Apple Asks Security Experts To Examine OS X Lion
An anonymous reader writes "For as much as Mac OS X has a reputation for being safer than Windows, security researchers won't hesitate to point out that the opposite is, in fact, true. But Apple's looking to change that. This past Thursday, Apple doled out a beta of OS X Lion to developers. In conjunction with that, Apple is also reaching out to noted security experts and offering them free previews of OS X 10.7 so that they can take a look at Apple's new security measures and reach back to Apple with any thoughts and concerns they might have. Indeed, Apple is becoming a lot more security conscious these days, not only in terms of reaching out to security researchers but also in its personnel hires."
as much as Mac OS X has a reputation for being safer than Windows, security researchers won't hesitate to point out that the opposite is, in fact, true.
I'm sorry, what? Windows is "safer" than OS X? "In fact"?
They sure have increased their emphasis on security, now that they are in a position where insecurity might allow their customers to treat the devices that they own as such...
I'm certain they have their own internal security experts, but if they were going to reach out to outside experts, they should have done it a lot sooner.
It has been on Slashdot and other web publications many times. Google is your friend.
The burden of proof lies on the one making the assertion.
http://www.google.com/search?q=whats+more+secure+windows+7+or+mac+os+x&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a#hl=en&client=firefox-a&hs=YIo&rls=org.mozilla:en-US:official&&sa=X&ei=ZrdqTa2aEom-sAOkuPj9Cw&ved=0CBMQvwUoAQ&q=what's+more+secure+windows+7+or+mac+os+x&spell=1&bav=on.1,or.&fp=3f40f95b1b9c7c0d
BEGONE FANBOI, BEGONE!!
I'm not saying it's true, but it seems a lot of people do say that's true.
Yes, we all know the FUD has been flying, he was asking for actual data.
Still waiting for the first Mac OS X virus in the wild...
"For as much as Mac OS X has a reputation for being safer than Windows, security researchers won't hesitate to point out that the opposite is, in fact, true."
Have any quotes or links to back that up, Mr. Submitter?
This space left intentionally blank.
So they're asking for free work? I mean, it's not like we as a community (or security experts as a community) can take advantage of the knowledge put into these fixes. Not to mention that security consultants' time is expensive.
Posted by Anonymous. Not the 133+ haxors, but rather Steve Ballmer.
Say hello to my little sig.
How about paying reputable security researchers (or testers) to evaluate the software?
you ever heard about Pwn2Own? OSX got cracked in about 2 minutes in one of the more recent contests. It was the first OS to be taken down. Win7 took awhile longer, since they already have experience in dealing with security issues (~90% market share tends to get you targeted a hell of a lot more).
http://www.google.com/search?q=whats+more+secure+windows+7+or+mac+os+x&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a#hl=en&client=firefox-a&hs=YIo&rls=org.mozilla:en-US:official&&sa=X&ei=ZrdqTa2aEom-sAOkuPj9Cw&ved=0CBMQvwUoAQ&q=what's+more+secure+windows+7+or+mac+os+x&spell=1&bav=on.1,or.&fp=3f40f95b1b9c7c0d
Followed a few of those links, they say the opposite.
I'm not saying it's true, but it seems a lot of people do say that's true.
"I'm not saying that Obama is a communistic atheistic muslim terrorist transvestite, but it seems a lot of people do say that's true."
That's not an argument, it's a drive-by shooting.
http://en.wikipedia.org/wiki/Pwn2Own
Pwn2Own contests regularly have Safari/Mac software as a valid winning target.
Is it good data? Maybe not. But the point is that Macs aren't targeted much because the Windows desktop share is much larger (some figures say 90%). So while they can get viruses, it's not a valuable target for botnets.
Still waiting for the first Mac OS X virus in the wild...
http://www.symantec.com/security_response/threatexplorer/azlisting.jsp?azid=O
OSX.* near the bottom of the list. There's 13 on that list.
The problem is that security experts like to point out potential things that bad people could do, instead of actual bad things that bad people are doing. OS X is still one of the least attacked platforms out there, and most of the exploits that security researchers talk about finding are the sort that aren't going to be exploited by the people doing the exploiting. For example a LOT of the exploits that they talk about are for if you actually have physical access to the computer. Well I'm sorry to tell you, if you have physical access to the computer you're already boned!
wow a Free OS! That will get lots of time and interest from highly paid security experts...
If they were actually interested in improving security they would put their money where their mouth is and start a bug bounty.
"For as much as Mac OS X has a reputation for being safer than Windows, security researchers won't hesitate to point out that the opposite is, in fact, true. "
"Security researchers won't hesitate to point out the opposite is, in fact, true when paid to do so."
There, fixed it for ya.
Say hello to my little sig.
"security researchers won't hesitate to point out that the opposite is, in fact, true"
Without a citation or naming said researchers, I assume that anonymous/samzenpus pulled this out of their ass.
This link avoids the FUD at edibleapple: http://news.cnet.com/8301-1009_3-20036218-83.html
(too lazy to login)
I wonder what Steve will be thinking, cooped up in his emerald coffin six feet under. Something like, HA! And they said I couldn't take it with me! HA! HA! HA!
Yeah !!
Windows is really easy to lock down and control from a central location in a corporate environment.
I can't even imagine what deploying and maintaining 1000+ macs would be like.
Rod Taylor
Apple has been insisting for years that OSX has zero viruses. Users start to think they're invincible and run any downloaded binaries without a second thought.
Apple is also releasing security updates (but less frequently than Microsoft). In addition, since Apple products "just work", sometimes they have to reduce security in order to make the product easier to use.
Your waiting days are over!
http://news.techworld.com/security/5392/worlds-first-os-x-virus-hits-apple/
It's amazing to me how you even mention that OS X might be susceptible to malicious users, and all the mac boys start foaming at the mouth.
No, it isn't FUD; do some research online. Just about every hacking contest sees OS X go down in a ball of flames in minutes. Just about every patch cycle from Apple sees more security vulnerability patches than are found in all MS products combined in a year. Many security researchers have been pointing out Apple's lax security practices for a long time; seems they might finally be getting the message now that their share of the pie is significant enough to warrant it being an issue.
Hmmm... Security issues? Or is it more likely that a talented hacker would rather hack a £1500 Macbook Pro rather than a crappy generic Windows laptop?
Click Here to Install Silverlight!
Work in a place with 1500+ Macs and it's hell
Question is... are there any restrictions on what the "security experts" can report? Is this a way to legally limit what they are allowed to say... in exchange for preview copies they sign a nondisclosure agreement to only report the issues to Apple? It seems that if Apple was really serious about security they would allow the experts (and others) to have access to the source code.
...when /. wasn't completely over-run with nauseating Apple fanbois.
It's not bad actually... You need a MacMini server x2 to replicate each other, and push out the managed settings. You can authenticate machines via AD/OD/OpenLDAP. You can host the home folders off any NFS/AFP server. Netboot, netrestore etc. makes deploying easy. I'm looking after 150 Macs at the moment, as well as a host of PCs, and I don't have many issues. It's just me.
Well, the pwn2own losses for OS X have all been due to flaws in Safari. While still serious it's hardly proof of OS X being inherently less secure than Windows or Linux.
Greylisting is to SMTP as NAT is to IPv4
As soon as there is a virus that has actually affected macs worldwide come back to gloat. Hacking with rules is like doing science in a lab. Look how messed up global warming theories are.
Also one would think that Apple's 90% share of computers above 1000$ would make a better target than cheap ass pcs.
http://www.betanews.com/joewilcox/article/Apple-has-91-of-market-for-1000-PCs-says-NPD/1248313624
Someone doesn't want to wait until the next Pwn2Own?
And there's one actual virus on that list ... which, if you read the description, you'll see is a proof of concept. Wow, OS X is just as insecure as Windows!
GMAFB. You can talk about pwn2own all you want, but in the real world, no rational person doubts that OS X users are much, much safer from malware of all kinds than Windows users are. The market share argument doesn't hold water either, because in the "Classic" Mac OS days, there were in fact large numbers of genuinely dangerous Mac viruses in the wild -- not as many as PC (Windows and DOS) viruses to be sure, but a hell of a lot of them, as opposed to the effectively zero there are now. The millions of installed OS X machines running with default out-of-the-box setups would be a juicy target for malware authors, precisely because of the casual attitude most OS X users take toward security. If you're going to come up with a reason why this hasn't happened yet, other than just admitting OS X is inherently more secure than Windows, you're going to have to do better than a link to a Symantec list or a contest that represents security threats very different from those most users of all OSs face in everyday use.
The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
There are no viruses in the wild for OS X. There are, however, Trojans in the wild. Not the same thing. However Apple users by and large are quite arrogant and care-free about the security of their OS, and IMO are just asking for it. BTW, you can easily run OS X in a non-admin account without issue, which is more than can be said for Windows 7, which is irritating as all hell unless you run as an admin. At least OS X has that going for it.
Still waiting for the first Mac OS X virus in the wild...
McAfee lists 48 known "viruses" for OSX. Most appear to be Trojans giving remote access or subverting DNS. I perused a few of the McAfee descriptions, and it was not immediately clear whether these infections would be self-propagating (as one would ordinarily expect of viruses). Just like other *nix threats, they require the user to actively run the infecting program and enter a privilege-escalating password.
While not a Mac user or fan (Linux user, mostly), I am also mystified by the characterization of OSX as being less secure than Windows. Even turning to social engineering as a security hole, it's not certain that Mac users would be easier to suborn than Windows users.
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
According to this link, Pwn2Own was about cracking browsers, not operating systems. Seems to me that there is a difference.
If I used a sig over again, would anyone notice?
While I've never personally claimed anything beyond more "security" by obscurity... I would point out that at many of the hacking contests, the people targeting OSX do so specifically because they feel it is a smaller target. (fewer competitors? Easier to be the "only" one to know about a specific issue? whatever)
I will say that OSX has been phenomenally more stable than Windows. Windows 7 was long overdue, and has held up pretty well, but it is still a bit of a pain in the ass.
I am glad to hear that Apple is finally thinking more about security. They have relied on obscurity and "we have a Unix foundation" to get by for too long. They certainly have the tools and expertise... They just haven't had much of a reason until lately. If Apple starts really putting the Unix underpinnings in OSX to use, thinks about security, and does with the *nix enterprise management tools what they have with the GUI.. Windows could be in trouble in the enterprise... Not that Apple has ever really shown any interest in the enterprise...
They should take a hint from Ubuntu. Their names always raise some complaint, but they are funny, intriguing and more importantly they sound like new stuff. Cat ++; is meh.
It took them 8 months to fix a 10.6 simple kernel privilege escalation exploit I submitted to their security team last year.
It's x86-specific; otherwise, I would've sent it to the iPhone jailbreak hackers instead of Apple.
"Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
I should have said "will be." It's going to be March 9 through 11.
If I used a sig over again, would anyone notice?
Work in a place with 1500+ Macs and it's hell
Work in a place with 1500+ Mac users and it's hell. There, fixed that for you.
Obama is a communistic atheistic muslim terrorist transvestite
atheist AND a muslim? props to him if he can pull that off
Actually, Windows 7 works great with a standard User account, with one exception - it won't let you install fonts. I really wish there was a separate permission somewhere for that.
a great deal of these 'vulnerabilities' in OS X are from open source software projects which release the advisories.
i guess you haven't seen any security updates from Ubuntu/Redhat or any other UNIX before, have you?
when you release a UNIX distro with a ton of software using many different packages, frameworks and programmers with varying levels of appetite for security completeness, you are going to run into a myriad of issues.
MS also have their issues, but you can't compare apples with oranges.
well, for instance, you have never been able to get past windows logon by simply entering a few thousand spaces as your password.. can't say the same about fadintosh
However Apple users by and large are quite arrogant and care-free about the security of their OS, and IMO are just asking for it.
That's an odd take.
Anyway, as things stand right now, being "care-free" about viruses/malware is warranted. Once some actual outbreak occurs, or malware becomes more than a handful of trojans on pirated copies of Photoshop and iWork, the care-free days are over. But until then, what's wrong with accepting reality as it is as opposed to worrying about what might someday come to pass (but for over a decade now, hasn't)?
GMAFB.
Is it good data? Maybe not.
Meaning I'm implying it's data, but probably only that. I said no such thing as MACS ARE SECURE HURR.
I actually don't care about this topic, AC asked for data.
And if I really want to, I can spin it the other way with Windows XP:
http://blogs.chron.com/techblog/archives/2008/07/average_time_to_infection_4_minutes_1.html
Which means that there are viruses that scan the internet for open security holes regularly at random IP addresses to infect other machines.
OH NO XP IS INSECURE, WE SHOULD ABANDON IT!
No, not really, it just means you should keep it patched, and not use EOLed OSes. If you are unlucky to have an XP without any SP for whatever reason, you should not connect it to the internet, and patch it offline.
So what is my point? The internet is dangerous where known and unknown threats can be found, but there are simple steps for each OS (car analogy: wear seatbelts) to help keep you safe, such as regular patching.
lemmy guess: HBGary? Tanja Nijmeijer must be using Macs
http://news.cnet.com/8301-10789_3-9973703-57.html
BEGONE FANBOI BEGONE!!
Just because it's not widespread doesn't mean it doesn't exist. I don't see the harm in exercising a little caution and common sense when downloading and installing apps, even on OS X.
IIRC, this is the version in which they will no longer deliver a Java VM. This alone will drop the vulnerability and patch count significantly. Can anyone with the preview confirm that it is/is not included?
There are very few true viruses in the wild at all these days. The great majority are actually trojans or worms.
The statistics bear this out. 2003-2011, Mac OSX had 2.6x as many vulnerabilities as Windows 7. Plus a higher percentage were serious vulnerabilities.
http://secunia.com/advisories/product/27467/?task=statistics
http://secunia.com/advisories/product/96/?task=statistics
And there's one actual virus on that list ... which, if you read the description, you'll see is a proof of concept. Wow, OS X is just as insecure as Windows!
Alcatraz has had a number of jailbreaks. My grandmother's white fence has had 0 jailbreaks. My grandmother's fence is more secure than Alcatraz!
Just because few people take advantage of such a system doesn't mean anything. Mac has a tendency to pull out a large patch every few months or so - that's insecurity at its finest. Obviously if they had larger market share in this day and age, there'd be more viruses.
No, it isn't FUD; do some research online. Just about every hacking contest sees OS X go down in a ball of flames in minutes
Yes, minutes... After the contest enters the phase where you can load files remotely. And minutes later, Windows and Linux go down (everyone attacks the Mac first, because pwn2own means you get to keep the computer you pwn, and everyone wants the Mac).
Just about every patch cycle from Apple sees more security vulnerability patches than are found in all MS products combined in a year.
Not remotely true. However it is true that in pure numbers, Apple patches more vulnerabilities than MS. These are primarily in Open Source products included with Mac OS X, and is seen as a strength, not a weakness. Also, Mac OS X patches tend to be local vulnerabilities, while Windows patches are far more often remote vulnerabilities, which are significantly more critical.
Many security researchers have been pointing out Apple's lax security practices for a long time
Yet somehow the sky has never fallen. It's possible that Mac OS X is theoretically less secure than Windows, but it's absolutely certain that Mac OS X is, in actual real world usage, significantly more secure than Windows. Hands down, no-contest.
Pwn2own and "patches per year" are interesting metrics, but the only thing that matters is whether a user has to worry about their computer being compromised, and Mac users don't, Windows users do. It's as simple as that. Everything else is academic and hand-waving side-stepping of the actual issue.
seems they might finally be getting the message now that their share of the pie is significant enough to warrant it being an issue.
Apple has had sufficient market share since the beginning of consumer viruses and malware. There were plenty of Mac viruses back when their market share was far lower than it is now. It's absurd to claim that there are essentially zero malware for Macs because of market share, when their market share is large enough for thriving third-party software and hardware. Market share plays a role, but is not *the* primary reason.
What this indicates is that Apple is being proactive in making sure Macs remain as secure as they are today, and not resting on their laurels.
Life isn't pwn2own. Now that Mac has finally joined Ubuntu in having a built-in app store, distrust of web-based software downloads should become intense enough to nearly eliminate malware. Whenever I'm presented with a person that says "go download this," my response is "when will this be in the Software Center." It's not a question, it's a statement. If it's not in Apple's, Google's, or Canonical's app store, there's a reason for that, and I'm not downloading it until I know what that reason is.
It is disappointing to see the comments thus far have not bothered to mention what potential security improvements are likely to be in the final version of Lion and how effective they might be. So far the ones I've heard mentioned include:
I'm sure in more security oriented forums there will be some good analysis of these new features, how well implemented they are, and how effective they are likely to be. The Mac App Store offers some potential security improvements by standardizing application updates and pushing them out more quickly and widely and hopefully encouraging developers to make more use of security frameworks already present. Personally, I think the sandboxing combined with the Mac App Store could be a huge boon to security if Apple can get enough developers on board, but I'm not sure if Apple will go that route. Hopefully feedback from experts will help push them in that direction.
The summary is fucking awful in a long line of terrible abstracts which link to terrible articles and paraphrase things which aren't usually in the original article.
How much did edibleapple.com pay for this, incidentally? I note that this website had only 4 adverts on the linked page - amazing, well done! Usually I have to search for the 15 words of content within the advert.
Enough is enough, slashdot is not fucking AOL!
Maybe we'd get better service from AOL. When's the buyout?
Easy, get OS X Server, make a standard disk image and either use NetBoot or have them reimaged regularly. Not that hard, there are numerous mailing lists and Howtos for it.
That's nothing compared to putting up with PC users. They are far more irritating than any Mac user I've ever run into.
http://www.rootstrikers.org/
As arrogant as Mac users happen to be, it seems they are always half as arrogant as PC users.
http://www.rootstrikers.org/
Amazing. The market share argument has been shown to be utter crap, over and over again, and you people just keep repeating it. Is it some kind of religious belief with you? Mac users get accused of fanaticism a lot, and not without justification, but I swear there's nobody more fanatical in the computer world than a Mac hater on a roll.
The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
Here's the facts:
Microsoft Windows
1) People go and find exploits and write viruses/malware etc.
2) Microsoft patches and fixes these exploits.
3) Windows becomes more secure. Repeat step 1-3.
Apple OS X
1) People don't really bother to find exploits or write viruses/malware for OS X, because more people use PCs than Macs.
2) Vulnerabilities and exploits remain un-patched.
3) Apple gloats that OS X is more secure than Windows.
Look at the development tools. On Windows, you have Visual Studio which makes writing exploits rather easy. It can show you a memory dump of any address, help you debug programs with a very easy UI, and Microsoft is kind enough to provide Detours to let you hook functions in system libraries.
On the Mac? Honestly, you have to admit that Xcode and other development tools are much less robust than Microsoft's. You'd have to work a lot harder to create malware.
There's no -1 for "I don't get it."
Hard to say. What's worse, smugly saying "My computer just works, and it's totally safe" or "I can build a more powerful PC for half as much as your shiny Mac!". I guess we're all douchebags. Since I use both, I guess that makes me a confused douchebag. :)
There are very few true viruses in the wild at all these days. The great majority are actually trojans or worms.
You do know that "worm" is a subset of "virus", right?
However Apple users by and large are quite arrogant and care-free about the security of their OS.
As opposed to all the fucking geniuses running Windows. Haven't you walked into an office and seen the idiots at just about any PC who have trouble selecting a font?
My grandmother's white fence has had 0 jailbreaks. My grandmother's fence is more secure than Alcatraz! Just because few people take advantage of such a system doesn't mean anything.
It means a lot to your grandmother. I'm sure she's much happier living in a nice house with a nice white fence, than she would be living in Alcatraz. And in either location, she hasn't had her living space broken into.
I don't care if it's 90,000 hectares. That lake was not my doing.
Work in a place with 1500+ Macs and it's hell
Care to explain what makes it hell? I'm genuinely curious.
I don't care if it's 90,000 hectares. That lake was not my doing.
Here's the only metric that really counts in my book.
If you've ever done desktop support for your friends and family, count up the times you've had to go in and clean up a rooted, malware-laden mess on Windows, either by running a full, time-consuming, malware scan and removal, or just doing a reformat and reinstall. Now do the same thing for your OS X user friends. Adjust for market share and compare the numbers.
Yeah, brb, going over to friend's house for free beer after I fix his Windows infection.
nothing to do with wanting to improve "security." they want to improve "security" like they have on the iOS platform. I'm scared for my os x :(
I haven't seen any comments referring to the new RAT for Mac nor have I even seen mention of it on Slashdot.
Lies, damned lies, and statistics. Considering that Windows 7 has only been out 493 days as of this posting, and 2979 days have elapsed since the beginning of 2003, that means that one vulnerability is announced every 8.6 days on average for Windows 7, versus one vulnerability every 19.9 days on average for OS X.
Slashdot's first reaction to VMware
I tried getting some once. My Mac wouldn't let me. :/
Apple has been insisting for years that OSX has zero viruses.
This is wrong. Stop spreading this myth. Apple has NEVER made any such claim. Please show me where Apple makes a claim that OS X has zero viruses.
So what is my point? The internet is dangerous where known and unknown threats can be found, but there are simple steps for each OS (car analogy: wear seatbelts) to help keep you safe, such as regular patching.
There are no secure systems out there. There are only some systems less vulnerable than others. The problem with Windows is that its history of security is very pathetic. You assume that regular patching is the panacea to Windows security. Just last week, MS acknowledged a zero day flaw in SMB. How is regular patching going to guard against a zero day? The main problem for MS has been that Windows is coming from a design which never had security in mind in the beginning. Whereas Unix dealt with the challenges of networks, security, and multiple user access decades ago, MS has bolted on security time and time again.
Whether you want to admit it, Windows has security problems and sometimes there's very little a user can do about it or even detect it. I remember the last time I got a trojan. I was visiting a news site. Somewhere in one of the ads, it planted a trojan. This wasn't some dark corner of the internet. This was the Atlantic Monthly. Getting rid of the trojan required a fresh install.
Well, there's spam egg sausage and spam, that's not got much spam in it.
Already found about 30 security related bugs. I don't care if you are Microsoft, Linux or Mac, when you release a Beta, there will be problems found.
Just about every patch cycle from apple sees more security vulnerabilities patches than are found in all MS products combined in a year.
Although this is patently false, all this proves is that Apple is better at discovering and patching vulnerabilities than Microsoft is. The total number of vulnerabilities in an OS at any one time is an unknowable figure. For all we know there are thousands of vulnerabilities in Windows and only hundreds in Mac OS. If that were the case then the fewer number of vulnerabilities found and patched by Microsoft each month would only prove that many vulnerabilities remain un-patched and the many number of vulnerabilities found and patched by Apple means that fewer vulnerabilities remain un-patched.
Therefore, because of the fact the actual total number of vulnerabilities is unknown in any one system, your metric of measurement is meaningless.
You realize that "Clicking on the file" is not a virus right? Viruses must by definition replicate without user interaction.
That's like me sending you a dos batch file on windows and you being dumb enough to run it. If we're extending the definition of virus to "anything some dumbass might run that could hurt their system" then every operating system has an infinite number of viruses just waiting to nail it.
When it comes to security, the problem is the person operating the computer. Malware and viruses don't just magically appear on a system unless there is a remote exploit, and even then it often takes user interaction to make it work.
It doesn't matter how secure you think your favorite operating system is. If someone has admin rights on that machine, then it will be vulnerable to the first NataliePortmanNekkedWithGrits.* that person downloads and runs.
~X~
Apple's problem in corporate environments is their complete and utter lack of understanding and support of a real enterprise. They want to play make believe at enterprise support but they don't take it seriously. It is a disaster and only getting worse. We've been looking at integrating Macs into a lab (and we are going to) but will need 3rd party software to make it work well.
Some big noteworthy things they've done recently are discontinue servers and screw over virtualization. So you can't buy a blade server, the most popular kind of server, for Macs anymore. You can buy a Mac mini, an overpriced tiny little desktop thing ($1000 for a Core 2 Duo server box) and use that, or you can buy a Mac Pro tower. That's it. No rack servers. Ya that is real enterprise support.
In terms of virtualization VMWare fully supports OS-X server, client tools and all... However Apple won't license it to run on anything but Mac hardware. So if you want Mac VM servers you have to buy a Mac Pro tower and find a place to put that, then get VMWare Fusion on it, which is a desktop solution, not a server one, then virtualize OS-X server on that. That Big rack of high availability, bare-metal ESXi servers that you run Windows, Linux, etc on? Nope, fuck you can't run OS-X on it because Apple says so.
Apple will never get big in corporate environments until they get real with enterprise support. Not half assed solutions, real support.
Better than merely reducing the attack surface of the platform by not including Java, Apple has also begun working with Oracle/Sun and contributed to OpenJDK. This should provide more timely updates to folk using Java on Mac OS X.
If you mod me down, I shall become more powerful than you could possibly imagine.
With reports of the Leap-A program infecting some Macs, it’s important to keep the news in perspective. While Leap-A has the potential for mischief, it’s not anything like a crippling Windows virus that periodically brings the rest of the computing world to its knees. More important, as explained below, this incident doesn’t expose a security hole in the Mac operating system. Rather, it’s a piece of malware that can be easily rebuffed by vigilant Mac user.
Source
Faster! Faster! Faster would be better!
Not specifically security related but does anyone have any idea what version of rsync has shown up in the beta? The version that ships with 10.6 is rather outdated so it'd be great if this (pretty important) tool were brought in line with where rsync is now.
No matter how many times you repeat that claim, it's still unsupported by the evidence. Mac OS (7/8/9) had a much smaller market share than Mac OS X has today, and a dramatically smaller user base, and yet there were many viruses, aheh, "available" for it, whereas there are none on Mac OS X. Furthermore, it's widely known that Apple takes the lion's share of profits in the PC industry, despite selling far fewer systems. It does this by selling systems at the top end of the market, which it dominates (something like 90% of all laptops for which people are willing to pay more than $1000 are Apple computers). Obviously those people would be a rather more lucrative pool of victims, yet they remain almost entirely unexploited. There are other reasons, but those are sufficient to shatter your claim.
If you mod me down, I shall become more powerful than you could possibly imagine.
Roughly 10% of the total PC market is Apple. Apple has roughly 0% (zero percent) of the enterprise PC market, which is roughly half of the overall PC market (the number of installed systems is smaller than the consumer market, but consumers tend to refresh less often). So, Apple apparently has about 20% of the consumer market these days.
There are automated, automatically propagating exploits for obscure BBS systems, for IIS back when it was a tiny sliver of the web server market, for data base systems installed on a tiny fraction of web servers, in numbers utterly dwarfed by the installations of a single model of MacBook Pro.
What's it gonna take for y'all to give up on the "market share" ghost?
If you mod me down, I shall become more powerful than you could possibly imagine.
they better get the security experts at HBGary on this shit pronto!
Dear Slashdot,
I don't want to veer off-topic, but this redesign is a mess. Comments have the score randomly disappear from them (the only "fix" is to find the problematic parent and expand it), and every few times I load a hidden comment, my entire browser content area turns gray.
I'm not complaining about the look, although for what it's worth I did like the old one better. I'm complaining about the fact that I literally cannot use the new layout because it is broken on a relatively popular browser (Firefox 3.6 on OS X).
We can haz fix?
R.Mo
Yes, we all know the FUD has been flying, he was asking for actual data. Still waiting for the first Mac OS X virus in the wild...
That no one is even bothering to write viruses for OSX speaks volumes for the situation.
I've been hearing how the MAC platform is secure...since...back before they even had a preemptive kernel or a sane security model when apps and the OS crashed regularly. This is/was obviously bullshit.
Perception is everything... Windows is viewed to be less secure because it is by far a bigger target. All social engineering / botnet efforts are focused on it to maximize attacker ROI.
If an OSX luser received an email telling them to download and run a program to see if they won $1million ... what precisely would make the outcome of that exercise any better than the same situation toward a Windows Vista/7 user?
I imagine in either case the attacker would include instructions for bypassing UAC/security prompts as is quite normal for many popular legitimate software installs from the Internet today.
Fooling lusers is easier than finding vulnerabilities and a system is only as secure as its weakest link.
Apple has had sufficient market share since the beginning of consumer viruses and malware. There were plenty of Mac viruses back when their market share was far lower than it is now. It's absurd to claim that there are essentially zero malware for Macs because of market share, when their market share is large enough for thriving third-party software and hardware. Market share plays a role, but is not *the* primary reason. What this indicates is that Apple is being proactive in making sure Macs remain as secure as they are today, and not resting on their laurels.
Can I ask what makes OSX more secure than Windows Vista/7 when faced with the problem of a user being tricked into loading malicious software? Complete with instructions for bypassing any UAC/security warning prompting they may encounter?
I would love to see someone provide a cogent answer for this one simple question... Most successful attacks on the masses are social engineering that exploit no systems vulnerabilities of any kind.
I get your perception = reality = security idea but it is in fact a lie... security by obscurity.. It is critically important to understand the underlying reality...
The iPhone is a good model of protecting the user from themselves but personally I would only submit to that level of lock-in and single vendor control after I am long since dead.
How do you protect the user from themselves while still preserving choice and an open ecosystem?
You could do least privilege but even then malicious code has access to all of the data the user cares about! You could virtualize and sandbox everything but programs often need to interact and interchange data.
It is in fact a very difficult question...one that no general purpose operating system vendor currently has a luser-proof response.
True.
IIS and SQL Server injections were on the rise when Solaris was still king of the internet server market a decade ago. Windows Server back then was not the dominant player yet had most of the backdoors. The reason Windows has more viruses and trojans is due to ActiveX and shoddy design for IE and Windows. Not because it was the dominant client operating system.
I would mod you up if I had points. I have been refuting this until I am blue in the face.
It has nothing to do with popularity. Fact is in 1999 all you had to do was write a few lines of code in C++ to delete a partition and put it in an ocx container for ActiveX and voila! Anyone visiting your site lost their hard drive! Yes security was that bad in the 1990s with Windows.
http://saveie6.com/
Never really thought of it like that, always thought of a virus as being something that requires a running program to infect and spread by.
A worm, OTOH, doesn't necessarily attach itself to a running program.
In common parlance today, "virus" has become a bit of an umbrella term for more-or-less any sort of malware. If you want to be strict about it, that's not correct, but let's face it - as far as the general public is concerned, that ship sailed a long time ago.
Is the speed at which an OS gets compromised a viable metric for its security? I mean, imagine (I'm talking hypothetically here) MacOS had 1 open bug that allows someone to compromise the system in 10 min, and Windows had 15 open holes, each of which would require 1 day to circumvent. Which OS is more secure? If you ask me, I'd say Windows because right now the MAC OS would be a better target. But that can change overnight if Apple released a patch. Quite often people also say that Mac OS is not targeted because of their market share. That IS a security advantage, even if it was given to them for free. For the average Joe, measuring security in a product should boil down to how likely is that his machine gets compromised, with all factors involved, including likelihood that someone cares. I think my Mint box is much more secure than my Windows box. Not because Mint is free of holes, but because no one really cares to hack me. And to me, at the end of the day that's all that matters.
I wonder if Apple will be asking HBGary to have a look at the security
There are no viruses in the wild for OS X. There are, however, Trojans in the wild.
There aren't enough OS X systems to make a virus worthwhile. It probably wouldn't be able to spread due to all the non-infectable Windows installs out there. Now, you might be able to write a virus that infected both, but once you've got to 90% why bother with the last 10%? Especially given that adding a second platform is probably going to require at least as much effort as the first, possibly much more depending on the type of vulnerability and the restrictions it places on your payload.
"I've been hearing "The only reason every Mac isn't infested with malware is that they're not a big enough chunk of the market for it to be worth the effort." for so many years the effect has worn off. Year after year - You know, it really gets old hearing that excuse. If that really is the case, I hope it continues." - by Cheech Wizard (698728) on Sunday February 27, @04:38PM (#35333006) Homepage
Ok then, explain this: Do pickpockets operate on "crowds of 1" only, vs. massive crowds of potential possible victims in crowded city streets, train or bus stations, or malls?
ANSWER = No, they do NOT!
Pickpockets (and yes, online criminals too) go where their efforts expended to "do the job" are most effective for the BEST "ROI" (return-on-investment), from a single method of attack (codebase in malware)!
(And, just like pickpockets? THAT is done by going where the MOST POSSIBLE VICTIMS (users) ARE... & currently (and for decades now), that is on Windows).
You think share of market doesn't matter?
Today's ( & this past decade's), online criminal is NO DIFFERENT than the street pickpocket... and they are BOTH AFTER YOUR MONIES!
Thus - It makes sense for them to attempt to attack Windows on that very same basis (as it IS "where the crowds are").
NOW, ONTO ACTUAL STATISTICS/FACTS & FIGURES of UNPATCHED KNOWN SECURITY VULNERABILITIES: (MacOS X vs. Windows 7)
---
Vulnerability Report - Microsoft Windows 7:
http://secunia.com/advisories/product/27467/
Unpatched = 6 of 57 Secunia advisories
---
vs.
---
Vulnerability Report - Apple Macintosh OS X:
http://secunia.com/advisories/product/96/?task=advisories
Unpatched 9 of 150 Secunia advisories
---
NOT ONLY HAS THE CURRENT MacOS X BUILD SHOWN MORE OVERALL SECURITY ADVISORIES THAN DOES WINDOWS 7, BUT, IT ALSO HAS MORE KNOWN OUTSTANDING UNPATCHED KNOWN SECURITY VULNERABILITIES THAN DOES Windows 7... period!
(So, "argue with the numbers"... & good luck!)
Lastly - I hope one of you tries the "local/local network" vs. "remote" tactic "spin-CON-troll" too, because I'll use what I used on the Linux crew a few days back in regards to THAT little "trick" too, due to how malwares today are being constructed... & they are NOT "your dad's oldsmobile" anymore...
APK
P.S.=> Here's a list of problems MacOS X has had in its tenure, for those of you that are interested, that I've been compiling for a few years now - So, "chew on these" (35 of them, or thereabouts...):
---
MacOS X - A Worm for Your Apple MacOSX:
http://www.beskerming.com/commentary/2007/07/18/222/A_Worm_for_Your_Apple
---
MacOS X - Another Mac Trojan/Fake Codec - Security Watch:
http://blogs.pcmag.com/securitywatch/2007/11/another_mac_trojanfake_codec.php
---
Apple's FaceTime for Mac debuts with security holes:
http://www.theregister.co.uk/2010/10/21/apple_facetime_security_hole/
---
Apple Patches OS X Flaws:
http://www.eweek.com/c/a/Apple/Apple-Patches-OS-X-Flaws/
---
Apple patches QuickTime to root out 15 ugly vulns:
http://www.theregister.co.uk/2010/12/09/apple_patches_quicktime_again/
---
Apple's Snow Leopard Is Less Secure Than Windows, But Safer:
Every single year, OSX loses the Pwn2Own competition first. Windows and Linux always go down on the same day.
Perhaps because everyone wants the Mac and focuses the most intensely? Desirability in a hacking contest with local network access != real world security exposure.
In my decade+ IT career, I've never seen a Mac rooted or infected with a virus beyond an Office macro. Curious, no?
Also curious that I've seen Linux boxes routinely rooted (usually by IRC-bot-seeking scriptkiddies) and Windows machines infected with spyware at an average of around 1 a week out of a population of about 75-100.
Please help metamoderate.
You clearly have little concept of the differences between Windows and OS X (well, beyond "Windows sucks but Apple is cool, dude" anyway) so I'll try to explain it in simplistic terms.
Viruses and Trojans propagate easily through Windows systems because there is a common platform across many machines in which a piece of malware can run, and because a lot of Windows users run in administrator mode with deeply-embedded applications running with similar permissions, malware can get deeply into the system. Yep, a lot of that is bad design of the OS but that's how it is.
A UNIX-like system is not susceptible to the same type of malware propagation because there are many different variants of UNIX that don't frequently run common binaries (i.e. programs need to be compiled for each specific type of UNIX). However, a bigger barrier to virus propagation is the fact that UNIX instills in you from the outset to do as much as possible as a normal user and just change to root when you need to.
I am a huge fan and user of Linux but I tell you now, categorically, the above facts DO NOT AUTOMATICALLY MAKE YOU SAFE!
UNIX "presents" applications to the network ("daemons") that have been started from their own shell and if you manage to crash those daemons, then you can force the system to drop to a shell prompt. If that daemon was running with root permissions, then it will drop to a root shell prompt and you then have unrestricted access to the system to do what you like - this type of attack is known as a "buffer overflow attack" because its purpose is to crash the daemon by sending either too much data for it to process or badly constructed data. And this is precisely why modern UNIX systems usually try to run daemons at normal user level, rather than root, so that in the case of a crash, it drops to a user shell only in which you can do a lot less damage because you are far more restricted at a permissions level.
Another form of attack is "brute forcing" where you try to break open an application by continually trying to send, say, a valid password to log into the system.
In both cases, such attacks need to be directed at a specific application, maybe even a specific version of that application with a known vulnerability that can be exploited. However, because it's possible to drive attacks from an automated program, a lot of machines can be tested very quickly for vulnerabilities.
If you have enough knowledge of what you are doing and don't believe me, make sure your machine is logging everything and then stick it in the DMZ of your home router, maybe run up Wireshark packet sniffing at the same time. I guarantee you that if not immediately, then within minutes you will see signs that something out on the Internet is having a look at what's running on your machine - a common one is brute forcing the SSH daemon where syslog will show you spurts of activity of something trying to get access to your machine by systematically trying common account names.
What's worse in your case is Apple markets their machines as being easy to use but, the fact is, you need to know a lot about UNIX before you can be relatively confident that you are safe. Incidentally, I got seriously into UNIX security about 8 years ago when I put a home server on the Internet, stupidly left an FTP service running, it got buffer overflowed and a script got installed on it to kick users from an IRC channel. I found out about it when my ISP disconnected my account due to complaints and it took me over two weeks of sending them logs and emailing them to get it reinstated. Suffice it to say, I've never been hacked since.
The moral of the story is "Don't get too complacent" and you'd be far better off reading a few books about UNIX security now rather than sitting there thinking it will never happen to you.
Gentoo Linux - another day, another USE flag.
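The syslog pattern the comment above describes (bursts of SSH login attempts cycling through common account names) can be picked out mechanically. The following is an added example, not part of the original thread: a small detector run over constructed sshd log lines, where the threshold, the 60-second window, the host name and the documentation-range addresses are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in classic syslog format; addresses are documentation ranges.
SAMPLE_LOG = """\
Feb 27 16:38:01 homebox sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Feb 27 16:38:03 homebox sshd[2103]: Failed password for root from 203.0.113.5 port 40118 ssh2
Feb 27 16:38:05 homebox sshd[2105]: Failed password for invalid user test from 203.0.113.5 port 40121 ssh2
Feb 27 16:38:06 homebox sshd[2107]: Failed password for invalid user oracle from 203.0.113.5 port 40127 ssh2
Feb 27 16:38:09 homebox sshd[2109]: Failed password for invalid user x from 10.0.0.1 from 203.0.113.5 port 40130 ssh2
Feb 27 16:41:10 homebox sshd[2140]: Failed password for alice from 198.51.100.7 port 51500 ssh2
Feb 27 16:41:19 homebox sshd[2140]: Accepted password for alice from 198.51.100.7 port 51500 ssh2
Feb 27 17:02:00 homebox sshd[2200]: Failed password for root from 192.0.2.44 port 33001 ssh2
Feb 27 17:02:04 homebox sshd[2202]: Failed password for root from 192.0.2.44 port 33003 ssh2
Feb 27 17:02:08 homebox sshd[2204]: Failed password for root from 192.0.2.44 port 33005 ssh2
Feb 27 17:02:12 homebox sshd[2206]: Failed password for root from 192.0.2.44 port 33007 ssh2
Feb 27 17:02:16 homebox sshd[2208]: Failed password for root from 192.0.2.44 port 33009 ssh2
Feb 27 17:02:20 homebox sshd[2210]: Accepted password for root from 192.0.2.44 port 33011 ssh2
Feb 27 17:05:00 homebox CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$")
# The user name is chosen by the remote side and may itself contain " from ",
# so match it greedily and take the address from the END of the message.
FAILED_RE = re.compile(
    r"^Failed password for (?:invalid user )?(?P<user>.*) from (?P<ip>\S+) port \d+ ssh2$")
ACCEPTED_RE = re.compile(
    r"^Accepted \S+ for (?P<user>.*) from (?P<ip>\S+) port \d+ ssh2$")


def parse_events(text, year):
    """Return (timestamp, kind, user, ip) tuples for sshd auth lines.

    Classic syslog timestamps carry no year, so the caller supplies one.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd line
        ts = " ".join(m.group("ts").split())  # "Feb  7" -> "Feb 7"
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        for kind, rx in (("failed", FAILED_RE), ("accepted", ACCEPTED_RE)):
            hit = rx.match(m.group("msg"))
            if hit:
                events.append((when, kind, hit.group("user"), hit.group("ip")))
                break
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag source addresses with >= threshold failures inside the window.

    A later successful login from a flagged address is recorded separately,
    because that is the case that needs immediate follow-up.
    """
    recent = defaultdict(deque)      # ip -> failure times inside the window
    users = defaultdict(set)         # ip -> account names tried
    report = {}
    for when, kind, user, ip in sorted(events, key=lambda e: e[0]):
        if kind == "failed":
            users[ip].add(user)
            q = recent[ip]
            q.append(when)
            while when - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                entry = report.setdefault(
                    ip, {"peak": 0, "users": users[ip], "success_after_burst": False})
                entry["peak"] = max(entry["peak"], len(q))
        elif ip in report:
            report[ip]["success_after_burst"] = True
    return report


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_events(SAMPLE_LOG, year=2011)).items():
        print(ip, info["peak"], sorted(info["users"]), info["success_after_burst"])
```

Note that the single mistyped password from 198.51.100.7 is not flagged, and the address embedded in the fifth line's user name is not mistaken for the source.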
By default instead of leaving it set OFF.
And yep, I know that the threat profile has changed, but come on. Why leave the system open to any other systems behind whatever other hardware firewall there is - if there is - services running or no?
He is lying, made up a big number to sound cool. Having worked in large environments with both platforms, the tools for managing large OSX deployments are as good or better than Windows and significantly less expensive.
(see below).
Interesting, because the market share of servers running that version of ftpd is significantly less than the desktop OSX market.
Weird. I believe it is impossible anyone took the time to exploit it.
You fail at statistics. Wow. I would dare say, Epic Fail.
Uh... you do realize that the only reason most known vulnerabilities for Mac OS X are "known" is because they are in Open Source bits, right? And that basically none of Windows is Open Source? This means that the number of known unpatched vulnerabilities in Windows should inherently be smaller, not because there are fewer unpatched vulnerabilities, but because its source code has not undergone the same level of external scrutiny.
Also, most of the things on your list are not vulnerabilities, and the few that were are almost all reports about Apple having fixed those vulnerabilities. The only one I saw that did not fall into that category was a DNS cache poisoning bug. Besides being difficult to exploit usefully, it applies to a DNS server daemon that doesn't even run in Mac OS X unless you explicitly enable the name server by editing config files (or in the GUI in Mac OS X Server).
Not all vulnerabilities are created equal. That's what makes comparisons of vulnerability counts useless. As long as Windows supports AutoRun in any form, it will continue to be so far behind Mac OS X that it isn't really even in the race just from that one fundamental design flaw alone.
Check out my sci-fi/humor trilogy at PatriotsBooks.
Why do you think compromising those web servers was so valuable to the cracker? Because it was the gateway to compromising a metric fuck tonne of home and business desktop PC systems, onto which keyloggers were installed, and from which data was harvested. To that end: the systems on the desktop which became parts of giant zombie PC fleets were not running Mac OS X, they were (and are) running Windows. Furthermore, within the context of the web server market, you seem to have failed to understand that platforms with tiny slivers of market share, dwarfed by Mac OS X installations, were routinely compromised. If your beloved "market share theory of OS security" were true, then crackers wouldn't bother with these tiny slivers, they would have been attacking Apache/UNIX, rather than the much smaller market share of IIS/Windows or the then-infinitesimal market share of the various BBS systems and database systems which were actually exploited, routinely. System architecture matters, and the system architecture of Mac OS X is holding up pretty well, by comparison in the real wild world of automated exploitation of computer systems.
If you mod me down, I shall become more powerful than you could possibly imagine.
One would think it was so obvious that it didn't merit mention, but apparently there are those who will argue against this obvious truth to their last breath.
If you mod me down, I shall become more powerful than you could possibly imagine.
Uh, where have you been? Have you seen the sea of Apple logos on the MacBook Pros cradled in the arms of developers at hacker development conference any time in oh, say, the past six or seven years? Do you actually *know* any software developers?
If you mod me down, I shall become more powerful than you could possibly imagine.
You're in some strange fantasy world. Corporations are often the target of attacks, but zombie fleets are not much comprised of T3 connected corporate desktop systems. The corporate systems get discovered and cleaned up routinely, so most zombie fleets consist mainly of home user systems. The bottleneck isn't the WiFi connection, it's the DSL or Cable Modem connection, which offers the zombie PC greater bandwidth to the internet than most corporate PCs have anyway. (Not every corporation resembles Google with respect to internet bandwidth to the desktop).
If you mod me down, I shall become more powerful than you could possibly imagine.
Well, my "stats" are not particularly controversial. Do your own homework, and prove me wrong, if you think I'm wrong.
If you mod me down, I shall become more powerful than you could possibly imagine.
"not because there are fewer unpatched vulnerabilities, but because its source code has not undergone the same level of external scrutiny." - by dgatwood (11270) on Monday February 28, @12:30PM (#35339432)
The RUSSIANS HAVE Windows NT-based OS source:
---
http://news.softpedia.com/news/Microsoft-Shares-the-Windows-7-RTM-Source-Code-with-Russia-146738.shtml
---
Thus, Windows HAS "undergone that same level of scrutiny", AND, from better than mere "security researchers" but instead, from "hacker/cracker" types themselves!
So... hate to "burst your bubble" on that note, but... there 'tis!
(And, where does a HUGE portion of malware come out of? The Communist block, inclusive of .ru, .su, & .cn domains as just SOME 'examples thereof'... I know this, 1st hand, from populating a custom HOSTS file vs. known malicious sites/servers/domains-hosts for 17++ yrs. now...)
---
"As long as Windows supports AutoRun in any form." - by dgatwood (11270) on Monday February 28, @12:30PM (#35339432)
This is & WAS very EASILY DISABLED, either via a powertoy from MS called "TweakUI", or via manual registry hacking... for a decade++ or more now in fact!
---
MS has issued patches for that too, as far back as Feb. 2009, AND also, so you know, recently, as well:
http://www.microsoft.com/technet/security/advisory/967940.mspx
---
( So, SO MUCH FOR THAT from you, eh? )
---
"it will continue to be so far behind Mac OS X that it isn't really even in the race just from that one fundamental design flaw alone.." - by dgatwood (11270) on Monday February 28, @12:30PM (#35339432)
Windows is "behind" alright... less known security vulnerabilities... so, I agree on THAT note, lol!
---
"This means that the number of known unpatched vulnerabilities in Windows should inherently be smaller" - by dgatwood (11270) on Monday February 28, @12:30PM (#35339432)
It is, and I put up data showing that VERY thing, no less, AND, from a reputable + respected source for said data, in SECUNIA.COM!
APK
P.S.=> There is only 1 place MacOS X is superior to Windows... GETTING ITS ASS KICKED:
Because:
---
1.) MacOS X certainly hasn't taken the "lion's share" (pun intended) of market here
2.) NOR is MacOS X giving a better showing than Windows on KNOWN security vulnerabilities unpatched either...
---
Period! apk
Well, I am a security professional. These guys make us look bad, and need to be challenged. Not to worry, though. Mac OS X has never been a stationary target. Its security architecture has continued to improve, and will continue to improve. And the Bad Guys (TM) already know the economics of the situation. They'll exploit Mac OS X at their earliest opportunity, and continue to look for ways to do so. Lying about it, or remaining silent when others lie, won't help that.
If you mod me down, I shall become more powerful than you could possibly imagine.
Here is information regarding the only threat of those 13 that is marked as a Virus
http://www.symantec.com/security_response/writeup.jsp?docid=2006-110217-1331-99/
OSX.Macarena
Risk Level 1: Very Low
Discovered: November 2, 2006
Updated: February 13, 2007 1:01:55 PM
Type: Virus
Systems Affected: Macintosh, Macintosh OS X
OSX.Macarena is a proof of concept virus that infects files in the current folder on the compromised computer.
Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Easy
Damage
Damage Level: Low
Distribution
Distribution Level: Low
No comments.
Apple diagnostic technicians should probably be called "Apple Veterinarians"... cat names and all that
Everytime APK posts I have a weird flashback to TimeCube.com
This must be what Acid flashbacks are like.
No, seriously. Windows more secure than OSX? Put up or shut up. Release some code or go home.
Non impediti ratione cogitationus.
Dispute my points then, big talker... I see that ALL you apparently have here, is some kind of ATTEMPT (puny one) @ ad hominem attacks on myself (thinking you're "clever" (lol, not)).
I.E./To wit:
"Everytime APK posts I have a weird flashback to TimeCube.com This must be what Acid flashbacks are like." - by RyuuzakiTetsuya (195424) on Monday February 28, @02:07PM (#35340338)
WoW... really "on topic" that one, eh? Not...
---
"No, seriously. Windows more secure than OSX? Put up or shut up. Release some code or go home." - by RyuuzakiTetsuya (195424) on Monday February 28, @02:07PM (#35340338)
Ok then, from my initial post, some words of others I am "putting up" to SHUT YOU UP, easily:
APK
P.S.=> Want more? See my 1st reply in this thread exchange, then... & GOOD LUCK disproving my points (as you can see, others have tried, + FAILED HUGE on their replies, point-by-point, already):
http://apple.slashdot.org/comments.pl?sid=2014606&cid=35339624
Ah, man... I just GOTTA say it, as-per-my-usual: "too, Too, TOO EASY... just '2EZ'", everytime..., lol!
However, what do I get in reply vs. solid verifiable facts I posted here in this exchange, in my 1st reply here:
http://apple.slashdot.org/comments.pl?sid=2014606&cid=35336798
Ad hominem attacks & off topic b.s. replies like this fool RyuuzakiTetsuya has done? LOL, please... apk
What's worse in your case is Apple markets their machines as being easy to use but, the fact is, you need to know a lot about UNIX before you can be relatively confident that you are safe. Incidentally, I got seriously into UNIX security about 8 years ago when I put a home server on the Internet, stupidly left an FTP service running, it got buffer overflowed and a script got installed on it to kick users from an IRC channel. I found out about it when my ISP disconnected my account due to complaints and it took me over two weeks of sending them logs and emailing them to get it reinstated. Suffice it to say, I've never been hacked since.
The moral of the story is "Don't get too complacent" and you'd be far better off reading a few books about UNIX security now rather than sitting there thinking it will never happen to you.
I know you love to act like you're all high and mighty and l33t, but all you are is an idiot blowhard who can't see the forest for the trees. OS X installs default to having zero services (FTP, SSH, whatever) enabled, and in my experience inexpert OS X users are unlikely to try to enable any. The pref pane isn't really obscure, but it is in a place where they tend not to look, in part because they aren't looking for it -- one truism about inexpert users is that they don't usually think in terms of setting up one computer as a server for another. No services equals no network vulnerability, short of finding remote exploit holes in the TCP/IP stack.
The one and only principle you MIGHT need to teach UNIX-naive OS X users is "don't turn anything in the Sharing section of System Preferences on if you don't know what you're doing". They do not need to be shell wizards before being confident that they're safe from the type of hacking you ranted about.
Irrelevant to my point, which was that the source is not out in the open and therefore the known vulnerabilities for that source are likewise not out in the open. Therefore, the odds of any single security bug in Mac OS X getting pointed out publicly are much greater than the odds for a similar bug in Windows simply because the disclosure is much more likely to occur in a public forum or through a publicly visible commit log.
The fact remains that you don't know how many internally known vulnerabilities there are in Windows because you don't have access to Microsoft's internal bug tracking system. Similarly, you don't know how many vulnerabilities there are in the closed source portions of Mac OS X, but you do know how many have been discovered in the open source portions because those bugs are reported out in the open.
Therefore, the fact that Mac OS X contains lots of open source means that you would expect the number of publicly known bugs to be much higher even if the total number of internally known bugs is comparable or lower. In effect, this means that the number of publicly known vulnerabilities is completely useless as a metric of software quality because it has no real relationship to the number of exploitable bugs.
More to the point, the crackers usually already know about the bugs whether they're discussed publicly (as with open source bugs and announcements by legitimate security researchers) or not. The disclosed vulnerabilities, therefore, are largely uninteresting. What matters is the total number of vulnerabilities known to the bad guys, which as I explained above, is not strongly correlated with the number of vulnerabilities known to the general public.
Read what the Microsoft bulletin said again. It says AutoRun is still in full force, but only for optical media. Although that does diminish the impact (by preventing people from unknowingly spreading malware by moving flash drives from machine to machine), the fundamental vulnerability is very much still present. Malware producers can still infect a CD manufacturing plant with malware and cause millions of discs from multiple manufacturers to infect Windows boxes on insertion. This is not a theoretical vulnerability, either; people have actually gotten infections from commercial software discs in the past. So they might have put a lock on the front door with that change, but they still left the window right next to it completely ajar with a footstool below it for your convenience.
Check out my sci-fi/humor trilogy at PatriotsBooks.
Here's another one for you, "hot off the presses" TODAY no less, below & beyond my init. post here's list":
---
Backdoor Trojan For Windows Ported To Mac OS:
http://apple.slashdot.org/story/11/02/28/1559229/Backdoor-Trojan-For-Windows-Ported-To-Mac-OS
---
By the by: I never ONCE said Windows was without bugs & unfixed security vulnerabilities either... so, trying to "put words in my mouth" I never said? Please - POOR tactic troll!
---
"Put up or shut up." - by RyuuzakiTetsuya (195424) on Monday February 28, @03:48PM (#35341138)
On bugs in MacOS X? I did, by the truckload:
http://apple.slashdot.org/comments.pl?sid=2014606&cid=35336798
AND I JUST GAVE YOU YET ANOTHER, right here, above... lol!
So... Put up WHAT?
Code I've done over the past 17++ yrs. here that did well in the eyes of respected others, since you are attempting to attack me on that basis (ad hominem on YOUR part, as usual)??
Sure - I can do that, you know (yes, YOU in particular, DEFINITELY know that)...
Question is, can you?? LOL, nope.
(Afaik? Well - You've NEVER been in written publication, much less for commercially sold & Ms-TechEd 2 yr. in a row FINALIST level work, as I have (amongst many others, & I suspect before YOU were EVEN BORN)).
AND ON MacOS X vulnerabilities I noted (as just examples thereof over time)?
Heh, you had BEST look at what the OP you quoted said... he even knew not all of them are fixed - I cited those, specifically, from SECUNIA!
There's MORE OF THEM UNPATCHED on MacOS X, than there are on Windows... period!
(So, sure, some of what I put up are fixed, I never said they were not... they were ONLY EXAMPLES to the effect that what Apple implied on TV)
E.G.-> "MacOS X is sure, PC's are not" etc./et al, is COMPLETE BULLSHIT! That list of errors alone, and the fact they even occurred, proves it...
---
"Exploit something or go back to writing shitty Delphi code that's worthy of thedailywtf.com." - by RyuuzakiTetsuya (195424) on Monday February 28, @03:48PM (#35341138)
My code's also NEVER been found to bear errors in it either, & it surely did well over time:
----
Windows NT Magazine (now Windows IT Pro) April 1997 "BACK OFFICE PERFORMANCE" issue, page 61
(&, for work done for EEC Systems/SuperSpeed.com on PAID CONTRACT (writing portions of their SuperCache program increasing its performance by up to 40% via my work) albeit, for their SuperDisk & HOW TO APPLY IT, took them to a finalist position @ MS Tech Ed, two years in a row 2000-2002, in its HARDEST CATEGORY: SQLServer Performance Enhancement).
WINDOWS MAGAZINE, 1997, "Top Freeware & Shareware of the Year" issue page 210, #1/first entry in fact (my work is there)
PC-WELT FEB 1998 - page 84, again, my work is featured there
WINDOWS MAGAZINE, WINTER 1998 - page 92, insert section, MUST HAVE WARES, my work is again, there
PC-WELT FEB 1999 - page 83, again, my work is featured there
CHIP Magazine 7/99 - page 100, my work is there
GERMAN PC BOOK, Data Becker publisher "PC Aufrusten und Repairen" 2000, where my work is contained in it
HOT SHAREWARE Numero 46 issue, pg. 54 (PC ware mag from Spain), 2001 my work is there, first one featured, yet again!
Also, a British PC Mag in 2002 for many utilities I wrote, saw it @ BORDERS BOOKS but didn't buy it... by that point, I had moved onto other areas in this field besides coding only...
Being paid for an article that made me money over @ PCPitstop in 2008 for writing up a guide that has people showing NO VIRUSES/SPYWARES
"Irrelevant to my point, which was that the source is not out in the open and therefore the known vulnerabilities for that source are likewise not out in the open." - by dgatwood (11270) on Monday February 28, @04:00PM (#35341250)
No, YOU said Windows source was closed... funny:
I showed you, with backing proof/documentation no less, that MS DOES LICENSE OUT THE SOURCE TO WINDOWS (and, ever since Windows 2000 onwards) so others can "pore over it"...
I used the russkies (blood line cousins of mine in fact, slavic descent here is why I note that)... they are NOTORIOUS for creating malware & online exploits...
(OR, does RBN not "ring a bell" to you?)
---
"Therefore, the odds of any single security bug in Mac OS X getting pointed out publicly are much greater than the odds for a similar bug in Windows simply because the disclosure is much more likely to occur in a public forum or through a publicly visible commit log.." - by dgatwood (11270) on Monday February 28, @04:00PM (#35341250)
WTF? Man - You must NOT "hang around" here very much... for nearly a DECADE here, most of what you saw was TOTAL "Anti-Microsoft/Anti-Windows" propaganda!
(For Pete's sake, look @ the "Bill Gates BORG" icon/avatar they use to mark posts here even!)
---
"The fact remains that you don't know how many internally known vulnerabilities there are in Windows because you don't have access to Microsoft's internal bug tracking system." - by dgatwood (11270) on Monday February 28, @04:00PM (#35341250)
You know, MAYBE I DO, or maybe I don't... how do you know I don't work for MS, for example?
(And, you don't, afaik @ least, have access to Apple's internal lists either so... your point? It's MOOT, and goes for you also...)
---
"Similarly, you don't know how many vulnerabilities there are in the closed source portions of Mac OS X." - by dgatwood (11270) on Monday February 28, @04:00PM (#35341250)
This? THIS MAKES ME LAUGH: What is MacOS X based on @ its core?? BSD!
(Where did Apple get THAT from? Hmmm?? At least MS didn't outright "rip" code from VMS, or OS/2, etc. as Apple did... sure, they hired on D. Cutler from VMS, but he didn't AND COULDN'T outright use VMS core/kernel code, not without opening up MS to a HUGE lawsuit I imagine!)
I don't think the same can be said for Apple... because they acknowledge that MacOS X is derived from BSD, and is in fact, a UNIX itself!
---
"but you do know how many have been discovered in the open source portions because those bugs are reported out in the open." - by dgatwood (11270) on Monday February 28, @04:00PM (#35341250)
Well, like you said of MS above, & Windows being "closed source" (even though it's LICENSED to others as I proved)? Goes for MacOS X then too!
I.E.-> You have NO WAY of knowing what's up in its closed portions too... unless YOU work for them!
---
"Therefore, the fact that Mac OS X contains lots of open source means that you would expect the number of publicly known bugs to be much higher even if the total number of internally known bugs is comparable or lower.." - by dgatwood (11270) on Monday February 28, @04:00PM (#35341250)
And, IT IS HIGHER! MacOS X does just plain have MORE UNPATCHED KNOWN SECURITY VULNERABILITIES, period...
(I showed you ALL that much from SECUNIA.COM in fact (along with the list I posted of other bugs in MacOS X over time too (some patched, some not))
The point was this:
To show that the MacOS X/Apple commercials on TV were COMPLETE BULLSHIT (as to "MacOS X is more secure" type crap!)
---
"In effect, this means that the number of publicly known vulnerabilities is completely useless as a metric of software quality because it has no real rela
darkComet's a payload, not a vulnerability.
Post an exploit or shut up. I'm seriously tired of your unhinged rants.
Non impediti ratione cogitationus.
1st - See subject-line above & "mince words" ALL YOU LIKE, doesn't change a thing about that new problem in MacOS X that JUST CAME OUT TODAY!
"darkComet's a payload, not a vulnerability." - by RyuuzakiTetsuya (195424) on Monday February 28, @05:14PM (#35342006)
Yes, "GEE, I GUESS THAT MAKES IT OK!" (not)... lmao!
(It's just out there "doing good" for MacOS X, eh?)
---
"Post an exploit or shut up.." - by RyuuzakiTetsuya (195424) on Monday February 28, @05:14PM (#35342006)
I just DID... & you're caught "flat-footed" by it, as it is BRAND NEW, lol, no less... & it certainly isn't doing MacOS X users a "favor", now is it?
Nope!
---
"I'm seriously tired of your unhinged rants." - by RyuuzakiTetsuya (195424) on Monday February 28, @05:14PM (#35342006)
No, what you're "tired of" is trying to "take me on" & failing, every time... lol!
HOWEVER - On the converse/flipside, here?
LMAO - I love tearing up you FUD spreading b.s. artists from the "Pro-*NIX" camp... as it's just "too, Too, TOO EASY - just '2EZ'" every time!
APK
P.S.=> Now, since you RAN from posting anything you've done of note in respected written publications in the arena of the computer sciences (because, you CAN'T, lol)?
Well, ok: Here are some unpatched KNOWN SECURITY VULNERABILITIES that ARE exploitable, AND UNPATCHED, and from a reputable source:
MacOS X UNPATCHED SECURITY VULNERABILITIES
http://secunia.com/advisories/product/96/?task=advisories
(That's MORE than Windows 7 has, mind you!)... apk
Look, I'm sorry, I'm a simple security consultant, a mere mortal, nothing more than that.
When I read phrases like "market share", my brain starts to hurt & braincells scream their last dying breaths... I'm *just* a bloke wot fixes stuff, nothing more.
Please, go now. Go find someone who lives on that higher plane of "tax dollars", "margins" and "pre-tax profits" because your words are now going fuzzy and are spinning around... I need to go lie down now...
Gentoo Linux - another day, another USE flag.
"Ask, & YE SHALL RECEIVE":
"Post an exploit or shut up." - by RyuuzakiTetsuya (195424) on Monday February 28, @05:14PM (#35342006)
Ok, & REMOTELY EXPLOITABLE too:
FROM -> http://secunia.com/advisories/38066/
---
PERTINENT QUOTE/EXCERPT:
Apple Mac OS X "strtod()" Floating Point Parsing Memory Corruption
Unpatched. Secunia Advisory 12 of 12 in 2010. 2,181 views.
Release Date: 2010-01-12
Secunia Advisory ID: SA38066
Solution Status: Unpatched
Criticality: System access
Impact: DoS
Where: From remote
Short Description:
A vulnerability has been discovered in Mac OS X, which can be exploited by malicious people to potentially compromise a vulnerable system. [Read More]
---
Oh man, I just GOTTA do it:
ROTFLMAO!
---
"I'm seriously tired of your unhinged rants." - by RyuuzakiTetsuya (195424) on Monday February 28, @05:14PM (#35342006)
LMAO - apparently not, because I have kicked your ASS, yet again... & I answer all questions put to me, with proofs (just like you asked for above, lol, much to your OWN dismay, as per your usual)...
APK
P.S.=> Want more of them? Ok, see here (as to MacOS X being "more secure than Windows7"):
http://secunia.com/advisories/38066/
That shows the rest of the UNPATCHED VULNERABILITIES on MacOS X... & new NEWS/NewsFlash:
IT'S MORE THAN WINDOWS 7 HAS, period... apk
NOTE: Currently, there is no application known that can be used as attack vector.
...and?
What's the point of an exploit if there's no attack vector?
Non impediti ratione cogitationus.
"What's the point of an exploit if there's no attack vector?" - by RyuuzakiTetsuya (195424) on Monday February 28, @05:42PM (#35342298)
First of all, the exploit IS remote, and they (like anyone else) CANNOT be sure that by now, there isn't such a programmed exploit (or, what you're calling a vector).
HOW CAN I SAY THAT? LOOK AT THE DATE OF IT = 1/12/2010 -> MORE THAN 1 YEAR OLD NO LESS!
(Plenty of time for it to have been used/abused, and you have to remember 1 thing: Not every malware-maker/hacker-cracker (whatever) gives away the fact they have a working exploit in code... that'd be DUMB from THEIR PERSPECTIVE, in fact!)
Yes - It's remotely exploitable, AND VERY old, and still unpatched...
A REMOTE EXPLOIT no less (dumb move by Apple imo - even MS usually IMMEDIATELY chases the remotely exploitable ones, right away, MOST times!)
APK
P.S.=> My point here, was simple: TO SHOW THAT ALL THE B.S. FROM THE MacOS X Commercials by Apple on T.V. was JUST THAT - PURE BullShit!
After all - Windows 7 has less unpatched bugs going on in its codebase, than does MacOS X!
Quite a LOT more in fact... lol, and IT SURE GOT A "RISE" OUT OF YOU, now, didn't it? Never let them see you "sweat", & you ought to try that sometime... apk
It is closed source. The fact that source code has been shown to specific third parties under nondisclosure does nothing to change that fact. I'd be surprised if any closed source piece of software exists that has not at some point been similarly made available to at least one third party under NDA. That's not the same thing as Open Source, in which the source code is out there with public change logs and bug tracking such that almost every single security bug is disclosed to the entire world the moment it is discovered.
Which are completely beyond the average Windows user. As far as I'm concerned, an OS is only as secure as it is in the default configuration. If, as installed, an OS has a hole so big you can drive a truck through it, the fact that they provide mortar and a bunch of bricks so that you can patch the hole yourself doesn't really change anything. By that standard, a ten-year-old Linux distro has no security holes because you can recompile BIND, Apache, OpenSSL, etc. yourself. It's a ludicrous argument.
Most of the wannabes do, sure. They rely on people not patching their machines for long periods of time. The people who created those exploits in the first place, however, don't generally sit around trolling the list of patched vulnerabilities. By the time there's a patch out there, the bulk of the potential targets are going to be protected before they can roll an attack, leaving only a small percentage of stragglers. For maximum impact, the serious hackers are exploiting zero-day holes.
My thoughts are that the facts you give do not prove what you think they do.
Also, the articles you are pointing to this time are pretty much harping about ASLR differences. While ASLR is nice and all, that's only one very small aspect of total OS security, and one that is no more or less important than sandboxing, privilege separation, etc. No OS is the best at every aspect of security.
These links are basically tantamount to saying that a Ferrari is better than a Porsche because the cupholders are nicer. While one or the other might be better, it should be obvious to anyone with a modicum of common sense that using one minor feature as the sole basis for comparison is sheer foolishness.
Check out my sci-fi/humor trilogy at PatriotsBooks.
Not that I care what some bloke I've never met on the other side of a computer screen somewhere in another part of the world thinks of me but here's a quick story.
I work in system security for a telecoms company, have done for 5 years now & spent about 20 years in tech support in telecoms & UNIX, also done more than my fair share of sysadmin work. (Yes, I'm *that* old.)
Yep, I used to think I was a pretty "l33t" guy, then my home Linux server got hacked about 8 years ago because I stupidly left an FTP daemon running. Several scripts were dumped on my machine that kept kicking people off of a few IRC channels, someone complained to my ISP and my connection got severed by them. After two weeks of emailing them and sending them logs, they accepted it wasn't me and reinstated my connection - being hacked is quite a humbling experience.
Since that time, I read up a lot on OS security, tried a lot of stuff myself and now I work as a security consultant for a telecoms company - it's interesting, it pays well, I'm happy.
I do a lot of auditing and hardening of customer servers, I see (and fix) a lot of security holes put on systems by people who were well intentioned but didn't fully understand what they were doing - passwordless accounts, unpatched daemons running, scripts doing some pretty scary things on systems. Not one of my customers is confident enough in their management abilities of those servers to trust them to be exactly the same as when they were delivered in shrinkwrapped boxes, so they get me to come in and close down any holes.
So if you choose to ignore my advice, that's your call, it makes no difference to me. But rest assured that one of the worst things you can do is not double check your systems on a regular basis and become too self-assured about your own security.
Gentoo Linux - another day, another USE flag.
Just answer that... in regards to BOTH MacOS X &/or Windows 7, and KNOWN security vulnerabilities!
APK
P.S.=> Now, onto the rest of the points in your post:
"As far as I'm concerned, an OS is only as secure as it is in the default configuration." - by dgatwood (11270) on Monday February 28, @06:03PM (#35342468)
You're going to be "upset" w/ yourself here, possibly: MacOS X is FAR from as "secure as it can be", because IF YOU SEARCH THE APPLE WEBSITE? You'll find guides for securing it, & FAR BETTER THAN IT IS OUT OF THE BOX!
---
"Also, the articles you are pointing to this time are pretty much harping about ASLR differences. While ASLR is nice and all, that's only one very small aspect of total OS security" - by dgatwood (11270) on Monday February 28, @06:03PM (#35342468)
Correct me IF I am wrong here, but... MacOS X doesn't implement ASLR, does it? Not afaik/iirc... only DEP (or, is it the other way around? Doesn't matter - I know it lacks one of them)
Ahem - MOST importantly, THIS NOTE though?
This merely illustrates an INFERIORITY IN SECURITY IN MacOS X vs. Windows 7, since Win7 uses BOTH DEP &/or ASLR!
---
"Which are completely beyond the average Windows user." - by dgatwood (11270) on Monday February 28, @06:03PM (#35342468)
Oh man... COME ON: I thought YOU were better than THAT!
TweakUI is beyond MOST USERS? Please... that's like saying any GUI is "beyond most users", because the MS PowerToy, TweakUI, is a GUI Win32 usermode app!
(There are, also & I omitted this earlier, iirc, options in either gpedit.msc OR secpol.msc MS mgt. console snap-ins also that are GUI easy to use too!)
So, you're NOT just "stuck" with .reg hacks (those are easy too, once they're in notepad, for use/reuse).
---
"I'd be surprised if any closed source piece of software exists that has not at some point been similarly made available to at least one third party under NDA." - by dgatwood (11270) on Monday February 28, @06:03PM (#35342468)
Yes, quite right & I HAVE BEEN THERE MYSELF with commercially sold ware I myself contributed code to - I had to submit a sourcecode list for attorneys (of ALL people, no less)...
---
"Most of the wannabes do, sure." - by dgatwood (11270) on Monday February 28, @06:03PM (#35342468)
Thanks for at least conceding that point of mine thus far... apk
You fail at statistics. Wow. I would dare say, Epic Fail.
What? You can't understand that OSX has had more TOTAL vulnerabilities than Windows7, a higher percentage of which were serious vulnerabilities? Sure you can interpret the other way and look at the rate at which they were found, but that's a different argument.
What? You can't understand that OSX has had more TOTAL vulnerabilities than Windows7,
What? You can't understand that "OS X" corresponds not to "Windows 7", but to the entire Windows NT series, and that the equivalent of "Windows 7" would be something like "OS X Snow Leopard"? And that the only reason that, 2003-2008, Windows 7 had zero vulnerabilities was that, 2003-2008, Windows 7 didn't, err, umm, exist as a product, as it was released to manufacturing in the middle of 2009? (BTW, is it just me, or is "windowsteamblog.com" continuing in the grand tradition of "expertsexchange.com"? Why is steam condensed on your window worthy of an entire blog? :-))
Unfortunately, Secunia neither offers a page for the Windows NT family as a whole, nor for individual releases of Mac OS X (although they do offer pages for individual releases of iOS!), so there's no way to compare, for example, Windows 7 and OS X Snow Leopard, but if, for example, we compare Windows 7 and OS X statistics in 2010 (that being the only year in which both Windows 7 and OS X Snow Leopard were available for the entire year), we have 47 advisories for Windows 7, 20 of which are critical, and 6 of which, 4 non-critical, are unpatched, and 12 vulnerabilities for Snow Leopard, 8 of which are critical, and 2 of which, both non-critical, are unpatched. Statistics for 2009, where they were both available for approximately the same amount of time, and for 2011, where they are available for exactly the same amount of time, are left as an exercise for the reader.
Then again, if Windows 7 in its entirety has more lines of code than Snow Leopard in its entirety, that might just be a case of "the same number of vulnerabilities per line of code, or fewer vulnerabilities per line of code, but they have more lines of code", so it's not clear that, even once you compare particular OS versions, rather than comparing a particular version of one OS to all versions of another OS, you necessarily have an easy way for fanboys or foeboys of one particular OS to validly beat up another OS or defend a particular OS.
Nobody said it was. It does not, however, to my knowledge, ship with things turned on that are more insecure than an emo kid.
In principle, no. In practice, the average computer user has never heard of AutoRun, much less TweakUI. That's why the default state must have at least a certain minimum level of security or you're screwed.
I don't think you realize just how little the average computer user knows about how computers work. A sizable percentage of Windows users don't know how to install software at all, relying only on the software that came preinstalled from Best Buy. Thus, even the act of downloading and installing TweakUI is beyond them....
So yeah. It's way beyond a significant percentage of Windows users. Way, way beyond.
Check out my sci-fi/humor trilogy at PatriotsBooks.
This is straight from Apple - I think you'll be surprised how much MORE you can security-harden a MacOS X setup:
"Nobody said it was. It does not, however, to my knowledge, ship with things turned on that are more insecure than an emo kid." - by dgatwood (11270) on Tuesday March 01, @01:40PM (#35349650)
---
APPLE SECURITY GUIDES FOR MacOS X:
http://www.apple.com/support/security/guides/
---
APK
P.S.=> I still think you underestimate people who own & use computers though... TweakUI is very simple to use, a "point-N-click" GUI affair! apk
UNIX "presents" applications to the network ("daemons") that have been started from their own shell and if you manage to crash those daemons, then you can force the system to drop to a shell prompt.
Err, umm, what? At least one UNIX has its daemons started directly by a system daemon, without an intervening shell. Even in UN*Xes that launch daemons from rc files, the shell running the rc file doesn't hang around forever.
If that daemon was running with root permissions, then it will drop to a root shell prompt and you then have unrestricted access to the system to do what you like - this type of attack is known as a "buffer overflow attack" because its purpose is to crash the daemon by sending either too much data for it to process or badly constructed data.
No, buffer overflow attacks aren't intended to crash the daemon so you get to type at the (either non-existent or, if there are any cases where it exists, non-interactive) shell that started the daemon, buffer overflow attacks are typically intended to get the daemon to run code you stuffed into the buffer in question.
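The correction in the reply above (an overflow is aimed at the daemon's own control data, not at crashing it to a shell), as an added example that is not part of the original thread: a constructed C model in which an unchecked copy of an over-long field silently replaces an adjacent handler pointer, next to the bounds-checked form that rejects the input. The `struct request` layout and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a daemon's per-request state: a fixed-size input
 * buffer with control data (a handler pointer) stored right after it. */
typedef int (*handler_fn)(void);

struct request {
    char name[16];
    handler_fn handler;
};

int normal_handler(void) { return 0; }

void request_init(struct request *req)
{
    memset(req, 0, sizeof *req);
    req->handler = normal_handler;
}

/* Flawed pattern: the length comes from the peer and is never compared with
 * sizeof req->name, so the write starts at name (offset 0 of the record) and
 * runs on into handler. The clamp to the whole record exists only to keep
 * this demo well-defined; a real unchecked copy has no such limit. */
void parse_name_unchecked(struct request *req, const unsigned char *data, size_t len)
{
    if (len > sizeof *req)
        len = sizeof *req;
    memcpy((unsigned char *)req, data, len);
}

/* Hardened pattern: reject anything that does not fit (leaving room for the
 * terminating NUL) before a single byte is written. */
int parse_name_checked(struct request *req, const unsigned char *data, size_t len)
{
    if (len >= sizeof req->name)
        return -1;
    memcpy(req->name, data, len);
    req->name[len] = '\0';
    return 0;
}

/* Compare the stored pointer bytes with the expected handler. */
int handler_intact(const struct request *req)
{
    handler_fn expected = normal_handler;
    return memcmp(&req->handler, &expected, sizeof expected) == 0;
}

/* Runs one parser over a constructed over-long input (all 'A' bytes) and
 * returns 1 if the handler pointer survived, 0 if it was replaced. */
int handler_survives(int use_checked)
{
    struct request req;
    unsigned char oversized[sizeof(struct request)];
    memset(oversized, 'A', sizeof oversized);
    request_init(&req);
    if (use_checked)
        (void)parse_name_checked(&req, oversized, sizeof oversized);
    else
        parse_name_unchecked(&req, oversized, sizeof oversized);
    return handler_intact(&req);
}

int main(void)
{
    printf("unchecked copy: handler intact = %d\n", handler_survives(0));
    printf("checked copy:   handler intact = %d\n", handler_survives(1));
    return 0;
}
```

Nothing crashes in the unchecked case: the process keeps running with a handler pointer made of sender-supplied bytes, which is why the length check, not crash handling, is the fix.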
Safari/MacBook First To Fall At Pwn2Own 2011:
http://apple.slashdot.org/story/11/03/10/0319224/SafariMacBook-First-To-Fall-At-Pwn2Own-2011
(LMAO!)
APK
P.S.=> Now, couple that with the fact that MacOS X has had a REMOTE EXPLOIT http://apple.slashdot.org/comments.pl?sid=2014606&cid=35342402 , & one that's been open to attack for more than 1 year now? Please... apk
Safari/MacBook First To Fall At Pwn2Own 2011:
http://apple.slashdot.org/story/11/03/10/0319224/SafariMacBook-First-To-Fall-At-Pwn2Own-2011
(LMAO!!!)
APK
P.S.=> Now, couple that with the fact that MacOS X has had a REMOTE EXPLOIT http://apple.slashdot.org/comments.pl?sid=2014606&cid=35342402 , & one that's been open to attack for more than 1 year now? Please... apk