March 10, 2006 1:41 PM PST

This week in Apple

The war of words is heating up over Apple Computer's Mac OS security.

The Mac maker released a security update for its operating system on Wednesday to plug 20 holes. The patch arrived after two weeks of intense scrutiny of the safety of OS X, prompted by the discovery of two worms and the disclosure of a vulnerability that was deemed "extremely critical" by security monitoring company Secunia.

The update added a function called "download validation" to the Safari Web browser, Apple Mail client and iChat instant messaging tool. The function warns people that a download could be malicious when they click on the link. Before that change, clicking on a link could have resulted in the automatic execution of code on a Mac.

However, experts say the patch doesn't completely fix a high-profile Mac OS X flaw, leaving a toehold for cyberattacks. Apple failed to address a key part of the problem: The fix should be at a lower, operating-system level, experts said. It is now still possible for hackers to construct a file that appears to be a safe file type, such as an image or movie, but is actually an application, said Kevin Long, an analyst at security specialist Cybertrust.

Meanwhile, a Mac hacking contest is raising the hackles of many Mac fans. An individual who won such a contest last month by gaining root control of a machine using an unpublished security vulnerability called it "easy pickings."

On Feb. 22, a Sweden-based Mac enthusiast set up his Mac Mini as a server and invited hackers to break through the computer's security and gain root control, which would allow the attacker to take charge of the computer and delete files and folders or install applications.

Within hours of going live, the "rm-my-mac" competition was over. The challenger posted this message on his Web site: "This sucks. Six hours later, this poor little Mac was owned, and this page got defaced."

However, many observers criticized the validity of the competition because participants were given local client access to the target computer.

The contest raised the ire of a university systems engineer in Wisconsin, who invited hackers to break into his Mac. Dave Schroeder asked hackers to alter the home page hosted on a Mac Mini that is running Mac OS X 10.4.5 with the latest security updates.

The system has two local accounts, and has SHH and HTTP open--"a lot more than most Mac OS X machines will ever have open," Schroeder said on his Web site.

But the event ended early after information emerged that the contest had drawn the scrutiny of the chief information officer at the University of Wisconsin-Madison, whose network Schroeder's Mac Mini was on.

"The Mac OS X 'challenge' was not an activity authorized by the UW-Madison," Brian Rust, a university spokesman, said in an e-mailed statement. "Once the test came to the attention of our CIO, she ended it...Our primary concern is for security and network access for UW services."

See more CNET content tagged:
Apple Intel Mac Mini, hacker, Apple Mac OS, Apple Macintosh, Apple Mac OS X

24 comments

Join the conversation!
Add your comment
CNET Yellow is as Yellow does
CNET has done it again. Totally glossing over the fact that the
initial "30 minute" hacker was already IN the computer when he
"hacked" it.

CNET also completely FAILED in mentioning that the second
Wisconsin contest, while up for far more than 30 minutes, was
NEVER HACKED.
Posted by Wowie Zowie (161 comments )
Reply Link Flag
I'm starting to realise..
...that I should maybe just remove CNET from my RSS feeds and
stop feeding them with ad revenue.
Posted by privatec (75 comments )
Link Flag
Where's the Journalism?
Or is it just about page views? No one's an apple fanboy here, but
if you are gonna bring up a story, qoute it properly. give the whole
story, or make complete references. Pretty soon, I can see you
guys putting up a headline saying, "Windows Vista Kills
Developers", when the actual story is two developer are killed in car
crash, they were driving while beta testing windows vista on a
tablet pc and not paying attention on the road. Stop the
sensationalism and get back to journalism. Or maybe im expecting
too much.
Posted by biggstuu (281 comments )
Reply Link Flag
What's Worse than Windows?
When it comes to security, what's worse than Windows? We're talking a patch a day; maybe two!
Posted by lrd123 (50 comments )
Reply Link Flag
I am so tired of hearing this.
Hey, Apple isn't in the business of making a computer so 'safe' that
the dumbest person on the planet can't get a virus. I run both apple
and windows and have yet to get a virus mostly because I don't
download questionable attachments off the web about free porn or
medicational products. If there is a virus that can randomly attack
my computer from the internet without me doing anything report
on that, but otherwise who cares.
Posted by zfish7 (3 comments )
Reply Link Flag
Gotta pile on here
This article is titled THIS WEEK IN APPLE but there's not much to report, is there? So don't bother writing the article. Plus, there are several errors, omissions and obfuscations in the article anyway. The security patches are LAST WEEK'S news, not this week's. The hacking thing was this week, but it's a non-story because the Swedish hack wasn't a hack and the other one was more a story about a guy at a University that took matters into his own hands and got his hands slapped. Snooze.

I gotta pile on with the other commentators here -- this seems more about CNET's page views and ad revenue rather than about reliable, accurate, and newsworthy journalism. That's too bad. What I fear is that it may be a sign of things to come.

