Apple Uncommunicative About Security Holes
blackmonday writes "Kieren McCarthy of Techworld argues that Mac OS X is rife with security holes, and that Apple is doing a 'half-hearted' job of patching their operating system security holes, and has a 'strange habit of pretending a big problem is of no significance.' As a Mac user I find this an intriguing article in light of the Sasser Worm and its recent variants." Despite the article's assertions, no evidence of widespread security problems, or lack of effort to solve them, is offered. The only real question is Apple's lack of communication with the public in the nature of the problems.
Well, let's see: If Apple has been uncommunicative about the presence (or absence) of any security holes, it is simply because they would rather not publicize the presence of particular holes. It's good policy for their OS while also maintaining an open source presence with Darwin that allows for public scrutiny. It should also be noted that Apple is also working towards approval of certain security ratings from assorted groups and governmental agencies, but they are not publicizing that either. They would rather maintain a low profile and have good reasons for doing so. After all, the core of OS X, the NeXT OS has a long history of a presence in intelligence and security circles (NSA, CIA, FBI etc...).
I read the linked article and was absolutely stunned at how superficial the evidence was given the claims being made. If one is going to make such statements, one would think there would be a little more substance, but hey the article certainly has garnered some attention, so perhaps that was the sole goal of the author? Or if one were likely to believe in conspiracies, one might guess that the author was put up to writing the article by a potential competitor? In science, we have to publish "disclosures" that establish corporate or political linkages. Perhaps it is time for the news media to do the same?
Visit Jonesblog and say hello.
It seems possible that they intentionally keep quiet when they find a security hole. As long as your users get your patch, no good can come of more people knowing about the security hole.
_____
Thank you.
The whole thrust of the article seems to be "There might be dozens of holes in OSX, how do we know?". Seems making an argument like that, they shouldn't be comparing it to another proprietary system like Windows but instead Linux or *BSD. And then they mention a hole in Apache? WTF? Not Apple's problem.
I think that it would be in Apple's best interests to quietly eliminate security issues before anyone tries to exploit them. Apple is about solutions, right?!
Microsoft is just as guilty and then some. They try to hide these things from the public until they are an absolute threat. Mac users aren't as abundant as windows users, so the base for people finding these holes is much smaller.
-Less damage to the Apple brand
-Less desire for virus writers to write viruses for Macs -- if it's not widely covered in the media, then how do you know if your virus works? No bragging rights == no desire to make such viruses
-More security - if you don't publish holes but quietly fix them, then the chances of script kiddies (biggest cause for net viruses according to a study I read a while ago) exploiting such holes is much, much less.
Of course, it sucks from an end-user viewpoint, but *only* if such a virus actually infects your computer!
Condemnant quod non intellegunt.
I would say that Apple are working on the information behind the scenes but keeping quiet about it to keep it more low key.
As soon as you make the public more aware then you'll probably get a lot more "kiddie hackers" trying to show off...
> Well, let's see: If Apple has been uncommunicative about the presence (or absence) of any security holes, it is simply because they would rather not publicize the presence of particular holes.
In other words, security through obscurity? Who does that remind you of? And how successful has that policy historically been? hmmm...
What people fail to realize is that there are literally hundreds, if not thousands, of people who own Macs and many of them are now connected to the Internet.
Imagine the havoc an OSX based worm would wreak at an art school or a large interior design firm. This kind of stuff needs to be taken more seriously by Apple.
I won't say that maybe Apple isn't doing all it could on security holes- I will mention that I've never heard of a mac worm, a root exploit that's actually been carried out against a mac, and so forth. But maybe there's some sort of story about Apple being a little behind on patches occasionally.
However, with all due respect to Techworld and the author, this is really a pathetic attempt at a story. Biases, half-truths, no principle of charity (regardless of Apple's good record of *actual* security exploits- not the whole story, but a major part of it) with a comparison to Windows security where somehow Microsoft comes out on top, no hard figures, a poor understanding of security as a whole, and, though it may be a low blow, not very good prose (it seems rushed- i.e. one statement is "Apple's half-hearted effort to these holes can be found here."). There's really no proof (hard or soft) for any of the assertions in the article.
In conclusion, there's really really nothing to see here.
RD
Because less than 1% of the total market share of consumer PCs is inconsequential!
In short: they don't matter.
I am getting sick and tired of so called "Tech Security" companies who create FUD just to sell their products.
"Slashdot, where telling the truth is overrated but lying is insightful."
I read the article - I can't believe that the editors (are there any?) let this article see the light of day. Sure, there are security holes in Mac OS. It's a given that any OS has some kind of bug or flaw that, when properly exploited, will cause a DOS, crash or improper security. But this author is speculating (or, using speculation as source material).
Any OS based on a solid Unix core (Darwin, Linux, AIX) is going to be much more secure than any Windows kernel - at least at this point. It remains to be seen if Microsoft can build a reliable, secure kernel. Oh, and by the way, how many flaws, and how bad are they, are in Linux and Mac OS compared to windows? Having administered global networks of >1000 Windows workstations and servers, I'll take a similarly sized Linux network ANY day, if security is paramount.
Windows is insecure. So is MacOS X, Linux, BSD, Solaris etc if run by an incompetent admin. One system I had to fix was a hardened install of Solaris that was running VNC server without a password because the local admin was too lazy to walk over to a terminal to type commands. However, by the same token, Windows, MacOS X, Linux, BSD, Solaris etc are all secure if run by an admin that knows what they are doing.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
Macintosh machines are such a small percentage of the personal computer market they're not really an interesting target for virus makers. Kind of like Linux in a sense: however secure it's supposed to be, it hasn't really been put to the test and never had to withstand, in desktop installs, the kinds of attacks Windows (and DOS before it) have always been through.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
So, Apple is half-hearted about security vulnerabilities because they released a bunch of patches? I fail to see how this is in any way a bad thing. Releasing information about exploits in a closed-source system is kinda stupid. At least Apple is patching these things before they become a problem.
On the most part though, it's a lot easier to administrate a *nix system and keep it secure than it is to do so with a Windows system. It all, for me, comes down to the root/user system. You have a root that you don't use normal stuff for, and so therefore it's a lot more difficult to place undetectable things on a computer on the basis that the only places someone with user access to your comp has is in user-defined places. Namely, /tmp, ~, and anywhere else the user decides to place low restrictions for themselves (say, for me, my /filez partition).
As much as people want to bitch about how "insecure" *nix systems are, frankly, they're just better designed from a coding perspective than Windows. Windows seems to have been spending a lot of its time playing catchup with features, and now they're feeling the brunt of not practicing efficient coding, and the result is going to be Longhorn (supposedly... I don't know how many times I've heard the "The Next Windows is going to be better" argument... pretty much since 3.1), which is, in effect, a major overhaul and an attempt to make Microsoft's Station Wagons a bit more like BeOS' Batmobiles.... but it seems like it's more likely to become a 12-cylinder Viper with the amount of resources they're claiming it's going to need to consume.
I'm happy with my fuel efficient tank that'll work on any road, thank you very much.
(Apologies to Neal Stephenson for borrowing the metaphor)
Karma: Non-Heinous
Microsoft's policy is the holes don't exist, Apple's is they exist and when we find them we fix them.
"Slashdot, where telling the truth is overrated but lying is insightful."
As long as there are operating systems and, likewise, semi-to-fully intelligent people who look them over..there will always be, in some form,..."holes". Any system must be absolutely isolated from any outside sources of activity to even be viewed as semi-secure. My PC with my own OS in the middle of my padded room connected to nothing but cables to my inverter may be secure...but the fella drooling in the corner has given me some reason for concern....
Does this guy even read the things he's linked to? Specifically the eEye Quicktime exploit page which mentions: "Vendor Status: Apple has released a patch for this vulnerability. The patch is available via the Updates section of the affected applications. This vulnerability has been assigned the CVE identifier CAN-2004-0431."
And on the AFP hole, Apple released a patch the same day they were told about the problem. Talk about turnaround time and microscopic exploit windows!
I think this guy just wants people to get riled up about Apple. All I've gotten pissed off about is him. Thanks a bunch, a**hole.
...an "Apple", with "holes" in it, which could be exploited by "Worms"...
Well, I thought it was funny, at least.
A comment in response to the Scobleizer blog said it best:
Not only does the article offer only very little in the way of evidence, but the whole point of the article appears moot. My favorite quote at http://secunia.com/advisories/11539 (linked from the article):
"Solution:
Apply Security Update 2004-05-03."
(The article is dated "04 May 2004")
Winner of the most ass-kissing Macinista post of the day.
Why should Apple take exploits in OS X seriously? Isn't it true that vulnerabilities are never exploited until a patch is available?
MacBook Pro. Worst name since the Bicycle
Name me one software company that goes out of their way to advertise or publicize their security problems. Microsoft certainly doesn't.
The holes are generally publicized by outside parties (like @stake and Secunia in this article) who somehow make their living finding these problems (1. find bugs 2. ??? 3. profit!)
We hear about MS's bugs so much because they affect so many people, there are so many of them (bugs .. and users too, I guess), and MS has made it plain they won't fix these problems unless there is bad publicity.
A colleague submitted a bunch of local exploit reports to Apple months ago with no reasonable response. I certainly don't read mail on my iBook.
Slashdot: Where nerds gather to pool their ignorance
Why do articles without facts like this one and the one recently circulating about European labels fearing Apple's dominance of the music industry suddenly hit the web and then are referenced ad nauseam by web sites?
