Apple Asks Security Experts To Examine OS X Lion
An anonymous reader writes "For as much as Mac OS X has a reputation for being safer than Windows, security researchers won't hesitate to point out that the opposite is, in fact, true. But Apple's looking to change that. This past Thursday, Apple doled out a beta of OS X Lion to developers. In conjunction with that, Apple is also reaching out to noted security experts and offering them free previews of OS X 10.7 so that they can take a look at Apple's new security measures and reach back to Apple with any thoughts and concerns they might have. Indeed, Apple is becoming a lot more security conscious these days, not only in terms of reaching out to security researchers but also in its personnel hires."
Am I reading this correctly? (Score:4, Insightful)
as much as Mac OS X has a reputation for being safer than Windows, security researchers won't hesitate to point out that the opposite is, in fact, true.
I'm sorry, what? Windows is "safer" than OS X? "In fact"?
Re:Am I reading this correctly? (Score:5, Informative)
http://www.wired.com/gadgetlab/2009/09/security-snow-leopard/ [wired.com]
http://www.tomshardware.com/news/hack-windows-security-snow-leopard,8704.html [tomshardware.com]
Re:Am I reading this correctly? (Score:4, Informative)
Charlie Miller is the kind of fireman who doesn't mind screaming FIRE! in a theater every now and then, just so he can make a point to stress his own relevance extinguishing fires. Every time anything is published on OS X security, this guy is quoted along with some title of some books he wrote. He might know a lot about OS X security and the way you could theoretically exploit it, but that's hardly a measure of how secure OS X is compared to other operating systems.
Every time I read an article that brings up the 'small market share' that makes OS X 'less attractive to malware writers' I know I can safely disregard anything in it. People have been saying this for decades, meanwhile OS X market share has almost quadrupled, many Mac users are the kind of people with disposable income and credit cards, yet *no* viruses *whatsoever* have *ever* managed to successfully exploit Macs. Not a *single* one. No matter how much bigger the Windows market share is, you'd expect at least one or two prolific malware writers to give it a shot, just to make a point, or to make a market out of the 10% of Macs already out there.
Both articles linked are just like that. A summary of security features OS X doesn't have, and/or a list of 'critical security flaws' and how fast they are solved, and a concluding remark that 'OS X users do not have to worry _yet_, because OS X market share is still not high enough for it to be interesting'. We'll talk yet another decade from now and see how many OS X viruses have surfaced in the mean time...
Re:Am I reading this correctly? (Score:5, Informative)
You're joking, right? Apple is historically months behind in patching publicly disclosed vulnerabilities in core libraries they share with other Unix-like systems (Samba and Java are two key examples). Overall code robustness is abysmal in any Apple product I've assessed--they fall over with trivial fuzzing or a few hours of analysis. They're an absolute pain in the ass to deal with when trying to resolve a responsibly reported vulnerability: they often don't seem to have qualified people triaging inbound reports, and when they do finally acknowledge the correct severity of a reported issue it can take years before they finally push out a fix. And to top it all off, their core security counter-measures (e.g. ASLR and NX) are useless as anything more than marketing fluff because they're not implemented consistently.
Seriously, I've been in the security field for almost 15 years and dealt with reporting vulnerabilities to dozens of companies. Microsoft is a pain to deal with because of their compatibility matrices and long release cycles, but they're generally competent. Whereas Apple is just an absolute train-wreck. The only reason every Mac isn't infested with malware is that they're not a big enough chunk of the market for it to be worth the effort. If they ever cross the magic 15% threshold they're in for a very rude awakening.
Re: (Score:2)
Do you really think you are going to get a malware author to comment on why they don't write viruses for Macs?
Re: (Score:2, Funny)
someone refusing to give their opinion on the internet?
Re: (Score:2, Insightful)
And they will still be saying that when/if Mac reaches 49% of the market. "It's less than half of the computers sold, not a big enough target".
Re:Am I reading this correctly? (Score:5, Insightful)
I've been hearing "The only reason every Mac isn't infested with malware is that they're not a big enough chunk of the market for it to be worth the effort." for so many years the effect has worn off. Year after year - You know, it really gets old hearing that excuse. If that really is the case, I hope it continues.
I completely sympathize. I've become tired of the same old excuses why faster-than-light travel isn't possible, just like you and the Apple malware thing. I mean, come on. Why don't they come up with new material?
10% of the personal computing market is Apple. That's it. Now, sure some of the remaining 90% aren't running Windows, but we know that since 2011 is The Year of Linux, the conversion isn't complete, so as of today the majority are.
