Forgot your password?
typodupeerror
Security Apple

Macs More Vulnerable Than Windows For Enterprise 281

Posted by CmdrTaco
from the commencing-holy-war dept.
sl4shd0rk writes "At a Black Hat security conference in Las Vegas, researchers presented exploits on Apple's DHX authentication scheme which can compromise all connected Macs on the LAN within minutes. 'If we go into an enterprise with a Mac and run this tool we will have dozens or hundreds of passwords in minutes,' Stamos said. Macs are fine as long as you run them as little islands, but once you hook them up to each other, they become much less secure."
This discussion has been archived. No new comments can be posted.

Macs More Vulnerable Than Windows For Enterprise

Comments Filter:
  • by Anonymous Coward on Tuesday August 09, 2011 @09:34AM (#37031996)

    Macs Good! Microsoft BAD! MACDOR THE BARBARIAN SMASH THE HEATHENS!!!!

    --
    Filter error: Don't use so many caps. It's like YELLING.
    (really? you'd almost think that was the intent

    • Mac is a evil pathetic dogmatic corporation. Mac BAD, Microsoft BAD. I also hate mate because they bastardized the greatest OS ever, Free BSD. Mac needs to stop child labor and labor camps associated with their company, and stop suing people because they are jealous of their success. They are a bunch of cry babies that need to be put down.
  • by improfane (855034) on Tuesday August 09, 2011 @09:35AM (#37032004) Journal

    ...when you hook them up.

    I have no love for Apple but even this article smells like astroturfing.

    • by gcnaddict (841664)
      Have you seen any recent networked exploits on Windows which compromise an entire bank of passwords?

      No? That's what I thought.
      • Re: (Score:2, Funny)

        by somersault (912633)

        Isn't that just because it isn't news when it happens on Windows?

      • by NatasRevol (731260) on Tuesday August 09, 2011 @09:54AM (#37032216) Journal

        You might want to go read the actual presentation.

        It starts out with an exploit called Aurora, which compromises AD.

        Whoops.

        • by NatasRevol (731260) on Tuesday August 09, 2011 @09:59AM (#37032254) Journal

          And the Mac exploit STILL REQUIRES AN ADMIN PASSWORD. Which is not typically given to users in a corporate setting - at least by sane sysadmins.

          • by hansraj (458504)

            The whole point of TFA is that if even one computer gets infected on the network then it can be used to infect other machines without requiring the admin password on the remote machine. All it would take is one malicious person with physical access to one mac, or one careless click from someone who does has admin access to their own mac in the building.

            • Yeah. And how is that not having the admin password?

              Tell you what, give me the admin password to an active directory forest. See if I can fuck things up a bit. Want to bet I can?

          • If you configure Windows or *nix right, it requires an admin password as well...

        • by DrgnDancer (137700) on Tuesday August 09, 2011 @10:40AM (#37032630) Homepage

          It's also worth pointing out that the "exploits" for Macs these guys found require an amazing amount of stupidity on the part of the system/network admins. We're supposed to worried about using Macs in "Enterprise" level exploits, but the configuration required for exploiting is distinctly amateur.

          They claim DHX is vulnerable, Kerberos is not; but it's "trivial" to change the scheme. This is true if you have root on the server box, but getting there should not be "trivial" in the first place. Even with DHX, you need to get admin privileges on a workstation box to start sniffing passwords. Again, that shouldn't be trivial in the first place. Admin accounts should only belong to trained administrative users, whether your OS is Windows, MacOS, or Linux. Sure, if you make every Tom, Dick, and Sue an admin you're highly vulnerable to social engineering attacks. On any OS. OSX permits and encourages privilege separation like any other OS; if you chose not to use it, you're an idiot, not "Enterprise IT".

          A competently administered Mac network, with proper encryption, privileged separation, threat training , etc should be no more vulnerable than any other if I'm reading this right (I read the slides form the presentation in addition to the almost useless article). The take home point shouldn't be "Don't use Macs", it should be "Treat Macs like every other client and server." They're not more vulnerable, they're just not full of magic hacker repelling pixie dust.

          • It's no more 'amateur' than the way these sites that keep getting hacked are setup, and they're supposedly enterprise-level business as well.

          • Maybe. But I've heard too often that "Macs are more secure than Windows, so we don't need safety stuff." Mind you, this came from the guy who wanted to install an AV on all their Powerbooks, but handed out same Powerbooks without proper passwords, no password policy, no automatic lockdown and admin accounts to everyone.

