Windows vs Mac Security

sdhorne writes "There is a good technical discussion over at InfoWorld on the merits of launchd and what is lacking in a comparable Windows secure solution. It is a throw back to the UNIX vs Windows security discussion that has been hashed out for many years." From the article: "it always traces back to Microsoft's untenable policy of maintaining gaps in Windows security to avoid competing with 3rd party vendors and certified partners. Apple's taking a different approach: What users need is in the box: Anti-virus, anti-spam, encryption, image backup and restore, offsite safe storage through .Mac, and launchd. Pretty soon any debate with Microsoft over security can be ended in one round when Apple stands up, says 'launchd', and sits back down."

Well written, but

[MECC]

Pretty soon any debate with Microsoft over security can be ended in one round when Apple stands up, says 'launchd', and sits back down."

It seemed pretty wello written. That said, I which he would have said a little more about launchd, at least enough to explain why it gives OSX an advantage. It would have also been nice to have had some kind of side-by side comparing Windows and OSX, like how the windows System pseudo-user trumps the admin user, and how there is not way to trump the OSX root user.

Why this can't happen under OS X:

I don't know if I'd go that far. OSX isn't 100% immune - it just has more common sense.

Re:Well written, but

[alps]

http://developer.apple.com/macosx/launchd.html

Re:Well written, but

[ackthpt]

I'm not sure that 're-invented' is how I'd describe windows, or their efforts at security.

In the past Microsoft have commented that they have completely ditched the code Windows was written with and re-written from ground up, to try to address myriad flaws. That's pretty drastic. I've done it with small projects which simply grew too large and unwieldy because they were never expected to scale to newer demands* Microsoft is effectively doing this with Vista and yet... there still appear to be security flaws. Something wrong with that picture. Could be they're just a victim of their success and such a massive undertaking of code is approaching the event horizon just before the black hole.

*You know the type.. you develop some nifty little tool to summarise information for your own use and someone sees it and says, "Hey! That thing does in seconds what I spend a week doing! I need it, set me up with it!" Next thing you know your little tool has to be user friendly, go to printers, be in colour, etc. Continually piling in changes makes it fragile so you step back, figure what it all needs to do and how to achieve the goals and then recode, with an eye toward more scalibility and unforeseen features later.

Re:Well written, but

[macshome]

Pimping myself here a bit, but our article on launchd might be of more help to sysadmins. It later formed the basis for the wikipedia article and has thrilling Jordan Hubbard comments to boot!

Re:Well written, but

[Buran]

But at the same time Apple gets applauded for rolling EVERY SINGLE LITTLE POSSIBLE THING into their OS?

Because they don't force you to use any of it. You can delete any of the utilities that you want. Don't want ichat? Trash it.

On the other hand, good luck getting rid of Windows Messenger. It's even hidden in Add/Remove Programs and fixing that requires a hack well beyond most users.

Don't want to use Safari? Make it go poof.

On the other hand, you CANNOT get rid of Internet Explorer. And that's bad. IE is full of security holes and you can't get rid of it. Safari is far safer, and you can get rid of it.

What hypocrisy was that, again? There's a damn good reason MS gets blasted and Apple doesn't. (Well, it does, but nowhere near as much, and I just explained why.)

What's launchd?

[peterdaly]

Was I the only Mac user who didn't know what launchd was off the top of my head?

In Mac OS X v10.4 Tiger, Apple introduced a new system startup program called launchd. The launchd daemon takes over many tasks from cron, xinetd, mach_init, and init, which are UNIX programs that traditionally have handled system initialization, called systems scripts, run startup items, and generally prepared the system for the user. And they still exist on Mac OS X Tiger, but launchd has superseded them in many instances. These venerable programs are widely used by system administrators, open source developers, managers of web services, even consumers who want to use cron to manage iCal scheduling, and they can still be called with launchd.

The launchd daemon also provides a big performance boost to your system. At any given time, only those daemons that are actually used are launched; combined with the fact that daemons can shut themselves down and be relaunched as needed means that you can reduce the average memory footprint of the system.

http://developer.apple.com/macosx/launchd.html

UNIX and viruses

[rice_burners_suck]

Viruses are definitely part of the umbrella concept we often call "security." I've heard it mentioned many times that Macs do not suffer from viruses because they have a smaller market share, and virus authors invest their time into attacking more dominant systems. People who say this generally go on to say that as the Mac gains a larger market share, the number of viruses available for it will grow. I think this is of little consequence.

Macs are based on UNIX. It's not faked to appear like UNIX, it is actually UNIX. The permissions system means that a common virus could damage a user's home directory, but the system for the most part would remain unaffected, including other users. It is still possible to write root-kit style viruses that take advantages of subtle bugs in the operating system and other software to gain control of the system, but this is significantly more complicated to do, and IIRC it was Theo from the OpenBSD project who said that attacks like this require many steps that often must take advantage of many vulnerabilities to elevate priviledges, and by fixing even one bug, a whole category of vulnerabilities (even if other bugs remain) becomes inaccessible to a would-be attacker. This, in addition to much of the code underlying OS X being available for hacking up by anybody, in addition to other projects actually hacking on this code (improvements from projects like Samba, Apache, GCC, FreeBSD, even various Linux projects, make it into Darwin and OS X.... and most of all the fact that users don't run as administrators, all of these reasons make it much less likely that viruses could be as damaging as on Windows.