Some excuses are repeated because they're... valid.
Re: (Score:2)
Watch out. Just a few years ago you would have said "5% of the personal computing market is Apple."
market share (Score:5, Insightful)
There are automated, automatically propagating exploits for obscure BBS systems, for IIS back when it was a tiny sliver of the web server market, for data base systems installed on a tiny fraction of web servers, in numbers utterly dwarfed by the installations of a single model of MacBook Pro.
What's it gonna take for y'all to give up on the "market share" ghost?
Mod parent (Score:4, Informative)
True.
IIS and SQL Server injections were on the rise when Solaris was still king of the internet server market a decade ago. Windows Server back then was not the dominant player yet had most of the backdoors. The reason Windows has more viruses and trojans is due to ActiveX and shoddy design for IE and Windows. Not because it was the dominant client operating system.
I would mod you up if I had points. I have been refuting this until I am blue in the face.
It has nothing to do with popularity. Fact is in 1999 all you had to do was write a few lines of code in C++ to delete a partition and put it in an OCX container for ActiveX and voila! Anyone visiting your site lost their hard drive! Yes, security was that bad in the 1990s with Windows.
A developer's perspective (Score:2)
Look at the development tools. On Windows, you have Visual Studio which makes writing exploits rather easy. It can show you a memory dump of any address, help you debug programs with a very easy UI, and Microsoft is kind enough to provide Detours to let you hook functions in system libraries.
On the Mac? Honestly, you have to admit that Xcode and other development tools are much less robust than Microsoft's. You'd have to work a lot harder to create malware.
Re: (Score:2)
This is nothing special, I can do the same with GDB (or rather, DDD.) And GDB/DDD will work on (indeed, come with) OS X.
Re:Am I reading this correctly? (Score:5, Funny)
No kidding. I use Plan 9, and I have never gotten malware. Definitely it's due to its better security architecture.
Re:Am I reading this correctly? (Score:5, Insightful)
Apple is historically months behind in patching publicly disclosed vulnerabilities in core libraries they share with other Unix-like systems (Samba and Java are two key examples).
This is interesting because as of Lion, Apple isn't maintaining a JVM. Samba isn't even running by default. That doesn't mean it isn't an issue, but it also doesn't mean OS X is particularly vulnerable as a desktop as a result. The small number of exposed services makes many of those potential vulnerabilities fairly moot. Add onto that the default sandboxing for some services and the increased use in the next version, probably has a lot more real world impact than rate of updating libraries that are not exposed on the majority of users' systems. For example, the zeroconf daemon exploits a few years ago were problematic on numerous OS's but were completely ineffective against OS X because of the MAC sandboxing.
Overall code robustness is abysmal in any Apple product I've assessed--they fall over with trivial fuzzing or a few hours of analysis.
It seems like some Apple products are really hit and miss in this regard. Some of the developers are very security conscious and some seem to give little or no thought to security at all.
They're an absolute pain in the ass to deal with when trying to resolve a responsibly reported vulnerability: they often don't seem to have qualified people triaging inbound reports, and when they do finally acknowledge the correct severity of a reported issue it can take years before they finally push out a fix.
That has not been my experience. My former company submitted a small number of vulnerabilities to Apple through the public facing bug report system, and they were reasonably responsive, replying within a week or two and doing a good job of crediting us with the fix in the next security patch.
And to top it all off, their core security counter-measures (e.g. ASLR and NX) are useless as anything more than marketing fluff because they're not implemented consistently.
Their NX is well implemented from my understanding. Did you have a specific complaint about it? ASLR is only applied to libraries, but is applied widely in Lion. The sandboxing is well implemented but not ubiquitous and is more widely applied to userspace apps in Lion (we'll see how far). The malware detection is half assed and I've heard nothing about improvements in Lion. But it sounds like most of your complaints in this regard are already on the table in Lion.
The only reason every Mac isn't infested with malware is that they're not a big enough chunk of the market for it to be worth the effort.
You are way, way, way oversimplifying. Their market share is plenty to be attractive. Not having to fight other bot operators over the Mac market share would be very profitable. There are worms now with dozens of different Windows attacks fighting over the small share of vulnerable Windows systems, adding Macs to that would be a considerable increase. Also, if you work in network security you are no doubt aware of the trend towards malware that mines data such as account info and credit card and bank account info. Macs would be a goldmine in that regard. Rather, I think OS X's lack of exploitation has to do with good choices for default services, some sandboxing, lack of malware author familiarity with non-Windows development, and failure to properly create multi-vector worms that contain OS X attacks in conjunction with Windows attacks. Market share alone does not explain what we see in the wild.
