Microsoft: Macs 'Not Safe From Malware, Attacks Will Increase'
An anonymous reader writes "Microsoft researchers have analyzed a new piece of Mac malware that uses a multi-stage attack similar to typical Windows malware infection routines. In a post titled 'An interesting case of Mac OSX malware' the Microsoft Malware Protection Center closed with this statement: 'In conclusion, we can see that Mac OSX is not safe from malware. Statistically speaking, as this operating system gains in consumer usage, attacks on the platform will increase. Exploiting Mac OSX is not much different from other operating systems. Even though Mac OSX has introduced many mitigation technologies to reduce risk, your protection against security vulnerabilities has a direct correlation with updating installed applications.'"
Possibly a biased source, but not exactly a shocking conclusion. The OS X kernel is a massive amount of C and embedded C++ code. On top of that is a huge pile more code. It's not going to be bug free, and at least some of those bugs will be exploitable. It does about the same set of things as other modern operating systems to reduce the damage that a compromised application can do (e.g. making it easy to run apps in sandboxes), but any network-exposed system running arbitrary code is vulnerable, the only question is whether the effort involved in finding and exploiting a vulnerability is greater than the reward.
I am TheRaven on Soylent News
Maybe we need a new motto? You can have it easy to use, affordable or secure. Choose two.
No.
http://en.wikipedia.org/wiki/Irony
Beware of the Leopard.
I’m most concerned that this malware uses a three-year-old flaw in Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, and Open XML File Format Converter for Mac. Here’s the corresponding security bulletin: MS09-027 - Critical.
Most of this has been known by, well, knowledgeable users for a long time. Most of the malware now comes via third party software or stupid users. It really doesn't matter what platform you use, as hackers will find a way around to get the best bang.
:)
All three largest OS - Windows, OS X and Linux - are pretty much equivalent now. In fact, OS X is probably less so than Windows or Linux (and I use mac!).
In before all the stupid replies that Linux cannot be hacked.
If anyone has a lot of viruses to examine, it's Microsoft!
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
No matter how 'secure' a system is, as long as end users have the ability to install software, systems will still be at risk. It's just part of the deal.
If your particular systems are attacked or not, depends on your market share.
---- Booth was a patriot ----
While I will agree with lack of surprise from /.ers, most of my colleagues that enjoy their Macs like to tout "invulnerability" to malware. Mac-pride makes them brave/foolish to the point they will not bother with anti-virus. I think they are more the norm than exception for Mac users. Once the Mac OS reaches a high enough number of users, there will be a significant surprise for most users.
The thing is OSX doesn't really fit into ANY of those categories =P
It's about marketshare. It has only ever been worthwhile for virus writers to target a platform that is popular enough to warrant a return on investment, whether that be fame or clandestine botnet software.
People always used to use half baked arguments trying to claim that OS X was more secure because it was "unix" or some crap, despite OS X being very insecure for most of its run.
Aside from being common sense this is supported with some pretty solid mathematics, not least an article in an IEEE journal showing there is a certain percentage of marketshare that would attract malware. We are now seeing this with OS X and we have seen it previously with Android.
What will be interesting is how Apple react. Will they tighten the grip they have on their users and restrict them even more, or actually get off their butts and increase their security and respond to problems in a mature and timely manner?
If you ignore ACs because they are anonymous - you're an idiot.
...a poorly written Microsoft product leaves a vulnerability open for exploitation, yet it is Microsoft who provides an internal assessment and statement that Macs are "not safe from malware".
anyone who is interested can look up security vulnerabilities by vendor.
Not only was it opportunistic but the vulnerability comes from A MICROSOFT PRODUCT (It was an office for mac issue)!
If I were apple and feeling particularly snarky I would send out an email to my users warning about microsoft software including the microsoft post and recommend that they not use Office for Mac and switch over to Libreoffice for a more secure computing experience.
I suppose there could be some people stupid enough to say that, but I haven't seen much of it (unless you count obvious troll posts). In fact, a misconfigured linux system is one of the easiest to hack -- but we're discussing malware, not hacking. Since most linux distros are using repositories for all the third-party software (vs non-tech users zooming around the web downloading "10,000 similies!") malware for linux is pretty darned rare -- much more so than windows or os x. Unless, of course, one counts all the android trojans -- I don't because to me android is a completely unique OS that happens to use some linux code.
Caveat Utilitor
Android is a great example how malware just gets there, around the obstacles when the market share is right. It's even on their official store.
Repositories also wouldn't work if Linux had the same market share as Windows, or hell, even OS X. You just cannot do everything via such system, and there needs to be a way to install software off from the "official" platforms. Hell, most of slashdot constantly argues against this too (DRM).
Am I the only one who thinks the headline sounds kind of like a threat?
I'm gonna go ahead and cite the Ken Thompson hack here:
"It's been more than twenty years since I read Thompson's marvelous paper, but I believe I correctly recall his fundamental point: UNIX, and every system like it, can NEVER be "secure". It doesn't matter how many layers of anti-virus software, "internet worm protection", "firewall" or any other buzzword -- systems like UNIX (including all versions of Linux, Macintosh OSX, and all versions of WinXP) will NEVER be secure. Thompson published his paper and revealed his hack in order to demonstrate this point. "
Closed sourced, open source, free, paid, whatever it is it will never be fully secure and people are foolish to believe anything to the contrary.
I dunno, Linux seems to be all three to me. It's braindead-easy to install these days -- hell, my mom can do it by herself, which is definitely not true for Windows.
It's free, and it's pretty secure, only sacrificing security for usability in intentional, configurable ways (i.e. "should I require a password on console login?")
Most of this has been known by, well, knowledgeable users for a long time. Most of the malware now comes via third party software or stupid users. It really doesn't matter what platform you use, as hackers will find a way around to get the best bang.
As one of my great compatriots once said: Artificial intelligence will soon best the natural one, but there's no adequate substitute for natural stupidity.
Ezekiel 23:20
In before all the stupid replies that Linux cannot be hacked. :)
I assume you mean cannot get drive-bys. Linux is hacked in broad scene rather often. Linux does not get viruses in the sense that it's never happened.
I assume you mean there is likely to be similar security holes in a bleeding edge easy to use distro as windows which may be true.
Linux is extremely hard to compare security on as you can have everything from a full on SELinux setup to whatever ASUS use to distribute.
I think rapid updates all security holes are fixed within a week (worst case) and a low user base make Linux so unattractive for virus spreading that no one needs to worry. When there is a successful virus for Linux, then Linux security becomes non-hypothetical and decisions can be made on the security convenience trade-off (as of now it's just all inconvenience for malware threats).
Fact of the matter is, basically all computing requires more trust than should really be granted. We trust Microsoft to patch their vulnerabilities now that malware manages to find ways in through ever more creative means. We trust Apple to have an OS that was never really vulnerable to start with, and we trust GNU/Linux distributions and other free operating systems to have clean repositories and to be free of backdoors. We rely on non-OS, internet-connected software companies to produce software that isn't vulnerable to bringing problems in from the Internet.
