Free Republic

Safari Security Claims Ignite Controversy [8 bugs found in first day alone]
PCWorld ^ | 6/12/07 | Gregg Keizer

Posted on 06/13/2007 2:05:03 PM PDT by PajamaTruthMafia

Security researchers have already found eight bugs in the Windows version of Safari Apple released on Monday. They're blaming Apple's "hostile attitude towards security researchers" for the problems.

Just hours after Apple Inc. released a Windows version of Safari on Monday, security researchers had uncovered more than half a dozen vulnerabilities in the browser beta, including at least three that could let attackers grab complete control of the PC.

PC World's Erik Larkin isn't surprised that Safari would become a security risk. But Apple's claims about the new browser's security have touched a nerve with security researchers: Two of the researchers blamed Apple's "false claims" about security and what they called its "hostile attitude" toward bug finders for the rush to dig up flaws.

First off the mark was David Maynor of Errata Security, who posted notice of a bug about two hours after Apple made Safari 3 available for Windows. By the end of the day, Maynor had racked up six bugs. Four could be exploited to crash the browser and/or PC in a denial of service; the other two, Maynor claimed, were remote execution vulnerabilities.

Maynor, who clashed with Apple over a demonstration of a wireless hack on a MacBook at last summer's Black Hat security conference, didn't hesitate to take a shot at the Cupertino, Calif. company. "I can't speak for anybody else, but the bugs found in the beta copy of Safari on Windows work on the production copy on OS X as well," he said in a posting on the Errata site. "The exploit is robust mostly thanks to the lack of any kind of advanced security features in [Mac] OS X."

Shortly after Maynor posted his first bugs, Aviv Raff, an Israeli security researcher noted for his contributions to last July's "Month of Browser Bugs" project, announced he had found a flaw, too. "I found it using a fuzzer tool, Hamachi, that was developed by HD Moore and I," Raff said in an instant message interview. "This is a memory corruption vulnerability, which is potentially exploitable for remote code execution."

Danish researcher Thor Larholm wrapped up Safari's opening day with the most damaging disclosure of all: a remote execution vulnerability accompanied by proof-of-concept exploit code. That code -- Windows Safari users can click here for a demo -- could be used to hijack the PC, said Larholm, who plucked the vulnerability from the browser and built the exploit in just two hours.

He laid part of the blame on Apple's inexperience in writing code for Windows. "On OS X, Apple has enjoyed the same luxury and the same curse as Internet Explorer has had on Windows, namely intimate operating system knowledge," said Larholm. "The integration with the original operating system is tightly defined, but [that] knowledge is crippled when the software is released on other systems and mistakes and mishaps occur.

"[For example] you can still find references to the OS X proprietary URL protocols "open-help-anchor:" and "network-diagnostics:" inside the resource files for the Windows release [of Safari]."

Bugs are not unknown to Apple. Other applications available to Windows users, the QuickTime media player and the iTunes music store software, have been patched several times. Four fixes for QuickTime, two last month alone, have been issued by Apple this year. In March, Apple updated iTunes so it would work more smoothly with Windows Vista.

Even so, the number of vulnerabilities discovered in Safari's debut day was stunning. Aviv Raff had an explanation. "My guess is that it's because of Apple's issues with security researchers and the false claims that their products are far more secure than others," he said.

Larholm agreed. "Given that Apple has had a lousy track record with security on OS X, in addition to a hostile attitude towards security researchers, a lot of people are expecting to see quite a number of vulnerabilities targeted towards this new Windows browser."

Maynor, who until last summer worked as a senior researcher for SecureWorks Inc., did not need to spell out his position. After he and colleague "Johnny Cache" demoed a MacBook hack prior to Black Hat, both Apple and Mac bloggers criticized the pair for either faking the hack or obfuscating its true nature. Maynor and Cache stood behind their claim. Several months later, Apple quietly patched the wireless drivers the researchers had used to break into the Mac machine.

On Monday, Maynor spelled out his policy regarding Apple vulnerabilities. "If a vendor answers a vulnerability disclosure with marketing and spin attempts, we no longer report vulnerabilities to that vendor."

Raff summed it up on the posting to his blog. "On the download page [for Safari] Apple writes 'Apple engineers designed Safari to be secure from day one.' I guess we can now call it 'Day zero.'"

Apple officials did not respond to a request for comment.


TOPICS: News/Current Events; Technical
KEYWORDS: apple; safari; wintrolls

1 posted on 06/13/2007 2:05:06 PM PDT by PajamaTruthMafia

To: PajamaTruthMafia

Hmm.. I thought Apple software didn’t have bugs.


2 posted on 06/13/2007 2:08:44 PM PDT by Rodney King (No, we can't all just get along.)
[ To 1 ]

To: PajamaTruthMafia

Pfft. Ok.