            I think these stories are valuable because you can show them to the twits in power who think that Macs are magically more secure, and drop every security practice there is.

          • by thoromyr (673646)

            Yeah, the whole thing is kinda... stupid. Admittedly I only skimmed the "article", but: so... if you can put arbitrary code on the update server you can infect every mac that gets updates from it? Really? Color me shocked and surprised, news at 11

            Some good quotes, like "With a large enterprise, you have to assume that people are going to get tricked into installing malware." which is another way of saying "if you can get someone to run arbitrary code then you can do arbitrary things on their computer". Duh.

            • Admittedly there is one semi-serious problem. DHX is apparently vulnerable to false credential attacks, and I believe that it is the default way that Macs servers handle AD type user management. It *shouldn't* be a problem: default user accounts shouldn't be able to escalate privileges to allow the attack, and admins should set up the more secure Kerberos ticketing scheme anyway. That said, Apple should fix it. Even offering an option this vulnerable, even if other, better, alternatives exist is a bad i

              • by CalTrumpet (98553)
                Admins can't fix this. There is no way to restrict OS X clients (and it's the clients we care about in auth downgrade attacks) from using DH.
          • by Anomalyst (742352)

            A competently administered Mac network

            A rare and exotic animal. Turtleneck computers weasel their way into school districts and the IT savvy of network admins in your average school district is woefully inadequate, even if they have the savvy the teachers unions will force them to allow trivial passwords and universal access to all resources (by hardcoded P address of course, because neither side of the IT gap really grasp the enterprise utility of DNS or DHCP and rarely have the skills to administrate it) which includes admin passwords. Welcom

          • by Zemplar (764598)

            ... you're an idiot, not "Enterprise IT".

            You obviously don't work for my company.

          • by CalTrumpet (98553) on Tuesday August 09, 2011 @12:20PM (#37033830)
            I am the researcher quoted in the article.

            This would be easier if the story linked to the real presentation [isecpartners.com].

            Yes, Apple services generally support Kerberos as an authentication scheme. The problem is that it's almost always possible to downgrade from Kerberos to unsigned Diffie-Hellman and retrieve the plaintext password trivially. This requires an active MITM attack on the network. Traditional ways attackers have done this include ARP spoofing, DHCP spoofing and DNS poisoning attacks. Our talk also discussed a Mac-specific MITM which uses Bonjour to temporarily take over the identity of OS X servers and relay or downgrade authentication.

            Even if OS X allowed itself to be limited to Kerberos auth (and it doesn't) most Apple protocols do not perform channel binding, meaning there is no cryptographic integrity protection tied to the initial handshake. This allows an attacker to relay the Kerberos handshake and then modify the resultant communication, which can be disastrous if the communication is security critical, such as LDAP or an AFP mounted home directory.

            A competently administered Mac network, with proper encryption, privileged separation, threat training , etc should be no more vulnerable than any other

            That is incorrect. Our research has shown that it is currently impossible to secure a network using OS X services. The only secure Mac network is one that runs the machines as separate "islands" without directory services, file sharing, or remote server administration. There are a lot of insecure Windows networks, due to the use of downlevel versions as well as configuration mistakes, but in theory you can build a new Windows 2008R2/7 Active Directory network that is hardened against network privilege escalation using GPO (KerbOnly, NoLMHash, RPC privacy/integrity, AD integrated IPSec, smartcard auth, etc...)
            • Re: (Score:2, Insightful)

              by recoiledsnake (879048)

              Watch out, once they lose the forced and convoluted arguments to support Apple and discredit MS, this what they will degenerate to:

              http://www.computerworld.com.au/article/188807/mac_worm_author_receives_death_threats/ [computerworld.com.au]

              After all ,it's a religion.

              http://www.businessinsider.com/apple-is-a-religion-neuroscientists-find-it-triggers-the-same-reaction-in-your-brain-2011-5 [businessinsider.com]

            • Excellent of you to comment. I did in fact find and read your slides before commenting, but I did not see where you pointed out that clients could force a downgrade of the auth protocols. That is indeed far more concerning. Typically when I've used any significant number of Macs on a network I link just them into the infrastructure I use for my Linux clients (usually OpenLDAP over TLS) so I've not really ever tried to use the Apple services. I still stand by my assertion that a well configured Mac netwo

          • by rgviza (1303161)
            the "exploits" for Macs these guys found require an amazing amount of stupidity
            ---
            Out in the real world, there's an amazing amount of stupidity.
        • by DesScorp (410532)

          You might want to go read the actual presentation.

