
Diatribe

macrumors 601
Jan 8, 2004
4,258
46
Back in the motherland
Just reading the securityfocus.com article - it's a bit scary. People are paying up to 20,000 USD for OSX exploits? Why? Who? In fact, why are TippingPoint - the company who paid the 10,000 bounty for this one - offering so much? What do they gain?

Just publicity? Or do they hope to make money directly from the exploit? :confused:

Who knows what their ulterior motives are but I guess this proves the point that the Mac platform is just not interesting enough yet. When OS X has a 20% market share you WILL see WAY MORE used exploits.
Because that's the point where organized crime gets interested in the platform because it makes money. Maybe we will never see the kiddie viruses and trojans but those are not the only ones writing that stuff. So either hope for better security until then or that Apple never reaches that market share.
 

iSee

macrumors 68040
Oct 25, 2004
3,540
272
Once again -- if this is a WebKit bug, claiming the 'Macintosh' or 'OS X' has been exploited because of a bug in the browser engine is just as silly as claiming Linux has been exploited because Firefox has a vulnerability.

What?!? You've got some good posts on this subject, but on this I completely disagree!

The WebKit isn't just some random third party framework that users download from the Internet. It is installed with the OS. And it's not just any OS X framework either, but the basis for OS X's bundled web browser! Apple has also provided an API to encourage developers to incorporate it into their apps as well.

The WebKit is a component of the OS, as much as the sound system is or QuickTime, and it is one that many (most?) Mac users will use on a daily basis. It may not be a core component of the OS from an architectural standpoint, but it is a core component in terms of importance.
 

shawnce

macrumors 65816
Jun 1, 2004
1,442
0
Personally I recommend the following to all Mac users that I know (and follow it myself)...

  1. If you get a system from anyone other than Apple do an erase and install of Mac OS X before using the system [1]. Consider always doing this even if you get the system from Apple (however I trust Apple).
  2. In the setup assistant (thing you see on first run or after install) name the first user something like "Local Administrator" and give it a strong password.
  3. After logging into the "Local Administrator" account create an account for yourself and DON'T give it the right to administer the system. (create additional accounts as needed for others all without administration rights)
  4. Only use the "Local Administrator" account when you need to do system level changes and/or have to install software that requires admin rights directly (too broken/dumb to ask you for those rights).
  5. By default use your user account when possible. Note as needed the Finder and other tools will ask you to authenticate with a user that has admin rights. If you see this and you know why it is happening then you can type in the account information for the "Local Administrator" account.

Additionally Apple provides a nice little password generation tool in the Accounts pane (the little key button near the "new password" field). I suggest trying it out. Personally I have standardized on memorizable 16-character passwords.

Why do the above? Well for one reason a user that has the ability to administer the computer is part of the Admin (80) group which has write permission to many locations in the filesystem that can be used to inject code and/or fully overwrite filesystem permissions across the whole system. In other words the system can be locally attacked (say by malware or this newly disclosed Safari bug) without the OS attempting to stop or prompting you for password information.

[1] I have seen a few Mac vendors actually create the first user, set that as the auto login user, run some tests, and then box the Mac back up and sell it to customers. The customer then gets a system that logs them in on first boot bypassing the normal registration and account creation... weird. Folks end up with weird account names and never know how things got configured.

The WebKit is a component of the OS
Correct. WebKit.framework (also contains WebCore and JavaScriptCore frameworks) is installed as part of the operating system now (starting in 10.3 IIRC). It is part of the operating system and is used by many Apple and 3rd party applications.
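
An added example, not part of the post above or of any Apple tool: a small shell audit of the point about the Admin (80) group, reporting whether an account is in that group and which top-level paths the group can write to without any password prompt. The function names and the choice of `/Applications` and `/Library` as directories to inspect are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit what membership in the admin group (gid 80 per the post)
# grants on disk. Function names and the inspected directories are assumptions.
ADMIN_GID=80

# in_group USER GID -> status 0 if USER (empty = current process) belongs to GID
in_group() {
    if [ -n "$1" ]; then
        gids=$(id -G "$1" 2>/dev/null) || return 2
    else
        gids=$(id -G) || return 2
    fi
    for g in $gids; do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# group_writable GID DIR... -> print each DIR and its direct children that are
# owned by group GID and carry the group-write bit (symlinks skipped)
group_writable() {
    gid=$1; shift
    find "$@" -maxdepth 1 -gid "$gid" -perm -020 ! -type l 2>/dev/null
}

# report [USER] -> membership verdict followed by the writable paths
report() {
    user=$1
    if in_group "$user" "$ADMIN_GID"; then
        echo "${user:-current user} is in gid $ADMIN_GID; code running as this user can modify:"
    else
        echo "${user:-current user} is not in gid $ADMIN_GID; only admin accounts can modify:"
    fi
    # Directories that do not exist (e.g. on a non-Mac system) are skipped.
    group_writable "$ADMIN_GID" /Applications /Library || true
}

report "${1:-}"
```

Run it once from the everyday account and once with the "Local Administrator" account name as the argument; the path list is the same, only the membership line changes.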
 

EagerDragon

macrumors 68020
Jun 27, 2006
2,098
0
MA, USA
So, if root is not enabled, does the sudo command still grant root access?

I'm still not considering this security hole a huge threat at this point and time. Not once have I ever believed OS X was bullet-proof. However, I'm still safer than all my Windows brethren out there.

Yes, sudo is enabled for users in the wheel group. If you have admin rights, you have sudo; if you can get the user password and decrypt it (child's play in most cases) you can then use sudo. Most people use lousy passwords that can be easily cracked. There are tools that will take an encrypted password and try to come up with the value (brute force) by guessing; if the value of the encrypted guess is the same, then they now know your password and can use it.

But even without sudo, they can just use your account and your machine can be used by the hacker for all sort of nefarious purposes. Since most Mac users do not shutdown their Macs, the hacker has your machine until you either reboot or he figures your password.

They could also insert something in the scheduler to execute at the next reboot but it is less likely, too much trouble for the low amount of Mac systems in the field; Windows is a bigger target.
 

50548

Guest
Apr 17, 2005
5,039
2
Currently in Switzerland
Why can you people not understand this simple concept?

Step 1: Some one constructs this "special page". (Can happen in the normal world.)
Step 2: They plant a link to it in an honest website. (Can happen in the normal world.)

Step 3: You click on the link. (Can happen in the normal world.)

Step 4: You are compromised. (Can happen in the normal world.)

Sounds wonderful. So why don't you please tell us WHY on Earth no such websites have EVER been created against the Mac, even though it's on for, like, 23 years, almost 10 years of OS X, some 2 years on Intel and more than 50 million users around the world?

And please, explain to us what "compromised" means.
 

manu chao

macrumors 604
Jul 30, 2003
7,224
3,031
If you get a system from anyone other than Apple do an erase and install of Mac OS X before using the system. Consider always doing this even if you get the system from Apple (however I trust Apple).
Doing anything else is just lazy. Even alone from a troubleshooting perspective I would never do else. Except if you got the system from somebody you know and trust.
In the setup assistant [...]
About using non-admin accounts: This is just one layer of security albeit a powerful one. However, if nobody manages to own your user account it won't matter whether it is an admin or not. So, for me this is a secondary layer of defense to limit the damage. If the attacker is good enough to get your non-admin account owned she or he might also find a privilege escalation flaw (which counting from the release notes of the security updates seem to be more common than the remotely exploitable flaws).
[...] Personally I have standardized on memorizable 16 characters passwords.
If I am not mistaken, the complexity of the username is as important and effective as the complexity of the password against remote attacks.
 

shawnce

macrumors 65816
Jun 1, 2004
1,442
0
Sounds wonderful. So why don't you please tell us WHY on Earth no such websites have EVER been created against the Mac, even though it's on for, like, 23 years, almost 10 years of OS X, some 2 years on Intel and more than 50 million users around the world?

And please, explain to us what "compromised" means.

Ummm one was just publicly verifiably created. If others discover the same or similar attack vector you could easily see it pop up in places that are already frequented by such attacks used against IE/Windows (MySpace, embedded ads, etc.).

Compromised means anything from simply deleting all of your files, to sending all of your files to a remote system, using your system to send attacks to all of your iChat, etc. buddies, to fully taking over the system so that all accounts on the system are affected.

I know how to do all of that if I could get code to execute under the user's local account and that user is a member of the admin group. Others likely know how to exploit one of the local vulnerabilities that can be used in the case of non-admin group membership. This Safari vulnerability allows code execution so it can easily allow what I outlined.
 

manu chao

macrumors 604
Jul 30, 2003
7,224
3,031
Sounds wonderful. So why don't you please tell us WHY on Earth no such websites have EVER been created against the Mac, even though it's on for, like, 23 years, almost 10 years of OS X, some 2 years on Intel and more than 50 million users around the world?

For one, because so far there was no possibility of legally earning $10000 + a notebook + legal publicity by trying to do so. And it takes time for the momentum and knowledge to build up that is necessary to do so.
 

displaced

macrumors 65816
Jun 23, 2003
1,455
246
Gravesend, United Kingdom
What?!? You've got some good posts on this subject, but on this I completely disagree!

The WebKit isn't just some random third party framework that users download from the Internet. It is installed with the OS. And it's not just any OS X framework either, but the basis for OS X's bundled web browser! Apple has also provided an API to encourage developers to incorporate it into their apps as well.

Oh, I agree entirely. But I stick by the point that Safari/Webkit != OS X. Just as Firefox/Gecko != Linux, although virtually every desktop linux distro will install it, and apps such as Thunderbird use the same rendering engine.

I would say that an exploit in OS X itself would be something such as a vulnerability in the TCP/IP stack or window manager.

The WebKit is a component of the OS, as much as the sound system is or QuickTime, and it is one that many (most?) Mac users will use on a daily basis. It may not be a core component of the OS from an architectural standpoint, but it is a core component in terms of importance.

I think you've hit the nail on the head - it's semantics. But, when discussing the technical side of security problems, semantics are important. I know it's a pipe-dream, but accurate media reports should be stating that this is a vulnerability in the Safari application or the Webkit framework, not OS X. I agree completely that from the user's perspective, the difference is minimal.

I suppose the point I'm trying to allude to is that this is not an inherent vulnerability in the design of the OS X architecture. There's no design decision here that shouts "this was a dumb move". Compare with the Windows approach that the IE renderer is architecturally bound to the shell (although this is not quite the case now in IE7). The exploit seems to be quite firmly rooted in the application domain, since the privileges gained are that of the application which has been exploited.

Note that the contest has two stages. One Mac, the one which has fallen, was a contest to gain local privileges as the current user. The second Mac, as yet uncracked, is for a hacker to gain root privileges remotely.
 

shawnce

macrumors 65816
Jun 1, 2004
1,442
0
If the attacker is good enough to get your non-admin account owned she or he might also find a privilege escalation flaw (which counting from the release notes of the security updates seem to be more common than the remotely exploitable flaws).
Well a user in the admin group allows a lazy attack to take place that will result in full access to the system without having to try any local exploit (which may get patched on ya)... admin group membership is a right that OS is being asked to honor and it will do so without question and it will give you access to locations that can be used to fully compromise a system (at least at this time). It greatly reduces the work someone has to do to compromise a system.

Basically puts the issue fully into the social engineering realm... hey you run this cool app, etc.

If I am not mistaken, the complexity of the username is as important and effective as the complexity of the password against remote attacks.
It can help but those can sometimes be discovered via external disclosures so the passwords have to be good.
 

iSee

macrumors 68040
Oct 25, 2004
3,540
272
Just reading the securityfocus.com article - it's a bit scary. People are paying up to 20,000 USD for OSX exploits? Why? Who? In fact, why are TippingPoint - the company who paid the 10,000 bounty for this one - offering so much? What do they gain?

Just publicity? Or do they hope to make money directly from the exploit? :confused:

Look, I (cover your ears, kiddies) swear I'm not usually a conspiracy nut, but I am almost certain the virus protection software companies directly or indirectly fund much of the virus development work. Like they say, follow the money...

Think about it. Obviously, they have the most to gain. The money you could make on selling time on legions of zombie computers is peanuts compared to what those corporations are pulling in.

And why has the Mac been so free from infection? If viruses were written by hackers looking to make themselves feel important or win bragging rights, they would have been all over the Mac for years. There would be at least some wild viruses, roughly in proportion to Mac market share. But they haven't been.

A company, though, would do a careful market analysis and determine that they want their 100K/yr security researcher working on stuff that will impact 97% of consumers rather than the other 3%. Let's keep those people scared so they keep their subscription up to date!
Mac market has been growing though... 6% looks better than 3%. I think the companies will feel it's worth the effort at around 10%.

Now Windows has "tens of thousands" of viruses, but there are a much smaller number of "root" viruses. An exploit, with code, will be posted somewhere and then "script kiddies" will copy it or combine it with another virus, etc. and try to distribute it. But where did the original posts come from in the first place? From a trained, working professional, perhaps?

And why do security researchers spend so much time hacking things rather than fixing them?
 

whooleytoo

macrumors 604
Aug 2, 2002
6,607
716
Cork, Ireland.
Sounds wonderful. So why don't you please tell us WHY on Earth no such websites have EVER been created against the Mac, even though it's on for, like, 23 years, almost 10 years of OS X, some 2 years on Intel and more than 50 million users around the world?

And please, explain to us what "compromised" means.

There have been several, they even have been reported here. It's just none (that we're aware of) have been used "in the wild" - they've been found and reported to Apple first.
 

EagerDragon

macrumors 68020
Jun 27, 2006
2,098
0
MA, USA
Personally I recommend the following to all Mac users that I know (and follow it myself)...

  1. If you get a system from anyone other than Apple do an erase and install of Mac OS X before using the system [1]. Consider always doing this even if you get the system from Apple (however I trust Apple).
  2. In the setup assistant (thing you see on first run or after install) name the first user something like "Local Administrator" and give it a strong password.
  3. After logging into the "Local Administrator" account create an account for yourself and DON'T give it the right to administer the system. (create additional accounts as needed for others all without administration rights)
  4. Only use the "Local Administrator" account when you need to do system level changes and/or have to install software that requires admin rights directly (too broken/dumb to ask you for those rights).
  5. By default use your user account when possible. Note as needed the Finder and other tools will ask you to authenticate with a user that has admin rights. If you see this and you know why it is happening then you can type in the account information for the "Local Administrator" account.

Additionally Apple provides a nice little password generation tool in the Accounts pane (the little key button near the "new password" field). I suggest trying it out. Personally I have standardized on memorizable 16-character passwords.

Why do the above? Well for one reason a user that has the ability to administer the computer is part of the Admin (80) group which has write permission to many locations in the filesystem that can be used to inject code and/or fully overwrite filesystem permissions across the whole system. In other words the system can be locally attacked (say by malware or this newly disclosed Safari bug) without the OS attempting to stop or prompting you for password information.

[1] I have seen a few Mac vendors actually create the first user, set that as the auto login user, run some tests, and then box the Mac back up and sell it to customers. The customer then gets a system that logs them in on first boot bypassing the normal registration and account creation... weird. Folks end up with weird account names and never know how things got configured.

I would add a few more cautions:
1) Make sure the local admin password and the user password are not the same. If they compromise your account they also have the password for the local admin.
2) Turn off services you do not need. Remove that printer sharing and file sharing, etc. if you do not need them; open them when you do.
3) In a public place like the airport, coffee shop, etc., where people gather, make sure you turn off everything except for your wireless. These are not needed in that environment.
4) If you have the ability, set up a VPN machine at home that you can connect into from public places. This way at the airport you connect to the wireless and open a VPN tunnel home; as long as your requests go through the VPN, no one at the airport, hacker or even an admin, can see what you are doing. If they want to see what you are doing they have to sniff your (outbound) home connection to the ISP.
5) Stay away from porn sites and known hacker sites; even the mild ones usually have payloads to deliver, and sooner or later these payloads will be Mac specific and work. Avoid them, they will work sooner or later.

Sorry for spell issues.
 

whooleytoo

macrumors 604
Aug 2, 2002
6,607
716
Cork, Ireland.
Who knows what their ulterior motives are but I guess this proves the point that the Mac platform is just not interesting enough yet. When OS X has a 20% market share you WILL see WAY MORE used exploits.
Because that's the point where organized crime gets interested in the platform because it makes money. Maybe we will never see the kiddie viruses and trojans but those are not the only ones writing that stuff. So either hope for better security until then or that Apple never reaches that market share.

That's what I'm curious about - if OSX's market share isn't big enough yet to be interesting to the 'professional' hacker market, why is someone paying 10K for an exploit? Other than the publicity, the only two uses I can think of are to use this exploit in an attack, or to incorporate a fix for this exploit in a security product.

But if it's the latter, it doesn't make much sense unless someone actually uses it in the wild.
 

EagerDragon

macrumors 68020
Jun 27, 2006
2,098
0
MA, USA
That's what I'm curious about - if OSX's market share isn't big enough yet to be interesting to the 'professional' hacker market, why is someone paying 10K for an exploit? Other than the publicity, the only two uses I can think of are to use this exploit in an attack, or to incorporate a fix for this exploit in a security product.

But if it's the latter, it doesn't make much sense unless someone actually uses it in the wild.

Researchers (White Hats) do it for fame; the company and researcher are seen as smart and effective by other researchers and potential customers that need protection. Researchers get paid to give talks and write books and get better jobs with more MONEY if they prove that they are effective.

Real Hackers (black hats (the bad guys)) nowadays are motivated by money. Their primary goal (for workstations) is to take over the machine and make a zombie out of it. Hopefully in a way that you do not notice so the machine looks and feels normal. Then they sell access to your machine and several thousand others to people that want to break into a financial institution or some other business. Either to get money, to humble the company, or to steal data that they can use for other purposes like identity theft. So one hacker creates the door and the second hacker uses it for whatever. Hackers are now selling hacks to each other also.

The bottom line .... MONEY. The days of the script kiddie are long gone, now it is big business.

Depending on your paranoia level there is also the government (CIA, NSA, FBI, some police, and private detectives), which may be interested in looking at what you are doing and what is in your machine or network.

There are also political issues; governments such as China, Russia, and others play games to see if they can break in, to either steal secrets, but also to see if they can disrupt things. In the case of war, hacking becomes a weapon. Some of these governments have teams of hackers and they are QUITE good. Financial institutions, the stock markets, electrical power, water, networks, nuclear power plants and many others are targets.
 

Freyqq

macrumors 601
Dec 13, 2004
4,038
181
"As originally planned, the rules for the hack a mac contest were relaxed on Friday after nobody had won the contest on the previous days."

lmao

basically..just use firefox and you're unhackable? :D
 

msandersen

macrumors regular
Jan 7, 2003
217
31
Sydney, Australia
Interesting mix of responses. At one point I was worried the naysayers were getting the upper hand, but I am glad more rational voices have prevailed; whereas responses from people like BRLawyer may seem funny, it reflects badly on the Mac community, and the reason why some consider Mac users snobs or unquestioning acolytes.
To the likes of BRLawyer, I say: Don't forget it was on these very forums that the very first Worm was unleashed, not a mere proof of concept like previously, but an actual exploit. And also of Safari. Thankfully it was not very destructive and OSX security did mostly protect the system itself. But a user's personal files are what a user values most.
As has been expressed well by others, it was a legitimate scenario of a user visiting a compromised webpage. The difference between day one and two was user interaction: Initially hackers were unable to gain access remotely on the Macs running a stock OSX setup with the default security settings and no 3rd party apps running.
The second day allowed people from anywhere on the Internet to email a link to a compromised web page to be opened in Safari.

I haven't seen this mentioned here:
2 Macs were up for grabs: A 15" MacBook Pro and a 17". The first one required Default User-level access, the second one required Root access. Instructions for claiming the prize were in the Default user's Home directory on the 15", and in Root on the second 17".
It was the first one that got "owned"; in other words, through the Safari flaw, they gained external terminal access as the Default User, not as Root. The second one has not been claimed. Whereas gaining User access is very bad and is the first step in Privilege Elevation, it is still worth noting that they were not able to get Root on the 2nd 17" machine, or surely they would have done so rather than claiming the easier prize.
Claiming the 2nd is made harder by the fact that the same exploit is not allowed.

Whether this means there are no currently-known unpatched privilege-elevating exploits, or the hackers in question simply weren't up to it in the time allowed, I don't know; the guy who previously gave people local access on his Mac Mini and challenged people to get Root and consequently got "owned", shows it is possible, or at least was at the time.

An interesting thing was mentioned that people can get Webkit nightlies and check for any vulnerabilities being patched, and then apply it to the wild before any official patches are issued. This is an interesting example of Opensource being used against itself.
WebKit/Safari is an obvious mode of attack, since just as Internet Explorer is such a major security risk because it is so deeply embedded in the System, so is WebKit, though I don't know that Apple has blundered quite as badly as Microsoft did.
 

Swift

macrumors 68000
Feb 18, 2003
1,828
964
Los Angeles
3Com's money

That's who TippingPoint is, and why do they pay all that money for OS X hacks? Security firms love having shows to make people afraid. They make their money off of fear. Sound familiar?

Security companies have lost a big chunk of their market with Vista, because MS is locking them out of the system -- a good move, actually. So they jump up and down about how vulnerable this makes people by not having their junk on the hard drive. (This, at the moment, is partially true, as Windows OneCare is full of holes.) If you want a truly secure system, Windows Vista 64-bit is actually pretty good. Hardware DEP protects against buffer overrun -- all of it. Unfortunately, it breaks a ton of software and hardware that people need to use.

Remember that "Mac OS X is only secure because of its small marketshare!" refrain? Partially true, but so is the inverse: "Windows is terribly insecure because of its monopoly marketshare." Security is a trade-off, and they have been giving security second place since Windows began. Better keep all the old code so it works with all machines.

I presume this is a bug in either Safari's Webkit or javascript. You might be cautious and turn off javascript in Safari until this is resolved. On the other hand, if you don't go to suspicious web sites -- stay away from porn, Russian hacker sites and warez -- then the odds are overwhelming that you'll be fine.

By the way, by itself, overwhelming a web browser isn't that hard. It's figuring out what to do when you crash it that makes malware dangerous.
 

nagromme

macrumors G5
May 2, 2002
12,546
1,196
They're letting Apple know the details first so they have a chance to patch before letting the public know, right? So the contest is legitimate and useful, and found a bug to patch, which is all good. Not the first OS X flaw, not the last, and not malware--though it COULD be a step toward making malware if they hadn't found the bug for Apple so it could be fixed. Now it will be patched, like many others have been (but nothing like the Windows nightmare) and will continue to be. I'm happy :)

As for security by obscurity, YES obscurity helps. So does a secure UNIX design heritage. BOTH are advantages over Windows, and both are here to stay.

(Profit IS the biggest motive for attacks, but far from the only one. And Macs aren't THAT obscure: people would love the prestige of making the first real Internet virus for Mac OS X.)

PS just curious about the old classic Mac OS from the 80s-90s. I know it did have a few viruses. How many of them were self-spreading Internet viruses? Were they mostly floppy/CD/LAN viruses? Those are the kind I recall.
 

EagerDragon

macrumors 68020
Jun 27, 2006
2,098
0
MA, USA
What we know

Follow up to my other posts, please read them first.

We know very little, but we know that the primary vector of attack is the browser. The browser has been one of the more prolific vectors of attacks in the Windows world for many years now. All browsers like Netscape, Firefox, Safari and others have been known to have weaknesses in the past that allow code injection. We have no reason to believe that there is anything special about this new hack other than that it is new and maybe not closed up to 10.4.9 minus the latest patch 2007-004. At this time we do not know if that patch is effective or not.

The next thing we do not know is what the secondary vector is. For example:
1) The core code of Safari
2) The javascript being injected and the security settings of the browser
3) One of the Safari supplied plug-ins,
4) A third party plug-in not installed as part of Safari.

Number 2 above would be my primary suspect. Javascript has become very powerful and can do just about anything. A malicious site can inject javascript code and even a java applet. These in turn can be executed by the browser. Not sure if you have seen the PDF image attack and others, where downloading a PDF with some javascript code attached caused the browser to execute the javascript on the user's browser. There are many others like this. Browsers are nasty due to the functionality that they need to perform.

Depending on the security settings and even a logic error in the browser, it is possible for javascript and java applets to read and write files in the user's machine. It is also possible to open network connections to other machines like for example the hacker's system.

Also all browsers have a cache where they store images, and other bits that may be needed later. If you can get the browser to load cached information it may be possible to also execute it.

Javascript can even execute programs that are in your machine.

The second most likely secondary vectors are 3 and 4 above. Most of these plug-ins are written in compiled code and that makes them subject to a buffer overflow or even a feature or backdoor that allows code execution. We really don't know what is in those plug-ins or how vulnerable they are.

If they can cause a buffer overflow in either the browser core code, or in one of the plug-ins, then they can in some cases cause the CPU to start executing code that is part of the buffer overflow. Any code execution at the process level results in a process now owned by the hacker that is running with the privileges and access of the ID that is running (in this case) the browser. If you are an admin user, they own your box now; if you are not, then they own you and all your files until you reboot (for the most part).

If there is a backdoor or feature that allows a plug-in to execute code you have the same scenario as a buffer overflow but a little worse because the code may run as a separate process that you are not aware of, since nothing is different in the browser and there is no slowdown or even a bad paint of the screen to make you aware. In that case the separate process is not tied to the browser security or settings no matter how relaxed or stringent they are.

Even if you do not care about your files, which I am sure you do, most unixes have a set of utilities that have very weak security and that sometimes can change the user identity to gain elevated privilege or to write to files that are executed during the boot up process with the system (root) privileges. This would be really nasty.

Without more info I cannot tell for sure, but what I do know makes me think this is a real weakness and a nasty one.

As more info develops I will post.
 

EagerDragon

macrumors 68020
Jun 27, 2006
2,098
0
MA, USA
"As originally planned, the rules for the hack a mac contest were relaxed on Friday after nobody had won the contest on the previous days."

lmao

basically..just use firefox and you're unhackable? :D

Allowing any part of the OS to run prior to the attack and using that part as a vector for the attack is very reasonable.

Most people run their rss feeds, browser, mail and others. So it is fair that the hacker will find them running in most machines.

I think that the relaxation was fair but this changes the test. They were not able to find a hack with a system just running system processes, but they apparently found a hack in one of the most common utilities that most people run and that they run for hours at a time.

Sounds fair, but it is a different test if you want to nitpick at it.

This test is very similar to what happens with windows machines running IE. In IE they found tons of these and even today, they are still finding issues. Apple has a browser with similar functionality so it can also have similar issues.

The key to keep in mind is scale, they find 3000 holes in windows for every one in OSX.
 

Diatribe

macrumors 601
Jan 8, 2004
4,258
46
Back in the motherland
Allowing any part of the OS to run prior to the attack and using that part as a vector for the attack is very reasonable.

Most people run their rss feeds, browser, mail and others. So it is fair that the hacker will find them running in most machines.

I think that the relaxation was fair but this changes the test. They were not able to find a hack with a system just running system processes, but they apparently found a hack in one of the most common utilities that most people run and that they run for hours at a time.

Sounds fair, but it is a different test if you want to nitpick at it.

The thing is though, they offered the $10,000 with the first day (first challenge type) almost over. And the $10,000 is what sparked the interest, which eventually led to the exploit.
Who knows what would have happened if they had offered the $10,000 from the start...
 

EagerDragon

macrumors 68020
Jun 27, 2006
2,098
0
MA, USA
The thing is though, they offered the $10,000 with the first day (first challenge type) almost over. And the $10,000 is what sparked the interest, which eventually led to the exploit.
Who knows what would have happened if they had offered the $10,000 from the start...

Good question .... They may have found something else or because they had little participation, they may have found nothing.

It is not clear at this time if this particular researcher was involved from the start or not. So we do not know if this researcher would have been able to find a hole without the browser.

I'd rather a WhiteHat (researcher or security professional) find these issues and report them to Apple for repair than a BlackHat (bad guy) finding it, exploiting it, never telling Apple and selling it to his friends when he is done with it so they can attack us some more.

Fair or not is not as important as discovering something now, having it fixed, and avoiding the bad boys from getting it and using it against us.

Some of you may not like us (White Hats) but in the long run it is a benefit to Apple and consumers that these weaknesses are found before the bad guys find them.

Yes it looks bad because of the publicity, but long term it is great; we end up with a better, stronger and more secure OS.

Think about it.
 