Sunday, Mar 14, 2010

Archive for August, 2007

Leopard hacked beyond recognition and not even out yet

Apple applauds Mac OS X as the most secure and most advanced operating system in the world. Microsoft, in turn, has adopted a more modest marketing approach, in spite of the Wow campaign, and is comparing Windows Vista mainly with Windows XP. In terms of security, Vista is just the safest Windows version available and nothing more. The same argument is not valid for Apple. With the Cupertino-based company it is all or nothing, which means that it’s generally all. Just take the example of the Safari 3 Beta browser for Windows. "Apple engineers designed Safari to be secure from day one," stated a message posted on the official Apple website. The reality? Security researchers turned up no fewer than 18 security vulnerabilities in Safari 3 on the browser’s first day on 32-bit and 64-bit Windows Vista and Windows XP.

Charles Miller from Independent Security Evaluators has really made a name for himself after he managed to hack the iPhone. Still, the security researcher seems to have an affinity for fresh Apple products. Or at least this is the direction underscored by his presentation at Black Hat 2007 in Las Vegas: "Hacking Leopard: Tools and Techniques for Attacking the Newest Mac OS X." Miller quotes Apple as follows: "Mac OS X delivers the highest level of security through the adoption of industry standards, open software development and wise architectural decisions."

Security was also Apple’s focus with Safari and the iPhone, and we have been able to see how well that turned out. But the upcoming release of Mac OS X, Leopard, scheduled for October 2007, is in very poor condition in terms of security according to Miller. It is nothing but a joke compared to Windows Vista. And this is one aspect that emphasizes the differences between the next version of the world’s most attacked platform and an operating system with a nonexistent threat environment.

Miller’s conclusion is worrisome for future Leopard users: "Why Hacking Macs is Easy." According to Miller, Macs are just as easy to hack as they are to use. "To help users, there are lots of 50+ suid root programs," revealed the security researcher. Suid root is designed to help with the silent elevation of privileges in Unix and Unix-based operating systems such as Mac OS X. Long before Vista, Unix had access control capabilities equivalent to User Account Control. Still, suid root is a design flaw, because allowing silent and automatic elevation of privileges means inviting kernel-level exploits.

In contrast, nothing similar to the Unix setuid/suid or sudo functionality can be found in the design of UAC in Vista. There is only one way that a service, application or process can gain elevation of privileges in Vista and that is only through the user.
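An inventory of setuid-root files is the usual way to check a figure like the "50+ suid root programs" quoted above on one's own system. The following is an added example, not code from the article or from Miller's talk: it lists setuid files under a directory and compares them with a reviewed baseline. The function names, the baseline set and the `owner_uid` parameter (which lets the check run unprivileged against test files) are assumptions of this example.

```python
import os
import stat
import sys


def find_setuid(root, owner_uid=0):
    """Return sorted paths of regular files under root that are setuid and owned by owner_uid."""
    hits = []
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks out of the tree
            except OSError:
                continue  # entry vanished or is unreadable
            if (stat.S_ISREG(st.st_mode)
                    and st.st_mode & stat.S_ISUID
                    and st.st_uid == owner_uid):
                hits.append(path)
    return sorted(hits)


def audit(root, baseline, owner_uid=0):
    """Compare the setuid files under root with a reviewed baseline (a set of paths).
    Returns (unexpected, missing, loose):
      unexpected - setuid files that are not in the baseline
      missing    - baseline entries that are no longer setuid (or are gone)
      loose      - setuid files that group or other may write to
    """
    found = find_setuid(root, owner_uid)
    unexpected = [p for p in found if p not in baseline]
    missing = sorted(p for p in baseline if p not in found)
    loose = [p for p in found
             if os.lstat(p).st_mode & (stat.S_IWGRP | stat.S_IWOTH)]
    return unexpected, missing, loose


if __name__ == "__main__":
    # Usage: script.py ROOT [BASELINE_FILE]; the baseline file (a format assumed
    # for this example) lists one reviewed path per line.
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr"
    baseline = set()
    if len(sys.argv) > 2:
        with open(sys.argv[2]) as fh:
            baseline = {line.strip() for line in fh if line.strip()}
    for label, paths in zip(("NEW", "GONE", "LOOSE"), audit(root, baseline)):
        for path in paths:
            print(f"{label:5} {path}")
```

Run with an empty baseline first, review the output, then save it as the baseline so later runs report only changes.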

Moreover, Apple does not "bother users with burdensome updates." The open source solutions included in Mac OS X, including OpenSSH, OpenSSL, Apache, Samba and CUPS, are not kept up to date. "The Samba on Mac OS X had an exploitable remote root vulnerability in it…it hadn’t been updated since February 2005," Miller stressed, focusing on open source as an attack vector.

But of course there’s always the "safe from day one" Safari. Apple’s browser (and, by the way, version 3 is going into Leopard by default) launches the following programs on execution: "Address Book, Finder, iChat, Script Editor, iTunes, Dictionary, Help Viewer, iCal, Keynote, Mail, iPhoto, QuickTime Player, Sherlock, Terminal, BOMArchiveHelper, Preview and DiskImageMounter." Any security vulnerability residing in any of these applications can be exploited via Safari.

In the end, Miller exposes Apple security for the joke that it is, saying that the company "makes exploitation fun," mainly because creating exploits for Mac OS X is like going back in time to the software of 1999. The reason? "Apple doesn’t randomize anything: the location of the stack, the location of the heap, the location of the binary image, the location of dynamic libraries and (to top it all off) heap is executable." By contrast, Windows Vista introduces a security mitigation called Address Space Layout Randomization (ASLR).



Do I Need It?

When someone is told that he/she needs insurance, it will mean that they are prone to accidents or they are getting old. I don’t have any insurance because we can’t afford having 2. My wife actually has 2, but the first one she got automatically from a credit card company. The other one she got from a really good insurance company; it’s good because it combines insurance and savings, which is the best thing I ever heard.

Well, life insurance is a good idea if you start early, so that you can retire rich (well, not that rich) or if something happens you won’t leave nothing behind. If you have a house you should get house insurance, which will help you build another roof for your family if something happens to your insured home. Finally, get car insurance; if something happens to your car, if it gets stolen or you get into an accident *knock on wood*, then you’ll have the money to make repairs or buy a new car.

Insurance is a good idea. Are you insured?

Vista PWNZ MacOSX and Linux Distributions!

Microsoft did it again! Windows Vista is the safest operating system available on the market today, elevated from the position of the securest Windows platform, and three different distributions of Linux along with Mac OS X 10.4 Tiger are left to bite the dust. The data illustrated in the graphics included at the bottom of this article was put together by Jeff Jones, Strategy Director in the Microsoft Security Technology Unit. This is not the first time that Jones has played the vulnerability counting game, but as far as the general conclusions go, absolutely nothing has changed.

Windows Vista is still top dog, with all the other operating systems, including Windows XP, trailing the latest Windows platform from Microsoft. According to Jones, Microsoft patched a little over 20 vulnerabilities in Windows Vista from the start of the year through July 2007. In the same period, the Redmond company resolved approximately 40 security flaws in Windows XP. But the statistics really jump off the charts when it comes to Vista’s rivals.

Mac OS X 10.4 Tiger accounted for in excess of 130 vulnerabilities in the first seven months of 2007. Surprisingly enough, although it was released only in March, Red Hat Enterprise Linux 5 Desktop is closely trailing Apple’s Unix-based operating system with approximately 130 vulnerabilities. Novell SUSE Linux Enterprise Desktop 10 accounted for in excess of 145 security holes. Next comes the Ubuntu distribution of Linux with over 150 vulnerabilities and Red Hat Enterprise Linux 5 Workstation with almost 180 security holes.

You will notice from the adjacent images that Vista is also the operating system with the fewest Critical vulnerabilities. In the past three months, from May until July, Microsoft fixed about the same number of vulnerabilities in Vista as it did in XP: just over 10. The remaining operating systems, however, have been patched for more than 60 vulnerabilities each in the past three months, with the exception of Tiger with just under 60 security flaws. When taking into account the stripped-down versions of Linux, Apple’s Mac OS X is left as the most insecure and the most patched operating system available.

Of course, there will always be disputes over whether counting the actual volume of patched vulnerabilities is an exact measure of the security Windows, Linux or Tiger offer to their end users.



Showers!!

I have an officemate who will be married in the month of December, and I, being married, know a thing or two about that topic. So we usually talk about this stuff and that stuff. Then we ended up talking about baby shower decorations. I kinda stepped back a little because it’s a woman’s forte, but I’m kinda interested in this stuff because of two things: one, my wife and I didn’t have it, and second, for future reference.

After the talk and with my thirst for knowledge, I searched and found this Pooh’s Baby Days Baby Shower decoration. And it says:

Pooh's Baby Days Baby Shower: Invite Winnie The Pooh and his friends to your shower, and they’ll bring all the fun and cuteness with them. Our sweet baby Pooh comes with neutral colors, perfect for either a boy or a girl. Everything from invitations to tableware is included.

There are also some decorations to choose from.



Miami Or Disneyland?

Work is very stressful, especially when your boss depends on you more or you just have a lot of work to do. I have a new client account which is from Miami, Florida. And I’ve been chatting with the secretary about this and that, to put her at ease, so that the working relationship will not be shaky, if you know what I mean.

Anyways, she is the secretary, so it means she does a lot more work than me. We’ve talked about vacations and such. I told her that if I ever have a plan I’ll go to Miami because the beach there is great. She told me that if I ever go there and go to the beach, she recommends some Orlando vacation rentals and some reunion resorts that will fit the budget.

But I said to her that it might not be an option, because my wife wants to go to Disneyland. She hasn’t been there and neither have I. And we have a daughter; if there is somewhere we should take her on our vacation it should be Disneyland. I told the secretary that if that ever happens, my wife may have some Disney vacation rentals on her planner; my wife is that eager (well, me too).
