Wednesday, November 01, 2006

You want Mac wireless bugs?

So, the Month of Kernel Bugs (MoKB) begins today. They start by releasing a live exploit for a remote kernel bug in older PPC Macs with Orinoco-based chipsets. "1999-2003 PowerBooks, iMacs". (Note: I've done no independent verification of the bug, I just trust the people reporting it.)

With no official notification to Apple, and no patch available.

Even though the machine I'm typing this on right now is vulnerable to the exploit, I believe this is the appropriate way to handle this release. Why? Because of they way Apple handled the same kind of issue with David Maynor and Johnny Cache, of course.

Apple thinks it should not even acknowledge unpatched bugs. It (apparently) thinks that it should issue press releases denying the issue and use vague legal threats against researchers to "protect customers".

This kind of release is the result. If Apple doesn't want to play responsible disclosure, then the researchers will be happy to oblige. I trust there will be no denial of the problem by any interested parties this time?

(No, not really. The Mac zealots still won't believe it. But it sounds good, anyway.)

Update: I'm taking my Mac off the list of affected machines. It's an iBook G4 with an Airport Extreme that was purchased separately. It appears that the Extreme (802.11g) version of the Airport isn't affected by this particular bug. I might as well try to be careful about technical accuracy. I've seen how the Mac community reacts to any little inaccuracy.


DudeVanWinkle said...

I agree fully. If you want to play with discrediting security researchers, throwing around your weight to try and make them look the fool and possibly get them fired, then this is karmic retribution :-)

Dave said...

(Also posted to kernel fun, but apparently wasn't approved, since I saw a comment show up there subsequent to when I posted this.)

Apple has specifically stated, twice, that SecureWorks, nor Maynor or Ellch, were able to provide any information that demonstrated in any way that Apple's shipping wireless chipsets and drivers were vulnerable.

This sums up the issue as I see it:

- Maynor and Ellch demoed a wireless exploit on a MacBook via using a third party USB wireless card at Black Hat.

- Krebs of the Washinton Post sensationally alleges that Apple "leaned on" Maynor and/or Ellch to not show the demo at Black Hat, without providing any proof of that then, or since.

- Maynor told the Washington Post and others that he was NOT revealing the brand of the third party wireless card because of "responsible disclosure"; presumably, to give the vendor a chance to respond, and so on - I don't know of any other meaning of "responsible disclosure".

- The vulnerability is also allegedly exploitable on other hardware platforms and under Windows and Linux, but Maynor and Ellch chose Mac OS X because of Apple users' "smug" attitude about security, which makes him apparently want to "jam a lit cigarette into Mac users' eyes" (this from a SecureWorks "Senior Researcher"; it doesn't matter whether you think it was said in jest or not).

- Maynor allegedly tells Krebs of the Washington Post that the MacBook's internal, integrated wireless is exploitable in the exact same way that the third party wireless card is. Since the brand of the third party card has not been revealed to date, and the card was carefully hidden in a wrapper so as to conceal its identity because of "responsible disclosure", how is it "responsible disclosure" to then say that the MacBook's internal wireless is exploitable in the identical fashion?

- Maynor fails to provide Apple engineers at Black Hat with any working exploit of the MacBook's integrated wireless, after working with Apple for a week. Subsequent attempts to demonstrate this exploit on the MacBook's integrated wireless turn up nothing, but Apple launches an internal code audit of all of its wireless drivers anyway.

- After attempts to reproduce the alleged exploit on the MacBook's integrated wireless with the direct assistance of Maynor during and following Black Hat fail, Apple asserts that SecureWorks has provided no useful information that may indicate an exploit in Apple's currently shipping hardware and software.

- Maynor's issue is shown to work for a Raytheon Raylink driver, which is not a driver that Apple ships. Any usable information has yet to be provided to Apple on how any of Apple's shipping drivers may be vulnerable to this alleged exploit.

