Forwarding Address: OS X

Thursday, March 24, 2005

Mac fanatics: right or wrong?

Recently I read an article about a Symantec report suggesting that OS X will be prone to more attacks from malware authors in the future. "No big news there", I thought. At least I thought that until I read the follow-up article that suggested some Mac fans were personally incensed by this suggestion. "Strange that", thought I.

So over on my personal blog (forgive me this indulgence) I wrote this musing on this issue annd was going to leave it at that but then I realized that a) I don't allow comments on my blog so no one would be able to refute me, b) I was truly curious what other Mac users really think about this, outside the confines of a reporter's selective quoting and c) FA OSX is the perfect place for just such a discussion.

My original post in full:
Anyone who knows me knows I love the Mac. Hell, I own six of them. So it pains me when the truly rabid Mac fanatics knee-jerkingly attack anyone who claims the Mac is anything but the second coming of absolute technological perfection. And it's happening again in response to Symantec's assertion that the Mac's growing popularity as a consumer platform will make it an increased target for hackers and malware (OSX 'at risk from attack'):
In its seventh bi-annual Internet Security Threat Report, Symantec said over the past year, security researchers had discovered at least 37 serious vulnerabilities in the Mac OS X system. According to Symantec, as Apple increases its market share ó with new low cost products such as the Mac mini ó its userbase is likely to come under increasing attack.

"Contrary to popular belief, the Macintosh operating system has not always been a safe haven from malicious code," Symantec said. "Out of the public eye for some time, it is now clear that the Mac OS is increasingly becoming a target for the malicious activity that is more commonly associated with Microsoft and various Unix-based operating systems," the report said.

Evidently this position is bringing them heaps of scorn and abuse (Security Outrage at Symantec's OS X claims) as Mac users leap to "protect" their platform with a veritable onslaugh of no-facts:
"What a load of FUD," said one anonymous IT manager. "Anyone with the smallest sense of knowledge about any of these operating systems knows that the biggest issue with Windows security is the basic design flaws that it keeps dragging on from its past eras, to ensure compatibility."

True, and absolutely of no relevance to the Mac. Mac security does not enjoy an inverse relationship to Windows security but I like the deftness with which this poster managed to slip into the Windows bashing.
But any idiot can see that an OS which requires [a] root password before installing any software is inherently going to stop more viruses than an OS like Windows which doesn't. Grow up and quit whining."

Actually this idiot (me) doesn't see that since the default install for OS X gives the initial user Admin privs and plenty can be done to compromise the system with those, including turning it into an open mail relay or ftp server. Granted it's nigh impossible to exploit the OS in this this way automatically but tricking people into installing software is pretty damned trivial.

Extra points for slipping in the unconnected Windows bashing at the end, and a personal insult towards the original article's author.

Here's my take: OS X lacks the inherent design flaws that make Windows so dead easy to compromise, it's true. So does Linux. So what? As the Mac grows in popularity the same script-kiddie tricks that work against Windows won't be usable against the Mac but that doesn't mean that jackasses won't pioneer new and better ways.

This head-in-the-sand superiority isn't protection and doesn't make the platform any safer. To those Mac users who continue to spout it I have two words for you: Maginot Line.

We Mac users are an opinionated and intelligent bunch so please weigh in. What do you think the future of Mac security holds?

16 Comments:

  • As a long-time Mac user, I am concerned that the increasing popularity of OS X will lead to more security issues. However, I think that Symantec may be sounding the alarm a bit prematurely, and the 'form over function' comment probably didn't win any friends among the Mac faithful.

    By Ryan, at 8:18 AM  

  • I'm with you.

    Apple's use of a UNIX base does give it some protection over Windows' "hooks into the system at the expense of security" design. (Which actually is kind of funny, Windows ACLs could provide finer-grained security than OSX, but Microsoft is forced to leave so many holes open in the name of backwards-compatibility...)

    However, if you know OSX's history, it's based on a very old BSD code base, and only recently has the BSD team at apple made any real progress at modernizing kernel internals and the user-space tools that user them. There are plenty of holes and bits that have been fixed over the last 10 years in the other *BSDs that haven't necessarily made it to OSX's codebase. I would not be surprised at all by Symantec's claims.

    By Benjamin Reed, at 8:31 AM  

  • There is a big difference between a remotely compromising the system and a trojan horse. There is no way to design an operating system that is safe from a trojan horse attack.

    Yes, OS X has had and will have security vulnerabilities - some of those may even be able to be exploited remotely. I will remain alert, but I am not greatly concerned and I definitely will not be running out to buy a company's security software based only on their own analysis.

