
SPUY767

macrumors 68020
Jun 22, 2003
2,041
131
GA
IT'S A FRIKIN' WEB PAGE. Unless your router or firewall blocks ALL your access to the internet so you can't visit a web page in the first place, you'll get infected with whatever the hacker wants. A router routes traffic and a firewall blocks connections. This is no different than the IE's bugs that caused millions of spyware and other infections. So please STOP using words you have no idea what they mean.

Logic clearly escapes you, however, what I was trying to say is. . . I can write scripts that pop up shells on a network machine. I can also make scripts that pop up shells on a machine, but are blocked by firewalls. While something may be effective on a network, it might not be effective over the internet. Next time, before you mouth off, think. Furthermore, how I used any words in my post that anyone on this board wouldn't understand escapes me. You, in contrast, felt it necessary to insult my intelligence, level of expertise, and overall competence. Grow up, please. If you have something meaningful to add to this discussion, by all means, do so, otherwise, don't bother posting, it is unnecessary wear and tear on your keyboard.
 

Clive At Five

macrumors 65816
May 26, 2004
1,439
-1
St. Paul, MN
If a web page visited with Safari led to a machine being entirely compromised then this is a far more serious issue than people here seem to be willing to admit. This is the sort of exploit that would cause serious headaches for average users.

Average users are idiots who will click on links in e-mails titled "hehehe this site is sooooooo cute: Kitties!" without hovering over the link to see that the site actually leads to http://125.231.52.51/fckurmother.virus

You can't hold Apple accountable for idiots.

-Clive
 

EagerDragon

macrumors 68020
Jun 27, 2006
2,098
0
MA, USA
This most recent exploit is most likely a Safari specific exploit...

Try this safe demo page with Safari, and then with Firefox. If you're patched with the latest updates, Safari will not automatically execute the download -- however, if you tell Safari to open the downloaded and "unzipped" file, the file will be executed, and Calculator should pop up on your screen. On the other hand -- try this test in latest ver. of Firefox, and when you try to open up the file Calculator will not be opened.

Agree 100%
 

EagerDragon

macrumors 68020
Jun 27, 2006
2,098
0
MA, USA
We don't know if this hack is effective across the firewall in your router, or the firewall provided by your ISP, so this test is null and void. Of course, if you have a rogue in your business, and he puts this hack on a page that resides on your company's intranet, you're screwed!

It is valid with or without the firewall.

This modified test is similar to what happens to Windows users ALL THE TIME. They use their browser to go to a site and the site has an attack that takes over some of the functionality of the browser or that causes a buffer overflow in the browser. We do not yet know exactly the nature of the attack, but it is real and firewalls won't make a difference since port 80 outbound has to be open in order for your browser to reach any (good or malicious) web site. If port 80 is closed in the firewall (hardware or Mac) you can't surf.
 

EagerDragon

macrumors 68020
Jun 27, 2006
2,098
0
MA, USA
Logic clearly escapes you, however, what I was trying to say is. . . I can write scripts that pop up shells on a network machine. I can also make scripts that pop up shells on a machine, but are blocked by firewalls. While something may be effective on a network, it might not be effective over the internet. Next time, before you mouth off, think. Furthermore, how I used any words in my post that anyone on this board wouldn't understand escapes me. You, in contrast, felt it necessary to insult my intelligence, level of expertise, and overall competence. Grow up, please. If you have something meaningful to add to this discussion, by all means, do so, otherwise, don't bother posting, it is unnecessary wear and tear on your keyboard.

Depends .... If the script uses port 80, you are fried, if it uses something else that is closed on the firewall, you are right, the shell won't work.

Whatever they did, they prob used the ports that were normally open like 80, 443, 25, 110.

By default the Mac firewall and a lot of cheap firewalls will allow any outbound port (Mac makes the connection). If the script opens a socket using any port to the hacker machine, the hacker got you. Obviously not all attacks are like that, but I've seen viruses and trojans that use port 80.
 

savar

macrumors 68000
Jun 6, 2003
1,950
0
District of Columbia
There's a new update claiming that the exploit affects Firefox as well...which is very interesting. I would have guessed the exploit was in webkit if this researcher discovered and exploited it in only 9 hours. My guess now is that it has to do with Apple's Java implementation -- that's the only unique link between Firefox and Safari that I can think of. And they recommend disabling Java/Javascript, which supports my theory.

Link

They claim, "more details, momentarily"...let's see what they say.


Anyway, this thread is really embarrassing to all the people who are coming here saying "this is nothing" or "they had to lower the bar". We don't have enough information yet to say how significant it is, but based on what we do know it seems like a valid exploit. He was able to get a remote shell just by visiting a website.

This is a real threat. We click on thousands of links a day. Imagine if the link above was actually a link to the exploit page...I'd have shells on all your machines now too.

However, the article does say that it's a user shell, not a root shell. This is a big difference. He didn't exploit any system code, he exploited userland code. This means the system itself is safe, as are all other users. Of course, that won't be much consolation to the user who has all of his data stolen/trashed/trojan'd, etc.
 

SPUY767

macrumors 68020
Jun 22, 2003
2,041
131
GA
Depends .... If the script uses port 80, you are fried, if it uses something else that is closed on the firewall, you are right, the shell won't work.

Whatever they did, they prob used the ports that were normally open like 80, 443, 25, 110.

By default the Mac firewall and a lot of cheap firewalls will allow any outbound port (Mac makes the connection). If the script opens a socket using any port to the hacker machine, the hacker got you. Obviously not all attacks are like that, but I've seen viruses and trojans that use port 80.

I know that, I was just making the point that there are viruses and exploits that are designed to work inside a network and will not work across a firewall. Also, I was defending myself against unfounded claims of illiteracy.

There's a new update claiming that the exploit affects Firefox as well...which is very interesting.


See my questions of whether or not this was a JavaScript exploit or whether it was Safari specific, I recall being lambasted for that query as well, maybe not on this forum, now it appears that it wasn't so far-fetched.
 

Clive At Five

macrumors 65816
May 26, 2004
1,439
-1
St. Paul, MN
[...]

Link

[...]

This is a real threat. We click on thousands of links a day. Imagine if the link above was actually a link to the exploit page...I'd have shells on all your machines now too.

Seriously? Dial down the drama.

Refer to my above post. Only the foolish click links without checking the URLs, especially on public forums.

Yes, Apple can fix this hole, but there will always be something else where user-idiocy causes the destruction of their own computer system. Apple cannot be held accountable for every moron who thinks he or she can use a computer. Ignorance is not an excuse!

-Clive
 

savar

macrumors 68000
Jun 6, 2003
1,950
0
District of Columbia
Refer to my above post. Only the foolish click links without checking the URLs, especially on public forums.

Yes, Apple can fix this hole, but there will always be something else where user-idiocy causes the destruction of their own computer system. Apple cannot be held accountable for every idiot who thinks he or she can use a computer. Ignorance is not an excuse!

-Clive

My parents don't mouse over links. My grandparents don't either. None of them are foolish or ignorant. Hell, I work with computers professionally and I don't mouse over EVERY SINGLE link. Nor do I think I should have to.

It IS Apple's job to protect naive users from themselves. You shouldn't have to understand HOW something works in order to use it. There is a limit...if a user downloads a program from an untrusted source and then runs it and erases their data, sure not much you can do about that.

I can't service a carburetor or flush a transmission, but I can drive a car.
 

Clive At Five

macrumors 65816
May 26, 2004
1,439
-1
St. Paul, MN
It IS Apple's job to protect naive users from themselves. You shouldn't have to understand HOW something works in order to use it. There is a limit...if a user downloads a program from an untrusted source and then runs it and erases their data, sure not much you can do about that.

How is that any different than clicking a link which will open up your computer to a hacker to steal all your personal information?

To use your car analogy, you don't have to know how to flush the tranny! You just have to adhere to common sense "rules of the road." Drivers are accountable for their own safety whether they know the rules or not. Surfers should be as well. There is no excuse.

Like I said, there will ALWAYS be a method used by online predators to trick you into compromising your system's security. You'll be kidding yourself if you think anything else. That being said, I suggest you give your parents and grandparents a crash course in web safety - or revoke their "Driver's License."

-Clive
 

savar

macrumors 68000
Jun 6, 2003
1,950
0
District of Columbia
Like I said, there will ALWAYS be a method used by online predators to trick you into compromising your system's security. You'll be kidding yourself if you think anything else. That being said, I suggest you give your parents and grandparents a crash course in web safety - or revoke their "Driver's License."

On that last point, we can agree. I educate both my parents about scams and how to avoid them. For my grandparents, I keep them in their "sandbox" -- i.e. I tell them not to ever, ever give out private information on the internet, not even to people they trust. Their fear of computers is innate and they heed this warning.

Still, it's hard to explain to my mom and dad (each of whom, a long time ago, was capable of programming IBM mainframes on punchcards) how a link can be forged to look real and still be fake. (I'm talking about the http://www.citibank.com@1.2.3.4/ variety.)

Nevertheless, there are certain safeguards we can build in. I'm gonna try not to wear out the car analogy, but the responsibility is divided between the user and the manufacturer. Each has certain responsibilities and expectations.

If I open a Java applet and it asks for escalated permissions (with the requisite warning symbol and ominous wording), and I grant it those permissions and then it wipes out my files...that's my fault. I don't know how software can (or can be expected to) remove that risk.

But if Java didn't have that sandbox model to begin with, that would be inherently risky...and I would hold the makers responsible for creating dangerous scenarios. If somebody finds a hole in Java that allows automatic privilege escalation, then that's a real danger IMO.

We don't know much about the exploit mentioned here, but it sounds similar to me. It's taking advantage of a weakness in Safari and doesn't require particularly risky behavior on the user's part.
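
The forged-link form savar mentions above (`http://www.citibank.com@1.2.3.4/`) can be checked mechanically. As an added example that is not part of the original post, this Python code reports the host a link really connects to and flags the userinfo trick, raw IP hosts, and link text that names a different host; the function names and every sample link other than savar's are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption for this example: anything shaped like "label.label" counts as a hostname.
HOSTNAME_LIKE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)

def real_host(url):
    """Host the browser connects to: the part after the last '@' in the authority."""
    return (urlsplit(url).hostname or "").lower()

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def inspect_link(href, shown_text=""):
    """Return a list of warnings for one link; an empty list means nothing was flagged."""
    parts = urlsplit(href)
    host = real_host(href)
    warnings = []
    # Everything before '@' is userinfo, never the destination.
    if parts.username is not None:
        if HOSTNAME_LIKE.match(parts.username):
            warnings.append(f"userinfo '{parts.username}' imitates a hostname; real host is {host}")
        else:
            warnings.append(f"URL carries userinfo; real host is {host}")
    if is_ip_literal(host):
        warnings.append(f"host is a raw IP address ({host})")
    # If the visible link text is itself a hostname or URL, it should match the target.
    shown = shown_text.strip()
    if shown and not re.search(r"\s", shown):
        shown_host = real_host(shown if "://" in shown else "http://" + shown)
        if HOSTNAME_LIKE.match(shown_host) and shown_host != host:
            warnings.append(f"link text shows {shown_host} but goes to {host}")
    return warnings

# Constructed samples (href, visible text); only the first href is taken from the thread.
SAMPLE_LINKS = [
    ("http://www.citibank.com@1.2.3.4/", "Citibank"),
    ("http://192.0.2.10/kitties", "www.example.com"),
    ("https://forums.example.org/thread/1", "this thread"),
]

if __name__ == "__main__":
    for href, text in SAMPLE_LINKS:
        print(href, "->", real_host(href), inspect_link(href, text) or "ok")
```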
 

Clive At Five

macrumors 65816
May 26, 2004
1,439
-1
St. Paul, MN
@ savar:

I don't want you to think I'm pro-hacker or anything, and believe it or not, I do think you're right that Apple should fix any and all exploits that are discovered. The only part I disagree with is the attitude. Though it sounds as though you've relaxed a bit on the issue, your initial post sounded like you thought the sky was falling because of a single Safari exploit; one that *can* be avoided by using caution.

Are there more exploits? Yes, it's likely. Do they need to be fixed? Of course. Should Apple be chastised for their existence? No, not when they are exploits that can be avoided.

The point is that computer experts worked all day for two days working to find an external crack to the OS. One was not to be found (not to say they don't exist, because some likely do). I highly doubt the same could be said about a Windows PC. For a platform that is being run by 95% of the computer-using population, that is scary!

To say that a Mac can be exploited by a "user" who will click any link that comes through an e-mail is not saying much.

-Clive
 

Gasu E.

macrumors 603
Mar 20, 2004
5,089
3,207
Not far from Boston, MA.
i'd love to know where this so-called "journalist" received her degree... this is the most biased, one-sided article i've read in a long time...

Then you lead a sheltered life. Actually, it is the exact same report-- and same author-- that appeared in MacWorld (with the "bar-lowering" reference), just edited differently. I believe the "journalist" did her job pretty well.
 

EagerDragon

macrumors 68020
Jun 27, 2006
2,098
0
MA, USA
My parents don't mouse over links. My grandparents don't either. None of them are foolish or ignorant. Hell, I work with computers professionally and I don't mouse over EVERY SINGLE link. Nor do I think I should have to.

It IS Apple's job to protect naive users from themselves. You shouldn't have to understand HOW something works in order to use it. There is a limit...if a user downloads a program from an untrusted source and then runs it and erases their data, sure not much you can do about that.

I can't service a carburetor or flush a transmission, but I can drive a car.

Even the most professional and smartest, sooner or later will absentmindedly click on the wrong link without looking first. Most times no harm done and you get to live another day. Most Mac users don't have to worry about this except for 2 to 3 times a year when something like this gets discovered. Count your blessings, Windows users are under a constant barrage of attacks.

But there are a lot of naive (new) computer users out there that are unaware of the dangers. They do learn soon or dump their computer, LOL.

Hey I don't mouse over every link and I should know better, but then again I live dangerously since I spend time in true hacker sites. Since Macs are more resilient and most hackers don't take the time to go after the Mac platform, the danger is reasonable.

"Your mileage may vary"

So far the following is the key:
1) Don't go where you should not
2) Know what you click
3) Know what you download
4) Know what you execute
5) Keep patches up to date
6) Use a non-privileged account most of the time
7) Last but not least ... Backup
 

EagerDragon

macrumors 68020
Jun 27, 2006
2,098
0
MA, USA
One more

Think before you download a web browser plug-in. Your browser may have weaknesses and your plug-ins can also have some. The more plug-ins the higher the likelihood.
 

Maccus Aurelius

macrumors 6502a
Sep 19, 2006
542
0
Brooklyn, NY
Good to know that there are people like this that attempt to break in, as it only means more awareness to Apple and to the rest of us capable of rectifying even the least critical of exploits...at least I'd like to think so :eek:
 

theBB

macrumors 68020
Jan 3, 2006
2,453
3
OK, it turns out to be the way QuickTime handles Java. They say it affects any web browser where QuickTime handles Java: Firefox or Safari, and they say even if you are using Windows and have QuickTime installed. It is not a bug in the OS or Safari, but QuickTime. The one program from Apple I never liked much... :) Maybe we should update front page info.

More info:

http://www.matasano.com/log/812/breaking-macbook-vuln-in-quicktime-affects-win32-apple-code/
 

shawnce

macrumors 65816
Jun 1, 2004
1,442
0
Fix is out for this issue...

Just over one work week from date of reporting to Apple... not bad response time.

Code:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2007-05-01 QuickTime 7.1.6

QuickTime 7.1.6 is now available. Along with functionality
improvements (see release notes), it also addresses the
following security issue:

QuickTime
CVE-ID: CVE-2007-2175
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9, Windows XP SP2,
Windows 2000 SP4
Impact: Visiting a malicious website may lead to arbitrary code
execution
Description: An implementation issue exists in QuickTime for Java,
which may allow reading or writing out of the bounds of the allocated
heap. By enticing a user to visit a web page containing a
maliciously-crafted Java applet, an attacker can trigger the issue
which may lead to arbitrary code execution. This update addresses the
issue by performing additional bounds checking when creating
QTPointerRef objects. Credit to Dino Dai Zovi working with
TippingPoint and the Zero Day Initiative for reporting this issue.

QuickTime 7.1.6 may be obtained from the Software Update
application, or from the Download area in the QuickTime site
http://www.apple.com/quicktime/download/

For Mac OS X v10.4.9 and Mac OS X v10.3.9
The download file is named:  "QuickTime716.dmg"
Its SHA-1 digest is:  275327dadcb28b704eb2ed40db3ee300103cea6f

QuickTime 7.1.6 for Windows XP/2000
The download file is named:  "QuickTimeInstaller.exe"
Its SHA-1 digest is:  2ebfbab44f7ee26ce15f88373d5f843ef2232ed4

QuickTime 7.1.6 with iTunes for Windows XP/2000
The download file is named:  "iTunesSetup.exe"
Its SHA-1 digest is:  528be70403b1675597e8563bafe2f9f728eda6dd

Information will also be posted to the Apple Product Security
web site:  http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/

 