A Little .Mac Security Flaw 328
deleuth writes "The de facto online connectivity software sold along with many Apple computers, .Mac, has a Web interface through which users can check their 'iDisk' while away from their own computer. However, there is no Log-Out button in this Web interface, so most users just close the browser and walk away... not realizing that their iDisk has been cached by the browser and that anyone who wants to can open up the browser, go back to the link in History, and get into their iDisk completely logged in. From here, files can be downloaded and/or deleted. This seems like a minor security flaw via bad interface design, and podcaster Klaatu (of thebadapples.info) posted this on the discussion.apple.com site, only to have his post removed by Apple. Furthermore, feedback at apple.com/feedback has gone unanswered. The problem remains: there is no way for the average computer user to log-out of their iDisk on public computers. A quick review of any public terminal's browser history could bring up all kinds of interesting things."
Huh? (Score:5, Informative)
After accessing your iDisk in Firefox:
In Safari:
Or if you remember to do so before visiting .Mac's iDisk page:
Problem solved.
So yes, there are ways for the average user to log-out of their iDisk from a public terminal. They just simply have to use the existing facilities at their disposal.
Yaz.
Re:When Will Apple Learn (Score:3, Informative)
I see no proof of this. Apple responds relatively quickly to security holes and releases regular patches and updates.
Huh? You seem to have conflated their corporate policy, which is sometimes very stupid, with their security policy, which is generally good. The two have nothing to do with each other. Apple's overzealous moderation of their own forums is well known, and unfortunate. But it has nothing to do with how well they manage their OS security and how well they respond to exploits.
Re:Huh? (Score:5, Informative)
Re:No, incident does prove Apple is lacking ... (Score:4, Informative)
Apple has a bug reporting system and an email for security issues. Use them, not the forums, if you want to make sure the post is actually evaluated by someone with understanding of... well, anything technical.
Re:No, incident does prove Apple is lacking ... (Score:5, Informative)
How? What is the causal connection? Unless you have specific information about Apple's internal organization, and the relationship between the people who admin their forums and the people who work on OS security, the only connection is the one in your mind. Apple is not a monolithic entity with the ever-vigilant head of Steve Jobs on constant watch. It's a large corporation with multiple divisions, each of which has their regions of control and expertise. The decision to nuke posts about a security flaw, while stupid and short-sighted, does not immediately mean that Apple's OS security people are lax or lazy. They may be working on a fix already. They may not. They may roll it out in a week. They may not. And an article may appear tomorrow which proves that this security "flaw" was vastly overrated and is not that serious.
If you wanted to critique Apple's security prowess you could compile a list of known security flaws, with their severity and a list of how long it took Apple to patch them. That would be a logically constructed argument. However, this is Slashdot, so I won't hold my breath. This is the same lax "logic" which leads to a lot of the Microsoft bashing around here, and it looks stupid no matter which way it's pointed.
Other Apple security controversy (Score:5, Informative)
http://www.theregister.co.uk/2007/12/15/apple_security_fixes/ [theregister.co.uk]
Re:No, incident does prove Apple is lacking ... (Score:1, Informative)
Re:When Will Apple Learn (Score:5, Informative)
You would think that, during this time, Apple would have used the opportunity to develop and internal culture, policies and procedures, as well as infrastructure for dealing effectively with security issues. However, the complete opposite appears to be the case.
Apple has failed miserably to publicly and actively address such issues. It also fails to respond in anything that could be called a rapid manner to reports of exploitable security holes. Taking actions such as deleting posts that point out security problems makes the situation worse, not better. Failing to publicly document the existence, status and nature of defects makes the situation worse, not better. Being secretive makes the situation worse, not better.
You are incorrect in so many ways, I find it hard to begin.
1. There is no proof what so ever that Apple's install base is the reason Macs are more secure than Windows. Having network servers off by default and having a default web browser that doesn't run code written in C++, visual basic, and whatever the hell else ActiveX supports these days to be FAR more important than the install base. There are reasons that in the past, if you took a Windows computer out of a brand new box, hooked up via a DSL or Cable modem that your machine was hacked before you were finished logging in for the first time, and it isn't because of the installed base (you do remember that don't you). The Windows machine has active network servers running.
2. Apple doesn't ignore security updates and issues. They fix them. Sometimes even before someone posts about them. If you don't like their update schedule and want Apache or whatnot to be running up-to-date you can install from the CVS just like the Linux and BSD people do. To me it's like saying Red hat doesn't respond rapidly to security holes. If you want a day zero fix, update from CVS. For the common user all of this is irrelevant, since their default install isn't listening to network traffic. Apple has also included other under the hood improvements, just like all other venders, to minimize the risk of buffer over flows.
I'm sorry, Apple's not walking some kind of security minefield just getting lucky all the time. Just like Linux isn't. Unix style security just works very well and is easy to manage. Your computer isn't magic, there's a reason why Microsoft's operating systems are getting owned all the time. There are a LOT of reasons for this, most of them boil down to bad default installs and the environment Microsoft has created within it's developer community. An environment that fosters laziness and has typically done very little to stop their bad practices. Things like making applications that require the admin to be login in order to run. Which in turn leads to the floor level tech just giving everyone admin access.
