Slashdot Mirror
PC Mag - Mac OS X Insecure
Suki writes "In this recent story a PC Mag writer concludes that "Panther and Jaguar were not better at outrunning vulnerabilities than Windows" and as my personal fav. ends by asking "How cocky are you feeling now, Mac elite? Hmm. Suddenly it's gotten pretty quiet around here." The article discusses many previous Windows security holes against a recent Mac OS X security flaw."
He raises good points (I actually read the article), but one thing that OSX will always have over current versions of Windows, however, is the fact that in OSX you don't run as root/admin by default when you start off or create new users.
Until this is fixed, the same attacks will be much more effective against Windows users just because of the rights the current user has on the box.
dmiessler.com -- grep understanding knowledge
and a known patch is on the way. it's a very easy vulnerability to avoid. there's no virus yet...
was it worth the rant, or has he just been waiting a long time to make it?
Creationists are a lot like zombies. Slow, but powerful and numerous. And they all want to eat our brains.
He's basically saying that since there was one widely-reported Mac security hole, Macs are as insecure as Windows? Odd comparison.
Mind you, I'm not too overwhelmed with his research; if he'd been paying attention, he'd have caught the SSH vulnerability the other month. It's not like Macs have been immune, and nobody with any clue claims they are.
What you can claim accurately is that Apple fixes holes promptly and fairly quickly, and that the MacOS X architecture does not have flaws which result in two or three active IE holes in the wild right now.
Apple isn't perfect, they're just pretty good. Microsoft isn't evil, they're just not as good as they should be. It's perfectly reasonable to use those two facts in making one's security decisions.
It's pretty sad when Windows-users feel they have to start defending themselves by pointing out that other operating systems are vulnerable too. The last paragraph pretty much says all in that regard...
But the mindlessly superior retort is always the same, "No, it's because the Apple OS does not have the same holes as Windows. OS X is just a better operating system."
Whatever. All OSes have their inherent problems, but next month, when Microsoft racks up another suit of deathly insecure vulnerabilities, OS X will probably be fixed and free from defects for another couple of months.
I'm not a Mac fanatic, but it's because OS X is based on Unix, and Unix is more elegant in its design that gives OS X its better security.
Ruby on Rails Screencast
Mac OS X gets one flaw and it's suddenly on par with the truckload of Windows security problems? What a funny little man...
.. This article was nothing more than +1 Flamebait. The author sounds like a little boy who finally gets to say "I told you so! I told you so!" when there really isn't anything to be told. All OSs have undiscovered holes and problems. The key is how fast the vendor deals with the problem.
Trolling is a art,
First, let's get the obvious stuff out of the way. THIS VULNERABILITY IS NOT ON BY DEFAULT ON OSX! You have to go into an obscure app (Directory Access) that most users don't know about, and turn on an option that most users don't need, in order to be vulnerable. Also, this vulnerability was never exploited.
How can this idiot compare that to the hundreds of millions of computers ACTUALLY INFECTED by Windows vulnerabilities like Nimda, Code Red, Melissa, Klez, Sobig.f, and thousands of others? Using Windows is like buying random illegal drugs on the street to treat a headache.
The MacOS is not without its flaws, but Windows is the swiss cheese of the secure computing world. It's very telling that the author didn't allow for any feedback or provide his email address.
- Vincit qui patitur.
sigh. this argument gets old. unix is designed to be more secure than windows. not only that, but it IS more secure than windows. no amount of screensaver errors, cocoa text field overflows, or netinfo exploits will change this. the day windows is more secure than mac os x is the day i can get by without ever needing the root (Administrator) account with access to everything. yes. everything. install apps, install libraries, use current apps, develop apps (with the exception of kernel code but this needs root no matter what OS).
- tristan
Typical Windows User: Stupid virus, now I've got to use my restore disks. Stupid popups, I only want to look at the porn I ask for. Stupid spyware, I can't believe adaware only found 26 new spyware programs today.
Typical Mac User: Stupid virus, my computer is fine, but my ISP is down. Stupid popups, oops forgot to check the option in Safari, okay better now. Stupid spyware, it made me hit cancel when it tried to install itself.
Now understand I'm talking about the standard consumer, of course there are many of us that can keep the windows problems at bay.