- Apple issues a patch that updates Atheros and Broadcom wireless drivers. Two separate updates are issued:

Two separate stack buffer overflows exist in the AirPort wireless driver's handling of malformed frames. An attacker in local proximity may be able to trigger an overflow by injecting a maliciously-crafted frame into a wireless network. When the AirPort is on, this could lead to arbitrary code execution with system privileges. This issue affects Power Mac, PowerBook, iBook, iMac, Mac Pro, Xserve, and PowerPC-based Mac mini computers equipped with wireless. Intel-based Mac mini, MacBook, and MacBook Pro computers are not affected. There is no known exploit for this issue. This update addresses the issues by performing additional validation of wireless frames.


A heap buffer overflow exists in the AirPort wireless driver's handling of scan cache updates. An attacker in local proximity may be able to trigger the overflow by injecting a maliciously-crafted frame into the wireless network. This could lead to a system crash, privilege elevation, or arbitrary code execution with system privileges. This issue affects Intel-based Mac mini, MacBook, and MacBook Pro computers equipped with wireless. Power Mac, PowerBook, iBook, iMac, Mac Pro, Xserve, and PowerPC-based Mac mini computers are not affected. This update addresses the issue by performing additional validation of wireless frames. There is no known exploit for this issue. This issue does not affect systems prior to Mac OS X v10.4.

- Everyone immediately assumes this is the fix for the Black Hat wireless issue, but Apple again asserts that Maynor, Ellch, and SecureWorks have provided NO usable information to discovering any alleged vulnerability.

So, where are we now?

- I believe that Maynor and Ellch discovered a general theoretical class of 802.11 vulnerabilities, in which a malformed frame can theoretically be used to attack a number of drivers and platforms. This is clearly a serious issue.

- The handling of this issue by Maynor and Ellch, and especially by Krebs in the Washington Post, made it appear that MacBooks (and only MacBooks) were immediately exploitable in a very scary and shadowy fashion, via wireless, and potentially with no knowledge of the system's owner.

- However, Maynor and Ellch went out of their way to NOT divulge the identity of the third party wireless card they used; why didn't Apple deserve the same "responsible disclosure" if the MacBook is claimed to be identically exploitable? And, since SecureWorks or its representatives couldn't reproduce the alleged issue for Apple on Apple's stock hardware, and further given the derogatory statements about Mac users (whether or not Mac users may have a "smug" attitude or may need cigarettes jammed into their eyes on occasion is beside the point), and given that Apple has insisted twice now, weeks apart, that SecureWorks has not provided any useful information that would indicate a vulnerability in Apple's shipping products with no protest from SecureWorks, it would seem that their general claims should be called into question. (And no, conspiracy theorists, it's not because Big Bad Apple threatened SecureWorks with legal action and poor little SecureWorks rolled over under the weight from Mighty Apple.)

- Maynor and Ellch probably legitimately wanted to demonstrate an example of a general exploit that could ALSO affect Mac OS X systems; i.e., to show that Mac OS X is not only invulnerable to attacks (duh), but could also be vulnerable to general attacks that also affect other platforms and operating systems (interesting). Unfortunately, Maynor and Ellch underestimated the enthusiasm of the press whenever any security issue, no matter how small or large, is found in anything remotely related to Apple. The Washington Post splashes the headline "MacBook hacked in 60 seconds", and proceeds to make Apple's brand new flagship portable product look as insecure as wet swiss cheese, when the alleged vulnerability also is purported to affect: Windows, Linux, other hardware platforms, and even other Apple products. So if a general class of theoretical 802.11 vulnerabilities has really been discovered, how is it helpful for Apple to get ALL of the bad press and ALL of the blame, with the focus on just one product? And since subsequent work to uncover this vulnerability with the cooperation of Maynor turned up nothing (and if the discoverer himself can't show it to work on the gear he claims it works on in pretty short order, who can?), it would seem that this vulnerability is more theoretical - and more broad - than the clear and present danger it was trumpeted as being to the MacBook.

