Posted on 06/13/2007 2:05:03 PM PDT by PajamaTruthMafia
Safari Security Claims Ignite Controversy
Security researchers have already found eight bugs in the Windows version of Safari Apple released on Monday. They're blaming Apple's "hostile attitude towards security researchers" for the problems.
Just hours after Apple Inc. released a Windows version of Safari on Monday, security researchers had uncovered more than half a dozen vulnerabilities in the browser beta, including at least three that could let attackers grab complete control of the PC.
PC World's Erik Larkin isn't surprised that Safari would become a security risk. But Apple's claims about the new browser's security have touched a nerve with security researchers: Two of the researchers blamed Apple's "false claims" about security and what they called its "hostile attitude" toward bug finders for the rush to dig up flaws.
First off the mark was David Maynor of Errata Security, who posted notice of a bug about two hours after Apple made Safari 3 available for Windows. By the end of the day, Maynor had racked up six bugs. Four could be exploited to crash the browser and/or PC in a denial of service; the other two, Maynor claimed, were remote execution vulnerabilities.
Maynor, who clashed with Apple over a demonstration of a wireless hack on a MacBook at last summer's Black Hat security conference, didn't hesitate to take a shot at the Cupertino, Calif. company. "I can't speak for anybody else, but the bugs found in the beta copy of Safari on Windows work on the production copy on OS X as well," he said in a posting on the Errata site. "The exploit is robust mostly thanks to the lack of any kind of advanced security features in [Mac] OS X."
Shortly after Maynor posted his first bugs, Aviv Raff, an Israeli security researcher noted for his contributions to last July's "Month of Browser Bugs" project, announced he had found a flaw, too. "I found it using a fuzzer tool, Hamachi, that was developed by HD Moore and I," Raff said in an instant message interview. "This is a memory corruption vulnerability, which is potentially exploitable for remote code execution."
Danish researcher Thor Larholm wrapped up Safari's opening day with the most damaging disclosure of all: a remote execution vulnerability accompanied by proof-of-concept exploit code. That code -- Windows Safari users can click here for a demo -- could be used to hijack the PC, said Larholm, who plucked the vulnerability from the browser and built the exploit in just two hours.
He laid part of the blame on Apple's inexperience in writing code for Windows. "On OS X, Apple has enjoyed the same luxury and the same curse as Internet Explorer has had on Windows, namely intimate operating system knowledge," said Larholm. "The integration with the original operating system is tightly defined, but [that] knowledge is crippled when the software is released on other systems and mistakes and mishaps occur.
"[For example] you can still find references to the OS X proprietary URL protocols "open-help-anchor:" and "network-diagnostics:" inside the resource files for the Windows release [of Safari]."
Bugs are not unknown to Apple. Other applications available to Windows users, the QuickTime media player and the iTunes music store software, have been patched several times. Four fixes for QuickTime, two last month alone, have been issued by Apple this year. In March, Apple updated iTunes so it would work more smoothly with Windows Vista.
Even so, the number of vulnerabilities discovered in Safari's debut day was stunning. Aviv Raff had an explanation. "My guess is that it's because of Apple's issues with security researchers and the false claims that their products are far more secure than others," he said.
Larholm agreed. "Given that Apple has had a lousy track record with security on OS X, in addition to a hostile attitude towards security researchers, a lot of people are expecting to see quite a number of vulnerabilities targeted towards this new Windows browser."
Maynor, who until last summer worked as a senior researcher for SecureWorks Inc., did not need to spell out his position. After he and colleague "Johnny Cache" demoed a MacBook hack prior to Black Hat, both Apple and Mac bloggers criticized the pair for either faking the hack or obfuscating its true nature. Maynor and Cache stood behind their claim. Several months later, Apple quietly patched the wireless drivers the researchers had used to break into the Mac machine.
On Monday, Maynor spelled out his policy regarding Apple vulnerabilities. "If a vendor answers a vulnerability disclosure with marketing and spin attempts, we no longer report vulnerabilities to that vendor."
Raff summed it up on the posting to his blog. "On the download page [for Safari] Apple writes 'Apple engineers designed Safari to be secure from day one.' I guess we can now call it 'Day zero.'"
Apple officials did not respond to a request for comment.
Does Firefox out of the box, so to speak, not connect automatically to the BBC through “live bookmark”?...
How many Mac platforms run databases that store credit card info, run secure web sites that transact sensitive information, make money transfers, centrally store secret information . . .?
- Let's see. I have client businesses that do that with their Macs. A bank in Japan just went 100% Mac. JC Penneys runs Macs at their corporate headquarters for a lot of that. Several of them decided to go Mac after having such information stolen from their Windows computers by malware.
How many Mac platforms . . . fall victim to script kiddies, become bots in a network, or become magnets for fast spreading viruses, worms, or Trojans?
Uh, that would be about zero . . . While an owner of a Mac COULD intentionally use it as a kiddie porn or spam server, it is highly unlikely that it could occur without his permission. While any machine can fall victim to a Trojan (a malicious application masquerading as something else requiring social engineering to get the user to install and execute it), there are no successful viruses or worms on the Mac platform.
Ah, no. Not the same vulnerabilities nor the same exploitability. Maynor has NEVER demonstrated his third party driver/card exploit on an unmodified Apple laptop despite numerous challenges to do so, including one where, if he could break in, he could take the laptop home with him. Apple, when not given the supposed codes that could compromise an Apple laptop, instituted a top-to-bottom audit of all the code in the drivers and found three buffer overflow issues that would cause a Denial of Service crash... that's what they patched.
Maynor also refused to provide his exploit to the third party company whose card and driver he DID use. Not professional at all.
