Secunia said there are potential vulnerabilities in the Mac OS X operating system, first noticed by Tom Ferris. The firm described the holes as ‘highly critical‘, meaning that systems could be compromised if crooks dive in. Secunia said the potential holes are in version 10.4.6, but other versions might be affected too.
This is indeed unfortunate, and as always, I’m sure everyone hopes that these vulnerabilities will be fixed soon.
But please let’s not start another OS X vs. Linux vs. Windows security debate, or how because OS X is gaining popularity more of this kind of thing will start popping up. We all know. There’s no need to state that the sky is blue.
That said, OS X >>> Linux/Windows. 🙂
Because OS X is gaining popularity more of this kind of thing will start popping up.
Also, the sky is blue.
Also, the sky is blue.
I concur. The sky is most definitely blue over here.
“Also, the sky is blue.”
You, obviously, do not live on the Oregon coast. 🙂
“Because OS X is gaining popularity more of this kind of thing will start popping up. ”
Just as Linux.
OSX has sales figures. Linux has hope and dreams.
…and documented installs of tens of thousands of desktops.
Whereas I personally know only exactly 1 (one) person owning a Mac.
“…and documented installs of tens of thousands of desktops.
Whereas I personally know only exactly 1 (one) person owning a Mac.”
Because for sure, you personally know tens of thousands persons owning a Linux Desktop …
Anyway, there is at least one million of Macs sold each quarter (http://www.apple.com/pr/library/2006/jan/18results.html).
So far away your tens of thousands persons you “personally know” owning a linux desktop.
Tens of thousands linux users is what we have in Denmark alone. Not that it counts much compared with the millions of windows users, though.
“Because for sure, you personally know tens of thousands persons owning a Linux Desktop …
Anyway, there is at least one million of Macs sold each quarter (http://www.apple.com/pr/library/2006/jan/18results.html).
So far away your tens of thousands persons you “personally know” owning a linux desktop.”
While I generally agree with you, the numbers can be a little deceiving.
Yes, Apple may sell at least a million macs every quarter, but how many of those macs continue to run OS X and not have their OS replaced with Linux or some other operating system?
documented installs of *Nix versus people who you know that may run OS X……?
I personally know 3 people who have windows installed (my mom & dad, my sister and my neighbour), and over 20 which have a macintosh. Does this mean OS X has ~90 % market share? By your logic it would…..
“Because OS X is gaining popularity more of this kind of thing will start popping up. ”
How is it possible for someone to post something so idiotic???
Forget the stupidity of what you are suggesting, OS X ISN’T getting more popular outside of a few sub-percentage points.
And do you realize that you a claiming that code written over the past decade in OS X is going to MAGICALLY start to developing security problems due to more people using OS X???
Shame on you for littering the Net with stupidity. And shame on you for parroting the Microsoft Security Nightmare Damage Control Meme.
Why Windows is riddled to its very foundation with security problems is utterly manifest compared to OS X, Linux, and other operating systems. And it has absolutely nothing to do with ‘popularity’.
There is a sad and desperate need in the Windows world for OS X to be seen as just riddled to the core with exploits as Windows. I guess after a decade of being the joke of the computing world over security Windows users have developed a bitter desire to lash out with a schoolyard type “You Are Too!!!” respone to computer security.
Emm, in reality, the sky is BLACK. You only see light being refracted through particles in the atmosphere.
Blue light bends more than other colours in the spectrum, so therefore you perceive that the sky is blue.
BTW, there is an interesting twist to this. When the two Mars rovers sent back their first pictures from MArs surface, NASA falsely coloured the sky reddish/pink, from its natural blue, as they believed the general population thought the sky should be red.
In reality, all planetary objects with a dense enough atmosphere will have “blue” skies
Emm….. when in reality, they will all be black
No, in reality, the sky is blue, and you even explained why.
sky |sk?| noun (pl. skies) (often the sky) the region of the atmosphere and outer space seen from the earth
Color my friend is only a sensation in the human brain. The sky or the region of atmosphere and outer space seen from the Earth is mostly black, only light refracted due to the non-uniform optical density (due to different layers of air) appears blue (which covers the entire sky).
