Apple's Unlikely Security Mentor: Microsoft
snydeq writes "Apple has much to learn about securing an operating system, and it could learn how from Microsoft, Roger Grimes writes in the wake of further evidence that Macs are more vulnerable to attack than Windows machines. 'It's taken Microsoft 10 years to turn security from a weakness into a strength. Apple can use the lessons learned by Microsoft to manage a quick turnaround. Apple has already hired one of Microsoft's former security leaders, Window Snyder, and it has adopted a modified form of Microsoft's Security Development Lifecycle programming practices. Apple has the benefit of seeing how Microsoft fixed its past mistakes.'"
MS is the typical fast follower: let someone else test the market, then jump in and take advantage of the new market while learning from the pioneer's mistakes. Then push big to capture the market and crowd everyone else out. Once you're in, you can expand and improve your product. It's been pretty effective for them over the years.
I'm a consultant - I convert gibberish into cash-flow.
Once Mac was safe, supposedly due to obscurity. Actually it is still reasonably safe when configured right. But Apple will not take Microsoft's path. I really see this leading to the shift from MacOS to iOS in the Macs. Completely locked down and protected by gatekeepers.
Which wouldn't be so bad. It would give Unix/BSD/Linux/GNU a new place to fight for users.
Meanwhile actual hackers, like the guys who won the Pwn2own contests by beating OSX security, now say OSX Lion is more secure than Windows (even though they previously freely admitted Snow Leopard was trailing Windows' latest offering in that department.)
"Both Miller and his co-author in the book The Mac Hacker's Handbook, Dino Dai Zovi of Trail of Bits, said that from a security perspective, Snow Leopard was little better than Leopard, but that Lion is a "significant improvement." Dai Zovi describes the level of security in Lion as "Windows 7 plus plus." Apple hired the inventor of the Bitfrost security system for OLPC, Ivan Krstic, two years ago in an effort to beef up core OS security. Krstic's methods in Bitfrost mirror closely what has now been implemented in Lion."
If all else fails, immortality can always be assured by spectacular error.
There are lots of "security professionals" who actually have very little technical knowledge, let alone technical knowledge specific to security.
Having vague ideas on a process doesn't mean having to hire a particular person.
What's actually going on here, Apple?
Most security professionals (and even famous hackers, like Pwn2Own winners) today acknowledge that Microsoft's security development practices are very good, and so is their latest OS. Everybody who has not devolved into pure fanboyism understands that this can be the case even if they still have a higher volume of issues than Macs have for now.
Could only be better if his last name was "Gaard."
Maybe he loved his work so much that he had his name changed. Which would make him not right in the cranium area.
It is interesting to read the previous Slashdot article about the insecurity of Apple networks. The people pooh-poohing the research all get modded up to +5 and the actual researchers responses never do.
The main point is you cannot secure any version of OSX in an enterprise configuration. With the most recent versions of Windows you can.
It's a she, and her real name is Mwende.
I feel sorry for people that don't drink, because when they get up in the morning, that's as good as they're gonna feel
Am I the only person who finds it odd that a former Microsoft employee is named Window?
Well, if he's going to be named after a Microsoft product, at least, for the most part, Windows is generally successful. Apple never would've hired him if he was named after Microsoft Bob... We all know that Bobs don't make good consultants...
'It's taken Microsoft 10 years to turn security from a weakness into a strength'
Really? A strength? Seriously?
Is that why we got the ping of death back in Vista/Win7/2008 because of a forked TCP stack?....
Because Security is a "Strength" for Microsoft?
Honestly, while security *may* be better [and I'm not sure that's true] at MS, it certainly IS NOT a strength of theirs.
If that's the view of the moron who wrote this - I'll trust everything else written with the same level of massive skepticism. [i.e. It's clear a moron wrote this - so I'll trust everything else in here just as much as I'd trust any other moron.]
The only thing "strong" about windows security is the botnets that grow to 100,000 computers strong
Until MS expunges the litany of windows-running botnets from my inbox I'm not buying that BS. If they can take down the botnets, I'll acknowledge they've taken security seriously from a consumer protection standpoint. They can trot around the ring all day long yelling "We're tough on security now!" and I'll sit back with an "I'll believe it when I see some results" attitude. Put up or shut up. Ya I know, fat chance, but that's my opinion on it.
I work for the Department of Redundancy Department.
With a ten-year head start, Windows still sucks.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
I certainly can't believe that Microsoft had a security leader named "Window".
"Lack of speed can be overcome. In the worst case by patience." --Znork
.. or a hole in the wall.
Considering the phenomenal market share Windows holds in the computer usage domain, no doubt there will be problems. Regardless of whether or not the Windows security model you speak of is broken, its security problems are there for Apple to observe.
The more you know, the more you have to say and the more you should listen.
Broken how?
Her first name is actually Mwende
From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
"Mostly fixed"? Excuse me, but which company just recently made a big ugly hack to at least partially patch the huge security hole caused by stupidity of third-party software vendors whose software without any good reason requires administrator privileges to run?
Look at MS: it has been aggressive at fixing things since XP, even providing free security software. Also look at end users: MS has for the most part been educating end users that they have to take preventive measures to keep their computers safe. Mac users generally think their OS is safe right out of the box. I know I will be called a troll for saying this, but it's a fact, and Leo Laporte (for people who know who that is) pretty much said that, and yes, he uses a Mac most of the time.
You seem a bit confused. The malware you refer to was "scareware" which used social engineering to convince users to install it on their machines. That's not something a PC OS can do much to prevent. It didn't harm the system itself, which is something I'd expect an OS to try to prevent. Apple did end up fixing this for users by releasing software that identified this particular program and recognizable variants and removed them. That's a customer service, not patching a security vulnerability. Different scareware would still work. To date Mac users still haven't been infected by anything harmful other than through user stupidity. I'm not saying that it can't and won't happen or that the Mac OS is invulnerable. It's just that your casting of recent events is wrong. Also, there has been no malware discovered on unjailbroken iOS devices either. You can thank the App Store for that. The 2 situations where you could even jailbreak an iOS device as a web drive-by (version 1.0 and the one reported this summer) have been fixed. What compute device cannot be compromised if it's in the physical possession of the perpetrator?
Umm... Apple? without requiring even a third party software??
oh nos...
Broken how?
For a start:
"Application Helly Kitty Screen Saver wants to: Do crap you don't understand"
Do you press 'OK' or 'Cancel'? (Or whatever buttons Windows puts up in the UAC box, I haven't used it in months)
Really? A strength? Seriously? Is that why we got the ping of death back in Vista/Win7/2008 because of a forked TCP stack?.... Because Security is a "Strength" for Microsoft?
You'll notice a great majority of the exploits are found in old code. They've got quite rigorous security practices now, and their new code is benefiting greatly from it. I don't know if I'd say security is a strength of their products right now, as there's plenty of old code left to exploit. But they're certainly on the path to get there.
So what should Helly (sic) Kitty Screen Saver do as an alternative then? I suppose it could split up the program into two separate processes running with different credentials, just like other programs do to avoid UACs.
But how is some badly written third party software a symptom of a broken security model?
Let's see... The NT family of Windows has full security infrastructure based on user accounts and access privileges. However, that security infrastructure was completely turned off by default when Microsoft decided to merge the WinDOS family into Windows XP so that you could run legacy WinDOS software and software written by idiots without any additional setup. And now, starting with Vista, we've got yet another security infrastructure built on top of the first one which is supposed to emulate access restrictions inside an otherwise unrestricted administrator account. Does that sound like a sane security design to you?
But how is some badly written third party software a symptom of a broken security model?
Because Microsoft has encouraged such behaviour in the past ('sure, feel free to write any old crap in the program files tree'), and now continues to support it so as not to break those badly written applications.
And because UAC messages are absolutely useless in most cases. The most common one seems to be 'Access Hard Disk'. What does that mean? Is it trying to write a config file to its own directory or install a rootkit? How am I supposed to tell?
Exploitable bugs are one thing. Building complete security infrastructure and then basically throwing it out the window and building another much weaker and completely superfluous one on top of it is quite another.
I would press 'Cancel', for sure, considering I've never wanted this "Helly Kitty Screen Saver" to launch.
I get your point, though. Most users would click 'OK' without reading the dialog box (if they haven't already disabled the UAC...)
What do you suggest to prevent those "broken" users to do this?
Make it more annoying by requiring them to type a password, and not allowing them to disable this kind of messages? (Comparable to what Linux does?).
I really can't think of two companies that approach the problem from such different directions:
Don't blame me, I voted for Baltar.
Pardon me if I'm not overwhelmed.
MS: "Yeah, your home is like Fort Knox - no one will break in through the new stuff we built. Mumble mumble mumble"
Me: "What was that mumbling?"
MS: "Well, everything is really secure, except the old stuff - like, you know, the doors and windows. That's old stuff. You can't hold us responsible, even if we built it. Only the new stuff matters and it's like a rock! No one will break in through the roof or walls!"
Me: "Ah, yeah - I feel so much better already!"
Sheesh.
If the new stuff is SO much better, and it's all that old crap code, then go back and fix it. Until then, I'll assume security doesn't matter much to you since while they can't break the "new" code - there's loads of old code that's full of holes. The practical experience is "it's full of holes." I don't much care where they come from.
[And even then, I don't yet buy the "Well the new stuff is so much better." because I don't see much evidence of it.]
-Greg
hey, celebrity's moms aren't fair game, leave Blooscreena out of this.
'It's taken Microsoft 10 years to turn security from a weakness into a strength.
Microsoft security isn't a strength, it's mediocre at best. This statement is just blatantly false.
Apple have problems but they are fixable because they started with a solid proven design, UNIX. Microsoft never had that advantage.
restaM is a security teacher. restaM is Master written backwards. To learn from a restaM you do everything the opposite way. If they do A you do !A. If they advise you to do B you do !B. This is how Apple can learn from Microsoft the security lessons. oops sorry. snossel !
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Comment away, maybe that'll make Linux relevant on desktops.
Ubuntu works better than Windows on desktops. It's more secure, it's free, it doesn't need a virus scanner because it's designed properly, and it comes with bucketloads of great software at no extra charge.
But if you like expensive, slow, and bug-ridden OSes that teem with viruses, feel free to use Windows. It's totally up to you.
There is a typo in the summary and here is the correction:
"It's taken Microsoft 100 years to turn security from a weakness into a strength and it is still not as good as Unix."
The important part being it's not as good as _ANY_ Unix, free or non-free.
I think the writer meant 'shambles' but spelled it wrong and it somehow it got spell checked to 'strength'.
Considering the phenomenal market share Windows holds in the computer usage domain, no doubt there will be problems.
NO.
Ex: Apache, the most popular and very secure web server.
Regardless of whether or not the Windows security model you speak of is broken or not, Its security problems are there for Apple to observe.
There is nothing to learn there. Windows "security" consist of kludges built on top of unworkable model -- it's best when it is least consistent. Apple just has to consistently use security model it already has.
Contrary to the popular belief, there indeed is no God.
Because Microsoft has encouraged such behaviour in the past ('sure, feel free to write any old crap in the program files tree') and now continues to support it so as not to break those badly written applications.
That is incorrect. To get Windows certification you had to save your settings under the user's profile. Doing this lets software run under limited user accounts and allowed for roaming profiles so users could log in on any workstation and have their configuration follow them.
Since Windows NT 3.1, Microsoft has had a proper permissions system so you did not have to run as Administrator. In all the API documentation they told developers what they had to do to work correctly. Unfortunately, because Windows 9x was the more popular OS, developers could ignore Microsoft's pleas.
It was not Microsoft's fault that developers did the wrong thing. Eventually Microsoft was bound to piss people off by changing the defaults so that their software would stop working. Sure enough, they did it with Vista and everyone got surprised. But they did have a decade's notice of the API change, so the developers only had themselves to blame.
And because UAC messages are absolutely useless in most cases. The most common one seems to be 'Access Hard Disk'. What does that mean? Is it trying to write a config file to its own directory or install a rootkit? How am I supposed to tell?
I agree. It is very frustrating that they do not have an "Advanced" button to let us see what the software is wanting to do. I suppose the problem could be that malicious apps could lie to the OS about what they were going to do with the elevated permissions.
However, that does not mean that the UAC is broken. It gives some protection when running as an admin, but it is even better when running as a limited user as it means you do not need to plan ahead to run some software as an admin user just because you will eventually want to make a system-wide change.
This article is total nonsense; malware can only be resisted by the end user not downloading, clicking on and entering the admin password. Why it deserves a Slashdot mention is beyond me.
NO.
Ex: Apache, the most popular and very secure web server.
Oh, well excuse me for referring to the operating systems that most everyone uses on a daily basis on personal computers. Which this article is, as you may or may not know, primarily about.
My mistake, I had only skimmed the original article. Servers are mentioned. But no need to get all RAWR about it, bro.
People automatically assume it's a guy? That's chauvinistic.
Also, she has been head of security at Mozilla. I guess the summary didn't want to throw a third party into the debate.
http://www.usatoday.com/tech/news/computersecurity/2008-06-17-mozilla-window-snyder_N.htm
And Unix still isn't as good on security as mainframe platforms from IBM or Unisys. Your point?
Ex: Apache, the most popular and very secure web server.
Ironically, Apache is, in fact, a very good example proving GP's point, since it has more known exploits than the less-popular IIS.
And now, starting with Vista, we've got yet another security infrastructure built on top of the first one which is supposed to emulate access restrictions inside an otherwise unrestricted administrator account
You're confused. That is not how UAC works, at all. The underlying security system is the same that has always been in NT OS family - changed are the defaults (no longer root by default), and UAC is really nothing more than sudo.
Uhhh... Windows does require them to enter their password unless you're logged in with an admin account.
WTF? This is not a Windows default, never has been in the past and certainly isn't now. I'm not sure why any Administrator would do that.
I know! It certainly IS ironic that Microsoft would employ someone named Mwende!! L0lZ!!one
You have claimed that popularity of OS increases the amount of successful attacks. I have demonstrated that popularity of well-designed product has no such effects despite being a more valuable target for attackers.
This means (if you are too thick to notice) that you are wrong.
Except you're comparing an application whose primary 'target' is a trained system administrator, vs operating systems that get stuck on millions of pieces of non-expert-driven consumer hardware, so I'd hardly say that your analogy is a sound one.
And yes, Apache has had vulnerabilities in the past.
--Jeremy
Jesus was a liberal
Yeah, good UNIX proven design.
Like setuid servers (not!) where even simple bugs allow an attacker direct root access.
Like the hopelessly inadequate, coarse-grained me-us-world security which requires proper ACLs to be bolted on top.
Like you cannot set up proper inheritance of security from a parent folder, leading admins to design strange processes to wake up and chmod files.
Like the almighty root to rule them all. No separation of duties there. (Windows has proper separation of duties based on privileges. Even admin does not own all privileges; for instance, the admin *cannot* write to or clear the security log.)
Like the UNIX idea of a "token", which is just UIDs hard-wired to user accounts. (Windows has *real* process tokens which can be manipulated per process, e.g. stripping certain privileges from a process even if it runs under an admin account.)
Windows security design is not perfect, but it is a good deal better designed and more capable than the "UNIX proven design". Why do you think SELinux was developed by the NSA? Because Linux with its "proven design" was woefully inadequate for government work, a task for which Windows is certified but only a few Linuxes (those with SELinux) are.
We keep hearing about this "superior" Unix security design. But it is always referred to in the abstract with no details. Maybe it is some magical fairy or Apple dust?
Yes, a good admin can lock down a Linux with AppArmor or SELinux pretty tight. Both AppArmor and SELinux are solutions which compensate for the initial inadequate design.
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
You have claimed that popularity of OS increases the amount of successful attacks.
Pardon? Please quote me on that claim.
This means (if you are too thick to notice) that you are wrong.
Thanks, I'm sure you feel better about yourself now. Give yourself a pat on the back.
This is an example of how OS X is inherently superior to Windows for security, without even arguing the technical underpinnings.
Windows developers can't even write a dialog box that doesn't confuse the user (and Microsoft does nothing to help them conform, like Apple does). It's all downhill from there.
I only skimmed the summary and was trying to figure out how Roger Grimes could be the name of an OS.
Apple currently has major security problems that will only grow if their OS gains more market share.
Small pointless nitpick: You mean 'installed base', not 'market share'.
Ex: Apache, the most popular and very secure web server.
Apples != oranges, people don't sit in front of Apache all day who can be tricked into making exploits available.
http://www.zone-h.org/news/id/4737
Fandroids hate facts.
And NT never supported completely turning off its security infrastructure, let alone did so by default (sure, there was the Administrator default that made it mostly ineffective, but that has always been the case in the NT family before and never was new).
Given that Apple have now revealed themselves to be every bit as evil as Microsoft (as opposed to just wanna-be evil, as the more perceptive of you will have known for at least the past decade) it's not surprising that these two scum-infested megacorps are now talking.
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
Since Windows NT 3.1, Microsoft have proper permissions system so you did not have to run as Administrator. In all the API documentation they told developers what they had to do to work correctly. Unfortunately because Windows 9x was the more popular OS developers could ignore Microsoft's pleas.
Even though NT 3.1 was released before Windows 95!
Lion is so secure it reports back to Apple everything you have stored on your computer. Instead of worrying about who is trying to break in (remember most corporate data loss happens from the inside), maybe people should be watching what apps like the "App Store" are doing and what information is leaving your computer. Try this: have a legal copy of Lion downloaded on one Mac. Go to the App Store on another Mac and it shows 29.99; then move the downloaded copy of Lion to any folder on the Mac that still shows the purchase price. Open the App Store again and no longer will you see the option to purchase, but it shows as installed. Now take it one step further. Remove the Lion file again, open the store and it shows 29.99 again. Now take a USB drive and attach it to your Mac again. Copy the Lion dmg to the USB hard drive to any folder you would like to create. Go back to the App Store and it shows as being installed again. This is all without making any preference changes to the App Store or any other app. Apple is real-time scanning your system and sending information back to Apple. They are also doing this with your entire iTunes library (iCloud anyone). This is just something to think about. I am sure all the Apple fanboys will defend Apple and slam me for this, but I had everyone in my family get Macs for the last 15 years so I would not have to fix their Windows machines. Even though I am a long time Linux user I did like Macs, but now I will not touch them or anything else Apple makes.
How is it chauvinistic? It is reasonable to expect in a significantly male-dominated field that a person with a gender-neutral name may be male.
If you ignore ACs because they are anonymous - you're an idiot.
There should never be such a question in the first place. If "Deny" is not the only possible answer, security model is broken.
Please note that Microsoft imitated Unix/Linux sudo (and PolicyKit) prompt, that serves a completely different purpose there -- ask a user to confirm that he really intends to perform a system administration task. Untrusted software can't trigger those things in the first place.
I had a great laugh!
Those infected Windows bot machines probably don't realize that security is now a strength of Microsoft.
I wonder if there are any studies that show the percentage of infected Macs vs the percentage of infected Windows machines vs the percentage of infected Linux machines.
Based on my anecdotal observations, I'm guessing the results will not have Microsoft shining for their security prowess. And if we're only looking at the latest OS'es, Win7 vs Lion, I'm guessing the results will be even worse for Redmond...unless they, or their PR firms, do the study.
yeah, it should totally say, "the software: foo wants to install a rootkit. If you do this, your system will be fubar."
Everyone has known that for 20 years
There should never be such a question in the first place. If "Deny" is not the only possible answer, security model is broken.
I disagree. Any security model that makes things that hard to use would fail in the broader community because people would just turn it off. Look at how many people have disabled UAC now because it seemed annoying. Imagine how many people would just run as Administrator all the time if it seemed impossible (and not merely annoying) to use all your old software under your proposed security model.
Actually, you do not have to imagine. You just need to look at Windows 2000 or XP for that exact user experience. How many people around here (who should know better) still claim that it was impractical (or even impossible) to run as anything less than an administrator account? That too much software just fails? That is the perception when running under the security model that you suggest. That is why they did not protect themselves with the sensible security settings that were on offer in the past, and it is also why the vast majority do not use the operating system that does use that model, despite the fact that it is free and has a large selection of free software.
Finally, you can still have your preferred security model if you want in Vista and Windows 7. Turn off UAC, run as a limited user, and only software that you explicitly start with RunAs would be able to do those things that require UAC now. Or do what I do: set up people's computers as limited users and do not tell them the administrator password. They have no option but to click Deny.
Buffer overflow was a 1960s problem.
The software industry in general has a very short attention span but Microsoft really dropped the ball on that and many others where they could learn from the mistakes of the past. People are generally pissed off when they see something for sale that obviously has very little in the way of QC and large flaws in the design. The Zune leap year bug is another example of not taking the time to test for the completely and utterly fucking obvious.
People shake their heads because really stupid problems occur over and over again. If it happens in a small team writing an application as a hobby it's unprofessional. If it happens in a huge company with the vast resources of Microsoft it starts to head down the road to criminal negligence.
It's not the Matrix. We had Dick and Bush in the Whitehouse.
I think that means we're stuck in Beavis and Butthead.
UAC is not much like sudo since it is not a security feature. It is not supposed to stop bad software doing bad things (since it can't, it's trivial to bypass), it's supposed to let users know that good software is doing system-level things.
http://www.pretentiousname.com/misc/win7_uac_whitelist2.html
If you have a separate admin account UAC does work more like sudo. But that's not the default, sadly.
Yes, but I think 0123456's point was that many users would click "OK", and being administrators, they wouldn't have to type any password.
I think.
Or else, I fail to see how this dialog box would show that the security model is broken (according to him).
Well, what do you call forcing the user to always work with administrator privileges because Microsoft didn't have balls to stand up to idiot developers 10 years ago? I call it throwing the whole security infrastructure out of the window.
That's because you do not understand how computer and network security works.
No, you are just a rabid Microsoft basher who can't comprehend doing something in a way that you are not used to. But feel feel free to address any of the points that I raised.
Never seen an "Access Hard disk" prompt. Then again, I skipped Vista completely. Almost changed to using Ubuntu on my desktop, but then I actually enjoyed using 7. Now using OpenSUSE in a virtual machine for my Linux needs.
It is what it is.
Hide the admin account - to turn it on, set a ROT13 named reg key, and type a cryptic command in the CLI. And make the UAC box require password for every little thing, with scary warnings and icons. And put a dark red tint on the background.
I know tobacco is bad for you, so I smoke weed with crack.
Apache. 22 Advisories, comprising 40 Vulnerabilities. 2 Unpatched.
IIS. 6 Advisories, comprising 6 Vulnerabilities. 0 Unpatched. To be fair to Apache, which has been stuck at 2.2.x for some time, I'll even merge IIS 6 with IIS 7. That makes it...
IIS. 17 Advisories, comprising 17 Vulnerabilities. 1 Unpatched. Apache still loses, especially considering Apache 2.2.0 is actually 3 years newer than IIS 6.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
UAC doesn't automatically pop up in response to the program trying to do something. UAC pops up because the program specifically told Windows "I need to elevate" - there's no facility for it to tell Windows WHY. Perhaps there should be, but that's why it can't do it now.
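An added example, not code from the original thread or from Microsoft, to make the point of the last few comments concrete: a program does not get a UAC prompt because it touched the disk, it gets one because it asked to start an elevated process (via the runas verb, or `requestedExecutionLevel=requireAdministrator` in its manifest), and the only thing Windows can show the user is that request. The script below inspects the current token the way UAC sees it (the deny-only BUILTIN\Administrators group and the Medium integrity label of a filtered admin token), then relaunches itself elevated if it is not. For a split-token administrator that produces the consent click; for a limited user it produces a credential prompt, which is the sudo-with-a-separate-admin-account setup described upthread. It assumes Windows Vista or later with UAC enabled and PowerShell 3 or later (for `$PSCommandPath`); the function name `Get-TokenState` is this example's own.

```powershell
# Added example (not from the original thread): inspect the current process token
# as UAC sees it, then ask Windows for elevation if we are not elevated.
# Assumes Windows Vista+ with UAC on and PowerShell 3+; Get-TokenState is our own name.

function Get-TokenState {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # IsInRole(Administrator) is true only for a full (elevated) token. In the
    # filtered token UAC hands to an admin's desktop session, BUILTIN\Administrators
    # is still present but marked "deny only", so this returns $false.
    $elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami /groups exposes the deny-only flag directly; S-1-5-32-544 is the
    # well-known SID of BUILTIN\Administrators.
    $groups     = whoami.exe /groups /fo csv | ConvertFrom-Csv
    $adminGroup = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $splitToken = ($null -ne $adminGroup) -and ($adminGroup.Attributes -match 'deny only')

    # The mandatory integrity label tells the same story: High (S-1-16-12288) for
    # an elevated token, Medium (S-1-16-8192) for the filtered one.
    $label = ($groups | Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1).SID

    [pscustomobject]@{
        User       = $identity.Name
        Elevated   = $elevated
        SplitToken = $splitToken
        Integrity  = $label
    }
}

$state = Get-TokenState
$state | Format-List

if (-not $state.Elevated) {
    # This is how a program "asks" for elevation: it starts a new process with the
    # runas verb (a manifest with requestedExecutionLevel=requireAdministrator does
    # the same thing at launch). Windows shows the UAC prompt: a consent click for a
    # split-token admin, a credential prompt for a standard user. The child cannot
    # tell Windows *why* it wants the rights, which is why the prompt cannot either.
    Write-Host 'Not elevated; requesting elevation through UAC...'
    $psArgs = "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`""
    Start-Process -FilePath 'powershell.exe' -ArgumentList $psArgs -Verb RunAs
    exit
}

Write-Host 'Running elevated: this is the full half of the split token.'
```

Save it as a .ps1 and run it from a normal (unelevated) console: the first run prints `Elevated: False`, `SplitToken: True`, `Integrity: S-1-16-8192` for an administrator account, then triggers the UAC prompt; the elevated child prints `Elevated: True` with the High label. From a limited user account `SplitToken` is `False` and the prompt asks for an administrator's password instead of a click. `$psArgs` is used rather than `$args` because the latter is a PowerShell automatic variable.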
No operating system is secure right out of the box. At least with Linux/Unix there is a huge difference between the system admin and an ordinary user, and it is fairly common for most people who use *nix (this includes Apple's OS) to log in as a normal user. Where MS Windows differs is the fact that most people grant themselves system admin privileges right out of the box, and that makes a MS Windows OS less secure than a *nix OS. Any user who is logged into a *nix machine as a system admin for non-system-admin work is IMHO an idiot, and that opinion has not changed for over 30 years.
It is possible to use MS Windows without virus protection and never get viruses if you are careful, but since MS Windows is more targeted than any *nix OS this can be quite hard. As for Microsoft educating end users, really!
There ain't no such thing as proprietary standards only proprietary formats. Standards are by definition open.
That doesn't really happen with Ubuntu Linux. Normally the only times you will see that password prompt is when you are making changes to the system, or installing and uninstalling software (making changes to the system). The real difference is most of our software comes from pretty secure repositories, so you aren't going to see a Helly Kitty screen saver in the first place. Under normal conditions you will never have to use your password except for authorizing Update Manager to install the updates, which we don't have to wait until some certain day in the month to get. You can even set your personal machine to log you in without needing your password. I don't recommend this for laptops that leave your home or office though! Some of us even use ClamAV so that we do not pass on Windows malware to our friends that still use Windows. The problem is Windows users are trained from the start that they need to search the internet to find their applications and utilities. It's a cold, cruel world out there on the net, with many a dark alley just full of stuff waiting to bite them in the butt!
UAC is a security feature. The article you have linked to describes the consequences of a bad (insecure) default configuration of said feature. UAC will still be active and do checks and elevate processes as required - it will just use the whitelist to suppress elevation prompts for specific processes. But process security still remains in full force, it's not all smoke and mirrors.
Even the article itself correctly states that, if you move the UAC slider to its highest setting (which is what it was in Vista) - effectively disabling the whitelist - the exploit is neutered. You don't need a separate non-admin account (anyway, with UAC on, admins are really more like the "wheel" group).
Mark Russinovich says UAC is not a security feature:
http://www.networkworld.com/news/2007/021407-microsoft-uac-not-a-security.html
The whitelist trick is just one of many mostly unfixable holes in Windows that make win7 UAC in default mode trivial to bypass. As you say, pushing the slider to maximum gets you Vista-level security: better but still not secure. You need a separate admin account to get something close to sudo.
As vendors make their software more UAC friendly, MS will eventually be able to have a non-admin default account without it being too annoying. But we're still a few years from that, sadly.
The premise of this article is deeply flawed! Apple's products are *NIXes. Microsoft's are, well, Microsoft's.
Darwin is a BSD fork. It should take its security cues from OpenBSD, not Microsoft. Apple excels at ease of use. OpenBSD shoves ease of use completely aside in favor of security. They both are excellent at what they do. Is Microsoft excellent at what they do? Are they excellent at security? Who is going to have more to teach in the real world that can be implemented tomorrow?
The only argument for a fit between Microsoft and Apple on this is that Microsoft has dealt with the behavioral issues of security. If you just spit your coffee at the screen then you know how I feel about that statement. Apple has NOTHING to learn from Microsoft about user experience and Microsoft has nothing to offer a *NIX that it can't get better (and with way less baggage) from OpenBSD.
Every rule has more than one consequence.
Can you give an example of how to circumvent UAC with slider on maximum and an "admin" account? (i.e. no password entered in UAC prompt, just OK/Cancel).
The reason why sudo asks for a password (even for user's password, like in Ubuntu by default) is to prevent input injection attacks. UAC doesn't do that because it relies on an OS mechanism to prevent input injection (isolated desktop). I'm not aware of any known ways to exploit this. Hence I'm claiming that UAC in this mode is exactly as secure as sudo is by default in Ubuntu - unless there's evidence to the contrary.
As for Mark's claim, it is misrepresented by the article you've linked to. Here is the primary source. He's not saying that it's not a security feature, but he's saying that it's not an impermeable security boundary. He then gives some examples of permeability, but note that none of them involve actually hijacking the elevated process. Instead, he points out the ability to spoof things - e.g. if you try to run an installer (some downloaded setup.exe in your ~/Downloads), and you have malware running locally with normal user privileges, it could simply replace setup.exe with its own malicious version. When you try to run it, it asks for elevation, you give it (since you don't know it is replaced), and bingo - malware has root. But the exact same thing can be done with sudo!
Another example he gives is the ability for applications to draw directly on the desktop (which is only true when DWM - or rather compositing - is disabled). This way you can draw a different UI on top of an existing elevated application, e.g. replacing labels on its buttons so as to make the user click where you want him to click. I don't know if this can be done with X (some kind of window that is visible but transparent for mouse clicks?).
At no point does Mark say that it is possible for a third-party app (potentially malware) to gain elevated privileges without going through a UAC prompt. He points out that it's possible to fake the prompt such that it pretends to be for a different app that has a legitimate need to elevate - a prompt like that would not pass close scrutiny, but not the cursory glance most users - even power users - give to the UAC dialog.
Again, this scheme also fully applies to sudo, in fact even more so - my hypothetical Linux malware, initially running under user account, would just hijack, say, Synaptic (by replacing the menu icon) to point to my patched version with the payload. When gksudo pops up, when it normally does with Synaptic - surely you would type your password and elevate - and then I fire off my payload.
The elevations people usually cite involve cases where things can be written by an unprivileged process which are then used by an elevated process. For example, there are various registry keys which a low-priv process can write which are executed by an elevating command prompt. The Ubuntu equivalent would be appending "alias sudo /my/sneaky/attack" to someone's .bashrc. Though this Windows one is a little worse since you can't (as far as I know) as a user inject things into gtk-sudo, which would be the main elevation route for most people.
I read a very long and interesting thread with Mark and others debating the details of this a few years ago, but of course now I can't find the link :( sorry.
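One defensive check that follows from the .bashrc point in the post above, as an added example (not code from any poster): a Python script that scans a user's shell startup files for an alias or function that shadows sudo/gksudo, and for a PATH that puts a user-writable directory ahead of the system directories. The startup-file list, the user-writable prefixes and the sample .bashrc are all assumptions constructed for the demo.

```python
import re
from pathlib import Path

# Commands whose shadowing would silently redirect an elevation request.
ELEVATION_CMDS = ("sudo", "gksudo", "pkexec", "su")
RC_FILES = (".bashrc", ".bash_profile", ".profile", ".bash_aliases", ".zshrc")  # assumed list

ALIAS_RE = re.compile(r'^\s*alias\s+(\w+)\s*=\s*[\'"]?([^\'"\n]+)')
FUNC_RE = re.compile(r'^\s*(?:function\s+)?(\w+)\s*\(\)\s*\{')
PATH_RE = re.compile(r'^\s*export\s+PATH\s*=\s*[\'"]?([^\'"\n]+)')
USER_WRITABLE = ("/home/", "/tmp/", "$HOME", "~")  # prefixes treated as user-writable (assumption)


def scan_rc_text(text: str) -> list:
    """Return one finding per line that shadows an elevation command or reorders PATH."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ALIAS_RE.match(line)
        if m and m.group(1) in ELEVATION_CMDS:
            findings.append(f"line {lineno}: alias shadows {m.group(1)!r} -> {m.group(2).strip()!r}")
            continue
        m = FUNC_RE.match(line)
        if m and m.group(1) in ELEVATION_CMDS:
            findings.append(f"line {lineno}: shell function shadows {m.group(1)!r}")
            continue
        m = PATH_RE.match(line)
        if m:
            first = m.group(1).split(":")[0]  # the directory searched first
            if first.startswith(USER_WRITABLE):
                findings.append(f"line {lineno}: PATH puts user-writable {first!r} before system dirs")
    return findings


def scan_home(home: Path = Path.home()) -> dict:
    """Scan the startup files that exist under `home`; map file name -> findings."""
    return {name: scan_rc_text((home / name).read_text(errors="replace"))
            for name in RC_FILES if (home / name).is_file()}


# Constructed sample ~/.bashrc: two benign lines and three that an audit should flag.
SAMPLE_BASHRC = """\
export EDITOR=vim
alias ll='ls -alF'
alias sudo='/home/alice/.cache/.s'
export PATH=$HOME/.local/bin:$PATH
gksudo() { /tmp/.x "$@"; }
"""

if __name__ == "__main__":
    for finding in scan_rc_text(SAMPLE_BASHRC):
        print(finding)
```

The PATH finding is informational: a user-writable directory ahead of /usr/bin is common and often legitimate, but it is exactly where a planted binary named after an elevation command would win the lookup.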
Apache is not the most popular web server in the way you suggest. More websites are hosted on Apache than anything else, but that doesn't translate to more Apache servers than anything else. Windows web servers tend to be run by corporations, and as such tend to have only a small number of sites on them. Apache tends to be run by ISPs, and other hosting companies who put large numbers of sites on them.
Website != server
By the way, Apache runs on Windows as well. And it's used quite a bit actually, particularly in cases where the site is running Java based code. Like so many, you assume Apache only runs on Linux/Unix. Comparing Apache security to Windows security is so far beyond apples and oranges to be just plain stupid.
Besides, Apache has had more vulnerabilities than IIS has had in the last 8 years. IIS pre-2003 was hugely vulnerable, but they rewrote it for IIS6 and rewrote it again for IIS7. And the security statistics are very much in IIS's favor.
If you need web hosting, you could do worse than here
Really? Care to prove that? Didn't think so. I'll do you the favor and show the real statistics.
IIS 6 has had 11 advisories in 8 years. Of which, none were Extremely critical, most of which are not exploitable by default, and require specific services to be enabled.
http://secunia.com/advisories/product/1438/?task=statistics
IIS 7.x has had 6 advisories in 4 years. Of which, none were Extremely critical, most of which are not exploitable by default, and require specific services to be enabled.
http://secunia.com/advisories/product/17543/?task=statistics
Let's look at Apache.
Apache 2.2.x has had 22 vulnerabilities in 6 years. Of which, none were Extremely critical.
Apache 2.0.x has had 40 advisories in 8 years, with the same level of criticality.
http://secunia.com/advisories/product/73/?task=statistics
Only 5% of Apache vulnerabilities were Highly critical, which amounts to 2 for 2.0.x and 1 for 2.2.x.
IIS 7.x has had 33% of 6, or 2 and IIS 6 has had 9% of 11, or 1.
So the facts are, Apache has had anywhere from 2-7x more vulnerabilities and roughly the same number of vulnerabilities.
That means, IIS is less likely to have a vulnerability, but is more likely for it to be highly critical than Apache. So, in the end, it washes out.
The default is not to put Domain Users in the local administrators group. Maybe your administrator set things up that way, but it's not the default. Someone configured it to do that.
Where MS Windows differs is the fact that most people grant themselves System admin privilege right out of the box and that makes a MS Windows OS less secure than a *nix OS.
That hasn't been the case since XP. Sys admin level changes need elevated privileges just the same as on *nix systems.
Have you actually read what I wrote?
Or read how those vulnerabilities are described? Apache has very high standard of what is called a vulnerability.
Contrary to the popular belief, there indeed is no God.
Secunia uses their own standard for criticality, and does not rely on the vendors reported standard. So Secunia evaluates both equally with the same standard.
So your argument is stupid, because it's irrelevant to this comparison.
Secunia uses their own standard for criticality, and does not rely on the vendors reported standard. So Secunia evaluates both equally with the same standard.
Really? Where are their standards? How would they even find out about IIS vulnerabilities that are not disclosed? Would they ignore vulnerabilities reported by Apache itself if they are below their minimal standards? Such as, say, each and every "path disclosure vulnerability" -- as in, a "successful attacker" can determine that user www has home directory "/home/www"?
Look at the actual description of vulnerabilities. Most of Apache ones, critical or not, are below what would be even considered worth mentioning for any piece of proprietary software, let alone specifically IIS. In a perverse way you are right that popular software will have more REPORTED bugs, but their actual impact on security only depends on secure design of software, something that leaves Microsoft dead last in any software category.