Slashdot Mirror
PC Mag - Mac OS X Insecure
Suki writes "In this recent story a PC Mag writer concludes that "Panther and Jaguar were not better at outrunning vulnerabilities than Windows" and as my personal fav. ends by asking "How cocky are you feeling now, Mac elite? Hmm. Suddenly it's gotten pretty quiet around here." The article discusses many previous Windows security holes against a recent Mac OS X security flaw."
The hole he's referring to requires some particular circumstances before it's even viable.
The attacker must:
Be on your local network
Already have control of your DHCP server
If both of the above are true, you already have much more serious problems.
While I agree that remote root/admin is bad juju, in this case it's hardly equivalent to the Windows remote admin exploits to which he's comparing it.
Excellent comments. Please post them in our forum:
s p,
http://discuss.pcmag.com/pcmag/start/?msg=32413
-----Original Message-----
From: ***
Sent: Thursday, December 11, 2003 10:24 AM
To: Ulanoff, Lance
Subject: Eureka
Hello.
in your piece at http://www.pcmag.com/article2/0,4149,1408953,00.a
you have this to say in conclusion:
Ultimately, those on the Mac fringe have to face facts: Panther and Jaguar were not better at outrunning vulnerabilities than Windows. I expect other gaps will emerge, and while the Mac OS may still draw far fewer attacks, this discovery might suck a little wind (or is it Windows?) out of Mac radicals' sails. They can scarcely claim this was a minor hole. OS root access is serious stuff. How cocky are you feeling now, Mac elite? Hmm. Suddenly it's gotten pretty quiet around here.
So, that's all it takes for you? One potentially serious loophole in an
OS to declare it "no better at outrunning vulnerabilities than
windows"?
Have you recently counted the number of Cert advisory reports that have
come out for XP? Last I checked, more than a month ago, it was in the
40-some range. For XP alone. This year only. For the past few weeks,
those reports have come in bundles of 3-to-5 at a time. Nearly every
other week.
While gaining root access is serious on a Unix machine, you also need
to point out the fact that to be able to gain access to this loophole,
you absolutely need to be on the same subnet as the compromised
computer. Therefore shielding 60%-some percent of home Mac installation
(as those connect to the interner through some phone connection like
PPP) and a great deal (don't have numbers) of the remaining 40% still
not at risk, provided their Cable or ISDN, [A]DSL ISPs have done their
work properly.
It's not like one could attack the entire machine simply by sending an
email containing some VBL script. Right?
Of course I'm a Mac head. And I'm still as cocky as I've been since
roughly 1988. Because every time I see those IT folks around here
struggling to keep the company running when the next wave of Win
trouble appears, I'll be smiling at my desk, uninterrupted, and
occasionally offering to help (okay... I'm just pointing them to some
Linux site or Apple.com... but hey... I seriously believe that would
help
them).
Keep us entertained.
Have a good day.
What you can claim accurately is that Apple fixes holes promptly and fairly quickly, and that the MacOS X architecture does not have flaws which result in two or three active IE holes in the wild right now.
The other thing that you can claim is that Apple appears to perform more thorough testing of their security patches. I have been using OS X since beta and I have yet to have applied a patch that has caused any real pain. Windows on the other hand......Well, I cannot count the wasted hours I have spent either rolling back an update or scrubbing the hard drive clean and doing a reinstall due to Windows either seriously corrupting things or even worse, outright killing a machine. In fact, at our lab it was a W2k security update that killed a machine dead that was responsible for us replacing all of our W2k systems with 17in iMacs running OS X. I simply got tired of the grief associated with maintaining a Windows computer. We use our systems to get work done, not to goof around with maintaining Windows.
Visit Jonesblog and say hello.
You can find a better article about the OS X vs. Windows with respect to viruses here.
I have never been able to shake my perception of PC Magazine/ZD as just a shill for their biggest advertisers. Just ask yourself: Who butters their bread?
Actually, this is one of the more mind-bogglingly stupid articles from a Windows apologist I've read in a long time. It's even worse than most Slashdot wintrolls.
For the record, I'm not a Mac user and my few attempts at using it ended in annoyance and frustration. It does not, however, take a genius to recognize the logical leaps inherent in the author's petulant outburst.
To wit:
1) A single flaw does not compare to the egregious history of security problems on Windows.
2) The conjecture that if Mac OS were more used than Windows, it would have the same vulnerability rate is just that, conjecture, and it is unsupported in the article.
3) The iTunes/iPod "hack" is not comparable to an operating system comprimise. It is a comprimise of a digital restrictions management (DRM) system. DRM systems are known to be inherently vulnerable and practically insecurable. Nobody but deluded content industry executives expect DRM systems to have any more than brief protection. Also, once broken, they can't be fixed.
4) The swipes at Mac "zealots" are irrelevant ad hominems
5) The complaint about the complexity of MacOS X is silly. All software is complex. Some is just done worse than other.
There's nothing here to see.
I take issue with your statement that Unix design is more elegant. I feel that NT is a wonderful, modern, design, with inherently more built-in security features than BSD or Linux variants.
Unix is a 35 year-old design that has stood the test of time _because_ of its elegance. It's based on 6 commands (open, close, read, write, fork and exec), takes an "everything's a file" approach, and relies heavily on small, reusable componets that are easier to fix and isolate than large monolitic code. The complexity if Unix likes in the mixing of those simple pieces.
Think of it as the difference between Playdough (Windows) and Lego (Unix). Windows is like a big lump of playdough. Sure it's pliable in the beginning, but over time it hardens into a big, unusable clump that needs to be tossed (reloaded). Unix on the other hand is like legos. Its modular design lends itself to be mixed and matched into unlimited configurations.
When it comes to security, it's easier for coders to get their brains around smaller, more manageable code. Windows is so big and unwieldly, they're going to have to do a fourth rewrite if they ever hope to build something that's even close to being secure. Why else has Microsoft been promising security for almost two years since they announce "Trustworthy Computing" and yet they're worse off than they've ever been.
Like I said in the original post, next month we'll see a whole slew of major new problems with Windows, and Mac and the other Unix variants will probably be free from any major known flaws. Just like we have for years.
Ruby on Rails Screencast
2) The conjecture that if Mac OS were more used than Windows, it would have the same vulnerability rate is just that, conjecture, and it is unsupported in the article.
Actually on the 12/02/03 episode of the linux show, Eric Raymond made a very good point that pretty much debunks this particular piece of FUD spread by Microsoft and Windows apologists. He said that if the number of bugs/vernerabilities of a piece of software were merely a function of the number of deployments of the software, then we would see far more bugs and vernerabilities in Apache, which currently has 67% of webserver deployments, than in Microsoft IIS, which only has 20%. Instead we see the exact opposite with far more bugs and vernerabilies in IIS. So, unless MS or Mr. Ulanoff can provide proof for their claims, then they are just spreading FUD!