Mac Attack

Security in OS X is a pretty interesting topic to watch on the web. For every stereotypical Mac user, perfectly smug in the invulnerability of their operating system of choice, there is a detractor who claims Macs only seem secure because nobody uses them and thus nobody tries to break their security. The truth, as is usually the case in such things, surely lies somewhere in between.

OS X generally has good defaults in terms of minimizing vulnerability surface (the number of places an attacker can pick and choose to attack). That is something Windows has only recently made a priority, with so many of its interfaces remotely exposed (programmatic interfaces in particular -- NetBIOS/RPC being the gateway to lots of different code paths). Still, there are definitely bugs waiting to be discovered in an operating system that has only recently come under heavier scrutiny from the security community.

And sure enough, one was found just recently as a part of a contest run during the CanSecWest conference. Details are still coming out, and of course some Apple defenders* are pointing out that this was only a client-side vulnerability, not capable of creating a worm that could spread without user action. Still, as skilled as Dino most certainly is, that he could come up with a working 0day in 9 hours doesn't exactly give one the impression that OS X is a hardened operating system set to rebuff all attackers the way some might claim.

I'm definitely bummed I didn't get to attend this year, as CanSecWest is probably the most consistently interesting security conference in terms of the people you meet and the topics presented. The relatively small size compared to so many of the mega-cons is refreshing. Hopefully this year's Safari 0day won't do to it what Michael Lynn's Cisco speech did for the attendance at Black Hat last year (getting through the hallways in Caesars Palace between sessions was like dropping a paper boat in a river -- you moved exactly as fast as the flood of people carried you).

*Full disclosure--I'm writing this now on my MacBook Pro. Does that give me license to go after over-zealous Apple defenders? For examples of such folks, see the Slashdot thread on this topic.