EUIST

Mac’s not secure – media, information security services and early warning systems (EWS) creating another urban legend?

April 25th, 2007

Recently, some members of the information security community and the media have been supporting each other, for different reasons, and in the process are creating another urban legend.

_Facts_

At a conference called CanSecWest Vancouver 2007, delegates were given the chance to access one of two Macs through a wireless access point. Apparently these Macs had no programs running at the time. It is important to know that:

1) after 22 hours no attacker had managed to access the two Macs; hence the conference organizers decided to

2) change the contest and make it a bit easier for attendees to hack one of the two Macs, by allowing contestants to try to get in through the browser by sending URLs via e-mail; hence

3) after another 9 hours of hard work, Dino Dai Zovi managed to develop a new exploit taking advantage of a vulnerability involving the Mac and QuickTime.

Later on it was disclosed that this vulnerability affected Windows PCs as well, if they were running QuickTime and had Java enabled.

Also, the vulnerability was exploitable using both the Safari and Firefox browsers.

_Media gets it Wrong_

The first to report on this in the mass media was Nancy Gohring of IDG News Service, with a headline (Friday, April 20, 2007) stating:

    “Dino Dai Zovi was able to remotely break into a Mac as part of a contest designed to illustrate security flaws in OS X”

Unfortunately, checking the facts reveals that this is NOT a remote exploit of the kind that made Windows infamous for its insecurity, but INSTEAD a local exploit of an application.

A very good summary of this can be found here (well done by Daniel Eran Dilger):

- InfoWorld publishes false report on Mac security by Daniel Eran Dilger

_Security community: scaremongering or sloppy?_

For whatever reason, the security community had got into the act by Tuesday, April 24, 2007. Late that morning (GMT) a French alerting service managed to repeat this error:

- FrSIRT Apple QuickTime Java Processing Unspecified Remote Code Execution Vulnerability

The alert also claimed that the impact would be remote code execution. Around the same time, a Danish alerting service released this alert:

- Secunia Apple QuickTime Java Handling Unspecified Code Execution – highly critical

The SANS Handler’s Diary liked it so much that it repeated Secunia’s alert and stated that the vulnerability was highly critical:

- SANS Handler’s Diary: Apple QuickTime Java Handling Unspecified Code Execution

It is hard to believe that a vulnerability with the following characteristics, namely:

a) the exploit code is not freely circulated on the Internet, and

b) the user must be sent a URL and then visit a web site (remember: do not visit untrusted web sites),

could be rated as highly critical. But the security community can even rank a vulnerability in Adobe Photoshop (April 25, 2007) as highly critical while stating:

    “… could be exploited by attackers to take complete control of an affected system by tricking a user into opening a specially crafted file using a vulnerable application.”

_Early Warning Systems – did they do any better?_

The US-CERT (at night, using GMT as the marker) was careful to state that little was known and that disabling Java should do the trick, besides following the usual approach of not visiting untrusted web sites:

- Vulnerability involving Apple QuickTime and Java

While some services simply copied the alerting service providers’ advisories, other early warning service providers operated by government agencies decided not to issue an alert at all, such as:

- CERTA (Centre d’Expertise Gouvernemental de Réponse et de Traitement des Attaques informatiques – France)

Because of the widespread media attention, the high level of risk assigned to the vulnerability by the alerting services, and the exploit affecting Windows users that had QuickTime installed (the exploit was confirmed with Firefox for Windows and Safari for Apple), other EWS providers issued an early alert stating all of these facts and warning about the exaggerations, such as:

- CASEScontact.org: Apple QuickTime – Java processing – unspecified local exploit of an application vulnerability

which specified that it was a local exploit and rated the vulnerability as an elevated risk only (2 on a 5-point risk barometer); a workaround and a free tool to limit the Java risk were also provided.

_CONCLUSION_

It is a competitive world out there for media trying to reach as many readers as possible. A similar situation is faced by security alerting services, which need to convince their subscribers that the service they pay for helps protect them from exploits.

Also, public or private Early Warning Systems that operate a public service for citizens need to show that their output produces added value.

However, crying wolf too often or resorting to fear-mongering too many times increases neither trust nor confidence in the quality of the service provided. Finally, this vulnerability most certainly does not show in any way that Apple OS X or the MacBook computer are now less secure than they were before last Friday (April 20, 2007).

The above also indicates that once somebody publishes a news story and/or an advisory, the sheep culture lets others follow without taking the trouble to carefully check the facts and, where possible, do some tests (some exceptions were mentioned above) before tooting the same horn. The result is that a major security event is made out of something that could be considered quite minor (i.e. a hacking contest at a conference finds an exploit, but ….) and another urban legend is created in the IT security domain, namely that MacBook computers are insecure.

_PS._

We are particularly curious to hear how the planned European Information Sharing and Alerting System, abbreviated EISAS, will help improve situations such as the one described above for the benefit of citizens and SMEs.

- Early Warning System – taking 8 steps toward developing key performance indicators that make sense
