Slashdot Mirror


Apple's Unlikely Security Mentor: Microsoft

snydeq writes "Apple has much to learn about securing an operating system, and it could learn how from Microsoft, Roger Grimes writes in the wake of further evidence that Macs are more vulnerable to attack than Windows machines. 'It's taken Microsoft 10 years to turn security from a weakness into a strength. Apple can use the lessons learned by Microsoft to manage a quick turnaround. Apple has already hired one of Microsoft's former security leaders, Window Snyder, and it has adopted a modified form of Microsoft's Security Development Lifecycle programming practices. Apple has the benefit of seeing how Microsoft fixed its past mistakes.'"

27 of 204 comments

  1. Apple just doing what MS has done for years by Registered+Coward+v2 · · Score: 2

    MS is the typical fast follower - let someone else test the market, then jump in and take advantage of the new market while learning from the pioneer's mistakes. Then push big to capture the market and crowd everyone else out. Once you're in you can expand and improve your product. It's been pretty effective for them over the years.

    --
    I'm a consultant - I convert gibberish into cash-flow.
  2. Meanwhile by CharlyFoxtrot · · Score: 4, Informative

    Meanwhile actual hackers, like the guys who won the Pwn2own contests by beating OSX security, now say OSX Lion is more secure than Windows (even though they previously freely admitted Snow Leopard was trailing Windows' latest offering in that department.)

    "Both Miller and his co-author in the book The Mac Hacker's Handbook, Dino Dai Zovi of Trail of Bits said that from a security perspective, Snow Leopard was little better on Leopard, but that Lion is a "significant improvement." Zovi describes the level of security in Lion as "Windows 7 plus plus." Apple hired the inventor of the BitFrost security system for OLPC, Ivan Krstic, two years ago in an effort to beef up core OS security. Krstic's methods in BitFrost mirror closely what has now been implemented in Lion."

    --
    If all else fails, immortality can always be assured by spectacular error.
    1. Re:Meanwhile by goombah99 · · Score: 2

      Sigh... Windows security was highly compromised by a few very simple things. It encouraged users to be Admins by making simple tasks require admin, its registry required modifying system resource handles by untrusted apps, and it had no way to tag files as tainted after a download to warn users when they opened them.

      Then the access controls that were implemented swung the pendulum too far too early. Unix permissions on a Mac are useful while not being terribly difficult to maintain. The OS will take care of keeping all the critical ones set for you.

      Macs also of course have a sophisticated ACL, but prior to LION no one seriously used it. It remains to be seen how it will get used.

      The big new hopes are the No-Execute, randomized addressing, and sandboxing.

      Sandboxing has been in Macs since 10.4 but it is only coming into regular use in 10.7. For example Safari uses it to separate parsing from display. It's built into the OS, as it should be, so you are not relying on app makers to implement their own. It works really really well, but it's poorly documented.

      I don't see why anyone would think that Apple is a follower of MS. Well I guess we can credit MS for showing how bad designs can trap you in ways you can't shake off later without breaking everything.

      --
      Some drink at the fountain of knowledge. Others just gargle.
    2. Re:Meanwhile by jimicus · · Score: 4, Interesting

      IMV, Apple products/features over the course of the last 5-8 years follow a fairly straightforward model which can be broken down into a few steps.

      1. Release Not-Terribly-Shiny Version 1.0. It may not be the most sophisticated in the world, it may have a whole heap of issues. But it will be released. The rest of the world says "ho-hum". It probably won't sell spectacularly, but it won't be an abject failure. (See also: First generation iPod. First generation iPhone. OS X when first released.)
      2. Release Shiny Version n+1. It fixes most of the issues of the previous version. Technologically it's unusual for it to do anything new, anything that the competition doesn't already do. But what it does it executes with so much style, so much polish that the rest of the industry is left looking rather pathetic and scrabbling to catch up. It sells spectacularly. (See also iPhone 3G)
      3. Apple will rest on its laurels. There will be updates to their products, but by and large they'll be relatively minor increments rather than ground-breaking "my God that's amazing" ideas. These will be released as Shiny Version 3.0 and 4.0. (See also iPhone 3GS, OS X versions 10.3-10.4).
      4. The rest of the industry will catch up. Products will appear that compete with Apple's equivalent on features, price and polish. Then, just as people are starting to seriously question Apple and wonder what they're doing...
      5. Repeat steps 2-4.

      If I'm right, the iPhone 5 won't be a huge breakthrough over the iPhone 4. It may have a few tweaks here and there, but it won't be "Steve, take me now!" fantastic. The iPhone 6, however, will probably be leaps and bounds ahead of the 5.

    3. Re:Meanwhile by timster · · Score: 2

      Yeah but, on the other hand, talking to hackers, even information security experts, isn't really good enough. There are too many opinions out there and not enough facts.

      The first problem is that we don't have any sort of useful objective metric to compare the security of various operating systems. "Number of vulnerabilities found" is unfair to the popular ones. "Severity of the worst vulnerability found" is useless because everyone has remote root exploits found from time to time.

      And even an objective metric doesn't measure what really matters: the threat ecosystem. Windows had lax security for years, even years during which the Internet was common, and nobody cared much. But this lax environment bred an ecosystem of hackers, and especially criminal hackers, dedicated to compromising Windows machines for profit. Then Microsoft was asleep at the switch for a while and allowed this problem to grow out of control. Melissa should have been a gigantic red flag but they pretended that it wasn't their problem and that everyone should just buy a virus scanner.

      Once this sort of problem has taken root it is very difficult to eliminate. Once there was a large group of intelligent, highly-motivated individuals with experience in breaking into Windows computers, they weren't going to disappear just because Microsoft released some patches. It took a substantial security effort over many years and even still the Windows-based criminal community is likely to be much larger than the OSX one or the Linux one or the iPhone one, even by proportion to user base (although I am not aware of any actual surveys).

      Even if OSX were easier to break into in an objective sense, these people have experience with Windows and they're probably not eager to switch to a new system. So Apple has an easier time of things and this could remain the case for a while as long as they are aggressive about going after new threats. I do think they are correct to recommend against virus scanners in general, since foisting the problem of security off on a third-party (and usually an incompetent one) only masks the real problems.

      --
      I have seen the future, and it is inconvenient.
  3. Not unlikely at all by Anonymous Coward · · Score: 2, Interesting

    Most security professionals (and even famous hackers, like pwn2own winners) today acknowledge that Microsoft security development practices are very good, and so are their latest OS. Everybody who has not devolved into pure fanboism understands that this can be the case even if they still have a higher volume of issues than Macs have for now.

    1. Re:Not unlikely at all by bberens · · Score: 2

      It takes a long time for "common knowledge" to change. Take for example American cars. Whether you think they're on par or not they have made a lot of progress in catching up with foreign manufacturers but are still largely considered inferior products.

      --
      Check out my lame java blog at www.javachopshop.com
  4. Re:Obscurity Lost by gubers33 · · Score: 2, Informative

    Apple is still only safe due to obscurity. The corporate world almost strictly uses MS; while Apple has grown its user base in recent years, they have not touched the corporate market. Anyone will attempt to go after corporate before personal users because the reward is greater. MacOS is still the most vulnerable OS on the market. Yes, you can lock it down changing a lot of settings, but you can do additional configuring on Linux and Windows machines. MacOS doesn't lose Pwn2Own the quickest every year for no reason.

    --
    Just because you are wrong and I called you out on it doesn't mean I am a Troll.
  5. Re:Is that former MS Employee truly named "Window" by show+me+altoids · · Score: 3, Informative

    It's a she, and her real name is Mwende.

    --
    I feel sorry for people that don't drink, because when they get up in the morning, that's as good as they're gonna feel
  6. Security is a *strength* for MS? Really!? Who knew by GSloop · · Score: 4, Interesting

    "It's taken Microsoft 10 years to turn security from a weakness into a strength"

    Really? A strength? Seriously?

    Is that why we got the ping of death back in Vista/Win7/2008 because of a forked TCP stack?....
    Because Security is a "Strength" for Microsoft?

    Honestly, while security *may* be better [and I'm not sure that's true] at MS, it certainly IS NOT a strength of theirs.

    If that's the view of the moron who wrote this - I'll trust everything else written with the same level of massive skepticism. [i.e. It's clear a moron wrote this - so I'll trust everything else in here just as much as I'd trust any other moron.]

  7. sounds like doublespeak by v1 · · Score: 4, Insightful

    It's taken Microsoft 10 years to turn security from a weakness into a strength

    The only thing "strong" about windows security is the botnets that grow to 100,000 computers strong

    Until MS expunges the litany of windows-running botnets from my inbox I'm not buying that BS. If they can take down the botnets, I'll acknowledge they've taken security seriously from a consumer protection standpoint. They can trot around the ring all day long yelling "We're tough on security now!" and I'll sit back with an "I'll believe it when I see some results" attitude. Put up or shut up. Ya I know, fat chance, but that's my opinion on it.

    --
    I work for the Department of Redundancy Department.
  8. Re:At least... by kakyoin01 · · Score: 2

    Considering the phenomenal market share Windows holds in the computer usage domain, no doubt there will be problems. Regardless of whether or not the Windows security model you speak of is broken, its security problems are there for Apple to observe.

    --
    The more you know, the more you have to say and the more you should listen.
  9. Re:Obscurity Lost by gubers33 · · Score: 2

    For malware, yes it is better to target a home user. For exploiting a machine to gain access to their network and steal information, corporate. Not all exploits are malware related.

    --
    Just because you are wrong and I called you out on it doesn't mean I am a Troll.
  10. Re:Security is a *strength* for MS? Really!? Who k by PhrostyMcByte · · Score: 2

    Really? A strength? Seriously? Is that why we got the ping of death back in Vista/Win7/2008 because of a forked TCP stack?.... Because Security is a "Strength" for Microsoft?

    You'll notice a great majority of the exploits are found in old code. They've got quite rigorous security practices now, and their new code is benefiting greatly from it. I don't know if I'd say security is a strength of their products right now, as there's plenty of old code left to exploit. But they're certainly on the path to get there.

  11. Re:At least... by next_ghost · · Score: 2, Interesting

    Let's see... The NT family of Windows has full security infrastructure based on user accounts and access privileges. However, that security infrastructure was completely turned off by default when Microsoft decided to merge the WinDOS family into Windows XP so that you could run legacy WinDOS software and software written by idiots without any additional setup. And now, starting with Vista, we've got yet another security infrastructure built on top of the first one which is supposed to emulate access restrictions inside otherwise unrestricted administrator account. Does that sound like a sane security design to you?

  12. Re:At least... by 0123456 · · Score: 2

    But how is some badly written third party software a symptom of a broken security model?

    Because Microsoft has encouraged such behaviour in the past ('sure, feel free to write any old crap in the program files tree'), and now continues to support it so as not to break those badly written applications.

    And because UAC messages are absolutely useless in most cases. The most common one seems to be 'Access Hard Disk'. What does that mean? Is it trying to write a config file to its own directory or install a rootkit? How am I supposed to tell?

  13. Re:what has Snyder achieved? by synthesizerpatel · · Score: 2

    I first met Window about 12 years ago, she was sharp and capable when it came to security. I doubt much has changed. In terms of achievement, not every achievement ends up being a big publicized event where implementors are handed plaques to commemorate the occasion. Security is a boring and incremental effort when you're trying to improve process.

    So, I guess I'm a little biased with the (weak) personal connection, but don't hate just because you don't know who she is or what she's done.

  14. Weird by iluvcapra · · Score: 2

    I really can't think of two companies that approach the problem from such different directions:

    • Apple has a very top-down developer/third party attitude about its relationship with developers. It loves them and everything, but they take the interpretation of their developer documentation very seriously, they don't give product or platform roadmaps, and they will change, deprecate and remove APIs as is their wont. To Apple, the computer buyer is the customer, and the developers are a sort of collateral operation. Microsoft sees developers as their main customers, and goes to extraordinary lengths to make sure that if a program ran under some version of Windows, it will always run without the developer having to update -- if it runs once, Microsoft considers that a contract. This makes the platform much more stable and predictable but allows all sorts of bad behavior to go uncorrected.
    • Apple leverages lots of open source projects to provide the middleware on their platform; granted they sometimes leverage quite old versions of open source projects. Microsoft is committed to in-house development of the complete system -- you'd never see Microsoft ship OpenSSH, KHTML, or a Ruby interpreter with their operating system, they're much more apt to ship their own tools to accomplish the same things, with all the benefit and risk that entails.
    • Microsoft is committed to the PC as a platform for computing, and differentiating the "power" of a Real Computer to things like mobile devices or appliances, so they don't countenance things like sandboxes, curated app stores, the principle of least privilege -- they're much more deferential to developers. Apple is happy to impose much tighter system-level restrictions (in Lion, apps aren't even allowed to traverse the filesystem directly anymore, all of this happens outside the app's address space), and Apple is much less grandiose and much more practical about designing programming environments.
    • Apple sees the ultimate security of the system as the vendor's responsibility. Microsoft sees the ultimate security of the system as the user's responsibility. Pick your poison.
    --
    Don't blame me, I voted for Baltar.
  15. Re:Security is a *strength* for MS? Really!? Who k by GSloop · · Score: 2

    Pardon me if I'm not overwhelmed.

    MS: "Yeah, your home is like Fort Knox - no one will break in through the new stuff we built. Mumble mumble mumble"
    Me: "What was that mumbling?"
    MS: "Well, everything is really secure, except the old stuff - like, you know, the doors and windows. That's old stuff. You can't hold us responsible, even if we built it. Only the new stuff matters and it's like a rock! No one will break in through the roof or walls!"
    Me: "Ah, yeah - I feel so much better already!"

    Sheesh.

    If the new stuff is SO much better, and it's all that old crap code, then go back and fix it. Until then, I'll assume security doesn't matter much to you since while they can't break the "new" code - there's loads of old code that's full of holes. The practical experience is "it's full of holes." I don't much care where they come from.

    [And even then, I don't yet buy the "Well the new stuff is so much better." because I don't see much evidence of it.]

    -Greg

  16. Obvious point here by 1s44c · · Score: 2, Insightful

    'It's taken Microsoft 10 years to turn security from a weakness into a strength.'

    Microsoft security isn't a strength, it's mediocre at best. This statement is just blatantly false.

    Apple have problems but they are fixable because they started with a solid proven design, UNIX. Microsoft never had that advantage.

  17. Re:Obscurity Lost by VGPowerlord · · Score: 2

    From Ars, "In Lion, the sandbox security model has been greatly enhanced, and Apple is finally promoting it for use by third-party applications. A sandboxed application must now include a list of "entitlements" describing exactly what resources it needs in order to do its job."

    Then there's privilege separation, which breaks up a complex application into individual processes, each of which requires only the few entitlements necessary to perform a specific subset of the application's total capabilities. Video decoding, PDF decoding, and HTML decoding are already handled this way in Lion. (Not to mention sandboxing Flash into its own tiny little world.)

    Windows doesn't have such fine-grained security controls (at least not to my knowledge), but there is a public API that a process can use to lower its privileges. IE is actually one of the programs that uses it.

    The problem is, most programs (including things like Firefox) don't use this lower privilege mode.

    --
    GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
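
The entitlement and privilege-separation model described in the comment above, as an added example that is not part of the original thread or any vendor's code: a Python audit that parses entitlement property lists and flags a helper process that requests more than its task needs. The process names, the allow-list policy and the sample plists are constructed for illustration; the entitlement keys are documented App Sandbox keys.

```python
import plistlib

SANDBOX_KEY = "com.apple.security.app-sandbox"
NET_CLIENT = "com.apple.security.network.client"
USER_FILES_RW = "com.apple.security.files.user-selected.read-write"


def entitlements_xml(keys):
    """Build a constructed entitlements plist granting each key in `keys`."""
    body = "".join("  <key>%s</key><true/>\n" % k for k in keys)
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            '<plist version="1.0">\n<dict>\n%s</dict>\n</plist>\n' % body
            ).encode("utf-8")


# Constructed samples: a hypothetical main app and variants of a decoder helper.
MAIN_APP = entitlements_xml([SANDBOX_KEY, NET_CLIENT, USER_FILES_RW])
DECODER_OK = entitlements_xml([SANDBOX_KEY])
DECODER_BAD = entitlements_xml([SANDBOX_KEY, NET_CLIENT, USER_FILES_RW])
UNSANDBOXED = entitlements_xml([NET_CLIENT])

# Assumed policy: what each process legitimately needs beyond the sandbox itself.
# A decoder only transforms bytes handed to it, so it needs nothing extra.
POLICY = {
    "MainApp": {NET_CLIENT, USER_FILES_RW},
    "PDFDecoder": set(),
}


def audit(entitlements, allowed):
    """Return findings for one process's entitlements against its allow-list."""
    ents = plistlib.loads(entitlements)
    findings = []
    # Without the sandbox key the other entitlements restrict nothing.
    if ents.get(SANDBOX_KEY) is not True:
        findings.append("not sandboxed")
    granted = {k for k, v in ents.items() if v is True and k != SANDBOX_KEY}
    # Anything granted but not needed widens what a compromised helper can do.
    for key in sorted(granted - set(allowed)):
        findings.append("excess entitlement: " + key)
    return findings


if __name__ == "__main__":
    cases = [
        ("MainApp", MAIN_APP),
        ("PDFDecoder", DECODER_OK),
        ("PDFDecoder", DECODER_BAD),
        ("MainApp", UNSANDBOXED),
    ]
    for name, plist in cases:
        result = audit(plist, POLICY[name])
        print(name, "->", result or "ok")
```
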
  18. Re:Obscurity Lost by Daniel+Dvorkin · · Score: 2

    Three years ago is forever in security terms. "Pwn2Own doesn't test Linux," in present tense, is a true statement; and knowing the relative vulnerability of Leopard, Vista, and Ubuntu 7 tells you next to nothing about how Lion, Windows 7, and Ubuntu 11 stack up against each other today.

    --
    The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
  19. Wow by ArundelCastle · · Score: 5, Informative

    People automatically assume it's a guy? That's chauvinistic.
    Also, she has been head of security at Mozilla. I guess the summary didn't want to throw a third party into the debate.
    http://www.usatoday.com/tech/news/computersecurity/2008-06-17-mozilla-window-snyder_N.htm

  20. Re:At least... by shutdown+-p+now · · Score: 2

    Ex: Apache, the most popular and very secure web server.

    Ironically, Apache is, in fact, a very good example proving GP's point, since it has more known exploits than the less-popular IIS.

  21. Re:At least... by shutdown+-p+now · · Score: 2

    And now, starting with Vista, we've got yet another security infrastructure built on top of the first one which is supposed to emulate access restrictions inside otherwise unrestricted administrator account

    You're confused. That is not how UAC works, at all. The underlying security system is the same that has always been in NT OS family - changed are the defaults (no longer root by default), and UAC is really nothing more than sudo.

  22. Obvious? Not so much by benjymouse · · Score: 3, Informative

    ... because they started with a solid proven design, UNIX. Microsoft never had that advantage.

    Yeah, good UNIX proven design

    Like setuid servers (not!) where even simple bugs allow an attacker direct root access

    Like the hopelessly inadequate me-us-world coarse-grained security which requires proper ACLs to be bolted on top.

    Like you cannot set up proper inheritance of security from parent folder, leading admins to design strange processes to wake up and chmod files.

    Like the almighty root to rule them all. No separation of duties there. (Windows has proper separation of duties based on privileges. Even admin does not own all privileges, for instance the admin *cannot* write to or clear the security log).

    Like the UNIX idea of a "token" which are just UIDs hard-wired to user accounts. (Windows has *real* process tokens which can be manipulated per process, e.g. stripping certain privileges from a process even if it runs under an admin account).

    Windows security design is not perfect, but it is a good deal better designed and more capable than the "UNIX proven design". Why do you think SELinux was developed by the NSA? Because Linux with its "proven design" was woefully inadequate for government work - a task for which Windows is certified but only few Linuxes (those with SELinux).

    We keep hearing about this "superior" Unix security design. But it is always referred to in the abstract with no details. Maybe it is some magical fairy or Apple dust?

    Yes, a good admin can lock down a Linux with apparmor or SELinux pretty tight. Both apparmor and SELinux are solutions which compensate for the initial inadequate design.

    --
    Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
  23. Re:Wow by Zaiff+Urgulbunger · · Score: 2

    I only skimmed the summary and was trying to figure out how Roger Grimes could be the name of an OS.