All of these are essentially untrue, or are relying on means of security that can't be verified or well tested until something comes out in the wild. We instead rely on updates after the fact, and on feeble attempts by some to make programs to remove malware.
Even in the privileged/unprivileged user landscape that modern OSes are capable of using, too many users desire more credentials on their local computers than they need in order to perform the very basic tasks that a computer user does on a daily basis. In the early days I too was guilty of this, but learned. Unfortunately when there are combinations of vectors to infect the local user and then local root exploits even a good privileges model won't work.
We should demand more out of our browser developers and more out of our plugin developers. That is the single biggest category of infection route, and I'm sorry, but software that voluntarily brings in and deploys the exploit simply by visiting a markup-language page is completely unacceptable. Fix the bugs before worrying about new features.
Do not look into laser with remaining eye.
First of all, it must be said that the word "mac fan boy" is one of the most ingenious PR actions against apple. The statement of Microsoft that "macs are not safe" is a too obvious PR spin along the same lines. Any operating system is vulnerable as long as users can modify operating systems. This is not for discussion. What matters is how fast these vulnerabilities are handled and communicated and corrected. Apple as well as Linux distributions have handled vulnerabilities in the past pretty well and I feel quite safe both using a mac or using linux boxes.
http://www.youtube.com/watch?v=L_mrNQBLSMU
When they came for the communists, I said "He's next door. Take him away. Goddam commies."
It comes down to the more popular your OS is, the more problems you will get with security.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
When Microsoft puts out updates, they just put out the updates.... most of the time in single-fixes which are individually selectable and uninstallable. (Doesn't always work but they try) They do it like this because business depends on compatibility and continued operations of their apps. So if a particular update or patch breaks an important app, it can be rolled removed or at least identified and skipped.
Apple doesn't care about that. Apple will push updates and bundle them with anything they like including feature removal and things users don't want.
So what I foresee happening is that Apple will bundle a critical security fix with something else which the users don't want and they will refuse to update their machines.
Some people here are "fans" of a particular brand or whatever. I'm none of those. I just call them as I see them. But if someone must insist I'm a hater of this or a shill for that, I run Fedora Linux on most of my stuff but I hate Gnome3 so I'm going to CentOS until the people out there get their heads on straight and listen to the users.
Since most linux distros are using repositories for all the third-party software (vs non-tech users zooming around the web downloading "10,000 similies!") malware for linux is pretty darned rare -- much more so than windows or os x.
Of course most OSX third party software is coming from the Mac App Store these days, so the same applies.
Android is a great example how malware just gets there, around the obstacles when the market share is right. It's even on their official store.
No. There is virtually no malware for the iOS, which is in the same ball park as far as market share is concerned. So it's not just market-share. Security, including walled gardens, make a huge difference.
don't you think?
It's like rain, on your wedding day.
It's the free ride when you've already paid.
It's the good advice that you just didn't take
but who would have thought... it figures...
Sour grapes, much? Jeez. The only malware A) is a Java problem and B) uses Office as the transmission medium.
Even now, I notice that Apple still doesn't automatically update software by default, so, the only people who tend to install the update are those who are security-minded anyway.
False. By default OSX automatically checks for updates on a weekly basis.
Additionally, your claims as to what sales staff say is hearsay. And given you're an AC and your one checkable claim was wrong, it's not worth much.
Interesting that the GP said "easy to use" and you changed that to "easy to install". Which of course isn't the same thing at all. For sure, Linux is not easy to use. But let's quantify that - it's less easy to use than the other 2 mainstream desktop OSs.
Let me remind you, Android is not Linux and Linux is not Android.
Android suffers same fate as any other closed source products.
Synchronised company pushed updates, etc.
Most Linux distributions will not have those attack vectors common to Androids.
At the end of the day, even now, it's not news, that Android is actually closed source.
Apple: PCs 'Not Safe From Malware, Attacks Will Increase'
I mentioned the installation thing because that's traditionally been one of the confusing bits about Linux.
Use is pretty simple -- you have a menu, it has stuff in it, you click on it. When you want something you don't have you fire up Ubuntu Software Center and go get it.
More like the pot calling the kettle black...
"virtually no malware" != "no malware"
It will get tougher as people figure out how to do the things Apple tells them they don't want them to do.
Installing Linux *has* been an issue -- perhaps I'm just older, but it was a serious pain in the ass back in the day.
What distribution(s) have you tried, and what have you been trying to do on them?
[citation needed]. It's 1.65% according to Wikimedia's stats (includes wikipedia.org traffic - a top 6 site), 5.22% if you include Android.
Not that "OMG Apple is evil," but that "Mac users need to wake the fuck up and think about security."
I've met more than a few Mac users who really believe that "Macs can't get viruses," and such things. They don't patch their shit, have weak passwords, etc, etc. They think the magic Apple fairy will protect them from all harm.
I argued they were like someone living in a rich gated community that left their door open all the time. Nobody had broken in because nobody had really tried, but they weren't really secure.
Well, that's over now. MS is most likely correct, this shit will just increase. So Mac users need to get with the program. They need to install those Office updates, they need to patch their OS, they need to think about getting a virus scanner. Basically, they need to start being proactive about their security.
Achievement unlocked:
Falling for the Alanis Morissette troll.
Support the EFF and Creative Commons. The war is coming, and they're supporting you...
Microsoft exec: "More people are going to be trying to attack Macs... and we've got the receipts to prove it!"
You really need to reassess your perception of mac users. Scads of CS/IT people use macs because it's so UNIX-like
Good-bye
If you don't know they are there, who were you replying to?
The other day my NAS reported to me that there are some virus files it quarantined in the Mac backup sparsebundle. So of course I run out and install Sophos on the mac and do a full scan. Turns out it was my Win XP VM that got hosed. So in this case, macs DO get PC viruses.
Good-bye
Shouldn't a company's researchers research to improve their own products?
I've been a professional software developer for a few decades now, and done my fair share of running Linux, including Ubuntu. And, Ubuntu sucks.
Last year, I installed Ubuntu via wubi. It worked great, for a while. At some point, an update caused some kind of grub/kernel incompatibility. Ubuntu never managed to boot again.
So then I decided to install Ubuntu in its own partition and dual boot instead. Surely that would work. And it did, for a while. I foolishly allowed Ubuntu to try to update itself to the latest release. The update failed, and once again, Ubuntu never managed to boot again.
In disgust, I wiped Ubuntu from my system, and I'm back to Windows 7 full time. Linux has some real and serious advantages, but I'm tired of the bullshit. I will happily pay for something that is more reliable on the desktop.
And don't even get me started on Unity...
Have you read your own link?