    By Anonymous, at 9:08 AM  

  • Though Iíd probably be considered a fanatic, I definitely agree that MacOS X will be subject to increasing negative pressure from attacks. Itís more secure, but not as secure as it could be.

    Even with incredible security, I can imagine countless user error situations. When my mom is faced with a dialogue to authenticate, she doesnít question it, she just types her password. I donít think thereís any way she could learn enough to be sufficiently aware.

    By Ken, at 9:26 AM  

  • Are there security holes? No doubt.

    Are there viruses? No.

    Are there likely to be viruses? No.

    Is it possible for their to be viruses? Perhaps. But most of the viruses that infect Windows use Outlook Express and/or Internet Explorer security holes.

    Mac doesn't have that to worry about.

    Anti-virus software for OS X remains, at this point, a complete waste of money (unless you reall think that somehow you are going to receive a Windows virus and forward it to someone else, which is highly unlikely).

    The biggest danger remains, as others have said, a trojan horse... something that appears to be something worthwhile that someone downloads and installs and gives their admin password to.

    No OS is, or ever will be, more secure than a user with a password.

    A separate issue is whether or nor Symantec can be trusted as a source of reliable and independent evaluation for security information. I tend to be a bit skeptical when someone with a vested interest comes out with a claim like this.

    Note that they also recently said that Firefox was less secure than IE:

    http://news.google.com/news?q=firefox+explorer+symantec+21-vulnerabilities&scoring=d

    How did they say that? Well they carefully chose a 6 month period where there were "security vulnerabilities" in both, and said that Firefox had more for longer amounts of time. Which was, strictly speaking, true. However, as most people know, not all security issues are created equal. Internet Explorer is so connected with the OS that it can make you vulnerable even if you do not use IE.

    If I were cynical, I might wonder whether Symantec has seen Microsoft incorporate free anti-spyware software into its OS and would like to position itself for a take-over from Microsoft in case they decide to add free anti-virus protection to Windows.

    As I've said before, Windows is inherently insecure with some security added on. OS X is fundamentally secure with some vulnerabilities, but they are not equally as dangerous, nor do I ever think they will be.

    By Timothy Luoma, at 10:15 AM  

  • I don't really see what there is to discuss about this.

    -> Yes, Windows is less secure than MacOS X because Unix was designed for security from the ground up.

    -> Yes, MacOS X, with added popularity, will become more attractive to virus writers. And with most users running as Admin, and with the few security flaws *every* OS has, it's not unlikely that viruses will become more of a problem than they are now. Especially Trojans and others that employ social engineering.

    -> Yes, Windows has made great progress on the security front. But it's still basically insecure with security strapped on top. They'll have to do a lot of work before that changes.

    -> Yes, Symantec has blown this way out of proportion to call attention to its products, and made it sound like there were already a greater number of exploits than before. There aren't, and they've admitted as much. The only viruses available for OS X right now are essentially Macro Viruses from Word and a few proof-of-concepts.

    I really don't see why there's all this hoo-hah. All of what's making people shocked right now was obvious from the moment Apple switched from OS 9 to the Unix-based OS X. It was one of the main complaints people voiced against the move.

    By Uli Kusterer, at 10:47 AM  

  • Symantec got what they wanted: free press.

    By Patrick, at 11:21 AM  

  • Contrary to previous posters I think that Mac OS X's Unix background makes it less secure than it was before (in the OS 9 days).

    I think that in the coming months and years we will see more and more compromised Mac OS X boxes. Not necessarily through virus/trojan-like attacks but through attacks on vulnerabilities in popular *nix utilities. Lots of OS X users use the built-in services like ftp and webservers. Loads use pre-compiled binaries for things like PHP and then install scripts like phpBB/PHPNuke. A vulnerability in Apache or PHP or phpBB is likely to be platform agnostic and can hit Windows, *nix and Mac users alike.

    If you read the latest Apple security bulletins you'll see that there are often patches to things like SSH, Apache, CUPS etc. All stuff that's installed by default and easy to enable (though not enabled by default).

    In addition Apple's insistence on asking for an admin password for pretty much every install means that users are asked so often that they often don't think twice when asked for one.

    Therefore I think that there is no reason for Mac users to be complacent. There haven't been any big outbreaks yet. We still use one of the most secure systems around, but as OS X use grows this will change. While we will never have the amount of viruses and exploits Windows has WE WILL BE ATTACKED, if only as collateral damage through a *nix-utility security issue.