You computer is not made of magic, there are reasons Microsoft's operating systems suck and people complain about them and it's not because they are "not Apple and have a small install base".
Re:My testing (Score:4, Informative)
Re:My testing (Score:4, Informative)
Re:No, incident does prove Apple is lacking ... (Score:5, Informative)
Re:No, incident does prove Apple is lacking ... (Score:4, Informative)
Her response _also_ repeated the point that Apple (quite naturally) prefers receiving bugreports through the proper (secure) channels and not having to cull them from unrestricted forum postings.
Re:A minor flaw? Tosh. (Score:4, Informative)
And I thought it was over 5 percent now [macnn.com]...
Here's the thing. The only people that have to be worried are Mac users with a dot-mac account. I have an iMac but I wouldn't dream of getting
a place to share photos online (which I do for free with Photobucket)
your own personal web-space (which for personal use, Blogger does the job just fine for me)
email access anywhere, even on an iPhone (but the iPhone shows your regular ISP email anyway, which is set up the first time you plug your iPhone into your Mac thanks to the settings in the Mail program, and GMail is accessed anywhere with internet connectivity too)
remote access to your Mac (which I personally have never needed)
the ability to sync your favourite stuff to the computer you're using (my iGoogle page shows me all the stuff I usually bookmark on any computer I decide to log into Google
10GB of storage online for files (XDrive gives 5GB away for free, eSnips gies 5GB away for free, my photos on Photobucket, my videos that I want people to see on YouTube...)
Online backup if I don't have OS X 10.5 Leopard (or I can just buy Leopard and get all the new-fangled doohickeys too)...
What's the point? It's the equivalent of when people had CompuServe in the early-to-mid 90s. They'd pay through the nose to use a proprietary web browser and get access to groups that only other CIS users could use. It's the internet for people that don't know what's out there for nowt, a gated net community.
Re:When Will Apple Learn (Score:3, Informative)
I'm not sure how programming in Objective-C is safer than C++, but I don't know the very guts of both to see the difference, just enough to make programs. It doesn't look like Obj-C really slows down the writing of insecure code to me.
Re:Apple's response? (Score:0, Informative)
Re:When Will Apple Learn (Score:5, Informative)
However, there is one thing that I am very troubled by and it is simply this: Apple apparent arrogance and ignorance when it comes to security.
Apple is a mixed bag when it comes to security. They have employees they acquired from other companies specializing in Web technologies, graphics, video, and numerous other topics, as well as old-school Apple employees many of whom do not take security seriously enough. On the other hand they have all the Next employees and all the old-school Unix guys they've hired on to manage the guts, who live and breath security. As a result, in some ways Apple is way ahead of the game for security (like with their new sandboxing and signing frameworks in Leopard) and in others they seem oblivious. I can't think of another consumer desktop oriented OS that ships with so few services running, and with almost all of those sandboxed. Then you get to other things Apple, like some of their userland applications and Web services and you wonder that the same company could produce both of them. Apple is pretty schizo in this regard.
Apple has enjoyed a "blanket" of security because it is low profile and a niche. However, as its market share and mind share expands, this period of respite will soon fade.
I disagree. Apple is a juicy target for exploitation for many reasons. They are less likely to be exploited due to a number of market and social factors, but in general, Apple's security has been fairly sound and that is why they are not worm food. Further, I don't see Apple's security record becoming poor in the future. Apple, Linux, Solaris, etc. all have one major thing that will keep them more secure than Windows is today... motivation. If Apple's security starts to fail for their users, Apple loses money as they move away. Thus, Apple has direct financial motivation to fix the problem, and they will. This is the advantage of a free market. Microsoft, however, has a monopoly, so even when their users are screaming out for better security, MS loses very few, if any, if they ignore their customers and focus instead on locking in a new market and this latter action will make them more money. They have direct financial motivation to do little more than provide the appearance that they are doing something security-wise, and that is what they keep delivering.
You would think that, during this time, Apple would have used the opportunity to develop and internal culture, policies and procedures, as well as infrastructure for dealing effectively with security issues. However, the complete opposite appears to be the case. Apple has failed miserably to publicly and actively address such issues. It also fails to respond in anything that could be called a rapid manner to reports of exploitable security holes. Taking actions such as deleting posts that point out security problems makes the situation worse, not better. Failing to publicly document the existence, status and nature of defects makes the situation worse, not better. Being secretive makes the situation worse, not better.
Here is my experience with Apple's security response. My co-worker found a potentially exploitable hole in OS X. He went to Apple's Web site and reported it as a security bug in the bug report section, not commenting the forums that are for users not Apple employees. Apple sent him a message a few days later saying they'd look into it. A few weeks later the next security update for OS X came out and fixed the problem, including crediting my co-worker with discovering it. It was painless and quite rapid for that large of a project, considering the time for research, coding a fix, testing, and rollout, in fact a lot faster than our average response time to that same priority of bug (and we sell much more critical security devices). From everything I've seen, Apple responds fairly quickly to security issues reported to them and the only instances where there are major problems are where researchers refuse to give Apple details before p
Re:This is NOT a security flaw! (Score:1, Informative)