Mac Security

That doesn't mean you have to stop using Mac OS X, especially since it can still be said to be less hectic than the trouble of using Windows with all its rootkits…

April 21, 2007
Mac Attack

Security in OS X is a pretty interesting topic to watch on the web. For every stereotypical Mac user, perfectly smug in the invulnerability of their operating system of choice, there is a detractor who claims Macs only seem secure because nobody uses them and thus nobody tries to break their security. The truth, as is usually the case in such things, surely lies somewhere in between.

OS X generally has good defaults in terms of minimizing vulnerability surface (the number of places a bad guy has to pick and choose to attack at), something that Windows has only recently made a priority, with so many interfaces remotely exposed (interfaces like programmatic ones — NETBIOS/RPC being the gateway for lots of different code-paths). Still, there are definitely bugs waiting to be discovered in the operating system that has only recently come under heavier scrutiny from the security community.

And sure enough, one was found just recently as a part of a contest run during the CanSecWest conference. Details are still coming out, and of course some Apple defenders* are pointing out that this was only a client-side vulnerability, not capable of creating a worm that could spread without user-action. Still, as skilled as Dino most certainly is, that he could come up with a working 0day in 9 hours doesn't exactly give one the impression that OS X is a hardened operating system set to rebuff all attackers the way some might claim.

I'm definitely bummed I didn't get to attend this year, as CanSecWest is probably the most consistently interesting security conference in terms of the people you meet and the topics presented. The relatively small size compared to so many of the mega-cons is refreshing. Hopefully this year's Safari 0day won't do to it what Michael Lynn's Cisco speech did for the attendance at Black Hat last year (getting through the hallways in Caesars Palace between sessions was like dropping a paper boat in a river — you moved exactly as fast as the flood of people carried you).

*Full disclosure–I'm writing this now on my MacBook Pro. Does that give me license to go after over-zealous Apple defenders? For examples of such folks, see the Slashdot thread on this topic.

EMB Numbers writes "Shane Macaulay just won a MacBook as a prize for successfully hacking OS X at CanSecWest conference in Vancouver, BC. The hack was based on a Safari vulnerability found by Dai Zovi and written in about 9 hours. CanSecWest organizers actually had to relax the contest rules to make the hack possible, because initially nobody at the event could breach the computers under the original restrictions. 'Dai Zovi plans to apply for a $10,000 bug bounty TippingPoint announced on Thursday if a previously unknown Apple bug was used. "Shane can have the laptop, I want the money," Dai Zovi said in a telephone interview from New York. TippingPoint runs the Zero Day Initiative bug bounty program.'"
