Apple Asks Security Experts To Examine OS X Lion
An anonymous reader writes "For as much as Mac OS X has a reputation for being safer than Windows, security researchers won't hesitate to point out that the opposite is, in fact, true. But Apple's looking to change that. This past Thursday, Apple doled out a beta of OS X Lion to developers. In conjunction with that, Apple is also reaching out to noted security experts and offering them free previews of OS X 10.7 so that they can take a look at Apple's new security measures and reach back to Apple with any thoughts and concerns they might have. Indeed, Apple is becoming a lot more security conscious these days, not only in terms of reaching out to security researchers but also in its personnel hires."
as much as Mac OS X has a reputation for being safer than Windows, security researchers won't hesitate to point out that the opposite is, in fact, true.
I'm sorry, what? Windows is "safer" than OS X? "In fact"?
I'm certain they have their own internal security experts, but if they were going to reach out to outside experts, they should have done it a lot sooner.
How about paying reputable security researchers (or testers) to evaluate the software?
http://en.wikipedia.org/wiki/Pwn2Own
Pwn2Own contests regularly have Safari/Mac software as a valid winning target.
Is it good data? Maybe not. But the point is that Macs aren't targeted much because the Windows desktop share is much larger (some figures say 90%). So while they can get viruses, it's not a valuable target for botnets.
Still waiting for the first Mac OS X virus in the wild...
http://www.symantec.com/security_response/threatexplorer/azlisting.jsp?azid=O
OSX.* near the bottom of the list. There's 13 on that list.
wow a Free OS! That will get lots of time and interest from highly paid security experts...
If they were actually interested in improving security they would put their money where their mouth is and start a bug bounty.
"For as much as Mac OS X has a reputation for being safer than Windows, security researchers won't hesitate to point out that the opposite is, in fact, true. "
"Security researchers won't hesitate to point out the opposite is, in fact, true when paid to do so."
There, fixed it for ya.
Say hello to my little sig.
Windows is really easy to lock down and control from a central location in a corporate environment.
I can't even imagine what deploying and maintaining 1000+ macs would be like.
Rod Taylor
Apple has been insisting for years that OSX has zero viruses. Users start to think they're invincible and run any downloaded binaries without a second thought.
Apple is also releasing security updates (but less frequently than Microsoft). In addition, since Apple products "just work", sometimes they have to reduce security in order to make the product easier to use.
No, it isn't FUD; do some research online. Just about every hacking contest sees OS X go down in a ball of flames in minutes. Just about every patch cycle from Apple sees more security vulnerability patches than are found in all MS products combined in a year. Many security researchers have been pointing out Apple's lax security practices for a long time; it seems they might finally be getting the message now that their share of the pie is significant enough to warrant it being an issue.
Click Here to Install Silverlight!
Work in a place with 1500+ Macs and it's hell
Question is... are there any restrictions on what the "security experts" can report? Is this a way to legally limit what they are allowed to say... in exchange for preview copies they sign a nondisclosure agreement to only report the issues to Apple? It seems that if Apple was really serious about security they would allow the experts (and others) to have access to the source code.
It's not bad actually... You need a MacMini server x2 to replicate each other, and push out the managed settings. You can authenticate machines via AD/OD/OpenLDAP. You can host the home folders off any NFS/AFP server. Netboot, netrestore etc. make deploying easy. I'm looking after 150 Macs at the moment, as well as a host of PCs, and I don't have many issues. It's just me.
Have any quotes or links to back that up, Mr. Submitter?
Why would the submitter need to provide those? It's not his claim, it's a direct quote from the article itself.
And yes, among security researchers the general consensus indeed does seem to be that OSX is quite poor from a security standpoint, and I applaud Apple on their efforts in trying to beef it up. It's hard to point one to some direct quotes on this as it's mostly just a comment here or there, but here are at least two links:
http://www.techrepublic.com/blog/security/security-vs-popularity/4403
http://pcworld.about.com/od/securit1/The-Truth-About-Apple-Securit.htm
Someone doesn't want to wait until the next Pwn2Own?
And there's one actual virus on that list ... which, if you read the description, you'll see is a proof of concept. Wow, OS X is just as insecure as Windows!
GMAFB. You can talk about pwn2own all you want, but in the real world, no rational person doubts that OS X users are much, much safer from malware of all kinds than Windows users are. The market share argument doesn't hold water either, because in the "Classic" Mac OS days, there were in fact large numbers of genuinely dangerous Mac viruses in the wild -- not as many as PC (Windows and DOS) viruses to be sure, but a hell of a lot of them, as opposed to the effectively zero there are now. The millions of installed OS X machines running with default out-of-the-box setups would be a juicy target for malware authors, precisely because of the casual attitude most OS X users take toward security. If you're going to come up with a reason why this hasn't happened yet, other than just admitting OS X is inherently more secure than Windows, you're going to have to do better than a link to a Symantec list or a contest that represents security threats very different from those most users of all OSs face in everyday use.
The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
There are no viruses in the wild for OS X. There are, however, Trojans in the wild. Not the same thing. However Apple users by and large are quite arrogant and care-free about the security of their OS, and IMO are just asking for it. BTW, you can easily run OS X in a non-admin account without issue, which is more than can be said for Windows 7, which is irritating as all hell unless you run as an admin. At least OS X has that going for it.
Still waiting for the first Mac OS X virus in the wild...
McAfee lists 48 known "viruses" for OSX. Most appear to be Trojans giving remote access or subverting DNS. I perused a few of the McAfee descriptions, and it was not immediately clear whether these infections would be self-propagating (as one would ordinarily expect of viruses). Just like other *nix threats, they require the user to actively run the infecting program and enter a privilege-escalating password.
While not a Mac user or fan (Linux user, mostly), I am also mystified by the characterization of OSX as being less secure than Windows. Even turning to social engineering as a security hole, it's not certain that Mac users would be easier to suborn than Windows users.
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
According to this link, Pwn2Own was about cracking browsers, not operating systems. Seems to me that there is a difference.
If I used a sig over again, would anyone notice?
They should take a hint from Ubuntu. Their names always raise some complaint, but they are funny, intriguing and more importantly they sound like new stuff. Cat ++; is meh.
It took them 8 months to fix a 10.6 simple kernel privilege escalation exploit I submitted to their security team last year.
It's x86-specific; otherwise, I would've sent it to the iPhone jailbreak hackers instead of Apple.
"Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
I should have said "will be." It's going to be March 9 through 11.
If I used a sig over again, would anyone notice?
Work in a place with 1500+ Macs and it's hell
Work in a place with 1500+ Mac users and it's hell. There, fixed that for you.
A great deal of these 'vulnerabilities' in OS X are from open source software projects which release the advisories.
I guess you haven't seen any security updates from Ubuntu/Redhat or any other UNIX before, have you?
When you release a UNIX distro with a ton of software using many different packages, frameworks and programmers with varying levels of appetite for security completeness, you are going to run into a myriad of issues.
MS also have their issues, but you can't compare apples with oranges.
However Apple users by and large are quite arrogant and care-free about the security of their OS, and IMO are just asking for it.
That's an odd take.
Anyway, as things stand right now, being "care-free" about viruses/malware is warranted. Once some actual outbreak occurs, or malware becomes more than a handful of trojans on pirated copies of Photoshop and iWork, the care-free days are over. But until then, what's wrong with accepting reality as it is as opposed to worrying about what might someday come to pass (but for over a decade now, hasn't)?
GMAFB.
Is it good data? Maybe not.
Meaning I'm implying it's data, but probably only that. I said no such thing as MACS ARE SECURE HURR.
I actually don't care about this topic, AC asked for data.
And if I really want to, I can spin it the other way with Windows XP:
http://blogs.chron.com/techblog/archives/2008/07/average_time_to_infection_4_minutes_1.html
Which means that there are viruses that scan the internet for open security holes regularly at random IP addresses to infect other machines.
OH NO XP IS INSECURE, WE SHOULD ABANDON IT!
No, not really, it just means you should keep it patched, and not use EOLed OSes. If you are unlucky enough to have an XP without any SP for whatever reason, you should not connect it to the internet, and patch it offline.
So what is my point? The internet is dangerous where known and unknown threats can be found, but there are simple steps for each OS (car analogy: wear seatbelts) to help keep you safe, such as regular patching.
Just because it's not widespread doesn't mean it doesn't exist. I don't see the harm in exercising a little caution and common sense when downloading and installing apps, even on OS X.
IIRC, this is the version in which they will no longer deliver a Java VM. This alone will drop the vulnerability and patch count significantly. Can anyone with the preview confirm that it is/is not included?
There are very few true viruses in the wild at all these days. The great majority are actually trojans or worms.
The statistics bear this out. 2003-2011, Mac OSX had 2.6x as many vulnerabilities as Windows 7. Plus a higher percentage were serious vulnerabilities.
http://secunia.com/advisories/product/27467/?task=statistics
http://secunia.com/advisories/product/96/?task=statistics
And there's one actual virus on that list ... which, if you read the description, you'll see is a proof of concept. Wow, OS X is just as insecure as Windows!
Alcatraz has had a number of jailbreaks. My grandmother's white fence has had 0 jailbreaks. My grandmother's fence is more secure than Alcatraz!
Just because few people take advantage of such a system doesn't mean anything. Mac has a tendency to pull out a large patch every few months or so - that's insecurity at its finest. Obviously if they had larger market share in this day and age, there'd be more viruses.
Have any quotes or links to back that up, Mr. Submitter?
Is it just me, or do a lot of the Mac fan-boys not know how to use Google before they open their mouth and insert their foot?
http://www.tomshardware.com/news/pc-windows-apple-mac-osx,9557.html (second google hit, btw)
No, it isn't FUD; do some research online. Just about every hacking contest sees OS X go down in a ball of flames in minutes
Yes, minutes... After the contest enters the phase where you can load files remotely. And minutes later, Windows and Linux go down (everyone attacks the Mac first, because pwn2own means you get to keep the computer you pwn, and everyone wants the Mac).
Just about every patch cycle from Apple sees more security vulnerability patches than are found in all MS products combined in a year.
Not remotely true. However it is true that in pure numbers, Apple patches more vulnerabilities than MS. These are primarily in Open Source products included with Mac OS X, and is seen as a strength, not a weakness. Also, Mac OS X patches tend to be local vulnerabilities, while Windows patches are far more often remote vulnerabilities, which are significantly more critical.
Many security researchers have been pointing out Apple's lax security practices for a long time
Yet somehow the sky has never fallen. It's possible that Mac OS X is theoretically less secure than Windows, but it's absolutely certain that Mac OS X is, in actual real world usage, significantly more secure than Windows. Hands down, no-contest.
Pwn2own and "patches per year" are interesting metrics, but the only thing that matters is whether a user has to worry about their computer being compromised, and Mac users don't, Windows users do. It's as simple as that. Everything else is academic and hand-waving side-stepping of the actual issue.
seems they might finally be getting the message now that their share of the pie is significant enough to warrant it being an issue.
Apple has had sufficient market share since the beginning of consumer viruses and malware. There were plenty of Mac viruses back when their market share was far lower than it is now. It's absurd to claim that there are essentially zero malware for Macs because of market share, when their market share is large enough for thriving third-party software and hardware. Market share plays a role, but is not *the* primary reason.
What this indicates is that Apple is being proactive in making sure Macs remain as secure as they are today, and not resting on their laurels.
It is disappointing to see the comments thus far have not bothered to mention what potential security improvements are likely to be in the final version of Lion and how effective they might be. So far the ones I've heard mentioned include:
I'm sure in more security oriented forums there will be some good analysis of these new features, how well implemented they are, and how effective they are likely to be. The Mac App Store offers some potential security improvements by standardizing application updates and pushing them out more quickly and widely and hopefully encouraging developers to make more use of security frameworks already present. Personally, I think the sandboxing combined with the Mac App Store could be a huge boon to security if Apple can get enough developers on board, but I'm not sure if Apple will go that route. Hopefully feedback from experts will help push them in that direction.
Doesn't matter. The submitter stated it as a fact. The article doesn't make much of a case for it either.
I won't say that OS X has a perfect security record, but Windows historically has an abominable security record. Things are much better now, but I still read about vulnerabilities in Windows 7 and IE, and Microsoft still patches very frequently after 0-day exploits come out.
Besides, the techrepublic link you posted still says that OS X's security architecture is much stronger than Windows and only really makes a case for saying that Apple's secrecy and slow patching are the problem, in addition to applications like Safari. Granted, Safari is distributed with OS X, but saying that the OS itself is insecure is very different from saying that individual applications are to blame.
Still, it's really an incredible claim to say that any OS can be more insecure than Windows. The reason Windows will always have security problems is the legacy baggage, including old APIs and developer expectations of users having administrator rights out of the box. A complete rewrite of Windows and elimination of any expectations of backward compatibility will be needed to address the fundamental security flaws in Windows' architecture.
This space left intentionally blank.
Easy, get OS X Server, make a standard disk image and either use NetBoot or have them reimaged regularly. Not that hard, there are numerous mailing lists and Howtos for it.
As arrogant as Mac users happen to be, it seems they are always half as arrogant as PC users.
http://www.rootstrikers.org/
Amazing. The market share argument has been shown to be utter crap, over and over again, and you people just keep repeating it. Is it some kind of religious belief with you? Mac users get accused of fanaticism a lot, and not without justification, but I swear there's nobody more fanatical in the computer world than a Mac hater on a roll.
The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
Look at the development tools. On Windows, you have Visual Studio which makes writing exploits rather easy. It can show you a memory dump of any address, help you debug programs with a very easy UI, and Microsoft is kind enough to provide Detours to let you hook functions in system libraries.
On the Mac? Honestly, you have to admit that Xcode and other development tools are much less robust than Microsoft's. You'd have to work a lot harder to create malware.
There's no -1 for "I don't get it."
Hard to say. What's worse, smugly saying "My computer just works, and it's totally safe" or "I can build a more powerful PC for half as much as your shiny Mac!". I guess we're all douchebags. Since I use both, I guess that makes me a confused douchebag. :)
There are very few true viruses in the wild at all these days. The great majority are actually trojans or worms.
You do know that "worm" is a subset of "virus", right?
My grandmother's white fence has had 0 jailbreaks. My grandmother's fence is more secure than Alcatraz! Just because few people take advantage of such a system doesn't mean anything.
It means a lot to your grandmother. I'm sure she's much happier living in a nice house with a nice white fence, than she would be living in Alcatraz. And in either location, she hasn't had her living space broken into.
I don't care if it's 90,000 hectares. That lake was not my doing.
Work in a place with 1500+ Macs and it's hell
Care to explain what makes it hell? I'm genuinely curious.
I don't care if it's 90,000 hectares. That lake was not my doing.
Here's the only metric that really counts in my book.
If you've ever done desktop support for your friends and family, count up the times you've had to go in and clean up a rooted, malware-laden mess on Windows, either by running a full, time-consuming, malware scan and removal, or just doing a reformat and reinstall. Now do the same thing for your OS X user friends. Adjust for market share and compare the numbers.
Yeah, brb, going over to friend's house for free beer after I fix his Windows infection.
That's a news site, in other words a newspaper. Citing a newspaper is kinda ... stupid, isn't it?
angel'o'sphere
Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
Lies, damned lies, and statistics. Considering that Windows 7 has only been out 493 days as of this posting, and 2979 days have elapsed since the beginning of 2003, that means that one vulnerability is announced every 8.6 days on average for Windows 7, versus one vulnerability every 19.9 days on average for OS X.
Slashdot's first reaction to VMware
If you're referring to a security auditing tool, I've heard not a peep about a new one. Do you have a source? If you're referring to something else, maybe you should define your acronym :)
I tried getting some once. My Mac wouldn't let me. :/
That's a news site, in other words a newspaper. Citing a newspaper is kinda ... stupid, isn't it?
angel'o'sphere
Did you bother to read the article and the quotations from security experts? Just because it's in a newspaper doesn't mean it's wrong.
So what is my point? The internet is dangerous where known and unknown threats can be found, but there are simple steps for each OS (car analogy: wear seatbelts) to help keep you safe, such as regular patching.
There are no secure systems out there. There are only some systems less vulnerable than others. The problem with Windows is that its history of security is very pathetic. You assume that regular patching is the panacea to Windows security. Just last week, MS acknowledged a zero day flaw in SMB. How is regular patching going to guard against a zero day? The main problem for MS has been that Windows is coming from a design which never had security in mind in the beginning. Whereas Unix dealt with the challenges of networks, security, and multiple user access decades ago, MS has bolted on security time and time again.
Whether you want to admit it, Windows has security problems and sometimes there's very little a user can do about it or even detect it. I remember the last time I got a trojan. I was visiting a news site. Somewhere in one of the ads, it planted a trojan. This wasn't some dark corner of the internet. This was the Atlantic Monthly. Getting rid of the trojan required a fresh install.
Well, there's spam egg sausage and spam, that's not got much spam in it.
You realize that "Clicking on the file" is not a virus right? Viruses must by definition replicate without user interaction.
That's like me sending you a dos batch file on windows and you being dumb enough to run it. If we're extending the definition of virus to "anything some dumbass might run that could hurt their system" then every operating system has an infinite number of viruses just waiting to nail it.
When it comes to security, the problem is the person operating the computer. Malware and viruses don't just magically appear on a system unless there is a remote exploit, and even then it often takes user interaction to make it work.
It doesn't matter how secure you think your favorite operating system is. If someone has admin rights on that machine, then it will be vulnerable to the first NataliePortmanNekkedWithGrits.* that person downloads and runs.
~X~
Apple's problem in corporate environments is their complete and utter lack of understanding and support of a real enterprise. They want to play make believe at enterprise support but they don't take it seriously. It is a disaster and only getting worse. We've been looking at integrating Macs into a lab (and we are going to) but will need 3rd party software to make it work well.
Some big noteworthy things they've done recently are discontinue servers and screw over virtualization. So you can't buy a blade server, the most popular kind of server, for Macs anymore. You can buy a Mac mini, an overpriced tiny little desktop thing ($1000 for a Core 2 Duo server box) and use that, or you can buy a Mac Pro tower. That's it. No rack servers. Ya that is real enterprise support.
In terms of virtualization VMWare fully supports OS-X server, client tools and all... However Apple won't license it to run on anything but Mac hardware. So if you want Mac VM servers you have to buy a Mac Pro tower and find a place to put that, then get VMWare Fusion on it, which is a desktop solution, not a server one, then virtualize OS-X server on that. That Big rack of high availability, bare-metal ESXi servers that you run Windows, Linux, etc on? Nope, fuck you can't run OS-X on it because Apple says so.
Apple will never get big in corporate environments until they get real with enterprise support. Not half assed solutions, real support.
Better than merely reducing the attack surface of the platform by not including Java, Apple has also begun working with Oracle/Sun and contributed to OpenJDK. This should provide more timely updates to folk using Java on Mac OS X.
If you mod me down, I shall become more powerful than you could possibly imagine.
With reports of the Leap-A program infecting some Macs, it's important to keep the news in perspective. While Leap-A has the potential for mischief, it's not anything like a crippling Windows virus that periodically brings the rest of the computing world to its knees. More important, as explained below, this incident doesn't expose a security hole in the Mac operating system. Rather, it's a piece of malware that can be easily rebuffed by a vigilant Mac user.
Source
Faster! Faster! Faster would be better!
No, they are offering interested parties a chance to do free work, if it interests them to do so. They're not creating any obligation on the security experts to provide their time if they don't want to.
Not specifically security related but does anyone have any idea what version of rsync has shown up in the beta? The version that ships with 10.6 is rather outdated so it'd be great if this (pretty important) tool were brought in line with where rsync is now.
No matter how many times you repeat that claim, it's still unsupported by the evidence. Mac OS (7/8/9) had a much smaller market share than Mac OS X has today, and a dramatically smaller user base, and yet there were many viruses, aheh, "available" for it, whereas there are none on Mac OS X. Furthermore, it's widely known that Apple takes the lion's share of profits in the PC industry, despite selling far fewer systems. It does this by selling systems at the top end of the market, which it dominates (something like 90% of all laptops for which people are willing to pay more than $1000 are Apple computers). Obviously those people would be a rather more lucrative pool of victims, yet they remain almost entirely unexploited. There are other reasons, but those are sufficient to shatter your claim.
If you mod me down, I shall become more powerful than you could possibly imagine.
Roughly 10% of the total PC market is Apple. Apple has roughly 0% (zero percent) of the enterprise PC market, which is roughly half of the overall PC market (the number of installed systems is smaller than the consumer market, but consumers tend to refresh less often). So, Apple apparently has about 20% of the consumer market these days.
There are automated, automatically propagating exploits for obscure BBS systems, for IIS back when it was a tiny sliver of the web server market, for data base systems installed on a tiny fraction of web servers, in numbers utterly dwarfed by the installations of a single model of MacBook Pro.
What's it gonna take for y'all to give up on the "market share" ghost?
If you mod me down, I shall become more powerful than you could possibly imagine.
Dear Slashdot,
I don't want to veer off-topic, but this redesign is a mess. Comments have the score randomly disappear from them (the only "fix" is to find the problematic parent and expand it), and every few times I load a hidden comment, my entire browser content area turns gray.
I'm not complaining about the look, although for what it's worth I did like the old one better. I'm complaining about the fact that I literally cannot use the new layout because it is broken on a relatively popular browser (Firefox 3.6 on OS X).
We can haz fix?
R.Mo
Yes, we all know the FUD has been flying, he was asking for actual data. Still waiting for the first Mac OS X virus in the wild...
That no one is even bothering to write viruses for OSX speaks volumes for the situation.
I've been hearing how the MAC platform is secure...since...back before they even had a preemptive kernel or a sane security model when apps and the OS crashed regularly. This is/was obviously bullshit.
Perception is everything... windows is viewed to be less secure because it is by far a bigger target. All social engineering / botnet efforts are focused on it to maximize attacker ROI.
If an OSX luser received an email telling them to download and run a program to see if they won $1 million ... what precisely would make the outcome of that exercise any better than the same situation toward a Windows Vista/7 user?
I imagine in either case the attacker would include instructions for bypassing UAC/security prompts as is quite normal for many popular legitimate software installs from the Internet today.
Fooling lusers is easier than finding vulnerabilities and a system is only as secure as its weakest link.
Apple has had sufficient market share since the beginning of consumer viruses and malware. There were plenty of Mac viruses back when their market share was far lower than it is now. It's absurd to claim that there are essentially zero malware for Macs because of market share, when their market share is large enough for thriving third-party software and hardware. Market share plays a role, but is not *the* primary reason. What this indicates is that Apple is being proactive in making sure Macs remain as secure as they are today, and not resting on their laurels
Can I ask what makes OSX more secure than Windows Vista/7 when faced with the problem of a user being tricked into loading malicious software? Complete with instructions for bypassing any UAC/security warning prompting they may encounter?
I would love to see someone provide a cogent answer for this one simple question... Most successful attacks on the masses are social engineering that exploits no system vulnerabilities of any kind.
I get your perception = reality = security idea but it is in fact a lie... security by obscurity... It is critically important to understand the underlying reality...
The iPhone is a good model of protecting the user from themselves but personally I would only submit to that level of lock-in and single vendor control after I am long since dead.
How do you protect the user from themselves while still preserving choice and an open ecosystem?
You could do least privilege but even then malicious code has access to all of the data the user cares about! You could virtualize and sandbox everything but programs often need to interact and interchange data.
It is in fact a very difficult question... one that no general purpose operating system vendor currently has a luser-proof response to.
True.
IIS and SQL Server injections were on the rise when Solaris was still king of the internet server market a decade ago. Windows Server back then was not the dominant player yet had most of the backdoors. The reason Windows has more viruses and trojans is due to activeX and shoddy design for IE and Windows. Not because it was the dominant client operating system.
I would mod you up if I had points. I have been refuting this until I am blue in the face.
It has nothing to do with popularity. Fact is, in 1999 all you had to do was write a few lines of code in C++ to delete a partition and put it in an OCX container for ActiveX and voila! Anyone visiting your site lost their hard drive! Yes, security was that bad in the 1990s with Windows.
http://saveie6.com/
Never really thought of it like that, always thought of a virus as being something that requires a running program to infect and spread by.
A worm, OTOH, doesn't necessarily attach itself to a running program.
In common parlance today, "virus" has become a bit of an umbrella term for more-or-less any sort of malware. If you want to be strict about it, that's not correct, but let's face it - as far as the general public is concerned, that ship sailed a long time ago.
Is the speed at which an OS gets compromised a viable metric for its security? I mean, imagine (I'm talking hypothetically here) MacOS had 1 open bug that allows someone to compromise the system in 10 min, and Windows had 15 open holes, each of which would require 1 day to circumvent. Which OS is more secure? If you ask me, I'd say Windows because right now the MAC OS would be a better target. But that can change overnight if Apple released a patch. Quite often people also say that Mac OS is not targeted because of their market share. That IS a security advantage, even if it was given to them for free. For the average Joe, measuring security in a product should boil down to how likely it is that his machine gets compromised, with all factors involved, including likelihood that someone cares. I think my Mint box is much more secure than my Windows box. Not because Mint is free of holes, but because no one really cares to hack me. And to me, at the end of the day that's all that matters.
They sure have increased their emphasis on security, now that they are in a position where insecurity might allow their customers to treat the devices that they own as such...
I'm not convinced this actually counts as a troll. Apple left old and well-known vulnerabilities in third party libraries unpatched on the iDevices, right up until people started using them to jailbreak.
There are no viruses in the wild for OS X. There are, however, Trojans in the wild.
There aren't enough OS X systems to make a virus worthwhile. It probably wouldn't be able to spread due to all the non-infectable Windows installs out there. Now, you might be able to write a virus that infected both, but once you've got to 90% why bother with the last 10%? Especially given that adding a second platform is probably going to require at least as much effort as the first, possibly much more depending on the type of vulnerability and the restrictions it places on your payload.
Every single year, OSX loses the Pwn2Own competition first. Windows and Linux always go down on the same day.
Perhaps because everyone wants the Mac and focuses the most intensely? Desirability in a hacking contest with local network access != real world security exposure.
In my decade+ IT career, I've never seen a Mac rooted or infected with a virus beyond an Office macro. Curious, no?
Also curious that I've seen Linux boxes routinely rooted (usually by IRC-bot-seeking scriptkiddies) and Windows machines infected with spyware at an average of around 1 a week out of a population of about 75-100.
Please help metamoderate.
You clearly have little concept of the differences between Windows and OS X (well, beyond "Windows sucks but Apple is cool, dude" anyway) so I'll try to explain it in simplistic terms.
Viruses and Trojans propagate easily through Windows systems because there is a common platform across many machines in which a piece of malware can run, and because a lot of Windows users run in administrator mode with deeply-embedded applications running with similar permissions, malware can get deeply into the system. Yep, a lot of that is bad design of the OS but that's how it is.
A UNIX-like system is not susceptible to the same type of malware propagation because there are many different variants of UNIX that don't frequently run common binaries (i.e. programs need to be compiled for each specific type of UNIX). However, a bigger barrier to virus propagation is the fact that UNIX instills in you from the outset to do as much as possible as a normal user and just change to root when you need to.
I am a huge fan and user of Linux but I tell you now, categorically, the above facts DO NOT AUTOMATICALLY MAKE YOU SAFE!
UNIX "presents" applications to the network ("daemons") that have been started from their own shell and if you manage to crash those daemons, then you can force the system to drop to a shell prompt. If that daemon was running with root permissions, then it will drop to a root shell prompt and you then have unrestricted access to the system to do what you like - this type of attack is known as a "buffer overflow attack" because its purpose is to crash the daemon by sending either too much data for it to process or badly constructed data. And this is precisely why modern UNIX systems usually try to run daemons at normal user level, rather than root, so that in the case of a crash, it drops to a user shell only in which you can do a lot less damage because you are far more restricted at a permissions level.
Another form of attack is "brute forcing" where you try to break open an application by continually trying to send, say, a valid password to log into the system.
In both cases, such attacks need to be directed at a specific application, maybe even a specific version of that application with a known vulnerability that can be exploited. However, because it's possible to drive attacks from an automated program, a lot of machines can be tested very quickly for vulnerabilities.
If you have enough knowledge of what you are doing and don't believe me, make sure your machine is logging everything and then stick it in the DMZ of your home router, maybe run up Wireshark packet sniffing at the same time. I guarantee you that if not immediately, then within minutes you will see signs that something out on the Internet is having a look at what's running on your machine - a common one is brute forcing the SSH daemon where syslog will show you spurts of activity of something trying to get access to your machine by systematically trying common account names.
What's worse in your case is Apple markets their machines as being easy to use but, the fact is, you need to know a lot about UNIX before you can be relatively confident that you are safe. Incidentally, I got seriously into UNIX security about 8 years ago when I put a home server on the Internet, stupidly left an FTP service running, it got buffer overflowed and a script got installed on it to kick users from an IRC channel. I found out about it when my ISP disconnected my account due to complaints and it took me over two weeks of sending them logs and emailing them to get it reinstated. Suffice it to say, I've never been hacked since.
The moral of the story is "Don't get too complacent" and you'd be far better off reading a few books about UNIX security now rather than sitting there thinking it will never happen to you.
Gentoo Linux - another day, another USE flag.
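The SSH symptom described in the comment above (bursts of failed logins from one source cycling through common account names) can be picked out of the log mechanically. The following is an added example, not part of the original thread: it assumes OpenSSH's "Failed password for ..." message in classic syslog format, the function names, the 60-second window and the 5-name threshold are choices made for the example, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (RFC 5737 documentation addresses, made-up host and PIDs).
SAMPLE_LOG = """\
Feb 27 03:14:01 gw sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Feb 27 03:14:03 gw sshd[2103]: Failed password for root from 203.0.113.7 port 40120 ssh2
Feb 27 03:14:06 gw sshd[2105]: Failed password for invalid user test from 203.0.113.7 port 40131 ssh2
Feb 27 03:14:09 gw sshd[2107]: Failed password for invalid user oracle from 203.0.113.7 port 40144 ssh2
Feb 27 03:14:12 gw sshd[2109]: Failed password for invalid user postgres from 203.0.113.7 port 40150 ssh2
Feb 27 03:14:15 gw sshd[2111]: Failed password for invalid user a from 192.0.2.1 port 1 ssh2 from 203.0.113.7 port 40161 ssh2
Feb 27 08:30:10 gw sshd[3301]: Failed password for alice from 198.51.100.23 port 51514 ssh2
Feb 27 08:30:18 gw sshd[3301]: Failed password for alice from 198.51.100.23 port 51514 ssh2
Feb 27 08:30:41 gw sshd[3301]: Accepted password for alice from 198.51.100.23 port 51514 ssh2
"""

# The user name is chosen by the remote side and may itself contain
# " from <ip> port <n> ssh2". The greedy ".*" plus the end anchor makes the
# LAST "from ... port ..." on the line win, which is the one sshd wrote.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<ip>\S+) port \d+ ssh2\s*$"
)


def parse_failures(lines, year):
    """Yield (timestamp, user, source_ip) for each failed password attempt.

    Classic syslog timestamps carry no year, so the caller supplies it.
    """
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def detect_spraying(events, window=timedelta(seconds=60), min_users=5):
    """Return {ip: details} for sources that tried at least `min_users`
    distinct account names inside one sliding `window`."""
    recent = defaultdict(deque)  # ip -> (timestamp, user) pairs still in window
    findings = {}
    for ts, user, ip in sorted(events):
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:  # expire attempts older than the window
            q.popleft()
        users = {u for _, u in q}
        best = findings.get(ip)
        if len(users) >= min_users and (best is None or len(users) > len(best["users"])):
            findings[ip] = {
                "first_seen": q[0][0],
                "last_seen": ts,
                "attempts": len(q),
                "users": users,
            }
    return findings


if __name__ == "__main__":
    events = parse_failures(SAMPLE_LOG.splitlines(), year=2011)
    for ip, hit in detect_spraying(events).items():
        print(f"{ip}: {hit['attempts']} failures, {len(hit['users'])} account "
              f"names between {hit['first_seen']} and {hit['last_seen']}")
```

A single user mistyping a password (the `alice` lines) stays below the threshold because only one account name is involved; counting distinct names rather than raw failures is what separates the two cases.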
By default instead of leaving it set OFF.
And yep, I know that the threat profile has changed, but come on. Why leave the system open to any other systems behind whatever other hardware firewall there is - if there is - services running or no?
He is lying, made up a big number to sound cool. Having worked in large environments with both platforms, the tools for managing large OSX deployments are as good or better than Windows and significantly less expensive.
(see below).
Interesting, because the market share of servers running that version of ftpd is significantly less than the desktop OSX market.
Weird. I believe it is impossible anyone took the time to exploit it.
You fail at statistics. Wow. I would dare say, Epic Fail.
Uh... you do realize that the only reason most known vulnerabilities for Mac OS X are "known" is because they are in Open Source bits, right? And that basically none of Windows is Open Source? This means that the number of known unpatched vulnerabilities in Windows should inherently be smaller, not because there are fewer unpatched vulnerabilities, but because its source code has not undergone the same level of external scrutiny.
Also, most of the things on your list are not vulnerabilities, and the few that were are almost all reports about Apple having fixed those vulnerabilities. The only one I saw that did not fall into that category was a DNS cache poisoning bug. Besides being difficult to exploit usefully, it applies to a DNS server daemon that doesn't even run in Mac OS X unless you explicitly enable the name server by editing config files (or in the GUI in Mac OS X Server).
Not all vulnerabilities are created equal. That's what makes comparisons of vulnerability counts useless. As long as Windows supports AutoRun in any form, it will continue to be so far behind Mac OS X that it isn't really even in the race just from that one fundamental design flaw alone.
Check out my sci-fi/humor trilogy at PatriotsBooks.
Why do you think compromising those web servers was so valuable to the cracker? Because it was the gateway to compromising a metric fuck tonne of home and business desktop PC systems, onto which keyloggers were installed, and from which data was harvested. To that end: the systems on the desktop which became parts of giant zombie PC fleets were not running Mac OS X, they were (and are) running Windows. Furthermore, within the context of the web server market, you seem to have failed to understand that platforms with tiny slivers of market share, dwarfed by Mac OS X installations, were routinely compromised. If your beloved "market share theory of OS security" were true, then crackers wouldn't bother with these tiny slivers, they would have been attacking Apache/UNIX, rather than the much smaller market share of IIS/Windows or the then-infinitesimal market share of the various BBS systems and database systems which were actually exploited, routinely. System architecture matters, and the system architecture of Mac OS X is holding up pretty well, by comparison in the real wild world of automated exploitation of computer systems.
If you mod me down, I shall become more powerful than you could possibly imagine.
One would think it was so obvious that it didn't merit mention, but apparently there are those who will argue against this obvious truth to their last breath.
If you mod me down, I shall become more powerful than you could possibly imagine.
Uh, where have you been? Have you seen the sea of Apple logos on the MacBook Pros cradled in the arms of developers at hacker development conferences any time in oh, say, the past six or seven years? Do you actually *know* any software developers?
If you mod me down, I shall become more powerful than you could possibly imagine.
You're in some strange fantasy world. Corporations are often the target of attacks, but zombie fleets are not much comprised of T3 connected corporate desktop systems. The corporate systems get discovered and cleaned up routinely, so most zombie fleets consist mainly of home user systems. The bottleneck isn't the WiFi connection, it's the DSL or Cable Modem connection, which offers the zombie PC greater bandwidth to the internet than most corporate PCs have anyway. (Not every corporation resembles Google with respect to internet bandwidth to the desktop).
If you mod me down, I shall become more powerful than you could possibly imagine.
Well, my "stats" are not particularly controversial. Do your own homework, and prove me wrong, if you think I'm wrong.
If you mod me down, I shall become more powerful than you could possibly imagine.
Well, I am a security professional. These guys make us look bad, and need to be challenged. Not to worry, though. Mac OS X has never been a stationary target. Its security architecture has continued to improve, and will continue to improve. And the Bad Guys (TM) already know the economics of the situation. They'll exploit Mac OS X at their earliest opportunity, and continue to look for ways to do so. Lying about it, or remaining silent when others lie, won't help that.
If you mod me down, I shall become more powerful than you could possibly imagine.
Here is information regarding the only threat of those 13 that is marked as a Virus
http://www.symantec.com/security_response/writeup.jsp?docid=2006-110217-1331-99/
OSX.Macarena
Risk Level 1: Very Low
Discovered: November 2, 2006
Updated: February 13, 2007 1:01:55 PM
Type: Virus
Systems Affected: Macintosh, Macintosh OS X
OSX.Macarena is a proof of concept virus that infects files in the current folder on the compromised computer.
Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Easy
Damage
Damage Level: Low
Distribution
Distribution Level: Low
No comments.
Apple diagnostic technicians should probably be called "Apple Veterinarians"... cat names and all that
Every time APK posts I have a weird flashback to TimeCube.com
This must be what Acid flashbacks are like.
No, seriously. Windows more secure than OSX? Put up or shut up. Release some code or go home.
Non impediti ratione cogitationus.
Also, most of the things on your list are not vulnerabilities, and the few that were are almost all reports about Apple having fixed those vulnerabilities. The only one I saw that did not fall into that category was a DNS cache poisoning bug. Besides being difficult to exploit usefully, it applies to a DNS server daemon that doesn't even run in Mac OS X unless you explicitly enable the name server by editing config files (or in the GUI in Mac OS X Server).
From the parent poster above yours.
Put up or shut up. Exploit something or go back to writing shitty Delphi code that's worthy of thedailywtf.com.
Zero drive-bys for OSX versus... how many ever for Windows, I can't even count anymore.
Non impediti ratione cogitationus.
Irrelevant to my point, which was that the source is not out in the open and therefore the known vulnerabilities for that source are likewise not out in the open. Therefore, the odds of any single security bug in Mac OS X getting pointed out publicly are much greater than the odds for a similar bug in Windows simply because the disclosure is much more likely to occur in a public forum or through a publicly visible commit log.
The fact remains that you don't know how many internally known vulnerabilities there are in Windows because you don't have access to Microsoft's internal bug tracking system. Similarly, you don't know how many vulnerabilities there are in the closed source portions of Mac OS X, but you do know how many have been discovered in the open source portions because those bugs are reported out in the open.
Therefore, the fact that Mac OS X contains lots of open source means that you would expect the number of publicly known bugs to be much higher even if the total number of internally known bugs is comparable or lower. In effect, this means that the number of publicly known vulnerabilities is completely useless as a metric of software quality because it has no real relationship to the number of exploitable bugs.
More to the point, the crackers usually already know about the bugs whether they're discussed publicly (as with open source bugs and announcements by legitimate security researchers) or not. The disclosed vulnerabilities, therefore, are largely uninteresting. What matters is the total number of vulnerabilities known to the bad guys, which as I explained above, is not strongly correlated with the number of vulnerabilities known to the general public.
Read what the Microsoft bulletin said again. It says AutoRun is still in full force, but only for optical media. Although that does diminish the impact (by preventing people from unknowingly spreading malware by moving flash drives from machine to machine), the fundamental vulnerability is very much still present. Malware producers can still infect a CD manufacturing plant with malware and cause millions of discs from multiple manufacturers to infect Windows boxes on insertion. This is not a theoretical vulnerability, either; people have actually gotten infections from commercial software discs in the past. So they might have put a lock on the front door with that change, but they still left the window right next to it completely ajar with a footstool below it for your convenience.
Check out my sci-fi/humor trilogy at PatriotsBooks.
darkComet's a payload, not a vulnerability.
Post an exploit or shut up. I'm seriously tired of your unhinged rants.
Non impediti ratione cogitationus.
Look, I'm sorry, I'm a simple security consultant, a mere mortal, nothing more than that.
When I read phrases like "market share", my brain starts to hurt & braincells scream their last dying breaths... I'm *just* a bloke wot fixes stuff, nothing more.
Please, go now. Go find someone who lives on that higher plane of "tax dollars", "margins" and "pre-tax profits" because your words are now going fuzzy and are spinning around... I need to go lie down now...
Gentoo Linux - another day, another USE flag.
NOTE: Currently, there is no application known that can be used as attack vector.
...and?
What's the point of an exploit if there's no attack vector?
Non impediti ratione cogitationus.
It is closed source. The fact that source code has been shown to specific third parties under nondisclosure does nothing to change that fact. I'd be surprised if any closed source piece of software exists that has not at some point been similarly made available to at least one third party under NDA. That's not the same thing as Open Source, in which the source code is out there with public change logs and bug tracking such that almost every single security bug is disclosed to the entire world the moment it is discovered.
Which are completely beyond the average Windows user. As far as I'm concerned, an OS is only as secure as it is in the default configuration. If, as installed, an OS has a hole so big you can drive a truck through it, the fact that they provide mortar and a bunch of bricks so that you can patch the hole yourself doesn't really change anything. By that standard, a ten-year-old Linux distro has no security holes because you can recompile BIND, Apache, OpenSSL, etc. yourself. It's a ludicrous argument.
Most of the wannabes do, sure. They rely on people not patching their machines for long periods of time. The people who created those exploits in the first place, however, don't generally sit around trolling the list of patched vulnerabilities. By the time there's a patch out there, the bulk of the potential targets are going to be protected before they can roll an attack, leaving only a small percentage of stragglers. For maximum impact, the serious hackers are exploiting zero-day holes.
My thoughts are that the facts you give do not prove what you think they do.
Also, the articles you are pointing to this time are pretty much harping about ASLR differences. While ASLR is nice and all, that's only one very small aspect of total OS security, and one that is no more or less important than sandboxing, privilege separation, etc. No OS is the best at every aspect of security.
These links are basically tantamount to saying that a Ferrari is better than a Porsche because the cupholders are nicer. While one or the other might be better, it should be obvious to anyone with a modicum of common sense that using one minor feature as the sole basis for comparison is sheer foolishness.
Check out my sci-fi/humor trilogy at PatriotsBooks.
Not that I care what some bloke I've never met on the other side of a computer screen somewhere in another part of the world thinks of me but here's a quick story.
I work in system security for a telecoms company, have done for 5 years now & spent about 20 years in tech support in telecoms & UNIX, also done more than my fair share of sysadmin work. (Yes, I'm *that* old.)
Yep, I used to think I was a pretty "l33t" guy, then my home Linux server got hacked about 8 years ago because I stupidly left an FTP daemon running. Several scripts were dumped on my machine that kept kicking people off of a few IRC channels, someone complained to my ISP and my connection got severed by them. After two weeks of emailing them and sending them logs, they accepted it wasn't me and reinstated my connection - being hacked is quite a humbling experience.
Since that time, I read up a lot on OS security, tried a lot of stuff myself and now I work as a security consultant for a telecoms company - it's interesting, it pays well, I'm happy.
I do a lot of auditing and hardening of customer servers, I see (and fix) a lot of security holes put on systems by people who were well intentioned but didn't fully understand what they were doing - passwordless accounts, unpatched daemons running, scripts doing some pretty scary things on systems. Not one of my customers is confident enough in their management abilities of those servers to trust them to be exactly the same as when they were delivered in shrinkwrapped boxes, so they get me to come in and close down any holes.
So if you choose to ignore my advice, that's your call, it makes no difference to me. But rest assured that one of the worst things you can do is not double check your systems on a regular basis and become too self-assured about your own security.
Gentoo Linux - another day, another USE flag.
You fail at statistics. Wow. I would dare say, Epic Fail.
What? You can't understand that OSX has had more TOTAL vulnerabilities than Windows7, a higher percentage of which were serious vulnerabilities? Sure you can interpret the other way and look at the rate at which they were found, but that's a different argument.
What? You can't understand that OSX has had more TOTAL vulnerabilities than Windows7,
What? You can't understand that "OS X" corresponds not to "Windows 7", but to the entire Windows NT series, and that the equivalent of "Windows 7" would be something like "OS X Snow Leopard"? And that the only reason that, 2003-2008, Windows 7 had zero vulnerabilities was that, 2003-2008, Windows 7 didn't, err, umm, exist as a product, as it was released to manufacturing in the middle of 2009? (BTW, is it just me, or is "windowsteamblog.com" continuing in the grand tradition of "expertsexchange.com"? Why is steam condensed on your window worthy of an entire blog? :-))
Unfortunately, Secunia neither offers a page for the Windows NT family as a whole, nor for individual releases of Mac OS X (although they do offer pages for individual releases of iOS!), so there's no way to compare, for example, Windows 7 and OS X Snow Leopard, but if, for example, we compare Windows 7 and OS X statistics in 2010 (that being the only year in which both Windows 7 and OS X Snow Leopard were available for the entire year), we have 47 advisories for Windows 7, 20 of which are critical, and 6 of which, 4 non-critical, are unpatched, and 12 vulnerabilities for Snow Leopard, 8 of which are critical, and 2 of which, both non-critical, are unpatched. Statistics for 2009, where they were both available for approximately the same amount of time, and for 2011, where they are available for exactly the same amount of time, are left as an exercise for the reader.
Then again, if Windows 7 in its entirety has more lines of code than Snow Leopard in its entirety, that might just be a case of "the same number of vulnerabilities per line of code, or fewer vulnerabilities per line of code, but they have more lines of code", so it's not clear that, even once you compare particular OS versions, rather than comparing a particular version of one OS to all versions of another OS, you necessarily have an easy way for fanboys or foeboys of one particular OS to validly beat up another OS or defend a particular OS.
Nobody said it was. It does not, however, to my knowledge, ship with things turned on that are more insecure than an emo kid.
In principle, no. In practice, the average computer user has never heard of AutoRun, much less TweakUI. That's why the default state must have at least a certain minimum level of security or you're screwed.
I don't think you realize just how little the average computer user knows about how computers work. A sizable percentage of Windows users don't know how to install software at all, relying only on the software that came preinstalled from Best Buy. Thus, even the act of downloading and installing TweakUI is beyond them....
So yeah. It's way beyond a significant percentage of Windows users. Way, way beyond.
Check out my sci-fi/humor trilogy at PatriotsBooks.
UNIX "presents" applications to the network ("daemons") that have been started from their own shell and if you manage to crash those daemons, then you can force the system to drop to a shell prompt.
Err, umm, what? At least one UNIX has its daemons started directly by a system daemon, without an intervening shell. Even in UN*Xes that launch daemons from rc files, the shell running the rc file doesn't hang around forever.
If that daemon was running with root permissions, then it will drop to a root shell prompt and you then have unrestricted access to the system to do what you like - this type of attack is known as a "buffer overflow attack" because its purpose is to crash the daemon by sending either too much data for it to process or badly constructed data.
No, buffer overflow attacks aren't intended to crash the daemon so you get to type at the (either non-existent or, if there are any cases where it exists, non-interactive) shell that started the daemon, buffer overflow attacks are typically intended to get the daemon to run code you stuffed into the buffer in question.