Slashdot Mirror
PC Mag - Mac OS X Insecure
Suki writes "In this recent story a PC Mag writer concludes that "Panther and Jaguar were not better at outrunning vulnerabilities than Windows" and as my personal fav. ends by asking "How cocky are you feeling now, Mac elite? Hmm. Suddenly it's gotten pretty quiet around here." The article discusses many previous Windows security holes against a recent Mac OS X security flaw."
Sorry to say you're wrong. If someone takes root access on your machine (which the security vuln. mentioned in the article allowed an attacker to do) your box becomes the toy of the 0\/\/N3r, and can be used in any ddos or other illegal scheme they fancy. Does it matter if the spam I'm getting comes from a hole produced by a virus or a human hacker?
Just because compromising windows machines is down to an easily automated science (read virus), doesn't make them more or less secure than a mac, if the mac has such a large flaw as it recently did.
You say
It sounds like this is just the same "Flaw" in OSX's DHCP settup. There was a thread on this earlier. They essentially use a server to assign a number of items as well as IP. If I reacall correctly, this was never that big of a security flaw (at least not moreso than any other standard DHCP setup)
This is just some guy on a soapbox blabering on about how this "flaw" proves that OSX is just as bad as any Microsoft product. Hopefully others can see past this guy's rhetoric.
There should be a moderation category "Dumbest Comment EVER"
... that you don't put your email in your attribution or anywhere in the article.. Luckily, thanks to Google, your bio reveals your email to be:
Lance_Ulanoff@ziffdavis.com
Share and enjoy!
If you want to read a well thought out and constructive rebuttle to this article, click here.
Everyone talks about us Mac zealots, and yet no one ever talks about the Anti-Mac zealots, and let me tell you there are a lot of them.
Actually the problem is a default setting. You have to go into the obscure program to disable the default.
If you don't use a DHCP / LDAP server then its recommended that you turn it off.
This is from the apple site:
You don't use a directory service
lol yes silly ac, but the first rule of computer secutity is that if the "bad guy" has physical access to the machine, the game's over. The "good guys" lose, and the "bad guys" win.
If I've used my 1337 cat-burgular skills to break into Exodus, and actually have access to the machine itself; I'm not going to waste time useing my 1337 hacking skills or my (presumably) equally-1337 CD of hacking tools. I'll simply crack open the machine, rip out the drive, take it home, and read the data I want at my leisure.
cya,
john
Imagine all the people...
Wow, this writer for PC Magazine obviously has some issues when it comes to attitudes. This article is written mostly as an "IN YOUR FACE" to the Mac community. I also find humorous the huge, honkin' HP advertisement right in the middle of the article.
Anyway, while it may be true that there have been some insecurities with OS X (as you'll have with _any_ operating system), most of them have been what I'd classify as low-risk. Go read all the advisories for them, they all require either physical access to the local box/network or are vulnerabilities with the open source components of OS X (like OpenSSL) that affect everybody in our (Geek) community.
So quite frankly, I see this as overreacting on the writer's part and worse, it's not terribly objective and horribly whiney.
(btw, as you read my sig, you'll say I'm just as bias and you're right. But I'm not whining am I?)
I just wasted your mod points! HA!
"Actually to be fair, you don't run as the administrator account in XP by default."
As others have noted, yes, you do. The main user you are asked to create when you setup a machine is an admin, and that is the account that most home users use.
dmiessler.com -- grep understanding knowledge
Meanwhile, we can already see what happens when Apple has a broadly popular product that cuts across platforms. The Apple iPod is the number one MP3 player, and now that its companion computer utility, iTunes, is available for both the Mac and the PC, it has become a hack target. In fact, Jon Lech Johansen, the same Norwegian who cracked the DVD security code, recently circumvented the iTunes music protection scheme.
An event like that occurring makes sense to me, since iTunes' popularity makes it a target worth hacking -- and whatever mystical Mac mojo there may be, it didn't go far in protecting a popular Apple product.Steve Jobs stated when the iTunes music store was announced that the DRM would be hacked. The point was to provide a DRM solution that was not restrictive to honest users. That was delivered.
