Slashdot Mirror
PC Mag - Mac OS X Insecure
Suki writes "In this recent story a PC Mag writer concludes that "Panther and Jaguar were not better at outrunning vulnerabilities than Windows" and as my personal fav. ends by asking "How cocky are you feeling now, Mac elite? Hmm. Suddenly it's gotten pretty quiet around here." The article discusses many previous Windows security holes against a recent Mac OS X security flaw."
The hole he's referring to requires some particular circumstances before it's even viable.
The attacker must:
Be on your local network
Already have control of your DHCP server
If both of the above are true, you already have much more serious problems.
While I agree that remote root/admin is bad juju, in this case it's hardly equivalent to the Windows remote admin exploits to which he's comparing it.
So an attacker who can gain access to your network -- over a wired connection or wirelessly -- can trick an affected system into trusting a rogue machine, and when the compromised machine reboots, take it over and even attack other systems on the network.
So, a guy has to get on my network, set up another machine as a trusted server, wait for me to reboot, and then...? Is this a fair comparison to email viruses, etc...?
My cube's been up for 90 days. I plan to take it down and upgrade it eventually. Does this mean I'm going to be vulnerable?
Whatever.
-- The world is watching America, and America is watching TV.
Excellent comments. Please post them in our forum:
s p,
http://discuss.pcmag.com/pcmag/start/?msg=32413
-----Original Message-----
From: ***
Sent: Thursday, December 11, 2003 10:24 AM
To: Ulanoff, Lance
Subject: Eureka
Hello.
in your piece at http://www.pcmag.com/article2/0,4149,1408953,00.a
you have this to say in conclusion:
Ultimately, those on the Mac fringe have to face facts: Panther and Jaguar were not better at outrunning vulnerabilities than Windows. I expect other gaps will emerge, and while the Mac OS may still draw far fewer attacks, this discovery might suck a little wind (or is it Windows?) out of Mac radicals' sails. They can scarcely claim this was a minor hole. OS root access is serious stuff. How cocky are you feeling now, Mac elite? Hmm. Suddenly it's gotten pretty quiet around here.
So, that's all it takes for you? One potentially serious loophole in an
OS to declare it "no better at outrunning vulnerabilities than
windows"?
Have you recently counted the number of Cert advisory reports that have
come out for XP? Last I checked, more than a month ago, it was in the
40-some range. For XP alone. This year only. For the past few weeks,
those reports have come in bundles of 3-to-5 at a time. Nearly every
other week.
While gaining root access is serious on a Unix machine, you also need
to point out the fact that to be able to gain access to this loophole,
you absolutely need to be on the same subnet as the compromised
computer. Therefore shielding 60%-some percent of home Mac installation
(as those connect to the interner through some phone connection like
PPP) and a great deal (don't have numbers) of the remaining 40% still
not at risk, provided their Cable or ISDN, [A]DSL ISPs have done their
work properly.
It's not like one could attack the entire machine simply by sending an
email containing some VBL script. Right?
Of course I'm a Mac head. And I'm still as cocky as I've been since
roughly 1988. Because every time I see those IT folks around here
struggling to keep the company running when the next wave of Win
trouble appears, I'll be smiling at my desk, uninterrupted, and
occasionally offering to help (okay... I'm just pointing them to some
Linux site or Apple.com... but hey... I seriously believe that would
help
them).
Keep us entertained.
Have a good day.
12.10.2003
Internet Explorer Spoofing Vulnerability Found
12.10.2003
Security Experts Warn of New Way to Attack Windows
This same "exploit" Apple claims is normal. One "exploit" will not make Mac users eat crow. Let's see some real OS X viruses and Apple having to release so many patches that it moves to a monthly bug release program first.
"The objective of securing the safety of Americans from crime and terror has been achieved." -- John Ashcroft
What you can claim accurately is that Apple fixes holes promptly and fairly quickly, and that the MacOS X architecture does not have flaws which result in two or three active IE holes in the wild right now.