Is there a concerted campaign here?
And why do similar comments like "security through obscurity" come up here as criticism when little or no real examples are shown via the article?
Is this place (and the web) being used for a FUD campaign?
hmmmm....
I know M$ is putting a lot of money in Apple. Maybe same way of working now ;) Ah well...
If you're a big fear mongerer here is an idea- don't do anything on a computer that is sensitive.
Don't cheat on your wife online, don't keep sensitive data about yourself or other people on a system connected to the internet, and those nuclear weapons designs you carry around on your laptop... try encrypting them or something.
...Another idea: Trust in your legal system! If someone really wants to get ya, I doubt it will be by hijacking your macintosh, try not to worry so much- it'll give you grey hair.
If an article is written that makes an assertion, and then completely fails to back up that assertion, then it is fairly likely that the article is not worth reading and is full of falsehoods.
Don't publicize such articles by posting them on Slashdot.
I find it humorous that it is stated Apple released 5 security patches for OS X, when in effect they released one security patch for different flavors of OS X. In all cases this is the same patch for 10.2, 10.3, and both server variants.
Considering Apple releases one security patch every month or two, I would hardly consider that as evidence of weak security policies.
How many different patches were released for XP within the last 6 months compared to Apple? I thought so...
Looking through Secunia's website - who I'd never heard of before reading this article HINT HINT - it appears as if Apple patched the very exploits the TechWorld article is harping on. This quote seems to have been blown way out of proportion by Kieren McCarthy:
He turned that quote into a slew of accusations about Apple being unresponsive over exploits and bugs. Man they're so unresponsive they provided me with a free security update not but a few days ago! Damn that Apple and their unresponsiveness! Maybe they'll release Quicktime 6.5.2 to unfix the problem they fixed of malformed Quicktime files crashing QT with the 6.5.1 update. I'm sure there are some real security exploits in OSX that are something to actually worry about. The ones outlined in this article...not so much.
I'm a loner Dottie, a Rebel.
You can root any Mac with nothing more than a DHCP server. This is by design, according to Apple, and will never be fixed.
Hear hear! Well spoken, Bruce!
I think what really matters is how secure an OS is when installed with the defaults. Windows is completely open... At least all the Linux installers I've used ask the user to create a root username and pass, then tell the user that they shouldn't usually log in as root and get them to create another user.
-Derick
While Apple seems to be patching fairly regularly, the last security update (the group of 4) was a little lacking in that it offered no explanations. Microsoft (which has gotten good at revealing weaknesses) at least gives a full technical explanation, often right down to the files affected. As I work in IT, I'm often left installing patches with Apple with no clue what they're doing under the hood (a bad situation to be in, but worse if we didn't patch at all). Fortunately, Mac users are a very small minority at my company. Also, the guys who are putting together some of the patches seem to be falling asleep at the wheel. The last Quicktime upgrade (33 MB) apparently includes 18 MB of the Quicktime logo for each language it supports: Not So Quickthinking on this page. That's just lazy work.
Who is to say that certain virus protection companies are hoping that virus infections in OSX start to become widespread. I know that most mac users do not use virus scanners, and the virus scanners that are available seem to only list windows viruses with about 1000 very old Mac viruses. To allow widespread security breaches promotes the creation of viruses, which in turn, promotes the creation and sales of antivirus software.
And whoever modded you "Informative" should have followed your links. The "white spots" problem is old news and doesn't affect the current line of powerbooks or the previous line either (which I own one of). It's like saying MS has jumped the shark in 2004 because Windows 95 came out so late. Thanks for playing, Fonzie.
Eww aah... five patches. Maybe Apple should have followed MS's lead from last month and rolled them all up into one patch to rule them all. :)
> I will mention that I've never heard of a mac worm, a root exploit that's actually been carried out against a mac, and so forth.
Now you're mixing two different things. First, a worm on the scale of blaster/sasser is not likely to happen soon on a Mac, if you look at how they spread: they just attack random IP addresses. Guess how often they'll hit a Mac. Spreading a Mac worm this way will be quite slow. The problem is mostly single root exploits. A remotely rooted Mac is possible, but unless it's a high profile site, how would you know about it? Do you think I'll make the news if my iBook gets rooted? Check this thread: you can get remotely rooted if AFS is on (meaning if you turned on Personal File Sharing). The lesson: don't let your guard down just because you're not running Windows.
"I think what really matters is how secure an OS is when installed with the defaults. Windows is completely open... At least all the Linux installers I've used asks the user to create a root username and pass, then tells the user that they shouldn't usually log in as root and gets them to create another user."
True enough, Windows out of the box has more services running that can cause problems. However I've yet to see a "server" that was an out of the box install. As soon as you start selecting which packages to install you are undergoing the task of hardening the system, this can be done on most operating systems to at least some degree. I don't find it too different to block ports at the firewall rather than at the service level. Just think of it as layer 3 vs layer 4 switching.
Immanuel Kant was a real pissant
Who was very rarely stable,
Heidegger, Heidegger was a boozy begger
Who could think you under the table,
David Hume could out-consume,
Wilhelm Freidrich Hegel.
And Wittgenstein was a beery swine
Who was just as schloshed as Schlegel.
There's nothing Nietzche couldn't teach ya
'Bout the raising of the wrist.
Socrates himself was permanently pissed.
John Stuart Mill, of his own free will
On half a pint of shandy was particularly ill.
Plato, they say could stick it away,
Half a crate of whiskey everyday.
Aristotle, Aristotle was a bugger for the bottle,
Hobbes was fond of his dram,
And René DesCartes was a drunken fart
"I drink, therefore I am."
Yes, Socrates himself is particularly missed,
A lovely little thinker but a bugger when he's pissed.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
It puts a smile on my face to see Apple getting ripped on just like MS in the press for holes in their OS. Me and you could argue all day over which OS is better or more secure or stable, but any person who visits this site and does not agree that if the market share was 1:1 there would be just as many viruses and worms for all the OSs whether they were Windows, OS X, Redhat, Lindows, or frigging Palm OS. I once read somewhere that if you printed off the code for Windows XP and stacked it in a pile, it would be taller than the Empire State building. Regardless of how true you think that statement is, it would be impossible to release something that large without massive holes and bugs. I don't care who you are and what you make, but when you do that much of it, and you have that many people touching it, there are going to be flaws. The bottom line is that all OSs require people like us to keep them updated and people like Symantec and McAfee to protect them. If you fail to do those things and put your machine behind a firewall then god bless you. I work for a Fortune 50 company and we got hit with Blaster back in the Fall of last year because we used SMS to release patches. No one actually bothered to realize that about 50 percent of our machines in the company had broken SMS installs. No one bothered to listen to me screaming during the meetings to turn automatic updates on, so we pay the price. Such is life, live and let die and fire anyone who is ignorant enough to not update their machines.
http://jayceecorder.blogspot.com
> Despite the article's assertions, no evidence of widespread security problems, or lack of effort to solve them, is offered. The only real question is Apple's lack of communication with the public in the nature of the problems.
I bitch a lot about Slashdot for its biased summaries and viewpoints, but this time I have to applaud it for sounding rational. If only this sort of calm, rational perspective was applied to all the articles posted!
Just felt like pointing it out. Good job in this instance.
He had to send his PowerBook back to Apple and was pretty pissed off at the result. And that's just one of his tirades about the dealing with Apple experience.
It's rumored that he ended up smashing the shit out of it in the end.
It really kind of turns you off to paying extra for the privilege of owning a Mac.
Apple didn't develop the patch on one day. @stake and eEye follow responsible disclosure policies. Apple has known about these problems for weeks, and the announcements were timed to follow the patches.
Apple is hiding the fact that this is a REMOTE ROOT exploit in Apple developed code. There have been issues before, but they have come from external projects, like OpenSSL and Apache. This is a huge deal, and if Microsoft understated the importance of a patch like this, Slashdotters would be all over them.
Microsoft's experience with this has made them too sensitive. Everything is "critical" now, which makes it hard for SysAdmins of hundreds of machines to tell the difference between "change window" critical and "shutdown the site and patch all night" critical.
Folks... I'll refute: there is no problem with the Mac. Trust me. It's all under control. Move along now.
Man, I haven't read such an obviously antagonistic bit of tripe like that in a long time. Mentioning 5 possible exploits which all require default-off services to be enabled, only one of which could lead to a system-wide compromise under 99% of normal circumstances, then calling "Sasser" trivial in comparison (sorry.. "a blip") is not only completely incorrect but is irresponsible journalism.
The AFS vulnerability, which is the only process in the whole list which runs under root privs, would require someone be running AFS (the Apple equiv of NFS) over the Internet. It has been known for a very long time that NFS is *ONLY* for internal trusted networks. AFS is turned off by default on Macs, and the vast majority of users (certainly almost all home users) would never need to enable it.
The Quicktime vuln would only affect files owned by the executing user. Certainly a pain in the ass, but not fatal or prone to "zombification" of your computer like Sasser.
The Apache vulns, IIRC, are of the DOS type (one is a memory leak condition). Irritating, but not critical, unlike Sasser.
Kieren McCarthy should be ashamed of himself for writing such a disingenuous load of crap as that article. Microsoft's history of disclosure and cooperation with security research firms is ** FAR ** from unblemished.
I have something in common with Stephen Hawking...
It seems that Windows XP and OSX were both inspected for security by the same person who was responsible for security at the Stalag 13 Prisoner Camp in "Hogan's Heroes". Both XP and OSX have more holes in them than Stalag 13 had.
