Slashdot Mirror


Microsoft: Macs 'Not Safe From Malware, Attacks Will Increase'

An anonymous reader writes "Microsoft researchers have analyzed a new piece of Mac malware that uses a multi-stage attack similar to typical Windows malware infection routines. In a post titled 'An interesting case of Mac OSX malware' the Microsoft Malware Protection Center closed with this statement: 'In conclusion, we can see that Mac OSX is not safe from malware. Statistically speaking, as this operating system gains in consumer usage, attacks on the platform will increase. Exploiting Mac OSX is not much different from other operating systems. Even though Mac OSX has introduced many mitigation technologies to reduce risk, your protection against security vulnerabilities has a direct correlation with updating installed applications.'"

290 comments

  1. "Get the Facts" by tripleevenfall · · Score: 0, Offtopic

    All we need here is a statement about the "viral nature" of the kernel. And that OSX eats old people's medicine for food.

    1. Re:"Get the Facts" by Kotakee · · Score: 1, Troll

      Most of this has been known by, well, knowledgeable users for a long time. Most of the malware now comes via third party software or stupid users. It really doesn't matter what platform you use, as hackers will find a way around to get the best bang.

      All three largest OS - Windows, OS X and Linux - are pretty much equivalent now. In fact, OS X is probably less so than Windows or Linux (and I use mac!).

      In before all the stupid replies that Linux cannot be hacked. :)

    2. Re:"Get the Facts" by clang_jangle · · Score: 5, Insightful

      In before all the stupid replies that Linux cannot be hacked. :)

      I suppose there could be some people stupid enough to say that, but I haven't seen much of it (unless you count obvious troll posts). In fact, a misconfigured linux system is one of the easiest to hack -- but we're discussing malware, not hacking. Since most linux distros are using repositories for all the third-party software (vs non-tech users zooming around the web downloading "10,000 similies!") malware for linux is pretty darned rare -- much more so than windows or os x. Unless, of course, one counts all the android trojans -- I don't because to me android is a completely unique OS that happens to use some linux code.

      --
      Caveat Utilitor
    3. Re:"Get the Facts" by Kotakee · · Score: 1, Insightful

      Android is a great example how malware just gets there, around the obstacles when the market share is right. It's even on their official store.

      Repositories also wouldn't work if Linux had the same market share as Windows, or hell, even OS X. You just cannot do everything via such system, and there needs to be a way to install software off from the "official" platforms. Hell, most of slashdot constantly argues against this too (DRM).

    4. Re:"Get the Facts" by Anonymous Coward · · Score: 0

      All we need is MS to say these things during a 30 second television commercial starring 2 mildly amusing actors and then suddenly everyone would love MS for saying this.

    5. Re:"Get the Facts" by LordLimecat · · Score: 0

      Linux also has a whopping 0.7% market share as far as web browsing is concerned, so it's probably not a very high priority as far as malware writers are concerned.

    6. Re:"Get the Facts" by K.+S.+Kyosuke · · Score: 4, Funny

      Most of this has been known by, well, knowledgeable users for a long time. Most of the malware now comes via third party software or stupid users. It really doesn't matter what platform you use, as hackers will find a way around to get the best bang.

      As one of my great compatriots once said: Artificial intelligence will soon best the natural one, but there's no adequate substitute for natural stupidity.

      --
      Ezekiel 23:20
    7. Re:"Get the Facts" by nzac · · Score: 3, Insightful

      In before all the stupid replies that Linux cannot be hacked. :)

      I assume you mean cannot get drive-bys. Linux is hacked in broad scene rather often. Linux does not get viruses in the sense that it's never happened.

      I assume you mean there is likely to be similar security holes in a bleeding edge easy to use distro as windows which may be true.
      Linux is extremely hard to compare security on as you can have everything from a full on SElinux setup to whatever ASUS use to distribute.

      I think rapid updates (all security holes are fixed within a week, worst case) and a low user base make Linux so unattractive for virus spreading that no one needs to worry. When there is a successful virus for Linux, then Linux security becomes non-hypothetical and decisions can be made on the security-convenience trade-off (as of now it's just all inconvenience for malware threats).

    8. Re:"Get the Facts" by TWX · · Score: 4, Insightful

      Fact of the matter is, basically all computing requires more trust than should really be granted. We trust Microsoft to patch their vulnerabilities now that malware manages to find ways in through ever more creative means. We trust Apple to have an OS that was never really vulnerable to start with, and we trust GNU/Linux distributions and other free operating systems to have clean repositories and to be free of backdoors. We rely on non-OS, internet-connected software companies to produce software that isn't vulnerable to bringing problems in from the Internet.

      All of these are essentially untrue, or are relying on means of security that can't be verified or well tested until something comes out in the wild. We instead rely on updates after the fact, and on feeble attempts by some to make programs to remove malware.

      Even in the privileged/unprivileged user landscape that modern OSes are capable of using, too many users desire more credentials on their local computers than they need in order to perform the very basic tasks that a computer user does on a daily basis. In the early days I too was guilty of this, but learned. Unfortunately when there are combinations of vectors to infect the local user and then local root exploits even a good privileges model won't work.

      We should demand more out of our browser developers and more out of our plugin developers. That is the single biggest category of infection route, and I'm sorry, but software that voluntarily brings in and deploys the exploit simply by visiting a markup-language page is completely unacceptable. Fix the bugs before worrying about new features.

      --
      Do not look into laser with remaining eye.
    9. Re:"Get the Facts" by Anonymous Coward · · Score: 0

      Which brings us to iOS, which is nowadays Apple's major OS, while OSX becomes more and more a "hobby" for Apple.

      Apple's development efforts appear to be headed towards convergence of iOS and OSX, or perhaps more accurately: OSX being subsumed into iOS. It may not be long before Apple desktops and laptops are running iOS with mouse support.

    10. Re:"Get the Facts" by jellomizer · · Score: 3, Interesting

      It comes down to the more popular your OS is, the more problems you will get with security.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    11. Re:"Get the Facts" by BasilBrush · · Score: 1

      Since most linux distros are using repositories for all the third-party software (vs non-tech users zooming around the web downloading "10,000 similies!") malware for linux is pretty darned rare -- much more so than windows or os x.

      Of course most OSX third party software is coming from the Mac App Store these days, so the same applies.

    12. Re:"Get the Facts" by BasilBrush · · Score: 4, Insightful

      Android is a great example how malware just gets there, around the obstacles when the market share is right. It's even on their official store.

      No. There is virtually no malware for the iOS, which is in the same ball park as far as market share is concerned. So it's not just market-share. Security, including walled gardens, makes a huge difference.

    13. Re:"Get the Facts" by Anonymous Coward · · Score: 0

      Web browsers are the one crucial link in the security chain, similar with add-ons.

      With the past record in mind, browser makers are wising up, but add-on makers are still in the stage of viewing security as something they can strap on when there are no other projects or features on the table, and if there is money left to pay Tata for those.

      Realistically, the OS has to step in and do the job. One can't just rely on a browser, or add-on makers for this. The browser not just should run in a separate context as the user, each tab and window should run in a different context, so a compromise in one browser tab isn't able to get to another.

      It is harder to do than in times past where the majority of intrusions were via direct incoming attacks, and where a simple firewall coupled with a NAT or even a SOCKS server was good enough.

      It will have to be the OS makers who have to handle the dirty work that the browser and add-on makers cannot/will not do.

    14. Re:"Get the Facts" by Anonymous Coward · · Score: 1

      Let me remind you, Android is not Linux and Linux is not Android.
      Android suffers the same fate as any other closed source products.
      Synchronised company pushed updates, etc.

      Most Linux distributions will not have those attack vectors common to Androids.

      At the end of the day, even now, it's not news, that Android is actually closed source.

    15. Re:"Get the Facts" by Anonymous Coward · · Score: 1

      "virtually no malware" != "no malware"

      It will get tougher as people figure out how to do the things Apple tells them they don't want them to do.

    16. Re:"Get the Facts" by Snowbat · · Score: 1

      [citation needed]. It's 1.65% according to Wikimedia's stats (includes wikipedia.org traffic - a top 6 site), 5.22% if you include Android.

    17. Re:"Get the Facts" by PNutts · · Score: 2

      There is virtually no malware for the iOS

      "virtually no malware" != "no malware"

      In the context of this discussion he was correct. The real world is not binary.

    18. Re:"Get the Facts" by Anonymous Coward · · Score: 0

      downloading "10,000 similies!"

      I invoke Godwin's law.

    19. Re:"Get the Facts" by PNutts · · Score: 1

      [citation needed]. It's 1.65% according to Wikimedia's stats (includes wikipedia.org traffic - a top 6 site), 5.22% if you include Android.

      Here's his citation (according to StatOwl). Aren't statistics cool?

    20. Re:"Get the Facts" by Billly+Gates · · Score: 0

      Popularity is one thing.

      What I find dangerous is Apple users do not use anti virus products that monitor, sand box, and provide active protection. Windows XP is crap and easy to exploit. Today Windows 7 has ASLR, DEP, signed device drivers (64 bit users), secure boot if you have EFI, UAC, etc. IE 9 is sandboxed, activeX is disabled on the web, abstraction and layers between the OS .dlls and IE .dlls, etc.

      MacOSX does not have this level of protection and with no anti virus scanner it is very easy to hack a mac with flash or java. Especially an older one which are numerous. Sure it has a lot less users than Windows but you do not have to try so hard to get in. Most Windows machines are in offices with I.T. departments who manage them and lock them down while Apple is for consumers who think they are secure to just click on everything.

      It's a bad combo even if it only has 15% marketshare.

    21. Re:"Get the Facts" by wavedeform · · Score: 1

      I basically agree, but the fact that there continue to be jailbreaks for iOS means that there are serious security holes. Luckily, people seem to be more interested in jail breaking than other exploits.

    22. Re:"Get the Facts" by BasilBrush · · Score: 1, Informative

      The days of being able to jailbreak by visiting a website are long gone. You have to physically connect the phone to a computer in order that it can be re-flashed.

      It's not relevant to what downloaded software/websites/document malware could do.

    23. Re:"Get the Facts" by wavedeform · · Score: 1
    24. Re:"Get the Facts" by MightyYar · · Score: 1

      All three largest OS - Windows, OS X and Linux - are pretty much equivalent now.

      So this story finally got me motivated to update ClamXAV and scan my drive. It's been running for a couple of hours now, and so far it has found 4 viruses/trojans... Windows viruses :) They are apparently sitting in my Gmail account, which I mirror locally. One of them is a windows screensaver virus of some kind sitting in my Downloads folder.

      I'll get back to putting clam on my FreeBSD server as well. My Windows machine is obviously protected (with AVG).

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    25. Re:"Get the Facts" by BasilBrush · · Score: 2, Informative

      What I mean by long gone is that it last worked on 4.3.3, which was superseded in July 2011. (We're on 5.1 now, and there have been several point releases in between). And it's never worked in any way, on any version, on latest hardware (iPhone 4S or new iPad).

      Un-tethered exploits reportedly still exist

      The use of the term "Untethered" is unintuitive and not quite what you think it is. "Tethered" means you need to connect to a computer every time the phone is rebooted. Untethered means it will reboot with the jailbreak still operative even if you're not connected to a computer.

      Either way, you still need to be connected with a cable to a computer to do the actual jailbreaking. The jailbreaking software runs on the computer.

    26. Re:"Get the Facts" by Tyler+Eaves · · Score: 1

      I'd rather have a virus than run anti-virus. I'm firmly convinced it would be less destructive to system performance.

      --
      TODO: Something witty here...
    27. Re:"Get the Facts" by Gr8Apes · · Score: 1

      Where to start?

      OSX is effectively sand boxed already, all unix systems are. None require a base root process to spawn an escalated privilege process like Windows does, even today in its latest incarnation - it's part of that fundamental insecurity built into the very foundation of windows. All *nix systems can elevate a process by providing proper credentials. So, properly set up, there's almost nothing that can be done on a *nix system unless additional credentials are supplied.

      There is nothing like Active X on any system but Windows - thank goodness.

      Since Apple makes all its own hardware/software, effectively all drivers are all signed.

      Apple has been using EFI for years.

      Regarding DLLs/Shared objects, no OS allows generic dynamic code injection into system code from an unprivileged account, except, of course, Windows.

      Macs have had EFI, actual process security that didn't need UAC's bandaid, sandboxed processes, and well defined abstraction layers for years. Additionally, Apple introduced ASLR in 10.5, completing full ASLR in 10.8. DEP has existed since 10.6.

      Java issues have been addressed, which were the same for Windows, mind you. Flash, well, flash is easily just removed. It's the only safe way to operate on any system as far as flash is concerned. It's very similar to running around a gun-powder factory with lighted sparklers. It's just not a good idea.

      My final take on this is you had to be trolling.

      --
      The cesspool just got a check and balance.
    28. Re:"Get the Facts" by hairyfeet · · Score: 5, Interesting

      The reason why you don't see Linux desktops getting targeted is for multiple reasons, 1.-interoperability is shit, the lack of a unified platform that keeps third parties from touching Linux with a 50 foot pole also keeps away malware writers because the best they could score is say...40% of UBUNTU users, but that same attack probably wouldn't work on RHEL without serious tweaking, or on PCLOS, or on Mepis, you get the picture, 2.- Malware writers want powerful machines because the more powerful the machine the more they can remain hidden while cranking out the spam or spreading the bug. Not to slam Linux users but you DO have a shitload of "How to save that PC from the dump" articles which would give an outsider the impression they are more likely to find a P4 than an i7, and 3.-Malware writers are criminals and criminals are notorious for being lazy. They don't want to have to constantly rewrite their bug because something got fiddled with between Ubuntu maniac monkey and nutty narwhal and their shit got broke. With both Windows and Apple having quite clearly labeled life cycles this makes it easy to know how long a bug could be good for.

      If you want to see how badly Linux would get pwned if it was on the radar simply look at Android. It has tons of ordinary users, is using the Linux kernel, and has been royally assraped by the malware guys. In the end you simply cannot defeat reality which is thus: ALL Operating Systems are EXTREMELY complex, with literally millions of lines of code all having to interact perfectly and this isn't even counting the third party stuff. Hell I doubt even Linus can tell you with 100% certainty when you launch say network manager every single call it will make and what every interaction is, it's simply too complex. More than 90% of the planet are NOT geeks, hell they don't even come up to the level of a power user of any system, they know just enough to get it to function and that is it, and finally the malware guys figured out long ago it's the USER that is the juiciest target, after all it is they that have the keys to the kingdom so by using social engineering they have become quite adept at getting past the defenses by having their "man/woman on the inside" aka the user, help them achieve their goals.

      So it doesn't matter what OS you use, you practice safe computing you'll be fine, practice stupid computing you'll be pwned. For those that think the repos are safe might want to look at how long the repos were handing out an infected Quake 3, try a year and a half. If a malware writer truly wants to target Linux there are ways, target some of the software that isn't as heavily monitored or like I said simply target the users and you're in like flynn.

      Now you watch as I get modded down for pointing out reality, to be followed by those that treat Linux as a religion (Some call them Freetards, I call them FOSSies because they remind me of Moonies) scream that it just isn't possible, that linux's magical goodness could never be tainted by malware crap...hmmm...where did I hear that before? Oh yeah those that bowed at the altar of Jobs, aka "The Cult of Mac". Wouldn't it be smarter to simply use the best tool for the job and be on your guard? But those that treat tech like ballclubs won't quit rooting for the home team, even when they strike out.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    29. Re:"Get the Facts" by Billly+Gates · · Score: 1

      If Apple uses ASLR and DEP I retract that part then and apologize.

      It's good to hear and I am not a troll. I use that argument for people saying how bad Windows is when in fact it's just XP that is almost 11 years old now that got the bad rap. Windows 7 is much more secure if you ask any enterprise that had migrated to it. The help desk calls for malware go way down.

      Still I find the fact that Mac users say with a smile they do not run anti virus software disturbing. It is such an easy target and you know the users will never know what hit them while you raid their bank accounts as they will refuse to believe they are prone to infections. After all anti virus software is updated daily so eventually my malware would get caught on a Windows based PC. The posts here on slashdot all talk about a user clicking something. Not getting a drive by download from flash.

      I hate flash with a passion and unfortunately some sites still require it. Most kids use Youtube for music today and much of the older uploads have no h.264 counterpart. So anti virus is needed for Mac users if they ever do anything important like banking and taxes online.

    30. Re:"Get the Facts" by Billly+Gates · · Score: 1

      It's better today. I use Avast! on my Windows PC and it only slows it down by 5 seconds on bootup. Not everything is garbage like Norton 360 or McAfee of 2002-2008 which would halt your PC for 5 minutes on startup. That was insane!

      I check my student loans online and occasionally do banking. I can't risk it. Avast! is not bad but sucks on the mac. Unless you have flashblock on your browser if you came here on slashdot exactly one month ago and you ran Windows you are infected and 0wned right now! Believe it or not a bad flash based ad here used an exploit and Avast caught it.

      I had my wow account raided because my exwife let the kids play flash and java games unpatched with a crappy anti virus product. She logged into me and got my password. It blew big time.

      Anti virus software sucks but not all of it is bad and I wish in a perfect world I didn't need it.

    31. Re:"Get the Facts" by clang_jangle · · Score: 1

      While there is a lot of truth to what you say, at this time, most popular Linux distros are by far the easiest to secure and to run securely without having to be a super expert technical user. Windows can be just as secure in the right hands, but ironically requires a much higher level of expertise to do so. I'm no windows expert, so I feel unsafe to the point I would never put any banking or other critical info into a windows machine, I do it in Linux and BSD all the time though, because I know enough to do it securely. I'm sure you're knowledgeable enough with windows to be safe, but I want my non-tech users on Mint or Ubuntu. Not to mention that whole slew of issues that comes up with "microsoft" and "trust", DRM -- I had to reformat my mp3player once after being foolish enough to let WMP access it -- it decided a bunch of indie music was "pirated" and wouldn't let those files play! It also hogged about half the flash drive creating unnecessary database files. Nasty stuff, that WMP.

      --
      Caveat Utilitor
    32. Re:"Get the Facts" by hairyfeet · · Score: 4, Insightful

      I'm sorry friend but you are mistaken, unless you call sliding a single slider in UAC as some complex action. Win 7 can autosandbox the browser (your choice of IE or any Chromium based) and run it in low rights mode which is actually SAFER than surfing in Linux where running a single program in a much lower set of permissions is far from simple, and then simply add one of several free AVs that also sandbox (My two favorites are Avast and Comodo Internet Security, both work well) and frankly the user need not know anything. The OS will autoupdate, autosandbox, scan ALL pages before load, hell my 71 year old dad is as clueless about tech as they come and his PC has been on the net 24/7/365 running Win 7 since Oct 09 and hasn't had a single problem or bug, the worst problem he has had is he didn't know how to update his browser (it kept telling him there was an update but he kept pushing the X instead of the update button) and that was it.

      If you want to know the REAL reason why you see much more infected Windows? Let me tell you a true story about the only person I ever threw out of my shop. He comes in, buys a PC from me, and wants me to install limewire. I tell him "I'm sorry but Limewire doesn't exist anymore, they got shutdown by the feds and anything calling itself Limewire now is just a virus pretending to be the real deal. There are several alternatives such as Emule and BT if you wish me to install one of those" so what does he do? He promptly goes home with his new PC, Googles "New limewire" and when the AV naturally wouldn't let him install it first he tried to disable and then he removed the AV altogether! Why did he do that? Because the program told him to! When I finally threw him out of my shop (demanding I fix it for free after he broke it by refusing to listen to my instructions or call) he was yelling "It says right there that it IS Limewire so you make it work dammit!"

      So if you want to know why there are plenty of infected Windows machines it's because of the dancing bunnies problem. It doesn't matter how simple or secure you make the OS if the user has install rights because all you have to do is wave the right cookie, be it porn, piracy, hell I've seen users infect their PCs for a CHANCE of winning some iShiny, then all can be bypassed. MSFT thinks they are gonna fix this by going the Apple way with an appstore but it won't work, as porn and piracy won't be offered in the appstore and that will be enough of a cookie to lure victims. Whether you choose to admit it or not to run Linux you HAVE TO have more than moderate PC skills or have a full time admin (such as yourself) willing to work for free simply because you have to know how to deal with updates breaking drivers and other Linux "quirks" one simply doesn't run into on OSX or Windows. Hell simply the fact you have to install it, know what partitions are and what sizes to make them, Google for drivers that aren't included and understand how to find out the exact make/model of said hardware to properly install Linux already puts you above a good 80% of the population. If you wish to argue that let me take away install rights for all my customers who would only be allowed to let me remote in and install approved software? Windows would never get bugs either.

      But that argument simply doesn't hold water when the vast majority are on their own, without so much as a geek in the family to guide them. In fact I would argue that them getting Linux installed correctly and having it fully functional for even a year would probably be impossible, since they simply wouldn't have the skills required. Linux is only friendly IF everything works OOTB AND it works after every upgrade, two situations which at least in my experience are about as likely as Santa dropping me off a dozen porn stars for Xmas.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    33. Re:"Get the Facts" by clang_jangle · · Score: 1

      Check out Mint LXDE, starting with version 11. I still prefer Debian, but Mint LXDE is absolutely amazing for its incredible ease of install. Nearly any modern common hardware will Just Work with that distro, and it can easily be installed, configured, and maintained by the most clueless of newbs. Your info is definitely out of date. There will occasionally be need for an expert no matter what OS a person chooses, but I'd say at this point Mint is right up there with OS X for being an idiot-proof system that Just Works. Really slaughters Windows in that regard, as well as on the security front. I know you know a lot about windows, and I respect your choice, but if you're talking ease of security for non-technical users you simply cannot beat Mint.

      --
      Caveat Utilitor
    34. Re:"Get the Facts" by hairyfeet · · Score: 0

      The installs aren't the problem friend, in fact I'd be the first to say that many of the more modern distros have gotten nearly as simple as Windows (which Win 7 asks a grand total of 4 questions, the hardest of which is what password you would like) when it comes to ease of setup.

      Nope the problem is the driver model is shit and this causes an insane number of breakages. Take Mint for example, when many were telling me "Mint does it right!" I downloaded the version from a couple of revs back and let it upgrade to current via GUI, as one would have to do if they were a normal user given a desktop, correct? Well what happened? It broke HORRIBLY, the Wifi was toast and no longer able to hook up to the network, the video was having weird artifacts and the audio would often be nothing but a clicking noise and static after a reboot.

      So I would have to 1.-Know which things are broken , 2.-How to describe them to someone in the forums, 3.-Be given a bunch a CLI gobbledygook that WILL often have to be tweaked because I've found the driver model is picky as hell, no simply downloading a Mint driver but instead has to be for the EXACT make/model/firmware with ZERO variation allowed,4.-Have the skills to understand WHY the CLI mess doesn't work AND the skills to fix the problems with the correct syntax and finally, 5.-Be able to get the whole mess imported using nothing but a CLI, where even the slightest mistype or even miss copying a bracket can hose the system.

      So I'm sorry friend but while the OOTB experience has gotten frankly first rate until a free distro offers a 10 year update cycle like Windows does or figures out how to fix the driver subsystem being a mess it really is NO comparison. Compare this to Windows, where thanks to the combination of a ton of drivers on the DVD plus WU having even more drivers if the PC is less than 4 years old (which is what most users would be messing with, most consumers don't refurb PCs) it will all "Just work" and continue to work until the OS is EOL which in the case of Win 7 is 2020, and if you plug in a new device Windows will autoinstall the driver if it has one or pop up a little "Would you like me to find drivers for this?" if it don't which will then call WU when you click yes and its all taken care of FOR the user. Now I have searched and the ONLY OS in Linux land with anywhere close to a 10 year length of support is RHEL under support contracts, which is $400 a year or $4000 if one were to keep the PC the entire 10 years.

      Believe me friend, as a retailer I HAVE run the numbers, tried ALL the flavors, because frankly the cost of Win 7 OEM cuts into my profits but sadly no matter which version you name I can drag a couple of boxes out at the shop and if I simulate just 3 years of ownership (by taking the version from 3 years ago and upgrading to current) it WILL break, leaving my customers pissed off and ruining my rep. I'm sorry but no matter how you slice it the numbers just don't work. Wish it weren't so, but at $35 an hour a single borked driver costs me more than an $89 copy of Windows Home and I can tell you there is NO way in hell the average user would have the skillset to accomplish this on their own. If you have a spare laptop or HDD for your desktop feel free to try the experiment yourself, you'll find it's sadly all too true, the upgrade mechanism is just horribly borked in Linux no matter which distro you pick, even bog standard hardware will often get shat upon, sorry.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    35. Re:"Get the Facts" by rtb61 · · Score: 1

      Does it really come down to more popular products or does it come down to greed. Not to accuse M$ of purposefully producing and releasing malware to attack and damage a competitor, yet never forget M$ is not just M$.

      M$ is owned by investors and the big banks own a chunk just as they do of Apple. Now those big banks, let's be honest are just chock a block full of psychopathic criminals. Would they pay to produce malware to attack a company's product and then bet via puts the value of the company's stock will fall and bet via calls that their competitors will rise. How many damaging simultaneous hacks would be required to cripple a company's sales of its flagship product. Would these same bankster douches also promote those stories via their advertising controlled marketing channels.

      Something sure stinks and I don't think it's just scruffy hackers who never clean up around the hardware. Never forget there were a bunch of investors that bet the airlines stock would fall just before 9/11 and due to some very high up people being involved nothing was done about it.

      --
      Chaos - everything, everywhere, everywhen
    36. Re:"Get the Facts" by ratboy666 · · Score: 1

      First, an observation -

      Use CentOS instead of Redhat. Anyway, Windows XP offered 10 year support and it isn't at all clear that other Windows will offer this.

      Second, a question -

      Borking on updates? That is very wrong. I am curious as to what Linux version (vendor/distribution) to what.

      In other words, what was the attempted upgrade? Was it a security update, a version (point) upgrade, or a major upgrade? Which vendor, and what was the start version and desired end version?

      Sorry for asking in such detail, but I am very curious. I just went through a similar problem (after a point upgrade to Fedora 16, wireless stopped being reliable until the next point upgrade, a couple of days later). I just want to get a larger scale sense of the issue.

      --
      Just another "Cubible(sic) Joe" 2 17 3061
    37. Re:"Get the Facts" by Alex+Belits · · Score: 0

      While there is a lot of truth to what you say

      Don't be an idiot. What hairyfeet says is nothing but Microsoft talking points. It has no validity whatsoever.

      --
      Contrary to the popular belief, there indeed is no God.
    38. Re:"Get the Facts" by clang_jangle · · Score: 1

      I have one friend who's as non-technically-inclined as they come, using Ubuntu on a Dell laptop for over four years now without incident. The original install from 2008 is now current, and only twice in those four years was I called in to correct minor stuff broken/changed by updates. In those two cases, she still had the use of the laptop and OS, we're talking *little* things like links in email stopped bringing up the browser. She has needed far less help than my windows-using friends in the past four years, so as I said, sir -- your info is out of date. :)

      --
      Caveat Utilitor
    39. Re:"Get the Facts" by bob')DROP+TABLE+user · · Score: 1

      None require a base root process to spawn an escalated privilege process like Windows does, even today in its latest incarnation - it's part of that fundamental insecurity built into the very foundation of windows.

      What is that process? UAC is what provides that barrier - much like linux sudo, you don't just get to launch an un-trusted process as root without some confirmation.

      All *nix systems can elevate a process by providing proper credentials. So, properly setup, there's almost nothing that can be done on a *nix system unless additional credentials are supplied.

      Windows is the same way - when properly set up. IF there is a vulnerable process or binary, that is owned by root, and has the setid bit on, it doesn't matter. No prompting.

      There is nothing like Active X on any system but Windows - thank goodness

      But there are browser plugins, and just because there is a sandbox, doesn't mean it is impossible to break out.

      Regarding DLLs/Shared objects, no OS allows generic dynamic code injection into system code from an unprivileged account, except, of course, Windows

      This hasn't been true since the "UAC band-aid". If you are trying to compare current securities, you can't argue that "Windows is insecure because Windows XP is insecure", by that logic, Mac OS 9 didn't have ASLR, but that doesn't mean Apple is an inherently insecure platform.

      Macs have had EFI, actual process security that didn't need UAC's bandaid, sandboxed processes, and well defined abstraction layers for years.

      Why is UAC a band-aid? Is sudo a bandaid? So you want process security, but don't like the fix? I'm a little confused here. While I don't know anything about EFI (except what I found on wikipedia), unless apple has something magic they also call EFI, I don't see how that's relevant. I also don't understand how abstraction layers have anything to do with inherent OS security.... There is a false sense of security by running non-windows. Malware authors are risk-reward. Why write a virus to turn your computer into a mindless zombie but only target a small market share (I won't quote numbers, since I don't know them, and don't feel like looking them up, but Mac market share Windows market share). If most malware authors focus on 1 thing, then that OS will get the hardest hit. On a properly set up system, it isn't easy - the problem is improperly set up systems. If I turn off my AV, turn off UAC, and run as administrator, ya, it's gonna be way easier to exploit my system. If I run my linux machine with no root password, and run myself as root, it's not going to be secure. Really, I'm more curious on your claims about windows security, because they seem a little bit.... off....
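
The comment above notes that a root-owned binary with the setuid bit runs with root's identity without any prompt, which is why defenders keep an inventory of such files. The following is an added example, not part of any poster's comment: a Python audit that flags root-owned setuid files that are group- or world-writable or missing from an allowlist. The `EXPECTED` allowlist, the function names and the sample paths are constructed assumptions.

```python
import os
import stat
from typing import Iterable, Iterator, NamedTuple, Optional

# Constructed allowlist (an assumption, for illustration only). Build the
# real one from the package manifests of the system being audited.
EXPECTED = frozenset({"/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su"})


class Finding(NamedTuple):
    path: str
    mode: str      # permission bits in octal, e.g. "0o4755"
    risks: tuple   # reasons this file deserves a closer look


def classify(path: str, mode: int, uid: int,
             expected: Iterable[str] = EXPECTED) -> Optional[Finding]:
    """Judge one lstat() result.

    Returns None unless the entry is a regular file owned by uid 0 with the
    setuid bit set, i.e. a program that runs as root for whoever starts it.
    """
    if not stat.S_ISREG(mode):
        return None            # setuid on directories/symlinks is not this case
    if uid != 0 or not mode & stat.S_ISUID:
        return None
    risks = []
    if mode & stat.S_IWOTH:
        risks.append("world-writable")     # any user could replace the code
    if mode & stat.S_IWGRP:
        risks.append("group-writable")     # group members could replace it
    if path not in expected:
        risks.append("not on allowlist")   # unexpected setuid-root program
    return Finding(path, oct(stat.S_IMODE(mode)), tuple(risks))


def scan(root: str, expected: Iterable[str] = EXPECTED) -> Iterator[Finding]:
    """Walk `root` without following symlinks and yield every finding."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue       # vanished or unreadable entry: skip it
            finding = classify(path, st.st_mode, st.st_uid, expected)
            if finding is not None:
                yield finding


if __name__ == "__main__":
    for f in scan("/usr/bin"):
        status = ", ".join(f.risks) if f.risks else "expected"
        print(f"{f.mode} {f.path}: {status}")
```
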

    40. Re:"Get the Facts" by hairyfeet · · Score: 1

      First of all CentOS does NOT offer 10 year support cycles, nor do they backport squat. CentOS is run by a small company that USED to pay for RHEL licenses for their devices and then decided it was cheaper to "leech" so you are only gonna get what they are using. Even RHEL doesn't offer support beyond 5 years unless you have a full service contract which as I said compare $4000 to $89 and its no contest. Second I guess you missed it but MSFT announced that ALL VERSIONS WILL GET TEN YEARS which was the mandatory length for business version but they have extended that to ALL versions from Start to Ultimate. That means Vista gets until 2017 minimum, win 7 2020, Win 8 2022.

      And as I told you feel free to try the experiment yourself, take the version from 3 years ago (I have done this with Ubuntu/Mint, PCLOS, Fedora (because I had a nut swear that Fedora didn't do that) PCLOS, OpenSUSE, so pick your poison) and slap it on your average laptop or desktop and upgrade it to current. The last time I did this was when Ubuntu 11 came out as I can't afford to blow tons of bandwidth every 6 months but I honestly don't see you pulling it off with a new release as one still has to upgrade to current. Now realize that in those 3 years 1.-Both major DEs have been tossed aside for new DEs so that entire subsystem is gonna end up a mess, and 2.-Pulseaudio was introduced which frankly is STILL a buggy POS IMNSHO.

      So I'm sorry friend it just doesn't work. Not a single one of the above distros when upgraded to current using the GUI (which is the ONLY way a consumer level user will have the skill to upgrade) will have SOMETHING broken. And all the hardware was the same stuff you see on a good 90% of consumer hardware, AMD, Nvidia, and Intel chipsets, Realtek and Sigma sound, Realtek and SiS networking, Atheros, Broadcom, or Intel wireless, pretty bog standard stuff.

      I've done the math and it just don't work any way you slice it. The ONLY way one can take a distro from 3 years ago and upgrade to current is to do clean installs and remember my time is $35 an hour and the customers will NOT have the skills nor the inclination to accomplish that feat so a single 6 month upgrade would again cost MORE than Win Home. Feel free to perform the test yourself, but I can't afford to blow another 7+Gb worth of data when I have caps just to show you what I already know, and that is the current upgrade mechanism takes a giant shit all over drivers. Again with Windows drivers work for the life of the OS which is 10 years. You can't even take a driver from 5 years ago and get it to work with the newest kernel without serious fiddling or a recompile which again is out of the skills range of normal users.

      But this is why Walmart gave up on selling low cost Linux machines, because they saw the same thing that I saw, the upgrades shat on drivers so they had to spend more in support than they saved on a copy of Starter or Home. God what I wouldn't give to find a legit source for Starter because when WinXP is EOLed I bet I'll have a lot of boxes go to the dump (If I don't break down and do what some of the other shops are doing and just sell them with Win 7 Pirate) because no matter how you work the math Linux just doesn't work in the home sector. Hell the user below you brings up Dell Ubuntu boxes without even knowing Dell has to run their own repo (which is horribly out of date and falling farther behind, so a Dell Ubuntu box is a security risk) just to keep the drivers working. Ask Dell how much they make per unit, I did, they won't tell you. I would surmise that is because the cost of running their own repo has them LOSING money on each sale. I'm sorry friend but I simply can't afford to run my own repo, I would be bankrupt within the year. No sale.

      Finally if you want to know the scope then do as I said, download the version from 3 years ago (whatever was current then) and upgrade to current. You yourself ran into it with wireless and I can tell you that is the norm NOT the exception. I have tried regular to LTS, LTS to regular, and L

      --
      ACs don't waste your time replying, your posts are never seen by me.
    41. Re:"Get the Facts" by exomondo · · Score: 1

      The days of being able to jailbreak by visiting a website are long gone.

      As in the previously known bug has been fixed, no reason to believe there aren't more that could be exploited.

    42. Re:"Get the Facts" by BasilBrush · · Score: 1

      Except that the jailbreakers have been quick in the past to find jailbreaks for new versions. 10 months of not finding a way to do it is a long time.

      I don't think anyone is holding their breath expecting jailbreakme.com to work on iOS 5.0 onwards. But it's certainly in the realms of possible rather than impossible.

    43. Re:"Get the Facts" by Anonymous Coward · · Score: 0

      I suppose if you can't refute it then a response like this is all you've got.

    44. Re:"Get the Facts" by exomondo · · Score: 1

      Except that the jailbreakers have been quick in the past to find jailbreaks for new versions. 10 months of not finding a way to do it is a long time.

      So I'm guessing you're not familiar with times between versions of Jailbreakme then?

    45. Re:"Get the Facts" by BasilBrush · · Score: 1

      So I'm guessing you're not familiar with times between versions of Jailbreakme then?

      Before you post something stupid, you might want to look at the development history yourself. https://github.com/comex/star_

    46. Re:"Get the Facts" by exomondo · · Score: 1

      Before you post something stupid, you might want to look at the development history yourself. https://github.com/comex/star_

      Before you post something stupid maybe you should read what you're attempting to respond to, here it is again:
      So I'm guessing you're not familiar with times between versions of Jailbreakme then?

      Now if you were familiar with the times between versions of Jailbreakme you'd see they have historically been quite large.

    47. Re:"Get the Facts" by BasilBrush · · Score: 1

      And there you go. I tried to stop you saying something stupid and you did it anyway.

      JailBreakMe is a website that could and was updated at any time without a version number change. 1.0, 2.0, 3.0 were simply marketing. It didn't go from 1.0->2.0-->3.0 without intermediate changes.

      It's now dead.

    48. Re:"Get the Facts" by Gr8Apes · · Score: 1

      I use a different machine for general flash use for the kids. It's also a completely unprivileged account. I've been considering whether I could go to a pure LiveCD type installation to allow for flash etc, which IMNSHO is about the only "secure" way to run flash. Fortunately mine don't youtube yet.

      All that said, I will note that there has been only one widespread malware vector exploited on OSX, and that was the Java vector mentioned above that is now closed. While some decry the 3 months Apple took to close it, versus the 3 weeks for other OSes, it did have one positive outcome: Oracle decided to take full ownership of the OSX version of Java, so hopefully in short order we'll have full parity between all versions on all systems, at least as far as can be done on VMs alone.

      --
      The cesspool just got a check and balance.
    49. Re:"Get the Facts" by Gr8Apes · · Score: 1

      None require a base root process to spawn an escalated privilege process like Windows does, even today in its latest incarnation - it's part of that fundamental insecurity built into the very foundation of windows.

      What is that process? UAC is what provides that barrier - much like linux sudo, you don't just get to launch an un-trusted process as root without some confirmation.

      Windows has a fundamental security issue that it cannot spawn nor escalate a security token higher than the parent token. In short, that means to do something as root, you have to be or ask a root process to do it for you. UAC isn't really a privilege escalation function, it's more of a watchdog function that acts as a gatekeeper whenever something asks to write something to certain areas of the system. This is fundamentally different than requiring proper credentials to write something to a location, which is how other OSes (BSD, OSX, Linux, IRIX, AIX, HP UX, etc, etc) all work. In those, unless you're a moron, you're not running as root or the equivalent, and you must provide the proper credentials before a write can occur.

      There is nothing like Active X on any system but Windows - thank goodness

      But there are browser plugins, and just because there is a sandbox, doesn't mean it is impossible to break out.

      That's just a red herring. I don't think anyone will argue that ActiveX was a good idea at this point. To be honest, ActiveX is symptomatic of MS's total lack of understanding of how security should work. And yes, I will claim that publicly, since their security architecture is fundamentally upside down compared to every other system out there.

      Regarding DLLs/Shared objects, no OS allows generic dynamic code injection into system code from an unprivileged account, except, of course, Windows

      This hasn't been true since the "UAC band-aid". If you are trying to compare current securities, you can't argue that "Windows is insecure because Windows XP is insecure", by that logic, Mac OS 9 didn't have ASLR, but that doesn't mean Apple is an inherently insecure platform.

      AFAIK, dynamic code injection into system code (in-memory) from an unprivileged thread was still possible as in 2008 R2 as of Jan 2010. That dates after the Win7 release. I know, because I considered (only briefly) doing it myself when I was researching the (as of then) undocumented removal of security token manipulation routines.

      Macs have had EFI, actual process security that didn't need UAC's bandaid, sandboxed processes, and well defined abstraction layers for years.

      Why is UAC a band-aid? Is sudo a bandaid? So you want process security, but don't like the fix? I'm a little confused here.

      Read above - UAC is essentially a watchdog process that attempts to intercept calls to write to specific areas in the system. Compare that with actual security requiring proper credentials, and you'll see why UAC is a bandaid. Comparing UAC to sudo is like comparing a sundial to a fine Swiss made timepiece. While they both appear to give indications of time, the latter has much more functionality and there are many posts out there to demonstrate just how powerful sudo is on allowing unprivileged users access to perform specific privileged actions.

      While I don't know anything about EFI (except what I found on wikipedia), unless apple has something magic they also call EFI, I don't see how that's relevant. I also don't understand how abstraction layers have anything to do with inherent OS security....

      EFI, properly UEFI, was listed by GP. GP actually has Apple to thank for bringing UEFI out into the mass market, since they were the first, and pretty much only ones running UEFI for quite a while. (Just try finding an UEFI Intel motherboard for sale more than 6 years afte

      --
      The cesspool just got a check and balance.
    50. Re:"Get the Facts" by exomondo · · Score: 1

      And there you go. I tried to stop you saying something stupid and you did it anyway.

      So what was the timeline between vulnerabilities for the releases? Oh that's right you don't know, but don't let facts get in the way of your idiot assertions.

      JailBreakMe is a website that could and was updated at any time without a version number change.

      Yeah, that's a pretty standard feature of a website. The actual code and the vulnerabilities it exploited weren't regularly updated though, don't believe me? Go and have a look, the source code is all there...if you understand it.

      1.0, 2.0, 3.0 were simply marketing. It didn't go from 1.0->2.0-->3.0 without intermediate changes.

      And those intermediate changes were not necessarily new vulnerabilities, but then if you were familiar with jailbreakme then you'd know that.

      It's now dead.

      Wrong again.

    51. Re:"Get the Facts" by BasilBrush · · Score: 1

      So what was the timeline between vulnerabilities for the releases? Oh that's right you don't know, but don't let facts get in the way of your idiot assertions.

      I was the one that showed you the repository, fucktard. You were pretending to be an expert having consulted Wikipedia.

      It's now dead.
      Wrong again.

      Dead as in no longer being developed. At all. Not since last August. Of course the obsolete web-site is still there. Are you really that dumb?

    52. Re:"Get the Facts" by exomondo · · Score: 1

      I was the one that showed you the repository, fucktard.

      But your conclusion demonstrated you don't have the faintest idea what it contains because if you actually have a look at the code changes you'll see updates mostly regarding device compatibility, not new exploits, they don't come around that often.

      You were pretending to be an expert having consulted Wikipedia.

      Nope, just linked to it so you could see the releases more easily and the cross-reference with the code in the repo, but I suppose you didn't do that because you still don't get that 10 months is nothing if you look at the previous times between exploits. Just look at it, it's all there, you even linked to it...so you obviously have no understanding of what you linked to.

    53. Re:"Get the Facts" by Alex+Belits · · Score: 1

      Refute what? Microsoft's soundbites? hairyfeet frothing at the mouth about how he dislikes things and people? There is no discussion happening here.

      --
      Contrary to the popular belief, there indeed is no God.
    54. Re:"Get the Facts" by bob')DROP+TABLE+user · · Score: 1
      It seems like you want your cake and to eat it too. Yes, Windows had broken security. Badly. And they made some mistakes - big ones. But you can't compare Windows 98 to Mac OSX. Android malware (which I could be off on) is because they have an open market place - in the wild exploitation is a whole different problem. Someone mentioned the dancing bunnies problem - you can't fix stupid. And because of that, you can't call an OS secure/insecure because the user can be tricked to running a malicious binary with elevated privileges. Maybe I'm missing something here -

      Windows has a fundamental security issue that it cannot spawn nor escalate a security token higher than the parent token. In short, that means to do something as root, you have to be or ask a root process to do it for you.

      Is the root process the OS...? I'm going to need an example here, because I'm not really aware of a good reason to elevate your permissions in the middle of a task. So if you cannot spawn a privileged process from within yourself without asking a "root" process (like say... the OS?) why is that a problem? Can you give me an example of a different OS, a parent process spawning a more privileged process that it fully controls? Or why you'd ever want that? Doesn't that BREAK security? I would really appreciate an example here. I understand the security token concept, and that you cannot just blindly elevate it... because well... that makes sense.... But I don't see the request to this mythical fundamental root process..... For that matter, can you arbitrarily elevate your process to root in the middle of execution without some kind of OS intervention, or say, the OS having to do it for you?

      UAC isn't really a privilege escalation function, it's more of a watchdog function that acts as a gatekeeper whenever something asks to write something to certain areas of the system.

      I'm not quite sure that you are describing UAC... UAC happens when a process is launched with elevated privileges - AND if properly configured, requires credentials to be entered. Please provide an example of a process that MID PROCESS does this before accessing a system area....

      I'll give you a solid example of why: Try creating a service that runs with no privileges, serves many users, and allow said users to execute OS calls as themselves, with only their own privileges. You would want to do this to exploit the OS's security handling and auditing which are certified instead of writing your own. You are allowed to request credentials.

      oooook.... So let me understand this, you have a specific use case, which a different OS handles better.... You have not proven that windows security is fundamentally broken, just that this use case is.... And maybe windows isn't the best choice for what you want. Since I haven't done this exact process, I can't speak to its ease or difficulty on any OS... But how is that limitation proof of insecurity? I can't use my TV as a boat, but that doesn't mean it's fundamentally broken... or insecure...

      AFAIK, dynamic code injection into system code (in-memory) from an unprivileged thread was still possible as in 2008 R2 as of Jan 2010. That dates after the Win7 release. I know, because I considered (only briefly) doing it myself when I was researching the (as of then) undocumented removal of security token manipulation routines.

      Still not really sure how easy this is... Since the process security model should not allow this.... Are we talking possible as in "There is a Windows API InjectCodeToMemory(0xaddr,"exec virus")" or, an exploit exists that allows that.... Thanks for the UEFI/EFI clarification... Again... security relevance? Microsoft doesn't make hardware... so this is really just a note that apple introduced a technology... which I guess is proof that Macs are safer? Not really sure on that one... Same with abstraction - how does abstraction = security? more abstraction = larger at

    55. Re:"Get the Facts" by catmistake · · Score: 1

      to me android is a completely unique OS that happens to use some linux code.

      I agree completely... Android is precisely as distinct an OS as any other linux distro. Slackware isn't Ubuntu, they look totally different! Gentoo isn't Red Hat, and if you can't tell the difference, you're probably a UNIX admin.

  2. Oh well. by lanswitch · · Score: 0

    Isn't it ironic...

    1. Re:Oh well. by Known+Nutter · · Score: 3, Informative
      --
      Beware of the Leopard.
    2. Re:Oh well. by VortexCortex · · Score: 0

      Isn't it ironic...

      Absolutely! Positively, Without a Doubt! Why, That's EXACTLY how you use that word! Stunning use of vocabulary and sentence structure too! Where did you attend school? I want to commend your English teacher for doing such a fine job and recommend them for a Nobel prize in Education!

    3. Re:Oh well. by martinX · · Score: 1
      --
      When they came for the communists, I said "He's next door. Take him away. Goddam commies."
    4. Re:Oh well. by Cito · · Score: 1

      don't you think?

      It's like rain, on your wedding day.
      It's the free ride when you've already paid.
      It's the good advice that you just didn't take
      but who would have thought... it figures...

    5. Re:Oh well. by Anonymous Coward · · Score: 0

      Possibly.
      http://en.wikipedia.org/wiki/Linguistic_prescription

    6. Re:Oh well. by hendridm · · Score: 1

      More like the pot calling the kettle black...

    7. Re:Oh well. by dyingtolive · · Score: 2

      Achievement unlocked:
      Falling for the Alanis Morissette troll.

      --
      Support the EFF and Creative Commons. The war is coming, and they're supporting you...
    8. Re:Oh well. by smallfries · · Score: 1

      Have you read your own link?

      Microsoft claims that malware infections will rise on OSX in the future, and as evidence they dissect an exploit that only works on an obsolete version because it is fixed in the latest version. Your signature is oddly appropriate.

      --
      Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
    9. Re:Oh well. by Anonymous Coward · · Score: 0

      It's like cock, in your faggot mouth. It's like my balls sitting on your head....

    10. Re:Oh well. by MightyYar · · Score: 1

      Words change. Go to a Renaissance fair if you don't believe me.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    11. Re:Oh well. by Anonymous Coward · · Score: 0

      I tweezed my pubes the other day. Wanna see?

    12. Re:Oh well. by Anonymous Coward · · Score: 0

      It's like cock, in your faggot mouth. It's like my balls sitting on your head....

      If your balls are on his head and not on his chin, my guess is that you're busy too.

    13. Re:Oh well. by Anonymous Coward · · Score: 0

      Still not ironic.

    14. Re:Oh well. by gcerullo · · Score: 0

      BEST RETORT EVAR!

  3. Not really surprising by TheRaven64 · · Score: 5, Insightful

    Possibly a biased source, but not exactly a shocking conclusion. The OS X kernel is a massive amount of C and embedded C++ code. On top of that is a huge pile more code. It's not going to be bug free, and at least some of those bugs will be exploitable. It does about the same set of things as other modern operating systems to reduce the damage that a compromised application can do (e.g. making it easy to run apps in sandboxes), but any network-exposed system running arbitrary code is vulnerable, the only question is whether the effort involved in finding and exploiting a vulnerability is greater than the reward.

    --
    I am TheRaven on Soylent News
    1. Re:Not really surprising by realityimpaired · · Score: 2

      Possibly a biased source, but not exactly a shocking conclusion.

      That's the problem. While the conclusion is hardly surprising, and is in fact what many people have been predicting for years, a lot of people are going to say "oh, it's Microsoft, FUD!" and ignore it. Interestingly, using many of the same vectors a virus for Linux is equally possible, it's just that most virus writing these days is done for profit, and it's not a big enough target to make it worth their time.

    2. Re:Not really surprising by drerwk · · Score: 5, Interesting

      Until MS ports Office to Linux, Linux is safe from this particular vulnerability.

    3. Re:Not really surprising by Anonymous Coward · · Score: 2, Funny

      Virus? Seriously you can craft some damned document in postscript that can thrash any system that has the ps interpreter.
      PS is a Turing-complete language. You can pull some crazy stuff with this shit.

    4. Re:Not really surprising by Dunbal · · Score: 2

      a lot of people are going to say "oh, it's Microsoft, FUD!" and ignore it.

      Nah that's the thing about having 90% market share - you don't get ignored even when it _is_ FUD.

      --
      Seven puppies were harmed during the making of this post.
    5. Re:Not really surprising by Entropius · · Score: 1

      Will it actually thrash it so that it requires a reboot, or just soak up all the CPU cycles on one core until the user gets around to running top and killall -9? (I guess this basically boils down to: does postscript have a fork call?)

    6. Re:Not really surprising by Megane · · Score: 3, Informative

      The OS X kernel is a massive amount of C and embedded C++ code.

      Except the kernel isn't the problem. I haven't heard a single word about this recent malware crap that indicates it exploits the kernel or somehow achieves supervisor mode. Nor have I heard a single word about user-less exploits, as opposed to how you could simply install Windows, connect to the network, and have it owned within an hour, if not minutes.

      All this has been user land exploits, which require a user to do something. Some of them haven't even required the user to do something stupid, other than to go to "bad" web sites. But stop babbling about the kernel when it's not involved.

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
    7. Re:Not really surprising by Zemran · · Score: 1

      It was also found that the Titanic was not unsinkable... Shock Horror !!!

      I do not think that any intelligent person thought that Macs are unsinkable/invulnerable, just that they are much harder to attack than a Windows box. Same with Linux, of it can be, it is just much more safe than Windows.

      --
      I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
    8. Re:Not really surprising by martin-boundary · · Score: 4, Insightful
      Nope, and yes, it's Microsoft FUD to some extent.

      It's true that *abstractly*, any computer system has bugs and vulnerabilities, and if you attach it to an untrusted network and if this network has a lot of malware that targets the system then compromises will happen, in direct proportion to the quantity of malware in circulation and the number of bugs and vulnerabilities in said system, which itself is proportional to the amount of code etc.

      But having said that, malware is not very smart or adaptable and this has nothing to do with the profit motive: every tiny change in a target system requires a rewrite or an addition to the malware code, and the more additions there are the bigger and more conspicuous the malware becomes, which makes it easier to recognize.

      That's why patching systems is effective, the malware is too dumb to smoothly react to the unexpected. It's also why predominantly Microsoft and to some extent Apple systems are more vulnerable than Linux systems. Microsoft OSes are hyper identical (available APIs, installed software, etc), so malware can be quite dumb and still be successful. Apple systems are a monoculture too. But OSes that come in kits and have lots of alternative subsystems that must be configured by users/owners, like Linux, are inherently safer. The malware just has too many variations to consider when it tries to invade. Note that systems like Android are also more vulnerable, like Apple systems, because the needs of user friendliness and unified user experience result in monoculture again.

      And that's where the commercial/consumer world is shooting itself in the foot. As the installed base grows, the cluster of identical machines grows at the same rate. Whereas in the more chaotic world of Linux/*BSD, the total installed base can grow but it's ok to fracture into alternative distros and flavours, and it suffices for the number of incompatible alternative clusters to grow at the same rate as the total installed OS base, so you can have more and more clusters which are all of a limited size and any malware can only affect one or two clusters at a time.

    9. Re:Not really surprising by binarylarry · · Score: 2

      While kind of true, Linux is so widely used on public networks that it's easily the most secure out of Mac OSX, Windows and Linux.

      That's not to say it's impervious but no one got fired for running Linux. ;)

      --
      Mod me down, my New Earth Global Warmingist friends!
    10. Re:Not really surprising by Anonymous Coward · · Score: 0

      you could simply install Windows, connect to the network, and have it owned within an hour, if not minutes

      Only if the Windows you installed is XP, in which case, you got EVERYTHING that you deserved for installing a 13-year-old operating system onto an unprotected network....

      -AC

    11. Re:Not really surprising by dynamo52 · · Score: 3, Funny

      ... no one got fired for running Linux

      That's because by the time they had a fully functional system, there were so many obscure configurations, custom scripts, and dirty hacks required that they are the only one who knows how to administer it.

      --
      Like this comment? I accept Bitcoin! - 153sc8UUBXyp12ofQqfAWDmJrzyiKCYC1x
    12. Re:Not really surprising by andydread · · Score: 1

      Yes but unfortunately

    13. Re:Not really surprising by jones_supa · · Score: 1

      Does someone know what's the case with Windows 7? Let's say I install the original gold master of Win7 and apply no patches, leave it with a public IP address but don't otherwise do anything. Is the box vulnerable?

    14. Re:Not really surprising by MtViewGuy · · Score: 2

      Leo Laporte on the "This WEEK in Tech" and "MacBreak Weekly" podcasts has said several times over the last 5-6 years that the reason why Macs running OS X haven't been hit with malware was that until very recently, there weren't enough Macs out there to justify the effort to write malware that can infect these machines.

      But now, with the terrifying success of the "Flashback" malware, it's now open season on Mac users. As such, Apple may have to develop a true Internet security suite with automatic virus/malware definition protection updates akin to Microsoft's own Security Essentials 4.0 for Windows XP/Vista/7 so all Internet activity can be closely monitored and all virus and other malware activity immediately stopped in its tracks.

    15. Re:Not really surprising by phantomfive · · Score: 1

      Apple is doing something to mitigate malware problems, though.

      What's the biggest attack vector for malware? Users installing it themselves. What is Apple doing to stop it? Making their App store the primary source for all software installs.

      --
      "First they came for the slanderers and i said nothing."
    16. Re:Not really surprising by __aaltlg1547 · · Score: 2

      But the monoculture of Apple and to a lesser extent Windows is also what makes those systems so useful to so many people. You don't have to understand every intricacy of software systems that branch like a wild vine to get something done on a stock Windows or Apple system.

      The same thing that makes the Apple and Windows system so vulnerable to malware is what makes it so easy for a user or an administrator to comprehend how to use and configure it. And this is for the same reason. It's inefficient for humans to understand a number of intricate systems rather than to just have a working knowledge of one kind of system and then deploy that wherever they can use it.

    17. Re:Not really surprising by __aaltlg1547 · · Score: 1

      It's not widely used because it's secure. It's widely used because it's cheap, and it's easily capable of doing the job in back-end environments where it can be locked down and prevented from running arbitrary code at the user's whim.

    18. Re:Not really surprising by PNutts · · Score: 1

      Does someone know what's the case with Windows 7? Let's say I install the original gold master of Win7 and apply no patches, leave it with a public IP address but don't otherwise do anything. Is the box vulnerable?

      The Microsoft Exec that claimed early in Windows 7 lifecycle backtracked from those comments. Combined with the security patches released since its release the answer is Yes.

      Anyone who thinks otherwise hasn't connected to a network yet.

    19. Re:Not really surprising by Anonymous Coward · · Score: 0

      I've seen this mentioned of MS operating systems more often than Linux or any *nix based system. Don't pretend that MS doesn't have its huge unwieldy share of incompetent sysadmins who (I have actually watched this happen) will download an unvetted binary blob from a questionable website to install on the company server because they didn't want to have to write a simple script. Luckily there was a backup from that morning, because the server was completely owned before we (tried) to leave for the day.

    20. Re:Not really surprising by Anonymous Coward · · Score: 0

      Did you not see where OP mentioned "original gold master of Win7 and apply no patches"? And you proceeded to say "Yes, if you install all patches since release"? Are you effectively claiming "No, Win7 default install unpatched will be owned in a matter of hours once connected to a network"?

    21. Re:Not really surprising by Billly+Gates · · Score: 1

      Actually it's drive-by downloads. Clicking something is so 1990s.

      Flash and Adobe make it easy. Use a php webserver and exploit it with a bad ad. The owner will not know and your users will get infected instantly through flash. Wordpress is a classic example.

      Linux is targeted too for these reasons. Mostly to serve malware and I gave up trying to warn people here as they are so drunk with the Kool-Aid.

    22. Re:Not really surprising by Billly+Gates · · Score: 1

      If that gold master copy is not behind a firewall it will be owned in 30 minutes.

      Before you go about saying MS sucks the same can be said about Linux and MacOSX. In a rewipe on my machine which contains an old gold master OEM Windows 7 there are 160 updates for the OS and Office. That is a lot but an older Fedora 13 laptop I have around has 130 updates as well. My guess is so does MacOSX.

      The grandparent is incorrect. No most malware in 2012 does not require the user to do anything but browse a page. BAM, flash is executable complete with a full compiler with no trust relationship at all! Flashback could get your mac owned even if you close that dialogue box on Java update. Seriously.

      My anti virus software even notified that slashdot served a fake virgin ad that tried to 0wn my system. If you ran Windows and no anti virus 4 weekends ago your system is hosed. People need to learn and be aware of the dangers of flash, pdf, and ajax. Windows XP and IE 6 are no longer the security threats and have not been in 10 years.

    23. Re:Not really surprising by Anonymous Coward · · Score: 0

      There have been *dozens* of OSX exploits where you get owned simply by visiting a website and the attacker gets root access. Open your eyes. Or maybe you're purposely lying.

    24. Re:Not really surprising by mjwx · · Score: 1

      Possibly a biased source, but not exactly a shocking conclusion.

      What other software maker on this planet would know more about being vulnerable to malware than Microsoft?

      They are pretty much the foremost experts in that field.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    25. Re:Not really surprising by Air-conditioned+cowh · · Score: 1

      Until MS ports Office to Linux, Linux is safe from this particular vulnerability.

      They don't need to. Office 2007 works flawlessly on Linux under Wine.

    26. Re:Not really surprising by RyuuzakiTetsuya · · Score: 1

      Flashback isn't nearly as bad as most on windows

      Yes. Macs are vulnerable to intrusion. But the problem with analyzing OSX's security versus windows isn't that windows is popular, but windows has gone its own way for permissions and security for the last two decades. Everyone else is running a UNIX-like. While UNIX-likes aren't completely safe, the security model was designed to treat user land as inherently untrustworthy.

      While a root priv escalation exploit might in theory be trivial, I doubt we'll see one used due to the finicky nature of such exploits.

      --
      Non impediti ratione cogitationus.
    27. Re:Not really surprising by Anonymous Coward · · Score: 0

      If that gold master copy is not behind a firewall it will be owned in 30 minutes.

      Before you go about saying MS sucks the same can be said about Linux and MacOSX.

      In relation to Linux being 'owned' within 30 mins, any citations or evidence?
      Let's assume a popular desktop Linux distro, say Ubuntu, Fedora etc.

    28. Re:Not really surprising by Megane · · Score: 1

      I see you didn't bother to link to even one of them.

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
    29. Re:Not really surprising by cyber-vandal · · Score: 2

      Bullshit. Office 2007 doesn't even work flawlessly under Windows.

    30. Re:Not really surprising by MacWiz · · Score: 1

      My initial take from the headline was that Microsoft was not predicting anything, but rather promising. The other thing about having such a large market share is that it leads to aggressively protecting that market share.

      "Even though Mac OSX has introduced many mitigation technologies to reduce risk, your protection against security vulnerabilities has a direct correlation with updating installed applications."

      As someone who used OS9 for most of my work until late 2010, it seems as if updating to OSX and updating all of my applications has actually reduced protection against security vulnerabilities.

    31. Re:Not really surprising by exomondo · · Score: 1

      I see you didn't bother to link to even one of them.

      Did you have your head in the sand last month? Heard of Flashback?

    32. Re:Not really surprising by tlhIngan · · Score: 1

      All this has been user land exploits, which require a user to do something. Some of them haven't even required the user to do something stupid, other than to go to "bad" web sites. But stop babbling about the kernel when it's not involved.

      Most modern malware exists in userland these days because it's the most effective and still does what you want.

      First, userland hacks will never trigger any sort of alert to authenticate, and most OSes support some way to start up automatically on login, also accessible by the user. Next, the malware can really do a lot of things - if you want access to user data, you got it, if you want to send spam, no admin required. If you want to DDoS some machine, ditto.

      The infection vector is often manually installed onto vulnerable sites, but the payload can be run as a normal user in most circumstances. Sure, it's a lot harder to hide and any elevated application can nuke and kill them, so you have to counteract it by using plausible sounding executable names and making it so that each piece looks out of each other.

      As long as security is taken without respect to Dancing Pigs, all users are vulnerable. It doesn't matter what OS you run - Windows, Linux, OS X, etc., or what permissions you run them at (admin only, user only), they're all vulnerable. Hell, people who buy shell accounts for Linux are often user-only and may get infected if they do much with it.

    33. Re:Not really surprising by Anubis+IV · · Score: 1

      Possibly a biased source

      "Possibly"? It's FUD, but it's FUD of the best type, since it has an element of truth to it.

      That said, I wouldn't mind more of this sort of "research". I'd love to hear Google's research on how well Facebook maintains the privacy of its users.

    34. Re:Not really surprising by Billly+Gates · · Score: 1

      Linux is the number one target for serving malware ads through PHP and other flaws.

    35. Re:Not really surprising by crutchy · · Score: 1

      if your claim is true (seems possible), it is because of flaws in the php apps themselves that are exploited via xss, sql injection, etc. many app developers don't follow simple rules such as sanitizing inputs and escaping outputs. this doesn't have anything to do with the OS running the server though; it just happens to be that linux is the most popular web server OS. there are probably plenty of ex-mscse's pretending to be linux experts and not having a clue how to secure a linux production web server though; who can blame them though, what with no dialog boxes or anything.

    36. Re:Not really surprising by crutchy · · Score: 1

      you're an idiot for thinking linux has anything to do with the security of php apps

  4. user-friendly software deemed insecure, news at 11 by Anonymous Coward · · Score: 5, Insightful

    Maybe we need a new motto? You can have it easy to use, affordable or secure. Choose two.

  5. Thank you captain obvious by sl4shd0rk · · Score: 0, Flamebait

    Thanks MS. Another opportunistic moment to point out to the world you're not the only f*uck-up in the solar system.

    --
    Join the Slashcott! Feb 10 thru Feb 17!
  6. MS is the vector apparently by drerwk · · Score: 2

    I'm most concerned that this malware uses a three-year-old flaw in Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, and Open XML File Format Converter for Mac. Here's the corresponding security bulletin: MS09-027 - Critical.

    1. Re:MS is the vector apparently by drerwk · · Score: 1

      And I suppose, to be fair, inattentive OS X users.

  7. The voice of experience by sootman · · Score: 2, Funny

    If anyone has a lot of viruses to examine, it's Microsoft!

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
    1. Re:The voice of experience by arbiter1 · · Score: 3, Insightful

      Accepting the fact your OS has flaw's is first stepping to make a secure OS, Apple for years claimed their OS didn't have any. Know all mac fan boys are finding out the hard way and its only gonna get worse.

    2. Re:The voice of experience by Joce640k · · Score: 4, Informative
      --
      No sig today...
    3. Re:The voice of experience by FreedomOfThought · · Score: 1

      I had to read this 3 or 4 times to understand what you were trying to say.

    4. Re:The voice of experience by Anonymous Coward · · Score: 0

      Accepting the fact your OS has flaw's is first stepping to make a secure OS, Apple for years claimed their OS didn't have any. Know all mac fan boys are finding out the hard way and its only gonna get worse.

      [citation needed]

      Can you please provide references to where Apple has claimed this. This line has been repeated so often that it has its own name: Artie MacStrawman.

      Do a search for that term and tell me what you find.

    5. Re:The voice of experience by whisper_jeff · · Score: 1

      Accepting the fact your OS has flaw's is first stepping to make a secure OS, Apple for years claimed their OS didn't have any.

      Uh, no. They didn't. The fact that they've regularly and consistently provided security updates shows that they recognize that they have flaws in their OS that need patching. What they have claimed is that they don't have a lot of viruses, which is absolutely true. Due to Macs not being worth targeting because of a smaller user base, malicious attacks against Macs were very rare compared to PCs (which is always the benchmark they compared themselves to). So their claim was true.

      They have never, however, claimed they don't have flaws and their actions demonstrate clearly that they know they do have flaws that need fixing once spotted.

    6. Re:The voice of experience by burne · · Score: 4, Insightful

      Do I need to point out that the recent incident with FlashBack would have been impossible without gaping holes in Adobe's Flash, Oracle's Java and Microsoft Office?

      Microsoft makes an office suite with no easy way to notify users of available updates and blames Apple for the gaping holes in Office?

    7. Re:The voice of experience by Nerdfest · · Score: 1

      Well, there is a mechanism available to notify users of these updates, but I'm guessing MS is not that interested in handing over 30% of their price. I think Apple's exclusion of 3rd party repositories from their marketplace is pure greed. The Linux model they borrowed from should have been more blatantly copied. I think Windows should do the same, but I think they're following the iOS approach for Metro that locks users to a single market.

      One of the best features of Ubuntu, etc, is the single channel for software updates and patches.

    8. Re:The voice of experience by Anonymous Coward · · Score: 0

      Apple has gone out of its way to portray their systems as being immune or otherwise unsusceptible to malware, even if they cagily do so without specifically stating it! Furthermore, they have a history of only grudgingly acknowledging that the OS has flaws, and also of patching it haphazardly and/or slowly and/or quietly.

      They have gone to great lengths to cultivate the mistaken impression amongst the unwashed masses that their OS is better than Windows because Windows gets exploited, insinuating that theirs doesn't...

      As such, for MOST of the Apple user base, this exploit comes as a complete shock to their perception of reality...

      -AC

    9. Re:The voice of experience by sootman · · Score: 1

      When did MS first accept that their OS had flaws? Because securing Windows was about a 12-year journey.

      --
      Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
    10. Re:The voice of experience by makomk · · Score: 1

      Oracle had closed that "gaping hole" several months earlier, it's just that Apple are really slow at releasing security fixes for serious vulnerabilities in third-party software they bundle with their OSes.

    11. Re:The voice of experience by BronsCon · · Score: 1

      As for "mac fan boys", if you mean "someone who stupidly claims that Mac OS is completely impervious to malware" I challenge you to name an actual person who fits this mythological description

      My boss, even after I told him I had found FlashBack on our PM's Mac and removed it.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    12. Re:The voice of experience by breser · · Score: 2

      Microsoft has included AutoUpdate in Office for years. Every few months when they put out an update it pops up and downloads it for me. You can get to it by going to the Help menu and choosing Check for Updates in any Office Application if for some reason you want to run it manually. Maybe they could do a better job, but I think your statement that there is no easy way to notify users is fundamentally false.

    13. Re:The voice of experience by PNutts · · Score: 1

      Apple for years claimed their OS didn't have any.

      Citation needed. From the Apple Support Communities site (non-authoritative): To deal with the Malware, Apple recommends disable Java for anyone with 10.6.7 or less who can't upgrade.

      Here's a link from Apple's support site posted in 1998 describing how to protect yourself against viruses in Mac OS 8.1.

      I'm too lazy to look for older links.

    14. Re:The voice of experience by jbolden · · Score: 1

      Mac fanboys aren't finding out much of anything the hard way. Most of them have spent years in a relatively virus and spyware free world without having to worry too much. Not perfect but rather good, while Windows users live in a constant state of war.

      And it may or may not get worse. Apple has a lot of potential security in place that can be implemented almost instantly if security becomes a top priority; Microsoft was introducing new security features as the virus and spyware wars started. Apple's other substantial advantage is that unlike Microsoft Apple has a user base that supports them in rapid breaking changes i.e. a weak culture of binary compatibility. Which means that Apple can force security measures in place quickly and expect application developers to roll out updates in weeks.

      What Apple users may find out is what they've been finding out. That there are advantages to government over anarchy and Apple does a great job managing its platform.

    15. Re:The voice of experience by gcerullo · · Score: 0

      Well, there is a mechanism available to notify users of these updates, but I'm guessing MS is not that interested in handing over 30% of their price.

      Yes, they think it's better to hand over 50%, or more, selling through retail. I think you'll find that future versions of Office for the Mac will be App Store apps going forward.

      Actually, Office has had a mechanism to notify users of available updates since at least Office 2004 which was the last version of Office I used. Personally I find iWork for the Mac a much better office suite than MS Office. MS Office may be slightly more powerful in some of its capabilities but it is archaic.

    16. Re:The voice of experience by gtall · · Score: 1

      Maybe Apple simply doesn't trust the rest of the would-be app stores. What are they going to do, allow MS to set up an app store for Macs given MS's reputation for security? And just how do they police new app stores to make sure they are doing all the checks Apple is doing? Greed probably has little to do with it, rather fear of the iStuff turning into the cesspool that is MS probably has a lot more to do with it.

    17. Re:The voice of experience by RazorSharp · · Score: 1

      It's not like all apps in Ubuntu's repository are free. It just makes sense that more software on Linux repositories would be free given the nature of the users. Many of those who have made desktop Linux a reality have done so because they believe software should be free and open. The people who made Mac OS X a reality did so because Apple paid them to so Apple could sell computers.

      If Microsoft and Apple had the same market philosophy as Canonical and Red Hat and others then Linux probably would have never come about (at least, as the phenomenon it has become).

      For me, I haven't downloaded much off the Mac App store but the ones I've paid for were games. When looking for an application that actually does something, I usually switch over to Ubuntu. Free software will always be nipping at the commercial vendors' heels, all the way up until it catches up and pounces.

      --
      "From the depths of my skeptical and rationalist soul, I ask the Lord to protect me from California touchie-feeliedom."
    18. Re:The voice of experience by Nerdfest · · Score: 1

      You can install software from any source on a Mac (for now), and are not limited to their marketplace. It is quite obviously about either greed or a forthcoming lockdown.

    19. Re:The voice of experience by Nerdfest · · Score: 1

      Free or not, I think operating systems should have a central update mechanism that can be used by any repository. With Windows, etc, you need to check for updates in many cases manually, from a variety of sources. Apple had the opportunity to build it in and didn't.

    20. Re:The voice of experience by Anonymous Coward · · Score: 0

      It usually goes:

      PC: I got a virus again

      Mac: I haven't gotten a virus in a long while. I don't have to worry about it as much and it's nice to not have to spend so much energy on the PIA du jour.

      PC: Damn Fanboi's think their OS doesn't get viruses. (waiting on update 45 / 116). They're dicks.

    21. Re:The voice of experience by Anonymous Coward · · Score: 0

      Within TWO MONTHS, February vs. April, not "several months" and Apple moved responsibility for Java to Oracle back in 2010. This is legacy support only. Going forward, it's not a problem, just like keeping Flash updated isn't their problem now.

  8. No one is safe by nurb432 · · Score: 2

    No matter how 'secure' a system is, as long as end users have the ability to install software, systems will still be at risk. It's just part of the deal.

    If your particular systems are attacked or not, depends on your market share.

    --
    ---- Booth was a patriot ----
    1. Re:No one is safe by Anonymous Coward · · Score: 0

      Malware can exist without physical installation, even if this is not persistent between boots of course, furthermore even without the *users* ability to install software, every system can be subject to privilege escalation if such a privilege system is actually in place (assuming the OS is not an entirely self contained system with no means to write anything).

    2. Re:No one is safe by jbolden · · Score: 1

      We've just seen multi billion dollar virus written for the embedded systems in nuclear reactors and power regulators. It ain't just market share.

    3. Re:No one is safe by nurb432 · · Score: 1

      That was a targeted attack, so it really doesn't count.

      --
      ---- Booth was a patriot ----
    4. Re:No one is safe by nurb432 · · Score: 1

      What I was trying to say is that even if we did have a system with zero holes, as long as users can "install/execute" something on their own, it will never be secure.

      --
      ---- Booth was a patriot ----
    5. Re:No one is safe by jbolden · · Score: 1

      Those were 2 different attacks by 2 different groups. The regulators were here. We've also seen the Chinese test some capabilities.

      Maybe fair would be you get attacked for:

      a) Market share
      b) Corporate espionage
      c) Military

    6. Re:No one is safe by Alex+Belits · · Score: 1

      Users installing trojans is not a security vulnerability, it's users being stupid.

      Making it UNNECESSARY for a user to install software by running a random executable found by google search is a good decision by OS developers and distributors. However security is only meaningful from the point of view of user who is aware of such a thing as "security" in the first place. Which means, worms and drive-by installations of malware are true security threats -- a user who uses computer in a safe manner is still vulnerable to them if his system is insecure. "Run this executable as root/Administrator, and ignore all warnings" is not.

      --
      Contrary to the popular belief, there indeed is no God.
    7. Re:No one is safe by Anonymous Coward · · Score: 0

      If you take all the software available for windows and put it in a repository. It would be no different from "running a random executable". There are not enough people in the world to verify that amount of software. Be glad that nobody uses Linux.

    8. Re:No one is safe by Alex+Belits · · Score: 1

      Linux distributions have maintainers.

      There are not enough people in the world to verify that amount of software.

      If there are enough people to write software, there certainly are enough to maintain packages.

      Be glad that nobody uses Linux.

      Oh, I see. More Microsoft marketing subcontractors.

      --
      Contrary to the popular belief, there indeed is no God.
    9. Re:No one is safe by Anonymous Coward · · Score: 0

      If there are enough people to write software, there certainly are enough to maintain packages.

      Please explain how you are going to find enough people with sufficient skills to go through source code of millions of pieces of software and determine that it contains no Trojan or other security vulnerability (after every single source code checkin). And that is assuming every single thing is open source and that there are no binary blobs or other proprietary software in the repository. If what you say is to be true you need at least 10 times the amount existing software developers.

      Also if you found a vulnerability in some software, if the repository does not have the ability to 'remote kill' then all the people who installed the software are screwed.

      Oh, I see. More Microsoft marketing subcontractors.

      Actually open source has worse enemies than that. It includes the million+ companies developing closed source software. Microsoft will continue to be a billion dollar company for at least next 50 years. All the mid to small companies can easily be killed by 100 or so engineers cloning their proprietary product and giving it away for free.

      Nobody at Microsoft gives a shit about comments on Slashdot. These days it simply is irrelevant. The actual influential blogs are filled with ms fanboys and I don't think microsoft is going to waste money when they get it for free. But if you want to engage in paranoid theories, it's your choice.

    10. Re:No one is safe by Alex+Belits · · Score: 1

      Please explain how you are going to find enough people with sufficient skills to go through source code of millions of pieces of software and determine that it contains no Trojan or other security vulnerability (after every single source code checkin).

      Simple. Unless someone else is volunteering, developer company has to be the maintainer, and software is built on the distribution's build servers. If they produced malware, there are build logs, sources, full paper trail pointing to the people responsible, and their agreement with distribution when they became the maintainers.

      Also if you found a vulnerability in some software, if the repository does not have the ability to 'remote kill' then all the people who installed the software are screwed.

      But it does. Auto-update procedure does exactly that with the old version.

      Actually open source has worse enemies than that. It includes the million+ companies developing closed source software.

      Had. Now there are none left -- market got monopolized by Microsoft, Adobe and their few close "friends", so commercial distribution "binaries for money" is already dead for everyone else. No one has a glimmer of hope for breaking into that market, ever. Even games switched to pseudo-service model with subscriptions and DLC.

      Microsoft will continue to be a billion dollar company for at least next 50 years.

      Wishful thinking.

      All the mid to small companies can easily be killed by 100 or so engineers cloning their proprietary product and giving it away for free.

      All mid to small proprietary software companies that make their money on licensing fees, died in 80's. Along with almost all big and giant ones. There is nobody there but few remnants clutching pieces of the market they managed to once monopolize -- Microsoft, Adobe, Autodesk, Altium. No one will ever enter their market as a replacement, they will die, and then there will be none of them.

      Nobody at Microsoft gives a shit about comments on Slashdot. These days it simply is irrelevant.

      Sure, they do. They want to present their opinions as relevant, intimidate developers, bury them under bogus complaints to misdirect future development, create an impression that Microsoft is winning.

      The actual influential blogs are filled with ms fanboys and I don't think microsoft is going to waste money when they get it for free.

      What "influential blogs"? Who reads "blogs" anyway?

      But if you want to engage in paranoid theories, it's your choice.

      There is nothing paranoid about pointing out things that Microsoft was multiple times caught doing.

      --
      Contrary to the popular belief, there indeed is no God.
  9. Will be a surprise to most OS X users by Stem_Cell_Brad · · Score: 2

    While I will agree with lack of surprise from /.ers, most of my colleagues that enjoy their Macs like to tout "invulnerability" to malware. Mac-pride makes them brave/foolish to the point they will not bother with anti-virus. I think they are more the norm than exception for Mac users. Once the Mac OS reaches a high enough number of users, there will be a significant surprise for most users.

    1. Re:Will be a surprise to most OS X users by arbiter1 · · Score: 0

      I been saying it for years it was only a matter of time before it happens, Apple painted a picture of 100% secure OS for years now they are eating their words.

    2. Re:Will be a surprise to most OS X users by jbolden · · Score: 1

      I've been on /. and using a Mac for about a dozen years with no anti-virus and no adware protection. No hint of problems.

      There is nothing foolish about it. There just isn't much incidence of infection. Once there is a high incidence then I'll start running security junk.

    3. Re:Will be a surprise to most OS X users by Anonymous Coward · · Score: 0

      I would ask you to show me where on the Apple website they paint this picture of 100% security but I won't because I know that you can't. In fact if you'd like to look at their website it says that "no system can be 100 percent secure" and then points you to other resources for security. Of course it was only a matter of time before Apple computers started to experience security threats, but I doubt Apple is eating their words, especially with the security features they'll be adding in the next version of Mac OS X

  10. Re:user-friendly software deemed insecure, news at by Anonymous Coward · · Score: 2, Insightful

    The thing is OSX doesn't really fit into ANY of those categories =P

  11. People have been saying this for a long time. by metrix007 · · Score: 2

    It's about marketshare. It has only ever been worthwhile for virus writers to target a platform that is popular enough to warrant a return on investment, whether that be fame or clandestine botnet software.

    People always used to use half baked arguments trying to claim that OS X was more secure because it was "unix" or some crap, despite OS X being very insecure for most of its run.

    Aside from being common sense this is supported with some pretty solid mathematics, not least an article in an IEEE journal showing there is a certain percentage of marketshare that would attract malware. We are now seeing this with OS X and we have seen it previously with Android.

    What will be interesting is how Apple react. Will they tighten the grip they have on their users and restrict them even more, or actually get off their butts and increase their security and respond to problems in a mature and timely manner.

    --
    If you ignore ACs because they are anonymous - you're an idiot.
    1. Re:People have been saying this for a long time. by flyingfsck · · Score: 4, Insightful

      Hmm, since Linux has by far the largest market share, then by your logic, it must have the most viruses. Yes, Windows probably has the largest market share on desktop machines (a dying breed), but Linux leads on computers overall, by a wide margin. Samsung alone sells hundreds of millions of Linux machines each quarter. So where are the Linux viruses? The difference is in the design, which is not dependent on market share.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    2. Re:People have been saying this for a long time. by Anonymous Coward · · Score: 1

      This always makes me laugh.

      Desktop space is always what has been talked about. You don't have a lot of direct execution of apps by users on a server.

      Moreover, you're going to spout the usual BS about "The desktop is dying"?

      That has only been bruited about for...20+ years now?

      Desktop = Rasputin?

    3. Re:People have been saying this for a long time. by flyingfsck · · Score: 1, Interesting

      OK, so compare viruses on servers then. Linux clearly runs the vast majority of servers compared to Microsoft. So how does Windows Server stack up security wise? The difference is in the design.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    4. Re:People have been saying this for a long time. by benjymouse · · Score: 1

      It's about marketshare.

      No it is not. It is about yield.

      Two things have been happening over the past years
      * OS X has increased in market share
      * Windows and apps running on Windows have grown

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
    5. Re:People have been saying this for a long time. by Anonymous Coward · · Score: 1

      So where are the Linux viruses?

      In google play.

    6. Re:People have been saying this for a long time. by Anonymous Coward · · Score: 0

      Do you even know what you're talking about?

      Properly configured, Windows Server 2008 stacks up perfectly well against any other mainstream server OS... I would even go so far as to say, a freshly installed, out-of-the-box, with default settings, Server 2k8 installation is MORE SECURE than most Linux distros (again, assuming a brand-new, straight-up-default install)...

      The difference is in the design indeed....

      -AC

    7. Re:People have been saying this for a long time. by spire3661 · · Score: 1

      The standard 'big box' desktop is on its way out. Pocket computers and docking stations are the future, bank on it.

      --
      Good-bye
    8. Re:People have been saying this for a long time. by Anonymous Coward · · Score: 0
    9. Re:People have been saying this for a long time. by BronsCon · · Score: 1

      I was not aware that there was a docking station that provided peripheral (including USB, printing, and mass storage) support, an extended display, and a full hardware keyboard and trackpad (or mouse/trackball/whatever via USB) for an existing iDevice. In fact, I'm still not aware that there is, even after reading your link.

      My Motorola Atrix 4G has this and I am typing this reply from it right now. I think spire3661 might be banking on WebTop, an Android extension (by Motorola Mobility, now owned by Google, so likely to become a mainstream Android feature) which runs a full desktop Linux distro (modified Ubuntu in the case of my Atrix). Nothing like it for iOS as far as I'm aware, and I'm saying this as someone who works with OSX daily, has used an iPhone 3G as a primary phone for several months, and whose wife owns an iPad, iPod Touch, and iPhone 4s, all of which I have used to some extent.

      In considering switching back to iPhone, I looked for a LapDock replacement and found nothing suitable.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    10. Re:People have been saying this for a long time. by Anonymous Coward · · Score: 0

      Windows servers are almost always just file servers on LANs, not application servers. Toss in mail/exchange servers and that's about 90% of the WS market. As such they can spread malware but won't be running it.

    11. Re:People have been saying this for a long time. by shutdown+-p+now · · Score: 1

      So how does Windows Server stack up security wise?

      Why don't you tell us? Go to Secunia, look at the numbers of vulnerabilities (known & fixed, and severity), and post them. You might also want to look at the other parts of server stack - e.g. IIS vs Apache, or MySQL vs MSSQL.

    12. Re:People have been saying this for a long time. by Anonymous Coward · · Score: 0

      The standard 'big box' desktop is on its way out.

      Ahh, another tech dickhead who claims to know the future based largely on his own severely limited world view and regurgitating the false prophecies of other like-minded fools on the Interwebs. One thing is for sure, if Steve Jobs's tiny dick miraculously rose up from his grave you'd be there so suck it and pat yourself on the back after sucking down the gravy.

    13. Re:People have been saying this for a long time. by metrix007 · · Score: 1

      I don't see the conclusion your post seems to be implying. Could you clarify?

      --
      If you ignore ACs because they are anonymous - you're an idiot.
    14. Re:People have been saying this for a long time. by Alex+Belits · · Score: 1

      Because the number of vulnerabilities admitted by developers has nothing to do with number of vulnerabilities that exist. Linux developers label any bug as a security vulnerability if there is even a slightest suspicion that it may be exploited for something, somehow.

      --
      Contrary to the popular belief, there indeed is no God.
    15. Re:People have been saying this for a long time. by shutdown+-p+now · · Score: 1

      Secunia is not the "number of vulnerabilities admitted by developers". It's the number of vulnerabilities that are made public one way or another - the company doesn't even have to acknowledge for something to be registered as a vulnerability.

      All exploits are either exploits or not - e.g. any buffer overflow is a potential arbitrary code execution attack, unless proven otherwise. That said, when a vulnerability is very hard to exercise, it would generally be given the appropriate severity, so you can compare them on those. Or, if you don't trust their ratings, look at the details, and judge for yourself.

      So, anyway, are we going to see some factual numbers, or not?

    16. Re:People have been saying this for a long time. by Alex+Belits · · Score: 1

      Secunia is not the "number of vulnerabilities admitted by developers". It's the number of vulnerabilities that are made public one way or another - the company doesn't even have to acknowledge for something to be registered as a vulnerability.

      Sure, it does. Until then, it's "unconfirmed".

      All exploits are either exploits or not - e.g. any buffer overflow is a potential arbitrary code execution attack, unless proven otherwise.

      Even buffer overflows now usually come in a more complex form than "someone left string on stack and didn't bother with size limits" -- it's off-by-one integers, integer overflows, weird unchecked dereferencing, etc. While still dangerous, they are now automatically labeled as "arbitrary code execution" and fixed without anyone bothering to dig any deeper. Likely only a very small fraction of those are exploitable, and even smaller fraction would be exploited even if every malware author in the world switched to writing Linux exploits.

      That said, when a vulnerability is very hard to exercise, it would generally be given the appropriate severity

      No. See above. All arbitrary data corruption in anything open source is automatically labeled as "arbitrary code execution". Windows doesn't have this kind of standard.

      , so you can compare them on those. Or, if you don't trust their ratings, look at the details, and judge for yourself.

      Then why don't Microsoft "security researchers" go and do just this? Take all known "arbitrary code execution" bugs, try to write proof of concept exploits, record success rate per time periods. See how many of those are comparable to known Windows vulnerabilities -- each with known exploits.

      So, anyway, are we going to see some factual numbers, or not?

      Not unless Microsoft geniuses already did that, and found something they like.

      --
      Contrary to the popular belief, there indeed is no God.
    17. Re:People have been saying this for a long time. by Anonymous Coward · · Score: 0

      All arbitrary data corruption in anything open source is automatically labeled as "arbitrary code execution". Windows doesn't have this kind of standard.

      What the fuck are you talking about. "anything open source" includes 99% useless shitty software that is clones of some better superior tool and 1% of useful software. It's laughable that your propaganda is so transparent. Linux kernel continues to have dozens and dozens of verified exploitable security bugs. In every single version they add a new kernel bug. It helps to root almost every single android phone. There are countless rooted Linux boxes serving malware to windows PCs. Most boxes use some shitty open source database that allows attackers to get local user access, and from then with the dozens of working linux privilege escalation bugs you can get root. It is too simple.

    18. Re:People have been saying this for a long time. by Alex+Belits · · Score: 1

      How is this copypasta in any way relevant to anything being discussed?

      --
      Contrary to the popular belief, there indeed is no God.
    19. Re:People have been saying this for a long time. by Alex+Belits · · Score: 1

      Most boxes use some shitty open source database that allows attackers to get local user access, and from then with the dozens of working linux privilege escalation bugs you can get root. It is too simple.

      This is the only thing that deserves being responded to.

      Databases are fine. There are PHP (and only PHP for some reason) scripts written by incompetent "programmers" that allow to write local files. Occasionally it's even possible to write an executable file, and, with more luck, cause it to run as a web server user. Where usually the "exploit" ends because there are no "dozens of working linux privilege escalation bugs" anywhere outside of your imagination. Most Linux boxes that are broken into, are abandoned or maintained by people who can't run anything on any OS without messing up. When anything happens with any system that is supposed to be maintained by sane and competent people, it's news at the scale of at least minor war, usually stolen passwords are involved, and everything is up and running, clean and patched, before anyone can notice.

      --
      Contrary to the popular belief, there indeed is no God.
    20. Re:People have been saying this for a long time. by Anonymous Coward · · Score: 0

      Where usually the "exploit" ends because there are no "dozens of working linux privilege escalation bugs" anywhere outside of your imagination.

      hahaha..

      http://www.exploit-db.com/exploits/18411/

      http://www.exploit-db.com/exploits/18280/

      http://www.exploit-db.com/exploits/18163/

      http://www.exploit-db.com/exploits/17391/

      http://www.exploit-db.com/exploits/17787/

      lol.. I got bored copy pasting because there are just so many bugs that are found out. Why do linux developers suck so bad? They are continuing to plug leaks while hackers continue to find bugs. Of course I know these are probably patched by now, but if you want unpatched ones you need to pay ;-) they are not for free.. hehe. Meanwhile windows kernel has had very little bugs so far and most windows security exploits are due to buggy drivers, msoffice, flash, pdf, etc. vulnerabilities. If you can't see this difference then you are a stupid person and you should kill all your friends and then kill yourself. :-D

      Most Linux boxes that are broken into, are abandoned or maintained by people who can't run anything on any OS without messing up

      lol wut? Blame the user. Nice OSS strategy. linux only works if its locked down.. like on android.. or you are forced to hire a person to administer it .. like on servers. for general use case.. linux is a complete failure.

    21. Re:People have been saying this for a long time. by Alex+Belits · · Score: 1

      All those are patched, and only became known BECAUSE they were patched.

      lol wut? Blame the user. Nice OSS strategy. linux only works if its locked down.. like on android.. or you are forced to hire a person to administer it .. like on servers. for general use case.. linux is a complete failure.

      There is nothing that can be done to provide any kind of security if the user writes software that actively undermines security and runs it on his system.

      Windows "advocates" like yourself are trying to conflate it with "don't go to suspicious web sites and pray that there are no exploits on legitimate ones" and other pseudo-common-sense recommendations given to Windows users to somehow decrease the exposure to attacks. In reality, on a secure OS, developer has to write software in a secure manner, AND IT WILL WORK. When a moron with PHP writes something that executes a string submitted in a form, it's his and only his fault.

      When the user clicks on a URL -- any URL -- and a piece of malware immediately takes over the system, it's the problem with software being insecure, and any "safe" behavior that is supposed to avoid it, merely delays the inevitable. It may be still stupid of user to click on every link, but the security problem is with the software, not the user.

      --
      Contrary to the popular belief, there indeed is no God.
  12. But But by Anonymous Coward · · Score: 0

    Please can no one chime in with the comment that Apple said Macs can't get viruses. They never said that. Not even in the "I'm a mac, I'm a PC" advert. They said they can't get a windows virus.

    Anyone who continues to believe apple said they can't get a virus or continues to believe such foolishness, really shouldn't be commenting somewhere like slashdot.

    1. Re:But But by Anonymous Coward · · Score: 0

      Macs don't get pc viruses, they get mac viruses.
      Are you happy now ?

    2. Re:But But by Anonymous Coward · · Score: 0

      Much better! Thanks

    3. Re:But But by spire3661 · · Score: 1

      The other day my NAS reported to me that there are some virus files it quarantined in the Mac backup sparsebundle. So of course i run out and install Sophos on the mac and do a full scan. Turns out it was my Win XP VM that got hosed. So in this case, macs DO get PC viruses.

      --
      Good-bye
  13. Funny by iMouse · · Score: 4, Insightful

    ...a poorly written Microsoft product leaves a vulnerability open for exploitation, yet it is Microsoft who provides an internal assessment and statement that Macs are "not safe from malware".

    1. Re:Funny by Anonymous Coward · · Score: 0

      When malware uses 3rd party vulnerabilities to attack Windows, Slashdot is all "LOL Windows is so insecure. What a piss-poor OS."

      When malware uses 3rd party vulnerabilities to attack OS X, Slashdot is all "LOL it's Microsoft's fault because they are a 3rd party vendor who introduced a vulnerability in OS X."

      Ahhh Slashdot. I stopped taking you seriously years ago because it became obvious to me that most posters around here simply are not intellectually honest.

    2. Re:Funny by Anonymous Coward · · Score: 0

      Are you suggesting that the average person IS intellectually honest? Do you live in your parents' basement or something?

    3. Re:Funny by Anonymous Coward · · Score: 0

      Does not matter. Operating system is vulnerable, and attackers don't care about the story or the irony behind vulnerability.

    4. Re:Funny by dontmakemethink · · Score: 1

      I believe the term "takes one to know one" has never been more fitting.

      But it's true, Macs are now plentiful enough to attract the attention of malware purveyors, and the fact that the target market is so unsuspecting must be making them salivate. It's certainly in M$'s best interests to make this known, and they're doing the Mac fanboi's a favor by putting them on alert.

      And before someone sharp-shoots me on the apostrophe, it's acceptable to use one when otherwise the plural forms a misleading word. "Fanbois" looks French...

      --

      War as we knew it was obsolete
      Nothing could beat complete denial
      - Emily Haines
    5. Re:Funny by Anonymous Coward · · Score: 0

      Why the hell is a system with Microsoft Office on the Internet?

  14. Their cheese has holes in it too. by Anonymous Coward · · Score: 0

    Sayeth holiest-of-all-cheeses manufacturer's research division, with as many difficult words as they could muster.

    Fingerpointing isn't all that productive, as in it doesn't get you less holey cheeses, even if it is entirely understandable from their point of view. They've been pointed at for decades. Of course, they started out with ignoring the fingers and ignoring the reasons of the fingerpointing for at least a decade. So now you can see them think (FSVO 'think') that the shoe is on the other foot. And in a sense, apple is acting just as irresponsibly as they were. But instead they could be teaming up and learning something instead of doing some more fingerpointing of their own.

    It just isn't seemly.

  15. Security vulnerabilities by vendor by Presto+Vivace · · Score: 4, Informative

    anyone who is interested can look up security vulnerabilities by vendor.

  16. Did anyone else notice... by voss · · Score: 4, Insightful

    Not only was it opportunistic but the vulnerability comes from A MICROSOFT PRODUCT (It was an office for mac issue)!

    If I were apple and feeling particularly snarky I would send out an email to my users warning about microsoft software including the microsoft post and recommend that they not use Office for Mac and switch over to Libreoffice for a more secure computing experience.

    1. Re:Did anyone else notice... by Amarantine · · Score: 3, Informative

      Not only that: this particular exploit doesn't even work any more in Lion. Only Snow Leopard and earlier.

    2. Re:Did anyone else notice... by Anonymous Coward · · Score: 0

      Good point. I guess they would make them switch over to their "Pages", though :)

    3. Re:Did anyone else notice... by Anonymous Coward · · Score: 1

      Actually, they'd be better off recommending their own product iWork instead. Gains them enough additional users to be able to brag about it and since OSX supports PDF natively, there's not interchange/exchange issues with files. Simply save as PDF and be done with it as almost everyone can handle that format.

    4. Re:Did anyone else notice... by gstrickler · · Score: 3, Informative

      And, it doesn't work if you've applied any of the Office patches in the past 3 years. Patches that Office (by default) notifies you about weekly.

      Very opportunistic.

      Still, they are correct that attacks will increase, and anyone who has refused to install security patches in a needs to change their habits, or they will eventually be infected.

      --
      make imaginary.friends COUNT=100 VISIBLE=false
    5. Re:Did anyone else notice... by antdude · · Score: 1

      And there are Office Mac updates coming out in a couple days with the monthly Tuesday schedule. I remember seeing Office Mac 2008 will have updates which is good for my client's old Mac OS X 10.5.8 that is unsupported by Apple. I wonder when MS drops support on Office Mac 2008.

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    6. Re:Did anyone else notice... by gstrickler · · Score: 1

      I don't know, but I'm sure you can find it on MS website, look for software support life cycle.

      They just stopped supporting Office 2004 in Jan of this year.

      --
      make imaginary.friends COUNT=100 VISIBLE=false
    7. Re:Did anyone else notice... by antdude · · Score: 1

      I found it. I really hate MS' web site design. It ends in about eleven months. :(

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    8. Re:Did anyone else notice... by gstrickler · · Score: 1

      You made two errors:

      1. You assumed MS has a design to their web site.

      2. You didn't use google to search "site:microsoft.com"

      --
      make imaginary.friends COUNT=100 VISIBLE=false
  17. "...Attacks will increase" by BoogeyOfTheMan · · Score: 1

    Am I the only one who thinks the headline sounds kind of like a threat?

    1. Re:"...Attacks will increase" by TheStonepedo · · Score: 1

      We are not alone... unless it's just you and me who read it that way. If that is the case we're paranoidly alone together.

      --
      I'll be your candy shop of infinite deliciousity if you'll be my discotheque of endless rump-shaking.
  18. Old news by Anonymous Coward · · Score: 4, Insightful

    I'm gonna go ahead and cite the Ken Thompson hack here:

    "It's been more than twenty years since I read Thompson's marvelous paper, but I believe I correctly recall his fundamental point: UNIX, and every system like it, can NEVER be "secure". It doesn't matter how many layers of anti-virus software, "internet worm protection", "firewall" or any other buzzword -- systems like UNIX (including all versions of Linux, Macintosh OSX, and all versions of WinXP) will NEVER be secure. Thompson published his paper and revealed his hack in order to demonstrate this point. "

    Closed sourced, open source, free, paid, whatever it is it will never be fully secure and people are foolish to believe anything to the contrary.

    1. Re:Old news by Raenex · · Score: 1

      I'm gonna go ahead and cite the Ken Thompson hack here:

      You don't give a proper cite (as in a link), but a quick search shows that you're quoting somebody on a laid back wiki (c2 is definitely not the same league as Wikipedia) who incorrectly remembers what Ken Thompson's fundamental point was.

      Rather than quote from a wiki, I'll quote from the actual Ken Thompson paper: "The moral is obvious. You can't trust code that you did not totally create yourself."

      There's a big difference in the nature of the attack that Ken Thompson was talking about (trojan) versus software with security bugs. In reality, the sinister Ken Thompson trojan that infects binaries at a deep level (in his case, the compiler) is pretty rare and not the cause of the typical malware incidents seen in practice.

    2. Re:Old news by Alex+Belits · · Score: 1

      The "hack" was a mental experiment with assumptions that were implausible at the time and clearly invalid now.

      --
      Contrary to the popular belief, there indeed is no God.
  19. Re:user-friendly software deemed insecure, news at by Entropius · · Score: 1

    I dunno, Linux seems to be all three to me. It's braindead-easy to install these days -- hell, my mom can do it by herself, which is definitely not true for Windows.

    It's free, and it's pretty secure, only sacrificing security for usability in intentional, configurable ways (i.e. "should I require a password on console login?")

  20. More experience by Anonymous Coward · · Score: 0

    Even worse, sales staff actually tell many customers their macs CANNOT get viruses. Even now, I notice that Apple still doesn't automatically update software by default, so, the only people who tend to install the update are those who are security-minded anyway. OSX is a sitting duck. But, everyone still defends it because a sales person told them "it's based on unix", and "Apple wouldn't lie in their ads"

    1. Re:More experience by BasilBrush · · Score: 2

      Even now, I notice that Apple still doesn't automatically update software by default, so, the only people who tend to install the update are those who are security-minded anyway.

      False. By default OSX automatically checks for updates on a weekly basis.

      Additionally, your claims as to what sales staff say is hearsay. And given you're an AC and your one checkable claim was wrong, it's not worth much.

    2. Re:More experience by redmid17 · · Score: 1

      Some of the software included by Apple (eg Flash) went for a long, long time without being updated.

    3. Re:More experience by BasilBrush · · Score: 1

      You'd have to be specific. There were complaints that one particular point release of OSX didn't ship with the latest version of Flash. But the update to Flash had only happened 4 days before. i.e. It didn't arrive early enough to be in the GM.

      4 days certainly isn't a "long, long time". But it does show what a snivelling whine fest the tech media has become.

    4. Re:More experience by zippthorne · · Score: 1

      False. By default OSX automatically checks for updates on a weekly basis.

      Additionally, your claims as to what sales staff say is hearsay. And given you're an AC and your one checkable claim was wrong, it's not worth much.

      If you're logged in as an admin user. If you're logged in as a limited user, it automatically checks for updates every week when you next log in as an admin user...

      It's very easy to set or change the interval for auto updates, but if you're using the security feature of limited user accounts (which, by the way, are capable of installing software and running updates, you are offered a window in which to temporarily log in as an admin for just the thing you're doing), it's NOT AUTOMATIC. You have to either deliberately log in as an admin, or deliberately run software update.

      --
      Can you be Even More Awesome?!
    5. Re:More experience by BasilBrush · · Score: 1

      You seem to be confused between an admin user on OSX and admin or root on other OSs.

      If you are a person that is trusted to have admin privileges on OSX, there is no recommendation to normally run as a second account which is not admin, nor does there need to be. Admin is not what you think it is. It is not the same as root.

      Admin doesn't have any extra privileges over a standard user except that when elevated privileges are required, the admin password dialog you describe is presented. Contrary to your belief that dialog does not appear for non-admin users.

      The whole point of admin accounts are they are given to people trusted to install and update software etc. So of course Software Update isn't intended to run for non-admin users. They cannot elevate permissions to install the software anyway. They are not trusted to do so.

    6. Re:More experience by Anonymous Coward · · Score: 0

      Automatically updating and automatically checking for updates is not the same thing. Apple continues to default to the latter, which is what the poster actually said.

    7. Re:More experience by jc42 · · Score: 1

      Even now, I notice that Apple still doesn't automatically update software by default, so, the only people who tend to install the update are those who are security-minded anyway.

      False. By default OSX automatically checks for updates on a weekly basis.

      Stop! You're both right! ;-)

      On all Macs I've encountered, there is an automatic check for updates done weekly, but it doesn't automatically update the software. It pops up a window showing the list of available updates (with links to explanations), and it asks if the updates should be done. There is a way to tell your machine "Always apply all updates without asking", but I've never seen this installed as the default.

      So both of the above quoted claims are true, and are not in conflict.

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
    8. Re:More experience by Anonymous Coward · · Score: 0

      And given you're an AC

      Now I find that very odd given:

      ACs don't bother. You're filtered. I don't even know you're there.

      So it seems that you are in fact a liar. From there we can assume that your lack of response to an AC is actually your inability to construct a sufficient counter-argument in that your obviously false excuse is exactly that.

      I assume I will get no response because you claim you "don't even know i'm here", but we all know the real reason is that i called you out on your bullshit.

  21. Article rife with logical fallacies and biases. by Anonymous Coward · · Score: 0

    Biased source.
    Hasty Generalization from a single instance.
    Post hoc ergo propter hoc - They say that number of attacks is related to market penetration, but this is not true. Linux totally dominates on Internet servers, but is hacked less by an order of magnitude than windows servers.

    Plus the people that use the system are different groups between mac and windows. Mac users tend to be college graduates in the liberal arts, so they are inherently more skeptical when they get an email asking them to click. Therefore they are much less likely to be infected even if the two systems were of equivalent security levels. Which they are not.

    1. Re:Article rife with logical fallacies and biases. by spire3661 · · Score: 1

      You really need to reassess your perception of mac users. Scads of CS/IT people use macs because it's so UNIX-like

      --
      Good-bye
    2. Re:Article rife with logical fallacies and biases. by Anonymous Coward · · Score: 0

      Not just UNIX-like, OS X is CERTIFIED UNIX.

      http://en.wikipedia.org/wiki/Single_UNIX_Specification

    3. Re:Article rife with logical fallacies and biases. by Guy+Harris · · Score: 1

      Not just UNIX-like, OS X is CERTIFIED UNIX.

      http://en.wikipedia.org/wiki/Single_UNIX_Specification

      Actually, only Leopard and Snow Leopard are certified; Lion isn't (and pre-Leopard versions weren't).

  22. what matters is how vulnerabilities are handled by e**(i+pi)-1 · · Score: 1

    First of all, it must be said that the word "mac fan boy" is one of the most ingenious PR actions against apple. The statement of Microsoft that "macs are not safe" is a too obvious PR spin along the same lines. Any operating system is vulnerable as long as users can modify operating systems. This is not for discussion. What matters is how fast these vulnerabilities are handled and communicated and corrected. Apple as well as Linux distributions have handled vulnerabilities in the past pretty well and I feel quite safe both using a mac or using linux boxes.

  23. GET THE FUCK OUT OF HERE! by Anonymous Coward · · Score: 0

    Well ...that's it. I'm going back to Microsoft where it's safe!

  24. A foreseeable difference between MS and Apple by erroneus · · Score: 3, Insightful

    When Microsoft puts out updates, they just put out the updates.... most of the time in single-fixes which are individually selectable and uninstallable. (Doesn't always work but they try) They do it like this because business depends on compatibility and continued operations of their apps. So if a particular update or patch breaks an important app, it can be rolled removed or at least identified and skipped.

    Apple doesn't care about that. Apple will push updates and bundle them with anything they like including feature removal and things users don't want.

    So what I foresee happening is that Apple will bundle a critical security fix with something else which the users don't want and they will refuse to update their machines.

    Some people here are "fans" of a particular brand or whatever. I'm none of those. I just call them as I see them. But if someone must insist I'm a hater of this or a shill for that, I run Fedora Linux on most of my stuff but I hate Gnome3 so I'm going to CentOS until the people out there get their heads on straight and listen to the users.

    1. Re:A foreseeable difference between MS and Apple by Billly+Gates · · Score: 1

      Yeah if you own a mac less than 3 years old.

      Flashback preys on older macs with no updates. XP has had 11 years of updates and still going in comparison. Microsoft does more than updates. They are active in destroying botnets and are doing many things right. They really are at least trying to up their reputation and care about the security issues of its products and platforms.

    2. Re:A foreseeable difference between MS and Apple by Sebastopol · · Score: 1

      I think there are two kinds of fans: fans and zealots.

      I'm a fan of Apple, but I have no problem criticizing their OS, apps, or philosophy. I want Apple to improve, and grumble when they drag their feet, or, start to follow trends in app/gui design (e.g., i've noticed the menubars of their apps aren't consistent, or that some apps are just fucking retarded: preview and iphoto... wtf?).

      Zealots see their choice as infallible. Period.

      We both have brand loyalty, but I think the former is more reasoned in their approach. I see the same thing with everything from political parties to musical instruments to woodworking tools...

      -1 OT

      --
      https://www.accountkiller.com/removal-requested
    3. Re:A foreseeable difference between MS and Apple by jbolden · · Score: 3, Insightful

      So what I foresee happening is that Apple will bundle a critical security fix with something else which the users don't want and they will refuse to update their machines.

      They have already bundled security fixes with feature removals and the users update. You don't buy Apple if you aren't willing to understand that ultimately Tim is in charge.

  25. Want some cheese with your whine? by RogueWarrior65 · · Score: 3, Informative

    Sour grapes, much? Jeez. The only malware A) is a Java problem and B) uses Office as the transmission medium.

  26. Re:user-friendly software deemed insecure, news at by Anonymous Coward · · Score: 0

    yes, until mom needs word processor (cloud services like google doc don't count), and the ability to watch movies their kids email her of a newborn. The point is, while you could help your mom install linux or whatever other app she needs initially, she can't go out and download or buy additional software on her own, and then install it on her own.

    I enjoy linux as any other, but I don't think it passes the grandma test yet.

  27. Re:user-friendly software deemed insecure, news at by BasilBrush · · Score: 1

    Interesting that the GP said "easy to use" and you changed that to "easy to install". Which of course isn't the same thing at all. For sure, Linux is not easy to use. But let's quantify that - it's less easy to use than the other 2 mainstream desktop OSs.

  28. Re:user-friendly software deemed insecure, news at by Anonymous Coward · · Score: 0

    Have you by any chance used the new Ubuntu Software Center? I'd say that that is a fairly user friendly piece of software seeing as my own grandma can use it, and she's almost 83.

  29. In other related news... by hey_popey · · Score: 1

    Apple: PCs 'Not Safe From Malware, Attacks Will Increase'

    1. Re:In other related news... by Anonymous Coward · · Score: 0

      War is peace!

  30. Re:user-friendly software deemed insecure, news at by Entropius · · Score: 1

    I mentioned the installation thing because that's traditionally been one of the confusing bits about Linux.

    Use is pretty simple -- you have a menu, it has stuff in it, you click on it. When you want something you don't have you fire up Ubuntu Software Center and go get it.

  31. Re:user-friendly software deemed insecure, news at by Anonymous Coward · · Score: 0

    Installing Linux has never been an issue. Using Linux is difficult, confusing and arcane, and I say that as someone who has tried to pick up Linux 4 different times unsuccessfully.

  32. Re:user-friendly software deemed insecure, news at by Entropius · · Score: 1

    Installing Linux *has* been an issue -- perhaps I'm just older, but it was a serious pain in the ass back in the day.

    What distribution(s) have you tried, and what have you been trying to do on them?

  33. And I think that's their point by Sycraft-fu · · Score: 1

    Not that "OMG Apple is evil," but that "Mac users need to wake the fuck up and think about security."

    I've met more than a few Mac users who really believe that "Macs can't get viruses," and such things. They don't patch their shit, have weak passwords, etc, etc. They think the magic Apple fairy will protect them from all harm.

    I argued they were like someone living in a rich gated community that left their door open all the time. Nobody had broken in because nobody had really tried, but they weren't really secure.

    Well, that's over now. MS is most likely correct, this shit will just increase. So Mac users need to get with the program. They need to install those Office updates, they need to patch their OS, they need to think about getting a virus scanner. Basically, they need to start being proactive about their security.

    1. Re:And I think that's their point by Billly+Gates · · Score: 1

      I just got into a flamewar last week on Livejournal with such a mac user who told a user to use a mac and you do not need anti virus. MS sucks bla bla bla Apple is the most secure OS by design and it's impossible to infect etc.

      I kindly pointed out that link which showed flashback with 500,000 infections and growing. His response was, well they clicked on something, macs are secure and you're stupid for using a PC. I explained drive by downloads and he went on and on how he hadn't got infected in 18 years and there is no way he was going to run an anti virus scan.

      That is the most dangerous threat. Windows users know better ... well mostly. Almost everyone has anti virus software and protection which monitors suspicious activity in the windows world. Mac users who use obsolete software and hardware is huge because Apple is expensive and lasts long. Jobs is a greedy asshole who will only give them updates for 3 years. Flash is not auto updated and nor is Java.

      It might as well have a sign saying hackers come in! Your users will deny your existence and there is plenty of bank account numbers to steal. There is no way to know your infected unless a pop up shows and many universities say its 2003 all over again with constant malware ... but this time from Mac Users and not IE 6 users. It is bad out there with ditwitts like that person on livejournal and the Apple Store saying everything is fine and ignore Sycraft-fu, he is just jealous his is not as rich or as smart as you oh Mac user.

    2. Re:And I think that's their point by jbolden · · Score: 1

      Well, that's over now

      We'll see if it is over now. Sorry if I'm not too concerned. I've been hearing how the virus apocalypse would happen any day now for a dozen years. Meanwhile Apple has been slowly turning up the security and laying the ground work for a rapid shift if they ever need to.

  34. Microsoft says Macs no safe by Gumbercules!! · · Score: 1

    Microsoft exec: "More people are going to be trying to attack Macs... and we've got the receipts to prove it!"

  35. ACs don't bother... by mevets · · Score: 2

    If you don't know they are there, who were you replying to?

  36. WTF? by ibic00 · · Score: 1

    Shouldn't a company's researchers research to improve their own products?

  37. Re:user-friendly software deemed insecure, news at by Teckla · · Score: 1, Informative

    I've been a professional software developer for a few decades now, and done my fair share of running Linux, including Ubuntu. And, Ubuntu sucks.

    Last year, I installed Ubuntu via wubi. It worked great, for a while. At some point, an update caused some kind of grub/kernel incompatibility. Ubuntu never managed to boot again.

    So then I decided to install Ubuntu in its own partition and dual boot instead. Surely that would work. And it did, for a while. I foolishly allowed Ubuntu to try to update itself to the latest release. The update failed, and once again, Ubuntu never managed to boot again.

    In disgust, I wiped Ubuntu from my system, and I'm back to Windows 7 full time. Linux has some real and serious advantages, but I'm tired of the bullshit. I will happily pay for something that is more reliable on the desktop.

    And don't even get me started on Unity...

  38. Re:user-friendly software deemed insecure, news at by Anonymous Coward · · Score: 0

    Or, you are just stupid. My parents use it, and they're both above 60. And they had less trouble switching from Gnome to Unity than the vocal part of the internet did.

  39. Still won't buy Windows 8 by Anonymous Coward · · Score: 0

    You might be right Microsoft but I still won't buy Windows 8.

  40. Re:user-friendly software deemed insecure, news at by bmo · · Score: 2

    Interesting that the GP said "easy to use" and you changed that to "easy to install"

    But it is easy to use. You can use it all day and never touch a command line ever, just like Windows and OSX.

    It's just advantageous to use a command line for things that would drive you batty in any GUI. This is why OSX has bash and Windows has PowerShell.

    Oh, right, Microsoft thought so little of the command line they went and wrote a whole new one that even aliases the unix commands like cp, mv, and rm.

    Twit.

    --
    BMO

  41. Re:user-friendly software deemed insecure, news at by jones_supa · · Score: 3, Insightful

    yes, until mom needs word processor (cloud services like google doc don't count), and the ability to watch movies their kids email her of a newborn. The point is, while you could help your mom install linux or whatever other app she needs initially, she can't go out and download or buy additional software on her own, and then install it on her own.

    I enjoy linux as any other, but I don't think it passes the grandma test yet.

    It's hard to say if grandma is really in a worse position here with Linux. As we know, usually you have all the programs (browser, word processor, movie player...) already installed, while in Windows you have to install all kinds of stuff separately.

    That being said, Linux is indeed having bad problems supporting third party stuff. There is currently no easy and unified ways of installing apps or drivers if they come outside of the distribution. :(

  42. Re:user-friendly software deemed insecure, news at by jones_supa · · Score: 1

    Unfortunately there's lots of brokenness like that in Linux distros. Things work generally nicely, but when you even slightly fall off the beaten path, there is not enough robustness to handle the condition. You might get some completely wrong error message and somewhere deep is just a script failing with an obscure "Invalid argument".

    There should be more attention for things like this than the hipster desktop environment of the month...

  43. Not mentioned in Article Summary... by DJ+Particle · · Score: 1

    The vulnerability is in MS Office for Mac. Don't run MS Office, and you're safe from this particular malware.

    This is on MS to fix, not Apple.

    Please RTFA before saying this is a "MacOS vulnerability"

  44. Re:user-friendly software deemed insecure, news at by __aaltlg1547 · · Score: 1

    Affordable has nothing to do with it. Convenience and security are the pair that can't come together.

  45. Re:user-friendly software deemed insecure, news at by PNutts · · Score: 1

    Are they using more than the browser? "Using Linux" implies the OS, not apps. But if this is their first PC experience they don't have years of behavior to undo.

  46. Re:user-friendly software deemed insecure, news at by inode_buddha · · Score: 1

    "Linux has some real and serious advantages, but I'm tired of the bullshit. I will happily pay for something that is more reliable on the desktop."

    Then do what I did and switch to Debian. I ran slackware from 1997 - 1999 then RH until last year. No probs at all since, very little if any "setup" (mainly the printer/scanner), and my favorite tweaks that I've carried around for years. I've tried it on 3 different machines so far, and same thing: no probs.

    --
    C|N>K
  47. Re:user-friendly software deemed insecure, news at by Anonymous Coward · · Score: 0

    Or use Windows/OSX on the desktops and Linux on servers (virtual or real).

    Even fewer problems.

  48. Re:user-friendly software deemed insecure, news at by Anonymous Coward · · Score: 0

    In contrast, I've dealt with many Win7 systems that exhibited the exact same behavior. As soon as you update it (and spend thirty minutes letting it "configure updates" before restart and before boot), it's a gamble on whether it will work or not. Almost everyone I know who uses Win7 has had to reinstall it from scratch after a failed updated, and THEN they will typically skip the (important security update) that broke last time, leaving their system vulnerable. THEN they invariably get their shit owned, and they have to reinstall YET AGAIN. It's Windows XP all over again, just shinier.

  49. Intel Chips vs PowerPC by not_hylas(+) · · Score: 0

    As soon as Apple went to the Intel chip rather than sticking with the PowerPC this was inevitable.
    Jobs' excuse was the PowerPC chip's heat issue, just like the one we have now with the Xeon processors (still waiting for that MacPro refresh Intel) so now we're stuck with a second class chip with a history of trouble, not to mention Microsoft rooting for the malware boys as well - way to go Apple ...

    --
    ~hylas
  50. Re:user-friendly software deemed insecure, news at by BasilBrush · · Score: 1

    The existence and completeness of a GUI does not make it easy to use.

  51. Re:user-friendly software deemed insecure, news at by Belial6 · · Score: 1

    This is what I don't get. When my son was 1 year old, I spent 5 minutes showing him that the mouse moved the cursor on the screen, and that the menu had programs. An hour of playing and he was using the system with no problems. Another 5 minutes and he knew how to properly boot and shut down the machine. If a 1 year old child can capably use the system, it seems pretty self derogatory for anyone to claim it is difficult.

    Just as bad is the claims that it is hard to install. A couple of weeks after his second birthday, I formatted his hard drive, handed him Ubuntu 5.10 and told him to install it himself. He had no problems installing it. And, no, he couldn't even read.

    As you point out, just because you CAN use a command line, in no way implies that you MUST.

  52. Re:user-friendly software deemed insecure, news at by Anonymous Coward · · Score: 0

    Hey, dufus, he didn't say it did. What he said was that the Linux GUI is easy to use which it is. Please take your old fashioned OS zealotry hate and stuff it up your ass.

  53. Re:user-friendly software deemed insecure, news at by Anonymous Coward · · Score: 0

    But if this is their first PC experience they don't have years of behavior to undo.

    Everything is a trade-off. If you've been using Windows for a long time and you're ready for a change then yes there will be some things that are different. But that is the same with any new computing device. Many people are moving a lot of their personal computer use from Windows to the iPad and other tablets to a lesser extent. Where is the outcry over "undoing years of behavior" there? I think it's just an excuse people use who are set in their ways and isn't really a reflection of the majority of consumers.

  54. MS Bull$shit, Part 1 by Anonymous Coward · · Score: 0

    It was a user-level exploit of a Microsoft Product.

  55. Re:user-friendly software deemed insecure, news at by inode_buddha · · Score: 1

    How is less than zero probs possible? I run it on the desktop all day, every day since 1997. And the latest debian has zero probs, you are having even less than that?

    --
    C|N>K
  56. MS Bull$hit, Part 4 by Anonymous Coward · · Score: 0

    Finally, the Researchers, who should better be called Science Whores pull an often-heard argument straight Out Of Their Arses: Operating Systems are apparently equally buggy and only popularity will determine the number of successful exploits.
    This is obviously an argument to whitewash the crappy Windows Security Posture:

    A) Everything runs in Admin Mode

    B) MS still can't be fucked to provide Sandboxing Infrastructure

    C) Patching takes weeks, not a day or two

    D) Type-safe Programming still non-existent and C/C++ are still widely used by MS

    Linux doesn't have the problems A to C, and it is still unheard-of to get a virus on Linux. That's despite the fact that millions of users now run Ubuntu and other Linux distributions.

    1. Re:MS Bull$hit, Part 4 by Anonymous Coward · · Score: 0

      Your last point states that C and C++ are not type-safe. WTF are you smoking?

  57. Also The UAC Crap by Anonymous Coward · · Score: 0

    ..will nag users, who properly configured their system (admin+normal user) all the time for a password when they do some system changes. That is a horrible approach from a security-ergonomics point of view. At some point users will simply click "OK" all the time, even when a virus demands system-level privileges.
    Microsoft bends over in an attempt to marry "user-friendliness" (in reality the "MS DOS mode of computer operation") with modern security concepts (root vs normal account). They still don't understand what the concept of "Unix root operations" really means. I wait Until Windows 10 for them to get it. They already acknowledge that the Command Line Is A Good Thing. So about 30% of the Unix route traveled by Redmond.

  58. Nice FUD by Anonymous Coward · · Score: 0

    I am using Ubuntu for a long time now and I have none of your problems. It works almost like a TV for me (browsing and Office work, including printing).

  59. No They Are Whores by Anonymous Coward · · Score: 0

    And Will Write Anything For Money !

  60. Re:user-friendly software deemed insecure, news at by zippthorne · · Score: 1

    It's affordable. More money cost, less time cost. Is your time worthless?

    --
    Can you be Even More Awesome?!
  61. Oh yeah, Billy-Boy by tn1970 · · Score: 1

    We expect crappy arguments and nasty tactics from a guy with such a handle. Windows still has the worst security concept with UAC and they still cannot be fucked to make users think about changing context for doing system administration. That will in turn make people click "OK" once too often. And then they are PWNED. MacOS X and Linux do it right because they are Unix, not a 1988 PC like WINDOWS.

  62. FUDcrap by tn1970 · · Score: 1

    The exploit in question was in MS Office. Before you divulge your propaganda shit, maybe you could read the original piece ??

  63. Yes, Indeed FUD - Check The Facts by tn1970 · · Score: 1

    If you could kindly analyze their "Research" (more Science Whoring For Dollars), you would find out that it is indeed a Microsoft-based, userland Exploit ! Not at all a MacOS X issue !

  64. Re:MS Bullshit, Part 3 by Guy+Harris · · Score: 4, Informative

    Apple now requires all new MacOS X applications to create a proper sandboxing profile,

    Apple now requires all new Mac App Store applications to create a proper sandboxing profile. Non-App Store apps need not do so.

  65. Stupid Argument by tn1970 · · Score: 1

    Buffer Overflows work on any microprocessor equally well. At least as long as a procedure call will dump the program counter onto the data stack. If it doesn't, a virtual function table somewhere inside memory will do equally well.

    1. Re:Stupid Argument by tn1970 · · Score: 1

      Of course, when targeting a PPC system, the exploit must be coded in a different instruction set. But for a capable engineer that is not harder than x86.

  66. Re:user-friendly software deemed insecure, news at by bmo · · Score: 1

    You sound like one of those idiots who continuously start flame threads about GIMP because it's not a drop-in-replacement for a $600+ program.

    --
    BMO

  67. Re:user-friendly software deemed insecure, news at by Pentium100 · · Score: 1

    Moving from Windows to iPad or a similar device is gradual. I don't think that a lot of people throw out their desktops and buy tablets. They most likely buy the tablet and use it when they are not near the desktop or alongside the desktop. That means if there is a problem (they don't know how to do something), they can always go to the desktop and do that there. The tablet is just an addition. Or at least it is at first.

    On the other hand, replacing the OS removes the old OS*. So, if I am stuck and don't know how to do x on Linux, I have to google it, maybe download, compile and install some software that's not in the repository. I can't just go to Windows and do what I need there. If some device does not have drivers for Linux, that's it, there is no way to use it. On the other hand, if the device is not compatible with a tablet, I can still use the desktop with that device.

    * I know, there are ways around that - dual booting and keeping the old OS inside a VM. I personally do not like dual booting because I do not like rebooting, so I just stay with the OS that has more features and for me it means Windows (because of games). Using a VM with the old OS is better, but then again, it raises a question - why have all that trouble? If there are problems with hardware support, a VM won't help you most of the time (it can pass USB and SCSI devices to the guest OS, but not PCI ones) and you still need to have a license for the guest OS (or pirate it), so no money (or morals) is saved. Also, keeping Windows in a VM reduces game performance, so if I want to sometimes play games on my PC I have to have Windows.

  68. Re:user-friendly software deemed insecure, news at by BasilBrush · · Score: 1

    Artie MacStrawman.

    You read like someone who hasn't got a real argument.

  69. Re:user-friendly software deemed insecure, news at by bmo · · Score: 1

    No, it's not a strawman when it's just an accusation.

    It's more of an ad-hominem.

    Learn your fallacies.

    The complete GUIs on Linux mean cross platform applications aren't different from other platforms. Libre/Open Office on Linux is identical to Libre/Open Office on Windows or OSX. GIMP on Windows is pretty much the same as GIMP on Linux (I haven't used it on Windows). WoW on Linux operates identically to WoW on Windows except that framerates are higher on Linux.

    In this day and age, if you cannot operate a Linux device, the problem isn't with Linux, but rather PEBKAC. Indeed many arguments about the subtle differences in GUI between current Windows and Linux desktops fall flat in light of the introduction of "screw you, you're going to take our UI and like it" Metro.

    Your argument fails at so many levels that you are simply full of bollocks, thus the previous flame.

    --
    BMO

  70. As In by tn1970 · · Score: 1

    "Better The Virus I know than the one I Don't"

  71. So What ?? by tn1970 · · Score: 1

    "That being said, Linux is indeed having bad problems supporting third party stuff. There is currently no easy and unified ways of installing apps or drivers if they come outside of the distribution. :("

    Is there a unified way for doing that in Windows 7 or OSX ? Every shitty little app comes with their own installer. So Linux does the standard stuff in an excellent manner, while you are in a crappy situation for everything with Windows. AppStore is for Win 8. Announced.

  72. Re:user-friendly software deemed insecure, news at by Anonymous Coward · · Score: 0

    Let me fix that.

    Unfortunately there's lots of brokenness like that in {Mac OS X,Windows}. Things work generally nicely, but when you even slightly fall off the beaten path, there is not enough robustness to handle the condition. You might get some completely wrong error message and somewhere deep is just a script failing with an obscure "Invalid argument".

    Do you know how many times I have to deal with people connected via wifi with "your cable is disconnected" network errors in windows? Who don't believe that there is no cable? Because Windows says it's disconnected? Or the fun of playing videos on mac that aren't handled by quicktime? apple-i key to change extension handling? I sure wouldn't have found that without google.

  73. Re:user-friendly software deemed insecure, news at by BasilBrush · · Score: 1

    No, it's not a strawman when it's just an accusation.
    It's more of an ad-hominem.
    Learn your fallacies.

    I never said it was a strawman.

    Yes that's right, you can't even win at pedantry.

    The complete GUIs on Linux mean cross platform applications aren't different from other platforms. Libre/Open Office on Linux is identical to Libre/Open Office on Windows or OSX.

    Cross platform apps are either equally shit on all platforms, or only any good on the primary development platform. Libre/Open Office is shit on Linux, Windows and OSX. In fact worse on OSX because it digresses even further for platform standards.

    In this day and age, if you cannot operate a Linux device, the problem isn't with Linux, but rather PEBKAC.

    And now you make the mistake of confusing ease-of-use with able-to-use.

    You're not clever enough for the ego you splurge around. I don't know what behavioural problem you have, but it's doing you no favours.

  74. Re:user-friendly software deemed insecure, news at by Anonymous Coward · · Score: 0

    I will happily pay for something that is more reliable on the desktop.

    I would too, in a heart beat. Unfortunately haven't found one yet, so Ubuntu it is.

    Seriously, I've had just as many headaches on Windows.

  75. Re:user-friendly software deemed insecure, news at by Anonymous Coward · · Score: 0

    Most normal humans just use the browser and a scattering of other apps.

  76. Re:user-friendly software deemed insecure, news at by JonJ · · Score: 1

    Last year, I installed Ubuntu via wubi. It worked great, for a while. At some point, an update caused some kind of grub/kernel incompatibility. Ubuntu never managed to boot again.

    A few days ago, Windows 7 stopped booting without any interaction, nor updates on my part. It never booted again. Surely this means Windows is not ready for the desktop? Or maybe anecdotal evidence or just bad luck is completely worthless as "proof". You're not addressing the question you originally got either. Ubuntu has tools for all the things you describe, and it even offers to install codecs/java/flash during install time. I think you're a Windows shill that doesn't actually think, and that you've never used Ubuntu at all. I also think you're probably a pretty incompetent software developer, and if you do program, I want to stay the hell away from whatever shit your moron brain churns out.

    Please start on Unity, I love people making asses out of themselves.

    --
    -- Linux user #369862
  77. Re:user-friendly software deemed insecure, news at by JonJ · · Score: 1

    What the fuck is this bullshit? Normal people use applications, not the "operating system":

    --
    -- Linux user #369862
  78. the weakest link by Anonymous Coward · · Score: 0

    is the user.

    average user keeps getting dumber as more and more people get computers, tablets and 'smart' phones.

    users are too stupid, ignorant, and impatient to learn how to use technology and the internet properly and safely.

    social engineering is the most dangerous attack method and no platform is safe -- not even apple's precious walled gardens.

  79. more trolling by Anonymous Coward · · Score: 0

    Really? Jesus fucking H Christ. What is with all the hate? All of these articles just tearing Google, Apple, and Microsoft down... What the fuck is going on here? Yes, there have been troll articles that have gone through before but it seems the intensity is getting WAAAAAY cranked up. I dunno man, it might be wise to skip Slashdot just to maintain sanity.

  80. Overblown worry.. by doccus · · Score: 1

    I'm not saying it's not possible, but it's just not gonna happen that OSX ever becomes much of a target, and the main reason is because of Apple itself. iOS is the nice juicy ripe plum for all the malware developers.. who are, after all, only interested in maximizing their results.. previously, Windows was the biggest target, but now it's the mobile OS's....

  81. Re:user-friendly software deemed insecure, news at by Anonymous Coward · · Score: 0

    That's nice. Now, try installing Ubuntu on Microsoft Virtual PC. Go ahead, I fucking dare you, nigger.

  82. Re:user-friendly software deemed insecure, news at by Anonymous Coward · · Score: 0

    This is what I don't get. When my son was 1 year old, I spent 5 minutes showing him that the mouse moved the cursor on the screen, and that the menu had programs. An hour of playing and he was using the system with no problems. Another 5 minutes and he knew how to properly boot and shut down the machine.

    pfffttt...my child was fixing bugs in the linux kernel while he was in utero.

  83. Re:user-friendly software deemed insecure, news at by Anonymous Coward · · Score: 0

    Strange I've been running Ubuntu for years and no problem. On my desktop, on my laptop, on my media center and about 400 servers at the DC. I have to ask. "What are you doing wrong?"