Microsoft claims that malware infections will rise on OSX in the future, and as evidence they dissect an exploit that only works on an obsolete version because it is fixed in the latest version. Your signature is oddly appropriate.
Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
Interesting that the GP said "easy to use" and you changed that to "easy to install"
But it is easy to use. You can use it all day and never touch a command line ever, just like Windows and OSX.
It's just advantageous to use a command line for things that would drive you batty in any GUI. This is why OSX has bash and Windows has PowerShell.
Oh, right, Microsoft thought so little of the command line they went and wrote a whole new one that even aliases the unix commands like cp, mv, and rm.
Twit.
--
BMO
yes, until mom needs word processor (cloud services like google doc don't count), and the ability to watch movies their kids email her of a newborn. The point is, while you could help your mom install linux or whatever other app she needs initially, she can't go out and download or buy additional software on her own, and then install it on her own.
I enjoy linux as any other, but I don't think it passes the grandma test yet.
It's hard to say if grandma is really in a worse position here with Linux. As we know, usually you have all the programs (browser, word processor, movie player...) already installed, while in Windows you have to install all kinds of stuff separately.
That being said, Linux is indeed having bad problems supporting third party stuff. There is currently no easy and unified ways of installing apps or drivers if they come outside of the distribution. :(
Unfortunately there's lots of brokenness like that in Linux distros. Things work generally nicely, but when you even slightly fall off the beaten path, there is not enough robustness to handle the condition. You might get some completely wrong error message and somewhere deep is just a script failing with an obscure "Invalid argument".
There should be more attention for things like this than the hipster desktop environment of the month...
Words change. Go to a Renaissance fair if you don't believe me.
W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
The vulnerability is in MS Office for Mac. Don't run MS Office, and you're safe from this particular malware.
This is on MS to fix, not Apple.
Please RTFA before saying this is a "MacOS vulnerability"
Affordable has nothing to do with it. Convenience and security are the pair that can't come together.
There is virtually no malware for the iOS
"virtually no malware" != "no malware"
In the context of this discussion he was correct. The real world is not binary.
[citation needed]. It's 1.65% according to Wikimedia's stats (includes wikipedia.org traffic - a top 6 site), 5.22% if you include Android.
Here's his citation (according to StatOwl). Aren't statistics cool?
Are they using more than the browser? "Using Linux" implies the OS, not apps. But if this their first PC experience they don't have years of behavior to undo.
"Linux has some real and serious advantages, but I'm tired of the bullshit. I will happily pay for something that is more reliable on the desktop."
Then do what I did and switch to Debian. I ran slackware from 1997 - 1999 then RH until last year. No probs at all since, very little if any "setup" (mainly the printer/scanner), and my favorite tweaks that I've carried around for years. I've tried it on 3 different machines so far, and same thing: no probs.
C|N>K
I basically agree, but the fact that there continue to be jailbreaks for iOS means that there are serious security holes. Luckily, people seem to be more interested in jail breaking than other exploits.
The existence and completeness of a GUI does not make it easy to use.
The days of being able to jailbreak by visiting a website are long gone. You have to physically connect the phone to a computer in order that it can be re-flashed.
It's not relevant to what downloaded software/websites/document malware could do.
If by "long gone" you mean "not currently available," then OK. Un-tethered exploits reportedly still exist, though:
http://www.engadget.com/2012/05/03/iphone-4-receives-untethered-ios-5-1-jailbreak/
http://www.jailbreaknation.com/pod2gs-untethered-5.1-jailbreak-to-support-all-devices-including-iphone-4s-ipad-23-atv3-a5a5x
All three largest OS - Windows, OS X and Linux - are pretty much equivalent now.
So this story finally got me motivated to update ClamXAV and scan my drive. It's been running for a couple of hours now, and so far it has found 4 viruses/trojans... Windows viruses :) They are apparently sitting in my Gmail account, which I mirror locally. One of them is a windows screensaver virus of some kind sitting in my Downloads folder.
I'll get back to putting clam on my FreeBSD server as well. My Windows machine is obviously protected (with AVG).
W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
This is what I don't get. When my son was 1 year old, I spent 5 minutes showing him that the mouse moved the cursor on the screen, and that the menu had programs. An hour of playing and he was using the system with no problems. Another 5 minutes and he knew how to properly boot and shut down the machine. If a 1 year old child can capably use the system, it seems pretty self derogatory for anyone to claim it is difficult.
Just as bad are the claims that it is hard to install. A couple of weeks after his second birthday, I formatted his hard drive, handed him Ubuntu 5.10 and told him to install it himself. He had no problems installing it. And, no, he couldn't even read.
As you point out, just because you CAN use a command line, in no way implies that you MUST.
What I mean by long gone is that it last worked on 4.3.3, which was superseded in July 2011. (We're on 5.1 now, and there have been several point releases in between). And it's never worked in any way, on any version, on latest hardware (iPhone 4S or new iPad).
Un-tethered exploits reportedly still exist
The use of the term "Untethered" is unintuitive and not quite what you think it is. "Tethered" means you need to connect to a computer every time the phone is rebooted. Untethered means it will reboot with the jailbreak still operative even if you're not connected to a computer.
Either way, you still need to be connected with a cable to a computer to do the actual jailbreaking. The jailbreaking software runs on the computer.
How is less than zero probs possible? I run it on the desktop all day, every day since 1997. And the latest debian has zero probs, you are having even less than that?
C|N>K
Some of the software included by Apple (eg Flash) went for a long, long time without being updated.
I'd rather have a virus than run anti-virus. I'm firmly convinced it would be less destructive to system performance.
TODO: Something witty here...
You'd have to be specific. There were complaints that one particular point release of OSX didn't ship with the latest version of Flash. But the update to Flash had only happened 4 days before. i.e. It didn't arrive early enough to be in the GM.
4 days certainly isn't a "long, long time". But it does show what a snivelling whine fest the tech media has become.
It's affordable. More money cost, less time cost. Is your time worthless?
Can you be Even More Awesome?!
False. By default OSX automatically checks for updates on a weekly basis.
Additionally, your claims as to what sales staff say is hearsay. And given you're an AC and your one checkable claim was wrong, it's not worth much.
If you're logged in as an admin user. If you're logged in as a limited user, it automatically checks for updates every week when you next log in as an admin user...
It's very easy to set or change the interval for auto updates, but if you're using the security feature of limited user accounts (which, by the way, are capable of installing software and running updates, you are offered a window in which to temporarily log in as an admin for just the thing you're doing), it's NOT AUTOMATIC. You have to either deliberately log in as an admin, or deliberately run software update.
Can you be Even More Awesome?!
We expect crappy arguments and nasty tactics from a guy with such a handle. Windows still has the worst security concept with UAC and they still cannot be fucked to make users think about changing context for doing system administration. That will in turn make people click "OK" once too often. And then they are PWNED. MacOS X and Linux do it right because they are Unix, not a 1988 PC like WINDOWS.
