Do Macs Have an Edge Against APTs?

itwbennett writes "Macs aren't being hit with advanced persistent threat (APT) attacks, but that doesn't mean they're invulnerable, say researchers at iSec Partners. Speaking at the Black Hat conference in Las Vegas Wednesday, iSec founder Alex Stamos and his team of researchers took a look at the typical stages of an APT attack — and compared how the Mac would do versus Windows 7. Their conclusion: Macs provide good protection against the initial phases of the attack, but once the bad guys are on the network, it's a whole different story. 'They're pretty good for [protecting from] remote exploitation,' Stamos said. '[But] once you install OS X server you're toast.'"

Here We Go Again ...

[WrongSizeGlass]

Wash. Rinse Repeat.

Macs aren't as vulnerable because they don't have a big enough footprint so they aren't stumbling upon the infected sites or aren't being targeted directly. Windows, including Windows 7, is still more prevalent and more vulnerable.

How many times are we going to get the same stories? If the user is willing to do anything the app or websites tells them to, well, you can't protect them.

Re:Here We Go Again ...

[russotto]

Macs aren't as vulnerable because they don't have a big enough footprint so they aren't stumbling upon the infected sites or aren't being targeted directly. Windows, including Windows 7, is still more prevalent and more vulnerable.

How many times are we going to get the same stories?

Until the Microsoft propaganda machine stops pumping them out, I suppose.

Re:Here We Go Again ...

If the user is willing to do anything the app or websites tells them to, well, you can't protect them.

Not just that, but most complex software is full of undisclosed and undiscovered vulnerabilities. Just because a piece of software is fully patched as of today doesn't prevent the bad guys from finding or exploiting undiscovered vulnerabilities. And they're not likely going to share those exploits with Apple (or Microsoft, or Google, or Red Hat, or Oracle, or [insert vendor here]).

Two words (or rather a hyphenated number/word and another word): 0-day exploits. Patching and not doing stupid things are great first steps, but they're not the end-all be-all of stopping exploitation.

Re:Here We Go Again ...

[EreIamJH]

Wash. Rinse Repeat. Macs aren't as vulnerable because they don't have a big enough footprint so they aren't stumbling upon the infected sites or aren't being targeted directly.

I don't buy this reasoning. Malware writers would quite happily release malware for OSX if they could make it work. Just look back 20yrs ago - there was plenty of malware for Amigas and Ataris, even though their numbers were measured in thousands rather than millions.

Re:Here We Go Again ...

[Billly+Gates]

"Macs aren't as vulnerable because they don't have a big enough footprint so they aren't stumbling upon the infected sites or aren't being targeted directly"

I am so sick of hearing this nonsense through every single security story. It is not true and never was and was made up by Microsoft. Read the article ... or please read the summary? The article stated that mac's have weak default security and have more services that can be compromised open. The drivel about them always being equal in security and somehow it is always marketshare is a lie.

Usually Apple is more secure until the last 2-3 years.

Windows XP pre service pack 3 did not check for buffer overflows in strings and other primptives. Therefore it had as many security holes as swiss cheese not to mention IE executed all ActiveX controls and they had full administrative access. DCom/Com+ had more holes you could use. So they were hacked more.

Today, most malware targets flash and java which is multiplatform and never updated. After all updates make all operating systems more secure. But flash is very old in most computers. I will simply target flash and can pawn both a pc and a mac.

Re:Here We Go Again ...

[Jerry]

Apparently you've never read about James Plamondon and his "Technical Evangelists". The Combs-3096.pdf is a collection of his training manuals and describes "The Slog", and a real jewel you'll love called "The Stacked Panel". Then, I suppose, you've forgotten about the stuffed ISO committees, or the scam which gave expensive laptops to journalists in exchange for favorable stories about VISTA?

When his "work" was revealed in the Combs vs Microsoft trial Plamondon did a Mea Culpa, and now decries the tactics he used to help Microsoft establish market dominance. Too little, too late.

Re:Here We Go Again ...

[Jerry]

Two points:

1) That old saw about Microsoft being vulnerable because of its market share is hog wash. There were over 3 million viruses and Trojans released last year. Were it a simple matter of market share percentages than about 12% of those would be Linux viruses and another 10-15% would be Mac viruses. But, they are not. Well over 99% of them are Windows viruses. Only 19% of Internet web servers are running Windows but they are the source of essentially all malware.

2) Blaming Windows users for security holes that Microsoft keeps secret from them is worse than obscene. It's fanboism to the extreme.

That 4,300,000 Windows zombie bot farm discovered last year wasn't all Windows because they were hard to break into, and the handful of command & control computers weren't Linux and Mac because they are easy to break into.

Re:Here We Go Again ...

[obarthelemy]

maybe because at the time, these thousands were a very large slice of a much smaller pie ?

Re:Here We Go Again ...

[Sable+Drakon]

Security by obscurity isn't security at all. It's akin to walking around without health insurance and hoping you don't get injured. Same thing happens, when you do get attacked/injured, it's a world of hurt and quite possibly game over.

Re:Here We Go Again ...

[arkane1234]

command-q
(snare drum rimshot) ... ugh ...

Re:Here We Go Again ...

[ka9dgx]

As long as the user has no way to quickly and safely run something in a sandbox, this will continue happening.

IMHO, Once you give them the ability to run programs in a default deny environment, users can manage things fairly well.

See also: http://www.ranum.com/security/computer_security/editorials/dumb/

Re:Here We Go Again ...

[Gadget_Guy]

Do you have any evidence to suggest that Microsoft is behind this story in some way? Any at all?

Apparently you've never read about James Plamondon and his "Technical Evangelists".

So the answer is no then.

Surely attempting to demean a study and its researchers by alluding to bad things done by a completely separate group of individuals (without any evidence linking the two) is exactly the kind of behaviour (of Plamondon) that you are decrying. The fact that Microsoft had technical evangelists does not mean that the opposition's products are without criticism, nor that such criticism will be sponsored by Microsoft. I have yet to see any indication that Robert McMillan or iSec Partners are shills for any company.

Re:Here We Go Again ...

[jc42]

The article seems unlikely to be MS propaganda. Note that the writer quotes that one investigator (Rob Lee) as saying that he's never seen a compromised Mac, and he advises his clients to replace their compromised MS-Windows machines with Macs to prevent re-infection. Would a MS-paid writer be likely to put such suggestions in their article?

This does bring up a curious aspect of the "logic" behind all the claims that poor little MS is being picked on because it's so popular. If this were true, you'd think that a sensible person would simply refuse to buy anything with a MS logo. True, if you buy a Mac or Ubuntu or whatever rather than Windows, you machine might be attacked sometime in the remote future. But, since we "know" that no commercial systems are totally secure, it would make sense to choose a system that might be attacked in the far future over one that you know will be attacked repeatedly on the first day and probably compromised in the near future. You don't need to know the technical reason for this; you just need to be sensible enough to trade likely near-future failures for possible far-future failures.

So I'm puzzled about who might be behind all this "MS is only attacked because it's so popular" propaganda. I wouldn't think MS's marketers would be so stupid as to tell everyone such a good reason to avoid their brand. I wouldn't think a Windows fanboy would say this either, because it would amount to admitting that they intentionally bought a machine because it was highly likely to be compromised. But there doesn't seem to be any good reason for other vendors to make this suggestion, either, since it amounts to saying that their security isn't any better than Microsoft's. So who is really behind this bizarre bit of logic? Who profits from it?

Re:Here We Go Again ...

[artor3]

While I agree with your conclusion (that Windows is a less safe OS than Linux), your first point is completely illogical. The number of viruses released in a given year can be a function of market share without being a 1:1 function of market share. Criminals will always target the OS with the largest numbers of technically unsavvy users. Why double your efforts to increase your pool of potential victims by only ~10%?

Until a non-Windows OS is installed on a plurality of machines, Windows will be the primary target and have the most hackers going after it. The Pwn2Own contests have shown that Macs are plenty vulnerable when people are willing to put in the effort to go after them.

Re:Here We Go Again ...

This just makes too much sense so it must be wrong. lol

Here's another question on the subject:
As well wouldn't people have a better chance of finding an exploit in a system their more familiar with?

I've always found it funny how some people put their system of choice on a pedestal. Everything can be exploited period. The hardware and software involved is just too complex to plug ever hole. True some, like Windows, seem to be in too much of a rush to market with new "gee whizz" features to catch some of the exploits they should. But no matter how "cool" you may think Justin Long is, Steve Jobs is not the second coming, and Apple products are not the blessed rewards to the faithful.
It's just a computer and OS, it will have flaws. You can count on it.

Re:Here We Go Again ...

[thegarbz]

I don't buy this reasoning. Malware writers would quite happily release malware for OSX if they could make it work. Just look back 20yrs ago - there was plenty of malware for Amigas and Ataris, even though their numbers were measured in thousands rather than millions.

So you reason that malware writers would do something because 20 years ago in a very different environment for different reasons people did something? The comparison is absurd.

Firstly 20 years ago malware looked different and had completely different goals. The vast majority of them were written for comical / destructive purposes not to make money. These days malware is a business and the ultimate goal is not to have malware which affects the user experience but rather is invisible to the user meanwhile exploiting system resources for profits (botnets). Some are still destructive such as the malware which encrypts portions of your harddisk and demands a ransom, and others just exist to serve you ads. One thing in common is profit, and that wasn't the game 20 years ago.

