“Just because you use a Macintosh, don’t think you’re any more secure than a Wintel user. A sharp increase in the number of flaws being discovered in Mac OS X suggests that the Apple operating system may soon be every bit as prone to malicious attacks as Windows systems, according to a report from the SANS Institute, a security training and research firm.” This time no MSNBC, boys and girls, this is MacWorld.com. In the meantime, have fun with Apple’s new commercials.
Are pretty cute. Pretty well done, but will they play them over and over on tv until I want Apple to burn in hell for them? I don’t know. We’ll see.
“About 52 vulnerabilities were discovered in Mac OS X in 2005; 17 have been uncovered so far this year…”
“The number of vulnerabilities reported last year was more than twice the number from 2004, when 24 flaws were discovered… Out the flaws uncovered last year and so far in 2006, at least a third were considered critical, Sarwate said. During the past few months, users of Apple’s Safari Web browser also faced their first zero-day attack, which is an attack targeted at unpatched vulnerabilities.”
OMG! The sky is falling!
Seriously… statistally these flaws are not that critical. How many users have been affected? Has a catastrophe occured?
Apple has made a fairly good consciencious effort to fix these flaws, maybe not as speedily as some would like, but they have been, and will continue to improve. Sure, vulnerabilities will be found, and I still can’t eliminate zits 100% but that’s life.
IMHO Jb
Brian Krebs of the Washington Post did a little study about Apple and its security practices, with an emphasis on “time to patch.
http://blog.washingtonpost.com/securityfix/2006/05/a_time_to_patch_…
Everyone and their mom is feeling compelled to tell us that OS X isn’t perfect. It needs to relax a little. Even if it is a perfectly legit claim (and they seem overblown), no one is going to do anything until a major attack occurs.
What would these companies like us to do? Go spend $50 on some anti-virus software for viruses that aren’t there but might be?
Of all the exploits I’ve heard of for OS X, they have all been via Safari. And then, most if not all (memory fails me) have required you to then install whatever it makes you download.
Spare me.
I am sure, the anti-virus motivation does exist. But you also have to agree that to a large extent OS X might not be as secure as you want it to be. While your statement is correct regarding the fact that so far there have been no serious implications of these vulnerabilities, it would be fair to assume that they will become an issue in the future.
Then there is the issue of media coverage and hype. It would be logical to assume a backlash from all the Apple hype going around. You can’t expect to only have good publicity. With frequency of Apple related articles on this site, it’s only fair that we hear about the negative aspects of Apple’s products as well.
…Apple better get their $*%# together really fast because all the bad press is going to nullify all their marketing attempts.
Just think about it, how is it possible that one guy discovers several Mac OS X flaws at one time?
What method has he employed to discover these flaws?
Copy the method or hire the guy.
Apple is too much of a trusting of a company, people in the world are frigging evil. Think like them, “how can somebody fsck my code?”
Take turns fscking each others code. Make it a contest. Something, anything. But stop these exploits or I swear, Apple is finished.
If Apple is taking a page out of Microsoft’s “market share growth through giving IT a job” they better think otherwise, MS already rules that area and there is no room for competition.
I’m no Mac user, but to me it just looks like people are jumping on the bandwagon. There was a time a short while back when a whole slew of people were writing articles about the security of OS X, and how hard it would be to write malware for it. Then eventually, there was an article saying maybe OS X did have vulnerabilities possibly because of its BSD layer. And it seems like since then, it’s just been snowballing, different writers/security sites trying to outdo each other to bring the startling revelation that OS X has security holes. The main thing here is not even about OS X, but how these trends get started in tech writing and then everybody gets onboard if they sense they have an audience. I suppose that’s where Dvorak really fits in. He takes ridiculous shots in the dark, and if he attracts an audience then the tech writers know what to write about next. They NEED OS X to have holes so they have something to write about, because they’re bored with writing about how secure it is.
Edited 2006-05-02 20:55
OS X 10.4 was released in October 2003.
OS X 10.5 was released in April 2005. 10.5 included a dissying pile of updates, both in view and behind the scenes, including stuff like heavy modification to the kernel and support for 64-bit.
In January 2006, OS X became multi-platform.
Meanwhile, aside from some security updates and the like, Microsoft has been selling pretty much the same OS for 4 or 5 years.
Similarly, Safari has been changing rapidly while Internet Explorer has been coasting for ages.
I’m not listing this to make excuses; a vulnerability is a bad thing no matter how it got there. I’m just thinking that it might be wise to wait for Vista to come out before making too many comparisons of the number of vulnerabilities found on the two platforms.