The exploit in question was in MS Office. Before you divulge your propaganda shit, maybe you could read the original piece ??
Where to start?
OSX is effectively sand boxed already, all unix systems are. None require a base root process to spawn an escalated privilege process like Windows does, even today in its latest incarnation - it's part of that fundamental insecurity built into the very foundation of windows. All *nix systems can elevate a process by providing proper credentials. So, properly setup, there's almost nothing that can be done on a *nix system unless additional credentials are supplied.
There is nothing like Active X on any system but Windows - thank goodness.
Since Apple makes all its own hardware/software, effectively all drivers are all signed.
Apple has been using EFI for years.
Regarding DLLs/Shared objects, no OS allows generic dynamic code injection into system code from an unprivileged account, except, of course, Windows.
Macs have had EFI, actual process security that didn't need UAC's bandaid, sandboxed processes, and well defined abstraction layers for years. Additionally, Apple introduced ASLR in 10.5, completing full ASLR in 10.8. DEP has existed since 10.6.
Java issues have been addressed, which were the same for Windows, mind you. Flash, well, flash is easily just removed. It's the only safe way to operate on any system as far as flash is concerned. It's very similar to running around a gun-powder factory with lighted sparklers. It's just not a good idea.
My final take on this is you had to be trolling.
The cesspool just got a check and balance.
The reason why you don't see Linux desktops getting targeted is for multiple reasons, 1.-interoperability is shit, the lack of a unified platform that keeps third parties from touching Linux with a 50 foot pole also keeps away malware writers because the best they could score is say...40% of UBUNTU users, but that same attack probably wouldn't work on RHEL without serious tweaking, or on PCLOS, or on Mepis, you get the picture, 2.- Malware writers want powerful machines because the more powerful the machine the more they can remain hidden while cranking out the spam or spreading the bug. Not to slam Linux users but you DO have a shitload of "How to save that PC from the dump" articles which would give an outsider the impression they are more likely to find a P4 than an i7, and 3.-Malware writers are criminals and criminals are notorious for being lazy. They don't want to have to constantly rewrite their bug because something got fiddled with between Ubuntu maniac monkey and nutty narwhal and their shit got broke. With both Windows and Apple having quite clearly labeled life cycles this makes it easy to know how long a bug could be good for.
If you want to see how badly Linux would get pwned if it was on the radar simply look at Android. It has tons of ordinary users, is using the Linux kernel, and has been royally assraped by the malware guys. In the end you simply cannot defeat reality which is thus: ALL Operating Systems are EXTREMELY complex, with literally millions of lines of code all having to interact perfectly and this isn't even counting the third party stuff. Hell, I doubt even Linus can tell you with 100% certainty when you launch say network manager every single call it will make and what every interaction is, it's simply too complex. More than 90% of the planet are NOT geeks, hell they don't even come up to the level of a power user of any system, they know just enough to get it to function and that is it, and finally the malware guys figured out long ago it's the USER that is the juiciest target, after all it is they that have the keys to the kingdom so by using social engineering they have become quite adept at getting past the defenses by having their "man/woman on the inside" aka the user, help them achieve their goals.
So it doesn't matter what OS you use, you practice safe computing you'll be fine, practice stupid computing you'll be pwned. For those that think the repos are safe might want to look at how long the repos were handing out an infected Quake 3, try a year and a half. If a malware writer truly wants to target Linux there are ways, target some of the software that isn't as heavily monitored or like I said simply target the users and you're in like flynn.
Now you watch as I get modded down for pointing out reality, to be followed by those that treat Linux as a religion (Some call them Freetards, I call them FOSSies because they remind me of Moonies) scream that it just isn't possible, that linux's magical goodness could never be tainted by malware crap...hmmm...where did I hear that before? Oh yeah those that bowed at the altar of Jobs, aka "The Cult of Mac". Wouldn't it be smarter to simply use the best tool for the job and be on your guard? But those that treat tech like ballclubs won't quit rooting for the home team, even when they strike out.
ACs don't waste your time replying, your posts are never seen by me.
If you could kindly analyze their "Research" (more Science Whoring For Dollars), you would find out that it is indeed a Microsoft-based, userland Exploit ! Not at all a MacOS X issue !
Apple now requires all new MacOS X applications to create a proper sandboxing profile,
Apple now requires all new Mac App Store applications to create a proper sandboxing profile. Non-App Store apps need not do so.
Buffer Overflows work on any microprocessor equally well. At least as long as a procedure call will dump the program counter onto the data stack. If it doesn't, a virtual function table somewhere inside memory will do equally well.
Not just UNIX-like, OS X is CERTIFIED UNIX.
http://en.wikipedia.org/wiki/Single_UNIX_Specification
Actually, only Leopard and Snow Leopard are certified; Lion isn't (and pre-Leopard versions weren't).
You sound like one of those idiots who continuously start flame threads about GIMP because it's not a drop-in-replacement for a $600+ program.
--
BMO
Moving from Windows to iPad or a similar device is gradual. I don't think that a lot of people throw out their desktops and buy tablets. They most likely buy the tablet and use it when they are not near the desktop or alongside the desktop. That means if there is a problem (they don't know how to do something), they can always go to the desktop and do that there. The tablet is just an addition. Or at least it is at first.
On the other hand, replacing the OS removes the old OS*. So, if I am stuck and don't know how to do x on Linux, I have to google it, maybe download, compile and install some software that's not in the repository. I can't just go to Windows and do what I need there. If some device does not have drivers for Linux, that's it, there is no way to use it. On the other hand, if the device is not compatible with a tablet, I can still use the desktop with that device.
* I know, there are ways around that - dual booting and keeping the old OS inside a VM. I personally do not like dual booting because I do not like rebooting, so I just stay with the OS that has more features and for me it means Windows (because of games). Using a VM with the old OS is better, but then again, it raises a question - why have all that trouble? If there are problems with hardware support, a VM won't help you most of the time (it can pass USB and SCSI devices to the guest OS, but not PCI ones) and you still need to have a license for the guest OS (or pirate it), so no money (or morals) is saved. Also, keeping Windows in a VM reduces game performance, so if I want to sometimes play games on my PC I have to have Windows.
Artie MacStrawman.
You read like someone who hasn't got a real argument.
No, it's not a strawman when it's just an accusation.
It's more of an ad-hominem.
Learn your fallacies.
The complete GUIs on Linux mean cross platform applications aren't different from other platforms. Libre/Open Office on Linux is identical to Libre/Open Office on Windows or OSX. GIMP on Windows is pretty much the same as GIMP on Linux (I haven't used it on Windows). WoW on Linux operates identically to WoW on Windows except that framerates are higher on Linux.
