Hot Off The Matasano SMS Queue: CanSec Macbook Challenge Won

Thomas Ptacek | April 20th, 2007 | Filed Under: Apple, Uncategorized

EXCLUSIVE: MUST CREDIT MATASANO

More details as they become available. In the meantime, a drinking game: predict the rationalizations given by Mac zealots for why this finding “doesn’t count”.

I’ll start: “It took $10,000 to break a Mac, but people break Windows machines for free every day!”

[Update: 6:12 EST]

EXCLUSIVE: MUST CREDIT MATASANO

About an hour ago, security researcher Shane Macaulay leveraged a clientside exploit to bind a remotely-accessible shell on the fully-patched MacBook used by the PWN 2 0WN contest at CanSecWest.

The vulnerability and exploit were developed last night by Dino Dai Zovi, in the wake of an announcement by 3Com establishing a $10,000 bounty on successful exploitation of one of the contest MacBooks. Said Dino: “I think I may have set the land-speed record”.

Shane keeps the laptop, Dino keeps the reward.

Details about the specifics of the vulnerability to follow at a later date.

[Update: 7:45 EST]

Dragos and the CanSec crew beat us to the punch while I was commuting home, but, yes, it’s a Safari clientside.

[Update: 7:55 EST]

You were wondering if your MacBook was vulnerable even after you applied that last batch of Apple patches? Sean Comeau confirms, “Currently, every copy of OS X out there now is vulnerable to this”. You are. So, uh, switch to Firefox until the patch comes out? Or live dangerously like me.

Leave it to Theo to mouth off about it: Apple is “extremely litigious when people do find stuff”. Yeah, uh, no they aren’t. But thanks for playing.

[Update: 1:37P EST]

EXCLUSIVE: MUST CREDIT MATASANO

The vulnerability affects Firefox as well as Safari. More details, momentarily.

[Update: 1:46P EST]


Turn off Java; to be safe, until Dino lets us say more, turn off everything else too. Or live dangerously like me. You don’t have to be more secure than Windows to be safer than it.
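The lockdown this update recommends has two tiers: Java off now, everything else off if you want to be safe. As an added example (not code from the original post, and not Apple's), here is a small Python audit of a Safari preferences plist that reports which of those settings are still enabled at each tier, returns a hardened copy, and emits the `defaults write` lines that would apply it. The preference key names are an assumption based on the WebKit/Safari defaults of the period; the sample plist is constructed, and on a real machine you should confirm the keys with `defaults read com.apple.Safari` before trusting the result.

```python
"""Audit and harden a Safari preferences plist for the settings this post
says to turn off. Added example; not code from the original post or from
Apple. Key names are an ASSUMPTION (WebKit/Safari-era defaults); an absent
key is treated as Safari's built-in default, which is "enabled"."""
import plistlib

# key -> (what it controls, lowest paranoia level at which it should be off)
# level 1 = "turn off Java"; level 2 = "turn off everything else too".
RISKY_KEYS = {
    "WebKitJavaEnabled": ("Java applets", 1),
    "WebKitPluginsEnabled": ("browser plug-ins such as QuickTime and Flash", 2),
    "AutoOpenSafeDownloads": ("open 'safe' files after downloading", 2),
    "WebKitJavaScriptEnabled": ("JavaScript", 2),
}

# Constructed sample of a mostly untouched preferences file (not a capture).
# WebKitPluginsEnabled is absent on purpose, so the default applies.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
 "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>WebKitJavaEnabled</key><true/>
    <key>AutoOpenSafeDownloads</key><true/>
    <key>WebKitJavaScriptEnabled</key><false/>
</dict>
</plist>
"""


def load_prefs(plist_bytes):
    """Parse an XML or binary plist into a dict."""
    return plistlib.loads(plist_bytes)


def audit(prefs, level=1):
    """Return the risky keys that are still enabled at this paranoia level."""
    return [key for key, (_, min_level) in RISKY_KEYS.items()
            if min_level <= level and prefs.get(key, True)]


def harden(prefs, level=1):
    """Return a copy of prefs with every risky key at or below level set off."""
    fixed = dict(prefs)
    for key, (_, min_level) in RISKY_KEYS.items():
        if min_level <= level:
            fixed[key] = False
    return fixed


def defaults_commands(prefs, level=1):
    """The `defaults write` lines that would apply harden() to live Safari."""
    return ["defaults write com.apple.Safari %s -bool false" % key
            for key in audit(prefs, level)]


if __name__ == "__main__":
    prefs = load_prefs(SAMPLE_PLIST)
    for lvl in (1, 2):
        names = [RISKY_KEYS[k][0] for k in audit(prefs, lvl)]
        print("level %d, still enabled: %s" % (lvl, ", ".join(names) or "nothing"))
    print("\n".join(defaults_commands(prefs, 2)))
    assert audit(harden(prefs, 2), 2) == []
```

Safari has to be quit and relaunched before it rereads the domain, and plugins disabled this way take QuickTime and Flash with them, which is the point of the second tier.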

[Update 6:00EST Monday]

More details emerging: the vulnerability is in QuickTime, and it may place Windows users at risk as well.

186 Comments so far

  • Dave G.

    April 20th, 2007 6:28 pm

    “It’s only clientside… How is someone going to get me to go to a malicious webpage”

  • Thomas Ptacek

    April 20th, 2007 6:29 pm

    “But Macs have automatic update, so nobody will be vulnerable to this for more than a few hours”

  • Thomas Ptacek

    April 20th, 2007 6:29 pm

    “You guys are jerks”

  • shooter

    April 20th, 2007 6:30 pm

    Was this before or after today’s released security update? And would it matter?

  • g

    April 20th, 2007 6:35 pm

    I’m reading this on my MacBook Pro, and I just wanted to say that this “does count.”

  • Martin Pilkington

    April 20th, 2007 6:40 pm

    Probably the most likely (because it’s the easiest to argue) would be the “But it was for a challenge and there’s still no exploits out in the wild”. Which is true. I honestly think the day the first widespread Mac exploit appears in the wild will be a good day as it will ground the more zealous mac users. And I’m a Mac user myself so it’s not like I’m ranting against them because I hate them. I just think some people like to take “more secure” as “invulnerable”.

  • wrc

    April 20th, 2007 6:42 pm

    “Client-side attacks in OSX, but still OSX much better than windows”

  • Dave G.

    April 20th, 2007 6:52 pm

    It is important to note that lots of mac folks do get security. We are making fun of a loud and often-ill-informed subset of the mac community.

  • Gustav

    April 20th, 2007 7:03 pm

    I can’t seem to find what they actually did? I wonder if they recreated the old disk image flaw, which can be disabled simply by unchecking “Open ‘safe’ files after downloading” in Safari’s preferences. Regardless, Apple should really remove that feature or disable it by default.

    While I agree many Mac users should be more serious about security, it’s still not time to say MacOS X and Windows are on equal footing - not by a long shot.

  • Todd M.

    April 20th, 2007 7:24 pm

    How about the actual (almost) excuse Gruber himself makes:
    “Makes me wonder whether it’s another exploit against Safari’s on-by-default “Open ‘Safe’ Files” preference.”

  • Walid

    April 20th, 2007 7:28 pm

    Well,
    Nice to see that any time a Mac OS vulnerability is discovered it makes the news. There’s so few of those! With windows it’s so common…
    This said, of course Macs are vulnerable. What isn’t?
    One of the reasons, as pointed out in the article, is that there’s a Mac for every gazillion windows pc, so exploits for Macs are more for sports than money. To me it’s a great reason to be Mac. Sorry Steve: sell all the iPods you want, just don’t advertise Macs too much. 3 or 5% market share is enough.

  • dre

    April 20th, 2007 7:31 pm

    daveg: you said, “lots of mac folks do get security”. does this include the engineers/developers at Apple Computer?

  • sxtxixtxcxh

    April 20th, 2007 7:36 pm
  • Mark Grimes

    April 20th, 2007 7:45 pm

    One little two little, five hundred and thirty five lil webkit heap overflows — wait that doesn’t flow… so being presumptuous, i’m mystified that local user -> local root context in the second hack is still standing hours later. Not having fuzzed webkit in a loooong time, I’m still under the impression that there are more than enough lurking… have things gotten better?

    Still under the tone of presumption, what year is Apple going to adopt heap protection? Maybe the media will cover it (again) that Vista continues to be more secure. Oh well you have to spend time working on securing an OS to secure an OS — we aren’t growing sea monkeys

  • rp

    April 20th, 2007 7:48 pm

    “Nowadays, security guys break the Mac every single day. Every single day, they come out with a total exploit, your machine can be taken over totally. I dare anybody to do that once a month on the Windows machine.”

    Oh wait, that’s Bill Gates, nevermind.

  • Nectar

    April 20th, 2007 7:50 pm

    “Well, it’s not a real-world scenario. Still no viruses.”
    “I bet it depends on third party software.”
    “Another faux disclosure!!! Where’s the proof? Where’s the code?”
    “That would never happen to me.”

    Dino: wow on the mind-blowing acceleration from-standstill-to-pwnership. Congrats on the bounty. Buy me a ponie?

  • Mo

    April 20th, 2007 7:50 pm

    @Mark Grimes: There probably are plenty of other heap overflows in WebKit, but you’re pretty limited in the number of ways that’d help with a local privilege escalation exploit, unless you can find a way that WebKit’s executed by a SUID app.

  • Paul Blair

    April 20th, 2007 7:52 pm

    “But they didn’t get root! Everyone knows that without root, viruses can’t do anything bad.”

  • Thomas Ptacek

    April 20th, 2007 7:53 pm

    The DMG vulnerability that “open safe files” was implicated in wasn’t even exploitable.

  • Ryan Russell

    April 20th, 2007 8:02 pm

    So why is it that Dino wrote the ’sploit, but Shane used it?

  • Thomas Ptacek

    April 20th, 2007 8:04 pm

    Because Dino cannot teleport.

    Yet.

  • Thomas Ptacek

    April 20th, 2007 8:05 pm

    NO WAIT NEW DRINKING GAME: Conspiracy theories for why Dino couldn’t do it in person. I vote: CUZ HE FAKED IT.

  • Chris

    April 20th, 2007 8:17 pm

    My conspiracy theory: Dino was going to perform the exploit himself, but was nabbed by Apple PR folks in a black van outside the hotel. Thankfully he left the code on a disc where K2 could get at it. Ownage ensues…oh wait, that’s the wrong movie. ;)

  • Nate

    April 20th, 2007 8:19 pm

    I think I’m reading this on a malicious website. Good thing I’m too poor to upgrade from FreeBSD to Mac OSX.

    Congrats to Dino on his quick execution. I guess we’ve established an OSX clientside is worth somewhere between $3K and $10K. And OSX remote is worth somewhere > $10K. With binary search and enough datapoints, we can have our own vuln futures market.

  • Ryan Russell

    April 20th, 2007 8:54 pm

    I see. You don’t give your guys time to go to CanSecWest? What are you doing over there, trying to ship product?

  • Dave

    April 20th, 2007 9:12 pm

    Chiming in on a drinking game…
    Drink if you read:
    - Snobby comment about Mac superiority.
    - Snarky comment about Windows.
    - Snarky comment about Macs or Apple.
    - Snobby comment about Windows superiority based on the idea that because lots more people use Windows it is better.
    - Snarky comment about Gates being nerdy or rich.
    - Snarky comment about Jobs being arrogant or controlling.

    Chug if you read:
    -Snarky comment about both Windows and Macs in one post.
    -Half-hearted attempt at snobby comment about Linux or Unix superiority.
    -Attempt at argument that Mac OS is superior because it is built on Unix.
    -Attempt at argument that Windows has superior security because it gets lots of viruses and exploits.
    -Post with link to a website that remotely escalates account privileges.
    -Rationalization that a prize winning, Zero day exploit on OS X means that OS X is less secure than any other OS.

  • ignis fatuusz

    April 20th, 2007 9:16 pm

    Congratulations to the hackers on the find, and thanks (from a long-time Mac user and evangelist). Stuff like this will keep Apple on its toes, and its users safer in the long run. It’ll be interesting to see how this plays out in the next few weeks/months.

  • Mike

    April 20th, 2007 9:30 pm

    “Time to remotely exploit a stock Mac over the LAN: Undetermined.

    Time to create an exploit for a stock Mac via a malicious website: 9 hours.

    Time to exploit a stock XP machine via LAN, malicious site, email payload, macro virus, GIF trojan, Messenger hack, IE quirk: how fast is your stopwatch?”

    Congratulations to Dino on the $10K reward. May it go towards the purchase of an Octocore Mac Pro, to reduce compile times for the next demonstration of his coding prowess.

  • LarryV

    April 20th, 2007 9:32 pm

    At least this wasn’t discovered in the wild, but in a controlled manner. Hopefully Apple will fix it quickly and perhaps take a deeper look for more possible vulnerabilities.

  • Jeff

    April 20th, 2007 9:36 pm

    I’m glad they found it (no snarky comment here), as it only strengthens the platform. As long as Apple fixes it quickly, of course. Which I have no doubt they will

    /crosses fingers.

    Anyone know if it affects both Intel and PPC?

  • Mike

    April 20th, 2007 9:57 pm

    But you have to be running Safari, which I despise. Firefox is the only browser I’ll use on any platform (except the Wii, of course).

  • Safari vulnerability | Advocrazy

    April 20th, 2007 10:13 pm

    […] Right on the heels of the Apple Security Update, a Safari vulnerability was just publicly announced. I commend the hackers for ethically informing Apple about it before releasing the description of the flaw to the rest of us. Now, we will see how fast Apple responds to this and if Apple will “threaten” them for exposing the exploit. […]

  • Rosyna

    April 20th, 2007 10:53 pm

    So was this problem in WebKit or in Safari? The report doesn’t make it clear.

    Also, why’d they have to lower the bar? The original “contest” was accessing a Mac remotely without getting the Mac to do anything special. Then it was changed to autoloading a specific URL? Was Safari automatically relaunched if it crashed?

  • Thomas Ptacek

    April 20th, 2007 10:58 pm

    The report doesn’t make it clear because it’s not clear. What you know now is that it’s been verified, the prize has (apparently) been awarded, and that it involves visiting a malicious location in the Safari browser.

    I don’t know anything about the “original” rules vs. the “current” rules, but note that the worst Microsoft problems are also clientside vulnerabilities in the core user applications.

  • Rosyna

    April 20th, 2007 11:04 pm

    Thomas, I ask if it is WebKit or Safari because if it is WebKit, it may already be fixed (as are many, many other bugs in the nightlies). But the nightlies all use the same Safari. For example, I am using the ToT WebKit (build 522+), but still using the Safari 2.0.4.

    As for “original” versus “current” you can see the changes here http://cansecwest.com/index.html

    Notice on 4/20 the attack surface was increased. Also, there’s another Mac that’s still open in the contest. The same exploit cannot be used twice. The new one requires you also become root.

  • […] The first MacBook Pro has been successfully attacked by taking advantage of a flaw in Safari which can be triggered with a malicious web page. It appears this is a zero-day exploit with no known patch at this time. […]

  • BrianD

    April 21st, 2007 12:11 am

    Another question would be: Is this exploit patched by the MOAB fixes patchtool?

  • Ian Graham

    April 21st, 2007 1:09 am

    CanSecWest earlier today lowered the barriers as planned since “there has not been a successful attack.”

    Sorry but if you have to “lower” your barriers, then that’s not a true deal. Sort of like having a hockey goalie play without pads and a glove because he stopped every shot otherwise. Why would CanSecWest do this on only the second day too? Load of junk!

  • Dave G.

    April 21st, 2007 2:10 am

    Ian:

    Clientside vulnerabilities are common attack vectors against windows systems as well. What you call “lowering the barriers”, I would call “normal use cases for a Mac”.

  • bri

    April 21st, 2007 2:15 am

    “my IDP will just strip out the malicious code anyhow”
    “let’s see it work in the wild first”

    obligatory: duuuude, i wonder if he totally pwned it at 4:20 on 4/20..

  • James J

    April 21st, 2007 3:21 am

    What Ian states is correct, as the organisers lowered the barrier in order to find a winner. In other words the organisers relaxed their rules.

    Sorry Dave G. but having to change the rules enough to allow a contestant to try another means of gaining access via Safari does not constitute normal use cases for a Mac. However I am glad that a possible flaw has been identified even though this flaw in all likelihood will not affect other Mac owners outside of CanSecWest and the winner(s).

    Remember CanSecWest set a competition and no one likes an unwinnable competition where no one wins. By raising the award to $10,000 the organisers had to relax the rules somewhere.

    There is one more MacBook Pro to go and the same method cannot be used again, plus root access has to be made in order to win this one. Should this be successful and I doubt it will be as long as the organisers don’t relax their rules, this is the one to watch and see what happens.

    I put it to you all here what would it be like if the same set of rules for a competition was applied to a Windows laptop, say a Sony Vaio? Would the organiser of that have to relax the rules? I know that Microsoft ran a similar contest for Vista and somehow the details of that disappeared - I wonder why?

  • flynn

    April 21st, 2007 3:37 am

    Just wondering for how long Dino has been sitting on that exploit for real…

  • […] Matasano has some more details on it. Further details will be coming in soon, but for now it shows that the vulnerability in Safari, so using Firefox or Camino should keep you safe. […]

  • Chris

    April 21st, 2007 8:36 am

    Congrats on the 10k prize Dino, that’s awesome. I can’t believe an OSX vuln is worth that much though. If an OSX vuln can go for 10k now, then a remote Linux vulnerability should be able to fetch 15k, and a remote MS vulnerability better be somewhere near 20k at the very least. Remote Linux vulnerabilities are under valued in my point of view. Most of the stats I can google still show a huge Linux server market that is still growing. I don’t have numbers for linux desktop share but that’s obviously growing too, more than ever before. Any thoughts? I have not personally sold a vulnerability so for all I know those $ amounts are ridiculously off scale.

  • […] If you haven’t been reading the Interwebs, Matasano hacked a Mac. I’m actually very relieved that they did. In fact, I was “first post” on TUAW.com letting them know they could stop being so dang sanctimonious. Symantec and Microsoft are probably happier than I, because they’ll get a ton of mileage out of this event, but I’m very glad that some of the stupidity we’ve seen surrounding OS X security is over. […]

  • Brian R

    April 21st, 2007 9:29 am

    So, if I’m running Firefox or OmniWeb or Camino on my PowerBook (instead of Safari), are my browsers exploitable in the same manner?

    Also, given that no OS is invulnerable to exploitation, why was the attempted remote hack unsuccessful? Drive by exploits in Windows have been dime-a-dozen….

  • Brian R

    April 21st, 2007 9:37 am

    Here’s an interesting read re the MacBook exploit coverage:

    http://www.roughlydrafted.com/RD/RDM.Tech.Q2.07/616874CC-35CE-49D3-B859-C2719B6FF352.html

  • Maccampus

    April 21st, 2007 10:03 am

    Rosyna :

    I’d like to find out how I can use these nightly build WebKits in my Safari & other WebKit based browsers/RSS readers.

    Do we still require the http://groups.google.com/group/moabfixes if we use the latest Mac OS & all security updates? And why don’t these get included in Paranoid Android, the security Ape you created & later open sourced (so Landon hasn’t got an excuse to get involved & make this happen)?

    To anyone who can answer this one:

    Does this hack, which is JavaScript if I’m correct, need admin rights?

    In other words; if the user who browses to the hacked website has no admin rights & the user doesn’t provide an admin user name & password, can this hack do its work?

  • Thomas Ptacek

    April 21st, 2007 11:13 am

    “Drive-by” exploits of Windows haven’t been “a dime a dozen” for years.

  • Thomas Ptacek

    April 21st, 2007 11:14 am

    James: you haven’t even read the stories, have you? They didn’t “do” anything to make the Macs more vulnerable to attack. If you use Safari, you lose. Pretty common use case.

    Thanks for playing the drinking game though.

  • BobTurbo

    April 21st, 2007 11:22 am

    “Drive by exploits in Windows have been dime-a-dozen…. “

    Chug chug chug.

  • Hal B

    April 21st, 2007 12:37 pm

    Re: the people complaining about a rule change: The rules always specified that it would get progressively easier.

    See
    http://lists.immunitysec.com/pipermail/dailydave/2007-March/004198.html
    and
    http://www.securityfocus.com/archive/142/464216/30/0/threaded

    which were both posted long before the contest started.

  • Brian R

    April 21st, 2007 12:37 pm

    Anyone who is using OSX and Windows in the real world side by side knows what the real deal is about this security issue…well beyond the fact that neither is impervious to exploits. Yeah…’Dime a Dozen’ and Windows exploits over the past 5 years is an egregious understatement.

  • newsham

    April 21st, 2007 1:08 pm

    What, Dino couldn’t deliver the payload via the canadian power grid!? Congrats to dino for the sploit writing and to k2 for the quick economic analysis.

    Btw, is k2 covering the capital gains taxes? Inquiring minds want to know!

  • Dino Dai Zovi

    April 21st, 2007 1:27 pm

    Thanks for all the congrats.

    Nectar: Anything left over from spending it on an octocore mac pro goes toward your pony :).

    Other drinking game speculators: With any 0day bug, there is a ton of conflicting information in what it is in and what is affected. I obviously don’t want to say too much so as to hint as to where the bug is until a patch is released. I will say that applying slightly paranoid web browser configuration changes will prevent this vulnerability from being exploited.

    And no, I have not been sitting on this exploit, I really did find the vulnerability and write the exploit that night. I got lucky :). I have spent way more time not finding bugs many other times.

  • Thomas Ptacek

    April 21st, 2007 1:30 pm

    Tim: SHHHHHHHHHHHHH. They might hear you.

  • Thomas Ptacek

    April 21st, 2007 1:30 pm
  • d

    April 21st, 2007 1:45 pm

    “’Dime a Dozen’ and Windows exploits over the past 5 years is an egregious understatement. “
    You said remote exploits. The “dime a dozen” exploits are exploiting client-side vulnerabilities you try to poo-poo.

  • Brian R

    April 21st, 2007 2:04 pm

    Social Engineering (phishing) and PEBCAK are vulnerabilities for users regardless of platform. If you don’t have physical access to my Mac and I don’t exhibit PEBCAK stupidity on the web….well….I think you get the idea.

  • Dave G.

    April 21st, 2007 2:17 pm

    Brian:

    Common misconception is that browser attacks are only social engineering or PEBCAK issues. There have been multiple cases where popular websites were hacked and an attacker modified the website to serve up some clientside zeroday.

  • Matt Thomas

    April 21st, 2007 2:21 pm

    Congrats Dino and Shane. It should be interesting to see how long it takes for Apple to fix this. I also wonder if there are larger implications since Webkit is used throughout MacOS X (assuming it’s a webkit issue and not a safari issue)

  • danieleran

    April 21st, 2007 2:23 pm

    InfoWorld Publishes False Report on Mac Security

    “Nancy Gohring, writing for InfoWorld, delivered a misleading report yesterday on a Mac security exploit contest held at the CanSecWest conference in Vancouver, BC.

    “In her defense, it appears likely that Gohring did not write the headline for her InfoWorld article, which described the contest winner as being “able to remotely break into a Mac as part of a contest designed to illustrate security flaws in OS X.” That part was simply wrong.

    “Whoever did write the headline must have been smoking weed in celebration of 4/20, because Gohring’s article clearly described a local exploit. There’s a big difference between the remote exploits that made Windows infamous for its insecurity and a local exploit of an application.”

    More info under a series of subheadings:

    Gohring’s Mac Security Myths
    Microsoft’s Security Embarrassment
    Mac OS X and Security
    The Mac Minority Malware Myth
    Why Macs Aren’t Sending You Spam

  • Brian R

    April 21st, 2007 2:25 pm

    Dave G:

    Agreed…ActiveX enabled sites come to mind on the Windows side. Re the Mac Safari exploit, I’m curious what specifically needs patching on Safari that isn’t necessary for Firefox, Camino, OmniWeb, etc. (assuming that they are not similarly vulnerable).

  • Thomas Ptacek

    April 21st, 2007 2:27 pm

    It’s stuff like that RoughlyDrafted article that pits the Mac zealots against the security Mac people. Clientsides are not “local” vulnerabilities.

  • Thomas Ptacek

    April 21st, 2007 2:29 pm

    Brian, unless you’ve disabled Javascript (have fun!), your analysis of the seriousness of “malicious URL” problems is remarkably off. It is trivial to get people to visit malicious sites.

  • Robert Moir

    April 21st, 2007 2:33 pm

    It strikes me that a lot of the arguments being presented here in defence of the Mac (browser exploits not local, PEBKAC, “dumb defaults which no one really uses” and the like) were sneered at by Mac advocates when used to defend the same sort of problems on the Windows platform.

    And they’re still wrong, either way.

  • Jim Schmidt

    April 21st, 2007 2:59 pm

    Finding the flaws will only improve the OS. I do believe the reporting leaves a lot to be desired as it does not appear to be very accurate.

    On a side note, those complaining about “mac zealots” seem to be very anti-mac zealots, so it just becomes a perpetual circle-jerk between the two camps. If I could filter out all the moronic MS, Linux, *nix, OS X posts and just read level headed articles I would. But that will never happen when the people reporting continue to sensationalize.

    Congrats on the 10K, btw!

  • Robert Moir

    April 21st, 2007 3:25 pm

    “On a side note, those complaining about “mac zealots” seem to be very anti-mac zealots, so it just becomes a perpetual circle-jerk between the two camps.”

    I’d just like people to realise that their safety or lack of safety is down to hard work by security researchers, OS designers and *themselves* on one side vs. black hats and script kiddies on the other side. Not magic, or how nice the CEO of the company smiles at the camera.

  • julian

    April 21st, 2007 3:25 pm

    “How about the actual (almost) excuse Gruber himself makes:
    “Makes me wonder whether it’s another exploit against Safari’s on-by-default “Open ‘Safe’ Files” preference.””

    I just wanted to note that the reason Gruber brings this up is that he has made it very clear in previous articles that he believes “Open ‘Safe’ Files” should be turned off by default. Every new exploit found which makes use of this preference is another point in favor of getting that preference turned off by default.

    Mac users want Macs to be secure, too.

    If Dino really did discover this flaw on-the-fly as claimed that’s very impressive. Congratulations.

    Maybe it’ll be another point in favor of getting rid of Java. ;)

  • julian

    April 21st, 2007 3:26 pm

    “I’d just like people to realise that their safety or lack of safety is down to hard work by security researchers, OS designers and *themselves* on one side vs. black hats and script kiddies on the other side.”

    If you guys count LMH and the users themselves on the same side, I think LMH didn’t get that memo.

  • Robert C.

    April 21st, 2007 3:29 pm

    Here’s a rationalization: “So few people use Macs that it’s not worth the trouble to exploit this bug–nobody will try to attack Mac users it even if the bugs go unfixed.”

    Oh wait. That’s (close to) Apple’s actual strategy.

  • Thomas Ptacek

    April 21st, 2007 4:53 pm

    Jim Schmidt: that’s a weird criticism to level at a group of people who have almost universally standardized on the Mac as a platform — I’m speaking of security and vulnerability research on the whole, not simply Matasano (which has ALSO standardized on the Mac, and has probably more than once used Macs on Microsoft engagements).

    I think, in this one instance, that I speak for the community as a whole when I say: it’s not the Mac we don’t like. It’s you.

  • Jim Schmidt

    April 21st, 2007 5:07 pm

    Thanks for making my argument Mr. Ptacek. I have said nothing bad about anyone except how it seems there are two extremes on both sides that perpetuate this “zealotry”. I did not claim Mac to be superior nor MS to be inferior. I did not call anyone names nor did I say I “hate” anyone, yet you respond with “I think, in this one instance, that I speak for the community as a whole when I say: it’s not the Mac we don’t like. It’s you.”

    This is an example of the exact behavior that is uncalled for. Direct personal attacks. I believe the behavior of “zealotry” on either side is abhorrent, but this isn’t going to make me “hate” a person. My goodness man, that is such a childish reaction.

    Did I strike some nerve with you? Remember the old saying, if the shoe fits….

  • Dave

    April 21st, 2007 7:01 pm

    “If an OSX vuln can go for 10k now, then a remote Linux vulnerability should be able to fetch 15k”

    No it would be an OPEN SOURCE vulnerability and therefore it’d go for free.

  • Thomas Ptacek

    April 21st, 2007 7:06 pm

    I’m glad we understand each other, Jim.

  • Thomas Ptacek

    April 21st, 2007 7:11 pm

    By the way, in case it makes the saddle on your high horse any more comfortable, a quick subset of the words you used in your two comments:

    zealotry, superior, inferior, “calling names”, hate, behavior, “personal attacks”, abhorrent, childish, nerve, zealots, “inaccurate”, complaining, “perpetual circle-jerk”, moronic, sensationalize.

    Now, in fairness, the worst of my response to you:

    “None of us like you.”

  • Brian R

    April 21st, 2007 7:21 pm

    Thomas, in the interest of accuracy in understanding the nature and scope of the exploit in question, are you reporting that ANY Mac browser with Javascript enabled is exploited, or just a subset of those browsers? I suppose the number of malware-powered bots out there demonstrate how trivial it is to get numbers of computer users to surf to a bogus url and enjoy the consequences.

    However, one of the problems with the reporting of this exploit is the insinuation that the motivating factor is to shove pie in the face of all those Mac zealots who brag that OSX is invincible. In my opinion, this contest would be a hell of a lot more interesting if the winner had hacked a lappie configured the way that a growing number of broadband users would: ie., OSX firewall enabled; stealth mode enabled; running behind a router with SPI enabled, etc.

  • Thomas Ptacek

    April 21st, 2007 7:23 pm

    It’s not Javascript. A Javascript vulnerability would be a much bigger deal, because turning Javascript off breaks the Internet.

    Yeah, I turned off Javascript too, but I did that because there’s always a risk that Dino will whip out a Javascript variant just to make me look dumb. But there’s no specific reason to do that right now.

  • Brian R

    April 21st, 2007 7:29 pm

    Then, why did you suggest turning off Javascript in this very thread? This is starting to come across as a shell game. Make no mistake, I have no illusions that Apple has their security sh*t buttoned down tight. But, there is so much mis-information swirling around about this exploit that it calls into question any assertions at this point, unless supported by detail that sheds light and doesn’t obfuscate.

  • Todd M

    April 21st, 2007 8:23 pm

    @julian:
    The reason I made mention of Gruber’s comment vis-a-vis ‘open safe files’ is that I seriously doubt that ZDI would pay $10k for an exploit that depends upon that.

    @Brian R:
    I fail to see how your suggestions of “OSX firewall enabled; stealth mode enabled; running behind a router with SPI enabled, etc.” would matter.

    A host-based firewall would let any web content in, as it’s been requested by a user behind the firewall. Stealth mode has no effect because again, the attack is a clientside bug in Safari. A router inspecting packets will only be able to detect attacks that it has configured in its filters, which may not detect a 0day attack.

  • Rosyna

    April 21st, 2007 8:30 pm

    If it’s not JavaScript, why mention turning it off at all? Why mention turning off Java, what does Java have to do with JavaScript? Looks like a, what’s it called, MacGuffin?

    You can get the webkit nightlies from WebKit.org.

    As the days go on, this is looking more like a plugin problem if Firefox has the same issue.

    Thomas, I assume that Dino did the responsible thing and immediately reported the bug to Apple’s security team or immediately reported it to the security component in their bug reporter?

  • Jason CRAIG

    April 21st, 2007 8:32 pm

    It seems like Opera will keep holding its “the most secure web browser” crown for some time! I use Opera. May be Opera can pay $10k as well?

  • Rosyna

    April 21st, 2007 8:40 pm

    if this is Java, does it affect PowerPCs too or just ICBMs? IIRC, they have different source bases with different people in charge of each.

  • Thomas Ptacek

    April 21st, 2007 8:53 pm

    Brian: lighten up. I can disclose that it’s a Java applet vulnerability. Dino said “slightly paranoid browser configuration” stops it. You can reasonably assume that turning Java off solves the problem.

    I’m simply going to delete comments that try to turn this into the Maynor game. There is zero question that Dino’s exploit works, and, because of the manner it’s been disclosed, virtually no chance that Apple isn’t going to acknowledge it.

  • Thomas Ptacek

    April 21st, 2007 8:53 pm

    By the way: anyone tempted to gripe about the “obfuscation” can direct their attention at 3Com.

  • Jim Schmidt

    April 21st, 2007 9:18 pm

    Yes Mr. Ptacek I used those big bad words to describe broad generalizations of basically a group of people whom posters have been calling “mac zealots”. At no time did I refer to a person. Nor did I characterize you or any group except for these “zealots” both anti and pro mac that people are complaining about.

    The only person that made it personal was you. I find this illuminating. Taking what words I use and just listing them out of context is a cute way to attempt to make it seem that I’m name calling, but if you go back to either of my posts I have not done so. I’m sorry if you felt I was calling you childish, I was not, just your response.

    Further, don’t you think it is a bit presumptious to speak for “everyone” or did I miss something and you are God?

    I apologize if any of my words, none of which were ever directed at you, hurt you. I’m sorry that they cut so close to the bone that you felt a need to respond in such a hateful manner.

  • Thomas Ptacek

    April 21st, 2007 9:20 pm

    “big bad words”, “generalizations”, “complaining”, “personal”, “cute way to attempt”, “childish”, “presumptious”, “you are God?”, “hurt”, “cut so close to the bone”, “hateful”.

    Do you have anything technical to contribute? I just posted a challenge. Take a crack at it! Maybe it’ll take your mind off of how fed up you obviously are with security professionals.

    http://www.matasano.com/log/809/a-little-challenge-to-our-mac-advocate-friends/

  • Terri Forslof

    April 22nd, 2007 1:15 am

    First- Congratulations to Dino for winning the contest!
    To help alleviate some of the questions about the disclosure of this vulnerability, and details surrounding it-
    Dino has submitted the details of the vulnerability he used to the Zero Day Initiative program. We will independently verify the issue (as quickly as possible) and then formally contract the vulnerability and award the bounty to Dino.
    As soon as the issue is verified, we will immediately disclose the vulnerability to Apple (and Mozilla, since Firefox has been found to be vulnerable as well).
    At that time, we’ll post the issue on our upcoming advisories page: http://www.zerodayinitiative.com/upcoming_advisories.html
    So everyone can track it until Apple resolves it.

    As per the ZDI disclosure policy, details of the vulnerability will not be discussed in depth until the respective vendors have a chance to get updates out.

  • grrrr

    April 22nd, 2007 2:43 am

    If it is a Java applet bug, are other systems that have Java, like Linux or Windows, also affected?

  • Fred Hanranhansenhansen

    April 22nd, 2007 3:45 am

    The thing I like about this bug and also the MOAB bugs is that they are not big-game. You don’t even need a hunting license to hunt these bugs. You can be a rodent and rabbit hunter … small varmints, if you will … and still hunt these tiny little bugs.

    There are individual Microsoft Windows bugs that have cost billions of dollars. The singularly low quality of Microsoft software is the elephant in the room in tech today. Anyone defending Microsoft on a technical level has to be immediately suspect because they are so far out of date that my next phone is going to have both a better core OS and better Web engine than Microsoft Windows Vista. It isn’t just Microsoft’s illegal business practices that are the problem; there is also the massive quality problem.

  • […] According to Matasano, the only way to protect yourself is by turning off Java in the browser settings. When full details come available, I wonder how fast Apple is gonna fix this. This is one where Apple can really show how it thinks about vulnerability management. […]

  • Snagg

    April 22nd, 2007 7:24 am

    I might be wrong, but I think it is a plugin problem. Those of you who run Safari, just go to http://www.etienne.nu/isis/start.html (ISIS, a High IQ society website) and you will see Safari crashing. From the backtrace, one of the last things it tries to do is to open a new bundle:
    11 com.apple.Foundation 0x92bc9a00 _NSBundleLoadCode + 820
    12 com.apple.Foundation 0x92bc91e0 -[NSBundle load] + 308
    13 com.apple.Foundation 0x92bc9094 -[NSBundle principalClass] + 44
    14 com.apple.WebKit 0x95be1690 -[WebPluginPackage load] + 60

    And then it has some serious problems with image mapping:
    1 libobjc.A.dylib 0x90a45d4c flush_caches + 220
    2 libobjc.A.dylib 0x90a3fb7c _objc_read_categories_from_image + 136
    3 libobjc.A.dylib 0x90a3d260 map_images + 656
    4 dyld 0x8fe0f590 ImageLoaderMachO::doNotification(dyld_image_mode, unsigned, dyld_image_info const*) + 108
    5 dyld 0x8fe035c4 dyld::notifyAdding(std::vector >&) + 260
    6 dyld 0x8fe0dc34 ImageLoader::link(ImageLoader::LinkContext const&, ImageLoader::BindingLaziness, ImageLoader::InitializerRunning,

    I cannot say whether the bug discovered by Dino was this or not, but to me it sounds like it..

  • Brian R

    April 22nd, 2007 7:40 am

    Terri..
    Thanks for that post. Can you disclose whether Dino’s reported vulnerability affects browsers beyond Safari and Firefox, i.e., Camino, Opera and OmniWeb?

  • Thomas Ptacek

    April 22nd, 2007 8:20 am

    Fred, no company in the world spends more on software security, PER TITLE, than Microsoft.

  • Thomas Ptacek

    April 22nd, 2007 8:20 am

    grrrrrr: doubt it.

  • […] A $10,000 prize has been awarded to the hacker who won the challenge and managed to get into a Mac left exposed to the internet. I think this is the first time something like this has happened with MacOS. It took a $10,000 prize and quite a lot of time, whereas on Windows a day is enough and people do it for free, but that does not take away from the fact that the event is important and makes MacOS X insecure. […]

  • Jim Schmidt

    April 22nd, 2007 12:01 pm

    So Mr. Ptacek you are claiming that people in the security field are either mac zealots or anti-mac zealots?

    I have nothing against computer security professionals, real ones. A true professional would not make generalized statements or take words out of context in an attempt to make themselves look good.

    You do not appear very professional Mr. Ptacek as you have assigned things to me that I have never said and taken things I have said out of context.

    I’ll post a challenge for you Mr. Ptacek: can you make a post without cut and paste? Can you find where I said I am fed up with security professionals? I’m not, by the way, but if you can find the post, cool! But you prefer to write things in the hope people will read them, and if enough people read them maybe they will become fact.

    What are you going to accuse me of next Mr. Ptacek?

  • Thomas Ptacek

    April 22nd, 2007 12:06 pm

    Not having anything interesting to say.

  • newsham

    April 22nd, 2007 1:40 pm

    “A true professional” — wouldn’t a true security professional (“real ones”) be someone who is trained in computer security who gets paid to do computer security? i.e. what Tom’s been doing since 1997 or thereabouts? (That’s what I always thought, but I’m not really that great with the English).

  • Thomas Ptacek

    April 22nd, 2007 3:38 pm

    95, yo. FreeBSD crt0 was my first finding.

  • Thomas Ptacek

    April 22nd, 2007 3:39 pm

    Every time I try to play the “I Actually Am A Lawyer” card, someone accuses me of being elitist; just like every time I say the Mac is safe, but not secure, I’m accused of hating the troops.

    Hypothetical straw-man Mac person: if I could send you back through time so you could catch up to security research circa this decade, really and for true, I’d do it.

  • Brian R

    April 22nd, 2007 4:41 pm

    Thomas, is your ‘Mac-standardized’ group running AV on Tiger? I’ve found that Intego’s VirusBarrierX4 plays nice with the OS and apps, but of course, hasn’t been catching anything yet.

  • Thomas Ptacek

    April 22nd, 2007 4:46 pm

    I don’t see the point. There really aren’t any major Mac viruses.

  • El Capitano

    April 22nd, 2007 5:26 pm

    “EXCLUSIVE: MUST CREDIT MATASANO” (repeatedly)

    You don’t really understand how the press works, do you? It’s news now. Sorry. You can’t insist on attribution any more.

  • Thomas Ptacek

    April 22nd, 2007 5:28 pm

    You’ve really never read the Drudge Report before, have you? No offense, but I think your sense of humor needs tuning.

  • Brian R

    April 22nd, 2007 5:36 pm

    Thomas, the ‘point’ is elementary. Those of us who trade files in a mixed OS environment every day (60% of my day is in Windows XP Pro) have to avoid inadvertently passing along any Windows malware that is otherwise harmless for the Mac. The Mac doesn’t get a free pass in our enterprise. See the point??

  • Thomas Ptacek

    April 22nd, 2007 5:40 pm
  • […] April is turning out to be a fairly complicated month for the security of Apple systems. The Cupertino company recently released no fewer than 25 patches for as many vulnerabilities. But there is never too much security, and from CanSecWest comes bad news for MacOSX users who use Safari. It seems that a 0-day vulnerability has been identified in the browser which, if exploited, would allow control of the victim machine with the user’s privileges (so not root). Simply browsing to a page containing the exploit would be enough to compromise the system, giving access to an external attacker. At the moment no PoC has been made public, but in any case, if you use Safari, be very careful. A few more details have been revealed on Brian Krebs’ blog and on Matasano Chargen. […]

  • One Mac hacked, one to go « GRIND3RMAN

    April 22nd, 2007 6:40 pm

    […] April 22nd, 2007 From a security conference comes news of a Safari and Firefox vulnerability linked to Java that allows the attacker to obtain a remotely controllable shell. […]

  • El Capitano

    April 22nd, 2007 8:09 pm

    “You’ve really never read the Drudge Report before”

    Ah, I didn’t realise that was a prerequisite. Sorry, I’m a Mac user, not a right-wing nutjob (well, maybe the nutjob bit is accurate).

  • […] Thomas Ptacek at Matasano: Turn off Java; to be safe, until Dino lets us say more, turn off everything else too. Or live dangerously like me. […]

  • […] Oooh! So scary! Bad bad hacker pwned a MacBook. Seriously man, this story is overblown. Especially when the vulnerability is a problem with Java and affects other browsers like Firefox. Security blog Matasano Chargen confirms this and tells us how to defend against this zero-day exploit - turn off Java in your browser. […]

  • Thomas Ptacek

    April 22nd, 2007 10:05 pm

    I’m not sure why anyone would care about whether the vulnerability involves Java, and, uh, call me crazy, but doesn’t the fact that it breaks FFX make it WORSE, not BETTER?

  • Rosyna

    April 22nd, 2007 11:38 pm

    “As soon as the issue is verified, we will immediately disclose the vulnerability to Apple (and Mozilla, since Firefox has been found to be vulnerable as well).”

    If the issue is in Java, why would you bother to contact Mozilla? Does Firefox ship with its own JVM now?

  • […] Details of the security hole have not yet been published. Presumably a specially prepared web page was used to get code executed via Safari. The Matasano blog reports that the security hole is said to affect Firefox as well. […]

  • Max

    April 23rd, 2007 3:51 am

    Thomas,

    thanks for the Matasano site. It was unknown to me. Great resources.

    One question though, the very same engineer who developed the exploit on Dino’s finding said that because in real life people will be behind a router this exploit will not be capable of a full remote exploit. Could you elaborate on this?

  • bob

    April 23rd, 2007 5:54 am

    What can this vulnerability do to your computer?

  • JulesLt

    April 23rd, 2007 5:59 am

    >Anyone know if it affects both Intel and PPC?
    Well, if it’s Java then yes . . . (watch Jobs get rid of Java from OS X as well as the iPhone - ‘I told you it was a goddamn ball and chain’).

    I like the fact Firefox is affected too, because it makes a lot of people look dumb for thinking that makes them better/safer and mouthing off before knowing the facts.

    Also - changing the rules of the contest is completely acceptable as it’s been clear - you could see it as a sequence of challenges. Personally I think the fact the second challenge has been achieved gives more credibility to OS X surviving the ‘drive-by’ phase - it shows it’s not just that no one can be bothered, but that it survived.

    The problem will come when it hits the mainstream media, or at least cnet, where the story will become confused, or simplified.

    Robert C - we just don’t know Apple’s strategy or what efforts they put in, internally, into security, do we. The fact that MS employ a full time security PR team, and have realised it pays to engage with the security community, tells us nothing about Apple. Just as we don’t know how effective any Mac AV software is. Here’s our opportunity to find out.

    Distribution of vuln : I’d guess mySpace or any other easily hacked site that allows embedded code / mashups, and has an audience likely to have a significant number of Mac users. Or at the very least that’s the kind of place you can get somewhere to link somewhere dumb by spamming comments.
    Or put up a site of ‘Leopard preview screenshots’.

  • Brian R

    April 23rd, 2007 6:00 am

    Thomas, does the exploit ‘break’ OmniWeb specifically?? Also, can you pierce my Keychain config if it’s behind 1Passwd (see Agile Web Solutions)? just curious…

  • Thomas Ptacek

    April 23rd, 2007 8:38 am

    Brian: I don’t know much about 1passwd, but am guessing “yes”. I think 1Passwd might make things slightly worse.

  • Thomas Ptacek

    April 23rd, 2007 8:39 am

    Max, “the very same engineer” who developed Dino’s exploit is Dino, and I assure you, Dino didn’t say that “routers” protect you.

  • Brian r

    April 23rd, 2007 8:58 am

    Thomas, are you guessing that a filter like 1Passwd would make things slightly worse for the user or more difficult for the hacker? Could you take a few moments, and look at the Agile Web Solutions app info and perhaps comment..

  • […] According to Matasano (home base for security researcher Dino Dai Zovi), the announced-but-unreleased web browser exploit that was used to win the CanSecWest MacBook Pro challenge involves browser support for Java. Turn off Java for Safari (or Firefox, or Camino) and your machine is immune. […]

  • […] Is it just my imagination, or has there been a lack of security blogging meat here lately? There have been a few things happening, but I am fairly bored with stuff right now. The Mac Book hack over at Matasano was pretty cool, but I honestly didn’t want to blog about it because it all just sounded like the typical “Bash Mac because of arrogance - Love Mac because it’s pretty” thing that goes around and around. […]

  • Max

    April 23rd, 2007 10:12 am

    Max, “the very same engineer” who developed Dino’s exploit is Dino, and I assure you, Dino didn’t say that “routers” protect you.

    Thomas, I meant Macaulay. He made the comment reported on the SecurityFocus website:

    “This is more realistic,” Macaulay said of the exploit. “Everyone is going to be behind a router, so you are not going to have a chance to use a fully remote exploit.”

  • Thomas Ptacek

    April 23rd, 2007 10:37 am

    Max: he’s saying that clientside browser exploits are WORSE than client-server remotes.

  • Max

    April 23rd, 2007 10:51 am

    Specifically, since the problem seems to be with Java, what could Apple possibly do? Make Safari more of a watchdog for Java problems?
    Will Safari then become slower, or will Apple be able to post a patch to its own Java VM?

    I thought it was a specific Safari issue rather.

  • Andrew

    April 23rd, 2007 11:03 am

    What about Opera, is that affected?

  • Adam

    April 23rd, 2007 2:45 pm

    How can one get you to go to an exploitable site? Email -> “Citibank requires you to log in and verify your account - click here”, link on a forum for spam -> “Apple has gone nuts and is selling MacBook Pros for $500 - click here”, go to a graphic design freelance forum (most of them use Macs), “I’m requesting a logo to be created, I’m willing to spend between 500 and 1500 dollars, respond asap to email@host.com”, and don’t mind where that link goes to.

  • ESET Research's Blog

    April 23rd, 2007 4:36 pm

    New security flaw affecting Mac OSX

    The “pwn-2-own” challenge at CanSecWest has been won. One of the two Mac laptops that were made available to be attacked by the conference attendees has been compromised by Shane Macaulay using a vulnerability discovered by Dino Dai Zovi. The flaw s…

  • Nate

    April 23rd, 2007 5:00 pm

    Tom, this stuff is hilarious. Keep up the Onion-quality comments. Maybe ask the audience why fewer lines of code are always more secure or something.

  • Thomas Ptacek

    April 23rd, 2007 6:11 pm

    There are a million ways to get people to the site of your choosing, and the best don’t even involve an explicit user action.

  • T Bade

    April 23rd, 2007 6:19 pm

    What amazes me most about these “contests” is that they are sponsored by the very companies that stand to make a profit if people who use Macs begin to have a need for anti-malicious-software applications.

    Is it obvious to only me that these people are only looking to find a way to make more money?

    What a sickening thought that the great programming minds of our world think only of profit and spend their resources scaring grandmothers and other people who just want to use their computers for fun. “Buy our software before it is too late, you wouldn’t want to loose those pictures of your grandchildren, would you?”

    I don’t think anyone ever said Mac OS X was invulnerable. We all know that there are some few viruses for the Mac because its marketshare is significantly less than MS’s and the negative effects of writing this code wouldn’t be big enough for the people who write such code. Then again, perhaps they aren’t into scaring grandmothers, and other people who enjoy using the Mac, unlike their more “ethical” counterparts that create anti-virus software :-)

    Please, try not to choke when you enjoy your victory meal, we wouldn’t want any more negative effects from this silliness….

  • Thomas Ptacek

    April 23rd, 2007 6:32 pm

    T-Blade, I don’t understand what you’re saying at all. Help me understand your argument. Dino didn’t ship the vulnerable code. Neither did 3Com. Right now, it looks like Apple shipped the vulnerable code.

    Dino’s time is valuable. Dino has no obligation to Apple. Apple charges him to run Apple software on Apple hardware. Dino pays them money to use Apple gear.

    You have never found a vulnerability in Apple code. I am guessing you’ve never found a vulnerability in anyone’s code. I want to understand better why you feel like you can dictate terms to people who do that work. If you’d like a different standard of disclosure — and I will probably agree with it — why don’t you go find some vulnerabilities of your own?

  • KC

    April 23rd, 2007 6:49 pm

    Very cool for CanSec West to offer the bounty! Congrats on getting it collected and good disclosure process going on. Seems like it will take some time, so everyone should cool their jets on the ‘which browser’ stuff until they say more.

    Long time Mac (and Windows) user, and of late, security guy.

    User/client-side exploits are the BIG attack surface in my world these days, so it’s good to see attention going that way.


  • joeldm

    April 23rd, 2007 7:01 pm

    The interesting thing about this to me is that it took a hackers’ convention and then, after a day of no success by said hackers (and a lot of hemming and hawing about “we don’t really _want_ to hack that Mac!”) in penetrating either MacBook, a “relaxation of the rules” to make this come true.

    But hacked the Mac is and I wonder what this means? Will there, at long last, be one exploit in the wild for the OS X? Will more than one Mac ever be exploited?

    Reading all the snarky, snobby FUD above one would think the Mac bird flu was moving across midwest . . . but that isn’t the case, is it?

    Macs currently ship about 5% of PC marketshare but still have approximately (rounding here) 0% of the exploits. If they are as fragile as the discussion here implies, shouldn’t they at least have .0001%?

    Explain it to me like I’m 4. Why does it take a convention to hack one Mac (using relaxed rules) and if a PC (and tell me if I’m mischaracterizing this) was configured similarly and placed on the web _anywhere_ it would take less than an hour for exploits to start taking the machine over and making it into a Borg machine?

    Am I overstating this? Did the Mac have a firewall turned on? Any antivirus protection? What am I missing here?

    Why is the difference in the reality of Mac security (zero exploits in the real everyday user world) vs PC security (numerous exploits across the board unless draconian efforts are made to secure a home PC) so stark? Marketshare just doesn’t cover it.

    Why the difference in the real world? And no BS, please, tell me the real reason why Macs are de facto, so secure.

    JoeL

  • Thomas Ptacek

    April 23rd, 2007 7:03 pm

    “Relaxed rules” is just a talking point. It’s inside baseball. The attack Dino found hurts you even more than the class of attack (client->server) you’re thinking about. If you have to be educated on why the OSX firewall doesn’t stop this attack, there is very little chance I’ll be able to explain the severity issue either.

    The reason why Macs are, prima facie, *safer* is that they are a less relevant target for attackers.

    http://www.matasano.com/log/644/safety-vs-security-2/

  • Ryan Russell

    April 23rd, 2007 8:21 pm

    Ptacke: “There are a million ways to get people to the site of your choosing, and the best don’t even involve an explicit user action.”

    But Tom, how in the world are you going to get the mac zealots to come visit your web site?

  • Matt

    April 23rd, 2007 8:27 pm

    BWAHAHAHA… Thread over, Mr Russel wins.

  • Ryan

    April 23rd, 2007 9:21 pm

    [IMG]http://i93.photobucket.com/albums/l50/oracle619/20060513.jpg[/IMG]

  • joeldm

    April 23rd, 2007 9:51 pm

    “If you have to be educated on why the OSX firewall doesn’t stop this attack, there is very little chance I’ll be able to explain the severity issue either.”

    Interesting, you could have chosen to educate or to be smugly juvenile. I might have gone another way. I know why a firewall doesn’t help when you choose to navigate to a site with an exploit embedded in it, still, it doesn’t explain why Macs are safer overall. I know you know, if you don’t then there is very little chance I’ll be able to explain it to you.

    Your “they are a less relevant target for attackers” is obfuscatory drivel and doesn’t really address the issue. Why is there a 5% marketshare of Macs but 0% marketshare of Mac exploits? You know. Jupiter Research in 2005 said that 14% of businesses with 10,000+ employees run OS X Server. I know of companies here in Fatlanta that run OS X Server. If companies run it and Mac users are such braggarts about being so secure (like me, no firewall and I download music randomly and run no antivirus) and if security geeks are holding conferences where they jury-rig some exploit off a 2nd party card that isn’t really widely transferable to the real world like many of the most damaging Windows exploits are, then how is it possible that Macs are “less relevant”.

    Some of these guys are DROOLING to see a virus in the wild for Macs. Drooling! I know I read the comments after these articles and you’d think their city just won the super bowl, world series and their girlfriend is playmate of the month when there is even a _suggestion_ that a Mac is perhaps, maybe, someday, under-the-right-circumstances, “watch-out-it-could-be-you-next”, if you just go to THIS website, vulnerable.

    They’ve heard how bad Windows security sucks for so long and what you have to do to lock it down (and my Windows machines ARE locked down, haven’t had a virus in some time!) and if Mac were just 1% as sucky, they’d die happy . . . .

    Every other day I see an article about Mac security and how poor it is from some company either with a product to sell or a bone to pick, but I NEVER see these exploits spread into the wild like the Windows exploits so commonly do. EVER. Why IS that? There’s so much public interest in Mac security literally EVERY DAY that your puerile excuses about how “they are a less relevant target for attackers” just sounds . . . well, silly! Look it up man, plug “Mac vulnerability” into any search engine and check out how “relevant” thousands of people think it is.

    Why, have so many PC exploits spread worldwide and caused billions of dollars of damage and yet even when someone finds some potential exploit in the Mac OS, it never does? Yes there are _potential_ exploits found in the OS regularly just like any OS. Yet nothing comes of them.

    There is a reason and it’s not numbers, babe. You’re the expert I’m just a fanboy.

    JoeL

  • Thomas Ptacek

    April 23rd, 2007 10:36 pm

    You’re right. I am, you are. Virtually all of the Fortune 500 has more than 10,000 employees, and you just attributed Apple a 14% SERVER share there.

    I’d like you to name one of the security “geeks” you know that are DROOLING, just DROOLING for an OSX virus. I’ll give you a tip, while I’m wallowing in smugness: check our blogroll and comment feeds.

    Just name one.

  • joeldm

    April 23rd, 2007 11:53 pm

    “You’re right. I am, you are. Virtually all of the Fortune 500 has more than 10,000 employees, and you just attributed Apple a 14% SERVER share there.”

    Soooooo . . . your assertion is that all companies over 10,000 employees are Fortune 500? Wow, I guess our economy isn’t as big as I thought! You might want to retool that logic stream there, Frege.

    “I’d like you to name one of the security “geeks” you know that are DROOLING, just DROOLING for an OSX virus. I’ll give you a tip, while I’m wallowing in smugness: check our blogroll and comment feeds.”

    Ahhh! You’re seeking a diversion! You want to avoid answering my pesky query so you select an observation I’ve made about the character of these discussions and want me to prove an unprovable so that you won’t have to comment on what my post is really about. Nice. A sort of straw man technique to avoid having to answer my question. The question. Such courage, such panache! What intellectual curiosity!

    I don’t believe it, but let’s _say_ NO Windows security bloggers find Mac assertions of invulnerability galling and wish in their heart of hearts that JUST ONE Mac virus would do generally harmless, but widespread mischief in the Macish world (And Red Sox fans wish the Yankees well . . . .).

    So in this utopia of yours, why has the OS X Mac been so secure and Windows (at least until Vista, and then we’ll see) NOT (see previous note)? Your turn. Be honest. It’s midnight, you can be honest. I know there are structural differences between Windows and the Mac, differences in approach that go back to almost the birth of Windows and its proprietary code. Macs were reborn in 2001, Phoenix’d from NeXT. Hatched from Unix.

    I swear these discussions crack me up. You guys really live in your own world, don’t you. Hacker parties where they try to hack Macs under very controlled circumstances and then chortling with glee:

    “In the meantime, a drinking game: predict the rationalizations given by Mac zealots for why this finding “doesn’t count”.”

    What was it you wanted me to look up again? “Mac Zealots?” There’s more . . . but answer my question.

    I was watching a news program where one political operative said during one of those Crossfire moments that “everyone has an agenda”. Everyone, of course, except the articulator of everyone else’s agenda. The camera panned to another veteran newsman and his face said it all: “yeah, everyone but you — right.”

    BS is so much easier to spot than exploits.

    JoeL

  • Thomas Ptacek

    April 24th, 2007 12:59 am

    So, you can’t name a single “security geek” who’s DROOLING, just DROOLING, over a Mac virus. Let’s “relax the rules” for you. Name a single company with more than 10,000 employees besides Apple that relies on Apple servers.

  • Thomas Ptacek

    April 24th, 2007 1:07 am

    Let me help put this in perspective, by the way. Here’s a quick list, just off the top of my head, of companies that rely on Windows servers:

    * Wal-Mart
    * Exxon
    * GM
    * Ford
    * GE
    * Chevron
    * Conoco
    * Citigroup
    * IBM
    * AIG

    That list might look familiar to you. Sorry.

  • Thomas Ptacek

    April 24th, 2007 1:08 am

    So, you just name one company that relies on Apple servers. Gotta have more than 10,000 employees. Can’t be Apple.

  • Matt

    April 24th, 2007 1:40 am

    joeldm: Please read up on the economics of modern vulnerability research and exploit development, with particular attention to the black markets surrounding botnets and activities made possible by botnets.

    Just to add a little fuel to the fire, here’s the start of a mailing list thread with some anecdotal discussion of Macs getting compromised:

    http://lists.apple.com/archives/macos-x-server/2006/Dec/msg00422.html

    The bad guys don’t need OS or service vulns if you have a weak password or are running some broken PHP.

  • Brian R

    April 24th, 2007 7:39 am

    Yo, Thomas….could you take a quick look at the links here:
    http://1passwd.com/ ……and comment on their approach to protecting Mac webforms, passwords, Keychain, etc. How readily do you think you can crack their solution, given that the password utilized in setting up 1Passwd is not logged or stored anywhere. Also, look at their approach to defeating keyloggers and phishers…thanks.

  • Giorgio Maone

    April 24th, 2007 8:20 am

    Well, if it affects Firefox too and it’s Java and/or (less likely) JS related, looks like just another job for NoScript :)

    http://noscript.net

  • Apple MacBook Hacked | The SoBe Project

    April 24th, 2007 10:49 am

    […] After TippingPoint put its money on the line and the challenge progressed to include riskier behavior, the winning exploit appeared, requiring that a URL received via email was opened using the default Safari Web browser (relying on user interaction was a change from the original rules, after no one had been able to break in previously). However, the exploit wasn’t based on Safari’s “Open ’safe’ files after downloading” preference, as was originally suspected. According to security researcher Thomas Ptacek, the attack was based on a flaw in Java, which would affect other Mac browsers as well; turning off the Enable Java preference in Safari or other browsers will protect against the vulnerability. […]

  • joeldm

    April 24th, 2007 2:21 pm

    Matt,

    “Just to add a little fuel to the fire, here’s the start of a mailing list thread with some anecdotal discussion of Macs getting compromised:
    http://lists.apple.com/archives/macos-x-server/2006/Dec/msg00422.html

    You didn’t read down far enough:
    http://lists.apple.com/archives/macos-x-server/2006/Dec/msg00494.html

    They used a compromised user account, not a bot.

    JoeL

  • Thomas Ptacek

    April 24th, 2007 2:34 pm

    And?

  • joeldm

    April 24th, 2007 3:17 pm

    Cox newspapers uses Mac servers and desktop Macs for at least 50% of their publishing enterprises, 17 dailies and 26 non-dailies nationwide. Cox Enterprises has 77,000

The AJC recently ran an article about how much the switch has saved them, and their major advertising vendor, DTI, which does business with nearly every newspaper in the US, reported that “Our clients were primarily Macintosh users”.

Cox Communications uses more than Mac servers, of course; Final Cut Pro Non-Linear Edit Suites are common across the entire company, and who can say how much penetration Macs have in other areas of this media company? Fortune 500, baby!

    I also remember that U of F also runs OS X servers and desktops, that’s 50,000 students and professors.

    But is this going to be a pissing contest now? I thought someone, anyone would step up and answer my question. No one has. Now why would that be? No guts, no glory!

    Why is OS X so much more secure than Windows? I know you guys know, you’re just too . . . err . . . timid to admit it.

    And really, a link to some obscure discussion about a bot that turns out NOT to be a Mac bot? Really, that’s pathetic. Step up or step off wimps . . . .

    nyuk, nyuk,

    JoeL

  • Thomas Ptacek

    April 24th, 2007 3:18 pm

    U of F isn’t an enterprise and you just counted their customers as employees.

    Please cite a source saying Cox uses Mac *servers*. Any enterprise with “creatives” in-house will use Mac desktops, but attackers aren’t motivated by zero-day TIFFs.

  • Matt

    April 24th, 2007 3:20 pm

    joeldm:

    No, I actually read the whole thread. Compromised is compromised. Weak passwords are one of the lowest of the low-hanging fruit; why bother spending time and/or money weaponizing a “real” vulnerability when you can just write a loop around ssh and /usr/dict/words?

    My point (if any) is that saying “No Mac has never been pwned in the wild” is prima facie incorrect; if that’s what you were trying to say earlier, I think you actually meant, “I don’t have any evidence of a Mac being pwned in the wild by a remote vuln in Apple software” (because I assume you’re going to discount vulns in, say, Apache).
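The “loop around ssh and a wordlist” that Matt describes leaves a very recognizable trail in sshd logs, and that trail is what a defender should be watching for. The following is an added example, not code from this thread or from any commenter: it parses constructed syslog-style sshd lines (the hostnames, addresses and usernames are made up), flags any source address that racks up a burst of failed logins inside a short window, and notes whether a password login from that same source succeeded after the burst, which is the sign the guessing worked. The threshold and window are assumptions you would tune for your own environment.

```python
"""Flag SSH password-guessing bursts in sshd log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines, not real data. Classic syslog omits the year,
# so the parser assumes one (2007 here) when building timestamps.
SAMPLE_LOG = """\
Apr 24 03:17:01 web1 sshd[4101]: Failed password for invalid user admin from 10.0.0.9 port 51010 ssh2
Apr 24 03:17:02 web1 sshd[4103]: Failed password for invalid user test from 10.0.0.9 port 51011 ssh2
Apr 24 03:17:02 web1 sshd[4105]: Failed password for root from 10.0.0.9 port 51012 ssh2
Apr 24 03:17:03 web1 sshd[4107]: Failed password for invalid user oracle from 10.0.0.9 port 51013 ssh2
Apr 24 03:17:03 web1 sshd[4109]: Failed password for root from 10.0.0.9 port 51014 ssh2
Apr 24 03:17:04 web1 sshd[4111]: Accepted password for root from 10.0.0.9 port 51015 ssh2
Apr 24 03:20:15 web1 sshd[4120]: Failed password for alice from 192.168.1.20 port 40022 ssh2
Apr 24 03:21:40 web1 sshd[4122]: Accepted publickey for alice from 192.168.1.20 port 40023 ssh2
"""

# Matches the OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" form.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse(line, year=2007):
    """Return a dict for an sshd auth line, or None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def find_bruteforce(log_text, threshold=5, window_s=60):
    """Return {ip: report} for every source with >= threshold failed logins
    inside any window_s-second span. threshold/window_s are assumed tunables."""
    events = [e for e in (parse(l) for l in log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        fails = sorted(e["ts"] for e in evs if e["result"] == "Failed")
        burst_end = None
        # Sliding window over the sorted failure timestamps: the first window
        # of `threshold` failures that fits inside window_s marks a burst.
        for i in range(len(fails) - threshold + 1):
            if (fails[i + threshold - 1] - fails[i]).total_seconds() <= window_s:
                burst_end = fails[i + threshold - 1]
                break
        if burst_end is None:
            continue
        # A password (not key) login from the same source at or after the burst
        # is the strongest indicator that a weak password was found.
        success_after = any(
            e["result"] == "Accepted" and e["method"] == "password" and e["ts"] >= burst_end
            for e in evs
        )
        flagged[ip] = {
            "failures": len(fails),
            "users_tried": sorted({e["user"] for e in evs if e["result"] == "Failed"}),
            "password_login_after_burst": success_after,
        }
    return flagged


if __name__ == "__main__":
    for ip, report in find_bruteforce(SAMPLE_LOG).items():
        print(ip, report)
```

In the sample, 10.0.0.9 produces five failures in two seconds across four usernames and then a successful password login, so it is reported with `password_login_after_burst` set; alice’s single typo followed by a key login is left alone. Feeding real `/var/log/auth.log` or `/var/log/secure` content through `find_bruteforce` works the same way, and the obvious follow-ups on a hit are to disable password authentication for sshd and review what the accepted session did.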

  • Thomas Ptacek

    April 24th, 2007 3:21 pm

    Nice trying to move the goalposts, though. Sorry, we’ll only “relax the rules” once.

  • Mike

    April 25th, 2007 12:56 pm

    Sounds like ManBearPig logic. The only facts that count are the ones that the Zealots want to count. Same crowd I guess.

  • joeldm

    April 26th, 2007 1:13 pm

    Facts seem to be plastic things around here. I keep asking the same question, you keep answering the one I didn’t ask. Afraid to I guess. It’s like watching an old rerun of Crossfire.

    Does OS X have vulnerabilities? Sure. Has OS X been widely compromised a la Windows? No. Name one compromise that has been widespread and has done damage. Can we say the same for Windows? No we can’t. Windows exploits are legendary and widespread and ongoing. There are over 22 million OS X installs in the US. This isn’t a small target. And BTW, the test was for a desktop system, so whining that OS X Server isn’t installed widely is kind of lame.

It’s interesting to me that this conference didn’t set up three computers for the test, one Windows running Vista, one Mac running Tiger and one Linux (pick your distro). But as Microsoft is a sponsor I guess that just wasn’t in the cards. From a Mac-watcher’s POV this is all too familiar FUD.

    No computer is completely secure, but to suggest that Windows security and Mac security are somehow equal given their architectures is a whole new level of naivete. It’s hard to imagine what mental gymnastics are required to arrive at this self-congratulatory circle jerk . . . but it’s fun to watch!

    The fact is, both Macs survived ethernet and wireless access attacks. No one was able to commandeer either machine under the original rules. On the second day, regardless of your making fun of the phrase, the rules _were_ relaxed and hackers were allowed to put code on a wiki & do drive-bys using Safari.

    What we learned is that Safari has a flaw, nothing more. So does Firefox and so does the PC version and IE? Well, you tell me. And refresh my memory, even with the “relaxed” rules, the second MacBook was never compromised, correct? Maybe next time you could sit at the keyboard with root access open. Or maybe they should just have installed Vista using BootCamp.

    It’s been fun(ny) . . . .

    JoeL

  • Thomas Ptacek

    April 26th, 2007 1:33 pm

    Joel, I’d like you to find anyone, in this whole big crazy wide world of ours, who (a) works professionally in security and has published — in any security venue: advisories, papers, refereed journal articles, and the like; and (b) agrees with any of these points.

    Just one person.

    I will be more than happy to reciprocate.

  • joeldm

    April 26th, 2007 8:28 pm

    Dai Zovi:

    “Apple has made some sound design decisions in Mac OS X, such as minimizing the number of default open network services, using non-executable writable memory segments and employing a well designed administrative user authorization system, that are also good security measures.”

    You, uh, know this guy, right?

    If you were to look at the thread of my posts they are essentially (with some frills around the edges) the same as his comment: that Apple made sound security decisions in their design of OS X. Not least of which is that it is built on a foundation of Open Source Unix while Windows is entirely proprietary and secretive.

    BTW, your response is so vague as to be interpreted in almost any way, so it’s impossible to know what you’re referring to exactly. Plausible deniability!

    My question put to your group of somewhat supercilious and dismissive posters might have easily been answered by Mr Zovi’s comment as quoted above.

    BTW, do you agree with this guy or is he another “zealot?”

    I also note that Jim Schmidt struck a reasonable and mature tone in the discussion about the notion of attackers on both sides being engaged in a polarized “circle jerk” only to be attacked personally and unnecessarily by Thomas Ptacek (proving his point). Clearly, maturity has nothing whatsoever to do with security work.

    JoeL

  • Techno Pinoy » Is a Mac REALLY safer?

    April 26th, 2007 8:53 pm

    […] According to the CanSecWest site, “there is an exploitable flaw in Safari which can be triggered within a malicious web page” and Matasano claims that the vulnerability affects Firefox as well and advises to turn off Java to be safe (the best way to turn off Java in Firefox is to use the NoScript add on). […]

  • generic mac user

    April 26th, 2007 9:18 pm

    Please just answer these questions. Or say why you’re avoiding them. Or preferably, both. I’m curious.
Is it harder to discover a new exploit in Windows or on a Mac?
    Why are Macs so safe if they aren’t secure? You hear about occasional crimes happening in the suburbs, but you never hear about instances of malware affecting Macs.

    A straight answer would really help me understand the security of my computer better. If there’s no clear answer, just say so, or guess, or something. : )

  • Thomas Ptacek

    April 27th, 2007 1:15 am

    It’s harder to discover a new Win32 vulnerability. There’s tens of millions of dollars spent hunting down the few remaining Windows vulnerabilities and nothing comparable on the Mac side.

    Macs are safe for the same reason my house in Oak Park is safe and insecure, while my apartment on Racine was unsafe but quite secure. Here’s an EXCELLENT example:

    http://www.chicagocrime.org/

    Now, generic mac user, I’d like you to tell me: why aren’t there more dog fighting arrests in my neighborhood? There are no anti-dog-fight measures that I know of in Oak Park.

  • Thomas Ptacek

    April 27th, 2007 1:25 am

JoeL: Dino does NOT agree with you that Macs are more secure than Windows. I guess I can wait for him to say that, but I think it’s safe to take my word for it. Like Dave and me, he probably does buy that Macs are safer.

    As for “also note that Jim Schmidt struck a reasonable and mature tone in the discussion about the notion of attackers on both sides being engaged in a polarized “circle jerk””: best quote ever. Well played, sir!

  • generic mac user

    April 27th, 2007 1:56 pm

    Thanks for being straight — I guess because no one tries to dog fight in your neighborhood, there aren’t any arrests?

    To be a hacker, or to write viruses on the mac, would you have to own one so you could test it and find vulnerabilities and stuff? Maybe that’s why macs are safer because hackers don’t want to buy a mac just to hack it. Reward doesn’t justify the price.

    I’d also imagine that a windows virus could propagate itself a lot better than a mac one because of the sheer number of installed copies of windows compared to Mac OS X.

I’m still kind of surprised that there haven’t been any widely reported clientside exploits on Macs. If vulnerabilities are truly easier to find on the Mac, and if Mac users surf the web like Windows users, and if there exist even a few hackers who want the glory of putting the first Mac exploit on the web, what causes the Mac to still be safe?

    So I guess I want to know, is apple’s low marketshare the only thing that protects it? If OSX Tiger had the same amount of users and the same amount of money spent on security, everything equal, which platform would be more secure?
    Thanks.

  • […] How much can you say about the details of your exploit? Thomas Ptacek reported that, contrary to some initial reports, it isn’t specific to Safari, and that it can be defended against by disabling Java. Can you verify that? Is it specific to Intel-based Macs? Does it crash the browser? […]

  • David Schor

    April 27th, 2007 3:42 pm

I’ve been buzzing the web for a week trying to find out if this vulnerability affects PPC (PowerPC) Macs. Any news? Does anybody even care? Is security by obscurity still my best bet?

  • Thomas Ptacek

    April 27th, 2007 3:44 pm

    Nobody has confirmed or denied this. Either outcome is equally plausible.

  • Thomas Ptacek

    April 27th, 2007 3:48 pm

    generic mac user: Yes, I think the verdict among the security community is in, and it’s that market share is the primary defensive measure OSX has right now.

    There is nothing wrong with this. People move to the suburbs all the time to get away from crime. That’s the “safety and convenience” approach. The “security” approach is, “build a panic room and hire a bodyguard”. For desktop computers, that kinda sucks. This is the gist of what Mossberg keeps saying in the WSJ.

We security people tend to care about the “security” approach, though, because it defines what attacks against our clients are VIABLE, as opposed to LIKELY.

  • Rolf

    April 30th, 2007 8:28 pm

    David Schor: I rather suspect I know what the vulnerability is. If so then yes, PPC Macs are also affected. It probably also affects Mac OS 9 :-)

  • CompX

    May 1st, 2007 10:11 am

    This is a sad day for the Mac community. I’d hoped I’d never see this day in my lifetime. Whoever hacked that beautiful Mac computer has to pay. And be banned from this forum and from MacRumors and MacNN too. This is war IMO.

  • David Schor

    May 1st, 2007 5:10 pm