Color my friend is only a sensation in the human brain. The sky or the region of atmosphere and outer space seen from the Earth is mostly black, only light refracted due to the non-uniform optical density (due to different layers of air) appears blue (which covers the entire sky).
Wow, such insight. I was wondering, do you have any information on how to “talk to girls”?
Thought not 🙂
If colour is only a sensation in the human brain, and we all have brains, I’d say it’s safe to state that something is a certain colour.
Now you’re getting pedantic solely for the purpose of disagreeing.
I am not sure whether it was here or on slashdot where there was a link to an article showing the various system calls needed to render one html page with an image. Basically, linux required a lot less (compared to XP), and so left fewer possible ‘holes’ in the system.
Now, we all consider OS X a UNIX.. I’d just love to see a similiar diagram for OS X, maybe it is less complicated, more complicated, or similiar to other *NIXs… Maybe such a diagram can give us an idea at the scale of the potential issue (I know this would not consider important things such as the general architecture of the OS, and add-on applications?)
Or, am I missing the point? Because OS X is POSIX compliant (is it?) do the system calls remain the same?
Also, TFA does not suggest what the hole could be, if it is in iLife, etc, the question must be asked… where do we draw the line between the Operating System and the Packaged Operating System?
Actually, it was to serve a web page, using Apache v. IIS.
I am not sure whether it was here or on slashdot where there was a link to an article showing the various system calls needed to render one html page with an image. Basically, linux required a lot less (compared to XP), and so left fewer possible ‘holes’ in the system.
It was here and on Slashdot IIRC.
You’re referring to the number of system calls required to serve up a webpage on the internet; it was a comparison between Apache/Linux (replace Linux with any *NIX as the results will be around the same) and Windows 2003/IIS 6.
The statement made was the fact that when there are more complex moves, there are more likelihood of things going wrong; hence the corner stone of engineering that should always be aheard to; KISS; Keep It Small, Stupid!
Microsoft seems to have this fetish that they should make things more complicated than they need to be, so that they can most about how ‘complex Window is!” and how “difficult it is to get things working!” – its the typical martyr syndrome, the ‘look at me! I suffer! I have to deal with such complex problems!” <– Which they created *snicker*
Has there been anything serious said, and not based on rumors, about Apple dropping the Mach 3 kernel? Since Mac OS X is based on FreeBSD, maybe they should go entirely Free/OpenBSD based, even right down to the kernel. OpenBSD OS with FreeBSD hardware and functionality could really do something for their OS if the guts of the system are a best-of-breed BSD combo kernel OS, would you guys disagree?
Free and Open BSDs are both good, but I’d suggest using [Open]Solaris for a replacement kernel if ever Apple would, for some unknown reason, decide to switch.
No, the best choise is NetBSD. It has already all (or almost all) the Mach’s systems calls Apple needs to “switch” without strong mods to the kernel.
I love Apple, and have only bought their stuff over the years.
But I will not buy another Macintosh or any Apple device for myself, my friends or anyone until Apple has a proven track record of security once again.
These exploits are totally inexcusable. A few is ok because it’s a brand new OS, but now we got over 75 or so and it’s mounting fast just like Windows.
I’m wondering if Steve jobs is making good on this quote:
“If I were running Apple, I would milk the Macintosh for all it’s worth — and get busy on the next great thing. The PC wars are over. Done. Microsoft won a long time ago.”
— Fortune, Feb. 19, 1996
Sorry Steve and the nice folks at Apple, but you’ve pissed me off and it’s my money. I will not pay for a expensive inferior operating system.
Just get it right by Leopard or else.
Dude, it’s time for you to move back to DOS.
As the post right below yours reads, there is ONLY 1 unpached exploit & it happends to be the one on this artical.
Maybe you should invest your money in Microsoft… I hear they started focusing on security a few years ago… Trusted Computing anyone?
Just get it right by Leopard or else.