          It starts out with an exploit called Aurora, which compromises AD.

          Whoops.

          So the questions is, if it's AD, are Macs using AD somehow more vulnerable than Windows boxes? Or is the threat equal and the article misrepresenting things?

          Either way, is AD the real problem?

        • by sl4shd0rk (755837)

          It starts out with an exploit called Aurora, which compromises AD.

          Whoops.

          Actually, on page 6 (and 20) of the pdf, the exploit starts by tricking the user into clicking a malicious link in Safari; but yeah, the Windows Domain Controller gets the second bullet.

          • No, the AD hack doesn't rely on Safari. It just says click on malicious link - no browser mentioned.

            Safari is mentioned as a route for compromise on the Mac side though. One that still requires you to type in an admin password to get admin privs.

    • by ByOhTek (1181381)

      More a reply to your sig, in particular, the last book... You like alien pornos?

      You may be the one who referenced him last week or the week before, but if not, I'd recommend Alistair Reynods, since your other books suggest you can live with sci-fi lacking porn.

      • by improfane (855034)

        Uhhh...well. I cannot say I am massively into alien pornos, I don't really know for sure since I have not tried them. I don't mind romance or naughty bits in science fiction but as long as it does not distract from the science or depiction of the future.

        Wait a minute, you tricked me!

    • All computers are less secure ... when you hook them up.

      If that were true then hooking my computer up to the internet could end is disaster! It's a good thing I'm using a Siemen's SCADA firewall.

    • by improfane (855034)

      Oh I should have read the article. It's a genuine exploit for Apple computers. It's also the Black Hat conference and not a media release. Apologies Slashdot crowd.

      Just goes to show that all software has bugs and it is highly likely that those bugs include security bugs. Nobody is immune from making mistakes.

      One thing I find amusing is that Apple deploys malware detection called XProtect based on string matching [avast.com]. It is irresponsible to say that Macs are completely immune from malware. Security on Macs can o

    • by TWX (665546)

      I have no love for Apple but even this article smells like astroturfing.

      To me it sounds like there's two flaws that compound a problem. I don't know much about Apple's auth scheme, but I wouldn't be surprised if either the machines share credential information to such an extent that one infected machine ends up with a bunch of tasty data, or if there's a remote vulnerability that is normally not accessible when an Apple is behind a firewall and not on a direct network segment with another Apple. It's quit

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      ...when you hook them up.

      I have no love for Apple but even this article smells like astroturfing.

      Can we please stop this Slashdot trend of calling everything that don't immidiately fit into our worldview for astroturfing. The article is sensationalist (duh, it's The Register!) but these are security researches presenting at the Black Hat conference, check out other sources and the actual basis for their claim before immidiately jumping to the astroturfing cop-out.

      I've seen people with posting histories long as a mile proving they are Linux users and supporters getting called M$ astroturfers because t

  • And? (Score:4, Insightful)

    by Bert64 (520050) <bert&slashdot,firenzee,com> on Tuesday August 09, 2011 @09:37AM (#37032018) Homepage

    Windows machines can be pretty secure on their own too, but once hooked up to an active directory domain they are only as secure as the weakest point...

    Also, this seems to be a particular authentication scheme which is flawed, windows has similar flawed schemes (google: pass the hash).

    Finally this just seems to be a stupid bug in a service used for pushing updates, and should therefore be relatively easy to fix.

    • Re: (Score:3, Interesting)

      by Baloroth (2370816)

      Read TFA. It is possible (trivially, supposedly) to force Macs to use DHX (the insecure protocol). So, essentially, even if you use the secure system, it doesn't matter. That is a bit troubling for OS X enterprise users, to say the least.

      I suppose the lesson here is that after 15 years of being the #1 target, M$ might finally be starting to get its shit in a respectable state, while Apple, for all its theoretical security, has very little experience dealing with actual security issues. Or maybe it's just a

      • Re:And? (Score:4, Funny)

        by NatasRevol (731260) on Tuesday August 09, 2011 @10:12AM (#37032360) Journal

        It's not a bug, it's a design difference. On Mac Server, it does fall back to simpler protocols because that's how it was often set up - no real sysadmins means no consistent use of strong authentication.

        However, it would all go away if Apple required and ONLY allowed kerberos for authentication of any service from OS X Server. In other words, just like AD.

        Having said that, this exploit still requires an admin password to escalate privileges - which isn't typically given in a corporate setting. In other words, admin passwords can do admin things.

