Apple Patches Massive Holes In OS X

Trailrunner7 writes with this snippet from ThreatPost: "Apple's first Mac OS X security update for 2010 is out, providing cover for at least 12 serious vulnerabilities. The update, rated critical, plugs security holes that could lead to code execution vulnerabilities if a Mac user is tricked into opening audio files or surfing to a rigged Web site." Hit the link for a list of the highlights among these fixes.

HAHA!

"if a Mac user is tricked into opening audio files or surfing to a rigged Web site."

I own a Mac G3, and STILL haven't been tricked into using OS X!

I just patched a massive hole

[exley]

in your mom.

(May as well just get that one out of the way)

Re:I just patched a massive hole

I'm afraid your patch provides insufficient coverage.

Re:I just patched a massive hole

[maxume]

A lot of the people that read the site are in their 40s, 50s and 60s (I'm not). That makes their moms mostly 60+.

Go dude, go.

Re:I just patched a massive hole

[tiberus]

More like you fell in...

(Well, like exley said...)

Re:I just patched a massive hole

I just want to know when they're going to patch that damn hole in their logo. It's been there for decades!

Re:I just patched a massive hole

[e2d2]

I noticed. But where on earth did you find that helmet shaped like a wookie head from? ..Oh snap, that's not a helmet. My bad!

Also dude, the preferred nomenclature is vaginal-space challenged.

Re:I just patched a massive hole

[ushering05401]

Also dude, the preferred nomenclature is vaginal-space challenged.

I thought 'switcher' was the preferred nomenclature.

Re:I just patched a massive hole

in your mom.

(May as well just get that one out of the way)

This is Apple we're talking about. Mac users have no interest in that type of hole...

Re:I just patched a massive hole

At least we're getting some...

Re:I just patched a massive hole

Insightful? WTF /.

Cover your eyes

[mwvdlee]

Quick Apple fan-boys, cover your eyes and do not read any further.
It's the only way you can continue claiming OS-X is soooooo much more safe and secure than that certain other OS.

Re:Cover your eyes

Let me put it to you this way: None of the malware-infested machines I have cleaned up in the last few days were running OS X, just Windows.

There has been a huge spike in infections since that exploit that hit Google was made public-- we're seeing the return of drive-by infections on Windows, it's a whole lot of fun.

Meanwhile, I go home at night and surf with impunity on my Mac running OS X, just like I've done for the last 8 years.

Re:Cover your eyes

[amicusNYCL]

You just couldn't wait to post that, could you? FYI: every piece of software needs updates, and there is still always one piece of software that will be more secure than the others. I don't know if OSX is more secure than Windows 7, but both of them will continue to receive updates, that fact doesn't make either of them less secure.

Re:Cover your eyes

[RyuuzakiTetsuya]

Windows 7 can still be targeted by a IE bug that's been in place since IE6. Safari doesn't have zero day bugs *that* old

Re:Cover your eyes

[e2d2]

Windows 7 can still be targeted by a IE bug that's been in place since IE6. Safari doesn't have zero day bugs *that* old

How would you know? Zero-day means a non-public exploit.

Re:Cover your eyes

[AHuxley]

Anything posted on some forum, whispers in an irc chat?
Anything new floating around for a Mac running 10.6 that will do an IE and pop the browser/OS from a remote site?
Most still need the user to enter his/her password as a application/codec.
Mac are still safe to surf with for now.
Macs have a list of malware and loggers, the pre OS 10 had lots too.
But nothing in the wild to infect just yet with a site visit.
If anything existed outside law enforcement, spooks and one off professional solutions, every Mac AV vendor would have a youtube vid up.
A link to buy protection at a fair price after the 2 to 3 mins of safari getting infected after following a link and their product saving the day.

Re:Cover your eyes

[Dumnezeu]

No, it can't. Well technically, it can be exploited, but IE runs sandboxed in Win 7 so the exploiter can't really do much.

Re:Cover your eyes

[SSpade]

Windows 7 can still be targeted by a IE bug that's been in place since IE6. Safari doesn't have zero day bugs *that* old

How would you know? Zero-day means a non-public exploit.

Safari was released in early 2003.

Internet Explorer 6 was released in August 2001.

So the unfixed Internet Explorer bugs have been around quite a bit longer than Safari has. So Safari is unlikely have any bugs older than this IE bug, zero-day or otherwise.

(OK, there could be crusty KHTML era bugs left in the Safari code-base, but there's not much of that code left untouched)

Re:Cover your eyes

[Erikderzweite]

Vupen Security has confirmed code execution on IE7 and IE8 as well, even in sandboxed mode.

Re:Cover your eyes

[amicusNYCL]

Windows 7 can still be targeted by a IE bug that's been in place since IE6. Safari doesn't have zero day bugs *that* old

Regardless of whether or not your statement about IE in Windows 7 is accurate, that doesn't have anything to do with an update for OSX somehow implying that OSX is less secure than it was yesterday.

Re:Cover your eyes

[jo_ham]

But it is.

And patching vulnerabilities that are found just makes it more so.

Sorry, what was your point again?

Re:Cover your eyes

[recoiledsnake]

Link?

Re:Cover your eyes

[tacarat]

Saying that OSX is less secure due to these vulnerabilities is how MS said that Linux was less secure than windows. These aren't OS vulnerabilities, they're application vulnerabilities (well, for the programs I recognize as a non-Mac person). The OS itself is fine. The trick is, of course, that some of these things are included practically by default. So as we wouldn't count a problem with notepad as a Windows OS issue, so we shouldn't count ones for other OS's non-essential programs.

That's not to say that Mac users have free license to ignore proper security practices. Trojans, poor/shared passwords and not updating their software can leave them as vulnerable, if less targeted, than PC users. Given that one of the problems is with flash (and the fix is as simple as an update), I wonder if there's a good enough of a target out there for hacking Mac WOW players through flash ads hijacks.

Before you flame, I will say that if you're on /. and a Mac lover, I sincerely doubt you're one of the problem kids for updates on most any system you control.

Re:Cover your eyes

[h4rr4r]

Could it use/harvest saved passwords? Open new browser tabs? Launch perhaps an app that would run the escalation exploit from this morning?

Re:Cover your eyes

[e2d2]

LOL, ok now i get it. OP's point was valid. IE6 really does have bugs in the wild that are older than firefox itself. Mozilla is pretty old so that would be possible, but not FF technically.

Re:Cover your eyes

[Tim+C]

Not in the default configuration it can't.

Re:Cover your eyes

[Erikderzweite]

http://www.vupen.com/english/advisories/2010/0135

Re:Cover your eyes

[amicusNYCL]

Meanwhile, I go home at night and surf with impunity on my Mac running OS X, just like I've done for the last 8 years.

You think you're the only one? My machine at home runs an unpatched version of XP SP3 (legally licensed, I just don't really bother to update it). I don't run a virus scanner, nor a software firewall, nor a memory-resident malware scanner. My current machine has never been infected (~2 years or so, since Crysis). My machine before that (same config) got infected once, when my roommate was porn browsing in IE.

The point? You don't need to run something other than Windows if you want to avoid infection, you just need to use your computer intelligently. It seems like you're saying that OSX is the platform for people to be as stupid as they want and still manage to avoid infection. That, my friend, is changing (as evidenced by the 7 patched vulnerabilities in Flash player).

Re:Cover your eyes

[TrancePhreak]

The pwn2own contest would say otherwise. Mac is usually the first to go down.

Re:Cover your eyes

[chentiangemalc]

With default Windows 7 settings, the current exploit doesn't work. IE8 in XP without DEP protection. It CAN theoritically be expolited with DEP but haven't seen any current exploits that work around DEP protection. Also running with non-admin privileges (recommended, and default in vista & windows 7) reduces the attack surface (i.e. backdoors can't be installed without taking advantage of some other vunerability) so the IE vunerability is a bit overblown, following good security practices (which are default in vista & windows 7) already prevent the known attacks.

Re:Cover your eyes

[EvanED]

So as we wouldn't count a problem with notepad as a Windows OS issue, so we shouldn't count ones for other OS's non-essential programs.

Not saying you're in this group, but a lot of people around here have no problem counting IE vulnerabilities against Windows.

Re:Cover your eyes

[Capt.DrumkenBum]

There are 2 computers sitting on a table one costs $1199, and the other costs $729. Which are you going to try to hack?
$1199 = Cheepest MacBook Pro.
$729 = Dell Vostro with comparable specs.

Re:Cover your eyes

[daveime]

that doesn't have anything to do with an update for OSX somehow implying that OSX is less secure than it was yesterday

What kind of fanboi drivel is this ?

They've just patched 12 serious vulnerabilities, how could it NOT be less secure yesterday before the patch than it is now after the patch ?

Re:Cover your eyes

[amicusNYCL]

That's exactly my point - read the first post in the thread and my reply. Someone responded to that with a non-sequitor about IE and you saw my reply. The original poster seemed to imply that Apple releasing an update somehow decreased the perceived security of OSX.

"Fanboi", huh? Exactly which company do you think I'm a huge fan of?

Re:Cover your eyes

[shutdown+-p+now]

So as we wouldn't count a problem with notepad as a Windows OS issue, so we shouldn't count ones for other OS's non-essential programs.

So far as I have seen, problems with user-space components such as Notepad are indeed counted as Windows issues. Which makes perfect sense, since Notepad is present out of the box, and the box says "Windows" on it.

Similarly, OpenBSD has a fork of Apache 1.3 in their base system. If a vulnerability is found in that, then surely it's an OpenBSD vulnerability (hence the difference between base system and ports).

If Apple ships Flash plugin that way, then they have to deal with any security issues that may cause.

Re:Cover your eyes

[shutdown+-p+now]

His point is that you can't take a Windows vulnerability, and write a /. comment around it that basically amounts to "and that's why Windows security sucks", but when a similar vulnerability is found in OS X, write another /. comment around it that amounts to "well, shit happens, but anyway, now it's even more secure than ever" - it's hypocritical. Either both vulnerabilities indicate systemic problems, or neither one does.

Re:Cover your eyes

[prockcore]

You hack whichever's easiest, considering pwn2own had $10k cash prizes.

Re:Cover your eyes

It's only secure until its cracked.

Re:Cover your eyes

[daveime]

You *have* to be a fanboi to post here ... you must take a side, there is no fence-sitting allowed on Slashdot.

You can take the "M$ sucks" route for infinite karma heaven, or the "A$$le sucks" route for instant karma hell. The "Linux (no dollar sign of course, this is FOSS) sucks" route simply leads to much debate and handwringing, with unknown karma effects ... look on that path as something like Buddhism.