Secondly 20 years ago malware travelled differently. The vast majority of it spread via physical media and relied people moving it from one machine to the other. The majority of malware today spreads via infection over the network whether automated or via social engineering.

Thirdly and critical to your understanding of why OSX isn't a target, modeling of virus spread has shown that only a small percentage of possible targets need to be immune to stop a spreading virus in its tracks, not 100% as you may think. If by chance your carefully written virus manages to infect one of the only 10.9% of total users who run OSX, there is a very good chance it won't spread further as the computer may be isolated from others by a horde of windows machines preventing the spread of malware. Why risk that when 85% of the remaining users run Windows and thanks to Microsoft's brilliant backwards compatibility you can exploit holes in nearly all of the target market at the same time?

It is simply uneconomical for the modern malware author to target OSX. If you think otherwise I'm sure you'll eat your words if OSX becomes even remotely popular among the general internet population.

Oh and Safari users were smarter than IE users a few days ago and thus don't fall for social engineering attacks, remember ;-)

Re:Here We Go Again ...

[Daniel+Dvorkin]

I think russotto wasn't calling TFA Microsoft propaganda, but rather calling WrongSizeGlass' "Macs are only secure because they're less popular" comment Microsoft propaganda. Which it is, of course. Any argument that relies on security-through-obscurity is wrong, no matter how you try to dress it up. WrongSizeGlass and the zillion other posters who repeat this tired canard may not realize they're propagandizing for Microsoft, but that's what they're doing, sure enough. They should at least demand payment for their services.

Re:Here We Go Again ...

[dave562]

Microsoft gets attacked because the Line of Business applications run on Windows. How many large accounting systems, ERP systems, etc. run on OSX? Know anyone running a factory on OSX? How about a firm doing R&D and drafting blueprints and other technical documents on OSX?

OSX is not a target because there are very few people running OSX who have access to the systems with information that dedicated, skilled attackers want to get to. With Apple's incessant focus on the consumer space, little is likely to change in that regard. Likewise, the developers who develop those large scale systems are never going to target OSX because the install base is too small. As applications continue to move toward the cloud and distributed systems that are accessed via a web browser, there will be even less reason to run them on OSX. They will continue to run on Windows and *nix boxes.

People buy Windows because of the software that runs on Windows. Windows systems can be made secure. More often than not, security comes at the cost of useability and few organizations are willing to make the trade off. Even organizations that should be secure (Lockheed Martin for example) still get hacked because it is tough to do security well, and it is even tougher without buy in from the rest of the organization.

Security has been mostly solved. Between diskless workstations, Citrix-esque VDI for known good clean boots and software white listing, it is possible to spin up secure application environments. The trouble comes in when a person wants to work on their business application, and also check email, or browse the web, or, or, or. Every other task a user demands their workstation be able to do opens them up to another exploitation vector.

Re:Here We Go Again ...

[fuzzyfuzzyfungus]

Wash. Rinse Repeat. Macs aren't as vulnerable because they don't have a big enough footprint so they aren't stumbling upon the infected sites or aren't being targeted directly. Windows, including Windows 7, is still more prevalent and more vulnerable. How many times are we going to get the same stories? If the user is willing to do anything the app or websites tells them to, well, you can't protect them.

You appear to have missed the bit where TFA was almost the exact opposite of the usual:

According to the security researchers quoted, OSX was essentially never the initial foothold/desktop attack; but was judged to be as weak, or weaker, than alternatives when it came to the post-foothold internal attack phase.

Most Mac/Security stories are an argument between the "It's just obscure" camp and the "superior by design" camp. This article asserts "Obscure(enough to rarely/never be the social engineering initial target) and inferior by design(in that various OSX features are comparatively weak in the face of sophisticated attackers who have finished stage one)"....

Re:Here We Go Again ...

[LordLimecat]

If the user is willing to do anything the app or websites tells them to, well, you can't protect them.

Reading up on Pwn2Own results, and reading the security update notes on major browsers / flash / acrobat would prove really informative. Most of the viruses Ive seen are not from incompetent users.

Re:Here We Go Again ...

[LordLimecat]

Malware writers would quite happily release malware for OSX if they could make it work

History disagrees.

In the first [Pwn2Own] contest, Dino A. Dai Zovi and Shane Macaulay worked together to take down the first MacBook Pro.[5] On the second day of the conference Macauley sent an email which redirected the user to a malicious site. The site was able to infect the machine with a client-side Javascript vulnerability which allowed arbitrary command execution.[6]

Each subsequent year isnt much better.

And why so smug anyways, Safari is already exploited on windows, as are Firefox, Quicktime, Java, Acrobat reader, and Flash-- all of which are usually installed and vulnerable on Macs (unless you think that PDFs somehow arent as dangerous on OSX).

Wasnt there a story some months back about a PDF that could launch arbitrary code on all 3 common platforms (OSX, Linux, Windows)? Yea, enjoy your smugness while it lasts.

Re:Here We Go Again ...

[LordLimecat]

Because of... wait for it... market share.

Re:Here We Go Again ...

[LordLimecat]

That old saw about Microsoft being vulnerable because of its market share is hog wash. There were over 3 million viruses and Trojans released last year. Were it a simple matter of market share percentages than about 12% of those would be Linux [osnews.com] viruses and another 10-15% would be Mac viruses. But, they are not. Well over 99% of them are Windows viruses. Only 19% of Internet web servers are running Windows but they are the source of essentially all malware.

Logic fail. If there is an 80% chance that you will make $100 by wearing blue on mondays, and this is public knowledge, what percentage of people do you think will wear blue on mondays? 80%, or all of them?

Blaming Windows users for security holes that Microsoft keeps secret from them is worse than obscene.

And trying to pretend that most exploits arent through cross platform browser plugins is just ignorant.

Those inflated virus numbers probably also include the fact that viruses are recompiled and repacked daily-- and thus need a different virus definition to detect. How, you might ask, can they afford to do that? Because theres MONEY involved.

Last-- you can always tell when someone doesnt know diddly about viruses when they start referring to "the number of viruses". Its irrelevant, an infection is an infection, and Macs can get infected by arbitrary code as easily as windows can.

Re:Here We Go Again ...

[dbIII]

"MS is only attacked because it's so popular"

It's a fanboy response that goes right back to the early MSDOS days. It is of course currently irrelevant considering the number of other devices on the internet now. All those routers, modems, webservers etc out there are also popular and available 24/7 in hundreds of thousands per model or OS version to provide a potential botnet beyond the wildest dreams of a cracker - yet malware is currently only a Microsoft platform problem.

Re:Here We Go Again ...

[CharlyFoxtrot]

Talking of Mr. Zovi, here's what he says about Lion :

"[...] now, they are also more secure than PCs, thanks to several crucial security improvements in the operating system itself, Mac OS X 10.7 So says Dino A. Dai Zovi, an independent security consultant. Those operating system features now put Lion ahead of Windows 7, the latest version Microsoft’s operating system, whose leadership was forged from the fire of relentless attacks by hackers and malware writers, he says."

Re:Here We Go Again ...

[CharlyFoxtrot]

Until a non-Windows OS is installed on a plurality of machines, Windows will be the primary target and have the most hackers going after it. The Pwn2Own contests have shown that Macs are plenty vulnerable when people are willing to put in the effort to go after them.

The guy who won all those Pwn2Own contest says that OSX Lion's security is now better than Windows 7.

Re:Here We Go Again ...

[dgatwood]

Try a contest where the first person to break any platform gets to choose which hardware he/she wins, and see if it still falls first. Just saying.

Re:Here We Go Again ...

[1729]

OSX is not a target because there are very few people running OSX who have access to the systems with information that dedicated, skilled attackers want to get to.

That's simply not true. For example, OS X is very popular among scientists and engineers at many of the national labs.

Re:Here We Go Again ...

[mehemiah]

do mac users use adobe reader instead of preview? I'd like to see that data out of pure curiosity

Re:Here We Go Again ...

[CharlyFoxtrot]

Reading up on Pwn2Own results, and reading the security update notes on major browsers / flash / acrobat would prove really informative. Most of the viruses Ive seen are not from incompetent users.

In Lion all those are now separated into independent processes and sandboxed. Should make things a lot more secure.

Re:Here We Go Again ...

[farrellj]

I don't care how many pieces of malware are created aimed at Windows, Linux, MacOS or other flavours of Unix...the result that speaks for itself is that every year that they have had a hacker competition to see who can compromise and root a system where they compared Windows, Linux and MacOS, each of which has been secured by native experts...Windows has *always* been compromised, and I think it was always the *first* one compromised. MacOS, when it was compromised was second, and Linux was either the last compromised, but most of the time it stood up to all the punishment and remained secure.

So numbers really don't matter, it's how well it can survive in the wild that counts!

ttyl
          Farrell

Re:Here We Go Again ...

[farrellj]

One correction...one year, the Mac was compromised first.

Re:Here We Go Again ...

[mysidia]

I don't buy this reasoning. Malware writers would quite happily release malware for OSX if they could make it work. Just look back 20yrs ago

Invisible/deceptive malware is directly against the Apple Human Interface design Guidelines. And developers targetting OS X are extremely respectful of Apple's application design rules.

Re:Here We Go Again ...

[mysidia]

Yeah, Macs are so secure that they were the first to fall at Pwn2Own for five years in a row.

