Macs More Vulnerable Than Windows For Enterprise
sl4shd0rk writes "At a Black Hat security conference in Las Vegas, researchers presented exploits on Apple's DHX authentication scheme which can compromise all connected Macs on the LAN within minutes. 'If we go into an enterprise with a Mac and run this tool we will have dozens or hundreds of passwords in minutes,' Stamos said. Macs are fine as long as you run them as little islands, but once you hook them up to each other, they become much less secure."
NNNGGGHYAAA!!!! (Score:5, Funny)
Macs Good! Microsoft BAD! MACDOR THE BARBARIAN SMASH THE HEATHENS!!!!
--
Filter error: Don't use so many caps. It's like YELLING.
(really? you'd almost think that was the intent
Re: (Score:2)
Re: (Score:2)
I think you mean Apple, not Mac...
All computers are less secure (Score:3, Insightful)
...when you hook them up.
I have no love for Apple but even this article smells like astroturfing.
Re: (Score:2)
No? That's what I thought.
Re: (Score:2, Funny)
Isn't that just because it isn't news when it happens on Windows?
Re: (Score:3)
Erm. it's ALWAYS big news on Slashdot when the news is anything anti-MS, regardless of it being true or not.
Remember this story(and countless others)? http://tech.slashdot.org/article.pl?sid=09/02/16/2259257 [slashdot.org]
Re:All computers are less secure (Score:5, Informative)
You might want to go read the actual presentation.
It starts out with an exploit called Aurora, which compromises AD.
Whoops.
Re:All computers are less secure (Score:5, Informative)
And the Mac exploit STILL REQUIRES AN ADMIN PASSWORD. Which is not typically given to users in a corporate setting - at least by sane sysadmins.
Re: (Score:3)
The whole point of TFA is that if even one computer gets infected on the network then it can be used to infect other machines without requiring the admin password on the remote machine. All it would take is one malicious person with physical access to one Mac, or one careless click from someone who does have admin access to their own Mac in the building.
Re: (Score:2)
Yeah. And how is that not having the admin password?
Tell you what, give me the admin password to an active directory forest. See if I can fuck things up a bit. Want to bet I can?
Re: (Score:2)
That's not the case though. Otherwise, it can't authenticate to another network Mac. Unless all the local admin passwords are the same, in which case they're effectively the network admin password.
It's always going to need the network admin password. Now lazy sysadmins often make them the same as the local admin passwords, but they're not actually the same thing.
Re: (Score:3)
You might want to go actually read the presentation. It does need an admin password in order to get privilege escalation. See pages 32-34 in the presentation.
There is no exploit here on getting the local admin or network admin password. It requires an admin password to ... wait for it ... do admin type things on the network.
Re: (Score:2)
From page 32:
Privileged credentials in the keychain can be used to spread and explore
ie network admin login credentials.
Or all the local admin logins are the same - which is essentially a network admin password. Often, computers are set up with the same local admin account across all/most machines - Mac or PC.
Re: (Score:2)
Two things.
1. *How* to decrypt the keychain would be an important detail
2. Still doesn't mean that it's not using network/admin passwords.
Re: (Score:2)
If you configure Windows or *nix right, it requires an admin password as well...
Re: (Score:2)
Yeah, that's not really a remote exploit now is it?
And you don't need the fsck at all, showing that you don't really understand it but just copy & pasted.
It's not any different than booting from a linux cd that can crack the passwords on a Windows machine.
Re:All computers are less secure (Score:5, Insightful)
It's also worth pointing out that the "exploits" for Macs these guys found require an amazing amount of stupidity on the part of the system/network admins. We're supposed to be worried about using Macs in "Enterprise" level exploits, but the configuration required for exploiting is distinctly amateur.
They claim DHX is vulnerable, Kerberos is not; but it's "trivial" to change the scheme. This is true if you have root on the server box, but getting there should not be "trivial" in the first place. Even with DHX, you need to get admin privileges on a workstation box to start sniffing passwords. Again, that shouldn't be trivial in the first place. Admin accounts should only belong to trained administrative users, whether your OS is Windows, MacOS, or Linux. Sure, if you make every Tom, Dick, and Sue an admin you're highly vulnerable to social engineering attacks. On any OS. OSX permits and encourages privilege separation like any other OS; if you choose not to use it, you're an idiot, not "Enterprise IT".
A competently administered Mac network, with proper encryption, privilege separation, threat training, etc. should be no more vulnerable than any other if I'm reading this right (I read the slides from the presentation in addition to the almost useless article). The take home point shouldn't be "Don't use Macs", it should be "Treat Macs like every other client and server." They're not more vulnerable, they're just not full of magic hacker repelling pixie dust.
Re: (Score:2)
It's no more 'amateur' than the way these sites that keep getting hacked are setup, and they're supposedly enterprise-level business as well.
Re: (Score:3)
Maybe. But I've heard too often that "Macs are more secure than Windows, so we don't need safety stuff." Mind you, this came from the guy who wanted to install an AV on all their Powerbooks, but handed out same Powerbooks without proper passwords, no password policy, no automatic lockdown and admin accounts to everyone.
I think these stories are valuable because you can show them to the twits in power who think that Macs are magically more secure, and drop every security practice there is.
Re: (Score:2)
Yeah, the whole thing is kinda... stupid. Admittedly I only skimmed the "article", but: so... if you can put arbitrary code on the update server you can infect every mac that gets updates from it? Really? Color me shocked and surprised, news at 11
Some good quotes, like "With a large enterprise, you have to assume that people are going to get tricked into installing malware." which is another way of saying "if you can get someone to run arbitrary code then you can do arbitrary things on their computer". Duh.
Re: (Score:2)
Admittedly there is one semi-serious problem. DHX is apparently vulnerable to false credential attacks, and I believe that it is the default way that Macs servers handle AD type user management. It *shouldn't* be a problem: default user accounts shouldn't be able to escalate privileges to allow the attack, and admins should set up the more secure Kerberos ticketing scheme anyway. That said, Apple should fix it. Even offering an option this vulnerable, even if other, better, alternatives exist is a bad i
Re: (Score:2)
Re: (Score:2)
A competently administered Mac network
A rare and exotic animal. Turtleneck computers weasel their way into school districts and the IT savvy of network admins in your average school district is woefully inadequate, even if they have the savvy the teachers unions will force them to allow trivial passwords and universal access to all resources (by hardcoded IP address of course, because neither side of the IT gap really grasps the enterprise utility of DNS or DHCP and rarely has the skills to administrate it) which includes admin passwords. Welcom
Re: (Score:2)
... you're an idiot, not "Enterprise IT".
You obviously don't work for my company.
Re:All computers are less secure (Score:5, Informative)
This would be easier if the story linked to the real presentation [isecpartners.com].
Yes, Apple services generally support Kerberos as an authentication scheme. The problem is that it's almost always possible to downgrade from Kerberos to unsigned Diffie-Hellman and retrieve the plaintext password trivially. This requires an active MITM attack on the network. Traditional ways attackers have done this include ARP spoofing, DHCP spoofing and DNS poisoning attacks. Our talk also discussed a Mac-specific MITM which uses Bonjour to temporarily take over the identity of OS X servers and relay or downgrade authentication.
Even if OS X allowed itself to be limited to Kerberos auth (and it doesn't) most Apple protocols do not perform channel binding, meaning there is no cryptographic integrity protection tied to the initial handshake. This allows an attacker to relay the Kerberos handshake and then modify the resultant communication, which can be disastrous if the communication is security critical, such as LDAP or an AFP mounted home directory.
A competently administered Mac network, with proper encryption, privilege separation, threat training, etc. should be no more vulnerable than any other
That is incorrect. Our research has shown that it is currently impossible to secure a network using OS X services. The only secure Mac network is one that runs the machines as separate "islands" without directory services, file sharing, or remote server administration. There are a lot of insecure Windows networks, due to the use of downlevel versions as well as configuration mistakes, but in theory you can build a new Windows 2008R2/7 Active Directory network that is hardened against network privilege escalation using GPO (KerbOnly, NoLMHash, RPC privacy/integrity, AD integrated IPSec, smartcard auth, etc...)
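The relay problem described above (an authentication handshake that can be forwarded over a second connection because nothing ties it to the transport channel) is illustrated below in a toy simulation. This is an added example, not code from the researchers or from Apple; the HMAC authenticator, the `tls_unique` value standing in for a TLS channel-binding token, and the session key are all constructed for the demonstration. It shows the defender's fix: once the client folds a channel-binding value into the authenticator, a verifier on a different channel rejects it, while a direct connection still succeeds.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Channel:
    """One transport connection between two parties.

    tls_unique stands in for a per-connection binding value such as TLS's
    'tls-unique' (constructed here with random bytes).
    """
    peer: str
    tls_unique: bytes


def new_channel(peer: str) -> Channel:
    return Channel(peer, os.urandom(32))


def channel_binding(chan: Channel) -> bytes:
    # The binding token is derived from the connection, never from the user.
    return hashlib.sha256(b"tls-unique:" + chan.tls_unique).digest()


def make_authenticator(session_key: bytes, principal: str, chan: Channel, bind: bool) -> bytes:
    """Client side: prove possession of the session key (e.g. a Kerberos session key).

    With bind=False the proof says only "I know the key"; with bind=True it
    also says "...and I am speaking over THIS channel".
    """
    cb = channel_binding(chan) if bind else b""
    msg = b"AUTH|" + principal.encode() + b"|" + cb
    return hmac.new(session_key, msg, hashlib.sha256).digest()


def server_verify(session_key: bytes, principal: str, chan: Channel, authenticator: bytes, bind: bool) -> bool:
    """Server side: recompute the expected proof over the channel it actually sees."""
    expected = make_authenticator(session_key, principal, chan, bind)
    return hmac.compare_digest(expected, authenticator)


def direct_login(bind: bool) -> bool:
    """Honest case: client and server share one connection."""
    session_key = os.urandom(32)
    chan = new_channel("server")
    auth = make_authenticator(session_key, "alice", chan, bind)
    return server_verify(session_key, "alice", chan, auth, bind)


def relayed_login(bind: bool) -> bool:
    """Man-in-the-middle case: the client's connection ends at the attacker,
    who opens a separate connection to the real server and forwards the
    authenticator unchanged. The attacker never learns the session key.
    """
    session_key = os.urandom(32)
    client_to_attacker = new_channel("attacker")   # what the client sees
    attacker_to_server = new_channel("server")     # what the server sees
    auth = make_authenticator(session_key, "alice", client_to_attacker, bind)
    # Forwarded verbatim; only the channel under it differs.
    return server_verify(session_key, "alice", attacker_to_server, auth, bind)


if __name__ == "__main__":
    for bind in (False, True):
        print(f"channel binding={bind}: direct={direct_login(bind)} relayed={relayed_login(bind)}")
```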
Re: (Score:2, Insightful)
Watch out, once they lose the forced and convoluted arguments to support Apple and discredit MS, this is what they will degenerate to:
http://www.computerworld.com.au/article/188807/mac_worm_author_receives_death_threats/ [computerworld.com.au]
After all, it's a religion.
http://www.businessinsider.com/apple-is-a-religion-neuroscientists-find-it-triggers-the-same-reaction-in-your-brain-2011-5 [businessinsider.com]
Re: (Score:2)
Excellent of you to comment. I did in fact find and read your slides before commenting, but I did not see where you pointed out that clients could force a downgrade of the auth protocols. That is indeed far more concerning. Typically when I've used any significant number of Macs on a network I link just them into the infrastructure I use for my Linux clients (usually OpenLDAP over TLS) so I've not really ever tried to use the Apple services. I still stand by my assertion that a well configured Mac netwo
Re: (Score:3)
There are a couple of different issues here. Escalating locally (even from inside the sandbox) can be done via impersonating an escalation prompt or by an offline brute-force of the keychain. Our criticism of the keychain is that it provides a decryption oracle that can be moved off of the machine and cracked at the leisure of the attackers. Even though it's relatively strong (1000 round MD5) state-sponsored attackers will definitely recover poor passwords.
There are also often local privilege escalation
Re: (Score:3)
So how is this different from any other OS? sudoer is sudoer.
The escalation prompt impersonation is in no way unique to OS X. We never said it was, although it's a bit easier on OS X than on Windows.
There seems to be some misunderstanding on Slashdot of the purpose of this research. Our goal was to apply our experience with advanced attacks against corporate Windows networks against equivalent Apple technologies so that the defenders could stay one step ahead. We have a lot of clients that are now 40, 50
Re: (Score:3)
Ah, so... according to your research, if you already have the admin pw and physical access, infiltrating the Mac network would be easier than infiltrating the dream Windows system you envision without having the admin pw or physical access. Truly outstanding and brilliant work.
I have no idea what you are talking about.
The point was that Apple has done a good job preventing initial exploitation and trying to contain exploitation to a low-rights process. If the attacker is able to defeat those protections, w
Re: (Score:2)
---
Out in the real world, there's an amazing amount of stupidity.
Re: (Score:3)
That kinda is my point. If you do a bad job of building your network, it's going to be vulnerable, regardless of OS. If you do a good job (and MacOS has the tools to do a good job, the presentation points them out indirectly), you will be less vulnerable, regardless of OS. These guys are focusing on: "Don't use Macs in the enterprise" rather than the more obvious lesson: "Treat Macs in the enterprise with the same degree of care as any other machine with any other OS"
Re: (Score:2)
You might want to go read the actual presentation.
It starts out with an exploit called Aurora, which compromises AD.
Whoops.
So the question is, if it's AD, are Macs using AD somehow more vulnerable than Windows boxes? Or is the threat equal and the article misrepresenting things?
Either way, is AD the real problem?
Re: (Score:2)
It starts out with an exploit called Aurora, which compromises AD.
Whoops.
Actually, on page 6 (and 20) of the pdf, the exploit starts by tricking the user into clicking a malicious link in Safari; but yeah, the Windows Domain Controller gets the second bullet.
Re: (Score:2)
No, the AD hack doesn't rely on Safari. It just says click on malicious link - no browser mentioned.
Safari is mentioned as a route for compromise on the Mac side though. One that still requires you to type in an admin password to get admin privs.
Re: (Score:2)
More a reply to your sig, in particular, the last book... You like alien pornos?
You may be the one who referenced him last week or the week before, but if not, I'd recommend Alastair Reynolds, since your other books suggest you can live with sci-fi lacking porn.
Re: (Score:2)
Uhhh...well. I cannot say I am massively into alien pornos, I don't really know for sure since I have not tried them. I don't mind romance or naughty bits in science fiction but as long as it does not distract from the science or depiction of the future.
Wait a minute, you tricked me!
Re: (Score:3)
All computers are less secure ... when you hook them up.
If that were true then hooking my computer up to the internet could end in disaster! It's a good thing I'm using a Siemens SCADA firewall.
Re: (Score:2)
Oh I should have read the article. It's a genuine exploit for Apple computers. It's also the Black Hat conference and not a media release. Apologies Slashdot crowd.
Just goes to show that all software has bugs and it is highly likely that those bugs include security bugs. Nobody is immune from making mistakes.
One thing I find amusing is that Apple deploys malware detection called XProtect based on string matching [avast.com]. It is irresponsible to say that Macs are completely immune from malware. Security on Macs can o
Re: (Score:2)
To me it sounds like there's two flaws that compound a problem. I don't know much about Apple's auth scheme, but I wouldn't be surprised if either the machines share credential information to such an extent that one infected machine ends up with a bunch of tasty data, or if there's a remote vulnerability that is normally not accessible when an Apple is behind a firewall and not on a direct network segment with another Apple. It's quit
Re: (Score:3, Insightful)
...when you hook them up.
I have no love for Apple but even this article smells like astroturfing.
Can we please stop this Slashdot trend of calling everything that doesn't immediately fit into our worldview astroturfing. The article is sensationalist (duh, it's The Register!) but these are security researchers presenting at the Black Hat conference, check out other sources and the actual basis for their claim before immediately jumping to the astroturfing cop-out.
I've seen people with posting histories long as a mile proving they are Linux users and supporters getting called M$ astroturfers because t
And? (Score:4, Insightful)
Windows machines can be pretty secure on their own too, but once hooked up to an active directory domain they are only as secure as the weakest point...
Also, this seems to be a particular authentication scheme which is flawed, windows has similar flawed schemes (google: pass the hash).
Finally this just seems to be a stupid bug in a service used for pushing updates, and should therefore be relatively easy to fix.
Re: (Score:3, Interesting)
Read TFA. It is possible (trivially, supposedly) to force Macs to use DHX (the insecure protocol). So, essentially, even if you use the secure system, it doesn't matter. That is a bit troubling for OS X enterprise users, to say the least.
I suppose the lesson here is that after 15 years of being the #1 target, M$ might finally be starting to get its shit in a respectable state, while Apple, for all its theoretical security, has very little experience dealing with actual security issues. Or maybe it's just a
Re:And? (Score:4, Funny)
It's not a bug, it's a design difference. On Mac Server, it does fall back to simpler protocols because that's how it was often set up - no real sysadmins means no consistent use of strong authentication.
However, it would all go away if Apple required and ONLY allowed kerberos for authentication of any service from OS X Server. In other words, just like AD.
Having said that, this exploit still requires an admin password to escalate privileges - which isn't typically given in a corporate setting. In other words, admin passwords can do admin things.
Re: (Score:3)
AD doesn't require and exclusively make use of kerberos, it can (and by default does, although which ones depend on the version) use weaker authentication schemes (ntlm, ntlmv2, lanman)... Apparently the hash passing vulnerabilities also exist when using kerberos only, it's just that tools to exploit this are not publicly available to do this yet.
Re: (Score:2)
Re: (Score:2)
--
Or a privilege escalation exploit...
Re: (Score:2)
But it doesn't *require* DHX, therefore it should be a relatively easy patch to make it possible to force DHX off at all times.
Re: (Score:3, Insightful)
...while Apple, for all its theoretical security, has very little experience dealing with actual security issues. Or maybe it's just a random bug, IDK.
Exactly. The bigger picture is concerning because Apple really *is* poised to become the Next Big Thing on the Desktop (Sorry Linux. You're awesome, but slaying the n00bs will never get you on the Desktop). Hopefully Apple will do a better job at fixing vulnerabilities than Microsoft did. The users are (As usual) going to be key however because (FTFA - pdf link):
* Apple users feel safe because they have no history of exploitation
* Apple users tend to be just as ignorant as a
Re: (Score:2)
--
not at those prices...
Re: (Score:2)
Windows machines can be pretty secure on their own too, but once hooked up to an active directory domain they are only as secure as the weakest point...
Just because a windows computer has joined a domain does not mean the domain now has root or for that matter *any* access to the local computer. It is still determined by local policy.
Also, this seems to be a particular authentication scheme which is flawed, windows has similar flawed schemes (google: pass the hash).
Windows of today uses kerberos.
Re:And? (Score:4, Informative)
But anyway, back to the topic at hand... uh, where the hell do you work? I work in a very Windows-heavy environment, and every time we add any Windows boxen to the domain, the domain admins get automatic admin rights. There's nothing we can do to stop it. This is a 10,000+ workstation university, though, so at least they're distant and maybe (only maybe) competent enough to not abuse it.
Re:And? (Score:5, Insightful)
Under a typical/default configuration, a domain has full control over a local machine once it has been joined to the domain... But that's not the point, the fact that having compromised the *server* you can take control of the *clients* is a given in any distributed authentication scheme, be it nis, kerberos, ldap or whatever...
The problem discussed in the article is that having compromised a single *client* you can take control of the server or other clients. Windows has such problems too, for instance once a domain user is logged in their password hash is stored on the system where it can be retrieved and then used. Also since most machines are built from images, local admin passwords are often the same and thanks to hash passing vulnerabilities can be used immediately without having to crack them (and as such irrespective of how strong the password is).
Windows of today still has NTLM and NTLMv2 enabled by default... It also still supports LANMAN although that is disabled by default in the latest versions. It is also apparently possible to do hash passing attacks even with only kerberos enabled, although I'm not aware of tools for doing that being widely available yet.
Ideally compromising a single client should get you nowhere (and many admins incorrectly assume this to be true)... But as some recent high profile attacks show, a serious attack can easily start from a single unimportant workstation, and there are many ways to compromise a single workstation (social engineering, browser exploit, malicious document exploiting whatever app they open it with etc)...
What is really needed, is a complete rethink of the old perimeter defence model... Although you can (and should) take steps to reduce the chances of the perimeter being breached in the above ways, if you don't pay attention to internal security then once a single small breach has happened it's game over for you.
One morning (Score:2)
Could it be?
Macs lacking Enterprise tools that Windows has (Score:2)
Macs are lacking Enterprise tools that Windows has.
At least Apple should let you run Mac OS X Server on ANY VM on any hardware.
Re: (Score:3)
http://www.ntpro.nl/blog/archives/1786-vSphere-5-Video-EFI-the-Extensible-Firmware-Interface.html [ntpro.nl]
Re: (Score:2)
Re: (Score:2)
Nice cut-n-paste job. If it's a genuine comment then I apologize for the error of mistaking a word-for-word comment used in what seems every damn Apple in the enterprise article submitted on slashdot.
The problem with the "any hardware" theory is that (1) Apple would not allow a stupid thing like that to occur again because they are a hardware company and the clone experiment didn't work out and (2) it's not even close to being requi
Re: (Score:2)
Apple isn't a hardware company, they're a systems company. An easy mistake to make these days though since there really aren't a lot of those left. Apple's thing is integration, to make sure everything fits together nicely (not saying it's ever 100% but it sure tends to beat the average Wintel OEM box).
Is DHX enterprise grade? (Score:5, Insightful)
Reading the tech note (marked archived) it makes it appear that DHX is an optional install and it is not clear. Also, doesn't MacOS X also provide enterprise grade solutions for authentication? Kerberos is available out of the box if I understand, for example.
BTW With the description "The DHX (Diffie-Hellman Exchange) UAM provides a relatively secure way to transport cleartext passwords..." (emphasis mine),
I am not sure you would want to use this for anything serious.
Re: (Score:2)
The DHX UAM was introduced to Mac OS X 10.0. That should tell you something about how secure (or not) it is. It's over 10 years old, and deals in clear text.
Apple really should give you a way to disable this, and have it disabled by default; allowing a sysadmin to turn it on only if absolutely necessary.
Re: (Score:2)
I'll admit I don't have much experience in the realm of crypto, but on the tin it did have it labelled "relatively secure" as opposed to "secure". Sure, I may be misreading the label and it may be Apple's way of saying "it is secure, but we won't guarantee it legally"?
Also, if the tech note is marked "archived", what is the current status of DHX in Lion?
Easy fix, for lazy administrators (Score:5, Informative)
defaults write com.Apple.AppleShareClient afp_cleartext_allow -bool NO
There, that wasn't so hard, was it? Oh, and their hack only works if the server is on the same subnet as the other machines, which is a really bad idea for secure networks to begin with.
To be sure, keeping Diffie-Hellman around in an era when sending plaintext passwords is anathema was pretty stupid, but you can bet that it'll be dead and gone in 10.7.1. This hack is not nearly as scary or as "persistent" as all that, and conveniently their paper isn't available for download and perusal. Looks like they just wanted their names in the news.
Next up, these same hackers break DES and show you how to infiltrate BSD 3! What will they think of next?
Re: (Score:3)
You can turn off plaintext auth, but you cannot disable unsigned DH.
Even if you could restrict to kerberos, there is no channel binding protecting the contents of these protocols, so auth relay attacks are pretty easy to pull off.
The mDNS MITM attack can be carried out across Layer-3 routing in some circumstances. In situations where this does not work, an attack against clients on the same broadcast domain is just as effective.
I would love for these issues to be fixed in 10.7.1, but that is extremely unli
Re: (Score:3)
Slide 28 -- I'm not particularly clear on why you would want ASLR or DEP to be configurable -- that just opens another avenue of attack. It should be always on every process all the time to be meaningfully effective.
It's unlikely that any consumer OS will ship with these protections on all of the time. By default, both OS X and Windows 7 apply ASLR and NX protections to binaries that "opt-in". The difference is that on Windows you can force these protections on binaries from legacy compilers and linkers.
wtf? (Score:2)
FTA:
Why is the server transmitting any authentication credentials to a machine that it hasn't actually confirmed is supposed to be
Re: (Score:2)
The article got it wrong. There's a PowerPoint linked at the bottom that explains it better. The infected machine spoofs the server. A client looking for the OS X server instead authenticates to the infected machine. The infected machine now has one user's credentials, so can do whatever that user can (including, I guess, act as man-in-the-middle passing legitimate requests to/from the server so that the user perceives no problem with the network).
In the PowerPoint, they show the infected machine getti
Users with admin rights? (Score:3)
Do I understand their presentation correctly? Users in said Enterprise have admin privileges?
Re:Users with admin rights? (Score:4, Insightful)
Yeah, which is not the case most of the time.
Users with admin passwords can do admin things. Duh.
Meaning this 'exploit' isn't much of an exploit.
Re: (Score:2)
Admin passwords or admin privileges?
Taking local privilege escalation exploits into consideration, there's a damn big difference between the two.
Re: (Score:2)
Well, per the presentation, they need to get the admin passwords to use the 'exploit'.
Re:Users with admin rights? (Score:4, Insightful)
Re: (Score:2)
I didn't see the actual presentation, but the exploit at the beginning of the presentation shows an AD hack, and doesn't mention needing passwords - just clicking on a malicious link.
Re: (Score:2)
Do I understand their presentation correctly? Users in said Enterprise have admin privileges?
No. The point is that *any* device which gets access to a network with OS X server can:
1) Wait to be contacted by OS X server. The server will stupidly identify itself with network-wide credentials (can be used for other hosts)
2) Device under attacker's control turns around and starts contacting *other* machines using the credentials it has just learned from the server.
3) Other OSX machines will stupidly answer the request and will provide their *own* credentials since you are "obviously" a trusted server.
4
Mac is not for the enterprise (Score:2, Insightful)
This should be no surprise to anyone. MacBook, MacBook Pro, iMac, Macmini, and Mac Pro are not enterprise machines. The service and support offered by Apple to Enterprise customers is below the needs of an enterprise environment. Mac OS X is increasingly more consumer oriented as well. And I think it is no secret that Apple has been pulling anything that resembles Enterprise-anything and focusing more on consumer-side things.
So... is this a surprise?
Re: (Score:2)
Re: (Score:2)
I think you're not getting it at all.
All you have shown is that a heterogeneous environment has its advantages and most IT people will agree with you. We already know what happens when Christian missionaries visit pygmy villages -- "god's judgement" kills them all with the common cold. Same is true for heterogeneous environments.
But you know, instead of talking about software -- you know, MacOSX can be made to run on any PC after all, let's talk about the thing that actually differentiates the two -- the thin
Re: (Score:3)
Oh I don't know about that. I'm an engineer for a large, multinational aerospace and electronics company. For what I do, I need several computers running different operating systems. Out of the 8 machines I have, two are macs, an imac and a 2011 macbook pro. The macbook pro is seriously the best machine I've ever used for work. I really despise Steve Jobs, but I cannot fault a good product, I really like my macbook pro for work.
Re: (Score:2)
Yes and they don't have the problem of "enterprise level support" as they are their own enterprise support. As I indicated, Apple does not offer any enterprise level support for Apple products. If you want it fixed, you either fix it yourself or you take it to an Apple store at their convenience. Warranty and replacement is also not up to enterprise levels as there are no "sorry, we don't have those parts any more, so we will upgrade you to the current version of the hardware" offers and there is no acci
So... practical linux attacks next? (Score:5, Insightful)
It's my understanding that Linux has even more widespread enterprise adoption than Mac does... so does that mean that we get to see a Linux exploit next?
And when someone does... any bets on how many hours it will take from actual publication of said exploit until a fix is available? My money's on it being fast enough that by the time most people who might want to exploit it have heard about it, that a fix will already be available, and attentive sysadmins will have already patched their servers.
Re: (Score:2)
It's my understanding that Linux has even more widespread enterprise adoption than Mac does... so does that mean that we get to see a Linux exploit next?
While Linux has a strong following in several critical areas of the enterprise, such as servers, this really wasn't about server exploits. Sure, it needed a server to work, but it really was about individual desktops and laptops being used to compromise others from a non-server machine. Since Linux has very low desktop / laptop adoption compared to even Macs I'd say it's doubtful anyone would even try to exploit it. Even if they did, someone would have to be actively looking to detect it - I doubt they'd si
Re: (Score:2)
Depends - if the exploit works on android phones then I'd expect the patch to be deployed in anywhere from six months to never...
oh no (Score:2)
My turtleneck is feeling a bit uncomfortable today.
DHX already deprecated in 10.7 (Score:2)
DHX is already deprecated in Lion, and people have been bitching about that. Typical Apple hater bait story.
Re: (Score:3)
Slide 41 of the presentation [isecpartners.com] shows the hierarchy of available authentication protocols and the best known attack against each. DHX has technically been deprecated, but it was replaced by DHX2 which has the exact same problem. The MITM tool we demonstrated works just fine on 10.7.
Re: (Score:2)
Even if it was fully deprecated, I don't see how it makes the news invalid, a typical Apple hater bait story. After all, there are a lot of Macs that haven't been upgraded to Lion. And we see stories about exploits in XP and Vista.
Re:A virus? In my MAC? (Score:4, Insightful)
It's more likely than you think! Why would someone write a worm that is targeted at 0.00001% of the user base when they can target 90?
Unpatched vulnerabilities leave open doors for custom-tailored villainy. I would call it a pretty big deal.
Re:A virus? In my MAC? (Score:4, Funny)
Most douchenozzles write virii for kicks.
And much worse, only a total and utter douchebag uses "virii" as a plural form of "virus".
Re: (Score:2)
Re: (Score:2)
This was true well into the 90's, but today the vast majority of malware is written for monetary gain.
+1
Re: (Score:2)
Re: (Score:3)
>> Why would someone write a virus that is targeted at 10% of the user base when they can target 90?
Because they are an asshole?
Re: (Score:2)
Re:A virus? In my MAC? (Score:5, Insightful)
Why would someone write a virus that is targeted at 10% of the user base when they can target 90?
I'm assuming you are implementing sarcasm there, but in case you are not...
How about because you've got as large a chunk of the 90% as you are going to get any time soon in your botnet already, and you are having to fight every other botnet going to keep them? A chunk of that 10% could make a useful difference.
Or if you are installing a key logger to try to purloin credit card details or authentication credentials, why not target the more-affluent-on-average users of that 10% who might actually take less effort to infect as they are complacent?
Or how about "just to prove you can". I'm guessing that in lieu of actually making money simple bragging rights still count for something in the hacker/cracker world.
Re: (Score:2, Interesting)
Also, one can lodge malicious code in a Mac that would require physical replacement of components, such as the flash ROM of the keyboard, or even the battery of a Macbook.
This isn't new to Macs either. Back in the System 6 days, where the OS would read from the SCSI drive code to execute a hard disk driver, it would be trivial to hide a malicious payload there, and because it ran before anything else, there would be no way to stop it. Had a virus that did that been combined with WDEF (which infected machi
Re: (Score:3)
Re: (Score:2)
My favorite analogy to that is to say that if you set a sack of $2,000 and a sack of $200 in cash beside each other on the street, that only the $2,000 sack will get stolen, even if the $200 sack isn't chained down and the $2,000 sack is.
Thieves will take everything that's not nailed down. Risk and effort matter more than payout when selecting targets. Most thieves prefer low risk easy marks over large payout
Re: (Score:2)
I agree that while it's a simple fix, it's not something to call an over-reaction. The results of the methodology used here are pretty heavy, and definitely something to be aware of. Is it going to affect many people? Probably not, but you don't just ignore it.
I will say that the article is a bit dramatic, something which the exploit developer even commented on.
Re: (Score:2)
Not just that... if you offend the Mac faithful, this is what you get! http://apple.slashdot.org/story/07/07/19/1231216/Mac-Worm-Author-Gets-Death-Threats [slashdot.org]