Author |
Topic: Think your Mac is secure from automatic web exploits? |
Wiz Feinberg
From: Mid-Michigan, USA
|
Posted 20 Mar 2009 6:58 am
|
|
Gone in 10 seconds!
That's how long it took security evaluator Charlie Miller to hack and take over a brand new MacBook laptop at this year's Pwn2Own contest. The exploit was carried out automatically after a link to a specially coded web page was clicked upon, in the Safari browser that shipped with the MacBook. Both the OS and Safari were fully patched at the time of the exploit. No further user interaction was required after clicking on that link.
The exploit code has been given to Apple so that they can protect others against a similar attack.
Charlie Miller won $5000 and the MacBook for his 10 second takeover. Read about the Mac takedown on NetworkWorld.
With this established as a legitimate concern, Mac users may wish to consider installing an anti-virus program approved by Apple. They list some on their website. Or, Mac users can hope that the code is never leaked to the blackhat community before a patch is created and pushed out.
_________________
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog |
|
|
|
b0b
From: Cloverdale, CA, USA
|
|
|
|
Randy Phelps
From: California, USA
|
Posted 21 Mar 2009 10:05 pm
|
|
The oversimplification of the Pwn2Own contest's results by the media has resulted in criticism of how the contest is portrayed and conducted. The Pwn2Own contest is "simplifying security to the point of uselessness," according to comments by Jeff Jones, the director of Microsoft's security group.
There is more to this contest than scientists seeking truth. |
|
|
|
Jeff Agnew
From: Dallas, TX
|
Posted 23 Mar 2009 4:40 am
|
|
Wiz, it was a browser exploit that auto-downloaded a trojan. An anti-virus program on the Mac wouldn't have helped. Apple will need to patch Safari.
I'm with b0b. The best defense is to use Firefox or Opera on the Mac. |
|
|
|
Matt Elsen
From: Deer Harbor, Orcas Island, WA
|
Posted 25 Mar 2009 5:20 pm
|
|
What anti-virus program do you guys recommend to use with a Mac? |
|
|
|
b0b
From: Cloverdale, CA, USA
|
Posted 25 Mar 2009 8:21 pm
|
|
I don't use one. I just run Apple's Software Update program weekly and install the latest patches.
Also, I don't install programs from untrusted sources. |
|
|
|
Edward Efira
From: California, USA
|
Posted 26 Mar 2009 9:31 am
|
|
There is a good antivirus program called "CLAMXAV" with virus updates published daily. It's freeware and comes from the UK.
http://www.versiontracker.com/dyn/moreinfo/macosx/52238
Best,
Ed
_________________
'75 Sho-Bud 4&4, '01 Zumsteel 8&8, 2012 Zum Hybrid 4&6 |
|
|
|
Wiz Feinberg
From: Mid-Michigan, USA
|
Posted 26 Mar 2009 9:55 am
|
|
b0b wrote: |
I don't use one. I just run Apple's Software Update program weekly and install the latest patches.
Also, I don't install programs from untrusted sources. |
b0b and other Mac users on the forum;
I don't want to start an argument with you about Mac security. I am but the town crier alerting you to a clear and present danger that is getting more attention from hackers than before. The Metasploit hacking toolkit has just been updated to cash in on the new Mac and Safari vulnerabilities. Mac users are now being actively targeted by hackers.
Some of these vulnerabilities require zero user interaction should you be unlucky enough to visit a web page containing specific active content targeting your OS and browser. You would receive no alerts or privilege escalation pop-ups to warn you that your PC was about to be Pwned. Normally, Mac exploits use trickery to get users to agree to install malware Trojans disguised as a legitimate application (via privilege escalation boxes). The new exploits are totally silent.
_________________
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog |
|
|
|
b0b
From: Cloverdale, CA, USA
|
Posted 26 Mar 2009 12:09 pm
|
|
I'm not suggesting that anyone follow my example. I'm just saying that I don't use an anti-virus program on my Mac. My friend uses Norton, and he says it caught something once.
_________________
-𝕓𝕆𝕓- (admin) - Robert P. Lee - Recordings - Breathe - D6th - Video |
|
|
|