The Mac Hacker Strikes Again (Charlie Miller has a habit of upending Apple's security claims.)
Posted on 04/10/2010 9:49:52 AM PDT by SmokingJoe
Charlie A. Miller loves his Macbook Pro laptop. And his four other Apple PCs, the iPhone he uses daily and two older iPhones he keeps for tinkering. But his relationship with the company that created those gadgets is somewhat more complicated.
In March, for instance, the 36-year-old security researcher publicized his discovery of 20 security vulnerabilities in Apple's software. Each would allow a cybercriminal to take over the computer of a user who's tricked into opening a certain PDF attachment or who simply visits an infected Web page using Apple's Safari browser.
That haul of bugs is a record even for Miller, who over the last four years has become perhaps the world's most prominent Mac hacker. It may also be definitive proof that Apple devices aren't safe "right out of the box," as the company has claimed for years. "When I first began saying that Macs were less secure than Windows, everyone thought I was an idiot," says Miller. "So I had to prove it again and again and again."
In 2007 Miller became the first to hack the iPhone, using a flaw in its Safari browser to remotely gain control of the not-so-smart phone. Six months later he hacked a Macbook Air in two minutes at a competition in Vancouver. Last summer he revealed a method that allowed him to virally hijack the iPhone using text messages spread via a user's contact list.
(Excerpt) Read more at forbes.com ...
So much for, “I use a Mac because Windows is unsafe.”
NICE!!! I love this guy =oD (in a purely heterosexual way, of course)
The computer security expert I trust for my business jokes that Apple’s popularity among its users is like a religious cult, not based on reason.
And he prohibited our adopting iPhones, because they are a remarkably insecure consumer entertainment tool, unsuitable for business.
I use it for ePocrates at a business. But if I don’t get .exe files or allow a program to download can I still get a virus?
I’ll be the guy is lousy at sports....
be = bet
Waiting for the “Apple FUD!!!!1!1!!” crowd to show up. Any criticism, no matter how legitimate, is considered “FUD” by the disciples.
Waiting for the Apple FUD!!!!1!1!! crowd to show up.
Well, it's only natural... when someone posts "FUD"... you get the FUD crowd... no problem there, that I can see ... LOL ...
But.., it's going to take a whole lot more than FUD to get the Macintosh users to start using any anti-virus software, since they've never had any problems with it, across the board.
Heck! I can't find a single Windows user who will discontinue the use of any anti-virus software on a Windows platform machine -- while Macintosh users have been doing it for years on end (not running any anti-virus software).
Those anti-virus people have yet to find out a way to get Macintosh users to use their anti-virus software since hardly anyone on the Macintosh platform uses it or sees a need for it... LOL ...
It will take a whole lot more than this FUD article, that's for sure... :-)
Reality check #1. All big software has security holes.
I’m an admitted Linux bigot - been using it since 1992. Linux has security holes in it too. Fact is, any major piece of software does.
Reality check #2. Microsoft products have 10 times as many users, thus they are the biggest target for bad software.
Conversely, Macs and Linux boxen have relatively few threats against them because they are not the dominant environment. Who wants to bother? They are going to go for the biggest bang for the least effort when someone is trying to create malware.
Reality check #3. Architectural differences in the way the software is put together give Unix derivatives some technical advantages in security.
Consider that up through Windows 98 - it was really DOS on steroids, where all Unix derived systems came from environments that had memory management hardware - which meant that they were originally multi-user systems that had to have a notion of security from the start.
Windows XP is a derivative of NT which was always multi-user, but it had some choices built into it like putting user accessible features in protected mode like the video driver that made it less stable and provided more vectors for attack.
This plus slack coding styles (from a security point) which exist in all three software stacks (Macs, Linux, XP) made XP the most vulnerable of the set.
I’ve got PCs I don’t use AV software on.
So you’ve found one.
I’ve gone without any virus protection on my mac since day one (more than two years). Recently, I thought I should give it a check. Complete scan reveals zero infection.
Just the facts.
I would guess it takes a certain minimum density of any particular OS for a virus to propagate in the wild. Too many misses and it dies out.
There would seem to be some minimum distribution density of an OS to reach critical mass to support sustainable levels of virus propagation.
Or in other words, the minority OS users should be careful what they wish for...
And It should be obvious that if the level of expertise is significantly greater to write bad things for a Mac than a PC, then the Mac is obviously safer.
I've got PCs I don't use AV software on.
So you've found one.
Man! That is something for a Windows user... I couldn't find one before. I think you should put that information out on the net, as an article in one of the Windows' (and/or Macintosh) publications and let the world know about that one. That's extremely unusual.
I asked someone before to set up their Windows machine without an anti-virus program and use it for their web browsing and downloading and all their normal stuff (you know, like e-mail and their main computer...) but they just wouldn't do it, even though they told me that the Windows OS was more secure than the Mac OS..., so that's why I've been looking for someone like that. I wanted to run the Mac OS X and the Windows machine for a year that way and see which machine got "hosed" first ... LOL
What operating system are you using now and how are they configured (like direct on the Internet, or behind firewalls, etc.)?
And also, is one of those machines the one you use for all your web browsing and downloading of files?
I ask those questions, because that's pretty much what Mac OS X users do -- most of the time, have it connected direct to the Internet (you know, at home through DSL or cable Internet), and use it for all their web browsing and any downloading of files that they may do.
So, that's why I'm wondering.
And to tell you the truth, I find that absolutely amazing for a Windows user, as I would be scared half to death to use the Windows operating system the same way as the Macintosh users generally do... LOL ... (really, I would...).
I cruise the web with my Macintosh with a direct Internet connection, bypassing the firewall and download all the time and also I try accessing some of those websites that some posters here have identified as infected, but I never can get anything to happen to the Mac... :-)
I've gone without any virus protection on my mac since day one (more than two years). Recently, I thought I should give it a check. Complete scan reveals zero infection.
