• This forum is for posting news stories or links from rumor sites. When you start a thread, please include a link to the site you're referencing.

    THIS IS NOT A FORUM TO ASK "WHAT IF?" TYPE QUESTIONS.

    THIS IS NOT A FORUM FOR ASKING QUESTIONS ABOUT HOW TO USE YOUR MAC OR SOFTWARE.

    This is a NEWS and RUMORS forum as the name implies. If your thread is neither of those things, then please find the appropriate forum to ask your question.

    If you don't have a link to a news story, do not post the thread here.

    If you don't follow these rules, then your post may be deleted.

Safari exploited

Joined
Oct 10, 2004
Messages
10,345
Reaction score
597
Points
113
Location
Margaritaville
Your Mac's Specs
3.4 Ghz i7 MacBook Pro (2015), iPad Pro (2014), iPhone Xs Max. Apple TV 4K
Meh, something else for Apple to fix....
 
Joined
Oct 13, 2006
Messages
724
Reaction score
60
Points
28
Location
Blacksburg, VA
Your Mac's Specs
13'' Macbook w/ 2Ghz Core Duo, 2GB DDR2, 250GB HD, 10.5.4. iPod Touch.
That is pretty funny.
 
Joined
Feb 2, 2004
Messages
12,455
Reaction score
604
Points
113
Location
PA
Your Mac's Specs
MacBook
Well, let's look at some key details for this "hack":

1. "CanSecWest organizers will set up the MacBooks with their own access point and all security updates installed, but without additional security software or settings."

2. After nobody was able to successfully complete the task, the rules were then 'relaxed'. This was planned, as they expected failure. The original contest site states: "progressive rules over the three days". In the relaxed set of rules, a URL was provided that exposed Safari to a "specially-constructed Web page" which allowed the hacker to gain shell access to the MacBook. In other words, they continually aided these "hackers" by gradually crippling the machines to a point where no conscientious person would have his system set up.

3. What exactly did he do? The details have yet to be published, and whether or not his "exploit" was malicious or not. Did he have root access? How so, the root user is disabled by default. If he had root, then he would have to have had access on a local level, not from a different machine. He would have also have needed the machine's password in order to activate the root user. The only way to have such information is to have exclusive knowledge of the machine, something your average hacker would not have.


After reading those articles and others related to this story, it would seem that the computer being "hacked", is the SAME computer that is being used by the "hacker"??? Sure, when you relax rules, allow a person to "hack" the very machine they are working on, thus giving them complete and total local access to the machine.... well, suddenly this doesn't seem so sensational or like much of a grand acheivement.

"I can hack my very own Mac, the one sitting in front of me...w00t r0X0rZZZZ!!!!111"

Give me a break.
 
Joined
Mar 9, 2004
Messages
9,065
Reaction score
331
Points
83
Location
Munich
Your Mac's Specs
Aluminium Macbook 2.4 Ghz 4GB RAM, SSD 24" Samsung Display, iPhone 4, iPad 2
I don't think that was the case...

From what I've read, the change they made to the rules allowed the contestants to send the remote macbook an email containing a url, that was then opened by the competition organizers.

This is a fairly typical point of attack for many systems and is actually particulary dangerous in OS X mail as you can really easily disguise links and there's no way to see where the link actually goes before clicking on it.

1. "CanSecWest organizers will set up the MacBooks with their own access point and all security updates installed, but without additional security software or settings."

That would be the majority of OSX users out there - I doubt many members here run 3rd party firewalls or "security software".


I agree the the reporting surrounding the exploit has been very sensationalistic, (is that a word? :)) but the hack itself seems legit. Nonetheless it isn't out there in the wild, should be easily fixable and doesn't really do much besides prove a point.
 
Joined
Mar 11, 2004
Messages
1,964
Reaction score
174
Points
63
From what I've read, the change they made to the rules allowed the contestants to send the remote macbook an email containing a url, that was then opened by the competition organizers.
The rules weren't changed. They stipulated from the outset that if the two Macs could not be breached in a given time, security would be weakened. This was the case, so event organizers using Safari clicked on contrived "malicious" websites built by the hackers expressly to run their exploits.

Since no one will divulge the successful hack, no one outside of the principals, and perhaps by now, Apple, knows what it is. The method might be a stunningly easy, which is highly unlikely, or incredibly contrived, which is far more likely.

The story on the exploit as written by InfoWorld has a grotesquely innacurate headline that is meant to inflame. InfoWorld is owned by IDG that regarding Apple has its own axe to grind.

The other Mac involved in the contest was not breached.
 
Joined
Nov 18, 2006
Messages
175
Reaction score
2
Points
18
Location
Wisconsin
Your Mac's Specs
iBook G3|800Mhz|256MB Ram|ComboDrive|30GB HD|
Eh, I use firefox anyways....
 
Joined
Feb 2, 2004
Messages
12,455
Reaction score
604
Points
113
Location
PA
Your Mac's Specs
MacBook
The rules weren't changed. They stipulated from the outset that if the two Macs could not be breached in a given time, security would be weakened. This was the case, so event organizers using Safari clicked on contrived "malicious" websites built by the hackers expressly to run their exploits......The method ... is highly unlikely, or incredibly contrived....

The story on the exploit as written by InfoWorld has a grotesquely innacurate headline that is meant to inflame. ....
Precisely. This hole in Safari is nothing new. It has been shown before. However, the only way to 'exploit' it is to put the target machine in a very specific, contrived, and egregiously unsafe state for it to work. A state that is really only found in a lab or other similar, controlled situation. This is not likely to happen in any real-world scenario.

