Linked by Thom Holwerda on Fri 20th May 2011 20:37 UTC
Apple I have personally tried to pretty much let the whole MAC Defender trojan thing pass by, since we're not a security website. However, we have an interesting turn of events this week. An article over at Ars Technica quotes several anonymous Apple Store employees as saying that the infection rate of Macs brought into the Apple store has gone up considerably. More interestingly though, Apple's official policy states that Apple Store employees are not allowed to talk about infections to anyone - they're not even allowed to inform Mac owners if they find the infection without the customer's knowledge. Another interesting tidbit: Apple mandates the use of Norton Antivirus on company Macs, according to one Apple Store genius.
Thread beginning with comment 474141
To view parent comment, click here.
To read all comments associated with this story, please click here.
Member since:

Well, the primary point was questioning the claim that Microsoft takes the security of it's end users more seriously than any other comapny. (it was stated definitively too, as in "no other company never ever")

Can you honestly say that with a strait face Thom? Are you suggesting that Microsoft does infact put more effort into delivering a secure OS than any other "company". Default windows puts default OpenBSD to shame maybe?

But, to respond to your question; "where do you people get this stuff" and recognizing that this is not a security website and your not a security expert as you've mentioned in the past.

Filtering out obscurity attributes like popularity and non-tech attributes like user skill level..

Windows7 is an improvement over past Windows distributions, however;

"From day one, the development of the Unix operating system (upon which Linux is based) was premised on the idea that the user should have minimal interaction with the operating system kernel," explained Bob Williams, a security consultant at The Binary Guys. "That is to say that the operating system does not regard the user as a god."

The OS regards every interaction of the user with suspicion. Any flavor of Linux is basically operating on the same idea.

"The development of the Microsoft OS from the earliest DOS system to the present Windows 7 is just the opposite," said Williams. "Even a guest account in Windows is tightly connected to kernel at a very fundamental level. If the guest account is given access to a printer function, for example, the account is given escalated privileges to the kernel."

This is worth considering also:

The biggest security problem with Windows, however, still lies in too few eyes watching for threats -- and way too long a lag in fixing the issues. It can literally take months for Microsoft to address a security issue adequately.

"It cannot be said any more that Windows is a closed source system. It seems as if the folks that investigate and exploit Windows know more about how the code works than Microsoft does," said Williams.

And, the mechanisms to update Windows and Windows based software are still a mess. I have one central mechanism to update my Debian install and third party repositories are easily plugged into that same mechansims. It does not just check for updates from Debian. With Windows, I'm still visiting Microsoft Update, then Lenovo Updates, then any other hardware manufacturers driver updates, then Flash update utility, then Adobe Reader update utility, and so on.. and so on..

On the Linux based OS side;

- peer review is the norm due to the open source nature of development

- as mentioned above, security by design inherited from it's roots as a networked multi-user OS

It's not all roses and sunshine for Linux based distributions as the article does point towards weak configurations as something to watch for.

Now, outside of the article; if a graphic library has a vulnerability it's going to still be running at the user's privileged level on a Linux based system. I've also not seen a graphics library provide a remote code execution vuln. On Windows systems, I believe jpg rendering has delivered remote code execution as has the library that renders animaged mouse pointers because these both get to run in kernel space rather than being seporated from the kernel.

Right now, we can also point to DLL relative vulnerabilities in Windows including Win7. Microsoft can't fix it without breaking backward compatibility. The official stance is that third party program developers must go back over all there code and re-write it to use full path DLL calls; to fix something that is a flaw in the OS itself.

If you prefer Security Now:

in short:

So get this. What has been discovered, and a security firm called Acros, it's a Slovenian firm, they disclosed last Thursday that what they call "binary planting," other people call "application DLL load hijacking," they disclosed that this was a flaw in iTunes which Apple had fixed, but that another 40 applications that they had discovered were doing the same thing.


Steve: Yes. How friendly. Now, Microsoft has responded. There's a knowledge base article 2264107. So that's This is one of a number, I mean, Microsoft's scurrying around now. What's interesting is that they have told people they're not going to fix this. They've said something about maybe in a future service pack, but that they're not going to fix this. Now, the problem is they kind of can't because fixing it would mean changing the order in which DLLs are found, which everything is dependent upon.

But if you want the details, here's the first block of text, you can read on from there:

Steve: So, yeah. Once again we're with Microsoft and Windows, not surprisingly. A big new problem that's got the security community buzzing because it's not directly Microsoft's problem, although it relates to the way Windows works. Apple knew about this four months ago, in March. And one of the fixes they made to iTunes fixed it. The problem is that as many as more than 200 Windows apps are implicated in this problem.

So here's the story. In the past there's been various ways of malware exploiting the order in which Windows searches the hard drive for pieces of applications that are loading. For example, certainly, probably all Windows users have seen these DLL files, Dynamic Link Libraries. The idea is that many applications have an executable portion, the so-called EXE, the E-X-E; and then also may have more code that's not in that EXE, but are in DLLs. And when the application runs, Windows looks to see what other DLLs are necessary. Some applications load the DLLs that they need dynamically, thus the word "dynamic link loading." They load them, like, explicitly. If they know they're going to need it, then they'll say, hey, I need the following DLL.

Well, Windows has a sequence that it goes through for searching for the DLL that an application has asked for, when the application uses something called LoadLibrary, which is the function in Windows that applications use, asking Windows to please load this library for them into their application space. Windows looks at the directory from which the application was loaded first. If it's not there, then it looks in the system directory. If not there, it looks in the 16-bit system directory. If not there, in the Windows directory. If not there, in what's called the Current Working Directory, which is sort of like the current path that you're logged into, for example, if you're using a DOS box. And then if still not found, it looks through the path environment variable, which typically has tons of different directories that are enumerated.

So what malware guys have exploited in the past is the idea that, if there was some way for them to get a malicious DLL named the same as a good DLL, and somehow get it in one of those places upstream in that sequence that Windows uses for searching, then they could get their DLL to load first.

Reply Parent Score: 2