- SecureWorks probably silenced Maynor solely because his interactions with the press were making SecureWorks look like a bunch of fools when they're trying to be a responsible enterprise security company, and not for any other reason. The way this incident was handled in the press makes it appear that Apple and only Apple was where this vulnerability existed, when, if anything, it's a general class of vulnerabilities that affects a lot more, which is a much bigger story (but was never covered). And it would appear that the exploit is more theoretical than anything, since even the discoverer himself could not provide a working example to Apple after working directly with Apple.

- In the end, Apple may have discovered the general vulnerability described by Maynor and Ellch during its own code audit. But how can they be credited if SecureWorks, Maynor, and/or Ellch never provided Apple with any useable information of how to find it? Before anyone jumps on the bandwagon of "why should independent security researchers do Apple's work for them?" remember that this demo was given under the guise of SecureWorks, a purportedly responsible security firm with "responsible disclosure" policies, which implies providing usable information to the vendor(s) before a vulnerability is disclosed. If these were antisec guys, I'd say "fine". But they're operating under the auspices of a responsible security company, AND even going out of their way to hide the third party wireless card, but giving Apple none of the same courtesy, and then creating a massive firestorm of bad PR for only ONE vendor and ONE platform, when all other platforms and vendors are just as easily affected, according to their own statements.

- The reason SecureWorks and Apple are probably now "collaborating" is to prevent this kind of situation from happening in the future. And can you blame Apple? If the story was correctly reported as theoretically affecting everyone with vulnerable drivers equally, there wouldn't have been days of "MacBook hijacked via wireless in seconds!" stories, with no actual useful details, but just a bunch of FUD.

- If you look at this objectively, it wouldn't appear that the situation was as dire as it was presented on Apple's shipping hardware, and, if ANYTHING, anyone else - including Linux and Windows and the affected drivers and chipsets on those platforms - are just as vulnerable, and it's not only unfair but counterproductive to single out Apple and only Apple in the coverage of such an exploit, whether theoretical and general (which I think this is), or specific and in-the-wild (which this isn't).

In the end, Maynor and Ellch, because of their handling of this issue, and because of Maynor's possibly unintended interaction with the Washington Post, may have unwittingly undermined the importance of their claims (if true). This is unfortunate, and ironically, because of all the attention Apple got on this issue, IF Apple did uncover the general issues discovered by Maynor and Ellch, Mac OS X is likely more secure in this area than other platforms that have not tackled this issue.

Also, Mac OS X certainly has vulnerabilities. The people saying it doesn't are morons. But the problem is that any vulnerability discovered in any Apple product gets amplified in the press massively disproportionately. For example, the iPod Windows virus issue:

By all accounts, there was likely a Windows PC used for QA at a non-Apple contractor that was infected with a virus that was infecting iPods with the virus when they were plugged in to that machine. (If anything, this is a problem in the QA process at Apple's manufacturing contractors, not ANY indication that "Macs" or Apple are any more susceptible to viruses or attacks, in any way, shape, or form - I'm surprised at the level of shoddy journalism on this. This is a Windows worm copying itself to a locally attached Windows disk (that happens to be an iPod), nothing more. Yes, it's really bad for any manufacturer to ship something with a virus on it, but this doesn't indicate the susceptibility of Apple or Macs in general. If anything, it indicates the iPod is effective as a USB-attached disk. Which it is. Again, no excuse for the processes to let something like this happen, but still.)

Then, the coverage of this goes on to rehash the (incorrect) assumption that someday there will be a huge worm outbreak on Macs, an assertion that is *completely unrelated* to iPods being infected with a Windows (or even Mac) virus.

I'm not going to rehash why it's literally impossible for the type of devastating mass-propagating worms that we've seen on Windows happen on Macs; marketshare *alone* is enough to make that argument, but marketshare is only one of many factors.

