Writing the news, raising hell, and telling truth to power - Egan Orion
|
|
|
Apple and Microsoft get trashed by hackers again
DESPITE THE RABID CLAIMS of Apple fan boys that its software is more secure than anything else on the market, Jobs' Mob products were the first to be trashed again at a Pwn2Own hacking competition.
In fact flaws in the Iphone OS and zero-day vulnerabilities in Apple's Safari 4 web browser made a mockery of Apple's advertising.
Flaws were also found in Mozilla Firefox and Internet Explorer 8 but apparently hackers had some trouble getting around exploitation mitigations in Windows 7, although eventually they did.
Vincenzo Iozzo and Raif Weinmann were the first to successfully hack a mobile device, exploiting a flaw in the Iphone Safari browser to run SMS messages to a remote web server.
Researcher Charlie Miller, principal security analyst at Independent Security Evaluators, quickly exploited a vulnerability in the desktop version of Safari running on Mac OS X. He won $10,000 for the exploit, which was one of 20 zero-day bugs that Apple fanbois deny exist in OS X.
Miller's exploit opened up a remote shell, which he accessed and was able to run any malicious code he wanted. We guess it just worked!
Miller has said in the past that he is unhappy with Jobs' Mob's secure software development processes. While he will be telling them that the flaw that won the competition for him, he will be sitting on the other 19. Perhaps it will act as an incentive for Apple to get off its lazy arse and develop a security policy with some meaning rather than screwing around with punters while at the same time insisting they are safe.
Miller said discovering the 20 zero-day vulnerabilities took him only three weeks using three computers, so who knows what he would have found if he had kept looking.
Microsoft's Internet Exploder 8 eventually got turned over and Peter Vreugdenhil managed to get past its insecurity mitigation technologies. The flaw can be exploited if a user browses to a malicious website.
Fireferret was also successfully exploited by bypassing ASLR and DEP.
UK-based MWR Infosecurity targeted a memory vulnerability. It started a calculator on a laptop running Windows 7.
The most secure web browser out there was Google's Chrome 4 running on Windows 7.
No one bothered to take down Google's Nexus One, a RIM Blackberry Bold 9700 or a Nokia E72 device running Nokia's Symbian OS. µ
Share this:
Share
You are all so blind, aren't you? Yes, IE and Firefox were hacked on Windows, what Nick is saying is that Safari on the iPhone and OS X were hacked FIRST.
@bob Your so one sided... The reason Windows has so much malware is because they are targeted more. A hacker wants to do as much damage as possible, which cannot be done with an operating system that has a 8% (at the most!) market share compared to Windows at 90%. God your stupid.
@Mr Cat
I've been running multiple windows boxes, desktop, laptop and servers, ranging from windows xp to server 2008 r2 and everything in between, with windows 7 as my primary OS.
Being a consultant for small business, i get all sorts of odd requests and therefore find myself all over the web, downloading all sorts of random and unknown software, many times from places unknown. with that said, i cant tell you the last time i had malware running on any of my machines. i vaguely remember a trojan on my laptop 3 laptops ago, in 2006, running windows xp. since then, nothing...
so you keep right on claiming your false superiority of mac, over windows, and i'll keep on counting the money i saved by running windows on self built boxes...
What a piece of link-baiting trash! Nick Farrell, your name should be Dick Ferret!
Here are the facts: iPhone was hacked via mobile Safari; Mac OS X was hacked via Safari 4; and Window 7 was hacked via IE8 and Firefox.
The only thing that the Pwn2Own challenge proves is this: any device with an internet connection is potentially vulnerable. Be careful where you surf.
Window fanboys (can there be such a thing?) love to pull out the "we have lots of malware because we have so many computers" card. Too bad they can't seem to do the math to see that while Macs have only say 5% market share, they have a much smaller share of the malware. Windows is the clear winner in malware. It's no contest.
Mac OS more secure than Windows?
Charlie Miller (referred to earlier) said the following in an inverview (link at bottom):
"Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don’t do. Hacking into Macs is so much easier. You don’t have to jump through hoops and deal with all the anti-exploit mitigations you’d find in Windows."
"It’s more about the operating system than the (target) program. Firefox on Mac is pretty easy too. The underlying OS doesn’t have anti-exploit stuff built into it."
Nice to know Apple don't bother to protect their systems, just their shareholders. Let's continue.
"It’s clear that all three browsers (Safari, IE and Firefox) have bugs. Code execution holes everywhere. But that’s only half the equation. The other half is exploiting it. There’s almost no hurdle to jump through on Mac OS X."
No hurdles? I guess Jobs doesn't like hurdles.
Question: On a scale of 1-10, how impressive was the Nils’ sweep of exploiting all three main browsers?
Answer: I was surprised. For IE 8, I’d give him a 9 out of 10. For Safari, maybe a 2. It’s just too easy to pop Safari.
That last line sounds like mew hen I was 16.
Cry if you want to Apple-babies, here's the link:
http://blogs.zdnet.com/security/?p=2941
Mac fanboys are Mac fanboys because they aren't able to grasp the difference between "the most secure OS" and "the most targeted-by-hackers OS".
Which of these cases does your little experiment is going to prove, "Mr Cat"?
That's not fanboyism. If both options are bad, you grab the cheapest one, unless you're just stupid.
What makes the claims rabid? Run an AV program on a PC and a Mac that has been used for a month without AV protection and see which has proven to be the most secure.
Repeat with AV in place if you like.
Then you will have evidence as to whether the fanboys case is "rabid" or not.
would Nick say anything positive about Apple? They hire a security expert - he complains. Safari gets hacked (as does IE 8 and FireFox 3 on Windows 7) and he complains that they should take security more seriously.
The order in which systems were hacked isn't relevant. Time slots were handed out by random ballot. It could just have easily have been IE8 that got hacked first. What is important is that all of these flaws needed months of research to identify and exploit. The hackers didn't break these systems on the spot, they brought fully developed exploits with them. Non of this is script-kiddy easy.
Anyone who tells you that they have a 100% secure system is either lying or it's unusable. Apple have an advantage in that they present a much smaller target for hackers, but they are aware of this being eroded and seem to be taking an honest run at improving their systems (hence the hiring mentioned above). Even Charlie Miller, the guy who hacked Safari, still reckons it's a safer platform to use.
Let's see there's about 1 million types of malware directed at PCs, and a hand full for the Mac and iPhone. Time to buy a little perspective.
Apple follows msft path, and nothing user friendly will come out from it. It's the shareholders that counts not users.... so shut up all mac boys, and watch Jobs joining the dark side....
I'm a fan of apple products, it has to be said - but enough is enough now. Apple has had long enough to get their sh*t together, and done jack about it.
They got a drubbing last year and the year before that, if I'm not mistaken, so all my future Apple purchases are now on hold until I see some affirmative action on the security front.
It'll take a lot more to make me switch my primary OS to the "dark side" though. And I don't enjoy command-line pain enough to switch to linux (even though my redhat subscription is renewed yearly).
Maybe I'll just unplug the lot, and become are hermit or something. :-)