I’m sure Apple is quaking in their booties, and spending an extra billion on quadruple checking the code in their OS for fear of losing you as a customer, as we all know you are the only thing between profitability and bankruptcy for Apple.
Grow up, and get real. All code bases as complex as OS X (or Linux, Windows, BSD, etc) are going to have vulnerabilities. Get over it.
Oh, and by the way, you aren’t important enough for any company, let alone Apple, to give two little shits about you. Quit being so high on yourself, and quit wasting my bandwidth with your stupid comments.
Just get it right by Leopard or else.
I’m not a big mac fan and have never owned a mac but don’t you think you’re kind a jumping the gun here?
Suppose “exploits” such as these continue on the Mac. What will you do? Move to Windows? Not gonna get safer there. Move to a Linux or another BSD system? Might be worth looking into but their are exploits there as well.
Maybe you should just stick the the command line and use only text based browsers and mail clients. But even then, somebody just might get you.
I wasn’t trying to troll, I have been a Mac user ever since they came out. I currently have over $14 thousand in Apple toys bought over the last few years for myself and friends/family. I’m sure the webmaster of this site can confirm my browser and monitor size (30″)
It really peevees me that I worked hard to convince people Mac’s were better, only to now get this “I thought Mac’s were secure” crapola tossed in my face. I could explain away a few exploits, but now it’s a deluge. I’m mad I got egg on my face and conned by Apple.
Now to those who say all operating systems have exploits, your right. But it’s the amount and frequency that matter.
For instance OS 9 had very few after Apple took corrective action when they first stared appearing. But Mac OS X is supposed to be way more secure, and it’s not. It’s racking up exploits much like Windows is.
I give you these links as evidence
http://www.ciac.org/ciac/bulletinsByType/vndr_apple_bulletins.html
http://www.ciac.org/ciac/bulletinsByType/vndr_ms_bulletins.html
I just want a worry free computing enviroment, not to be glued to the internet trying to stay one step ahead of the bad guys.
That’s why I bought a Mac and have stuck with the company all these years, if they can’t deleiver then I might as well save money and buy a PC.
Dude. Chill. Turn on your “Software Update” in your Preference Panel. If security holes exists; the nice men at Apple will fix them.
OS 9 was “secure” ’cause it had no command line and internally worked bassackwards from any other OS on the planet; and would likely take PPC asm guru to come up with a decent exploit.
When you here of MASS infected OS X systems being taken down; then
b!tch at Apple. Since there are NO ( that’s 0, Z-E-R-O) cases of any users being infected or exploited, I’d say Apple’s track record is still in tact.
They are FAR from perfect and have been a little slow in the past on a security hole or two; but with a track record like they have I suppose it would not be hard to do.
I don’t know what to tell you. Only fanboys ever stated that OSX was perfect or immune to this. Everyone knows such things will happen, and everyone knows that as an OS grows, and its userbase grows the pressures on it grow. It also becomes something more heavily looked at for problems, and those who might use those flaws will be more tempted to act on them. To think anything else is foolish and just a form of denial.
I don’t know how OS9 could be considered solid. It was one of the worst OS ever made. Just about anyone, mac users included would take win95/98 or linux over it. It didn’t need a vulnerability to go down. It was afraid of itself.
That all said. OSX is still the most worry free platform out there. And so far nothing has happened to any level to be truly worried. All these have show is people should once and for all get it out of there heads that Macs are some how immune to this kind of thing. Also it will come down to the users in the end. For apple to make something that will be immune to such things, they would have to create something very user un-freindly. No one wants that, so there will always be a level of risk. Windows world isn’t much different. Many/Most people use it with little issue. Many people use windows with no extra security measures and never have a single issue, they simply don’t use foolish things.
You could cage off the woods to protect people from bears. But then you have ruined the view of the woods and stops you from enjoying it. You could also just let people be aware of the dangers of bears, and at the same time they get to enjoy nature freely with no cage. But if you have people who insist they should be able to walk anywheres in the woods and poke bears with sticks and have no issues, well there is very little you can do for those people.
“…very little you can do for those people.”
