

Fully patched OSX hacked within seconds of start of pen test contest - nikblack
http://blogs.zdnet.com/security/?p=2917

======
patrickg-zill
As much as I like Apple and OSX, I see some of the same kinds of mistakes
Next/NeXT made with NextStep, being made with OSX.

(I used to sell Next software for about 6 months and got to use a NextStation
every day. Very cool - later at another company I got to speak with the GUI
designer Keith Ohlfs and personally thank him for the best copmuter experience
I ever had.)

For instance, NextStep's POSIX interface was broken and thus, Next was not
able to compete against the then-very-inferior SunOS in government contracts
(because POSIX compliance was a requirement).

Instead, Next did win in CIA/NSA and other exempt contracts where the solution
was considered to be "custom" and thus didn't have to follow the standards.

It probably would have taken a competent Next programmer a few weeks to fix
the POSIX layer - but since POSIX was viewed as "dumb" it was never made a
priority.

Apple is letting some of the boring stuff slip - which is a danger sign.
Programmers at Apple can't all be programming the cool CoverFlow stuff and
ignoring the "guts".

~~~
jballanc
I appreciate your past experience with NeXT, but I'm going to have to disagree
with your extrapolation: <http://www.apple.com/macosx/technology/unix.html>

~~~
iuguy
I don't think he's specifically referring to POSIX compliance in the current
OSX, but I can certainly attest to my experiences with A/UX (the original Mac
OS/Unix hybrid OS) and say that POSIX compliance was also a minor issue -
perhaps not so much for a Unix, but it's other stuff that they let slip. I
don't use OSX as I don't have a Mac but I wouldn't be surprised if they're
focusing on the insanely great bits to the detriment of stuff under the hood,
as has happened before.

------
ealar
I find the title highly sensational and misleading. Of course it was hacked in
seconds given a prepared exploit, I would be shocked if it took the computer
longer than that to execute the exploit code.

~~~
tvon
Leads to the question, what took FF/IE so long?

They surely tested them all ahead of time, so why did anything take any longer
than a few seconds?

~~~
thenduks
It did take FF/IE only seconds to 'get exploited', but it was more than a few
seconds after the start of the contest... In short -- the guy with the Safari
exploit went first.

------
yan
Yup, I'm at CanSecWest now. This doesn't say much except that he just brought
a ready, armed exploit and just took the prize. Nils' breaking of the browser
trifecta was quite impressive though.

------
blasdel
Bringing a pre-made exploit to a contest like this kind of dodges the point of
the competition.

Maybe an exploit contest could be started after each browser revision, where
winning submissions must be exploiting a bug introduced by that version of the
software.

~~~
anatoli
While I definitely agree with you, I also think that Apple should start more
seriously addressing these kinds of problems. So far, unlike Microsoft,
they've been very slow to respond. (I'm an Apple-user.)

~~~
wallflower
I just got a MacBook (my first). Previously, in Windows land, I logged in as a
Limited User all the time (and saved Adminiatrator access for what it should
be used for - adding printers, installing software).

On the Apple, I run Security Update habitually. What software for virus
scanning, additional protection do you recommend?

~~~
inklesspen
There is no anti-virus software for the Mac worth running, because there are
no viruses for OS X.

This story is about a security flaw in Safari where the browser can be tricked
into executing code.

~~~
Jem
Ouch. A tad naive.

[http://www.sophos.com/pressoffice/news/articles/2006/02/maco...](http://www.sophos.com/pressoffice/news/articles/2006/02/macosxleap.html)

[http://louisgray.com/live/2008/08/i-got-mac-os-x-virus-
and-i...](http://louisgray.com/live/2008/08/i-got-mac-os-x-virus-and-
infected.html)

Just 2 from a quick google search:
<http://www.google.co.uk/search?q=mac+os+x+virus>

~~~
inklesspen
Second one's a trojan. First one's a worm; it doesn't actually infect files or
disks the way viruses did "back in the day". It relies on tricking the user
into executing a program when the user is not expecting to be executing a
program.

Compare to Windows worms that run automatically, or viruses for Microsoft
platforms that infect files that are commonly shared.

I repeat my statement that you don't need anti-virus on the Mac. You simply
need to have common sense.

I don't think it's too naive of a viewpoint. There are legitimate security
concerns on the Mac, just as there are on other operating systems. My point
was that you don't need cpu-cycle-sucking memory-resident antivirus programs
the way you do on Windows.

~~~
Jem
Worm, trojan, whatever - I didn't read the links, I left that for you to do :)

> You simply need to have common sense.

I ran Windows ME (of all things) for several years with no AV, using just
common sense. So, you don't "need" AV in Windows, but I would definitely
recommend it.

Although I agree with what you're getting at, both your original comment and
this one seems to be relying heavily on stereotypes more than actual fact.
That's what I think is naive.

~~~
wallflower
Microsoft is getting better when it comes to default lockdown modes (Vista)
but I believe Administrator by default is the reason why Conficker et al and
botnets exist.

I can't think of any good reason why the average home user needs to run as
Administrative user, other than convenience.

I have to "administer" my dad's old computer and I gave him a Limited User
account. Yes, he complains about not being to install some software his
friends email but no viruses, no spyware. Cuts down on support calls and
unnecessary trips home.

------
KirinDave
This is frustrating for me. I've become _very_ accustomed to the speed and
interface of Safari, but the security-conscious part of me says the only
rational response to this article is to stop using Safari for general surfing
and switch to Firefox, which seems to be lacking any major crash holes right
now.

But every time I fire up Firefox my entire body cringes at the sluggishness.
For many Mac users, myself included, this is going to be a real test of
discipline.

~~~
tortilla
If you haven't tried using an Intel optimized build of Firefox, give it a go,
it's pretty snappy: [http://www.latko.org/2009/02/04/firefox-31-intel-
optimized-b...](http://www.latko.org/2009/02/04/firefox-31-intel-optimized-
build/) (Still not as fast as the Safari, but very close)

And I use the Grapple Delicious theme (very mac like):
<http://www.takebacktheweb.org/>

~~~
KirinDave
I have.

The problem is that Firefox isn't _much_ slower, but it's _noticeably_ slower,
so it's tough to complain about but very irritating.

------
st3fan
Are there more details available? Like which version of Safari was hacked?

~~~
tptacek
You can safely assume the most recent version, and most likely the nightly.

~~~
tvon
It would be the latest stable release that you would get by running all of the
software updates in OSX.

it would not be a nightly.

~~~
tptacek
Running on the laptop, it wouldn't be a nightly; I'm opining that it would be
surprising if it didn't hit the nightly too.

~~~
tvon
Ah, good point, I completely misunderstood what you said.

~~~
tptacek
That's because I was terse and ambiguous.

------
JeremyBanks


