Apple Asks Security Experts To Examine OS X Lion
An anonymous reader writes "For as much as Mac OS X has a reputation for being safer than Windows, security researchers won't hesitate to point out that the opposite is, in fact, true. But Apple's looking to change that. This past Thursday, Apple doled out a beta of OS X Lion to developers. In conjunction with that, Apple is also reaching out to noted security experts and offering them free previews of OS X 10.7 so that they can take a look at Apple's new security measures and reach back to Apple with any thoughts and concerns they might have. Indeed, Apple is becoming a lot more security conscious these days, not only in terms of reaching out to security researchers but also in its personnel hires."
as much as Mac OS X has a reputation for being safer than Windows, security researchers won't hesitate to point out that the opposite is, in fact, true.
I'm sorry, what? Windows is "safer" than OS X? "In fact"?
They sure have increased their emphasis on security, now that they are in a position where insecurity might allow their customers to treat the devices that they own as such...
"For as much as Mac OS X has a reputation for being safer than Windows, security researchers won't hesitate to point out that the opposite is, in fact, true. "
Say, what? Is this FUD? No, seriously. I am unaware of *any* study that makes a compelling case for OS X being more insecure than Windows. Care to back up that assertion? Link?
Visit Jonesblog and say hello.
I'm certain they have their own internal security experts, but if they were going to reach out to outside experts, they should have done it a lot sooner.
"For as much as Mac OS X has a reputation for being safer than Windows, security researchers won't hesitate to point out that the opposite is, in fact, true."
Have any quotes or links to back that up, Mr. Submitter?
This space left intentionally blank.
So they're asking for free work? I mean, it's not like we as a community (or security experts as a community) can take advantage of the knowledge put into these fixes. Not to mention that security consultants' time is expensive.
Posted by Anonymous. Not the 133+ haxors, but rather Steve Ballmer.
Say hello to my little sig.
How about paying reputable security researchers (or testers) to evaluate the software?
The problem is that security experts like to point out potential things that bad people could do, instead of actual bad things that bad people are doing. OS X is still one of the least attacked platforms out there, and most of the exploits that security researchers talk about finding are the sort that aren't going to be exploited by the people doing the exploiting. For example a LOT of the exploits that they talk about are for if you actually have physical access to the computer. Well I'm sorry to tell you, if you have physical access to the computer you're already boned!
wow a Free OS! That will get lots of time and interest from highly paid security experts...
If they were actually interested in improving security they would put their money where their mouth is and start a bug bounty.
"security researchers won't hesitate to point out that the opposite is, in fact, true"
Without a citation or naming said researchers, I assume that anonymous/samzenpus pulled this out of their ass.
This link avoids the FUD at edibleapple, http://news.cnet.com/8301-1009_3-20036218-83.html
(too lazy to login)
I wonder what Steve will be thinking, cooped up in his emerald coffin six feet under. Something like, HA! And they said I couldn't take it with me! HA! HA! HA!
Yeah !!
Click Here to Install Silverlight!
...when /. wasn't completely over-run with nauseating Apple fanbois.
Someone doesn't want to wait until the next Pwn2Own?
They should take a hint from Ubuntu. Their names always raise some complaint, but they are funny, intriguing and more importantly they sound like new stuff. Cat ++; is meh.
It took them 8 months to fix a 10.6 simple kernel privilege escalation exploit I submitted to their security team last year.
It's x86-specific; otherwise, I would've sent it to the iPhone jailbreak hackers instead of Apple.
"Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
lemmy guess: HBGary? Tanja Nijmeijer must be using Macs
IIRC, this is the version in which they will no longer deliver a Java VM. This alone will drop the vulnerability and patch count significantly. Can anyone with the preview confirm that it is/is not included?
Life isn't pwn2own. Now that Mac has finally joined Ubuntu in having a built-in app store, distrust of web-based software downloads should become intense enough to nearly eliminate malware. Whenever I'm presented with a person that says "go download this," my response is "when will this be in the Software Center." It's not a question, it's a statement. If it's not in Apple's, Google's, or Canonical's app store, there's a reason for that, and I'm not downloading it until I know what that reason is.
It is disappointing to see the comments thus far have not bothered to mention what potential security improvements are likely to be in the final version of Lion and how effective they might be. So far the ones I've heard mentioned include:
I'm sure in more security oriented forums there will be some good analysis of these new features, how well implemented they are, and how effective they are likely to be. The Mac App Store offers some potential security improvements by standardizing application updates and pushing them out more quickly and widely and hopefully encouraging developers to make more use of security frameworks already present. Personally, I think the sandboxing combined with the Mac App Store could be a huge boon to security if Apple can get enough developers on board, but I'm not sure if Apple will go that route. Hopefully feedback from experts will help push them in that direction.
The summary is fucking awful in a long line of terrible abstracts which link to terrible articles and paraphrase things which aren't usually in the original article.
How much did edibleapple.com pay for this, incidentally? I note that this website had only 4 adverts on the linked page - amazing, well done! Usually I have to search for the 15 words of content within the advert.
Enough is enough, slashdot is not fucking AOL!
Maybe we'd get better service from AOL. When's the buyout?
Here's the facts:
Microsoft Windows
1) People go and find exploits and write viruses/malware etc.
2) Microsoft patches and fixes these exploits.
3) Windows becomes more secure. Repeat step 1-3.
Apple OS X
1) People don't really bother to find exploits or write viruses/malware for OS X, because more people use PCs than Macs.
