[AKcrab]

The company is downplaying the issue but one security company at least is concerned that the vulnerabilities could be extremely serious. Secunia has given the five - yes, five - patches a "highly critical" rating and warned that they may allow hijacking, security bypass, data manipulation, privilege escalation, denial of service and system access.

In other words, it makes Microsoft's current Sasser problems look no more than a nasty nip. The difference of course is that Windows is the vast majority of the market and Macs account for only three percent of operating systems. There isn't a worm exploiting the holes as yet but the company is strongly advising users to download and install the patches as the OS looks like an easy target at the moment.

This strange habit of pretending a big problem is of no significance was also displayed last month, when Apple explained that it was "aware" of a Trojan horse that could be used to compromise its systems and was investigating it, but refused to say any more, commenting only that it has an excellent track record of patching holes.

Worst. Article. Ever.

Link
You may leave feedback to the article here.

[itai195]

Meant to post this in the lounge?

Personally I am not that surprised -- I'm not convinced Apple has made much of a commitment to security.

[AKcrab]

Originally posted by itai195:
Meant to post this in the lounge?

Indeed I did.

[ryju]

Originally posted by itai195:


Personally I am not that surprised -- I'm not convinced Apple has made much of a commitment to security.

FileVault?

[gorickey]

[Convinced]

Buying a Dell...

[/Convinced]

[itai195]

Originally posted by ryju:
FileVault?

That's a feature, and every OS has it. I mean testing for vulnerabilities and fixing them. We get these little monthly security updates, but Apple isn't very transparent about the whole process and they certainly don't talk about security much.

[djohnson]

Last time I checked, OS X was one of the most secure OS out there... Next to microcrap, it is darn near perfect.

[::maroma::]

Originally posted by itai195:
That's a feature, and every OS has it. I mean testing for vulnerabilities and fixing them. We get these little monthly security updates, but Apple isn't very transparent about the whole process and they certainly don't talk about security much.

I would argue that releasing monthly security updates shows that Apple is very committed to security in OS X. And if OS X was indeed "riddled with security holes", where are the cases of security breaches?

[olePigeon]

They kinda left out that the Trojan Horse wasn't real, and it was just a proof of concept that absolutely no one addressed. Then it was patched in the security update.

[itai195]

Originally posted by ::maroma:::
I would argue that releasing monthly security updates shows that Apple is very committed to security in OS X. And if OS X was indeed "riddled with security holes", where are the cases of security breaches?

I don't think it matters -- probably the main explanation for that is the 'obscurity' one often bandied about. I'm not saying that the OS is riddled with security holes, but I personally wouldn't be surprised if it has a bunch.

[mitchell_pgh]

OS X is considerably more secure out of the box the XP. The fact that there is a firewall is for starters a very big deal.

Also the fact that we aren't always running as root is another major component.

We also have the advantage of the entire open source community behind SSH, SFTP, Apache etc. etc.

Our entire core is based on Open Source. While this gives hackers a blueprint of the foundation of the OS, it also permits them to patch it.

[::maroma::]

Originally posted by itai195:
I don't think it matters -- probably the main explanation for that is the 'obscurity' one often bandied about. I'm not saying that the OS is riddled with security holes, but I personally wouldn't be surprised if it has a bunch.

I agree that there are most likely many security holes in OS X. I think any OS has many security holes. The difference is whether or not the company that makes the OS is willing to patch these holes with regularity. Apple does. I'm not sure about MS.

[itai195]

XP also comes with a firewall, and service pack 2 will improve it and also turn it on by default.

MS is very good about writing the security patches, what they're not as good at is delivering them.

[mitchell_pgh]

Originally posted by itai195:
XP also comes with a firewall, and service pack 2 will improve it and also turn it on by default.

MS is very good about writing the security patches, what they're not as good at is delivering them.

I don't agree. Security patches shouldn't kill software which is the case with SP2 (unfortunately the only way to get the OS to be secure). Also, it's still patchwork.

While OS X isn't perfect, XP has KNOWN vulnerabilities beyond SP2, and I'm not talking about trojans...

[mitchell_pgh]

Originally posted by ::maroma:::
I agree that there are most likely many security holes in OS X. I think any OS has many security holes. The difference is whether or not the company that makes the OS is willing to patch these holes with regularity. Apple does. I'm not sure about MS.

