Friday, April 20, 2007

Say it ain't so Steve...

UPDATE: In my world people like John Gruber upset me. I keep hearing about this straw man argument from the Mac faithful, but the real straw man argument is that he has the technical skills to even discuss these issues. From Gruber: “Makes me wonder whether it’s another exploit against Safari’s on-by-default “Open ‘Safe’ Files” preference. Update: A good source says it’s not “Open ‘Safe’ Files”. My next guess is that it’s a pseudo-URL protocol handler.” Wow, that’s one super educated guess. I’ll go one further in the security version of “can you be more vague”: it’s probably in something that handles DATA.

http://www.matasano.com/log/
OH SNAP SON…

The badass guys at Matasano, namely Dino, just pocketed a cool 10k and a MacBook in the CanSecWest challenge to own a Mac. Tom is right, brace yourself for the flood of Mac faithful posts about why this doesn’t count. I can hear John Gruber tapping away and silently sobbing in the distance…

Of course the reporters that will cover this will be called Microsoft zealots with an agenda against Apple. Let's put an end to that now: even if they did have one, does it make the story any less true?

11 comments:

Daniel said...

Agreed, it was a good find but enough with the tit for tat now :p

dru_satori said...

Actually, I'd be surprised if what you posit happens. First, it's a flaw that has been verifiably demonstrated. That in and of itself, more or less makes the events you've postulated unlikely.

Unfortunately, there are probably some Mac faithful that will downplay the incident, but I rather doubt Gruber is one of them, and there is no way that Apple attempts to smear a documentable flaw like this. I could see them shifting the blame for OS X to it being a Java bug that they'll patch, but even that I find unlikely.

I guess time will tell, but I for one would be shocked if this isn't taken very seriously by Apple and the Apple community as a whole. I know that I took it seriously enough to take steps to find out how to protect against it and did so on all of my Macs.

David Maynor said...

What are you talking about, it's already happening...

http://www.roughlydrafted.com/RD/RDM.Tech.Q2.07/616874CC-35CE-49D3-B859-C2719B6FF352.html

Not to mention Gruber originally misidentifying it as a trivial “Open Safe Files” problem and bloggers saying it didn’t count because it affected Safari and to mitigate the risk all you have to do is run Firefox. The ZDI program manager said it also affected Firefox.

The downplay drama continues. And for the record, I never said Apple would smear anyone, Gruber did. After what happened with me Apple will no longer comment to the media about anything security related other than the standard corp line.

wadesworld said...

Last I heard, the challenge was to exploit a Mac remotely. When nobody was able to do that, they lowered the bar and said, "OK, exploit a Mac locally where the user has been duped into clicking a link of your construction." If my facts are wrong, feel free to correct me.

Obviously the fact that they were able to successfully exploit against the lowered bar is not good, but let's stop thumping our chest about "exposing" the Mac. It had a security flaw - same as many that have been discovered previously, and will continue to be discovered. Same as thousands of similar exploits on Windows.

David Maynor said...

Dru Satori: wadesworld is a perfect example of what I was talking about and that you said wouldn't happen.

Wadesworld:
It really sounds like you didn't read the rules and are grasping at the "relaxed" rules explanation I have seen so often. How about you go educate yourself:

http://lists.immunitysec.com/pipermail/dailydave/2007-March/004198.html

http://www.securityfocus.com/archive/142/464216/30/0/threaded

These are explanations of the rules that clearly show that what happened was not a relaxation but instead intended from the beginning (check the dates on these emails, they were long before the conference ever started).

dru_satori said...

While I agree that they are downplaying the scope of the threat, to their own stupidity, they are correctly stating that the compromise only came after the initial remote exploit time frame elapsed. That's accurate, but it in no way invalidates the risk of the exploit. Actually, to my mind, the risk of the lowered bar is actually a worse risk than a remote exploit that requires a higher level of user to implement. Browser-related exploits should scare the pee out of users because of the ease of deployment and the average Mac user thinking they are immune and clicking blithely on anything remotely interesting.

So, I'll say, yes, I'm wrong, we do have some stupid users in the Mac community, but let's also be fair in the assessment that the exploit did occur against a lowered bar, but the exploit in and of itself should be giving the Mac community at large a serious wake up call :-(

Jason said...

Interesting how you attack Gruber but never respond to any of his accusations. People who live in glass houses...

Lawrence said...

Of course the reporters that will cover this will be called Microsoft zealots and they have an agenda against Apple.

But from your comments, it looks like everyone who doesn't scream that Mac OS X is a bug-ridden mess is an Apple fanboy. Can't have it both ways.

wadesworld said...

David,

Ok, so they did not change the rules. The "sliding scale" of difficulty was in the rules from the beginning. Unless I misread it, the exploit was not remote, and did require local access and the user clicking on a malicious link.

The exploit is serious and needs to be fixed. There are or have been similar exploits on Windows and Linux. So what's the big news here? Just a desire to shove an exploit in the face of Apple's ad-campaign and fanboys?

David Maynor said...

Did anybody say similar exploits don't exist for Windows or Linux? This bug affects every platform QuickTime runs on, so everyone is well aware of what platforms are affected. As far as it not being remote, these are the same arguments that were seen on the Matasano blog, so there is no need to rehash the definitions of what a remote exploit is and the different ways a user could be compromised without ever knowingly clicking on a link. Can you show me a link that claims this is a local-only bug requiring physical access?

Derik said...

Boy, yeah, Gruber really dug into Dino when he interviewed him.
That was sarcasm, by the way.