> a recent OS X security flaw
That's the significant word, I think. A single one
They will never know the simple pleasure of a monkey knife fight
- Number of Macs reported/suspected to be cracked by recent vulnerabilities: ZERO
- Number of Windows PCs known to be cracked by recent vulnerabilities: MILLIONS
So... I'm feeling pretty damn cocky, thanks for asking.I've been a Mac user for four years now, but I still regularly use Windows and occasionally Linux. To me, Mr. Ulanoff seems to embody the worst type of Mac user - the cynical ex-user. All the Mac users I've talked to aren't snobby or "elite" but almost every single ex-mac user is. It's almost like they were upset that they had to leave MacOS and now all they do is spit insults at anyone who thinks that Macs are cool.
I feel bad for anyone who feels the need to put a group of users down simply due to their choice in tools. That goes for the "Mac elite" that Mr. Ulanoff has to deal with as well.
I understand that a lot of you here on Slashdot are new to the Mac (since OS X) but those of us who have been on Macs for longer recognize this type of junk tech writing for exactly what it is: an attempt to stir the shit and increase readership. It's probably easier to sell advertising on your site or magazine if you can create just the right anti-Mac tempest in a teapot and sell a few more copies or increase your web site hits. This tactic used to run under the headline "Apple going out of business" or "Apple to close up." Now that's mutated into a "critique" of security or speed claims or whatever. Sadly, there is a fraction of Mac users out there who are still willing to take this bait and play into the game. I'm not even looking at the article. Been there, done that. I recommend that you stare out the window and observe the slow but steady growth of the grass outside--that would be far more productive that playing into this kind of shameless, professional trolling masquerading as tech reporting.
--Rick "If it isn't broken, take it apart and find out why."
Wrong. There is something to be said for how security is considered in the design of an OS. For Windows, it wasn't much of a consideration, which contributed heavily to why there have been so many systemic vulnerabilities.
The system was designed to be user-friendly, not secure. They got their market-share because of that fact. I think it is much easier to make a secure system user-friendly than to make a user-friendly system secure. Microsoft is finding that out as well. You reap what you sow.
My beliefs do not require that you agree with them.
Notes From Under *nix: blas.phemo.us
Then you can go here to discuss what a steaming load this "commentary" is. Oh, my gosh. Someone who already has access to your network can put a malicious machine on it that will lead to your Mac being owned when it reboots. That's so freakin' simple. Not like those astonishingly difficult Windows attacks of sending emails, setting up websites and/or having users download spyware. The sky is obviously falling. AAAAAHHHHHHH!
Mac OSX has a bad set of settings. Yep, that happens. That is a bug. Likewise, there were other bugs on OSX that were actually just as bad if not worse (they use a lot of OSS and they will have the same faults as the OSS world does).
The real problem is that Mac OSX (and most other systems) have a fundementally sound architecture, while none of the the current Windows do. I suspect that Longhorn is taking a long time to get around these huge design holes, but the current ones have them and there is nothing that can really stop these. In fact, MS has confirmed it numerous times in gov. and court hearings.
So yes, the *nix based system will continue to have holes (in fact what system does not), but they have a much more sound design from the ground up. Hopefully, Longhorn will as well.
I prefer the "u" in honour as it seems to be missing these days.
Personally I would not have made that choice, but at least there was check box to turn off the default DNS trust. If only windows came with checkboxes to remove its bugs. And I dont mean like checkboxes that say "turn off scripting and cripple my browser please".
In fact mac has not even fixed the so-called hole because its not neccessarily a mistake.
In any case the SSH vulnerability, and the screen-locker vulnerability were in fact true holes created by mistakes. These are what should be scrutinized. But these did not lead to widesperead network worms at least. they did not arrise out of a insecure by desing attitude that pervades all the Active-X philosopy, the power-user-by-default philosophy, the standards crushing embrace-and-extend, the optional log-in password philosophy, or the add features rather than fix bugs philosophy that rightfully inspires all the anti-windows zealotry.
Some drink at the fountain of knowledge. Others just gargle.
Apache killed it. Apache runs 70% of the web. IIS receives 90% of the attacks and hacks.
Claiming that OS X sufers fewer hacks because it's a smaller market is a post hoc fallacy.
You can tell a great deal about the character of a man by observing those who hate him.
If you have to change your configuration from the default in order to have a secure system, then you have a security hole. Most of the really big microsoft security hacks are things just like this - the system is configured open by default when it should be configured closed by default.