Where we go from here, that's a choice I leave up to you. (oblig. Matrix reference)

Can we get this stickied ? Oh, damnit, I thought we were on a forum for a minute :-(

Re:Cover your eyes

[jo_ham]

Well, it really depends *who* says it - the marketing departments at MS and Apple both tout "OS X/Windows is more secure than ever" - from a marketing standpoint they obviously aren't going to say anything else. From a certain perspective both are true - both Windows and OS X are more secure than ever, since they have been patched up - whether there are still a thousand other holes doesn't really change that, it just infers that there are no other problems which is where it gets muddy.

The GP's original point, I believe, was to totally discount that OS X is secure/more secure than Windows because of these patched vulnerabilities. No one is really claiming that there won;t be vulnerabilities found, but it doesn't negate a claim that the OS itself is pretty good when it comes to security. Not immune, and not perfect, but not bad.

While we're on it of course, I do take issue with the headline. "Massive Holes" really isn't accurate - at least, not in the context of other security updates. These are no better or worse than other security holes that have been fixed in OS X before, but the summary and headline dress it up like they just discovered that half the fence was missing and your troops are giving free bagels to the enemy as they usher them in through the gaps.

It is good that critical flaws are being corrected though, regardless of how they are reported.

Re:Cover your eyes

[DJRumpy]

Massive Holes? I wouldn't consider any of these critical vulnerabilities, except for the ever so popular Flash sponge.

* CoreAudio (CVE-2010-0036) -- A buffer overflow exists in the handling of mp4 audio files. Playing a maliciously crafted mp4 audio file may lead to an unexpected application termination or arbitrary code execution.
            Seems this could crash your audio player.

* CUPS (CVE-2009-3553) -- A use-after-free issue exists in cupsd. By issuing a maliciously crafted get-printer-jobs request, an attacker may cause a remote denial of service. This is mitigated through the automatic restart of cupsd after its termination.
            A remote attacker may cause an unexpected application termination of cupsd. I don't see this happening on a home network, and unlikely on a firewalled work network. In any case, an irritant and nothing more.

* Flash Player plug-in (7 vulnerabilities) -- Multiple issues exist in the Adobe Flash Player plug-in, the most serious of which may lead to arbitrary code execution when viewing a maliciously crafted web site. The issues are addressed by updating the Flash Player plug-in to version 10.0.42.
            This one unfortunately is serious. Its also due to a flaw in the Adobe Flash Player plug-in.

* ImageIO (CVE-2009-2285) -- A buffer underflow exists in ImageIO's handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution.
            Crashes your Preview or whatever image viewing app your using.

* Image RAW (CVE-2010-0037) -- A buffer overflow exists in Image RAW's handling of DNG images. Viewing a maliciously crafted DNG image may lead to an unexpected application termination or arbitrary code execution.
            I seriously had to look this one up. DNG is apparently an Adobe raw image format. I don't see this one as massive either.

* OpenSSL (CVE-2009-3555) -- A man-in-the-middle vulnerability exists in the SSL and TLS protocols. A change to the renegotiation protocol is underway within the IETF. This update disables renegotiation in OpenSSL as a preventive security measure. The issue does not affect services using Secure Transport as it does not support renegotiation.
            This one appears to affect everyone, from OS X, to Windows, to Apache: The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.

Re:Cover your eyes

[mystikkman]

That doesn't say anything about sandboxing or DEP, like you claimed it would "confirm", got any more references to back up your claim?

Re:Cover your eyes

[shutdown+-p+now]

The GP's original point, I believe, was to totally discount that OS X is secure/more secure than Windows because of these patched vulnerabilities.

Yes, and GGP's original point was that the original assertion that OS X is more secure than Windows is based on precisely such Slashdot stories as this one.

Re:Cover your eyes

[TiberiusMonkey]

To be fair MS themselves used to make a big deal out of claiming that IE was Windows and they couldn't be separated. That not being true didn't stop them.

Re:Cover your eyes

[AHuxley]

One off professional solutions for a cash prize by a ex NSA worker.
Where are the in the wild hacks?
Where are the step by step scripts and FAQ's for setting up a Mac trap?
We have one very very very smart person showing up with a prize to win at this time.

Re:Cover your eyes

Seems to me that removing flash would remove the exposure. On a side note, if you don't run a virus scanner, how do you know if your PC is infected, other than the obvious crash symptoms? I seriously doubt a Mac would be infected just by browsing a porn site while it's almost a given on XP.

Re:Cover your eyes

[amicusNYCL]

Hmm.. I used to hate Microsoft, back when I had to develop for IE6, but with steps in the right direction for IE8 and Windows 7 I'm feeling less hatred and more optimism. I used to have not much of an opinion on Apple, but now I think Apple is my most hated company (somehow they overtook Sony). Google is sort of like a fun uncle who always comes over bringing gifts, but you're not sure if he just does that because he wants to molest you. I gave up on Linux after a terrible experience trying to install Debian many years ago, but now I've got my little EeePC with Xandros which has never done me wrong.

I'm not sure where that leaves me..

Wait, I know: I'm an Opera fanboy! I can live with that.

Re:Cover your eyes

[mystikkman]

Why not just hear it from the horse's mouth?

From http://blogs.zdnet.com/security/?p=2941

Why Safari? Why didn’t you go after IE or Safari?

It’s really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don’t do. Hacking into Macs is so much easier. You don’t have to jump through hoops and deal with all the anti-exploit mitigations you’d find in Windows.

It’s more about the operating system than the (target) program. Firefox on Mac is pretty easy too. The underlying OS doesn’t have anti-exploit stuff built into it.

With my Safari exploit, I put the code into a process and I know exactly where it’s going to be. There’s no randomization. I know when I jump there, the code is there and I can execute it there. On Windows, the code might show up but I don’t know where it is. Even if I get to the code, it’s not executable. Those are two hurdles that Macs don’t have.

It’s clear that all three browsers (Safari, IE and Firefox) have bugs. Code execution holes everywhere. But that’s only half the equation. The other half is exploiting it. There’s almost no hurdle to jump through on Mac OS X.

Re:Cover your eyes

[DJRumpy]

You mean the one with cheaper/slower celeron with less L2 cache, slower DDR2 800 Mhz memory, a cheaper/slower integrated graphics solution, no firewire, a cheaper battery, mono audio speaker, VGA Out Only, no bluetooth standard, no Cam standard, and no optical digital audio output?

Comparable specs?

Re:Cover your eyes

[TwiztidK]

Over the past few years I've met several people who claim to run XP without any anti-malware or firewall and never have any issues as they only browse websites they trust. I can't say I'm an expert as far as computer security goes, but I have heard reports of numerous sites, even those many people trust, being compromised and loading malware or exploiting code on people who visit them.

The point? You're not "us[ing] your computer intelligently" if you don't use any run some sort of security software just as a precaution.

Re:Cover your eyes

[amicusNYCL]

how do you know if your PC is infected

That's a good point, most of the time I don't have a reason to believe that but if I suspect something funny is going on I'll fire up Malwarebytes or something like that to check on it. I've got one or two anti-malware programs installed, I just run them on an as-needed basis instead of constantly scanning.

Re:Cover your eyes

[amicusNYCL]

The point? You're not "us[ing] your computer intelligently" if you don't use any run some sort of security software just as a precaution.

That's a good point.

I'm not saying I only browse sites I trust (porn certainly needs to be watched occasionally), but when I'm browsing I'm using either Opera or Chrome, neither of which seem to get targeted. Not using IE (for anything) is actually the #1 security tip I can give to any Windows user. The only time I'll ever run IE is when I'm developing a site in Opera and I want to test it. I've got a toolbar button to open the current page in IE so it doesn't even need to go to its home page or anywhere else, it goes to the one page I'm working on and that's it, and then I close it. My days of downloading pirated material are also behind me, so that also probably had a significant impact on the average time between infections.

That being said, I'm feeling that with the increased focus on Flash player vulnerabilities, and my complete lack of faith in Adobe, that my days of browsing without explicit protection will be coming to an end relatively soon.

Re:Cover your eyes

[Thinboy00]

I just RTFA'd; when I was reading I said to myself "there are holes in SSL and TLS? WTF when did this happen?! Why didn't I hear about it anywhere?"

Re:Cover your eyes

That's nice. And out of date. OS X does memory address randomization, and supports to NX bit.

Re:Cover your eyes

[DJRumpy]

This is actually a valid complaint, although this link is actually referring to hacking done under Leopard, not Snow Leopard. Snow Leopard is still missing a full implementation of ASLR, and that leaves it vulnerable to some exploits.

Vista was the first Windows OS to implement ASLR, and it was assumed that Snow Leopard would do the same, but that didn't happen, or at least not fully. They have prevented 'data' from being executed as arbitrary code (DEP), but they still don't randomize all of the OS components. Only some key pieces, but not all.

Re:Cover your eyes

[The+End+Of+Days]

You casually dismissed three vulnerabilities that could lead to arbitrary code execution, two of which live in OSX system libraries. I'm not too sure you're being objective. The other possibility: you are talking straight out your ass.

I guess my question is which is it?

Re:Cover your eyes

[TheRaven64]

Because Safari hasn't been around that long. Even if it contained but that were exploitable since Safari 1.0, it still wouldn't have any vulnerabilities that went unpatched for as long as the one in IE.

Re:Cover your eyes

[TheRaven64]

Well, except get access to the authentication credentials for my Internet banking site and transfer all of my money to a numbered Swiss account as soon as I log in. Good thing it can't get at my Freecell high scores though...

Re:Cover your eyes

[TiberiusMonkey]

That should read *IE was an integral part of Windows*, sorry.

Re:Cover your eyes

[Lars+T.]

The pwn2own contest would say otherwise. Mac is usually the first to go down.

Because for pwn2own you need a zero-day exploit - how high are the chances to find a 0day for Windows and nobody else having it out in the wild until that one day in the year of pwn2own? OTOH, Charlie Miller was sitting on his last winner for over a year, and nobody else found that exploit during that year.

Re:Cover your eyes

[DJRumpy]

Not at all. Your only looking at the end result as evaluating risk from that, and not the vector of infection.

The flash update wasn't 'dismissed' and I noted it was a serious issue, but the fault lies with Flash. It is an abomination.

