Thursday, April 5, 2012

Myth Busted: Apple is Not Hacker Proof

from community.rapid7.com / Marcus J. Carey 

The first thing I'd like to say is that I am an Apple fanboy and can usually be found defending them vigorously like any loyal fanboy would. I hear time and time again from other Apple users that Apple products are "hacker proof", which is a total myth. My buddy Jayson Street says Apple products are perceived as shiny magical things, which I guess adds to the myth.

Mac users are so used to hearing about exploits that only affect Windows users. I have to admit some exploits that target Macs are lame, but every once in a while there comes something that Mac users need to pay attention to. Ladies and gentlemen, now is the time to pay attention because this myth is being busticated in a major way at the moment.

Apple hasn't provided an OS X product update for a critical Java vulnerability (CVE-2012-0507), which was patched by Oracle as of February 15, 2012. This is a big deal because Apple users account for about 15% of Internet traffic. Mac users are wide open to exploitation if they are running the Java plugin in their browsers and attackers are actively leveraging the Java attack across the Internet.

The actual exploit is widely available, which means that it will appear all over the Internet. Here is a screen capture of me exploiting my "fully patched" MacBook Pro running OS X version 10.7.3 with Metasploit.

[Image: apple_hacked_cve-2012-0507.png]

I created a video to show Mac users how to disable the Java plugin in Firefox, Safari, and Chrome. Disabling the Java plugin will prevent your system from being compromised by the CVE-2012-0507 exploit. In general you should always have the Java plugin disabled unless it is absolutely necessary. You never know when there is a zero-day exploit lurking around the corner.
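As an added, defender-side example that is not part of the original post, here is a POSIX shell audit for the two conditions the post describes: a Java applet plugin that a browser can still load, and a Java runtime older than Oracle's fix. The plugin bundle path and the `java -version` output format are assumptions, and FIXED_VERSION (the first Oracle release carrying the fix, which the post does not name) must be supplied by the reader.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Mac for the exposure
# described above. Assumptions: the Java applet plugin bundle lives in
# /Library/Internet Plug-Ins, and FIXED_VERSION is set by the reader to the
# first Oracle release that fixes CVE-2012-0507 (the post does not name it).

PLUGIN_DIR="${PLUGIN_DIR:-/Library/Internet Plug-Ins}"

# Return 0 when a Java applet plugin bundle is present in the given directory.
# Presence means a browser can load it unless the plugin is disabled there.
java_plugin_present() {
    [ -e "$1/JavaAppletPlugin.plugin" ]
}

# Extract the version string from `java -version` output (which arrives on
# stderr), e.g. 'java version "1.6.0_29"' -> 1.6.0_29.
java_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1
}

# Map a Java version string to a sortable integer: 1.6.0_29 -> 10600029
# (major, 2-digit minor, 2-digit patch, 3-digit update; missing update = 0).
java_version_key() {
    printf '%s\n' "$1" | awk -F'[._]' '{ printf "%d%02d%02d%03d\n", $1, $2, $3, $4 }'
}

# Return 0 when installed version $1 is older than fixed version $2.
java_version_older_than() {
    [ "$(java_version_key "$1")" -lt "$(java_version_key "$2")" ]
}

# Report plugin presence and runtime age; return 1 if the machine looks exposed.
audit_mac() {
    fixed="${FIXED_VERSION:?set FIXED_VERSION to the first fixed Java release}"
    exposed=0
    if java_plugin_present "$PLUGIN_DIR"; then
        echo "Java applet plugin present in $PLUGIN_DIR (disable it in each browser)"
        exposed=1
    fi
    installed=$(java_version_from_output "$(java -version 2>&1)")
    if [ -n "$installed" ] && java_version_older_than "$installed" "$fixed"; then
        echo "Java $installed is older than fixed release $fixed"
        exposed=1
    fi
    return "$exposed"
}

if [ "${1:-}" = "--audit" ]; then audit_mac; fi
```

Run it as `FIXED_VERSION=<fixed release> sh audit.sh --audit`; a non-zero exit means the plugin is still installed or the runtime predates the fix.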

I was sad visiting the Apple Store yesterday knowing that every Mac in sight was exploitable (see image below). I asked a couple of the Apple Geniuses if they had heard of the issue, and they told me they were unaware of it, which means few customers or owners know as well. We surely need to put this myth to rest and pray for Apple to update as soon as possible. One final request if you made it this far: please tell everyone you know to disable Java plugins.

[Image: apple_store_java.jpg]

4 comments:

  1. Isn't it ironic that most Mac exploits take advantage of weaknesses in 3rd party programs like Adobe Reader, FlashPlayer, Microsoft Office, and Java-- all of which are notorious for providing a degraded (non-Mac-standard) user experience even when they are not being attacked by malware.

    People feel obliged to install these programs because they have become popular on the majority (Windows) platform. Content creators prefer to "write once and deploy everywhere." Thus we end up with a "lowest common denominator" effect where we Mac users are forced to use these shoddy programs, or do without the content.

    Java applets have always been an abomination. I endorse disabling Java.

    Replies
    1. "Isn't it ironic?" -- Hint: No, it isn't. You, as a good American patriot, would appear to be unable to use "irony" correctly, and therefore deploy the mere word almost everywhere, whether it fits or not. In your sentence, it doesn't fit. Try another word: "telling, strange, coincidental, apparent, funny,... " all of which would probably fit what you are trying to say. Stop using "ironic" without understanding what it means!

  2. This comment has been removed by the author.

  3. Where can I see the video to disable the Java Plugin in my MacBook?
