Slashdot Mirror
Apple Releases 31 Security Fixes
Agram writes, "This week Apple has released fixes for 31 vulnerabilities in its OS, although reportedly a number of known flaws remain un-addressed (according to the instigator of the Month of Kernel Bugs, 'Apple hasn't fixed any of the bugs published during [MoKB], except for the AirPort issue'). Earlier this year, in a move reminiscent of Microsoft's past patching faux pas, Apple released a 'fix' the installation of which broke features unrelated to the targeted flaw. With the growing number of low-level flaws, one has to wonder if Apple's 'more secure' argument still stands. Earlier this month, Microsoft released 6 fixes. Linux does not seem to fare much better. Despite all of these fixes, exploits remain in the wild for each platform. Perhaps, security-wise, the OS choice really boils down to a 'pick-your-poison X user-base' equation?"
"A computer is a tool to let you do things"
It can also be a tool that others use against you.
"it is not supposed to do thinking for you"
Strange then that artificial intelligence research is almost as old as computing itself.
I'm not going to change your sheets again, Mr. Hastings.
Precisely!
What we're seeing is Apple fixing issues that cannot be successfully exploited on 90%+ of the Mac machines in existence. Worms like Code Red or Blaster wouldn't be able to find enough hosts due to the default security setup of OS X. The only folks who would be vulnerable would be the ones who know enough about internet hosting to enable a service.
While there's no guarantee that these users are significantly more educated, they do at least know that they're running a potentially exploitable service. This is in direct opposition to the situations that made Code Red and Blaster possible. Had IIS Personal Server not enabled itself without the knowledge of most users, it's highly likely that Code Red would have failed to spread. (Especially since a security patch had been available in both cases.)
Javascript + Nintendo DSi = DSiCade
Perhaps, security-wise, the OS choice really boils down to a 'pick-your-poison X user-base' equation?
Yeah, like, everyone knows that all OSes are, like, equal in all respect. It's not like they were designed differently or anything. It's all just 1s and 2s anyway. Every computer gets cloggged up with worms, viruses, and malware. It's just that there are more Windows users out there, and the Mac users just keep quiet about their virus infestations, so they can keep the Sacret Cult of the Mac going strong. I know plenty of Mac users who have to do clean installs all the time because their machines get so clogged up with worms and viruses. All of these whiners talk like that's not true!
Read the EFF's Fair Use FAQ
A computer is a tool to let you do things, it is not supposed to do thinking for you.
A tool should be designed for a given skill level and environment so it works properly for most people. You wouldn't design a new blowtorch that superheats the air in lower latitudes and kills everyone when you turn it on. By default, it should behave reasonably and if some freak wants to mess with it, they can. That said, Windows in particular does a terrible job of doing what users expect it to safely. OS X does a better job, partly because the ecosystem in which it operates is different and partly for technical reasons. It does, however, do a good job of working by default for that set of users and ecosystem.
Some really common tasks, like running a random game from a Web page when I'm not sure I can trust it, are really, really, really hard on Windows. Given that so much malware is out there, this should not be the case. The computer does not have to "think for you" in order to sensibly inform the user and give them the choices they need. For example, no program not pre-installed on Windows should be able to read your e-mail address book or send e-mail messages without the user specifically authorizing that behavior. "The program 'Marsblast.exe' would like to read your e-mail addresses and connect to the internet in a way normally used to send e-mail. (Stop it from reading my addresses and sending mail)(let it read my addresses and send mail once)(always let it read my e-mail addresses and send e-mail)(advanced options)." This functionality is not impossible to create and if MS were in a competitive market where they had to give customers what they want, this would have been in Windows 2000.
Do you honestly think people go Hrm, this program is pretty seedy, but I'm going to run it anyway! .
The real problem is people go Oh, I received an electronic fax, that's not a program and people like you just say No you dolt, that was an exe file, gawd how stupid are you!?
This is what I think the real problem is: Suggesting that people accept faulty software and their own failings.
Here's an idea: a big red button on the side of the computer. You hold it in, and executables can be created. Tell people that big red button lets other people change the way their computer works and no matter how the computer instructs them otherwise, to only push and hold that button in when they are unhappy about how their computer works and feel the need to change it.
That's what root is supposed to be for- whether they be called Administrator or sudo doesn't make it any more or less safe. The fact that Non-root can install software is a security weakness. The fact that the user can run as administrator and not know it is a security weakness.
