Get APLawrence.com by RSSMac Pwned
2008/03/28
I'm sure you've read about the Mac security challenge debacle.. if not, Ars Technica has a good writeup.
It turns out that it's actually a QuickTime flaw and more specifically a QuickTime Java flaw.. or so they seem to be saying now.
There's been a lot of confusion, with some blogs mixing in the two year old Mac Mini challenge and confusing that with this. That challenge involved giving the attacker a user account to work from; this one was done indirectly through a web page.
Of course some Windows folks are cheering wildly, but that's silly: most Mac fans are happy the bug was found and will be fixed. I wish they'd do this kind of thing more often: Apple, Microsoft, and everybody else with an interest in improving our Internet world should be ponying up prize money so that this kind of testing could be done every month. That could only improve life for everyone, right?
;
Have you tried Searching this site?
Unix/Linux/Mac OS X support by phone, email or on-site: Support Rates
This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more. We appreciate comments and article submissions.
Many of the products and books I review are things I purchased for my own use. Some were given to me specifically for the purpose of reviewing them. I resell or can earn commissions from the sale of some of these items. Links within these pages may be affiliate links that pay me for referring you to them. That's mostly insignificant amounts of money; whenever it is not I have made my relationship plain. I also may own stock in companies mentioned here. If you have any question, please do feel free to contact me.
Specific links that take you to pages that allow you to purchase the item I reviewed are very likely to pay me a commission. Many of the books I review were given to me by the publishers specifically for the purpose of writing a review. These gifts and referral fees do not affect my opinions; I often give bad reviews anyway.
We use Google third-party advertising companies to serve ads when you visit our website. These companies may use information (not including your name, address, email address, or telephone number) about your visits to this and other websites in order to provide advertisements about goods and services of interest to you. If you would like more information about this practice and to know your choices about not having this information used by these companies, click here.
I sell and support
Kerio Mail server
Click here to add your comments
Fri Mar 28 14:18:53 2008: Subject: BruceGarlock
I say offer up more MB Airs! Get all the security bugs out. From what I understand, there were two other computers in this "challenge", and the winner got to keep the 'owned' machine. Which simply says that the Air was wanted more over the Vista machine :-)
QT Java flaw? So, would that be Sun or Apple?
I was guessing WebKit, since it is OpenSource, and maybe he found a hole in that code somewhere.
Fri Mar 28 18:16:43 2008: Subject: TonyLawrence
I certainly agree - as I said above, all the big players should be putting up money for this regularly - the more the merrier, and the better off we all would be.
Tell me Microsoft and Apple and IBM and Sun etc. together couldn't fork out say $20,000 a month for a few years to do this kind of thing..
Fri Mar 28 22:36:39 2008: Subject: drag
""I was guessing WebKit, since it is OpenSource, and maybe he found a hole in that code somewhere. ""
Ya, that's a weird attitude that seems normal for a lot of computer folk. Somehow that because a piece of software is open source that means it's easier to hack. I see that stuff at work also people making odd statements about this program or that program and how it's a security issue that you can get the source code in a public place.
It's just funny because most of the time it's the opposite.
I mean it's not like there is not a crapload of insecure open source software out there... (there is lots of bad software, look at most PHP apps) but it has very little to do with the fact that it's open. It's just badly programmed.
Webkit is popular and it's a security sensitive thing. It's been around in various forms for years.. being originally developed for KDE for their KHTML platform and then forked by Apple. It's being adapted back into KDE and Gnome hackers are integrating support for webkit in addition to the existing Gecko support (from Mozilla folks). So it's widely reviewed, edited, and made to be portable across lots of different platforms and toolkits.
Now besides the fact that a web browser renderer is a massive and very complex piece of software (and complexity combined with large code base is the natural breeding ground for bugs and security issues) I would think that Webkit would be one of the less likely system to get hacked when compared to Microsoft's HTML renderer or any of the email apps that are used on any of the three systems.
Sat Mar 29 01:09:55 2008: Subject: BruceGarlock
Yea, I kind of worded that poorly. I totally agree that it is usually the opposite. I know with people having their eyes on the code in the wide open should lead to better quality, and better written code with respects to security, but there are still open source projects with security issues. Hell, how long has 'sendmail' been open, and that has been riddled through the years with exploits. Also, even the linux kernel has security holes from time to time.
I personally would *always* run open source where I can. Sometimes I have a hard time with the fact that I use OS X, which although uses open source, it still uses a lot of closed source as well. My hats off to the 'pure' GNU Linux diehards. I tend to fall in the middle, a little closed, and a little open.
A lot of insecure code can just plain be a result of what I call 'deadline creep'. Sure, the code works, but management wants to get it in the users' hands, without regard to how secure it is. I bet a lot of software falls in that category. The more features, the higher probability for security holes. It's actually the user that creates this mess. If we didn't require all the features out there, we could all be running OpenBSD, and call it a day.
I run the nightly builds of webkit on my Macbook Pro, and just thought that with all the releases, and new features, changes, etc, that there is always a chance for something insecure to slip in there. But, at the same time, there is actually less chance, because I am keeping updated by running the nightly, where security bugs are likely to get fixed quickly.
I'll still take open source over closed any day of the week. Now, if we can just get our government to require open source for the voting machines, so we can really see what is happening, then I would sleep better at night, knowing that those voting machines are really secure :-)
Sun Mar 30 14:15:07 2008: Subject: anonymous
I suspect this, from Rich Mogull, is an accurate and fair summary:
"... I spend a lot of time talking and working with the research community. Most feel that Mac users are relatively safer than Microsoft Windows users, but that Mac OS X has lost its lead as a secure consumer operating system. This was, in many ways, by necessity. Windows is under such constant onslaught that Microsoft had little choice but to increase the operating system's security significant or face the risk of losing customers, especially among their corporate clients. ... Since Macs are much less frequently attacked, Apple isn't under nearly the same pressure."
http://db.tidbits.com/article/9529
I still feel safer on Mac (and Linux) for obvious reasons -- they were never that bad (XP *was* that bad ... and before SP2 downright unconscionable) and are not such a big target anyway -- but I suspect MS of necessity has had to pull its socks up and may well have leapfrogged other vendors (at least for the present).
I think the "many eyes" theory is questionable at best and perhaps more a product of hopeful thinking than anything else. It's certainly no panacea in and of itself.
Marcus Ranum has a piece that's worth reading from that point of view. I quote:
"The 'many eyes' theory of software quality doesn't appear to hold true, either. FTWK was widely used for almost ten years, and only one of the problems I found with Fortify was a problem I already knew about."
http://www.ranum.com/security/computer_security/editorials/codetools/index.html
What's evidently needed from vendors these days is stringent code review, checking with automated tools, and architectural protections like randomization and running internet-facing applications with low privilege -- on Vista IE apparently runs in a "protected mode". Apple (and some others) are perhaps not as far along with those kinds of strategies as they arguably should be.
Sun Mar 30 15:28:19 2008: Subject: TonyLawrence
If Apple does not feel as pressured to concentrate on security as Microft, they are being complete idiots. Their position is really great right now: great product line up against a sputtering competitor. But security sloppiness can blow all that away very quickly.
Mon Mar 31 13:10:23 2008: Subject: TonyLawrence
Vista fell - http://blog.wired.com/gadgets/2008/03/windows-vista-f.html but that was a Flash exploit and Vista "almost" stopped it.
Linux remains standing at the moment.
Buy Take Control of Fonts in Leopard
Don't miss responses! Subscribe to Comments by RSS or by Email
Click here to add your comments
If you want a picture to show with your comment, go get a Gravatar