The MP4 vulnerability would require someone actually get their hands on a specifically crafted MP4. The typical user either creates their own MP4's from their own audio CD's, or downloads them from iTunes on a Mac. If they are getting them from seedy sources, then they pretty much get what they deserve

The last one I wouldn't consider a huge risk simply for the fact that I had never heard of the format. It would require someone that works with raw image data who happens to get an Adobe DNG image that has this vulnerability. This isn't like some drive by hijacking. I don't see this as a likely path to infection.

Re:Cover your eyes

[Piquan]

That's how most MP4s come into existence. But an MP4 (or a TIFF for that matter) can be put up onto a webpage by an attacker, and rendered by the browser without the user needing to explicitly download and run it. If visiting a maliciously-crafted website can lead to arbitrary code execution, I'd say there's a serious problem. (I haven't investigated the particular flaws closely enough to tell if that is the case. However, based on the advisory, it seems quite likely.)

Re:Cover your eyes

[JDeane]

I ran into a machine about two weeks back. The only obvious symptom was that when I tried to run Spybot the program would just close. This machine was stable and fast too.... really scary stuff some of the new crap. Then I took a peek at the AVG they where running, all up to date on version 8 point something (I use AVG too and knew that version 9 had already come out so this was messed up too the spyware or what ever it was had even taken over AVG lol)

I finally used an old trick of renaming the .exe for Spybot and it ran fine then and even recognized the infection although it could not clean it at least it gave me a name to google and removal instructions.

This infection came from Limewire so I can't blame XP or IE for this one, it was all user ignorance (not stupidity just not aware of file sizes and how bad something.mp3.exe can be lol)

So I guess the moral of the story on this one is that with the new stuff you might be infected and not even know it, and user security is even more vital then any other type.

Re:Cover your eyes

[JDeane]

Opera and a good hosts file can go a long way in keeping the riff raff off your system.

http://www.mvps.org/winhelp2002/hosts.htm

Its not security by itself but I find it combined with some other stuff really helps (I install this little thing on almost every machine I get my hands on, even an out dated version is better then nothing)

A cool side benefit of this hosts file is that it blocks a lot of ads (I guess by extension a lot of ads possibly loaded by compromised web pages?)

Re:Cover your eyes

[w0mprat]

These aren't OS vulnerabilities, they're application vulnerabilities (well, for the programs I recognize as a non-Mac person). The OS itself is fine. The trick is, of course, that some of these things are included practically by default. So as we wouldn't count a problem with notepad as a Windows OS issue, so we shouldn't count ones for other OS's non-essential programs.

Disagree.. a bit. If notepad is included by default on Windows (and is seldom removed/disabled from installations) then for all practical purposes it is part of the OS.

The same must apply to the standard apps with any OS distribution package.

Such default bundled applications are all attack surface area.

Saying that OSX is less secure due to these vulnerabilities is how MS said that Linux was less secure than windows.

Agree. Linux security is difficult to quantify, thus too easy for Microsoft to spread FUD. Linux is a collection of open source projects from all over the place (who calls the kernel one project?). Security can vary greatly from one package to the next, and vary between distros depending on the selection. MS naturally overlook the impressively hardened distro's out there, and look for examples in the more slack projects.

Re:Cover your eyes

[Hucko]

Your #1 tip should be #2. #1 should be IMMEDIATELY password protect all accounts with a strong password, which is the default tip for all OSes (Can someone tell me if any semi-mainstream OS can do passphrases or common non-alphanumeric characters? Passphrases seem to be easier to remember than passwords.)

Re:Cover your eyes

[Gr8Apes]

Unfortunately for you and MS, the core DLLs at the root of many of "IE"'s vulnerabilities are actually "core" pieces of the OS and can and are, in fact, exercised by other applications as well. "Uninstalling" IE, or never installing it, still results in an OS with these DLLs in place.

So yes, IE vulnerabilities ARE part of the MS OS vulnerabilities, but trust me, these are the least of MS's problems. The core issue is that the OS was "designed", if you could call it that, by the equivalent of 8th graders from a security stand point, and that might be unfairly insulting 8th graders. The OS is completely backwards in its outlook on security compared to any modern in use OS. It runs on a highest privileged token, which is "masked" or "filtered" in an effort to give "least privileges". You then "elevate" yourself by removing these privileges. Why is this a problem? If you need to do anything important, like, say, change passwords of users, then your process must run with that privilege all the time. So any flaw anywhere can be exploited to expose that privilege. In the newest version of 2008 R2 most of the token manipulation routines have been "broken" regarding any meaningful elevation, thus forcing this wrong-headed approach down your throat. Unless, of course, you don't mind injecting code into some random DLL that runs as "SYSTEM" somewhere.

Compare that with *nix for example, where your process runs with no privileges, so a flaw has no privileges when exploited... and you can see why security people that actually know anything RUN from an MS installation.

Re:Cover your eyes

[EvanED]

Unfortunately for you and MS, the core DLLs at the root of many of "IE"'s vulnerabilities are actually "core" pieces of the OS and can and are, in fact, exercised by other applications as well. "Uninstalling" IE, or never installing it, still results in an OS with these DLLs in place.

That depends on what you mean by "the OS". As far as I'm concerned, IE is less a part of "the OS" than, say, KDE or Gnome is on Linux (or at least Qt and GTK). At least one of libraries are more core to 99% of Linux users than the IE DLLs are to Windows users.

The rest of your post is a bit of a red herring; I made no statement regarding the overall security model of Windows.

Re:Cover your eyes

[tacarat]

So as we wouldn't count a problem with notepad as a Windows OS issue, so we shouldn't count ones for other OS's non-essential programs.

Not saying you're in this group, but a lot of people around here have no problem counting IE vulnerabilities against Windows.

Actually, I'm with this group. MS made IE "part" of Windows, good choice or not. Any problems it has becomes an OS problem by their own design.

This is one reason I wonder if Tinycore Linux may be one of the more secure flavors out there. A minimal distribution at initial install and you pretty much have to add any sort of functionality beyond hardware setup, the GUI and some basic utilities (thankfully including an application manager/downloader). I love playing with distros, but if you install full gnome/kde suites and such, that's a lot of potential bugs. Open or closed source, a 10Meg distro is probably easier to audit by smaller groups, possibly even by a single person who really loves what they're doing. Not having apps until you install them helps reduce the "out-of-sight, out-of-mind" or endless list of new updates you can get with more robust operating systems.

Re:Cover your eyes

[tacarat]

Yep, and that's the trick. At the very least OSS models do allow for distros to fix the software they ship themselves. I'd only give a group a pass on that if they can't fix the code themselves. In this case, one might consider Linux, BSD and other OSS based operating systems to be held to a higher standard than the traditional closed source project. It's broken AND you can fix it. Things like that are why some distros make me want to slam my head against a wall. Why are there 20 versions of notepad? Pick one, maintain it and we can install something else ourselves if it suits our needs.

Vi and Emacs would be an exception to that...

Re:Cover your eyes

[EvanED]

Actually, I'm with this group. MS made IE "part" of Windows, good choice or not.

I'll agree with you through XP... but it's not really part of windows, not any more. Not any more than Notepad.

Re:Cover your eyes

[tacarat]

I mentioned it in a previous post, but I'm having some fun with Tinycore linux for that reason. There's practically nothing installed from the get go. A 10meg OS floating around in 2g of laptop RAM is rather fun. Now I just need time to configure it for WINE and see how my games work on it. I wonder how it stacks up against hardened distros for basic security.

Re:Cover your eyes

You hack whichever's easiest, considering pwn2own had $10k cash prizes.

Since you're talking pwn2own, then hack the Mac, since it's easiest.

No I'm not trolling, go read the last few contest details, the guy that won it said it first.

Re:Cover your eyes

[tacarat]

Funny you mention that. I used to hit my systems with 98lite and what have you, but around XP I just deleted the icons and had foxfire/firefox take it's spot. It didn't occur to me to even see if I could uninstall IE from my current W7 system...
Something to ponder for later on.

Re:Cover your eyes

A buffer overflow exists in the handling of mp4 audio files. Playing a maliciously crafted mp4 audio file may lead to an unexpected application termination or arbitrary code execution.
                        Seems this could crash your audio player.

Or execute arbitrary code. Like something that installs a rootkit, or wipes your hard disk, or uploads your password files, etc.

handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution.
                        Crashes your Preview or whatever image viewing app your using.

Or executes arbitrary code. Like something that... well I'm repeating myself now.

A buffer overflow exists in Image RAW's handling of DNG images. Viewing a maliciously crafted DNG image may lead to an unexpected application termination or arbitrary code execution.
                        I seriously had to look this one up. DNG is apparently an Adobe raw image format. I don't see this one as massive either.

Sigh.
Do you really have that much trouble with reading comprehension?
Let me explain a little. You go online and visit a web site. Embedded in that site is a TIFF or DNG, or maybe you grab a mp4 off a torrent or a warez site. Boom, thankyou, now you're exploited. This type of vulnerability is how the guys at the pwn2own contest keep cracking into Mac (and Windows, and Linux).

I think people would be a little less cavalier about the whole "safe Mac" image if Apple didn't spend so much time and money promoting Macs as 'virus free'. Seriously, when was the last time there was a big issue with a Worm on any platform? It's just not the MO of most malware these days to self-propegate. These days the standard MO is to drop a rootkit and join into a botnet, and do its best not to cause problems on the system or network. While I'll admit the Mac is still more secure against true Viruses, that's such a small part of what's out there to ruin your day that Apple deserves to be called out for it.

And just for the record, I own a couple Macs myself; not a fanboy, and not a hater, of any OS.

Re:Cover your eyes

[IntlHarvester]

You are overlooking that Safari considers certain filetypes "safe" (including MP4, not sure about TIFF or DNG) and opens them by default. Its quite possible these vulnerabilities could be rigged to "drive by" a casual web surfer with no user interaction.

Furthermore Finder has a preview function which is activated by simply single-clicking on a file, which could be another vector to attack an 'innocent' user.

Re:Cover your eyes

[EvanED]

It didn't occur to me to even see if I could uninstall IE from my current W7 system...

You probably can't uninstall IE in the sense that you want (then again, you probably can't uninstall Notepad either). I guess I wasn't being entirely fair, because the IE DLLs* are actually somewhat vital to the system: at the very least, for rendering help files.

That said, I think that might be all; in particular, the IE and Windows Explorer processes are definitely not tied together like they used to be. (This is true starting with Vista, and maybe even XP SP3, I can't check that easily at all.)

* More precisely, the MSHTML DLLs, which are used by IE and other programs

Re:Cover your eyes

That depends on what you mean by "the OS". As far as I'm concerned, IE is less a part of "the OS" than, say, KDE or Gnome is on Linux (or at least Qt and GTK). At least one of libraries are more core to 99% of Linux users than the IE DLLs are to Windows users.

is anyone really disputing that IE, GTK, or Qt may/mat not be part the OS that ships them?