The other thing that you can claim is that Apple appears to perform more thorough testing of their security patches. I have been using OS X since beta and I have yet to have applied a patch that has caused any real pain. Windows on the other hand......Well, I cannot count the wasted hours I have spent either rolling back an update or scrubbing the hard drive clean and doing a reinstall due to Windows either seriously corrupting things or even worse, outright killing a machine. In fact, at our lab it was a W2k security update that killed a machine dead that was responsible for us replacing all of our W2k systems with 17in iMacs running OS X. I simply got tired of the grief associated with maintaining a Windows computer. We use our systems to get work done, not to goof around with maintaining Windows.
Visit Jonesblog and say hello.
You can find a better article about the OS X vs. Windows with respect to viruses here.
I have never been able to shake my perception of PC Magazine/ZD as just a shill for their biggest advertisers. Just ask yourself: Who butters their bread?
Is being secure the same as security? Let us take a look and see. Starting out let us compare raw numbers.
Building A has one broken window, that is kind of small and can only be breached if you can get passed the outer gate (with its own security), and have the right (specialized) equipment.
Building B has many broken windows, and windows breaks as fast as they fix them. Many of the broken windows can be breached from down the street. The latest broken window could allow anyone to imitate building C, and only when you have entered the building do you realize that you have been duped into entering Goat's house of cx.
Which building is more secure?
The issue is that security is offered in LEVELS. No place is 100% secure, however some places offer much higher levels of security, providing a safer place to be.
So which building is more secure?
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
I take issue with your statement that Unix design is more elegant. I feel that NT is a wonderful, modern, design, with inherently more built-in security features than BSD or Linux variants.
Microsoft's security troubles are caused by weak sucurity practices carried over from Win 3.1 and 95 to support legacy apps that were not designed to support security. Those weak practices combined with a useful, widely used, interprocess mechanism (COM, which BSD and Linux have no equivalent), are responsible for the vast majority of security issues under Windows.
Actually, this is one of the more mind-bogglingly stupid articles from a Windows apologist I've read in a long time. It's even worse than most Slashdot wintrolls.
For the record, I'm not a Mac user and my few attempts at using it ended in annoyance and frustration. It does not, however, take a genius to recognize the logical leaps inherent in the author's petulant outburst.
To wit:
1) A single flaw does not compare to the egregious history of security problems on Windows.
2) The conjecture that if Mac OS were more used than Windows, it would have the same vulnerability rate is just that, conjecture, and it is unsupported in the article.
3) The iTunes/iPod "hack" is not comparable to an operating system comprimise. It is a comprimise of a digital restrictions management (DRM) system. DRM systems are known to be inherently vulnerable and practically insecurable. Nobody but deluded content industry executives expect DRM systems to have any more than brief protection. Also, once broken, they can't be fixed.
4) The swipes at Mac "zealots" are irrelevant ad hominems
5) The complaint about the complexity of MacOS X is silly. All software is complex. Some is just done worse than other.
There's nothing here to see.
no point in generating revenue for them to produce more pap like this character's "analysis".
If English was good enough for Jesus, it's good enough for everyone else.
it seems far more constructive to discuss the merits here (which I am sure he will read)...
Heehee, (giggle), that was a good one.
Get real. This guy's job is to generate ad revenue by bringing in eyeballs. Writing an inflammatory article does just that. Having done so, he goes home. He doesn't give a shit whether he's right or wrong, and he certainly won't be following up the "community's" response. He will laugh all the way to the bank, however.
Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
I take issue with your statement that Unix design is more elegant. I feel that NT is a wonderful, modern, design, with inherently more built-in security features than BSD or Linux variants.
Unix is a 35 year-old design that has stood the test of time _because_ of its elegance. It's based on 6 commands (open, close, read, write, fork and exec), takes an "everything's a file" approach, and relies heavily on small, reusable componets that are easier to fix and isolate than large monolitic code. The complexity if Unix likes in the mixing of those simple pieces.
Think of it as the difference between Playdough (Windows) and Lego (Unix). Windows is like a big lump of playdough. Sure it's pliable in the beginning, but over time it hardens into a big, unusable clump that needs to be tossed (reloaded). Unix on the other hand is like legos. Its modular design lends itself to be mixed and matched into unlimited configurations.