I couldn't agree more. My girlfriend installed a security update by accident on my system...

[olePigeon]

Originally posted by mitchell_pgh:
I don't agree. Security patches shouldn't kill software which is the case with SP2 (unfortunately the only way to get the OS to be secure). Also, it's still patchwork.

While OS X isn't perfect, XP has KNOWN vulnerabilities beyond SP2, and I'm not talking about trojans...

Software firewalls are stupid. It takes a user 1 click to download a Trojan that disables their firewall. Only way to go is a hardware firewall.

[mitchell_pgh]

Originally posted by olePigeon:
Software firewalls are stupid. It takes a user 1 click to download a Trojan that disables their firewall. Only way to go is a hardware firewall.

Not necessarily... I agree that they aren't nearly as good as a hardware firewall, but they are much better then nothing... It's one more layer...

[itai195]

Originally posted by mitchell_pgh:
I don't agree. Security patches shouldn't kill software which is the case with SP2 (unfortunately the only way to get the OS to be secure). Also, it's still patchwork.

While OS X isn't perfect, XP has KNOWN vulnerabilities beyond SP2, and I'm not talking about trojans...

Apple also releases security patches, so there's no real moral high ground there. What do you mean by killing software?

[mitchell_pgh]

Originally posted by itai195:
Apple also releases security patches, so there's no real moral high ground there. What do you mean by killing software?

XP SP2 crippled some software. Actually, it simply secured the OS more and some programs didn't handle the update well.

I realize OS X isn't bullet proof, but to say it's "riddled with security holes" isn't saying anything. In contrast to what? While there may be security problems, they aren't exploited to the degree that XP is...

[itai195]

Originally posted by mitchell_pgh:
XP SP2 crippled some software. Actually, it simply secured the OS more and some programs didn't handle the update well.

Are you beta testing SP2? I thought it wasn't out until May or June.

[mitchell_pgh]

Originally posted by itai195:
Are you beta testing SP2? I thought it wasn't out until May or June.

I work with the people at my university... I've seen it, but most of my comments are from what they have told me...

[itai195]

Originally posted by mitchell_pgh:
I work with the people at my university... I've seen it, but most of my comments are from what they have told me...

What they experience is hopefully just because it's a beta. Binary compatibility is usually at the top of the list for an OS upgrade...

[mitchell_pgh]

Originally posted by itai195:
What they experience is hopefully just because it's a beta. Binary compatibility is usually at the top of the list for an OS upgrade...

My friends comments exactly. Basically it hits the university even harder because some of the software we use is OLD

[funkboy]

Originally posted by itai195:
That's a feature, and every OS has it.

No it's not. FileVault is the only built-in feature of its kind, I believe. Windows cannot encrypt every single file on the volume automatically, decrypting as necessary, can it? Feel free to prove me wrong, that'd be a neat feature to have.

[itai195]

Originally posted by funkboy:
No it's not. FileVault is the only built-in feature of its kind, I believe. Windows cannot encrypt every single file on the volume automatically, decrypting as necessary, can it? Feel free to prove me wrong, that'd be a neat feature to have.

XP Pro has an Ecrypting File System feature, and it also supports multiple users. I think you can probably encrypt a whole volume, but at the least XP gives you directory- and file- level controls over encryption. Not sure if XP Home has any or all of this feature.

EDIT: I think it's Pro only, here's the marketing-speak from microsoft.com:

Encrypts each file with a randomly generated key. The encryption and decryption processes are transparent to the user. In Windows XP Professional, EFS can provide multiple users access to an encrypted document.

I'd imagine Linux has something very similar though I don't recall off the top of my head.

I think the point I wanted to make though is that FileVault probably isn't the type of security they're talking about. FileVault builds sensitive information protection into the OS, which is a nice feature, but I think they're talking about system level security.

[mitchell_pgh]

Originally posted by funkboy:
No it's not. FileVault is the only built-in feature of its kind, I believe. Windows cannot encrypt every single file on the volume automatically, decrypting as necessary, can it? Feel free to prove me wrong, that'd be a neat feature to have.

Hmm... interesting point.

[olePigeon]

Originally posted by itai195:
Apple also releases security patches, so there's no real moral high ground there. What do you mean by killing software?