It’s also worth noting that the article doesn’t give much mention to the severity of the vulnerabilities they list. A (admittedly very) quick look through their top 20 list suggests that Windows has still had more critical vulnerabilities found, and it looks like all of the critical vulnerabilities affecting OS X on that list have already been patched. The same doesn’t appear to be true for Windows.
10.4 was released in april 2005…as for 10.5 its release date has not even been announced. We just now they’ll talk about it in June.
Sorry, I meant 10.3 and 10.4.
I’ll put the facts straight:
– How many (non-techie) of my friends have been affected by malware or virii on Windows ? 100%
– How many of the mac users I know (I know quite a few) had those problems? 0.0 as in 0 percent, 0 persons.
Might it come some distant day ? For sure. Has it come? Not yet. So you expect me to buy your crappy anti-virus software? Computer Virii are the new Axis of Evil. The only ones benefiting from the existence of evil are the ones who are dedicated to fighting it.
When I get a dual core mac I am definitely not using the second core to scan for hypothetic virii.
I have to agree with this one. I’ve had my Mac hooked up directly to the internet for months. No viruses, spyware, not even an errent popup. I’ve had my XP machined owned by blaster after just 2 hours connected to the internet.
Yeah, I’m sure you can make XP secure. You run Windows Update and a virus checker and a spyware scanner, etc, and you’ll probably be fine. But frankly, I don’t have the patience for that crap. I can’t deal with the fact that VirusScan always seems to want to eat CPU for lunch when I’m trying to do a Matlab simulation. I can’t deal with the fact that every time I log in to a machine in our computer lab, I have to wait a minute for the virus scanner and spyware scanner. I can’t *stand* Windows update, which requires far more clicking than OS X’s software update (both, of course, pale in comparison to apt-get, but I digress…)
The proof is in the pudding. My mom’s new iMac has been purring along without a single hitch for almost two months That’s way longer than her XP machine ever went without a problem.
Boy, this sure is confusing. Exploits are one thing and viruses are quite another, but the media WANTS these two different things to mix inside a joe’s mind. Even if there’s an exploit that crashes Safari or makes some script run, it doesn’t mean that a virus will appear that’ll spread by itself. I fail to understand how it’s going to infect other Safaris. Anyone out there knows?
These entire articles are beyond a joke, the amount of user interaction needed to exploit these services and the fact that the rest the service is actually disabled by default.
Sure, so Apache might have an exploit, which is fixed pretty quick, but is it turned on by default? No.
SSH has the ‘potential’ to be exploited, but is it turned on by default? No.
No OS is completely secure, but what matters, is how quick it takes for the company to respond to the exploit/vulnerbility.
So instead of having an average patch time of 130 days (Like Microsoft) for a serious flaw, Macs have that turned around in weeks.
The media, as usual, because of the lack of knowledge will get and run stories with complete fud in them, you have to wonder who their ‘sponsors’ or owners are to get these articles on front pages etc.
I’m surprised that this Mac site has taken the bait.
The is a huge difference between bug fixes and exploits compared to Virus’s/Trojans/Malware.
The recent articles saying Leap.A is a virus/Trojan is false, normal people would recognize it as Malware.
There has only been a couple of Virus’s/Trojans, software exploits are inevitable, again, depends on the fix time.
Edited 2006-05-02 22:15
From SANS : “During the past few months, Apple Safari browser users faced their first zero-day attack. A zero-day attack is one that causes damage to users even before the vendor makes a patch available.”
If you do the math you will see that the number zero-day attacks for Safari went from 0 to 1, representing an unprecedented increase of INFINITY %. Frightning isn’t it 😉
Here”s something from the same article to make you feel better : “OS/X still remains safer than Windows, but its reputation for offering a bullet-proof alternative to Windows is in tatters.”
Strange how all the media chose to emphasise the second part of that sentence huh ?
And they fail to explain why one zero-day attack that managed to affect zero users justifies saying that OSX’s reputation is “in tatters?” Even if you wanted to go that direction, you’d still have to say that the problem was in Safari, not OSX. *Every* web browser has vulnerabilities in this way, and this particular one is largely due to an over-permissive default file download setting.
Even if you wanted to go that direction, you’d still have to say that the problem was in Safari, not OSX. *Every* web browser has vulnerabilities in this way, and this particular one is largely due to an over-permissive default file download setting.
See, that’s the kind of denial I think could become a problem for OS X.
I’m not jumping on the bandwagon saying OS X is going to become a sieve when it comes to security, but to say that OS X is secure because a vulnerability affected Safari and was largely due to a permissive default file download setting is, well, dangerous. Particularly when so many Windows vulnerabilities actually reside in IE and are a result of poor permission settings on things like ActiveX controls. Plus, Safari was simply the vector for the attack, not the vulnerability itself (which was actually to do with the way OS X identifies file types), as if often the case with IE.
