Mac hack puts Apple faithful on the defense

By Bill Brenner
27 Apr 2007 | SearchSecurity.com



The Apple faithful have had to defend the security prowess of Mac OS X an awful lot this past year and a half.

Early 2006 saw the appearance of the first malware targeting Macs, followed a few months later by a controversial Black Hat demo in which a MacBook was hacked via a weakness in the wireless driver.

Now Mac Nation is defending the security of their OS against a media storm involving a Mac hijacked in a demo last week via a flaw in the QuickTime media player.

It doesn't matter that this flaw seems to affect most browsers, from Safari to Firefox to Internet Explorer 7, and that users are under threat whether they use a Windows or Mac machine. A Mac was successfully targeted first, further chipping away at the OS's reputation as a more secure alternative to Windows. Apple enthusiasts are feeling the sting.

Not surprisingly, the QuickTime exploit has sparked a new round of Mac vs. Windows debate in the blogosphere.

About Security Blog Log:
Senior News Writer Bill Brenner peruses security blogs each day to see what's got the information security community buzzing. In this column he lists the weekly highlights. If you'd like to comment on the column or bring new security blogs to his attention, contact him at bbrenner@techtarget.com.

Errata Security CTO David Maynor, one of the researchers who sparked controversy with last year's MacBook demo at Black Hat, wrote in the Errata Security blog that the latest demo -- in which New Yorker Dino Dai Zovi hijacked a Mac as part of a contest at the CanSecWest conference -- will no doubt send the Mac faithful on another defensive blitz.

"Brace yourselves for the flood of Mac faithful posts about why this [exploit] doesn't count," he wrote. "Of course, the reporters that will cover this will be called Microsoft zealots [with] an agenda against Apple."

Tech blogger Ian Betteridge wrote about the "myth of Mac security" in his Technovia blog. For him it didn't matter how the Mac was exploited. In the end, he wrote, no operating system is 100% secure and Mac fans should stop getting defensive whenever their OS is targeted.

"The reaction to this makes one thing clear: There are clearly a whole bunch of Mac users out there who believe that their machines are secure, invulnerable, and will actually dance around the issues to counter what they refer to as 'black PR,'" he wrote. "That's insanity. It's religion, not a lifestyle choice. These people are a problem for every Mac user, because security is like inoculation: The more people there are who take security seriously, the less likely it is that malware will spread widely. People who don't think security is their problem are a hazard."

While it may be true that there are Mac users who would rather deny reality, some of them point to their own situations as proof that Mac security remains unblemished.

An IT pro who writes under the name Hack a Mac said in his blog that his Mac kept humming along recently as Windows boxes in his company were felled by attacks connected to Microsoft's DNS Server Service zero-day flaw.

"I had to pull a couple of 24-hour-plus days due to a zero-day attack on our Windows network," he wrote. "Yes, like many Mac users, I have to work and live in a [Windows] world much to my annoyance but it does pay the bills."

In this case, he said, his company got slammed by a DNS hack with Rinbot as a payload. The attack came via one of the company's VPN connections in China and hit the DNS servers. It took a few days to work out what had happened. He said he spent more than a few hours in the Windows registry working out a band-aid solution that involved renaming files and putting dummy files in place to stop the worm.

During all this "fun," he said, "my trusty Mini just kept working away while my boss's laptop died, my co-worker's workstation died and most of the servers died."

For the amount of time lost and money spent trying to protect the Windows boxes, he said, "everyone and I mean EVERYONE in the office could have had top-flight Macs on their desktop. And yet, people refuse to admit that in some if not many cases, Windows is not the best solution."

As bloggers debated the security merits of the Mac, the Matasano Chargen blog continued to collect new details about the actual QuickTime exploit and its aftermath.

Thomas Ptacek, a member of the team at Matasano Security, a New York consultancy, warned Thursday about unconfirmed reports from multiple credible sources that the challenge MacBooks from the CanSecWest contest were exposed to an unprotected wireless network, and that "raw packet captures of the successful exploit have been taken by parties unknown to us."

After a lot of investigating, the Matasano team couldn't confirm that this had happened, as many of their leads failed to pan out. But they continued to collect more information on the breadth of the QuickTime threat.

"Anonymous sources at 3Com confirm Dino's QuickTime vulnerability is exploitable in IE7 and IE6 on Windows XP," Ptacek said. "I think we can now safely conclude this is a hell of a finding. Way to go, Dino!"

The QuickTime exploit proved that most browsers are threatened, including those running on Mac boxes. On this point I agree with Betteridge:

The larger lesson for Mac users and the top brass at Apple is that it's time to drop the defensiveness and acknowledge that they too are not bulletproof.
