The problem is, a LOT of the Windows vulnerabilities require exactly the
same thing that was required on the Mac...a single click on a website.

From the article:

"While this is a significant flaw that needs to be patched, it is unlikely
that anyone who wanted access to a system would be able to set up such a
Rube Goldberg event chain to gain access to a specific users' files."

They set this Rube Goldberg event chain all the time on Windows, how many
times is it because of what users do to their own systems?

Again:

"Windows does not do this.  (ask for permission to install/change system
files etc) Even the "new and improved" Vista does not ask for
authentication. It asks the user to click Allow, after previously having
asked the user to click Allow repeatedly. Guess what most users will do when
prompted to Allow some executable to do some technical sounding thing in the
Registry?"

So the author describes security on both machines as having to force user
input to allow changes, but only the Mac guy is smart enough to hit cancel?
Ridiculous.  Vista gains a critical area in security and apparently it's not
*exactly* as on a Mac so it's a complete failure?

More:

"An anonymous user on Slashdot (an anonymous user..wow..hope he triple
checked his sources. He should have perhaps checked a security vendors
website or maybe even, oh...Apple?) described the exploit as involving a
JavaScript routine. Sun's Java and Netscape's JavaScript share little in
common apart from their names, but both are third party browser plugins that
are not specific to Safari. Exploiting either one and calling it a "Mac
exploit" is disingenuous."

So who is being disingenuous?  eWeek reports that it is not a Java problem
but a QuickTime bug.

http://securitywatch.eweek.com/apple/quicktime_bug_affects_all_javaenabled_browsers.html

The blog goes on to blame in several instances that 'third party software
was to blame' for any exploit.

"That also highlights a fact many 'security experts' don't seem to grasp:
installing software changes your level of security. While Macs are quite
secure when kept up to date, installing software and turning on new services
can open one up to attack vectors that Apple can't control for you."

Third party software??  It was a QuickTime bug...Apple.   So now Apple
installed QuickTime is third party software?

This from Newsfactor:  http://www.newsfactor.com/story.xhtml?story_id=51967

As it turns out, by enticing a user to visit a Web page containing a
maliciously crafted Java applet, an attacker can exploit the QuickTime bug,
leading to arbitrary code execution, according to an Apple bulletin.
"The bug is considered "very serious," Apple said, and can be exploited
through any Java-enabled browser, including Microsoft's
Internet Explorer 7, Mozilla's Firefox, and Apple's own Safari. The
vulnerability affects Macs and Windows PCs."

So now we have even APPLE calling it a QuickTime bug.

Looks like roughlydrafted is being a little disingenuous.

Mike





On 5/11/07, Tom Piwowar <[EMAIL PROTECTED]> wrote:

>I admit it...you are right.  Macworld lied...computerworld...dozens of news
>organizations lied.  MS paid big for this one.  I take it all back.

Nice review of the press reporting on the CanSecWest Mac crack at Roughly
Drafted
<http://www.roughlydrafted.com/RD/RDM.Tech.Q2.07/616874CC-35CE-49D3-B859-C2719B6FF352.html>

"Beyond the glaring error of conflating a remote exploit with something
that requires a concerted effort between a user acting locally on the
machine and an outside party, Gohring's article perpetuated a number of
myths about Mac security."




