The macosxhints Forums


tlarkin 12-15-2008 05:06 PM

Leopard the most vulnerable OS of the year????
 
I found this on another site that was, well, a flame war between a bunch of idiots about Mac vs. PC and how Apple announced they should have virus protection.

http://www.pocket-lint.co.uk/news/ne...-minutes.phtml

Claims it was a malware attack through Safari, so I guess it required user interaction.

Oh, here is another, more in-depth article on the subject.

http://www.dailytech.com/Apples+Safa...ticle11299.htm

cwtnospam 12-15-2008 07:45 PM

Pfft, from the second article, published March 31, 2008:
Quote:

...Many believe this is simply a matter of market share. With Mac sales on the rise, there may soon be a large increase in Apple-targeted malware and takeovers with the Safari browsing taking the brunt of the attacks.

I'm assuming "soon" means sometime in the next decade. :rolleyes:

Woodsman 12-16-2008 07:17 AM

Quote:

Originally Posted by cwtnospam (Post 508716)
Pfft, from the second article, published March 31, 2008:


I'm assuming "soon" means sometime in the next decade. :rolleyes:

I am so not qualified to pronounce in my own person, but FWIW I've spoken to a computer security professional (in meatspace) who said that it was indeed about market share and that there was no inherent reason why UNIX-type systems can't be afflicted with malware, once the evil little buggers decide to give them their full attention. I do so hope that isn't true. OTOH, I ran Windows, with OE and IE yet, for 12 years without catching anything, and said professional did agree that most malware requires you to do something schtoopid. Perhaps people who have been virused from trying to ogle Anna Kournikova's boobs, for example, have a vested interest in pretending they got hit by something that proliferated all by itself. But as I said, I am no expert, just paranoid and/or lucky.

biovizier 12-16-2008 09:10 AM

What articles like this recent one point out about Apple's tendencies worries me:
http://www.macworld.co.uk/business/n...S&NewsID=23798

So apparently Apple is often slower than other companies in responding to and patching holes in Java. The argument goes that people would have a window of opportunity in which to study the patches issued for other OSes for clues to the nature of the vulnerability, and then put together an exploit for OS X before Apple gets around to patching their version. And since it's something cross-platform, there might be more people with the know-how to write an exploit for Java, compared to some OS X specific vulnerability.

I don't have a clue whether or not this is within the capabilities of Java gone bad, but as of 10.5.6, there are still at least two unpatched "admin" to "root" privilege escalation vulnerabilities. Since most people continue to use the default "admin" account, Java is a component of some web pages, and pretty much everyone surfs the web and Java is enabled by default, if it were possible to chain a Java exploit to a privilege escalation, it seems like it could mean that once again, most Macs could be "rooted" just by visiting a malicious web page...

tlarkin 12-16-2008 10:00 AM

They were also the last big company to patch the DNS exploits that affected everyone. Their patching and updating system is not quick and they are often the last developer to patch known issues when comparing them to everyone else, even the open source community.

I do not use Safari, though, and most exploits seem to exploit WebKit browsers on the Mac. I haven't read one yet that says they exploited Firefox, not sure if that is relevant or not though.

cwtnospam 12-16-2008 10:30 AM

Quote:

Originally Posted by Woodsman (Post 508764)
I am so not qualified to pronounce in my own person, but FWIW I've spoken to a computer security professional (in meatspace) who said that it was indeed about market share and that there was no inherent reason why UNIX-type systems can't be afflicted with malware, once the evil little buggers decide to give them their full attention.

Marketshare will only increase attention, and in that respect it should increase relative percentages of viruses, but it does nothing to explain why there are zero viruses for OS X.

"Experts" have been saying that OS X would fall victim to viruses "soon," since the beta, and it's more than a little old at this point.

tlarkin 12-16-2008 10:39 AM

Quote:

Originally Posted by cwtnospam (Post 508792)
Marketshare will only increase attention, and in that respect it should increase relative percentages of viruses, but it does nothing to explain why there are zero viruses for OS X.

"Experts" have been saying that OS X would fall victim to viruses "soon," since the beta, and it's more than a little old at this point.

You are completely wrong. There are viruses for OS X and they do exist, remember the QT codec exploit?