It is sad to me that Apple is taking the same stance as Microsoft when confronted with big gaping security holes. Not considering it a big priority.
This only makes me want to move away from OSX and stick with Linux or BSD Unix instead. At least they put a priority in fixing security holes.
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
Three letter agencies are the biggest threats facing the world today. Parent has no credibility whatsoever.
The article cites Secunia, and provides a link. Secunia, in turn, provides direct linkage to an @stake advisory which discusses a remote hole in OS X arising from the handling of longer passwords, and says that the hole is exploitable. Sure sounds like pretty direct evidence to me.
With all due respect, this is much ado about nothing. Let's examine some of the claims:
* Some older vulnerabilities in Apache 2 can be exploited by malicious people to inject malicious characters into log files and cause a DoS
Who is running Apache 2? Are most OS X users running their own web server in the first place? This isn't an Apple issue. Anyone who is running Apache, which includes all flavors of Unix as well as Windows has the same issues, but of those, the 2.x tree?? A tiny minority probably not even worth mentioning. This isn't necessarily Apple's responsibility unless they've branded Apache 2 and offered it as some core feature.
* Two vulnerabilities in the IPSec implementation can be exploited by malicious people to conduct MitM attacks (Man-in-the-Middle), establish unauthorised connections, or cause a DoS.
Again, this is an OpenSSL issue, not an Apple issue, and it has nothing specifically to do with Apple. The circumstances under which this exploit would be taken advantage of are pretty limited. That's not to say any of these issues shouldn't be addressed, and maybe Apple should more accurately call attention to these vulnerabilities but they aren't really the issues justified by the FUD being spewed.
* A vulnerability within AppleFileServer can be exploited by malicious people to compromise a vulnerable system.
Ok, this may be ONE issue so far that is attributable to Apple.
* An unspecified vulnerability exists within the CoreFoundation when handling environment variables. This may potentially be a privilege escalation vulnerability. This has not been confirmed, though.
WTF? An "unspecified vulnerability" that "has not been confirmed"? Did the lawyers from SCO write this article?
* An unspecified vulnerability exists within RAdmin when handling large requests. This may potentially be a system compromise issue. This has not been confirmed, though.
More unconfirmed vulnerabilities? Nice FUD.
I'm here to make them your friend.
i dont have to worry about worms, viruses and exploits because im on a mac!!!!!!!!!!
oh shit..
> Secunia has given the five - yes, five - patches a "highly critical"
Is that all! My God Apple are doing a sterling job, I wonder how many good old MS have? Seriously, yes it is a shame that Apple doesn't write 101% perfect code but I think you will find that the average OS X user does in fact use the prescribed patches. As I have done today.
> This strange habit of pretending a big problem is of no significance was also displayed last month
Habit? Since when did Apple make it a habit of ignoring anything? Surely he must have meant Microsoft?
This article is utter, utter drivel. Yes it's important for Apple to keep on their toes, yes it's ultra important for OS X users not to be complacent. However this article is just endorsed flambé bait. I suggest Kieren finds another profession.
As one poster on the Techworld discussion board comments:
Your headline by itself is possibly even actionable as an untruth, maybe a slander - I'd be very careful, if I were you. I hope for your sake that you got it vetted by Techworld's legal department before "going to press".
I don't spend much time talking about my heart condition, so when people ask me about it, I give them odd looks, explain it away and generally dismiss it.
Mind you, I don't have a heart condition, or at least, not one any doctor has identified. I guess I *could* have one and just don't know it. Sure I do some of the things that could lead to a heart condition. Don't smoke but do drink. Don't eat fast food but do enjoy butter on my baked potato, that sort of thing.
I think that this journalist is trying to spread FUD about the Apple dying of a heart condition it doesn't have.
I only came here to do two things; kick some ass, and drink some beer...looks like we're almost out of beer.
Yeah, isn't it a shame when companies follow specs?
I read this article and thought it utter FUD. First the guy asserts that Mac OS X is rife with security holes, when really compared to Windows there just aren't that many. But it seemed his real complaint is that not a lot of people are talking about the security holes. I mean, in all honesty, why would Apple talk about the security holes, unless they were so plagued by them that consumers were continuously calling up complaining, there really is no reason to talk about a security hole.
Investigate it, acknowledge it, and patch it-- that's what I see as the typical course of action, even for Microsoft, and Apple does this reasonably well. In fact, most of my knowledge about the various Apple related security holes comes directly from Apple in their knowledge-base articles related to the various security patches. It's only randomly that I hear about a security hole that will also affect Apple from a third party source, before I hear it from Apple. But I'll admit to most of my security subscriptions tend to cater to the PC, for obvious reasons.
Also, it seems to me that Apple spends a fair amount of time patching security holes in the various open source solutions its using/tying in with Mac OS X. Which means that technically many of these security holes are also affecting Linux, and Unix machines as well. Like the security update from yesterday or the day before address issues in Apache, IPSec, OpenSSL, and CUPS.
The guy mentions the QuickTime flaw, which was patched weeks ago by Apple, per normal, in a quite automated QuickTime update. He then also mentions that "trojan" that never was. Basically a proof of concept idea that was published, but works technically not that much differently on a Windows machine. Basically, someone can change the icon of an application to that of an MP3 file, and run code when double-clicked. Did anyone besides Intego consider this a big deal, even Symantec scoffed at it, and scolded Intego, though they did duly post a low level security warning.
The truth is, to my knowledge Apple doesn't rate security updates. An update is either a normal bug fix or feature addition, or its a security update. Apple expects all its users to apply each of their security patches, and to the best of my knowledge has never used a security patch to ship in unwanted software or system changes. So why complain that Apple hasn't called the security updates a "critical" security update. The knowledge base typically includes who originally posted the hole/flaw, and the item number, so you can go read the details yourself, and look at the rating attribute.
Blah, blah, blah...isn't this just more of I'm looking, scraping, scrounging for something bad to say about Apple security. I guess, I'd be more forgiving, if the article actually focused in on the various security issues, as opposed to chastising Apple for what, not taking out a press release about them?
So Microsoft discovered a vulnerability, patches it, releases it. A few weeks later a bug, or virus, is written that uses the information given by Microsoft and it basically disrupts the internet, or at least major corporations. Why? Most people don't patch their systems instantly, or are becoming jaded to logging on every other week to a "Updates are Ready To Install" message in their system tray.
Apple issues updates to their operating system that include security holes as well, and usually just "theoretical" vulnerabilities. They just issue the update, don't detail people on what's being fixed, and in the end you have what appears to be a more secure operating system.
How can kiddies write a script to take advantage of a vulnerability if they don't even know what the vulnerability is?
So why is there even such a "discussion" or "commotion" about this? There isn't. These "Security companies" just want to be able to issue a press release with their name plastered all over it and can't do so with Apple. So they cry foul to ZDnet, or whatever, and now get their name mentioned in the press!
I remember reading the one article from a company called eEye and the guy quoted was labelled as the "Chief hacking officer." What "corporation" would have an executive officer named the "Chief hacking officer" ?
I don't think Apple is trying to hide security information. We simply don't hear about it since no one cares about it.
If you -really- want to read up on all the holes, bugs, and blips known to be associated with OS X, go over to Apple's support site and support forums. If there is a problem, or potential problem, with OS X, odds are it has been discussed over there.
The information is out there.
"Things are more moderner than before- bigger, and yet smaller- it's computers-- San Dimas High School football RULES!"
Let us begin: 2 of those 5 'highly critical' advisories, according to that linked page, haven't been confirmed yet. One does indeed wonder, if Apple is allegedly not taking them seriously and this reporting place is, why they are not in fact confirmed. Perhaps we can argue just as well that Secunia is doing a 'half-hearted' job at testing.
OK, now see how one can go off half-cocked? This is the statement from McCarthy: "Apple explained that it was "aware" of a Trojan horse that could be used to compromise its systems and was investigating it, but refused to say any more"
I'm not really sure what more one would want them to say. Perhaps "OH MY GOD THIS IS A DISASTER!" Well, clearly it's not. But if you want to hype it for an article, sure, whatever. Perhaps you want to know exactly when it'll be fixed. Good, let them give you some fictional date that they make up before they have actually investigated it. But hey, sure, you can hype in your article.
To be annoyingly pedantic, Apache isn't part of the OS. Additionally, most people don't use the (Apache) built-in web server. I should also mention that none of the 3 articles linked about the Apache problem are listed as 'highly critical' anyway. (2 moderate and one 'less')
IPsec ones... both moderate. So this leaves us with 2 unconfirmed, 2 moderates, and 1 left of privilege escalation. I can't say much about it as I don't know any more than the rather curt descriptions.
The really best part is what is claimed to be "Apple's half-hearted effort to these holes" links to a page on a security update for them. But hey, if you need to hype that a fix means nothing is being done because you have an article deadline... then sounds like you are doing a "half hearted" job.
We can add that the "trojan" they refer to requires that the file be embedded in an apple-specific disk image format and can not be triggered by a normal download... and anyone in a position to convince someone to run the "trojan" has plenty of other avenues of attack.
And that's the real problem I wish Apple would catch on to.
The biggest security problem in Windows is one that most people, and most "official" security announcement sites, don't even pay attention to... and that is the tight integration between Internet Explorer and the rest of the system. It still amazes me that people don't routinely pillory Microsoft for the way their cynical legal tactics to bypass their agreement with the DoJ have made IE and Outlook the biggest virus distribution systems in the world.
