Posted on 06/13/2007 2:05:03 PM PDT by PajamaTruthMafia
Safari Security Claims Ignite Controversy
Security researchers have already found eight bugs in the Windows version of Safari Apple released on Monday. They're blaming Apple's "hostile attitude towards security researchers" for the problems.
Just hours after Apple Inc. released a Windows version of Safari on Monday, security researchers had uncovered more than half a dozen vulnerabilities in the browser beta, including at least three that could let attackers grab complete control of the PC.
PC World's Erik Larkin isn't surprised that Safari would become a security risk. But Apple's claims about the new browser's security have touched a nerve with security researchers: Two of the researchers blamed Apple's "false claims" about security and what they called its "hostile attitude" toward bug finders for the rush to dig up flaws.
First off the mark was David Maynor of Errata Security, who posted notice of a bug about two hours after Apple made Safari 3 available for Windows. By the end of the day, Maynor had racked up six bugs. Four could be exploited to crash the browser and/or PC in a denial of service; the other two, Maynor claimed, were remote execution vulnerabilities.
Maynor, who clashed with Apple over a demonstration of a wireless hack on a MacBook at last summer's Black Hat security conference, didn't hesitate to take a shot at the Cupertino, Calif. company. "I can't speak for anybody else, but the bugs found in the beta copy of Safari on Windows work on the production copy on OS X as well," he said in a posting on the Errata site. "The exploit is robust mostly thanks to the lack of any kind of advanced security features in [Mac] OS X."
Shortly after Maynor posted his first bugs, Aviv Raff, an Israeli security researcher noted for his contributions to last July's "Month of Browser Bugs" project, announced he had found a flaw, too. "I found it using a fuzzer tool, Hamachi, that was developed by HD Moore and I," Raff said in an instant message interview. "This is a memory corruption vulnerability, which is potentially exploitable for remote code execution."
Danish researcher Thor Larholm wrapped up Safari's opening day with the most damaging disclosure of all: a remote execution vulnerability accompanied by proof-of-concept exploit code. That code could be used to hijack the PC, said Larholm, who plucked the vulnerability from the browser and built the exploit in just two hours.
He laid part of the blame on Apple's inexperience in writing code for Windows. "On OS X, Apple has enjoyed the same luxury and the same curse as Internet Explorer has had on Windows, namely intimate operating system knowledge," said Larholm. "The integration with the original operating system is tightly defined, but [that] knowledge is crippled when the software is released on other systems and mistakes and mishaps occur.
"[For example] you can still find references to the OS X proprietary URL protocols "open-help-anchor:" and "network-diagnostics:" inside the resource files for the Windows release [of Safari]."
Bugs are not unknown to Apple. Other applications available to Windows users, the QuickTime media player and the iTunes music store software, have been patched several times. Four fixes for QuickTime, two last month alone, have been issued by Apple this year. In March, Apple updated iTunes so it would work more smoothly with Windows Vista.
Even so, the number of vulnerabilities discovered in Safari's debut day was stunning. Aviv Raff had an explanation. "My guess is that it's because of Apple's issues with security researchers and the false claims that their products are far more secure than others," he said.
Larholm agreed. "Given that Apple has had a lousy track record with security on OS X, in addition to a hostile attitude towards security researchers, a lot of people are expecting to see quite a number of vulnerabilities targeted towards this new Windows browser."
Maynor, who until last summer worked as a senior researcher for SecureWorks Inc., did not need to spell out his position. After he and colleague "Johnny Cache" demoed a MacBook hack prior to Black Hat, both Apple and Mac bloggers criticized the pair for either faking the hack or obfuscating its true nature. Maynor and Cache stood behind their claim. Several months later, Apple quietly patched the wireless drivers the researchers had used to break into the Mac machine.
On Monday, Maynor spelled out his policy regarding Apple vulnerabilities. "If a vendor answers a vulnerability disclosure with marketing and spin attempts, we no longer report vulnerabilities to that vendor."
Raff summed it up on the posting to his blog. "On the download page [for Safari] Apple writes 'Apple engineers designed Safari to be secure from day one.' I guess we can now call it 'Day zero.'"
Apple officials did not respond to a request for comment.
Apple software has always had bugs, just like any software has bugs. I don’t think you’ve ever heard any Macintosh user that has said that Apple Software doesn’t have any bugs. You’re simply putting up a straw man — so to then falsely knock it down...
There isn’t a single piece of software that has ever been made that has not had bugs in it.
However, what Apple software has done is integrate its software so that it works very well with other pieces of its software. And, it has fewer bugs than many other types of software out there, plus it has an excellent user interface — a user interface consistency that carries across the broad spectrum of its software, including those made by other developers (since they adhere to that same consistency).
In fact, for Macintosh software, it’s been a point of pride for a lot of Macintosh users to never have to read a manual because the software was intuitive enough to use without cracking open that manual. Most people on the Macintosh will never have to refer to a manual since it’s so intuitive to use.
