the iPhone is not a Smartphone - my first reaction to the keynote

Pearl_Diva

Well-known member
Mar 24, 2005
650
0
0
Visit site
Darn, I think you're right. I think I'll give up Safari and OS X altogether and just go with IE and Windows. I hear they never have any security issues.

;)

The other day, I had to install MORE security XP updates. Vista is out, yet XP still needs updates. They didn't even secure the 7-year-old (I think) OS yet!!
 

surur

Well-known member
Aug 6, 2005
1,412
0
0
Visit site
;)

The other day, I had to install MORE security XP updates. Vista is out, yet XP still needs updates. They didn't even secure the 7-year-old (I think) OS yet!!

I think it means they continue to secure it. Or would you rather be forced to upgrade to Vista or Leopard because MS stopped supporting XP?

Surur
 

surur

Welcome to TreoCentral. That's a pretty mysterious first post. Care to explain?

I think he's saying MS can make a better music smartphone than Apple can. While that remains to be seen, the iPhone has obvious areas which are extreme letdowns.

Surur
 

Pearl_Diva

You should see how many updates I have! It's annoying installing updates monthly. It should have had its holes plugged LONG ago! It's like they need to just rewrite the code entirely to make it more secure!
 

surur

It doesn't help when Apple exports holes, like the QuickTime flaws, and now the Safari remote code execution and spoofing ones.

Isn't it funny that Apple is promoting Safari development on the iPhone for security reasons, when the only way to hack the Mac in a recent test was through Safari.

MacBook hacked in contest at security event
Zero-day vulnerability in Safari Web browser used to commandeer a MacBook in hack-a-Mac contest at CanSecWest conference.
By Joris Evers
Staff Writer, CNET News.com

Published: April 20, 2007, 4:03 PM PDT
Last modified: April 20, 2007, 8:09 PM PDT

Macaulay, a software engineer, was able to hack into a MacBook through a zero-day security hole in Apple's Safari browser. The computer was one of two offered as a prize in the "PWN to Own" hack-a-Mac contest at the CanSecWest conference here.

The successful attack on the second and final day of the contest required a conference organizer to surf to a malicious Web site using Safari on the MacBook--a type of attack familiar to Windows users. CanSecWest organizers relaxed the rules Friday after nobody at the event had breached either of the Macs on the previous day.

Macaulay teamed with Dino Dai Zovi, a security researcher until recently with Matasano Security. Dai Zovi, who has previously been credited by Apple for finding flaws in Mac software, found the Safari vulnerability and wrote the exploit overnight in about 9 hours, he said.

"The vulnerability and the exploit are mine," Dai Zovi said in a telephone interview from New York. "Shane is my man on the ground."

Apple spokeswoman Lynn Fox declined to comment on the MacBook hack specifically, but provided Apple's standard security comment: "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users."

Dai Zovi plans to apply for a $10,000 bug bounty TippingPoint announced on Thursday if a previously unknown Apple bug was used. "Shane can have the laptop, I want the money," Dai Zovi said. TippingPoint runs the Zero Day Initiative bug bounty program.

A TippingPoint representative said the company would pay, after looking at the vulnerability. "If it is an actual zero-day in Safari that's fine with us," said Terri Forslof, manager of security response at TippingPoint.

The successful hack comes a day after Apple released its fourth security update for Mac OS X this year. The update repairs 25 vulnerabilities.

CanSecWest organizers set up the MacBooks connected to a wireless router and with all security updates installed, but without additional security software or settings.


It's a good thing you did not have to install any patches for OSX last month though... or did you?


Apple patches more than a dozen holes in OS X
By Dan Goodin in San Francisco
25 May 2007 22:42
Five uber updates in as many months


Apple has released an update that patches more than a dozen OS X vulnerabilities, several of which can lead to the remote execution of malicious code.

The most serious vulnerability resides in an OS X feature called mDNSResponder, which enables computers to locate and connect to devices such as printers and webcams on a local network. An attacker could use it to execute code by sending malicious packets to Macs connected to the same subnet, making the exploit ideal for use in internet cafes and offices.

Code exploiting the vulnerability has already been circulated by Immunity, a company that provides intelligence to security providers, according to Immunity's CTO, Dave Aitel.

"Remote roots like this don't come out every day," he said of the vulnerability.

Apple credited Michael Lynn of Juniper Networks for reporting the vulnerability. Lynn was the Cisco security researcher whose bosses threatened him with legal action in 2005 after publicly discussing vulnerability details in Cisco routers.

Yesterday's update was the fifth time in as many months that Apple has released to patch multiple security holes in its software. Apple has released other security patches this year, most recently to fix a high-profile vulnerability in QuickTime that allowed a hacker in a contest to publicly hijack a brand new MacBook Pro.

Among the other serious holes plugged in yesterday's update is a flaw in OS X's CoreGraphics. That vulnerability could allow attackers to run code on a victim's machine by enticing users to open a maliciously crafted PDF file.

Surur
 

surur

You should see how many updates I have! It's annoying installing updates monthly. It should have had its holes plugged LONG ago! It's like they need to just rewrite the code entirely to make it more secure!

Maybe it's because Windows takes patching seriously, unlike OSX?

March 21, 2007
Report Says Windows Gets The Fastest Repairs
By Andy Patrizio


UPDATED: Microsoft is frequently dinged for having insecure products, with security holes and vulnerabilities. But Symantec, no friend of Microsoft, said in its latest research report that when it comes to widely-used operating systems, Microsoft is doing better overall than its leading commercial competitors.