My mother in law has been actively computing since 2002 without any viruses or "computer problems of any kind" simply because she has to call me in order to remount
I've been following Mac news for about 3ish years since I switched. It seems that on the run up to the Vista release there has been a bit of a Spike in "Macs aren't as secure as you think" articles. Is this a stealthy "Get the facts" campaign?....
Personally I interpret the article summary as anti-Apple FUD. Everyone has security problems, and everyone can do better. I'm not - at all - trying to say that Apple shouldn't be better. They should. But there are two huge problems that make Windows worlds worse than anything else, and will continue to do so until they're actually fixed... Until then, comparing Windows to OS X in desktop* security is merely FUD.
I. ActiveX. ActiveX is DESIGNED to give a web server full control over your machine. With Flash or Java, even if they're enabled a website can only do stuff if they also exploit a - very rare - flaw in your Virtual Machine. In ActiveX, if you let that control run it can basically do anything. They have some checks to try to block the probably-worst applets, but in the end it runs the code unprotected. Until ActiveX is limited to a VM, it should be totally disabled.
I'd personally guess that this alone accounts for more regular attacks than everything-else-put-together. Don't use ActiveX. And if you're not using ActiveX, there's little reason to use IE...
II. Administrator use is chronic. Basically nobody runs OSX in root or sudo-d mode. LOTS of people run Windows routinely in Administrator mode, for a few main reasons: 1) Lots of software only runs that way, and switching is a pain. NO user app should need to be root to run. 2) LOTS of software is very hard to install so a nonAdmin can use it properly, for starters because it only works on the account it was installed into.
I will completely admit that if all the ISVs behaved perfectly 1 & 2 wouldn't be a problem - but it is VERY plausible for Microsoft to exert enough control to make this better for the vast majority of users. Also, I don't believe all these ISVs do it just to be stupid - my guess is that the structure of Windows makes it MUCH easier to do it that way.
3) Lots of software that shouldn't even need admin privs to install does for no good reason. (I presume because of the way DLLs and the registry work they need to modify system folders even if they're only going to run as a local user - but that's definitely a Windows problem that it's structured that way.) And once you give those pieces of software admin privs, they can do anything - like installing themself as System so you can't kill them even WITH admin privs. All software should be installable with the MINIMUM possible privs. (Obviously system software or a virus checker needs admin privs.)
There are plenty of smaller reasons to be unhappy with Windows security, and I'm not trying to say I love their track record. I didn't address at all the fact that it comes out of the box extremely remote exploitable, (average of ~20 minutes for an unpatched box to be exploited on the internet - and several hours to download the patches!) But those are problems other OSes at least sometimes have and you can make reasonable comparisons. Until the two above are fixed, you shouldn't even COMPARE Windows desktop* security to OS X or Linux.
*Note that I said desktop. While there are some problems, neither of the above super-problems is a server problems. In fact, if you have to choose a server OS, you should probably choose based on what your admin is experienced in - better to have a well administered box than ANY badly admined box.
Looking for freelance Actionscript (Flash/Flex) or ColdFusion work and/or freelance developers. Email me, put Slashdot
In my last job, I had to support Mac OS 10.2 clients and servers. It was a nightmare as there is a severe problem with samba in OS X server which would easily cause a DOS attack on the box. I had to disable access to windows clients which were primarily IT and accounting employees. Apple has a terrible patch policy. I feel that they are a large enough company to release patches at least 2 versions back considering they like to do a release every 1-1.5 years. Imagine if Microsoft released a new vista every year. That would be a support nightmare. Of course Microsoft can't even get a start menu change done in a year...
Apple can develop great products, but they sure can't support them very long. Someone at apple needs to learn about maintaining software. Essentially you have to pay for security patches every two to three years. I end up running the latest OS release because safari and a few other things rarely see patches once its a version behind.
Before someone points out that apple is smaller than Microsoft, consider that smaller companies and groups maintain patches to their linux distros for far longer than Apple does with a commercial OS. I suppose some projects have worse policies... for instance FreeBSD EOL'd a bunch of stuff recently. I'm not in a position to back port patches when I get a few releases done with MidnightBSD yet since I don't have many developers. Apple does have developers.
MidnightBSD: The BSD for Everyone