His email address: Lance_Ulanoff@ziffdavis.com
His brief bio here
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
I could be wrong on this, but I believe home doesn't even ask you to set up a user. It just sets up Administrator as the default account, with no password. I should know for sure, but it's been 6 weeks or so since I did a Home install, but at any rate I think that's how it works.
"Windows Me offers tremendous reliability and stability improvements..." -- Paul Thurott
No power user account in XP home, either they can do everything (administrator) or nothing (user).
Jaysyn
There is a war going on for your mind.
AFAIK, Joe Blow can write to / on a new 10.2 install. This is madness.
/etc/hosts >> /hosts.txt
/dev/null to /bin/bash (or whatever). apparently somebody at apple actually thought about security BEFORE they shipped the product. evn if yo install any application, the best you can do is install it into ~/Applications. if you want to install it into /Applications, then it asks for a admin user AND a password. make shit up in chat rooms. not /.
then, apparently, you don't know jack. you absolutely cannot write to / unless you (and follow this carefully):
1) open up a terminal
2) type sudo
3) then type say: cat
4) type password
you my friend, are full of shit. now, if like me, you create another user, which i always run at, then i have to open the term, su to an admin user, then sudo. osx turns off root by default. to enable it, you have to go into net info, and specifically enable root, THEN, you have to change it's terminal from
My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
iTunes (2?) update that would rm -r your HD if it had a space in it. Also 10.2.8 gave me more kernal panics then I can count.
Actually, Power Users can do almost everything an Admin can do. They can't create Admin accounts, and they can install most programs. A nice reference table comparing accounts is at http://www.bc.edu/offices/help/meta-elements/doc/a rticles/html/SW-WinXPUserAccounts.shtml
Wrong. Windows is easier to write viruses for. You simply have to get someone to open an email message in Outlook, and a virus will automatically spread itself. If you wrote a virus for Mac OS (or linux, or any other OS), it would have to convince every person it was sent to, not only to open the email message but to intentionally run it. There's where the problem with Windows lies, and why no other OS is as virus-prone as Windows.
Mac OS X is not a secure OS, neither is windows or linux. A secure OS is one that is competently adminned with all services except the bare essentials disabled, all patches applied and is constantly auditted for holes.
"security is a process, not a product" - Bruce Schneier
So Mac OS X has security problems, so what? so does do linux and windows. Too bad for those two mac os certainly makes up with its superior gui and os design.
Anyone notice this?
Please, please, tell me that he's not trying to convince us of his "Apple cred" by noting that the last time he used a Mac in a serious capacity was ten years ago?
Dear Mr. Ulanoff,
I read your article about how serious security problems exists on the Mac platform just like Windows , and I must say that you are full of shit, to put it mildly. While some real or percieved security issues will always exist in all networked platforms. The share of these problems on the Windows platform is exponentially more than that of the Mac or Linux. I suspect this is primarily because of the fact that networking and hence "security" on windows are an after thought hack job which were added in mid to late nineties, after someone hammered the reality and importance of the internet through Bill Gates' thick skull. And also due the fact that MS drains quality out of good engineers as only MS seems to be able to do, hence the crap products!
Specifically about these issue, here are some points to remember, this "exploit" is only possible on Mac OS X if ALL of these are true:
1) In Directory Access, you check to enable NetInfo in the Services tab (Unchecked by default)
2) In Configure Netinfo you check "Attempt to connect using broadcast protocol" (Unchecked by default)
3) In Configure Netinfo you check "Attempt to connect using DHCP protocol" (Unchecked by default)
4) in Directory Access, LDAPv3 is enabled in the Services tab (Enabled by default)
5) In Directory Access LDAPv3 Configure, "Use DHCP-supplied LDAP Server" is enabled (Enabled by default)
6) A malicious person already is on your network.
7) The malicious person already controls your DHCP server.
