The Mac Observer


SANS Institute: 'Mac OS X is Not Entirely Free of Troubles'

by , 2:55 PM EST, November 29th, 2005

The SANS Institute last week issued its list of the Top 20 vulnerabilities across all operating systems, including details of what it considers to be critical vulnerabilities in Mac OS X. The company wrote: "Although Mac OS X has security features implemented out of the box such as built-in personal firewall, un-necessary services turned off by default and easy ways to increase the OS security, the user still faces many vulnerabilities."

The SANS Institute also took Apple to task for not being more specific when issuing patches, thus keeping them from identifying which parts of the operating system are most vulnerable. The firm noted that the Safari Web browser contains "multiple vulnerabilities ... and in certain cases exploit code has also been posted publicly."

Rohit Dhamankar, who is the security architect for 3Com's TippingPoint and is the Top 20 list editor for SANS, told Robert Lemos of SecurityFocus: "There are some people that feel that, if they are running Mac OS X, then all is well. That is no longer true." As Mr. Lemos points out in his article, anti-virus software maker Symantec owns SecurityFocus.

Mr. Lemos wrote that "highlighting vulnerabilities in Mac OS X was intended as a wake up call" by SANS. While Mr. Dhamankar acknowledged that he was not "saying you have to worry about the entire operating system," he did want to make it clear that, in SANS' view, "Mac OS X is not entirely free of troubles."

While Mac OS X has yet to suffer from the widespread Trojan Horse, spyware and virus attacks seen in the Windows world, SecureMac.com CEO Nicholas Raba told Mr. Lemos: "Mac OS X is currently more secure than Linux or Windows only for the fact that the shares of users is smaller thus the (number of) researchers discovering the flaws is smaller."

Open Source Vulnerability Database content editor Brian Martin added that Microsoft has issued 89 OS patches so far in 2005, while Apple has released 81 such fixes. Mr. Martin said: "A lot of the people who do vulnerability research started with Unix, and a lot of hackers have moved to Apple Mac OS X because it is cool and they can do anything they could do on Unix."

The SANS Institute recommends keeping Mac OS X's firewall on and running Software Update at least once a week to keep the system current. Its Top 20 list also features links to sources where users can obtain more information about Mac security.

Observer Comments

Name: Wings Posts: 89 Joined: 30 Mar 2004
Subject: I Invite You To...

My current IP address is 66.44.243.16 and will probably stay that way for many many days, and my firewall is OFF.

So, do me. (Not a silly DOS, hit me with something I can frame & hang on the wall)

... if you can.

Name: Al Swearengen Posts: 339 Joined: 10 May 2005
Subject: I wish

I wish they had a better description of the vulnerabilities, the SANS site is rather geeky.

Of course we are not entirely secure, nothing is.

Name: Guest
Subject: Old news?

As far as I can see none of these vulnerabilities applies to anyone running 10.4.3.

I sometimes think people create these stories just in case someone does find a Mac OS exploit: then they can say "I told you so".

Name: AaronAdams Posts: 30 Joined: 10 May 2004
Subject:

If you follow the link to the SANS site and read the vulnerabilities, you'll notice that none of them are for a current version of Mac OS or Safari. Most of them are related to 10.3.9 or earlier, and versions of Safari included in Tiger releases prior to 10.4.3.

Nobody reasonable expects that they are completely, magically protected from all problems and vulnerabilities because they're running Mac OS. Something as complex as an operating system will probably never be completely secure. To expect that as a user is naive, and to criticize imperfection as a security organization or IT professional is disingenuous.

Citing old software as vulnerable, and citing no current vulnerabilities or exploits, reveals that this is a non-news story.

Name: Guest
Subject: All patched

Every one of the things SANS talked about has been patched, and a LARGE amount of the stuff patched is actually Apple applying patches of OSS code residing in OS X. In other words, they're passing along someone *else's* fixes.

Most of the flaws SANS says exist in OS X also exist in Linux and other Unix distributions, yet all they say about linux is 'know what's running and choose hard passwords.'

IOW, it's just hype for Symantec to sell more snake oil.