Macs presented a challenge, and are highly desirable to own, so it's no surprise that security researchers concentrated efforts on pwn1ng them, so they could walk away with the coolest toy participating in Pwn2own

In other words... it's a contest that tends to select a predictable result every time: whichever the platform is most desirable hardware, as far as the participants are concerned.

So the contest wasn't objective. It would be objective if they had offered the same reward (e.g. $5k cash), regardless of which platform was successfully pwned by the contestant.

Re:Here We Go Again ...

[Divebus]

Hmmm...

1) Hacker sets up server with a big trap door
2) Hacker takes the machine he wants to win and drives the browser through the big trap door
3) Hacker willingly executes the instructions he set up in the big trap door
4) Hacker wins a new MacBook Pro

That doesn't sound like a random attack in the wild to me. Compare that to MS servers sitting in a room somewhere minding their own business with absolutely no human interaction. They get hacked if you just wait long enough.

"Click Here to See the Dancing Monkeys" is self inflicted "hacking".

Re:Here We Go Again ...

[chthon]

And malware for Mac, I had to remove some in 1990 and 1991.

Re:Here We Go Again ...

[LO0G]

To be fair, Lockheed-Martin was hacked because they depended on a 3rd party (RSA) for a critical part of their security infrastructure.

When RSA subsequently had a massive data compromise, instead of letting their customers know what happened, they downplayed the ramifications of the breach. And RSA just won a pwnie for their efforts.

Not that that changes your response in any significant way.

Re:Here We Go Again ...

[Your.Master]

You get $10k per target, which substantially exceeds the machine price, so while it's not perfectly objective it's not that far out of whack.

I do find this argument funny because it's essentially identical to the argument "Windows Exploits are more common because so many more people have Windows and therefore it's more rewarding to exploit Windows".

Re:Here We Go Again ...

[LO0G]

Actually, *every* year, the Mac was compromised first.

Re:Here We Go Again ...

[stms]

Your argument presumes that people usually buy things for logical reasons and that when people make logical arguments they usually do it logically and for logical reasons. None of which is true.

Re:Here We Go Again ...

[iserlohn]

Microsoft has some very dirty laundry in this area, and the GP just wanted to point out the similarities between those cases, and this specific case.

That's my objective reading of this thread, of course, you are free to add your own bias.

Re:Here We Go Again ...

[benjymouse]

Try a contest where the first person to break *any* system gets $10.000 or $15.000. Then you have pwn2own. And then you'll see that the attackers attack the system they believe most vulnerable first. Or they risk someone else does it. What you'd rather have, a MB pro + $5000 or a HP/Dell + $15.000?

Re:Here We Go Again ...

[oztiks]

I don't know whats worse. Microsoft's propaganda machine or Apple's "sweep it under the carpet" regime.

Re:Here We Go Again ...

[ozmanjusri]

I don't know about iSec, but McMillan/IDG have a long history of being cosy with Microsoft, both financially, with product placement, and with repeating Microsoft PR stories. It's not exactly secret - just Google it.

Re:Here We Go Again ...

[Gadget_Guy]

That's my objective reading of this thread, of course, you are free to add your own bias.

I'm going to assume that this is a joke, although on Slashdot you can never quite tell!

It would make a good signature, though!

Re:Here We Go Again ...

[TheRaven64]

Wasnt there a story some months back about a PDF that could launch arbitrary code on all 3 common platforms (OSX, Linux, Windows)?

Only if you used Adobe's PDF reader. Given its security track record, you'd have to be crazy to do so. On OS X, the default PDF reader is Preview, which ships with the OS. On *NIX, there's typically some xpdf derivative like Evince. Windows is the only platform where the majority of users put up with Adobe Reader for PDFs.

It's like saying that a vulnerability in bash works on Windows, Linux, and OS X. Sure, you can run bash on Windows - I did for a while - but it's not something that most users do.

Re:Here We Go Again ...

[Gadget_Guy]

Tell you what, why don't you google it and provide us with the appropriate link showing a financial link since you are the one making the allegation. Repeating press releases doesn't count, because that is why companies write press releases. If that is corruption, then all companies are doing it wrong.

Re:Here We Go Again ...

[TheRaven64]

Competition. If you put a Windows machine in a botnet, then it will be being attacked by those other 3 million malwares, and you may lose it. Insecure machines are probably already compromised, so you have a harder job because whatever malware is installed will be fighting you. In contrast, if you write a successful Mac worm, then that gives you a botnet comprising almost 10% of the total computers online with no competition.

Re:Here We Go Again ...

[hairyfeet]

Uhhh...tell me how EXACTLY telling the equivalent of "water is wet" a MSFT propaganda piece? You sir might want to read this article on OSNews by the title of OS X - Safe, Yet Horribly Insecure or is OSNews MSFT propaganda? it points out the Apple implementations of serveral technologies, when it has them, simply aren't up to snuff. Technologies such as DEP and ASLR either are not implemented or are implemented poorly.

Now Apple was able to get away with that with relative impunity simple because they weren't worth the effort as malware writers like most criminals are a lazy sort of creature and will ALWAYS go for the biggest bang for the least work. It is like that old saying, you rob banks because that is where the money is. You attack Windows because it has been trivially easy to get little Suzy to run your "LOL_Kittehs.screensaver.exe" trojan nasty.

Is this REALLY so surprising? It isn't like any of the other OSes have held up very well when being targeted either. On OSX you had MacDefender followed by MacGuardian which caused Apple to give their infamous order to the Applecare guys "Do NOT say the word Malware and do NOT help those....people!" and on the Linux side we've seen Android pounded pretty regularly as well as the KDELook screensaver bug someone put out for shits and giggles awhile back, as well as this article that shows how trivial it is to infect Linux if you get the user to help you which is how nearly all modern nasties spread nowadays.

So why hasn't Linux and OSX been pounded before now? it ain't brain surgery folks it is because it just wasn't worth the effort for sub double digit userbases. And before some Linux fanboi trots out the old "but but but...Linux is used on servers!" I would point out you don't see Linux admins running "LOL_Kitteh.Screensaver.py" and if you do they should be given a nice white jacket and placed somewhere where they can't hurt anyone. We are talking DESKTOPS, not servers, routers, your toaster, or your remote controlled Linux thermostat. DESKTOPS are were the money is at for malware writers, because they have nice fat broadband connections they don't monitor for shit, they are MUCH more likely to be clueless about best security practices, much more likely to run funny software from the net if you wave a cookie in front of them, etc. it is simply easy money whereas grizzled non-sociable Linux admins don't play that.

So saying Windows is targeted because that is where the money is at is no different than saying the sky is blue and water is wet. If you want an easy target grandma on WinXP is about as easy as you can get. to their credit someone at MSFT FINALLY got hit with the clue stick and the whole "Hey lets all run as admins!" bullshit finally died with Vista, and now that I've switched the majority of my customers and family to Windows 7 I've seen infection rates go waaaaaay down. Did I magically give them a brain transplant? did my years of bashing my head against the wall trying to teach them best security practices FINALLY get through their heads? oh hell no! It is the fact MSFT makes the default a regular user now and has tech like ASLR, DEP, file and registry virtualization, and you can even do as I did and add SEHOP from Server 2K8 to Windows 7 to lock it down even tighter. this with a good sandboxing AV like Comodo or Avast free and we finally have a decent OS that is pretty locked down.

Now that Windows will be getting harder as XP is replaced by 7 it will be OSX's turn to start to worry. Apple being hip has gotten through to some who saw after MacDefender there is money there, and like blood in the water to sharks they WILL come.

Re:Here We Go Again ...

[Cato]

"Only 19% of Internet web servers are running Windows but they are the source of essentially all malware."

Absolute rubbish - JavaScript and iframe infections (often used to serve drive-by downloads of malware) affect all web servers, and often only require a stolen FTP password to work, or a PHP app with a security hole. The majority of web servers are still Linux, and that's where the the majority of web app served malware is.

This is often not Linux's fault - if the user has an FTP password saved on their Windows FTP client and that gets stolen, for example. If it's a web app vulnerability it's sometimes OS independent, but in some cases Linux features like /proc/environ are used as part of the exploit.

Re:Here We Go Again ...

[Joce640k]

The story came out a few hours ago and you want documented evidence now?

Microsoft has a loooong history of astroturfing, starting fake grass roots campaigns, etc.

OTOH, yes. There's a reason Macs don't have viruses and it's not because Macs are more secure, it's because there's no need for them in botnets yet (there's no shortage of Windows machines in sight so why go to the bother of coding for Mac...?)

Re:Here We Go Again ...

[AmiMoJo]

You are implying that Macs must be more secure then, but that doesn't stack up either. Most viruses for Windows are trojans because Windows 7 is well protected against drive-by infections, and there are several browsers to contend with (IE7/8/9, Firefox 3/4, Chrome, Safari).

If they can trick a Windows user into clicking through all the warnings and entering their password to install some malware then they can trick a Mac user too. Your argument about Amiga and Atari viruses misses an important point: Back then viruses were written for the lulz, these days they are written for profit. Businesses respond to demand, and Mac OS only represents 7.4% of the market.

Re:Here We Go Again ...

[AmiMoJo]

The work needed to target MacOS is probably more than 2x because there are still plenty of XP machines out there which are an easy target compared to Vista and 7. IE9 doesn't support XP either, but is a critical update for Vista and 7 users.