Re:Cover your eyes

[cbhacking]

While there is a bug in IE8, including the Win7 implementation, none of the stuff I've seen regarding it says that IE8 on Win7 is vulnerable. They managed to exploit IE8 on XP by working around DEP, but made no mention of ASLR, which is a feature that makes DEP work-arounds vastly harder and is found on Vista and up. Additionally, they made no mention of Protected Mode, the process-level sandboxing that is used by IE on Vista and up (requires UAC to be enabled).

You have absolutely no evidence whatsoever that there isn't some vulnerable code in OS X that hasn't been around at least that long; the very nature of a 0-day bug is that the exploit comes out before the vulnerability is known.

Re:Cover your eyes

[cbhacking]

For IE on Windows Vista or Win7 to do anything to the system, the user would also need to authorize the action. In fact, two levels of authorization would be needed: one to break out of the Protected Mode sandbox (normally, IE can't write anywhere on the file system outside a special "low integrity" folder, from which you can't execute any code). Second, the user would need to authorize Administrative permissions for writing to system files/folders/registry keys.

The fact that IE8 has a vulnerability doesn't mean that vulnerability can be exploited against an OS with modern security features and a user with even the vaguest hint of good sense.

Re:Cover your eyes

OS X still doesn't provide a complete ASLR implementation.

Re:Cover your eyes

[cbhacking]

Probably, since the browser has access to those anyhow.
Easily; you can do that with a bit of Javascript.
Nope. The Protected Mode (low-integrity process) sandbox prohibits the application IE from starting a different application. There is a way around it, of course, for things like when you download a .doc file and want to view it immediately rather than saving it. However, this presents the user with a warning prompt.

Re:Cover your eyes

You seem to be ignoring all the parts that say arbitrary code execution.

Re:Cover your eyes

[cbhacking]

Yep. Also, don't forget P2P programs - if your audio codec is vulnerable, somebody could put up a .m4a file on BitTorrent or whatever P2P system is used these days, and it could easily get spread around.

"Playing a maliciously crafted mp4 audio file may lead to an unexpected application termination or arbitrary code execution."
Emphasis added. This isn't a "crash iTunes" bug, this is a "copy all your local files + browser history to attacker, then turn your computer into a spambot" bug.

Re:Cover your eyes

[cbhacking]

Opera and Chrome have both had security issues, although admittedly they weren't widely targeted. On the other hand, both use the Flash plugin and whatever PDF viewer you have installed, so things like the Acrobat Reader exploit (malicious PDF) that's going around will work just fine. In fact, since Opera doesn't include application-level sandboxing (the way IE and Chrome do on Vista/Win7) there's actually one less layer of security to breach.

Re:Cover your eyes

[toadlife]

IE6 (to Safari): "Get off my lawn before I render you like a standards compliant style sheet! I've got bugs older than you!"

Re:Cover your eyes

[k.a.f.]

The pwn2own contest would say otherwise. Mac is usually the first to go down.

Because for pwn2own you need a zero-day exploit - how high are the chances to find a 0day for Windows and nobody else having it out in the wild until that one day in the year of pwn2own? OTOH, Charlie Miller was sitting on his last winner for over a year, and nobody else found that exploit during that year.

...that you know of.

Re:Cover your eyes

[mwvdlee]

This infection came from Limewire so I can't blame XP or IE for this one, it was all user ignorance (not stupidity just not aware of file sizes and how bad something.mp3.exe can be lol)

It IS stupidity, just not on the part of the user. It's the OS's stupid decission to not show file extensions by default. It's one of the first options I change on every Windows install. If other OS's hide file extensions too, they are equally stupid.

Re:Cover your eyes

[mwvdlee]

Regardless of whether or not your statement about IE in Windows 7 is accurate, that doesn't have anything to do with an update for OSX somehow implying that OSX is less secure than it was yesterday.

You're right.
It wasn't secure yesterday either, you just thought it was.

Re:Cover your eyes

The last one I wouldn't consider a huge risk simply for the fact that I had never heard of the format. It would require someone that works with raw image data who happens to get an Adobe DNG image that has this vulnerability. This isn't like some drive by hijacking. I don't see this as a likely path to infection.

Anyone who works in RAW image files would've heard of DNG. It's the default RAW format for a few cameras and it's the only fully open RAW specification I can recall. It's very easy to create a DNG, you don't need to work with raw image data (Adobe has a RAW file to DNG converter, and the specification is open).

Further still DNG is a derivative of the TIFF specification, so a vulnerability in the latter may arise from a vulnerability in the former.

Don't forget, just because you haven't heard of DNG, doesn't mean someone couldn't get you to download a DNG. The weakest link in a security chain is almost always the humans.

Re:Cover your eyes

[Dumnezeu]

Are you sure? Each browsing instance runs as its own process and AFAIK each process is sandboxed individually. That means cross-tabs access is still blocked. Correct me if I'm wrong.

^ And this, dear children, is the reason we should all be pushing for open-source; if IE were open-source, I wouldn't need to ask that question, I would just look over its source code

Re:Cover your eyes

[L4t3r4lu5]

Sounds like you Apple folk need real-time virus protection after all.

Sucks, doesn't it?

Re:Cover your eyes

[mdwh2]

None of the malware-infested machines I have cleaned up in the last few days were running OS X, just Windows.

I bet none of them were running AmigaOS, either.

Meanwhile, I go home at night and surf with impunity on my Mac running OS X, just like I've done for the last 8 years.

Meanwhile, I go home at night and surf with impunity on my computer running Windows, just like I've done for the last 10 years.

Re:Cover your eyes

[mdwh2]

If a computer is secure - as you claim - it shouldn't matter what most people try to hack.

Re:Cover your eyes

[Lars+T.]

OTOH, Charlie Miller was sitting on his last winner for over a year, and nobody else found that exploit during that year.

...that you know of.

That the judges of pwn2own know of. And nothing has appeared in the wild before or after - that the whole world knows of.

Re:Cover your eyes

[mdwh2]

Brilliant. Just brilliant. I always marvel at how Apple PC fans can twist and spin a bad point into a good point, even when the same argument is used as a bad point against PCs.

Next time there's an article about patches for Windows, and Apple fans are falling over themselves to get first post with the "Look how insecure it is" comments, I'll be sure to post your comment, and get +4 informative too.

Consider, Windows seems to have had far more patches than OS X, or so Apple fans tell us - so by your logic, it must be far more secure, right?

Re:Cover your eyes

[Gr8Apes]

I think you're missing the point - a large amount of the functionality of IE was moved into system DLLs, to make IE part of the OS proper during MS's claims that you couldn't remove IE.

Due to the incredible genius and well-disciplined engineering that comprises MS, that functionality became interdependent with other functionality that is part of the OS. So, in a way, MS was right, IE cannot be fully removed from the OS anymore without seriously reworking pieces of their architecture.

The rest of the post describes why this is a major problem due to MS's architecturally flawed security.

Re:Cover your eyes

[jo_ham]

Who said I didn't think patching Windows holes was a good thing, because it is.

Look, just because I like Apple doesn't mean I'm some rabid fanboy who won;t accept that other OSes might actually have redeeming qualities. As it stands now, while both Windows and Mac are more secure than they have been before, by virtue of patching holes, OS X is ahead - mainly because it is easier to start again as they did with OS X than it is to keep building on top of their old code. The are advantages and disadvantages to both approaches.

I fail to see how you can suggest that patching 6 vulnerabilities in an OS is a "bad point". I don't consider Windows patches to be a bad point either - the sooner it gets rid of security issues the better.

Re:Cover your eyes

[twoHats]

As a Linux person (and a techy geek) I am often asked to help my less fortunate brethren and sisteren with their broken systems. The latest was the young woman who could no longer play the music she had paid for because of an automatic update to iTunes. It only took a couple of hours of my time (not to mention hers) to get her back to the version that actually played music. Turned out to be a dependency that was not met in the form of a library.

OK! Who the hell does an update without checking dependencies? How do we now trust Apple to do updates correctly, including this one?

btw - this is on a macbook that has had wifi problems since it was new, known to Apple but never fixed. I think Apple has lost a fan in this young woman. Having been around since the beginning, i wasn't too surprised.

Re:Cover your eyes

[amicusNYCL]

Acrobat Reader most definitely does not have a home on any of my machines.

Re:Cover your eyes

[amicusNYCL]

Yes, that's right. Personally, I don't really care enough about OSX to think about its security, but the point was that releasing an update does not make a piece of software less secure (unless obviously the update contains vulnerabilities).

Re:Cover your eyes

[JDeane]

I would have known something was up since very rarely are mp3 files like 4Kb (I forget the exact size but it was truely tiny)

I agree everyone should change viewing to show all extensions it just makes things much safer. Especialy if your downloading stuff... first rule of the open sea's a pirate should learn "Trust nothing and no one"

Re:Cover your eyes

[toddestan]

He probably meant a Latitude. While it's true that you can throw in a enough crap to make the low end Vostro cost $700+, for that money you're much better off buying a Latitude (or a Thinkpad...) which compares better.

Re:Cover your eyes

[mindstrm]

I'm fairly certain any file I've saved, from safari at least, the first time it's opened, I get a warning saying "This is the first time this file downloaded from the internet has been opened - are you sure you want to proceed"

Re:Cover your eyes

[IntlHarvester]

The warning only appears for applications and certain filetypes like HTML. I have never seen appear for anything that opens in iTunes or Preview.

Re:Cover your eyes

Um, sorry, but in their anti-trust trial Microsoft themselves said IE was an essential portion of the OS.

Re:Cover your eyes

[EvanED]

Because I'm sure MS hasn't done anything to the codebase in the last decade...

(Hint: The place where I consider them separated begins with Vista, when Windows Explorer would no longer host the IE renderer.)

Twelve?

[Spyware23]

Apple's own security update page (http://support.apple.com/kb/HT4004) lists these six, where did Threatpost author get the number 12 from?:

Security Update 2010-001

*

CoreAudio

CVE-ID: CVE-2010-0036

Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2, Mac OS X Server v10.6.2

Impact: Playing a maliciously crafted mp4 audio file may lead to an unexpected application termination or arbitrary code execution

Description: A buffer overflow exists in the handling of mp4 audio files. Playing a maliciously crafted mp4 audio file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. Credit to Tobias Klein of trapkit.de for reporting this issue.