In fact OS X users are NOT facing many more vulnerabilities, because if they were, there would be exploits. There would be stuff in the wild. Heck if we had viruses in proportion to the market share, OS X should have well over a thousand viruses in the world today, maybe two thousand.

What's that? Still nada?

Viruses have been written to attack software packages that had just 15,000 copies installed worldwide.

The installed Mac base is far larger than the installed base susceptible to the SQL Slammer virus, yet OS X has still not seen a single virus.

The "Oh our puny market share is all that keeps us safe" BS is just that: BS.

OS X is safer because it's inherently safer, and Apple has buttoned it down from the outset. Windows is inherently UNSAFE because it's been largely written without any security in mind.

Apache is by FAR a more widespread Web server than Windows IIS is, yet IIS is BY FAR the most attacked and penetrated.

Why? because the majority of Apache builds run on some form of Unix, IIS runs on Windows.

COULD a virus be written? Of course. Would it be effective? not very likely.

Name: wraithe Posts: 7 Joined: 09 Nov 2005
Subject: As Smaug said...

"You praise me with faint damns."

I mean, c'mon.

Mac OS X's catchphrase: "Not entirely free of troubles"?

What was the header for windows? "Welcome to Hell"?

Name: ireid2k Posts: 125 Joined: 07 Apr 2003
Subject: I agree BUT

Quote
Guest wrote:
Every one of the things SANS talked about has been patched, and a LARGE amount of the stuff patched is actually Apple applying patches of OSS code residing in OS X. In other words, they're passing along someone *else's* fixes. . . .
. . . In fact OS X users are NOT facing many more vulnerabilities, because if they were, there would be exploits. There would be stuff in the wild. Heck if we had viruses in proportion to the market share, OS X should have well over a thousand viruses in the world today, maybe two thousand.

. . . The installed Mac base is far larger than the installed base susceptible to the SQL Slammer virus, yet OS X has still not seen a single virus.

The "Oh our puny market share is all that keeps us safe" BS is just that: BS.

OS X is safer because it's inherently safer, and Apple has buttoned it down from the outset. Windows is inherently UNSAFE because it's been largely written without any security in mind. . .

. . . COULD a virus be written? Of course. Would it be effective? not very likely.


If any 12 year old with a windows machine can hack into the system then your gonna get the attacks that Windows suffers with on a daily basis. Windows is a major OS but it still has a long way to go to be SECURE. Security is posible, (my Windows XP machine is up-to-date and patched and virus scanned and spyware scanned (phew) BUT its still not SECURE. My OS X machine is also updated and security installed. . . and just like my Windows machine its STILL NOT SECURE, cause NOTHING 100% foolproof.

That being said: Apple has made every attempt to KEEP its system secure BEFORE anything can happen. Windows has to wait till someone says: 'oh yeah, theres a hole in my life raft thats why I'm sinking!' lol

Sorry, I'm rambling again. . .

Name: Wings Posts: 89 Joined: 30 Mar 2004
Subject: Pitiful

Well, what do ya know.... some poor soul took me up on my offer, and he's pingin the hell outa me with humongous packets.

... and I'm still here. (I told ya, DOS's don't count. Any kid can do that. Do something serious why don't ya.)

Name: Wings Posts: 89 Joined: 30 Mar 2004
Subject: Pitiful #2

Oh, forgot to mention. His IP is 81.243.19.63

Name: Guest
Subject: Re: I agree BUT

Quote
ireid2k wrote:

If any 12 year old with lackeys can hack into an OS X system then your gonna get gas attacks, fogging bathroom Windows on a daily basis. Windows is a major SECURE OS. Security is posible, (posible, my Spanish isn't that great(phew)) BUT its not OS X unless it's NOT SECURE, cause IT'S 100% SUCKS.

That being said: Apple has made every attempt to KEEP the MAC MINI from being updated so someone says: 'oh yeah, the Mini finally stopped stinking!' lol

Sorry, I'm rambling again. . .