There are no viruses that self propagate in the wild for Unix or Linux, and of course OS X. That doesn't mean that they can't.

Remember the ARD client exploit that was patched a few months back? The one that gave any old user root privs? Yeah, OS X isn't bulletproof.

cwtnospam 12-16-2008 10:42 AM

It's the self propagation that matters, and no one has managed to do it. That's why there are no OS X viruses in the wild, and increased market share won't change it.

tlarkin 12-16-2008 10:51 AM

Quote:

Originally Posted by cwtnospam (Post 508796)
It's the self propagation that matters, and no one has managed to do it. That's why there are no OS X viruses in the wild, and increased market share won't change it.

Actually, not really anymore. Most exploits for Windows require user interaction or a program to be installed. I haven't had a virus on any of my Windows boxes for years, since like 2000 or so.

I don't install crappy or questionable third party apps. I don't go to malicious websites. I don't use programs that require codecs. I monitor my processes and see what is running in the background. On occasion I run some sort of system scan to make sure nothing is under the radar that I can't see.

The bottom line is, MS is on top of their product when it comes to security patches and updates.

How long did it take Apple to patch the DNS exploit? Several months after Cisco, MS, and everyone else patched it.

biovizier 12-16-2008 11:04 AM

Quote:

It's the self propagation that matters, and no one has managed to do it.

Even the malware writers targeting Windows don't rely on using only viruses these days. For example, one of the most recent attacks:
http://www.eweek.com/c/a/Security/Ha...osoft-IE-Flaw/

Compromise a legitimate site's web server to host malicious code, let the users come to you, and exploit vulnerabilities in the client software. Macs would be just as vulnerable if confronted by this sort of threat if someone were to target a neglected vulnerability in OS X. Even if the malware doesn't propagate beyond that initial compromise, that's small comfort to the individuals affected.

cwtnospam 12-16-2008 11:29 AM

I'll take slow with good results over fast and a world full of botnets any day.

No one is saying that the Mac is immune, but the fact is that Chicken Littles have been running around saying that the Mac is going to be plagued by viruses "soon" since OS X first appeared. It hasn't happened, and that counts for a lot more than: "well, it could happen."

wdympcf 12-16-2008 12:42 PM

Quote:

Originally Posted by cwtnospam (Post 508807)
No one is saying that the Mac is immune, but the fact is that Chicken Littles have been running around saying that the Mac is going to be plagued by viruses "soon" since OS X first appeared. It hasn't happened, and that counts for a lot more than: "well, it could happen."

"It hasn't happened" means absolutely nothing. The "big impending exploit" could happen tomorrow and wreak havoc on your Mac. At that point, it doesn't much matter that Windows has more exploits than OS X - what matters then is that you got hit. The point is that Apple should be patching vulnerabilities as fast as the next guy, instead of resting on their laurels content with the fact that their OS receives much less attention from malware than its competitors.

I'm not advocating panic like certain AV software companies. I am fairly confident that my surfing habits don't expose me to undue risk and I believe OS X has a secure foundation in UNIX. However, I would feel even more confident if Apple moved quickly and decisively on each vulnerability that came up rather than eventually "getting around to it".

cwtnospam 12-16-2008 12:54 PM

Quote:

Originally Posted by wdympcf (Post 508826)
The "big impending exploit" could happen tomorrow and wreak havoc on your Mac.

True, but my point is that it "could happen tomorrow" is meaningless. No matter what platform you use or what precautions you take, it could always happen tomorrow. Market share doesn't change that and neither does AV software, or even a vigilant user. Throwing up the "could happen tomorrow" flag is a cop out used by the AV industry and too many tech "journalists" to scare up business.

tlarkin 12-16-2008 12:55 PM

Quote:

Originally Posted by wdympcf (Post 508826)
"It hasn't happened" means absolutely nothing. The "big impending exploit" could happen tomorrow and wreak havoc on your Mac. At that point, it doesn't much matter that Windows has more exploits than OS X - what matters then is that you got hit. The point is that Apple should be patching vulnerabilities as fast as the next guy, instead of resting on their laurels content with the fact that their OS receives much less attention from malware than its competitors.