In this day and age, if you cannot operate a Linux device, the problem isn't with Linux, but rather PEBKAC. Indeed many arguments about the subtle differences in GUI between current Windows and Linux desktops fall flat in light of the introduction of "screw you, you're going to take our UI and like it" Metro.
Your argument fails at so many levels that you are simply full of bollocks, thus the previous flame.
--
BMO
If Apple uses ASLR and DEP I retract that part then and apologize.
It's good to hear and I am not a troll. I use that argument for people saying how bad Windows is when in fact it's just XP that is almost 11 years old now that got the bad rap. Windows 7 is much more secure if you ask any enterprise that had migrated to it. The help desk calls for malware go way down.
Still I find the fact that Mac users say with a smile they do not run anti virus software disturbing. It is such an easy target and you know the users will never know what hit them while you raid their bank accounts as they will refuse to believe they are prone to infections. After all anti virus software is updated daily so eventually my malware would get caught on a Windows based PC. The posts here on slashdot all talk about a user clicking something. Not getting a drive by download from flash.
I hate flash with a passion and unfortunately some sites still require it. Most kids use Youtube for music today and much of the older uploads have no h.264 counterpart. So anti virus is needed for Mac users if they ever do anything important like banking and taxes online.
http://saveie6.com/
It's better today. I use Avast! on my Windows PC and it only slows it down by 5 seconds on bootup. Not everything is garbage like Norton 360 or McAfee of 2002-2008 which would halt your PC for 5 minutes on startup. That was insane!
I check my student loans online and occasionally do banking. I can't risk it. Avast! is not bad but sucks on the mac. Unless you have flashblock on your browser if you came here on slashdot exactly one month ago and you ran Windows you are infected and 0wned right now! Believe it or not a bad flash based ad here used an exploit and Avast caught it.
I had my wow account raided because my exwife let the kids play flash and java games unpatched with a crappy anti virus product. She logged into me and got my password. It blew big time.
Anti virus software sucks but not all of it is bad and I wish in a perfect world I didn't need it.
http://saveie6.com/
"Better The Virus I know than the one I Don't"
"That being said, Linux is indeed having bad problems supporting third party stuff. There is currently no easy and unified ways of installing apps or drivers if they come outside of the distribution. :("
Is there a unified way for doing that in Windows 7 or OSX? Every shitty little app comes with their own installer. So Linux does the standard stuff in an excellent manner, while you are in a crappy situation for everything with Windows. AppStore is for Win 8. Announced.
You seem to be confused between an admin user on OSX and admin or root on other OSs.
If you are a person that is trusted to have admin privileges on OSX, there is no recommendation to normally run as a second account which is not admin, nor does there need to be. Admin is not what you think it is. It is not the same as root.
Admin doesn't have any extra privileges over a standard user except that when elevated privileges are required, the admin password dialog you describe is presented. Contrary to your belief that dialog does not appear for non-admin users.
The whole point of admin accounts is that they are given to people trusted to install and update software etc. So of course Software Update isn't intended to run for non-admin users. They cannot elevate permissions to install the software anyway. They are not trusted to do so.
While there is a lot of truth to what you say, at this time, most popular Linux distros are by far the easiest to secure and to run securely without having to be a super expert technical user. Windows can be just as secure in the right hands, but ironically requires a much higher level of expertise to do so. I'm no windows expert, so I feel unsafe to the point I would never put any banking or other critical info into a windows machine, I do it in Linux and BSD all the time though, because I know enough to do it securely. I'm sure you're knowledgeable enough with windows to be safe, but I want my non-tech users on Mint or Ubuntu. Not to mention that whole slew of issues that comes up with "microsoft" and "trust", DRM -- I had to reformat my mp3player once after being foolish enough to let WMP access it -- it decided a bunch of indie music was "pirated" and wouldn't let those files play! It also hogged about half the flash drive creating unnecessary database files. Nasty stuff, that WMP.
Caveat Utilitor
No, it's not a strawman when it's just an accusation.
It's more of an ad-hominem.
Learn your fallacies.
I never said it was a strawman.
Yes that's right, you can't even win at pedantry.
The complete GUIs on Linux mean cross platform applications aren't different from other platforms. Libre/Open Office on Linux is identical to Libre/Open Office on Windows or OSX.
Cross platform apps are either equally shit on all platforms, or only any good on the primary development platform. Libre/Open Office is shit on Linux, Windows and OSX. In fact worse on OSX because it digresses even further from platform standards.
In this day and age, if you cannot operate a Linux device, the problem isn't with Linux, but rather PEBKAC.
And now you make the mistake of confusing ease-of-use with able-to-use.
You're not clever enough for the ego you splurge around. I don't know what behavioural problem you have, but it's doing you no favours.
I'm sorry friend but you are mistaken, unless you call sliding a single slider in UAC as some complex action. Win 7 can autosandbox the browser (your choice of IE or any Chromium based) and run it in low rights mode which is actually SAFER than surfing in Linux where running a single program in a much lower set of permissions is far from simple, and then simply add one of several free AVs that also sandbox (My two favorites are Avast and Comodo Internet Security, both work well) and frankly the user need not know anything. The OS will autoupdate, autosandbox, scan ALL pages before load, hell my 71 year old dad is as clueless about tech as they come and his PC has been on the net 24/7/365 running Win 7 since Oct 09 and hasn't had a single problem or bug, the worst problem he has had is he didn't know how to update his browser (it kept telling him there was an update but he kept pushing the X instead of the update button) and that was it.
If you want to know the REAL reason why you see much more infected Windows? Let me tell you a true story about the only person I ever threw out of my shop. He comes in, buys a PC from me, and wants me to install limewire. I tell him "I'm sorry but Limewire doesn't exist anymore, they got shutdown by the feds and anything calling itself Limewire now is just a virus pretending to be the real deal. There are several alternatives such as Emule and BT if you wish me to install one of those" so what does he do? He promptly goes home with his new PC, Googles "New limewire" and when the AV naturally wouldn't let him install it first he tried to disable and then he removed the AV altogether! Why did he do that? Because the program told him to! When I finally threw him out of my shop (demanding I fix it for free after he broke it by refusing to listen to my instructions or call) he was yelling "It says right there that it IS Limewire so you make it work dammit!"
So if you want to know why there are plenty of infected Windows machines it's because of the dancing bunnies problem. It doesn't matter how simple or secure you make the OS if the user has install rights because all you have to do is wave the right cookie, be it porn, piracy, hell I've seen users infect their PCs for a CHANCE of winning some iShiny, then all can be bypassed. MSFT thinks they are gonna fix this by going the Apple way with an appstore but it won't work, as porn and piracy won't be offered in the appstore and that will be enough of a cookie to lure victims. Whether you choose to admit it or not to run Linux you HAVE TO have more than moderate PC skills or have a full time admin (such as yourself) willing to work for free simply because you have to know how to deal with updates breaking drivers and other Linux "quirks" one simply doesn't run into on OSX or Windows. Hell simply the fact you have to install it, know what partitions are and what sizes to make them, Google for drivers that aren't included and understand how to find out the exact make/model of said hardware to properly install Linux already puts you above a good 80% of the population. If you wish to argue that let me take away install rights for all my customers who would only be allowed to let me remote in and install approved software? Windows would never get bugs either.
