OT Hackfesting: Mac Security

Kurt Granroth kurt+plug-discuss at granroth.com
Mon Apr 6 22:22:50 MST 2009


Eric Shubert wrote:
> Lisa Kachold wrote:
>> Macintosh with OSX 10.5 is a fine distro, incorporating many of the same 
>> Nix-ian tools used by Linux.  Built upon a BSD variant, (BSDi, FreeBSD, 
>> NetBSD), OSX runs OpenSSH, SAINT, uses sudo, and ettercap, snort, xnu 
>> (mac address spoofing) and it also has some real security issues, WAIT, 
>> that's not a bug, it's a feature?
>>
>> A great many trojans are available with many personal and unusual slants
>> on the age-old virus themes:
>>
>> http://www.securemac.com/
>>
>> Once again we find people attempting to indulge in apples/oranges biased 
>> thinking comparing one distro's security to another.  
>>
>> http://pcworld.about.com/news/May232005id120964.htm
>>
>> But just like with Linux, if you are running a Mac OSX on a shared 
>> network, you are begging to be pwned.  If you surf without trust based 
>> controls for Javascript/Java, and use Mail without low level virus 
>> controls, you have the intelligence of a ten year old (before the brain 
>> can understand and equate risk and consequences).
>>
>> Symantec is one of the best tools; but a great many exist (use the Source
>> young Jedi).
> 
> What do you mean by "shared network"? Isn't any network, well, shared?

I assume she is referring to a system with multi-user logins over a
network.  That is, could you log into a system with normal user
privileges and leave with root privs.

The answer is "yes".  There are multiple rootable attacks available for
OS X.  A few notable ones are the result of fundamental design flaws that
may never be fixed.

That said... Lisa, this email is scarcely more than FUD.  To paraphrase:
"Boo!  Your system can be pwned and you are a moron if you think
otherwise!"  Yet there isn't one mention of any specifics nor links to
any place that one could easily find specifics.  The SecureMac site
mostly lists detection tools.  Their section on notable viruses and
trojans (that I could tell) stopped at about version 10.1.

Again, there's no doubt that there are problems[1], but this post didn't
help :-(

[1] Two off the top of my head:
http://securityreason.com/exploitalert/5909
http://rixstep.com/2/4/20080919,01.shtml
