Slashdot Mirror


Intego's "Year In Mac Security" Report

david.emery notes the release of Intego's "Year In Mac Security" report (PDF), adding: "Mac OS X and iPhones that haven't been jailbroken fare pretty well (although vulnerabilities exist, there's not been a lot of exploitation). Apple does come in for criticism for 'time to fix' known vulnerabilities. Jailbroken iPhones are a mess. The biggest risk to Macs are Trojan horses, often from pirated software."

31 of 132 comments

  1. So, avoid pirated Mac software... by Chris Tucker · · Score: 4, Informative

    ...and let Software Update do its thing with Security Updates.

    Don't go online as Root, and really try not to open email attachments that claim to be "Nude Photos of (insert female athlete name here)"

    Really, how hard is that?

    --
    Guaranteed! This comment 100% Anthrax free!
    1. Re:So, avoid pirated Mac software... by silentace · · Score: 5, Insightful

      So you basically said what PC users do everyday (the ones that don't ever get viruses)...

    2. Re:So, avoid pirated Mac software... by mario_grgic · · Score: 2, Informative

      Both Mail and Finder will warn you that what you are opening has been downloaded from the internet and ask you to confirm you want to execute it.

      Each file you download is put into a quarantine and your answer to the question is recorded.

      You generally don't have to worry about opening non-executable files like images, zip files, video files etc. But you, of course, do have to worry about shell scripts, AppleScripts, applications and application documents that contain JavaScript (like PDF if you use Adobe Reader, which almost no one on a Mac does, since the Preview app is so much better and it's there on each Mac).

      Any savvy user should already know all these things no matter what platform they use.

      --
      As the island of our knowledge grows, so does the shore of our ignorance.
    3. Re:So, avoid pirated Mac software... by lseltzer · · Score: 3, Informative

      The public exploits only affect IE6 users on XP.

      Private exploits could affect IE7 users on Vista or even IE8 users on XP, but not if they activate DEP. If you activate DEP even XP users are protected. IE8 users on Vista and Win7 are effectively protected by DEP/ASLR.

      So, in effect, if you update even just to year-old technology you're protected.

    4. Re:So, avoid pirated Mac software... by shutdown -p now · · Score: 2, Informative

      I guess you missed the IE8 zero day exploit just last week? It's only the latest way in which PC users get owned through no fault of their own.

      It's not like OS X never had glaring 0-day exploits of its own, so what's your point?

    5. Re:So, avoid pirated Mac software... by dave562 · · Score: 2, Insightful

      Except for those exploits that target Acrobat, or Flash, or .. or .. or.

      Microsoft has made some improvements with DEP and IE8 on Win7, but there are still far too many vulnerabilities in commonly used and widely distributed applications to make me comfortable with Windows.

  2. Biggest Mac security threat... by Anonymous Coward · · Score: 2, Funny

    Installing Windows.

    1. Re:Biggest Mac security threat... by x2A · · Score: 2, Funny

      Yep, I'm still installing it... started last October... it's still only on 78% :-/ What's the bet it'll crash at 99%? You know it's like a fundamental law of the universe; the longer any computer process takes, the more likely it will crash when it gets to 99%.

      --
      The revolution will not be televised... but it will have a page on Wikipedia
    2. Re:Biggest Mac security threat... by x2A · · Score: 2, Informative

      Oo you definitely don't want to be deplugging usb drives, you kind of need them to keep their plugs so you can plug them in.

      As for unplugging... what does that? Kernel panic sounds very linuxy, but I've never had that happen, and I've been plugging 'n unplugging up to three usb drives at a time on it (a client of mine's stock has become somewhat disorganised and lost track of what's faulty and what they've used themselves, and as testing hard drives themselves is much quicker 'n easier on Linux as you can just badblocks the drive, completely partition 'n filesystem independent, I volunteered. So I was production lining a load of drives, different sizes, using three usb interfaces) ... and yeah, all without problem, apart from when a drive actually did have bad sectors, but it didn't affect the machine or anything.

      --
      The revolution will not be televised... but it will have a page on Wikipedia
    3. Re:Biggest Mac security threat... by gyrogeerloose · · Score: 2, Informative

      As for unplugging... what does that? Kernel panic sounds very linuxy, but I've never had that happen, and I've been plugging 'n unplugging up to three usb drives at a time

      I think what he was trying to get at is what sometimes happens on a Mac if a user unplugs an external drive without unmounting it first, a quirk that Macs have had since at least the System 7 days. I'm not sure why OS X will still occasionally have trouble handling that situation gracefully (although ninety-nine times out of one hundred the only "bad" result is a dialogue box that pops up advising you not to do that again), but it's not really a big deal as long as you remember to follow the proper procedure for disconnecting an external drive on any OS.

      --
      This ain't rocket surgery.
  3. 'Pretty well' isn't good enough by Anonymous Coward · · Score: 2, Interesting
    1. Re:'Pretty well' isn't good enough by mario_grgic · · Score: 3, Informative

      The article you link to is talking apples and oranges, literally. If the implication is that the BSD bug is also a bug in OS X, then it's false. The bug is not present in OS X.

      iPhone on the other hand is a completely different beast and yes, it is a locked-down platform, mostly for the benefit of the users, so we don't have to worry if an application is safe to install and use.

      Yes, there may be security issues in iPhone apps, but even the security updates of applications go through the same review process, which may catch an omission in the review of the previous version (which is what happened in the case of the software discussed in the article).

      The review process is not perfect nor ideal, but I for one am thankful that someone else is testing the applications for me and I don't have to waste the time and money on tools to check what each app does and if it is safe to use on my phone.

      --
      As the island of our knowledge grows, so does the shore of our ignorance.
  4. Re:With great freedom comes great responsibility by rsborg · · Score: 3, Insightful

    Should it be any surprise that unmoderated software could introduce security vulnerabilities?

    Really, the main problem is that jailbreak processes don't try to change your default root password. So the vulnerability is that Apple supplied a default root password (that isn't workable without jailbreak), and the haxx0rs remove the protection but fail to force the user to change or randomize (and remember/show to the user) that password.

    Nothing bizarre about that.

    --
    Make sure everyone's vote counts: Verified Voting
  5. my summary of the white/sales paper - fluff mostly by prawn_narwp · · Score: 4, Insightful

    This is basically 7 total pages:

    * first couple pages on installing BitTorrent'd software
    * Page 4 and 5 about people who installed OpenSSH on their jailbroken iPhones and didn't change their passwords
    * last page has citations back to their own blog

    The meat of it is about PDF, Java -- surely those have a more widespread effect, right? But they spend a lot less words on those topics. Note that all the visuals have to do with the stupid ssh-admin-password and BitTorrent'd malware.

    Skip to the concluding paragraph -- they just have to emphasize the iphone again.

    I was going to say "I declare this posting unfit for Slashdot" but the good I see is that we can pick it apart to sort out the fluff.

    My rating system on severity overall on the entire population of apple products:

    1) PDF/Java (5 stars)
    2) I-enabled-ssh-w/o-a-password (1 star - your fault for being a retard)
    3) Charles Miller iPhone vuln (5 stars when it wasn't patched)

  6. lose/lose by starbugs · · Score: 2, Funny

    lose/lose (from the article) seems like a fun game to play right before installing Debian.

  7. Re:we don't need economic buzz by icebike · · Score: 4, Funny

    We need an economist to explain us how the us, by privatizing gains and socializong losses turned into a fascist state.

    And an English teacher to straighten out that sentence.

    --
    Sig Battery depleted. Reverting to safe mode.
  8. Re:we don't need economic buzz by value_added · · Score: 2, Funny

    And an English teacher to straighten out that sentence.

    I think it's Korean.

  9. Re:With great freedom comes great responsibility by grouchomarxist · · Score: 4, Funny

    in a safe manor

    My security guards keep my manor safe.

  10. Re:With great freedom comes great responsibility by DNS-and-BIND · · Score: 2, Funny

    Please don't bash 20/20. Their scientific methodology might have been a little bit off, but their motives were in the right place. They were just trying to show that a major car manufacturer was corrupt...this is the media's job, isn't it? To expose corruption? Unless you can show that the car manufacturer has lily-white hands (and none of them do) please stop the bashing. These are educated, dedicated people who are doing a tough job under very difficult circumstances, and it's hard to get the stories to come out the right way 100% of the time.

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!
  11. Re:You can't handle the truth by x2A · · Score: 2, Funny

    "but doesn't mention that Adobe's own CS4 install tries to phone home"

    Riiight... cuz that's what trojans are famous for, isn't it... checking to make sure that you're allowed to run them. My god, I do wish trojans actually did do that, and better than other software does it. I'll admit on here, I don't legally own any trojans at all, which means all I have to do is make sure that they can phone home to verify this, and never have to worry about them again! Ahh... pleasant thoughts.

    --
    The revolution will not be televised... but it will have a page on Wikipedia
  12. WTF, people. by Anonymous Coward · · Score: 2, Interesting

    The ability to jailbreak is a security hole. Last I knew the techniques people use are remote code execution.

    For example as I recall the 1st gen jailbreak was to get a specially crafted TIFF file that exploited a buffer overflow when a page was loaded in Safari. Stop and think about that for a minute. This is the kind of behavior you don't want to be possible. Yet in the reality distortion field, it's a great thing suddenly. Users are totally unconcerned about this.

    I'm not sure if the exploit mechanism has changed since then, but... Personally, I stopped paying attention to iPhone when I witnessed that.

    1. Re:WTF, people. by TJamieson · · Score: 2, Informative

      FWIW, this has changed about jailbreaking. What you said used to be true on the 1.x series of iPhone software, where everything always ran as root. Therefore, a hole in libTIFF led to (remote) root code execution. Starting with the 2.x series, Apple finally forced the restricted user account named Mobile to be used instead of root. That made it so now a libTIFF exploit *also* would require a privilege escalation exploit rolled inside; it made things much harder. Starting around the 2.x software, the new way to jailbreak is by exploiting Apple's software update mechanism built into each device (Google: iBoot). This means that to jailbreak newer software/devices, one is required to attach the device to the computer first; the exploit is then done via USB.

      --
      For the last time, PIN Number and ATM Machine are redundancies!
  13. Apple's DRM seems to be the main problem by DrXym · · Score: 3, Insightful

    If Apple didn't put such draconian limits on what a person could do with their own property, perhaps there wouldn't be the need to "jailbreak" it.

    1. Re:Apple's DRM seems to be the main problem by RMH101 · · Score: 3, Informative

      This is missing the point. The reason jailbreaking is allegedly unsafe is because once jailbroken, you can install SSH, and if you're dumb enough to not change the default root password, you can get owned. You get warned about this specifically when you install SSH anyway. If the phone were sold "open" and you installed SSH, you'd have the same issue. The point is that if someone goes out of their way to install SSH on their phone (which is a pretty hardcore geek activity anyway) and doesn't change the root password, then they're kind of asking for trouble.
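
The unchanged-default-root-password problem that this comment and rsborg's comment above describe, as an added example that is not code from the thread: a small audit of an OpenSSH sshd_config for the two directives that turn a default root password into a remote login. Both sample configs are constructed, and treating an absent directive as the weak value is an assumption explained in the comments.

```python
"""Audit an OpenSSH sshd_config for the settings that let a known default root
password be used over the network. Added example, not code from the thread."""
import re

# Directive -> (acceptable values, why the weak value matters); the
# 'prohibit-password' / 'without-password' forms allow root with a key only.
CHECKS = {
    "permitrootlogin": ({"no", "prohibit-password", "without-password"},
                        "root may log in with a password over SSH"),
    "passwordauthentication": ({"no"},
                               "an unchanged default password is the only barrier"),
}
# Assumed fallback for an absent directive: OpenSSH of the thread's era
# defaulted PermitRootLogin to 'yes' and PasswordAuthentication still does.
ABSENT_DEFAULT = "yes"


def parse_sshd_config(text):
    """Return {keyword: value} for the global section of an sshd_config.
    sshd honours the first occurrence of a keyword; lines after a 'Match'
    header are conditional and deliberately ignored here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments/whitespace
        m = re.match(r"^([A-Za-z]+)\s*=?\s*(.*)$", line)  # 'Key value' or 'Key=value'
        if not m:
            continue                                  # blank or malformed line
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)               # first occurrence wins
    return settings


def audit_sshd_config(text):
    """Return sorted (directive, effective value, problem) tuples."""
    settings = parse_sshd_config(text)
    findings = []
    for key, (allowed, problem) in CHECKS.items():
        value = settings.get(key, ABSENT_DEFAULT).lower()
        if value not in allowed:
            findings.append((key, value, problem))
    return sorted(findings)


# Constructed: an SSH daemon dropped onto a jailbroken phone, left untouched.
WEAK_CONFIG = """Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed: root only with a key, password logins refused entirely.
HARDENED_CONFIG = """Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
"""
```

An empty or missing config produces the same two findings as the weak one, which is the situation a freshly installed daemon with no edits is in.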

    2. Re:Apple's DRM seems to be the main problem by DrXym · · Score: 2, Insightful
      This means that any software I install on it gets at least a screening from a company that has a lot to lose by allowing malware on the phone.

      They also have a lot to lose by allowing apps like VoIP, instant messaging, map readers, voice search, Flash Player, browsers, podcasters, movie players, music players, file downloaders etc. etc. Basically anything that competes with their tech, or offends the network, or they simply don't like on grounds of taste or any other arbitrary reason. They even ban apps with scripting / runtime capability, even extending to the absurd banning of a C64 emulator lest somebody figure a way of using it to jailbreak the phone. It's not even the small fry that have been hurt - Google have had apps rejected.

      The restrictions are draconian, and it isn't surprising given the above, and the way the device is locked to certain networks (even outside of contract) that people want to jailbreak it.

  14. Talking through their hat since 2004 by argent · · Score: 3, Informative

    Back in 2004 Intego's big complaint about the Mac was that because it's based on UNIX, if you could get it to execute a shell script you could do anything on the computer, and that AppleScript wasn't sandboxed. They never noticed that the same was true of CMD.EXE and VBScript on Windows, DCL on VMS, and every other native scripting environment on every OS, ever, anywhere.

    Intego's business model appears to be FUD.

  15. Re:With great freedom comes great responsibility by bdsesq · · Score: 3, Insightful

    Apple either supplies a default root password or it has to build in a backdoor. Otherwise there is no way to upgrade the OS. Which way do you think is more secure?
    The jailbreak issue isn't Apple's problem. It is a problem with people doing things they don't understand.
    Looks like the jailbreak is just another way to rootkit a computer (phone).

  16. Re:With great freedom comes great responsibility by uglyduckling · · Score: 2, Informative

    Actually, the 'single sheet aluminium case' being a non-user serviceable part thing is a myth. My MacBook Pro came with printed instructions in a little booklet telling me how to open the back panel and replace the hard drive. It did have strict instructions not to attempt to replace the battery, but when I opened the case the battery was right there next to the hard drive, so I'm not really sure why they say that.

  17. Re:With great freedom comes great responsibility by mdwh2 · · Score: 4, Insightful

    When people point out something the iPhone can't do, we hear "Oh it can, but you just have to jailbreak it". When we get stories about security holes, we hear "Oh that doesn't count, you just have to not jailbreak it".

    So er, which is it?

    The problem is that the iPhone is the only phone where "jailbreaking" is necessary to get basic functionality working (e.g., tethering, running applications that Apple don't like).

    Consider, do you ever hear people talking about "jailbreaking" in the context of any other phone?

    My 5800 works fine, not had a virus (indeed on any of my phones), never needed to hack it.

  18. Re:With great freedom comes great responsibility by iamhassi · · Score: 2, Interesting

    "The problem is that the iPhone is the only phone where "jailbreaking" is necessary to get basic functionality working"

    Correct. Something as simple as deleting a call is not possible on the iPhone without jailbreaking, which is shocking because on every cellphone I've used in the past 10 yrs I've had the ability to delete a phone call from the call log, and it's a feature iPhone owners have been asking for since 2007. If you want to remove a single call you have to delete the entire phone call log.

    Honestly I don't know how anyone can use their iPhone without jailbreaking it, unless they're not really using it as a smartphone so they're not installing applications, using data, etc.

    --
    my karma will be here long after I'm gone
  19. Re:With great freedom comes great responsibility by UnknowingFool · · Score: 2, Informative

    What? The jailbreak exploit has nothing to do with jailbreaking itself but the fact that most people that used the process installed SSH onto their iPhones and didn't change the default password on SSH. It had nothing to do with what Apple supplied on the phone but what 3rd parties modified on the phone.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.