All that said, I have to also give CNET props for even attempting journalistic endeavors in the entirely overhyped world of information technology and personal electronics. I love computers and all -- I make my living with them -- so I can only imagine how hard it is for them to sort the wheat from the chaff when it comes to selecting stories to cover.

Too bad this one was all chaff, no wheat. Please, CNET -- more wheat!
Posted by jmproffitt (3 comments )
Reply Link Flag
UUUHHHH, 2 worms, so what!
after 5 years of Mac OS X in existence, it gets 2 little worms and
everyone is making a fuss. Windows XP alone has over 94,000
vulnerabilities, so 2 on a Mac is nothing at all.
Posted by mcobian (14 comments )
Reply Link Flag
so...
So this is a recap of all of the ridiculous stories C|Net followed
this week that generated lots of comments, or what? I don't get
it, the article (ahem) offers nothing new, it's not even a recap,
it's a rehash of an article published two days ago. C|Net, you're
done. I'll get my info from Siracusa and Gruber and take you
guys off my radar. What a sham[e]... I found this site by
arbitrarily typing news.com into my browser 5-10 years ago
(who remembers anymore) and now it's time to say goodbye.
Just like Macworld, MacCentral, Wired, and ZDNet (I know, same
co.) this site is now useless. In an age of syndicated *****, C|Net
lacks the ability to "get a scoop" so they're resorting to
Dvorakesque flame baiting... impressive.
Posted by (12 comments )
Reply Link Flag
agreed
what cnet passes for journalisim these days is beyond a joke, is
belongs in the IT equivelent of the gutter press
Posted by l.evans (5 comments )
Link Flag
It's more than security...
Frankly, I couldn't care if there were 10 or 10,000 viruses for the
Mac OS out there (10,000 is still probably less than what assails
Windows these days).

People like Mac because it's simple and elegant. Someone
stopped and thought "hey, let's do something in one step rather
than ten". I've got antivirus on my Mac, and if it were to find
something, it wouldn't make me throw my hands up in surrender
and go buy a brick of a Dell laptop.

When are people going to understand that it's more than just
security that we care about?
Posted by jharder (11 comments )
Reply Link Flag
Longhorn (Vista) Security Test
I think Windows Longhorn (aka Vista) should be put to the
security test too. The real story that CNET should be reporting
on is how OS X stacks up against VISTA on security, or vice
versa. Sure Windows Longhorn looks better than XP, but the
kernel which its based on is such a mess. Not to mention how
you'll have to upgrade to a newer machine to run Longhorn.
Which I say to MS.. bite me! Jim Allchin knows how much of a
mess Longhorn is and supposedly we'll retire from MS as soon
as its out the door, or so he says. Truth is, you can't believe
anything MS tells you these days. Their like a crooked politician
running a deceitful campaign to an audience currently owned by
them. Truthfully its nothing but broken promises on their part
and yet people continue to pay for it. And now they want to
market the crap out of Windows to all the sheep being fooled by
its supposed security.

Honestly this bashing of OS X won't ease the security woes that
Vista will be in the end.

Ultimately Vista will lose.
Posted by ServedUp (413 comments )
Reply Link Flag
Enough!!!
All the theoretical debates and gloom and doom forecasts about OS X security are really getting old.

I sure wish there were a way to get an accurate indication from ACTUAL OS X users of how many of them: A) have experienced any down-time as a result of a system invasion, B) have experienced any degrading of system performance, C) have lost any files/data as a result of a security breach, or D) have had their security software indicate any problem whatever.

As a iBook user, my input is "none of the above." And I know, I know---Mac users have been lucky so far, but just wait.......
Posted by Norseman (1319 comments )
Reply Link Flag
CNET, give it up.
CNET, you really are unbalanced with all of this Mac security stuff. You have no useful information for people, and are doing nothing but spreading undue fear. Enough already!
Posted by kylegas (81 comments )
Reply Link Flag
Lets get all the facts on the table
How many challenges to MAC OSX system security were there in the entire event that is being reported, and what exactly were their contexts.

What does it mean to have local access to MAC OSX versus whatever other kind(s) of access that there could be.

What is the official Apply rejoinder to this CNET bonfire

How is it possible to set up THE most secure OSX system -- what services off, what kinds of accounts, what permissions withheld from untrusted users, what definition of trusted user etc

What vulnerabilities and what threats apply to this most secure OS-X configuration. See notions below regards meaning of vulnerability and meaning of threat.

Finally how about a forthcoming, forthright, and concise tutorial on relative vulnerability and relative threat. Discuss threat in terms of potential hackers and then in terms of likelihood based upon historical statistics. Discuss vulnerability in terms of ease of making an impact (eg: can touch the store window with the right ladder versus need to be spiderman to touch the store window), and then discuss in terms of the degree of that impact (eg: you can graffiti the store window versus you can break the bullet proof glass). First define vulnerability and then define threat, using industry standard and academically pure definitions without twist or spin. Then define various alternative, security-sensitive, system configuratins. Then define -relative- considering vulnerability and threat AND these alternatives AND without failing to include other operating systems including UNIX, MS-WIN-2000, MS-WIN-XP-Pro, MS-WIN-XP-Home, touching for each of these the variety of alternate security related configurations that each of these might have, and have been found to -normally- have in the business world.
Posted by yen2ken (7 comments )
Reply Link Flag
Open Ports NO?
Yeah i believe all my ports are solid... if im silly enough to host a
website off my mac i would imagine, certain ports would open up...
leaving my mac vulnerable... unless all the porn on bit torrent turns
into mac virus nothing will stop me to download.... because any
programs i dont have prerequisite knowleage of place or downing
myself then ill just trash it... Its more like hacking those trendy
******* the bought into the mac craze, cause they bought an
ipod.... WEED OUT THE NONE BELIEVER HEATHENS
Posted by mzima (7 comments )
Reply Link Flag
MSN Messenger 10 Years Ago
Ok maybe not techinaclly 10 years ago, but this whole virus with Apple through Ichat I think it was is rediculous to take as something important. I remember on my very first computer there was a virus going around with MSN messenger. With in MSN messenger the virus would make comments to your friends with out you knowing it and to ask you to download things. Just thought I'd through that out there to see what you all thought.
Posted by t86y (6 comments )
Reply Link Flag
Where are the News?!
I came here looking for tech-news... can pleas someone give me
some links where the "real" news are? I`m just tired that C/net,
even proving their news are innacurate, they keep publishing trash.
This week in apple should really be, "this week bashing apple" even
Windows users might be tired of this "stupeedness". I really want
to get rid off the C/net RSS ****.
Posted by rleon (111 comments )
Reply Link Flag
Mac IS X Tiger Safety & Security videos
Way last summer I created some "Proof-of-Concept" videos with
the Mac OS X Safety & Security Maintenance as the topic. Those are
free QuickTime vidoes located at

<a class="jive-link-external" href="http://www.maccompanion.com/videocasts/MacSafetySecurity.htm" target="_newWindow">http://www.maccompanion.com/videocasts/MacSafetySecurity.htm</a>
Posted by pritchet1 (20 comments )
Reply Link Flag
C/NET=MS FUD MACHINE N.M.
N.M.=No Message
Posted by Byronic (95 comments )
Reply Link Flag
Truth versus CNet journalism
Why is it that CNet insists on always providing half the story?

Are they lazy? Do they promote an agenda? Are they just stupid?

I wish I new the answer. But for sure this article is high on my
list of really, really crappo writing.

Please CNet rewrite this with all the facts. Don't fall into the trap
of the Hicksville Daily which knows no better than to promote
FUD.
Posted by Jonthin (27 comments )
Reply Link Flag
Raising Hackles
From the above story:
"Meanwhile, a Mac hacking contest is raising the hackles of
many Mac fans."

Oh, my hackles are raised, but not by the contest. That's what
you, the reporter, and the rest of the CNET machine don't seem
to understand. "Mac fans" couldn't care less about that contest,
because we either think it was too much a set up or didn't
actually exist at all. You are reporting it again as fact, but
where, oh where, is your validation? If I make a website claiming
to have invented a perpetual motion computer that required no
external power source would you report that as fact? If so, let
me know, I'll get right on it.

No, "Mac fans" are have their collective hackles raised by the
ZDNet/CNET reporting on this issue. Motives are becoming
rather transparent, and I believe that even the hackles of some
"Windows fans" are starting to rise.

I personally had hoped that this site was going to let last week's
shenanigans pass without out a look back. Now I see that you
are still intent on letting us know that last week you said this
bad stuff about Apple. I can hardly take anything else that
comes from this site as credible. Therefore, the total amount of
ads that will be viewed by me in the future has reached zero.
I'm sure this will be great news for your advertisers.

Readers: Tired of CNet news' reporting? I urge you to find your
tech news elsewhere. As long as you continue to make
"Talkback" posts here and read the "Talkback" posts of others
you are continuing to contribute to CNet's revenue, and
encouraging more of this trash.
Posted by djemerson (64 comments )
Reply Link Flag
Achilees heel
The point is well taken that there have really been no serious hacks to date on the OSX platform. Two good reasons why: 1. It's based off a Unix kernel. 2. Hackers do not target it because of market share.

The Unix OS is one of the oldest still around these days and has proved itself as being very secure. Why it is not as popular now is the fact it's not as easy to learn as the GUI based OS's. All this is old news, but the first virus written (more of a computer science project to prove it could be done) was on Unix. It did prove that even the best could have a flaw. Unfortunately, it did escape into the wild and infected thousands of computers.

The point is, even though the OS wears a tough shell, do not take for granted that it will never ever be breached. From the attitude of the posts I read, all I hear is, "I don't need virus protection as my MAC will never get infected." Perhaps a few "hackles" need to be raised to change that attitude. The odds of being struck by lighning is very, very high, but I still have the common sense not to stand out in the rain during a thunderstorm.
Posted by Seaspray0 (9714 comments )
Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.