But that argument simply doesn't hold water when the vast majority are on their own, without so much as a geek in the family to guide them. In fact I would argue that them getting Linux installed correctly and having it fully functional for even a year would probably be impossible, since they simply wouldn't have the skills required. Linux is only friendly IF everything works OOTB AND it works after every upgrade, two situations which at least in my experience are about as likely as Santa dropping me off a dozen porn stars for Xmas.
ACs don't waste your time replying, your posts are never seen by me.
Check out Mint LXDE, starting with version 11. I still prefer Debian, but Mint LXDE is absolutely amazing for its incredible ease of install. Nearly any modern common hardware will Just Work with that distro, and it can easily be installed, configured, and maintained by the most clueless of newbs. Your info is definitely out of date. There will occasionally be need for an expert no matter what OS a person chooses, but I'd say at this point Mint is right up there with OS X for being an idiot-proof system that Just Works. Really slaughters Windows in that regard, as well as on the security front. I know you know a lot about windows, and I respect your choice, but if you're talking ease of security for non-technical users you simply cannot beat Mint.
Caveat Utilitor
Does it really come down to more popular products or does it come down to greed. Not to accuse M$ of purposefully producing and releasing malware to attack and damage a competitor, yet never forget M$ is not just M$.
M$ is owned by investors and the big banks own a chunk just as they do of Apple. Now those big banks, let's be honest are just chock a block full of psychopathic criminals. Would they pay to produce malware to attack a company's product and then bet via puts the value of the company's stock will fall and bet via calls that their competitors will rise. How many damaging simultaneous hacks would be required to cripple a company's sales of its flagship product. Would these same bankster douches also promote those stories via their advertising controlled marketing channels.
Something sure stinks and I don't think it's just scruffy hackers who never clean up around the hardware. Never forget there were a bunch of investors that bet the airlines stock would fall just before 9/11 and due to some very high up people being involved nothing was done about it.
Chaos - everything, everywhere, everywhen
First, an observation -
Use CentOS instead of Redhat. Anyway, Windows XP offered 10 year support and it isn't at all clear that other Windows will offer this.
Second, a question -
Borking on updates? That is very wrong. I am curious as to what Linux version (vendor/distribution) to what.
In other words, what was the attempted upgrade? Was it a security update, a version (point) upgrade, or a major upgrade? Which vendor, and what was the start version and desired end version?
Sorry for asking in such detail, but I am very curious. I just went through a similar problem (after a point upgrade to Fedora 16, wireless stopped being reliable until the next point upgrade, a couple of days later). I just want to get a larger scale sense of the issue.
Just another "Cubible(sic) Joe" 2 17 3061
Last year, I installed Ubuntu via wubi. It worked great, for a while. At some point, an update caused some kind of grub/kernel incompatibility. Ubuntu never managed to boot again.
A few days ago, Windows 7 stopped booting without any interaction, nor updates on my part. It never booted again. Surely this means Windows is not ready for the desktop? Or maybe anecdotal evidence or just bad luck is completely worthless as "proof". You're not addressing the question you originally got either. Ubuntu has tools for all the things you describe, and it even offers to install codecs/java/flash during install time. I think you're a Windows shill that doesn't actually think, and that you've never used Ubuntu at all. I also think you're probably a pretty incompetent software developer, and if you do program, I want to stay the hell away from whatever shit your moron brain churns out.
Please start on Unity, I love people making asses out of themselves.
-- Linux user #369862
What the fuck is this bullshit? Normal people use applications, not the "operating system":
-- Linux user #369862
I have one friend who's as non-technically-inclined as they come, using Ubuntu on a Dell laptop for over four years now without incident. The original install from 2008 is now current, and only twice in those four years was I called in to correct minor stuff broken/changed by updates. In those two cases, she still had the use of the laptop and OS, we're talking *little* things like links in email stopped bringing up the browser. She has needed far less help than my windows-using friends in the past four years, so as I said, sir -- your info is out of date. :)
Caveat Utilitor
None require a base root process to spawn an escalated privilege process like Windows does, even today in its latest incarnation - it's part of that fundamental insecurity built into the very foundation of windows.
What is that process? UAC is what provides that barrier - much like linux sudo, you don't just get to launch an un-trusted process as root without some confirmation.
All *nix systems can elevate a process by providing proper credentials. So, properly setup, there's almost nothing that can be done on a *nix system unless additional credentials are supplied.
Windows is the same way - when properly set up. IF there is a vulnerable process or binary, that is owned by root, and has the setid bit on, it doesn't matter. No prompting.
There is nothing like Active X on any system but Windows - thank goodness
But there are browser plugins, and just because there is a sandbox, doesn't mean it is impossible to break out.
Regarding DLLs/Shared objects, no OS allows generic dynamic code injection into system code from an unprivileged account, except, of course, Windows
This hasn't been true since the "UAC band-aid". If you are trying to compare current securities, you can't argue that "Windows is insecure because Windows XP is insecure", by that logic, Mac OS 9 didn't have ASLR, but that doesn't mean apple is an inherently insecure platform.
Macs have had EFI, actual process security that didn't need UAC's bandaid, sandboxed processes, and well defined abstraction layers for years.
Why is UAC a band-aid? Is sudo a bandaid? So you want process security, but don't like the fix? I'm a little confused here. While I don't know anything about EFI (except what I found on wikipedia), unless apple has something magic they also call EFI, I don't see how that's relevant. I also don't understand how abstraction layers have anything to do with inherent OS security.... There is a false sense of security by running non-windows. Malware authors are risk-reward. Why write a virus to turn your computer into a mindless zombie but only target a small market share (I won't quote numbers, since I don't know them, and don't feel like looking them up, but Mac market share Windows market share). If most malware authors focus on 1 thing, then that OS will get the hardest hit. On a properly set up system, it isn't easy - the problem is improperly set up systems. If I turn off my AV, turn off UAC, and run as administrator, ya, it's gonna be way easier to exploit my system. If I run my linux machine with no root password, and run myself as root, it's not going to be secure. Really, I'm more curious on your claims about windows security, because they seem a little bit.... off....
First of all CentOS does NOT offer 10 year support cycles, nor do they backport squat. CentOS is run by a small company that USED to pay for RHEL licenses for their devices and then decided it was cheaper to "leech" so you are only gonna get what they are using. Even RHEL doesn't offer support beyond 5 years unless you have a full service contract which as I said compare $4000 to $89 and it's no contest. Second I guess you missed it but MSFT announced that ALL VERSIONS WILL GET TEN YEARS which was the mandatory length for business version but they have extended that to ALL versions from Start to Ultimate. That means Vista gets until 2017 minimum, win 7 2020, Win 8 2022.
