 3/10/2011 11:42:28 AM , Rating: 1
When surfing to porn sites, which is the most secure browser?

-Safari
Obviously pwned in 5 seconds but the question remains: what devious porn site will even bother with Macs? It's not economically viable.

-Chrome
Famously secure but owned by Google, the largest espionage organization on earth. The last thing anyone wants is for Google to log their porn consumption on some server.

-FireFox
Open source, pretty secure, tons of plugins that disable everything but basic html. Here usability can be an issue - you can install so many "blockers" that at the end you find yourself looking at broken pages and needing to enable/disable things in real-time. That can be hard to do with one hand.

So... what do you say?




RE: Here is a serious question for a change
By cashkennedy on 3/10/2011 12:28:45 PM , Rating: 3
Firefox is actually quite insecure

http://www.bit9.com/company/news-release-details.p...

Additionally there was an article about a year ago about how a clean install of firefox is rather secure, but after installing plug-ins like adblock the security vulnerabilities increase 10x.


By Alexstarfire on 3/10/2011 7:50:22 PM , Rating: 2
And according to that link Chrome is the worst yet hasn't been hacked and Flash is quite secure yet everyone seems to know/think otherwise. Kinda goes to show you that numbers aren't everything.


By Camikazi on 3/10/2011 4:57:59 PM , Rating: 3
-Chrome
Famously secure but owned by Google, the largest espionage organization on earth. The last thing anyone wants is for Google to log their porn consumption on some server.

Next time you go to a porn site on any browser, make sure you have NoScript or Ghostery installed and see how often Google Analytics shows up, I think you might be surprised. Seeing those pop up means Google doesn't need you using Chrome to see when you visit porn sites :P


By sorry dog on 3/14/2011 10:06:05 AM , Rating: 2
Opera is good for porn surfing. It's targeted less, opens back to the same place easily, and comes with one handed navigation out of the box.


By UnauthorisedAccess on 3/18/2011 8:45:14 PM , Rating: 2
TOR Browser Bundle (which uses Firefox), running on Linux, running in a Virtual Machine, running on spare hardware, air-gapped from the rest of your network and finally dangle the whole setup over a salt water swimming pool with a quick release.

Secure.

...ish.


The Flame Wars
By ThatNewGuy on 3/10/2011 11:02:49 AM , Rating: 2
They have begun.

Can't we all just learn to get along?




RE: The Flame Wars
By themaster08 on 3/10/2011 11:10:33 AM , Rating: 5
Too late. The red flames of Pirks and Tony Swash have started.


RE: The Flame Wars
By Pirks on 3/10/11, Rating: -1
RE: The Flame Wars
By StraightCashHomey on 3/10/2011 3:13:35 PM , Rating: 2
Pretty sure you guys were born flamers.


OS X Compromised in 5 seconds ...
By Norseman4 on 3/10/2011 2:18:42 PM , Rating: 3
... Steve Jobs's, paraphrased, response:

quote:
You're using [the browser] wrong.




Stop with the bias
By VPofCommonSense on 3/10/11, Rating: -1
By vol7ron on 3/10/2011 11:27:45 AM , Rating: 2
The question now is: are these tools available and is there now more documentation?


By Iaiken on 3/10/2011 11:28:42 AM , Rating: 5
I think Mr. Miller's best answer so far on OSX security was thus (paraphrased):

It's just not worth it. You would need to write something that can infect 100% of OSX machines to achieve the same result as something that can infect only 9% of windows machines. What's more, that 9% could go unnoticed for a really long time.

His new farmhouse/ghetto comparison is OK too, but what really pisses me off is Apple telling their users that firewalls and AV software are a waste of time. In my eyes, this is simply using the users' ignorance to cover up their own incompetence and it's positively shameful.


By sxr7171 on 3/16/2011 1:19:48 PM , Rating: 2
I'd have to agree. No OS is secure. However even as an OSX user it boils my blood to see how they market the thing like it's hack proof. It's actually a good product, but the way they market it is plain irresponsible. Every time I see something like "magical device" I want to stop using their products.


It just doesn't make sense....
By TEAMSWITCHER on 3/10/11, Rating: -1
RE: It just doesn't make sense....
By gamerk2 on 3/10/2011 12:21:30 PM , Rating: 2
Macs are significantly less SECURE than a PC. The reason you haven't been hit [that you know of anyway] is because everyone ignores the platform. If I have a choice between hacking a system with 90% market share, or one with 10% share, I'm going the 90% route. That does NOT translate to Macs being secure, it just means they aren't being targeted.


