Thursday, May 21, 2009

OS X Security vs the Security Experts


There's a big mess with OS X's security, according to security official Landon Fuller.


He's talking about a flaw that actually has more to do with Java than OS X, but it's a flaw that has gotten Mr. Fuller steaming mad, mostly because even though Java's creator, Sun Microsystems, fixed the issue some six months ago, Apple has yet to fix it in OS X!


Fuller is so mad, in fact, that he has posted the attack code, which exploits the flaw, in hopes of forcing Apple to finally take action in fixing it.


ComputerWorld reports:


"Fuller's proof of concept code runs Mac's Say software to make the computer say "I'm executing an innocuous user process," but it could be adapted by criminals to run malicious programs on the computer."

ComputerWorld also writes that security vendor SecureMac advises Mac users to disable Java in their Web browser at least until Apple fixes the issue, and they state:

"This vulnerability could be exploited to perform 'drive-by-downloads' commonly used as a means to infect computers with spyware, or any arbitrary command with the permissions of the executing user," the company said in a note on its Web site. "All a user has to do is visit a web page hosting a malicious Java applet to be exploited."

Even though Apple has acknowledged the issue, they have yet to give any clear time frame for fixing it. Personally, until it's fixed, I have decided to take the advice of SecureMac. Who knows, the last thing I want is for some criminal out there to use this Java flaw to somehow break into my bank account and transfer all my money - all two-dollars-and-a-quarter - from my account to theirs, somewhere in Nigeria!

Even though I laud people like Landon Fuller and others for bringing these issues to the front line so that Apple and others can fully address them, I'm not too sure I agree with them when they publish any of their proof of concepts - concepts that can help inspire and abet criminals in using them in order to scam us trusting souls out of our hard-earned cash!

To me, this is totally irresponsible on their part. If I could prove that I was personally scammed out of my $2.25 by the direct actions of hackers who used any of these security proof of concepts, published by people like Fuller, then I would be more than mad - I would sue them for any and all direct and indirect damages! I would be looking for damages that would go far and beyond the loss of my two-plus bucks too!

Security researchers, and security firms, are supposed to be in the business of helping to protect us from these criminals - not in actually aiding these same criminals by publishing their proof of concepts so that every Tom-Dick-and-Harry hacker out there can adapt them to and for their own nefarious ends!

I, for one, think that legislation should be adopted and put in place to help keep these so-called good guys (security researchers and firms) from potentially harming us indirectly by aiding these so-called bad guys! When people publish these proof of concepts, even though they may be motivated by good intentions, they nonetheless put us all in potential harm's way - and that's the way it shouldn't be!

The question is: who are these security experts really helping the most by posting their security proof of concepts? Themselves, we the consumer, or the criminal hackers out there?

To people like Landon Fuller and others, I say: "Thanks, but no thanks!" Surely there must be better ways of bringing Apple and other big companies to take their security more seriously than by publishing security proof of concepts that may, or may not, assist criminal hackers in targeting us all the more.



And that's my 2 cents 4 this Thursday, May 21, 2009

4 comments:

Anonymous said...

The "bad guys" already had all the information they needed to take advantage of the issue for the past six months. At least with awareness of the issue, we can protect ourselves.

If there was no solution to protect ourselves, you might have a better point.

Anonymous said...

Also, why don't you sue Apple too, who left this publicly known vulnerability unfixed for 6 months?

I am a lover of children's literature said...

Thanks anonymous and anonymous! Not sure if you're one and the same, but as far as suing anyone, it was more of a tongue-in-cheek statement.

As far as all of the bad guys knowing this flaw, well, I don't believe they all knew, otherwise we would have seen attacks by now!

The security companies haven't picked up security attacks, just the potential for one! Had all of the baddies known of this, they would have made their presence known long before now. Publishing proof of concepts only piques their interest.

In the end, the post is simply my-two-cents, and as such is nothing more than my personal opinion. I've been known to be wrong on things, and maybe I'm wrong on this, but then again... maybe I'm right?

I am a lover of children's literature said...

PS. I've got to stop commenting when I'm dead tired! I make enough grammatical errors when I'm awake, let alone when I'm dead tired, as I have just posted above!

Silly, silly, and very tired little old me. : O )-