And, on the level of OS X it’s much more secure — in actual “real life” and “in practice” (where people actually use it every day) — than on the Windows side of things.
Here is another area where Macintosh users have never said that vulnerabilities don’t exist. What has been said is that it’s much better to have zero operating viruses on the Macintosh platform (and operating system) than the 114,000 Windows ones.
I’ve run Macintosh operating systems from 1986 to the present. In all that time, I’ve only encountered one virus — ever — and that was in 1990. Since 1990, I’ve never run into a single virus, while sharing disks, files, being on the Internet, downloading all sorts of files and so on. I do run an anti-virus program and it hasn’t ever popped up with a single “peep” of a warning about a single Macintosh virus. I really don’t expect to see one pop up any time soon. Being that I’ve only seen one virus in 21 years of Macintosh operating systems gives me great confidence in the next 10-20 years of Macintosh operating systems.
So, for all practical purposes, you could say that there aren’t any “bugs” (i.e., viruses) in the Macintosh OS X operating system, no matter what someone wants to try and say. They simply don’t exist. As far as software bugs, vendors will keep updating their software and keep fixing whatever pops up, but that’s a far cry from viruses.
Regards,
Star Traveler
I skimmed the headline..initially I thought it was about mutant tse-tse flies infecting tourists on photo-safaris in Africa..
I always laugh at that kind of stuff. From all the reading that I’ve seen from some so-called experts, it seems that the Macintosh operating system is the most insecure thing around — and yet, we see 114,000 Windows viruses and none on the Macintosh side. All I’ve got to say about that is let me know when they get five or ten viruses, much less 114,000 of them...
And then, someone says, well, they’re coming — and yet, for the last 21 years, I’ve only run into one single virus — ever. And I’ve never gotten a single peep out of my antivirus software, ever (for the Macintosh), in all the years that the Mac OS X operating system has been out (many years, so far).
So, they can keep telling me what kind of great problems I’m going to have, while I enjoy what I’ve experienced in the last 21 years.
As far as any bugs in software, I usually let developers work out their bugs with further revisions. I like getting newer versions after they’ve gone through a few “dot” increments.
And anyone who wants to go with “beta software” — well.., they can have at it. I’ll go for the finished and completed versions. I can’t complain about problems in beta software.
For your viewing pleasure...... Not as secure as one might be led to believe.
Got some examples of that . . . . so we can determine WHO is blowing the hot air?
It’s the same result with a lot of other Macintosh users. I don’t run across any Macintosh user who ever tells of any problems with any viruses — at all. There are no reports of any Macintosh users being infected by viruses on Mac OS X operating system. They just don’t exist. So my experience is just like all the other Macintosh users.
The biggest argument in the Macintosh world — about viruses — is whether anyone who owns a Macintosh should ever bother with getting an anti-virus program. Many Macintosh users think it’s a scam for companies to sell an anti-virus program for the Macintosh.
For my part, I’ve got one, but it seems to be useless... it never registers a single peep about anything.
“There ain’t no bugs on me...”
I’ve got a program that checks all outgoing connections from my software and I do see several programs that do “call home” when they are started. Some I allow and others I don’t.
However, in all the years of using Safari, I’ve never seen it want to “phone home” to Apple.
But, I have seen, when loading certain web pages, that certain of those web pages will trigger a connection on a certain port to a certain outside IP number. That has nothing to do with Apple and has to do with that particular web page that you’ve accessed.
And one other time, I kept seeing certain cookies showing up all the time, even though I never accessed those web pages. The cookie would keep reappearing, after being repeatedly deleted. It wasn’t Apple’s web site, but a completely different company. I finally found out that it has to do with some RSS link that I had in the bookmarks, that was causing it to go back to that web site all the time and reset the cookie. So, I deleted the bookmark and it never did it again.
So, there are a lot of things that can go on, other than Safari “phoning home” to Apple. It doesn’t do that.
It’s been very debatable as to what the real reason is for the actual lack of problems with infections and/or infiltrations of Macintosh computers. Some say it’s because of the obscurity of the operating system. I’ve seen others who say that it’s because a lot of programmers don’t have a big beef with Apple like a lot of programmers seem to have with Microsoft. Others say it is because it — is — actually more secure.
Now we can argue all day long as to what the real reasons are for the — missing problems — with viruses and taking over a Macintosh computer and controlling it and so on.
BUT, for most people they don’t care about the reasons why. All they care about is that it simply doesn’t happen, as it does in the Windows world.
So, for those ordinary and normal users, all of the so-called experts can argue all day long and the ordinary user will simply enjoy the benefits of what he or she has, with the Macintosh Operating System — over Windows operating system.