Name: Tiger Posts: 1018 Joined: 17 Jun 2003
Subject: understatement

Quote:

While Mac OS X has yet to suffer from the widespread Trojan Horse, spyware and virus attacks seen in the Windows world, SecureMac.com CEO Nicholas Raba told Mr. Lemos: "Mac OS X is currently more secure than Linux or Windows only for the fact that the shares of users is smaller thus the (number of) researchers discovering the flaws is smaller.


How about "While OS X has YET to suffer from EVEN ONE Trojan Horse, Spyware, or virus attack as opposed to the daily grind in the Windows world...."

Name: coaten Posts: 3071 Joined: 10 Oct 2001
Subject:

Quote
Guest wrote:
Quote
ireid2k wrote:

If any 12 year old with lackeys can hack into an OS X system then your gonna get gas attacks, fogging bathroom Windows on a daily basis. Windows is a major SECURE OS. Security is posible, (posible, my Spanish isn't that great(phew)) BUT its not OS X unless it's NOT SECURE, cause IT'S 100% SUCKS.

That being said: Apple has made every attempt to KEEP the MAC MINI from being updated so someone says: 'oh yeah, the Mini finally stopped stinking!' lol

Sorry, I'm rambling again. . .


Ummm, what .... ?

Name: LaurieF - TMO Forum Mod Posts: 3547 Joined: 15 Jun 2001
Subject:

Just ignore it - it's another one of those anonymous plonkers that quotes a pro-Apple post and re-jigs it to say the opposite. Self-assumed humour rarely is more than mildly amusing. But it's at least a change from poker spamming.

Name: randompro42 Posts: 236 Joined: 25 Sep 2003
Subject:

call me when my computer is currently at risk... not when it was at risk a year ago

TRO

Name: Al Swearengen Posts: 339 Joined: 10 May 2005
Subject: OSX Security updates this afternoon

Apple issued a security update this afternoon. It fixed a number of things. Run Software Update or visit http://docs.info.apple.com/article.html?artnum=302847

Name: Dean Lewis Posts: 162 Joined: 29 Sep 2001
Subject: How goes the challenge, Wings?

I'm interested in hearing more about what happens. Hilarious your first hit was pretty much a script kiddie.

Name: fartheststar Posts: 222 Joined: 04 Jan 2004
Subject: Thanks Al.

D/L it now....

Wings: Why do you leave your firewall off? I mean, there's not a likely chance you'd be attacked, but why not take minimal protection?

Name: jacrav Posts: 268 Joined: 04 Jul 2001
Subject: Looks like the attacker

is using a computer from Belgium; bot or his own ?
Should be reported to:
abuse@skynet.be

Name: Guest
Subject: OS X is more secure, why split hairs?

I guess the virus protection people want to spread a little FUD around so that they can get the expanding OS X market to pony up some dough and buy their snake oil too. Sorry, no thanks, been runnin' OS X since the beginning, zero problems.

Wish my friend had invested in some protection, though. His Windows system went down like Thai hooker after d-loading something nasty. Couldn't even boot his system afterwards.

Yeah, Windows security sure does suck, assuming that it even exists as something more than a theoretical possibility. But even the yokels buying Wal-Mart PCs know that by now.

Name: Guest
Subject:

"There are some people that feel that, if they are running Mac OS X, then all is well. That is no longer true."

Yeah, because of all the virsues and exploits for OS X. Hey, wait a minute... There aren't any.

Thanks alot for the report, SANS Institute.

Name: Guest
Subject:

Quote
A winbot lost in Candyland wrote:

If any 12 year old with lackeys can hack into an OS X system then your gonna get gas attacks, fogging bathroom Windows on a daily basis.

But... Oh my god, a Mac user giving out his IP address and asking for it can't even be hacked?

Ugh. Reality's cutting through the haze, again. Time to pop some more oxycontin.

Name: Wings Posts: 89 Joined: 30 Mar 2004
Subject: Yesterday's Challenge

Dean,

I started getting port scans & pings-of-death (although I never died) so much that my bandwidth started to go downhill, so I changed IP numbers. Even though I said in my challenge that a DOS attack wasn't what I was inviting, that's essentially what happened. And I just don't have the bandwidth to support a bunch a kids trying to find an open PC port on a machine that isn't a PC.

