Sun Aug 05, 2007 6:37 pm

	daemon wrote:
	Guest wrote: Mac OS X has not been obscure for the past several years. There has not been a single true virus or worm in the wild for Mac OS X, yet there are countless Windows-related viruses, etc. That is all I need to know about to determine which operating system is more secure by design. OSX.Leap.A

Tempest in a teapot. Per SecurityFocus: "The malicious code uses social engineering tactics to infect a user's system, and does not exploit any security holes in OS X (emphasis mine)."

Only Sophos called it a virus. All others called it either a worm or a trojan, and ineffective at that. Also per securityfocus: "There are also a number of steps that require user interaction for a system to be infected: the user must first be sent the infected file (manually by email, or automated via iChat instant messaging), then the user must double-click and decompress the image, open the image, and finally provide his administrator account and password for the code to be installed."

You could get the same effect by mailing people a terminal script with rm and some fool will execute it.

This is not to say that there aren't things to worry about (no OS is bulletproof, including OSX), but Leap.A was a really poor attempt. Less than 50 "infections", all of which took user intervention to occur.

Sun Aug 05, 2007 10:37 pm

Don't argue with me. Argue with securityfocus.

Mon Aug 06, 2007 10:20 am

Guest wrote:

Wow. This guy actually has a valid criticism of OS X, and one where it doesn't take a great leap of imagination to think that there might be a vulnerability involved, and you guys jump all over him? I'm as big a fan of OS X as the next guy, but his logic is sound here, and maybe it will get Apple more on the ball with delivering updates to their 'broken' packages in between major versions. (i.e. Python)

Well Said, Guest. This guy is right-on-the-money. He's simply showing how easy it is to exploit a vulnerability using widely available information. If Apple doesn't change their practice of not updating the open source code that they're using on a regular basis, there will be viruses and worms that take advantage of these known weaknesses.

And for all of you who defend Apple based on "There are no viruses yet".. we're not talking about right now. We're talking about the future. If what Dr. Miller's intentions are as he claims, he's trying to help Apple avoid viruses and other exploits in the future. He did report it to Apple first.

Don't be like the legions of MS supporters who blindly defend MS because it's all they know. Don't assume Apple is doing absolutely everything right just because you love the company and/or products. Get your information straight, be objective and [some of you need to] get your head out of your ass.

Mon Aug 06, 2007 12:20 pm

	Anonymous wrote:
	Am I the only one who actually remembers ...

Heh, that was me, I remember OS 6 viruses from 18 years ago but still forget that I can't post to IPO threads through the news post themselves, have to go through TMO forums

Mon Aug 06, 2007 2:10 pm

Intruder wrote:

Other than some of our passing guests, I don't think anybody here has seriously claimed that OS X is bulletproof and can't be exploited. It is true that the number of public exploits for OS X is very small. Leap.A is one that gets mentioned, but it (even in the eyes of the security community) failed at what it was trying to do, and is a poor example. This is not to say that it can't be done or should be ignored, but it hasn't been successfully done "in the wild" to anyone's knowledge (including Sophos, Symantec, etc.). I know there are those that will claim that OS X is being actively exploited already, but there is no actual proof of it as yet. If it is true, then Sophos, Symantec, Kaspersky et al are failing at their jobs and there is little or nothing that can be done anyway other than totally locking down your system. I welcome the additional scrutiny that can be provided to help improve the OS (any OS). I completely DISAGREE with the tactic of releasing exploits into the wild (for ANY OS) without prior notification of the vendor, giving them time to address the issue. I know that there are those who think it is the only way to get anything to happen, but in any other venue it would be extortion.

Is it extortion to publicly report about a problem with a car before the car manufacturer can issue a recall? Is it extortion to report about possible fire hazards with power cables before the manufacturer can issue a recall? Is it extortion to to report about insider trading?

Vulnerabilities exsist and it is to everyone's benefit to know which ones will impact them the most, secrecy only protects the manufacturer and the criminal trying to exploit the vulnerability.

Mon Aug 06, 2007 3:45 pm

	gslusher wrote:
	That's not what Intruder said. He/she said that to release an exploit into the wild was irresponsible. A better analogy might be releasing your passwords for your online bank account.

Intruder seems to use the terms "exploit" and "vulnerability" interchangably.

Oh, and your password analogy doesn't fit.

Tue Aug 07, 2007 1:15 am

Security is a big issue on the mac platform, and I am glad there are some people like Dr. Charles Miller who are keeping Apple on their toes and insisting better security. We all love the fact that we can all sit down at our Mac, connect to the internet and hardly think twice about the issues other Windows users constantly deal with.

To say that OSX is bullet proof and impervious to any "security breech" is blind madness. Of course it is fallible. I believe the reason Mac users have had such great luck with our platform is because of our love for our platform. Sure any computer can drive a person nuts from time to time, but it happens less often on Mac OSX. I am sure market share has a part to play also, although not as much as is "advertised".

It is the users that have kept our Mac OSX shiny happy operating system. We love Macs, we love using Macs, why would we want to ruin our Macs? It is an entirely different ecosystem of users on the Mac platform, and we all must remember that the biggest reason the Mac platform has survived, is because of it's loyal fan/user base and camaraderie amongst Mac Users which has kept the Macintosh floating through the tough times.