One other point people seem to be missing is that the majority of Windows viruses are trojans, i.e. they trick the user into installing them. There is no reason why that would be less effective on Mac users.

Re:Here We Go Again ...

[rtfa-troll]

• The story is stupid;
• the story is put up by an organisation which regularly fronts for Microsoft;
• the story matches Microsoft's style
• Microsoft puts up such stories regularly
• Microsoft hides it's astro-turfing regularly

This is certainly not enough to get a conviction in a court of law, but it's definitely "evidence" Let's have a look at one of the sentences.

Macs provide good protection against the initial phases of the attack, but once the bad guys are on the network, it's a whole different story. "They're pretty good for [protecting from] remote exploitation," Stamos said. "[But] once you install OS X server you're toast."

This is a standard "dog whistle" for the non-technical / security afraid. Notice that the paragraph structure completely negates the information structure. OS X server has nothing to do with whether the bad guys are local or remote. To me or you this sounds like two different bits of information. A) there's some local exploit (which isn't backed up in the article) and B) OS X server is vulnerable. To the target audience, who know that networks are dangerous this translates as:

If you connect your OS X laptop to a network it's toast.

This is a typical Microsoft non sequitur and in it's self is "evidence"

Now it's clear, we don't have enough "evidence" to secure a criminal conviction. Even a civil case, "on the balance of probabilities" would be difficult against Microsoft's highly paid lawyers and a less than fully technical jury. However, we have evidence and even if, as it could be in theory this is just a copycat article, you know and I know that most such communication is paid for by Microsoft.

Re:Here We Go Again ...

[Gaygirlie]

One other point people seem to be missing is that the majority of Windows viruses are trojans, i.e. they trick the user into installing them. There is no reason why that would be less effective on Mac users.

To be honest, I believe THIS is the whole truth here: more-or-less all current viruses and malware are installed because the user does something to install them. Like e.g. planting a payload inside a pirated game or application is quite popular, works well, and it's totally and completely the user who is at fault. Not the OS. There is NO OS to date that can protect against that. No Linux, no OSX, no Windows.

Re:Here We Go Again ...

[dkf]

Reading up on Pwn2Own results, and reading the security update notes on major browsers / flash / acrobat would prove really informative. Most of the viruses Ive seen are not from incompetent users.

In Lion all those are now separated into independent processes and sandboxed. Should make things a lot more secure.

Ought to make Safari more stable too, since the suck that is flash will be less coupled to the rest of the browser. Even without the improvement in security, that's still a Good Thing.

Re:Here We Go Again ...

[dkf]

do mac users use adobe reader instead of preview?

I've never seen one who does; preview's a decent PDF viewer (and does other things too such as image viewing). I don't know if it supports all the features of Acrobat Reader, but being without the "run arbitrary javascript without any attempt at safety" feature is Just Fine With Me.

Re:Here We Go Again ...

[mikael_j]

Yeah, sure, MacDefender was a big nasty thing that required you to install it yourself, ooooh scary...

And yes, it required several "ok" clicks as well as the user inputting his/her admin password for the machine. Classic trojan behavior.

I actually stumbled upon a MacDefender "downloader site", do you know what it did? It showed a website that looked vaguely like a Finder window with a small "ZOMG VIRUSESSES!!!!11one" popup in the middle while it forced a download of the installer. Had I then actually run the installer it would still have required me to actively install MacDefender. Yeah, it's still malware but those making this out to be some elaborate technical super-virus need to have their heads checked, it's a simple trojan.

Re:Here We Go Again ...

[CheerfulMacFanboy]

Yeah, Macs are so secure that they were the first to fall at Pwn2Own for five years in a row.

That's because you need 0-days to win Pwn2Own. One that hasn't been discovered (and exploited) yet by somebody else before the day of Pwn2Own.

Re:Here We Go Again ...

[mikael_j]

And also the first to be attacked. The contest isn't a simultaneous attack on all platforms, it is done sequentially with OS X being the first in line (and thus the first to fall). It's like claiming Joe is more bullet-proof than Jim because the gunman shot Jim first...

Re:Here We Go Again ...

[VGPowerlord]

Only if you used Adobe's PDF reader. Given its security track record, you'd have to be crazy to do so. On OS X, the default PDF reader is Preview, which ships with the OS. On *NIX, there's typically some xpdf derivative like Evince. Windows is the only platform where the majority of users put up with Adobe Reader for PDFs.

...and here's where the "monopoly" card bites Microsoft. They can't include a (different) PDF reader with the OS, because if they did, Adobe would sue them for anti-competitive behavior.

Hell, the threat of anti-competitive lawsuits from Symantec keep Microsoft from shipping their own (already written) anti-virus with the OS!

Re:Here We Go Again ...

[Lumpy]

If you were doing it would you go after the Crap $800 dell running windows or the juicy $1600 Macbook Pro.

Get a clue as to how Pwn2Own works.

Re:Here We Go Again ...

[tgd]

You're puzzled who might be behind the propoganda because, perhaps, its not propoganda.

The fact of the matter is, if you are creating a targeted attack on a system, you don't care in the slightest what platform its on -- you are going to hand craft the attack for your specific target using no matter what vectors you have to. Look at Stuxnet as an example.

If you are creating a generic attack, where the value is in numbers, not in a specific target (stealing people's financial information, creating a spambot network, etc) you want to target the biggest pool of potential victims. Thats a pretty simple calculus to do. If you've got some reason to believe that you can get 10% of users to take an action that compromises their security and gets you your vector of attack, are you going to focus on 10% of 40m or 10% of 800m people? Odds are there are usable vectors of attack on both platforms, but the odds are a lot higher you'll have a substantial return on investment if you target the pool that is 10-20x bigger, unless you've got some reason to think you can target 90% of the small pool and only 2% of the large pool. (And, Mac elitism aside, I think the percentage of really dumb users is even across all the OS platforms -- *including* Linux).

Re:Here We Go Again ...

[tgd]

The numbers don't work out as well as you think. If you've got a pool of, say, a half million Linksys routers to target, some percentage of which are vulnerable, or a pool of 500m installed XP systems, some percentage of which are vulnerable, you're a lot better off focusing on XP than a Linksys router. (And the numbers for any given model of a router aren't anywhere near that when you count firmware and hardware revision changes.)

Plus, if you target a router (a $50 device with a slow CPU) you have high odds that whatever you're doing will cause a noticable degradation of the services from that device and its cheap to replace. If you use a small sliver of processing on a PC, its a) expensive to replace and b) less likely to be noticed.

Plus, there isn't economically usable data on a router. You can't easily MitM SSL, there aren't passwords or bank records, there aren't browser windows you can scrape data from or add proxies to.

And, if you think Malware is only a Microsoft problem, you are clearly not even peripherally associated with the infosec industry.

Re:Here We Go Again ...

[Merk42]

So any time anyone says anything bad about Mac, it's astroturfing from Microsoft? Gotcha. Better let the people here know too.

Re:Here We Go Again ...

[Rockoon]

We know for certain that OS/X is not secure, that there are in fact (A) unpatched local privilege escalation vulnerabilities, and (B) Safari is vulnerable to drive by code execution initiated by simply loading a web page.

Combine these two, and the conclusion that "Macs are only secure because they are less popular" is most certainly true.

Going further, Apple is also incapable of protecting iOS in spite of their extensive efforts to lock it down, that it too is vulnerable to drive-byes that will entirely root the thing (considered a feature by many, since they hate the Apple lock-down)

A citation for (A) is here and a quick search reveals that this vulnerability was known at least 5 years ago yet is still unpatched.
A citation for (B) isnt needed. The latest patch for Safari fixed 47 known drive-by remote code execution exploits, the patch before that fixed 57 known drive-by remote code execution exploits.

Re:Here We Go Again ...

[CheerfulMacFanboy]

So I'm puzzled about who might be behind all this "MS is only attacked because it's so popular" propaganda

Might have something to do with the fact that the first machine to fall at Pwn2Own since its inception in 2007 has been a Mac, every time. (2011 Pwn2Own writeup)

The magic word is "Zero-Day". If you find 10 exploits for Windows a month before Pwn2Own, chances are high every single one of them have been exploited by somebody else the day of the contest - meaning you can't win with them. While Charlie Miller will dig out something he has found for last years contest, but nobody else did in the meantime.

So yeah, the fact that Macs keep "winning" Pwn2Own proves that Windows is attacked more. Not that its safer.

Re:Here We Go Again ...

[Rockoon]

Apparently there is a Router/Modem Botnet that you are fucking clueless about.

Clueless people should not open their mouths about the very subjects that they are clueless about.

Re:Here We Go Again ...

[MobileTatsu-NJG]

Routers, webservers, etc don't have a human driving them. Think about it.

Re:Here We Go Again ...

[CheerfulMacFanboy]

Try a contest where the first person to break *any* system gets $10.000 or $15.000. Then you have pwn2own.

Try a contest where you can crack a system with an exploit that isn't 0day. Then you'd have something more real world - but not Pwn2Own.

Re:Here We Go Again ...

[Xest]

"You're puzzled who might be behind the propoganda because, perhaps, its not propoganda."

Exactly. I'm suprised the GP is so puzzled trying to find the mystical actor behind rumours that can't quite possibly true, whilst missing the more realistic, and most sane explanation- that the rumour is in fact true.

I don't know why it's so difficult to grasp. When the iPhone was the most popular smartphone platform for a while it was also getting the most vulnerabilities and exploits against it, now Android is.