2) Vulnerabilities and exploits remain un-patched.
3) Apple gloats that OS X is more secure than Windows.
Look at the development tools. On Windows, you have Visual Studio which makes writing exploits rather easy. It can show you a memory dump of any address, help you debug programs with a very easy UI, and Microsoft is kind enough to provide Detours to let you hook functions in system libraries.
On the Mac? Honestly, you have to admit that Xcode and other development tools are much less robust than Microsoft's. You'd have to work a lot harder to create malware.
There's no -1 for "I don't get it."
Here's the only metric that really counts in my book.
If you've ever done desktop support for your friends and family, count up the times you've had to go in and clean up a rooted, malware-laden mess on Windows, either by running a full, time-consuming, malware scan and removal, or just doing a reformat and reinstall. Now do the same thing for your OS X user friends. Adjust for market share and compare the numbers.
Yeah, brb, going over to friend's house for free beer after I fix his Windows infection.
Nothing to do with wanting to improve "security." They want to improve "security" like they have on the iOS platform. I'm scared for my OS X :(
I haven't seen any comments referring to the new RAT for Mac nor have I even seen mention of it on Slashdot.
I tried getting some once. My Mac wouldn't let me. :/
Already found about 30 security related bugs. I don't care if you are Microsoft, Linux or Mac, when you release a Beta, there will be problems found.
Apple's problem in corporate environments is their complete and utter lack of understanding and support of a real enterprise. They want to play make believe at enterprise support but they don't take it seriously. It is a disaster and only getting worse. We've been looking at integrating Macs in to a lab (and we are going to) but will need 3rd party software to make it work well.
Some big noteworthy things they've done recently are discontinue servers and screw over virtualization. So you can't buy a blade server, the most popular kind of server, for Macs anymore. You can buy a Mac mini, an overpriced tiny little desktop thing ($1000 for a Core 2 Duo server box) and use that, or you can buy a Mac Pro tower. That's it. No rack servers. Ya that is real enterprise support.
In terms of virtualization VMWare fully supports OS-X server, client tools and all... However Apple won't license it to run on anything but Mac hardware. So if you want Mac VM servers you have to buy a Mac Pro tower and find a place to put that, then get VMWare Fusion on it, which is a desktop solution, not a server one, then virtualize OS-X server on that. That Big rack of high availability, bare-metal ESXi servers that you run Windows, Linux, etc on? Nope, fuck you can't run OS-X on it because Apple says so.
Apple will never get big in corporate environments until they get real with enterprise support. Not half assed solutions, real support.
Better than merely reducing the attack surface of the platform by not including Java, Apple has also begun working with Oracle/Sun and contributed to OpenJDK. This should provide more timely updates to folk using Java on Mac OS X.
If you mod me down, I shall become more powerful than you could possibly imagine.
Not specifically security related but does anyone have any idea what version of rsync has shown up in the beta? The version that ships with 10.6 is rather outdated so it'd be great if this (pretty important) tool were brought in line with where rsync is now.
No matter how many times you repeat that claim, it's still unsupported by the evidence. Mac OS (7/8/9) had a much smaller market share than Mac OS X has today, and a dramatically smaller user base, and yet there were many viruses, aheh, "available" for it, whereas there are none on Mac OS X. Furthermore, it's widely known that Apple takes the lion's share of profits in the PC industry, despite selling far fewer systems. It does this by selling systems at the top end of the market, which it dominates (something like 90% of all laptops for which people are willing to pay more than $1000 are Apple computers). Obviously those people would be a rather more lucrative pool of victims, yet they remain almost entirely unexploited. There are other reasons, but those are sufficient to shatter your claim.
If you mod me down, I shall become more powerful than you could possibly imagine.
Roughly 10% of the total PC market is Apple. Apple has roughly 0% (zero percent) of the enterprise PC market, which is roughly half of the overall PC market (the number of installed systems is smaller than the consumer market, but consumers tend to refresh less often). So, Apple apparently has about 20% of the consumer market these days.
There are automated, automatically propagating exploits for obscure BBS systems, for IIS back when it was a tiny sliver of the web server market, for data base systems installed on a tiny fraction of web servers, in numbers utterly dwarfed by the installations of a single model of MacBook Pro.
What's it gonna take for y'all to give up on the "market share" ghost?
If you mod me down, I shall become more powerful than you could possibly imagine.
they better get the security experts at HBGary on this shit pronto!
Dear Slashdot,
I don't want to veer off-topic, but this redesign is a mess. Comments have the score randomly disappear from them (the only "fix" is to find the problematic parent and expand it), and every few times I load a hidden comment, my entire browser content area turns gray.
I'm not complaining about the look, although for what it's worth I did like the old one better. I'm complaining about the fact that I literally cannot use the new layout because it is broken on a relatively popular browser (Firefox 3.6 on OS X).
We can haz fix?
R.Mo
True.
IIS and SQL Server injections were on the rise when Solaris was still king of the internet server market a decade ago. Windows Server back then was not the dominant player yet had most of the backdoors. The reason Windows has more viruses and trojans is due to activeX and shoddy design for IE and Windows. Not because it was the dominant client operating system.
I would mod you up if I had points. I have been refuting this until I am blue in the face.