And the way Apple has integrated FTP with Finder and is increasingly using Webkit in basic utilities and applications really disturbs me. Web-enabled installers (that automatically run the installer on a disk image mounted over HTTP (!)) are a horrifyingly bad idea, and "fixing" one of the security holes by having the installer pop up a warning before it runs scripts in the package is just daft.
This is a much bigger problem, and like Microsoft's abuse of IE it's a basic design flaw rather than a patchable bug. If you're going to demand action from Apple, work on this instead of worrying about whether they played enough "mea culpa" cards when patching a buffer overflow.
>Microsofts policy is the holes dont exist, Apples is they exist and when we find them we fix them.
Compare:
microsoft.com/security
apple.com/sec
Which one is a security response site, with links to bulletins, patches, and descriptions of current incidents?
Which one is a page full of sales BS?
Hint: It's not what you expect.
but who really cares? Basically, virus writers have only one goal in mind: FAME.
Given that Apple only has 5% of the market share, spending your time writing a Mac virus is somewhat foolish in terms of investment/reward. Even if 50% of Mac users were infected with it, it would barely make the news because so few corporations use it.
It's when you talk about lost productivity and damage that viruses make the news.
Why don't go finish primary school before you open your cake hole?
If you are going to troll about improper spelling, at least do it in a complete sentence. Since you appear to have left out the target of your statement, I assume you were trying to say, "Why don't I go finish primary school before you open your cake hole?"
Specs like Kerberos, which Apple doesn't use?
- One is simply very quiet about security period.
- The other one makes a huge deal constantly about how they are improving their security, how they've changed their ways this time really and they're sending all their programmers to a 4-week course on how to not write buffer overflows, and windows is the most secure OS more than any of the competitors, etc.... while simultaneously trying to keep things as hush-hush as they practically can about vulnerabilities and publicly and loudly blaming public informedness about security vulnerabilities for the fact the security holes they wrote are being exploited.
One of these two companies is being silly. The other one is being actively hypocritical and duplicitous.
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
Apply Occam's Razor.
What is more likely - that somebody else (assuming the security firm that reported it didn't write Sasser) discovered the flaw, wrote an exploit, and released it within days of Microsoft's detailed report.
-or-
Somebody read the detailed report, wrote the exploit, and released it into the wild a few days after reading.
Hmm. I wonder. %)
# # #
That said...I second the idea that there's no good reason to essentially provide the blueprints of either fix or exploit to anybody but the reporting party.
I know there is some issue with "What if the company gets the report, but doesn't do anything with it ?" - in which case documenting the flaw may be the only way to 'force' a company to fix it. However, it may be more strategic to release bits of the flaw-documentation at a time, so that over time the likeliness of an exploit becomes higher - but only by those with enough knowledge, rather than every script-kiddie on the block. A company would likely (hopefully) provide a fix before a full disclosure of the flaw would be given, understanding that exploits will be released into the wild at some point.
Apple apologists are the most amazing bunch of people that I have ever encountered.
*Takes bow* Thank you so very much. We're all honored being the most amazing people you've ever encountered! :-)
When it was revealed that Apple sold a $300 super-walkman that needed a $100 exchange for a refurbished iPod & battery after a year,
Wait... Did you see a battery door on the floor model or something? At what point did the salesman tell you about a cheap battery replacement program? Oh, you thought, "I paid $BIGDOLLARS for something and now you owe me the world." Next you'll tell me the cigarette manufacturers owe you a lung transplant because they only had a warning label on the pack for a couple of decades before your disease.
Now the some bleating shit about security patches: "Apple is not revealing exploits to protect us"
What would your reaction be if Steve Ballmer got up and said "patches do not matter, we are withholding them for your protection"?
Apple is withholding patches? Wow, they must have money to burn, ya know, developing patches for the sheer joy of it. Every time a problem has become public, I have a fix via software update within a few days. What? They need to deliver a white paper on the exploit, complete with code examples and a root kit too?
The argument "Well, the CIA used NeXT, so OSX is secure" holds no water either.
Well, how about, "The core of the OS is wide open for your inspection and repairs, so knock yourself out." Show me the exploits.
I hear Steve Jobs is going to ask you to drink the kool-aid! Get your cup ready!
Flamebait.
Name one. I haven't heard of ANY viruses for Mac OSX. Not that you couldn't write them. Not that there are not security holes in Mac OSX, as in every OS. Windows in fact is not particularly rife with them, it is just that it is the focus of all the hackers in the world. There are plenty of flaws in Linux too, and proprietary UNIX, BSD, the lot. Apple, to their credit, frequently issue patches to their system. To characterise these as "serious" when they present the same level of potential threat as they do in Windows would be misleading and would just confuse their client base, which is WHOLLY different to the user base of Windows. To call a flaw "serious" at the end of the day is a value judgement. There are few if any "serious" security flaws in Mac OSX because with 3% of the computers in the world they are just not the focus of any security hackers out there. An interesting analogy: when Apple introduced AAC and it was only available for months on the Mac no one hacked it. Two weeks after they released the Windows version of iTunes it was broken. It's all a question of focus.
The last line of the article is "Apple's half-hearted effort to [patch] these holes can be found here. While Secunia's full rundown on the problems can be found here."
The first link goes to a very complete page that details Apple's security updates back to Sept 2003. It looks fully-hearted to me. This page states "For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available." Sounds reasonable.
The second link details a security notice that was released on May Fourth with some security issues. The fix is to dl the patch Apple released on the third.
Nothing to see here. This guy is taking a non-issue, spreading around some FUD and hoping that someone will bite.
Funny, Microsoft gets attacked at slashdot for taking too long to patch an issue, and Apple gets a free pass for ignoring them?
Well, I dunno, I think it's less that than just that slashdot is naturally reactive. They aren't reacting to Apple at all. They're reacting to the article. And this article is very poorly written. It goes into basically nothing except Apple's presentation in the ASU dialog box of update descriptions, while failing to give any hard data or really any evidence whatsoever as far as whether Apple is taking any amount of time to patch security holes.
If this guy had actually gathered some sort of hard data that gave an indication of whether Apple actually was taking excessive amounts of time to patch security holes, or whether people weren't installing ASU updates, or Apple was trying actually to hush up security vulnerabilities, I think you'd see a very different reaction. There was one time that Apple took a little bit too long to be reasonable to fix a security hole and when the slashdot story on the subject came out they were rightfully bashed for it. However in the absence of any hard data we're left only with the ability to respond to the article, and well, look at the article.. about the only response possibly is "poorly formulated, poorly researched rant".
Perhaps a good way to test your theory would be to post to the slashdot front page a really *bad* article attacking Microsoft's security practices and see if people agree with it or if they go "wait, this doesn't make sense".
I'm actually a moderately well known individual in the security community, but I'm posting this anonymously because, well, the subject line (and, I suppose, Author field).
I've been an Apple user, off and on, since the IIgs days. There's always been a good amount of zealotry about the product line, but what can you say? The gear is pretty good, and has a good reputation. Unfortunately, no small amount of that reputation is maintained through absolutely vociferous defense of any arbitrary behavior.
I'm not just talking about buffer overflows. When Apple's DHCP implementation made it trivial for anyone on the LAN (even a coffee shop wireless network) to remotely take full control of the machine, the response was not one of confident correction but defensive redefinition -- "It's not a bug, it's a feature, you unintelligent carbon rod." And when Apple became the first operating system ever to be exploitable via its generic text forms -- the response really was yet another circle-the-wagons-and-apply-the-double-standard. And in case you don't believe me about the obsessive, O'Reillyian hijinks going on here -- look at the Boingboing response to what's just an open-and-shut data/executable confusion vulnerability. "OS9 is vulnerable too" is not a defense. "But you need to GET the file first" isn't a defense either -- that is, um, sort of the point of a Trojan horse. "An antivirus company came up with this" -- no way, you mean antivirus companies actually try to find security problems? This type of alternation between non sequitur and ad hominem is par for course. And don't say it's always this way -- there's no other operating system vendor who either themselves or through their users reacts to security risks like this. Not Microsoft, not the various Linux distributors (who really are getting hammered), not Sun or SGI, and certainly not Theo or his security-obsessed users. Everyone else seems to have realized it's safe to openly acknowledge and repair faults. Apple is the exception. "Like pulling teeth" comes to mind.
People, this is technology, not politics, and I don't even like this kind of behavior in politics. The more apologism there is for Apple failures -- and yes, even the eternally scrappy upstart from Cupertino can screw up, just look at your Powerbook monitors -- the less likely we are to actually see what ultimately we all want, which is correctly behaving technology.
That's all I have to say on this.
I think you're looking for:
http://www.apple.com/support/security/
Which links to the list of known security issues (and non-issues) in KB Article 61798.
Damn, clicking that link to Apple's security site sure was hard!
"While Apple seems to be patching fairly regularly, the last security update (the group of 4) was a little lacking in that it offered no explanations ... As I work in IT, I'm often left installing patches with Apple with no clue what they're doing under the hood"
Apple's description of the patch was rather terse ("AppleFileServer: Fixes CAN-2004-0430 to improve the handling of long passwords. Credit to Dave G. from @stake for reporting this issue."), but it provides the reference (CAN-2004-0430) that provides full details. Admittedly, this did require a Google search, or reading the usual advisory lists. But it's certainly not hidden from anyone who wants the detail.