*

CUPS

CVE-ID: CVE-2009-3553

Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2, Mac OS X Server v10.6.2

Impact: A remote attacker may cause an unexpected application termination of cupsd

Description: A use-after-free issue exists in cupsd. By issuing a maliciously crafted get-printer-jobs request, an attacker may cause a remote denial of service. This is mitigated through the automatic restart of cupsd after its termination. This issue is addressed through improved connection use tracking.

*

Flash Player plug-in

CVE-ID: CVE-2009-3794, CVE-2009-3796, CVE-2009-3797, CVE-2009-3798, CVE-2009-3799, CVE-2009-3800, CVE-2009-3951

Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2, Mac OS X Server v10.6.2

Impact: Multiple vulnerabilities in Adobe Flash Player plug-in

Description: Multiple issues exist in the Adobe Flash Player plug-in, the most serious of which may lead to arbitrary code execution when viewing a maliciously crafted web site. The issues are addressed by updating the Flash Player plug-in to version 10.0.42. Further information is available via the Adobe web site at http://www.adobe.com/support/security/bulletins/apsb09-19.html Credit to an anonymous researcher and Damian Put working with TippingPoints Zero Day Initiative, Bing Liu of Fortinet's FortiGuard Global Security Research Team, Will Dormann of CERT, Manuel Caballero and Microsoft Vulnerability Research (MSVR).

*

ImageIO

CVE-ID: CVE-2009-2285

Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8

Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution

Description: A buffer underflow exists in ImageIO's handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.2.

*

Image RAW

CVE-ID

Re:Twelve?

[mjschultz]

Apple's own security update page (http://support.apple.com/kb/HT4004) lists these six, where did Threatpost author get the number 12 from?

The Flash update is actually 7 vulnerabilities.

Re:Twelve?

From the article: "Flash Player plug-in (7 vulnerabilities)"

7 + 5 = 12

Re:Twelve?

There are 12 different CVE's, representing 12 unique vulnerabilities.

Therefore, there are 7 unique vulns fixed in the one Flash Advisory

Re:Twelve?

[Graff]

The Flash update is actually 7 vulnerabilities.

Moral of this story:
Avoid Flash and you can cut the amount of vulnerabilities approximately in half!

Re:Twelve?

[zippthorne]

The SSL vulnerability is somewhat disturbing. Read the date on the linked article.

Re:Twelve?

And you can avoid most of the internet at the same time.

Re:Twelve?

I was really hoping someone on here would have commented on the OpenSSL renegotiation blocking breaking Vidalia / Tor connectivity. Tor relies on OpenSSL, and can't complete a handshake after the update. Anybody know a workaround?

Re:Twelve?

[PitaBred]

Just the really shitty parts. Only turn flash on when you need it, youtube and the like

Re:Twelve?

[CaptDeuce]

Apple's own security update page (http://support.apple.com/kb/HT4004) lists these six, where did Threatpost author get the number 12 from?:

"Massive security holes" or "serious vulnerabilities" are worth two "ordinary" vulnerabilities.

Re:Twelve?

[_merlin]

Really? I've gone without Flash on my work PC for three months, and the only things it stops me from using that I actually care about are funny videos that people send around the office, and the web site of the company that made the hardcore orange juicing machine in the kitchen (we'd lost the manual). Most of the stuff that's actually useful doesn't need Flash.

Re:Twelve?

[ekhben]

May all of OS X's "massive holes" be so insignificant to me.

The most concerning is the TIFF vulnerability; fortunately that's a 10.5 issue, not a 10.6 issue. The second most concerning is the SSL vulnerability, but I've not trusted SSL alone for a while now. Still tossing up throwing out Firefox's trust anchor code and replacing it with an SSH style known-hosts setup... but the FF code is a total dog to work with. And I don't care. Mostly, I guess, I don't care. Thank you, my bank, for two-factor authentication.

Re:Twelve?

[noidentity]

Avoid Flash and you can cut the amount of vulnerabilities approximately in half!

Either "cut the amount of vulnerability in half" or "cut the number of vulnerabilities in half". Avoid count noun mismatch.

Re:Twelve?

[Graff]

Only turn flash on when you need it, youtube and the like

You can mostly avoid using Flash with Youtube. Many of the videos can now be viewed with H.264 so you don't need Flash there either.

Honestly I find very few sites that I need to enable Flash to view. Most of the sites that require Flash are annoying anyways and I'm glad to avoid them. A lot of sites want iPhone users to be able to view them and so they provide a non-Flash fallback that is a lot more usable than their main Flash page.

Re:Twelve?

[Graff]

Either "cut the amount of vulnerability in half" or "cut the number of vulnerabilities in half". Avoid count noun mismatch.

Good call, I thought it sounded awkward but I didn't have time to rephrase it. Thanks!

Re:Twelve?

The Flash update is actually 7 vulnerabilities.

So much for OSX being "more secure." 7 vulnerabilities in a single solution?!!

If that happened on a real PC had that all the Apple and Linsux fan bois would be frothing at the mouth.

Re:Twelve?

[Sleepy]

You wouldn't need Flash at all if Youtube would stream one of the many open standards.
HTML 5 addresses it, but Youtube is pretty cozy to Adobe.
It wasn't always that way... back in the day, you could get streaming video with HARDWARE acceleration.
CPU accel is not a big deal on most desktops, but with the new low-wattage Ion/Intel combos or ARM CPUs, it really does matter.

Re:Twelve?

[Graff]

So much for OSX being "more secure." 7 vulnerabilities in a single solution?!!

Except, of course, Flash is made by Adobe - not Apple. Apple is just installing Adobe's latest version of Flash which was recently released. If you really want to complain about Flash being a security problem then go yell at Adobe.

Re:Twelve?

Except, of course, Flash is made by Adobe - not Apple.

Well guess what fanboi, you can get Flash on Windows too. If this isn't an OSX problem where is the Microsoft Security Update? And why is Apple patching this, not Adobe?

Face it, Apple is way less secure than Windows.

Re:Twelve?

> You wouldn't need Flash at all if Youtube would stream one of the many open standards.

Pardon me, but the whole reason that YouTube beat ALL the competing video-sharing sites was because they chose ONE standard to host their videos. They made it easy to upload and convert just about ANY format by doing it on the server side!

They went with Flash because:

1. Flash is already on most desktops
2. Other video standards may require users to download software or codecs
3. Users don't like to have to install + configure software to use the Web
4. It provided a means of copy protection that other formats didn't

That's basically it. Doesn't mean Flash is superior, but if they had gone with one of the open formats, people would be saying "YouWhat??"

Re:Twelve?

ssssssh! on slashdot, apple get praised for fixing vulnerabilities, albeit late. microsoft on the other hand...

Re:Twelve?

[joost]

Just the really shitty parts. Only turn flash on when you need it, youtube and the like

Not even then. ClickToFlash plays H.264 in youtube, avoiding flash altogether.

Re:Twelve?

[Graff]

Well guess what fanboi, you can get Flash on Windows too. If this isn't an OSX problem where is the Microsoft Security Update? And why is Apple patching this, not Adobe?

Face it, Apple is way less secure than Windows.

There were also vulnerabilities in the Windows version. They were patched by Adobe a couple of months ago. Adobe just released the Mac version of the updates. Again, blame Adobe for being late to patch Flash for Mac, not Apple.

Apple is not patching Flash, they are just pushing out the latest version from Adobe since Flash is part of the default install for Mac OS X.

You might want to actually do some research before you make baseless accusations but I guess that's why you hide behind the "Anonymous Coward" feature...

Re:Twelve?

Score: -1, fails to engage in entertaining flame war with poster of unsolicited pedantic grammar correction ;)

Must be running bootcamp

The Apple commercials have told me that viruses and security holes are only possible in Windows, so I gather they are patching boot camp installs now

Re:Must be running bootcamp

[recoiledsnake]

It's interesting that many of these(like the image exploits) can be triggered by just browsing to a website(like the IE6/Google/China fiasco) or by mp4 audio/video files. Where are all the 'LOL M$ can't code' posters here?

Re:Must be running bootcamp

No - the Apple commercials tell you that viruses are a problem for Windows. Viruses tend to find MacOS too arrogant an environment to survive in.

Re:Must be running bootcamp

[gig]

It's viruses that are only possible on Windows. All operating systems have security holes, but only Microsoft systems get viruses. The Apple commercials very clearly refer only to viruses. The PC sneezes and acts like he has a cold, he's caught something, and the Mac can't catch it from him, he's immune to the viruses. Security holes are not covered at all.

Re:Must be running bootcamp

The Apple commercials have told me that viruses and security holes are only possible in Windows

[citation needed]

Never have I seen an Apple ad say that.

No OS X user I've ever known has ever had a malware problem, whereas nearly every windows user I have ever known has had chronic multiple malware problems. No matter what the MS fanbois say, it's obvious to anyone in the know that OS X is quite secure compared to wind'ohs.

BTW, love the hyperbole ("Massive", LOL) of TFS' headline.

Re:Must be running bootcamp

[dunezone]

Oh Sorry...

LOL A$$LE can't code

Wait, that doesn't look right.

Re:Must be running bootcamp

[LihTox]

Viruses tend to find MacOS too arrogant an environment to survive in.

Making our arrogance is an adaptive self-defense mechanism. So shove off, Windoze loser. :)

Re:Must be running bootcamp

Where are all the 'LOL M$ can't code' posters here?

I guess they are busy making security patches for OS X.

Re:Must be running bootcamp

Looks about right to me.

Re:Must be running bootcamp

[PitaBred]

The Apple commercials have told me that viruses and security holes are only possible in Windows

[citation needed]

http://www.youtube.com/watch?v=XiBLIGy_mpk

That citation enough for ya? It's not outright stated, but it sure as hell is very strongly implied

Re:Must be running bootcamp

[binary+paladin]

LOL M$ can't code

Re:Must be running bootcamp

[that+this+is+not+und]

You're kidding, right? Viruses actually were far worse in the past on other platforms. They were everywhere on the Amiga, for instance.

Security holes are not covered at all.

No, they're covered on a piecemeal basis. Whenever Apple's Marketing signs off on a bug fix it can be released.

Re:Must be running bootcamp

[smash]

Welcome to marketing spin. At least in apple's case, they have real world usage stats to back it up. Microsoft's "most secure windows ever" bullshit is generally spouted on OS release, with no historical evidence.

Note that end users don't particularly care if "in theory" an OS is less secure, so long as THEY don't end up getting owned, they don't really care about the theory of it all.