It has nothing to do with popularity. Fact is in 1999 all you had to do was write a few lines of code in C++ to delete a partition and put it in an ocx container for activeX and voila! Anyone visiting your site lost their hard drive! Yes security was that bad in the 1990s with Windows.
http://saveie6.com/
Is the speed at which an OS gets compromised a viable metric for its security? I mean, imagine (I'm talking hypothetically here) MacOS had 1 open bug that allows someone to compromise the system in 10 min, and Windows had 15 open holes, each of which would require 1 day to circumvent. Which OS is more secure? If you ask me, I'd say Windows because right now the MAC OS would be a better target. But that can change overnight if Apple released a patch. Quite often people also say that Mac OS is not targeted because of their market share. That IS a security advantage, even if it was given to them for free. For the average Joe, measuring security in a product should boil down to how likely is that his machine gets compromised, with all factors involved, including likelihood that someone cares. I think my Mint box is much more secure than my Windows box. Not because Mint is free of holes, but because no one really cares to hack me. And to me, at the end of the day that's all that matters.
I wonder if Apple will be asking HBGary to have a look at the security
"I've been hearing "The only reason every Mac isn't infested with malware is that they're not a big enough chunk of the market for it to be worth the effort." for so many years the effect has worn off. Year after year - You know, it really gets old hearing that excuse. If that really is the case, I hope it continues." - by Cheech Wizard (698728) on Sunday February 27, @04:38PM (#35333006) Homepage
Ok then, explain this: Do pickpockets operate on "crowds of 1" only, vs. massive crowds of potential possible victims in crowded city streets, train or bus stations, or malls?
ANSWER = No, they do NOT!
Pickpockets (and yes, online criminals too) go where their efforts expended to "do the job" are most effective for the BEST "ROI" (return-on-investment), from a single method of attack (codebase in malware)!
(And, just like pickpockets? THAT is done by going where the MOST POSSIBLE VICTIMS (users) ARE... & currently (and for decades now), that is on Windows).
You think share of market doesn't matter?
Today's ( & this past decade's), online criminal is NO DIFFERENT than the street pickpocket... and they are BOTH AFTER YOUR MONIES!
Thus - It makes sense for them to attempt to attack Windows on that very same basis (as it IS "where the crowds are").
NOW, ONTO ACTUAL STATISTICS/FACTS & FIGURES of UNPATCHED KNOWN SECURITY VULNERABILITIES: (MacOS X vs. Windows 7)
---
Vulnerability Report - Microsoft Windows 7:
http://secunia.com/advisories/product/27467/
Unpatched = 6 of 57 Secunia advisories
---
vs.
---
Vulnerability Report - Apple Macintosh OS X:
http://secunia.com/advisories/product/96/?task=advisories
Unpatched 9 of 150 Secunia advisories
---
NOT ONLY HAS THE CURRENT MacOS X BUILD SHOWN MORE OVERALL SECURITY ADVISORIES THAN DOES WINDOWS 7, BUT, IT ALSO HAS MORE KNOWN OUTSTANDING UNPATCHED KNOWN SECURITY VULNERABILITIES THAN DOES Windows 7... period!
(So, "argue with the numbers"... & good luck!)
Lastly - I hope one of you tries the "local/local network" vs. "remote" tactic "spin-CON-troll" too, because I'll use what I used on the Linux crew a few days back in regards to THAT little "trick" too, due to how malwares today are being constructed... & they are NOT "your dad's oldsmobile" anymore...
APK
P.S.=> Here's a list of problems MacOS X has had in its tenure, for those of you that are interested, that I've been compiling for a few years now - So, "chew on these" (35 of them, or thereabouts...):
---
MacOS X - A Worm for Your Apple MacOSX:
http://www.beskerming.com/commentary/2007/07/18/222/A_Worm_for_Your_Apple
---
MacOS X - Another Mac Trojan/Fake Codec - Security Watch:
http://blogs.pcmag.com/securitywatch/2007/11/another_mac_trojanfake_codec.php
---
Apple's FaceTime for Mac debuts with security holes:
http://www.theregister.co.uk/2010/10/21/apple_facetime_security_hole/
---
Apple Patches OS X Flaws:
http://www.eweek.com/c/a/Apple/Apple-Patches-OS-X-Flaws/
---
Apple patches QuickTime to root out 15 ugly vulns:
http://www.theregister.co.uk/2010/12/09/apple_patches_quicktime_again/
---
Apple's Snow Leopard Is Less Secure Than Windows, But Safer:
Every single year, OSX loses the Pwn2Own competition first. Windows and Linux always go down on the same day.
Perhaps because everyone wants the Mac and focuses the most intensely? Desirability in a hacking contest with local network access != real world security exposure.
In my decade+ IT career, I've never seen a Mac rooted or infected with a virus beyond an Office macro. Curious, no?
Also curious that I've seen Linux boxes routinely rooted (usually by IRC-bot-seeking scriptkiddies) and Windows machines infected with spyware at an average of around 1 a week out of a population of about 75-100.
Please help metamoderate.
By default instead of leaving it set OFF.
And yep, I know that the threat profile has changed, but come on. Why leave the system open to any other systems behind whatever other hardware firewall there is - if there is - services running or no?
Uh... you do realize that the only reason most known vulnerabilities for Mac OS X are "known" is because they are in Open Source bits, right? And that basically none of Windows is Open Source? This means that the number of known unpatched vulnerabilities in Windows should inherently be smaller, not because there are fewer unpatched vulnerabilities, but because its source code has not undergone the same level of external scrutiny.
Also, most of the things on your list are not vulnerabilities, and the few that were are almost all reports about Apple having fixed those vulnerabilities. The only one I saw that did not fall into that category was a DNS cache poisoning bug. Besides being difficult to exploit usefully, it applies to a DNS server daemon that doesn't even run in Mac OS X unless you explicitly enable the name server by editing config files (or in the GUI in Mac OS X Server).
