A friend of mine recently was trying to convince me how inferior OS X is. In doing so, he attempted to make an argument that OS X's security is actually worse than that of Windows, and that the only reason that OS X has so many fewer viruses is because it makes up such a small portion of the market. I know this argument is pretty invalid, but he showed me an article to support his statement.
http://www.zdnet.com.au/news/securit...9241748,00.htm I have a strong feeling that this article is either exaggerating, the contest was rigged, or that it's just plain inaccurate, but could somebody verify this for me? Thanks. |
The article offers no sources at all, and no proof. It's just an "It's so, because I say so" article.
There's nothing stating the vanilla state of the Mac, what services were on, how patched it was, if it was behind a firewall, etc... I wouldn't put too much credence in it. If it was so easy, millions of Macs would be compromised (there are 10+ million Mac users out there), why aren't they? |
This is an older story that received wide attention. The critical point is that "Participants were given local client access to the target computer...", which to obtain actually is the hardest part in hacking a machine.
I don't know about you, but I personally would not give someone an account on my computer just because he asked for it, so I'm still feeling pretty safe. ;) cheers, pink |
Ah yes.. THAT'S the rub that I could not recall. The "hacker" had local access. Which basically FUDifies this article.
|
This contest is a Bad Example in more than one way:
• Participants got user accounts on the machine to be hacked, that's pretty unusual in the wild. It does not equal physical access to the machine though, when anything goes as soon as some guy boots off his iPod... The hack was the equivalent of you owning the intranet server in the server room you happen to have an account on because some clueless admin runs it as a fileserver at the same time. Bottom line: The machine was more vulnerable than the average server box, but it shouldn't have been 0wned nonetheless.
• The box got 0wned by a 0-day exploit that wasn't published. That could have happened to an OpenBSD box admin-ed by Theo de Raadt himself, there's no way to defend against this kind of stuff. Of course, OpenBSD would be a lot less vulnerable as they pass their time actively auditing code for weaknesses before some elite hax0r does and Apple would be well inspired to keep up with what they patch.
The clueless sensationalism of the press-followup should not keep you from seeing that Apple still has a lot of progress to make in QA and security. Stupid stuff like arbitrary shell script execution in Safari should be completely impossible to get out of the door without being shot on sight. It looks like for now Apple completely lacks a serious approach to security and that will bite them sooner or later, the overwhelming stupidity of that even worse big competitor notwithstanding. |
Here is the original thread from when the article came out (at least I think it's the right one).
|
Like much of what you read in media, it was trumped up to sell magazines and create traffic to their site. Their target market, Windows users, eat it up and don't question it. We know they are liars and a fraud, but since we're not their target market they don't care.
It was staged carefully, creating a situation that would not happen in the real world. Ask your friend how many viruses there are for Mac OS (not counting the theoretical one that was tested in a lab but can't actually replicate in the wild). |
|
MBHockey: That is far past due its expiration date.
Security-wise, Windows has gained a higher security rating than OS X (EAL4+) which is the highest of any common consumer OS. But this is more or less just required for gov't use. |
Quote:
Take a Mac and any PC today. Find two non-technical users. Give them the computer with no instructions or help whatsoever. I guarantee that the PC will have a virus and/or spyware on it before the Mac. "higher security rating"...lol. Corporate and government security ratings are worthless. They mandate that if you have "Feature X" you're secure. The problem is "Feature X" is all too often a Windows-only security feature. In the company I work at there is an entire department dedicated to Windows security...and about 50% of the systems in here have spyware of some sort or another. |
Just as an example, my friends think that by just having anti-virus/spyware, and a firewall, they are 'secure'. Why do you think there is Mac OS X, Firefox, Linux (Debian, gentoo, a zillion other distros), OpenOffice, OpenGL, Thunderbird, and more? Because they know that they can do something better than MS
Take a look at all the options: http://mshiltonj.com/software_wars/current/ EDIT: LOL! My PC just got a blue screen of death! |
I think that OSX could be a lot more secure...but for now it is fine.
Of course it can be hacked locally, any OS can...as for the 30 minutes...not many people can do that. I can get into all the macs in my school via single user mode no problem. even if they have open firmware password which can be reset by removing some ram. But, poorly protected windows machines can be hacked REMOTELY...in 30 minutes or less. And better protected systems can still be hacked easily...however, a properly maintained and protected windows system is as if not more secure than osx defaults. |
Rilex, how's this for something a bit further from its expiration date:
http://www.zdnet.com.au/news/securit...9200021,00.htm I mean seriously, you can't actually debate that Windows is a more secure consumer OS out of the box (or even after you've got The Computer Wiz from down the street to install all sorts of scanning atrocities) than MacOS X. Numbers don't lie :) |
Quote:
"Local" in that context means the attackers got accounts on the machine which makes it a lot easier to root it, but it still shouldn't be possible. |
Quote:
If you'd like to explain how OS X magically manages to prevent a user from running a trojan that steals data via HTTP, then be my guest. And no, the authorization dialog box is not something that must come into play in this situation. |
Who said anything about Camino? I gave the troll jab because Security-wise EAL4+ means nothing more than said company adheres to the standards determined by the NSA. To me that means about as much as ISO certification...jack. An ISO qualified company doesn't necessarily put out flawless products. They just know how to cross their T's and dot their I's.
...:( and yes, the department does suck. I've never been in a place that gets soooo much spam before. Oh well. Good thing I work on the Macs. My nickname, literally, is the Maytag Repair Man. |
Rilex, but how many trojans are there for MacOS X? How many for Windows?
How does grandma Betty who just received her Dell PC via FedEx manage to protect her PC against spyware and viruses out of the box? Grandma Betty is better off on a Mac. Why? Because MacOS X is more secure out of the box than any Windows PC. |
Be that as it may, if Betty gets hit by Safari arbitrary shell script execution because she didn't bother to update, she's in for a ride as well.
Also note that the bad security record of the competition does not mean that you get to brag with what is more due to less marketshare than remarkably better security. M$ certainly was very, very bad in the past security-wise, but they're now making a massive effort to fix it while Apple is still diddling along, because for now, none of their extremely stupid security blunders did really hurt them. Look at some real data if you need stats: http://blog.washingtonpost.com/secur...i_apple_2.html Don't get me wrong, overall Betty is probably still better off with a Mac, especially because she'll actually be able to use it, but there is no reason to be nearly as arrogant about it as some of the posters in this thread have been, indisputable facts notwithstanding. |
Security vs Usability .....
I can make an unpatched XP box more secure than a Mac OS X box that is patched in a few easy steps. :D Disable any network connectivity (including a modem), set the password to a random string of letters and numbers that you are sure to forget. Disable the floppy disc and any other peripherals. Lock in a water and air tight safe and dump in the deepest part of the ocean. I can promise you it will not get a virus or be hacked. I just hope you never want to use it again :) Yes, the article was seriously flawed, I have to agree. It's like testing your home's security system by giving the would-be robber the alarm code? |
I wonder if this post could be more productive perhaps. Is there a list somewhere of common concerns for OSX security? Do we have one of those? Perhaps if we have concerns, legitimate ones, we should just send them to Apple. Honestly, they would want to know, what company simultaneously has enough resources to find all the bugs they want to quash and actually fix them? I bet they'd like the help.
|
You may want to check out the URL in post #2 of this thread:
http://forums.macosxhints.com/showthread.php?t=56389 |
There are a few security related sites out there.
Apple also has its security announce list <security-announce@lists.apple.com>. I'm sure if you asked around on the Apple Discussion boards you would get some info on this. Also check out the developer.apple.com side of things. |
You probably shouldn't rely on Apple-controlled resources as they openly censor anything they don't like.
Reading Full Disclosure mailing lists will probably be a lot more beneficial. |
Quote:
EDIT: I should add that I have had two relatively minor complaints about the way one of the boards functions expunged. |
Quote:
I don't know - I hardly ever go to those forums due to the low signal-to-noise ratio there. |
Quote:
There is a majority of clueless newbies and the occasional advanced fanboy pontificating. People with serious real-life experience will do anything but post to such a thought-policed forum because their contribution will most probably be deleted. They'd much rather hang out in places where "thinking different" is still possible. |
Here's some "signal" for you (while it lasts, anyway):
http://discussions.apple.com/thread....75176&tstart=0 Don't use "admin"! |
Quote:
I can't reproduce the problem that was discussed in that Apple discussions thread. I created a package using PackageMaker that installed a file into /usr/local/bin. When I ran this pkg (by double-clicking on it) as an admin user, it asked for my admin password - i.e. it behaved as expected. I have yet to see the security problem that seemed to be the subject of that thread. (This was on 10.4.7) If you can demonstrate a problem, please explain in detail what steps you took. You should also submit your findings to product-security@apple.com |
Well, I put in a report to "product security" (thanks for the suggestion) and apparently it is a "known issue", and is "being addressed"...
In a nutshell, this could be used by a trojan which, if executed in an "admin" account, could write to any part of the hard drive, with whatever permissions it wants (including setuid root), in the background without requiring any sort of password. Similar to the situation in "Panther" with its "StartupItems" and easy access "hooks", except the current issue isn't restricted to any specific directories. So the moral of the story - same old, same old - don't use an "admin" account for day to day stuff, and it's probably a non-issue. |
I read the thread provided by biovizier on the discussions.apple site and I have to say that I find this story quite scary. In my opinion this is a big security hole.
I do not know anything about package making, so I am not able to make my own tests, but I believe the people who did. :( I hope Apple will address this issue VERY quickly. - edit: Matt Broughton made 3 test packages (one with no Auth, one with AdminAuth and one with RootAuth) that try to install a directory in /usr/local, you can download them here. The NoAuth does not succeed, the one with AdminAuth installs WITHOUT asking for a password. The one with RootAuth asks for a password. |
Installer bug is real: here's a proof-of-concept
1 Attachment(s)
Quote:
http://webpages.charter.net/mbrought...llerChecks.dmg Just in case Apple notices it and the thread goes away, there's an archive of it attached to this post. You should definitely check such installers carefully by using Pacifist or similar tools, it would be perfectly admissible to shout "pwned" if you didn't and the installer did something nasty. Anyway, on an admin account, the AdminAuth.pkg will run the install process as root to create a directory, then a file in /usr/local , chown it to root and all of that without ever asking for authentication. The install log shows admin auth received to install but never asked for it. It should be remembered that the first account created on any Mac +is+ an admin account and it takes extra effort to change that, so everybody and his grandma is at risk here. To delete the directory, I did have to authenticate however. There's also a very interesting summary of this and last year's vulnerabilities on OS X here: http://www.viruslist.com/en/analysis?pubid=191968025 |
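Added example (not part of any post in this thread, and not Apple's or Pacifist's code): one way to do the pre-install check suggested above is to read the authorization level a bundle-style `.pkg` declares in its `Contents/Info.plist` before opening it in Installer. The sketch assumes the legacy PackageMaker bundle layout and its `IFPkgFlagAuthorizationAction` key; the function names and the three sample packages are constructed here for illustration and are not the packages linked in the thread.

```python
import plistlib
import tempfile
from pathlib import Path

# Script names the legacy Installer looks for in Contents/Resources.
INSTALL_SCRIPTS = {"preflight", "postflight", "preinstall", "postinstall",
                   "preupgrade", "postupgrade", "InstallationCheck", "VolumeCheck"}

def audit_pkg(pkg_path):
    """Return (auth_action, scripts, findings) for a bundle-style .pkg directory."""
    pkg = Path(pkg_path)
    with open(pkg / "Contents" / "Info.plist", "rb") as fh:
        info = plistlib.load(fh)
    auth = info.get("IFPkgFlagAuthorizationAction")  # None if the key is absent
    res = pkg / "Contents" / "Resources"
    scripts = sorted(p.name for p in res.iterdir()
                     if p.name in INSTALL_SCRIPTS) if res.is_dir() else []
    findings = []
    if auth == "AdminAuthorization":
        findings.append("AdminAuthorization: the level reported in this thread as "
                        "installing from an admin account with no password prompt")
    if auth in ("AdminAuthorization", "RootAuthorization") and scripts:
        findings.append("ships install scripts: " + ", ".join(scripts))
    return auth, scripts, findings

def make_sample_pkg(root, name, auth, scripts=()):
    """Build a constructed, empty test package (not one of the linked packages)."""
    pkg = Path(root) / name
    (pkg / "Contents" / "Resources").mkdir(parents=True)
    with open(pkg / "Contents" / "Info.plist", "wb") as fh:
        plistlib.dump({"CFBundleIdentifier": "example.invalid." + name,
                       "IFPkgFlagAuthorizationAction": auth}, fh)
    for script in scripts:
        (pkg / "Contents" / "Resources" / script).write_text("#!/bin/sh\nexit 0\n")
    return pkg

def demo():
    """Audit three constructed packages mirroring the NoAuth/AdminAuth/RootAuth trio."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = [("NoAuth.pkg", "NoAuthorization", ()),
                   ("AdminAuth.pkg", "AdminAuthorization", ("postflight",)),
                   ("RootAuth.pkg", "RootAuthorization", ())]
        return {name: audit_pkg(make_sample_pkg(tmp, name, auth, scripts))
                for name, auth, scripts in samples}

if __name__ == "__main__":
    for name, (auth, scripts, findings) in demo().items():
        print(name, auth, scripts, findings or "no findings")
```

To audit a real download, call `audit_pkg()` with the path to the `.pkg` bundle on the mounted disk image; a finding is a reason to inspect the payload and scripts by hand before installing.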
It seems that Security Update 2006-007 (http://docs.info.apple.com/article.html?artnum=304829) fixes the Installer problem discussed in this thread. (I haven't tested it - I'm just going from the description in the above Apple doc)
|
I can confirm this - "Installer.app" now asks for authentication for installing these types of packages (or one that I had anyway), and more importantly, '/usr/sbin/installer' exits with the error message:
"installer: This package requires authentication to install." So trojans running in an "admin" account will be prevented from running in the background as "root" by this mechanism, at least. |
That is good news. :) But I do wonder why it took Apple so long. |
Every system, made by human, can be hacked or destroyed by human.
But Mac is a beauty so that hackers seldom hack it. To a beauty, you hardly let her pain, right? So don't worry...Mac is always wonderful. |