Security flaws in Mac OS


Tom Reingold
Supporter
Username: Noglider

Post Number: 12132
Registered: 1-2003


Posted on Saturday, January 28, 2006 - 12:22 am:

http://tinyurl.com/cj62k

Mac OS is not invulnerable. The most important thing for an attack to occur is for someone to want to do it.

"This is the only thing my signature says."

Dave
Supporter
Username: Dave

Post Number: 8505
Registered: 4-1997


Posted on Saturday, January 28, 2006 - 1:14 am:

Most of those exploits seem to require the hacker to log into the system. How would he do that exactly?

Tom Reingold
Supporter
Username: Noglider

Post Number: 12134
Registered: 1-2003


Posted on Saturday, January 28, 2006 - 7:24 am:

First, it's silly to assume that because the front door is locked, no one can get in. 1. It might not be locked, and 2. there are other entry points.

Two other entry points that pop to mind: 1. downloaded programs, and 2. input data streams on the network that invoke programs on the system.

"This is the only thing my signature says."

Eponymous
Citizen
Username: Eponymous

Post Number: 40
Registered: 6-2004
Posted on Saturday, January 28, 2006 - 11:53 am:

No OS is 100% secure, but even in this article, 2 of 3 of the mentioned vulnerabilities had already been fixed and the third is said to be worked on now. It wouldn't surprise me that Apple is less forthcoming than other OS companies (though surely not MS), but this strikes me as a story looking for a reason to be printed.

More relevant is that there have been "in the wild" attacks on OS X so far.

(Apple ships OS X with most, if not all, network ports disabled, and it's not so easy to invoke a program that way. I think these vulnerabilities work in other ways.)

JMF
Citizen
Username: Jmf

Post Number: 234
Registered: 9-2004
Posted on Sunday, January 29, 2006 - 10:46 am:

"The most important thing for an attack to occur is for someone to want to do it. "

That is almost implying that no one has wanted to make a mac virus...
There was even a challenge a while back for someone to create one, and there was a prize involved. That was eventually shut down because it condoned illegal activity, but no one ever did.

No OS will ever be completely invulnerable. That is the nature of the beast. Someone can write code to run on a computer. If they find a way in, or send it through e-mail, they can create a malicious code.

OSX has been around for 5 years now? and there have been zero outbreaks.

Tom Reingold
Supporter
Username: Noglider

Post Number: 12175
Registered: 1-2003


Posted on Sunday, January 29, 2006 - 10:55 am:

Yes, I am saying that almost no one has wanted to create a mac virus. Virus writers want a perverse form of fame and glory, so they go for the big targets.

I believe your story which shows that writing malware for MacOS is harder. And yes, it's true that no OS is totally invulnerable. My warning is for those who believe or claim that MacOS is invulnerable. You were not one of them.

I'm on the bugtraq mailing list. It comes out several times a week, with vulnerabilities in all flavors of unix. I expect the bugs that apply to freebsd also apply to macos in some cases, since the latter is based on the former.

"This is the only thing my signature says."

monster
Supporter
Username: Monster

Post Number: 1966
Registered: 7-2002


Posted on Sunday, January 29, 2006 - 6:21 pm:

Here's a link to a paper by Marion Bates at Dartmouth University that you might like.

http://www.ists.dartmouth.edu/classroom/macintosh-security/index.htm

Quote:

Macintosh Security Basics - Presentation Notes
Presentation for ENGS 69: Engineering Secure Computer Systems
Thayer School of Engineering, Dartmouth College
Winter 2002-2003

Marion Bates Investigative Research for Infrastructure Assurance

Overview Macintosh Security Basics

What we’ll cover:
Basic system security for MacOS (mainly v. 9.x) and Mac OS X, including:

• File Sharing (from both client and server perspectives)
• Network/Internet client security (“safe surfing”)
• Firewalls, viruses, email
• OS X basics, bonuses, and pitfalls

We’ll start with MacOS 9, since OS X inherits from 9.
INDEX
Page 1
A little bit of history | There can be only one | Macs can serve | Ok, so what’s Timbuktu? | General Security implications | Unique is good | Unique but still pretty versatile | Versatile in not so nice ways | What to do | Physical Security | Physical Security Solutions | File Sharing | Password Encryption | OS 9 on Both Ends | OS 9 to old server | OS 9 to OS X | What if it IS clear text? | Done with client, now: Server FS | The point of diversification

