More FUD

Satcomer

In Geostationary Orbit
Do you believe this article? I surely hope this does not become a click magnet. I mean, this vulnerability has already been fixed since the 1st of December. So do you think this guy has a hidden Mac bias? Naw, not in this day and age of honest journalism. ;)
 
(right link: http://abcnews.go.com/sections/scitech/ZDNet/mac_vulnerablility_pcmag_031211.html )

i was just about to post this topic...

this guy is to LAUGH at...

I know this is wrong, but in one respect I was happy to learn earlier this month about the discovery of a significant security hole in the Jaguar and Panther versions (10.2 and 10.3, respectively) of the Apple operating system (OS).


I was tired of the "We use Macs because they don't get attacked by viruses and hackers" refrain from Mac nuts.

I generally counter with what is apparently a secret carefully hidden from Mac zealots: "That's because only a fraction of the world uses Macs. What's the point of attacking a niche market? No one will notice!"

But the mindlessly superior retort is always the same, "No, it's because the Apple OS does not have the same holes as Windows. OS X is just a better operating system."

Given this recent development, my question is, "Will you be stuffing that superior attitude in your crow or eating it separately, sir?"


this guy seems to have issues... i wonder how they let such ppl write articles... is the editor his gay partner or somethin ???
 
Satcomer said:
Do you believe this article? I surely hope this does not become a click magnet. I mean, this vulnerability has already been fixed since the 1st of December. So do you think this guy has a hidden Mac bias? Naw, not in this day and age of honest journalism. ;)
It is already taken away :p
 

http://abcnews.go.com/sections/scitech/ZDNet/mac_vulnerablility_pcmag_031211.html
It's back up.

So after reading this article, I am very angered at his opinions. He doesn't understand the Mac community, much less care. He fails to mention the long list of security updates for Windoze. Oh well, of course there are security issues with all software. We all see it. Even Steve Jobs knows that there will be problems. It is just a matter of response time, and Apple has never failed to fix something in a timely manner.
 
Ok, I fixed the link in my original post.

Now, diablojota is right. I would also like to add that this is really almost a non-issue. DHCP is ALWAYS inherently insecure! Consider any wireless DHCP you connect to. Do you know who owns that network (I'm not talking about your home network)? Also, for someone to take advantage of this, 1) They would have to be ON THE SAME NETWORK YOU ARE ON !!! 2) They would have to know your ROOT PASSWORD!!!

Now, this sounds like a REAL WAY to lose your money/identity. This is just ONE of numerous security holes for Explorer ALONE.

I apologize for shouting. It's just I seem really miffed about baseless FUD being thrown at Apple. Now, don't get me wrong, I'm one of the first to criticize Apple when they screw up. I just don't like baseless FUD! Shame on ABC NEWS for even considering this article.

Plus, diablojota, Apple has ISSUED A DHCP FIX! Please pass this along to our fellow Mac users.
 
I like how the author ends with "suddenly it's gotten pretty quiet around here", and then doesn't include any contact information. Gee, if I stick my fingers in my ears and sing the "Henry the Eighth" song, I can't hear much either...

The author's e-mail address is Lance_Ulanoff@ziffdavis.com. Just in case anyone is interested.
 
Satcomer - just a note, this seems at first to be a relatively unimportant vulnerability, but it might actually not be.

As you noted, an attacker does need to control one computer on your local network, and could then use it to take over any Macs you own that use DHCP. So, there would already have to be one security breach just to get you access to this. Still, it's a serious enough problem for a couple of reasons.

For one thing, if you use AirPort, it could be pretty easy to insert a computer onto your local network. Could do it from across the street. If you go to an Internet cafe with wireless access, you'd probably use DHCP to get the right IP settings. So, an attacker could take their laptop to an Internet cafe, and take over people's PowerBooks.

For another thing, if you have a Windows box and some Macs, someone might take over the Windows box (hardly unlikely) and use that as a vehicle to take the Macs.

And, in a large organization or lab setting, it's relatively easy to get temporary control of one computer - all you have to do is boot it off a CD. In that situation though, the really important files are likely to be on a server in a locked server room somewhere, maybe encrypted, and you'd need the right passwords to get at them. The workstation itself is not that valuable a target. But, if you set up a Linux boot CD that runs a DHCP server, you could cause any Macs in that lab or workplace to send their passwords to you, not the regular authentication server. Then you'd have the real information you were after...

Of course, it's not as bad as the sort of vulnerabilities that are found in Windows once every month or so, but it's still pretty serious.
 
Well, like I said, ANY DHCP client has a potential security problem. DHCP is made for dishing out automatic IP assignments. So, if the DHCP server was 1) taken over on your network, or 2) you are on a network that has a server that has been hacked or turned off and a malicious server has taken its place, then other computers on the network besides/including the Macintosh are going to have real problems!

The particular problem with this so-called problem was with a malicious DHCP-supplied LDAP Server. Turning off the DHCP-supplied LDAP Server option, as described in the Apple document, is how people avoid the problem.

Why are so many people ignoring the fact that as soon as the security hole was discovered, Apple came out with a solution?
 
Oh, I think Apple did a great job of quickly countering the problem. They were very prompt with the solution (a simple one, granted, but that's just Apple ease-of-use).

I'm just saying, some people (like, say, Slashdot posters) are really minimizing what is actually potentially a real problem...
 
scruffy said:
Oh, I think Apple did a great job of quickly countering the problem. They were very prompt with the solution (a simple one, granted, but that's just Apple ease-of-use).

I'm just saying, some people (like, say, Slashdot posters) are really minimizing what is actually potentially a real problem...

Relying on Slashdot IMHO is inviting serious flame wars. Any discussion over there takes less than 3 minutes to de-evolve into a run of the mill flame war. It's the same EVERY time.
 
Yes, isn't it fun?

Actually, I did a bit of research since last posting - looks like Apple didn't actually do a very prompt job on that one. The fellow who discovered the vulnerability informed Apple immediately, and waited a good long time for them to fix it. They didn't, then didn't some more, then finally he disclosed it publicly and only then they fixed it.
 
Actually, Apple took over 2 months before issuing the problem. The person who found the problem wrote to Apple and gave them a deadline, after which he'd come out with the problem publicly. He even postponed that deadline for Apple - and Apple didn't react.

The fact that you think Apple reacted promptly is because after the person broke the news, they got a bit pale in their face, I guess... The actual problem is _not_ solved yet. There's only a document describing how to disable the feature at fault. However, there are still people who actually _want_ to use the feature.

But still: Only because Apple _has_ security issues doesn't make it 'as bad' as Windows.
 
GREAT response.. really enjoyed reading it :)

he can crow about not being overly embarrassed while working on the only mainstream operating system that, ... facilitated remote system exploitation through a word processor's clip art function!
hahahah .. my favourite part of the article.!!!
 