Name: ireid2k Posts: 125 Joined: 07 Apr 2003
Subject: Bizarro Post

Hmmm. . . seems like Bizarro ireid2k has struck again! Lol

Quote
coaten wrote:
Quote
Guest wrote:
Quote
ireid2k wrote:

If any 12 year old with lackeys can hack into an OS X system then your gonna get gas attacks, fogging bathroom Windows on a daily basis. Windows is a major SECURE OS. Security is posible, (posible, my Spanish isn't that great(phew)) BUT its not OS X unless it's NOT SECURE, cause IT'S 100% SUCKS.

That being said: Apple has made every attempt to KEEP the MAC MINI from being updated so someone says: 'oh yeah, the Mini finally stopped stinking!' lol

Sorry, I'm rambling again. . .


Ummm, what .... ?

Name: Guest
Subject:

Quote
Anonymous wrote:

Yeah, because of all the "virsues!" and exploits for OS X only take a minute to do. There aren't any like that on Windows.

Thanks alot for the report, SANS Institute.

Name: Guest
Subject:

Quote
Closet Milton Bradley's Candyland Fanatic wrote:

If any 12 year old with lackeys can hack into an OS X system then your gonna get gas attacks, fogging bathroom Windows on a daily basis.

But... Oh my god, a Mac user giving out his IP address and asking for it can't be hacked once he turns off the computer.

Ugh. Free King Kong trailers aren't enough to entice iTMS movie sales. Time to listen to some more Bill Conti.

Name: Dean Lewis Posts: 162 Joined: 29 Sep 2001
Subject:

Apparently since they can't hack your computer, they've decided to come back here and rewrite your words. They even have to make new messages to do that because they can't hack and edit the original messages. Losers.

Name: Guest
Subject: Vulnerable ?

Is this another case of WEAPONS OF MAC DESTRUCTION ?

Name: Roger Plowman Posts: 29 Joined: 01 Nov 2003
Subject: Not To Rain On Anyone's Parade...

But if OS/X can't be hacked, why is Apple bothering to release so many security fixes? As a PR gimmick maybe?

Look, any OS is vulnerable if somebody wants in badly enough. All they need is a hole, and there are still undiscovered holes in OS/X. As well as XP and all the versions of Linux and Unix and lord knows what else out there. It's the nature of the beast.

What OS/X has is a breather. A head start. DO NOT believe yourself invulnerable, because that's the kind of thinking that "improved" the Titanic's lines by removing the "clutter" of the additional lifeboats...

By the way, to the poster that said IIS was more hacked than Apache? Go look at IIS 6 stats. Then look at a comparable period for Apache. Might surprise you.

Be prudent, not complacent. Protect yourself instead of grandstanding. Or one day the headline will read "OS/X users caught napping by unprecedented "Death Knell" virus."

Name: Guest
Subject:

"But if OS/X can't be hacked, why is Apple bothering to release so many security fixes? As a PR gimmick maybe? "

Or maybe because unlike a certain other OS, they like to be ahead of the game and release the patches so no one WILL use the exploits. MicroSoft, while doing a decent job sometimes, still is notorious for waiting until the bomb hits before doing something to patch their troubles.

" DO NOT believe yourself invulnerable"

This is the big lie that people who talk about Mac security keep repeating: that we Mac users think we're invulnerable. This is pure b.s. and is just one more way to denigrate us (such as dropping in the words fanatic, or kool-aid, or distortion field into a Mac article to describe us -- it's colorful, but not really true). We don't think we're invulnerable; but compared to the software Windows users have to run now, today, in order to keep their peace of mind and their computers working, we are sitting pretty. And the day something does hit, Apple and we will be ready for it.

"Protect yourself instead of grandstanding."