RE: It just doesn't make sense....
By TEAMSWITCHER on 3/11/2011 8:22:14 AM , Rating: 2
You can say it as many times as you like - it's not true. Macs are not less secure than the PC. I have been moving friends from PC's to Macs, and, they too don't get mal-ware. I know this because they all called me when their dumb-ass PC got infected. In addition I no longer get late night phone calls about printing issues - a double fix.

It's not hard evidence, but it's real, and I have experienced it first hand. If the PC had such great security relative to the Mac it would be the other way around.


RE: It just doesn't make sense....
By nafhan on 3/11/2011 10:26:13 AM , Rating: 2
My experience is that, most of the time I hear people talking about how great their new Mac is compared to their old Windows PC, it's people moving from a 5 year old, unpatched, XP box, they spent $500 on to a new, $1800 Macbook Pro (or a $2100 iMac in one case).

Point is, unless you are moving your friends from new, high end, Windows boxes to a Mac, then you're absolutely right - it's not hard evidence. Seriously, there better be an amazing user experience upgrade when moving from an outdated bargain bin PC to a luxury product!


RE: It just doesn't make sense....
By Iaiken on 3/10/2011 12:30:04 PM , Rating: 1
quote:
I cannot say the same thing about the PC I use at work, or the gaming PC I built for home.


I can... I haven't had a virus or malware since Windows 98.

If you saw SANS logs of what sort of active attempts are being made against windows machines all day long, you'd probably have a different outlook on the security through obscurity.

The first problem is that you have to find the machines of the appropriate OS for the exploit. Most hackers simply pick windows exploits because if I find a machine that is not hidden away behind a router or a firewall, there is a 91% chance it is going to be a windows machine.

It's just a matter of the path of least resistance and not a raw numbers game. Trying to find those 50 million OS X machines amongst the almost 1 billion windows machines in the world is no easy feat.

The second issue is that the knowledge just isn't out there and that what IS out there isn't easy to find. The windows hacking community effectively has an 18 year head start as well as ready access to extensive documentation on windows system and browser code.

I could write a browser hook that would launch internet explorer inside a wrapper, navigate to a website of my choice, and manipulate the DOM and other system components however I like, all without the user seeing. I didn't figure any of this out myself, this is all readily available information on the interop use of IE and mshtml.dll.


RE: It just doesn't make sense....
By lyeoh on 3/10/2011 12:51:23 PM , Rating: 2
quote:
I could write a browser hook that would launch internet explorer inside a wrapper, navigate to a website of my choice, and manipulate the DOM and other system components as however I like all without the user seeing.

But why would you need to do that on the Mac? If you've already got it running arbitrary code, just get your exploit to run a perl script. ;). A perl script can be very cross-platform for a lot of malware stuff- sending spam, DDoS, fetching new instructions, etc.


RE: It just doesn't make sense....
By Iaiken on 3/10/2011 1:54:56 PM , Rating: 3
quote:
But why would you need to do that on the Mac?


I wasn't talking about exploits on a mac. Once I have something like this, I can set it up for automated testing and just wail away on the browser until I find holes and exploits. You can blow through thousands of variations of the same exploit in a very short period of time. This is more for the development of exploits.

If I were going to attack a mac, I would certainly use perl since I can do anything from examining which processes are running in real time to throwing up phishing dialogs that look exactly like system dialogs (thanks to Apple's uniform look) or even attempt to force kill other applications.

The best part is that OS X is great for running perl scripts from the shell without requiring any form of administrative rights. Basically as long as you don't try to attack the kernel itself without the administrative password, you're in the clear to keep pulling down new script files from an instruction server.

Go west young hacker... it'll be a wild one...


By damianrobertjones on 3/10/2011 2:09:16 PM , Rating: 2
Then the guy doing I.T. where you work should be fired and also, WHAT are you looking at in order to get malware onto your work pc?


RE: It just doesn't make sense....
By sxr7171 on 3/16/2011 1:22:47 PM , Rating: 1
I think it would be nice for someone to write that killer Mac virus just to get those clowns to shut up and start doing something about it. Start advising customers correctly instead of with marketing fluff. I use Mac far more than Windows now, and I think it needs to happen. Someone please make this killer virus.


Copyright 2014 DailyTech LLC.