InfoWorld publishes false report on Apple Mac security

Apple Store“Nancy Gohring, writing for InfoWorld, delivered a misleading report yesterday on a Mac security exploit contest held at the CanSecWest conference in Vancouver, BC,” Daniel Eran writes for RoughylDrafted.

Eran writes, “In her defense, it appears likely that Gohring did not write the headline [“Myth crushed as hacker shows Mac break-in”] for her InfoWorld article, which described the contest winner as being ‘able to remotely break into a Mac as part of a contest designed to illustrate security flaws in OS X.’ That part was simply wrong.”

“Whoever did write the headline must have been smoking weed in celebration of 4/20, because Gohring’s article clearly described a local exploit. There’s a big difference between the remote exploits that made Windows infamous for its insecurity and a local exploit of an application,” Eran writes.

Eran writes, “Gohring reported that ‘contestants were invited to try to access one of two Macs through a wireless access point while the Macs had no programs running. No attackers managed to do so, and so conference organizers allowed participants to try to get in through the browser by sending URLs via e-mail.'”

“Opening an email URL that exposes a security flaw in Safari is both news to report and a problem for Apple to tackle, but reporting it as a remote exploit is inaccurate, irresponsible, and sloppy journalism, particularly for IDG’s InfoWorld, which purports to be an authority on computing,” Eran writes.

Much, much more in the full article here.

Related articles:
CanSecWest’s $10,000 ‘Hack a Mac’ challenge relaxes barriers, finds exploitable hole in Safari – April 20, 2007
Apple MacBooks hold strong, remain unhacked after first day of $10,000 ‘Hack a Mac’ challenge – April 20, 2007
CanSecWest sweetens ‘Hack a Mac’ contest pot to $10,000 – April 20, 2007
CanSecWest to hold ‘PWN to OWN’ contest: pits Apple MacBook Pros vs. hackers – March 26, 2007
Microsoft’s oft-delayed, much-pared-down Windows Vista hacked at Black Hat – August 07, 2006
Microsoft publicity stunt asks hackers to attack Windows Vista – August 04, 2006
Apple Mac remains ‘unhacked’ as University of Wisconsin’s Mac OS X Security Challenge ends – March 08, 2006
Mac OS X ‘unhacked’ over 24 hours and counting in genuine security challenge – March 07, 2006

50 Comments

  1. The fact that such a contrived and artificial situation had to be resorted to in order to be able to report something resembling some sort of successful attack on OSX, in itself speaks volumes about just how buttoned down OSX really is.

    Exactly right. Microsoft Windows is like a house with all the doors and windows left wide open, but the morons are crowing because someone succeeded in breaking down the locked door of the OS X house with a battering ram. What an accomplishment! This kind of “news” is obviously written by morons, for morons. Let them all rush out and buy Vista. It’s exactly what they deserve!

  2. Here’s another article from yahoo news
    Hacker Cracks a Mac at Security Conference
    A hacker managed to break into a Mac and win a US$10,000 prize as part of a contest started at the CanSecWest security conference in Vancouver.

    The conference organizer decided to offer the contest in part to draw attention to possible security shortcomings in Macs. “You see a lot of people running
    OS X saying it’s so secure and frankly Microsoft is putting more work into security than Apple has,” said Dragos Ruiu, the organizer of security conferences including CanSecWest
    http://news.yahoo.com/s/pcworld/20070421/tc_pcworld/131050

  3. Sigh… User-level access, folks. User-level access. That’s all they got. Without contriving some way to get the admin password, there’s very little they could do. They couldn’t even truly install software. Sure, they could run it out of the user’s directory… and then hope the guy never turns off his Mac or logs out.

    Oh sure, they could delete files, f*** you up, etc., but that’s not what hackers want. They want valuable stuff. And since no two user’s directories are the same, that would mean searching all the files by hand. Not worth it.

    People who are panicking at this just see “exploit” and immediately jump to “OMFG TEH SKY SI FALLING!!11”. Take a deep breath and ask yourself “What has really been accomplished?” Is it an exploit? Yes. Is it an exploit of any significant value? No!

