Focus on Apple
Month of Apple Bugs Dec 19 2006 03:33PM mfossi securityfocus com (4 replies) Re: Month of Apple Bugs Dec 20 2006 04:54PM jot (jot cotse net) (2 replies) Re: Month of Apple Bugs Dec 19 2006 04:16PM Philippe Devallois (phdevallois intego com) (3 replies) |
most of the Month of Apple Bugs issues will be technically "0day"),
because then they'd get fixed.
As I said in my previous message, I'd imagine some of these issues
will indeed require some trojan/social engineering mechanism. Those
have almost zero interest for me.
What I do have interest in is:
- Privilege escalation vulnerabilities
- Vulnerabilities in default running services from remote (e.g.,
mDNSResponder)
- Vulnerabilities in stock shipping services (that are not enabled by
default) from remote
And yes, mDNSResponder does run as root. So if there's a problem
there, isn't it better for it to be disclosed and fixed than hoarded
by a bunch of l33t kidd1ez?
I do obviously expect Apple to fix legitimate issues with software,
even if they are things that only enable or make easier trojan/social
engineering type behavior. But even "serious" issues that still need
to have some kind of local access to the machine (and/or require the
user to visit a malicious web site or download and run malicious
software) won't be of any meaningful security consequence to most
desktop Mac OS X users.
What's needed, that Mac OS X, to date, hasn't had, is some vector for
easy mass propagation. Until that exists, any Mac OS X malware
(unless it's exploitable from remote with no user interaction) will
have very little overall practical impact on the platform.
Ultimately, I'm not sure settling the "smug dust" will do anything
except get people who will never have any computer skills beyond
those of a simple user to reconsider their decision to buy Mac, when
the alternative (Windows) is manifestly worse, for a variety of
reasons. Almost all of our new Mac purchases in academia/research/
government markets (aside from the geek/IT/etc. types, and aside from
those who specifically are now getting a Mac because they have
options for running Windows or other x86 OSes in a reasonable way)
are because people are fed up with all the malware, vulnerabilities,
and security issues (or what they perceive them to be, anyway) on
Windows. Obviously there is a hell of a lot of complexity and nuance
to this issue, but the fact is that people making the decision for
that reason are frankly making the right choice, and are generally
very satisfied with that choice. What some now seem content to do is
attempt to "swing back the pendulum", almost attempting to "prove"
that Mac OS X is not only insecure, but possibly even more insecure
than Windows, or at least insecure enough so that you "probably
shouldn't bother switching" from the majority platform - and if
that's not the intent, that's still an effect of *unfair* bad press.
What's "unfair" bad press? How about when, for example, there is
coverage about, oh, I don't know, a general 802.11 vulnerability that
affects multiple chipsets and multiple operating systems, including
Windows and Linux, but instead gets made out by the press to appear
as ONLY an Apple/Mac OS X problem, and on their new, high volume
flagship notebook no less? How is that helpful? People who claim to
be concerned about "security" should be even more concerned with that
disparity.
The fact is that the (correct) perception that the Mac platform is
generally more secure is a PR win for Apple. Fixing security issues
is also a very good thing. But I'm guessing that the Month of Apple
Bugs will be super-sensationalized, and will be made out by some in
the press to make it appear that Mac OS X is a huge pile of poorly
designed Swiss cheese, when that's not true. (Some conveniently-
anonymous "security researchers" - and no, I'm not pointing fingers
at anyone in particular - like to claim it is, but of course, it's
been five and a half years since Mac OS X has been out, and there
hasn't been anything of practical consequence that has affected the
Mac platform. And it's not only because of marketshare.)
So for me, it's a double-edged sword. But mostly, I'm happy that
January will result in quite a few, including some hopefully high-
profile, issues getting disclosed and fixed in OS X. I instead hope
it doesn't end up being a free-for-all that results in confusing
ordinary consumers into thinking that Mac OS X is really just as bad
as Windows, and it's only been because Mac OS X has been so "boring"
until now that it's been protected from the onslaught.
- Dave
On Dec 20, 2006, at 1:01 PM, Mark Senior wrote:
> No offence intended, but this is precisely the sort of attitude
> that makes security researchers want to rain down 0days, to settle
> the smug-dust. (Actually the main reason is not users, but
> companies that deny vulnerabilities, or sit on them for years at a
> time. That's becoming a lot less prevalent; Oracle is one of the
> last major dinosaurs in that camp).
>
> If anyone on this list is in Edmonton AB, I'll bet them a beer or
> three, at the bar of the winner's choice, that there will be a
> Rendezvous (Bonjour, mDNSResponder, whatever they're calling it
> this week) vulnerability. This looks to me like one of the
> juiciest targets: a relatively new piece of software, installed
> practically nowhere outside of OS X, remotely listening by default,
> and as Jay Beale has pointed out, even if you turn on the OS's
> built-in firewall it's still not blocked. And, if memory serves
> (I'm not at a Mac right now) it runs as root.
>
> I have no inside info - I don't know anyone involved, and I am not
> aware of any mDNSResponder vulnerabilities.
>
> Cheers
> Mark
>
> On 12/20/06, jot wrote:
> > Coming to a Mac near you in January...
>
> It's coming, but whether it's coming to a Mac near me is questionable.
>
> My guess is that each "bug" will involve at least one of the
> following IFs:
>
> 1. User must be tricked into clicking a URL
> 2. User must be tricked into opening a malicious file
> 3. User must have a specific poor configuration on their system (such
> as those Dave mentioned)
>
> If that is the case, then the threat does not change for Mac users.
> There are already exploits available to attack those with such
> vulnerabilities.
>
> You *still* don't have to outrun the bear.
>
> jot
>
>
>
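Both posts above turn on a factual question an administrator can verify locally rather than take on faith: which services on a Mac OS X box are listening on non-loopback addresses, and which of those run as root (the thread names mDNSResponder as one). The script below is an added example and is not part of the mailing-list thread; it parses the output of `lsof -i -P -n` (a real lsof invocation; the column layout is assumed from lsof's header line, and the sample output embedded here is constructed for the example, not captured from any machine) and reports network-reachable listeners and the subset of them owned by root.

```python
"""Inventory network-reachable listening sockets and flag those run as root.

Added example, not part of the original thread. Parses `lsof -i -P -n`
output. Assumed column order (from lsof's header): COMMAND PID USER FD
TYPE DEVICE SIZE/OFF NODE NAME [STATE]. The sample below is constructed.
"""
from __future__ import annotations

import subprocess
import sys
from dataclasses import dataclass

# Constructed sample modelled on `lsof -i -P -n` output; not real capture.
SAMPLE_LSOF = """\
COMMAND     PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
launchd       1 root   10u  IPv4 0x1a2b3c4d5e6f7081      0t0  TCP *:22 (LISTEN)
mDNSRespo    34 root    7u  IPv4 0x1a2b3c4d5e6f7082      0t0  UDP *:5353
mDNSRespo    34 root    8u  IPv6 0x1a2b3c4d5e6f7083      0t0  UDP *:5353
cupsd        78 root    5u  IPv4 0x1a2b3c4d5e6f7084      0t0  TCP 127.0.0.1:631 (LISTEN)
Safari      456 dave   12u  IPv4 0x1a2b3c4d5e6f7085      0t0  TCP 10.0.0.5:49152->203.0.113.9:443 (ESTABLISHED)
python      789 dave    3u  IPv4 0x1a2b3c4d5e6f7086      0t0  TCP *:8000 (LISTEN)
"""

# Bind-address prefixes that are only reachable from the local host.
LOOPBACK_PREFIXES = ("127.", "[::1]", "localhost")


@dataclass(frozen=True)
class Listener:
    command: str
    pid: int
    user: str
    proto: str
    bind: str  # address:port exactly as lsof prints it, e.g. "*:5353"

    @property
    def exposed(self) -> bool:
        """True when the socket is bound to a non-loopback address."""
        return not self.bind.startswith(LOOPBACK_PREFIXES)


def parse_lsof(text: str) -> list[Listener]:
    """Return every server socket in `lsof -i -P -n` output.

    TCP sockets count only in LISTEN state. UDP sockets count when bound
    but unconnected (no '->' in NAME), which is how a UDP server such as
    mDNSResponder appears.
    """
    listeners: list[Listener] = []
    for line in text.splitlines()[1:]:  # skip the header line
        fields = line.split()
        if len(fields) < 9:
            continue
        command, pid, user = fields[0], int(fields[1]), fields[2]
        proto, name = fields[7], fields[8]
        state = fields[9] if len(fields) > 9 else ""
        if proto == "TCP" and state != "(LISTEN)":
            continue
        if proto == "UDP" and "->" in name:
            continue
        if proto not in ("TCP", "UDP"):
            continue
        listeners.append(Listener(command, pid, user, proto, name))
    return listeners


def report(text: str = SAMPLE_LSOF) -> dict[str, list[str]]:
    """Summarise exposed listeners and the subset owned by root.

    Duplicate IPv4/IPv6 bindings of the same service collapse to one entry.
    """
    listeners = parse_lsof(text)
    label = lambda l: f"{l.command} {l.proto} {l.bind}"
    return {
        "exposed": sorted({label(l) for l in listeners if l.exposed}),
        "exposed_as_root": sorted(
            {label(l) for l in listeners if l.exposed and l.user == "root"}
        ),
    }


if __name__ == "__main__":
    # Pass --live to inspect the host this runs on instead of the sample.
    if "--live" in sys.argv:
        text = subprocess.run(
            ["lsof", "-i", "-P", "-n"], capture_output=True, text=True, check=True
        ).stdout
    else:
        text = SAMPLE_LSOF
    for key, entries in report(text).items():
        print(f"{key}:")
        for entry in entries:
            print(f"  {entry}")
```

Run it with `--live` on the machine in question; anything that appears under `exposed_as_root` is a service that both faces the network and would hand over root if it had a remotely triggerable flaw, which is exactly the class both posters single out. The loopback-only cupsd line in the sample is deliberately present to show that a listener bound to 127.0.0.1 is not reported as exposed.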