Actually, most of the security patches have to do with exploits in standards implementation, like SSH2, TCP stack, etc. Less so to do with propriatary items like AppleShare.

At least, that's what I've noticed. The majority of Microsoft's security holes have to do with Microsoft crap.

[mitchell_pgh]

Originally posted by olePigeon:
Actually, most of the security patches have to do with exploits in standards implementation, like SSH2, TCP stack, etc. Less so to do with propriatary items like AppleShare.

At least, that's what I've noticed. The majority of Microsoft's security holes have to do with Microsoft crap.

Also, many of the items aren't major exploits. The average user doesn't use AFP, SSH2, ARD etc. etc.

[Partisan01]

Originally posted by olePigeon:
Software firewalls are stupid. It takes a user 1 click to download a Trojan that disables their firewall. Only way to go is a hardware firewall.

Ah yes the 'hardware firewall'. Just what exactly is that? Is it a device that has firewall rules imprinted directly onto a breadboard? That would be a hardware firewall. Even stand alone devices are running software that filters the packets. By the vary nature of what a firewall is it is impossible for one to not be implemented except in software at some level. Even at a chip level it would still be in software on the chip.

You seem to be referencing a Windows Firewall. The firewally included in OS X ipfw is pretty robust. If you're looking for an even better solution check out OpenBSD's pf. They even have CARP functionality in their newest release (an open source implementeation for HSRP). In systems where there is privilege seperation between the firewall software and the user running it, the chance of a trojan shutting it down would require a root privilege escalation. I have never heard of such a thing on *nix systems. Maybe a link or two would be helpful in proving your point.

I don't want to come across as tearing into you, I just felt it necessary to clear up a few issues about firewalls, and in the process maybe everyone can learn a little bit.

Nate

[Partisan01]

Originally posted by funkboy:
No it's not. FileVault is the only built-in feature of its kind, I believe. Windows cannot encrypt every single file on the volume automatically, decrypting as necessary, can it? Feel free to prove me wrong, that'd be a neat feature to have.

Windows does not have it by default, but you can accomplish the same things as FileValut with PGP. One would argue you can actually accomplish more because you can encrypt emails also, but since you have to pay for PGP I guess more features are never undesired.

nt

[mitchell_pgh]

Originally posted by Partisan01:
Windows does not have it by default, but you can accomplish the same things as FileValut with PGP. One would argue you can actually accomplish more because you can encrypt emails also, but since you have to pay for PGP I guess more features are never undesired.

nt

That being said, you could use PGP encapsulated in FileVault on OS X. We can also do the eMail thing...

[Beewee]

Personally I would rather have an OS with unexploited security flaws than an OS that gets hit by a new virus or worm about every month or so...

[ghost_flash]

Isn't the best way to secure anything is to hide the fact that one is concerned? Dilligence is still required, hence the updates.

It's like having a sign in the window of your home saying: "We call the police".
Duh. If you don't have it, does it mean you won't?

[theolein]

Originally posted by itai195:
Apple also releases security patches, so there's no real moral high ground there. What do you mean by killing software?

Batting for the other team today, eh? There are major differences in Microsoft's approach to security and Apple's, both in policy and implementation. Let's start with the sasser virus doing the rounds on Windows boxes at the moment: The actual vulnerability was discovered by a security company (not Microsoft) last October, i.e. October 2003. Microsoft released a patch for the vulnerability in January or Febuary 2004, i.e. they took 4 or 5 MONTHS to release a patch for a serious vulnerability. The vulnerability is especially serious because, up until XP SP2, the built-in firewall in Windows is not turned on by default. That means the port that SASS listens on is wide open on almost all XP Home systems. Not only that but the large amount of people using their notebooks at home and connecting to their companies through VPN's means that even a company firewall will not help much if one infected machine get's inside the network. Added to all this is the fact that Microsoft's patch killed many systems ability to connect to the internet.

The Windows permissions system, while offering finer grained control of security than the Unix one, very often means that a piece of software is unable to run unless the user is logged in as an administrator, added to which, getting around the hurdle and escalting the permissions has historically not been that difficult for trojans, viruses and worms.