Page 2
Configuring a File Sharing server | File Sharing control panel | Security Through Obscurity | Owner is Omnipotent | File Sharing over TCP | Apps over the net and Program Linking | Recommended initial setup | Other users | Creating accounts | Users and Groups | User Identity | User Sharing | Groups |

Page 3
Guest | On to the Files | Example | We can do this | Set the permissions | Control-click | Specify Access for each Joe |

Page 4
The Joes’ read-only folder | Drop Box | The MP3’s folder | Check for Leaks | File Sharing Wrap-up | More File Sharing Wrap-up |

Page 5
Personal Web Sharing | PWS Features | PWS Caveats and Wrap-up | Remote Access | Moving on: “Safer Surfing” | Web browsing | Ok, now I can’t use the web at all | FTP | What you can do |

Page 6
Fetch gets teeth | Fetch security options |

Page 7
Fetch security options 2 | E-Mail | PGP | Attachments (“Enclosures”) | More on email at Dartmouth | BlitzMail’s brethren | Viruses! | Countermeasures | Firewalls |

Page 8
Test it | MAC OS X | MAC OS X Continued | Macs and Unix | There can be many | Users and Folders | Users and Apps | BSD File Security | Classic | Classiconfusion | More on Classic/X | OS X Security “out of the box” | What is THAT port? | More on ports and services | Logs | Unix and Mac can collide | Apache vulnerability! | Ease of Use |

Page 9
OS X 10.2 Sharing pane | File Sharing | Connecting to other servers |

Page 10
Connecting with 10.2 | Connecting to other servers | Firewalling on OS X |

Page 11
Firewalling on OS X - Part 2 | Useful Tools - Network Utility | Useful Tools - Keychain | Useful Tools - Process Viewer |

Page 12
Useful Tools - NetInfo Manager | Useful Tools - Terminal | Useful Tools - tcpdump | Useful Tools - MacSniffer | Useful Tools - MacJanitor | Useful Tools - CheckMate |

Page 13
Useful Tools - CheckMate - Part 2 | GPG Mac | MacSFTP Carbon | Surfing Differences | Patches | Patching 3rd Party Software | Conclusions | Appendix A - URLs and sources | Appendix B - Supplemental Info



monster
Supporter
Username: Monster

Post Number: 1967
Registered: 7-2002


Posted on Sunday, January 29, 2006 - 9:00 pm:

For an architectural overview of OS X, http://developer.apple.com/documentation/MacOSX/Conceptual/OSX_Technology_Overview/index.html

then, to learn more about the security architecture of OS X, go here, http://developer.apple.com/documentation/Security/Conceptual/Security_Overview/index.html

And now for a site that is all about security for the Mac, http://www.securemac.com/


JMF
Citizen
Username: Jmf

Post Number: 235
Registered: 9-2004
Posted on Monday, January 30, 2006 - 10:19 am:

"Virus writers want a perverse form of fame and glory, so they go for the big targets. "

Wouldn't the first ever widespread Mac virus bring some kind of fame and glory?

There is also a fair amount of PC users who HATE the mac... I would figure there are some hackers who would love to get mac users, just because they hate macs.

I don't know... I am honestly just fairly surprised that there has never been a major mac virus.

Dave
Supporter
Username: Dave

Post Number: 8511
Registered: 4-1997


Posted on Tuesday, January 31, 2006 - 8:28 am:

I'm sure it's not because they haven't tried.

Tom Reingold
Supporter
Username: Noglider

Post Number: 12215
Registered: 1-2003


Posted on Tuesday, January 31, 2006 - 8:56 am:

Dave, it would be naive to think it won't or can't happen. Subscribe to bugtraq. At the least, you should not promote a warm and fuzzy feeling.

"This is the only thing my signature says."

TomD
Citizen
Username: Tomd

Post Number: 358
Registered: 5-2005


Posted on Tuesday, January 31, 2006 - 9:16 am:

There are mac viruses, but not as many as exist for Windows machines; not even close. Macs certainly ship with more secure default settings than Windows. Virus writers have a harder time writing viruses for macs but part of the reason mac viruses haven't been a huge problem is that there just aren't as many macs and most macs don't run mission critical corporate apps. In the corporate world a pc virus can hit thousands of PCs and critical servers. A mac virus might interrupt a couple of graphic designers and if the designer's mac gets hosed it just isn't a critical corporate event.