3 posted on 06/13/2007 2:09:21 PM PDT by big'ol_freeper (It looks like one of those days when one nuke is just not enough-- Lt. Col. Mitchell, SG-1)
[ To 1 ]

To: Rodney King
>I thought Apple software didn’t have bugs

So long as no one
uses it, it's rock solid!
Don't ask for the moon!
4 posted on 06/13/2007 2:10:48 PM PDT by theFIRMbss
[ To 2 ]

To: PajamaTruthMafia

“Larholm agreed. “Given that Apple has had a lousy track record with security on OS X, in addition to a hostile attitude towards security researchers, a lot of people are expecting to see quite a number of vulnerabilities targeted towards this new Windows browser.””

The popular attitude of some pro-Mac folks is that there are no security risks associated with Macs.


5 posted on 06/13/2007 2:10:56 PM PDT by Disturbin (Goverment is not the solution to any problem)
[ To 1 ]

To: Rodney King
>>I thought Apple software didn’t have bugs

Besides, give Apple
a break. All their Quality
Assurance sherpas

are struggling to fix
60% of the bugs
in the new iPhone...
6 posted on 06/13/2007 2:13:03 PM PDT by theFIRMbss
[ To 4 ]

To: Rodney King

Let’s also not forget that this is a *Beta* version of Safari/Windows.

Or should I mention all the bugs that are in the *release* version of IE?


7 posted on 06/13/2007 2:14:07 PM PDT by Spktyr (Overwhelmingly superior firepower and the willingness to use it is the only proven peace solution.)
[ To 2 ]

To: Disturbin

Lousy? Hm. Please name one exploit of OS X that has been found in the wild.


8 posted on 06/13/2007 2:14:46 PM PDT by Spktyr (Overwhelmingly superior firepower and the willingness to use it is the only proven peace solution.)
[ To 5 ]

To: Spktyr
Maybe you missed this:

"I can't speak for anybody else, but the bugs found in the beta copy of Safari on Windows work on the production copy on OS X as well," he said in a posting on the Errata site. "The exploit is robust mostly thanks to the lack of any kind of advanced security features in [Mac] OS X."

9 posted on 06/13/2007 2:22:31 PM PDT by PajamaTruthMafia
[ To 8 ]

To: PajamaTruthMafia

I will believe it when someone else confirms it (i.e., peer review).

Remember, people have claimed a lot of bugs with OS X before that have turned out to be a lot of hot air.


10 posted on 06/13/2007 2:23:22 PM PDT by Spktyr (Overwhelmingly superior firepower and the willingness to use it is the only proven peace solution.)
[ To 9 ]

To: Spktyr
Remember, people have claimed a lot of bugs with OS X before that have turned out Apple falsely claimed to be a lot of hot air.
11 posted on 06/13/2007 2:30:01 PM PDT by GovernmentIsTheProblem (The GOP is "Whig"ing out.)
[ To 10 ]

To: PajamaTruthMafia
"The exploit is robust mostly thanks to the lack of any kind of advanced security features in [Mac] OS X."

Do you work for Norton by chance? Just asking because this is the most blatant nonsense I have ever seen posted about OS X. I will email you my Static IP address and challenge you to get into my mac if you want to prove your statement.

12 posted on 06/13/2007 2:48:59 PM PDT by itsahoot (The GOP did nothing about immigration, immigration did something about the GOP (As Predicted))
[ To 9 ]

To: PajamaTruthMafia
"...in the Windows version of Safari Apple"

That explains that.
13 posted on 06/13/2007 2:49:26 PM PDT by Liberty Valance (Keep a simple manner for a happy life :o)
[ To 1 ]

To: PajamaTruthMafia
I found this on PC mag this morning and tried to post it here, but FR will not allow PC Mag content on the web site.

I installed Safari on my Vista desktop and XP laptop the day it was released. I’m using Safari right now on my laptop, nice program, but not nearly as customizable as IE or Firefox. I had to uninstall it from my Vista machine as it would not display any text in the title bar, address bar, drop down menus or even on the web page. Definitely buggy.

14 posted on 06/13/2007 2:59:58 PM PDT by SolitaryMan (Two types of ships...Submarines and Targets)
[ To 1 ]

To: Spktyr

As a computer security professional I just have to chuckle about all the Mac user claims of security. The fact is there is not one single computer anywhere that isn’t vulnerable to exploitation. One of the main reasons there is so much focus on Microsoft products is the fact that they are so prevalent. If someone is in the business of exploiting machines, the best platform to concentrate on is obviously MS products just because of the sheer numbers. If the numbers were reversed, I’m sure that Macs would be victimized just as easily. If any of you Mac users think you are invincible, you obviously haven’t seen the number of exploits available to hackers\malicious software for the Mac platform.


15 posted on 06/13/2007 3:21:39 PM PDT by rightwingextremist1776
[ To 8 ]

To: PajamaTruthMafia

That’s why they call it a beta version.

I won’t be getting it until it goes final and probably, also, one revision past final. Then it will be stable and holes will be plugged.

Windows hasn’t had a Safari browser before and thus it will always have bugs when it’s first worked out in a new OS environment (i.e., Windows).

It’s going to be necessary for Safari on Windows because of Safari being necessary for the iPhone and how developers will be able to work with iPhone. Thus, they are coming out with it now, to get ready for it.

