Clean System to Zombie Bot in Four Minutes
Amadaeus writes "According to the latest study by USA Today and Avantgarde, it takes less than 4 minutes for an unpatched Windows XP SP1 system to become part of a botnet. Avantgarde has the statistics in their abstract. Stats of note: Although Macs and PC's got hit with equal opportunity, the XP SP1 machine was hit with 5 LSASS and 4 DCOM exploits while the Mac remained clean. The Linux desktop also was impenetrable, but only was only targeted by 0.26% of all attacks." See also our story on the survival time for unpatched systems.
Although Macs and PC's got hit with equal opportunity, the XP SP1 machine was hit with 5 LSASS and 4 DCOM exploits while the Mac remained clean
Yes, yes, we know this is not surprising, since the exploits in question target Windows specifically, and therefore obviously will not affect Macs.
But the larger points you should take away from this is twofold:
1. The simple fact of the matter is that, for whatever reason, Macs are clearly affected far less than PCs by all types of exploits. This is not because of just marketshare. But whatever the reason, it is true nonetheless. But this brings be to:
2. Even a completely unpatched Mac OS X 10.0.0 machine would not be vulnerable to any kind of remote attack, because no ports whatsoever are open to the outside world, and on most consumer Mac OS X systems, never will be. The fundamental and intrinsic security design and considerations of Mac OS X are just better, period. Even local exploits, such as might travel freely and easily on Windows via email, aren't as possible or practical on Mac OS X (e.g., a potential Mac exploit of this nature that spread via email would have to have its own MTA or a lot more complexity than a simple script on Windows where Outlook and the OS does all the work for you). Yes, marketshare, i.e., the chances of the next host encountered being a Mac, certainly doesn't hurt, but that is not the sole or primary reason Macs aren't vulnerable. No effective automatic vectors of infection or spread, either local or remote, exist, period. When external ports are opened, they usually represent open source services such as apache and OpenSSH, which as a matter of course are usually updated long before theoretical exploits become reality because of the intense scrutiny and peer review such products receive by the community.
When will people learn, that after three and a half years of Mac OS X, with the market growing, it's not just because of "marketshare" that Macs are rarely affected by these types of issues? Can people admit that it's possible that security decisions that were simply and fundamentally better than those of Microsoft were made? I get a kick out of articles that trumpet "MACS JUST AS INSECURE AS WINDOWS" when a text shell script is "discovered", one that must be run by someone with root or physical access no less, with no worthwhile vector or method of automated propagation of any kind![1] This is in the face of completely remote and automated exploits that can hit a Windows machine in minutes of being on the network, or exploits that own your machine by simply visiting a web page, or viewing an email message in Outlook (yes, these have continued to exist, some even very recently).
[1] For the nit-pickers out there, copying itself to other remote Mac OS X system volumes to which the local user has root-equivalent access and has manually connected to doesn't exactly rise to the level of the unprivileged, automatic propagation we see in the Windows world.
Our gateway box is a Win2k machine. It hasn't been patched in months upon months because it would tie up the connection for a long time. (Downloading patches over 28.8 is slow and we have eight computers in the house sharing that connection.) That gateway machine is totally clean. No spyware, no worms, etc. This is confirmed by proper antivirus and anti spyware software.
I'm just posting this an in interesting observation. This makes sense because a zombie on a dialup line is pretty damn worthles anyway.
If you've installed any programs from Download.com, Cnet.com or ZDnet.com, beware.
I started getting reports of malware being attached to a program I work on and discovered the affected parties had obtained their copies of the program from Download.com. I had never submitted the program to them, but someone else had -- and they'd contaminated it with malware while they were at it. I complained, and the program was removed. (Actually, they first switched the links to the official server, but removed it when I complained further that they needed to tighten up their submission procedures.)
While Download.com is no longer distributing my program, they are still distributing malware attached to other programs (just went to their site to confirm it) via xeol.net and probably others. They don't seem too interested in fixing the problem. I also sent a complaint to the FBI's cybercrime division, and they apparently weren't interested, either.
Talk her into a Mac, if you can.
I'm serious. As a child, I was an "Apple II for all" kid. Then I became one of those "Macs are too easy and wimpy" teens. In college, however, I became a "Hey, I can do work, I'm an addict!" person. Then I became a security wonk, and I'm a "Gee, why can't I find hardly any information on hardening OS X? It's not perfect" kind of person.
I don't believe it's possible for the average user to run Windows cleanly. You have to know too much. I've heard my security-wonk coworkers joke about how much spyware they had after a scan (and yeah, they're not great security wonks, but they were well above me on the food chain). If yer average security wonk can't keep his stupid box clean, then there's a problem with both the box and the user, not just the user.
I don't believe that OS X is perfect. There are exploits that work. Safari has some of the same problems IE does (minus the whole hooked-into-the-OS-issue). You have to look really hard to find the issues, though. And for getting actual work done, they're a wonder. The built-in software does much of what regular users need. The interface is pretty and clean. And with BSD underneath, I've found that they a lot easier for linux-geek techie friends to suss out.
I've come to the conclusion that Macs really are the best computers for most of the population. You don't get owned out of the box. You can download your security patches on modem--they come separate from the OS updates. You can safely read The Register. Even my Classic-emulated Office doesn't crash on OS X.
Hardware costs are pretty much at parity for brand-name devices. The cost problem tends to be with replacing software. But there is a useful shareware community for Macs, Fink is pretty well-regarded, and commercial software can be found. Consider how much a password-sniffing Trojan might cost and cough it up.
Thus endeth annoying advice.
What I say does not represent the views of my employers, my friends, my cats, or myself.