Put another way, the NT kernel is inherently secure by design. The problem with Windows is the application flaws and default permissions and settings surrounding it.
OS X and it’s BSD underpinnings are inherently secure by design. If anything pokes a hole through that armor, it will most likely be due to application exploits or things like poorly thought out default settings that do it.
The “zero day exploit” may not have actually impacted anybody, but I hope at least it was a wake up call for the team at Apple, and maybe their users as well. You can’t take these things for granted.
I have maintained every since I switched to a Mac 2 1/2 years ago that they were vulnerable. Having restated that I will go on to say that the press seems to be taking great delight in blowing it all out of proportion. At this point a Mac out of the box running OS X is far more secure than a PC out of the box running XP.
What is happening should be viewed as a wake-up call to Mac users. It is time to start learning how to better secure your system. The tools are all there. I do not expect to see a successful major attack on OS X for some time yet. All this situation proves is that Mac users need to be sure they aren’t complacent to the point that they wait for that attack to happen before taking precautions.
Thom, that was unfair! I didn’t want to click on yet another “OS X is not perfect! Ahhh!!!” article in my OS News rss feed, but you ended the summary with “In the meantime, have fun with Apple’s new commercials.”
“Click.” 😉
Am I the only one who saw the ads and found them damn good? Sooo funny
Everyone’s saying recent events are harmless but a big wake up call to mac users … well some “security analyst” has rudely waken me from my afternoon nap and i still don’t see what the fuss is all about. As a user, does it change the way I use my Mac in any way? Not one bit. And I’ll still be safe.
I’m going back to bed.
Sure it sounds like stupid arrogance, but really, what habits do i need to change? Is there some Anna Kounikova mail I should avoid? Is there some special critical update different from my normal updates? Is there a serious need to install some third party firewall or anti virus?
None. I don’t have to do anything different than before, and I’m still safe. Now thats what I call security.
Edited 2006-05-03 04:10
“Sure it sounds like stupid arrogance, but really, what habits do i need to change? Is there some Anna Kounikova mail I should avoid? Is there some special critical update different from my normal updates? Is there a serious need to install some third party firewall or anti virus? ”
In all fairness, if every user utilized his/her common sense, the number of viruses, spyware packages, and adware packages on *any* OS would be very significantly decreased. The fact of the matter is that most users don’t use caution.
Infestations that don’t require any end-user interaction are a different matter; there have been cases in the past where even properly patched Windows machines with conscientious users have been hit en masse. Thankfully, this has not happened in the *nix or Mac world yet, and would be more difficult to implement for the attacker.
The bottom line is that using common sense will protect you from most attacks but not all. Just because there has not yet been an attack on a Mac or *nix vulnerability (that I know of, anyway) that requires no user intervention does not mean that it will not happen. The attitude of “I use a Mac (or *nix) so I am inherently safe” could prospectively turn out to be a very costly one.
Of course Thom jumps up and down in glee whenever he thinks he can somehow slam Apple. Sad really. The MacWorld article was reprinted from Computer World btw. SANs is simply justifying their existence and creating some press by this article which is deeply flawed. I didn’t know Win Amp was on the Mac for exmple. Oh thats right, it isn’t. The plain and obvious fact to anyone but a complete fool is that the Mac is far more secure than Windows and that current exploits are few and not of any consequence. Obviously no OS is invulnerable but all these hsyterical articles are obviously poorly researched because they are jsut an attempt t get some attention. The mere fact that anyone would compare OS X security issues to Windows shows how idiotic they get trying to make a point.
I worked on an OS, bug fixer… if that is all the bugs they have found then OS X is in good shape.
But seriously, they ARE getting fancier with OS X, adding features and fluff here and there. They should probably take a few releases to stabilize the OS once Leopard comes out. They will be so far ahead of Microsoft they can take the time to make the OS as solid as possible.
Did apple learn nothing from the switch campaign? It’s the same stuff all over. I own a mac, but these commercials make me not want to own one. Apple seams to still be trying to sell things as if they are competing against Win95. People don’t have problems with XP. It works. Furthermore, my mac locks up, safari crashes, it’s no better then any XP box I ever had.
And the digital camera support was laughable. The slow support of cameras by apple drives users nuts. If your camera isn’t on “the chosen list”, even if it has the same RAW format as other models. Or the real classics like the canon Rebel XT verses 350D, same camera, different name, but only one was supported, took apple months to fix it.
And in the end, Apple still doesn’t show the OS in the commercial, why do they same afraid to ever show the product, stop trying to be cute and failing, show people what you have. Show them how it actually works better.