I predict that we'll continue seeing these sky-is-falling and "WAKEUP CALL FOR APPLE" articles month after month and year after year, with nothing *actually happening* of any consequence to the installed Mac OS X base. Will there be new viruses, worms, malware, and proofs of concept of malicious items for Mac OS X? Yep. Absolutely. Just as there have been. Will there be something that can mass-propagate to the point where it costs the tens/hundreds of billions of dollars and hundreds of thousands of manhours in recovery and lost productivity like we do on Windows? Nope. The architectural, use, marketshare, and security differences on the Apple platform versus Windows ensures that.

The coverage of this will likely be further classic examples of press jumping on any negative or security-related story that has to do with Apple.


Dave Schroeder
University of Wisconsin - Madison

Dave said...

Also, can you clarify what you mean by:

Apple thinks it should not even acknowledge unpatched bugs. It (apparently) thinks that it should issue press releases denying the issue and use vague legal threats against researchers to "protect customers"?

I'm not trying to be rude, but can you back up that statement? There was never any proof - ever, from anyone - that Apple used a legal threat (or any kind of threat) against Maynor and Ellch. Like, at all. The only source for that is Krebs' article, and it's not backed up or substantiated in any way, by anyone. Krebs said Apple "leaned on" them. What does that mean? Who leaned on who, and what exactly happened? Was it just someone who worked at Apple who said "I don't think showing this at Black Hat is a good idea"? What exactly occurred? I know people will think that Maynor and Ellch "can't talk about it" for fear of legal retribution or some other crap, but I'm sorry, that's utter BS. There was no evidence of a threat of any kind, much less a "legal threat", and I have never seen any evidence of any threat, legal or otherwise, to anyone for making a security issue known in an Apple product. I know you want to believe they were threatened, but there is simply no proof of that at all. And given how many issues - some very serious - that Apple patches, and given that it freely lists acknowledgments to reporters and discoverers, this idea that they were somehow "threatened" just doesn't hold water.

Apple patches issues of which it's informed, period. Now, some can argue sometimes they don't think it's fast enough, or Apple should be doing more audits, etc., but the fact is, if you report a provable issue to Apple, it WILL get patched. Sometimes it happens more quickly than others, but I've never seen an occurrence, to date, of a REPORTED issue not getting fixed. Again, how soon the fix becomes available is at issue for some, and I imagine always will be.

Also, this issue, while it should certainly be fixed, requires the card to be in promiscuous scanning mode to be easily exploited. The likelihood of this being able to be exploited if that is NOT the case appears low or remote, to virtually impossible. So an issue, yes, but also no evidence that it had even been reported to Apple before it was posted. So fine, Apple can (and will) patch it now. Will it happen instantly? Probably not.

But I am really curious to know what you meant by that statement...

- Dave

Anonymous said...

longest comment EVAR.

Ryan Russell said...

Hey Dave, thanks for taking the time to comment. I wasn't really intending to rehash the whole saga, but since you took the time to post a very nice summary, let me see if I can address a few key points, and disclose my biases and assumptions on the matter.

First off, you can find my extraordinarily-sarcasm-ridden comments on the original topic here. I didn't intended that to be any kind of serious refutation, but you can get a flavor for some of my beliefs on the subject. let me repeat a few here in a little more serious tone.

-I don't believe Apple is being completely honest when they say that they weren't given the information. A best, I think they are being incredibly insincere by wording things very carefully. At worst, they are just lying.

-If you go over the video with a fine-tooth comb, you will see a few little discrepancies. Some people have done this. I believe that those don't mean that the video was faked (in the sense that the Mac zealots think). Rather, I think the video originally showed Maynor also popping the MacBook with the built-in card (in addition to the USB one), and that they had to cut it down because of some pressure from someone.

-I don't particularly care if Krebs' article was sensational. I also don't think he would just make up a non-existent demo and wording about "leaning". I don't particularly worry about Maynor's attitude towards Mac users. I think I share a significant portion of that contempt myself, and display it things like the blog entry you replied to here.

