Posted on 06/13/2007 2:05:03 PM PDT by PajamaTruthMafia
Safari Security Claims Ignite Controversy

Security researchers have already found eight bugs in the Windows version of Safari Apple released on Monday. They're blaming Apple's "hostile attitude towards security researchers" for the problems.
Just hours after Apple Inc. released a Windows version of Safari on Monday, security researchers had uncovered more than half a dozen vulnerabilities in the browser beta, including at least three that could let attackers grab complete control of the PC.
PC World's Erik Larkin isn't surprised that Safari would become a security risk. But Apple's claims about the new browser's security have touched a nerve with security researchers: Two of the researchers blamed Apple's "false claims" about security and what they called its "hostile attitude" toward bug finders for the rush to dig up flaws.
First off the mark was David Maynor of Errata Security, who posted notice of a bug about two hours after Apple made Safari 3 available for Windows. By the end of the day, Maynor had racked up six bugs. Four could be exploited to crash the browser and/or PC in a denial of service; the other two, Maynor claimed, were remote execution vulnerabilities.
Maynor, who clashed with Apple over a demonstration of a wireless hack on a MacBook at last summer's Black Hat security conference, didn't hesitate to take a shot at the Cupertino, Calif. company. "I can't speak for anybody else, but the bugs found in the beta copy of Safari on Windows work on the production copy on OS X as well," he said in a posting on the Errata site. "The exploit is robust mostly thanks to the lack of any kind of advanced security features in [Mac] OS X."
Shortly after Maynor posted his first bugs, Aviv Raff, an Israeli security researcher noted for his contributions to last July's "Month of Browser Bugs" project, announced he had found a flaw, too. "I found it using a fuzzer tool, Hamachi, that was developed by HD Moore and me," Raff said in an instant message interview. "This is a memory corruption vulnerability, which is potentially exploitable for remote code execution."
Danish researcher Thor Larholm wrapped up Safari's opening day with the most damaging disclosure of all: a remote execution vulnerability accompanied by proof-of-concept exploit code. That code -- Windows Safari users can click here for a demo -- could be used to hijack the PC, said Larholm, who plucked the vulnerability from the browser and built the exploit in just two hours.
He laid part of the blame on Apple's inexperience in writing code for Windows. "On OS X, Apple has enjoyed the same luxury and the same curse as Internet Explorer has had on Windows, namely intimate operating system knowledge," said Larholm. "The integration with the original operating system is tightly defined, but [that] knowledge is crippled when the software is released on other systems and mistakes and mishaps occur.
"[For example] you can still find references to the OS X proprietary URL protocols 'open-help-anchor:' and 'network-diagnostics:' inside the resource files for the Windows release [of Safari]."
Bugs are not unknown to Apple. Other applications available to Windows users, the QuickTime media player and the iTunes music store software, have been patched several times. Four fixes for QuickTime, two last month alone, have been issued by Apple this year. In March, Apple updated iTunes so it would work more smoothly with Windows Vista.
Even so, the number of vulnerabilities discovered in Safari's debut day was stunning. Aviv Raff had an explanation. "My guess is that it's because of Apple's issues with security researchers and the false claims that their products are far more secure than others," he said.
Larholm agreed. "Given that Apple has had a lousy track record with security on OS X, in addition to a hostile attitude towards security researchers, a lot of people are expecting to see quite a number of vulnerabilities targeted towards this new Windows browser."
Maynor, who until last summer worked as a senior researcher for SecureWorks Inc., did not need to spell out his position. After he and colleague "Johnny Cache" demoed a MacBook hack prior to Black Hat, both Apple and Mac bloggers criticized the pair for either faking the hack or obfuscating its true nature. Maynor and Cache stood behind their claim. Several months later, Apple quietly patched the wireless drivers the researchers had used to break into the Mac machine.
On Monday, Maynor spelled out his policy regarding Apple vulnerabilities. "If a vendor answers a vulnerability disclosure with marketing and spin attempts, we no longer report vulnerabilities to that vendor."
Raff summed it up on the posting to his blog. "On the download page [for Safari] Apple writes 'Apple engineers designed Safari to be secure from day one.' I guess we can now call it 'Day zero.'"
Apple officials did not respond to a request for comment.
Nope, just not too susceptible to propaganda. I have had 5 Macs online for 15 years, never a problem; you, on the other hand, live for those problems and earn your keep from them. I just use my Mac for me, and do not require your help or dire warnings. Save them for those who willingly pay you to solve them.
On my site, I list several vulnerabilities I've found and reported to Apple, and I've found them to be very responsive and upfront about verifying things and giving credit. Some things are fixed quicker than others, and maybe you can say they take too long on some things, but when there are interdependencies on components being fixed, it can be a month or two before you see a patch.
They do tend to be a little quiet when dealing with researchers. They'll communicate on an as-needed basis and if you don't provide adequate information, maybe they'll follow up and ask for more. When I report bugs to Apple, I send full details including an exploit. They've been very good about pinpointing the issue and providing a fix.
I had an issue once where their engineers had trouble reproducing a vulnerability and I had to send more information and an actual exploit. After that, they found it and fixed it. I've always received appropriate credit.
I WAS TALKING ABOUT DAVE MAYNOR.
Apple didn’t act that way towards him.
There are plenty of Apple sploits out there. I provided a bunch of links.
If you want to keep changing the subject, do it with someone else.