Protect against what? There are NO virii out there. No trojans. Nothing. There is nothing to protect against in that regard. Running firewalls against other exploits is as much as is needed, but shelling out dough for anti-virus software right now isn't necessary. We run our updates -- and if you read through those updates from yesterday, they're pretty esoteric stuff and nothing Wings' DOS kiddies were going to remotely bother. There is nothing else to do right now -- the only other option would be to turn the computer off and pack it in the closet. But, for me, I'd rather use it for as long as I can before I have to start loading anti-virus, anti-popup, anti-spyware, anti-yadyada stuff on it.

Name: Guest
Subject:

Quote
Dean Lewis wrote:
Apparently since they can't attack your feelings well, Mac fans decided to come back here and rewrite history that the G5 PowerMac was the first 64-bit desktop. OS X's Mail makes new messages that hacks and edit your original messages. Hey you hosers.

Name: Guest
Subject:


Quote
Anonymous wrote:

Yeah, because of all the "virsues!" and exploits for OS X only take a minute to do. There aren't any like that on Windows.


Stop smoking crack. Windows security sucks harder than your Mom when offered a Twinkie and a fifth of scotch.

Name: Guest
Subject:

Quote
Anonymous wrote:

Stop the smoking iMacs. Apple's security updates causing kernel panics suck harder the Twinkie tax and fifth generation iPods.

Name: marsviolet Posts: 9 Joined: 26 Apr 2003
Subject: Raba is full of shyte.

Nicholas Raba said: "Mac OS X is currently more secure than Linux or Windows only for the fact that the shares of users is smaller thus the (number of) researchers discovering the flaws is smaller."

Wrong. Raba's statement implies that there's a direct correlation between the level of security of an operating system and its share of users, but the ratio of Windows viruses and exploits to Mac viruses and exploits is something like 80,000+ to ZERO, while the ratio of Windows users to Mac users is more like 12:1 depending on who you ask. If Nicholas Raba's statement had any truth to it, there should be THOUSANDS of Mac exploits and viruses. But there aren't. There have been no actual reported security exploits and ZERO viruses or trojan horses. Why? Because OS X is more secure and better designed, and because the Mac has a better quality of user.

Name: Guest
Subject:

Quote
Guest wrote:
Quote
Anonymous wrote:

Yeah, because of all the "virsues!" and exploits for OS X only take a minute to do. There aren't any like that on Windows.


Stop smoking crack. Windows security sucks harder than your Mom when offered a Twinkie and a fifth of scotch.


ROFLMAO! Good one.

Name: Guest
Subject:

Quote
Anonymous wrote:

Stop smoking crack. Windows security sucks harder than your Mom when offered a Twinkie and a fifth of scotch.


ROFLMAO! Good one.

Thanks, but I apologize for those mean comments. I should not be an arrogant Mac user. In fact, I should not be a Mac user at all.

Name: Guest
Subject:

Quote
Anonymous wrote:

ROFLMAO! Good one.


Thanks, but I apologize for those mean comments. I should not be an arrogant Mac user. In fact, I should not be a Mac user at all and learn how to type on a decent non-Apple keyboard.

Name: Guest
Subject:

"But if OS/X can't be hacked, why is Apple bothering to release so many security fixes? As a PR gimmick maybe? "

To keep it safe, obviously. Finding and patching rough spots before they can be maliciously exploited is a good practice.

"Look, any OS is vulnerable if somebody wants in badly enough."

Liar. You can't put vulnerabilities into an operating system by wishing and hoping. No matter how badly someone wants to break into OS X, a backdoor won't suddenly appear just to answer their prayers.

Coding isn't some mystic and arcane discipline. If you write code that can't be exploited, then it won't be. Period. Just because Microsoft can't put together an operating system that isn't teeming with security holes, doesn't mean a safe OS is some impossible and miraculous feat.

"What OS/X has is a breather. A head start. "

That's bullshit through and through. Head starts don't last for over four years. It is the anthem of every clueless "security expert" and FUD-thrower out there, though.

Not one year has gone by that we haven't all been reminded that there's this big, looming, mythical malware threat looming on the horizon, ready to strike OS X like deadly murder. And not a year goes by that the myth doesn't come to pass, because it is, after all, only a myth.

