Increased popularity of Macs and iPhones may attract hackers

“A report by Agence Presse-France from this year’s DefCon hacker convention in Las Vegas centered on comments from security analyst Cameron Hotchkies. Hotchkies, who works with Zero Day Initiative to find and report security vulnerabilities in Apple software, gave a talk on Mac OS X hacking this past Saturday to a packed room. ‘There are a lot more people getting into it and really getting their hands dirty,’ he told AFP. ‘I’ve been seeing a lot of reverse engineering on the Apple platform,’” Chris Foresman reports for Ars Technica.

“The article goes on to ‘explain’ that an increase in Windows ports and iPhone jailbreaks are evidence that users should start to be worried about hackers and malware,” Foresman reports. “The truth is that increased scrutiny could lead hackers to target Mac OS X, but users jailbreaking an iPhone or a Windows developer porting poorly-written code to Mac OS X isn’t going to lead to rampant malware problems overnight. Users jailbreak iPhones to add software capabilities that aren’t approved by Apple; a bad Windows port is not likely to sell in very high numbers on a Mac.”

Full article, which also rightly reminds readers to be wary of social engineering (phishing and trojans), here.

MacDailyNews Take: Somehow this is “news” yet again, this time to Agence Presse-France. The same “report” has been published quarterly, at least, for the last half a decade. Yet, somehow, we Mac users manage to survive and surf the Web unimpeded on our Macs in the face of all of these “reports.”

In the full Agence Presse-France article, Glen Chapman reports, “Hackers have historically focused devious efforts on computers using Windows operating systems because the Microsoft software has more than 90 percent of the global market, promising evil-doers a wealth of targets. Macintosh computers have been gaining market share and catching the interest of hackers.”

That the Mac is secure via obscurity is a myth. Why, if obscurity means security, in April 2007 was there a virus for iPods running Linux (a few thousand devices total, at most, in all the world), but there are no viruses for the 30 million or so Mac OS X computers that are currently online? Hello? Bueller?

Uh, oh – logic is certainly not what AV software peddlers, Windows PC box assemblers, and the rest of the leeches stuck to the Windows ecosystem want people to hear. Fear is what they’re after. Increased Mac sales always result in increased anti-Mac FUD. It’s as sure as death and taxes. The sheep must be kept in the Windows pen, no matter the cost to reputations, reality, productivity, sanity, etc. Far too many have far too much invested in Microsoft Windows for them to stand idly by and let it all slip away due to a vastly superior solution from Apple. But slip away it does nonetheless.

The idea that Windows’ morass of security woes exists because more people use Windows and that Macs have no security problems because fewer people use Macs, is simply not true. By design, Mac OS X is simply more secure than Windows. Period. For reference and reasons why Mac OS X is more secure than Windows, read The New York Times’ David Pogue’s mea culpa on the subject of the “Mac Security Via Obscurity” myth here.

“Security via Obscurity” is a defense mechanism for the delusional and also a tool for Microsoft apologists and/or those who profit from Windows to keep the sheep in the pen. 30 million Mac OS X installs is not “obscure” at all, but seven (7) years of Mac users surfing the ‘Net unimpeded certainly is “secure.” Besides social engineering scams (phishing, trojans; no OS can instill common sense) the only thing by which Mac users are really affected are large swaths of compromised Windows machines slowing down the ‘Net with spam and nefarious botnet traffic targeted at exploiting even more insecure Windows boxes. Get a Mac.

138 Comments

  1. “OS X is, in fact, secure relative to other operating systems”

    I don’t think so.

    www-935.ibm.com/services/us/iss/xforce/midyearreport/xforce-midyear-report-2008.pdf

    Apple currently holds the title of least secure software provider in the world.

    btw derek there are a lot of people that hack into you, it’s not just one person using different names.

  2. @me ?? or whatever your AKA happens to be at the moment.

    Oh, really.

    Since you reference an IBM Internet Security Systems report in your post above, what’s your take on Mark Dowd, an IBM-X Force researcher at IBM Internet Security Systems, and his recent finding regarding a flaw in VISTA that could bring it to its knees and there’s nothing M$ can allegedly do about it? BS or terrifying truth? We wait with bated and bad breath for your response, oh great forked-tongue one.

    See HERE

    Bite Me!

