The Apple faithful have had to defend the
security prowess of Mac OS X an awful lot this past year and a
half.
Early 2006 saw the appearance of the first
malware targeting Macs, and a few months
later a controversial Black Hat demo where a
MacBook was hacked via a weakness in the
wireless driver.
Now Mac Nation is defending the security of their OS against a
media storm involving a Mac hijacked in a demo last week via a
flaw in the QuickTime media player.
It doesn't matter that this flaw seems to affect most browsers,
from Safari to Firefox to Internet Explorer 7, and that users are
under threat whether they use a Windows or Mac machine. A Mac was
successfully targeted first, further chipping away at the OS's
reputation as a more secure alternative to Windows. Apple
enthusiasts are feeling the sting.
Not surprisingly, the QuickTime exploit has sparked a new round
of Mac vs. Windows debate in the blogosphere.
Errata Security CTO David Maynor, one of the researchers who
sparked controversy with last year's MacBook demo at Black Hat,
wrote in the
Errata Security blog that the latest demo --
in which New Yorker Dino Dai Zovi hijacked a Mac as part of a
contest at the CanSecWest conference -- will no doubt send the
Mac faithful on another defensive blitz.
"Brace yourselves for the flood of Mac faithful posts about why
this [exploit] doesn't count," he wrote. "Of course, the reporters
that will cover this will be called Microsoft zealots [with] an
agenda against Apple."
Tech blogger Ian Betteridge wrote about the "myth of Mac
security" in his
Technovia blog. For him it didn't matter how
the Mac was exploited. In the end, he wrote, no operating system is
100% secure and Mac fans should stop getting defensive whenever
their OS is targeted.
"The reaction to this makes one thing clear: There are clearly a
whole bunch of Mac users out there who believe that their machines
are secure, invulnerable, and will actually dance around the issues
to counter what they refer to as 'black PR,'" he wrote. "That's
insanity. It's religion, not a lifestyle choice. These people are a
problem for every Mac user, because security is like inoculation:
The more people there are who take security seriously, the less
likely it is that malware will spread widely. People who don't
think security is their problem are a hazard."
While it may be true that there are Mac users who would rather
deny reality, some of them point to their own situations as proof
that Mac security remains unblemished.
An IT pro who writes under the name
Hack a Mac said in his blog that his Mac kept
on humming along recently as Windows boxes in his company were
felled by attacks connected to
Microsoft's DNS Server Service zero-day
flaw.
"I had to pull a couple of 24-hour-plus days due to a zero-day
attack on our Windows network," he wrote. "Yes, like many Mac
users, I have to work and live in a [Windows] world much to my
annoyance but it does pay the bills."
In this case, he said, his company got slammed by a DNS hack
with Rinbot as a payload. The attack came via one of the company's
VPN connections in China and hit the DNS servers. It took a few
days to work out what had happened. He said he spent more than a
few hours in the Windows registry working out a band-aid solution
that involved renaming files and putting dummy files in place to
stop the worm.
During all this "fun," he said, "my trusty Mini just kept
working away while my boss's laptop died, my co-worker's
workstation died and most of the servers died."
For the amount of time lost and money spent trying to protect
the Windows boxes, he said, "everyone and I mean EVERYONE in the
office could have had top-flight Macs on their desktop. And yet,
people refuse to admit that in some if not many cases, Windows is
not the best solution."
As bloggers debated the security merits of the Mac, the
Matasano
Chargen blog continued to collect new details about the actual
QuickTime exploit and its aftermath.
Thomas Ptacek, a member of the team at Matasano Security, a New
York consultancy, warned Thursday about unconfirmed reports from
multiple credible sources that the challenge MacBooks from the
CanSecWest contest were exposed to an unprotected wireless network,
and that "raw packet captures of the successful exploit have been
taken by parties unknown to us."
After a lot of investigating, the Matasano team couldn't confirm
that this had happened, as many of their leads failed to pan out.
But they continued to collect more information on the breadth of
the QuickTime threat.
"Anonymous sources at 3Com confirm Dino's QuickTime
vulnerability is exploitable in IE7 and IE6 on Windows XP," Ptacek
said. "I think we can now safely conclude this is a hell of a
finding. Way to go, Dino!"
The QuickTime exploit proved that most browsers are threatened,
including those running on Mac boxes. On this point I agree with
Betteridge:
The larger lesson for Mac users and the top brass at Apple is
that it's time to drop the defensiveness and acknowledge that they
too are not bulletproof.