ALL of these have to be true for there to be any problem whatsoever! While there may be reasons for some people to allow 1-5 to exists (To enable NoConf administration) but these people (Sys Admins) would know to make sure 6 and 7 are not possible. And if 6 and 7 happen you already have more serious problems unrelated to Mac OS X.
On other hand if you are a user/sysadmin who randomly enables random features and then allows the network and dhcp server to be compromised, you are are freaking idiot and deserve what is coming to you.
The reason it is quite "here" Mr. Ulanoff, is because you are trying to use your brain and there is no one home!
he said its S-T-A-B-L-E on good hardware, not secure.
I'm not sure your example of "installing" mozilla is substantively different than the way an ordinary user could "install" many peice of software in Linux, namely put them in your home directory and run. You only need root access if the program needs to run as a different user (esp. root) or to put it in a place like /usr/bin, because often users can't write there. It seems the only difference is that OS X lets you put this new software in with all the software installed by the admin. That's not good (because then there're indistiguishable to a cursory examination), but not so bad.
I would think a bigger question is whether you can modify or replace existing programs. It sounds like and answer is yes, and that IS bad news. Another question is, can you cause the program you've added to run automatically for other users (or by root at next boot)? I don't know. I haven't used OS X enough.
"You call it a new way of thinking; I call it regression to ignorance!" -- Operation Ivy
...or you could just turn off image downloads. Opera makes this incredibly easy, as does Mozilla or Firebird. If you turn off image downloads in your browser, not GET is sent for the image, and thus, no revenue is generated. Then you can feel free to GNU/Troll all you want on their forums.
Just to be picky: that sudo command won't work.
/etc/hosts >> /hosts.txt <ENTER>
/bin/sh <ENTER> /etc/hosts >> /hosts.txt <ENTER>
if you meant:
sudo cat
type password
Then this won't work, since the shell redirect is running in the shell of the non-admin user. However, if you meant:
sudo
type password
cat
Then it would work.
Bryan Chaffin from The Mac Observer goes into some of the points mentioned in the original article: The Back Page: PC Apologist Asks If We Mac Users Are Now Humble
One interesting point made is that those who say that Mac OS X suffers fewer security and virus problems than Windows only because there are fewer Mac users just don't have a leg to stand on.
Also, in the home version your local account does not have a password, and accounts without passwords are denied inbound network access.
But, if you download something, or receive an email with malicious code, it runs on the local machine - Denying inbound network access doesn't mean a whole lot.
Not to muddy the waters, but even if the root account is disabled, you can 'sudo su' which the prompt then tells you that you are indeed root.
"HAHAHAHAH!! Mac OS X isn't perfect! Duh, I'm so smart!"
Is this guy for real? How does a vulnerability which involves an attacker having to break into your home network (much less a corporate one), take over a machine and then set it up as a rogue DHCP server anywhere near equivalent to something like Blaster, which spread automatically, with no machine spoofing required? Honestly, if your network is so utterly open to attack that it's a trivial task to spoof a DHCP server, there are bigger problems than OS X's security flaw there.
The claim that Mac OS X would have more viruses if it was more popular holds some merit, but it says nothing about the lethality of those viruses. OS X has all sharing network services off by default, unlike Windows, shutting down a large avenue for virus propagation. Mail shows the entire file name of an attachment, preventing attackers from hiding extensions. Mail also does not automatically execute attachments. Furthermore, any application wishing to do anything as administrator has to ask for a password by default, and root is disabled by default. This is not the case in Windows, where tales of administrator accounts with blank passwords abound. While there may be more attempts at writing viruses for OS X if it was more popular, far fewer of them would actually reach the scale of damage that things like Blaster did. Windows is an ideal virus propagation platform not just because it's popular, but more importantly, because it's default setup is insecure as well.
The problem with Windows Services is more about the Architecture of the Services themselves. You go and turn off what you consider a useless, memory intensive service that you have no use for later find out that 1 tidbit of it has made 50 other Services interdependent on it and thus breaking the usefulness of your OS.
