Slashdot Mirror


Mac OS X Security Criticisms Countered

Paradox writes "In response to the recent PC Magazine story criticizing Mac OS X security, technologist/author Richard Forno has written a rebuttal criticizing the author and raising some good points about the fundamental differences between Windows and Mac OS X. Considering Lance Ulanoff's tone during his article, a rebuttal from the Mac OS X community was inevitable." Forno's conclusion: "Trustworthy computing must be more than a catchy marketing phrase. Ironically, despite a few hiccups along the way, it's becoming clear that Mac OS, not Windows, epitomizes Microsoft's new mantra of 'secure by design, default, and deployment'."

9 of 464 comments

  1. Slow site by Anonymous Coward · · Score: 5, Informative
    article text, reprinted as permitted by author. Enjoyez-vous.

    Muckraking, the PC Way
    Richard Forno
    12 Dec 03
    Copyright (c) 2003 by Author. Permission granted to reproduce in entirety with credit given.


    Richard Forno is a security technologist, author, and the former Chief Security Officer at Network Solutions.


    Since Apple released Mac OS X, even the PC industry trade publications have raved about its quality, design, and features. PC Magazine even gave Mac OS X "Panther" a 5-star rating in October 2003. Perhaps it was because Macs could now seamlessly fit into the Windows-dominated marketplace and satisfy Mac users refusing to relinquish their trusty systems and corporate IT staffs wanting to cut down on tech support calls. Whatever the reason, Mac OS X has proven itself as a worthy operating system for both consumers and business alike.

    Of course, as with all operating systems, Mac OS X has had its share of technical problems and even a few major security vulnerabilities. Nearly all were quickly resolved by Apple via a downloaded patch or OS update. But in general, Mac OS X is solid, secure, and perhaps the most trustworthy mainstream computing environment available today. As a result, Mac users are generally immune to the incessant security problems plaguing their Windows counterparts, and that somehow bothers PC Magazine columnist Lance Ulanoff.

    In a December 11 column [1] that epitomizes the concept of yellow journalism, he's "happy" that Mac OS X is vulnerable to a new and quite significant security vulnerability. The article was based on a security advisory by researcher Bill Carrel regarding a DHCP vulnerability in Mac OS X. Carrel reported the vulnerability to Apple in mid-October and, through responsible disclosure practices, waited for a prolonged period before releasing the exploit information publicly since Apple was slow in responding to Carrel's report (a common problem with all big software vendors.) Accordingly, Lance took this as a green light to launch into a snide tirade about how "Mac OS is just as vulnerable as Microsoft Windows" while penning paragraph after paragraph saying "I told you so" and calling anyone who disagrees with him a "Mac zealot."

    In other words, you're either with him or with the "zealots." Where have we seen this narrow-minded extremist view before?

    More to the point, his article is replete with factual errors. Had he done his homework instead of rushing to smear the Mac security community and fuel his Windows-based envy, he'd have known that not only did Apple tell Carrel on November 19 that a technical fix for the problem would be released in its December Mac OS X update, but that Apple released easy-to-read guidance (complete with screenshots) for users to mitigate this problem on November 26. Somehow he missed that.

    Since he's obviously neither a technologist (despite writing for a technology magazine) nor a security expert, let's examine a few differences between Mac and Windows to see why Macintosh systems are, despite his crowing, whining, and wishing, inherently more secure than Windows systems.

    The real security wisdom of Mac OS lies in its internal architecture and how the operating system works and interacts with applications. It's also something Microsoft unfortunately can't accomplish without a complete re-write of the Windows software -- starting with ripping out the bug-riddled Internet Explorer that serves as the Windows version of "Finder." (That alone would seriously improve Windows security, methinks.)

    At the very least, from the all-important network perspective, unlike Windows, Mac OS X ships with nearly all internet services turned off by default. Place an out-of-the-box Mac OS X installation on a network, and an attacker doesn't have much to target in trying to compromise your system. A default installation of Windows, on the other hand, shows up like a big red bulls-eye on a network with numerous network services enabled and running. And, unlike Win

  2. Curious.. by Metallic+Matty · · Score: 4, Informative

    You could have found a fairly accurate rebuttal right here at . as well.

    Minus the trolls and such.

  3. Re:Don't always assume a smear campaign by NaugaHunter · · Score: 5, Informative

    From the original article:
    How cocky are you feeling now, Mac elite?

    While the original article's criticism may not have come from "zealous hate", it certainly didn't come from impartial journalism. This and other statements like it definitely tinted it from simple reporting to an apparent attack, complete with the subliminal childish prat-calls.

    --
    R: That voice. Where have I heard that voice before? B: In about 365 other episodes. But I don't know who it is either.
  4. Yeah yeah. by mindstrm · · Score: 5, Informative

    My summary of the situation:

    - Nothing is totally secure, if it's at all useful.

    - Windows is demonstrably NOT secure. It's been riddled with nasty bugs for years.. and for Joe Average, WHY doesn't matter.

    - OS X is without question far more secure than windows, and less buggy. That is not to say it's immune, or that it can't be hurt ever, but several factors both in low-level design, and in user interface design, specifically how easily users can turn on and off certain services, makes it less prone to exploits.

    - Yes, it has a smaller market share, and hence, less attention is focused on it, and that certainly IS a factor.. but it doesn't change the fact that mac users don't have to worry about viruses on a daily basis at the moment. It also isn't the only factor, and hardly means "Oh it's just as insecure as windows"

    The #1 insecurities in windows are related to bad design... and a narrow interpretation of how the computer will be used in a network environment. Having all these services listening by default is bad. Having them difficult to shut off is even worse.

  5. Re:stubborn institutional pride/hubris, etc... by zgwortz962 · · Score: 5, Informative

    Honestly, Microsoft trying to put a Windows GUI on top of BSD is probably a bad move for them. The problem, as is always the issue with new OSes, is drivers.

    Apple was able to get away with Mac OS X on top of BSD, using their own modern driver architecture (IOKit) because they had a relatively small hardware subset that they had to support (and you'll note they didn't even *try* and support a whole bunch of their older machines...). And it still took them 4 years to get the first version out the door.

    For Microsoft to do the same thing would be tons more complicated, given the ungodly amount of hardware they have to support.

    (Drivers are the long term bane of Linux and BSD as well -- The Linux driver model is, IMHO, a horribly antiquated mess needing a complete tear out and replacement. It's not going to get that anytime soon for the same reasons outlined above - too many new drivers to support. I'm not familiar with the BSD model, but if it's anything like the over 20 year old UNIX device model, I'm *very* glad Apple chose to use IOKit instead...)

    IMHO, if Microsoft wants to produce a truly stable OS, they need to tear their kernel development away from the rest of the OS, and put everything else (especially IE) in a nice isolated sandbox. I would say the vast majority of Windows security holes are there because MS tries to integrate way too much high level functionality into the core OS.

    Of course, if they do that, then they risk people adding their own sandboxes on top of their core OS (like Java...) and losing control of the application developers who currently are slaved to that highly integrated high level functionality...

  6. So blown out of proportion ... by Zwoop · · Score: 5, Informative
    I still don't understand why this security "hole" got so much attention... Are people struggling to find problems with MacOSX? First of all, attacks like this are nothing new, just remember the old YP/NIS problems with broadcasting for the server, to mention just one example.

    Secondly, when we wrote the DHCP LDAP option specs way back when, we explicitly documented this problem in the security section:

    5. Security considerations

    Security considerations discussed in [3], particularly with respect to the
    provision of authentication information, are directly applicable here.
    Additionally, it should be noted that providing LDAP server information by
    a broadcast protocol such as DHCP may allow unauthorized clients to learn
    the location of and authentication information for LDAP servers and hence
    pose as valid clients. This presents a security problem when sensitive
    information, such as user passwords, is published via LDAP servers.

    The DHCP protocol provides no mechanisms for the client to verify the
    validity and correctness of the received information. The security
    considerations in [1] discuss several weaknesses, particularly the problem
    with unauthorized DHCP servers.


    This was written in 1997, note the last paragraph above. These issues have been discussed and documented in several RFCs, many years ago...

    -- Leif
  7. Re:The weird thing... by Trurl's+Machine · · Score: 5, Informative

    is that Mac os 9 was completely safe to the outside world. AFAIK there were no remote holes - now it did crash every ten to fifteen minutes on me, but I've never seen remote vulnerability.

    You can see one anytime you want by just checking this test site. It works in a similar way as the infamous autostart worm that plagued MacOS Classic machines. The vulnerability works as follows:

    1. You click on a link on a website like the above. It starts to download a stuffit-packed disk image to your desktop [without asking; that's the default configuration]
    2. Stuffit unpacks and mounts the image [without asking; that's the default configuration]
    3. Classic QuickTime sees a newly mounted image and initiates Autostart procedure [DEFAULT CONFIGURATION!]
    4. Bingo - you allowed a remote source to execute arbitrary code on your system; and even under MacOS X, it started as a Classic layer process so it runs actually as root

    The test site "attacks" you only with a very simple AppleScript applet that only opens your trashcan and that's it. But just think of the possibilities for a really malicious use. It was a very severe vulnerability for all vanilla-configured MacOS 9 (and earlier) machines; but unfortunately, also MacOS X machines with their Classic layer configured as the vanilla MacOS 9 were affected. THIS INCLUDES the MacOS X 10.3 "Panther". In fact, Classic layer always was and still is the biggest security hole in MacOS X, but that's another story. Anyway, Apple was crazy to provide Autostart option in QuickTime (who needs it, anyway?) but it was even more crazy to provide it as the DEFAULT configuration.

  8. Re:Interesting Article by bovinewasteproduct · · Score: 4, Informative

    Windows XP doesn't suffer from that issue

    Considering that only about 8% of the windows users are running XP (95, 98 and 2000 are the majority), then his comments still stand. The recent spate of articles on MS dropping support for Win98 has posted the ratios quite clearly.

    BWP

  9. Re:OSX is weak - here is some homework. by pHDNgell · · Score: 4, Informative

    The original point was about / being writable. The problem is that if / is writable (but not sticky), then it'd be possible to do this:

    cp -r etc myetc; mv etc etc.old ; mv myetc etc

    And then you control etc.

    However, due to the sticky bit:

    dustin2wti:/tmp/test 520% ls -ld . etc
    drwxrwxr-t 3 root admin 102 15 Dec 14:10 ./
    drwxr-xr-x 2 root wheel 68 15 Dec 14:10 etc/
    dustin2wti:/tmp/test 521% mv etc newetc
    mv: rename etc to newetc: Operation not permitted

    (because of the sticky bit and my lack of ownership over etc)

    Remember, renames are *directory* modifications, not file modifications. The sticky bit fills in the difference.

    --
    -- The world is watching America, and America is watching TV.
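
The sticky-bit point in comment 9, as an added audit example that is not part of the original thread or any commenter's code: it classifies a directory by who may rename its entries and lists the ancestors of a path where an entry could be swapped. The names `rename_policy`, `swappable_ancestors` and `build_demo` are hypothetical, the directory layout is constructed, and only classic mode bits are examined (ACLs are ignored).

```python
import os
import stat


def rename_policy(directory):
    """Say who may rename or unlink entries in `directory`, from its mode bits."""
    mode = os.stat(directory).st_mode
    if not stat.S_ISDIR(mode):
        raise NotADirectoryError(directory)
    if not mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "owner-only"      # only the directory owner (and root) can rename
    if mode & stat.S_ISVTX:
        # Sticky: a writer can rename only entries it owns
        # (the directory owner and root are excepted).
        return "restricted"
    return "swappable"           # any writer can move an entry aside and replace it


def swappable_ancestors(path):
    """List directories above `path` where any writer could swap an entry."""
    current = os.path.realpath(path)
    found = []
    while True:
        parent = os.path.dirname(current)
        if parent == current:    # reached the filesystem root
            break
        if rename_policy(parent) == "swappable":
            found.append(parent)
        current = parent
    return found


def build_demo(base, mode):
    """Constructed layout mirroring the comment: a shared directory holding etc/."""
    shared = os.path.join(base, "test")
    etc = os.path.join(shared, "etc")
    os.makedirs(etc, exist_ok=True)
    os.chmod(etc, 0o755)
    os.chmod(shared, mode)       # explicit chmod so the umask does not interfere
    return shared, etc


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as base:
        for mode in (0o1775, 0o775):   # with and without the sticky bit
            shared, etc = build_demo(base, mode)
            print(oct(mode), rename_policy(shared), swappable_ancestors(etc))
```

Run against a real path such as `/etc/passwd`, an empty list from `swappable_ancestors` means no directory on the way there allows the rename-and-replace described in the comment.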