The story was meant to sensationalize and to blow out of proportion, a "lab only" situation. It still proves nothing new and it is still an unlikely event to happen to any normal user. It is merely "anti-Mac", Windows fanboy propoganda disguised as "informative news".
It is sort of ironic also, that the prize here was the Mac itself. :black:
 
Joined
Mar 11, 2004
Messages
1,964
Reaction score
174
Points
63
The flaw is with Java (not JavaScript) and includes Firefox, not just Safari, this article says. I suppose any other browser would be affected, as well. A posted comment on that site in an earlier story said the same thing, so this latest article supports that poster's contention.

After reading about Java's many flaws months ago, I turned it off and have never come across a website that requires it.
 
Joined
Sep 24, 2006
Messages
2,766
Reaction score
232
Points
63
Location
Brooklyn, New York
Your Mac's Specs
15" 2014 MacBook Pro, i7 2.5Ghz, 16GB RAM, 512GB SSD; iPad 3, iPhone 6
OK, own up, who doesn't run a firewall? I always run a firewall, no matter what, which is the router default firewall as well as the OS X firewall. There is no real reason to disable it, IMO, whether running Windows, OS X, Linux BSD, Unix or DOS 1.0.
 
Joined
Feb 2, 2004
Messages
12,455
Reaction score
604
Points
113
Location
PA
Your Mac's Specs
MacBook
OK, own up, who doesn't run a firewall? I always run a firewall, no matter what, which is the router default firewall as well as the OS X firewall. There is no real reason to disable it, IMO, whether running Windows, OS X, Linux BSD, Unix or DOS 1.0.
I always run mine, it is simple common sense to do so when you have a computer active on the internet.
 
Joined
Mar 11, 2004
Messages
1,964
Reaction score
174
Points
63
Lots of people running OS X haven't turned the software firewall on even when the machine's not behind a router, because Macs don't ship with it turned on.

I never bothered with a firewall before OS X came along, and there were up to 60 Mac viruses, supposedly (though some say no more than 35), a small number compared to the Windows world but that many more than there are with OS X.

I still run OS 9 on the web without a firewall because it's no less difficult for a virus to gain entry than it ever was. And with OS 9, especially now, security through obscurity is no myth, and it's growing more obscure all the time.

But in the case of this Java exploit, a firewall would have no affect, anyway.
 
Joined
Feb 2, 2004
Messages
12,455
Reaction score
604
Points
113
Location
PA
Your Mac's Specs
MacBook
I never bothered with a firewall before OS X came along, and there were up to 60 Mac viruses, supposedly (though some say no more than 35), a small number compared to the Windows world but that many more than there are with OS X.
I never used a firewall pre-OS X either, but those two dozen or so "viruses" for the earlier Mac OSes were in reality, nothing more than bad macros for early versions of Word and Excel for Mac. If you never used or enabled macros in those apps, or if you had anything past version 5.0 for Word or Excel, then you had nothing to really worry about.:black:
 

cwa107


Retired Staff
Joined
Dec 20, 2006
Messages
27,042
Reaction score
812
Points
113
Location
Lake Mary, Florida
Your Mac's Specs
14" MacBook Pro M1 Pro, 16GB RAM, 1TB SSD
Meh, I wasn't really impressed with this news, although it did give my Windows-loving friends something to talk about. Truth be told, ALL browsers have flaws - and they always will. There's simply no way to absolutely lock down a versatile Internet-enabled portal, teeming with 3rd-party add-ons (Java, in this example) that give it even more functionality. This is just the "always-on, always connected" world we live in today. What I would find impressive would be a hack that doesn't involve a browser. There have been many Windows vulnerabilities discovered that were non-browser specific.
 
Joined
Mar 11, 2004
Messages
1,964
Reaction score
174
Points
63
Meh, I wasn't really impressed with this news, although it did give my Windows-loving friends something to talk about.
According to this, Windows probably is affected, too.
Gregg Keizer reports for Computerworld, "'Any Java-enabled browser is a viable attack vector, if QuickTime is installed. Apple's vulnerable code ships by default on Mac OS X (obviously) and is extremely popular on Windows, where this code introduces a third-party vulnerability,' said Thomas Ptacek of Matasano on the group's blog."
 
Joined
May 31, 2008
Messages
8
Reaction score
0
Points
1
The only reason the Mac was hacked was because the group wanted the Mac and they worked hard to hack it.
 
Joined
Mar 25, 2008
Messages
62
Reaction score
2
Points
8
Location
Oklahoma
Your Mac's Specs
2010 MacBook Air, 2.13GHZ, 4GB RAM, 256GB Flash Memory, SuperDrive, 32GB iPhone 4
not to sound like a dunce, but what is root access anyway?
 
Joined
Jan 3, 2008
Messages
107
Reaction score
0
Points
16
Root access gives you complete control over the system. You are superuser when you are root. Root access gives you the ability to change any system setting, modify any file, and basically whatever you want to do.
 
Joined
Mar 25, 2008
Messages
62
Reaction score
2
Points
8
Location
Oklahoma
Your Mac's Specs
2010 MacBook Air, 2.13GHZ, 4GB RAM, 256GB Flash Memory, SuperDrive, 32GB iPhone 4
i see, so what you are saying is with root access, you control every thing from the ground up? ;D
 

Shop Amazon


Shop for your Apple, Mac, iPhone and other computer products on Amazon.
We are a participant in the Amazon Services LLC Associates Program, an affiliate program designed to provide a means for us to earn fees by linking to Amazon and affiliated sites.
Top