  3. “Since you reference an IBM Internet Security Systems report in your post above, what’s your take on Mark Dowd, an IBM-X Force researcher at IBM Internet Security Systems, and his recent finding regarding a flaw in VISTA that could bring it to its knees and there’s nothing M$ can allegedly do about it? BS or terrifying truth? We wait with bated and bad breath for your response, oh great forked-tongue one.”

    Don’t get too exited Mactard, Apple implemented some of what is being discussed by IBM in OSX 10.5 (ASLR). How’s that for a terrifying truth?

  4. @me

    “Don’t get too exited Mactard,” I think you mean EXCITED, indubitably, right?

    You need to cut back on the ‘weed’ and pay more attention in English Class, dude.

    You didn’t address the issue stated in my post. Also, the article made no reference to OSX 10.5 whatsoever. You’re starting to take diversionary tangential excursions in your responses. Your rage against Apple is blinding your logic and reasoning.

    Now AGAIN, my question: IS what Mark Dowd is saying about this VISTA vulnerability accurate or not?

  5. @me

    Thanks for the link. That was a good read, and I had not heard of the X-Force organization before.

    However, it appears that you haven’t read it yourself, or if you did, you aren’t capable of reading it in the context of what Eran and Gruber have already written. All this report says is that Apple had the highest number of reported vulnerabilities. So? Please, take the time to read the links I’ve given you.

    Additionally, if you have bothered to read the entire X-Force report, you should know that it also reports that attacks against operating systems are becoming less frequent and malware writers are targeting websites and attempting phishing schemes as their preferred weapons of choice.

    Regarding phishing, there’s no o.s. that can save someone who foolishly goes to a site promising cheap Rolex knock-offs or a share in a Nigerian fortune. Regarding internet malware, the report pointed out that most vulnerabilities are through third-party plug-ins AND “four out of the top five exploits listed in Table 6 are ActiveX controls (browser plug-ins for Internet Explorer).” (P. 27.) It goes on to point out that, “Although the number of high-priority vulnerabilities affecting Internet Explorer was much smaller in the first half of this year (only 6), there were 73 high-priority ActiveX vulnerabilities. These ActiveX controls are marked as safe for the browser to load and execute and, when properly exploited, provide remote code execution.” (P. 30)

    So, you not only failed to prove anything about OS X’s alleged hazards by giving me that link, you also pointed to the fact that Microsoft and its products are more vulnerable to the current malware threat of hackers’ choice.

    Thank you, “me.”

    Enjoy the rest of your weekend.

  6. The anonymous ‘me’ OFT (our frequentative troll) sez:

    “btw derek there are a lot of people that hack into you, it’s not just one person using different names.”

    So what do you have when a gang of cowards beat up on one person? Thank you ‘aka Christian’ for adding your sane research.

    “‘OS X is, in fact, secure relative to other operating systems’”
    “I don’t think so.”
    “http://www-935.ibm.com/services/us/iss/xforce/midyearreport/xforce-midyear-report-2008.pdf”

    What, you’re counting on other people being stupid enough to take you at your word? First, the data you are quoting does not equate to security at all. It is on page 11 and is titled “Table 2: Vendors with the Most Vulnerability Disclosures”. That last word again is ‘Disclosures’ not the number of exploits. I’ve already clearly pointed out that Pre-2005 Apple were NOT serious about security, for the obvious reasons of not having any malware or major exploits. Post-2005 they were embarrassed into taking it seriously by proof-of-concept exploits, a string of vulnerability reports by hackers, as well as Mac user public outcry. Clearly the result is Apple playing catch up. Thus the numbers.

    Now consider the next page of the IBM document, page 12. Who is the #1 company in the table titled “Table 3: Vendors Affected by the Highest Number of Public Exploits”? It’s Microsoft. No surprise! That completely turns your wrong assertion on its head. HP comes in at #2. Apple comes in at #3.

    Onward to page 28: “Table 6: Most Prevalent Web Browser Exploits, H1 2008”. What is #1. Again, no surprise. It’s ActiveX. I already pointed out this fact and you of course ignored me. #2 is RealPlayer. #3 is Internet Explorer via another ActiveX flaw. #4 is Apple’s Quicktime, which again I pointed out previously as being found to be remarkably insecure during this past year. #5 is Internet Explorer, again, with a DirectAnimation flaw.

    So OFT(s):

    You gotta be crazy,
    you gotta have a real need
    You gotta sleep on your toes,
    and when you’re on the street
    You gotta be able to pick out the easy meat
    with your eyes closed

    And then moving in silently,
    down wind and out of sight
    You gotta strike when the moment is right without thinking.