And as I told you feel free to try the experiment yourself, take the version from 3 years ago (I have done this with ubuntu/Mint, PCLOS, Fedora (because I had a nut swear that Fedora didn't do that) PCLOS, OpenSUSE, so pick your poison) and slap it on your average laptop or desktop and upgrade it to current. The last time I did this was when Ubuntu 11 came out as I can't afford to blow tons of bandwidth every 6 months but I honestly don't see you pulling it off with a new release as one still has to upgrade to current. Now realize that in those 3 years 1.-Both major DEs have been tossed aside for new DEs so that entire subsystem is gonna end up a mess, and 2.-Pulseaudio was introduced which frankly is STILL a buggy POS IMNSHO.
So I'm sorry friend it just doesn't work. Not a single one of the above distros when upgraded to current using the GUI (which is the ONLY way a consumer level user will have the skill to upgrade) will have SOMETHING broken. And all the hardware was the same stuff you see on a good 90% of consumer hardware, AMD, Nvidia, and Intel chipsets, realtek and Sigma sound, Realtek and SiS networking, Atheros, Broadcom, or Intel wireless, pretty bog standard stuff.
I've done the math and it just don't work any way you slice it. The ONLY way one can take a distro from 3 years ago and upgrade to current is to do clean installs and remember my time is $35 an hour and the customers will NOT have the skills nor the inclination to accomplish that feat so a single 6 month upgrade would again cost MORE than Win Home. Feel free to perform the test yourself, but I can't afford to blow another 7+Gb worth of data when I have caps just to show you what I already know, and that is the current upgrade mechanism takes a giant shit all over drivers. Again with Windows drivers work for the life of the OS which is 10 years. You can't even take a driver from 5 years ago and get it to work with the newest kernel without serious fiddling or a recompile which again out of the skills range of normal users.
But this is why Walmart gave up on selling low cost Linux machines, because they saw the same thing that I saw, the upgrades shat on drivers so they had to spend more in support than they saved on a copy of Starter or Home. God what I wouldn't give to find a legit source for Starter because when WinXP is EOLed I bet I'll have a lot of boxes go to the dump (If I don't break down and do what some of the other shops are doing and just sell them with Win 7 Pirate) because no matter how you work the math Linux just doesn't work in the home sector. Hell the user below you brings up Dell Ubuntu boxes without even knowing Dell has to run their own repo (which is horribly out of date and falling farther behind, so a Dell Ubuntu box is a security risk) just to keep the drivers working. Ask Dell how much they make per unit, I did, they won't tell you. I would surmise that is because the cost of running their own repo has them LOSING money on each sale. I'm sorry friend but I simply can't afford to run my own repo, I would be bankrupt within the year. No sale.
Finally if you want to know the scope then do as I said, download the version from 3 years ago (whatever was current then) and upgrade to current. You yourself ran into it with wireless and I can tell you that is the norm NOT the exception. I have tried regular to LTS, LTS to regular, and L
ACs don't waste your time replying, your posts are never seen by me.
Even now, I notice that Apple still doesn't automatically update software by default, so, the only people who tend to install the update are those who are security-minded anyway.
False. By default OSX automatically checks for updates on a weekly basis.
Stop! You're both right! ;-)
On all Macs I've encountered, there is an automatic check for updates done weekly, but it doesn't automatically update the software. It pops up a window showing the list of available updates (with links to explanations), and it asks if the updates should be done. There is a way to tell your machine "Always apply all updates without asking", but I've never seen this installed as the default.
So both of the above quoted claims are true, and are not in conflict.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
I'm not saying it's not possible, but it's just not gonna happen that OSX ever becomes much of a target, and the main reason is because of Apple itself. iOS is the nice juicy ripe plum for all the malware developers.. who are, after all, only interested in maximizing their results.. previously, Windows was the biggest target, but now it's the mobile OS's....
The days of being able to jailbreak by visiting a website are long gone.
As in the previously known bug has been fixed, no reason to believe there aren't more that could be exploited.
Except that the jailbreakers have been quick in the past to find jailbreaks for new versions. 10 months of not finding a way to do it is a long time.
I don't think anyone is holding their breath expecting jailbreakme.com to work on iOS 5.0 onwards. But it's certainly in the realms of possible rather than impossible.
Except that the jailbreakers have been quick in the past to find jailbreaks for new versions. 10 months of not finding a way to do it is a long time.
So I'm guessing you're not familiar with times between versions of Jailbreakme then?
So I'm guessing you're not familiar with times between versions of Jailbreakme then?
Before you post something stupid, you might want to look at the development history yourself. https://github.com/comex/star_
Before you post something stupid, you might want to look at the development history yourself. https://github.com/comex/star_
Before you post something stupid maybe you should read what you're attempting to respond to, here it is again:
So I'm guessing you're not familiar with times between versions of Jailbreakme then?
Now if you were familiar with the times between versions of Jailbreakme you'd see they have historically been quite large.
And there you go. I tried to stop you saying something stupid and you did it anyway.
JailBreakMe is a website that could and was updated at any time without a version number change. 1.0, 2.0, 3.0 were simply marketing. It didn't go from 1.0->2.0-->3.0 without intermediate changes.
It's now dead.
I use a different machine for general flash use for the kids. It's also a completely unprivileged account. I've been considering whether I could go to a pure LiveCD type installation to allow for flash etc, which IMNSHO is about the only "secure" way to run flash. Fortunately mine don't youtube yet.
All that said, I will note that there has been only one widespread malware vector exploited on OSX, and that was the Java vector mentioned above that is now closed. While some decry the 3 months Apple took to close it, versus the 3 weeks for other OSes, it did have one positive outcome: Oracle decided to take full ownership of the OSX version of Java, so hopefully in short order we'll have full parity between all versions on all systems, at least as far as can be done on VMs alone.
The cesspool just got a check and balance.
None require a base root process to spawn an escalated privilege process like Windows does, even today in its latest incarnation - it's part of that fundamental insecurity built into the very foundation of windows.
What is that process? UAC is what provides that barrier - much like linux sudo, you don't just get to launch an un-trusted process as root without some confirmation.
Windows has a fundamental security issue that it cannot spawn nor escalate a security token higher than the parent token. In short, that means to do something as root, you have to be or ask a root process to do it for you. UAC isn't really a privilege escalation function, it's more of a watchdog function that acts as a gatekeeper whenever something asks to write something to certain areas of the system. This is fundamentally different than requiring proper credentials to write something to a location, which is how other OSes (BSD, OSX, Linux, IRIX, AIX, HP UX, etc, etc) all work. In those, unless you're a moron, you're not running as root or the equivalent, and you must provide the proper credentials before a write can occur.