The information was a part of Symantec's 11th Internet Security Threat Report. The report, released this week, covered a huge range of security and vulnerability issues over the last six months of 2006, including operating systems.

The report found that Microsoft Windows had the fewest number of patches and the shortest average patch development time of the five operating systems it monitored in the last six months of 2006.

During this period, 39 vulnerabilities, 12 of which were ranked high priority or severe, were found in Microsoft Windows and the company took an average of 21 days to fix them. It's an increase of the 22 vulnerabilities and 13-day turnaround time for the first half of 2006 but still bested the competition handily.

Red Hat Linux was the next-best performer, requiring an average of 58 days to address a total of 208 vulnerabilities. However, this was a significant increase in both problems and fix time over the first half of 2006, when there were 42 vulnerabilities in Red Hat and the average turnaround was 13 days.

The one bright spot in all of this is that of the 208 Red Hat vulnerabilities, the most of the top five operating systems, only two were considered high severity, 130 were medium severity, and 76 were considered low.

Then there's Mac OS X. Despite the latest TV ads ridiculing the security in Vista with a Matrix-like Agent playing the UAC in Vista, Apple has nothing to brag about. Symantec found 43 vulnerabilities in Mac OS X and a 66 day turnaround on fixes. Fortunately, only one was high priority.

Like the others, this is also an increase over the first half of the year. For the first half of 2006, 21 vulnerabilities were found in Mac OS X and Apple took on average 37 days to fix them.

Bringing up the rear were HP-UX from Hewlett Packard and Solaris from Sun. HP-UX had 98 vulnerabilities in the second half of 06 and took 101 days to fix them. Sun, though, really dragged its feet, taking on average 122 days to fix 63 vulnerabilities. It wasn't doing much better in the first half of 06, either. It took 89 days to fix 16 vulnerabilities.

Alfred Huger, vice president of engineering for Symantec Security Center, said the real problem is with Web applications, where two-thirds of all vulnerabilities are found. Operating systems are fairly minor, and despite the long time periods, the vendors are doing "an ok job, just not stellar."

The response from vendors mentioned in the report was mixed. A Microsoft spokesperson issued a statement to internetnews.com that said in part "As a part of this industry, Microsoft continues to adapt to address these threats and continues to work with others in the industry to protect customers as a whole."

Anuj Nayar, manager of Apple's Mac OS X and developer relations, would only say "Apple takes security very seriously and has a great track record of addressing vulnerabilities before they affect you."

Sun specifically disputed Symantec's data and conclusions in a statement emailed to internetnews.com:

"Symantec's data on security vulnerabilities simply does not match Sun's. We can't verify Symantec's sources and consider their report on Sun inaccurate. From 7/1/06-12/31/06 we published 54 Security Sun Alerts, of which 36 were for Solaris - substantially less than the 63 Solaris vulnerabilities claimed in the Symantec report. Past analysis of our vulnerability response shows we responded within five days for the vast majority of vulnerabilities, but averages are skewed by a small minority of 3rd party applications (or code) that are included/bundled with Solaris. Sun responds to all reports of security vulnerabilities, and we stand by our reputation and established track record of responding to security vulnerabilities with Sun Alerts and a quick turnaround time for patches."

Analyst Charles King with Pund-IT said Microsoft has had to be aggressive about dealing with security issues because it's such a big target. In that regard, the company has met the challenge.

"I think in a way that a culture of having been under attack for a decade or more has led to the company taking a very proactive approach to fixing those problems," he told internetnews.com. "In the last 24 months, they've taken a very aggressive stance toward the security of their system. In review after review of Vista, despite its faults, the security of the system has been considerably better than XP."

By contrast, King said there have been complaints in the past about Apple's lack of response to security issues. But as the Mac and Linux gain marketshare, they will have to respond much quicker.

"Are the old models of response to security issues going to be able to fly or will those companies start to take some serious publicity hits from these increasing vulnerabilities and a relatively lackadaisical response to fixing those vulnerabilities?" he asked.

This article was Updated to include comments by Sun Microsystems that were received after the original story was filed.
http://www.internetnews.com/security/article.php/3667201

Surur
 

mikec#IM

Well-known member
Dec 4, 2002
890
0
0
Visit site
secure...

Security is all relative.

The only virus that ever hurt me was on a Mac SE way back in the day, when of course there were no viruses on Macs because they were so secure ;-).

Ever since then, I've never had an issue on Windows, mainly because I didn't blindly open attachments and ran anti-virus (and of course, using Opera).

Did get hit by a few nasty malware things, but that was my own fault trying to get cracks/warez and pr0n using IE. In both cases, cleanup was just a google away.

Actually, Safari for Windows does a decent job stopping nasty things.

And by the way, Vista is actually pretty damn good (with 2GB RAM, of course :))
 

braj

Well-known member
Jun 5, 2007
568
0
0
Visit site
Vista sucks for me, 64 bit though so possibly that is part of the problem. I really wish I had gotten a slower, more expensive Mac. After you factor in all of the other costs of ownership Macs really aren't that bad of a deal. Too bad I have proprietary software I have to run on Windows.
 

Pearl_Diva

That's my problem. There's not enough cross-platform software. It's either Windows or nothing. I'd have moved to Mac several years ago if it weren't for that!
 

mikec#IM

hmmm

I would agree x64 is a huge issue. Actually, 99 percent of people shouldn't run it...first, there is no reason to (unless you are doing servers or databases), and second, the lack of drivers sucks.
Maybe in a year they will improve that.

As for the Mac, I like them, but after you add in all the apps I use, the Mac is MUCH more expensive than a PC. (Lots of stuff free on Windows, much less on Mac.)
 