"Be prudent, not complacent. Protect yourself instead of grandstanding."

Mac users should protect themselves from a nonexistent threat? Hey, you should work for Symantec.


"Or one day the headline will read "OS/X users caught napping by unprecedented "Death Knell" virus.""

That little "prediction" became obvious bullshit several years ago. It's little more than a sales slogan for anti-virus companies who find they have no place on the Mac platform.

Name: Guest
Subject:

Quote
a winbot trying to escape the facts wrote:

No! Apple's stock is climbing to 70+ dollars! Gotta think... Gotta think... Gotta stay disconnected from reality... I know! I'll pop some oxycontin AND huff some aerosol! That'll do the trick! Okay now, let's see if it works...


Yeah, because of all the "virsues!" and exploits for OS X only take a minute to do. There aren't any like that on Windows.


Ooh, it did. Man, do I feel better.

Name: Guest
Subject:

Quote
Screwed by Apple Care wrote:

No! Apple's Mighty Mouse is climbing to 50+ dollars to offset the cost of having them free with the iMacs! Have to fight... Have to crow... Have to save Maggie have to save Jack... Hook is back! I'll pop some Mac Mini covers AND create some of my bathroom gasl! That'll trick my house guests! Okay now, let's see if Works doesn't suck as much as SimpleText...


Yeah, because of all the "virsues!" and exploits for OS X only take a minute to do. Windows has a much better track record of fixing bugs.


Ooh, it did. Man, do I feel iMac's plastic melting.

Name: Roger Plowman Posts: 29 Joined: 01 Nov 2003
Subject: To Guest 12/2/2005 7:51 AM

Awkward subject title, but the only way I could think of to identify the poster...

Your post is self-contradictory. Let's look at the first two points:

-- I said --

"But if OS/X can't be hacked, why is Apple bothering to release so many security fixes? As a PR gimmick maybe?"

-- You said --

"To keep it safe, obviously. Finding and patching rough spots before they can be maliciously exploited is a good practice."

Which means you admit OS/X has "rough spots". In other words, vulnerabilities. Which, had anyone cared to (and knew about) they could have exploited.

Conclusion: Prior to the patch OS/X *WAS* vulnerable. In fact, with the Safari browser hole it was just as vulnerable as Windows has ever been. "Extremely critical" vulnerability, remember?

Which makes your second point contradictory:

-- I said --

"Look, any OS is vulnerable if somebody wants in badly enough."

-- You said --

"Liar. You can't put vulnerabilities into an operating system by wishing and hoping. No matter how badly someone wants to break into OS X, a backdoor won't suddenly appear just to answer their prayers."

Um...need I say anything else?

Nevertheless, to make my point crystal clear I'll continue.

While it's true wishing and hoping won't create a hole where none exists, it's impossible to find every hole before release. I will repeat that. It is *NOT HUMANLY POSSIBLE* to find every vulnerability in something the size and complexity of OS/X.

The same is true for Windows, every flavor of Linux, BSD, Unix. Or BeOS. Or even the ancient (but still thriving) CP/M.

Even as we speak there *ARE* (and I'm dead sure of this) more vulnerabilities in OS/X. And if somebody wanted to they'd find them. Just as these recently patched vulnerabilities were found.

Using short words here: OS/X is *STILL* vulnerable to some attack. Just as it has been in the past. Just as it will always be. Just as every OS on earth still is vulnerable.

Let's explore further, shall we?

-- You said --

"Coding isn't some mystic and arcane discipline. If you write code that can't be exploited, then it won't be. Period. Just because Microsoft can't put together an operating system that isn't teeming with security holes, doesn't mean a safe OS is some impossible and miraculous feat."

Ok, first of all coding *is* an arcane discipline, more art than engineering. While best practices do exist the problem domains solved by software aren't well understood (in the engineering sense) and the nearly infinite number of possible interactions makes it impossible to guarantee something the size of an OS can be "safe".

It can be "safer". Well known attack vectors can be blocked. Nasty suspicious SOB's can spend their nights coming up with new attacks and making sure the OS is guarded against them.