Not all vulnerabilities are created equal. That's what makes comparisons of vulnerability counts useless. As long as Windows supports AutoRun in any form, it will continue to be so far behind Mac OS X that it isn't really even in the race just from that one fundamental design flaw alone.
Check out my sci-fi/humor trilogy at PatriotsBooks.
Why do you think compromising those web servers was so valuable to the cracker? Because it was the gateway to compromising a metric fuck tonne of home and business desktop PC systems, onto which keyloggers were installed, and from which data was harvested. To that end: the systems on the desktop which became parts of giant zombie PC fleets were not running Mac OS X, they were (and are) running Windows. Furthermore, within the context of the web server market, you seem to have failed to understand that platforms with tiny slivers of market share, dwarfed by Mac OS X installations, were routinely compromised. If your beloved "market share theory of OS security" were true, then crackers wouldn't bother with these tiny slivers, they would have been attacking Apache/UNIX, rather than the much smaller market share of IIS/Windows or the then-infinitesimal market share of the various BBS systems and database systems which were actually exploited, routinely. System architecture matters, and the system architecture of Mac OS X is holding up pretty well, by comparison in the real wild world of automated exploitation of computer systems.
If you mod me down, I shall become more powerful than you could possibly imagine.
One would think it was so obvious that it didn't merit mention, but apparently there are those who will argue against this obvious truth to their last breath.
If you mod me down, I shall become more powerful than you could possibly imagine.
Uh, where have you been? Have you seen the sea of Apple logos on the MacBook Pros cradled in the arms of developers at hacker development conference any time in oh, say, the past six or seven years? Do you actually *know* any software developers?
If you mod me down, I shall become more powerful than you could possibly imagine.
You're in some strange fantasy world. Corporations are often the target of attacks, but zombie fleets are not much comprised of T3 connected corporate desktop systems. The corporate systems get discovered and cleaned up routinely, so most zombie fleets consist mainly of home user systems. The bottleneck isn't the WiFi connection, it's the DSL or Cable Modem connection, which offers the zombie PC greater bandwidth to the internet than most corporate PCs have anyway. (Not every corporation resembles Google with respect to internet bandwidth to the desktop).
If you mod me down, I shall become more powerful than you could possibly imagine.
Well, my "stats" are not particularly controversial. Do your own homework, and prove me wrong, if you think I'm wrong.
If you mod me down, I shall become more powerful than you could possibly imagine.
"not because there are fewer unpatched vulnerabilities, but because its source code has not undergone the same level of external scrutiny." - by dgatwood (11270) on Monday February 28, @12:30PM (#35339432)
The RUSSIANS HAVE Windows NT-based OS source:
---
http://news.softpedia.com/news/Microsoft-Shares-the-Windows-7-RTM-Source-Code-with-Russia-146738.shtml
---
Thus, Windows HAS "undergone that same level of scrutiny", AND, from better than mere "security researchers" but instead, from "hacker/cracker" types themselves!
So... hate to "burst your bubble" on that note, but... there 'tis!
(And, where does a HUGE portion of malware come out of? The Communist block, inclusive of .ru, .su, & .cn domains as just SOME 'examples thereof'... I know this, 1st hand, from populating a custom HOSTS file vs. known malicious sites/servers/domains-hosts for 17++ yrs. now...)
---
"As long as Windows supports AutoRun in any form." - by dgatwood (11270) on Monday February 28, @12:30PM (#35339432)
This is & WAS very EASILY DISABLED, either via a powertoy from MS called "TweakUI", or via manual registry hacking... for a decade++ or more now in fact!
---
MS has issued patches for that too, as far back as Feb. 2009, AND also, so you know, recently, as well:
http://www.microsoft.com/technet/security/advisory/967940.mspx
---
( So, SO MUCH FOR THAT from you, eh? )
---
"it will continue to be so far behind Mac OS X that it isn't really even in the race just from that one fundamental design flaw alone.." - by dgatwood (11270) on Monday February 28, @12:30PM (#35339432)
Windows is "behind" alright... less known security vulnerabilities... so, I agree on THAT note, lol!
---
"This means that the number of known unpatched vulnerabilities in Windows should inherently be smaller" - by dgatwood (11270) on Monday February 28, @12:30PM (#35339432)
It is, and I put up data showing that VERY thing, no less, AND, from a reputable + respected source for said data, in SECUNIA.COM!
APK
P.S.=> There is only 1 place MacOS X is superior to Windows... GETTING ITS ASS KICKED:
Because:
---
1.) MacOS X certainly hasn't taken the "lion's share" (pun intended) of market here
2.) NOR is MacOS X giving a better showing than Windows on KNOWN security vulnerabilities unpatched either...
---
Period! apk
Well, I am a security professional. These guys make us look bad, and need to be challenged. Not to worry, though. Mac OS X has never been a stationary target. Its security architecture has continued to improve, and will continue to improve. And the Bad Guys (TM) already know the economics of the situation. They'll exploit Mac OS X at their earliest opportunity, and continue to look for ways to do so. Lying about it, or remaining silent when others lie, won't help that.
If you mod me down, I shall become more powerful than you could possibly imagine.