The rationale for configuring the system this way is that it's easier to administer - you just plug it in and it starts working. This is why Microsoft used to configure the system insecure by default. This is why Apple is still configuring the system insecure by default. But part of what you're plugging in, with no authentication at all, is your authentication system. So if the thing that tells you what authentication system to use lies, you're hosed.
This is less severe than the recent Microsoft bugs because the attack is hard to do from the outside of a firewall. So probably Apple is not going to get the kind of bad publicity for this security hole that Microsoft has gotten for, e.g., the Blaster worm. But this is actually a much worse security hole, in a sense, because there is no Software Update coming down the pike that fixes it - Apple has, so far, taken the position that this is a feature, not a bug.
Because the number of people who run software update automatically is much higher than the number of people who pay attention to security alerts and do what is recommended in them, this particular security hole is going to remain on pretty much every MacOS X install in existence. So I can see why the guy from the PC magazine is acting all smug.
The right thing would be for Apple to fix this, but I don't see them doing it - there's no way to secure the DHCP transaction, and there's no way to secure the LDAP transactions either. I hope there's someone in a back room at Apple working on closing this gap, but they've been silent on the issue so far, other than maintaining that because it's a configuration thing, it's not a problem.
If we suddenly had a way to make perfect copies of objects as big as, say, cars, I imagine that thousands of shiny red Mustang convertible clones would instantly appear on the road. Most of us would find that wrong.
What? What? What? Being able to make perfect copies of objects the size of cars would, I think, be the greatest moment in the history of humanity! Hello!?! The end of hunger? The end of want? The end of shortages of essential, life-saving medicines? Barrels of clean water for the third world? Bueller? Bueller?
If we were in a position to do this (and how would it be *stealing* anything, anyway? The original is still in possession of the owner, so - guh! - it's copyright infringement at best ;), then I think IP rights would be the last thing on anybody's mind, because *the capitalist system would be instantly destroyed*! Frankly, I'd welcome that. Capitalism may be the best of a bad bunch of socio-economic systems right now, but if something demonstrably better shows up, most people would take it in an instant.
Although maybe it's possible that he just really, *really* hates Mustangs.
The guy's an idiot. Even ignoring a ridiculous brain-dead analogy like replicated Mustangs, the fact he can compare OS X's few security holes (and I don't even *use* OS X - I'm no fan) to the gaping net that is Windows shows he must be blowing somebody to keep writing this garbage...
You must think in Russian.
You forgot one important thing - you must also reboot. If you don't reboot your Netinfo daemon doesn 't pick up the new information supplied by the poisoned DHCP server. So the attacker must also trick you into restarting your computer.
In short, yes this is a potential exploit but an extremely unlikely one. By the time the attacker does all of these things he probably would have been better off just walking over to your computer and stealing it from you.
Sapere aude!
OSX has the out of box simplicity edge while still having all these services off?
"There is more worth loving than we have strength to love." - Brian Jay Stanley
"If the Macintosh OS ever became dominant, the tables would turn, and there would be just as many reports of viruses, security holes, and attacks on it as we currently have with Windows."
Apparently the author thinks that it is impossible for the dominant OS, whatever that may be, to be more secure than Windows. He belives that a products percentage of proliferation in the marketplace determines its security. Not the programming.
He's saying that UNIX based operating systems with as much exposure as Windows will be subject to as many vulnerabilities and exploits as Windows is. He thinks it is not possible for an operating system to be made more secure and less vulnerable.
In effect, what he is saying is that Windows is the best the human race can do. This is it. This is the culmination of our species ability to write software. No operating system can ever improve on the constant barrage of patches and updates that must be done to keep Windows safe.
Obviously, while humans can not ever write flawless code, I certainly hope for our sake someone somewhere can do it better than Microsoft. If that someone is Apple, great. If it's a Linux distro, that's fine, too. But I am certainly going to hold on to the belief that there exists the possibility that an OS can be as dominant as Windows without being as insecure. Otherwise, we don't have much to look forward to in the realm of computing, do we?
Unix is more elegant, but the fact that it grew up together with the Internet as a networked OS. This was not an afterthought. Neither was multiple users and security. When you work with something long enough, it becomes second nature and solid and secure. How did Windows start out? Single user. No Internet. No concept of services/daemons. You machine was its own little island. It was all about the single user GUI in the office to do one task.