It’s not just going to be Apple Macintosh people who get iPhones, but Windows people who get it, too.

Regards,
Star Traveler


16 posted on 06/13/2007 3:28:45 PM PDT by Star Traveler
[ To 1 ]

To: Rodney King; PajamaTruthMafia

Apple software doesn’t have bugs, they are “New Apple ‘Jobs,’” users will have to pay Apple for to get fixed.


17 posted on 06/13/2007 3:41:10 PM PDT by SandRat (Duty, Honor, Country. What else needs to be said?)
[ To 2 ]

To: rightwingextremist1776
"As a computer security professional I just have to chuckle about all the Mac user claims of security. The fact is there is not one single computer anywhere that isn’t vulnerable to exploitation. One of the main reasons there is so much focus on Microsoft products is the fact that they are so prevalent. If someone is in the business of exploiting machines, the best platform to concentrate on is obviously MS products just because of the sheer numbers. If the numbers were reversed, I’m sure that Macs would be victimized just as easily. If any of you Mac users think you are invincible, you obviously haven’t seen the number of exploits available to hackers\malicious software for the Mac platform."

I believe you are correct. Macs make up something like 4.5% market share of all computers in the USA so most hackers aren't going to bother hacking them. The more prevalent they become (if) the more hackers will turn to them. Right now, there just aren't enough out there for the hackers to bother with the effort.

18 posted on 06/13/2007 3:44:57 PM PDT by Chicos_Bail_Bonds
[ To 15 ]

To: Star Traveler
Gee, you must have not really read the article either. If you had, you would have read this:

"I can't speak for anybody else, but the bugs found in the beta copy of Safari on Windows work on the production copy on OS X as well," he said in a posting on the Errata site. "The exploit is robust mostly thanks to the lack of any kind of advanced security features in [Mac] OS X."

19 posted on 06/13/2007 3:45:20 PM PDT by PajamaTruthMafia
[ To 16 ]

To: PajamaTruthMafia
Safari loads faster than Firefox, but each time it starts it insists on trying to connect to this or that IP number. No program should try to connect to the internet without asking the user whether it's okay to do so.

Also, the tab text and status bar text are too small and don't seem to be scalable. And the gray background color of the tab bar and the status bar is too dark.

20 posted on 06/13/2007 3:46:36 PM PDT by snarks_when_bored
[ To 1 ]

To: Rodney King

Apple software has always had bugs, just like any software has bugs. I don’t think you’ve ever heard any Macintosh user that has said that Apple Software doesn’t have any bugs. You’re simply putting up a straw man — so to then falsely knock it down...

There isn’t a single piece of software that has ever been made that has not had bugs in it.

However, what Apple software has done is integrate its software so that it works very well with other pieces of its software. And, it has less bugs than many other types of software out there, plus it has an excellent user interface — a user interface consistency that carries across the broad spectrum of its software, including those made by other developers (since they adhere to that same consistency).

In fact, for Macintosh software, it’s been a point of pride for a lot of Macintosh users to never have to read a manual because the software was intuitive enough to use without cracking open that manual. Most people, on the Macintosh will never have to refer to a manual since it’s so intuitive to use.

And, on the level of OS X it’s much more secure — in actual “real life” and “in practice” (where people actually use it every day) — than on the Windows side of things.

Here is another area where Macintosh users have never said that vulnerabilities don’t exist. What has been said is that it’s much better to have zero operating viruses on the Macintosh platform (and operating system) than the 114,000 Windows ones.

I’ve run Macintosh operating systems from 1986 to the present. In all that time, I’ve only encountered one virus — ever — and that was in 1990. Since 1990, I’ve never run into a single virus, while sharing disks, files, being on the Internet, downloading all sorts of files and so on. I do run an anti-virus program and it hasn’t ever popped up with a single “peep” of a warning about a single Macintosh virus. I really don’t expect to see one pop up any time soon. Being that I’ve only seen one virus in 21 years of Macintosh operating systems gives me great confidence in the next 10-20 years of Macintosh operating systems.

So, for all practical purposes, you could say that there aren’t any “bugs” (i.e., viruses) in the Macintosh OS X operating system, no matter what someone wants to try and say. They simply don’t exist. As far as software bugs, vendors will keep updating their software and keep fixing whatever pops up, but that’s a far cry from viruses.

Regards,
Star Traveler


21 posted on 06/13/2007 3:48:52 PM PDT by Star Traveler
[ To 2 ]

To: PajamaTruthMafia

I skimmed the headline..initially I thought it was about mutant tse-tse flies infecting tourists on photo-safaris in Africa..


22 posted on 06/13/2007 3:48:54 PM PDT by ken5050
[ To 1 ]

To: PajamaTruthMafia

I always laugh at that kind of stuff. From all the reading that I’ve seen from some so-called experts, is that the Macintosh operating system is the most insecure thing around — and yet, we see 114,000 Windows viruses and none on the Macintosh side. All, I’ve got to say about that is let me know when they get five or ten viruses, much less 114,000 of them...

