[DM-MUG] Researcher cracks Mac in 10 seconds
Arne Quanbeck
dmmug at arnequanbeck.com
Fri Mar 20 11:24:07 CDT 2009
Was this the issue where there was no option to disable downloading?
The link didn't work on my iPhone.
On Mar 20, 2009, at 11:17 AM, Matthew Nuzum <newz at bearfruit.org> wrote:
> On Fri, Mar 20, 2009 at 10:21 AM, Arne Quanbeck <dmmug at arnequanbeck.com> wrote:
>> This "attack" is what used to be standard behavior until malware became an issue. A couple of things to note:
>>
>> Recent versions of Mac OS X prompt when opening program files downloaded from the Internet. The user is given the option to view the site, cancel, or continue opening the file. Most versions of Windows don't have this feature.
>>
>> It MAY be possible (I'm not in front of a Mac to test this hypothesis) to cause Safari to prompt for a download location (and let the user cancel) by setting the download folder to a directory where the user doesn't have write permissions. Sites could still nag the user by putting hundreds of download links on a page. This is the reason IE for Windows now uses the information bar. An ActiveX (Windows/IE) attack used this method of wearing out a user's resolve to the point that they would click "Run". The key difference here is that the ActiveX attack would RUN the malicious code, while the Safari issue at its worst only puts the malicious code in the user's downloads folder.
>>
>> The article could be read to imply the ability of the malicious site to put files anywhere on a user's hard drive, but this claim is not present in the quoted material. It would also be inconsistent with the problem description and proposed solution.
>>
>> Unless you are running Safari on Windows, it is probably safe to mark this one part security, nine parts FUD. This of course assumes the article is accurate.
>>
>
> Not FUD. The CanSecWest website says that in order to be considered
> hacked ("owned" or "pwned" in this context):
>
> What is owned? Must demonstrate...
>
> * loss of information (user data)
> * incur financial cost
>
> (from http://cansecwest.com/ )
>
> So this security professional gave a URL to the person operating the
> fully updated Mac and within 10 seconds had gained some of the user's
> personal information and/or caused them to incur financial cost.
>
> Apple representatives were present to verify the attack and verify how
> it worked so that they could patch it in a future update.
>
> --
> Matthew Nuzum
> newz2000 on freenode, skype, linkedin, identi.ca and twitter