When it comes to security, it's easier for coders to get their brains around smaller, more manageable code. Windows is so big and unwieldly, they're going to have to do a fourth rewrite if they ever hope to build something that's even close to being secure. Why else has Microsoft been promising security for almost two years since they announce "Trustworthy Computing" and yet they're worse off than they've ever been.
Like I said in the original post, next month we'll see a whole slew of major new problems with Windows, and Mac and the other Unix variants will probably be free from any major known flaws. Just like we have for years.
Ruby on Rails Screencast
Sorry, but i'm on a W2k machine here at work.
Just checked Start -> Control Panels -> --------
i have no Service control panel.
If this mythical beast is not located in the Control panels where mere mortals live - wherefore art those average users who could find it?
(after 3 minutes of looking around, and because i (conned) the guys at work to give me Admin privs on this machine (99% users here do not) - i found the gizmo under the Administrative Tools applications folder under the start menu.. AFTER i "turned on" that folder in my start menu - for clarity)
if that's "easy to use, checkbox for all services" i'm Paris Hilton.
guns kill people like spoons make Rosie O'Donnell fat.
I don't think you stress the password thing enough - a mac administrative user can't wipe the system clean without knowing the password, while a windows admin can.
.rhosts file or chmod's a uid/euid change program as 4755, clears the screen and resumes the install. A good uid (user ID) exploit program usually masquerades as something else and if placed in the right location, will probably never be found unless being watched for.
You may not think that's a big deal, but I've seen some good hacking done via console usurption -
root is installing software and gets phone call (or goes to the can - I've seen both happen). As soon as root user walks away, the guy at the terminal next to him suspends the install, adds his name to a
On the other hand, a hacked mac admin account where the password is known gives full access on macs and probably won't on UNIX unless the user was root (hacking a sudoer probably won't give you full access). Essentially, OSX relies more on passwords for security and Unix relies more on a specific user (root) for security and both have their advantages and disadvantages.
On Windows, though, an admin user is an admin user and has full permissions to do anything they want, including create more admin users or wipe the entire OS. The only good thing about Windows in this respect is that it is more difficult to remotely control the machine because of its single user origins.
I love using my XP Pro box for games - it dual boots linux, and has been amazingly stable for a MS OS, but I keep it safely behind a UNIX firewall for a reason - I don't like patching daily, I don't like the endless stream of worms I see trying to get in, and I don't want to give easy access to the script kiddie hackers that hit my firewall 100s of times every day (yes, they're logged and their IP automatically blocked after 50 failed attempts [hey, I'm generous - and I've screwed up login at least 5 times in a session myself]... now if only I could ban DHCP so they'd permanently go away...)
Plus, this man's logic is flawed. When he typed that, he had not posted the article. No one knew about it. No noise would therefore be made until he had posted it.
Sorry.
And I don't know, this looks like noise to me.
I really dislike smug people. People who try and beef up a weak argument with me-feel-good smugness like the classic "I told you so," and "well, it looks we was right all along, chaps," don't have an argument worth arguing.
Maybe they're trying to make themselves feel better about having Windows. Denial is always a possibility.
Politics is derived from two words - poly, meaning many, and tics, meaning small blood-sucking insects.
Not quite.
In the NT kernel, most (all?) objects have ACLs associated with them which allows much finer granularity than under a traditional UNIX-y kernel.
Imagine UNIX with finer-grained security. Now run many network-enabled services without the end-user's knowledge. Add automatic execution of downloaded code in the form of ActiveX controls, and remove the ability of those running the binaries to examine the source code.
Now revise everything in the system several times, adding new APIs while keeping existing ones more or less intact. Don't worry about establishing system-wide conventions among development teams -- they have better things to do.
Add the need to throw in nifty technologies to dethrone competitors.(1)
Now stop and think about how you've gained your acceptance. Realize that what people like to use at home will carry across to work. Realize further that people don't want to deal with permissions, or ACLs, not having administrative access, and not being able to play the latest-greatest game.