  4. One more comment: Why the ungodly panic now? This is not new. We had a problem with Safari a year or two ago, where visting a webpage could cause Safari to execute commands. I don’t remember anywhere near the flailing of arms and panicking back then. We had the MOAB announce ways to run “arbitrary code” via holes in third-party programs in January. Everyone just rolled their eyes. So what’s different now? The $10,000 prize? I don’t get it.

  5. When all is said and done, there is still no malware out there. There is nothing to stop me from using Safari for my browsing. I still have nothing to worry about.

    Wake me when something other than a proof of concept is out there to worry about.

  6. Windows, by default, runs as the super user (haven’t got a clear answer on Vista yet, altho all I’ve talked to are also running as the super user).

    This means that YOU CAN DO ANYTHING IF AN EXPLOIT HAPPENS, and they will happen, especially if you have, ahem, software design issues. And, as others have said, all OS’s have exploits.

    Contrast this with any operating system (all Unix systems, including OS X) designed for connection to the internet: you are NEVER, EVER, by default, running as the super user.

    In other words, the doors and windows are locked, as alansky says.

    Notice that Vista asks you “do you want to to do this”, it doesn’t ask you for your password, and block you if you fail to give it.

    With Windows XP the bank vault is in the middle of the street, but with the door wide open. With Vista there is a sign “you are entering the bank vault”, but the door is still wide open. With OS X, you have to unlock the bank vault by giving a password. Guess which one should never be (in this analogy) given any money, assuming basic intelligence on the part of the depositor?

    It is amazing there aren’t MORE Windows exploits, more massive failures, given such a brain dead design decision as to run as the super user. A simple user level exploit and the bank vault is all yours.

    Where are the class action lawyers, by the way?

  7. tell her to get back in the kitchen and stop writing tech pices witch she know nothing about, and witch most of you posting don’t either.
    Safari is fine nothing going on there. Stop crying worf and the sky is falling all the time….yea spell errors…my teachers fualt I do have a masters in comptuers….just can’t spell with a shit…plus at my house it’s alway 4/20

  8. “You see a lot of people running OS X saying it’s so secure and frankly Microsoft is putting more work into security than Apple has,” said Dragos Ruiu, the organizer of security conferences including CanSecWest

    What a truly laughable thing to say! It’s like saying that a leaky dike is more secure than a water-tight barrier because the owner of the leaky dike spends more time patching holes. I believe “shit for brains” is the expression one would use to describe this kind of reasoning.

    This so-called “security challenge” was nothing more than another cheap publicity stunt at Apple’s expense. By morons, for morons. I hate to keep repeating myself, but…

  9. “It is amazing there aren’t MORE Windows exploits, more massive failures, given such a brain dead design decision as to run as the super user.”

    You can run either way on Windows, “root” equivalent or as a nonprivileged user. it’s a brain dead decision that Windows Users (not Microsoft) make when they install and/or setup the system.

    With respect to having someone visit a URL, that’s a very normal attack vector. The vast majority of Windows attacks are those which rely on getting the user to do something dumb.

  10. “It works. It is real. This is not something that I have made up,” Dai Zovi said. “It seems that a lot of people harbor the belief that the Mac doesn’t have these problems, but it does.”

    but more realistically, the developer who actually put the exploit in place at the conference makes a distinguo:

    “This is more realistic,” Macaulay said of the exploit. “Everyone is going to be behind a router, so you are not going to have a chance to use a fully remote exploit.”

    So a stunt capable of winning ONE of the two MacBooks: at the conference no one has been able to remotely attack any of the Macs nor getting a root-level privilege.

    So the “Pwn to Own” result was: A Mac was owned but none was Pwned.

  11. This article (to the best of my knowledge) reports the most details . . . .
    http://www.securityfocus.com/news/11461

    If windows suffers a similar vulnerablility, would that even be news?
    I fully entertain the possibility I am ignorant on this subject, but, it seems to me the fact such an attack gets such a huge response & publicity in itself, lends credence to how secure OSX is. If this is the worst they can do? YAWN !

  12. WIndows Internet Explorer bugs allow for Windows to be corrupted simply by VISITING a malicious web page still exist.

