Mac backers bash MacBook hack, defend OS X's mettle

They're 'in denial,' retorts a vulnerability researcher

The contest at a security conference last week to see who could first find and exploit a vulnerability in Mac OS X has reopened the debate about whether Apple Inc.'s operating system is safer than its rivals, especially Microsoft Corp.'s Windows.

Held at the CanSecWest security conference in Vancouver, the challenge pitted a pair of MacBook Pro notebooks, each with all currently available security patches installed, against all comers. The battle was won by Dino Dai Zovi, who took home a $10,000 prize offered by TippingPoint's Zero Day Initiative.

On Friday, the flaw exploited by Dai Zovi was pinned to Safari, Apple's browser; yesterday, however, it came out that the bug was actually in QuickTime, Apple's media player.

Readers responding to stories in Computerworld and elsewhere were overwhelmingly pro-Mac OS X, while a majority were dismissive of Dai Zovi's exploit. In their comments, they called into question everything and everyone from the vulnerability itself to the CanSecWest organizers' motives.

"It was proven that the hackers could not break OSX. Why? It's hard as hell," said a reader identified as pathogenetic. "OSX is the strongest of the OS's. They had to open up Safari which is a web browser, and a web browser is designed to accept and read information...get my point!"

"Though CanSecWest's contest may have discovered a flaw in Safari, it has not found a flaw in OS X, and CanSecWest could be accused of being a shill for Microsoft," said reader Orlando Smith.

"So this 'Mac OS X Vulnerability' requires that the user open a URL the attacker sends him? How lame is that?" asked Anonymous.

Security researchers and the contest organizer responded to the now-familiar "mine's better" arguments that seem to follow most news of security vulnerabilities on the Mac.

One of the strongest came from Kevin Finisterre, whose "Month of Apple Bugs" project in January got considerable media attention and resulted in a series of patches from the Cupertino, Calif. company. "Mac users are still in denial plain and simple. It is a defensive reaction. The bottom line is Safari is Apple's code," Finisterre said in an e-mail interview. "The fact is there are plenty of bugs still being fixed behind closed doors and still being found behind closed doors. I think at this point the only thing that will completely wake up a Mac user is a good worm or virus."

HD Moore, a vulnerability researcher noted for the Metasploit hacking and attack testing software, took on the claim that Mac OS X is safer than, say, Windows, a position taken by many of the readers/commenters. "The Mac OS X platform is years behind Linux, Windows, and OpenBSD in terms of operating-system security," said Moore in a separate e-mail interview. "All of the above platforms support some form of address randomization (ASLR) and include features that make exploitation slightly more difficult.

"[But] from a user's perspective, Mac OS X may look safer, simply because there are less people exploiting it," Moore continued.

"We don't have any security issues?" asked conference and contest organizer Dragos Ruiu rhetorically. "Get real. This was a litmus test. There are [Mac] security issues dormant out there, and we wanted to shake them out." He also reacted to the contention that the bug is less dangerous because it involves the browser; Dai Zovi's exploit required a user to click on a link in an e-mail which in turn opened a malicious Web site containing the exploit code. "Some of the bugs that have been found in [Microsoft's] Internet Explorer and used to such devastating effect are similar. That [attack vector] is one of the major threats right now. These people just aren't thinking."

Vincent Weafer, senior director of Symantec Corp.'s security response team, however, called the contest a publicity stunt, echoing some reader comments. "It doesn't prove or change anything," Weafer said. "All technologies have vulnerabilities...but although Mac [OS X] and Windows have roughly a comparable number of vulnerabilities, the number of exploits on the Mac are radically fewer. We just don't see the activity on the Mac that we do on Windows."

Moore agreed with Weafer here. "Until OS X becomes a valuable target for botnets and malware installers, the user base will see very little visible impact from security issues," he said. "It's just a matter of market share right now."

But this stealth defense, that Macs are less vulnerable because Apple's 5% share of the U.S. market makes them unlikely targets, didn't sit well with Finisterre. "The thing that I have a problem with is when hacks don't occur folks claim that it proves [their machines] are rock solid," he said.

"What this proves to me is that someone knows that their zero-day is worth a lot more than a $3,000 MacBook or whatever prize is being offered," said Finisterre.

Moore seconded that bottom-line bottom line. "CanSecWest did a great job of defining the value of Mac OS X security," he said. "$10,000 will get you access to someone else's Mac, regardless of security patches."

Copyright © 2007 IDG Communications, Inc.