There is nothing like Active X on any system but Windows - thank goodness
But there are browser plugins, and just because there is a sandbox, doesn't mean it is impossible to break out.
That's just a red herring. I don't think anyone will argue that ActiveX was a good idea at this point. To be honest, ActiveX is symptomatic of MS's total lack of understanding of how security should work. And yes, I will claim that publicly, since their security architecture is fundamentally upside down compared to every other system out there.
Regarding DLLs/Shared objects, no OS allows generic dynamic code injection into system code from an unprivileged account, except, of course, Windows
This hasn't been true since the "UAC band-aid". If you are trying to compare current securities, you can't argue that "Windows is insecure because Windows XP is insecure", by that logic, Mac OS 9 didn't have ASLR, but that doesn't mean apple is an inherently insecure platform.
AFAIK, dynamic code injection into system code (in-memory) from an unprivileged thread was still possible as in 2008 R2 as of Jan 2010. That dates after the Win7 release. I know, because I considered (only briefly) doing it myself when I was researching the (as of then) undocumented removal of security token manipulation routines.
Macs have had EFI, actual process security that didn't need UAC's bandaid, sandboxed processes, and well defined abstraction layers for years.
Why is UAC a band-aid? Is sudo a bandaid? So you want process security, but don't like the fix? I'm a little confused here.
Read above - UAC is essentially a watchdog process that attempts to intercept calls to write to specific areas in the system. Compare that with actual security requiring proper credentials, and you'll see why UAC is a bandaid. Comparing UAC to sudo is like comparing a sundial to a fine Swiss made timepiece. While they both appear to give indications of time, the latter has much more functionality and there are many posts out there to demonstrate just how powerful sudo is on allowing unprivileged users access to perform specific privileged actions.
While I don't know anything about EFI (except what I found on wikipedia), unless apple has something magic they also call EFI, I don't see how that's relevant. I also don't understand how abstraction layers have anything to do with inherent OS security....
EFI, properly UEFI, was listed by GP. GP actually has Apple to thank for bringing UEFI out into the mass market, since they were the first, and pretty much only ones running UEFI for quite a while. (Just try finding an UEFI Intel motherboard for sale more than 6 years afte
The cesspool just got a check and balance.
And there you go. I tried to stop you saying something stupid and you did it anyway.
So what was the timeline between vulnerabilities for the releases? Oh that's right you don't know, but don't let facts get in the way of your idiot assertions.
JailBreakMe is a website that could and was updated at any time without a version number change.
Yeah, that's a pretty standard feature of a website. The actual code and the vulnerabilities it exploited weren't regularly updated though, don't believe me? Go and have a look, the source code is all there...if you understand it.
1.0, 2.0, 3.0 were simply marketing. It didn't go from 1.0->2.0-->3.0 without intermediate changes.
And those intermediate changes were not necessarily new vulnerabilities, but then if you were familiar with jailbreakme then you'd know that.
It's now dead.
Wrong again.
So what was the timeline between vulnerabilities for the releases? Oh that's right you don't know, but don't let facts get in the way of your idiot assertions.
I was the one that showed you the repository, fucktard. You were pretending to be an expert having consulted Wikipedia.
"It's now dead.
Wrong again.
Dead as in no longer being developed. At all. Not since last August. Of course the obsolete web-site is still there. Are you really that dumb?
I was the one that showed you the repository, fucktard.
But your conclusion demonstrated you don't have the faintest idea what it contains because if you actually have a look at the code changes you'll see updates mostly regarding device compatibility, not new exploits, they don't come around that often.
You were pretending to be an expert having consulted Wikipedia.
Nope, just linked to it so you could see the releases more easily and the cross-reference with the code in the repo, but I suppose you didn't do that because you still don't get that 10 months is nothing if you look at the previous times between exploits. Just look at it, it's all there, you even linked to it...so you obviously have no understanding of what you linked to.
Refute what? Microsoft's soundbites? hairyfeet frothing at the mouth about how he dislikes things and people? There is no discussion happening here.
Contrary to the popular belief, there indeed is no God.
Windows has a fundamental security issue that it cannot spawn nor escalate a security token higher than the parent token. In short, that means to do something as root, you have to be or ask a root process to do it for you.
Is the root process the OS...? I'm going to need an example here, because I'm not really aware of a good reason to elevate your permissions in the middle of a task. So if you cannot spawn a privileged process from within yourself without asking a "root" process (like say... the OS?) why is that a problem? Can you give me an example of a different OS, a parent process spawning a more privileged process that it fully controls? Or why you'd ever want that? Doesn't that BREAK security? I would really appreciate an example here. I understand the security token concept, and that you cannot just blindly elevate it... because well... that makes sense.... But I don't see the request to this mythical fundamental root process..... For that matter, can you arbitrarily elevate your process to root in the middle of execution without some kind of OS intervention, or say, the OS having to do it for you?
UAC isn't really a privilege escalation function, it's more of a watchdog function that acts as a gatekeeper whenever something asks to write something to certain areas of the system.
I'm not quite sure that you are describing UAC... UAC happens when a process is launched with elevated privileges - AND if properly configured, requires credentials to be entered. Please provide an example of a process that MID PROCESS does this before accessing a system area....
I'll give you a solid example of why: Try creating a service that runs with no privileges, serves many users, and allow said users to execute OS calls as themselves, with only their own privileges. You would want to do this to exploit the OS's security handling and auditing which are certified instead of writing your own. You are allowed to request credentials.
oooook.... So let me understand this, you have a specific use case, which a different OS handles better.... You have not proven that Windows security is fundamentally broken, just that this use case is.... And maybe Windows isn't the best choice for what you want. Since I haven't done this exact process, I can't speak to its ease or difficulty on any OS... But how is that limitation proof of insecurity? I can't use my TV as a boat, but that doesn't mean it's fundamentally broken... or insecure...
AFAIK, dynamic code injection into system code (in-memory) from an unprivileged thread was still possible as in 2008 R2 as of Jan 2010. That dates after the Win7 release. I know, because I considered (only briefly) doing it myself when I was researching the (as of then) undocumented removal of security token manipulation routines.
Still not really sure how easy this is... Since the process security model should not allow this.... Are we talking possible as in "There is a Windows API InjectCodeToMemory(0xaddr,"exec virus")" or, an exploit exists that allows that.... Thanks for the UEFI/EFI clarification... Again... security relevance? Microsoft doesn't make hardware... so this is really just a note that Apple introduced a technology... which I guess is proof that Macs are safer? Not really sure on that one... Same with abstraction - how does abstraction = security? more abstraction = larger at
To me, Android is a completely unique OS that happens to use some Linux code.
I agree completely... Android is precisely as distinct an OS as any other Linux distro. Slackware isn't Ubuntu, they look totally different! Gentoo isn't Red Hat, and if you can't tell the difference, you're probably a UNIX admin.
The Admin and the Engineer