It's not really rocket science, attackers will go where there's most to be gained from the attack, and that's often the platform with the most users.

Arguing against this, and saying there most be some secret actor working covertly to spread a rumour, for some unspecified gain which even the GP himself can't even figure out is irrational. It's the same mindset that people use to convince themselves that evolution can't possibly be real because they don't like the sound of god not being part of the cause of the living things on our planet, and so just insist there's something else, they just can't explain who or what that something else is when pressed- all they've decided is that the science led explanation is wrong and that's all there is to it.

It's Occam's Razor, there doesn't need to be some fantasy actor behind it all with unknown subversive goals, it could simply just be the truth instead. Why go searching for a conspiracy theory when a far more explainable, perfectly feasible, but most importantly, much more simple explanation is sat right in front of you?

Re:Here We Go Again ...

[dbIII]

You again? Who do you think sets the devices up in their homes or workplaces - mice?

Re:Here We Go Again ...

[LordLimecat]

You seem not to understand what you have to do in Pwn2Own. You have to gain full "arbitrary code execution" and "filesystem access" rights on the system being attacked with nothing more than a link. No user interaction except for clicking a link is allowed.

Read the quoted example again-- your numbers "2" and "3" are notably absent. You arent allowed to have the user run .dmg files or .sh files; that would sort of defeat the entire purpose of Pwn2Own.

That is, if they added one of these sorts of links to google's AdWords, they could begin infecting Macs immediately.

Compare that to MS servers sitting in a room somewhere minding their own business with absolutely no human interaction. They get hacked if you just wait long enough.

Er, thats utterly untrue. All of Microsoft.coms stuff runs on Windows; all their email on Exchange.
It is not possible to just "hack" a Windows server, unless you count bruteforcing a completely unsecured server running with a weak password and Remote Desktop enabled (which it is not, by default). Depending on your windows edition, the first step you are instructed to do is "secure your system", and until you click "OK", all incoming ports are blocked.

You really have absolutely no idea what you're talking about; can you please explain to me how youre going to hack Windows servers with no interaction whatsoever, and RDP disabled?

Re:Here We Go Again ...

[LordLimecat]

If you were doing it would you go after the Crap $800 dell running windows or the juicy $1600 Macbook Pro.

That was the ENTIRE point of my post. It was sort of an analogy, if you will-- Imagine the windows marketshare as the juicy Macbook Pro. Which are you going to target, as a hacker? Which will you spend all of your time trying to get?

And the second point I was making is that when Mac share becomes big enough, it doesnt seem like it will be an issue to exploit macs.

Re:Here We Go Again ...

[LordLimecat]

So yeah, the fact that Macs keep "winning" Pwn2Own proves that Windows is attacked more. Not that its safer.

A LARGE majority of the attacks on windows are from 3rd party, cross platform browser plugins. Explain to me why Mac would be safer than windows, this being the case.

Re:Here We Go Again ...

[dbIII]

if you think Malware is only a Microsoft problem

I was under the impression that different methods are used to crack into other platforms at the moment such as external attacks instead of invited in malware.

Re:Here We Go Again ...

[LordLimecat]

That may be; time will tell. But I remain convinced that whether or not it is slightly harder to hack an OS becomes irrelevant when there is money involved; the most important thing is to have least-privilege in place so the resulting infection is easier to clean.

Re:Here We Go Again ...

[LordLimecat]

Thats fine, and not terribly suprising. Win7 is two years old, to tell me that a OS that is less than a month old has newer and better features is what one would expect.

You misunderstand me if you think I am saying OSX sucks (though I certainly am not willing to pay the premium for it); Im saying that I dont think Windows is anywhere near as awful as people are trying to paint it, and that with enough incentive the Mac viruses will start rolling out. However clever the OSX coders were, they made some mistakes, and somewhere out there are blackhats every bit as clever focused on trying to find holes in the most popular systems.

Re:Here We Go Again ...

[LordLimecat]

. They can't include a (different) PDF reader with the OS, because if they did, Adobe would sue them for anti-competitive behavior.

I believe they could, if it werent their own. Im sure they could include Foxit, but it will never happen.

Re:Here We Go Again ...

[s122604]

If you were doing it would you go after the Crap $800 dell running windows or the juicy $1600 Macbook Pro.

Considering the cash prize in the competition is several thousand dollars, enough to buy the nicest computer of my choosing, (or a used car or whatever), I'd go after the one that could be hacked the quickest..

Re:Here We Go Again ...

[obijuanvaldez]

I think you have missed the point as well. WrongSizeGlass was not saying that Macs are secure because they are less prevalent but rather they are less vulnerable because they are less prevalent. You seem to be conflating the two concepts of vulnerability and security. Vulnerability is the possibility of attack and security is how well such an attack may be thwarted. Attacking more prevalent systems provides a much greater reward of exploit. This makes the most popular operating system far more vulnerable, that is more likely to be attacked, regardless of whether or not it is more or less secure than any other.

The real canard here is what WrongSizeGlass alluded to: the notion that Macs are less vulnerable because they are more secure. They could be more secure, but they are less vulnerable because they are less prevalent.

Re:Here We Go Again ...

[MobileTatsu-NJG]

Hey, you worked out how to use a question mark! Very nice!

Still, though, you skipped the 'think about it' part. In the context of malware, do you really not see the difference between a one-time install and a machine where somebody browses the web all day?

Re:Here We Go Again ...

[CharlyFoxtrot]

Lion also has all new privilege separation framework to help with that. From the Siracusa review :

"The idea is to break up a complex application into individual processes, each of which requires only the few entitlements necessary to perform a specific subset of the application's total capabilities.
[...]
Another example from Lion is the Preview application, which completely isolates the PDF parsing code (another historic source of exploits) from all access to the file system."

Together with the sandboxing it sounds pretty robust though time will have to tell.

Re:Here We Go Again ...

[scamper_22]

"If the user is willing to do anything the app or websites tells them to, well, you can't protect them."

This is simply not true. It might involve removing freedom and capability from the user, but it certainly can be done.

A few months back I had to clean up my mother's laptop because some malicious website said it had detected a virus she had to 'click' here to install their virus cleaner. Eventually I cleaned it up.

After, I told her never to install anything. She gave me this weird look and asked why would it let me install something dangerous?

At it's most basic, an OS could certainly do this. It could have a list of verified binaries it can run or only allow applications to be installed via an 'app-store' and you 'trust' the OS company to make sure things are on the up and up. There are various things that could be done in terms of application rights management.

For example, one nasty malicious attack I saw on Windows was one that actually replaced the network stack. Now this is certainly not a common operation. Why does the OS allow you to replace the network stack... even under 'admin' permissions. You should have to jump through another loop to replace such system level functionality. Maybe enter a 'system admin' mode.

There's simply a heck of a lot OS can do to protect users. These don't come without tradeoffs mind you, but a lot more can be done.

Re:Here We Go Again ...

[CptNerd]

And still no one is taking advantage of the ease of exploitation.

Re:Here We Go Again ...

[dbIII]

Look kid, I don't care if your life is so empty that you crave attention like last time. Just go troll somebody else instead of following me around.

Re:Here We Go Again ...

[CharlyFoxtrot]

I agree, nothing is 100% secure bugs are found in all operating systems all the time including the ones considered most secure. But of course that shouldn't prevent OS vendors from implementing modern security measures and Apple is keeping up with the latest trends, better securing most of the programs you mentioned (at least the Apple ones.) Windows has by all accounts made great strides in the security area recently, it'd be a shame to have OSX fall behind.

Re:Here We Go Again ...

[stewbacca]

You and I are smart and understand going after rich people would make more sense, but that's also why we aren't criminals. Criminals are dumb. I've read on here many times that most property crime occurs in poor neighborhoods, not rich ones. Criminals are too lazy to drive a few blocks I guess?

Re:Here We Go Again ...

[CheerfulMacFanboy]

A citation for (A) is here and a quick search reveals that this vulnerability was known at least 5 years ago yet is still unpatched.

I'll see your LMGTFY and raise you a "simply click a link on the same fucking page" to read "Vendor updates are available." And it has been available the very day this citation was written. And if you actually read the results instead of just looking at dates: that's a completely unrelated vulnerability, also long been fixed.

Re:Here We Go Again ...

[CheerfulMacFanboy]

So yeah, the fact that Macs keep "winning" Pwn2Own proves that Windows is attacked more. Not that its safer.

A LARGE majority of the attacks on windows are from 3rd party, cross platform browser plugins. Explain to me why Mac would be safer than windows, this being the case.

So your argument is that Macs are unsafe because they allow you to run Flash? Sure, as long as you stop complaining when Steve Jobs says how buggy and unsafe Flash is. Big chance, ehh?

But even if we talk about those attacks: not only don't they make Macs more vulnerable than Windows, they are also still only exploited with attacks aimed at Windows, even if they could be used against Macs (not all vulnerabilities in cross-platform browser plugins are also cross-platform - and by that I mean few are).

Re:Here We Go Again ...

[MobileTatsu-NJG]

Ah, you got my point. Thank you and have a good weekend.

Re:Here We Go Again ...

[Just+Some+Guy]

Why double your efforts to increase your pool of potential victims by only ~10%?

So that you have own 100% of that 10% market share instead of 1/1000th of the 90%.

Re:Here We Go Again ...