On that note, we should all be wary of instantaneous reactions to other Mac OSX users, their thoughts and opinions. We are a fantastic community of computer users, and I am always thankful that I am part of it.

Tue Aug 07, 2007 3:29 am

Hey gslusher,

My mommy taught me that pointing was rude... ... and I am not sure what exactly your ... point is.

I do not post comments to pooh-pooh others, just leave my thoughts on the subject.

Although it seems that flaming is slowly creeeeping into the mac community. ahh, I suppose it is simply a human thing. And this is simply a generalized comment regarding the entire Online Mac Community, not specific just to this single thread.

The crux of my comment is my theory that Macintosh users in general, have little interest in "breaking" their operating system.

One could argue the same for Windows users; however, in my experience it seems much easier to reach that "breaking point" where a user becomes so frustrated, so vexed that he/she just wants to destroy it all... he, he...

When I have an issue with OS X, I can usually find a solution either on my own or through the community within an hour. I would say that the online support system ( of users ) is closer to being as responsive and helpful as the OpenSource community is, rather than Windows. I am just mentioning the very real "human" element that is part of OSX security, beyond its underpinnings. That being said, sometimes it takes a pooh disturber to make us notice that there may very well be some poohpy-code lingering behind our shiny happy OS.

"Inconceivable!" - I have heard this chant from many Mac zealots about security breaches in OSX. Meanwhile, they still click on "Software Update" and download their 'security updates'... *he*

forgive me if I come across semi-literate, I lack polish, and have a tendency to forget there is a "delete" key.

Tue Aug 07, 2007 9:35 am

	amagine wrote:
	Although it seems that flaming is slowly creeeeping into the mac community. ahh, I suppose it is simply a human thing.

Hehe, you really must be new to mac discussions or have gotten an incredibly positive impression of us from somewhere, Mac users can, have and will again start and maintain a flamewar until there is nothing left to burn. We're just so used to being sniped at it takes quite a bit to provoke us into open conflict.

@Daemon: At what point did I discuss viruses on windows in my post? Mine was the guest post above the one you responded to. I would be the first to tell you that I feel windows viruses, their prevalence, virulence, etc are completely irrelevant to mac exploits, viruses, etc. Particularly since most/all of the current Mac OSX concerns are from old open source code, and we all know that in Redmond open source is synonymous with stalinism. Having exploits that go unchecked for 15 years is what happens when you have a completely closed code base as massive as windows, my understanding is that its one of the many reasons Apple abandoned the majority of the OS9/Copland codebase in shifting to X.

As to this idea that hackers want to remain covert and hidden, there is some truth to that, but I find it hard to believe that nobody would want to trumpet the accomplishment if they hacked OSX and controlled it, the hundreds of thousands of hits CNET generates everytime it puts the word apple in a negatively-spun headline says otherwise. What most of these people want is to get recognition, either from their direct peers or from security firms that will then hire them for fat paychecks. The first guy who posts a successful method for completely compromising a remote OS X machine will be paid for life.

I'm also not trying to shoot the messenger, as I said in my accidentally anonymous post earlier, and I'm not attacking you personally, but you do need to take a chill on trumpeting about it here, unless you're part of the good doctor's security team, and in that case why are you wasting time here when you should be working on finding more holes in the iPhone?

@TMO: Perhaps we need to put a massive boldfaced graphical "NOBODY THINKS OSX IS 100% SECURE!!!" banner at the top of every page on every security newspost or forum topic? I don't think many people are getting it.

Tue Aug 07, 2007 11:09 am

DaiMac wrote:

@Daemon: At what point did I discuss viruses on windows in my post? Mine was the guest post above the one you responded to. I would be the first to tell you that I feel windows viruses, their prevalence, virulence, etc are completely irrelevant to mac exploits, viruses, etc. Particularly since most/all of the current Mac OSX concerns are from old open source code, and we all know that in Redmond open source is synonymous with stalinism. Having exploits that go unchecked for 15 years is what happens when you have a completely closed code base as massive as windows, my understanding is that its one of the many reasons Apple abandoned the majority of the OS9/Copland codebase in shifting to X.

Wow. To answer you're first question, you didn't. But it is foolish to discount lessons learned from the single most widely and frequently attacked platform ever. It's like saying we have nothing to learn from history since it's not the future. I brought up MS Windows' Metafile vulnerability as a prime example of an unknown vulnerability that allowed hackers the capability to easily execute code on a host system. Further, Mac OS X is not all open source, it is based on open source software, and the open source community has frequently had to push Apple into releaseing the source code of their modified versions of the open source, but Apple has not released any code for Cocoa, Quartz, QuickTime, and Aqua to name a few. Also Apple's concerns aren't just from outdated open source, several vulnerabilities have been found in QuickTime, the outdated open source is just the most convienent route for finding vulnerabilities to craft exploits.