Re:Must be running bootcamp

[_Sprocket_]

Awww crap. You just killed my Bonzai Buddy. Thanks a lot.

Re:Must be running bootcamp

They've been over-ran by the stampede of Microsoft fanboys desperate for the rare chance to be smug.

Re:Must be running bootcamp

I read that as 'A$$HOLE can't code'

Then i read it again and realized what parent said

Then i thought about it and realized I read it right the first time.

Re:Must be running bootcamp

[dukeofurl01]

I think this is just assumed by now.

Re:Must be running bootcamp

[GoodNicksAreTaken]

They are busy patching their Macs.. LOL they got pwn3d d00d..

Re:Must be running bootcamp

[carou]

That citation enough for ya? It's not outright stated,

That would be a "no", then.

Re:Must be running bootcamp

[Sleepy]

Well the difference you are struggling to NOT understand is, only under MS do these exploits get to install ROOTKITS.

Re:Must be running bootcamp

Apple has been known to break app compatibility from time to time. Microsoft, on the other hand, has a team working hard to ensure that the next version of Windows will be able to run your viruses form Windows XP.

Re:Must be running bootcamp

[recoiledsnake]

Err huh why? Under Vista/7 with IE 8, they can't even get out of DEP or the sandbox. Forget about getting to logged in user access and then admin to install a root kit.

Re:Must be running bootcamp

This post brought to you from a Debian workstation behind an OpenBSD firewall...

"LOL neither M$ nor Apple can'tcode' ?

???

(and, no, behind my shiny OpenBSD router the recent Debian PKCS fiasco didn't affect me ;)

Re:Must be running bootcamp

No OS X user I've ever known has ever had a malware problem, whereas nearly every windows user I have ever known has had chronic multiple malware problems.

There you go bringing in actual exploits into a discussion about vulnerabilities. If I've said it once, I've said it a thousand times, "it't not the exploits that matter -every piece of software has exploits -it's the actual vulnerabilities." ... Umm, no wait ...

Re:Must be running bootcamp

Must be why most Apple commercials are banned in Europe under their Truth in Advertising laws.

Re:Must be running bootcamp

[BitZtream]

Interestingly enough, I just started Win7 on mine and the boot camp drivers were ready for patching :/

Re:Must be running bootcamp

[BitZtream]

We're trying to fix our exploited MacBooks so we can post, now sod off!

Re:Must be running bootcamp

Hmm? Isn't it actually pretty much established that every Microsoft OS IS more secure than the last along each product line (that is to say, the 9x line from 95 to Me, NT line up through Win7, the 16-bit chain that ended with 3.1.1)?

At least in recent history, XP SP2 is monumentally more secure than XP RTM, Vista is monumentally more secure than XP SP2, and Win7 is...well, it's not as monumental on the security front. More on making Vista's security usable.

Re:Must be running bootcamp

[L4t3r4lu5]

Sounds like they need to employ someone who can hunt down the evil bugs and smite them righteously, eh?

I don't know, maybe some kind of binary_paladin...

Re:Must be running bootcamp

[PitaBred]

You know, I'm not gonna say it directly, but I heard that carou wears dresses and is a good dancer, and knows how to put on makeup. Draw from that what you will.

Re:Must be running bootcamp

[carou]

Apple said things which were true, worded in such that might cause people to draw an exaggerated conclusion. PitaBred merely lied. You fail at logic.

Re:Must be running bootcamp

[binary+paladin]

Except that a most holy binary paladin would never do the bidding of the evil empire!

(Hahaha. Your post made my morning. Thanks!)

Very interesting the holes they patched

Here is a link to the full list

Re:Very interesting the holes they patched

What...what is this?

A refund?

[Monkeedude1212]

The only hole I want Apple to fix is the one they put in my wallet.

Re:A refund?

Security holes aside, isn't it a little bit backwards to bitch about the price of something that you voluntarily paid for?

Re:A refund?

you must be some democrat/liberal, wanting someone else to fix something you did...which was buy a mac.

Re:A refund?

[jgtg32a]

buyers remorse?

Re:A refund?

[geoffrobinson]

Did they put a gun to your head and tell you to buy something you didn't want? Or was it your wife or girlfriend?

Hopefully, you have just one of the two or you'll be paying for something far more expensive than a Mac.

Re:A refund?

I agree, these twats who are commenting on you are a bunch of steve jobs anus lickers

Re:A refund?

[Red+Flayer]

And you must be some current-day republican/asshat (there are no conservatives left), bitching and moaning in a non sequitur in the hope it'll get you some popularity points.

Re:A refund?

and you must be some sort of republican/conservative troll, so it doesnt matter what i type here, youre too stubborn to read it, so flibbeldy woogledy tofu bean silicon murfreesboro turkey bolts plumb burnfreeze tacobomb.

Re:A refund?

How about making a new big hole in your retarded head?

I can lend you my gun.

Re:A refund?

If you had to make a choice which Steve's anus would you rather lick you choose Jobs' or Ballmer's?

Ballmer might have had some nasty tacos for lunch, but with Steve's health problems I bet he eats really well now.

Jobs all the way!!!

Re:A refund?

[RocketRabbit]

Probably not. The only folks I hear complaining about the cost of a Mac are the folks who haven't ever bought one.

Re:A refund?

[Waccoon]

Apple eventually decided that nobody needs Java, and that made my Mac less valuable for development after I bought it. In effect, my Mac is now a paperweight.

Re:A refund?

Its true. Apple hardware is a premium product, and I was very skeptical of said cost. Having been given a Mac from work in 2008 ending my 15 year hiatus from Apple products, I was shocked with how nicely built it was. Now we have 4 Macs in our household.

A BMW is a premium product, but nobody slags someone for spending 10k more than an Acura / Lexus buyer if said person actually enjoys driving. (i.e. not just lookin like HAY I HAVE A LUXURY CAR)

Security Well

[Noelnonymous+Coward]

I've got a Mac G3, and have yet to be tricked into installing Mac OS X!

Re:Security Well

[amicusNYCL]

You already posted that in the first comment anonymously, and it wasn't funny then either.

Re:Security Well

[Noelnonymous+Coward]

Being that there are many reasons to post things, and to post anonymously, "funny" isn't always the primary intent. What was my primary intent? If you don't know, don't worry about it, and withhold comment. :) Besides, you're not a boor, and I didn't say something funny... But it's possible I might say something funny.

Re:Security Well

Just shut the fuck up.

Re:Security Well

[Arcady13]

I have a Mac G3. It is sitting in my basement collecting dust, because it is a worthless piece of shit.

Buy a computer from this century.

Re:Security Well

The original was correctly modded offtopic. As it is neither insightful, interesting, funny, underrated, or overrated. Its our way of saying, it should not have been posted regardless of the author's intent.

Re:Security Well

[amicusNYCL]

Being that there are many reasons to post things, and to post anonymously, "funny" isn't always the primary intent. What was my primary intent?

If it's necessary to have a discussion about your intent, how successful do you think you were in conveying it?

But it's possible I might say something funny.

Tell me a joke!

Re:Security Well

Yeah, but now since you've got him modded down AND your comment is plus 5, the whole thread somehow becomes hilarious again!

Re:Security Well

But it's possible I might say something funny.

Tell me a joke!

Ahem. Look closer.

Don't bother looking if you have X.4 or earlier

[oDDmON+oUT]

Sometimes newer isn't better.

Re:Don't bother looking if you have X.4 or earlier

[0racle]

It is when you want security updates from Apple.

image format bugs

[phantomfive]

Two bugs were found in their image libraries (arbitrary code execution bugs in TIFF and RAW-DMG). Makes me wonder if they even tested their image libraries at all when they were being written, because that kind of bug can usually be found in an image library by feeding it random data.

Re:image format bugs

[TrancePhreak]

Other companies got hit by those a long time ago and have since patched up their image libraries. Apple must have ignored it then and is now paying the price.

Re:image format bugs

[eulernet]

A few years ago, when Microsoft's Windows source code was leaked, a hacker found a problem in the handling of the standard BMP format (IIRC, it was an integer that was not considered signed, and it contained the size of the picture), which could allow arbitrary code execution.

What bothers me is that Apple's developers don't check if they have the same problems as their direct competitor.

Re:image format bugs

[DJCouchyCouch]

Using random data doesn't work if some structured data needs to be read first.

So you need non-random random data. :)

Re:image format bugs

[twidarkling]

But computers can't generate truly random data, it's always at least partially procedurally generated. Thus, any data from a computer you feed to it is non-random random data :p

Re:image format bugs

[ruiner13]

Speculate much? How do you know it is the same issue, especially considering you can't even seem to remember what the Windows bug actually was?

Re:image format bugs

[drinkypoo]

These sophomoric no-input-sanitization errors are the most common kind. didn't apple make one before with the iPhone and SMS or something? We've seen cellphones that don't check to make sure bluetooth data is valid. Firewire is a big mess because the hardware permits access to things it shouldn't.

Re:image format bugs

[phantomfive]

I don't know if you've ever written an image parser before, but sanitizing the data before you parse it can be really hard. If you think about it, the data itself can be almost random, considering a picture can be almost anything. To do a good job validating the data, you would almost have to re-implement the parser itself.

Not saying they shouldn't have caught these bugs, but it's a little harder than just validating the data as it comes in.

Re:image format bugs

[phantomfive]

Actually, if you are debugging an image parser library, I advocate commenting out all the obvious fails (like, this file doesn't have the right magic number, it's not a GIF) and then feeding the thing pure random data, seeing how it handles it. You never know what kind of bug might turn up. Of course you'll want the non-random random data as well, but the random random stuff is useful.

Re:image format bugs

[Archaemic]

Actually, I personally found and patched the TIFF bug. In January. Of last year. http://bugzilla.maptools.org/show_bug.cgi?id=1985
Feeding random data (aka fuzzing) might work, but 99% of the time, I'd imagine it'd just give you a corrupted image and bail out. You have to be clever about how you search for it. I found a known vulnerability patch posted by, of all people, an Apple employee, and tried to reverse engineer what he'd fixed. I found that the patch hadn't been applied on old version of the PSP system software, which is what I was targeting. After messing with this specific attack vector, I noticed that I could still crash system software version that did have the patch. After reading up on LZW compression (which is what part of LibTIFF had the vulnerability) and the TIFF specification of how they implemented LZW, I realized that the Apple patch was incomplete--it only tested for one value you could give it that was erroneous. By simply changing the equality they used (in two places) to an inequality, I tested for all erroneous values. Meanwhile, I tried to exploit the new unpatched vector on the PSP so that I could inject code. Failing this, I decided the best course of action was to submit a bug report to LibTIFF. It might seem a tad unethical to try and exploit the bug before reporting it, but I wasn't trying to exploit in for malicious purposes, and not on a desktop operating system. Regardless, I failed to make it do more than crash the PSP. Surely the best course of action here would be to patch it upstream before anyone else found it. (Incidentally, this "arbitrary execution" this is blown out of proportion. In its current state, it is extremely unlikely that it could provide ANY code execution. Just crashing. Although I don't know if it's IMPOSSIBLE for it to execute code with this vulnerability, it would take a lot of work to get anything valuable out of this. Mostly it's a DoS. They usually just attach "arbitrary execution" when there's even the vaguest possibility for code to be executed, regardless of whether or not such an exploit has been demonstrated.)