Except poor honey on them and release the bears.
Just because a vulnerability exists doesn’t mean anyone is ever going to be affected by it. A vulnerability is not the same thing as a worm or a virus. Just relax. Sounds like you need to lay off the caffeine this weekend.
Troll… I bet this guy doesn’t even own a Mac.
But he succeded at trolling. lol
Mac OS X
Currently, 1 out of 69 Secunia advisories, are marked as “Unpatched” in the Secunia database.
Linux Kernel 2.6.x
Currently, 14 out of 79 Secunia advisories, are marked as “Unpatched” in the Secunia database.
Windows XP Pro
Currently, 27 out of 131 Secunia advisories, are marked as “Unpatched” in the Secunia database.
The Secunia “Mac OS X” exploit list doesn’t count the ones found recently by Tom Ferris.
The “1 out of 69” was like that since the 10.4.6 update.
Flaws in that comparison. For example, Red Hat kernel is heavily patched than the vanilla version therefore the number of advisories differ from distros to distros.
Another flaw is to compare the kernel vs the whole operating system which is pratically misleading. Here is an example of fair comparison with different operating systems:
Mac OS X
Currently, 1 out of 69 Secunia advisories, are marked as “Unpatched” in the Secunia database.
Fedora Core 5 (1 month after release)
Currently, 0 out of 7 Secunia advisories, are marked as “Unpatched” in the Secunia database.
Red Hat Enterprise 4
Currently, 0 out of 166 Secunia advisories, are marked as “Unpatched” in the Secunia database.
Fedora Core 4
Currently, 0 out of 111 Secunia advisories, are marked as “Unpatched” in the Secunia database.
Fedora Core 3
Currently, 0 out of 206 Secunia advisories, are marked as “Unpatched” in the Secunia database.
Ubuntu 5.04
Currently, 0 out of 135 Secunia advisories, are marked as “Unpatched” in the Secunia database.
Windows XP Pro
Currently, 27 out of 131 Secunia advisories, are marked as “Unpatched” in the Secunia database.
These reports are taken on april 22nd, 2006 straight from Secunia website. You will be the judge.
Wow, now if you would proceed and check locality and how critical those advisories are.
Tho more critical, the more worried you get. If they are also remote you should be panicking.
Wow, now if you would proceed and check locality and how critical those advisories are.
You mean like this one?
Linux Kernel Multiple Vulnerabilities
Partial Fix. Secunia Advisory 28 of 33 in 2005
Release Date:
2005-02-16 Secunia Advisory ID:
SA14295 Solution Status:
Partial Fix
Criticality:
Impact:
Unknown
Hijacking
Security Bypass
Exposure of sensitive information
Privilege escalation
DoS
Where:
From remote
Short Description:
Some vulnerabilities have been reported in the Linux kernel. These can be exploited by malicious, local users to gain knowledge of potentially sensitive information, cause a DoS (Denial of Service), or gain escalated privileges, or by malicious people to cause a DoS or bypass certain security restrictions. [Read More]
Here’s the link to the actual page which describes the multiple flaws: http://secunia.com/advisories/19686/
As far as the zip flaw goes, it exists in the BOMArchiveHelper application so if you’re not sure about opening a certain zip file, you can safely open it in the command line.
All the other vulnerabilities are pretty unavoidable though. I suppose to be extra safe, you could use Firefox for web browsing to avoid the HTML exploit.
People shouldn’t get so worked up about this though. It is virtually impossible to create 100% secure code. What matters is Apple’s reaction time in fixing known vulnerabilities.
If I understand correctly, LLVM could prevent a lot of security attacks by creating a sandbox for applications in the way that the Java VM does.
People shouldn’t get so worked up about this though. It is virtually impossible to create 100% secure code. What matters is Apple’s reaction time in fixing known vulnerabilities.
According to the discoverers of the vulnerabities, Apple was notified of
http://www.security-protocols.com/sp-x25-advisory.php
and
http://www.security-protocols.com/sp-x26-advisory.php
in January and February. The remaining four advisories do not list the notificaton dates.
