Headlines were made the other day when a Macbook was hacked. That, in and of itself, is a little funny. I mean, imagine calling the local News Tribune "Stop the presses! Someone was able to hack into a Windows PC!"
Ok, so now the tech press is milking this for all it's worth. I've read dozens of articles on it, both in Mac Magazines and in PC magazines, and evn from sites that are blatantly anti-mac.
Here's the Nitty Gritty Details.
Dino Dai Zovi stumbled across an exploit for Safari that deals with Quicktime and Java that allowed him "user level shell access" to another Mac, wirelessly.
This earned him a 10,000 dollar prize.
The original contest stated that the mac must be hacked without anyone touching it, it had to be completely remote. Hardly a feat on a PC.
For 24 hours, all the hackers and security experts tried, but were unsuccessful. On the second day, they changed the rules, allowing the attacker to direct the target computer to a malicious website.
What many are not reporting is that this is a cross platform vulnerability, not a Mac vulnerability. It deals with Quicktime and Java, both of which are available for Windows.
Now, everyone is saying the mac was hacked, but not everyone is explaining how much access the attacker had.
Basically, in the target computer's home folder was a file called instructons.txt which had to be remotely accessed. The attacker must open and read this file, then follow the instructions to prove they had gained access.
So, how much access does the attacker have?
The attacker can:
read any unprotected files in your home directory
delete any unprotected files in your home directory
The attacker cannot:
install dangerous software
delete or access other user's files
change passwords
damage the OS
There was a second mac in the room. This one, for another 10,000 dollar prize, required a remote hack that gained root access. Root access would allow you to do all of the things I just listed that the attacker couldn't, and much more. That mac was never hacked.
So, was a mac hacked? Yes. Would I be worried about this? No. Is there a defense against this attack? Yes! Go to your web browser. Press command - , for preferences. Under the security tab, disable Java. Boom! You're done!
If you need Java enabled for a specific website, just turn it on and off again when done.
I expect that very shortly Apple will patch this and we can walk around with Java turned on again. In the meantime, this is one of the lamest hacks I've ever seen make front page news.
About Me
- MacDracor
- For me, this whole blogging thing started mainly as a way to get people to stop asking me the same questions over and over again "So, what's been going on?" Grumble. Now though, I've decided to branch out a bit and am posting reviews as well. If you are a developer and would like me to review your software, send me an e-mail at macdracor@gmail.com
0 comments:
Post a Comment