-Seriously. These Mac users who don't understand security models, don't understand the difference between vulnerability and threat, and just outright deny any suggestion that there was a security problem, they drive me insane.

-Clearly, something happened that made them shy all of a sudden about presenting their findings at a conference. OK, two conferences (see toorcon.) There is blame on the table for Apple, from one camp. Does anyone want to argue that Apple doesn't like to sue people? Does anyone want to argue that Apple doesn't have a stated policy of denying the existence of unpatched vulnerabilities? Want a cite?

-Clearly, I'm of the opinion that Maynor and Ellch have a real something. No, I can't point you at any proof, sadly. I'd love to. But that's what I believe, and there is a lot of personal experience, bias, and a tiny bit of private info behind that opinion.

-So if they have something, did they share it with Apple? For a lot of the same reasons, I also believe they did.

-Did Apple in some way pressure them to not present findings? I believe that is likely. It could have been legal threats. It might have been as "innocent" as a business relationship between SecureWorks and Apple. I.e. Apple may have even paid for their silence.

-Ellch has provided some proof now that he knows how to exploit wireless stuff in general, no?

-If you read carefully, Ellch has indicated in emails to public mailing lists that "that" Apple wireless patch fixed "their" vulnerability.

So, for your second post. That means that I think; Apple put some kind of pressure on them to not present, Apple put out a press release that for all intents and purposes was equivalent to a lie, Apple did get the vulnerability info from Maynor and Ellch, and based their patches on that, and Apple still doesn't acknowledge that nor give credit for it.

No, I won't argue that there is sufficient proof for everyone to say for certain that it happened that way. Clearly, the general public (myself included) are missing some key info to decide that for sure.

Which leads to today's vulnerability. Doesn't particularly matter how few models or what comm mode you need to be in to exploit it. That's not the real point, and that's more of the kind of Apple/Mac zealot denial that drives me insane. Rather, the important part is who gets told when. There are a number of researchers who are on Maynor & Ellch's "side". When they find an OS X vulnerability, they have to decide what to do with it.

There's this game that software vendors like to play called "responsible disclosure". They think it means that the researchers have to give all their research to the affected vendors, and wait for however long the vendor wants them to before they do anything else with it. They often forget that there is an expectation on the researcher's end for some credit, acknowledgement, response, timely patches, and so on.

There is absolutely nothing to force the researchers to play the way the vendors want. So if Apple doesn't want to play, then neither will some of the researchers.

By itself, Apple stating that it will not acknowledge vulnerabilities before the patch is out is enough to get some researchers to not play. Since Apple appears to have done much worse than that, I expect more releases like todays.

What'd I miss?

(Anonymous: How's this one?)

Silver said...

ryan - one wonders what was so special about the Maynor / Ellch discovered vulnerability that made Apple respond in the way you accuse them of. It isn't like this was the first vulnerability ever found in MacOS X. A quick browse through Apple's security patches shows many patches do give credit to those who reported them.

Ryan Russell said...

Silver: Like many vendors, Apple will (apparently) give credit if you keep your mouth shut until their patch is ready. Maynor and Ellch declined to keep its existence secret beforehand (though they did hold back details), and in fact got some publicity for it.

PatrickQG said...

Seriously, why the hating on Apple Ryan? Did the company steal your children or something? Because the irrational hatred of Apple is about as stupid as the irrational hatred of Microsoft.

There's no proof whatsoever that Apple did anything untoward with regards to the SecureWorks "incident", yet somehow SW, who have yet to provide any evidence that the exploit was against a stock MacBook running stock software, are the good guys? Huh?

In either case publicly revealing an exploit without first providing the responsible company with a chance of providing a fix is just plain, well, irresponsible.

For some reason people love to hate Apple. Don't understand it myself.

Anonymous said...

