Bruce Johnson wrote:
---------- 
> > <http://www.kb.cert.org/vuls/id/CRDY-636R79> note, "no statement from
> > vendor", the usual response to serious security problems.
> 
> No comment on CERT's web site does NOT mean no action is being taken.

No, it doesn't mean no action is being taken; it does mean the vendor hasn't publicly
responded one way or the other, or at least hasn't responded to CERT's notification,
which they should, since that's where a lot of people who actually care about security look.
-------
> 
> Before one cries 'Wolf' you may want to see just how many canids are
> really around....

I'm not crying wolf. The security hole exists, and did in fact exist when OS X was just a
glint in Apple's eye! I didn't say it was being exploited on a massive scale, or that there
was a pre-written exploit for the script kiddies. That does not mean it hasn't been
exploited or won't be exploited. In fact, it's likely that it was exploited on a limited
basis by some simply to practice their skills, though they may not have done it on a large
scale, and may not have been caught. The fact that there isn't a publicly known serious
instance of this security hole being exploited does not mean it did not happen. Things
that aren't detected don't usually become public; serious security breaches rarely become
public even if detected. There is no basis to assume this hole was never exploited.

> 
> 10.3.5 included the fixed libpng?
> <http://docs.info.apple.com/article.html?artnum=25791>.

Yes, Apple has released a patch/update to correct the problem, which is good and what they
should do. However, they are still misleading users. Unless you click the security link,
all you see is that it fixes the more minor security hole where a user's machine may
freeze. Only after reading the other page do you see that there was in fact a far more
serious hole where arbitrary code could be executed. It is misleading to say that a minor
problem has been fixed and provide a link to where you admit a far more serious problem
existed but has now been fixed. It is also bad security practice to not release
information on a security bug until it is patched, particularly when the information is
very widely available, as it was in this case. Those using OS X for sensitive financial
and other applications, and those who suspect an intrusion, need to know about a bug as
soon as it is discovered and documented. Would you tolerate an auto maker who didn't tell
the public about a brake failure problem until after they had a fix, even if people
weren't dying yet? Or would you want to know right away so you could modify your driving
habits? Would it not be a good reason to sue an auto maker when a death did occur?

The point is, security holes exist, and will exist; it's only prudent to run a hardware
firewall, as they are cheap and provide substantial security enhancement. A software
firewall, run on the same machine as the browser, will often not protect the user from
security holes that stem from system software (as in this case) as opposed to application
code (i.e. the browser, whichever browser you use). Again, Apple is actually being less
forthcoming than Microsoft on these issues, and that is not a good thing for the user.

As a side note, my machine has in fact been broken into, though not recently as far as I
know.... I believe it was a vulnerability in Netscape which was made public a week later.
My machine started sending a large amount of data (as indicated by the modem lights, they
aren't useless) while I was viewing a static web page. I disconnected; on further
investigation I found I had been left with a cookie containing the name of my boot drive.
This information should not be available to other machines on the net; the only possible
use of that piece of data was to make incursion easier in the future. Most likely my hard
drive was being scanned, possibly for cache files which often contain credit card
information (often in "plain text", i.e. not encrypted), possibly for registration codes
for software, possibly for other reasons. I was on a dial-up connection, had not been
logged on long, and wasn't doing anything "interesting".

It was a "random" attack. If your machine is on a broadband connection, particularly if
it is "always on" and has a static IP, you are far more vulnerable, as attempts take less
time, information on your machine can be accumulated over time (and often is by serious
crackers), and if an incursion should happen, the high speed connection means that a lot
of data can be recovered from your machine very quickly. Even encrypted cache files are
not very secure if the attacker decides to crack them on their machine; if it takes 2 days
to get your credit card number it's not a big problem for them to do it later.

If you have sensitive business information on your machine, you may well be targeted by
those who practice corporate espionage for a living, or by a competitor (though less
common). These people do not report the security flaws they use to break in to vendors or
CERT; they do not announce them on hacker bulletin boards. They are not interested in
bragging that they've found a hole. They are interested in using that hole and then
trying to sell the information they've obtained, or being paid to get more information or
sabotage a system. It's entirely possible that the "libpng" hole has been exploited by a
few people on Mac and other BSD systems; it's unlikely it would have been detected.
Properly used, it might not even be detected by a firewall, particularly on a server which
normally sends large amounts of data (as opposed to a machine used for browsing, which
mostly receives information and sends little). The more sophisticated, even the more
sophisticated amateurs, will modify logs and often manage to erase any log of their
activity that is created (though this too is sometimes monitored and used for detection,
and sometimes it's the only mistake an intruder makes).

Also, Apple is being far less open about security issues than Microsoft; this is a bad
practice. Apple products have historically had better written code, and been a smaller
market segment and attracted less effort on the part of crackers. Both of those things
are now changing; BSD (the underlying framework of OS X, from which a great deal of code
is used unchanged) is becoming a larger target and more effort is being spent to crack
these systems. No, there hasn't been a huge, widely spread email virus on the Mac yet,
but those actually only represent one type of vulnerability, are quickly detected, and a
solution is quickly available. Direct attacks against a user's machine, or a corporate
web server, tend to be far more subtle and harder to detect.

Larger companies, no matter whose server software they are running, use sophisticated
traffic analysis to try and hopefully detect intrusion, data theft or data modification.
These larger, more aggressively monitored systems are still cracked occasionally, though
they usually at least have a log and can find out how much damage was done, and
occasionally who did it, and they can usually block the attempt in the future (or at least
detect it immediately and respond more quickly).

It's simply prudent to be a little cautious, and to not hide your head in the sand.

Crying wolf, hardly. Just pointing out that there are bad guys out there, and your Mac
is not Fort Knox, nor should it be, but using a firewall, and keeping up with security
updates, are the least you should do if you do more than play games on your computer (even
if you just don't want your personal email abused). If your machine has sensitive
business or personal information, or is used for online purchasing, it's the least a
responsible person should do. Or you can wait until the first widespread Mac virus (aka
the QuickTime virus that spread by files through any medium, and wiped out data because of
a simple bad security choice on Apple's part; the fix was easy, fixing the damage wasn't)
and then act surprised. Apparently some feel you should wait until you are robbed before
you bother to lock your house; I consider that irresponsible and have no pity for fools
who don't bother to do the easy things to stop most security problems cold.


-- 
President George W. Bush, Vice President Richard B. Cheney, Secretary of Defense
Donald H. Rumsfeld, and Attorney General John D. Ashcroft have committed violations and
subversions of the Constitution of the United States of America. <www.VoteToImpeach.org>
They should be charged with high treason and imprisoned frankly. If there is no rule of
law there can be no civilization.

-- 
G-List list info: <http://lowendmac.com/lists/g-list.shtml>
Archive: <http://www.mail-archive.com/g-list%40mail.maclaunch.com/>