APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed

Mac Pwned

I'm sure you've read about the Mac security challenge debacle.. if not, (link dead, sorry) Ars Technica has a good writeup.

It turns out that it's actually a QuickTime flaw and more specifically a QuickTime Java flaw.. or so they seem to be saying now.

There's been a lot of confusion, with some blogs mixing in the two year old Mac Mini challenge and confusing that with this. That challenge involved giving the attacker a user account to work from; this one was done indirectly through a web page.

Of course some Windows folks are cheering wildly, but that's silly: most Mac fans are happy the bug was found and will be fixed. I wish they'd do this kind of thing more often: Apple, Microsoft, and everybody else with an interest in improving our Internet world should be ponying up prize money so that this kind of testing could be done every month. That could only improve life for everyone, right?



Got something to add? Send me email.


7 comments



Increase ad revenue 50-250% with Ezoic


More Articles by

Find me on Google+

© Anthony Lawrence







Fri Mar 28 14:18:53 2008: 3910   BruceGarlock


I say offer up more MB Airs! Get all the security bugs out. From what I understand, there were two other computers in this "challenge", and the winner got to keep the 'owned' machine. Which simply says that the Air was wanted more over the Vista machine :-)

QT Java flaw? So, would that be Sun or Apple?

I was guessing WebKit, since it is OpenSource, and maybe he found a hole in that code somewhere.



Fri Mar 28 18:16:43 2008: 3912   TonyLawrence

gravatar
I certainly agree - as I said above, all the big players should be putting up money for this regularly - the more the merrier, and the better off we all would be.

Tell me Microsoft and Apple and IBM and Sun etc. together couldn't fork out say $20,000 a month for a few years to do this kind of thing..



Fri Mar 28 22:36:39 2008: 3915   drag


""I was guessing WebKit, since it is OpenSource, and maybe he found a hole in that code somewhere. ""

Ya, that's a weird attitude that seems normal for a lot of computer folk. Somehow that because a piece of software is open source that means it's easier to hack. I see that stuff at work also people making odd statements about this program or that program and how it's a security issue that you can get the source code in a public place.

It's just funny because most of the time it's the opposite.

I mean it's not like there is not a crapload of insecure open source software out there... (there is lots of bad software, look at most PHP apps) but it has very little to do with the fact that it's open. It's just badly programmed.

Webkit is popular and it's a security sensitive thing. It's been around in various forms for years.. being originally developed for KDE for their KHTML platform and then forked by Apple. It's being adapted back into KDE and Gnome hackers are integrating support for webkit in addition to the existing Gecko support (from Mozilla folks). So it's widely reviewed, edited, and made to be portable across lots of different platforms and toolkits.

Now besides the fact that a web browser renderer is a massive and very complex piece of software (and complexity combined with large code base is the natural breeding ground for bugs and security issues) I would think that Webkit would be one of the less likely system to get hacked when compared to Microsoft's HTML renderer or any of the email apps that are used on any of the three systems.



Sat Mar 29 01:09:55 2008: 3916   BruceGarlock


Yea, I kind of worded that poorly. I totally agree that it is usually the opposite. I know with people having their eyes on the code in the wide open should lead to better quality, and better written code with respects to security, but there are still open source projects with security issues. Hell, how long has 'sendmail' been open, and that has been riddled through the years with exploits. Also, even the linux kernel has security holes from time to time.

I personally would *always* run open source where I can. Sometimes I have a hard time with the fact that I use OS X, which although uses open source, it still uses a lot of closed source as well. My hats off to the 'pure' GNU Linux diehards. I tend to fall in the middle, a little closed, and a little open.

A lot of insecure code can just plain be a result of what I call 'deadline creep'. Sure, the code works, but management wants to get it in the users' hands, without regard to how secure it is. I bet a lot of software falls in that category. The more features, the higher probability for security holes. It's actually the user that creates this mess. If we didn't require all the features out there, we could all be running OpenBSD, and call it a day.

I run the nightly builds of webkit on my Macbook Pro, and just thought that with all the releases, and new features, changes, etc, that there is always a chance for something insecure to slip in there. But, at the same time, there is actually less chance, because I am keeping updated by running the nightly, where security bugs are likely to get fixed quickly.

I'll still take open source over closed any day of the week. Now, if we can just get our government to require open source for the voting machines, so we can really see what is happening, then I would sleep better at night, knowing that those voting machines are really secure :-)



Sun Mar 30 14:15:07 2008: 3920   anonymous


I suspect this, from Rich Mogull, is an accurate and fair summary:

"... I spend a lot of time talking and working with the research community. Most feel that Mac users are relatively safer than Microsoft Windows users, but that Mac OS X has lost its lead as a secure consumer operating system. This was, in many ways, by necessity. Windows is under such constant onslaught that Microsoft had little choice but to increase the operating system's security significant or face the risk of losing customers, especially among their corporate clients. ... Since Macs are much less frequently attacked, Apple isn't under nearly the same pressure."

(link)

I still feel safer on Mac (and Linux) for obvious reasons -- they were never that bad (XP *was* that bad ... and before SP2 downright unconscionable) and are not such a big target anyway -- but I suspect MS of necessity has had to pull its socks up and may well have leapfrogged other vendors (at least for the present).

I think the "many eyes" theory is questionable at best and perhaps more a product of hopeful thinking than anything else. It's certainly no panacea in and of itself.

Marcus Ranum has a piece that's worth reading from that point of view. I quote:

"The 'many eyes' theory of software quality doesn't appear to hold true, either. FTWK was widely used for almost ten years, and only one of the problems I found with Fortify was a problem I already knew about."

(link)

What's evidently needed from vendors these days is stringent code review, checking with automated tools, and architectural protections like randomization and running internet-facing applications with low privilege -- on Vista IE apparently runs in a "protected mode". Apple (and some others) are perhaps not as far along with those kinds of strategies as they arguably should be.



Sun Mar 30 15:28:19 2008: 3921   TonyLawrence

gravatar
If Apple does not feel as pressured to concentrate on security as Microft, they are being complete idiots. Their position is really great right now: great product line up against a sputtering competitor. But security sloppiness can blow all that away very quickly.



Mon Mar 31 13:10:23 2008: 3922   TonyLawrence

gravatar
Vista fell - but that was a Flash exploit and Vista "almost" stopped it.

Linux remains standing at the moment.

------------------------
Kerio Connect Mailserver

Kerio Samepage

Kerio Control Firewall

Have you tried Searching this site?

Unix/Linux/Mac OS X support by phone, email or on-site: Support Rates

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more.

Contact us





Keeping URIs so that they will still be around in 2, 20 or 200 or even 2000 years is clearly not as simple as it sounds ... However, all over the Web, webmasters are making decisions which will make it really difficult for themselves in the future. (Tim Berners-Lee)





This post tagged: