Mac Hacked by QuickTime Bug "As Serious as ANI"
Researchers have confirmed that a QuickTime bug was the Achilles heel that felled a MacBook Pro last week in the Pwn-2-Own contest at the CanSecWest security conference. Dino Dai Zovi, a principal at security firm Matasano and the hacker who wrote the exploit, told me on Friday that a flaw in Apple's Safari browser was what brought the machine down. After more analysis, ZDI (the research unit at TippingPoint, which put up $10,000 as a reward in the contest) has found that it's actually a Java-based vulnerability in QuickTime that got the machine, owned by Dai Zovi and his online accomplice, Shaun Mcaulay.

Dai Zovi, who is also still researching the flaw, told me today that the vulnerability affects not only Safari but also Firefox on Mac OS X. Firefox on Windows may also be at risk, he said. If it does turn out that Firefox on Windows is vulnerable, it would make this a "much more serious flaw," he said. "QuickTime is often installed by itself on computers, but more often on iTunes," he said.

Here are Matasano's most recent details on the vulnerability: Dino's finding targets Java handling in QuickTime.

Terri Forslof, manager of security response at TippingPoint, confirmed with me today that any Java-enabled browser is potentially vulnerable. Internet Explorer is not, she said, given its sandbox feature, which "does handle the vulnerability appropriately." A sandbox is an area in memory outside of which a program cannot make calls. Forslof said there have been no known exploits yet, "but there could be," she said. "People are working really hard trying to figure this out."

As Matasano and Forslof said, one mitigation is to remove qtjava.jar, the Java extension that's automatically installed on Macs as part of a QuickTime library. Another option is to disable Java entirely. TippingPoint wrote a filter for the vulnerability on Monday, so its IPS customers are already protected from it.

Having the blame pushed from Safari to QuickTime raises an interesting question: Does this mean that the Mac system itself is flawed? As my colleague Joe Wilcox, editor of eWEEK's Microsoft Watch, pointed out to me when he raised the question, QuickTime is an application, so wouldn't this be an application flaw as opposed to a Mac flaw?

Forslof granted that yes, the flaw does lead to a client-side exploit. That doesn't make it any less serious, because it can lead to system hijacking, she said, much the same as the Windows ANI vulnerability. That flaw, an animated cursor handling issue, was being exploited soon after it was made public by McAfee.

"The method of attack is the same as what Microsoft calls 'click and you're owned.' You get an e-mail, visit a malicious Web site, and boom, you're owned. Where there's still that one-step user interaction, it's still a serious vulnerability. Anytime you illegally break into a machine, it's a hack," Forslof said.

Because QuickTime is installed on the Mac operating system by default, turned on and ready to go, it's comparable to a Windows media player bug, she said. "Even though it's not the main system you compromise, you still own the whole system when you do compromise it. It's every bit as serious."

This posting was updated to add the fact that TippingPoint IPS customers have been protected from the vulnerability since yesterday, when the company wrote a filter for it. Also, JavaScript was mistakenly mentioned once; the flaw is Java-based. Finally, the post has been edited to remove a mistaken reference to Safari being part of the Mac operating system.


Comments (11)
"Does this mean that the Mac system itself is flawed?"
"Anytime you illegally break into a machine, it's a hack"
Let's put a little truth here! Yes, the flaw is serious enough that it can compromise a user via a malicious web site. OK, we have a problem here!!
However, on Mac OS X the exploit will have the result that one can get user privileges on the system, that's all; there is no administrator or root access possible via this flaw. In other words, the whole system cannot be compromised in any way.
On Windows, if this flaw exists, well, it can have more severe results; on Windows it is easier to get full privileges....
Also, this is not a hack. A hack means that a hacker can compromise a machine and get full privileges on a sitting Mac, which is not the case here. Again, this flaw needs user action; this is not hacking, so saying that one can get into the machine anytime is a plain lie.
Posted by Hakime | April 24, 2007 10:31 PM
Perform a real test...
First get four very ordinary people: two women and two men. Get four computers: two Macs and two PCs. Give a Mac to one of the women and one of the men. Give a PC to one woman and one man. Have them all connected to the internet (broadband) at the same time, letting them surf to their hearts' content and letting them go anywhere from knitting to fishing and from gambling to porn. Let them continue at this for, let's say, twelve hours. After twelve hours check the systems for viruses, adware, spyware, malware and outright hijacks. Only then will we see which system holds its mettle in the most ordinary conditions. To be fair, add another man and woman and give them a PC loaded with the most popular Linux operating system (Ubuntu as of this date) and have them do the same. Which operating system do you think will hold up to the test of time?
Posted by Ted Miller | April 25, 2007 2:53 PM
Safari is NOT part of the Mac operating system.
It is only a program shipped with the OS.
They are two very distinct and separate entities.
No one in the computer business believes that any operating system or browser is unbreakable.
A zero-day exploit can be created for anything. Apple has been releasing regular security updates as soon as possible following a demonstrated exploit. QuickTime was last patched in March and January to fix a flaw disclosed by the Month of Apple Bugs project.
Posted by JT | April 25, 2007 3:09 PM
I don't think Safari is part of the Mac operating system. It is an application, "safari.app", and can be erased. Yes, it is installed by default, but you can very easily change that when you customize the OS installation and use another browser.
As you say: "Disabling Java stops the vulnerability" and
removing qtjava.jar, the Java extension in QT also "mitigates" the "bug". I'd be looking for a "java fix", not an OS/QT fix directly (though one I'm sure will come out). This java vulnerability (if I might call it that) might reach everywhere java is used. Please correct me if I am wrong in my thinking.
Posted by macscottcu | April 25, 2007 3:15 PM
Just wondering what turning off JavaScript has to do with this. Bad naming aside, JavaScript would not seem to have any connection to an exploit targeting a Java .jar file. This is what the rest of the article describes as being at the root of the vulnerability and potential exploit.
Posted by Marc Orchant | April 25, 2007 4:08 PM
To provide a brighter shade of detail here:
To win the contest there had to be external access to the MacBook Pro. NEVER was there any need to have root access. If you read this anywhere, just toss it off as ignorance. All the cracker needed was user access, at whatever level the current user account happened to be. Therefore, we are not truly talking about the Mac being 'PWNed' or owned in the sense that the system of the Mac has been cracked. Only the user account was cracked. The result is that anything remote that the user of that account can do, the cracker can do. If this is a normal user account without administrator privileges then there is no way the cracker can compromise the system of the Mac.
Once the contest cracker had access to the user account they THEN had to take one more step to win: They had to open and read a file that had been planted on the computer that gave specific instructions about how to declare they had won to the folks holding the contest. If they can't open that file, they can't win. The file had privileges set so that 'everyone' can read it.
Just to reiterate: This is a JAVA problem, NOT JavaScript. It is the Java implementation in QuickTime that is at fault. Apple have a specific implementation of Java they write specific to QuickTime. It is a specific file set that is NOT shared with the rest of the Java implementation in Mac OS X. This is why this exploit has nothing at all to do with the rest of Mac OS X. The precise method used to exploit Java in QuickTime has NOT yet been published and most likely will not be published until it has been fixed by Apple. Hopefully that will be soon.
Also: This is the very FIRST time a Mac has been officially cracked. I have read of some so-called crack in Australia that never had its method documented. Ignore it. It is bogus. It is troll fodder.
:-Derek