Enable 3D printed prosthetics!
Perspective: people are surprised by all the security updates that Apple releases. Fact: By default, NONE of the exploitable holes are available by DEFAULT out of the box. There are ZERO services running, so no remote vulnerabilities. ...which is a ton more secure than a Windows PC out of the box (and some linux boxes). The only time the Mac OS X system can be compromised is if the exploitable services are turned on. Most of these are exploits to open-source software such as Apache, OpenSSL, CUPS. Recently, AFS was patched and that isn't even running when you turn on a Mac.
I think this sums up the argument nicely.... so why were people still ranting about BS after 47Ronin posted it?
I'm not anti-microsoft. I'm anti-bullshit. Which means I'm anti-microsoft.
I am a little annoyed at how Apple never admits that its software actually contains bugs.
:)
Very often I see messages like:
"This Final Cut Pro update 'improves compatibility' with XYZ files"
(i.e. it doesn't CRASH when loading them anymore)
or
"This update 'reduces the chance of an issue' with XYZ hardware"
(i.e. it doesn't CORRUPT your FILESYSTEM anymore)
I do appreciate the frequent updates, I just wish Apple wouldn't beat around the bush. They use words like "improve" and "issue" to conceal the fact that their product had a major flaw. Probably their lawyers figured they could get sued if they ever admitted any kind of fault. (heck, I wanted to sue them when they shipped me a system with a DOA hard disk and refused to take it back
Funny, it works for me, then again, why let facts cloud the issue?
Intrigued that you aren't using the inline spell checking that is a feature of most Cocoa applications. :)
My other sig is extremely clever...
"Despite the article's assertions, no evidence of widespread security problems"
How widespread could the problems really be? I mean... When you only have 3.2% market share, it's not like the problems affect *that* many consumers.
I currently have no clever signature witticism to add here.
My point being that, first off Apple might want to be quiet about it because the majority isn't affected, and second the vulnerabilities aren't nearly as integral to the OS as most windows vulnerabilities are.
My apologies if this is redundant.
Ahem... The article mentioned Apache2. OSX does not have Apache2 bundled with it. AFAIK Apache 1.3.29 is bundled with the 10.3 install last I checked. Correct me if I'm wrong.
Connect the dots and draw your own conclusions as to why the author of the article would even mention software that has nothing to do with the OS in question.
So by that one can say this -> "I wrote a letter of complaint to McDonald's because I choked on the rotten pickle in my Whopper w/cheese."
'nuff said...
...on the "best" over to your shops then, of the three?
...publish the info about the exploit when you publish the patch. Even if you do not publish any info with a patch, the patch itself is what is reverse engineered to create an exploit. The descriptions that come along with patches are largely ignored because they do not provide nearly as much info as just reverse engineering the patch.
I think, therefore iMac.
You can make the case that more variety of OSes will reduce the severity of viruses and will make it a little harder for a virus to spread, but with the Internet effectively linking together millions of machines, a Mac OS X virus can (and will probably) someday spread itself around. Marketshare and/or user base really doesn't matter that much. Until someone finds a gaping and exploitable security hole in OS X that rivals the stupidity and shortsighted nature of those typically found on Windows, I'll continue to believe that.
--Rick "If it isn't broken, take it apart and find out why."
Typical. Fail to follow the sheep, time for slaughter.
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
This is FUD. Apple doesn't owe it to their customers to explain security holes. Why would they weaken their position so? Just keep quiet about it and fix it. And most of the security flaws of late were in third party packages that Apple didn't write.
The article has a sensationalist headline and it says that the OS X security holes, which never made it beyond proof-of-concept, because they were patched quickly, are more dramatic than SASSER, which has cost millions of dollars and possibly a few lives by knocking out banks and other financial institutions and the British Coast Guard. Holes that were never exploited and that aren't even exposed OOTB are worse than SASSER? Doesn't this fact prove this to be an agenda-driven article?
If not, then consider that @Stake, one of the cited sources, is Microsoft-owned and notorious for self-aggrandizing FUD designed to promote their services.
This reminds me of the FUD about an MP3 "trojan horse" vulnerability, which was blown way out of proportion as well. Such a theoretical virus was billed as an OS X vulnerability when it would in fact work in Classic as well. They tried to make a big deal about the fact that it was no longer safe to just double click on some file you downloaded. When was it ever?
(%i1) factor(777353);
(%o1) 777353
This is probably one of the worst examples I've seen of double standards at work.
Would you rather have a company tell you there is something wrong with the product than just shove the dirt under the carpet and pretend like nothing is wrong? I'm sorry, but Microsoft might not have the best reputation in the world, but at least they're not hiding the fact that security issues exist with their products. And here's a wakeup call to all you asshats that run around thinking things such as, "OH LINUX IS SEXURE!! ROX!!" Congratulations, you're retarded. Can you back that up? No, you can't.
If this was an article about Microsoft, it would be exactly like, "Oh, Microsoft at work lying to users!" Same old, same old. Cut the crap, face the facts, and accept it when people say no operating system is secure. Not even OpenBSD is secure (granted it is safe from remote attacks, however once you have an account, it's a playground). And you know what? It's not even an issue of security. Honestly, I've never had a problem with Microsoft and/or Windows. I've been using Windows since the days of DOS and Windows 1.1. Not *once* have I had a security issue.
Frankly, I wonder why you would rather have a company beat around the bush with you than come out and tell you that something is wrong. How exactly are you supposed to judge a company on how well they do when they don't even have the balls to admit to their problems?
So......
Apple and Microsoft are both big corp. entities;
as such the downplaying of security issues would be expected.
This strongly biased end user and multi platform support professional would like to add his 10 cents worth.
1. Apple and Microsoft both have services with discovered and yet undiscovered flaws.
2. Apple and Microsoft both release security patches to address those flaws typically when *discovered*.
3. Apple tends to patch these flaws *before* they become a problem for the end user base, discovery is typically done by the open source community on which many of these flaws were inherited.
4. Microsoft tends to patch these flaws after the end user base has brought the problems to their attention, discovery is typically done by the end user base under extremely painful conditions.
5. Apple and Microsoft both have mechanisms for priv. separation, both suggest using them, only one really practices this at installation time (you guess).
6. Apple tends to use defaults that reduce system risk while increasing end user ease of use (sometimes this leads to potential damage).
7. Microsoft tends to use defaults that are historical in nature while increasing system ease of use (scripting host, macros, com and wins?) but also tend to expose the end user in methods not easily understood by that end user.
Where am I going with this? this article is obviously a troll.
When asked about platform preference I suggest using the tool that is right at the time and place of need.
i.e. no money? linux and x86
i.e. money? modern mac hardware and OS X
i.e. you paying my bills? Solaris/Sparc Windows/X86
again, biased but hey!
Unix, an obscure operating system developed by bored researchers in an attempt to get a better game playing experience.
I rather doubt you really know the full details of what is going on under the hood in any operating system (unless you are an OS developer) and it isn't really necessary most of the time. Only when a problem occurs and then you investigate. IT support is hectic enough without wasting time on fine details. The details that Microsoft supply ... I would rather have Apple test that the patches are good rather than focus on saving a few Mbytes.
do not help fix a rather dated and insecure OS model.
The complaint about the Quicktime logo is a rather trivial one
You're a fucking tool. I guess that's why Microsoft tells people to update their systems, run firewalls, run antivirus software, and dumps time and money into Windows Update? Good call.
Microsoft has a policy to release free updates. Apple has a policy to charge money for their updates.
McCarthy seems to be quite the yellow journalist.
The "trojan" hype turned out to be about a neat little bit of icon and file type pasting on an application that also contained mp3 data, and not some real worm or the like. But here McCarthy is, still trumpeting it as if it were a big problem. The rest of his hype is of similar significance.
I know there are black hats out there with dozens or more exploits for Mac OS. Why doesn't McCarthy track them down and do an article on the real holes instead?
Well, we know the answer, I think. That would take journalism. It's much easier to FUD it up than get real facts.
You're right, it's very often the case that worms and such are exploiting vulnerabilities for which Microsoft issues patches long before. However, there are a few reasons that's the case.
1) My very-non-expert understanding of Microsoft's update mechanism is that there are several semi-overlapping systems which are relevant, and that some or all of them do not default to running automatically. (I've never used Windows myself, so it's entirely possible that I'm mistaken about this. It's the impression I've acquired after listening to many Windows users.)
Contrast this to Apple's Software Update tool, which defaults to checking for updates once a week, and handles all hardware and firmware from Apple. It requires explicit permission from the user to perform upgrades, but it does take the liberty of downloading "important" updates before requesting a final go-ahead, making it as painless as possible.
2) Microsoft's patches have a pretty high incidence of causing problems for previously-working systems. My understanding is that this is often related to a very inflexible shared library system which encourages third-party developers to overwrite standard system DLLs with their own versions left and right, predictably causing problems upon future update.
While it is absolutely the case that updates from Apple occasionally cause problems, it seems to be relatively rare. I personally have no qualms about simply agreeing immediately to any update Apple offers me; I've been doing so for five years now, and I haven't had any cause to regret it yet.
So, yes, a very high percentage of systems out there are lacking patches which Microsoft has made available. But there are still some senses in which Microsoft is very responsible for that being the case.
"Apple's half-hearted effort to these holes can be found here."
Looks like TechWorld just need to patch their sentences.
Apple has known about these problems for weeks, and the announcements were timed to follow the patches.