Yeah, that's the way the majority of Macintosh users go, too. And nothing happens. It's not because they are (themselves) inherently safer at doing stuff on the web, it's just that there doesn't exist the problems there and there's none of those nasty virus and malware programs for the Macintosh users to be concerned with.
If someone used the fingers of both hands, I don't think you can find enough virus/malware out there for the Mac OS X, to actually infect them with anything -- to even fit onto the fingers of one hand, much less two hands.
There are no anti-virus packages for Solaris either. Enough said. Unix is inherently secure. And that is the reason anyone that has a concern for security does not run a Windows-only shop. The only reason that Windows exists is an open hardware platform, the ubiquitous MS Office, and stupidity among those that adopt the paradigm.
The only computers I’ll run without AV are computers totally under my control (in my office) that are behind a business NAT router with firewall and that are never used for Email or browsing the Web. They do have Internet access for updates (both Windows and applications). Generally these computers are used for automatic test using IEEE-488 buses controlling test equipment. The current OS is XP but originally I used Win95 the same way for many years. The current primary machine was Vista but wouldn’t run the IEEE bus and Visual Basic test programs properly so I replaced the drive and installed XP professional.
These computers have network sharing with permissions setup but only select folders and never the root folder or OS folders. All of my work computers are on a separate physical network with a different subnet from the rest of the house and I have routers with strict rules setup between subnets (I have multiple) not allowing cross access other than select devices such as cameras, a music server, sprinkler controller and weather station data.
PC based computers for Email and Web browsing all have AV. I didn’t use AV software until I got online in the mid 90’s and did fine.
To date, I’ve never had any of my work computers get a virus or Trojan. I did have a music server get infected once about 10 years ago by someone connecting an infected laptop (not mine) to that network. At that time I didn’t have the safeguards in place that I do now. That’s it.
Each would allow a cybercriminal to take over the computer of a user who's tricked into opening a certain PDF attachment or who simply visits an infected Web page using Apple's Safari browser.
Since PDFs are so popular, they are now one of the vectors of choice for viruses for any OS.
Aside from exploitable software bugs in the PDF reader, the reader is shipped with a preference option that allows auto execution of malicious embedded programs in PDF files. I don’t understand why this option isn’t disabled by default.
Here’s an article about this and a solution:
Also be sure to update to the latest rev (i.e., security bug fix), then turn off the above mentioned option.
Adobe reader link:
Yup, we have been using Macs for our business since 1982, and have never needed any security software.
I am not saying that Macs are invulnerable, understand... but with a modicum of intelligence in using them, they are not easy to mess with. Most of the successful hacks have depended on giving the would be hackers access in ways no normal user would ever permit.
Nope - see my previous post. Solaris has defects. Sheesh - the very first internet worm propagated on guess what - Solaris! For that matter - there have been several root kits for Solaris over the years.
It isn’t a dominant (numbers wise) OS - so doesn’t get as much attention, nor does it get the publicity when it’s compromised.
So get off your Unix high horse!
I am on my 3rd MAC at the office in less than 5 years. Safari stinks, Entourage not better, NEOOffice is awful, ICal doesn’t talk with other MAC software. My database kept reporting damage and after rebuilding it 6 times in one day, guess what, I got a new MAC. .ODT does not open .doc or .docx files correctly or in the same format. I sat with the folks at the Apple store with a list of 30 problems and they could not tell me how to do what I used to do on my PC. They visited the office to see our set up but I think that was just “let’s see what you’re doing” and then nothing. I am currently working on another list of problems and I’m on number 24. Check this out. http://theflashblog.com/?p=1888
Apple Slaps Developers In The Face. Another problem. .pdf’s another problem. We had to load update 5 times. It takes me double and triple the time to do my work and it’s getting tiresome.
Very true, and thank you for confirming what all Macintosh users have known from other Mac users’ and their experiences — plus their own experience.
You’re right, there is no problem with viruses and malware from users of the Macintosh computers and Mac OS X.
“Apple Slaps Developers In The Face.”
Yep. A primary reason Microsoft has done so well is that they embraced developers, produced many tools and books and conferences for free and training, etc, etc, etc. Apple is nowhere to be found in the developer community.
The only computers I'll run without AV are computers totally under my control (in my office) that are behind a business NAT router with firewall and that are never used for Email or browsing the Web.
Yeah, but you see, that's exactly what I was talking about. I had said several times before that I wanted to run my computer on the Internet, with no anti-virus program, direct on the internet, doing all the web browsing and e-mail and downloading and whatever else that a person does with their computer -- and -- some Windows user with their computer (the same way), for a year, and then see whose computer gets hosed in the process of doing it that way. That was the "whole thing" with what I was asking people with Windows to do.
I had said that I wanted to run a Macintosh with Mac OS X (that's the system that we have now (and besides upgrades, it's been Mac OS X for about a decade or more)) -- and then -- have someone else run Windows, for a year, using it exactly the same way that people normally use it.
And what I'm saying is that I haven't found any Windows users that will use their Windows system that way -- while the vast majority of Macintosh users do "exactly that" -- continuously, all the time, and never have any problems...
You see..., that's the point... :-)
[ ... I guess I still have no takers in the Windows world, for what Macintosh users do all the time with their computers ... :-) ... ]
The only reason that Windows exists is an open hardware platform, the ubiquitous MS Office, and stupidity among those that adopt the paradigm.
True... true ... :-)
That’s odd about visiting web sites. Cause I always thought that you had to verify before any program was placed on a Mac. My mistake. I still don’t have an anti-virus software, I back my drive weekly and I guess I’ve been lucky.