Security Blog Log: Mac hack puts Apple faithful on defence

A much-hyped QuickTime exploit threatens Mac OS X and Windows browsers, but the Apple faithful feel the greatest sting.

The Apple faithful have had to defend the security prowess of Mac OS X an awful lot this past year and a half.

Early 2006 saw the appearance of the first malware targeting Macs, and a few months later a controversial Black Hat demo where a MacBook was hacked via a weakness in the wireless driver.

Now Mac Nation is defending the security of their OS against a media storm involving a Mac hijacked in a demo last week via a flaw in the QuickTime media player.

It doesn't matter that this flaw seems to affect most browsers, from Safari to Firefox to Internet Explorer 7, and that users are under threat whether they use a Windows or Mac machine. A Mac was successfully targeted first, further chipping away at the OS's reputation as a more secure alternative to Windows. Apple enthusiasts are feeling the sting.

Not surprisingly, the QuickTime exploit has sparked a new round of Mac vs. Windows debate in the blogosphere.

About Security Blog Log:
Senior News Writer Bill Brenner peruses security blogs each day to see what's got the information security community buzzing. In this column he lists the weekly highlights. If you'd like to comment on the column or bring new security blogs to his attention, contact him at [email protected].


Errata Security CTO David Maynor, one of the researchers who sparked controversy with last year's MacBook demo at Black Hat, wrote in the Errata Security blog that the latest demo -- in which New Yorker Dino Dai Zovi hijacked a Mac as part of a contest at the CanSecWest conference -- will no doubt send the Mac faithful on another defensive blitz.

"Brace yourselves for the flood of Mac faithful posts about why this [exploit] doesn't count," he wrote. "Of course, the reporters that will cover this will be called Microsoft zealots [with] an agenda against Apple."

Tech blogger Ian Betteridge wrote about the "myth of Mac security" in his Technovia blog. For him it didn't matter how the Mac was exploited. In the end, he wrote, no operating system is 100% secure and Mac fans should stop getting defensive whenever their OS is targeted.

"The reaction to this makes one thing clear: There are clearly a whole bunch of Mac users out there who believe that their machines are secure, invulnerable, and will actually dance around the issues to counter what they refer to as 'black PR,'" he wrote. "That's insanity. It's religion, not a lifestyle choice. These people are a problem for every Mac user, because security is like inoculation: The more people there are who take security seriously, the less likely it is that malware will spread widely. People who don't think security is their problem are a hazard."

While it may be true that there are Mac users who would rather deny reality, some of them point to their own situations as proof that Mac security remains unblemished.

An IT pro who writes under the name Hack a Mac said in his blog that his Mac kept on humming along recently as Windows boxes in his company were felled by attacks connected to Microsoft's DNS Server Service zero-day flaw.

"I had to pull a couple of 24-hour-plus days due to a zero-day attack on our Windows network," he wrote. "Yes, like many Mac users, I have to work and live in a [Windows] world much to my annoyance but it does pay the bills."

In this case, he said, his company got slammed by a DNS hack with Rinbot as a payload. The attack came via one of the company's VPN connections in China and hit the DNS servers. It took a few days to work out what had happened. He said he spent more than a few hours in the Windows registry working out a band-aid solution that involved renaming files and putting dummy files in place to stop the worm.

During all this "fun," he said, "my trusty Mini just kept working away while my boss's laptop died, my co-worker's workstation died and most of the servers died."

For the amount of time lost and money spent trying to protect the Windows boxes, he said, "everyone and I mean EVERYONE in the office could have had top-flight Macs on their desktop. And yet, people refuse to admit that in some if not many cases, Windows is not the best solution."

As bloggers debated the security merits of the Mac, the Matasano Chargen blog continued to collect new details about the actual QuickTime exploit and its aftermath.

Thomas Ptacek, a member of the team at Matasano Security, a New York consultancy, warned Thursday about unconfirmed reports from multiple credible sources that the challenge MacBooks from the CanSecWest contest were exposed to an unprotected wireless network, and that "raw packet captures of the successful exploit have been taken by parties unknown to us."

After a lot of investigating, the Matasano team couldn't confirm that this had happened, as many of their leads failed to pan out. But they continued to collect more information on the breadth of the QuickTime threat.

"Anonymous sources at 3Com confirm Dino's QuickTime vulnerability is exploitable in IE7 and IE6 on Windows XP," Ptacek said. "I think we can now safely conclude this is a hell of a finding. Way to go, Dino!"

The QuickTime exploit proved that most browsers are threatened, including those running on Mac boxes. On this point I agree with Betteridge:

The larger lesson for Mac users and the top brass at Apple is that it's time to drop the defensiveness and acknowledge that they too are not bulletproof.