Also, don’t go on about iLife, it’s included with a new mac, but it’s not free after that, soon as you upgrade or a new version comes out, you have to pay. So they can’t go comparing it to what windows comes with.
Is apple doomed to repeat themselves with the switch campaign. This sure looks it, it will turn people off more then anything.
People don’t have problems with XP. It works.
BULLSHIT. I don’t know a single person whose XP install “Just Works”. There is always some random glitch, some weird network connection dropping, random reboots, random slowdown, etc.
I’m sure you can get an XP install to a state of “just working”, but your average user doesn’t have that level of knowledge. Your average user bothers people like me to fix their damn computer for them. And you know what? It’s getting really annoying.
hmmm…
there seem to be so much debating on these issues that people start getting overly offensive/defensive to the point where it reminds me of big brothers protecting their younger brothers while at school but beat them up at home… they just do not tell of it…
Why do so many Mac users generally spend soooo much time telling you how no one without a degree in computer science could ever be satisfied owning a PC (which really is not the problem) running Windows (which is the real question/problem) compared to a Mac with OS X??
Many Mac users tend to think that Windows users a dumber people for some outasight reason and that they ‘choose’ the path of vulnerabilities and vira and all the rest of the badness one can arguably predicate the Windows world of.
Many Mac users also tend to see themselves as being immune to anything that might ever be out there of malware and such evil.
This is not going to stay that way just because users keep closing their eyes to threats that might be lurking. However, neither is the case for Windows users. If your OS presents you with security flaws and openings for others to exploit, do not shout to your neighbour that ‘my holes are smaller than yours’ or the likes…
Demand that your software developer in question fixes the problem. After all, if Apple would take themselves seriously not to mention their customers, they would not let it be a question of fewer security holes than Windows but a question of NO secutiy flaws at all!!!
Windows XP DOES work pretty well in many cases, however there IS the virus part that you cannot rule out unless you actively do something about it.
The device driver situation, I would say, is by a far notch better on Windows! Almost anything can be made working, sometimes after a bit of a hazzle but otherwise pretty easily. This is not generally the case when talking 3rd party ‘non Mac’ products… Why do I need to be limited by EyeTV’s drivers only allowing a certain (small) number of tv tuners work? -It’s because none of the vendors themselves bother…
But this is a different story.. but Windows CAN be easy to work with for different reasons than Apple’s products.
Also, why is Apple keeps making fun of the people they want to buy their products? they are effectively trying to tell people they are ‘silly’ not to have bought a Mac in the first case, eventhough it might be for any known or unknown reason?? I would much rather see Apple telling us about the advantages of their products, forgetting every comparison with PC’s and Windows even… Simply focus on their own front yard, Mac OS X and what it offers, mostly importantly HOW it offers it…
And for all you Mac users and your $50 price tags for annti virus software, try out ClamXAV… It is free and might stop you in sending those nasty Windows vira around, eventhough it might not harm your Mac to do so… It’s just common courtesy and kindness to your fellow friend — who is probably running Windows, by the way….
Journalism, the future of hype. Truly, where is this media going, if everybody makes mountains of mole hills. “OMG 0 to 1 Viruses = 100% increase! It’s as bad as Windows”. OS X will never be as bad as Windows.
Many Mac users also tend to see themselves as being immune to anything that might ever be out there of malware and such evil.
I guess it comes down to reported vurnabilities, and number of people actually affected by them. Again, all ports OFF by default, means the mac platform is not an ATTRACTIVE target, because you simply won’t get a large payback from your attack.
I just find it interesting that of all the things that got cut from Vista, the features Bill is copying from Steve stayed. Which seems to translate into: If you want Microsoft to enhance Windows, put the fear of God in them, by buying a Mac, even if it’s not going to be your primary platform. Just give Bill something to worry about….
“Just because you use a Macintosh, don’t think you’re any more secure than a Wintel user.”
That line could have just come out of some MS pr manager’s mouth, or a pro-MS ad, or an anti-Apple ad, etc. These are those types of lines one can hear in washing powder tv ads. And these types of lines are always successfull enough. It doesn’t really matter who’s safer, all it matters is what they can make people believe.
Still, such lines won’t negate the facts about OSX’s current features, XP’s current features, and Vista’s DNF-resembling features. And as always, saying that “their one’s no better than ours” won’t help you in the long term.
Viruses, trojans, etc. are not bound to platforms, architectures or operating systems. Still, the OS’s architectural differences can make a real difference in the types, numbers, harmfullness, propagation of these. And – wierdly (?) – pro-MS articles always fail to mention such topics.