Concept Versus Implementation

[99BottlesOfBeerInMyF]

Conceptually, I agree that LaunchD is a really slick idea and I really hope Linux and the BSDs take a good hard look at this code and the possibility of adopting it. That said, it is not a security panacea by any means, just one more clean, sensible implementation that leaves less room for a vulnerability. The thing that makes me hesitate to laud this feature, however, is the implementation. Apple has a lot of smart people working for them and a lot of old school UNIX geeks to whom secure programming is as natural as breathing. They also have a lot of coders and managers who realize that OS X is not a primarily security minded OS. Sure, it is better than Windows and on par with a desktop Linux distro, but it isn't a locked down OpenBSD install or a super secure Linux distro. They don't focus their efforts on security and it shows sometimes when they introduce new code. LaunchD replaces a number of time tested bits of code and while it is (IMHO) a much cleaner, nicer design I haven't a clue about how well written and tested it is, especially from a security perspective. I'd feel a lot better about claiming it as a security feature if I knew some white hats had pounded on it for a while and exposed anything Apple did not bother to think of. I'd feel a lot better if the OSS community in general jumped on it and adopted it, thus helping with this security testing and adding more eyes.

I like LaunchD. I like OS X as a desktop. Lets just not get carried away here with random claims about security. OS X is inherently more secure than Windows, but that really isn't saying a lot. I'm not willing to just assume LaunchD is secure in and of itself, let alone that it will play a big part in securing the OS as a whole.

the article may have some good points, but...

I have to take it with a large rock of salt when I see

OS X has no user account with privileges exceeding root.

being offered as a "reason why OS X is more secure than Windows."

The article claims that Administrator on Windows is equivalent to root; and that SYSTEM is more powerful than Administrator (and by implication more powerful than root). This is nonsense.

Administrator is indeed less powerful than SYSTEM. However, Administrator is equivalent to a user on the sudoers list and/or with group write access to system directories. SYSTEM is the correct equivalent to root.

We may quibble about how well Administrator accounts are protected from trojans; or whether non-Administrator accounts on Windows are of much use; those are valid arguments. However, claiming that, somehow, SYSTEM on Windows is magically more capable than root is ridiculous.

If anything, Windows has a somewhat better design in that it is possible to set up privileged accounts with a specific power that only root has on UNIX, yet not have any of the other root powers. However, this capability is quite underutilized, and in many ways is undermined by other (unfortunate) decisions that Microsoft made.

Re:But what if Microsoft offered it all together?

[CastrTroy]

It depends on how they offered it. If they made it impossible to uninstall, then yes, we would yell monopoly. However, if they made these features able to be uninstalled (or never installed in the first place) and easily replaced by third party tools, then I don't think we would have anything to complain about. I don't have any problems with MS including IE with the operating system, I just wish it could be removed from the system.

Re:But what if Microsoft offered it all together?

[Fordiman]

Actually, they're damned if they do something else entirely too.

They're just damned.

Damned Microsoft.

Re:Microsoft is just too nice?

[2nd+Post!]

And Apple could never do the things Microsoft does:
1) Threaten Compaq with withholding OS licenses if Compaq installed Netscape Navigator as the default browser
2) Threaten IBM with increased OS license fees if IBM did not drop OS/2

Those were the lynchpins of the antitrust lawsuit. If Microsoft had ONLY bundled, they would not face monopoly abuse charges. Then HP could have UNBUNDLED IE and installed Firefox, or IBM could have unbundled Windows and installed OS/2.

Apple's bundles can be unbundled. That is the critical difference. Drag Safari, Mail, Virex, Appleworks, iCal, and Quicktime to the trash, and the OS still works.

Fixed in "Next" version

[Dareth]

Some of the criticisms in the article are perfectly valid, but many of them are (supposedly) going to be fixed in Windows 95 (whenever that gets out..) Is that out yet?

Some of the criticisms in the article are perfectly valid, but many of them are (supposedly) going to be fixed in Windows 98 (whenever that gets out..) Is that out yet?

Some of the criticisms in the article are perfectly valid, but many of them are (supposedly) going to be fixed in Windows 2000 (whenever that gets out..) Is that out yet?

Some of the criticisms in the article are perfectly valid, but many of them are (supposedly) going to be fixed in Windows ME (whenever that gets out..) Is that out yet?

Some of the criticisms in the article are perfectly valid, but many of them are (supposedly) going to be fixed in Windows XP (whenever that gets out..) Is that out yet?

Sorry to be redundant, have you heard this joke before already?

Re:Market Share

[Bartman_279]

If OSX had that kind of a market share, youd bet your ass that everyone would be breaking down its walls, in exactly the same way.

There are PLENTY of hackers out there, of every level, who would absolutely love to be able to point to themselves as the first "l33t hax0r" to write a real world OS X virus and "wipe that stupid little grin off their [Mac user's] smug little faces."

And in the six years OS X has been out, not one, NOT ONE, has succeeded.

Secure principles

[blakestah]

Mac is not dramatically more secure through launchd...

It is simple really. Six years into OS X, growing market share, and no viruses in the wild.

First principle. No ports open by default. Macs ship with a closed box. Plug it into the Internet, wait, and your machine will never get infected simply because it is not listening on any port, and no attacker has any foothold to get into the box. Over the years Windows has shipped with a wide variety of open ports, whether they be for netbios, smbd, messenger, IIS (on NT), or others. Many of these have been launching pads for viruses and worms.

Second principle. Design the OS from the ground up to support privilege descalation. That is, make it so that every action on the machine is executed with User privileges or less, unless you really need more privilege. Launchd is a part of this. On Windows, you still have ActiveX with escalatable privilege, and people get infected from web surfing or opening email.

That is really all it takes. Make it so a user cannot compromise the OS trivially, and there are no open ports, and you made a box as secure as a Mac. Once you start opening ports, you need to know what you are doing or you will be 0wn3d by some script kiddy. Make it secure by default, and force the user to take positive action to do anything that is a potential security problem (like installing executables from random places on the internet).