Does anyone want to argue that Apple doesn't have a stated policy of denying the existence of unpatched vulnerabilities? Want a cite?

Yes, please. Thank you.

Anonymous said...

In your rebutal to Dave's excellent (and long) comment you keep stating "Clearly, something..." and "Clearly this..."


That word, I don't think it means what you thinks it means...

Seriously, your replys is full of "Opinions" and "Beliefs" and seems to be totally short on "Proofs" and "Facts".

Matt said...

Personally I have to believe Apple here just because they have more to lose if they're caught in a lie like this. SecureWorks is a company no one had heard of before this incident. Maynor and Ellch have said little to nothing publicly on what they may or may not have found. The only people I've seen making the claims that Apple is lying or applying legal pressure, or whatever are tech reporters and bloggers. Ou and Krebs seeming to be the most outspoken, and both have blown any form of credibility they may have had. One needs to look no further than Ou's coverage of this vulnerability to see he doesn't have the slightest clue what he's talking about. In his world Airport means PPC and Airport Extreme means Intel.

What it comes down to is Maynor and Ellch could have easily publicly shown Apple to be lying. If they really had a vulnerability that could affect stock MacBooks, all they needed to do was publicly demonstrate it. Responsible disclosure would have gone right out the window when Apple essentially called them liars. They never did this though. They have presented zero evidence that their exploit ever worked on a stock MacBook and they have yet to explain the anomalies in their video.

Until someone is going to show me some proof, I'm just going to believe the group who has the most to lose from being caught in a lie.

Nicholas said...

"Seriously. These Mac users who don't understand security models, don't understand the difference between vulnerability and threat, and just outright deny any suggestion that there was a security problem, they drive me insane."

This is weak ad hom; I've followed this issue from when it first broke, and I have never seen any serious commentary (apart from a very few fan boi forum trolls and comment posters) that could be so characterized. All the Mac media coverage I read acknowledged the possibility of Mac security flaws, and the importance of having them addressed. The issue, and what was covered, was whether Maynor and Ellch had indeed found something, whether they had communicated it to Apple (and in a way that allowed Apple to address the issue), the apparent bias in their comments to Krebs and the manner in which he reported it, and the truthfulness of Apple's response. Apple risked a shitstorm of bad PR, as well as violation of financial disclosure laws, by lying about what happened, so I tend to believe what I think is the far more likely account, so well recounted by Dave above.
Despite the fact that the situation seems pretty clear, people insist on stirring the pot. And no one has shown that this new exploit has anything to do with the vulnerability described by Maynor and Ellch (triggering a race condition in the third party driver by pummelling it with packets from two separate wifi cards). Also Maynor and Ellch's purported exploit required a netcat UDP listener running on the victim, which requires prior access to the machine. Some vulnerability...

Anonymous said...

I am going to clear this up once and for all. The vulnerability that Jon Ellch discussed on the DailyDave mailing list was NOT an Apple vulnerability. It was a vulnerability in Intel drivers for WINDOWS. Jon was not attempting to dump evidence of the apple vulnerability but instead show that these types of bugs are indeed real, possible, and exploitable.

So people who think that what Jon talked about was an Apple bug fit in to two nice categories:
1. You don’t know what Centrino is. Apple does not ship any Centrino products.
2. You couldn’t understand the crash dumps made available with it. Unless I am mistaken loading Apple crashdumps into windbg and doing !analyze –v wouldn’t work.
If you fall into one of these two categories please stop talking about this and you have no clue what you are babbling about.

So lets recap, the Mac vulnerability did not require a netcat listener, a Centrino vulnerability did. The netcat listener was used to make demoing the vuln easier since otherwise you would have to wait to win a race condition to exploit the vulnerability.

Anonymous said...

more Apple 0day in bluetooth.

Ryan Russell said...