Does this mean Apple is beyond reproach? No, of course not. Apple has also released some very buggy system upgrades (The iTunes debacle a few years ago and the Panther Firewire bug come to mind), BUT, and this is where Apple has a definitely better approach to it's security than Microsoft, Apple has had the firewall turned on by default since it's inclusion in the GUI (10.2 had the commandline ipfw, but it wasn't turned on by default IIRC). Apple has also been much, and I mean much faster in releasing security updates to critical security vulnerabilities, usually within a week or two of the discovery of such a vulnerability. (Note that this doesn't include non Apple software such as Apache or PHP which, although they do get updated as well, generally wait longer until a Patch for OSX is released).

The Unix permissions system mean that while an exploit can do a lot of damage to someone who hasn't backed up their data, unless the exploit can get root permissions, it is limited in what it can do.

I must say though, that Apple's approach to the mp3 trojan is poor, from what I've seen. While the trojan is not that easy to get onto a system (it needs to preserve the resource forks) it is still a weak spot in an otherwise very good security system.

[BigMeatyChunks]

OS X also runs on a very tiny number of systems (in terms of variation in motherboards/CPUs/main hardware) so naturally the testing cycle to release a patch is shorter.

How many times has a major flaw hit PC users when there was no patch? The exploits always come weeks after there's a patch out. If someone gets hit then it's not Microsoft's fault a person is a total moron for not hitting Windows Update regularly no more than it's Symantec's fault a person gets a virus for not updating their virus definitions regularly.

No OS on the market today is free of needing patches.

[theolein]

Originally posted by BigMeatyChunks:
OS X also runs on a very tiny number of systems (in terms of variation in motherboards/CPUs/main hardware) so naturally the testing cycle to release a patch is shorter.

How many times has a major flaw hit PC users when there was no patch? The exploits always come weeks after there's a patch out. If someone gets hit then it's not Microsoft's fault a person is a total moron for not hitting Windows Update regularly no more than it's Symantec's fault a person gets a virus for not updating their virus definitions regularly.

No OS on the market today is free of needing patches.

The exploits and vulnerabilities in Windows are almost never hardware related. This should be obvious, because if the exploits were specific to certain hardware then their impact would not be as big as they are. The vulnerabilities in Windows are usually either related to a buffer overflow in a service listening on a specific port (blaster: rpc service on 135, sasser: lsass service on 445) or are due to Outlook's ability to execute code directly from a mail attachment.

[zen jihad]

Originally posted by Beewee:
Personally I would rather have an OS with unexploited security flaws than an OS that gets hit by a new virus or worm about every month or so...

What would the reaction be if a virus was released on OS X without a patch being made prior to it? People could say; Apple knew of this exploit, but remained quiet, and thus deserved bad press for doing nothing to prevent it. Or, Apple could just say they were unaware of this security flaw, and again, people would accuse them of not knowing their own OS.

Apple do seem to patch known vulnerabilities as they become aware of them; but they shoudn't start to become complacent about it.

[zen jihad]

If Apple had anywhere near the marketshare of MS, I'm sure we'd see similar levels of attacks on their OS. They don't, and MS seems to be good at making known their vulnerabilities, and then releasing pathes.

I wonde rwhat Apple would do if they were on the same level of playing field as MS, in regards to having their OS attacked?

[BigMeatyChunks]

Originally posted by theolein:
The exploits and vulnerabilities in Windows are almost never hardware related. This should be obvious, because if the exploits were specific to certain hardware then their impact would not be as big as they are. The vulnerabilities in Windows are usually either related to a buffer overflow in a service listening on a specific port (blaster: rpc service on 135, sasser: lsass service on 445) or are due to Outlook's ability to execute code directly from a mail attachment.

What it means is that an OS that has to work on more hardware is likely going to require more code and have more potential for bugs slipping through. I would wager that even Linux has more security holes on x86 than OS X does due to this factor.

[BigMeatyChunks]

Originally posted by Beewee:
Personally I would rather have an OS with unexploited security flaws than an OS that gets hit by a new virus or worm about every month or so...

Nobody gets hit with a worm on any platform if they have enough sense and responsibility to keep their software up to date.

Nobody who updated XP/2000 when the patch came out was affected by either Blaster or Sasser.

It's unpatched systems that get exploited regardless of platform or OS.

[gerbnl]

Originally posted by gorickey:
[Convinced]

Buying a Dell...