        • by Bert64 (520050)

          AD doesn't require and exclusively make use of kerberos, it can (and by default does, although which ones depend on the version) use weaker authentication schemes (ntlm, ntlmv2, lanman)... Apparently the hash passing vulnerabilities also exist when using kerberos only, its just that tools to exploit this are not publicly available to do this yet.

          • And if any sysadmin doesn't turn all those weak protocols off as one of the very first things in setting up the server, he needs to turn in his pocket protector. In our AD policies turn those protocols off on the client machines before joining to AD. Using Kerberos is a requirement to join.
        • by rgviza (1303161)
          Having said that, this exploit still requires an admin password to escalate privileges
          --
          Or a privilege escalation exploit...
      • by Bert64 (520050)

        But it doesn't *require* DHX, therefore it should be a relatively easy patch to make it possible to force DHX off at all times.

      • Re: (Score:3, Insightful)

        by sl4shd0rk (755837)

        ...while Apple, for all its theoretical security, has very little experience dealing with actual security issues. Or maybe it's just a random bug, IDK.

        Exactly. The bigger picture is concerning because Apple really *is* poised to become the Next Big Thing on the Desktop (Sorry Linux. Your awesome, but slaying the n00bs will never get you on the Desktop). Hopefully Apple will do a better job at fixing vulnerabilities than Microsoft did. The user's are (As usual) going to be key howerver because (FTFA - pdf link):

        * Apple users feel safe because they have no history of exploitation
        * Apple users tend to be just as ignorant as a

        • by rgviza (1303161)
          Exactly. The bigger picture is concerning because Apple really *is* poised to become the Next Big Thing on the Desktop

          --
          not at those prices...
    • Windows machines can be pretty secure on their own too, but once hooked up to an active directory domain they are only as secure as the weakest point...

      Just because a windows computer has joined a domain does not mean the domain now has root or for that matter *any* access to the local computer. It is still determined by local policy.

      Also, this seems to be a particular authentication scheme which is flawed, windows has similar flawed schemes (google: pass the hash).

      Windows of today uses kerberos.

      • Re:And? (Score:4, Informative)

        by Revotron (1115029) on Tuesday August 09, 2011 @10:54AM (#37032758)
        I do have modpoints, but unfortunately there is no "-1, Wrong" rating. And unlike other people, I will not substitute Troll, Overrated or Flamebait.

        But anyway, back to the topic at hand... uh, where the hell do you work? I work in a very Windows-heavy environment, and every time we add any Windows boxen to the domain, the domain admins get automatic admin rights. There's nothing we can do to stop it. This is a 10,000+ workstation university, though, so at least they're distant and maybe (only maybe) competent enough to not abuse it.
      • Re:And? (Score:5, Insightful)

        by Bert64 (520050) <bert&slashdot,firenzee,com> on Tuesday August 09, 2011 @10:54AM (#37032764) Homepage

        Under a typical/default configuration, a domain has full control over a local machine once it has been joined to the domain... Buy that's not the point, the fact that having compromised the *server* you can take control of the *clients* is a given in any distributed authentication scheme, be it nis, kerberos, ldap or whatever...

        The problem discussed in the article is that having compromised a single *client* you can take control of the server or other clients. Windows has such problems too, for instance once a domain user is logged in their password hash is stored on the system where it can be retrieved and then used. Also since most machines are built from images, local admin passwords are often the same and thanks to hash passing vulnerabilities can be used immediately without having to crack them (and as such irrespective of how strong the password is).

        Windows of today still has NTLM and NTLMv2 enabled by default... It also still supports LANMAN although that is disabled by default in the latest versions. It is also apparently possible to do hash passing attacks even with only kerberos enabled, although i'm not aware of tools for doing that being widely available yet.

        Ideally compromising a single client should get you nowhere (and many admins incorrectly assume this to be true)... But as some recent high profile attacks show, a serious attack can easily start from a single unimportant workstation, and there are many ways to compromise a single workstation (social engineering, browser exploit, malicious document exploiting whatever app they open it with etc)...

        What is really needed, is a complete rethink of the old perimeter defence model... Although you can (and should) take steps to reduce the chances of the perimeter being breached in the above ways, if you don't pay attention to internal security then once a single small breach has happened its game over for you.

  • I found 10.7 with Airport turned on and little snitch (software outgoing firewall for Mac OS X) needing to be reinstalled....
    Could it be?
  • Mac's lacking are Enterprise tools that windows has.

    At least apple should yet you run mac os X sever on ANY VM on any hardware.

