Linked by Thom Holwerda on Fri 20th May 2011 20:37 UTC
I have personally tried to pretty much let the whole MAC Defender trojan thing pass by, since we're not a security website. However, we have an interesting turn of events this week. An article over at Ars Technica quotes several anonymous Apple Store employees as saying that the infection rate of Macs brought into the Apple store has gone up considerably. More interestingly though, Apple's official policy states that Apple Store employees are not allowed to talk about infections to anyone - they're not even allowed to inform Mac owners if they find the infection without the customer's knowledge. Another interesting tidbit: Apple mandates the use of Norton Antivirus on company Macs, according to one Apple Store genius.
Thom_Holwerda Member since:
2005-06-29

Everything including a web browser and basic image rendering libraries wouldn't be deeply embedded into the kernel.


Lolwut? Where do you people come up with this stuff?

Privileged separation would be implemented in a strong manner instead of the wet Kleenex separation between regular users and administrators.


You realise that when it comes to access control, Windows NT is miles ahead of vanilla UNIX and Linux, right? You need SELinux to come even somewhat close to the kind of fine-grained control NT allows, and then SELinux is a complicated mess.

Reply Parent Score: 5

apoclypse Member since:
2007-02-17

" Everything including a web browser and basic image rendering libraries wouldn't be deeply embedded into the kernel.


Lolwut? Where do you people come up with this stuff?

Privileged separation would be implemented in a strong manner instead of the wet Kleenex separation between regular users and administrators.


You realise that when it comes to access control, Windows NT is miles ahead of vanilla UNIX and Linux, right? You need SELinux to come even somewhat close to the kind of fine-grained control NT allows, and then SELinux is a complicated mess.
"

Yep. But it's so stupidly complex that people just stick with the tried and true regular user and superuser. The issue with Windows is the culture. This is MS's fault for not designing their 9x system with security in mind. They basically trained users for more than two decades to run as administrator on their machine, and by extension developers were trained to write their software needing admin rights for no apparent reason.

Apple's OS is not inherently more secure than something like Windows 7 or even XP for that matter, but the culture is the main differentiator. Apple has trained their users and developers to at least heed an application that needs super user rights. Nothing installs on your system without your knowledge, nothing touches system wide files without you knowing, downloaded applications don't run without telling you that they are from the web.

As of late I have had to deal with the stupid Windows Defender trojan on Windows 7 machines at the company I work for; it basically borks your whole system to try to get you to buy the application. By comparison the Mac Defender trojan is relatively harmless as it can't really do anything without your consent; a simple delete will get rid of it. A simple delete can't get rid of Windows Defender; it's a multi-step process that may not get your machine back to the way it was before the trojan did its damage.

I do think Apple should stop reinforcing naive users' belief that nothing dangerous can happen to their machine "because it's a Mac". I also think that they should take at least some minimal precautionary steps to mitigate this issue now before it gets worse. The first one being not having Safari open downloaded files by default. I always turn that off as I don't like not knowing what's on my system without my consent. I think the Downloads folder bounce in the Dock is enough to let users know that there is something there and let them make the choice of opening the file or not.

Reply Parent Score: 3

jabbotts Member since:
2007-09-06

Well, the primary point was questioning the claim that Microsoft takes the security of its end users more seriously than any other company. (It was stated definitively too, as in "no other company never ever".)

Can you honestly say that with a straight face, Thom? Are you suggesting that Microsoft does in fact put more effort into delivering a secure OS than any other "company"? Default Windows puts default OpenBSD to shame, maybe?


But, to respond to your question, "where do you people get this stuff", and recognizing that this is not a security website and you're not a security expert, as you've mentioned in the past:

http://www.esecurityplanet.com/trends/article.php/3933491/Is-Linux-...

Filtering out obscurity attributes like popularity and non-tech attributes like user skill level..


Windows 7 is an improvement over past Windows distributions, however:


"From day one, the development of the Unix operating system (upon which Linux is based) was premised on the idea that the user should have minimal interaction with the operating system kernel," explained Bob Williams, a security consultant at The Binary Guys. "That is to say that the operating system does not regard the user as a god."

The OS regards every interaction of the user with suspicion. Any flavor of Linux is basically operating on the same idea.

"The development of the Microsoft OS from the earliest DOS system to the present Windows 7 is just the opposite," said Williams. "Even a guest account in Windows is tightly connected to kernel at a very fundamental level. If the guest account is given access to a printer function, for example, the account is given escalated privileges to the kernel."


This is worth considering also:


The biggest security problem with Windows, however, still lies in too few eyes watching for threats -- and way too long a lag in fixing the issues. It can literally take months for Microsoft to address a security issue adequately.

"It cannot be said any more that Windows is a closed source system. It seems as if the folks that investigate and exploit Windows know more about how the code works than Microsoft does," said Williams.


And, the mechanisms to update Windows and Windows-based software are still a mess. I have one central mechanism to update my Debian install, and third-party repositories are easily plugged into that same mechanism. It does not just check for updates from Debian. With Windows, I'm still visiting Microsoft Update, then Lenovo Updates, then any other hardware manufacturer's driver updates, then the Flash update utility, then the Adobe Reader update utility, and so on.. and so on..

On the Linux based OS side;

- peer review is the norm due to the open source nature of development

- as mentioned above, security by design inherited from its roots as a networked multi-user OS

It's not all roses and sunshine for Linux based distributions as the article does point towards weak configurations as something to watch for.

Now, outside of the article: if a graphics library has a vulnerability, it's still going to be running at the user's privilege level on a Linux-based system. I've also not seen a graphics library provide a remote code execution vuln. On Windows systems, I believe JPG rendering has delivered remote code execution, as has the library that renders animated mouse pointers, because these both get to run in kernel space rather than being separated from the kernel.

Right now, we can also point to DLL-relative vulnerabilities in Windows, including Win7. Microsoft can't fix it without breaking backward compatibility. The official stance is that third-party program developers must go back over all their code and re-write it to use full-path DLL calls; to fix something that is a flaw in the OS itself.

http://www.informationweek.com/news/security/vulnerabilities/228000...

If you prefer Security Now:
http://www.grc.com/sn/sn-263.htm

in short:


So get this. What has been discovered, and a security firm called Acros, it's a Slovenian firm, they disclosed last Thursday that what they call "binary planting," other people call "application DLL load hijacking," they disclosed that this was a flaw in iTunes which Apple had fixed, but that another 40 applications that they had discovered were doing the same thing.


and


Steve: Yes. How friendly. Now, Microsoft has responded. There's a knowledge base article 2264107. So that's support.microsoft.com/kb/2264107. This is one of a number, I mean, Microsoft's scurrying around now. What's interesting is that they have told people they're not going to fix this. They've said something about maybe in a future service pack, but that they're not going to fix this. Now, the problem is they kind of can't because fixing it would mean changing the order in which DLLs are found, which everything is dependent upon.


But if you want the details, here's the first block of text, you can read on from there:


Steve: So, yeah. Once again we're with Microsoft and Windows, not surprisingly. A big new problem that's got the security community buzzing because it's not directly Microsoft's problem, although it relates to the way Windows works. Apple knew about this four months ago, in March. And one of the fixes they made to iTunes fixed it. The problem is that as many as more than 200 Windows apps are implicated in this problem.

So here's the story. In the past there's been various ways of malware exploiting the order in which Windows searches the hard drive for pieces of applications that are loading. For example, certainly, probably all Windows users have seen these DLL files, Dynamic Link Libraries. The idea is that many applications have an executable portion, the so-called EXE, the E-X-E; and then also may have more code that's not in that EXE, but are in DLLs. And when the application runs, Windows looks to see what other DLLs are necessary. Some applications load the DLLs that they need dynamically, thus the word "dynamic link loading." They load them, like, explicitly. If they know they're going to need it, then they'll say, hey, I need the following DLL.

Well, Windows has a sequence that it goes through for searching for the DLL that an application has asked for, when the application uses something called LoadLibrary, which is the function in Windows that applications use, asking Windows to please load this library for them into their application space. Windows looks at the directory from which the application was loaded first. If it's not there, then it looks in the system directory. If not there, it looks in the 16-bit system directory. If not there, in the Windows directory. If not there, in what's called the Current Working Directory, which is sort of like the current path that you're logged into, for example, if you're using a DOS box. And then if still not found, it looks through the path environment variable, which typically has tons of different directories that are enumerated.

So what malware guys have exploited in the past is the idea that, if there was some way for them to get a malicious DLL named the same as a good DLL, and somehow get it in one of those places upstream in that sequence that Windows uses for searching, then they could get their DLL to load first.

Reply Parent Score: 2
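A defender-side model of the search order Gibson describes in the quoted transcript, as an added example that is not part of the thread or the Security Now episode. It resolves each DLL name an application asks for under the legacy order (application directory, system directories, Windows directory, current working directory, PATH) and flags any name that would be pulled from somewhere other than where a full-path load would find it; the directory layout, DLL names and the "untrusted" file share are constructed sample data, and the hardened order is a stand-in for what loading by full path achieves, not a Windows API.

```python
# Added example, not from the thread: a model of the legacy Windows DLL
# search order, used to audit which DLL names an application would pull
# from a location that a full-path load would never consult.
LEGACY_ORDER = ("app_dir", "system_dir", "system16_dir", "windows_dir", "cwd", "path")
# Hardened order: stands in for loading by full path (application directory
# and system directory only), per the "use full path DLL calls" advice above.
HARDENED_ORDER = ("app_dir", "system_dir")

def resolve_dll(name, layout, order):
    """Return (location_label, directory) for the first hit in `order`, or None.
    `layout` maps a location label to a list of (directory, set_of_dll_names)
    pairs; PATH is a list with one entry per directory it enumerates."""
    wanted = name.lower()                      # Windows file names are case-insensitive
    for label in order:
        for directory, files in layout.get(label, ()):
            if wanted in {f.lower() for f in files}:
                return label, directory
    return None

def audit(dll_names, layout, untrusted_dirs):
    """Flag each DLL whose legacy resolution differs from the hardened one or
    lands in a directory the caller marks as writable by untrusted users."""
    findings = {}
    for name in dll_names:
        legacy = resolve_dll(name, layout, LEGACY_ORDER)
        hardened = resolve_dll(name, layout, HARDENED_ORDER)
        if legacy is None:
            findings[name] = "not found"       # the application itself would fail to load it
        elif legacy != hardened or legacy[1] in untrusted_dirs:
            findings[name] = f"loaded from {legacy[0]} ({legacy[1]})"
    return findings

# Constructed layout: the user opened a document from a network share, so
# that share is the current working directory when the application starts.
SAMPLE_LAYOUT = {
    "app_dir":     [(r"C:\Program Files\App", {"app.dll"})],
    "system_dir":  [(r"C:\Windows\System32", {"kernel32.dll", "shell32.dll"})],
    "windows_dir": [(r"C:\Windows", set())],
    "cwd":         [(r"\\fileshare\docs", {"shell32.dll", "helper.dll"})],
    "path":        [(r"C:\Tools", {"helper.dll"}), (r"C:\Python", set())],
}
UNTRUSTED_DIRS = {r"\\fileshare\docs"}

def sample_audit():
    """Audit the DLLs a sample application would request against the layout above."""
    return audit(["app.dll", "shell32.dll", "helper.dll", "missing.dll"],
                 SAMPLE_LAYOUT, UNTRUSTED_DIRS)
```

Only `helper.dll` is flagged: `shell32.dll` is also planted on the share, but the system directory sits ahead of the working directory in the order, so the planted copy is never reached.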

Vanders Member since:
2005-07-06

You need SELinux to come even somewhat close to the kind of fine-grained control NT allows, and then SELinux is a complicated mess.


Sadly, this. In all my years as a Linux Sysadmin, I've only ever been able to figure out one command for SELinux: setenforce permissive. Bah.

Reply Parent Score: 4

Nth_Man Member since:
2010-05-16

Supposing that you really need ACL (I've never needed them), you can see:
http://www.tuxradar.com/answers/644

Reply Parent Score: 2