[UnknowingFool]

I don't about why MS doesn't include PDF reader as part of the OS historically but I know Apple paid Adobe so that they could incorporate it in OS X. Maybe money may have been the reason.

Re:Here We Go Again ...

[aristotle-dude]

Wash. Rinse Repeat.

Macs aren't as vulnerable because they don't have a big enough footprint so they aren't stumbling upon the infected sites or aren't being targeted directly. Windows, including Windows 7, is still more prevalent and more vulnerable.

How many times are we going to get the same stories? If the user is willing to do anything the app or websites tells them to, well, you can't protect them.

Yes, wash, rinse repeat is quite apt for this situation because I have heard that same excuse over and over again.

The article is talking about remote exploit vulnerability and how OS X is hardened against it to a greater degree than Windows for example out of the box. This attribute of OS X has nothing to do with how much or little marketshare it has. Also, the local security model has nothing to do with marketshare.

Re:Here We Go Again ...

[UnknowingFool]

Two things about the contest which skews your logic: the target machines are not tested in a race contest. It is turn based. So the first machine compromised doesn't mean it is the most insecure. Time to compromise is a better metric. Second, incentives skew the selection of which machine is selected first. Hence the name Pwn2Own. Now if the contest was changed to where it was a race and the winner got to select the prize, the results might be more interesting.

Re:Here We Go Again ...

[hairyfeet]

You DO realize that by your very own description that the VAST majority of Windows bugs "don't count" either? You see this is what I've always found funny about the Apple RDF, I mean here you are basically saying "If the user interacts, it don't count!". Well guess what friend? AV2xxx? User interaction. Security Tool and its variants? User Interaction. in fact I can't even remember when the last time I saw a drive by that actually infected a system because it is easier to get the user to do it through social engineering.

So if you are gonna go by that definition at least be consistent because by that definition Windows doesn't have any viruses either. or would that mean you'd have to "Think different"?

Re:Here We Go Again ...

[Ash-Fox]

And still no one is taking advantage of the ease of exploitation.

I feel this comic sums it up quite well.

Re:Here We Go Again ...

[toadlife]

The client applications that *access* those ERP systems run on Windows.

Re:Here We Go Again ...

[LordLimecat]

So your argument is that Macs are unsafe because they allow you to run Flash? Sure, as long as you stop complaining when Steve Jobs says how buggy and unsafe Flash is. Big chance, ehh?

So long as people blame Windows for Adobe's vulnerabilities, I will continue to point out that thats neither Microsoft's fault nor an area where Macs are safer.

Re:Here We Go Again ...

[1729]

Keep telling yourself that lie. I have a master in Mathematics with focus in Computer Aided Applied Mathematics and have been a long time member of MAA, ACM and IEEE but I never see a Mac unless I sneak over to the School of Business to have lunch with a colleague of mine

Good for you, AC. Now, how much time have you spent in the national labs? My experience is that among the physicists and computer scientists, a large majority use Macs, almost all of the rest use Linux boxes, and an almost negligible number use Windows. (On the desktop, that is; our supercomputers either run Linux or special purpose, stripped-down Linux-like kernels like IBM's CNK.)

Re:Here We Go Again ...

[mikael_j]

I never said that random Windows trojans are any nastier than MacDefender, I just don't understand why a trojan for OS X gets a shitload of media attention and "ZOMG DANGER!!1" reactions while no one even mentions trojans for Windows.

That a program can do bad things is hardly news, especially if it's a program the user just gave root/admin privileges to. Yet somehow even "geeky" websites went on about MacDefender like it was an advanced next-gen piece of malware, it was just a trojan with a few clever tricks to make the installer auto-download if the user was running Safari. I've seen plenty of those for Windows and I'd hardly consider them major threats.

Re:Here We Go Again ...

[dave87656]

If the user is willing to do anything the app or websites tells them to, well, you can't protect them.

True, but the fact remains that Windows backward compatibility with older Windows Apps makes it more open to attacks. Windows was a single user system essentially forced to me multi-tasking. Even WNT tried to remain compatible with drivers and software which followed this model. There has been some great end-user software for this. But, as a operating system. it is just plain less secure than a system which started out as a multi-user, protected OS and was adapted for a PC.

Windows has its advantages but security is not one of them.

Re:Here We Go Again ...

[Wovel]

Absolutely, and private defense contractors. Not t mention more of the systems mentioned in the GP run on Linux then Widows (In large enterprises).

Re:Here We Go Again ...

[Kalriath]

4) Hacker wins a new MacBook Pro

That doesn't sound like a random attack in the wild to me. Compare that to MS servers sitting in a room somewhere minding their own business with absolutely no human interaction. They get hacked if you just wait long enough

microsoft.com is a gigantic Sharepoint installation, and I think I've seen that get hacked a grand total of ONCE, ever.

Re:Here We Go Again ...

[Kalriath]

I actually stumbled upon a MacDefender "downloader site", do you know what it did? It showed a website that looked vaguely like a Finder window with a small "ZOMG VIRUSESSES!!!!11one" popup in the middle while it forced a download of the installer. Had I then actually run the installer it would still have required me to actively install MacDefender. Yeah, it's still malware but those making this out to be some elaborate technical super-virus need to have their heads checked, it's a simple trojan.

Dude, that's exactly how all the Windows trojans get installed too. Except they use Explorer windows or animated GIFs of Windows Defender showing viruses.

Re:Here We Go Again ...

[Kalriath]

Nah, they'd get sued by Adobe for not including theirs.

Remember, Microsoft are a popular target for lawsuits. If I recall correctly around the Vista release they had to re-introduce a defect in the Windows Kernel just because Symantec were using that defect to hook up their anti-virus and was threatening to sue because they fixed it.

Re:Here We Go Again ...

[jo_ham]

Amusing that your own links contradict you.

I assume you were hoping people would't actually follow them, and just put more stock in your comments because you have a link (a link to something that doesn't support your argument, but still).

Re:Here We Go Again ...

[jo_ham]

Nice troll attempt.

In my university setting (chemistry and chemical engineering), about 40% of the computers in lecturers' and researchers' offices are Macs, the rest are PCs. I saw one SGI machine, but I think it was holding up a book case.

 

Re:Here We Go Again ...

[ToasterMonkey]

1) That old saw about Microsoft being vulnerable because of its market share is hog wash. There were over 3 million viruses and Trojans released last year. Were it a simple matter of market share percentages than about 12% of those would be Linux viruses and another 10-15% would be Mac viruses. But, they are not. Well over 99% of them are Windows viruses. Only 19% of Internet web servers are running Windows but they are the source of essentially all malware.

That is horrible logic, there is no reason to assume malware writers would target operating systems in proportion to their market share, all other things being equal because there is evidence all around you that people don't make decisions that way. People don't invest in countries in proportion to their global standing for example, even among countries of similar caliber.

There's more fish by a wide margin in one lake so everybody goes there to fish, it's very simple.
You're also assuming malware writer's operations are on a scale that fishing in more than one lake at a time is feasible. Who do you think these vermin are...?

Next up, why do online games that allow team switching always wind up with unbalanced teams?

Article is crap

[topham]

"For example, Mac's Keychain software is vulnerable to what's known as a brute-force attack, he said."

Idiot alert, article is crap.

Re:Article is crap

[gumbi+west]

The NSA's guide to security Apples talks about how to make the keychain reasonably secure here. They notably, do not recommend turning it off or using third party software.

Re:Article is crap

[Jerry]

Totally.

Re:Article is crap

[517714]

"They" notably is Apple, not the NSA.

Re:Article is crap

[arkane1234]

Sure... it's a package manager for Debian.

Re:Article is crap

[dgatwood]

Idiot alert, article is crap.

Agreed. If they're talking about an authentication model in the context of mDNS, that's prima facie evidence that they don't know the first thing about Mac OS X... or mDNS. mDNS is:

• Not authenticated at all; it's a multicast service advertisement protocol. The service has security, not the advertisement.
• On Windows, too.
• And on most Linux distros.

And they seem to think Kerberos is insecure. Kerberos is, of course:

• An open, published standard.
• On Windows, too.
• And on Linux.

And the rest of their comments seemed to be about the ability to brute force passwords locally. Yeah. No kidding. You can do this... yup, you guessed it:

• On Windows, too.
• And on Linux.

As far as I can tell, there's basically nothing but pure FUD here, with no real information to back up the rather sweeping generalizations. As they say in Apple developer circles, specifics and Radar number or GTFO.

Besides, access to any machine on a network is generally access to the data flowing across it and the files stored on it. It doesn't really matter how secure the keychain is if half the corporate networks in the world are sending confidential email around in cleartext, sending passwords to web servers in cleartext, etc., and if all the user's email is stored in an unencrypted mail spool file on the hard drive. In the grand scheme of security problems, if you're worried about somebody brute forcing a keychain password, you're either trolling for article views or you've grossly overestimated the security of most corporate infrastructure.

Re:Article is crap

[gumbi+west]

Yep, that one is copyright Apple. Here is NSA's guide to hardening OS X. It does not recommend turning off keychain (though there are several other items it does recommend turning off).

Re:Article is crap

[517714]

It does not mention keychain. I see that as an oversight - not a recommendation of its security. If you assume otherwise, I hope you are not a system administrator.