[/Convinced]

go! Go! GO!





bye...

[theolein]

Originally posted by BigMeatyChunks:
What it means is that an OS that has to work on more hardware is likely going to require more code and have more potential for bugs slipping through. I would wager that even Linux has more security holes on x86 than OS X does due to this factor.

Not true. Compare the open source Apache webserver (also included with OSX as the basis of personal websharing) with Microsoft's IIS. Apache has a greater marketshare than IIS (around 65% of the market compared to 30% of the market). Now compare the amount of vulnerabilities that have been found and exploited in Apache with those in IIS. IIS cleary has had many more vulnerabilities as well as exploits (Two very well known ones were nimda and code red). Marketshare was not the deciding factor.

[theolein]

Originally posted by BigMeatyChunks:
Nobody gets hit with a worm on any platform if they have enough sense and responsibility to keep their software up to date.

Nobody who updated XP/2000 when the patch came out was affected by either Blaster or Sasser.

It's unpatched systems that get exploited regardless of platform or OS.

This is a typical Microsoftie excuse: lu53r n00bi35 n33d t0 p4tch t3h 5y5t3m. It is also a bit simplistic.

Take the example of a new PC with Windows XP OEM preinstalled. If you're lucky it might have SP1, but definitely not all the security patches. That means you have to connect to the net to download all those patches. If you know what you're doing you'll have turned on the Windows firewall, which is off by default. But how many even know that that firewall even exists? Exactly, your average user has no idea. It takes less than three seconds to get infected with the blaster virus on an unpatched XP system (or 2k or NT for that matter). This actually happened to me about a month ago, when I attached a friend's XP system to the net to get a patch without thinking that the firewall might actually be turned off. It took exactly 3 seconds to get infected. And, normally, I would say that I know what I'm doing and would have turned on the firewall, because I know at least that it exists. Your average user doesn't, and why should they? It's not their responsibility to have a CS degree in order to use, what is in their eyes, simply a gadget.

[Angus_D]

Originally posted by olePigeon:
Software firewalls are stupid. It takes a user 1 click to download a Trojan that disables their firewall. Only way to go is a hardware firewall.

Only if the user has admin rights and is fooled into typing in their password into an authentication dialog.

[mitchell_pgh]

Originally posted by BigMeatyChunks:
Nobody gets hit with a worm on any platform if they have enough sense and responsibility to keep their software up to date.

Nobody who updated XP/2000 when the patch came out was affected by either Blaster or Sasser.

It's unpatched systems that get exploited regardless of platform or OS.

Software updates aside, the fact that OS X doesn't have a root account (by default), has a rather robust software firewall (turned on by default) and has few or no ports open (by default), is a testament to how Apple is approaching security. As stated before, many of the security updates do not patch average users systems. Most users don't use AFP, SSH, PHP...

Even if the Mac user base grew by 10X, I don't feel there would be a significant increase in malicious software.

[istallion]

Originally posted by theolein:
Not true. Compare the open source Apache webserver (also included with OSX as the basis of personal websharing) with Microsoft's IIS. Apache has a greater marketshare than IIS (around 65% of the market compared to 30% of the market). Now compare the amount of vulnerabilities that have been found and exploited in Apache with those in IIS. IIS cleary has had many more vulnerabilities as well as exploits (Two very well known ones were nimda and code red). Marketshare was not the deciding factor.

Does that comparison include all the modules added to Apache? AFAIK the featuresets don't lend themselves to just Apache vs. IIS.

[mitchell_pgh]

Originally posted by istallion:
Does that comparison include all the modules added to Apache? AFAIK the featuresets don't lend themselves to just Apache vs. IIS.

I find it funny that Microsoft can't create a web server for their OS that dominates the industry even with full knowledge of the OS.

That would be like Apple making Safari, but it being 1/2 as fast as IE.

[theolein]

Originally posted by istallion:
Does that comparison include all the modules added to Apache? AFAIK the featuresets don't lend themselves to just Apache vs. IIS.

Default Apache install, built from source.

[Michel_80]

Did not get this virus on my pc laptop because I update regularly. But I did buy a new desktop, and in the time I was downloading antivirus updates, I got the Sasser bug. Nightmare, only took about 10 minutes.

I am actually glad Apple doesn't have 90% of the market.