    Phishing and social engineers problems where the user has to actively participate and collaborate in order to be exploited are nasty, sure, but way less problematic.

    The problem shown in Safari does not work simply by visiting a URL, you have to act. Bad, not nice but very limited.

    Internet Explorer even had an issue by which even MOVING the cursor on a malicious web page was enough for the system to get corruption.

    Again, this is at the same level of the MOAB vulnerability shown in February. IS this all it can be done? Social engineered scams are not what is dangerous. What truly is dangerous is of weaknesses that do not need active participation from the users.

    Windows apologists, even here, say that hey, this is 90% of the attacks on Windows, users are lured into something and then infection happens and propagates: the Windows machine is pwned. EXACTLY, this is NOT what happened here: no propagation, no control of the machine, so *initiator* infection that translates into an exponential problem.
    It is for this very reason that such malware still do not happen on the Mac camp: no control of the machine, no spreading.

    Hackers and cracker are not interested into exploiting Mac after Mac till you get tens infected after some time.

    When there will be something able to get into a Mac (even via Safari and user intervention) that will then allow something to get installed, acquire the rights to control the machine and start an automatic infection able to infect some millions machines out of the Mac user base (it would take a couple day maximum) no malware nor attacks will be witnessed in the wild.

    20+ million users is WAY MORE THAN ENOUGH to attract virus writers if they had a slim chance for an automatic spreading affecting all Macs remotely. Windows users resting themselves on the case “Macs are so few they are not interesting” are as silly as those who say “Mac is invulnerable”. Both camps are clueless the same.

    MDN “control” as in: till one will be able to get remote control of a Mac OS X platform, none of this proofs will ever turn into malware.

  13. Might this be a fair analogy? Window’s castle walls are battered and broken, the invaders are inside pillaging. Meanwhile someone manages to lob an arrow over the intact walls of OSX’s castle, and a jubilant chorus goes up “OSX has been breached”

  14. Since CanSecWest is over and there was no BIG news about the other MacBook being “owned,” so I guess no one was able to get Root access to the 17″ MacBook Pro, even by using a Safari bug. That’s important news, because the hacker does not really “own” the Mac without it. Apple can easily fix bugs in Safari (or QuickTime or any other app) as they come up. It’s much more difficult (probably close to impossible) to fix fundamental design flaws that cause security problems in Windows. Apple just needs to fix a few bugs. Microsoft needs to start from scratch.

  15. Reality:

    A operating system designed for internet use makes it very difficult (and not the default) for the user to run as root.

    Blaming the user for a grevious design decision like this is just ridiculious, and, in my opinion, this particular design decision is grounds for a class action lawsuit (but IANAL).

    If a nuclear power plants had a day care center in the main control room, and a 3 year old toddler triggered a meltdown is it the toddler’s fault or the designer’s fault?

    tz:

    Not quite. A more accurate analogy is that Microsoft, due to its history of not paying attention to security before the fact (i.e. during design), has a 20 lane expressway ending at its place of residence, and everybody has cars that travel at the speed of light (you can get anywhere in the world in a few seconds or so).

    And, since by default and in most cases Windows users are running as the administrator, the door is wide open and unlocked.

    Under Vista, as you enter the door, by default, a doorman says “do you want to enter?”. If you say “yes”, you enter, regardless of whether or not you should be there or not, and regardless if you’re wearing a ski mask and exit in 2 minutes with bags of valuables over your shoulder.

    Disclosure: my data on Vista is limited – the 3 (all were technical) people I’ve talked to who use Vista are all running as the administrator, and their machines arrived with the operating system installed. I can’t swear what the default user rights (administrator or not) is if the proverbial Grandma bought a machine with Vista from the local store, but it sure seems like its the administrator. Does anybody know for sure, by the way?

  16. Yes, Leftcoaster, the contest was held in Canada so that the FBI wouldn’t throw a hacker into Gitmo. *rolling eyes*

    1) Does the US government use Macs primarily? No.
    2) Is hacking under these circumstances a crime? No.
    3) Was the attacker furthering the abilities of foreign nationals to wage war against the United States, directly? No.

    That I even have to write this shows the failure of the educational system to teach elementary logic.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.