And then, someone says, well, they’re coming — and yet, for the last 21 years, I’ve only run into one single virus — ever. And I’ve never gotten a single peep out of my antivirus software, ever (for the Macintosh), in all the years that the Mac OS X operating system has been out (many years, so far).

So, they can keep telling me what kind of great problems I’m going to have, while I enjoy what I’ve experienced in the last 21 years.

As far as any bugs in software, I usually let developers work out their bugs with further revisions. I like getting newer versions after they’ve gone through a few “dot” increments.

And anyone who wants to go with “beta software” — well.., they can have at it. I’ll go for the finished and completed versions. I can’t complain about problems in beta software.


23 posted on 06/13/2007 3:56:12 PM PDT by Star Traveler
[ To 19 ]

To: Star Traveler
Just because you have only had one run-in with a virus does not make it free of other risks... OS X vulnerabilities

For your viewing pleasure...... Not as secure as one might be led to believe.

24 posted on 06/13/2007 4:02:33 PM PDT by rightwingextremist1776
[ To 21 ]

To: GovernmentIsTheProblem
Remember, people have claimed a lot of bugs with OS X before that have turned out Apple falsely claimed to be a lot of hot air.

Got some examples of that . . . . so we can determine WHO is blowing the hot air?

25 posted on 06/13/2007 4:03:26 PM PDT by savedbygrace (SECURE THE BORDERS FIRST (I'M YELLING ON PURPOSE))
[ To 11 ]

To: rightwingextremist1776

It’s the same result with a lot of other Macintosh users. I don’t run across any Macintosh user who ever tells of any problems with any viruses — at all. There are no reports of any Macintosh users being infected by viruses on Mac OS X operating system. They just don’t exist. So my experience is just like all the other Macintosh users.

The biggest argument in the Macintosh world — about viruses — is whether anyone who owns a Macintosh should ever bother with getting an anti-virus program. Many Macintosh users think it’s a scam for companies to sell an anti-virus program for the Macintosh.

For my part, I’ve got one, but it seems to be useless... it never registers a single peep about anything.


26 posted on 06/13/2007 4:07:46 PM PDT by Star Traveler
[ To 24 ]

To: Rodney King

“There ain’t no bugs on me...”


27 posted on 06/13/2007 4:12:59 PM PDT by Old Professer (The critic writes with rapier pen, dips it twice, and writes again.)
[ To 2 ]

To: snarks_when_bored

I’ve got a program that checks all outgoing connections from my software and I do see several programs that do “call home” when they are started. Some I allow and others I don’t.

However, in all the years of using Safari, I’ve never seen it want to “phone home” to Apple.

But, I have seen, when loading certain web pages, that certain of those web pages will trigger a connection on a certain port to a certain outside IP number. That has nothing to do with Apple and has to do with that particular web page that you’ve accessed.

And one other time, I kept seeing certain cookies showing up all the time, even though I never accessed those web pages. The cookie would keep reappearing, after being repeatedly deleted. It wasn’t Apple’s web site, but a completely different company. I finally found out that it has to do with some RSS link that I had in the bookmarks, that was causing it to go back to that web site all the time and reset the cookie. So, I deleted the bookmark and it never did it again.

So, there are a lot of things that can go on, other than Safari “phoning home” to Apple. It doesn’t do that.


28 posted on 06/13/2007 4:15:22 PM PDT by Star Traveler
[ To 20 ]

To: Star Traveler
Again, as I said in my first post, it’s a numbers game. If someone gets their rocks off writing malicious code, they are going to write it for the most popular platform so it spreads as far and as quickly as it can. A Mac’s security is ONLY one that is by sheer lack of interest, not designed in. It is the worst kind of security, born of a false notion, not rooted in reality. It breeds complacency....bad bad juju in the security world.
29 posted on 06/13/2007 4:15:25 PM PDT by rightwingextremist1776
[ To 26 ]

To: rightwingextremist1776

It’s been very debatable as to what the real reason is for the actual lack of problems with infections and/or infiltrations of Macintosh computers. Some say it’s because of the obscurity of the operating system. I’ve seen others who say that it’s because a lot of programmers don’t have a big beef with Apple like a lot of programmers seem to have with Microsoft. Others say it is because it — is — actually more secure.

Now we can argue all day long as to what the real reasons are for the — missing problems — with viruses and taking over a Macintosh computer and controlling it and so on.

BUT, for most people they don’t care about the reasons why. All they care about is that it simply doesn’t happen, as it does in the Windows world.

So, for those ordinary and normal users, all of the so-called experts can argue all day long and the ordinary user will simply enjoy the benefits of what he or she has, with the Macintosh Operating System — over Windows operating system.

I’ve got my ideas of why the lack of these kinds of problems are the “state of affairs” for the Macintosh, but it doesn’t matter to me whether anyone else believes me or not. All that matters to me is — that is the way it is — and that’s worth a lot, all by itself. I enjoy the current state of affairs.

I would imagine quite a few Macintosh users enjoy it as well...