All of this was hashed out in public for months. Maynor could have ended it all by merely demonstrating his hack on a Mac laptop. He would not. Could it be because he COULD NOT?
Do these browsers run as root? If so that's the fundamental problem.
The NX bit is enabled by default in OSX Intel and the PowerPC version stacks and heaps are non-executable by design and don't require it. Now, if you are referring to some of the UNIX apps that come bundled with OSX and run outside of it, you might be correct. But then they are not really part of the default OSX.
95% of Windows users run effectively in root. That's a fundamental problem. I have some business clients whose vertical solution software will not operate except with all users being at Windows administrator level. Ridiculous.
Secunia has issued a total of 102 Secunia advisories in 2003-2007 for Apple Macintosh OS X. Currently, 5% (5 out of 102) are marked as Unpatched with the most severe being rated Less critical.
102 security advisories in FOUR YEARS. I'm underwhelmed. Average 25 a year. I have been following these since OSX was released in 2001... and the vast majority of them are announced by Secunia the DAY AFTER Apple announced the patch that fixes them... usually with a press release that somehow glosses over the fact that it was Apple that made them public.
Of the five "unpatched" vulnerabilities, four are only potential local exploits where a local user can crash the application (not the OS) causing a Denial of Service condition. Only one of the five, also a local vulnerability, claims it might lead to escalation of privileges after crashing the application and causing a DoS.
I have news for you. If I have local access to a Mac, I can control everything about it... including getting root access. It's not hard. Getting access to a user's data... now that's hard... especially if File Vault has been turned on. If it has, Root access won't help me.
Local access security is more about who you trust to have access to your computer.
Sooo according to that link.... there are 5... counte’m FIVE so called unpatched vulnerabilities.
And all five require a BAD LOCAL USER to be sitting AT the mac, logged in to execute them.
Hardly an exploit.
Disk Utility could be considered an exploit if I am sitting there logged in for Pete’s sake.
Their solution.... only grant access to trusted users...
HAHAHAHAHAHAHAHAHAHAHAHAHA !!
No F’n kiddin’ ??
Get real...
Now why do you suppose the other, more widespread platforms do? Now you tell me why when Macs are the superior platform, why all the dummies are still using those other platforms?
Legacy investments. Legacy training investments. Pre-existing contracts. etc, etc etc.
It’s the old in for a penny in for a pound.
There is too much cost associated with a mass migration from the old platform to the new.
Most all of the computer systems were put in place with old school rules for depreciation, never accounting for Moore’s Law, which was not invented when the first PC systems came about.
Most businesses, and by this I mean the larger Fortune 500 of which provided the backbone to IBM and now MS for years, set unrealistic 10 year cycles on this technology.
Also compatibility... until 2006... they were different hardware and that would mean additional risk. Corporate IT departments are highly risk aversive.
I have worked in banking since I was 14 part time while going to school. My father is an EVP with a Fortune 5 Bank. I remember when we got our XP upgrade at home and the bank did not want to upgrade from windows 98 because it WORKED and was too expensive.
Most of the machines in “services” still run win98... why? because they work and the machines work and thus the departments which are all COST Centers are not going over budget which means the managers keep their jobs.
When we do get newer computers, we now get them bare bones because we have per cost site licenses STILL for win98.
Follow the MONEY.
Will our bank go to Mac ??
As long as win98 still works, as long as we can save and open spreadsheets from the 90’s and as long as new computers cost more than a couple hundred dollars... NEVER.
“There might be bugs on some of these mugs...”
He's living on Bizarro world where 0 virii = bad security.
Maynor has a personal beef with Apple since his hyped-up OS X wi-fi exploit turned out not to be and he was humiliated in the community. He was unable to put up or shut up.
He said that was in 1990. Why are you blaming OS X?
With regard to your link, I'm sure there are vulnerabilities but Macs have yet to be hit with any malware. And even Secunia -- which is not an unbiased observer in this since spreading FUD regarding Macs is in its self-interest -- notes just about all the holes have been patched and the ones that haven't are vulnerabilities that "can be exploited by malicious, local users". Why not just say don't leave your laptop lying unattended on a subway.
To check your vulnerability on the web try ShieldsUP.
They're currently running 4D WebSTAR on OS X, with some more back-end supporting XServes.
They switched in 99 after a kid hacked their NT system, defacing the site, and they researched what could provide the best security. The Army has a highly-attacked, trafficked and high-profile site. Another compromise would be quite embarrassing. Thus they go with OS X.
I think it's more a matter of chip rather than OS. Anyway, why would these sites -- most of which are Unix-based as is OS X -- want the home-consumer-oriented features of OS X?
Yeah..., it is humorous that the biggest argument that Macintosh users have with one another (concerning viruses on that platform) is whether they should even bother with purchasing an anti-virus program — at all — since none exist for the Macintosh operating system.
The Windows users probably wish they had that kind of argument going on for their platform...
Indeed. Hiding behind the "don't click unknown links" banner is a completely bogus tactic IMO. Sure, you're much more vulnerable when surfing the 'seedy' sides of the internet, but there is just no way to tell where a link will take you to sometimes. Suppose you go to foxnews.com and their page has been hacked in a subtle way unbeknownst to you. You click on a link thinking that it should be safe since Foxnews is a reputable site. *P00F* you've been p0wned through no fault of your own...
The problem with most of these security discussions is that they're too general. What software load are we talking about? What use of the system? What services are turned on? What's considered third-party or the vendor's fault? What's the OS and what's not the OS?
You have to nail down a specific scenario and rules before you can really make a determination.
Give me an E
Give me a T
Give me an A
What's it spell?
No Story!
Not to say I think OSX, let alone this beta is perfect but OSX lacks advanced security? it's hardened Unix, it don't get much more secure than that..