Quote:

As to this idea that hackers want to remain covert and hidden, there is some truth to that, but I find it hard to believe that nobody would want to trumpet the accomplishment if they hacked OSX and controlled it, the hundreds of thousands of hits CNET generates everytime it puts the word apple in a negatively-spun headline says otherwise. What most of these people want is to get recognition, either from their direct peers or from security firms that will then hire them for fat paychecks. The first guy who posts a successful method for completely compromising a remote OS X machine will be paid for life.

Well first, there have been people that have developed proof of concept exploits and demonstrated to the entire world that they can hack and control OS X. But each time this has happened it's been dismissed as "not being in the wild," as if that's supposed to make OS X more secure. No, what you want is someone to develop malicious code, damage a few million OS X machines, and then announce to the entire world that he did it so that his ego can be stroked and he can get millions of dollars from corporations as a genius security consultant. There is a significant flaw in this senario: Anyone who actually damaged a few million computers wouldn't find a cushy job and easy money at the end of the road, they'd go to jail. It used to be that a talented hacker once caught would get a couple years suspended sentence and a bunch of job offers, that isn't the case any more. Corporations don't want felons on their payroll and the penalty isn't just a couple years on probation any more, you go to real jail and you get massive fines. This idea of "The first guy who posts a successful method for completely compromising a remote OS X machine will be paid for life," is a fantasy.

	Quote:
	I'm also not trying to shoot the messenger, as I said in my accidentally anonymous post earlier, and I'm not attacking you personally, but you do need to take a chill on trumpeting about it here, unless you're part of the good doctor's security team, and in that case why are you wasting time here when you should be working on finding more holes in the iPhone?

I'm confused. This topic is specifically about discussing Mac OS X vulnerabilities and you don't want me to discuss it here?

Tue Aug 07, 2007 6:55 pm

	DaiMac wrote:
	Thats why I made sure to mention that windows was an "almost completely" closed code base, vs. OS X which is only partially closed.

No, you didn't.

Here's what you posted:

Code:

I would be the first to tell you that I feel windows viruses, their prevalence, virulence, etc are completely irrelevant to mac exploits, viruses, etc. Particularly since most/all of the current Mac OSX concerns are from old open source code, and we all know that in Redmond open source is synonymous with stalinism. Having exploits that go unchecked for 15 years is what happens when you have a completely closed code base as massive as windows, my understanding is that its one of the many reasons Apple abandoned the majority of the OS9/Copland codebase in shifting to X.

You allude to Redmond thinking open source is stalinism, and then say that Windows is completely closed source, and then said that Apple abandoned OS9 because of exploits. It takes a bit of imagination to get from this to "windows was an "almost completely" closed code base, vs. OS X which is only partially closed."

	Quote:
	Seriously Daemon, if you or someone you know can hack just my machine, if I post my IP to you, with no firewall enabled, over the Net, I will start a collection to pay you myself.

Why don't you just post your IP?

	Quote:
	I know if you do the same with virtually any version of windows (with no protection enabled) I can find someone to do the reverse. Please, feel free to private message me if you want to do this. There have been numerous contests held to do this, etc, etc and nobody has ever successfully done it.

I am only aware of one contest, and that was revoked immediately after it was announced due to liability issues that weren't thought of by the organizers until their lawyer started smacking them with case history.

Quote:

And yes, I only care about such hacks because the likelihood of another type of exploit affecting me, with the practices I use to shield myself and my data, is about the same as winning the lottery. I don't execute apps or Movies I don't fully trust the source of, and if I had to I would do so on an isolated machine. Right there most of your exploits are meaningless as they require user participation.

It's the same under Windows.

	Quote:
	I don't care what you do (not your mom),

Then what's with the insistence that I stop?

	Quote:
	but posting repeatedly the same bit of junk exploit code as you did in the first page of this topic is just obnoxious and useless, it only causes us to tune you out.

And which bit is that? The OSX.Leap.A that I posted once in response to a claim that OS X has never had a worm?

	Quote:
	Again if you actually give a damn about OSX security please feel free to either work on it or discuss it constructively, pointing out that Apple is not sufficiently concerned about the problem doesn't add anything, qualified security researchers have pointed this out and we have heard them.

And once again you take it upon yourself to instruct me to stop posting about the topic of this article.

	Quote:
	As I said on the Apple Perception thread, I don't think you personally own a mac or intend to anytime soon. You've used them enough to know you don't care for them would be my guess. None of us go to Microsoft Windows forums to harp on them about their OS' security issues, so unless I've completely misperceived you why are you here again?

So you want to know what I don't own? I don't own a Dell, an IBM, a Hewlett-Packard, a Gateway, a Sony, a Fujitsu, a Toshiba, or an Apple. I build my own computers. On my computer I run FreeBSD, RedHat, XP, and Vista. I would run OS X, but Apple has this thing against people who try to run their software on anything but their hardware.

I'm here to discuss Apple products. Security just happens to be one of many subjects I'm interested in.

Tue Aug 07, 2007 11:07 pm

	Guest wrote:
	Blah, blah, blah, I'm here to disucss blah blah blah but I have nothing intelligent to say blah, blah blah, so I will use argument to exhaustion as my weapon blah blah and more blah. Such a weak tactic was exposed on USENet in the last century. You aren't fooling anyone.

Is that you DaiMac?