30 posted on 06/13/2007 4:25:16 PM PDT by Star Traveler
[ To 29 ]

To: Star Traveler

Security through obscurity is one dimensional. Once the ROI of exploitation outweighs the effort needed to exploit, you might as well lay back and enjoy it (that is IF you even know it’s happening). Most likely you won’t even know when you have been “picked”.


31 posted on 06/13/2007 4:25:17 PM PDT by rightwingextremist1776
[ To 28 ]

To: rightwingextremist1776
Again, as I said in my first post, it’s a numbers game. If someone gets their rocks off writing malicious code, they are going to write it for the most popular platform so it spreads as far and as quickly as it can. A Mac’s security is ONLY one that is by sheer lack of interest, not designed in. It is the worst kind of security, born of a false notion, not rooted in reality. It breeds complacency....bad bad juju in the security world.

Well, viruses have hit cellphones.... And the Mac has quite a huge installed base - 5% of e-friggin-normous is still a huge number.... And there's the opportunity to let a lot of air out of the viewpoint that the Mac is more secure.

That adds up to plenty of motivation to write a persuasive Mac OS X virus.

All you offer is speculation. All we offer is results. Some "professional" - ha!

32 posted on 06/13/2007 4:27:13 PM PDT by Yossarian (Everyday, somewhere on the globe, somebody is pushing the frontier of stupidity...)
[ To 29 ]

To: Yossarian

No, I offered facts in my link on OS X vulnerabilities...did you not read, or are your eyes failing your brain?


33 posted on 06/13/2007 4:30:57 PM PDT by rightwingextremist1776
[ To 32 ]

To: rightwingextremist1776

Well, it ain’t happening with the Macintosh operating system — that’s for sure. I keep hearing about all the bad problems that can happen or will happen — but that’s been going on for years and years, and it’s never come true yet.

I guess that’s why the Macintosh user’s biggest argument these days is whether they should ever bother with an antivirus program. That’s the biggest concern that most of the Macintosh users have. They argue whether it’s a scam to even sell an anti-virus program since nothing has ever shown up in the last few years (and longer).

With the Windows operating system, you wouldn’t dare want to go without an anti-virus program. It would be suicide. That — by itself — tells you a great deal of the difference in the two operating systems.

As far as my system being “picked” — well, I keep checking all the time but never come up with anything. I’ve got all my accesses logged, the firewall operating, check the outgoing connections, run programs to check on anomalous programs, look over those logs for anything suspicious and so on...

It all seems to be a total exercise in futility — since nothing ever happens with my Macintosh. It’s like me looking for some disaster to happen for the last 21 years and never having it happen. It gets tiring to keep watching for the “coming disaster” and — today — still be waiting for that coming disaster that is going to happen with the Macintosh Operating System. It just never comes...

All I can say is let me know when the disaster happens..., it hasn’t come around yet...


34 posted on 06/13/2007 4:37:51 PM PDT by Star Traveler
[ To 31 ]

To: Star Traveler
So let me throw this back in your lap.....If you read the link I posted it is obvious that there are a considerable amount of vulnerabilities in the OS X platform, some of which there are NO patches for. Given those FACTS, why then do you suppose you have remained so secure? Could it be that no one has come a knocking on your door? Or is it because Macs are so “secure”? I hope you don’t take the same precautions with your home....
35 posted on 06/13/2007 4:44:59 PM PDT by rightwingextremist1776
[ To 34 ]

To: rightwingextremist1776
Ah, the typical ignorance and arrogance of a Windows IT guy....

1. Secunia sells Mac security software. Hence it is in their best interests to make the Mac appear less secure. Therefore they try to "amp" up the count of vulnerabilities Mac OS X has. An actual pro would present data from a less biased source.

2. Even so, according to that page you linked to: "Most Critical Unpatched The most severe unpatched Secunia advisory affecting Apple Macintosh OS X, with all vendor patches applied, is rated Less critical"

3. I hate to be the one to break this to you, Mr. "Security Professional", but there is a big difference between a vulnerability and the ability to exploit said vulnerability. So far, even though vulnerabilities have been found (hey, it's an OS created by human engineers), no effective exploit has been found to take advantage of these brief vulnerabilities. In other words, no attack has been able to be executed for real.

(Yes, there was that guy who figured out how to exploit QuickTime & Java - luckily he was a real security pro who found a way to alert Apple so they could close the hole before it was exploited in the field.)

I guess you're one of those yahoos who hang out a "Security Pro!" shingle, and await for what suckers walk in your door. Thanks for reminding me why I've been avoiding the Windows World for the past 20 years!

36 posted on 06/13/2007 4:50:21 PM PDT by Yossarian (Everyday, somewhere on the globe, somebody is pushing the frontier of stupidity...)
[ To 33 ]

To: Yossarian

Yea, that’s why we get so many IAVAs in DOD on the OS X platform. I suppose the DOD sells security software as well. You don’t have a clue do you?