Months actually.. this hole was discovered in February. It took Apple 3 months to patch it, and when they did patch it, eEye called foul because Apple neglected to tell anyone that if you don't apply the patch, you are vulnerable to a remote root exploit.
From the article:
Secunia has given the series of patches a "highly critical" rating, which it explained was due to the Apple's dismissive attitude to one of the holes. Secunia described a vulnerability within AppleFileServer that allows for a buffer overflow as an attempt to "improve the handling of long passwords", but security specialists @stake warned that it could lead to the full system access.
These were the same guys who fired one of their employees because they had the temerity to say something bad and substantial about Microsoft.
Link.
Pretty FUDdy article to me.
It would seem to me that withholding specific information about what's being patched (ala the open source movement) would be a necessity in a mass-consumer market where closed source is involved. I'm surprised MS doesn't do more of the same, as it would likely decrease the number of worms released - if not the frequency.
If you're going to use the MS-method of "security through obscurity" you might as well do a good job of obscurity. The open source "many eyes make all bugs shallow" ethos are quite similar, really. With few eyes, all bugs are obscure.
Security through obscurity is a good method of protecting yourself against mistakes that would be plainly obvious, were the source available. By not telling the person specifically what's being fixed, they avoid a fairly large vulnerability - they're basically saying, "There's a problem, but we fixed it" - a hacker would still have to figure out what the issue is. MS doesn't tend to do this.
I imagine MS would go more the route of apple, if they could. It seems as if MS updates break more often than MacOS updates. Combine this with the fact that MS stuff has a much larger deployment - particularly in business environments - and you run into a scenario where those that need to upgrade the systems need to know what's going on, at least to some degree.
I wonder if things would be different with Apple if they had a large industry deployment. I suspect they'd offer a special contract for such information, so as to prevent such hassles for the IT folks employing Apple tech, while at the same time trying to cut back on the "in the wild" information.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
Yeah, well I've seen some of the exploits available for OSX that are not public. Most are either because apple has not fixed them yet, or because the people who found them don't want to get egg on apple's face.
But the holes are there, I've seen them.
Then again, I've seen way more unreleased stuff for windows. You think your windows boxes are secure, they are not. But OSX isn't a whole lot better.
Well, ummm... they have been competing with Microsoft for decades haven't they? What is one of the top complaints people have with Windows? Security flaws! Therefore, Apple wants to keep a closed mouth about their flaws. Seems simple logic to me
Hypocrisy is the 8th deadly sin.
I'm not exactly sure how one hides published problems on public sites.
Can you clarify?
Right, the fact is that you can root an OS X box with a DHCP server.
Uhh, you bitch that Apple doesn't tell you enough, yet you mis-read the article about Quicktime that you cite as an example of how Apple's patches are somehow defective. The article states that the QT patch is 33MB, the installer is 18MB, the internationalization stuff 15MB. I know. I know. All those numbers juz kinda run together when you're an IT professional.
Instead of "claiming" that OS-X has a horrible security issue, with practically no proof to back that statement up, I'd really LOVE to see an OS-X worm. In fact, I would put up some money to the author of such a worm. Because up to this point, there has still been 0 serious security problems in OS-X.
I do tech support all over So. CA, for mac and pc clients. And I have made 10x as much money from running to the PC client's LAN and ridding it of worms, spyware, and such, than to my Macintosh clients.
I've been using OS-X since the original OS-X Public Beta, and have proudly upgraded ever since to the latest version (10.3.3). I seriously laugh at anyone that attempts to dog on OS-X's security (well, lack thereof). I am proud to be able to take my 12" Powerbook G4 anywhere, and fix/troubleshoot anyone's computer or network without worrying about getting a virus, or worm, or anything.
I easily back up friends' and clients' PCs through firewire and OS-X (w/ NTFS Addin for Pre OS-X 10.2) and reinstall their system in a heartbeat, without worrying about getting a boot virus, or prefetch virus (what a pain!) or a random piece of sh*t adware software.
I am proud to own a Mac. And yes... I really do LAUGH in the face of anyone attempting to put down the Mac, when their reasons are 99% crap. (unless of course they are talking about playing games!)
In conclusion, I really would love to see an "outbreak" of a virus for OS-X. This happens DAILY for Windows. This event might actually let some reporters report that OS-X isn't so secure. But... until that day my friends... read 'em and weep.
Viva la OS-X!
- Insolence (Mac User/Evangelist)
I know this is slightly off topic but reading this article made me think it would be nice if people could clearly identify as part of their account i) They are a Mac freak. ii) They are a Windows freak. iii) They are a Linux freak. iv) They are just a freak. Then you could easily filter out those people who weren't just freaks. I mean geeks.
The most used product will always have the most exposed flaws.
Apache has demonstrated this is simply false.
Tweet, tweet.
Apache2 doesn't come with the consumer version of OSX, but OSX server does use it afaik.
I don't know if it's turned on by default there, either.
You don't see net viruses for Mac, Linux or BSD because you can't guarantee there are enough machines visible from an infected machine to sustain growth.
With Windows, it's easy. You're more likely than not to find another machine like yours. Hence the effort of writing a virus is merited to gain control or create disruption.
With everybody else, it's more a case of "Oh, I found XYZ machine, I wonder how I can hack into it". It's an aberration. If you did write a virus, it'd probably not be useful except in certain corporate settings where they standardize on an OSX config or Linux distro. So it'd be for a private endeavor, you wouldn't see it on the Internet anyway or hear about it @Sophos or Symantec...
Thus you treat it singularly and special case it. The black-hat hacker puts the IP addy in his little black book.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Yeah, those damn companies. Bad bad bad! You think you can hide these inexistent flaws? These null security holes!? You think you can keep the public from these VULNERABILITIES that... we haven't found yet?! I say no! WRONG!
YOU will pay for your treacherous hiding of non-existing security holes. Just picture it: Some day, a non-existent hacker will get on his non-existent computer and create the ultimate blank computer virus and you'll see! Oh-hohoho... THEN it'll all come crashing down. You know it'll happen!
I'm going to go use Windows, which I KNOW has too many security flaws to count, and I KNOW will fail me at the drop of a hat. Go back to where you came from because I know I'm using a product that has REAL flaws. Bah!
I am NOT a number! I am a - oh wait, I'm number 761710. Look! 761710!
Which is by DHCP spec design. Have a problem with it, complain to the people that wrote the DHCP spec.
Strictly speaking, you're right. But viruses can spread so quickly these days that a lower hit rate would merely mean a Mac virus would spread over several days instead of several hours - and might be harder to detect since the total impact on network traffic would be lower.
Clear, Dark Skies
Good comment. I had a teacher that once said, "It doesn't matter what OS you run, it's only as secure as the admin."
"a lot of RIT's art students haven't a clue how their computer works"
That's nothing... a lot of MIT engineering students don't have a clue how girls work. Laugh all you want, but the chance of these best and brightest minds being able to breed is remote at best.
As for charging money for updates, they only charge for MAJOR OS updates (like going from 98 to Me to XP which Microsoft charges for as well.) Security and enhancement updates are free and frequent, the minute something becomes known they release a patch. Far cry from Microsoft who make an OS that will need a 4GHz processor to run according to inter Microsoft memos and who take their sweet ass time to release it when Apple can code BETTER software and add new features in a year. Panther is almost a totally new OS from Jaguar, as Jag was from X.1 Heck XP still has 1 service pack and Panther has had three in a year and Jag and X.1 even more.
Go back to your Unreal game kid and let the grownups talk
"Slashdot, where telling the truth is overrated but lying is insightful."
An artist understands how their tools work. A violinist can tell you how their violin works and do minor repairs.
A painter can probably make their own paint.
A sculptor is probably pretty mechanically adept.
But a graphic designer doesn't know how their tool (computer) works? Sounds more like an illustrator and less like an artist to me.
Unless your hedge trimmer runs sendmail, you missed the point. Why would you open up a port? Because you had a specific reason to, right? So you would know what the hell you were doing. Compare to the average Windows user (still running SP1) who has no idea they are running a print server. What's more, all the controls are in one window in the "System Preferences" and so I can go and see exactly what ports I have open on my firewall at any given time--and change them with a simple click of a box. Where is the Windows equivalent?
You're right. Actually after a bit of digging it appears that both 1.3 and 2 are bundled in 10.3.
Now the question is which one is default when you enable web services? My guess would be 1.3.
--> http://vyruss.cjb.net/computing/FUD_essay.html
It's a bit long but this excerpt in particular seemed to relate perfectly to the subject being discussed:
That would be every single Windows user. All Windows versions.. at least all that are from the poisoned NT tree, actually make an RPC call back to themselves when they log in. If you disable RPC on a Windows box.. the box can't authenticate LOCAL users! How's that for clever design?
I'm not feeling witty so bite me
How many network ports are open when you install Mac OS X? NONE. Not one. Buy a Mac, turn it on, put it on some network, run any port-sniffing utility against it, such as nmap from another machine, guess how many hits you get back? NONE. NOT ONE.
Now. Look at Windows. For years M$ has wanted to facilitate the life of LAZY corporate network administrators and enable all kinds of services out of the box upon installing their operating system. This behavior has been "inherited" even in the more "personal" versions of Windows.
NO OPERATING SYSTEM IS SECURE IN ABSOLUTE TERMS. Apple never made such claims, neither are Mac OS X users fooled into believing so. Security vulnerabilities are a fact of computing.
