Macworld - Security researcher Dino Dai Zovi sent a shudder through the Macintosh community late last week when he successfully hacked the Mac with an exploit that he sent to a friend attending the CanSecWest security conference. By gaining shell access to a Mac by pointing the Safari Web browser at a specially-constructed Web page, Dai Zovi won a $10,000 prize from 3Com’s Tipping Point division -- and took a lot of Mac users by surprise.
But if the news of a hacked Mac was alarming in some quarters, security experts say they aren’t the least bit shocked.
"Literally any piece of code is going to have vulnerabilities and the Mac is no exception," said Ray Wagner, Gartner’s managing vice president in the secure business enablement group.
Thomas Kristensen, chief technology officer of security-research firm Secunia, agreed. "Mac systems are as vulnerable as most other operating systems, so anyone with reasonable skills should be able to compromise them," he said.
Most Mac users see their operating system as being much more secure than Windows. That’s true to a certain extent. But much of the Mac’s immunity from malicious attacks can be attributed to hackers going for the more widely used operating system to grab the most attention.
"If a hacker turned their attention to the Mac, it would suffer just as much as Windows," Wagner said. "Attacking the 95 percent of the market gets them more attention."
According to research Wagner did in the last year, an operating system would need to hit the 20 to 30 percent penetration level before it really becomes a target for hackers. This is the point where hackers will feel it is worth the time to expose a vulnerability.
However, in light of last week’s proof-of-concept exploit, Mac users shouldn’t worry that hacks are going to start flooding the market. "Just because there has shown to be a hack, that doesn’t mean there will be all kinds of hacks showing up all of a sudden," Wagner said.
Dino Dai Zovi, the man that found the exploit, hopes for a safer operating system for all Mac users. "I hope the increased visibility due to the publicity surrounding this incident causes more people to search for and responsibly report vulnerabilities in the Mac to help make it a safer platform for everyone," he said.
Dai Zovi said he came up with the hack in about nine hours from the time he got the call from his friend Shane Macaulay, who was attending the CanSecWest conference.
"In this instance, breaking into the Mac was not particularly difficult," Dai Zovi said. "I got lucky and stumbled across a reliably exploitable vulnerability rather quickly. In many other times in the past, I have spent much longer looking without finding anything. It often comes down to luck and an intuition for where software weaknesses may lie."
Free Insider GuideCopyright © 1994 - 2013 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