Edited 2006-04-22 08:40
The bulk of the calls are made to other userland frameworks/libraries, not the kernel. Changing the kernel to FreeBSD will probably not fix any of these problems. Unfortunately these userland libraries are deeply embedded into the system (like ReadBMP(), _cg_TIFFSetField()) as they rely on QuickTime’s ability to read different image formats.
Hi everyone…I looked at this with interest and agree with many of the comments above. I run Linux and Windows at home mostly…my brother is a MAC guy. I think that the comment that ALL complex code will have vulnerabilities is correct. If you try hard enough, holes will be found and exploitable.
So…I’m kind of getting to the point in my life where I don’t care about the “wars” about which OS is better than that one or whatever…it’s just in what you want it to do for you…some do things better than others, including security DEPENDING ON THE CONTEXT of the situation. I personally think that given intelligent computing by the user (something that is lacking a lot, addmittedly) that even Windows can be run in a pretty sucure manor. Linux even more so with SELinux or AppArmor in place. The MAC is a pretty well designed system too.
These kinds of things are good in that they increase the awareness that no matter WHAT kind of machine or setting you are in, you can be vulnerable. I would think that this is only the tip of the iceberg in the long run…that there will be many more weaknesses found in Windows, Linux and MAC. We need to learn to be intelligent (not paranoid) and protect our systems in whatever ways are the best for those environments.
I’m not sure if the “I’m Pissed” guy was trolling or not, but his viewpoint was extreme…
At least the MAC’s look pretty while being compromised.
How can a Media Access Control (MAC) look pretty?
Please, basic understand of English 101; the use of all capitals occurs when it is an acronymn; take SUN for example, which stands for Standford UNiversity (where Scott obtained his Economics degree from).
Mac is short for Macintosh; now, one could get anal and demand a fullstop to be put at the end of Mac to signify abrievity, but lets not get too anal.
Good hell… I could hear your anus clentching from here. Do you get upset that UNIX and Unix don’t follow your little acronymn rule?
Seriously,
I knew he was refering to MACintosh’s, I would assume that most people reading his post knew he was referring to MACintosh’s.
It is the small man, with no argument left that starts correcting others english.
Go outside and see the SUN. You are obviously suffering from SAD (seasonal affective disorder) after a long winter.
Or, do you correct the grammar in love letters that women send you…….an obviously good method to continue not getting (insert quip here).
From the article:
“Until the holes are filled in, don’t visit untrusted web sites, or open ZIP archives or images which come flying your way and that look a tad dodgy.”
Gee golly, that sounds like an easy exploit to me. Uh, so AFTER the “vulnerabilities” are fixed, I can go back to using my credit card on untrusted websites and unzipping “dodgy looking” files they “fly my way” all willy nilly?
Edited 2006-04-22 01:38
It was sarcasm.
Let Apple’s actions set the record straight, then we can point back at the victories/failures of their security process and derive conclusions.
Also coffee is a fluid solution.
The amount of and response time to vulnerabilities affects the overall security of an OS. Design of the OS and programming practices may affect the amount of vulnerabilities introduced and the ease to which they are fixed.
Holey Code, Batman!
Seriously. Grow up. All code is crap since it is invented by primates with keyboards. Some just have better bananas and trees.
What!?!?
Some have trees!?!?
I want that too
The recent security vulnerabilities are a marketing ploy, they’re trying to show us their still human. Humans make mistakes.
Edited 2006-04-22 04:18
Or does anyone else think calling something “Critical” or “Highly Critical” without stating if it is locally or remotely exploitable overly vague?
Is it local or remote?
Does it require a less privileged account on the system?
If remote does it impact a “default” install?
Does exploiting require user action (browser etc.)?
There is a light year of difference between local account escalation and a remote vuln in a default running service. I hate how everything is simply lumped into “Critical”.
I should not have to click through 6 links and read the entire fluffed report to get this information.
We have standards for everything else, how hard would it be to break it down into “Critical (status 1)” or “Critical (status 5)” depending on actual potential for exploit?
