PC Mag - Mac OS X Insecure
Suki writes "In this recent story a PC Mag writer concludes that "Panther and Jaguar were not better at outrunning vulnerabilities than Windows" and as my personal fav. ends by asking "How cocky are you feeling now, Mac elite? Hmm. Suddenly it's gotten pretty quiet around here." The article discusses many previous Windows security holes against a recent Mac OS X security flaw."
The hole he's referring to requires some particular circumstances before it's even viable.
The attacker must:
Be on your local network
Already have control of your DHCP server
If both of the above are true, you already have much more serious problems.
While I agree that remote root/admin is bad juju, in this case it's hardly equivalent to the Windows remote admin exploits to which he's comparing it.
I have been trying to say this exact statement forever to the Linux community.
-----
I was tired of the "We use Macs because they don't get attacked by viruses and hackers" refrain from Mac nuts.
I generally counter with what is apparently a secret carefully hidden from Mac zealots: "That's because only a fraction of the world uses Macs. What's the point of attacking a niche market? No one will notice!"
----
I think we have to remember as he is only talking about OSX, everything he is saying also applies towards Linux... It is about time we recognized this, and start making changes in the Kernel to secure the OS, instead of adding value add features that only a small part of the population will ever use.
So an attacker who can gain access to your network -- over a wired connection or wirelessly -- can trick an affected system into trusting a rogue machine, and when the compromised machine reboots, take it over and even attack other systems on the network.
So, a guy has to get on my network, set up another machine as a trusted server, wait for me to reboot, and then...? Is this a fair comparison to email viruses, etc...?
My cube's been up for 90 days. I plan to take it down and upgrade it eventually. Does this mean I'm going to be vulnerable?
Whatever.
-- The world is watching America, and America is watching TV.
Vulnerabilities happen in any system. No software is perfect. The question would be which OS has more significant security vulnerabilities. A factual comparison of the numbers here is far preferred to a fanatical appeal to emotion. I found the article to be slanted somewhat.
Excellent comments. Please post them in our forum:
http://discuss.pcmag.com/pcmag/start/?msg=32413
-----Original Message-----
From: ***
Sent: Thursday, December 11, 2003 10:24 AM
To: Ulanoff, Lance
Subject: Eureka
Hello.
in your piece at http://www.pcmag.com/article2/0,4149,1408953,00.a
you have this to say in conclusion:
Ultimately, those on the Mac fringe have to face facts: Panther and Jaguar were not better at outrunning vulnerabilities than Windows. I expect other gaps will emerge, and while the Mac OS may still draw far fewer attacks, this discovery might suck a little wind (or is it Windows?) out of Mac radicals' sails. They can scarcely claim this was a minor hole. OS root access is serious stuff. How cocky are you feeling now, Mac elite? Hmm. Suddenly it's gotten pretty quiet around here.
So, that's all it takes for you? One potentially serious loophole in an
OS to declare it "no better at outrunning vulnerabilities than
windows"?
Have you recently counted the number of Cert advisory reports that have
come out for XP? Last I checked, more than a month ago, it was in the
40-some range. For XP alone. This year only. For the past few weeks,
those reports have come in bundles of 3-to-5 at a time. Nearly every
other week.
While gaining root access is serious on a Unix machine, you also need
to point out the fact that to be able to gain access to this loophole,
you absolutely need to be on the same subnet as the compromised
computer. Therefore shielding 60%-some percent of home Mac installation
(as those connect to the internet through some phone connection like
PPP) and a great deal (don't have numbers) of the remaining 40% still
not at risk, provided their Cable or ISDN, [A]DSL ISPs have done their
work properly.
It's not like one could attack the entire machine simply by sending an
email containing some VBL script. Right?
Of course I'm a Mac head. And I'm still as cocky as I've been since
roughly 1988. Because every time I see those IT folks around here
struggling to keep the company running when the next wave of Win
trouble appears, I'll be smiling at my desk, uninterrupted, and
occasionally offering to help (okay... I'm just pointing them to some
Linux site or Apple.com... but hey... I seriously believe that would
help them).
Keep us entertained.
Have a good day.
Not quite true. Of course it is technically, but to develop applications which typically live in kernel space in most operating systems, say device drivers, you don't necessarily need root. On a GNU system (with its native kernel, the Hurd, not Linux) you don't need root for this. Only to change the microkernel you would need root, but the idea of using a microkernel is that it hardly ever needs to be changed.
12.10.2003
Internet Explorer Spoofing Vulnerability Found
12.10.2003
Security Experts Warn of New Way to Attack Windows
This same "exploit" Apple claims is normal. One "exploit" will not make Mac users eat crow. Let's see some real OS X viruses and Apple having to release so many patches that it moves to a monthly bug release program first.
"The objective of securing the safety of Americans from crime and terror has been achieved." -- John Ashcroft
What you can claim accurately is that Apple fixes holes promptly and fairly quickly, and that the MacOS X architecture does not have flaws which result in two or three active IE holes in the wild right now.
The other thing that you can claim is that Apple appears to perform more thorough testing of their security patches. I have been using OS X since beta and I have yet to have applied a patch that has caused any real pain. Windows on the other hand......Well, I cannot count the wasted hours I have spent either rolling back an update or scrubbing the hard drive clean and doing a reinstall due to Windows either seriously corrupting things or even worse, outright killing a machine. In fact, at our lab it was a W2k security update that killed a machine dead that was responsible for us replacing all of our W2k systems with 17in iMacs running OS X. I simply got tired of the grief associated with maintaining a Windows computer. We use our systems to get work done, not to goof around with maintaining Windows.
Visit Jonesblog and say hello.
You are right, Macs are just as susceptible to poor coding as Windows is, but I think the difference is patching.
I've patched a friend's windows box, and it isn't fun. Mac is really damn easy, plus there is the incentive that Apple generally sends us goodies down the pipe every once and awhile.
Oy linux, though, pain in the arse. ~_^
forget it.
You can find a better article about the OS X vs. Windows with respect to viruses here.
I have never been able to shake my perception of PC Magazine/ZD as just a shill for their biggest advertisers. Just ask yourself: Who butters their bread?
Is being secure the same as security? Let us take a look and see. Starting out let us compare raw numbers.
Building A has one broken window, that is kind of small and can only be breached if you can get past the outer gate (with its own security), and have the right (specialized) equipment.
Building B has many broken windows, and windows break as fast as they fix them. Many of the broken windows can be breached from down the street. The latest broken window could allow anyone to imitate building C, and only when you have entered the building do you realize that you have been duped into entering Goat's house of cx.
Which building is more secure?
The issue is that security is offered in LEVELS. No place is 100% secure, however some places offer much higher levels of security, providing a safer place to be.
So which building is more secure?
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
Security is only as good as how often the users patch.
The focus on patch management starts becoming embarrassing. Not too long ago, the mantra was, "Security is only as good as how often you update your antivirus scanner", or "Security is only as good as your firewall".
It's sad that so few people realize that patch management is part of the problem, and not a solution. It's only a question of time that the patching process fails in a blatantly obvious way (in part it already did for Slammer and the Blasters, but you could blame the users, so few people questioned the basic idea).
Don't get me wrong, being alert about patches (and applying them when necessary) is a good thing, but the current fuzz about it is beginning to blind users and admins. Patching is not the final answer to our security problems, just a workaround that appears to work (mostly from a software vendor perspective, it's a nice way of shifting responsibility).
In reality, I doubt there are many serious Mac users who ACTUALLY BELIEVE that the Mac OS is infallible. Now, someone who just bought a Mac because "Macs are cool, and totally safe and stuff" might have just gotten the dose of reality he sought to dispense. As for the rest of us, who had no such pretensions: big whoop. Warts and all, I'll agree that the Mac OS is superior to Windows, but would like to believe I know too much to have a false sense of security.
i don't think that is entirely true. i know lots of kids who used to write virii, and they wrote them for microsoft machines because that was the machine that they had. these would also be the same people that would defend the IBM/Micro$oft machine to the death in a windows/mac debate, but that was the platform they had. mostly, i guess, is that they didn't want to even bother with mac users.
I see Windows, I see Mac. I see Linux on the rack.
I take issue with your statement that Unix design is more elegant. I feel that NT is a wonderful, modern, design, with inherently more built-in security features than BSD or Linux variants.
Microsoft's security troubles are caused by weak security practices carried over from Win 3.1 and 95 to support legacy apps that were not designed to support security. Those weak practices combined with a useful, widely used, interprocess mechanism (COM, which BSD and Linux have no equivalent), are responsible for the vast majority of security issues under Windows.
Actually, this is one of the more mind-bogglingly stupid articles from a Windows apologist I've read in a long time. It's even worse than most Slashdot wintrolls.
For the record, I'm not a Mac user and my few attempts at using it ended in annoyance and frustration. It does not, however, take a genius to recognize the logical leaps inherent in the author's petulant outburst.
To wit:
1) A single flaw does not compare to the egregious history of security problems on Windows.
2) The conjecture that if Mac OS were more used than Windows, it would have the same vulnerability rate is just that, conjecture, and it is unsupported in the article.
3) The iTunes/iPod "hack" is not comparable to an operating system compromise. It is a compromise of a digital restrictions management (DRM) system. DRM systems are known to be inherently vulnerable and practically insecurable. Nobody but deluded content industry executives expect DRM systems to have any more than brief protection. Also, once broken, they can't be fixed.
4) The swipes at Mac "zealots" are irrelevant ad hominems
5) The complaint about the complexity of MacOS X is silly. All software is complex. Some is just done worse than other.
There's nothing here to see.
no point in generating revenue for them to produce more pap like this character's "analysis".
If English was good enough for Jesus, it's good enough for everyone else.
ALL operating systems are insecure. No exceptions. It is the responsibility of the OS vendor to find, fix and release patches for vulnerabilities. It is the responsibility of the user to apply those patches and secure his box. The issue here is not that OS X has a vulnerability. The issue is that Windows has a larger installed base and thus being a more lucrative target has MORE of its vulnerabilities exploited. MS is consistently late releasing fixes and then once the fixes are released, the sheer installed base of windows works against it. Around 80-87% of US internet users are on dial up. Most likely 90% of dial up users use Windows. A clean WinXP install requires over 128MB of downloaded patches. Exactly how many dialup users will ever patch their systems? MS owes its users at a minimum a monthly CD of patches in the mail at NO charge if it wants to be a responsible internet neighbor. That alone would remove the most common reason why MS systems are so vulnerable.
it seems far more constructive to discuss the merits here (which I am sure he will read)...
Heehee, (giggle), that was a good one.
Get real. This guy's job is to generate ad revenue by bringing in eyeballs. Writing an inflammatory article does just that. Having done so, he goes home. He doesn't give a shit whether he's right or wrong, and he certainly won't be following up the "community's" response. He will laugh all the way to the bank, however.
Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
I take issue with your statement that Unix design is more elegant. I feel that NT is a wonderful, modern, design, with inherently more built-in security features than BSD or Linux variants.
Unix is a 35 year-old design that has stood the test of time _because_ of its elegance. It's based on 6 commands (open, close, read, write, fork and exec), takes an "everything's a file" approach, and relies heavily on small, reusable components that are easier to fix and isolate than large monolithic code. The complexity of Unix lies in the mixing of those simple pieces.
Think of it as the difference between Playdough (Windows) and Lego (Unix). Windows is like a big lump of playdough. Sure it's pliable in the beginning, but over time it hardens into a big, unusable clump that needs to be tossed (reloaded). Unix on the other hand is like legos. Its modular design lends itself to be mixed and matched into unlimited configurations.
When it comes to security, it's easier for coders to get their brains around smaller, more manageable code. Windows is so big and unwieldy, they're going to have to do a fourth rewrite if they ever hope to build something that's even close to being secure. Why else has Microsoft been promising security for almost two years since they announced "Trustworthy Computing" and yet they're worse off than they've ever been.
Like I said in the original post, next month we'll see a whole slew of major new problems with Windows, and Mac and the other Unix variants will probably be free from any major known flaws. Just like we have for years.
Ruby on Rails Screencast
I have never seen someone get so seriously bent over such flawed logic.
There are several things to consider:
While complexity may provide an opening for flaws, it does not automatically mean the code is flawed if it is complex. People who care that their code is used ( Apple Engineers) can surmount the problems that complexity poses.
MacOS X is complex because it DOES MORE. Samba,NFS, CUPS, X11, SSH, shells... and is INFINITELY more configurable.
XP et al. is complex because it does marketing and because it attempts to deliberately obscure configurability and portability of code. These are essentially arbitrary complexities that are in direct conflict with good code practices.
Just do what you do best
Arnold "Red" Auerbach.
Sorry, but i'm on a W2k machine here at work.
Just checked Start -> Control Panels -> --------
i have no Service control panel.
If this mythical beast is not located in the Control panels where mere mortals live - wherefore art those average users who could find it?
(after 3 minutes of looking around, and because i (conned) the guys at work to give me Admin privs on this machine (99% users here do not) - i found the gizmo under the Administrative Tools applications folder under the start menu.. AFTER i "turned on" that folder in my start menu - for clarity)
if that's "easy to use, checkbox for all services" i'm Paris Hilton.
guns kill people like spoons make Rosie O'Donnell fat.
When I went from OS 9 to OS X, I knew that I was giving up a large amount of security to get a *nix base and loads of features never before seen in a Mac "OS". I think that was well worth it.
What else that has definitely made it worth the move is that Apple has been very fast, IMHO, in offering patches for security holes (note: the recent cookie vulnerability).
There are dozens, maybe hundreds of more holes in Windows and we all know that many of them will never be fixed.
At least Apple acknowledges security holes and makes effort to fix them.
-A
There are some computer systems that simply don't need net access, but have it anyway just because in 2003 it's the norm to have some box in the chain that does.
If they really wanted to make systems safe they can isolate any machine that does not need to be networked, and there are lots of machines and job functions that don't need to be. But we've all forgotten the not so distant past, when no one had a net connection. Remember the cheapest network protocol? SneakerNet!
Still, the Windows folk must be pretty desperate if they are seizing upon one outdated configuration default as equivalent to the dozens of Windows flaws, emerging at a rate of about one a month, most of which are exploited by known and destructive worms.
I don't think you stress the password thing enough - a mac administrative user can't wipe the system clean without knowing the password, while a windows admin can.
You may not think that's a big deal, but I've seen some good hacking done via console usurpation -
root is installing software and gets phone call (or goes to the can - I've seen both happen). As soon as root user walks away, the guy at the terminal next to him suspends the install, adds his name to a .rhosts file or chmod's a uid/euid change program as 4755, clears the screen and resumes the install. A good uid (user ID) exploit program usually masquerades as something else and if placed in the right location, will probably never be found unless being watched for.
On the other hand, a hacked mac admin account where the password is known gives full access on macs and probably won't on UNIX unless the user was root (hacking a sudoer probably won't give you full access). Essentially, OSX relies more on passwords for security and Unix relies more on a specific user (root) for security and both have their advantages and disadvantages.
On Windows, though, an admin user is an admin user and has full permissions to do anything they want, including create more admin users or wipe the entire OS. The only good thing about Windows in this respect is that it is more difficult to remotely control the machine because of its single user origins.
I love using my XP Pro box for games - it dual boots linux, and has been amazingly stable for a MS OS, but I keep it safely behind a UNIX firewall for a reason - I don't like patching daily, I don't like the endless stream of worms I see trying to get in, and I don't want to give easy access to the script kiddie hackers that hit my firewall 100s of times every day (yes, they're logged and their IP automatically blocked after 50 failed attempts [hey, I'm generous - and I've screwed up login at least 5 times in a session myself]... now if only I could ban DHCP so they'd permanently go away...)
One of the security updates (October, I think) disabled the log-in button on the log-in screen, so you had to hit after typing your password to log in. Apple released an updated update within a week. I think that's the worst wide-spread flaw in any recent Apple update.
You didn't install anything, you mounted and copied. You need root (sudo) access to do an actual install on OS X. So in a way you both are correct, you DO need root to install, but it can be circumvented if instead of "installing" you merely mount an image file and copy the executable out.
"It's better to be a pirate than join the Navy"
Plus, this man's logic is flawed. When he typed that, he had not posted the article. No one knew about it. No noise would therefore be made until he had posted it.
Sorry.
And I don't know, this looks like noise to me.
I really dislike smug people. People who try and beef up a weak argument with me-feel-good smugness like the classic "I told you so," and "well, it looks we was right all along, chaps," don't have an argument worth arguing.
Maybe they're trying to make themselves feel better about having Windows. Denial is always a possibility.
Politics is derived from two words - poly, meaning many, and tics, meaning small blood-sucking insects.
In your install of Mozilla, you are just copying some files to your user Applications directory. You aren't accessing any directories which as a user you are not allowed access to. For other software that installs for all users, or needs to change something in a directory for which you as a user don't have access, you'll have to run an install app. And that *has* to ask you for the root password, otherwise it can't do these things. As someone else said, it's the gui equivalent of sudo.
I have recently audited an xserver running the latest Jaguar. Within the first 20 minutes of looking, I found 3 command-line overflows for suid apps. These are textbook overflows and appear to be trivial to exploit. IMHO the developers have performed very little vulnerability (fuzz) testing against their privileged applications and services. Many many more bugs will be found. I encourage any newbie vulnerability researchers to get their hands on a copy of Jaguar ASAP. As mentioned in a previous post, file permissions are screwed up all over the system, and the amount of suid binaries is astonishing. You *will* find *many* vulnerabilities.
Not quite.
In the NT kernel, most (all?) objects have ACLs associated with them which allows much finer granularity than under a traditional UNIX-y kernel.
Imagine UNIX with finer-grained security. Now run many network-enabled services without the end-user's knowledge. Add automatic execution of downloaded code in the form of ActiveX controls, and remove the ability of those running the binaries to examine the source code.
Now revise everything in the system several times, adding new APIs while keeping existing ones more or less intact. Don't worry about establishing system-wide conventions among development teams -- they have better things to do.
Add the need to throw in nifty technologies to dethrone competitors.(1)
Now stop and think about how you've gained your acceptance. Realize that what people like to use at home will carry across to work. Realize further that people don't want to deal with permissions, or ACLs, not having administrative access, and not being able to play the latest-greatest game.
To gain home acceptance, ship a home edition of your operating system which allows the default user to do damned near anything on the machine. Make auditing of running services difficult and obscure. Above all else, don't confuse the user, or ask them to slow down even enough to realize that certain actions may compromise system security more than others.
Now stop and think about how little having finer-grained security really did to make the OS more secure overall.
The problem isn't that Windows lacks a "fundamentally sound architecture." The problem is all of the extra crap that gets thrown on top without really thinking things through.
1) I'll see your Java sandbox and raise you an ActiveX control!
Somebody get that guy an ambulance!
After reading the article, I have two things to say:
1. These aren't exactly easily exploitable remote root's like windows has had 50 of. There really is no comparison.
2. Installing XP yesterday, I was r00ted before I could get to Windows Update. This is just. plain. ridiculous.
I don't know about you guys, but there really is no question of what OS to use if you really want it to work right, be stable, and be secure. NO QUESTION. "usability" is close enough in Linux for me. AND ISN'T A VIRUS EVERY FIFTEEN MINUTES SOME SORT OF USABILITY PROBLEM?>??
Who is this Anonymous Coward character, how does he post so much, and why is he always such a whore?
Bear in mind that at least UNIX was designed with multiple users and administrators in mind, whereas Windows most certainly never was.
-fred
Sign #11 of Slashdot overdose: You see the phrase 'moderate Republican' and you wonder if that would be a +1 or a -1.
Um, that's what I said.
Administrator account, password prompted during setup, Local account, no password prompted during setup, but full admin access except for inbound connections.
And if your system was rooted that fast, you didn't follow the recommendations
Step 1: Firewall ON
Step 2: Windows update
Articles like this caused me to cancel my subscription to PC Mag. This article confirmed I'm not missing anything. I wish he would tell his editor I don't subscribe because of articles like this. I've not had a single problem with OS X. I used to use Windows. A few weeks ago the network at a hospital where I work was brought down because of a virus. Earlier this year I watched as my campus network slowed to a crawl due to a worm that affected Windows machines. And the article mentions this hypothetical problem with the Mac OS. Whatever. Glad to know I'm not missing anything now that I've cancelled my subscription.
Well, that's a little cocky :-). Here's a story - I had a Win2k machine that I used for ICS a year or so ago. It got hacked because I hadn't installed a firewall on it.
Learning my lesson, I vaped the machine, then installed Win2k from a CD. Then I installed the ADSL modem drivers, and went to ZoneAlarm's website and installed Zone Alarm. Then I ran Windows Update, and got all the latest patches.
Finally I installed Norton Anti-Virus. It told me I had already been infected by a trojan (a different one to the one I had previously been hit by).
Basically, if you ain't got all the patches on CD/HD, you can be hit quite easily during an install. It depends on the network you're using - on BT ADSL I used to get scanned all the time - I've moved to another provider, and I don't get anything like the number of attacks. My Dad is on dial-up, and he gets port-scanned about once every 30 seconds, sometimes more often.
Yes, this is 2k, not XP, but I believe it's not beyond the bounds of possibility that a similar thing could happen with XP. It's good news that MS is (thinking of) enabling the firewall by default in XP SP2 - but again, that's a service pack, that you have to download :)
And yes, you can have it downloaded, but by God, MS usually manage to make it as difficult as possible to just download the whole patch as one file that you can install later/on other PCs. Grr.
There have been a lot of local vulnerabilities in all Unixes (just remember the decent hack of Debian's servers using a local kernel vulnerability). And then if there's a user program that has serious remote vulnerability, then that local vulnerability becomes remote too. And then just think of the case that you have several untrusted/stupid local users on the Unix box.
And also "well written" apps can have bugs too. So even limiting yourself only to well known and widely used open source applications and inspecting their source code quality yourself is no guarantee. Sure it makes the odds of a critical bug much smaller, but never zero. And as soon as you access the internet, your potentially vulnerable software could interact with malicious attacker's software, and you are at risk, only protected by the hope that there are no unknown and unpatched remote vulnerabilities in your software.
Ok, so this can get pretty theoretical, the risk can be really really small if you avoid running anything but the most well tested programs. But still, I agree with previous poster, no OS is perfectly secure, simply because that's impossible.
good points? He talks about ONE security hole in OS X. So because they found one flaw, it's just as insecure as windows. huh?
Ok, no OS is immune (not even the beloved linux) to security flaws. To compare one hole in OS X to thousands upon thousands in windows is stupid. I've heard the windows is more popular so that's why it has more viruses argument before and it's BS! Windows is insecure by design.
I use linux and Mac OS X exclusively. I haven't had a problem with either of them. It's kind of like locking your car door... can someone break in? Sure they can, so maybe you have the club or an alarm (or both)... can they still break in? Yes, it just takes a little more time and effort. Windows is like leaving your car unlocked and the windows rolled down. Linux and OS X at least lock the doors and set the alarm.
Hmmm... He hasn't made the Apple Death Knell Counter yet.
-- "At Microsoft, quality is job 1.1" -- PC Magazine, Nov. 1994
But yes, despite the exceptions the basic point is sound: Apple generally issue patches far faster than M$, those patches tend to be smaller and work better, and the OS itself has far fewer problems.
As has been discussed elsewhere, the argument that more people write viruses for Windows because more people use it doesn't stand up either - there are proportionally fewer Mac viruses than even the much smaller market share would suggest. (Much as most web server exploits are for IIS, despite it having less than half Apache's share.) OS X is simply more secure. Not perfect, but better.
Ceterum censeo subscriptionem esse delendam.
Looks like Apple set the sticky-bit on /. Even though you can create a new file in /, you can't edit any of the important files there nor can you modify any of the files in /etc w/o sudo/su'ing first. (My experience is only w/ 10.3.)
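An added example, not part of any comment in this thread: posters above raise setuid binaries (mode 4755) and the sticky bit on a world-writable directory such as /. A defender can inventory both with a short audit like the one below; the function names and the temporary sample tree are constructed for illustration.

```python
import os
import stat
import tempfile


def classify(st):
    """Return review-worthy labels for one os.lstat() result."""
    mode = st.st_mode
    found = []
    if stat.S_ISREG(mode):
        if mode & stat.S_ISUID:
            found.append("setuid")
        if mode & stat.S_ISGID:
            found.append("setgid")
        # A privileged file that anyone can overwrite is the worst case.
        if mode & (stat.S_ISUID | stat.S_ISGID) and mode & stat.S_IWOTH:
            found.append("privileged-and-world-writable")
    elif stat.S_ISDIR(mode):
        # Without the sticky bit, any user may delete or rename other
        # users' entries in a world-writable directory.
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            found.append("world-writable-no-sticky")
    return found


def audit_tree(root):
    """Walk root without following symlinks; return sorted (relpath, label)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # entry vanished or is unreadable; skip it
            for label in classify(st):
                findings.append((os.path.relpath(path, root), label))
    return sorted(findings)


def demo():
    """Build a constructed sample tree and audit it."""
    with tempfile.TemporaryDirectory() as base:
        bindir = os.path.join(base, "bin")
        os.mkdir(bindir)
        os.chmod(bindir, 0o755)
        helper = os.path.join(bindir, "helper")
        tool = os.path.join(bindir, "tool")
        for p in (helper, tool):
            with open(p, "w") as fh:
                fh.write("#!/bin/sh\n")
        os.chmod(helper, 0o4755)   # setuid, the mode named in the thread
        os.chmod(tool, 0o755)      # ordinary executable, not reported
        shared = os.path.join(base, "shared")
        os.mkdir(shared)
        os.chmod(shared, 0o1777)   # world-writable with sticky bit: fine
        drop = os.path.join(base, "drop")
        os.mkdir(drop)
        os.chmod(drop, 0o777)      # world-writable, no sticky bit: reported
        return audit_tree(base)


if __name__ == "__main__":
    for relpath, label in demo():
        print(f"{label:32} {relpath}")
```

Comparing successive runs of `audit_tree` on a real system is what surfaces a newly added setuid file of the kind the console story describes.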
2) The conjecture that if Mac OS were more used than Windows, it would have the same vulnerability rate is just that, conjecture, and it is unsupported in the article.
Actually on the 12/02/03 episode of the linux show, Eric Raymond made a very good point that pretty much debunks this particular piece of FUD spread by Microsoft and Windows apologists. He said that if the number of bugs/vulnerabilities of a piece of software were merely a function of the number of deployments of the software, then we would see far more bugs and vulnerabilities in Apache, which currently has 67% of webserver deployments, than in Microsoft IIS, which only has 20%. Instead we see the exact opposite with far more bugs and vulnerabilities in IIS. So, unless MS or Mr. Ulanoff can provide proof for their claims, then they are just spreading FUD!