It, um, took a while for anyone to notice the patch. In fact, the only reason anyone did notice was because someone found some of the fruit of my research into this bug and then posted a link to the research in a new bug report. Funnily, they created a different patch, which, instead of preventing the infinite loop caused by the erroneous data, just tested to see if the loop was writing out of bounds. Perhaps both approaches should be used together. Defensive programming and all that. Regardless, I noticed this new bug report shortly afterward it was posted and pointed them back to the inexplicably ignored old bug report. Most Linux vendors applied the patch shortly after the new bug report was filed, but Apple lagged by a number of months, until 10.6.2 came out. This update backports the fix into 10.5.x. However, I've found that some projects (such as Qt) are still using ancient versions of LibTIFF that have had numerous bug and security fixes since they were last updated in the projects' trees. While Qt does try to use the system's version of Qt if it can, it's still kind of scary to think about what could happen if it falls back on its own version, as I've seen it do before when I try my "corrupted" TIFF on things like Arora.

Incidentally, I am TAing a computer security course this semester. I guess previous experience helps.

Re:image format bugs

[Lars+T.]

Two bugs were found in their image libraries (arbitrary code execution bugs in TIFF and RAW-DMG). Makes me wonder if they even tested their image libraries at all when they were being written, because that kind of bug can usually be found in an image library by feeding it random data.

Well, that's odd - one of those bugs is CVE-2009-2285: Buffer underflow in the LZWDecodeCompat function in libtiff 3.8.2

Re:image format bugs

[barzok]

Sure you're not thinking of the WMF exploit? http://en.wikipedia.org/wiki/Windows_Metafile_vulnerability

Re:image format bugs

[phantomfive]

Wow, you went through all the effort of learning LZW compression solely because of an Apple patch? That is ambitious.

Re:image format bugs

[Duradin]

Attach sensor to computer. Point sensor at something non-computer. Use sensor feed to influence RNG. Have a nice day.

Re:image format bugs

[Archaemic]

LZW isn't that bad. And mostly, I just needed to know what it did WRONG, not how to do it RIGHT. I'd already learned how LZSS worked the previous year...for an also ambitious project that never really saw the light of day. Reverse engineering a compression format through raw tinkering and seeing how outputs changed was a lot of fun^H^H^Htedium. It helped that I had a lead that it was probably some derivative of LZ77.

Okay yeah I might have spent a lot of time on nothing substantial during this, but it did yield a security patch, which is a good thing. And besides, I was on winter break from college. It's a good time for doing nothing substantial.

Re:image format bugs

[Doctor_Jest]

paying the price for what? Because it took Apple so long to patch them? *shrug* I guess if you want to think of it like that, I can see your point. My question is how long was it in test? I don't know if there's a way to find that out. Did they just roll up the fixes into one large one, or was it just a long time testing in the field? I am always more likely to immediately install a security patch than a bug fix... we've seen from Microsoft and Apple that sometimes they should let their fixes percolate a bit longer.. :)

Personally, I always prefer they get the patch right before releasing it... and if there had been anything in the wild exploiting these bugs, I'm sure we'd have seen a patch sooner. (At least I hope so...) I don't love Apple (or Microsoft for that matter), but I give them both credit for not completely ignoring security... even if they're glacial about it from time to time. :) Microsoft's really coming around, but there's still much to do to make sure the gotchas don't return for the sake of backwards compatibility...

Re:image format bugs

Pretty sure Windows has also had a BMP exploit, and a GIF exploit, and several TIFF exploits, and ... you get the idea.

Mozilla has also had a history of image file vulnerabilities, nobody has a good a very good record in this department.

Re:image format bugs

[mr_da3m0n]

No no, I'm fairly certain he is reffering to the BMP handling exploit, which was refered to in one of the Stealing The Network series, I think it was "How to own the box". Not sure.

But I remember this clearly as well.

Re:image format bugs

[BitZtream]

No, but when they bring in external contributors to entropy they can be as sufficiently random as any source you can come up with.

Re:image format bugs

[eulernet]

Speculation ? I found the slashdot article:
http://it.slashdot.org/article.pl?sid=04/02/16/1737200

Re:image format bugs

[eulernet]

Here is the slashdot article:

http://it.slashdot.org/article.pl?sid=04/02/16/1737200

Re:image format bugs

[TrancePhreak]

From what I can see, MS fixed up the exploit in 2006.

Re:image format bugs

[Doctor_Jest]

1993 - 2006... that's quite a gap. (I suppose you're meaning that in 64-bit versions of Windows, the exploit doesn't exist?) So, my point is, people who decry Apple for "glacial" speed in patching vulnerabilities, we have many other examples (this one from MS being the most fresh in the news) of slow patching, and I further would say that it's alright. Responding to real, in-the-wild, exploits in a timely fashion is commendable, as is not rushing to patch a vulnerability that is either difficult to exploit (or not exploited in the wild at all), or does not pose an immediate threat.

Dare I say that both sides of that debate are wrong? :) Too fast opens up stability issues and too slow draws the ire of people who think you don't care about security... It seems like a lose-lose. But as long as it gets patched, I'm okay with it.

Different Day, Same Crap

[His+Shadow]

Has anyone driven a truck thru these gaping holes? Anyone? Beuller? When OSX is suffering from a deluge of viruses from all these supposed gaping holes in it's Architecture, please come back and let us know. Because while every operating system has vulnerabilities, only Microsoft was kind enough to make those vulnerabilities accessible by system wide scripting mechanisms that allowed millions of computer users the world over be the subject of attacks from the hundreds of thousands of pieces of malware constantly fighting to infect Windows PCs. The count (for those who think a security vulnerability makes Apple's points about viruses invalid) is about one hundred thousand to 0. This is being very generous. So, yes, as a matter of fact, there are no viruses for Mac OS X. Not virtually none, not almost none. None.

Re:Different Day, Same Crap

[smash]

Whilst I'm a mac user/fanboi and agree with most of your post - I'm sure there must be some vulnerabilities being exploited for MacOS out there somewhere. It ships with Apache, and a heap of BSD userland tools ffs. I'd say there are no commonly encountered viruses on MacOS... not necessarily NONE.

Re:Different Day, Same Crap

[Monkeedude1212]

So, yes, as a matter of fact, there are no viruses for Mac OS X. Not virtually none, not almost none. None.

As a matter of Fact, there ARE viruses for Mac OS X.

OS X uses various parts of the FreeBSD Security Framework and Filesystem.

They have viruses for FreeBSD that base their attacks on those parts, and it has been proven that they work just as well on a Mac as they do on that flavour of Linux.

Just because Mac users are not affected by the hordes of windows viruses that they catch (and yes, Macs catch the same viruses as Windows, they merely can't operate because they were designed to run on Windows) - doesn't mean that they are this completely immune and untouchable operating system. When OSX is suffering from a deluge of viruses from holes in it's architecture (if it ever comes to that), it will be too late to do anything about it. This news Article is merely trying to point out, that yes, these do exist, and Apple is working hard at closing them. The problem is whether they will be able to keep it up.

Next time, before hopping on your high horse about how completely virus free Macs are, do some research and learn the truth, don't spew the pamphlet Apple boxes with your machine. Because when you're wrong, you just look like an idiot fanboy.

Re:Different Day, Same Crap

[GoodNicksAreTaken]

You most have missed all the reports on the virus spread through torrents for Photoshop CS4 and iLife.

Re:Different Day, Same Crap

Please stop perpetuating the myth that there are no viruses for macs.

At last count, there were under a hundred. They are extremely rare, but please stop saying they don't exist. It just makes mac people look even more clueless to windows users. Apple even recommends people run antivirus software in several places:

Mac OS X 10.6 Help - http://docs.info.apple.com/article.html?path=Mac/10.6/en/11389.html
Run an antivirus program if you find any suspicious files or applications, or if you notice any suspicious behavior on your computer.

https://support.apple.com/kb/HT2128 - Safety tips for handling email attachments and content downloaded from the Internet
Distinguishing legitimate and malicious applications
Where you got the file is the most important indicator. Only download and install applications from trusted sources, such as well-known application publishers, authorized resellers, or other well-known distributors. It is also advisable to use antivirus software to scan any files before installation. A selection of third-party products may be found at the Macintosh Products Guide.

Re:Different Day, Same Crap

[mario_grgic]

Except you kids need to read on what people mean when they say a "virus". Hint: it's not the same thing as malware that user has to install themselves, and you need to rely on social engineering techniques to get them to install your malware for you (in the above case the lure of free Photoshop installation), etc.

Re:Different Day, Same Crap

[Lars+T.]

You most have missed all the reports on the virus spread through torrents for Photoshop CS4 and iLife.

Ans you"most" have missed that a Trojan isn't a Virus.

Re:Different Day, Same Crap

By "people" you mean YOU and by "virus" you mean WORM.

Re:Different Day, Same Crap

You most have missed all the reports on the virus spread through torrents for Photoshop CS4 and iLife.

Those were trojans hidden in installers (requiring admin-level password be entered) and one had to be downloading pirated software to be affected--so it's your own fault.

Re:Different Day, Same Crap

[Sorny]

You must not know the difference between a Trojan and a Virus.

Re:Different Day, Same Crap

[mario_grgic]

Actually, no. Both virus and worm are self replicating and propagating without user interaction. The only technical difference is that a virus attaches itself to an existing process, whereas a worm is standalone.

http://en.wikipedia.org/wiki/Computer_virus

http://en.wikipedia.org/wiki/Computer_worm

Huh? What? Erg?

Why the need for patches? Didn't the Steve Jobs fanbois tell us over and over again OSX was secure, it can never be hacked? It was so well coded it never crashes? I don't understand how the MOST SECURE OS EVER needs patching.

Re:Huh? What? Erg?