37 posted on 06/13/2007 4:54:39 PM PDT by rightwingextremist1776
[ To 36 ]

To: rightwingextremist1776

What you find, in “real life” is that not all so-called “vulnerabilities” are useful for anything at all. All that may happen with many of the so-called vulnerabilities is that something doesn’t work and something crashes and nothing more. In other words, it simply can’t be turned into anything useful for a virus or for a hacker to gain control of your computer.

And that’s the way it turns out in “real life” — with the Macintosh computers. The viruses don’t exist for the Macintosh and hackers don’t control Macintosh computers (unless you’re handing out your passwords or making them to be “password” :-) ... ).

As far as no one coming “knocking on the door” — I’ve got several machines on their own direct outside IP addresses, hooked into the Internet 24/7 and I see lots of “hammering away” at these computers. So, it’s not for the lack of trying. It’s just that nothing happens. It may be hard to believe for some, but that’s simply the facts of the matter.

I was just looking over the logs of one of the computers this morning. I see over 17,000 attempts in just 24 hours on one machine. Some are innocuous and others are not. But, all in all — nothing happens with these Macintosh computers and they are about as secure as one could ever wish it to be in real life.

So, it’s not for the lack of trying, not for the lack of being on the Internet 24/7 — and the bottom line result is — no viruses and no hacker gaining control of my Macintosh computers. That’s from years and years of usage this way.

So, like I said — when the big security disaster happens for the Mac OS X operating system, be sure to let me know...


38 posted on 06/13/2007 4:57:54 PM PDT by Star Traveler
[ To 35 ]

To: Star Traveler
Look, I’m not going to argue with you on this. I just want to say this again.....If someone wanted to put the time into exploiting your system because they thought it would give them access to something of value, they would do it regardless of platform. Just because you haven’t been exploited doesn’t mean it can’t or won’t happen IF someone really wants to. I’m sure the logs on your other machines bear this out. They aren’t looking for Macs because there aren’t enough of them to matter. They are looking for Microsoft and Linux platforms because there are more of them to exploit AND there are more exploits to choose from.
My argument isn’t which is the better platform. All I’m saying is don’t be fooled by a false sense of security...that’s all.

Don’t put so much faith in your platform.

39 posted on 06/13/2007 5:10:28 PM PDT by rightwingextremist1776
[ Post Reply | Private Reply | To 38 | View Replies]

To: Star Traveler
I understand the point you're making, but in any case Safari is permitting connections from an earlier session to re-establish themselves without asking for an okay from the user of the new session. What it should do is either squelch those connections or else ask users if they wish to re-establish them. (By the way, I didn't say that Safari was trying to contact Apple...I just said that it was trying to connect to "this or that IP number".)

Yes, it's possible to forestall this sort of thing in Safari by using ZoneAlarm (or some similar program), but it requires denying Safari the right to connect, then removing it from the list of permitted programs and then re-allowing it to connect. Aggravating.

40 posted on 06/13/2007 5:15:02 PM PDT by snarks_when_bored
[ Post Reply | Private Reply | To 28 | View Replies]

To: rightwingextremist1776
If someone gets their rocks off writing malicious code, they are going to write it for the most popular platform so it spreads as far and as quickly as it can

As I believe swordmaker pointed out on another thread, someone wrote a virus that infects iPods rigged to run Linux, of which there probably aren't enough to break five figures. The "obscurity" excuse just doesn't work when there are viruses for far smaller user bases.

41 posted on 06/13/2007 5:28:07 PM PDT by Bubba Ho-Tep
[ Post Reply | Private Reply | To 29 | View Replies]

To: PajamaTruthMafia

I have access to the Apple version of Safari and I tried the Windows version the other day. I don’t find it all that intuitive and the claim that it is faster than Explorer seems dubious - on some pages it is very, very slow.


42 posted on 06/13/2007 5:28:09 PM PDT by Oystir
[ Post Reply | Private Reply | To 1 | View Replies]

To: Bubba Ho-Tep
As I believe swordmaker pointed out on another thread, someone wrote a virus that infects iPods rigged to run Linux, of which there probably aren't enough to break five figures. The "obscurity" excuse just doesn't work when there are viruses for far smaller user bases.

Well, I guess it depends on the purpose the author of the virus had in mind...doesn't it? A little known thing that people fail to keep in mind when discussing things such as this. So what you are saying is because it hasn't been done means it can't be done...... HMMMM?

43 posted on 06/13/2007 5:34:26 PM PDT by rightwingextremist1776
[ Post Reply | Private Reply | To 41 | View Replies]

To: rightwingextremist1776

As far as putting faith in the platform, it deserves that kind of faith, just from its actual and real life performance over the last several years.

Now, you’re saying that it’s simply because of its obscurity that nothing is happening (i.e., compromising the OS for control or a virus). Well, as I said, there are many different kinds of arguments out there as to the real reason why these compromises aren’t happening. You’ve just taken one particular reason as the one you want to adhere to. Others take it to be that the OS is more secure — as the reason.

So, as I said, one can go around and around about that — but it still remains that the Mac OS is not being compromised in real life situations (where people use their computers everyday). And that’s pretty much all people really care about.

