Slicing the Apple

Discussion in 'NZ Computing' started by Mickey Mouse, Aug 14, 2007.

  1. Mickey Mouse

    Black Hat conference speaker discusses simple approach to exploit OS X
    through open-source vulnerability vectors.

    "Miller said his formula for finding a zero-day flaw on a Mac is this: "Find
    an open-source package that they use that's out of date--there's, like I
    said, plenty of those." He then suggested reading through the change log for
    the current version of any of the above open-source software to find a
    useable bug that's been fixed in the newer version but still vulnerable to
    Mac OS X users. Miller said by doing this, "you won't have to worry about
    static analysis or fuzzing or any of that stuff.""

    http://news.com.com/8301-10784_3-9759132-7.html?part=rss&subj=news&tag=2547-1_3-0-5
    Mickey Mouse, Aug 14, 2007
    #1
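    The article quoted above amounts to a patch-management problem: an OS that bundles open-source components is only as current as its most stale package. The defender's side of that observation is an inventory check that compares the versions actually shipped against current upstream releases. Below is an added example of such a check, written for this thread and not taken from the article or from any vendor tool; the package names and version strings are constructed placeholders, not real release data, and the version ordering rules (numeric components, pre-release tags such as rc/beta, post-release letters such as OpenSSL-style 0.9.8e) are assumptions the code documents inline.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample inventory: versions bundled with the platform versus the
# current upstream release. All names and numbers are illustrative placeholders.
BUNDLED: Dict[str, str] = {
    "libfoo": "1.2.3",
    "barutil": "2.0.1",
    "bazd": "0.9.8e",
    "quxsh": "4.3p2",
    "oldlib": "3.1",
}
UPSTREAM: Dict[str, str] = {
    "libfoo": "1.2.3",
    "barutil": "2.1.0",
    "bazd": "0.9.8g",
    "quxsh": "4.3p2",
}

# Assumed convention: multi-letter tags mark pre-releases (sort BELOW the bare
# version); any other letter run (e.g. OpenSSL "e", OpenSSH "p") marks a patch
# level that sorts ABOVE the bare version.
PRERELEASE = {"alpha", "beta", "rc", "pre", "dev"}


def parse_version(v: str) -> Tuple[List[int], Tuple[Tuple[int, object], ...]]:
    """Split a version string into a leading numeric run and a ranked suffix.

    Suffix items are (rank, value) tuples: rank 0 = pre-release tag,
    rank 1 = number, rank 2 = post-release letters. A trailing (1, 0) sentinel
    makes a bare version compare above 'rc1' and below 'e'.
    """
    tokens = re.findall(r"\d+|[A-Za-z]+", v)
    numeric: List[int] = []
    i = 0
    while i < len(tokens) and tokens[i].isdigit():
        numeric.append(int(tokens[i]))
        i += 1
    suffix: List[Tuple[int, object]] = []
    for tok in tokens[i:]:
        if tok.isdigit():
            suffix.append((1, int(tok)))
        elif tok.lower() in PRERELEASE:
            suffix.append((0, tok.lower()))
        else:
            suffix.append((2, tok.lower()))
    suffix.append((1, 0))  # sentinel, see docstring
    return numeric, tuple(suffix)


def compare_versions(a: str, b: str) -> int:
    """Return -1 if a < b, 0 if equal, 1 if a > b under the rules above."""
    na, sa = parse_version(a)
    nb, sb = parse_version(b)
    width = max(len(na), len(nb))
    na = na + [0] * (width - len(na))  # "1.2" == "1.2.0"
    nb = nb + [0] * (width - len(nb))
    if na != nb:
        return -1 if na < nb else 1
    if sa != sb:
        return -1 if sa < sb else 1
    return 0


def audit(bundled: Dict[str, str], upstream: Dict[str, str]) -> Dict[str, object]:
    """Classify each bundled package as outdated, current, or unknown upstream."""
    report: Dict[str, object] = {"outdated": {}, "current": [], "unknown": []}
    for name, ver in sorted(bundled.items()):
        ref = upstream.get(name)
        if ref is None:
            report["unknown"].append(name)  # no reference: needs manual review
        elif compare_versions(ver, ref) < 0:
            report["outdated"][name] = (ver, ref)
        else:
            report["current"].append(name)
    return report


if __name__ == "__main__":
    result = audit(BUNDLED, UPSTREAM)
    for name, (have, want) in result["outdated"].items():
        print(f"OUTDATED  {name}: bundled {have}, upstream {want}")
    for name in result["unknown"]:
        print(f"UNKNOWN   {name}: no upstream reference")
    for name in result["current"]:
        print(f"current   {name}")
```

    In practice the UPSTREAM map would be fed from the distributions' or projects' release feeds rather than hand-typed, and every entry under "outdated" is exactly the kind of package whose upstream changelog Miller describes reading; the point of running the check yourself is to update or mitigate before someone else does that reading.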

  2. In message <f9rjib$qjg$>, Mickey Mouse wrote:

    > "Miller said his formula for finding a zero-day flaw on a Mac is this:
    > "Find an open-source package that they use that's out of date--there's,
    > like I said, plenty of those." He then suggested reading through the
    > change log for the current version of any of the above open-source
    > software to find a useable bug that's been fixed in the newer version but
    > still vulnerable to Mac OS X users.


    One of many reasons why closed-source vendors will never "get" open source.
    Lawrence D'Oliveiro, Aug 14, 2007
    #2

  3. thingy

    Mickey Mouse wrote:
    > Black Hat conference speaker discusses simple approach to exploit OS X
    > through open-source vulnerability vectors.
    >
    > "Miller said his formula for finding a zero-day flaw on a Mac is this:
    > "Find an open-source package that they use that's out of date--there's,
    > like I said, plenty of those." He then suggested reading through the
    > change log for the current version of any of the above open-source
    > software to find a useable bug that's been fixed in the newer version
    > but still vulnerable to Mac OS X users. Miller said by doing this, "you
    > won't have to worry about static analysis or fuzzing or any of that
    > stuff.""
    >
    > http://news.com.com/8301-10784_3-9759132-7.html?part=rss&subj=news&tag=2547-1_3-0-5
    >


    And so the moral is, using/buying a commercial application/OS based on
    OSS is a bit daft. The same applies to commercial vendors using "their"
    applications derived from OSS on a MS platform....

    And this in no way proves/shows that using "purely" commercial software
    is better than OSS....

    regards

    Thing
    thingy, Aug 14, 2007
    #3
  4. Shane

    thingy wrote:

    > Mickey Mouse wrote:
    >> Black Hat conference speaker discusses simple approach to exploit OS X
    >> through open-source vulnerability vectors.
    >>
    >> "Miller said his formula for finding a zero-day flaw on a Mac is this:
    >> "Find an open-source package that they use that's out of date--there's,
    >> like I said, plenty of those." He then suggested reading through the
    >> change log for the current version of any of the above open-source
    >> software to find a useable bug that's been fixed in the newer version
    >> but still vulnerable to Mac OS X users. Miller said by doing this, "you
    >> won't have to worry about static analysis or fuzzing or any of that
    >> stuff.""
    >>
    >> http://news.com.com/8301-10784_3-9759132-7.html?part=rss&subj=news&tag=2547-1_3-0-5
    >>
    >
    > And so the moral is, using/buying a commercial application/OS based on
    > OSS is a bit daft. The same applies to commercial vendors using "their"
    > applications derived from OSS on a MS platform....
    >
    > And this in no way proves/shows that using "purely" commercial software
    > is better than OSS....
    >
    > regards
    >
    > Thing


    I think his point is, OSS is better supported than software provided by
    major vendors?
    --
    Q: What is the difference between a mathematician and a philosopher?
    A: The mathematician only needs paper, pencil, and a trash bin for his
    work - the philosopher can do without the trash bin...
    Shane, Aug 14, 2007
    #4
  5. thingy

    Shane wrote:
    > thingy wrote:
    >
    >> Mickey Mouse wrote:
    >>> Black Hat conference speaker discusses simple approach to exploit OS X
    >>> through open-source vulnerability vectors.
    >>>
    >>> "Miller said his formula for finding a zero-day flaw on a Mac is this:
    >>> "Find an open-source package that they use that's out of date--there's,
    >>> like I said, plenty of those." He then suggested reading through the
    >>> change log for the current version of any of the above open-source
    >>> software to find a useable bug that's been fixed in the newer version
    >>> but still vulnerable to Mac OS X users. Miller said by doing this, "you
    >>> won't have to worry about static analysis or fuzzing or any of that
    >>> stuff.""
    >>>
    >>> http://news.com.com/8301-10784_3-9759132-7.html?part=rss&subj=news&tag=2547-1_3-0-5
    >>>
    >>
    >> And so the moral is, using/buying a commercial application/OS based on
    >> OSS is a bit daft. The same applies to commercial vendors using "their"
    >> applications derived from OSS on a MS platform....
    >>
    >> And this in no way proves/shows that using "purely" commercial software
    >> is better than OSS....
    >>
    >> regards
    >>
    >> Thing
    >
    > I think his point is, OSS is better supported than software provided by
    > major vendors?


    yes, totally. We use Redhat extensively and even their patch level
    concentrates more on major bugs and fixes once the OS version starts to
    get a little long in the tooth....personally I don't think you can beat
    Debian for speed of bug fixes, security and stability....pretty much
    each package has a maintainer and it is actively looked after....leaves
    RH dead....

    Any commercial vendors I have come across who use OSS tools packaged up
    in their solution, e.g. Sophos, are definitely second rate....and my
    experience has been that they don't know the OSS packages they used much
    either....

    regards

    Thing
    thingy, Aug 14, 2007
    #5