I like to call it 'Rainbows, Unicorns, and Bullshit'

RUB and FUD are two sides of the same coin, and if you believe either: you're an idiot.

You forget one simple thing...

There aren't enough macs out there to make the average scriptkiddie drool in anticipation.
They want the big score, and apple doesn't have enough market share to count.
That's not something to be proud of.

Re:You forget one simple thing...

[jo_ham]

There aren't enough Windows with IIS installed to make the average script kiddie drool in anticipation in comparison to Linux/BSD with Apache. Oh wait.

If you don;t think the the chance to be the "first person to exploit the 'secure' OS X with a virus" isn;t driving some of these people then you are deluded. Or that genuine organised crime isn't going after the Mac platform (as a non-negligable marketshare) as well as Windows since it is amulti-million dollar industry compromising machines over the net. So far though, not much beyond proof of concept stuff and things that require user credential authentication.

It's no reason to be complacent (and the patching of vulnerabilities is not complacency), or the assertion that OS X is immune to threats, because it isn't. But it has proven to have a pretty good track record - not perfect, but pretty good. Continued work is still needed though.

Re:You forget one simple thing...

[mystikkman]

Huh what? That was an incoherent fanboi rant. IIS has around 21% vs. Apache at 46% and still IIS6 has holded out to be pretty good, especially comparing to Apache.

So far though, not much beyond proof of concept stuff and things that require user credential authentication.

There were tons of vulnerabilities in Safari and Quicktime etc. not to mention the ones in TFA that would work without user credentials.
And this is one in the wild. http://it.slashdot.org/article.pl?sid=09/01/23/0127253

But it has proven to have a pretty good track record - not perfect, but pretty good

Says who? According to TFA, an mp4 video or a picture could install spyware or delete all user files.Thats a pretty good track record? wtf? The only OS with a good track record would be OpenBSD. Apple's software usually has tons of holes.

Re:You forget one simple thing...

and hence why most attacks and exploits are against Apache based system. Apache has had significantly more vulnerabilities and more successfull exploits, it doesn't mean Apache is weaker though, it just has more installs and hence is a bigger target.

Re:You forget one simple thing...

[jo_ham]

Yes, my point about IIS vs Apache wasn't that there were more attacks against IIS, just that there are documented and exploited holes.

And yes, there have been many holes found in the various parts of OS X that have been fixed (and some yet to be fixed) but in terms of malware in the wild, there is practically none. There was a disk image that claimed to be Office for Mac on torrent sites that actually ended up deleting your files after you gave it your admin password, and a couple of other proof of concept attacks, but stuff actually out there roaming free in the wild is extremely rare - vanishingly so. I will not say "none" because it is clearly not true, and it allows the possibility of something to emerge, but for all the holes that have appeared in components of OS X, over the course of the life of the OS, no one has demonstrated stuff beyond possibilities.

The TFA does indeed say "could install spyware and delete files" - ie, if the hole is exploited. No one is denying that (and when the hole is closed, they can't) but so far, no one has been able to - the vector for attack has not been there. There was nothing in the wild that exploited some of these holes, and they have been nipped up before anything could be produced.

There are obviously other holes that have yet to be closed - including, as some security people have claimed, ones that have been open and exposed for a very long time (consider the guy who knew of two vulnerabilities and kept one to himself so he could exploit it the next year at the 'break OS X contest'). If that hole was known and vulnerable for a year, where are the in-the0wild exploits actually installing malicious software and keyloggers and so on? The hole was there for a malicious mp4 file, but the malware that exploited it was not.

I'm not not nieve enough to assume or assert that OS X gets a free pass on security, but the prior performance has been good compared to Windows, even with the difference in install base. It's in a similar position to Linux with regard to security holes (and shares holes with some BSD components that the OSS community is also exposed to).

Re:You forget one simple thing...

[mario_grgic]

What you are linking to is NOT a virus, but a malware that user has to download, authenticate themselves as someone allowed to install software and install it.

If you have a user willing to do that, then all bets are off.

The original assertion still stands though. No viruses (i.e. self propagating code that spreads from machine to machine without user intervention). There aren't any for OS X and I'm not aware of any for Linux/BSD etc either.

Re:You forget one simple thing...

[recoiledsnake]

Yes, my point about IIS vs Apache wasn't that there were more attacks against IIS, just that there are documented and exploited holes.

Err no. Apache/PHP has more than it's share of exploits whereas IIS6 or IIS7 barely have any.

Re:You forget one simple thing...

[recoiledsnake]

What you are linking to is NOT a virus, but a malware that user has to download, authenticate themselves as someone allowed to install software and install it.

If you have a user willing to do that, then all bets are off.

The original assertion still stands though. No viruses (i.e. self propagating code that spreads from machine to machine without user intervention). There aren't any for OS X and I'm not aware of any for Linux/BSD etc either.

When did the last "virus" according to your definition, hit Windows? XP SP2 turned on the firewall by default and Outlook stopped opening attachments automatically. I would like to see a reference to a

recent "self propagating code that spreads from machine to machine without user intervention" for Windows that was successful.

Re:You forget one simple thing...

[cbhacking]

Spreading between machines is a feature of worms. You might mean appending itself to ("infecting") files on your system - that is what a computer virus does. They're pretty rare these days even on Windows, although there have actually been some for Linux (none at present that I'm aware of).

Re:You forget one simple thing...

[stewbacca]

I dunno. Apple seems to be selling millions of new Macs each quarter for about 10 years now. When will there be "enough macs out there" for your hypothesis?

Re:You forget one simple thing...

[Desert_Scarecrow]

Really? You aren't aware of any for Linux/BSD? Not a single one? I sure hope you don't work in the security industry in any way, shape, or fashion...or if you do, you at least don't service my company or any of its clients.

"MASSIVE"?

[jjoelc]

I just wonder why the summary title says "MASSIVE holes..." when the original article "serious".. a bit of bias, perhaps??

More realistically, this is just another security update. Find me an OS that doesn't have them, and for similarly "obvious" or "easily found/fixed" (hindsight and armchair hacking being perfect of course) and I'll either switch right away, or dust off the old TRS-80 from my closet to run it on.

The way I see it, if you have a brain and use it while browsing, you are generally fine. But people are stupid. And if you are going to market your product to stupid people, you need to make sure you do everything you can to minimize the damage stupid people can do to others. (Stupid people generally deserve their own damages...)

Now to start the debate over which company is more in the business of marketing to stupid people...

Re:"MASSIVE"?

[smash]

You must be new here.

Re:"MASSIVE"?

[Doctor_Jest]

I thought the same thing when I read the headline vs. summary. :) Still, they are serious bugs, and I applaud Apple for patching them. Some feel they didn't do it in a timely manner, but I think I'd rather have a working patch than a quick "panic" patch like we have seen from other vendors. And since there are no recorded exploits in the wild, at least none that I've heard of, the timing of the security update isn't an issue with me. There is no perfect OS. But some are made better than others. I'll leave that to others to decide which. Actually there is a perfect OS. AmigaOS 1.3. Can't get much better than that on cheap, yet capable for its time, hardware. There, my Amiga bias is showing! :-)

OS distribution

Anyone out there know what the numbers are for mac osx and windows 7? How many users? Is it a comparable base, or has windows 7 already outstripped the number of mac osx users?

LOL, I'm reading this Mac/Windows security debate

...from my Ubuntu laptop. How nice it is to have an OS that doesn't even need antivirus, which is still recommended for Mac.

Re:LOL, I'm reading this Mac/Windows security deba

[smash]

You realize there are likely more exploits in the wild for Linux than OS X, right?

I say this as someone who has had a Linux box r00ted in the past...

That sort of complacency is exactly what makes you more likely be get owned - regardless of OS selection.

Windows Security

[Dunge]

How many times did I heard "I use Mac/Linux because there's no virus, no security problem and/or much safer". It's pretty much the same thing everywhere.

When MacOS X gets enough users? Maybe then

" When OSX is suffering from a deluge of viruses from all these supposed gaping holes in it's Architecture, please come back and let us know - by His Shadow (689816) on Wednesday January 20, @05:39PM (#30839078) Homepage

LOL... well, tell you what: When MacOS X gets enough users to merit online criminals attacking it (same with any *NIX variant out there for Personal Computers, & yes, that includes LINUX, BSD's (like MacOS X), etc. et al)? That's when it will happen.

Until then? "Stay tuned"...

The ONLY thing keeping MacOS X &/or Linux for example, 'safe', is "Security-By-Obscurity", & the fact that online criminals are just like ANY OTHER CRIMINALS: They gather where the most OTHERS gather, to maximize their surface area of attack - & guess where THAT is, online? Yes, that's right - Windows.

Windows has what? Roughly a 95% share of market out there for personal computing approximately?

Well - that "all said & aside", what the hell do you think goes through the mind of those doing the attacking (when they want to "hit" as many people as they can to victimize them, and maximize their criminal enterprise's profits)??

I.E.-> "LET'S ATTACK WINDOWS, IT IS THE MOST USED! WE WILL GET THE 'MOST MILEAGE OUT OF OUR ATTACK CODE' THAT WAY..."

So, they write their (for example) javascript code to attack Windows & its surrounding apps...

The Apple commercials? THEY ARE COMPLETE BULLSHIT, & ANYONE WITH ANY SENSE or KNOW-HOW IN THIS ART & SCIENCE/FIELD OF COMPUTING, REALIZES IT... "Security by Obscurity" is MacOS X & Linux's ally, & that's about it...

(Now, don't get me wrong: I like MacOS X, & Linux, as much as the next guy (they work, they are well-done by this point, & in general are as much a pleasure to use as Windows is)... but, I don't like hearing a bunch of misinforming market-speak bullshit lies, either).

HOWEVER:

IF ANYONE HERE TRIES TO TELL MYSELF OR OTHERS THAT IT'S "IMPOSSIBLE TO WRITE A VIRUS/WORM/TROJAN/SPYWARE/MALWARE-IN-GENERAL FOR LINUX or MAC OS X, THEN I SUGGEST THEY REALIZE THAT JAVASCRIPT (the main tool used to attack others online via webbrowsers & email programs as of the past 5++ yrs. now) RUNS ON THEIR OS' TOO... & THUS, THEY ARE JUST AS ATTACKABLE AS WINDOWS IS... EASILY!

APK

P.S.=> "Security-By-Obscurity" is the only so-called "security-advantage" that the *NIX variants on PC's have, & it's also their biggest enemy too (sales & market share, anyone?)... apk

Re:

[clint999]

If a computer is secure - as you claim - it shouldn't matter what most people try to hack.