Patrick: I hate a few things in particular here. I hate Apple's handling of vulnerability disclosure. I hate their marketing efforts around security issues. I hate that some vocal chunk of Apple's userbase (zealots) buy into this marketing to the point that they cannot believe there are any security problems. I think that's it. I have used Apple products on and off for 25 years now. Still typing this on the iBook G4.

Anonymous: Apple's acknowledgement policy:

Anonymous: Clearly, when I say "clearly", I mean clearly to me. Still, I said: "Clearly, something happened that made them shy all of a sudden about presenting their findings at a conference." You don't find that to be correct? Then: "Clearly, I'm of the opinion that Maynor and Ellch have a real something." You don't think it's clear that I hold that opinion? Also: "Clearly, the general public (myself included) are missing some key info to decide that for sure." You don't think that info is missing? Clearly, someone wanted to work in a Princess Bride quote rather than actually disagree with those particular statements.

Matt: You just disagree with my opinions and conclusions, which is obviously fine. I will just say that I believe that Apple doesn't care one bit if they get caught in a lie. Would it actually cause them any harm at all if it came out? Maynor and Ellch, on the other hand, DO have some reputation to lose, and I think that would affect them. If you watch any of the followup from Ellch in particular, it seems obvious to me that it's killing him that he isn't allowed to show what he knows.

Nicolas: Absolutely, this is an ad hominem attack against the Mac zealots, that is a big part of the point. I try to limit the attacks to that particular group, apologies if in my rantings I expand them beyond that group. I'm certainly aware that there are security knowledgeable Mac users out there, I like to think I am one.

As to your other points, no one should be claiming that this current attack is the same one as Maynor and Ellch's. After all, that one was patched, and this one isn't yet. The relationship between that vuln and this one is that the prior one has had an impact on how this one was disclosed. And your netcat statement is the kind of misunderstanding that drives me nuts. The claim is that they found that having a listening UDP port made their attack work better. No, that doesn't mean that you would have had to pre-compromise the machine and install netcat. Another listening port would have worked, too.

The Nog said...

Why is it anyone who points out that Ellch and Maynord refused to give any information on the flaw is called a "zealot?"

Ryan Russell said...

the nog: That's not the definition of "Mac zealot" I'm using. Obviously, Maynor and Ellch have so far declined to provide public proof. I'm defining zealot as Mac fans that use any kind of inconsistency or lack of proof as evidence that no problem exists whatsoever. Or they make claims that viruses and malware on the mac "aren't possible", or say things like "there is no exploit, so no one has to worry about it". Things like that.

Anonymous said...

... some vocal chunk of Apple's userbase (zealots) buy into this marketing to the point that they cannot believe there are any security problems.

-- This is so true. For instance, a blogger at MacUsingEducators believes his machine is immune to those "virus thingees". Those zealots are caught in a world where though it's POSSIBLE to exploit a Mac OS X machine, such a situation almost NEVER happens. So, to the uneducated layperson, VIRTUALLY exploit free == exploit free.

-- all in all, the Mac OS X platform has held up well on a wide scale, but my concern is for the 1 unskilled user being exploited by the skilled cracker. All it takes is 1 Drivers license, credit card #, bank acct. etc. At the end of the day, cracked Airport drivers or virtually virus free, my security is MY security. Apple and Secureworks/Cache/Maynor have gotta figure out their business ...

can't waste another mental cycle on this.

PS. I like the debate. Pretty respectful, IMHO.

-- chemicality

Sheldon said...


I'm confused at your dislike for Apple's security policy. Any security information in the hands of a miscreant is bad news - even knowing what a security flaw affects allows the attacker to begin probing.

My career is in physical security, as in threat vulnerability assessments for physical properties/security systems/etc. We have similar disclosure policies.

If I notify a company of a security vulnerability and they or I publicly disclose that vulnerability, we are doing more of a disservice to their customers than if we had not found the flaw in the first place.

Either way, the vulnerability can be exploited - but why tell the public before the situation has been fully investigated and better yet, resolved.

Ryan Russell said...