    Security through obscurity doesn't work. It never has and never will. It may hold off things for a while but the outcome is inevitable.
    (Although, to be fair, I don't think Symantec is able to do much about this, as they're pretty much geared towards traditional anti-virus detection and not on tcp/ip based attacks.)

    By Harold Bakker, at 11:36 AM  

  • In my experience with Linux, it was a common rule to only use a root account when it was required to get something done. I think Mac OS X users could benefit from doing the same.

    By Richard Moriarty, at 11:01 AM  

  • PR ploy aside (perhaps it is on the part of Symantec, but do such motives really matter all that much?) the net effect of such things may very well be to elevate the state of security awareness with Mac users.

    The commenters who point out that the need for users entering their user password too often is a very valid one: I've gotten to the point where if I can't readily ascertain why the installer for a piece of software absolutely must have me enter my password for installation, I toss the thing out instead.

    It is a very real danger that users will become complacent about entering thier passwords whenever asked (and given that this is the first line of defence against a trojen, it's an important issue).

    Ultimately my take is this: better users be too paranoid about security than not paranoid enough. We may never end up as fanatical about it as most Linux users are, but we can do a great deal better than most Windows users.

    By Chris, at 11:25 AM  

  • I've got one!!

    I am receiving loads of mail undeliverable transcripts to .mac email addresses similar to mine.

    Can't find discussion online relating to it tho. I'll run some anti-virus stuff when I get home tonight (it's not on this machine.)

    By Anonymous, at 5:53 AM  

  • Great work!
    [url=http://wzfzidfh.com/edgi/keef.html]My homepage[/url] | [url=http://crovklpr.com/ugdz/rhlf.html]Cool site[/url]

    By Anonymous, at 11:19 PM  

  • By Anonymous, at 11:19 PM  

  • Well done!
    http://wzfzidfh.com/edgi/keef.html | http://wvhmfwah.com/mrso/xucc.html

    By Anonymous, at 11:19 PM  

  • credit debt counseling, http://flsr.byu.edu/pictures/temp3/, [url=http://flsr.byu.edu/pictures/temp3/]credit debt counseling[/url]|
    tooth whitening, http://flsr.byu.edu/pictures/temp3/tooth-whitening.html, [url=http://flsr.byu.edu/pictures/temp3/tooth-whitening.html]tooth whitening[/url]|
    tropicana hotel, http://flsr.byu.edu/pictures/temp3/tropicana-hotel.html, [url=http://flsr.byu.edu/pictures/temp3/tropicana-hotel.html]tropicana hotel[/url]|
    football gambling, http://flsr.byu.edu/pictures/temp3/football-gambling.html, [url=http://flsr.byu.edu/pictures/temp3/football-gambling.html]football gambling[/url]|
    culinary college, http://flsr.byu.edu/pictures/temp3/culinary-college.html, [url=http://flsr.byu.edu/pictures/temp3/culinary-college.html]culinary college[/url]|
    card credit debt help self uk, http://flsr.byu.edu/pictures/temp3/card-credit-debt-help-self-uk.html, [url=http://flsr.byu.edu/pictures/temp3/card-credit-debt-help-self-uk.html]card credit debt help self uk[/url]|
    uk home loan house refinance mortgage rates, http://flsr.byu.edu/pictures/temp3/uk-home-loan-house-refinance-mortgage-rates.html, [url=http://flsr.byu.edu/pictures/temp3/uk-home-loan-house-refinance-mortgage-rates.html]uk home loan house refinance mortgage rates[/url]|
    mortgage bridge loan, http://flsr.byu.edu/pictures/temp3/mortgage-bridge-loan.html, [url=http://flsr.byu.edu/pictures/temp3/mortgage-bridge-loan.html]mortgage bridge loan[/url]|
    distance learning mba, http://flsr.byu.edu/pictures/temp3/distance-learning-mba.html, [url=http://flsr.byu.edu/pictures/temp3/distance-learning-mba.html]distance learning mba[/url]|
    college student loan consolidation, http://flsr.byu.edu/pictures/temp3/college-student-loan-consolidation.html, [url=http://flsr.byu.edu/pictures/temp3/college-student-loan-consolidation.html]college student loan consolidation[/url]|
    debt consolidation leads, http://flsr.byu.edu/pictures/temp3/debt-consolidation-leads.html, [url=http://flsr.byu.edu/pictures/temp3/debt-consolidation-leads.html]debt consolidation leads[/url]|
    play roulette, http://flsr.byu.edu/pictures/temp3/play-roulette.html, [url=http://flsr.byu.edu/pictures/temp3/play-roulette.html]play roulette[/url]|
    travelers auto insurance, http://flsr.byu.edu/pictures/temp3/travelers-auto-insurance.html, [url=http://flsr.byu.edu/pictures/temp3/travelers-auto-insurance.html]travelers auto insurance[/url]|
    culinary education, http://flsr.byu.edu/pictures/temp3/culinary-education.html, [url=http://flsr.byu.edu/pictures/temp3/culinary-education.html]culinary education[/url]|
    equifax credit report, http://flsr.byu.edu/pictures/temp3/equifax-credit-report.html, [url=http://flsr.byu.edu/pictures/temp3/equifax-credit-report.html]equifax credit report[/url]|
    small business loan bad credit, http://flsr.byu.edu/pictures/temp3/small-business-loan-bad-credit.html, [url=http://flsr.byu.edu/pictures/temp3/small-business-loan-bad-credit.html]small business loan bad credit[/url]|

