Are Macs susceptible to malware from merely visiting a website?

Your link above says exactly that, it’s just that the person describing it found it necessary to declare that attacks on mail clients or web browsers aren’t really hacking, in order to preserve a belief in the intrinsic invulnerability of their platform which is held as an article of faith, even when it’s contrary to common sense. The protest that the “rules were changed” is meaningless, as the contest is traditionally structured to have different targets of attack on each day.

Most malware is written with propagation in mind. Even for the small subset of malware which does not (say, exclusively limited to browser hijacking or pop-up display), Macs are not a practical target for much the same reason - the rate of potential infection is not attractive enough to make the effort worthwhile, because the exploit will be noticed and patched before an attractive number of systems are affected.

The net result is the same: Apple or Linux users don’t have to worry about these sorts of attacks. It’s silly to argue that they’re impossible, though - minority systems’ actual security has exactly the same sorts of vulnerabilities - the immunity comes from their relative obscurity.

I think it breaks down in the following ways:

  1. Someone did build a truck and it only took a few man-weeks - it’s not as difficult as your analogy tries to imply

  2. Just because you personally are unaware of a website with this type of malware doesn’t mean there aren’t any out there.
     People that write these things for financial gain typically want them to be undetectable. That very attribute is giving you the sense that they must not exist; I think that is a naive conclusion given that we know people have demonstrated this type of malware.

You will notice Win7 also repelled day 1 efforts; they have not even bothered with direct peer-to-peer exploits for the last few years. The whole contest is attacking a machine by browsing or email.

From the Wikipedia page

No, they didn’t install a virus; they simply proved you can force writing of files to the hard drive and run executable files. However, if you can do that, you can do so with any program you might want to, including installation of viruses.

No OS is somehow magically able to repel a virus because it’s a virus. A virus is a program; if the program has permission to execute, it does, period.

Uh, no. If they did, they could have easily defeated it peer to peer.

I wasn’t saying it was relevant to the topic (someone asked for a cite, so I dug one up!)

I was just:

  1. Pointing out the absurdity (to me) that the company that made one of the LEAST secure OSes EVER now has an (apparently) unassailable, rock-solid reputation for security
  2. Reminiscing with a fellow Mac Classic user

OK. Giving the hacker all the information needed to enter the Mac after he failed for a full day without it (these “test rules” repeated each year), he broke in, which proves my Mac is as likely or more likely to load malware than any Windows system, with the tens or hundreds of thousands of viruses and other malware written for that platform.

So a bank manager goes home for the night after turning off all burglar alarms and leaving the bank’s doors and vault open, and after pasting to the doorknob a map of the building’s layout with a huge “Welcome” in red letters printed at the top. The bank is robbed.

This starts a worldwide debate as to whether locked banks, locked vaults, functioning burglar alarms and no Welcome maps are any safer than a bank with all the security of a wide-open tent.

Got it.

Oh for cripes’ sake.

OK, Pwn2Own is a STAGED contest. During the first stage, only network access to the (default configuration) OS is allowed. I believe *no* machines have ever been hacked during the first stage before, but I’m not looking that up and I’m not providing a cite, so take that with a grain of salt.

In the second stage, you are given a password and the goal is to prove you can break the “sandbox” the OS/browser creates between the Internet and the local filesystem. This is the stage at which the exact type of malware talked about in the original post of this thread is invariably demonstrated on Safari/OS X. The reason is, if you can defeat the sandbox, you can install executable code on the client’s machine. Obviously, you need to be able to log in to the computer to do this, so obviously the password to the computer is provided.

There are also additional stages which aren’t relevant to the discussion.

Let’s be 100% clear:

  1. Nobody’s saying Apple is completely incompetent at basic OS security (i.e. they lose stage 1 of Pwn2Own), that’s a ridiculous assertion. Don’t get your Apple-loving underpants in a bunch over this. That said, there is a lot of room for improvement from Apple on this front, and I would argue that (measured objectively) fully-updated OS X is not as secure as fully-updated Windows 7.

  2. Pwn2Own provides the user password because, for *the exact type of attack we’re talking about* (that is, a user visiting a webpage, not a remote code execution), they need to log into the machine to open the browser and visit the damned webpage. Duh. Of course the password is provided. That is the point.

  3. Regardless of the security of OS X, it’s secure enough to defeat the casual “write it for a lark” virus writers, and doesn’t have the installed base to be desirable to the criminal virus writers. The guys winning Pwn2Own are “white hat” hackers, usually ones who have already reported the security hole to Apple, or who do so immediately after winning the contest. In one case, Pwn2Own was won using an exploit that Apple had already been made aware of weeks before, but at the time of the contest they still hadn’t patched it.

But the answer to the question asked in the original post of this thread is still yes. Yes, it’s possible. Yes, that exact scenario has been demonstrated, several years in a row, at Pwn2Own and elsewhere. Yes, yes, yes.

We’re not talking about “entering” the Mac (whatever that even means), you’re moving the goalposts. We’re talking about the Mac user visiting a website and, with no additional action on their part, ending up with a malicious program installed.

To demonstrate that exploit, you have to be able to log in to the Mac to visit the website in the first place. So yes, of course they give out the Mac’s password. How else could it possibly work?

The next part of the problem is you have to move fast; new exploits are discovered all the time and are usually fairly quickly patched. So you basically have to:

  1. Know the OS well enough to find exploits on your own
  2. Find a new exploit
  3. Find a way to propagate it
  4. Exploit Opal
  5. Benefit from it/seek recognition before it’s discovered by others and/or patched

Therefore you end up needing a team to work quickly, and teams usually cost money.

Every time you add another layer of complexity you make it less likely that someone will succeed. Only a small fraction of all users are Mac users, a tiny fraction of those can program in Mac environments, a tiny fraction of those know OS writing intimately enough to pick apart the OS, and only a small fraction of those are so inclined to do so.

You have a lot of forces working against a virus, and not all viruses work well enough to infect a broad enough base. I have a certain begrudging respect for the people that do this kind of stuff; it is not easy.

The contestant does not need the password. They can have a judge log into the machine and visit the website without the contestant knowing the password.

For the record, I’m not an “I love Apple, right or wrong”/purple Kool-Aid drinker/Steve-Jobs-is-Christ Mac maniac.

There’s plenty about Apple in general and this OS in particular I dislike, and with each update the list grows longer. I’m considering Linux.

Question about the Mac password comments: Do we mean an admin password? Or just the password of a user, without admin rights?

It would be harder to put malware on a Mac without using a password that had admin rights attached to it. If users can prevent some exploit by not doing everyday work with admin rights, it’s worth working this way (I always have).
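A quick way to settle the admin-versus-standard-account question on a given Mac is to look at who is in the local `admin` group. The following is an added example, not code from anyone in this thread: it parses the output format of `dscl . -read /Groups/admin GroupMembership` (a real macOS command whose output reads `GroupMembership: root alice`), using a constructed sample so the logic can be tried on any POSIX shell, and matches whole account names so that a short name is not mistaken for a prefix of a longer one.

```shell
#!/bin/sh
# Added example (not from the thread): report whether an account is a member
# of the macOS "admin" group, given the text that
#   dscl . -read /Groups/admin GroupMembership
# prints. Parsing runs on constructed sample text; live_check queries a real Mac.

# is_admin_member <user> <dscl-output>
# Returns 0 when <user> appears in the member list, 1 otherwise.
# Whole-word comparison: "al" does not match "alice".
is_admin_member() {
  user=$1
  dscl_output=$2
  # Drop the "GroupMembership:" label, keeping only the space-separated names.
  members=$(printf '%s\n' "$dscl_output" | sed -n 's/^GroupMembership: *//p')
  for m in $members; do
    [ "$m" = "$user" ] && return 0
  done
  return 1
}

# Constructed sample: the format dscl emits on a machine with two admin accounts.
SAMPLE_DSCL_OUTPUT='GroupMembership: root alice'

# report <user> <dscl-output>: one human-readable line per account.
report() {
  if is_admin_member "$1" "$2"; then
    echo "$1: admin (use a standard account for everyday browsing)"
  else
    echo "$1: standard user"
  fi
}

# live_check: on a real Mac, test the currently logged-in account.
# Returns 2 where dscl is not available (i.e. not macOS).
live_check() {
  if command -v dscl >/dev/null 2>&1; then
    report "$(id -un)" "$(dscl . -read /Groups/admin GroupMembership)"
  else
    echo "dscl not found; this check only applies on macOS" >&2
    return 2
  fi
}

report alice "$SAMPLE_DSCL_OUTPUT"
report bob "$SAMPLE_DSCL_OUTPUT"
report al "$SAMPLE_DSCL_OUTPUT"
```

On a Mac, `live_check` runs the same logic against the real directory service; an account that shows up as admin is the one the poster above suggests not using for day-to-day work.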

beowulff, I actually quite like your Pope analogy, because it can be extended to illustrate the problem a lot of people are having with your position.

As you posit, it is extremely unlikely that the Pope is currently infected with AIDS. If you were to have sex with the Pope today, you could be pretty much certain that you’d remain disease-free, far more so than if you banged your average streetwalker.

Now, imagine that fact is used to successfully convince every potential john in the world to have sex with the Pope instead. How do you think the odds would stack up then?

Same deal with Macs. Yes, if you personally were using a Mac right this moment, you would have a lesser chance of a passive malware infection than someone using an unprotected Windows machine. The problem is, that rationale isn’t sustainable. Convince enough people to go over to the Mac side, and the protection you’d gained from security-by-obscurity falls apart as malware authors target that platform instead.

I know your original question dealt only with the practicalities of the current landscape, but I (and, I imagine, others) honestly can’t help but read further into it…besides fodder for a “switch to Macs” argument, what use could there be for that information?

Sure - at some time in the future it may be possible that the malware situation on OS X is as bad as Windows. I’ve never stated that OS X is immune to attack.
But today is not that day.
To imply that OS X users need to worry about contracting malware by browsing a website today is FUD of the worst kind. There are threats that Mac users need to be concerned with, and those are, IMHO, far more dangerous than any drive-by attack is likely to be. Trojans and other social engineering attacks are much harder to prevent, and are much more likely to seriously compromise a user’s security (e.g. giving away your bank account information).
So, I prefer to rank the threats, and spend 0% of my worry about drive-by attacks (while at the same time, following all of the Mac news sites to see if anything significant develops).

Can it really be the case that two (or three, or any number really) quite different operating systems are, at a technical level, equally vulnerable to attacks? It seems unlikely the chips would just happen to fall that way.

Sure it would be - that’s probably why you won’t find anything in this thread apart from people factually answering a GQ (“Yes, it is possible,”) while taking care to explain that it is not a practical concern and elaborating on the reasons why the current user experience is that you can indeed browse where you like without undue concern about a rogue website installing malware on your Mac.

To modify your Empire State Building analogy so that it is actually isomorphic to the positions taken in this thread:

Now I know that the thread has advanced a bit since this comment, but this kind of false belief, quoted above, really baffles me.

The key in the Adobe thread: 100.

Huh? 100? Now why in the world would anybody do that?
Why would any programmer hard-code a limit to a code loop?
Hard-coding is a no-no in programming standards, period.

Hard-coding fixed numbers in loops always leads to errors, which is why it’s never done.

It’s much safer to put in dynamic limits, such as [pseudocode]email.addressbook.length - 1[/pseudocode]

And fundamentally the ridiculousness of the above assertion hinges on the fact that people with last names starting with ABC are not more likely to be hit with malware than people with last names starting with XYZ.

In the end, the OS with the best engineering comes out on top. Unix and Linux have five decades worth of system engineering and philosophy strengthening every line of code against each other.

Windows is pure utter rotten dilapidated outmoded pathetic laughable ugly shit.

.?

Now do OS X. Pleaeeese?

A few observations:

I can’t tell whether OS or political threads attract more fanboys.

I maintain Macs, Linux and Win boxes in our home office. I’m such a slut.

After X years of seeing the “Hi Opal” reference, I’d never seen it seem so … tawdry. Not sure why.

Chronos, one of the bastions of rigour, has completely stunned me with such a hastily and sloppily constructed analogy. Rather than dig in your heels, ditch the ESB/truck analogy and think of something more apt. Your point will still stand but you’d be rid of such a bizarre distraction.

%@*#ing articles about technology that have no date information should be pitted. WTF people?

This is interesting. Emphasis in original: