The myth of the more secure mac os

[Corny]

I kinda wrote this for another post, but I think it deserves it's own thread.

did you see the latest security update for mac os?
"just" 88 holes.

http://support.apple.com/kb/HT4077

but WHAT kind of holes:

• Code Execution through
  • spell check ( ! )
  • audio and video playback
  • mounting of images
  • converting of floating point numbers ( !!! )
  • opening of postscript files
• disabling firewall rules through reboots
  
• guest account with file access working in afp although disabled
  
• root access through directory service and other os services
  
• ftp access to files not in the ftp share/root ..
  
• take over of chat servers ..
  
• bugs, stack overflows and more in virtually every picture format
  
• remote login without restrictions through OLD passwords

not that through ANY of these you could completely own a mac machine. mac heads are just lucky that nobody cares about them - yet.

quite enlightening is also this article

In cracking competitions, it is regularly the Apple systems which are cracked first by attackers. Miller has argued for some time that Mac OS X is among the comparatively insecure operating systems. Apple users are currently "safer, but less secure", he said. While malware authors don't concern themselves with the relatively small number of Apple users, Miller said, the size of the market share is no longer a valid argument in targeted attacks such as operation Aurora: "Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town."

http://www.h-online.com/security/news/item/Mac-OS-X-safer-but-less-secure-Update-957981.html

 

[Paws]

I guess hackers/crackers don't target MacOS that often because it requires them to buy such an expensive machine first to toy around with it - and they don't have the money for it or don't want to support Apple that way. Security through capitalism and elitism

I want BeOS back

 

[seven2go]

As MAC users seem to be pretty smug about their "security" if I were a hacker I might shift my efforts toward MAC's as the payoff, percentage wise, would be much higher.......

 

[Corny]

I want BeOS back

http://www.haiku-os.org/

 

[Paws]

http://www.haiku-os.org/

BeOS, not some half-assed alpha version project

 

[bankside]

I want os/2 back.

 

[MidnightPrism]

mac heads are just lucky that nobody cares about them - yet.

Which means we are more secure until people care.

One of the days there might be as many things to worry about as on Windows, until then I will keep my Mac.

 

[Corny]

Which means we are more secure until people care.

you didn't get the point. they are more safe because nobody cares. they are not more secure.

 

[andysayshi]

The day that any of the 20 Mac machines I administer, or any of the friend's Mac machines I occasionally support, are infected with just one piece of Malware, I will most certainly take notice.

 

[T-Rexx]

Charlie Miller didn't just hack the Mac (via Safari) at this year's Pwn2Own. He also hacked Microsoft's PowerPoint, OpenOffice.org and a selection of Adobe apps. He gave a presentation of fuzzing techniques, and how anyone might use them to attack a system, or to test a program for vulnerabilities.

Peter Vreugdenhil took control of a Windows 7 (64 bit) machine through a vulnerability in IE 8 on the first day of the competition.

Miller is upset that developers take such a passive attitude toward security. They sit back and wait for someone to announce an exploit, then they patch it. There is no reason that software developers could not test their software for vulnerability to fuzzing techniques before release.

This isn't rocket science. Everyone knows how hackers exploit these programs. But, despite all the problems it creates, neither Microsoft nor Apple have ever really been very concerned about security.

That's what upsets Charlie Miller.

 

[Corny]

^ the point is that Mac OS is not more secure than any other OS. If you look at the patch notes from apple itself - they just fixed more dangerous and severe holes than MS in the complete last year.

And @andysashi: depending on the kind of malware you would not. read the recent "shadow in the cloud" reports? saw what kind of manpower they needed to investigate this?

 

[hotatlboi]

I agree that Apple's software is not necessarily much more secure than Win in a fundamental sense, though it is less vulnerable since very few exploits are ever publicly used.

Apple has historically been in a better position for several reasons though aside from the general security through obscurity/lack of cracker motivation explantion.

1. One of the main problem with Windows was that the default account was the administrator account which had full permissions to everything. Thankfully Microsoft has disabled this by default in recent versions.

2. Apple has historically been much more proactive about security. When an exploit was found, it is usually patched immediately. Microsoft has been known to wait weeks or even months to patch something until it became absolutely necessary because it was being exploited. Thankfully again MS seems to be taking a more proactive approach to security in recent years.

 

[Corny]

I agree that Apple's software is not necessarily much more secure than Win in a fundamental sense, though it is less vulnerable since very few exploits are ever publicly used.

hu? it's no less vulnerable.
if you are running around naked you are more vulnerable to attack than in an knight's plate armor - even when there are no weapons available.

most of the recent "big" hacks have been due to previously unknown "0 day" exploits - those where there is no patch and no other "publicly used exploit" available.

Apple has historically been in a better position for several reasons though aside from the general security through obscurity/lack of cracker motivation explantion.

and as we all know - security through obscurity does not work

2. Apple has historically been much more proactive about security. When an exploit was found, it is usually patched immediately.

this is not true. did you see the linked patch notes? 88 holes in one patch? this is nothing that they fixed immediately, this is hardly proactive. probably only company worse on that behalf is oracle ..

 

[Gamby6]

I guess hackers/crackers don't target MacOS that often because it requires them to buy such an expensive machine first to toy around with it - and they don't have the money for it or don't want to support Apple that way. Security through capitalism and elitism

I want BeOS back

You know there are different versions of hacked osx out on the internet free to download. My friend installed it on his computer with vista on other partition and it worked like charm(no driver problem at all like some people experience). He used it only until novelty wore out cuz he didn't have mac softwares and there aren't many free software to choose like pc does.

 

[cityboy-stl]

I want os/2 back.

I'll second that. I loved OS/2.

 

[Corny]

You know there are different versions of hacked osx out on the internet free to download.

well it's not really a free download, you still need mac os .. or a pirated version of it.

but the "hackintosh" stuff only runs on very specific hardware.

 

[hotatlboi]

hu? it's no less vulnerable.
if you are running around naked you are more vulnerable to attack than in an knight's plate armor - even when there are no weapons available.

Perhaps vulnerable was the wrong word. I was attempting to distinguish between security in a fundamental sense (that the Mac OS might not be fundamentally more secure) and a practical sense.

Whether or not it is more secure, the Mac OS is less likely to be exploited due to the FAR fewer number of exploits that exist in the Mac ecosytem.

To use your analogy, you are generally less vulnerable running around naked on a beach than if you are a knight with armor running around a battlefield. The number of threats a Mac computer will face is generally far less, therefore it is less likely to be exploited.

 

[Corny]

see in german we have just one word for it "sicherheit". but in english there is safety - and security.

and that's what I say: using a mac is safer because it's less of a target (still), but a mac is not more secure.

 

[Corny]

not entirely on-topic since it is iPhone OS but still.

want to hack a locked down iPhone?

No problem, connect a switched off phone to an ubuntu machine and switch it on.

oops.

bad linux .. bad linux .. oh wait

german computer magazine heise security also managed to do it under windows. and not only could they read the standard "files", but also the database .. with stored textst etc ..

nobody (not even apple themselves) knows yet what the exact problem is (probably a race condition), but um well .. yeah but what exactly is this passphrase being used for when there is nothing really encrypted or anything on the system? it's just like a person asking your for a secret code, but you can chose just to walk past this person, ignore it and take the cookies

 

[maxpowr9]

Corny as I said before many times. I equate Apple security to cracking a house safe and finding $20 in it. Clearly not worth the effort. Why bother cracking a safe for little payload when you could rob a bank for better results with the (hypothetically) same tactic. Not that I am advocating robbery/hacking in any way.

Like your post above, any person can "unlock" Apple product. If Apple PC's market share does for some strange reason explode, you will see their OS crippled.