Here is information regarding the only threat of those 13 that is marked as a Virus
http://www.symantec.com/security_response/writeup.jsp?docid=2006-110217-1331-99/
OSX.Macarena
Risk Level 1: Very Low
Discovered: November 2, 2006
Updated: February 13, 2007 1:01:55 PM
Type: Virus
Systems Affected: Macintosh, Macintosh OS X
OSX.Macarena is a proof of concept virus that infects files in the current folder on the compromised computer.
Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Easy
Damage
Damage Level: Low
Distribution
Distribution Level: Low
No comments.
Apple diagnostic technicians should probably be called "Apple Veterinarians"... cat names and all that
Everytime APK posts I have a weird flashback to TimeCube.com
This must be what Acid flashbacks are like.
No, seriously. Windows more secure than OSX? Put up or shut up. Release some code or go home.
Non impediti ratione cogitationus.
Dispute my points then, big talker... I see that ALL you apparently have here, is some kind of ATTEMPT (puny one) @ ad hominem attacks on myself (thinking you're "clever" (lol, not)).
I.E./To wit:
"Everytime APK posts I have a weird flashback to TimeCube.com This must be what Acid flashbacks are like." - by RyuuzakiTetsuya (195424) on Monday February 28, @02:07PM (#35340338)
WoW... really "on topic" that one, eh? Not...
---
"No, seriously. Windows more secure than OSX? Put up or shut up. Release some code or go home." - by RyuuzakiTetsuya (195424) on Monday February 28, @02:07PM (#35340338)
Ok then, from my initial post, some words of others I am "putting up" to SHUT YOU UP, easily:
APK
P.S.=> Want more? See my 1st reply in this thread exchange, then... & GOOD LUCK disproving my points (as you can see, others have tried, + FAILED HUGE on their replies, point-by-point, already):
http://apple.slashdot.org/comments.pl?sid=2014606&cid=35339624
Ah, man... I just GOTTA say it, as-per-my-usual: "too, Too, TOO EASY... just '2EZ'", everytime..., lol!
However, what do I get in reply vs. solid verifiable facts I posted here in this exchange, in my 1st reply here:
http://apple.slashdot.org/comments.pl?sid=2014606&cid=35336798
Ad hominem attacks & off topic b.s. replies like this fool RyuuzakiTetsuya has done? LOL, please... apk
Irrelevant to my point, which was that the source is not out in the open and therefore the known vulnerabilities for that source are likewise not out in the open. Therefore, the odds of any single security bug in Mac OS X getting pointed out publicly are much greater than the odds for a similar bug in Windows simply because the disclosure is much more likely to occur in a public forum or through a publicly visible commit log.
The fact remains that you don't know how many internally known vulnerabilities there are in Windows because you don't have access to Microsoft's internal bug tracking system. Similarly, you don't know how many vulnerabilities there are in the closed source portions of Mac OS X, but you do know how many have been discovered in the open source portions because those bugs are reported out in the open.
Therefore, the fact that Mac OS X contains lots of open source means that you would expect the number of publicly known bugs to be much higher even if the total number of internally known bugs is comparable or lower. In effect, this means that the number of publicly known vulnerabilities is completely useless as a metric of software quality because it has no real relationship to the number of exploitable bugs.
More to the point, the crackers usually already know about the bugs whether they're discussed publicly (as with open source bugs and announcements by legitimate security researchers) or not. The disclosed vulnerabilities, therefore, are largely uninteresting. What matters is the total number of vulnerabilities known to the bad guys, which as I explained above, is not strongly correlated with the number of vulnerabilities known to the general public.
Read what the Microsoft bulletin said again. It says AutoRun is still in full force, but only for optical media. Although that does diminish the impact (by preventing people from unknowingly spreading malware by moving flash drives from machine to machine), the fundamental vulnerability is very much still present. Malware producers can still infect a CD manufacturing plant with malware and cause millions of discs from multiple manufacturers to infect Windows boxes on insertion. This is not a theoretical vulnerability, either; people have actually gotten infections from commercial software discs in the past. So they might have put a lock on the front door with that change, but they still left the window right next to it completely ajar with a footstool below it for your convenience.
Check out my sci-fi/humor trilogy at PatriotsBooks.
Here's another one for you, "hot off the presses" TODAY no less, below & beyond my init. post here's list":
---
Backdoor Trojan For Windows Ported To Mac OS:
http://apple.slashdot.org/story/11/02/28/1559229/Backdoor-Trojan-For-Windows-Ported-To-Mac-OS
---
By the by: I never ONCE said Windows was without bugs & unfixed security vulnerabilities either... so, trying to "put words in my mouth" I never said? Please - POOR tactic troll!
---
"Put up or shut up." - by RyuuzakiTetsuya (195424) on Monday February 28, @03:48PM (#35341138)
On bugs in MacOS X? I did, by the truckload:
http://apple.slashdot.org/comments.pl?sid=2014606&cid=35336798
AND I JUST GAVE YOU YET ANOTHER, right here, above... lol!
So... Put up WHAT?
Code I've done over the past 17++ yrs. here that did well in the eyes of respected others, since you are attempting to attack me on that basis (ad hominem on YOUR part, as usual)??
Sure - I can do that, you know (yes, YOU in particular, DEFINITELY know that)...
Question is, can you?? LOL, nope.
(Afaik? Well - You've NEVER been in written publication, much less for commercially sold & Ms-TechEd 2 yr. in a row FINALIST level work, as I have (amongst many others, & I suspect before YOU were EVEN BORN)).
AND ON MacOS X vulnerabilities I noted (as just examples thereof over time)?
