[DM-MUG] Researcher cracks Mac in 10 seconds

Matthew Nuzum newz at bearfruit.org
Fri Mar 20 11:17:29 CDT 2009


On Fri, Mar 20, 2009 at 10:21 AM, Arne Quanbeck <dmmug at arnequanbeck.com> wrote:
> This "attack" is what used to be standard behavior until malware became an
> issue. A couple of things to note:
>
> Recent versions of Mac OS X prompt when opening program files downloaded
> from the Internet. The user is given the option to view the site, cancel, or
> continue opening the file. Most versions of Windows don't have this feature.
>
> It MAY be possible (I'm not in front of a Mac to test this hypothesis) to
> cause Safari to prompt for a download location (and let the user cancel) by
> setting the download folder to a directory where the user doesn't have write
> permissions. Sites could still nag the user by putting hundreds of download
> links on a page. This is the reason IE for Windows now uses the information
> bar. An ActiveX (Windows/IE) attack used this method of wearing out a user's
> resolve to the point that they would click "Run". The key difference here
> is that the ActiveX attack would RUN the malicious code, while the Safari
> issue at its worst only puts the malicious code in the user's downloads
> folder.
>
> The article could be read to imply the ability of the malicious site to put
> files anywhere on a user's hard drive, but this claim is not present in the
> quoted material. It would also be inconsistent with the problem description
> and proposed solution.
>
> Unless you are running Safari on Windows, it is probably safe to mark this
> one part security, nine parts FUD. This of course assumes the article is
> accurate.
>

Not FUD. The CanSecWest website says that in order to be considered
hacked ("owned" or "pwned" in this context):

What is owned? Must demonstrate...

    * loss of information (user data)
    * incur financial cost

(from http://cansecwest.com/ )

So this security professional gave a URL to the person operating the
fully updated Mac and within 10 seconds had gained some of the user's
personal information and/or caused them to incur financial cost.

Apple representatives were present to verify the attack and verify how
it worked so that they could patch it in a future update.

-- 
Matthew Nuzum
newz2000 on freenode, skype, linkedin, identi.ca and twitter