The key here is that security works in LAYERS. Just like Ogres and Onions, security has layers: Network, Operating System, Applications, User Education among a few.
Various practices promote better security at various layers. Apple has consistently been better at this than Microsoft ever has. Let's look at a few random considerations:
In OS X, software updates are handled thru a dedicated software update program that functions within user-level permission constraints. On Windows, you open your fucking web browser and go to windowsupdate.com to upgrade your computer, while the software installation happens INSIDE THE FUCKING BROWSER, all this made possible thru this security-holes-ridden framework called ActiveX. Now, try to educate users to NOT click yes on ActiveX warnings when they're about to download "this really cool screen saver"?
Most windows installations have for years at least enabled file sharing by default, and various pieces of other crap running on port 139. Web sharing, IIS, web-based admin, RPC, the list goes on.
The core pieces of OS X that are affected by security considerations are open-source, part of the Darwin framework. While security holes will always be popping-up, this approach to operating system development and maintenance promotes maturity and better security.
Since Apple has fairly nicely layered its security model in its operating system, the impact of security holes is typically less dramatic. Most of what this article is accusing Apple of is not publicly screaming "OH MY FUCKING GOSH THERE ARE A BUNCH OF HOLES IN OUR SYSTEM". Indeed, they sometimes put a bit of a spin and don't feed rumors any further. Just because Apple doesn't return calls from sensational-headline-hungry journalists, does not mean they're not actively working with the people they should be working with: Security experts. Just look at Apple's release notes. They're doing exactly what they should be doing: citing advisories outlining the security holes for anybody to look them up, and publicly acknowledging and thanking the people who found them.
Kieren McCarthy's article is ridden with fallacies, here's one of my favorites: "In other words, it makes Microsoft's current Sasser problems look no more than a nasty nip". I rest my case.
Extraordinary Vacations. Exceptional Prices
Not that it isn't insightful, but it *is* funny too.
... I guess I better add something other than an MPU request)
(awww crap, can't post AC because I am in the UCSB subnet and some of my classmates are jackasses who cause AC posting to be disabled. JERKS!
As pointed out by others, Microsoft does release their patches for these worms. People just aren't updating.
Beyond the first fault (releasing software with holes in the first place), what are they doing wrong? They are releasing patches. They are advertising the fact that the patches are important. They have changed their windows update page to be more informative (the 1,2,3's of making sure your computer doesn't rape and pillage the internet). What more should they do?
Network Security: It always comes down to a big guy with a gun.
There was a little bit of tooth-cutting on an Atari 520ST, but the first computers I used very regularly were macs, and I eventually ended up with a job doing mac desktop support. After a few years of spending time with macs only, I started using and adminning linux. Redhat 3.03 was my first, newbie that I am.
Then for quite a while I was very torn about the two. Linux was clearly the sane choice for servers, but I found that they each frustrated me in about equal measures as a workstation. I went back and forth between running macos and linux on my macs. (Well, and a little beos.)
So when macosx was released, it felt as if it were written pretty precisely for me. There are still a few ways here and there in which it's not quite as good a unix as linux is, nor quite as good a desktop as paleo-macos was. But being almost as good at _both_ is truly a whole greater than the sum of its parts.
Honestly, Windows never even came into it. By the time I had enough familiarity with computers to be able to make any kind of judgement about platforms, it seemed very clear to me that Windows users were pretty regularly unhappy, and struggled with things that I'd just always taken for granted.
So, my bug was fixed in software that doesn't exist. At least they told me.
And I'm more amused than annoyed. At least one can submit bugs, and they generally have fixed all of them by the next major release. But open and communicative...not really.
Please note that I've had my subnet temporarily banned from Slashdot a couple times for posting "trolls" such as this. Is it still a troll if it's funny and leads to an interesting conversation? I like to post stuff that's borderline +5/-1, and the difference between the two is a lot less than you would believe--at least for me.
Must've been low on site traffic. Can't imagine that an article entitled "Microsoft Windows full of security holes" would've generated many hits ...
In my personal experience there are two types of Mac users in the world.
- The people that know what they're doing and can fix almost any OS issue they run into
- The people that don't have a feck'in clue, even if they lived on clue island.
In comparison Windows users seem to be very different
- Know what they're doing and secure their boxes to the last
- Middle ground some stuff
- Don't know how to install a program, find it hard to use basic Windows functions such as closing down their PC etc
- Those people that use Windows but should be banned from using it because they're a danger to themselves
"WebTV: bringing the Internet into the shallow end of the gene pool since 1995" - Martin Bishop
From the second link (title):
" State networks shut down by Sasser worm "
From the first link:
"Secunia has given the five - yes, five - patches a "highly critical" rating and warned that they may allow hijacking, security bypass, data manipulation, privilege escalation, denial of service and system access.
In other words, it makes Microsoft's current Sasser problems look no more than a nasty nip."
"There isn't a worm exploiting the holes as yet but the company is strongly advising users to download and install the patches as the OS looks like an easy target at the moment."
Riiiight.
I love it when moderators make my point for me.
'nuff said! ;-)
IMAGINE if they ALL had gone out of their way to login with admin privileges and had ALL enabled some network service on ALL the Macs for some reason, and imagine that this very particular service that is disabled by default (they all are in MacOS X) actually had an exploit and they had NOT applied a patch and someone had made a worm for this security flaw and let it loose... ... then something scary might happen !
Maybe we deserve this world ?
"...I've never heard of a mac worm..."
How about the Autostart worm, which relied on the Quicktime "AutoPlay CD/CD-ROM" feature? I believe there was another worm (distinct from a virus, of which there are about 60 specific to the Mac, none less than about 7 years old), but I can't recall the name.
"...a root exploit that's actually been carried out against a mac..."
OS X has as many exploits as BSD, OS 9 & earlier had very few exploits indeed; in both cases, however, no security hole could be exploited by simply VIEWING an email, it actually takes some skill on the part of the attacker.
"But maybe there's some sort of story about Apple being a little behind on patches occasionally."
That isn't what the article was complaining about (although, I would point out that Apple rarely takes more than a week to patch serious problems found in the OSS parts of their package, not up to 18 months).
A point about Techworld (and all other PC journalism) is that they are all sponsored by advertising for...guess what?...PCs! Considering the unethical ways Microsoft have been proven to act, it would be no surprise to me that Techworld (or the journalist concerned) may have been told that unless they publish [n] articles per year denouncing alternative operating systems they will be excluded from future press releases and product previews (that's a non-trivial threat in journalism, but one MS is entirely within its rights to make). In fact, hasn't Microsoft had its knuckles rapped for this kind of thing in the past...?
"Internet explorer is in fact part of explorer.exe, the windows shell."
The first time I read this sentence, I didn't see the "S" in shell.
Okay, I'll put my Mac bias away now...
by someone who had learned of the hole thru Microsoft's technical explanations of an old hole, I don't see why such a level of detail is a good thing.
Clear, Dark Skies
There are two kinds of generalization:
/. editors do have an obligation to inform their readership when an article is simply someone's unsupported opinion rather than well researched, verifiable information.
The insightful ones (mine), and the plain stupid ones (everyone else's).
But I agree, the
Unsupported opinion is what the comments are for.
I can remember reading articles six years ago begging M$ to change this policy. What did they do? Nothing. For those of us, subject to the law, that's negligence or endangerment or at the least, gross irresponsibility. So, at this rate maybe we'll be able to disable html and active scripts on outlook before the next ice age.
Jerks! So much for we listen to our customers.
Democrats and Republicans only disagree about how to enslave you
Wow, now there's a turn up for the books! Apple actually denies that there are any problems and that everything is perfect in Mac-land? What is the world coming to???
XML is like violence. If it doesn't solve the problem, use more.
It seems like the article writer seems to think that patches themselves are bugs... I was under the understanding that those problems are fixed by the patches, not exposed...
In other words, it makes Microsoft's current Sasser problems look no more than a nasty nip.
Okay, you just can't compare local, turned off by default (for most of them) exploits in OS X with a worm on XP that infects a service that CAN'T be disabled, and opens a REMOTE SHELL and FTP server. I mean come on, anyone could nmap their local subnet on the internet, and destroy at least 10 Windows computers by using those remote shells.
Oh, and a previous poster said they don't like downloading 50MB updates from Apple. Well, as far as all the updates I've gotten (going from 10.2.1 to 10.3.3), only actual system upgrades were bigger than 10mb or so. Security patches are usually small (1mb) unless they're QuickTime related, in which case they can be a couple of megs. But even 10.3.2 to 10.3.3, which gave us new iPhoto, iCal, etc. was less than 50mb!
If you want to experience shared library hell under linux, just ;-)
rpm --upgrade --force glibc-new.rpm
Impossible to cure, at least for me.
There are various files changed and the old versions are not around anymore, the version of glibc.rpm that the distributor shipped tells me about a conflict when I try to --freshen files.
All the files changed have to match.
Now, before you tell me, let me say this: using --force is considered bad practice under linux, but is standard procedure for windows.
The following are just random thoughts, please stop reading here unless you got lots of time.
---------
I knew that "force" is bad, but I figured if it told me there was a conflict in only one file, I could try it and would only break one or two applications. Wrong. Well, first rpm died, then I somehow fixed that, right now vi dies. Lots of stuff still works.
I've been advised to just re-install, but I've already tweaked the distro in some places, because the default didn't understand that I used my cd-burner as an (install-from) cdrom, and I'm not sure the new install will treat my ext3 and reiserFs nicely. Or maybe if I build glibc myself, will the configure/install be smart enough to understand my system ?