If they ever cross the magic 15% threshold they're in for a very rude awakening.
People said the same thing with 5% and 10%. Part of the joy of arbitrary goalposts in internet forums is the lack of accountability. They're so easy to shift over time... unless, of course, you have specific reasons and data to suggest why 15% would be the specific number we need to consider.
Re: (Score:2)
Like everyone you mix up market share with install base. ....
Who cares how many "computers" a company is selling per year? Only investors
The install base of Macs is likely around 30% in 1st world countries.
The Mac is per definition more secure, despite of your good points, as a user is not ru
Re: (Score:3)
See also, Pwn2Own results.
...all from one guy (Charlie Miller), who does nothing much beyond his level best to hunt down any vuln in OSX, and only manages to do it with semi-local machine access.
Doesn't quite jibe with the real world, where you only find the odd and rather blatant trojan for OSX (and trust me - if you get infected by one of those, you're also likely the type to give your bank account number to guys in Nigeria...)
Re: (Score:2)
Baloney, Apple had ACL and Code signing, memory randomization, and disk encryption long before Windows rolled theirs out.
Not true for "ACL", if by that you mean "supporting ACLs on files"; NT had that in NTFS since Day One, OS X picked it up later (it originally just had the UNIX permission-bits model - ACLs showed up in either Tiger or Leopard, I forget which). I can't speak for the others, as I don't know when they showed up in Windows, but I'd still not assume OS X had them first.
Re: (Score:2)
Windows picked up OS-integrated file-level encryption with EFS in Win2k, and volume-level encryption with Bitlocker in Vista. I don't think OSX does full volume level stuff to this day; but 10.3 and later supported using encrypted disk images for user home directories. There isn't really a 1 to 1 equivalence between the two a
Re:Am I reading this correctly? (Score:5, Informative)
as much as Mac OS X has a reputation for being safer than Windows, security researchers won't hesitate to point out that the opposite is, in fact, true.
I'm sorry, what? Windows is "safer" than OS X? "In fact"?
Every single year, OSX loses the Pwn2Own competition first. Windows and Linux always go down on the same day. No matter what version has been current, OSX has always been less secure than Windows when both are up to date on patches. If Apple changes its security culture, it could mean big things for Apple in corporate environments.
Re:Am I reading this correctly? (Score:5, Insightful)
If Apple changes its security culture, it could mean big things for Apple in corporate environments.
I don't think I'll live to see the day that I hear, "Nobody ever got fired for buying Apple," like I've heard for both IBM and Microsoft.
Corporations buy the OS that the applications run on. Period. Security will forever be a redheaded stepchild.
Re: (Score:3)
"You're fired."
Re: (Score:3)
Apple is making serious inroads in healthcare largely on the strength of its appeal to tech-savvy doctors and researchers and the clout they have in affecting purchasing decisions.
Not really. What you are seeing is people bringing in MacPros to run legacy hospital software under Parallels or some other similar system. Nobody is buying large volumes of Macs nor are they using Macs for servers. The iPad might change that - the healthcare industry has been trying to find a decent tablet since Moses dropped his and the battery life / size / simple UI are really appealing. But Apple doesn't really seem to want to go play with the big boys, nor are there big system integrators nuzzling
Re: (Score:3, Interesting)
Every single year, OSX loses the Pwn2Own competition first.
Could just be that the hackers want the mac the most ;-)
Re: (Score:3)
...err, "hacker", singular. Charlie Miller.
Re: (Score:2, Insightful)
Pwn2Own has never been about "which is more secure". It's *always* been about glory and headlines. It's also been said at least twice (2009 and 2010) that a primary motivation for hacking the Macbook was because it was considered more valuable.
Want to see which is the most secure OS? Hook a Win 7, OS X, and standard Linux install (let's say Ubuntu) up to an unfiltered network port and see which drops first.
Re: (Score:2)
Pwn2Own has never been about "which is more secure". It's *always* been about glory and headlines. It's also been said at least twice (2009 and 2010) that a primary motivation for hacking the Macbook was because it was considered more valuable.
Citation needed, I've read interviews of these people on many occasions and have never heard that.
Want to see which is the most secure OS? Hook a Win 7, OS X, and standard Linux install (let's say Ubuntu) up to an unfiltered network port and see which drops first.
Probably none will; remotely exploitable holes in a default install (requiring no user interaction) are practically nonexistent due to inbound firewalls.