Heh, you had BEST look at what the OP you quoted said... he even knew not all of them are fixed - I cited those, specifically, from SECUNIA!
There's MORE OF THEM UNPATCHED on MacOS X, than there are on Windows... period!
(So, sure, some of what I put up are fixed, I never said they were not... they were ONLY EXAMPLES to the effect that what Apple implied on TV)
E.G.-> "MacOS X is sure, PC's are not" etc./et al, is COMPLETE BULLSHIT! That list of errors alone, and the fact they even occurred, proves it...
---
"Exploit something or go back to writing shitty Delphi code that's worthy of thedailywtf.com." - by RyuuzakiTetsuya (195424) on Monday February 28, @03:48PM (#35341138)
My code's also NEVER been found to bear errors in it either, & it surely did well over time:
----
Windows NT Magazine (now Windows IT Pro) April 1997 "BACK OFFICE PERFORMANCE" issue, page 61
(&, for work done for EEC Systems/SuperSpeed.com on PAID CONTRACT (writing portions of their SuperCache program increasing its performance by up to 40% via my work) albeit, for their SuperDisk & HOW TO APPLY IT, took them to a finalist position @ MS Tech Ed, two years in a row 2000-2002, in its HARDEST CATEGORY: SQLServer Performance Enhancement).
WINDOWS MAGAZINE, 1997, "Top Freeware & Shareware of the Year" issue page 210, #1/first entry in fact (my work is there)
PC-WELT FEB 1998 - page 84, again, my work is featured there
WINDOWS MAGAZINE, WINTER 1998 - page 92, insert section, MUST HAVE WARES, my work is again, there
PC-WELT FEB 1999 - page 83, again, my work is featured there
CHIP Magazine 7/99 - page 100, my work is there
GERMAN PC BOOK, Data Becker publisher "PC Aufrusten und Repairen" 2000, where my work is contained in it
HOT SHAREWARE Numero 46 issue, pg. 54 (PC ware mag from Spain), 2001 my work is there, first one featured, yet again!
Also, a British PC Mag in 2002 for many utilities I wrote, saw it @ BORDERS BOOKS but didn't buy it... by that point, I had moved onto other areas in this field besides coding only...
Being paid for an article that made me money over @ PCPitstop in 2008 for writing up a guide that has people showing NO VIRUSES/SPYWARES
"Irrelevant to my point, which was that the source is not out in the open and therefore the known vulnerabilities for that source are likewise not out in the open." - by dgatwood (11270) on Monday February 28, @04:00PM (#35341250)
No, YOU said Windows source was closed... funny:
I showed you, with backing proof/documentation no less, that MS DOES LICENSE OUT THE SOURCE TO WINDOWS (and, ever since Windows 2000 onwards) so others can "pore over it"...
I used the russkies (blood line cousins of mine in fact, slavic descent here is why I note that)... they are NOTORIOUS for creating malware & online exploits...
(OR, does RBN not "ring a bell" to you?)
---
"Therefore, the odds of any single security bug in Mac OS X getting pointed out publicly are much greater than the odds for a similar bug in Windows simply because the disclosure is much more likely to occur in a public forum or through a publicly visible commit log.." - by dgatwood (11270) on Monday February 28, @04:00PM (#35341250)
WTF? Man - You must NOT "hang around" here very much... for nearly a DECADE here, most of what you saw was TOTAL "Anti-Microsoft/Anti-Windows" propaganda!
(For Pete's sake, look @ the "Bill Gates BORG" icon/avatar they use to mark posts here even!)
---
"The fact remains that you don't know how many internally known vulnerabilities there are in Windows because you don't have access to Microsoft's internal bug tracking system." - by dgatwood (11270) on Monday February 28, @04:00PM (#35341250)
You know, MAYBE I DO, or maybe I don't... how do you know I don't work for MS, for example?
(And, you don't, afaik @ least, have access to Apple's internal lists either so... your point? It's MOOT, and goes for you also...)
---
"Similarly, you don't know how many vulnerabilities there are in the closed source portions of Mac OS X." - by dgatwood (11270) on Monday February 28, @04:00PM (#35341250)
This? THIS MAKES ME LAUGH: What is MacOS X based on @ its core?? BSD!
(Where did Apple get THAT from? Hmmm?? At least MS didn't outright "rip" code from VMS, or OS/2, etc. as Apple did... sure, they hired on D. Cutler from VMS, but he didn't AND COULDN'T outright use VMS core/kernel code, not without opening up MS to a HUGE lawsuit I imagine!)
I don't think the same can be said for Apple... because they acknowledge that MacOS X is derived from BSD, and is in fact, a UNIX itself!
---
"but you do know how many have been discovered in the open source portions because those bugs are reported out in the open." - by dgatwood (11270) on Monday February 28, @04:00PM (#35341250)
Well, like you said of MS above, & Windows being "closed source" (even though it's LICENSED to others as I proved)? Goes for MacOS X then too!
I.E.-> You have NO WAY of knowing what's up in its closed portions too... unless YOU work for them!
---
"Therefore, the fact that Mac OS X contains lots of open source means that you would expect the number of publicly known bugs to be much higher even if the total number of internally known bugs is comparable or lower.." - by dgatwood (11270) on Monday February 28, @04:00PM (#35341250)
And, IT IS HIGHER! MacOS X does just plain have MORE UNPATCHED KNOWN SECURITY VULNERABILITIES, period...