Or should I just re-compile vi and every program that I need ? Well at least there is the option to do this with free source.
It would be nice to have an rpm --undo command, which reminds me that it would be nice to be able to tell your unzip to remove the files it just has unpacked.
I'm still trying to figure out what people mean by 'social skills' here.
Of course Apple systems are uncommunicative. All those Sasser and Blaster worms are Windows code only, so Apple systems are not spontaneously contagious to others. The only way the disease could be passed on would be if someone manually forwarded the e-mail.
The Artist stereotype Mac user is getting really old. Many of your artsy types are the die-hard Classic Mac OS users and are being dragged by their toenails to OS X. IMO, OS X is allowing engineers, scientists, and other techies to "come home" to the Mac. As seen on Slashdot, a lot of real geeks are also taking to it because you can get the best of both worlds.
Umm. Carbon maybe, but cocoa is an API with very little underneath it until you run flush with Carbon, Quartz X, and the BSD subsystem.
If you're really curious about the underlying strata, GNUStep has a fairly good copy.
While TFA seems pretty lame, there is a related issue that I think Apple should be taken to task for. That is, security updates should only patch security holes. They should never, never, never be used to roll out new functionality, or worse still cripple old functionality.
What I am ranting about is the fact that QT 6.5.1 crippled the QT APIs. Per iVolume, "Apple crippled all programming interfaces of QuickTime 6.5.1 so that applications have no chance to get hands on decoded audio data of songs in copy protected AAC format (extension ".m4p") even though the computer is authorized for the corresponding song." This is true, I checked.
My main point here is not to flame about DRM (though that's always fun) but rather to point out that Apple has used a security update as a trojan horse to remove valuable functionality from my system. I, and anyone else who cares about certain iTunes-LAME functionality or iVolume functionality, am stuck between the devil and the deep blue sea -- either install Apple's trojan and lose the use of these tools, or not install it and leave a security hole open. (N.b. I'll be quite surprised if those are the only two affected apps; they're just the ones I have personally confirmed to have been broken.)
It's irresponsible, short-sighted and just plain stupid because if they pull too many stunts like this their customers will stop trusting them and will hesitate to install "security" patches for fear of what other surprises they might contain (sound familiar?).
eEye and @stake contacted the Apple security team after finding these bugs, and coordinated the timing of the announcements to follow the availability of the patch.
The controversial part of this practice is when the software vendor stalls the fix (which always happens). At what point does @stake go public with a vuln? Three months? A year? There are guidelines that all of these organizations have agreed to, but they aren't legally enforceable, and so there is a lot of gray area in how long a company can wait to release a fix, and how they must classify it afterwards.
Forgive me, but who is Kieren McCarthy? And how can he prove the existence of something that he by definition cannot know anything about?
And why does this always happen whenever Windows gets the shit kicked out of it?
Kieren McCarthy, whoever you are, I am sure this comes as no great news to you, but 1) you are full of it; and 2) you're a dupe - perhaps a paid dupe, perhaps an unpaid (and therefore even more duped) dupe.
My argument is only anecdotal, but even as such it offers much more substance and evidence than this charlatan.
I have never - and I literally mean never - come across a company so freaking security conscious as Apple. I mean, these guys are out in front and thinking and preparing for possible security vulnerabilities waaay down the line - years ahead.
All you have to do is read the programming tutorials to understand this.
And their grasp of Unix is excellent. These guys really know security, and for them security is a top, if not the top, priority.
Exposing a bug in OS X gets you an immediate response - and by 'immediate' I mean 'immediate': within a couple of hours at the most. And the contact you get becomes a liaison between you and the development team. And even more impressive, they actually keep after you to complement your information so they can get to the bottom of it.
Now honestly, Mr Kieren McBullshit, who else does this? Eat you know what and do you know what. You should be ashamed.
There used to be a time when Apple traced every hardware flaw back to the design phase - and corrected it. This thinking they have today about software and security echoes that type of thinking.
You might accuse Apple of many things, but lax on security is not one. My information is only anecdotal, but it's more than good enough for me: in terms of security, Apple are simply best.
So crawl back into the woodwork, Mr Microslave, until next Windows gets walloped by a simple hack written by a teenager sitting in his underwear at his computer halfway around the world.
We'll be waiting.
Well thank you for an actual thought-out post. And I see your point. It's certainly a dancing game. Of course this is less 'hiding' and more 'managing'. And as this whole thing started the lie was that Apple was being unresponsive. This seems to be clearly untrue.
Also about when does a group decide to 'go public' with bug info? Well it seems to me that merely not getting a fix from the vendor is not a good enough criteria. I would think that there would have to be imminent risk of severe exploitation, or active exploitation that people would need to know about to take some kind of alternate action. As I said elsewhere magically calling 'critical' an unconfirmed 'moderate' issue because you want to write a story, makes it look like you have some kinda axe to grind. Not to mention you look like a fool when someone decides to dig deeper.
up to this point, there has still been 0 serious security problems in OS-X.
The reason Macs have generally escaped the dubious attentions of bored script kiddies and social engineers is because the market share of OSX is so damn small that it's not really worth messing with.
I'd see an increase in attacks targeted at OSX in fact as evidence that Apple was growing their market share. I note that the first big Internet-wide worm attack affected mostly BSD machines. The popular perception of "security" on the BSD/Mach-based OSX comes about not through inherent invulnerability and system-hardening but is a simple product of benign neglect by the world at large.
Da Blog
Apple doesn't owe it to their customers to explain security holes. Why would they weaken their position so? Just keep quiet about it and fix it.
The reason Macs have generally escaped the dubious attentions of bored script kiddies and social engineers is because the market share of OSX is so damn small that it's not really worth messing with.
I'd see an increase in attacks targeted at OSX in fact as evidence that Apple was growing their market share. I note that the first big Internet-wide worm attack affected mostly BSD machines. The popular perception of "security" on the BSD/Mach-based OSX comes about not through inherent invulnerability and system-hardening but is a simple product of benign neglect by the world at large.
Da Blog
And the other 3? Apple should at least point to the relevant advisory.
I've never heard of a mac worm, a root exploit that's actually been carried out against a mac, and so forth.
Very few people these days have even ever *seen* a Mac operating (outside of their boutique retail stores), let alone heard about them. The reason Macs have generally escaped the dubious attentions of bored script kiddies and social engineers is because the market share of OSX is so damn small that it's not really worth messing with.
I'd see an increase in attacks targeted at OSX in fact as evidence that Apple was growing their market share. I note that the first big Internet-wide worm attack affected mostly BSD machines. The popular perception of "security" on the BSD/Mach-based OSX comes about not through inherent invulnerability and system-hardening but is a simple product of benign neglect by the world at large.
Da Blog
And it is this ignorance that marks you, indelibly, as both a newbie and someone congenitally and strangely unable to use Google. Ever heard the phrase "Those who do not know history..."?
http://www.google.com/search?q=morris.worm+bsd
Morris Worm
Da Blog
"And the other 3? Apple should at least point to the relevant advisory."
Apple did. I'll quote more of the knowledge base article:
"* CoreFoundation: Fixes CAN-2004-0428 to improve the handling of an environment variable. Credit to aaron@vtty.com for reporting this issue.
* Apache 2: Fixes CAN-2003-0020, CAN-2004-0113 and CAN-2004-0174 by updating to Apache 2 to version 2.0.49.
* RAdmin: Fixes CAN-2004-0429 to improve the handling of large requests
* AppleFileServer: Fixes CAN-2004-0430 to improve the handling of long passwords. Credit to Dave G. from @stake for reporting this issue.
* IPSec: Fixes CAN-2004-0155 and CAN-2004-0403 to improve the security of VPN tunnels. IPSec in Mac OS X is not vulnerable to CAN-2004-0392."
Admittedly this is listed in the knowledge base article, not in the consumer description of the patch, but it doesn't seem unreasonable that a sysadmin would read the KB article for the patch before installing it.
Enable 3D printed prosthetics!
Apple has software update in system preferences. Does anyone know if the latest update to 10.3 (Panther) takes care of the security bugs?
I never update or patch my Windows XP box, nor does anyone else who shares the connection. *gosh!* Reason being, we are behind a pretty damn good NAT router and firewall. We've never had any problems whatsoever with security and I would be the first to notice. I even run an Apache server, FTP server and VNC. And no anti-virus software either. *gosh!* So while all of you are moaning about how you patch your Windows from left to right, consider this: don't trust Microsoft and most certainly don't trust Apple. Use your common sense. Design your network so that it is protected from a single source. Setup your systems so that, in the event things do get cocky, your data is safe and you can quickly clean your system completely, redeploy and apply the needed patch if need be. Ghosting can be quite useful in worst case scenarios. But to be honest, if you know your system well enough, you shouldn't need to patch anything and should have more dependable alternatives.
If they can't keep a box updated, they can't keep a home network secure with MSWindows.
That fact does not change even if Microsoft force-downloads the updates. All it does is reduce the likelihood that the home user knows his box is being admin-ed by someone else.
One thoughtless download-click-click, and inside the firewall is now enemy territory.
(Unless we can get Apple to default to installing a user account _and_ an admin account, and default to automatically logging in the user account, Macs will have the same problems in the same proportions. Linux boxes are a little better simply because a user who doesn't know what an admin account is has a difficult time setting a box up.)