Mac pwned; fanbois say "Macs are great!"
In the second minute of the second day of the Pwn2Own competition, an attacker gained access to the Macintosh computer.
There are a number of misconceptions that I've noticed in various comments around the web:
1. "The hacker [sic] had physical access, what do you expect?!"
Actually, the attacker was not allowed to physically touch the computer.
2. "It doesn't demonstrate a vulnerability! It's not OS X's fault - it's the dumb user's fault for going to that web site in the first place!"
Yes, there are dumb users. I agree, OS X users are dumb users (sorry, couldn't resist that dig!). But the users don't have to be "dumb" in order to get attacked by this security flaw. Legitimate websites get attacked from time to time, with crackers managing to insert malicious JavaScript code into them. When users go to the compromised websites, the JavaScript takes control of the browser process and uses it for the crackers' own purposes.
A recent, hilarious example was Trend Micro. That's a legitimate website that many smart users go to, but it was still attacked with a malicious code insertion (I guess that proves that anti-virus isn't the be-all and end-all of computer security, huh?).
Safari should not put itself in the position where it can be convinced to access local files. Full-stop. Of course, Apple didn't have the slightest clue what it was doing when it programmed Safari, so there's really no surprise in the result. Safari is a buggy excuse for an internet-facing service.
3. "The Mac was attacked more viciously because the computer itself is more desirable as a prize than the other two computers; not that it is less secure. So this is a GOOD result for Apple because it shows that they have computers that people want!"
Nice way to turn an embarrassing defeat into a back-patting exercise. The winners don't just get the computer, they get $10,000. Ten thousand dollars can buy yourself a computer with more than one USB port!
It's sad to see that the winners of the competition will sign a non-disclosure agreement with Microsoft and Apple to help fix the vulnerabilities before they become well-known. It's simply a case of turd-polishing. The software won't get more secure, it will just become hardened through trial and failure.
Think about it, in terms of an analogy. It's like if an aeroplane crashed in Halifax, Nova Scotia, due to the right wing coming off during a throttle-up. Rather than make the connection between the wing and fuselage stronger, the plane manufacturers just implement a system whereby the plane refuses to throttle-up while flying over Nova Scotia. You wouldn't fly on that plane. No sane person would. But that's what the computer security situation is like right now.