Re:Article is crap

[dgatwood]

My problem is that the article makes it sound like they've found lots of huge flaws in the way Mac OS X handles passwords, yet it doesn't give even one specific example. It also talks about authentication policies for services that don't even involve authentication. And then it implies that all of these supposed flaws are somehow specific to Mac OS X Server, when none of the things listed are specific to the Server version of Mac OS X (or even specific to Mac OS X, with the exception of Apple Remote Desktop, and even that is, IIRC, at least partially based on the VNC protocol, which isn't specific to Mac OS X).

I'm not saying that these folks haven't legitimately found security problems. I'm saying that the IT World article is pure crap, and with such an appalling information void, I can't even tell if they have found a legitimate problem or not....

Re:Article is crap

[TheRaven64]

Not sure if it's fixed now, but there was a report a few years ago that Apple was doing silly things with the Keychain. It used 128-bit AES, but the way that it used it meant that the effective key length was much shorter. This meant that it was feasible to brute-force the encryption.

Re:Article is crap

[Shag]

It does not mention keychain. I see that as an oversight - not a recommendation of its security.

Did you just imply that the National Security Agency is so bad at its job that when it examines an operating system for vulnerabilities, and writes up instructions on hardening it (which will presumably be used by other government agencies), key things are overlooked?

Re:Article is crap

[datapharmer]

Seriously. I got to that line and closed the tab. If 'it can be brute-force attacked' is the vulnerability then I guess the security is shot on anything that doesn't self destruct after 3 wrong password attempts. This story is my cue to get back to work....

Re:Article is crap

[datapharmer]

....it is an anonymous coward. consider the source.

Re:Article is crap

[517714]

It does not mention putting one's password on a Post-it note on the keyboard, but I hardly conclude that the omission should be considered an endorsement of such an act.

Re:Article is crap

[gumbi+west]

The Apple OS automatically starts using the keychain for lots of stuff. It does not automatically place your passwords on post-its under your keyboard.

Re:Article is crap

[gumbi+west]

Do you have your WPA key memorized, written down next to your laptop, or do you use a keychain?

Sysadmin decides.

[mjwx]

Windows server looked after by a good sysadmin == secure.
Mac server looked after by bad sysadmin == insecure.

As always, it's up to the people running it. Is any OS inherently secure, no, definitely not when there is a complete idiot looking after it.

Re:Sysadmin decides.

[Anubis350]

I'd argue that my car isn't secure, but I'm still going to make sure I lock the door when I park it. There's a difference between perfect, adequate, and "please break into my stuff". In everything.

Re:Sysadmin decides.

[mjwx]

I'd argue that both are closed source and therefor, by definition, their security can not be determined.

I wont argue that, but it is beside the point.

Put an incompetent nincompoop in charge of a Linux server and you should consider it as insecure as the most unpatched NT4 box. Security is done by people, not programs.

Re:Sysadmin decides.

[samkass]

Most of the core MacOS X systems are not closed source. You can download most of them here. It's true that a lot of the GUI is closed source, but if you're talking about a remote exploit, you're probably hitting a lot of open source packages.

Re:Sysadmin decides.

[arkane1234]

You could argue that, but you'd be laughed at since Darwin (OS/X) along with a majority of the daemons (sorry Windows guys, services) aren't closed source.
Careful :)

Re:Sysadmin decides.

[Daniel+Dvorkin]

Windows server looked after by a good sysadmin == secure.
Mac server looked after by bad sysadmin == insecure.

As always, it's up to the people running it. Is any OS inherently secure, no, definitely not when there is a complete idiot looking after it.

Yes, of course. But the relevant question for businesses deciding what kind of server setup to use is, "If this system is looked after by an average sysadmin, how secure will it be relative to our other choices?" Because in real life, no matter how much you tell yourself you only hire top-notch people (or, if you're the sysadmin, tell yourself you're top-notch) most servers and networks are going to have admins who are neither the best nor the worst, but somewhere in the middle.

Re:Sysadmin decides.

[mjwx]

Yes, of course. But the relevant question for businesses deciding what kind of server setup to use is,

Security is a conscious process, it doesn't matter what OS you use as long as that process is kept conscious. Contrary to what Apple and the Security Industry say, no software is inherently secure or more secure then the others, security is entirely dependent on your (the sysadmins) procedures and awareness.

As for which OS for business, that's a decision to be made according to the needs of the business.

"If this system is looked after by an average sysadmin, how secure will it be relative to our other choices?"

There is no such thing as an average sysadmin.

Everyone has different strengths and weaknesses, the good sysadmins identify their own weaknesses. The poor syadmins ignore them. Good sysadmins adapt to changing environments, poor sysadmins change environments to suit them.

Re:Sysadmin decides.

[Daniel+Dvorkin]

There is no such thing as an average sysadmin.

Right. Every sysadmin is a special snowflake. [rolls eyes]

Everyone has different strengths and weaknesses, the good sysadmins identify their own weaknesses. The poor syadmins ignore them. Good sysadmins adapt to changing environments, poor sysadmins change environments to suit them.

All of which is true, none of which changes the fact that in every job, there a few people who are very good at the job, a few who are very bad, and a whole bunch in the middle. Sysadmin work isn't so different from any other technical job as to change this.

Re:Sysadmin decides.

[julesh]

Yes. Of course, stastically, the good sysadmin is more likely than market share would suggest to be running the mac server, because good sysadmins have a tendency to avoid windows wherever possible...

Re:Sysadmin decides.

[mjwx]

Yes. Of course, stastically, the good sysadmin is more likely than market share would suggest to be running the mac server, because good sysadmins have a tendency to avoid windows wherever possible...

A good sysadmin can make anything secure and usable. They literally turn lead into gold (server iron into revenue).

But a good syadmin will avoid Mac because they make it so difficult to do anything useful with them. Want to avoid Windows, he deploys Linux, want an expensive proprietary solution, he'll have the IBM Rep on speed dial, "only another $40K for a system P processor card, a bargain sir".

Only a bad sysadmins are fanboys and make things harder on themselves.

Re:Sysadmin decides.

[mjwx]

Right. Every sysadmin is a special snowflake. [rolls eyes]

You're very good at missing the point.

There are no average sysadmins because you cannot define an average due to the huge number of variables involved.

I'm sorry for not pointing that out, I thought you'd be able to figure it out on your own from the other parts of my post.

All of which is true, none of which changes the fact that in every job, there a few people who are very good at the job, a few who are very bad, and a whole bunch in the middle

In the middle of what?

Is John the Linux sysadmin a bad sysadmin because he doesn't understand FISMO roles yet can configure Sendmail in his sleep. Or Bob the Windows sysadmin bad because he cant even navigate *nix command lines yet understands the deepest, darkest parts of Exchange.

Who is the average sysadmin?

It's a very large field and people have very specialised skillets. Which is why you hire the best man for the job, rather then trying to figure out a median and be happy with it. Yes I know, not everyone does this, but that's their problem.

Re:Sysadmin decides.

[Daniel+Dvorkin]

I get your point fine; I just disagree with it. Yes, sysadmin work is a very large field with specialized skillsets. So are programming, and medicine, and all kinds of other technical fields. Does this mean there's no such thing as an average programmer, or average physician, or what-have-you? I maintain that the traits which make a good X are to be found in a broad range among people who choose any of these careers, with most X's falling in the middle of that range. Yeah, in your example, if you decide on a Windows system, you hire Bob, and if you decide on a *nix system you hire Joe -- but in either case, odds are you're getting someone who's competent, but not particularly brilliant. It makes sense to keep this in mind when making the initial platform decision.

Re:Sysadmin decides.

[mcrbids]

Windows server looked after by a good sysadmin == secure.
Mac server looked after by bad sysadmin == insecure.

The sad part is that much (most?) of being a good sysadmin consists of ensuring that you install security updates regularly. I've been close enough to embarrassing hacks on several servers to know what happened, and all (but one!) have been hacked as a result of a poor update policy. (The last one was due to a weak root password + passwordAuthentication enabled on ssh)

For all my own systems, I demand a strong, default-deny firewall, and (most importantly!) regular, frequent updates. Tools like yum make this easy.

Yes, things like strictly firewalling your systems, moving services only used internally to nonstandard ports, disabling (or never installing) unneeded services, etc. are good ideas and I strongly recommend them all.

But first and foremost, make sure your system is up to date!

Re:Sysadmin decides.

[maxwell+demon]

Put an incompetent nincompoop in charge of a Linux server and you should consider it as insecure as the most unpatched NT4 box. Security is done by people, not programs.

Depends. If the server was well configured before he was put in charge of it, the Linux server might still be safe for quite some time, for the simple fact that he didn't yet find out how to change the settings. :-)

Try the summary

[tepples]

Anonymous Coward wrote:

Can someone explain what apt is, other than the package manager for ubuntu?

The package manager for Debian.

But seriously, if you read the summary, you see that it's referring to advanced persistent threats.

Metasploit

[phantomfive]

Metasploit only has a couple dozen exploits for OSX. On the windows side, it has a search field for Microsoft Security Bulletin ID. Metasploit is the lazy-man's way to hack, if you don't want to go through the trouble of finding your own exploits. That could partly explain the issue.

BSD is generally more secure than Windows

[nzac]

Not quite sure on the definition of an APT. Wikipeida says its generally a foreign state.
I would think that due to core system generally having less holes in it, getting in without user execution would be harder. I don't think it matters in the end as you would still execute something, but .dmg are not instantly ran like exe.