“By the way, doesn’t it strike anyone as odd that there’s no real big vulnerabilities on Safari when used with OS X and only when its used by Windows does everything go to pot?”
DID YOU READ THE ARTICLE?
-- "I can't speak for anybody else, but the bugs found in the beta copy of Safari on Windows work on the production copy on OS X as well," he said in a posting on the Errata site. --
"Let's also not forget that this is a *Beta* version of Safari/Windows.
Or should I mention all the bugs that are in the *release* version of IE?"
READ THE ARTICLE FANBOY.
-- "I can't speak for anybody else, but the bugs found in the beta copy of Safari on Windows work on the production copy on OS X as well," he said in a posting on the Errata site. --
btw STILL waiting for you to talk your way out of #64.
Evidently most people using computers have no idea what a BETA version of a software program is!
The debate isn’t whether Apple has vulnerabilities that require patching. It’s about whether Apple has publicly denied vulnerabilities that they later patched.
You haven’t posted support for that claim yet. You gave one man’s unquoted claim as reported by PC Mag, but if you think you can support your claim that Apple has done that lots of time by just that one unsourced note, you’re mistaken.
Indeed, I've heard Al Gore say the very same thing. I'm sure he appreciates your support of his lifestyle.
Me I couldn't bring myself to give a penny to the likes of Al and Jobs. Snakes both of them.
As far as I can tell, those were not in the wild, and no computer, other than the hackers' computers, was taken down.
Do you have authoritative evidence that differs with that assessment? Bring it out.
It’s not going to stop me, in the least, from getting the best hardware and operating system to use.
It’s too bad that some conservatives couldn’t make something as good...
Vulnerabilities do not equate with exploits, Rightwing.
Many of these were "found" by the security industry after Apple announced them when they fixed them. Proof-of-concept demonstration viruses that have never been seen outside of a security company lab, or ever in the wild, are hardly exploits. What they all lack is a vector that works.
Uninformed? From someone who didn't even know Apple servers were used in the credit card industry. LOL
Anything built to run on a crappy platform like Windows is going to have flaws. Personally, I would never run Mac software on a PC, or Windows on a Mac. There’s no need to.
Keep getting in digs at Macs, you homosexual. You’ll just keep looking like a damn fool.
The "Security by Obscurity" canard has been shot down many times.
There are 23,000,000 OS X Macintoshes being used right now. That is not obscure.
In addition, Apple has been advertising its superior security for over a year now (those ads just were awarded the top prize for Television Advertising, the Grand Effie)... and that should be equivalent to throwing down the gauntlet to thousands of hackers who would love to be known as the cracker who wrote a viable Macintosh OSX virus that could infect machines in the wild.
There have been a few Mac virus candidates seen only in security company labs... All of them have been less than successful and none of them had a viable vector to spread. One of them took TWO security experts and TWO OS X software engineers SIX HOURS just to get it to copy itself from one Mac to another... and then it didn't do what it was claimed to do.
Studies have been done which show that Apple Mac users are, as a group, more affluent than their PC-using compatriots... and that Mac users tend to run NO anti-spyware, anti-adware, or anti-virus applications (because, as yet, in six years of experience, there are effectively ZERO of any of those encountered on Mac OS X!) so they should be sitting ducks for even the simplest spyware or virus that comes along.
Crackers have written viruses for iPods running Linux as an operating system... all 200 of them in the world. Other malware authors have written viruses designed to infect all 12,000 unpatched Black Ice Firewalled machines and every single one was infected within 45 minutes of the virus being released into the wild. Viruses have been written to infect 32,000 Internet LAN Routers... and viruses have been written to infect approximately 50,000 users of a specific make of Internet capable cell phone. Yet you claim that NO ONE is interested in exploiting a population of 23,000,000 MAC USERS who are UNPROTECTED BY ANTI-MALWARE? Absurd.
Contests have been staged for security experts to hack into a stock Mac. The most recent was the contest at the Canadian Western Computer Security Conference, where all attendees were challenged to break into an out-of-the-box MacBook Pro. The successful cracker would win the MacBook plus $10,000. After the first two days, when none had been successful, the rules were relaxed and crackers were allowed to have the referees navigate to specific websites the crackers had designed and click on various links they found there. Only when that was allowed was a user-level access hack successful, using a hole in Java and iTunes. No one succeeded in winning the second MacBook Pro and another $10,000 by achieving ROOT access. These were some of the top computer security experts in the world.
Another was mounted by an assistant Professor of Computer Science at the University of Wisconsin. Intended to run a full seven days, the contest ran for 37 hours until bandwidth concerns forced the cancellation of the contest. Thousands of attempts to break in were unsuccessful.
Your assertion that the security in OS X is not designed in is incorrect and ignores the almost 40 years of UNIX development that underpins the FreeBSD UNIX core that runs OSX. It has been acid tested by thousands of open source developers who have examined the code with a microscope... and the trials by fire in which UNIX was attacked and the holes used were patched over those years.
I would never buy an anti-virus software for my Mac. It would be money down the drain. May as well burn a couple of C-notes.
Which means that when you compare the cost of buying a Mac and a PC, you need to add the cost of a virus software onto your PC price in order to compare apples and oranges.
You can buy a MacBook for as little as $1100. If you buy it refreshed, and get 10% off, that’s only $990. An iMac costs $1000; a refreshed iMac costs $900. Great price for the best computer on the market.