Sheldon: You are asking, in essence, about the entire full disclosure discussion. I'm not getting into that here, now. If you want the really short pithy answer, the purpose of blindsiding Apple like this is to make Apple change its policies and behavior. Or at least, that would be my reason if I were the one doing in this case, rather than just talking. But I think I've got the gist of what the MoKB guys are up to.

You may think that sounds stupid and idealistic, but it has worked on bigger companies in the past.

Anonymous said...

For the anonymous poster that wants a cite on Apple's acknowledgement policy:

"For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. Apple usually distributes information about security issues in its products through this site and the mailing list below."


Simply put, Apple will not even confirm the existance of a security problem until a patch exists. Any questions?

Anonymous said...

"I might as well try to be careful about technical accuracy. I've seen how the Mac community reacts to any little inaccuracy."

Actually, since you are a security researcher and professional, I would expect you to be careful about the technical accuracy of any public postings or discourse concerning security. You should be careful, not because of anything to do with the Mac community's reaction, but because any inaccuracies will negatively affect your credibility.

A cavalier attitude towards these details doesn't help your reputation in the eyes of your readers. You are an expert and we count on you to know what you are talking about.

Dave said...

To the person saying "more 0day in Apple bluetooth", that's NOT a 0day for anything.

This is an old presentation and I don't know why that post is calling it a "Bluetooth 0day for Macs" when even back when this was released months ago, the vulnerability had already been patched in all versions of Mac OS X for a year (since June 2005). "0day" means the vendor hasn't patched yet by the time a vulnerability is described. This is the furthest from a 0day you could get, and it's not even a new exploit, it's one that was talked about MONTHS ago.

Learn how to read instead of making an incorrect kneejerk post about a 0day that's more like a patched-550day that makes you look like a fool.

- Dave

Anonymous said...

"use any kind of inconsistency or lack of proof as evidence that no problem exists"

That is logic?? I think I am flying spaghetti monster zealot then . How totally stupid can you get Ryan ?

Anonymous said...

"use any kind of inconsistency or lack of proof as evidence that no problem exists"
I mean that kind of reasoning is the proof that you are the zealot. there is no proof that you are right? there are even inconsistencies in what you are saying? but you still want to believe you are right stupid zealot!!!

Ryan Russell said...

Anonymous: "use any kind of inconsistency or lack of proof as evidence that no problem exists"

Oops, yes that is extraordinarily bad wording on my part, sorry. I didn't mean to go the "facts can be used to prove anything that is remotely true" route.

When I say "lack of proof", I meant the kind of proof that Mac zealots seem to want. Such as "You will meet me in the park at exactly 12:05, I will unbox the brand-new MacBook, and you will read the contents of the secret file I just typed in."

As opposed to: Apple shipped a patch for it. We still don't believe the vulnerability existed.

Anonymous said...

Mac zealots, mac fanboys ... yup beeen running into those for the past 20 years. They are one of the two reasons I don't like my macs.

The ones I have ran into can not comprehend there are other ways of doing things and macOSX is restricting in many ways. The sad news is because of this OSX has not changed into the gloryious OS we all been waiting for.

Its a decent operating system with some brilliant ideas but bloatware excecution. And not nearly as much freedom as you get with Windows 2000.

Its funny, after using macs for about 20 years on a daily basis I still don't like them. To rigid, I always tell people "the OS you like is based on the way you think"

Thats why I liked the AmigaOS: as free as you could be.

but this is the problem with the mac fanboy community: all they can answer to this is "you just don't understand how it works" but thats the problem, people who are actual computer users and not mac users do understand and i have never ran into anyone that thought the mac was a god given machine.

We all agreed that by closing the eyes of the users its just a matter of time. You see as long as people don't think they have spyware and don't search for it, they can get infected.No doubt a lot of mac user s have a million tracking cookies.

This is what i learned from running Unix servers: You need to close every hole on your computer you can possibly imagine because a cracker only needs one to get in.