(I showed you ALL that much from SECUNIA.COM in fact (along with the list I posted of other bugs in MacOS X over time too (some patched, some not)))
The point was this:
To show that the MacOS X/Apple commercials on TV were COMPLETE BULLSHIT (as to "MacOS X is more secure" type crap!)
---
"In effect, this means that the number of publicly known vulnerabilities is completely useless as a metric of software quality because it has no real rela
darkComet's a payload, not a vulnerability.
Post an exploit or shut up. I'm seriously tired of your unhinged rants.
Non impediti ratione cogitationus.
1st - See subject-line above & "mince words" ALL YOU LIKE, doesn't change a thing about that new problem in MacOS X that JUST CAME OUT TODAY!
"darkComet's a payload, not a vulnerability." - by RyuuzakiTetsuya (195424) on Monday February 28, @05:14PM (#35342006)
Yes, "GEE, I GUESS THAT MAKES IT OK!" (not)... lmao!
(It's just out there "doing good" for MacOS X, eh?)
---
"Post an exploit or shut up.." - by RyuuzakiTetsuya (195424) on Monday February 28, @05:14PM (#35342006)
I just DID... & you're caught "flat-footed" by it, as it is BRAND NEW, lol, no less... & it certainly isn't doing MacOS X users a "favor", now is it?
Nope!
---
"I'm seriously tired of your unhinged rants." - by RyuuzakiTetsuya (195424) on Monday February 28, @05:14PM (#35342006)
No, what you're "tired of" is trying to "take me on" & failing, every time... lol!
HOWEVER - On the converse/flipside, here?
LMAO - I love tearing up you FUD spreading b.s. artists from the "Pro-*NIX" camp... as it's just "too, Too, TOO EASY - just '2EZ'" every time!
APK
P.S.=> Now, since you RAN from posting anything you've done of note in respected written publications in the arena of the computer sciences (because, you CAN'T, lol)?
Well, ok: Here are some unpatched KNOWN SECURITY VULNERABILITIES that ARE exploitable, AND UNPATCHED, and from a reputable source:
MacOS X UNPATCHED SECURITY VULNERABILITIES
http://secunia.com/advisories/product/96/?task=advisories
(That's MORE than Windows 7 has, mind you!)... apk
"Ask, & YE SHALL RECEIVE":
"Post an exploit or shut up." - by RyuuzakiTetsuya (195424) on Monday February 28, @05:14PM (#35342006)
Ok, & REMOTELY EXPLOITABLE too:
FROM -> http://secunia.com/advisories/38066/
---
PERTINENT QUOTE/EXCERPT:
Apple Mac OS X "strtod()" Floating Point Parsing Memory Corruption
Unpatched. Secunia Advisory 12 of 12 in 2010. 2,181 views.
Release Date: 2010-01-12
Secunia Advisory ID: SA38066
Solution Status: Unpatched
Criticality: System access
Impact: DoS
Where: From remote
Short Description:
A vulnerability has been discovered in Mac OS X, which can be exploited by malicious people to potentially compromise a vulnerable system.
---
Oh man, I just GOTTA do it:
ROTFLMAO!
---
" I'm seriously tired of your unhinged rants." - by RyuuzakiTetsuya (195424) on Monday February 28, @05:14PM (#35342006)
LMAO - apparently not, because I have kicked your ASS, yet again... & I answer all questions put to me, with proofs (just like you asked for above, lol, much to your OWN dismay, as per your usual)...
APK
P.S.=> Want more of them? Ok, see here (as to MacOS X being "more secure than Windows7"):
http://secunia.com/advisories/38066/
That shows the rest of the UNPATCHED VULNERABILITIES on MacOS X... & new NEWS/NewsFlash:
IT'S MORE THAN WINDOWS 7 HAS, period... apk
NOTE: Currently, there is no application known that can be used as attack vector.
...and?
What's the point of an exploit if there's no attack vector?
Non impediti ratione cogitationus.
"What's the point of an exploit if there's no attack vector?" - by RyuuzakiTetsuya (195424) on Monday February 28, @05:42PM (#35342298)
First of all, the exploit IS remote, and they (like anyone else) CANNOT be sure that by now, there isn't such a programmed exploit (or, what you're calling a vector).
HOW CAN I SAY THAT? LOOK AT THE DATE OF IT = 1/12/2010 -> MORE THAN 1 YEAR OLD NO LESS!
(Plenty of time for it to have been used/abused, and you have to remember 1 thing: Not every malware-maker/hacker-cracker (whatever) gives away the fact they have a working exploit in code... that'd be DUMB from THEIR PERSPECTIVE, in fact!)
Yes - It's remotely exploitable, AND VERY old, and still unpatched...
A REMOTE EXPLOIT no less (dumb move by Apple imo - even MS usually IMMEDIATELY chases the remotely exploitable ones, right away, MOST times!)
APK
P.S.=> My point here, was simple: TO SHOW THAT ALL THE B.S. FROM THE MacOS X Commercials by Apple on T.V. was JUST THAT - PURE BullShit!
After all - Windows 7 has less unpatched bugs going on in its codebase, than does MacOS X!
Quite a LOT more in fact... lol, and IT SURE GOT A "RISE" OUT OF YOU, now, didn't it? Never let them see you "sweat", & you ought to try that sometime... apk
It is closed source. The fact that source code has been shown to specific third parties under nondisclosure does nothing to change that fact. I'd be surprised if any closed source piece of software exists that has not at some point been similarly made available to at least one third party under NDA. That's not the same thing as Open Source, in which the source code is out there with public change logs and bug tracking such that almost every single security bug is disclosed to the entire world the moment it is discovered.