    By Anonymous, at 10:49 PM  

  • credit debt counseling, http://flsr.byu.edu/pictures/temp3/, [url=http://flsr.byu.edu/pictures/temp3/]credit debt counseling[/url]|
    tooth whitening, http://flsr.byu.edu/pictures/temp3/tooth-whitening.html, [url=http://flsr.byu.edu/pictures/temp3/tooth-whitening.html]tooth whitening[/url]|
    tropicana hotel, http://flsr.byu.edu/pictures/temp3/tropicana-hotel.html, [url=http://flsr.byu.edu/pictures/temp3/tropicana-hotel.html]tropicana hotel[/url]|
    football gambling, http://flsr.byu.edu/pictures/temp3/football-gambling.html, [url=http://flsr.byu.edu/pictures/temp3/football-gambling.html]football gambling[/url]|
    culinary college, http://flsr.byu.edu/pictures/temp3/culinary-college.html, [url=http://flsr.byu.edu/pictures/temp3/culinary-college.html]culinary college[/url]|
    card credit debt help self uk, http://flsr.byu.edu/pictures/temp3/card-credit-debt-help-self-uk.html, [url=http://flsr.byu.edu/pictures/temp3/card-credit-debt-help-self-uk.html]card credit debt help self uk[/url]|
    uk home loan house refinance mortgage rates, http://flsr.byu.edu/pictures/temp3/uk-home-loan-house-refinance-mortgage-rates.html, [url=http://flsr.byu.edu/pictures/temp3/uk-home-loan-house-refinance-mortgage-rates.html]uk home loan house refinance mortgage rates[/url]|
    mortgage bridge loan, http://flsr.byu.edu/pictures/temp3/mortgage-bridge-loan.html, [url=http://flsr.byu.edu/pictures/temp3/mortgage-bridge-loan.html]mortgage bridge loan[/url]|
    distance learning mba, http://flsr.byu.edu/pictures/temp3/distance-learning-mba.html, [url=http://flsr.byu.edu/pictures/temp3/distance-learning-mba.html]distance learning mba[/url]|
    college student loan consolidation, http://flsr.byu.edu/pictures/temp3/college-student-loan-consolidation.html, [url=http://flsr.byu.edu/pictures/temp3/college-student-loan-consolidation.html]college student loan consolidation[/url]|
    debt consolidation leads, http://flsr.byu.edu/pictures/temp3/debt-consolidation-leads.html, [url=http://flsr.byu.edu/pictures/temp3/debt-consolidation-leads.html]debt consolidation leads[/url]|
    play roulette, http://flsr.byu.edu/pictures/temp3/play-roulette.html, [url=http://flsr.byu.edu/pictures/temp3/play-roulette.html]play roulette[/url]|
    travelers auto insurance, http://flsr.byu.edu/pictures/temp3/travelers-auto-insurance.html, [url=http://flsr.byu.edu/pictures/temp3/travelers-auto-insurance.html]travelers auto insurance[/url]|
    culinary education, http://flsr.byu.edu/pictures/temp3/culinary-education.html, [url=http://flsr.byu.edu/pictures/temp3/culinary-education.html]culinary education[/url]|
    equifax credit report, http://flsr.byu.edu/pictures/temp3/equifax-credit-report.html, [url=http://flsr.byu.edu/pictures/temp3/equifax-credit-report.html]equifax credit report[/url]|
    small business loan bad credit, http://flsr.byu.edu/pictures/temp3/small-business-loan-bad-credit.html, [url=http://flsr.byu.edu/pictures/temp3/small-business-loan-bad-credit.html]small business loan bad credit[/url]|

    By Anonymous, at 3:01 AM  

Post a Comment

<< Home