Re:Am I reading this correctly? (Score:4, Interesting)
You mean, once the contest enters the phase where you can run a program remotely, people attack the Mac first, because they want to win the Mac, and Windows and Linux are successfully attacked minutes later.
Re:Am I reading this correctly? (Score:5, Informative)
You mean, once the contest enters the phase where you can run a program remotely, people attack the Mac first, because they want to win the Mac, and Windows and Linux are successfully attacked minutes later.
No, he means exactly what he said. OSX is less secure than Windows. Charlie Miller (the guy who takes down the Macs first) has mentioned this in an interview here [threatpost.com]. While Apple has improved their security, they are still behind Windows.
Many pundits have made a lot of the fact that the Mac was the first to be exploited in the Pwn2Own contest. Was the choice of the Mac as the first target because the hardware/operating system combo was more desirable as a prize than the commodity Windows laptops of the other competitors? Or was it just because Macintosh exploits occur with much less frequency than Windows exploits and would therefore be more newsworthy?
So until this year, applications on Apple were way easier to exploit than Windows. This is because Apple had weak ASLR and no DEP while Windows had full ASLR and DEP. This year, Snow Leopard has DEP, so it's no longer trivial to exploit. In fact, I have lots of bugs in Safari that I easily could have exploited on Leopard but will be very difficult on Snow Leopard. So it used to be that it was much worse, but now it's mostly comparable (although still slightly behind)
Re: (Score:2)
You missed the last part of Charlie Miller's answer to the question about security on Apple about how it compares to Windows.
now it's mostly comparable (although still slightly behind).
That means that OSX security is mostly comparable but still slightly behind, i.e. not as good/less secure.
Re: (Score:2, Insightful)
I'm telling you, no matter what Charlie says, and no matter what the theory behind which is more secure or not is, the 100% truth is that Macs are significantly more secure in practice, which is all that matters for the user.
Re:Am I reading this correctly? (Score:4, Insightful)
Look Node, you can tell me what you wish and believe whatever you wish. The facts have shown the opposite of what you wish to believe here. They showed that Macs are less secure, with showing how they are less secure and you are more than welcome to try to rephrase, alter and/or change anything you wish but it won't change the facts that have been laid bare before you.
As I mentioned in my other post, if you wish to still state otherwise, please show something to back it up. Your answers to every post have been your own claims with nothing to back it up, which amounts to nothing when compared to the facts. If you wish for me to take you seriously, you'll have something to back it up that is a creditable source (no random posts of someone making random claims). I've shown Charlie Miller who has a track record of 3 years showing the weakness of the Mac OS and his experience of this as my facts, I should be able to honestly expect something along these lines from you if you are correct in your statements about the Mac OS's security. If the Mac OS is as secure as you are claiming, then you should be able to find many, MANY security-backgrounded people who will agree with you.
Re: (Score:2)
Your first post claimed that people attacked the Mac first due to the fact that they wanted to win the Mac. Charlie Miller stated that he attacked the Mac because Apple is an easier target, which does dispute exactly what you wrote. He doesn't attack it because he wants to win the Mac, it's just the easier target due to its weaker security.
Re: (Score:2)
They all fall within minutes of each other. It's not like he hacks it in real time. You prepare your payload, then deploy it during the competition. That's why the Macs fall first, because people attack it first.
Re: (Score:3)
Sure, if this is what you wish to believe. I've shown you the facts and even gave you the links from the man's mouth about why they really do fall first (being that they are the easiest target). You have tried to re-phrase and alter your answer but it doesn't change the reality. It's not because people attack it first, it's due to the fact they are the easiest target. You can reply to this claiming something else that's just a slightly altered answer yet again, it won't change the truth.
If you do wish to claim
Re:Am I reading this correctly? (Score:5, Insightful)
So it may be less secure. That doesn't mean that it isn't safer. If I had an unlocked house in the middle of the countryside with no one else around, I'd be safe, but not secure. If I had an apartment in the ghetto with bars on the windows and locks on the doors, I'd be secure, but hardly safe. Granted, the situations aren't that extreme here, but it bugs me when people conflate the two. While I don't believe that security through obscurity is solely responsible for the general lack of Mac malware, there definitely are less people making an effort at exploiting it compared to Windows.
Re: (Score:2)
Windows and Linux always go down on the same day.
That's strange since Linux has never been a target at Pwn2Own...
Re: (Score:2)
OK, I'll bite. What does Apple have to do to "change their security culture"?
