Skip to comments.Mac bomb ticks for security smug users—OS X, Safari weaker than Windows
Posted on 05/02/2009 12:51:51 AM PDT by Swordmaker
The idée fixe that Macintosh is impervious to attack could be shattered if cyber-criminals act on their arsenal of 0-day exploits, security experts say.
Hackers need only a few critical vulnerabilities, common to all operating systems including the security-focused OpenBSD, to craft a successful attack.
Pure Hacking senior security consultant Chris Gatford said hackers may retain 0-day Macintosh vulnerabilities unknown to the industry and exploit them at an opportune time.
It's only a matter of a time before Macs get more market share and become a more viable target, Gatford said.
Mac users now are exposed to less risk because bad guys see the money in compromising Windows machines as they have a better chance of a hit with malware.
Most Mac users don't run anti-virus and those that do rarely update. Apple are a lot slower to patch holes for the Unix/BSD back-end than the other Unix variants, he said.
Only last year, a MacBookAir was hacked in less than two minutes using the Safari browser. The hacker, a US security analyst who scored US$10,000 at the pwn to own competition, said the fully updated and patched OSX 10.5.2 was easier to hack than the updated Vista and Unbuntu systems.
Securus Global CEO Drazen Drazic said it is well reported that Macs are not invulnerable and said it is doubtless that hackers are hiding unreleased exploits.
Very surprised if there is not exploits that guys are sitting on as 0-days for their own private use, Drazic said. It's far more beneficial to keep private a vulnerability for an iPhone.
Hackers that keep vulnerabilities on the down-low have more time to write and perfect exploits. It could take say three months to write an exploit for a standard memory-corrupting vulnerability for OpenBSD, Drazic said, adding that it may take a few days or hours to exploit address space randomisation and memory protection which are new to Apple systems.
Still, industry figures say the security of an operating system cannot be rated by its exploit count an approached favoured by many vendors because more vulnerabilities will be discovered in popular operating systems than obscure alternatives.
Moreover, the most prevalent Mac infection techniques require reckless users as it is arguably more difficult to hack the latest OS X and Windows Vista systems - if only because they do not allow root access by default and contain better application installation controls than their predecessors. The iServices Trojan Horse, discovered in January which triggered a Mac botnet scare, typified the use of pirate software as a vector of attack.
Researchers are not suggesting that Mac exploits will be launched in a collective Armageddon, rather they may be quietly in use now, and taking advantage of Mac users smug on security, or vendors that are ignorant to the holes.
You can't be certain that their not using exploits just because you're not hearing about it. Many organisations don't have decent logging or monitoring and don't run penetration tests, so they can't tell if they are compromised, Drazic said.
If you want on or off the Mac Ping List, Freepmail me.
So there is some widespread plot to state the obvious just to “ruin” WWDC?
We’ve seen story after story of REAL exploits found, trojans contracted by Mac users, and stories of how Macs were easily compromised quicker than Windows and Linux, and yet Mac users still march around like these warnings are all an elaborate lie cooked up just to hurt Apple’s feelings?
In order to perpetuate the marketing myth that Macs are magically invulnerable, all of these people that say otherwise have to be lying.
Hey, if they want to keep pretending that they are bulletproof just to appear to be a good Apple users, then don’t scream when it does hit you personally. Likely you wont scream for long because other Mac users will accuse you of spreading FUD, because WWDC is right around the corner.
I noticed it mentioned the Linux flavor “Ubuntu” . I’m using that right now. It’s been a hoot.
The grammar in this article is horrible.
Huh? Show some examples.
And this may be Bigfoot.
Same article that has been written for the past ten years.
This is just silly, everybody knows Apples are impervious to any and all exploits, virus attacks, trojans, you name it.
Apples are perfect, everything else is just flawed.
Exactly, whoever wrote this article is a pure Microsoft troll
The security through obscurity lie is getting old. IF there are exploits out there targeting specific smartphones, then how can the claim still stand that OS X is not a target because there are not that many targets. How many million new Apple computers were sold in the last quarter? And how many total OS X computers are out there? Enough to make any hacker salivate if it were an easy target.
...In order to perpetuate the marketing myth that Macs are magically invulnerable, all of these people that say otherwise have to be lying... -VDK
Nobody says that. What we do say is that Mac users are smart enough not to load a program they didn't request! Viruses and trojans are programs that cannot run any other way. But you probably know that, right?
As for Vista security, what's Vista but a poor emulation of OSX? They finally got the memo that says "ask"!
Apple knows security!
Apple are a lot slower to patch holes...
Very surprised if there is not exploits...
It’s far more beneficial to keep private a vulnerability...
You can’t be certain that their not using exploits...
“Apple knows security! “
Not really, they just happened to select a platform which is inherently more secure. However it is not perfect and we will see more and more attacks focused on Macs.
As more unsophisticated users buy Macs it will easier to exploit them.
Virtually every “infection technique” require reckless users.
It doesn’t matter if you are someone surfing to a porn site or some guy downloading a bootleg copy of iWork, in the end no OS can guarantee, not even one with an Apple logo, that the person using it isn’t ignorant.
It isn’t like some hacker looks at installation controls on a Mac and said “Oh darn! I’m totally out of options!”
“Only last year, a MacBookAir was hacked in less than two minutes using the Safari browser. The hacker, a US security analyst who scored US$10,000 at the pwn to own competition, said the fully updated and patched OSX 10.5.2 was easier to hack than the updated Vista and Unbuntu systems.”
Like I said, keep repeating the marketing if it makes you feel better.
“Its far more beneficial to keep private a vulnerability...”
The general trend by hackers now days is not to crash hacked computers. Its to monitor it for valuable information and use it as a safe platform from which to conduct other attacks.
Most computer crime is not jimmy in his bedroom. Its Chinese or Russian organized crime intent on stealing dollars and/or valuable information.
Oh by the way, in the end the Great Wall didn’t work.
"You keep using that word. I don't think it means what you think it means."
"idée fixe" has a meaning similar to "obsession," which doesn't seem to fit the attempted use here.