    • With Lion and VMWare ESX 5.0 you'll be able to do this. The license terms were changed in Lion to allow you to run in a VM, and ESX 5.0 will come with UEFI as a boot option.

      http://www.ntpro.nl/blog/archives/1786-vSphere-5-Video-EFI-the-Extensible-Firmware-Interface.html [ntpro.nl]

      • by Anomalyst (742352)
        Unfortunately there are no affordable/commodity hardware platforms that will allow you to use more than 4GB of memory in your host to support multiple IOS Guest VM.
    • At least apple should yet you run mac os X sever on ANY VM on any hardware.

      Nice cut-n-paste job. If it's a genuine comment then I apologize for the error of mistaking a word-for-word comment used in what seems every damn Apple in the enterprise article submitted on slashdot.

      The problem with the "any hardware" theory is that (1) Apple would not allow a stupid thing like that to occur again because they are a hardware company and the clone experiment didn't work out and (2) it's not even close to being requi

  • by Midnight Thunder (17205) on Tuesday August 09, 2011 @09:48AM (#37032146) Homepage Journal

    Reading the tech note (marked archived) it makes it appear that DHX is an optional install and it is not clear. Also, doesn't MacOS X also provide enterprise grade solutions for authentication? Kerberos is available out of the box if I understand, for example.

    BTW With the description "The DHX (Diffie-Hellman Exchange) UAM provides a relatively secure way to transport cleartext passwords..." (emphasis mine),
    I am not sure you would want to use this for anything serious.

    • The DHX UAM was introduced to Mac OS X 10.0. That should tell you something about how secure (or not) it is. It's over 10 years old, and deals in clear text.

      Apple really should give you a way to disable this, and have it disabled by default; allowing a sysadmin to turn it on only if absolutely necessary.

  • by schmidt349 (690948) on Tuesday August 09, 2011 @09:48AM (#37032150)

    defaults write com.Apple.AppleShareClient afp_cleartext_allow -bool NO

    There, that wasn't so hard, was it? Oh, and their hack only works if the server is on the same subnet as the other machines, which is a really bad idea for secure networks to begin with.

    To be sure, keeping Diffie-Hellman around in an era when sending plaintext passwords is anathema was pretty stupid, but you can bet that it'll be dead and gone in 10.7.1. This hack is not nearly as scary or as "persistent" as all that, and conveniently their paper isn't available for download and perusal. Looks like they just wanted their names in the news.

    Next up, these same hackers break DES and show you how to infiltrate BSD 3! What will they think of next?

    • by CalTrumpet (98553)

      You can turn off plaintext auth, but you cannot disable unsigned DH.

      Even if you could restrict to kerberos, there is no channel binding protecting the contents of these protocols, so auth relay attacks are pretty easy to pull off.

      The mDNS MITM attack can be carried out across Layer-3 routing in some circumstances. In situations where this does not work, an attack against clients on the same broadcast domain is just as effective.

      I would love for these issues to be fixed in 10.7.1, but that is extremely unli

  • by mark-t (151149)

    FTA:

    To demonstrate the threat, they developed a proof-of-concept that runs on a Mac connected to a local area network. It waits to be contacted by a machine running OS X server and then quickly copies all its authentication credentials. Next, it contacts other Macs on the network and pretends to be the administrator machine, and when they respond it is able to steal valuable data.

    Why is the server transmitting any authentication credentials to a machine that it hasn't actually confirmed is supposed to be

    • by Chuckstar (799005)

      The article got it wrong. There's a PowerPoint linked at the bottom that explains it better. The infected machine spoofs the server. A client looking for the OS X server instead authenticates to the infected machine. The infected machine now has one user's credentials, so can do whatever that user can (including, I guess, act as man-in-the-middle passing legitimate requests to/from the server so that the user perceives not problem with the network).

      In the PowerPoint, they show the infected machine getti

  • by Udo Schmitz (738216) on Tuesday August 09, 2011 @09:56AM (#37032234) Journal

    Do I understand their presentation correctly? Users in said Enterprise have admin privileges?

    • by NatasRevol (731260) on Tuesday August 09, 2011 @10:13AM (#37032376) Journal

      Yeah, which is not the case most of the time.

      Users with admin passwords can do admin things. Duh.

      Meaning this 'exploit' isn't much of an exploit.

      • by snemarch (1086057)

        Admin passwords or admin privileges?

        Taking local privilege escalation exploits into consideration, there's a damn big difference between the two.