Use POSIX-standards of security and auditing? Check.
Have noted security experts examine their OS before it's released? Yeah, that's TFA.
What is missing?
Re: (Score:2)
I think it is a lot about the arrogance set by fanboys etc.
Re: (Score:2)
I don't know much about Apple's "security culture," but since you're asking what's missing from your list, the missing piece would be acting upon the information they receive and releasing security patches on a timely basis.
Re: (Score:2)
I don't know much about Apple's "security culture," but since you're asking what's missing from your list, the missing piece would be acting upon the information they receive and releasing security patches on a timely basis.
This is Apple's Achilles' heel, and what they're working to resolve. Look at the recent high profile security hires and it should be rather apparent they at least have a few dedicated people on it these days, when before they would just set a keyboard in a monkey's cage and wait for him to pound in a fix.
Re: (Score:2)
OS X doesn't fail. It is either Java or Flash that gets the system in trouble.
You may have noticed that the Pwn2Own contest is run against stock systems.
Now that Flash and Java are not on the system when it ships, let's see who fails first.
And just as a side note the person who crashes OS X first is an Apple hater.
If he was a Windows hater I wonder which system would go down first......
Even with that OS X passes the first day of testing. So does Windows.
It is only when they can get to the keyboard and send
No it won't (Score:5, Informative)
Apple's problem in corporate environments is their complete and utter lack of understanding and support of a real enterprise. They want to play make believe at enterprise support but they don't take it seriously. It is a disaster and only getting worse. We've been looking at integrating Macs into a lab (and we are going to) but will need 3rd party software to make it work well.
Some big noteworthy things they've done recently are discontinue servers and screw over virtualization. So you can't buy a blade server, the most popular kind of server, for Macs anymore. You can buy a Mac mini, an overpriced tiny little desktop thing ($1000 for a Core 2 Duo server box) and use that, or you can buy a Mac Pro tower. That's it. No rack servers. Ya that is real enterprise support.
In terms of virtualization VMWare fully supports OS-X server, client tools and all... However Apple won't license it to run on anything but Mac hardware. So if you want Mac VM servers you have to buy a Mac Pro tower and find a place to put that, then get VMWare Fusion on it, which is a desktop solution, not a server one, then virtualize OS-X server on that. That Big rack of high availability, bare-metal ESXi servers that you run Windows, Linux, etc on? Nope, fuck you can't run OS-X on it because Apple says so.
Apple will never get big in corporate environments until they get real with enterprise support. Not half assed solutions, real support.
Re: (Score:2)
Also, one competition, especially one with such prizes as the actual computer being targeted, is hardly a measure of overall security and system design.
This is just one competition where the key is to crack something quickly so you can have a prize. This is hardly the defining mark of a platform's security, only one minor measure. People act as though it's the end-all benchmark of security. It's not, and I don't believe that anyone involved in the competition would agree that it is.
Re:Am I reading this correctly? (Score:4, Informative)
From the Charlie Miller interview mentioned elsewhere in this thread...
Another question from the Twittersphere: What OS/browser pairing do you use? Do you do anything special (beyond default settings) to secure yourself while browsing?
You're not trying to pwn me are you??? Have you ever heard the saying about the cobbler's kids not having shoes? That's me, I'm afraid. I use Safari on OSX with no special settings. This isn't the most secure combination, by any stretch of the imagination, but I like it. It's designed by Apple engineers to be easy to use and 'just work' and it does. The risk of malware is low, and hey, I'm a security expert right :) The risk of a targeted attack is real, except I don't think I'm important enough to be targeted! So I rely on security by obscurity, I guess
Re: (Score:2)
Of course it is; look at how many patches Microsoft releases to improve Windows security. If Apple were better at their job they would release more patches, would they not? Obviously if Apple isn't constantly in firefight modes releasing patches, they're just being lazy. ;)
Re: (Score:2)
I agree. Citation needed, Bill. Citation needed.
Re:Am I reading this correctly? (Score:5, Insightful)
Yeah, it is fucking ridiculous.
Windows is a tire fire of botnets and viruses. There are banks who give free iPads to their high value transaction customers so their money transfers don't end up in a malware author's account.
Charlie Miller, the guy who wins the Mac every year at Pwn2Own, recommends users buy Macs and refuse to install FlashPlayer if they want to be as safe as possible. Just the fact that Mac OS X no longer comes with FlashPlayer and Java reduces the attack surface.
I mean, just Unix and Software Update alone are better advantages than anything Windows has. It doesn't matter that Windows 7 has some tricks the Mac doesn't have when Windows 7 runs 80% of XP malware.