Which are completely beyond the average Windows user. As far as I'm concerned, an OS is only as secure as it is in the default configuration. If, as installed, an OS has a hole so big you can drive a truck through it, the fact that they provide mortar and a bunch of bricks so that you can patch the hole yourself doesn't really change anything. By that standard, a ten-year-old Linux distro has no security holes because you can recompile BIND, Apache, OpenSSL, etc. yourself. It's a ludicrous argument.
Most of the wannabes do, sure. They rely on people not patching their machines for long periods of time. The people who created those exploits in the first place, however, don't generally sit around trolling the list of patched vulnerabilities. By the time there's a patch out there, the bulk of the potential targets are going to be protected before they can roll an attack, leaving only a small percentage of stragglers. For maximum impact, the serious hackers are exploiting zero-day holes.
My thoughts are that the facts you give do not prove what you think they do.
Also, the articles you are pointing to this time are pretty much harping about ASLR differences. While ASLR is nice and all, that's only one very small aspect of total OS security, and one that is no more or less important than sandboxing, privilege separation, etc. No OS is the best at every aspect of security.
These links are basically tantamount to saying that a Ferrari is better than a Porsche because the cupholders are nicer. While one or the other might be better, it should be obvious to anyone with a modicum of common sense that using one minor feature as the sole basis for comparison is sheer foolishness.
Check out my sci-fi/humor trilogy at PatriotsBooks.
Just answer that... in regards to BOTH MacOS X &/or Windows 7, and KNOWN security vulnerabilities!
APK
P.S.=> Now, onto the rest of the points in your post:
"As far as I'm concerned, an OS is only as secure as it is in the default configuration." - by dgatwood (11270) on Monday February 28, @06:03PM (#35342468)
You're going to be "upset" w/ yourself here, possibly: MacOS X is FAR from as "secure as it can be", because IF YOU SEARCH THE APPLE WEBSITE? You'll find guides for securing it, & FAR BETTER THAN IT IS OUT OF THE BOX!
---
"Also, the articles you are pointing to this time are pretty much harping about ASLR differences. While ASLR is nice and all, that's only one very small aspect of total OS security" - by dgatwood (11270) on Monday February 28, @06:03PM (#35342468)
Correct me IF I am wrong here, but... MacOS X doesn't implement ASLR, does it? Not afaik/iirc... only DEP (or, is it the other way around? Doesn't matter - I know it lacks one of them)
Ahem - MOST importantly, THIS NOTE though?
This merely illustrates an INFERIORITY IN SECURITY IN MacOS X vs. Windows 7, since Win7 uses BOTH DEP &/or ASLR!
---
"Which are completely beyond the average Windows user." - by dgatwood (11270) on Monday February 28, @06:03PM (#35342468)
Oh man... COME ON: I thought YOU were better than THAT!
TweakUI is beyond MOST USERS? Please... that's like saying any GUI is "beyond most users", because the MS PowerToy, TweakUI, is a GUI Win32 usermode app!
(There are, also & I omitted this earlier, iirc, options in either gpedit.msc OR secpol.msc MS mgt. console snap-ins also that are GUI easy to use too!)
So, you're NOT just "stuck" with .reg hacks (those are easy too, once they're in notepad, for use/reuse).
---
"I'd be surprised if any closed source piece of software exists that has not at some point been similarly made available to at least one third party under NDA." - by dgatwood (11270) on Monday February 28, @06:03PM (#35342468)
Yes, quite right & I HAVE BEEN THERE MYSELF with commercially sold ware I myself contributed code to - I had to submit a sourcecode list for attorneys (of ALL people, no less)...
---
"Most of the wannabes do, sure." - by dgatwood (11270) on Monday February 28, @06:03PM (#35342468)
Thanks for at least conceding that point of mine thus far... apk
Nobody said it was. It does not, however, to my knowledge, ship with things turned on that are more insecure than an emo kid.
In principle, no. In practice, the average computer user has never heard of AutoRun, much less TweakUI. That's why the default state must have at least a certain minimum level of security or you're screwed.
I don't think you realize just how little the average computer user knows about how computers work. A sizable percentage of Windows users don't know how to install software at all, relying only on the software that came preinstalled from Best Buy. Thus, even the act of downloading and installing TweakUI is beyond them....
So yeah. It's way beyond a significant percentage of Windows users. Way, way beyond.
Check out my sci-fi/humor trilogy at PatriotsBooks.
This is straight from Apple - I think you'll be surprised how much MORE you can security-harden a MacOS X setup:
"Nobody said it was. It does not, however, to my knowledge, ship with things turned on that are more insecure than an emo kid." - by dgatwood (11270) on Tuesday March 01, @01:40PM (#35349650)
---
APPLE SECURITY GUIDES FOR MacOS X:
http://www.apple.com/support/security/guides/
---
APK
P.S.=> I still think you underestimate people who own & use computers though... TweakUI is very simple to use, a "point-N-click" GUI affair! apk
Safari/MacBook First To Fall At Pwn2Own 2011:
http://apple.slashdot.org/story/11/03/10/0319224/SafariMacBook-First-To-Fall-At-Pwn2Own-2011
(LMAO!)
APK
P.S.=> Now, couple that with the fact that MacOS X has had a REMOTE EXPLOIT http://apple.slashdot.org/comments.pl?sid=2014606&cid=35342402 , & one that's been open to attack for more than 1 year now? Please... apk