Posted by Derek Currie | April 25, 2007 11:01 PM
This is really getting old. In these articles it would be nice to see a total number of real issues found with the Mac OS versus Windows XP or Vista. I view this as another failed attempt to crack the Mac OS. Bill should stop paying people to see if it can be done. He's wasting his money.
Posted by cd | April 26, 2007 4:39 PM
Small clarification about the Windows ANI vulnerability.
You really don't need to click on the e-mail. If you have the preview pane open, as it is by default, and the hostile code shows up in that preview pane, you're owned. I haven't looked at the QuickTime vulnerability on a Mac so I can't comment on that.
I demonstrated this vulnerability in a SANS webcast from Tuesday. The webcast is archived at http://www.sans.org/webcasts/. Just click on the "Webcast Archive" link and then select the webcast from the 24th.
Posted by Jerry Shenk | April 26, 2007 5:43 PM
I find it interesting that the article specified "MacIntel."
If the exploit relies solely on Java code (JVM bytecode), then the CPU family should have no bearing. But if the exploit is from, say, a buffer or stack overflow in the JVM which would cause the CPU to execute arbitrary machine code, then the code has to be native machine language code.
This would mean that different versions of the exploit would need to be written for MacIntel and MacPPC, and that the hacked or malicious Web server would have to have some way to know which one the user was using. Using the wrong one would cause a Java or browser application crash, but not ownership nor crashing of the system.
If this is the case, then it validates a concern I've long had about Apple switching to Intel x86 CPUs: while much of the Mac's vaunted immunity to malware is because the OS really is more secure, and part is because of the lower market share and thus fewer hackers bothering, I firmly believe that a significant part is due to the fact that many more hackers know x86 machine language than know PPC machine language. The two are drastically different from each other, and incompatible with each other on a fundamental level.
If I'm right, then by switching to Intel x86 CPUs, Apple has forever removed this layer of protection-through-obscurity. It still has the more secure OS, and still somewhat protected by its relatively small market share, but now those Windows hackers who would want to try to hack the Mac have a much lower learning curve to surmount. Now they're writing code for a CPU that they already know the ML for. A major barrier has been removed.
So, I find it interesting indeed that the first truly serious Mac exploit may be specific to MacIntel (which would explain why it can also work on Windows, though if it were a pure Java JVM bytecode exploit, that would also be the case).
Has anyone tried this exploit on a MacPPC?
Posted by Joel | April 26, 2007 6:05 PM
No system is inherently secure and no system can be absolutely secure. In any real-life scenario, there will be a lot of native and third-party applications running in the OS as well. So, ramblings about which OS has more issues and which OS is better are rather moot points. Let's first acknowledge that we have some very advanced, highly productive OSes in the marketplace that support a wide range of hardware. As a person working in the IT industry, I am proud to see the astonishing technological growth these OSes, especially Mac, Windows and Linux, are showing.
Security is largely becoming a behavioral and ethical issue rather than a technological one. Just like in our social lives, there need to be codes of conduct and ethical and moral frameworks in the virtual space as well.
So let's not get into mud slinging whenever a report about such issues comes out. It is a bit disappointing to see a flaw in one of these fine pieces of software, but we as a community will find technical and social resolutions to these issues.
Mac or Windows or Linux, Java or .NET or Ruby, I am so happy to be in the present. So vibrant, disparate, a joy to work in...
Salim
Posted by Salim Nair | April 26, 2007 7:01 PM
When we accept a new customer at our locally run ISP, we must now assume that Windows PCs need disinfection, whether or not they have commercially available security software installed. It takes us a suite of five programs left on the desktop for the customer, and two or more used behind the scenes and over an hour of bench time on a relatively new machine to perform this for them.
This problem has grown by a factor of at least ten in just the last two years. The incidence of root kits and other persistent malicious software is astonishing and a significant portion of machines go into multiple hours of bench time. We now find and clean an average of 100-300 instances of infection and spyware per XP user/machine.
Mac customers consistently take a straight half-hour to get updates and our recommended browser, email, and media handling programs. If we were to advocate a platform, you can imagine which we'd prefer to work on more, since we offer these setups for a nominal fee as a welcome gift. The phrase we use is "relatively invulnerable" and the literal meaning still applies.
Posted by Mark Moos | April 27, 2007 10:22 AM