I have friends who take their Windows machine in twice a year to get malware cleaned off it. How can that possibly be safer than a platform that has no viruses?
And 90% of Mac users are using the latest version and receive patches automatically from Apple within a week. More than half of Windows users are on XP. It is pathetic.
> Apple is historically months
> behind in patching publicly
> disclosed vulnerabilities
> in core libraries they share
> with other Unix-like systems
First, we're talking about fucking Windows, not other Unix.
Apple is slower in deploying a patch than other Unix because it has to work for non-technical users, but then the patch goes out to 90% of the community within a week via their automatic Software Update system, and almost the entire 100% within a month. That removes the incentive to create a commercial exploit. There just aren't going to be enough users to exploit. On Windows, most machines are not up to date on their patches. It's results that matter — % of platform patched, value of exploits lowered — not just how fast you create a patch.
> Java
Mac OS X Lion does not ship with Java, and the Java that runs on it is made by Oracle.
Are you saying you recommend Windows over Mac to a non-technical user?
Even recommending another Unix to a Mac user is ridiculous, because they are not going to know how to patch it.
Really, the nerd-blindness in your comment is disheartening. Be practical.
What an honor to work for free (Score:2)
How about paying reputable security researchers (or testers) to evaluate the software?
Re:What an honor to work for free (Score:4, Informative)
They want the benefits of open source mentality without having to give back.
Umm, most all of their security frameworks are open source. The MAC framework was based on the TrustedBSD variant of the same, and although not required by the license, Apple has continued to keep their fork open source. They are giving back the source to tons of code. They are, in fact, a huge OSS contributor. For example, Webkit2, incorporating protected memory threads into Webkit directly is open source and written by Apple. Google wrote similar software, but kept it out of Webkit so that other Webkit based browsers did not automatically gain the same security/stability benefits as Chrome. It is a serious security improvement, Apple wrote it, and contributed it, and the OSS community is incorporating it to the benefit of all.
Click Here to Install Silverlight! (Score:2)
Click Here to Install Silverlight!
So? (Score:2)
Someone doesn't want to wait until the next Pwn2Own?
Enough with the felidae names already! (Score:2)
They should take a hint from Ubuntu. Their names always raise some complaint, but they are funny, intriguing and more importantly they sound like new stuff. Cat ++; is meh.
One Big Security Improvement In Lion (Score:2, Informative)
OpenJDK (Score:3)
Actual Security Conversation (Score:5, Informative)
It is disappointing to see the comments thus far have not bothered to mention what potential security improvements are likely to be in the final version of Lion and how effective they might be. So far the ones I've heard mentioned include:
I'm sure in more security oriented forums there will be some good analysis of these new features, how well implemented they are, and how effective they are likely to be. The Mac App Store offers some potential security improvements by standardizing application updates and pushing them out more quickly and widely and hopefully encouraging developers to make more use of security frameworks already present. Personally, I think the sandboxing combined with the Mac App Store could be a huge boon to security if Apple can get enough developers on board, but I'm not sure if Apple will go that route. Hopefully feedback from experts will help push them in that direction.
Metric that counts (Score:5, Insightful)
Here's the only metric that really counts in my book.
If you've ever done desktop support for your friends and family, count up the times you've had to go in and clean up a rooted, malware-laden mess on Windows, either by running a full, time-consuming, malware scan and removal, or just doing a reformat and reinstall. Now do the same thing for your OS X user friends. Adjust for market share and compare the numbers.
Yeah, brb, going over to friend's house for free beer after I fix his Windows infection.
Re: (Score:2)
Server versions of OS X come with ClamAV pre-installed....
Re: (Score:3, Insightful)
I'm certain they have their own internal security experts, but if they were going to reach out to outside experts, they should have done it a lot sooner.
Mac OS X Lion was only released to developers this last Thursday. [macrumors.com] Bringing in security people to look at it earlier than that would require putting them under NDAs, which makes them effectively insiders and defeats the purpose of getting outsiders to look at it (i.e. peer review and sharing research results with other researchers).
I know that Slashdotters assert Apple as evil, but good grief, rein in the jingoism, please.
Re: (Score:2)
I know that Slashdotters assert Apple as evil, but good grief, rein in the jingoism, please.
