Mac backers bash MacBook hack, defend OS X's mettle
They're 'in denial,' retorts a vulnerability researcher
Computerworld - The contest at a security conference last week to see who could first find and exploit a vulnerability in Mac OS X has reopened the debate about whether Apple Inc.'s operating system is safer than its rivals, especially Microsoft Corp.'s Windows.
Held at the CanSecWest security conference in Vancouver, the challenge pitted a pair of MacBook Pro notebooks, each with all currently-available security patches installed, against all comers. The battle was won by Dino Dai Zovi, who took home a $10,000 prize offered by TippingPoint's Zero Day Initiative.
On Friday, the flaw exploited by Dai Zovi was pinned to Safari, Apple's browser; yesterday, however, it came out that the bug was actually in QuickTime, Apple's media player.
Readers responding to stories in Computerworld and elsewhere were overwhelmingly pro-Mac OS X, while a majority were dismissive of Dai Zovi's exploit. In their comments, they called into question everything and everyone from the vulnerability itself to the CanSecWest organizers' motives.
"It was proven that the hackers could not break OSX. Why? It's hard as hell," said a reader identified as pathogenetic. "OSX is the strongest of the OS's. They had to open up Safari which is a web browser, and a web browser is designed to accept and read information...get my point!"
"Though CanSecWest's contest may have discovered a flaw in Safari, it has not found a flaw in OS X, and CanSecWest could be accused of being a shill for Microsoft," said reader Orlando Smith.
"So this 'Mac OS X Vulnerability' requires that the user open a URL the attacker sends him? How lame is that?" asked Anonymous.
Security researchers and the contest organizer responded to the now-familiar "mine's better" arguments that seem to follow most news of security vulnerabilities on the Mac.
One of the strongest came from Kevin Finisterre, whose "Month of Apple Bugs" project in January got considerable media attention and resulted in a series of patches from the Cupertino, Calif. company. "Mac users are still in denial plain and simple. It is a defensive reaction. The bottom line is Safari is Apple's code," Finisterre said in an e-mail interview. "The fact is there are plenty of bugs still being fixed behind closed doors and still being found behind closed doors. I think at this point the only thing that will completely wake up a Mac user is a good worm or virus."
HD Moore, a vulnerability researcher noted for the Metasploit hacking and attack testing software, took on the claim that Mac OS X is safer than, say, Windows, a position taken by many of the readers/commenters. "The Mac OS X platform is years behind Linux, Windows, and OpenBSD in terms of operating-system security," said Moore in a separate e-mail interview. "All of the above platforms support some form of address randomization (ASLR) and include features that make exploitation slightly more difficult.



- Excel 2010 Cheat Sheet
- Register for this Computerworld Insider Cheat Sheet and gain access to hundreds of premium content articles, guides, product reviews and more.
- Overcome Top 7 Admin Challenges of Active Directory
- As Active Directory's role in the enterprise has drastically increased, so has the need to secure the data. Gain insight on creating repeatable,...
- Insiders Can Ruin Your Company. Take Action.
- Did you know that 80 percent of threats to an organization come from the inside? The threat from insiders is often overlooked in...
- Top Solutions and Tools to Prevent Devastating Malware
- Custom malware frequently goes undetected. According to Forrester Research, the best way to reduce risk of breach is to deploy file integrity monitoring...
- Streamline Compliance and Increase ROI
- Streamline, simplify, and automate compliance related activities; especially those that impact multiple business units. This white paper from NetIQ, outlines solutions that will...
- X-Ray of the PCI Process-4 Proactive Steps
- This white paper from Forrester Research Inc., helps break PCI into understandable components. Security and risk professionals will gain knowledge and insight into... All Mac OS White Papers
- Optimizing Networks for the Cloud
- Join guest speaker, Rohit Mehra, IDC Director of Enterprise Communications Infrastructure, to explore current trends, discuss best practices for optimizing Data Center and...
- Apps QuickStart Series Part 2: Designing and Deploying SQL Server on VMware vSphere
- Download this webcast to learn about the design considerations for virtualizing SQL workloads, performance and scalability information and high-availability options, as well as...
- Apps QuickStart Series Part 1: Designing and Deploying Exchange 2010 on VMware vSphere
- Download this webcast to learn the virtual hardware design considerations for Exchange 2010, deployment using the building block approach, options for high-availability and...
- Customer Spotlight: How IPC The Hospitalist Company Implemented Oracle on VMware
- Have you been looking to hear about customer's experiences with the new VMware vCenter Site Recovery Manager product? View this webcast to learn...
- Virtualize Business-Critical Applications with Confidence
- Virtualizing business-critical applications has become a key focus for organizations as they move along their virtualization journey. With the launch of VMware vSphere®... All Mac OS Webcasts