Slashdot Mirror


Windows vs Mac Security

sdhorne writes "There is a good technical discussion over at InfoWorld on the merits of launchd and what is lacking in a comparable Windows secure solution. It is a throw back to the UNIX vs Windows security discussion that has been hashed out for many years." From the article: "it always traces back to Microsoft's untenable policy of maintaining gaps in Windows security to avoid competing with 3rd party vendors and certified partners. Apple's taking a different approach: What users need is in the box: Anti-virus, anti-spam, encryption, image backup and restore, offsite safe storage through .Mac, and launchd. Pretty soon any debate with Microsoft over security can be ended in one round when Apple stands up, says 'launchd', and sits back down."


  1. Re:Well written, but by alps · · Score: 5, Informative
  2. What's launchd? by peterdaly · · Score: 5, Informative

    Was I the only Mac user who didn't know what launchd was off the top of my head?

    In Mac OS X v10.4 Tiger, Apple introduced a new system startup program called launchd. The launchd daemon takes over many tasks from cron, xinetd, mach_init, and init, which are UNIX programs that traditionally have handled system initialization, called system scripts, run startup items, and generally prepared the system for the user. And they still exist on Mac OS X Tiger, but launchd has superseded them in many instances. These venerable programs are widely used by system administrators, open source developers, managers of web services, even consumers who want to use cron to manage iCal scheduling, and they can still be called with launchd.

    The launchd daemon also provides a big performance boost to your system. At any given time, only those daemons that are actually used are launched; combined with the fact that daemons can shut themselves down and be relaunched as needed means that you can reduce the average memory footprint of the system.


    http://developer.apple.com/macosx/launchd.html

    1. Re:What's launchd? by Kadin2048 · · Score: 4, Informative

      It's not really a wrapper as much as it's a replacement.

      The story I heard was that a bunch of Apple engineers got tasked with improving OS X boot times, and the problem they kept running into was the way that init worked. In order to create a good way of launching stuff simultaneously (when possible) and generally making everything boot quickly, they ended up just writing a new system for launching services, and the result was launchd. It also minimizes the number of running daemons at any one time, saving memory and processor cycles, and can start and stop them as-needed. Apparently you can also do some neat stuff like actually feed programs commands rather than just start/stop, but I've never used that.

      I think Apple's hope was that other UNIX-ish systems might like the launchd concept and replace init with it, but I'm not sure that the faster boot times will really be worth the retraining costs for systems that aren't booted up often.

      The things I dislike about launchd, aside from the traditional UNIX objection to anything which is New And Therefore Bad, are that its config files are XML instead of flat text, which I find obnoxious, and that it makes it marginally more difficult to see what services are running on a given system. You can be running a local mailserver but not have a daemon active, because launchctl will bring up postfix as needed. If you're not looking for it, you can miss the fact that postfix is set up. (However you can program it to bring up particular services and leave them -- in fact you can use init and cron normally, if you like.)

      I still use cron for scheduled tasks as well, because I've never wanted to figure out how to replicate cron with Apple's stuff, but I'm told it can do that, too.

      Overall I think it's pretty neat, and for a desktop-UNIX system it's a major step forward. For a server or non-desktop environment, I think the benefits are more mixed.

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    2. Re:What's launchd? by bnenning · · Score: 3, Informative

      launchd is open source; it even uses the Apache license instead of the APSL.

      --
      How to solve most of our problems: 1.Lots of nuclear plants. 2.Cure aging.
    3. Re:What's launchd? by n8_f · · Score: 4, Informative
      You can be running a local mailserver but not have a daemon active, because launchctl will bring up postfix as needed.

      Launchd will bring postfix up as needed. But, launchctl is what you want to use to see what launchd has loaded. And that is loaded, not necessarily running. The command you want to use is "sudo launchctl list". For example, mine shows org.postfix.master and com.openssh.sshd, which aren't actually running but will be activated when there is traffic on the specified ports. Of course, you'll also notice org.xinetd.xinetd. Nothing by default runs under xinetd, but if you've added a server, it could be in /etc/xinetd.d rather than in the launchctl list.

      The XML vs. flat file debate has been fought all over the web, so I won't rehash it here, but I think the benefits of machine-parseability are worth it and it uses Apple's standard plist format, so it is consistent with the rest of the OS.

      Overall, launchd is a huge step forward. Apple has open-sourced it and it would be interesting to see it implemented in other systems. Perhaps Solaris can use it in exchange for giving us ZFS (10.5).
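The on-demand behaviour described in the comments above (a job that launchd has loaded but has not started, and that only gets a process when traffic arrives on its port) is easiest to see from a job definition and from the output of `launchctl list`. The following is an added example written for this page, not code from the article, from Apple, or from any commenter. The label `com.example.echo`, the program path `/usr/local/libexec/echod`, the `_echo` account and port 2222 are hypothetical; the `launchctl list` sample in the test is constructed, modelled on the three-column output (PID, last exit status, label) where a `-` in the PID column means the job is loaded but has no running process.

```shell
#!/bin/sh
# Added example for this page (not from the article or the thread).
# 1. ondemand_plist   - a socket-activated launchd job definition
# 2. loaded_not_running - list jobs launchd has loaded but not started

# Emit a LaunchDaemon plist for a hypothetical TCP echo service. launchd owns
# the listening socket on port 2222 from boot; the program itself is not
# started until a client connects. inetdCompatibility with Wait=false gives
# inetd "nowait" semantics: one process per connection, socket on stdin/stdout.
# UserName drops the service to an unprivileged account instead of root.
ondemand_plist() {
  cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>com.example.echo</string>
  <key>ProgramArguments</key>
  <array>
    <string>/usr/local/libexec/echod</string>
  </array>
  <key>UserName</key>
  <string>_echo</string>
  <key>Sockets</key>
  <dict>
    <key>Listeners</key>
    <dict>
      <key>SockServiceName</key>
      <string>2222</string>
      <key>SockType</key>
      <string>stream</string>
    </dict>
  </dict>
  <key>inetdCompatibility</key>
  <dict>
    <key>Wait</key>
    <false/>
  </dict>
</dict>
</plist>
EOF
}

# Read `launchctl list` output on stdin and print the label of every job
# that is loaded but currently has no process (PID column is "-").
# These are the services a plain `ps` will not show you.
loaded_not_running() {
  awk '$1 == "-" { print $3 }'
}

# Stand-alone usage (macOS, as root):
#   ondemand_plist > /Library/LaunchDaemons/com.example.echo.plist
#   launchctl load /Library/LaunchDaemons/com.example.echo.plist
#   launchctl list | loaded_not_running     # com.example.echo appears here
```

Until the first connection to port 2222 the job shows up only in `launchctl list` with a `-` PID, which is the point n8_f makes above: to audit what a Mac will serve, read the loaded job list rather than the process table, and remember that anything still under `/etc/xinetd.d` is not in that list.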

  3. Unfortunately his reasoning is flawed. by mellon · · Score: 4, Informative

    I think the conclusion that he draws is probably correct, but he doesn't really seem to explain why. The reason that systems like OS X and Linux are safer than Windows is not that launchd runs a shell, but that both Linux and OS X tend to run processes that don't need privileges as root.

    This is a substantial win. However, if you manage to compromise a process that is running as root, you do have full control of the machine, and you can install your own privileged software on the machine without an authentication prompt appearing on the console.

    Also, most of the man pages on OS X are woefully out of date, so giving the existence of these as a reason for why security is better on OS X is unfortunately a cruel joke. Third party apps from the Open Source community do often have better documentation, but the basic man pages from OS X are often years out of date - this is one of my pet peeves about OS X, I will admit.

    It sounds like the hack he's describing occurred because he'd installed third-party software that ran as a service with an open port, as SYSTEM (i.e., with full privileges) and that took over his machine. The reason this is less likely (not impossible, just less likely) is because if you are running a third party server process on OS X, it's probably a piece of open source software like Apache, which has been vetted to within an inch of its life, because it is open source, and the many people who care that it is secure have the freedom to check that it is secure. And it probably doesn't run with full privileges, as the author says.

    Anyway, like I said, he's right, but his reasoning is a little foggy. And it's important to be aware of the ways in which it's foggy, because this is your best chance of avoiding having your machine hacked.

  4. Anti-virus software in the box? by sjonke · · Score: 4, Informative
    What users need is in the box: Anti-virus[....]
    If it is, it's hidden pretty well. Macs don't come with anti-virus software.
    --
    --- What?
    1. Re:Anti-virus software in the box? by kalidasa · · Score: 3, Informative

      He's talking about OS X Server, not OS X. He doesn't distinguish between them himself, but if you look at the whole article, you'll see that he's comparing Windows Server to OS X Server; and OS X Server does have anti-virus and anti-spam services built-in as part of its mail services.

  5. Re:But what if Microsoft offered it all together? by nuzak · · Score: 3, Informative

    So, what MS needs to do is licence their OS to sublicensors. They can include whatever extra security tools, browsers, media players and the like they want. Would probably work out for MS fairly well, and would definitely allow a properly integrated security system.

    Psst. They're called OEMs. Try buying a PC from a big-box store these days without Mcafee or Norton on it.

    --
    Done with slashdot, done with nerds, getting a life.
  6. Re:Market Share by n2art2 · · Score: 4, Informative

    to be honest I would go after OS X. Why? Because no one else is. Those who get known are those who, "think different."

    --
    Self proclaimed wannabe geek. You know how it is. Most of us who read this stuff probably fit in that category.
  7. Re:UNIX and viruses by 140Mandak262Jamuna · · Score: 4, Informative
    I've heard it mentioned many times that Macs do not suffer from viruses because they have a smaller market share,

    When people say something like that, hold them by the hand and take them over to netcraft.com and show them the market share of Web servers. Apache has been owning >60% of it for a long long time compared with ~20% share for IIS. And point out that almost all the worms attack IIS and not Apache. The reason why Windows/IIS remain vulnerable is because MS wrote them, not because of their high/low market share.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  8. Re:Well written, but by macshome · · Score: 5, Informative

    Pimping myself here a bit, but our article on launchd might be of more help to sysadmins. It later formed the basis for the wikipedia article and has thrilling Jordan Hubbard comments to boot!

  9. .Mac is not "safe". by Anonymous Coward · · Score: 4, Informative

    offsite safe storage through .Mac

    dot Mac is not in any way secure / "safe storage". Unfortunately I bought a subscription before I realised how dangerously unsecure it is. When I started to configure Backup, I thought I'd do some digging first to see what was going on. It turns out that credentials are sent in plaintext. Communication between the user and mac.com is not encrypted. Storage on iDrive is also not encrypted. Backup archives have no encryption.

    It's completely wide-open to snooping attacks, and nobody should trust anything to it besides their weekly grocery list or other documents that they don't mind any snoopers (wireless interceptors or Apple employees) from freely browsing. I expect a major security breach is inevitable.. it's just a matter of time. It would take one person with a wireless snooper at Macworld, gathering hundreds of juicy high-profile targets to mess with - and dot Mac will be destroyed by a torrent of negative publicity.

    Of the entire Apple product range, dot Mac is the one that is most stuck in the early 90's. It works.. but is a severely inadequate solution.

  10. Re:Microsoft is just too nice? by 2nd+Post! · · Score: 3, Informative

    Sigh. The issue isn't bundling. Read. Please read! The issue was illegally leveraging their OS monopoly to abuse/obstruct competitors.

    Bundling is fine if OEMs, such as HP, Dell, and Compaq, can UNBUNDLE IE and install Firefox, for example. What happened was that Microsoft threatened Compaq with withholding OS licenses if they installed Netscape Navigator as the default web browser. Had they ONLY bundled, nothing would have been brought up against Microsoft.

  11. I think he has some points there by guruevi · · Score: 4, Informative

    Apparently this guy had the experience of switching from Mac -> Windows and seeing what happens. A lot of people say it has to do with market penetration (Thanks to the M$ FUD) but nothing is less true. There are far more hosts running on any flavor of Unix or using the GNU tools or somewhat compatible tools for that matter than Windows hosts connected to the Internet.

    The biggest flaw in Windows is stuff running as SYSTEM. Try this in Windows: schedule a command in a terminal to run cmd.exe the next minute using the "at" command. As you will notice, you will get your cmd.exe... running as SYSTEM. You don't even have to be a very privileged user to do that; kill your own explorer.exe and start explorer.exe in that cmd.exe you have and guess what: you're running your system as SYSTEM. This would be like running Bash, KDE or Gnome as root; although that is possible, you can't elevate to root out of standard user rights. Same thing for hooks into IIS (.NET) or any other application, they can all elevate to SYSTEM without too much trouble. It would be like suggesting running Bind or Apache as root, and as any Unix guru would say: Blasphemy! Blasphemy! and you would feel the vibration of Rich Stevens (http://en.wikipedia.org/wiki/W._Richard_Stevens) spinning in his grave at the speed of the fan running in the server.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  12. A few points by Foolhardy · · Score: 4, Informative
    The LanManServer service (aka Server) is mostly implemented in kernel mode in srv.sys, so most of the user-mode tirade is irrelevant.
    [From the article]

    SYSTEM is a pseudo-user (LocalSystem) that trumps Administrator (like UNIX's root) in privileges. SYSTEM cannot be used to log in, but it also has no password, no login script, no shell and no environment, therefore
    The activity of SYSTEM is next to impossible to control or log.

    SYSTEM doesn't trump Administrator(s): since either can control the kernel, they both represent full control. SYSTEM can't magically bypass security descriptors any more than administrators can; both have but indirect end runs available. SYSTEM's profile has the global system environment. In Win32, shells have considerably less importance, but SYSTEM processes can still have them. SYSTEM's actions can certainly be audited, so I'm not sure what they meant by impossible to log.

    Most of the code running on any Windows system at a given time is related to services, most or all of which run with SYSTEM privileges, therefore [...]

    There are lots of services running as low privilege LOCAL SERVICE and NETWORK SERVICE. Perhaps there could be more. Note that a single svchost can represent several services.

    Windows will notify you on an attempt to overwrite one of its own system files stored here, but does not try to protect privileged software.

    The binaries that implement system services are protected by system file protection. SFP isn't a security feature; it's there to work around buggy installer behavior.

    Windows requires that users log in with administrative privileges to install software, which causes many to use privileged accounts for day-to-day usage.

    This isn't true on a domain where the admin has designated installable packages, and RunAs works fine for installation programs that are written properly.

    Microsoft made it easy for commercial applications to refuse a debugger's attempt to attach to a process or thread.

    I'm not sure what's meant by this, but if your kernel is owned on any OS, a rootkit can be installed to evade any kind of debugging.

    Access to the massive, arcane, nearly unstructured, non-human-readable Windows Registry, which was to be obsolete by now, remains the only resource a Windows attacker needs to analyze and control a Windows system.

    Non-human-readable? Never used the registry editor? The key and value names seem to be in English... It's like saying that a filesystem isn't human-readable because you need ls. There are no plans to make the registry obsolete for system configuration. In fact, the new boot loader's config database is a registry hive. As for owning the computer through the registry, every key is protected by an ACL. There's nothing inherent in the registry that allows an attack, privilege escalation or otherwise.

    Another trick that attackers learned from Microsoft is that Registry entries can be made read-only even to the Administrator, so you can find an exploit and be blocked from disarming it.

    So then the admin takes ownership of the keys in question, forcibly with the SeTakeOwnershipPrivilege, and since the owner of an object can always set the DACL, the admin returns himself full control. Either that or use the SeRestorePrivilege to overwrite the key directly.

    One of the strongest tools that Microsoft has to protect users from malware is Access Control Lists (ACLs), but standard tools make ACLs difficult to employ, so most opt for NTFS's inadequate standard access rights.

    What's wrong with the shell's ACL editor? What's wrong with the default permissions?

    OS X has no user account with privileges exceeding root.

    Since root can ignore security, this isn't saying anything. In Windows, only the kernel can bypass security.

    Un

  13. Re:Market Share by Bartman_279 · · Score: 5, Informative
    If OSX had that kind of a market share, you'd bet your ass that everyone would be breaking down its walls, in exactly the same way.

    There are PLENTY of hackers out there, of every level, who would absolutely love to be able to point to themselves as the first "l33t hax0r" to write a real world OS X virus and "wipe that stupid little grin off their [Mac user's] smug little faces."

    And in the six years OS X has been out, not one, NOT ONE, has succeeded.

  14. Re:But it still has the rootkit fallacy by Onan · · Score: 3, Informative

    A minor point of clarification, but macosx does indeed have a root account by default, and many system processes run as it.

    There is, by default, no valid password for this account, and the gui does not volunteer information about it as an account for people to log into. But the account very much exists, and is used.

  15. Re:Concept Versus Implementation by 93+Escort+Wagon · · Score: 3, Informative

    "Conceptually, I agree that LaunchD is a really slick idea and I really hope Linux and the BSDs take a good hard look at this code and the possibility of adopting it."

    Up until a few weeks ago, people in the *nix world didn't want to look at launchd because of "contamination concerns" regarding Apple's open source license. However at the recent WWDC, Apple announced that launchd (among other things) is being relicensed under the Apache License - so hopefully that will do the trick for the open source crowd.

    I realize that there are always going to be some GNU fanboys that won't touch anything unless it's under the GPL, of course.

    --
    #DeleteChrome
  16. Re:Well written, but by curious.corn · · Score: 4, Informative

    Then go to the Desktop, open the nifty "My Computer" icon, clear the Address: field and type "http://www.slashdot.org", press enter. Boom! you're back to Internet Explorer.

    simply removing a filthy icon from the QuickLaunch menu while leaving the whole pile of unsafe, vulnerable infrastructure INTACT, completely BETRAYS the meaning of the word UNINSTALL.

    Sheesh... and people talk about Jobs's Reality Distortion Field

    --
    I wonder who is behind all the stupid things I do - Altan
  17. Re:Well written, but by toddestan · · Score: 3, Informative

    Don't want to use Safari? Make it go poof.

    On the other hand, you CANNOT get rid of Internet Explorer. And that's bad. IE is full of security holes and you can't get rid of it. Safari is far safer, and you can get rid of it.


    Deleting Safari on a Mac is about as effective as deleting iexplore.exe on a Windows PC as far as getting rid of the browser is concerned. Sure, you've just nuked the front end, but the backend still exists in the OS and is not easily removed. Have you ever heard of Webkit?

  18. WebKit != Explorer by tgv · · Score: 3, Informative

    WebKit isn't Explorer. The Windows equivalent of the Finder, the Explorer, shares (many) DLLs with Internet Explorer; it even seems to share resources at run-time with it. The OSX Finder doesn't use WebKit (at least not up until now). The only thing you will damage by removing the WebKit framework is applications that use it to display HTML or provide other simple browsing functionality, not any system application. Under Windows though, you would take away the entire interface.