    And after a while,
    you can work on points for style
    Like the club tie, and the firm handshake
    A certain look in the eye, and an easy smile

    You have to be trusted by the people that you lie to
    So that when they turn their backs on you
    You’ll get the chance to PUT THE KNIFE IN…

    (Credit: © Roger Waters and David Gilmour)

  7. And why is Vista in particular vulnerable to this problem?

    “This feat was achieved by taking advantage of the way that Internet Explorer (and other browsers) handle active scripting in the Operating System.”

    There we are again, we’re back at Microsoft’s inane implementation of active scripting. Which leads me to my usual suggestion:

    NEVER
    USE
    ACTIVEX

    Here’s how to turn off ActiveX in Internet Explorer:

    http://acd.ucar.edu/~fredrick/win2k/active_scripting/

    Be sure to follow the links on the page above for related detailed information. I particularly like the CERT Malicious Web Scripts FAQ.

    Could this sort of attack happen on a Mac? Wisely, most Mac web browsers completely ignore ActiveX. But you can run it in Firefox. Turning off ActiveX in Firefox is easy: Uninstall its ‘Add On’. Thankfully this Add On is not installed by default.

    Meanwhile, if some bad website requires you use ActiveX, write the site’s admin, send him a URL about the Black Hat Vista exploit and ask him to strip ActiveX scripts out of his site. The sooner ActiveX is dead the sooner the current biggest source of web exploits is wiped out.

    The remaining ‘Active Scripting’ on the Mac side is the mess known as ‘JavaScript’. Sad to say, the safest thing to do on any computer platform is to turn off JavaScript in your web browser. (One thing I like about OmniWeb on the Mac side is that I can selectively turn on JavaScript for particular websites I trust). With time I expect web browsers will be able to detect dangerous JavaScript code calls and prevent them from working. But that’s a discussion for another day.

  8. Part 1 of 3, with Part 3 previously posted. (o_0)

    Apologies: B comes before A today. Please read this section before the one I posted above it. I’m taking the rest of the day off…

    Onward to an unfortunate comment the cowardly troll gang made:

    “Don’t get too exited [expletive deleted], Apple implemented some of what is being discussed by IBM in OSX 10.5 (ASLR). How’s that for…” FUDFUDFUD

    First, what is ASLR? Read:

    http://en.wikipedia.org/wiki/Address_space_layout_randomization

    What version of Mac OS X first used ASLR? Not 10.5. It was 10.4 Tiger from 2005:

    http://en.wikipedia.org/wiki/Mac_OS_X

    But check out that article Pit_BULL pointed to:

    http://www.neowin.net/news/main/08/08/08/vista39s-security-rendered-completely-useless-by-new-exploit

    It sadly points out:

  9. Part 2 of 3, with Part 3 previously posted above Part 1 (o_0):

    “ASLR is meant to stop attackers from predicting key memory addresses by randomly moving a process’ stack, heap and libraries. While this technique is very useful against memory corruption attacks, it would be rendered useless against Dowd and Sotirov’s new method. “This stuff just takes a knife to a large part of the security mesh Microsoft built into Vista,” said Dai Zovi to SearchSecurity.com. “If you think about the fact that .NET loads DLLs into the browser itself and then Microsoft assumes they’re safe because they’re .NET objects, you see that Microsoft didn’t think about the idea that these could be used as stepping stones for other attacks. This is a real tour de force.””

    So much for the ASLR implementation in Vista!

  10. OFF TOPIC! DANGER! DO NOT READ! TOTAL WASTE OF BANDWIDTH!

    Why I had trouble posting above:
    1) I suspected that the length of posts is limited here at MDN. This sort of filter is of course standard on the net.
    2) It turns out that the # of allowed characters at MDN is NOT CONSISTENT. It’s also not posted anywhere I could find. I suspect it is supposed to be about 1000 characters, and yet the first of the three posts I made, which was the second ‘half’ of the whole post, is 1618 characters and that made it through. The first ‘half’ is actually less at about 1472 characters but it won’t pass the filter. HUH?
    3) I was fooling around trying to get different ‘halves’ of my post to publish on MDN. The second half had previously failed in one browser. Then it worked in another. Post success, but in the wrong order.
    4) I then had to post the first half in two further pieces to make it through the filter.
