The Mac Observer

Experts Claim Mac Security Flaw Remains

by , 9:50 AM EST, March 7th, 2006

Some security analysts are claiming that Apple only partially fixed a flaw in Mac OS X that allows applications to run automatically after they are downloaded by Safari, Mail, or iChat. According to ZDNet UK, Apple added a new fail-safe called "download validation" to the applications to warn users that downloaded files may be malicious, but it does not prevent users from launching applications that are masquerading as something else.

The issue that still remains is commonly referred to as a "trojan horse," or an application that is disguised to seem like a safe file or program, but actually hides a malicious application.

In this case, the problem is that Mac OS X looks to file name extensions for the proper icon to display, but it looks at the file's metadata to determine what to do if the file is opened. This allows someone to create an application that at first glance appears to be something innocent, like a JPEG image, but in reality is a script that executes commands without your knowledge. When the file is downloaded, it remains inactive, but when a user double-clicks it, the hidden application launches.
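The mismatch described above can be checked from the defender's side. The following is an added example, not code from the article or from Apple: it compares what a file name's extension claims with what the file's leading bytes actually are, and flags a "document" that is really a script or a Mach-O binary. It inspects content only and does not read Mac OS X file metadata; the function names and the sample files are constructed for illustration.

```python
import os

# Leading-byte signatures of content that a double-click could run.
EXECUTABLE_MAGIC = {
    b"#!": "script",
    b"\xfe\xed\xfa\xce": "mach-o",  # 32-bit, big-endian (PowerPC)
    b"\xfe\xed\xfa\xcf": "mach-o",  # 64-bit, big-endian
    b"\xce\xfa\xed\xfe": "mach-o",  # 32-bit, little-endian
    b"\xcf\xfa\xed\xfe": "mach-o",  # 64-bit, little-endian
}
# Signatures that passive document formats are expected to start with.
DOCUMENT_MAGIC = {
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8", ".pdf": b"%PDF-",
}

def sniff_executable(head):
    """Return 'script' or 'mach-o' if the leading bytes are runnable, else None."""
    for magic, kind in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            return kind
    return None

def classify(name, head):
    """Return 'ok', 'mismatch', 'masquerade' or 'unchecked' for one file."""
    ext = os.path.splitext(name)[1].lower()
    expected = DOCUMENT_MAGIC.get(ext)
    if expected is None:
        return "unchecked"   # extension does not claim a passive document type
    if sniff_executable(head):
        return "masquerade"  # looks like a document, content is executable
    if not head.startswith(expected):
        return "mismatch"    # not executable, but not what the name claims
    return "ok"

# Constructed samples: file name -> first bytes of the file.
SAMPLES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "photo.jpg": b"#!/bin/sh\necho constructed sample\n",
    "report.pdf": b"\xfe\xed\xfa\xce\x00\x00\x00\x12",
    "chart.png": b"GIF89a",
    "tool.sh": b"#!/bin/sh\n",
}

def scan(samples):
    return {name: classify(name, head) for name, head in samples.items()}

def flagged(samples):
    """Names of files that claim to be documents but contain executable content."""
    return sorted(n for n, verdict in scan(samples).items() if verdict == "masquerade")

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{verdict:10} {name}")
```
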

Although this is an issue, it's not as big a deal as some media outlets are implying. Cybertrust analyst Kevin Long commented, "It's true that this security update does not translate into Macs that are invulnerable. However, Apple has put some things in place to assist users in detecting questionable files... there's no need to freak out about this."

Apple is aware of the problem with file extensions and metadata. The company is actively taking feedback from users and is looking into the possibility of adding protection for trojan horse-type files at a deeper level in the operating system.

Phil Schiller, Apple's senior vice president of worldwide marketing, stated, "We always try to make this better and stronger."

Observer Comments

Name: Guest
Subject: this just in-apple can protect users from themselves

nm

Name: zewazir Posts: 415 Joined: 03 Dec 2002
Subject:

So, if it is such a hole, why don't they exploit it in laboratory conditions, just to, well, PROVE what they are claiming?

Name: Guest
Subject: User Beware

I don't see how this is a flaw. The User should use their own judgement about downloading programs from unknown or untrusted sites. It is like buying over the counter drugs from the trunk of a car. If you get poisoned, there is no one to blame but yourself.

Name: Guest
Subject: I'm sorry this is just stupid

How hard is it to make an application that has an icon that looks like a preview document? Human exploits are not something that can be prevented.

Name: Species 8472 Posts: 2 Joined: 07 Mar 2006
Subject:

Have these 'experts' said exactly how it would be possible for Apple to add enough security to Safari so that it "does not prevent users from launching applications that are masquerading as something else"? What are they suggesting? If you attempt to open something Safari thinks could be malicious, some rotating knives come out of your screen and cut your hands off?

Certainly anyone who DOES open a programme download not knowing where it has come from, should have a huge fist leap out the screen and punch them. But this really is a non-story. Probably the next one down on whatever website it comes from, was; 'Elvis seen alive in local supermarket.' Yes it's possible, but then - the Universe is infinite, so anything you (and the 'experts') can imagine happening, does. Somewhere. Just not in Apple's universe.

Name: Guest
Subject: One solution

Well you can prevent them but only if you make the computer pretty much unusable. Surely it's the stuff that creeps through without any action on the user's part that is the true test.

Name: Guest
Subject: this just in: creating logon acct makes yer Mac vulnerable

nm

Name: Guest
Subject: Experts Claim Mac Security Flaw Remains

The more I see this stuff, the less confident I am in Mac security. The link below is from a cnet article about a guy that hacked a Mac in a contest in less than 30 minutes as the root using the default OS X configuration.

I own Macs and like them a lot but I am not going to try to blow this stuff off as nonsense and defend Mac OS X for the heck of it... how much more is going on that we don't know about?


http://news.com.com/Winner+mocks+OS+X+hacking+contest/2100-1002_3-6046197.html

Name: Guest
Subject: Using Macs for about 28 of the last 30

I've used Macs for a long time, and whilst they are not perfect (what is?), security has never been a concern. Never had data lost to a virus, or anything more than a worm passed along on a zip disk (years ago on a PowerMac 8100). If I didn't know better, I'd say this recent Mac OS security chatter is meant to draw attention away from the QE II of security flaws-Windows and its soon to be released-sea of security holes-Vista. Here are the facts as they have been released so far:

• If you give access to the root directory access of your Mac, it can be hacked in about half an hour. Also, if you leave your keys in your car with the engine running-it can be stolen. Go figure.

• A "concept only" trojan can-if you install it-mess up your Mac computing day, a very little bit. After reading that it took a Mac tech who intentionally tried to install this malware about an hour or better to do so. I'm not very worried. BTW: it was extricated in less time than it took to install it. This may be a danger to those who place "kick me" signs on their own backs.

• The dude who wanted hackers to "rm" his mini, is a Microsoft stooge. Humm, does anyone else's bullshit detector have the same readings as mine?

Macs are secure, dependable, cheaper OLM and just plain good looking. I would like some changes, but this security issue is, insofar as Macs are concerned, something I won't lose sleep over.

Name: Guest
Subject: Be aware

You're smart in not being overconfident, but you should also keep the same suspicious eye on these reports. There are many factions that have an interest in making Macs seem less secure than they are... competing OS software vendors, anti-virus software vendors, etc.

As for the exploit you mention in your post, it's already been pointed out that the cracker was given local access through SSH access. What they did could not be done remotely (i.e., over the internet).

A general fear or suspicion can be good, but it must be informed.

Name: Guest
Subject: Apple is doing WHAT?

What I find exciting is that Apple is actually looking for ways to make Trojans easier to detect.

BTW, um, I'm not totally on the boat with all you people saying that users should be wise enough.

Not that that isn't a valid comment, it's just very lame to hear that comment from mac users.

I know many mac users who aren't up to the task and never will be. Actually that's precisely the reason why they are mac users. And that's precisely the reason I convinced some of those people to switch in the first place. And let me clarify those are not stupid people. Not. At. All.

And it's precisely the comment I expect from windows freaks and IT staff that's a bit too out of touch with its user base, so IMO coming from the mouth of mac fans it's NOT a valid argument.

Unfair statement? Perhaps. Even so... The moment that mindset becomes common mac culture, it'll be a valid reason to look elsewhere. And I shudder at the thought.

Name: Biff Posts: 1479 Joined: 08 Apr 2004
Subject:

Quote
Guest wrote:
The more I see this stuff, the less confident I am in Mac security. The link below is from a cnet article about a guy that hacked a Mac in a contest in less than 30 minutes as the root using the default OS X configuration.

I own Macs and like them a lot but I am not going to try to blow this stuff off as nonsense and defend Mac OS X for the heck of it... how much more is going on that we don't know about?


http://news.com.com/Winner+mocks+OS+X+hacking+contest/2100-1002_3-6046197.html
Yeah they reported that on this site too. Do you only read headlines? Did you not notice the part where the guy running that "hacking" contest gave everyone a user account to log in to the machine with? Yeah a user should not be able to gain admin access without the proper password, but it's not like some guy just hacked some Mac over the Internet using some fundamental security flaw. Do you even understand what this means?

And what about this story? The one that you used as your subject line. This bothers you?!? The fact that if you run a random program it might do something bad? Um hello. If you choose to run a program you are accepting the consequences of letting it do whatever the author wrote it to do.

Name: Guest
Subject: OMG I better get the secure system...Windows?

A veritable Fort Knox, Windows can be the only solution to Mac OSX's flaws. Once I get that system, I'll be completely safe from viruses, malware and spyware. BTW where are all those hacked, virus ridden Mac users? Don't they want to get some equal time in the media and complain how they are so easily hacked. Can't they find just one? One victim who will come forward and confirm what we all know; OSX is as leaky as a cheese grater with all these glaring flaws. Who will be the first! Come on, anyone, speak up-let us hear your Mac horror story! Oh the horror!

Name: Rainy Day Posts: 607 Joined: 07 Jun 2005
Subject: A lot of FUD, but some valid points too

Most of this kind of talk is FUD, and seems to be working as one of the guests above said he or she is starting to doubt Mac security. Nothing to doubt here folks.

However in regards to this particular article, there is a valid point. While it is true there is no technological prevention for Trojan Horses and other forms of human engineering (besides turning the computer off and locking it up somewhere), there is a technological solution to this vulnerability described here.

The problem is a file of one type masquerading as a file of another type. That is a vulnerability which could lead to the creation of a Trojan Horse, and is something which Apple could (and should) check for. In other words, a file which looks like a JPEG should not contain any executable code, and if a file which looks like a JPEG tries to execute some code, the OS should squelch it. In other words, the OS should enforce its filetypes.



Last edited by Rainy Day on Tue Mar 07, 2006 2:45 pm; edited 1 time in total
Name: Guest
Subject: Citizens for the protection of sarcasm

Stop, you'll use it all up.

Name: Rainy Day Posts: 607 Joined: 07 Jun 2005
Subject: Get the facts right

Quote
Guest wrote:
The more I see this stuff, the less confident I am in Mac security. The link below is from a cnet article about a guy that hacked a Mac in a contest in less than 30 minutes as the root using the default OS X configuration.…

Link to yellow journalism article where a Mac was left in a bad part of town with the windows rolled down, the doors unlocked, and the keys in the ignition with “Please Steal Me” painted on the side, and was subsequently hacked from the inside in less than 30 minutes.


This is why you shouldn’t be concerned about such yellow journalism: Mac OS X Security Challenge

Name: burreyeann Posts: 1144 Joined: 25 Feb 2005
Subject:

Rainy Day wrote:

Quote
The problem is a file of one type masquerading as a file of another type. That is not exactly a Trojan Horse, per se, and it is something which Apple could (and should) check for. In other words, a file which looks like a JPEG should not contain any executable code, and if a file which looks like a JPEG tries to execute some code, the OS should squelch it. In other words, the OS should enforce its filetypes.


I agree.

I finally gave up 9 and made the leap to X just last Aug. (when I bought my iMac G5). It has been relatively easy so far. I have learned, lately, not to run as an Administrator, don't let Safari open "safe" downloads, the firewall is on, and I know that viewing a .jpg should not require a password.

My wife and I share the computer and our boys use it on occasion. We have an Admin. account, the standard account we use, and a managed account for the boys (which I don't worry about since they don't know the password).

That being said, let me say that I still see some possible vulnerabilities. My wife likes to play and download games on the "internet". Let's say she finds a link to some site to download a game, only this site is one of those "malicious web sites" you read about in those "Security Alerts" all over the web. You would expect this type of file (an .app I would say) to show the password required field. My wife (and myself) would give the password if we thought it was legitimate because we expected this dialogue box.

Name: Guest
Subject: Oh Bollocks

You people are so full of it.

Apple patched this at APPLICATION level.

If you run any web apps other than their own, you're still wide open.

Stop being so bloody annoying.

Name: Guest
Subject:

blah, blah, blah....

Name: Guest
Subject: Right

Right. Fists coming out of the screen. You'll be the first to get hit, dimrod.

Worms like the love bug and anna-k inflicted tens of billions of dollars of damage on the net.

That's OK by you so long as your precious OS doesn't get attacked and your widdle weener get shrunk no more.

You're pathetic.

Name: Guest
Subject: Oh yeah right.

This was an ordinary machine hacked in thirty minutes from an unprivileged account.

OK, two bitter: how long have you worked as a Unix admin?

Hack a * UNIX * system in half an hour from any account at all?

No way.

Hack OS X? Of course.

The code isn't up to date, Apple discouraged (and finally killed off) all collaboration in their supposed 'open darwin' - and worst of all: they think with their heads up their butts just like you do, einstein.

You people are pathetic.

Name: Guest
Subject:

"This was an ordinary machine hacked in thirty minutes from an unprivileged account."

It was an essentially rigged contest that was used to create a lie that OS X could be hacked in 30 minutes right out of the box.

Don't be so clueless.

Name: RGE Posts: 165 Joined: 16 Aug 2003
Subject:

Quote
"This was an ordinary machine hacked in thirty minutes from an unprivileged account."

It was an essentially rigged contest that was used to create a lie that OS X could be hacked in 30 minutes right out of the box.
Amusingly enough, both statements are true....

Name: Guest
Subject:

Still trolling thru Brazil.