I think it's more about loving to hate. If you read the book first, you'll insist it is better than the movie. So if you already love Windows, you'll hate anything else. I never loved Windows, so I love everything and anything else. Any security expert that claims Windows is secure OTB has self-interest in non-security experts using Windows: i.e. it keeps them employed. This thing Apple is doing is likely the first time evar that any security expert made money with OS X concerning security. Counter examples
Re: (Score:2)
Windows is really easy to lock down and control from a central location in a corporate environment.
I can't even imagine what deploying and maintaining 1000+ macs would be like.
Re:The opposite??? (Score:5, Informative)
Re: (Score:2)
Easy, get OS X Server, make a standard disk image and either use NetBoot or have them reimaged regularly. Not that hard, there are numerous mailing lists and Howtos for it.
Re:The opposite??? (Score:5, Insightful)
Work in a place with 1500+ Macs and it's hell
Work in a place with 1500+ Mac users and it's hell. There, fixed that for you.
Re: (Score:2)
Work in a place with 1500+ Macs and it's hell
Care to explain what makes it hell? I'm genuinely curious.
Re: (Score:2)
Re: (Score:2)
A great deal of these 'vulnerabilities' in OS X are from open source software projects which release the advisories.
I guess you haven't seen any security updates from Ubuntu/Red Hat or any other UNIX before, have you?
When you release a UNIX distro with a ton of software using many different packages, frameworks and programmers with varying levels of appetite for security completeness, you are going to run into a myriad of issues.
MS also have their issues, but you can't compare apples with oranges.
Re:The opposite??? (Score:5, Interesting)
No, it isn't FUD. Do some research online; just about every hacking contest sees OS X go down in a ball of flames in minutes.
Yes, minutes... After the contest enters the phase where you can load files remotely. And minutes later, Windows and Linux go down (everyone attacks the Mac first, because pwn2own means you get to keep the computer you pwn, and everyone wants the Mac).
Just about every patch cycle from Apple sees more security vulnerability patches than are found in all MS products combined in a year.
Not remotely true. However, it is true that in pure numbers, Apple patches more vulnerabilities than MS. These are primarily in Open Source products included with Mac OS X, and this is seen as a strength, not a weakness. Also, Mac OS X patches tend to be local vulnerabilities, while Windows patches are far more often remote vulnerabilities, which are significantly more critical.
Many security researchers have been pointing out Apple's lax security practices for a long time
Yet somehow the sky has never fallen. It's possible that Mac OS X is theoretically less secure than Windows, but it's absolutely certain that Mac OS X is, in actual real world usage, significantly more secure than Windows. Hands down, no-contest.
Pwn2own and "patches per year" are interesting metrics, but the only thing that matters is whether a user has to worry about their computer being compromised, and Mac users don't, Windows users do. It's as simple as that. Everything else is academic and hand-waving side-stepping of the actual issue.
Seems they might finally be getting the message now that their share of the pie is significant enough to warrant it being an issue.
Apple has had sufficient market share since the beginning of consumer viruses and malware. There were plenty of Mac viruses back when their market share was far lower than it is now. It's absurd to claim that there are essentially zero malware for Macs because of market share, when their market share is large enough for thriving third-party software and hardware. Market share plays a role, but is not *the* primary reason.
What this indicates is that Apple is being proactive in making sure Macs remain as secure as they are today, and not resting on their laurels.
Re: (Score:3)
Question is... are there any restrictions on what the "security experts" can report? Is this a way to legally limit what they are allowed to say... in exchange for preview copies they sign a nondisclosure agreement to only report the issues to Apple? It seems that if Apple was really serious about security they would allow the experts (and others) to have access to the source code.
Doesn't surprise me (Score:2)
It took them 8 months to fix a 10.6 simple kernel privilege escalation exploit I submitted to their security team last year.
It's x86-specific; otherwise, I would've sent it to the iPhone jailbreak hackers instead of Apple.
Re: (Score:3)
The statistics bear this out. 2003-2011, Mac OSX had 2.6x as many vulnerabilities as Windows 7. Plus a higher percentage were serious vulnerabilities.
http://secunia.com/advisories/product/27467/?task=statistics [secunia.com]
http://secunia.com/advisories/product/96/?task=statistics [secunia.com]
Re:The opposite??? (Score:4, Informative)
http://en.wikipedia.org/wiki/Pwn2Own [wikipedia.org]
Pwn2Own contests regularly have Safari/Mac software as a valid winning target.
Is it good data? Maybe not. But the point is that Macs aren't targeted much because the Windows desktop share is much larger (some figures say 90%). So while they can get viruses, it's not a valuable target for botnets.