And anyway, if XP is so secure, why are they scrapping it for a complete new rewrite - again? It's because it can't be fixed and it has more security leaks than a seive. Microsoft has tried and tried to reshape the Internet into what they want it to be and, thank god, it's failing. And in a way so stupendous that now those that get sacked regularly gotta go off and complain about it. Well boo hoo to them. I've never experienced a virus or worm on OS X or Linux/Unix and I don't suppose I will be anytime soon. There's a reason for that and m$ still doesn't get it.
I'll admit, right away, that I'm a Mac user. Then again, I'm also a Windows user, Linux user, SunOS user, etc. I'm really not *that* platform dependant. I guess I really don't understand the reasoning behind arguing over an OS. The argument is rather petty if you are not doing anything to improve upon the security of the operating system you favor. No OS is perfect, and no OS is totally secure.
I did find a few problems with the article (beside the fact that the author was bashing mac users who bash windows users...circular logic, anyone?). The author claimed that due to the fact that DVD Jon cracked quicktime encryption of ACC streams (used by the iTunes Music Store) doesn't mean it's going to bring either the MacOS or Windows to its knees. It's a f**king MP3 player for Chrissakes. Sure, vulnerability that could circumvent OS security might exist within iTunes, but the specific nature of DVD Jon's crack has nothing to do with OS security.
The author made this claim about the cross-platform iTunes "exploit" while failing to mention anything at all about Macros, and the possible for viruses that accompany them. To me, it seems that the author was grasping at straws without having any concrete evidence to back up his claims.
Whenever I read an article from one side of the OS wars bashing the other side, I tend to think that the author was in danger of missing his deadline and needed to come up with something in a hurry. Why does this issue never get old? Perhaps we should think about ways to make our OS of choice more secure rather than bashing others' flaws.
AgentOJ
This means anyone can walk up to your machine and boot it into single user mode and completely root you.
oh my god you mean someone with physical access could also somehow DNS spoof net info and get root access. Oh my alert the media.
The point is where one draw the line between ease of intergration versus security becomes cloudy once one gets to the point of requiring physical access to engage in a hack. The ONLY thing that I see distinguishing these analogous root attacks is that most people are aware of the single-user boot attack and though it was well documented the DNS attack was not well known and thus could have surprised a lot of people.
Fixing this now presents apple with a dilema. Consider that happens if they were to issue a security update that went around and turned off this feature. Suddenly all networks that had actually been using it suddenly stop working and some sysadmin has to figure out why then reconfigure every machine to turn it back on.
Thus you can see why they have not rushed to change the default. But one assumes that they will ship NEW os's and new computers with it turned off in the future.
this choice for easy configuration assuming the local network can be trusted dates back to the time of NFS. And NFS is still presents almost exactly the same potential security hole (if you remote NFS mount your home directory you just pulled your pants down, grabbed your ankles, and said "ah" if I can jack onto your network. ). NFS has not fixed this problem yet either cause doing so would break a lot of networks.
Some drink at the fountain of knowledge. Others just gargle.
I have a router now - see, I can learn :)
Some people tell me I should set up an old PC to run Linux and configure that as a router, but they don't seem to understand that:
* That requires significant effort on my part
* My router is small (paperback book size)
* It doesn't make loads of noise and consume loads of power.
* When I occasionally get problems with my connection (about once every 2 months), whatever the problem, it's usually solved by toggling the router power switch, and takes a few seconds.
But you can't tell some people...
How many Safari-related security problems have you seen reported? Compared to Internet Explorer?
.ASP or whatever - it's still VB)
How many ActiveX-related security problems have you seen on OS X?
How many scripting, or RPC, or buffer overrun-related problems have you seen on OS X?
Have you ever seen any AppleScript-related security problems like the VB-related ones on Windows? (you can call it macros, Windows Scripting Host,
Most of the problems I've seen on OS X thus far are problems in the open source pieces that affect that product across the industry, including distros in Linux. This is one of the few security flaws that is _native_ to OS X - I can't even remember the last one I've seen. And it does require you to go through plenty of hoops - having control over the local DHCP server, for instance.
Yes - we're going to see security problems with OS X. But not ridiculously stupid ones that could have easily been prevented like we've seen on Windows... I think it's silly to even put them in the same league with each other.