That design is dangerous for security reasons as well as being just a pain in the ass.
The notion of Services in OS X and Services within XP are not the same beast.
Exactly, it's actually the root account and not the user account that installs the programs. Think of it as a GUI version of sudo.
Windows has an equivalent, "Runas", so the same thing should be possible in theory. Unfortunately it's not set up that way by default and there are still a few programs that require admin-like priveledges. (not by nature mind you, just because of sloppy coders)
You can run a Windows machine as a "User" (aka restricted user), and use runas for installing programs. Almost everything works, but you have to muck with permissions on files and various things. (iow, it's a pain in the ass to set up, but if MS handled that it would work fine)
Control panel -> Administrative Tools -> services. easy as pie. That's not to say that the average windows user has a clue what a service is, let alone how to turn it off. The problem is that unnecessary services are on by default. But, hey, it's the age old compromise; out of the box simplicity vs. configurability.
Sure, unless you happen to turn off the RPC service, in which case the services panel will no longer work! Classic MS incestuous garbage; in order to use the GUI to enable/disable services you must have the (formerly horribly insecure) Remote Procedure Call service running!
Installing Mozilla and many other apps that do not require system file changes do not require root. Many basic apps are in .app bundles and do not have files beyond that.
/Applications folder does require a user that is in the admin group. A non-admin user cannot write files to /Applications. It does not require the additional step of actually logging in as root.
Basic application install into home directories obviously do not require more than the user's permissions.
Installing to the
Installing files that are owned and controlled only by root (system files, etc), require a sudo login (ie. root uid execution).
The default *nix permissions used on MacOS X are pretty decent.
One of the keys to the permissions though is not that anyone can install an app (ie to their home directory), but that if they did, when they run the app, their user (and this apps they run) still doesn't have any ability to damage the system.
-Alex
Um. As an administrator user, yes,
echo "foo" > /bar
works. What happens if I try to modify any meaningful directory, though?
dhcp150% echo "foo" >zsh: permission denied:
dhcp150% echo "foo" >
zsh: permission denied:
dhcp150% echo "foo" >
zsh: permission denied:
dhcp150% echo "foo" >
zsh: permission denied:
Furthermore, your original test case appears to only work for an administrator. (People seem to forget that "administrator" is a separate concept from "root user" under OS X.) Create a standard user and try to create a file in the / directory; at least on my 10.3 system, it gets a "permission denied" error.
I'm not convinced you've made an airtight case against any "seasoned administrator" ever letting OS X into production.
You can still do everything that root can do, and as McDutchie said, it's a graphical sudo.
/etc /var or other BSD directories by default, and you cannot write to them as an administrator unless you go into command line. The core OS is protected, and even a sudo user does not have root privs.
:)
Oh no you can't!
You cannot see the
Do a 'man sudo' or look at the code. sudo is not the same as root...it is very far from it.
And, his description of a hack is via a CLI, not a GUI. I would be very impressed if someone could hack the GUI install arbitrarily to gain access to a CLI and inherit the sudo privs from the installer.
Essentially, you'd have to have the new terminal process inherit the privs from a GUI process. Now that I've got to see!
How does a default setting regarding a specific directory's permissions plus the fact it doesn't use /etc/passwd make it "unfit for production"?
/etc. That's just how it works. It uses the NetInfo database. This is one of the few actually well-documented parts of OS X. /etc is a vestigial limb, it's a dummy file which is involved in startup but it is not actually used for real user info. It's used in single user mode because single user mode is an emergency startup mode used for debugging, and NetInfo doesn't launch in this mode unless you launch it, because part of the single user mode's hypothetical purpose is to debug problems with NetInfo!
OS X doesn't use
You might as well call Linux unfit for production because you can do some potentially nasty security-related things in some versions of Lilo.
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
Possibly the drag and drop installs have everything the application needs in the app package. If it installs anything in the library or system folder, that might be when you need admin access. Just a guess...
"This is you left and that's your left. This is your right and that's your right. You're gonna die!
