Mac backers bash MacBook hack, defend OS X's mettle

Computerworld - The contest at a security conference last week to see who could first find and exploit a vulnerability in Mac OS X has reopened the debate about whether Apple Inc.'s operating system is safer than its rivals, especially Microsoft Corp.'s Windows.

Held at the CanSecWest security conference in Vancouver, the challenge pitted a pair of MacBook Pro notebooks, each with all currently-available security patches installed, against all comers. The battle was won by Dino Dai Zovi, who took home a $10,000 prize offered by TippingPoint's Zero Day Initiative.

On Friday, the flaw exploited by Dai Zovi was pinned to Safari, Apple's browser; yesterday, however, it came out that the bug was actually in QuickTime, Apple's media player.

Readers responding to stories in Computerworld and elsewhere were overwhelmingly pro-Mac OS X, while a majority were dismissive of Dai Zovi's exploit. In their comments, they called into question everything and everyone from the vulnerability itself to the CanSecWest organizers' motives.

"It was proven that the hackers could not break OSX. Why? It's hard as hell," said a reader identified as pathogenetic. "OSX is the strongest of the OS's. They had to open up Safari which is a web browser, and a web browser is designed to accept and read information...get my point!"

"Though CanSecWest's contest may have discovered a flaw in Safari, it has not found a flaw in OS X, and CanSecWest could be accused of being a shill for Microsoft," said reader Orlando Smith.

"So this 'Mac OS X Vulnerability' requires that the user open a URL the attacker sends him? How lame is that?" asked Anonymous.

Security researchers and the contest organizer responded to the now-familiar "mine's better" arguments that seem to follow most news of security vulnerabilities on the Mac.

One of the strongest came from Kevin Finisterre, whose "Month of Apple Bugs" project in January got considerable media attention and resulted in a series of patches from the Cupertino, Calif. company. "Mac users are still in denial plain and simple. It is a defensive reaction. The bottom line is Safari is Apple's code," Finisterre said in an e-mail interview. "The fact is there are plenty of bugs still being fixed behind closed doors and still being found behind closed doors. I think at this point the only thing that will completely wake up a Mac user is a good worm or virus."

HD Moore, a vulnerability researcher noted for the Metasploit hacking and attack testing software, took on the claim that Mac OS X is safer than, say, Windows, a position taken by many of the readers/commenters. "The Mac OS X platform is years behind Linux, Windows, and OpenBSD in terms of operating-system security," said Moore in a separate e-mail interview. "All of the above platforms support some form of address randomization (ASLR) and include features that make exploitation slightly more difficult.