I would also think getting the user to execute malicious code would be significantly harder. Base apple software is generally usable so you don't need to find replacements. People who buy macs because they are macs will go apple for other software and the app store is generally easier to go to than the internet to search for program that you might need. The behaviour of having idiot users searching on the internet for unknown third-party solutions is not encouraged on OSX.

Re:BSD is generally more secure than Windows

[dgatwood]

And Mac OS X explicitly warns you if you are about to open an application downloaded from the Internet. This means that getting someone to run your code requires tricking them (through social engineering) into knowingly launching an application that they've never launched before, as opposed to tricking them into running your code by making it look like a JPEG file of Lindsay Lohan naked or whatever. Maybe Windows 7 does the same thing (I'm not sure), but that was at least historically a big problem on Windows.

Re:BSD is generally more secure than Windows

[Gadget_Guy]

It was Service Pack 2 of Windows XP that added that feature.

Re:BSD is generally more secure than Windows

[LordLimecat]

Windows has done this since time immemorial, and generally makes it a PITA to run any downloaded content.

Re:BSD is generally more secure than Windows

[TheRaven64]

Not the same thing. If you download a file on Windows 95 and have the default of hiding file extensions set, then you can get a .exe with an icon like an image file. You double click on it, expecting it to open in your image editor, and you are now running a trojan. The same was true of OS X until 10.5 (I think, maybe 10.6) - you could get a .app with an icon like an image or some other common file type, double click on it, and be running it. Now, you get a warning telling you that it's an application, telling you where it was downloaded from, and asking whether you really want to run it. If you're expecting an application, you click yes. If you're expecting a picture, you click no.

Re:BSD is generally more secure than Windows

[ljhiller]

Windows has done this since time immemorial, and generally makes it a PITA to run any downloaded content.

You can fix this by editing or deleting the :Zone.Identifier:$DATA alternate data stream of the file. The file loses its internetness.

Re:BSD is generally more secure than Windows

[Ash-Fox]

And Mac OS X explicitly warns you if you are about to open an application downloaded from the Internet.

That's been the case on Windows since XP.

Re:BSD is generally more secure than Windows

[dgatwood]

So why do so many people seem to fall for such tricks anyway? That's what I really don't get.

Re:BSD is generally more secure than Windows

[_0xd0ad]

More specifically: it was NTFS that enabled the feature. The flag is set in the file's metadata. FAT does not support file metadata, so if your hard disk is FAT it wouldn't matter if your OS supported the feature or not. Windows XP installs on a FAT partition by default, so generally, yes, SP2 added the feature to Windows, because that's when they made Internet Explorer set the flag and Windows Explorer check it before launching the file.

Specifically of note: even if your hard disk is NTFS, if you download a file to a FAT external hard drive or USB storage device, it can't store the flag, so you won't get the warning when you execute it.

If your disk is NTFS, you can easily see this feature in action. Execute the following from a command prompt:

cd "%userprofile%\desktop"
echo [ZoneTransfer] > calc.exe:Zone.Identifier
echo ZoneId=3 >> calc.exe:Zone.Identifier
more < calc.exe:Zone.Identifier

After that last line, it should have spit out the contents of the Zone.Identifier stream, so we know it's attached to the file properly. Minimize the command prompt window. There should be an executable file named "calc" on your desktop. It won't have the calculator icon, but that's because it's still empty. Right-click it and view its properties. The first thing you might notice is that, despite the fact that the file has an alternate data stream and we even were able to view its contents, the size of the file is reported to be 0 bytes, even its size on disk. Windows only reports the size of the primary data stream; in fact, you could completely fill up your hard disk with an alternate data stream and Windows would still report that the file was 0 bytes. The second thing you should notice is that there's a "Security" section that says the file might be blocked to help protect your computer. So the data stream you created works. Close the Properties window and go back to your command prompt. Execute the following:

type "%windir%\system32\calc.exe" >> calc.exe

Its normal icon should appear and if you hover over it, it should report a size now (but it still isn't counting the size of the alternate data stream you added). Now try running it. You'll get the security warning indicating that the file was downloaded from the internet. If you click Run (leave the box checked for "Always ask before opening this file"), the normal Windows Calculator app will open. Close it again.

Now, if you have one handy, plug in a USB device that is formatted FAT. Move the executable from your desktop onto the USB device (hold Shift and drag it). Double-click it. It opens, no warning - the metadata stream is gone. Drag it back to the desktop. Now, Windows Explorer caches the ZoneId, and if you run it, you'll still get the security warning. However, it no longer has the Zone.Identifier stream, which can be verified by (a) viewing its properties - the "Security" section is gone, (b) moving it into any other folder, such as My Documents, and running it from there - no security warning, (c) clearing Windows' cache by rebooting your computer or killing the "explorer.exe" process from Task Manger and re-starting it, or (d) executing from the command line again:

more < calc.exe:Zone.Identifier

It will respond with "The system cannot find the file specified."

Finally, regardless of whether or not the file has an alternate data stream, deleting the file will also delete any alternate data streams associated with it, so to clean up after this little adventure just delete the "calc" file from your desktop.

Re:BSD is generally more secure than Windows

[Ash-Fox]

So why do so many people seem to fall for such tricks anyway?

I would recommend reading this research paper to get a better idea on how users think.

Re:BSD is generally more secure than Windows

[dgatwood]

Not much in there has surprised me so far. SSL is something that users probably don't understand. It depresses me greatly, however, to think that the difference between a document and an application is something that users would not understand, which is what would be necessary for that phenomenon to explain people clicking "Continue" or "OK" on a dialog box warning that they are about to open an application downloaded from the Internet for the first time....

One thing that did surprise me greatly, however, was that the "Accept this certificate for this session" and "Accept this certificate permanently" checkboxes translate "Accept this certificate for this session/permanently, even when used for things other than their original purpose". Any rational person would expect the determination of trust in an otherwise untrusted cert to remain in the browser domain where the conditional trust can be evaluated based on usage, not to be pushed up into the SSL layer domain where a cert is either trusted or not in a binary fashion. The very idea that accepting a certificate as trusted for identifying a site and accepting a certificate as trusted for signing other certs is a fairly fundamental failure of the basic design of any app that does this. If such behavior is widespread, then that's just plain appalling. It should require a difficult and deliberate action to trust a new CA cert. I don't just mean clicking "OK" difficult. I mean "Copy the cert into a folder on your hard drive by typing a command in a Terminal window and entering your admin password to sudo" difficult.

once you install OS X server you're toast

[Culture20]

Good News! Apple is taking steps to making that impossible!

Oh boy a new buzzword.

[gumpish]

And one that is already occupied by another term in the realm of IT.

Advanced Persistent Threat, eh?

says that it's often easy to trick someone in any company into installing software that they shouldn't -- the first step in an APT attack.

In many APT attacks, the hackers first break into social media accounts belonging to friends of their victims.

Ugh... really? You couldn't just say "targeted attack"? What about spear-phishing? Too hard to spell? Dipshits.

"Brute-forcing" Keychain shouldn't be necessary...

[jasomill]

...unless we're talking about "unused" Keychain files.

Suppose a desktop Mac has been compromised. Then we can assume, for the purposes of security, that the local Keychain binaries have been compromised. Thus the attacker has free access to the cleartext of any keychain used ("unlocked") on the system. But this is hardly a flaw in Keychain, since it's true, by design, for any credential cache whatsoever.

Re:"Brute-forcing" Keychain shouldn't be necessary

[TheRaven64]

Nope, not true, unless there is a root compromise, rather than a normal user compromise. The keychain daemon runs as root. It communicates with other apps via Mach ports, which let it know the pid and the uid of the process requesting data. It then checks whether that binary has been modified since it last tried to access the keychain, and whether the (user, binary) has access to the specific key, and prompts the user to authorise it if it doesn't. If you find an exploit in Apache, for example, then this does not give you access to the keychains of logged-in users, you also need a root exploit.

So does Windows

[benjymouse]

And Mac OS X explicitly warns you if you are about to open an application downloaded from the Internet. This means that getting someone to run your code requires tricking them (through social engineering) into knowingly launching an application that they've never launched before, as opposed to tricking them into running your code by making it look like a JPEG file of Lindsay Lohan naked or whatever. Maybe Windows 7 does the same thing (I'm not sure), but that was at least historically a big problem on Windows.

In Windows, files downloaded from the internet has the origin written in an alternate datastream. If you execute such a file you get a warning (like in OS X), but then even if you choose to run the executable, it will run with low integrity. Low integrity is part of UAC and sandboxes the process so that it by default has only read access as the current user. Write access (safe a few cache locations) is completely blocked, safe a few safe cache locations. This is a major obstacle for anyone wanting to use a trojan to install malware. He cannot even infect the local user, bar som sandbox escape vulnerability or some more clever social engineering.

Comparison? What comparison?

[goodmanj]

" — and compared how the Mac would do versus Windows 7. "

I was promised a comparison between Mac vs Windows 7. The article totally failed to deliver. Sure, you can hack a Mac. But is it easier or harder than Windows?

I think you're right. Here's why:

[Burz]

The old Mac OS had about 10% market share in the 1990s, and OS X now has 10% market share. But there was was far more malware for the old Mac OS "back in the day". The false equivalency suggesting that differences in system architecture do not matter has worn very thin: Windows adherents ought to stop wearing it like it was a fig leaf.

They have no edges

[andreiolaru]

Macs don't have any edges! They are shiny and smooth.