Sorry, but all 10.2.x boxes come with LDAP off and NetInfo on. All 10.3.x boxes come with LDAP on and NetInfo off. If these aren't the settings, then someone has changed them.
Yes, that's all boxes. I've seen and tested every version. My job is boring.
There are two types of people in the world: Those who crave closure
Dear Mr. Ulanoff,
/. and so seen by thousands) this paper shows up:
S X_ Shellcode_Assembly.pdf
/., not some backwater usenet), anyone could attack MacOSX boxes, *if* a vulnerability is discovered in it or in its running services.
I am writing to you just to send you a couple of informative references on general computer security. I promise to stick to the basics, and I am sure you will dig deeper if interested.
One of the basics of remote exploits is the ability to -once a remote vulnerability is discovered-, send malicious code snippets that get executed with privileges on the target computer. For instance, they might be sent exploiting a buffer overflow bug or a flawed service left running on an open port.
This is well known in the MS Windows world and even Linux, as they commonly share the same underlying hardware architecture (namely x86). There is plenty of information on how to build such malicious code snippets (basically anyone knowledgeable in x86 assembler can do it) as well as pre-built apps and scripts to send them. This is well known. It is also well known that a vulnerability must be present for the code to be able to be executed at all.
It is a common myth that -by following this logic-, other platforms that are less used, like for example MacOSX (subject of a security article of your own), are more secure because technical knowledge about them is less common (eg. PPC assembler language) and are not so commonly used. One might think the malicious code needs to be built by real gurus, few in number, that have no interest in doing that.
*However*, doing a trivial search on Google (also published on
http://www.securiteam.com/securityreviews/PPC_O
Is a no-nonsense compilation of MacOSX PPC malicious payloads and the rationale behind them. After copy-pasting from it, anyone can do remote attacks on MacOSX, *provided* a vulnerability is actually found. No vulnerability, no attack. The paper requires a low level of technical knowledge and actually has little merit (apart from being somewhat clear and concise).
So, using information freely available, easily found, in common knowledge (published on
So it *cannot* be possibly said that MacOSX achieves its high level of security by obscurity. It accomplishes it by *design*.
It is really sad that the old argument of 'security by obscurity' is being raised over and over. Read that paper.
Mr. Ulanoff, I promised you two links and I have provided only one. The other is not actually a link but a reference. Just walk to your nearest technical bookstore or Computer Science library, look for the PPC assembly and architecture books that have been publicily available for years. My cheapo college library has them, yours surely has.
I am looking forward to further informed security articles by you. Please do not hesitate to mail me should you need further references on this or any other technical question.
Best regards,
xxxxxxx
Exactly, it's actually the root account and not the user account that installs the programs.
Well, it depends on how it's set up. If you're making a package, you can determine if you want to require no authorization (as current user), admin, or root. It then installs as the user you authorized as.
I changed the root password to be different from the admin password for our computers at work, and I haven't had any problems installing anything (except flexlm, but I do that via a clui anyway).
"Giving money and power to government is like giving whiskey and car keys to teenage boys" P. J. O'Rourke
I'm a sysadmin and I'm not confused.
You seem to be confusing (or confounding) file-system permissions with the security API and sudo.
Sudo is a relative newcomer to the unix toolbox that provides a path to root access without needing a root password. It's configuration is controlled by the sudoers file. Sudo accomplishes its function by being a set-uid-root program. The sudoers file has no influence beyond sudo.
Apple's security API is another path to root access that allows one to perform root functions without a root password. If the security API does not grant you access, security is still enforced.
The kernel is the guy responsible for enforcing security at all times and nothing in userland can bypass the kernel security. The two systems above grant access by setting your effective user ID to zero, which tells the kernel that that process is allowed to do (nearly) anything.
When you say Apple's Security API doesn't recognize file system permissions, I'm not sure you understand what you're talking about, because it's the kernel's responsibility to enforce security, and it does. Apple's security IS Unix security. What you described in your "bug-report" isn't a bug, but rather a misunderstanding on your part of how Unix security works.