    • by CapuchinSeven (2266542) on Tuesday August 09, 2011 @10:16AM (#37032400)
      No, you got it, this is a load of rubbish and is being presented as some sort of reason to bash Macs. If you're a Admin and you let your users have admin rights, you shouldn't be in your job. Interestingly, as I understand it, the same vulnerability used on Microsofts AD, doesn't need an admin password. So... how does that make any sense that Macs in enterprise are more vulnerable...?
    • Do I understand their presentation correctly? Users in said Enterprise have admin privileges?

      No. The point is that *any* device which gets access to a network with OS X server can:

      1) Wait to be contacted by OS X server. The server will stupidly identify itself with network-wide credentials (can be used for other hosts)
      2) Device under attacker'c control turns around and starts contacting *other* machines using the credentials it has just learned from the server.
      3) Other OSX machines will stupidly answer the request and will previde their *own* credentials since you are "obviously" a trusted server.
      4

  • This should be no surprise to anyone. MacBook, MacBook Pro, iMac, Macmini, and Mac Pro are not enterprise machines. The service and support offered by Apple to Enterprise customers is below the needs of an enterprise environment. Mac OS X is increasingly more consumer oriented as well. And I think it is no secret that Apple has been pulling anything that resembles Enterprise -anything and focusing more on consumer-side things.

    So... is this a surprise?

    • by Caste11an (898046)
      I couldn't agree more. I've been using a MacBook Pro in my enterprise DBA job for the last year. In that time, the Enterprise-grade AD has suffered numerous outages and fallen to two viruses. During that time, my consumer-grade laptop has powered through the darkest hours, providing me with quick access to our data centers and generally outperforming the Windows-based machine on my desk. Furthermore, our corporate wi-fi has been nearly unusable for the past two years, and because our overlords are cheapska
      • by erroneus (253617)

        I think you're not getting it at all.

        All you have shown is that a heterogenus environment has its advantages and most IT people will agree with you. We already know what happens when Christian missionaries visit pygmy villages -- "god's judgement" kills them all with the common cold. Same is true for heterogenus environments.

        But you know, instead of talking about software -- you know, MacOSX can be made to run on any PC after all, let's talk about the thing that actually differentiates the two -- the thin

    • by CompMD (522020)

      Oh I don't know about that. I'm an engineer for a large, multinational aerospace and electronics company. For what I do, I need several computers running different operating systems. Out of the 8 machines I have, two are macs, an imac and a 2011 macbook pro. The macbook pro is seriously the best machine I've ever used for work. I really despise Steve Jobs, but I cannot fault a good product, I really like my macbook pro for work.

  • by mark-t (151149) <markt@@@lynx...bc...ca> on Tuesday August 09, 2011 @10:16AM (#37032404) Journal

    It's my understanding that Linux has even more widespread enterprise adoption than Mac does... so does that mean that we get to see a Linux exploit next?

    And when someone does... any bets on how many hours it will take from actual publication of said exploit until a fix is available? My money's on it being fast enough that by the time most people who might want to exploit it have heard about it, that a fix will already be available, and attentive sysadmins will have already patched their servers.

    • It's my understanding that Linux has even more widespread enterprise adoption than Mac does... so does that mean that we get to see a Linux exploit next?

      While Linux has a strong following in several critical areas of the enterprise, such a servers, this really wasn't about server exploits. Sure, it needed a server to work, but it really was about individual desktops and laptops being used to compromise others from an non-server machine. Since Linux has very low desktop / laptop adoption compared to even Macs I'd say it's doubtful anyone would even try to exploit it. Even if they did, someone would have to be actively looking to detect it - I doubt they'd si

    • by Rich0 (548339)

      Depends - if the exploit works on android phones then I'd expect the patch to be deployed in anywhere from six months to never...

  • My turtleneck is feeling a bit uncomfortable today.

  • DHX is already deprecated in Lion, and people have been bitching about that. Typical Apple hater bait story.

    • by CalTrumpet (98553)

      Slide 41 of the presentation [isecpartners.com] shows the hierarchy of available authentication protocols and the best known attack against each. DHX has technically been deprecated, but it was replaced by DHX2 which has the exact same problem. The MITM tool we demonstrated works just fine on 10.7.

      • Even if it was fully deprecated, I don't know see how it makes the news invalid a typical Apple hater bait story. After all, there are a lot of Macs that haven't been upgraded to Lion. And we see stories about exploits in XP and Vista.

What the scientists have in their briefcases is terrifying. -- Nikita Khruschev

Working...