Posted on 07/21/2010 5:39:02 AM PDT by Gomez
I was wondering how the "Mac OSX is more secure" crowd was going to respond to being the first hacked several times in a row. But what you are ignoring is that these exploits have been known for a long time and yet Apple has not fixed them. The fact that they hacked them in advance AND Apple knew about them doesn't speak very well of their ability to patch products.
Before these contests the macbot mantra was "it's unbreakable." Then, after seeing they were the first hacked, it's now "but it took a lot of planning to make Mac the first to be hacked."
Ok...whatever helps you sleep at night I guess. But it's obvious to anyone that is concerned about security over a company doing well--it's not secure.
2008 exploit: patched with Safari 3.1.1
2009 exploit: patched with Safari 3.2.3
2010 exploit: patched with CVE-2010-1120
> The fact that they hacked them in advance AND Apple knew about them doesn't speak very well of their ability to patch products.
The contest is part of TippingPoint's Zero Day Initiative. Being zero-day, the vulnerabilities by definition had not been previously reported to any vendor. TippingPoint reported the vulnerabilities to the appropriate vendors after the contest.
You're 0 for 2 in your first paragraph. That might be some kind of record for you.
But this proves my point, MS architecture is fatally flawed and IT IS THE BUSINESS CULTURE OF MS WHICH WILL NEVER CHANGE THIS.
As you mention above, the non-Unix Mac OS had numerous exploits (and I have been a victim of this myself). But Apple was willing to admit that their proprietary OS was poorly designed, and was willing to replace it with a superior architecture primarily developed by others outside of Apple because it is the "best of breed" technology.
> for other product populations with numbers well under a million.
You have to factor all Un*x (real and cloned) into the user base since they all have the same basic design. And as for the Safari exploit, as I mentioned earlier, it only hijacks a single user's account, while the vast majority of Windows exploits result in complete control of the system.
And mine, too, that the lack of effective self-replicating malware in the wild for OS X is NOT because of the low marketshare.
OS 9 had such a poor security architecture that developer tools for it specialized in catching potential memory writes outside of the program's address space. As you know, that's a common method of exploiting a system, and it was easy to do just by accident.
Personally, I'd love to see a full-blown OS based on a true microkernel like Minix or seL4. The latter has even been subjected to a formal proof of its function. That's enough to get EAL7 certified, something no other operating system has achieved.
Oh, I see you are referring to a different contest than the one I was. I didn't know TippingPoint had one as well. Good to know... there are two different contests where Mac is leading the fail.
Nice to know.
Which version of windows are you referring to?
I see where TippingPoint was a sponsor of Pwn2Own. So are you referring to the same one as I am?
If so, the person who hacked the Mac listed several exploits in ADVANCE, telling Apple they have serious issues, and they failed to fix it. So he used one of those hacks to win the contest. There were several more that he had queued up. I believe that's how he won it a couple years in a row.
While Apple is patching after the fact, you'd think they would fix it BEFOREhand.
Well let’s see what the person who actually hacked the Mac has to say:
http://blogs.computerworld.com/15605/hacker_pwn2own_organizer_windows_7_is_safer_than_snow_leopard
And what the organizer of Pwn2Own says is in there as well.
They both agree at worst Windows 7 is as secure as Snow Leopard. At best it is better.
I already see you’re perfectly willing to lie right here. Two lies smacked down in the same paragraph. And now you still claim to have knowledge of the situation?
We are referring to the same contest. The vulnerabilities are reported to the vendors AFTER the contest.
Safari, based on the open source WebKit, seems to be a serious problem. I hope all the other companies using WebKit wake up. Of course, ASLR and DEP didn't keep IE 8 from being hacked either. Everybody needs to look to Chrome, which was never compromised.
Nobody really attempted to hack Chrome, though. I believe they were a late attender to the festivities.
Charlie Miller has said he had a list of 25 hacks (or something like that) and has encouraged Apple to take security seriously or he will continue to win that contest with those 25 hacks, releasing one per year.
So while the hack is announced to Apple after, he told them BEFOREhand that he has 25 exploits and has had them for a long while.
How is posting a link to what two professional hackers have to say about OSX a lie?
I guess you have to resort to name calling when you lose the battle of facts.
Win7/Chrome was the configuration of one of the four target computers for the entire contest. It was eligible for the prize money if hacked, just like the rest.
> Charlie Miller has said he had a list of 25 hacks (or something like that) and has encouraged Apple to take security seriously or he will continue to win that contest with those 25 hacks, releasing one per year.
Given your prior history, you have to show me proof of that. Apple released a patch covering a bunch of Safari security bugs just before the last contest. It's pretty obvious they did it so Safari wouldn't get hacked again. So you're telling me they purposely didn't fix just Miller's submissions knowing that not doing so would result in him hacking Safari again?
Miller also has a hard-on for DEP and ASLR; they are his main focus for talking about the Mac. He is right about the advantages they bring and that Apple could do more work to implement them better. But he forgets that many common Windows apps don't support them fully anyway, or even at all. You see, Windows apps have to be written specifically to support DEP and ASLR, or they don't get the security advantages. So the real-world security of your average Windows user isn't improved all that much by DEP and ASLR.
You just lost the battle of facts by posting two provably false statements.
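As an added example (not from the thread or any of its posters), here is a small Python check of the opt-in the post above refers to: a Windows PE image only gets DEP and ASLR if its optional header's DllCharacteristics carries the NX_COMPAT and DYNAMIC_BASE bits. The sample image is constructed inline from a minimal header; pass a real file path on the command line to inspect an actual binary.

```python
"""Report whether a PE image opted in to DEP (NX_COMPAT) and ASLR (DYNAMIC_BASE).
Added example, not from the thread; header offsets follow the PE/COFF spec."""
import struct
import sys

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # DEP opt-in


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field of a PE32/PE32+ image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                     # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):             # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return struct.unpack_from("<H", image, opt + 70)[0]  # same offset in both formats


def mitigation_report(image: bytes) -> dict:
    """True only where the linker set the flag; the OS honours the bit, not intent."""
    flags = dll_characteristics(image)
    return {
        "dep": bool(flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "aslr": bool(flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
    }


def build_sample_pe(characteristics: int) -> bytes:
    """Constructed minimal PE32 header (no sections) used as offline sample input."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)       # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)  # i386, 224-byte optional header
    optional = bytearray(224)
    struct.pack_into("<H", optional, 0, 0x10B)  # PE32 magic
    struct.pack_into("<H", optional, 70, characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(0x0100)
    print(mitigation_report(data))
```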