Computer Security Still Totally Inadequate
Several news sources are running articles detailing the lack of computer security on all platforms. Symantec foretells a dark future for Firefox and Mac users, describing their security as a "false paradise". Kernel developer and Red Hat fellow Alan Cox stated in his recent interview with O'Reilly that "even the best systems today are totally inadequate". He goes on to say that "We are still in a world where an attack like the Slammer worm, combined with a PC BIOS eraser or disk locking tool, could wipe out half the PCs exposed to the Internet in a few hours," Cox said. "In a sense we are fortunate that most attackers want to control and use systems they attack rather than destroy them."
Is that so? Here's a two'fer
CVE-ID: CAN-2005-2529
Available for: Java 1.4.2
Impact: Malicious system users can gain elevated privileges.
Description: This is specific to the implementation of Java on Mac OS X. The utility used to update Java shared archives is susceptible to a privilege escalation vulnerability from local system users. This update addresses the issue by performing additional clean-up before launching the utility on behalf of unprivileged users. This issue does not affect systems prior to Mac OS X v10.4. Credit to Dino Dai Zovi for reporting this issue.
Nevermind RTFA, did you even read the summary?
"Symantec foretells a dark future for Firefox and Mac users describing their security as a "false paradise"."
I hate that. I've fixed more people's computers by simply removing these crappy security suites than I ever have needed to fix viruses and hacks. A firewall, reasonable use restrictions (not installing Chinese software cracks), not using IE/Outlook, and running an occasional anti-virus anti-spyware scan are plenty.
If you need more then switch to Linux.
At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
MS has made a huge mistake when IE 4.x-6.x relied on CATID_SafeForScripting/CATID_SafeForInitializing COM component categories to make decisions whether it's safe to use the COM component from a JavaScript/VBScript.
IE has a kill bit feature which allows disabling certain scriptable COM components based on their GUIDs. And most IE security fixes are, in fact, just registry updates adding more of those "kill bits".
Examples:
http://www.microsoft.com/technet/security/bulletin/fq99-032.mspx
http://www.microsoft.com/technet/security/bulletin/fq99-037.mspx
http://www.microsoft.com/technet/security/Bulletin/MS02-055.mspx
http://www.microsoft.com/technet/security/Bulletin/MS02-065.mspx
http://www.microsoft.com/technet/security/bulletin/ms02-055.asp
http://www.microsoft.com/technet/security/bulletin/ms03-038.asp
http://www.microsoft.com/technet/security/Bulletin/MS03-038.mspx
http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-038.asp
... and many-many-many more of these holes (just search for "kill bit" with the quotes)
CATID_SafeForScripting is not needed when the COM component is accessed from a stand-alone .VBS/.JS script stored on the local machine (which is trusted to do anything anyway), yet a lot of MS and third-party components are in CATID_SafeForScripting for no reason at all.
This, in fact, should reduce IE's attack surface several-fold.
throw new SuccessException("Sig read successfully");
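An added illustration of the kill-bit mechanism the comment above describes (not part of the original thread): a small audit that reads a `reg export` text dump and lists controls registered under CATID_SafeForScripting that no kill bit disables. The registry export and every CLSID in it are constructed; the key path and the 0x400 "Compatibility Flags" bit are Microsoft's documented kill-bit location, which the thread itself does not spell out.

```python
import re

# Category GUID that IE 4.x-6.x consults before letting page script use a control.
CATID_SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA9-00AA006C42C4}"
KILL_BIT = 0x400  # bit in the "Compatibility Flags" DWORD that blocks the control in IE

GUID = r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}"
SAFE_RE = re.compile(r"\\CLSID\\(%s)\\Implemented Categories\\%s$"
                     % (GUID, re.escape(CATID_SAFE_FOR_SCRIPTING)), re.I)
COMPAT_RE = re.compile(r"\\Internet Explorer\\ActiveX Compatibility\\(%s)$" % GUID, re.I)
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9a-f]{8})$', re.I)

# Constructed sample in `reg export` text format; every CLSID and flag value is made up.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AAAAAAAA-0000-0000-0000-000000000002}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AAAAAAAA-0000-0000-0000-000000000003}\Implemented Categories\{7dd95801-9882-11cf-9fa9-00aa006c42c4}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{AAAAAAAA-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{AAAAAAAA-0000-0000-0000-000000000003}]
"Compatibility Flags"=dword:00000020
'''

def audit(reg_text):
    """Map each safe-for-scripting CLSID to True if its kill bit is set."""
    safe, flags, current = set(), {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            m = SAFE_RE.search(key)
            if m:
                safe.add(m.group(1).upper())
            m = COMPAT_RE.search(key)
            current = m.group(1).upper() if m else None  # values below belong to this CLSID
        elif current and (m := FLAGS_RE.match(line)):
            flags[current] = int(m.group(1), 16)
    return {clsid: bool(flags.get(clsid, 0) & KILL_BIT) for clsid in sorted(safe)}

def still_scriptable(reg_text):
    """CLSIDs marked safe for scripting that no kill bit disables."""
    return [clsid for clsid, killed in audit(reg_text).items() if not killed]
```

A control with a compatibility entry but without the 0x400 bit (the third CLSID in the sample) is still reported, since only that bit blocks instantiation.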
well actually, they have a line of mac products.
-- lol pwned
Number of PC viruses in 2004: 30
Number of Mac viruses ever: 26
Do the math. Oh, and most of the stuff that SAM flagged...
MS Word macro viruses: 533
Sources:
Mac Viruses by the numbers
30 PC viruses played havoc in 2004
Check out my sci-fi/humor trilogy at PatriotsBooks.
First I saw them talking about Mac... then I thought well - it's BSD based now, which has been around practically forever.
Then I saw them mention a root kit for OSX and wondered to myself what good that would do without actually having a way to gain control in the first place.
(See definition of rootkit from wikipedia: "A root kit is a set of tools used by an intruder after cracking a computer system. These tools can help the attacker maintain his or her access to the system and use it for malicious purposes."
Note the words "after cracking" and "maintain"
... not "hack into" and "gain")
Sounds like a bunch of malarkey disguised as solid information to scare people who aren't aware of more advanced computer concepts.
It is in Symantec's best interest to not only cry wolf, but to breed the wolves they will protect you from. This is why Symantec funds the breeding grounds for viruses -- funding hacker conventions, providing public downloads of working exploits thru their public sites.
No, because Java does automatic array bounds checks, which makes normal buffer overflow vulnerabilities impossible - one of the most common kinds of security flaw in C apps.
The illegal we do immediately. The unconstitutional takes a little longer.
--Henry Kissinger
What software run in a school/business environment needs to be run as an administrator? Stop spreading FUD.
It's not FUD.
I work in a small OCR shop. We scan a lot of legal documents and convert them to PDF using Adobe Capture (not my choice, I prefer OCRShopXTR).
Capture, both the OCR and scanning components, will either refuse to run or keep crashing if not run as an administrator. Same goes for Kodak's scanning software (which is, incidentally, some of the worst and most user-unfriendly software I have ever seen). Adobe Acrobat will not run properly as a user without r/w to Program Files.
There would probably be an even bigger list if I didn't have to run nearly everyone as a power user anyway (there's Winamp too, but we don't use that at work).
And please note I don't blame MS for this. Everything since Win2K has had a great system of ACLs and user privs, but the devs have been lazy and not bothered to follow MS's recommendations and are still stuck in the 9x days (although some of MS's software suffers from the same problems), so because half of the software out there doesn't run in an unprivileged environment, MS are half-forced into making everyone an administrator.
Stupid I know, but to call the GP "FUD" is disingenuous.
Moderation Total: -1 Troll, +3 Goat
I don't kid myself the lack of OS X viruses is because of something in the OS making them impossible (or even difficult) to create.
Actually, I think it is pretty difficult to create an internet worm or virus that will infect OS X machines and propagate. Some of this is due to circumstance and some of it is due to a better design. Circumstantially OS X machines are still not common, so any worm or virus that wanted to quickly spread to them would have to be cross-platform or very intelligently targeted. Either is a hurdle for malware authors to overcome.
Secondly, the user base for OS X is composed of a lot of geeks and security guys, so a propagating worm is much more likely to run afoul of someone's well configured firewall, ACL, IDS, etc. and be identified quickly.
Architecturally, OS X does a good job of warning users, by default, when a downloaded file is executable, thus partially mitigating that avenue of attack. Root users are an extreme rarity, local privilege escalation is non trivial, and the system does a fair job of restricting access to vital functions via the admin password. Many users will just enter it anyway (if they admin their own machine) but not all of them and it is enough to make many users suspicious (possibly helping to identify a virus early).
Also vectors for spreading a worm are pretty hard to come by. On Windows, worms go after known or unknown vulnerabilities, usually in exposed system services like RPC. OS X has no exposed system services by default on any version of the OS. Windows has firewalled them recently with XP SP 2, but still has them exposed behind that firewall and wide open on other versions of Windows. Outlook and IE are common vectors for viruses via web pages and e-mail, as well as P2P protocols and IM. Both Outlook and IE are very poorly designed with security a tertiary concern. Outlook automatically runs all sorts of executable files due to its buggy implementation and automatically fetches remote files from the internet without user intervention, by default. IE has been pounded on again and again and most of the obvious bugs have been shaken out, but it remains a good target because it runs with escalated privileges far beyond what a web browser needs. It also incorporates ActiveX by default which is basically a way to run arbitrary code without a sandbox on your system, inherently trusting remote web sites. That is some pretty piss poor security. All of this has had added security measures bolted on, but the fundamental problems are still there.
Contrast this with Safari and Mail.app and you'll see programs that, while not perfect, at least don't make huge, fundamental security mistakes in their basic architecture. I'm sure eventually someone will get a worm to propagate via a hole in unpatched versions of Safari or Mail.app, but I am also skeptical that it will go very far or have much effect. Patching is another important concern. So far OS X has a good track record for timely security fixes and has a well thought out mechanism for software updates. Everyone I know updates their OS X boxes regularly, because the OS asks them to, while only some Windows users do the same.
Basically, worms and viruses can propagate on OS X, but the deck is well stacked against them. It is not an easy target or a particularly profitable target. Either of those things might change in the future, but as things stand it does not look like OS X will ever suffer from the same level of problems with regard to worms and viruses that Windows currently does. OS X does make it difficult to create a successful virus or worm.