secure by design .. but missing the point...

octane

I have issues, OK!
I found this on Mac Slash:

Anonymous Coward writes "Well, Microsoft managed to expose a vulnerability in OS X by way of their VPC product. Details found here." From their security warning: "A security vulnerability exists in Microsoft Virtual PC for Mac. The vulnerability exists because of the method by which Virtual PC for Mac creates a temporary file when you run Virtual PC for Mac. An attacker could exploit this vulnerability by inserting malicious code into the file which could cause the code to be run with system privileges. This could give the attacker complete control over the system. To exploit this vulnerability, an attacker would have to already have a valid logon account on the local system, or the attacker would already have to have access to a valid logon account." Updates are available to fix this hole and should be installed post haste.

The point here is: "To exploit this vulnerability, an attacker would have to already have a valid logon account on the local system, or the attacker would already have to have access to a valid logon account."

This is a pretty big point. And just like the DHCP vulnerability recently, the same applied to that; you have to be within the network to instigate an attack.

What got overlooked in all the hooha was the fact the patch Apple cooked up was to fix a flaw with the DHCP standard itself and _not_ Apple's implementation of it.

The fact of the matter is, if you have username & password access to a mac and you wanted to do damage, why the hell would you fart-arse around with some swap file? As a security flaw, this is not blowing wind up my skirt.

Contrast this with Windows security. Two words: Night & Day...
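The advisory quoted above attributes the flaw to how a program running with system privileges creates a temporary file. As an added example (not Virtual PC's code and not part of the original post), this C program shows the general class of unsafe temporary-file creation beside two hardened forms; the function names and the `/tmp` paths are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak pattern: fixed, guessable path opened without O_EXCL. A file or
 * symlink that another local account created first is silently reused. */
int open_temp_weak(const char *path)
{
    return open(path, O_WRONLY | O_CREAT, 0666);
}

/* Hardened: this call must create the file itself. With O_EXCL, open()
 * fails with EEXIST if anything, including a symlink, has that name. */
int open_temp_strict(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    /* Defence in depth: regular file, owned by us, exactly one link. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        unlink(path);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Preferred: mkstemp() picks an unpredictable name and creates it with
 * O_EXCL and mode 0600. tmpl must end in "XXXXXX" and is rewritten. */
int open_temp_random(char *tmpl) { return mkstemp(tmpl); }

/* Constructed scenario: a file already sits at the predictable path before
 * the program starts. Returns 1 when weak reuses it and strict refuses. */
int demo_preexisting_file(void)
{
    char dir[] = "/tmp/tmpdemoXXXXXX", path[64];
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(path, sizeof path, "%s/app.tmp", dir);
    int planted = open(path, O_WRONLY | O_CREAT, 0666); /* the other account */
    if (planted < 0) return -1;
    close(planted);
    int weak = open_temp_weak(path);
    int strict = open_temp_strict(path);
    int refused = (strict < 0 && errno == EEXIST);
    if (weak >= 0) close(weak);
    if (strict >= 0) close(strict);
    unlink(path);
    rmdir(dir);
    return weak >= 0 && refused;
}

int main(void) { printf("weak reused, strict refused: %d\n", demo_preexisting_file()); return 0; }
```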
 
More than one thing's wrong with what you're saying, though...

1.) No, the attacker does _not_ need to be 'in the network' (as in 'a local user') to exploit the VPC vulnerability. He needs to have access to an account on the machine. Means: He could login to the Mac remotely.

2.) Apple's patch for the DHCP vulnerability did _not_ in fact 'fix a flaw with the DHCP standard' - it just turned off a feature that was on by default. People who want to use the feature can still be attacked through the vulnerability.

Then you say: "The fact of the matter is, if you have username & password access to a mac and you wanted to do damage, why the hell would you fart-arse around with some swap file? As a security flaw, this is not blowing wind up my skirt."

Because you want root-access privileges. If you manage to crack open an account on a system (say, your Macintosh) and have access privileges of, say, the user 'octane', that still doesn't let you do everything (unless you're also the administrative user). Things like this VPC vulnerability are useful to gain root-access to your Macintosh.

If you still think hackers are trying out user/password pairs for nights on end to get inside of your machine, your machine might already be open for them. Because most of the time they just apply a known issue to several thousand machines and will be happy to use the one or two that lay open. The danger is not a single hacker wanting access to your machine. The danger is that if your system is not secure, one of the thousands of script kiddies just might try the IP-range YOU're in - and find your machine open for their access.
 
OK I have a question. This is probably an extremely n00b question but I don't care - I'm no genius:

Since I'm behind a router (AirPort, or anything) how easy is it to connect directly to my computer from outside my network? I don't have port mapping set up to go to this specific computer at all. So is it easy to gain access (or at least access to the u/p prompt)? Or am I pretty safe being behind a router?

Thx,
Kevin
 
fryke said:
More than one thing's wrong with what you're saying, though...

1.) No, the attacker does _not_ need to be 'in the network' (as in 'a local user') to exploit the VPC vulnerability. He needs to have access to an account on the machine. Means: He could login to the Mac remotely.

You're missing the point that I'm trying to make. You _still_ need the account details no matter what you plan on doing...

fryke said:
2.) Apple's patch for the DHCP vulnerability did _not_ in fact 'fix a flaw with the DHCP standard' - it just turned off a feature that was on by default. People who want to use the feature can still be attacked through the vulnerability.

Now you're nit-picking. And again, you're missing the point I'm trying to make: Apple got a lot of stick for a vulnerability that wasn't their fault in the first place...

fryke said:
Then you say: "The fact of the matter is, if you have username & password access to a mac and you wanted to do damage, why the hell would you fart-arse around with some swap file? As a security flaw, this is not blowing wind up my skirt."

Because you want root-access privileges. If you manage to crack open an account on a system (say, your Macintosh) and have access privileges of, say, the user 'octane', that still doesn't let you do everything (unless you're also the administrative user). Things like this VPC vulnerability are useful to gain root-access to your Macintosh.

:confused: You're just not reading through what I'm saying, are you? Again, this isn't an issue with Apple software, it's third-party software .. it's Microsoft software! Now there's a surprise!

Just how many people are going to be running a copy of Virtual PC? This isn't a vulnerability in the sense that it's a pervasive flaw within the mechanics of OS X itself...

fryke said:
If you still think hackers are trying out user/password pairs for nights on end to get inside of your machine, your machine might already be open for them.

Again, the point is getting lost on you.

With Windows, all you need to take control of a Windows pc is something stupid like a javascript file in an email .. no username & password required.

With a mac, at the very least, you need a username & password before you can do anything.

Since I put my G4 up on the fixed IP I've got with my broadband connection, I've had between 3 and 5 crack attempts per week. All of which are people / viruses assuming I'm running IIS on Windows.

I don't know what insults me the most, the crack attempt in the first place or the assumption I'm running Windows...
 
Kevin
I've been watching you for days now behind your router :)

Just kidding. You are safe.
 
kainjow said:
OK I have a question. This is probably an extremely n00b question but I don't care - I'm no genius:

Since I'm behind a router (AirPort, or anything) how easy is it to connect directly to my computer from outside my network? I don't have port mapping set up to go to this specific computer at all. So is it easy to gain access (or at least access to the u/p prompt)? Or am I pretty safe being behind a router?

Thx,
Kevin

PRETTY safe. There are still things that can happen, but most of them require you to do something (connect to an "unsafe" system, execute an attachment that does bad things, etc). For the most part people trying to get in to you will be blocked. It's *pretty* good protection, but by no means perfect.

Airport might be a hole, for example, since Wi-Fi is relatively insecure and easy to break, even with security/encryption turned on. Of course, it might require someone being very close to your house for quite a while.
 
I've got a router / firewall connected via ethernet to my G4.

My G4 has the firewall switched on with only web server and personal files shared.

Then I use my G4 as an ad hoc AirPort router for my iBook which also has its firewall switched on. But I only occasionally use my wireless network, it's not like it's on all of the time.

I've set the wireless network up with 128-bit WEP encryption but I'm going to get my friend over to configure the networking so that the two AirPort cards only accept connections from the MAC addresses on my G4 and my iBook.

I don't have a base station, I just use a couple of AirPort cards which for me is just as good and a lot cheaper.

The thing is, I live in a small village in the middle of nowhere, so this really is overkill .. but it's a laugh if nothing else...
 
drustar said:
Why would you even taint a mac w/ anything PC related (install VPC)?

I'm a web developer and 90% of my clients' audience are PC users. I have to know that my web sites and web applications both work and look the way they should...
 
octane, you wrote: "Again, the point is getting lost on you. With Windows, all you need to take control of a Windows pc is something stupid like a javascript file in an email .. no username & password required." --- I rather feel secure than 'more secure'.

you went on: "With a mac, at the very least, you need a username & password before you can do anything." --- That's where you just might be wrong and should have read what I wrote. You don't _need_ a user name and the password. You only need an open door like a vulnerable SSH server, DNS well - whatever, basically. There are buffer overflow hacks that give you local access (you'll be on the shell) as the user the process you hack runs as. A simple example: Say, you've got a vulnerable installation of Apache (this is just an example!). Apache runs as, say, user wwwrun, which has limited capabilities on your machine. An attacker might get access by exploiting a known issue and suddenly have shell access as the user 'wwwrun'. While this is not yet enough to take over your machine, he can now execute _other_ and _local_ vulnerabilities. He can make OUTGOING ftp connections, for example. He could _already_ use _your_ machine to attack other machines in your network or outside...

It's okay to feel safe. Just don't blame anyone but yourself if something happens all the same.

I got your message, you don't think that this security issue is severe as in 'Windows can be hacked by malicious JavaScripts'. But if one door to your Mac is open and a script kiddie happens to scan your network range for _that_ vulnerability, you're done.
 
fryke said:
octane, you wrote: "Again, the point is getting lost on you. With Windows, all you need to take control of a Windows pc is something stupid like a javascript file in an email .. no username & password required." --- I rather feel secure than 'more secure'.

And? I don't understand the point you're trying to make, here...

fryke said:
you went on: "With a mac, at the very least, you need a username & password before you can do anything." --- That's where you just might be wrong and should have read what I wrote. You don't _need_ a user name and the password. You only need an open door like a vulnerable SSH server, DNS well - whatever, basically. There are buffer overflow hacks that give you local access (you'll be on the shell) as the user the process you hack runs as. A simple example: Say, you've got a vulnerable installation of Apache (this is just an example!). Apache runs as, say, user wwwrun, which has limited capabilities on your machine. An attacker might get access by exploiting a known issue and suddenly have shell access as the user 'wwwrun'. While this is not yet enough to take over your machine, he can now execute _other_ and _local_ vulnerabilities. He can make OUTGOING ftp connections, for example. He could _already_ use _your_ machine to attack other machines in your network or outside...

I read everything you had to say, like I have with the above and again [sigh] you're just utterly avoiding the simple facts and stepping over them to prop up your argument.

Even worse, you're drifting way off topic. Wasn't my original post to do with Virtual PC?

Is SSH on by default with OS X? No. Of course SSH offers a way to get into a computer, so does ftp or any other port, I'm not contesting that.

To make absolutely clear to you the point that I'm trying to hammer home in this thread .. OS X is by default more secure than Windows.

Who cares what little nooks & crannies you offer up to the great unwashed. You open every port up, your level of security diminishes .. it's a given.

fryke said:
It's okay to feel safe. Just don't blame anyone but yourself if something happens all the same...

I got your message, you don't think that this security issue is severe as in 'Windows can be hacked by malicious JavaScripts'. But if one door to your Mac is open and a script kiddie happens to scan your network range for _that_ vulnerability, you're done.

Hands up all those crackers who know about or even care about the mac? I'm not complacent, if that's your angle.

The average cracker doesn't care who you are, the challenge to them is the cracking, often there is no financial motive, it's all about the challenge.

Also, you're scare-mongering. I'm at a loss as to your agenda.

Just about everyone on this forum understands these issues, it isn't like I or anyone else reading this thread is new to this sort of thing.

To reiterate, OS X is by default more secure than Windows...
 
Hmm... octane, I have _not_ misunderstood what you wanted to say. I get that. Yes, Mac OS X is more secure than Windows. It's a nice statement. And of course it's wrong to describe this VPC vulnerability as 'severe' in the sense that a) not many people use Macs and b) not many of those use VPC. However, the statement that it _is_ a severe vulnerability for those who _are_ using Macs and _are_ using VPC is true.

And about hammering... I did not want to say your statement that Mac OS X is more secure than Windows was wrong. I only want to warn against feeling _too_ secure. 'More secure' is not equal to 'safe'. And your statements show that NOT "just about everyone on this forum understands these issues".

I did not talk about financial motives. I did not talk much about the motives of hackers at all. I only wanted to make clear one very simple and mostly overlooked fact. The fact that while you are not a _specific_ target as a Mac user, you're still a target. You say that crackers don't care about the Mac. They don't _have_ to. We're using open source networking software. We're using software with bugs, too. (No such thing as a software without bugs in my opinion.) If a certain software that a Mac is running by default (be it a DHCP client, be it whatever, I don't care because I don't know - and neither do you - what's going to be the next funny vulnerability) is faulty, it could be one that is not only used on Mac OS X but also on linux and other UN*X variants. Like OpenSSH (was affected several times in the past two years). Or named. Or Perl. Or whatever. And the hacker doesn't _have_ to care whether it's a Mac that runs the software or a Dell PC with RedHat installed. Because the vulnerability (and its exploit) is the very same. Only after the hacker has access to the machine he will have to care about what kind of machine he's dealing with.
 
And about why this is _on_ topic, just to make it clear:

1.) A cracker scans a network range for exploit 27a3 (just an example).
2.) A cracker happens to hit your machine with the exploit, because your Mac runs the affected software.
3.) He has shell access as a low-level user.
4.) He can exploit the VPC vulnerability (of course only if you're actually running VPC).
5.) He ownz your machine.

The important point is that too many people are inattentive to such issues. Threads like yours let people think it's not _that_ important that they install the updates. But that's exactly what people _should_ do. Known vulnerability leads to exploit of it. Patched software is immune to those exploits. That's the message users should be given. Not that OS X is safe.
 
fryke said:
Threads like yours let people think it's not _that_ important that they install the updates. But that's exactly what people _should_ do. Known vulnerability leads to exploit of it. Patched software is immune to those exploits. That's the message users should be given. Not that OS X is safe.

Fryke, whether through sheer argumentative spite or just plain neglect, you have lost the argument hands down.

Your last post merely raked over all that I had said previously, yet you presented it as if you were mounting some moral assault.

Love the bullet points, I guess you're a bit of a Powerpoint whizz?

Just explain to me how something is more secure than secure? Is that like a cup can be more full than full?

[?]

Again, I'll make the point, by default, OS X is more secure than windows. This however, does not in any way translate to being impenetrable.

I can't be held accountable for the shortcomings in your grasp of this thread. If you misinterpret what I say, then so be it.

What you're stating is analogous to someone saying: 'Hey! You're only going to get your house broken into if you leave the keys in the door!'

We know this! I know this! Anyone with a skerrick of sense knows this! Stop stating the obvious and drifting into obtuse niche arguments...
 
Well I've got a Netgear DG814 Router, which has its own firewall, and a G4 with the Panther firewall turned on. All file sharing is off, remote logon is off, windows sharing is off, in fact everything is off although I have port-forwarding for Bit Torrent.
I don't, nor will I ever have, VPC.
I have a static IP address.

So am I safe? Or is some egghead going to grep my machine anyway?
 
MacMuppet said:
Well I've got a Netgear DG814 Router, which has its own firewall, and a G4 with the Panther firewall turned on. All file sharing is off, remote logon is off, windows sharing is off, in fact everything is off although I have port-forwarding for Bit Torrent.
I don't, nor will I ever have, VPC.
I have a static IP address.

So am I safe? Or is some egghead going to grep my machine anyway?

I would say you're relatively safe. Plus, remember spam rules (don't open attachments, etc.) I would safely say you're about 97% secure. I would also encourage you to turn off any wireless card when not using it (if you have one) and try not to brag on the Net and you should be safe. All things considered, no computer is 100% safe. However, anything NOT Redmond has an advantage in code and relative obscurity. Some better than others. :)

Also, a little preventive maintenance goes a long way in the computer world. Check your firewall logs and report port sniffers to your ISP or the local authorities. Plus, keeping a low profile on the Net will help security too. Compliancy will kill any network/computer security!
 
MacMuppet said:
So am I safe? Or is some egghead going to grep my machine anyway?

Good question.

Better ask Fryke. I'm guessing DoS attacks or some other overkill method of net death is to be the next topic on the agenda for our lively little thread...
 
*sigh* ... just read my very first answer again, octane. Maybe I shouldn't have corrected you in the first place. My intention never was to flame you in any way, I just wanted to correct you where you were mistaken, mostly because I hear a lot of false information about security issues. If you want to further argue about how your first post in this thread was not mistaken at all or something, take it to e-mail. You know where to reach me.
 