And, furthermore, there is such a thing as something more secure and less secure. Now, let’s say that there can be a major compromise of any particular OS, if someone were to really, really try. Even if that were the case, there would still be the situation in which one OS is more secure than another OS, no matter if it’s true that someone could really compromise a system if they had enough resources and enough reasons to do so.

It is an argument, with many, that the Mac OS is that “more secure OS” no matter if it could be compromised if you pitted the CIA and the KGB at it, with unlimited resources and enough reasons to do so — or, on the other hand, if it simply is generating no interest (from anyone) to actively compromise it.

So, that is the opinion of many — that it is more secure. But, even so, the last word in the matter is that it is “secure in practice” (no matter what the reason), because, basically, no compromises are happening from viruses or from hackers controlling the Mac OS.


44 posted on 06/13/2007 6:11:56 PM PDT by Star Traveler
[ Post Reply | Private Reply | To 39 | View Replies]

To: Star Traveler
We will just have to agree to disagree, with one exception;
You are correct in that the end result is there are less security violations on Mac platforms than the others.
I will leave you with one last thought;

How many Mac platforms run databases that store credit card info, run secure web sites that transact sensitive information, make money transfers, centrally store secret information, fall victim to script kiddies, become bots in a network, or become magnets for fast spreading viruses, worms, or Trojans? Now why do you suppose the other, more widespread platforms do? Now you tell me why when Macs are the superior platform, why all the dummies are still using those other platforms?

Why rob a church when the bank is where the money is stored?

45 posted on 06/13/2007 6:23:44 PM PDT by rightwingextremist1776
[ Post Reply | Private Reply | To 44 | View Replies]

To: snarks_when_bored

The only instance I ever ran into from Safari making a connection from an earlier session was from one particular RSS feed. It basically did not happen with all the other RSS feeds. I have no idea what the deal was with that one particular feed. But, all that happened was a connection through port 80, which is the normal port for Safari to use. I mean, it’s sort of a non-starter issue, really. Not too much of anything except a curiosity (at least with me it was only that...). I wouldn’t consider that to be a problem.

Besides that, I can block any cookie that I want, if I choose to do so and I can turn off all cookies if I want to. So, it’s a matter of setting something up, if I’m really concerned about that. No other instance ever occurred of Safari re-establishing anything from an earlier session.

As far as the ports that are normal for Safari to access, they would be port 80 and port 443. I have that currently set up to allow all the time for all IP addresses.

Now, if I were concerned about any other ports, I could simply have all other ports permanently blocked and never allow anything outside of those ports, but I don’t do that. I have it set up to allow and disallow, per session, as I determine — when the request comes up. I try to see what it is doing.

If I didn’t want to do that, it would be easy to disallow all others permanently and never have to think about it again. I could allow Safari to always connect on port 80 and 443, while disallowing all others — and I could leave it that way permanently. However, it appears that other web sites do want you to connect on other ports to various IP addresses. So, it appears to be a normal functionality of a web browser to do that — not something that is necessarily an adverse or illegal type of connection. All I’m saying is that if you’re that concerned about that — for any named web browser (and they’ll all do that) — then you can block the ports you don’t want used and do it for all IP addresses. Otherwise, you can let Safari work just like all the other web browsers work, accessing other IP addresses with other port numbers. I guess it’s just up to you as to how far you want to go with this thing. I’m just saying you can block it all or not. It’s just not a Safari thing that you’re referring to — it’s something that goes on with all web browsers.


46 posted on 06/13/2007 6:43:44 PM PDT by Star Traveler
[ Post Reply | Private Reply | To 40 | View Replies]

To: rightwingextremist1776

Well, in answer to your question about all the other machines out there on other platforms (other than Mac OS X), there are reasons why they are used — that have nothing to do with their greater security or less secure status (depending on which way you view the “security” of those systems).

There are programs developed on certain platforms. There is a business-type “ecosystem” that grows up around a platform. It doesn’t matter if that platform is less secure than another. You just hire more people to deal with it, and you use the tools and programs that have developed in that ecosystem.

Apple Computer hasn’t pursued the business ecosystem. Now, while it may be more secure an operating system — if — a business ecosystem isn’t built up around it (which does take some time to do, once you’ve decided you’re going to pursue that kind of strategy), then one is not going to have that operating system spread in all these areas that you’re talking about.

The simple fact of the matter is that Apple Computer has not made that a part of its strategy for selling computers (and its operating system). They’re not pursuing that.

The benefit for the consumer is that they’ve got a better and more secure operating system than many of these very businesses that you’re talking about. Apple is not there in those business environments because it’s never bothered to go after them. It’s going for the consumer and certain other specialty computing environments.

If Apple ever decides to go after those kinds of businesses, then things might be different. But, I really don’t know if Apple will ever decide to go for those kinds of businesses. It’s making so much money right now doing what it’s doing with a very safe and secure system, which benefits the consumer, that it may decide it’s not worth it to pursue these other kinds of businesses.

But, I can’t know what Apple will decide to pursue in the future. That remains to be seen. In the meantime, the consumer can be satisfied that it has a safer operating system than many of these other types of businesses that you mention.