Still waiting for the first Mac OS X virus in the wild...
http://www.symantec.com/security_response/threatexplorer/azlisting.jsp?azid=O [symantec.com]
OSX.* near the bottom of the list. There's 13 on that list.
Re: (Score:3)
And there's one actual virus on that list ... which, if you read the description, you'll see is a proof of concept. Wow, OS X is just as insecure as Windows!
GMAFB. You can talk about pwn2own all you want, but in the real world, no rational person doubts that OS X users are much, much safer from malware of all kinds than Windows users are. The market share argument doesn't hold water either, because in the "Classic" Mac OS days, there were in fact large numbers of genuinely dangerous Mac viruses in the wi
Re: (Score:2)
GMAFB.
Is it good data? Maybe not.
Meaning I'm implying it's data, but probably only that. I said no such thing as MACS ARE SECURE HURR.
I actually don't care about this topic, AC asked for data.
And if I really want to, I can spin it the other way with Windows XP:
http://blogs.chron.com/techblog/archives/2008/07/average_time_to_infection_4_minutes_1.html [chron.com]
Which means that there are viruses that scan the internet for open security holes regularly at random IP addresses to infect other machines.
OH NO XP IS INSECURE, WE SHOULD ABANDON IT!
No, not r
Re: (Score:2)
And there's one actual virus on that list ... which, if you read the description, you'll see is a proof of concept. Wow, OS X is just as insecure as Windows!
Alcatraz has had a number of jailbreaks. My grandmother's white fence has had 0 jailbreaks. My grandmother's fence is more secure than Alcatraz!
Just because few people take advantage of such a system doesn't mean anything. Mac has a tendency to pull out a large patch every few months or so - that's insecurity at its finest. Obviously if they had larger market share in this day and age, there'd be more viruses.
Re: (Score:2)
Amazing. The market share argument has been shown to be utter crap, over and over again, and you people just keep repeating it. Is it some kind of religious belief with you? Mac users get accused of fanaticism a lot, and not without justification, but I swear there's nobody more fanatical in the computer world than a Mac hater on a roll.
Re: (Score:2)
My grandmother's white fence has had 0 jailbreaks. My grandmother's fence is more secure than Alcatraz! Just because few people take advantage of such a system doesn't mean anything.
It means a lot to your grandmother. I'm sure she's much happier living in a nice house with a nice white fence, than she would be living in Alcatraz. And in either location, she hasn't had her living space broken into.
Re: (Score:2)
Still waiting for the first Mac OS X virus in the wild...
McAfee [mcafee.com] lists 48 known "viruses" for OSX. Most appear to be Trojans giving remote access or subverting DNS. I perused a few of the McAfee descriptions, and it was not immediately clear whether these infections would be self-propagating (as one would ordinarily expect of viruses). Just like other *nix threats, they require the user to actively run the infecting program and enter a privilege-escalating password.
While not a Mac user or fan (Linux user, mostly), I am also mystified by the characterization of O
Re: (Score:2)
However Apple users by and large are quite arrogant and care-free about the security of their OS, and IMO are just asking for it.
That's an odd take.
Anyway, as things stand right now, being "care-free" about viruses/malware is warranted. Once some actual outbreak occurs, or malware becomes more than a handful of trojans on pirated copies of Photoshop and iWork, the care-free days are over. But until then, what's wrong with accepting reality as it is as opposed to worrying about what might someday come to pass (but for over a decade now, hasn't)?
Re: (Score:2)
There are very few true viruses in the wild at all these days. The great majority are actually trojans or worms.
Re: (Score:2)
There are very few true viruses in the wild at all these days. The great majority are actually trojans or worms.
You do know that "worm" is a subset of "virus", right?
Re: (Score:2)
As arrogant as Mac users happen to be, it seems they are always half as arrogant as PC users.
Re: (Score:2)
Comment removed (Score:4, Insightful)
Re: (Score:2)
Doesn't matter. The submitter stated it as a fact. The article doesn't make much of a case for it either.
I won't say that OS X has a perfect security record, but Windows historically has an abominable security record. Things are much better now, but I still read about vulnerabilities in Windows 7 and IE, and Microsoft still patches very frequently after 0-day exploits come out.
Besides, the techrepublic link you posted still says that OS X's security architecture is much stronger than Windows and only real
Re: (Score:2)
Have any quotes or links to back that up, Mr. Submitter?
Is it just me, or do a lot of the Mac fan-boys not know how to use Google before they open their mouth and insert their foot?
http://www.tomshardware.com/news/pc-windows-apple-mac-osx,9557.html [tomshardware.com] (second google hit, btw)