I'm not advocating panic like certain AV software companies. I am fairly confident that my surfing habits don't expose me to undue risk and I believe OS X has a secure foundation in UNIX. However, I would feel even more confident if Apple moved quickly and decisively on each vulnerability that came up rather than eventually "getting around to it".

I agree, security by obscurity is no longer really security. Also, claiming that there is nothing out there to exploit your product doesn't mean it can and will happen.

I was utterly surprised at the ARD exploits, and ARD admin is such a shoddy product when it comes to security. You try to give a user specific rights and it never works, so you have to end up giving them full rights for that one or two tasks (yeah I work for the government, bureaucracy....) they need it for, which then gives them the ability to root any machine.

What worries me is that I have a complete Mac network, which is something that is not that common. I have 30+ servers in an Open Directory and 6,500+ Mac clients out in user space. How can I make sure they are all secure? If Apple can't deliver, and allow me to implement, how can I make sure security is up to date?

cwtnospam 12-16-2008 01:04 PM

Quote:

Originally Posted by tlarkin (Post 508830)
How can I make sure they are all secure?

You can't, and it doesn't matter what Apple delivers, or doesn't deliver. There is always risk.

All that Apple and third party vendors can do is try to reduce those risks. All that you can do is try to reduce your own risks and look at the history of various vendors' success as some indication of what their future success may (not will) be.

tlarkin 12-16-2008 01:10 PM

Quote:

Originally Posted by cwtnospam (Post 508836)
You can't, and it doesn't matter what Apple delivers, or doesn't deliver. There is always risk.

All that Apple and third party vendors can do is try to reduce those risks. All that you can do is try to reduce your own risks and look at the history of various vendors' success as some indication of what their future success may (not will) be.

Let me rephrase that.

HUGE, no GINORMOUS DNS exploit found, every platform fixes it, Apple doesn't. What do I do? You are right, I can't do anything.

I am not asking for a bulletproof OS as that is impossible, I am asking them to get their act together.

cwtnospam 12-16-2008 01:39 PM

Quote:

Originally Posted by tlarkin (Post 508839)
I am not asking for a bulletproof OS as that is impossible, I am asking them to get their act together.

Sure, it would be nice if they came out with fixes faster, but if you're going to compare their speed with Microsoft's, do it fairly. Compare speed and accuracy. There have been plenty of incidents where Microsoft's speedy fix ended up creating more vulnerabilities.

biovizier 12-16-2008 02:07 PM

I think Apple has had plenty of time to fix the admin->root privilege escalation vulnerabilities (i.e. system level access is possible without providing a password, from an admin account). The two I am aware of have been around for years (Panther and earlier), one well known for almost two years, and the perhaps lesser-known one has been used in an actual trojan. I think it's fair to call their efforts lackadaisical.

They could be considered to fall into the category of design flaws rather than bugs, and historically, Apple doesn't "fix" these for free - you get the security only after paying for the next version. We won't know for sure until it is released, but "Snow Leopard" is reported to be dropping PPC support so will PPC users even get the opportunity to install the fix? The last PPC Macs were of course sold mid-2006 or so - less than three years ago.

It will be interesting to see how deep Apple's commitment is to providing security support for (barely) legacy hardware and software - another area where Apple has received criticism.

tlarkin 12-16-2008 03:25 PM

I can tell you right now I have a problem with Open Directory and users that get negative UIDs. I am not the only deployment with this issue. I have paid for tier 2 or 3 support from Apple, meaning I get to talk directly to engineers. The smart guys.

I did tons of enterprise data captures, worked with their systems engineer (who was a really nice dude to work with) and I even found a workaround for the problem. Apple was well aware of the issues with that product and their answer is that it has been scheduled to be fixed in a future release of the OS, AKA - OS X 10.6 Server.

Where does that put me?

Craig R. Arko 12-16-2008 04:31 PM

Quote:

Originally Posted by tlarkin (Post 508862)

Where does that put me?

Still employed, I guess. :D

tlarkin 12-16-2008 04:45 PM

Quote:

Originally Posted by Craig R. Arko (Post 508870)
Still employed, I guess. :D

Yeah, but we are talking about my stress and sanity here, Craig, LOL! :eek:

