Security Expert Says “No Magic Fairy Dust Protecting Macs….” Fanbois Weep

If you’re an Apple fanboi and you feel that Steve Jobs’ aura is the only security that your Mac needs, here’s a kick in the testicles for you. Dino Dai Zovi is highly critical of the Mac platform’s security and how Apple handles security issues, and warns Mac users that they need to be on guard:

Dai Zovi, a security researcher and co-author of “The Mac Hacker’s Handbook,” said on Wednesday that once hackers start to put substantial resources into targeting Apple’s computers, they will be at least as vulnerable as Windows machines.

“There is no magic fairy dust protecting Macs,” he said in an interview.

He is demonstrating this at the Black Hat Security Conference in Las Vegas this week by showing a brand new exploit that can steal data:

The technique — dubbed “Machiavelli” — exploits a vulnerability in the Mac OS X kernel, the heart of the machine’s operating system. It only works on machines that have already been victimized, such as ones attacked with the pirated software. It can take control of Apple’s Safari browser, logging passwords to financial accounts and data on bank statements, Dai Zovi said.

Lovely. But it gets worse for the fanbois. Also being shown at that same conference is a flaw in the iPhone that can allow a remote attacker to hijack the phone via SMS:

Using a flaw they’ve [Collin Mulliner and Charlie Miller] found in the iPhone’s handling of text messages, the researchers say they’ll demonstrate how to send a series of mostly invisible SMS bursts that can give a hacker complete power over any of the smart phone’s functions. That includes dialing the phone, visiting Web sites, turning on the device’s camera and microphone and, most importantly, sending more text messages to further propagate a mass-gadget hijacking.

“This is serious. The only thing you can do to prevent it is turn off your phone,” Miller told Forbes. “Someone could pretty quickly take over every iPhone in the world with this.”

How delightful. Of course, when contacted by the news organizations that wrote the above stories, Apple as usual had nothing to say. I guess they were too busy ensuring that Palm Pre devices couldn’t sync to iTunes or something. At least we know where their priorities lie. It sure isn’t dealing with security issues, as they’ve done a really craptastic job of that as of late.