To gain home acceptance, ship a home edition of your operating system which allows the default user to do damned near anything on the machine. Make auditing of running services difficult and obscure. Above all else, don't confuse the user, or ask them to slow down even enough to realize that certain actions may compromise system security more than others.
Now stop and think about how little having finer-grained security really did to make the OS more secure overall.
The problem isn't that Windows lacks a "fundamentally sound architecture." The problem is all of the extra crap that gets thrown on top without really thinking things through.
1) I'll see your Java sandbox and raise you an ActiveX control!
Somebody get that guy an ambulance!
After reading the article, I bave two things to say:
1. These aren't exactly easily exploitable remote root's like windows has had 50 of. There really is no comparison.
2. Installing XP yesterday, I was r00ted before I could get to Windows Update. This is just. plain. ridiculous.
I don't know about you guys, but there really is no question of what OS to use if you really want it to work right, be stable, and be secure. NO QUESTION. "usability" is close enough in Linux for me. AND ISN'T A VIRUS EVERY FIFTEEN MINUTES SOME SORT OF USABILITY PROBLEM?>??
Who is this Anonymous Coward character, how does he post so much, and why is he always such a whore?
Um, that's what I said.
Administrator account, password prompted during setup, Local account, no password prompted during setup, but full admin access except for inbound connections.
And if your system was rooted that fast, you didn't follow the recommendations
Step 1: Firewall ON
Step 2: Windows update
Well, that's a little cocky :-). Here's a story - I had a Win2k machine that I used for ICS a year or so ago. It got hacked because I hadn't installed a firewall on it.
Learning my lesson, I vaped the machine, then installed Win2k from a CD. Then I installed the ADSL modem drivers, and went to ZoneAlarm's website and installed Zone Alarm. Then I ran Windows Update, and got all the latest patches.
Finally I installed Norton Anti-Virus. It told me I had already been infected by a trojan (a different one to the one I had previously been hit by).
Basically, if you aint got all the patches on CD/HD, you can be hit quite easily during an install. It depends on the network you're using - on BT ADSL I used to get scanned all the time - I've moved to another provider, and I don't get anything like the number of attacks. My Dad is on dial-up, and he gets port-scanned about once every 30 seconds, sometimes more often.
Yes, this is 2k, not XP, but I believe it's not beyond the bounds of possibility that a similar thing could happen with XP. It's good news that MS is (thinking of) enabling the firewall by default in XP SP2 - but again, that's a service pack, that you have to download :)
And yes, you can have it downloaded, but by God, MS usually manage to make it as difficult as possible to just download the whole patch as one file that you can install later/on other PCs. Grr.
good points? He talks about ONE security hole in OS X. So because they found one flaw, it's just as insecure as windows. huh?
Ok, no OS is immune (not even the beloved linux) to security flaws. To compare one hole in OS X to thousands upon thousands in windows is stupid. I've heard the windows is more popular so thats why it has more viruses argument before and it's BS! Windows is insecure by design.
I use linux and Mac OS X exclusively. I haven't had a problem with either of them. It's kindof like locking your car door... can someone break in? Sure they can, so maybe you have the club or an alarm (or both)... can they still break in? Yes, it just takes a little more time and effort. Windows is like leaving your car unlocked and the windows rolled down. Linux and OS X at least lock the doors and set the alarm.
2) The conjecture that if Mac OS were more used than Windows, it would have the same vulnerability rate is just that, conjecture, and it is unsupported in the article.
Actually on the 12/02/03 episode of the linux show, Eric Raymond made a very good point that pretty much debunks this particular piece of FUD spread by Microsoft and Windows apologists. He said that if the number of bugs/vernerabilities of a piece of software were merely a function of the number of deployments of the software, then we would see far more bugs and vernerabilities in Apache, which currently has 67% of webserver deployments, than in Microsoft IIS, which only has 20%. Instead we see the exact opposite with far more bugs and vernerabilies in IIS. So, unless MS or Mr. Ulanoff can provide proof for their claims, then they are just spreading FUD!