Edited 2006-04-22 04:51
I presume they’re remote exploits since they involve Safari browsing a dodgy web page.
Did you read the information on the exploits? It was pretty clear.
What’s even funnier is that they are trying to give an excuse for the exploits found. Maybe now that Mac has joined the rest of the OSes we will finally see the fanboys wisen up.
What I do notice:
With OS X it is a sport to find holes in the os in the first place and with Windows it is a sport to exploit holes. It says a lot about users and their (lack of-) respect for the (lack of-) quality of their os.
Edited 2006-04-22 08:08
“OSX has sales figures.”
Doesnt have much market share though.
Considering that Win has a 95% of market, 131 flaw is very small number.
I will have to agree with this one. Everyone knows XP was and sorta is quite security hole-ridden. But the fact is a lot of them are getting fixed. I am not sure but if it is with everyone, but just like an experienced Mac user can make their system quite secure, so can an experienced XP user. I have used both Mac and XP and they are both great in their own right. Mac has the advantage of being based on Unix and all its proven track record whereas XP is written by a company who just wants to make more money and thats their bottomline. Its all about using the tools. OSes are tools for everyone if they stop to think about it. You can make your tools better and Linux provides that quite awsomely with all the package management, reconfigurations, kernel compilations and the fact that the darn code is available for anyone to mess with! That is great!
I have been using XP because I am so used to it, and yes I hate it that it has all these wholes but boy has it improved than when it first came out. And so has Mac. There is no one who will say that the first release of OS X was not without its problems. Same thing with XP. I am just trying to not blindly defend XP but to ptovide a balanced argument I guess. OS X is great but a bit slow for the stuff I need to do, and XP is simple but not in the class OS X is. But there are great 3rd party tools like nLite and so on that allow you total control over XP and that is great IMO. That is the next best thing to be given all the code. Microsoft is trying to patch things as well as they can and I have to say they have done a satisfactory job except for the unpatched vulnerabilities…its as if the whole world knows about these vulnerabilities other than Microsoft!
Basically my advice for those who are so paranoid about their security is to go and use the age olf implements of abacus, paper and pencil. The Roman and Greek civilazations were far more splendid in a way than ours and they did it without computers! Bottomline is there will be vulnerabilities, there will be flaws, there will be companies writing bad code on purpose to eke out more money from support. Software is a man-made construct and as such as it is, its imperfect. Deal with it. There is no one tool for the job.
Mac has the advantage of being based on Unix and all its proven track record whereas XP is written by a company who just wants to make more money and thats their bottomline.
Apple is concerned about making money; thats why they chose not to re-invent the wheel, use a proven concept, and build a great operating system off that; if the technology is out there in source form (Mach/BSD), then why the hell not use that, and lower the costs of development?
Microsoft on the other hand already had a UNIX licence; hell, they sold a UNIX of their own for several years – Xenix, which was based off the AT&T line of UNIX.
Microsoft chose, even with this great basis for a good operating system, to go out and re-invent the wheel, and create their own operating system – NT; the net result is that they isolated themselves from the rest of the technology world; whilst the UNIX companies were learning from security mistakes, improving scalibility, Microsoft was being the proverbial nigel no mate, off with its own marbles, refusing to work with any one.
Here we are now today with the world split into two camps; on one side you have the UNIX world, consisting of the commercial UNIX’s and opensource implementations (BSD/Linux), and on the other side we have the Windows world; a half baked, compatibility riddled, security prone API (win32), running ontop of a NIH (Not Invented Here! – http://en.wikipedia.org/wiki/Not_Invented_Here ) kernel which was developed as nothing more than a multimillion dollar ‘screw you’ to the UNIX world.
Fast foward to today, and with all the millions Microsoft have chucked at the problem, Windows NT still hasn’t distablised the UNIX establishment; they may have forced the UNIX world to lower their prices for hardware and software, but at the same time, companies are still willing to spend a premium for the superior solution.
So, tell them to bring back Xenix.
“Considering that Win has a 95% of market, 131 flaw is very small number.”
These two numbers dont really relate to eachother.