Slashdot Mirror

← Back to Stories (view on slashdot.org)

Intego's "Year In Mac Security" Report

Posted by kdawson on from the almost-popular-enough dept.

david.emery notes the release of Intego's "Year In Mac Security" report (PDF), adding: "Mac OS X and iPhones that haven't been jailbroken fare pretty well (although vulnerabilities exist, there's not been a lot of exploitation). Apple does come in for criticism for 'time to fix' known vulnerabilities. Jailbroken iPhones are a mess. The biggest risk to Macs are Trojan horses, often from pirated software."

13 of 132 comments (clear)

  1. So, avoid pirated Mac software... by Chris+Tucker · · Score: 4, Informative

    ...and let Software Update do it's thing with Security Updates.

    Don't go online as Root, and really try not to open email attachments that claim to be "Nude Photos of (insert female athlete name here)"

    Really, how hard is that?

    --
    Guaranteed! This comment 100% Anthrax free!
    1. Re:So, avoid pirated Mac software... by silentace · · Score: 5, Insightful

      So you basically said what PC users do everyday (the ones that don't ever get viruses)...

    2. Re:So, avoid pirated Mac software... by lseltzer · · Score: 3, Informative

      The public exploits only affect IE6 users on XP.

      Private exploits could affect IE7 users on Vista or even IE8 users on XP, but not if they activate DEP. If you activate DEP even XP users are protected. IE8 users on Vista and Win7 are effectively protected by DEP/ASLR.

      So, in effect, if you update even just to year-old technology you're protected.

  2. Re:With great freedom comes great resposibility by rsborg · · Score: 3, Insightful

    Should it be any surprise that unmoderated software could introduce security vulnerabilities?

    Really, the main problem is that jailbreak processes don't try to change your default root password. So the vulnerability is that Apple supplied a default root password (that isn't workable without jailbreak), and the haxx0rs remove the protection but fail to force user to change or randomize (and remember/show to user) that password.

    Nothing bizarre about that.

    --
    Make sure everyone's vote counts: Verified Voting
  3. my summary of the white/sales paper - fluff mostly by prawn_narwp · · Score: 4, Insightful

    This is basically 7 total pages:

    * first couple pages on installing bitorrent'd software
    * Page 4 and 5 about people who installed openssh on their jailbroken iphones and didn't change their passwords
    * last page has citations back to their own blog

    The meat of it is about PDF, Java -- surely those have a more widespread effect right? But they spend a lot less words on those topics. Note that all the visuals have to do with the stupid ssh-admin-password and bittorent'd malware.

    Skip to the concluding paragraph -- they just have to emphasize the iphone again.

    I was going to say "I declare this posting unfit for Slashdot" but the good I see is that we can pick it apart to sort out the fluff.

    My rating system on severity overall on the entire population of apple products:

    1) pdf/java (5 stars)
    2) I-enabled-ssh-w/o-a-password (1 star - you're fault for being a retard)
    3) Charles Miller iphone vuln (5 stars when it wasn't patched)

  4. Re:we don't need economic buzz by icebike · · Score: 4, Funny

    We need an economist to explain us how the us, by privatizing gains and socializong losses turned into a fascist state.

    And an English teacher to straighten out that sentence.

    --
    Sig Battery depleted. Reverting to safe mode.
  5. Re:With great freedom comes great resposibility by grouchomarxist · · Score: 4, Funny

    in a safe manor

    My security guards keep my manor safe.

  6. Apple's DRM seems to be the main problem by DrXym · · Score: 3, Insightful

    If Apple didn't put such draconian limits on what a person could do with their own property, perhaps there wouldn't be the need to "jailbreak" it.

    1. Re:Apple's DRM seems to be the main problem by RMH101 · · Score: 3, Informative

      THis is missing the point. The reason jailbreaking is allegedly unsafe is because once jailbroken, you can install SSH, and if you're dumb enough to not change the default root password, you can get owned. You get warned about this specifically when you install SSH anyway. If the phone were sold "open" and you installed SSH, you'd have the same issue. The point is that if someone goes out of their way to install SSH on their phone (which is a pretty hardcore geek activity anyway) and doesn't change the root password, then they're kind of asking for trouble.

  7. Talking through their hat since 2004 by argent · · Score: 3, Informative

    Back in 2004 Intego's big complaint about the Mac was that because it's based on UNIX, if you could get it to execute a shell script you could do anything on the computer, and that Applescript wasn't sandboxed. They never noticed that the same was true of CMD.EXE and VBscript on Windows, DCL on VMS, and every other native scripting environment on every OS, ever, anywhere.

    Intego's business model appears to be FUD.

  8. Re:With great freedom comes great resposibility by bdsesq · · Score: 3, Insightful

    Apple either supplies a default root password or it has to build in a backdoor. Otherwise there is no way to upgrade the OS. Which way do you think is more secure?
    The jail break issue isn't Apple's problem. It is a problem with people doing things they don't understand.
    Looks like the jail break is just another way to root kit a computer (phone).

  9. Re:With great freedom comes great resposibility by mdwh2 · · Score: 4, Insightful

    When people point out something the Iphone can't do, we hear "Oh it can, but you just have to jailbreak it". When we get stories about security holes, we hear "Oh that doesn't count, you just have to not jailbreak it".

    So er, which is it?

    The problem is that the Iphone is the only phone where "jailbreaking" is necessary to get basic functionality working (e.g., tethering, running applications that Apple don't like).

    Consider, do you ever hear people talking about "jailbreaking" in the context of any other phone?

    My 5800 works fine, not had a virus (indeed on any of my phones), never needed to hack it.

  10. Re:'Pretty well' isn't good enough by mario_grgic · · Score: 3, Informative

    The article you like to is talking apples and oranges literally. If the implication is that BSD bug is also a bug in OS X, then it's false. The bug is not present in OS X.

    iPhone on the other hand is a completely different beast and yes it is locked down platform mostly for the benefit of the users, so we don't have to worry if an application is safe to install and use.

    Yes, there may be security issues in iPhone apps, but even the security updates of applications go through the same review process, which may catch an omission in the review of the previous version (which is what happened in the case of the software discussed in the article).

    The review process is not perfect nor ideal, but I for one am thankful that someone else is testing the applications for me and I don't have to waste the time and money on tools to check what each app does and it it is safe to use on my phone.

    --
    As the island of our knowledge grows, so does the shore of our ignorance.