I’ve got my ideas of why the lack of these kinds of problems are the “state of affairs” for the Macintosh, but it doesn’t matter to me whether anyone else believes me or not. All that matters to me is — that is the way it is — and that’s worth a lot, all by itself. I enjoy the current state of affairs.
I would imagine quite a few Macintosh users enjoy it as well...
Security through obscurity is one dimensional. Once the ROI of exploitation outweighs the effort needed to exploit, you might as well lay back and enjoy it (that is IF you even know it's happening). Most likely you won't even know when you have been picked.
Well, viruses have hit cellphones.... And the Mac has quite a huge installed base - 5% of e-friggin-normous is still a huge number.... And there's the opportunity to let a lot of air out of the viewpoint that the Mac is more secure.
That adds up to plenty of motivation to write a persuasive Mac OS X virus.
All you offer is speculation. All we offer is results. Some "professional" - ha!
No, I offered facts in my link on OS X vulnerabilities...did you not read, or are your eyes failing your brain?
Well, it ain’t happening with the Macintosh operating system — that’s for sure. I keep hearing about all the bad problems that can happen or will happen — but that’s been going on for years and years, and it’s never come true yet.
I guess that’s why the Macintosh user’s biggest argument these days is whether they should ever bother with an antivirus program. That’s the biggest concern that most of the Macintosh users have. They argue whether it’s a scam to even sell an anti-virus program since nothing has ever shown up in the last few years (and longer).
With the Windows operating system, you wouldn’t dare want to go without an anti-virus program. It would be suicide. That — by itself — tells you a great deal of the difference in the two operating systems.
As far as my system being “picked” — well, I keep checking all the time but never come up with anything. I’ve got all my accesses logged, the firewall operating, check the outgoing connections, run programs to check on anomalous programs, look over those logs for anything suspicious and so on...
It all seems to be a total exercise in futility — since nothing ever happens with my Macintosh. It’s like me looking for some disaster to happen for the last 21 years and never having it happen. It gets tiring to keep watching for the “coming disaster” and — today — still be waiting for that coming disaster that is going to happen with the Macintosh Operating System. It just never comes...
All I can say is let me know when the disaster happens..., it hasn’t come around yet...
1. Secunia sells Mac security software. Hence it is in their best interests to make the Mac appear less secure. Therefore they try to "amp" up the count of vulnerabilities Mac OS X has. An actual pro would present data from a less biased source.
2. Even so, according to that page you linked to: "Most Critical Unpatched The most severe unpatched Secunia advisory affecting Apple Macintosh OS X, with all vendor patches applied, is rated Less critical"
3. I hate to be the one to break this to you, Mr. "Security Professional", but there is a big difference between a vulnerability and the ability to exploit said vulnerability. So far, even though vulnerabilities have been found (hey, it's an OS created by human engineers), no effective exploit has been found to take advantage of these brief vulnerabilities. In other words, no attack has been able to be executed for real.
(Yes, there was that guy who figured out how to exploit QuickTime & Java - luckily he was a real security pro who found a way to alert Apple so they could close the hole before it was exploited in the field.)
I guess you're one of those yahoos who hang out a "Security Pro!" shingle, and wait for whatever suckers walk in your door. Thanks for reminding me why I've been avoiding the Windows World for the past 20 years!
Yea, that’s why we get so many IAVAs in DOD on the OS X platform. I suppose the DOD sells security software as well. You don’t have a clue do you?
What you find, in “real life” is that not all so-called “vulnerabilities” are useful for anything at all. All that may happen with many of the so-called vulnerabilities is that something doesn’t work and something crashes and nothing more. In other words, it simply can’t be turned into anything useful for a virus or for a hacker to gain control of your computer.
And that’s the way it turns out in “real life” — with the Macintosh computers. The viruses don’t exist for the Macintosh and hackers don’t control Macintosh computers (unless you’re handing out your passwords or making them to be “password” :-) ... ).
As far as no one coming “knocking on the door” — I’ve got several machines on their own direct outside IP addresses, hooked into the Internet 24/7 and I see lots of “hammering away” at these computers. So, it’s not for the lack of trying. It’s just that nothing happens. It may be hard to believe for some, but that’s simply the facts of the matter.
I was just looking over the logs of one of the computers this morning. I see over 17,000 attempts in just 24 hours on one machine. Some are innocuous and others are not. But, all in all — nothing happens with these Macintosh computers and they are about as secure as one could ever wish it to be in real life.
So, it’s not for the lack of trying, not for the lack of being on the Internet 24/7 — and the bottom line result is — no viruses and no hacker gaining control of my Macintosh computers. That’s from years and years of usage this way.
So, like I said — when the big security disaster happens for the Mac OS X operating system, be sure to let me know...
Don’t put so much faith in your platform.
Yes, it's possible to forestall this sort of thing in Safari by using ZoneAlarm (or some similar program), but it requires denying Safari the right to connect, then removing it from the list of permitted programs and then re-allowing it to connect. Aggravating.