03/07/2006, 9:40am, EST
Tuesday, March 7th
Mac OS X Security Challenge launches
"Anyone who wished it was given a local account on the machine (which could be accessed via ssh). Yes, there are local privilege escalation vulnerabilities; likely some that are 'unpublished'. But this machine was not hacked from the outside just by being on the Internet. It was hacked from within, by someone who was allowed to have a local account on the box. That is a huge distinction."
Local accounts could allow hackers to exploit many 'unpublished' (as noted by the "gwerdna" hacker) and older known security vulnerabilities that Apple has not yet addressed. However, most users will not offer hackers these accounts, so granting them dramatically distorted the overall security picture of Mac OS X, according to Schroeder.
The challenge invites hackers to alter the web page at test.doit.wisc.edu, hosted on a PowerPC-based Mac mini running Mac OS X 10.4.5 with Security Update 2006-001 and two local accounts; the creators note that the machine has both SSH and HTTP ports open, which is "a lot more than most Mac OS X machines will ever have open."
Filed under: Apple

If I were Jobs, I'd have my lawyers all OVER their ass, both in order to extract said retraction AND to send a message that other companies who have a *vested interest* in making the Mac look as bad on security as PCs had better not try CHEATING as a method to making the Mac look bad.
Oh, please. They publish crap on-line. If we're going to force ZDNet to publish apologies, they'll be spending all their time just trying to keep up with Dvorak's crap. And then all web-sites would be forced to post apologies because they all post crap.
(Wait, a news organization using sensationalism to push sales. Man, when did that start happening in the world???)