Apple Releases 31 Security Fixes

Agram writes, "This week Apple has released fixes for 31 vulnerabilities in its OS, although reportedly a number of known flaws remain un-addressed (according to the instigator of the Month of Kernel Bugs, 'Apple hasn't fixed any of the bugs published during [MoKB], except for the AirPort issue'). Earlier this year, in a move reminiscent of Microsoft's past patching faux pas, Apple released a 'fix' the installation of which broke features unrelated to the targeted flaw. With the growing number of low-level flaws, one has to wonder if Apple's 'more secure' argument still stands. Earlier this month, Microsoft released 6 fixes. Linux does not seem to fare much better. Despite all of these fixes, exploits remain in the wild for each platform. Perhaps, security-wise, the OS choice really boils down to a 'pick-your-poison X user-base' equation?"

Re:Please

[AKAImBatman]

...Also, since Apache is not running by default on OS X, it would hit a tiny number of users and most would not care...

...Apple is an Apache contributor and has released security patches in the past...

Precisely! :)

What we're seeing is Apple fixing issues that cannot be successfully exploited on 90%+ of the Mac machines in existence. Worms like Code Red or Blaster wouldn't be able to find enough hosts due to the default security setup of OS X. The only folks who would be vulnerable would be the ones who know enough about internet hosting to enable a service.

While there's no guarantee that these users are significantly more educated, they do at least know that they're running a potentially exploitable service. This is in direct opposition to the situations that made Code Red and Blaster possible. Had IIS Personal Server not enabled itself without the knowledge of most users, it's highly likely that Code Red would have failed to spread. (Especially since a security patch had been available in both cases.)

No duh!

[Infonaut]

Perhaps, security-wise, the OS choice really boils down to a 'pick-your-poison X user-base' equation?

Yeah, like, everyone knows that all OSes are, like, equal in all respect. It's not like they were designed differently or anything. It's all just 1s and 2s anyway. Every computer gets cloggged up with worms, viruses, and malware. It's just that there are more Windows users out there, and the Mac users just keep quiet about their virus infestations, so they can keep the Sacret Cult of the Mac going strong. I know plenty of Mac users who have to do clean installs all the time because their machines get so clogged up with worms and viruses. All of these whiners talk like that's not true!

Re:If you are depending soley on your choice of OS

[mrsbrisby]

1. Run a firewall and only open what you need to be opened

Do you honestly think anyone but a network administrator has any idea what you just said?

2. Most importantly: DONT CLICK ON STUPID SHIT! Don't run seedy programs etc. It's amazed how many Windows users get infected like that

Do you honestly think people go Hrm, this program is pretty seedy, but I'm going to run it anyway! .

The real problem is people go Oh, I received an electronic fax, that's not a program and people like you just say No you dolt, that was an exe file, gawd how stupid are you!?

Those obviously won't protect against 100% of threats, but very few things in life are guarenteed.

This is what I think the real problem is: Suggesting that people accept faulty software and their own failings.

Here's an idea: a big red button on the side of the computer. You hold it in, and executables can be created. Tell people that big red button lets other people change the way their computer works and no matter how the computer instructs them otherwise, to only push and hold that button in when they are unhappy about how their computer works and feel the need to change it.

That's what root is supposed to be for- whether they be called Administrator or sudo doesn't make it any more or less safe. The fact that Non-root can install software is a security weakness. The fact that the user can run as administrator and not know it is a security weakness.

My mother in law has been actively computing since 2002 without any viruses or "computer problems of any kind" simply because she has to call me in order to remount /home without -o noexec, or sudo for anything. I wish there were a red button sometimes because she's pretty good about knowing when to call me, but because she honestly thought she had to "Runas" in order to read a fax (after all, that's what the email from her son said to do!), she doesn't mind not knowing her own root password.

Why Windows security is terrible and OSX is better

[arete]

Personally I interpret the article summary as anti-Apple FUD. Everyone has security problems, and everyone can do better. I'm not - at all - trying to say that Apple shouldn't be better. They should. But there are two huge problems that make Windows worlds worse than anything else, and will continue to do so until they're actually fixed... Until then, comparing Windows to OS X in desktop* security is merely FUD.

I. ActiveX. ActiveX is DESIGNED to give a web server full control over your machine. With Flash or Java, even if they're enabled a website can only do stuff if they also exploit a - very rare - flaw in your Virtual Machine. In ActiveX, if you let that control run it can basically do anything. They have some checks to try to block the probably-worst applets, but in the end it runs the code unprotected. Until ActiveX is limited to a VM, it should be totally disabled.

I'd personally guess that this alone accounts for more regular attacks than everything-else-put-together. Don't use ActiveX. And if you're not using ActiveX, there's little reason to use IE...

II. Administrator use is chronic. Basically nobody runs OSX in root or sudo-d mode. LOTS of people run Windows routinely in Administrator mode, for a few main reasons: 1) Lots of software only runs that way, and switching is a pain. NO user app should need to be root to run. 2) LOTS of software is very hard to install so a nonAdmin can use it properly, for starters because it only works on the account it was installed into.

I will completely admit that if all the ISVs behaved perfectly 1 & 2 wouldn't be a problem - but it is VERY plausible for Microsoft to exert enough control to make this better for the vast majority of users. Also, I don't believe all these ISVs do it just to be stupid - my guess is that the structure of Windows makes it MUCH easier to do it that way.

  3) Lots of software that shouldn't even need admin privs to install does for no good reason. (I presume because of the way DLLs and the registry work they need to modify system folders even if they're only going to run as a local user - but that's definitely a Windows problem that it's structured that way.) And once you give those pieces of software admin privs, they can do anything - like installing themself as System so you can't kill them even WITH admin privs. All software should be installable with the MINIMUM possible privs. (Obviously system software or a virus checker needs admin privs.)

There are plenty of smaller reasons to be unhappy with Windows security, and I'm not trying to say I love their track record. I didn't address at all the fact that it comes out of the box extremely remote exploitable, (average of ~20 minutes for an unpatched box to be exploited on the internet - and several hours to download the patches!) But those are problems other OSes at least sometimes have and you can make reasonable comparisons. Until the two above are fixed, you shouldn't even COMPARE Windows desktop* security to OS X or Linux.

*Note that I said desktop. While there are some problems, neither of the above super-problems is a server problems. In fact, if you have to choose a server OS, you should probably choose based on what your admin is experienced in - better to have a well administered box than ANY badly admined box.

Re:Attacks Still Low

[laffer1]

In my last job, I had to support Mac OS 10.2 clients and servers. It was a nightmare as there is a severe problem with samba in OS X server which would easily cause a DOS attack on the box. I had to disable access to windows clients which were primarily IT and accounting employees. Apple has a terrible patch policy. I feel that they are a large enough company to release patches at least 2 versions back considering they like to do a release every 1-1.5 years. Imagine if Microsoft released a new vista every year. That would be a support nightmare. Of course Microsoft can't even get a start menu change done in a year...

Apple can develop great products, but they sure can't support them very long. Someone at apple needs to learn about maintaining software. Essentially you have to pay for security patches every two to three years. I end up running the latest OS release because safari and a few other things rarely see patches once its a version behind.

Before someone points out that apple is smaller than Microsoft, consider that smaller companies and groups maintain patches to their linux distros for far longer than Apple does with a commercial OS. I suppose some projects have worse policies... for instance FreeBSD EOL'd a bunch of stuff recently. I'm not in a position to back port patches when I get a few releases done with MidnightBSD yet since I don't have many developers. Apple does have developers.