47 posted on 06/13/2007 7:13:54 PM PDT by Star Traveler
[ Post Reply | Private Reply | To 45 | View Replies]

To: savedbygrace

“Got some examples of that . . . . so we can determine WHO is blowing the hot air?”

Dave Maynor who is in this article and the apple wifi driver vulns they claimed not to exist... and then patched.


48 posted on 06/13/2007 8:05:16 PM PDT by GovernmentIsTheProblem (The GOP is "Whig"ing out.)
[ Post Reply | Private Reply | To 25 | View Replies]

To: Yossarian; rightwingextremist1776

“I hate to be the one to break this to you, Mr. “Security Professional”, but there is a big difference between a vulnerability and the ability to exploit said vulnerability. So far, even though vulnerabilities have been found (hey, it’s an OS created by human engineers), no effective exploit has been found to take advantage of these brief vulnerabilities. In other words, no attack has been able to be executed for real.”

Actually there are a number of Mac exploits in the Metasploit project framework. :)

http://framework.metasploit.com/exploits/view/?refname=osx:afp:loginext
AppleFileServer LoginExt PathName Overflow

This module exploits a stack overflow in the AppleFileServer service on MacOS X. This vulnerability was originally reported by Atstake and was actually one of the few useful advisories ever published by that company. You only have one chance to exploit this bug. This particular exploit uses a stack-based return address that will only work under optimal conditions.

This module (revision 4498) was provided by hdm, under the Metasploit Framework License.

External references:

* http://www.securityfocus.com/bid/10271
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0430
* http://www.osvdb.org/5762
* http://milw0rm.com/metasploit/2

Targets:

* Mac OS X 10.3.3

http://framework.metasploit.com/exploits/view/?refname=osx:arkeia:type77
Arkeia Backup Client Type 77 Overflow (Mac OS X)

This module exploits a stack overflow in the Arkeia backup client for the Mac OS X platform. This vulnerability affects all versions up to and including 5.3.3 and has been tested with Arkeia 5.3.1 on Mac OS X 10.3.5.

This module (revision 4498) was provided by hdm, under the Metasploit Framework License.

External references:

* http://www.osvdb.org/14011
* http://www.securityfocus.com/bid/12594
* http://lists.netsys.com/pipermail/full-disclosure/2005-February/031831.html
* http://milw0rm.com/metasploit/6

Targets:

* Arkeia 5.3.1 Stack Return (boot)

http://framework.metasploit.com/exploits/view/?refname=osx:samba:trans2open
Samba trans2open Overflow (Mac OS X)

This exploits the buffer overflow found in Samba versions 2.2.0 to 2.2.8. This particular module is capable of exploiting the bug on Mac OS X PowerPC systems.

This module (revision 4498) was provided by hdm, under the Metasploit Framework License.

External references:

* http://www.securityfocus.com/bid/7294
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0201
* http://www.osvdb.org/4469
* http://www.digitaldefense.net/labs/advisories/DDI-1013.txt
* http://milw0rm.com/metasploit/54

Targets:

* Stack Brute Force

Then there’s Immunity CANVAS
http://immunitysec.com/news-latest.shtml
Miami Beach, FL - (June 4, 2007) - Immunity brings you a flurry of exciting new exploits this June, including a reliable remote root exploit for OS X on both Intel and PPC platforms.


49 posted on 06/13/2007 8:27:28 PM PDT by GovernmentIsTheProblem (The GOP is "Whig"ing out.)
[ Post Reply | Private Reply | To 36 | View Replies]

To: rightwingextremist1776
This is just too easy:

How many Mac platforms run databases that store credit card info, run secure web sites that transact sensitive information, make money transfers, centrally store secret information,

OK, up until this comma, this is a fair question with an easy answer (see below). But then you continue in your inane rambling....

fall victim to script kiddies, become bots in a network, or become magnets for fast spreading viruses, worms, or Trojans?

Now why do you suppose the other, more wide spread platforms do? Now you tell me why when Macs are the superior platform, why all the dummies are still using those other platforms?

Mmmm....maybe because they made the mistake of hiring you for security consulting?

Now to answer the top, coherent part of your rambling question/statement/certification-of-your-lack-of-thinking-skills:

See this?

That's a big well-encased farm of xServes (Apple's 1U server platform, then PowerPC based) from Apple's developer conference a little over 10 months ago.

It's installed at "eBureau" (was "xTech"), one of America's largest processors of credit card data, as well as other financial and security systems. In the company's own words:

"eBureau provides a suite of precision marketing, credit risk management, fraud prevention and receivables management solutions to direct marketers, financial services companies, Internet retailers and agencies"

eBureau calls this installation the "Aquarium". It runs Mac OS X Server.

For a "Computer Security Pro", you're quite the ignorant chump, aren't you?

50 posted on 06/13/2007 8:35:44 PM PDT by Yossarian (Everyday, somewhere on the globe, somebody is pushing the frontier of stupidity...)
[ Post Reply | Private Reply | To 45 | View Replies]