But you will never eliminate every vulnerability. Designers can't think of everything.

The sad truth is a successful exploit needs only *1* hole in the right place. Out of the millions of lines of code only 1 mistake.

That means to be safe you have to have better than 6 sigma accuracy. Not humanly possible.

-- You also said --

"Not one year has gone by that we haven't all been reminded that there's this big, looming, mythical malware threat looming on the horizon, ready to strike OS X like deadly murder. And not a year goes by that the myth doesn't come to pass, because it is, after all, only a myth."

Absence of proof is not proof of absence. Just because nobody's done it doesn't mean it can't be done.

Here's a plausible way to do it:

1. Use a bot net and stealthily scan for every OS/X system on the net. 100,000 machines scanning a dozen different addresses every 5 minutes or so wouldn't be a blip on the radar. Use an IRC channel to report back to master node computers every so often.

This technology exists *right now*.

2. Build a virus/worm/whatever that takes advantage of a previously unknown vulnerability to root OS/X.

There have been such vulnerabilities in the past. There may be others still extant. Who expected an "extremely critical" flaw to exist in Safari?

3. Use the list of OS/X computers gathered in step 1 to pinpoint your targets. Send the worm. Because it's a short message to a particular computer the traffic will go undetected.

4. Once the target is infected wait for a period of time, say 30 days. Then trigger your payload. The payload might be something as simple as a hard drive reformat, triggered late at night, or the next time the computer is rebooted.

Or it might be something as complex as a bot that combs through your hard drive, looking for goodies like passwords, bank account numbers, etc.

It just depends on the motive of the individual who wrote the virus. Are they out to silence the mac fan-bois? Or are they looking to inflate their bank account?

Either way, most OS/X users will be crying real tears. Either from losing work they never thought to back up or from identity theft.

-- and finally you said --

"Mac users should protect themselves from a nonexistent threat? Hey, you should work for Symantec."

Ask yourself some questions.

1. Do you have a UPS in case power fails? If not what's going to keep you from losing that 2 hours of work in progress you didn't save because "macs just work"?

2. Do you regularly back up your work? Do you have a copy of everything on your harddrive somewhere else (tape, LS-120, external hard drive, etc?) If not, what happens when the hard drive fails? Or the computer is stolen?

3. Do you have a NAT router, firewall, or other means of stealthing your computer's presence on the net? If not, what prevents someone from IDing your computer as an OS/X system at IP address X?

4. Are you cautious about the software you download? Do you know it isn't a trojan horse that plays a neat game to your face but sends out spam behind your back? How often do you type in the admin password when an installation asks? Did you know the installation process runs with admin privileges? Do you know if the installation process has any flaws that can be exported?

5. Are you cautious about the websites you visit? Do you know if Safari has any other "extremely critical" flaws in it? *Have you already been infected* and don't know it? How could you tell?

6. Are you cautious about the email attachments you receive from Aunt Gertrude? She runs a Mac right? How could *she* be infected?

7. Do you apply system updates religiously? If not, would you be vulnerable to a reported flaw that *you did not fix*?

8. Do you let your computer run unattended? What's to keep bad things from happening while you're asleep?

I don't work for any AV company. Personally I think Apple, Microsoft, Sun, IBM, etc should supply AV software and updates for free just like they do bug fixes.

But there are lots of threats to your Mac out there. Some of them come from bad hardware, bad software, or just bad luck. Others come from bad people that make *millions* of dollars a year from computer crime.

Be prudent and don't grandstand, folks.

Case in point: Wings did a stupid thing. He published his IP address and dared anybody to hack his system. The result was a DOS attack even when he said don't do that.

Guess what? Bad guys don't follow the rules. Duh.

Maybe OS/X is the golden child and will never be hacked. Maybe. But there are 6 billion people on this earth. It only takes *1* to hack OS/X. All that's needed is the knowledge, patience, will, and desire.

Anyone willing to guarantee OS/X won't suffer a Pearl Harbor style attack? You'll recall part of the reason that attack was so utterly successful was complacency on the American side.

Be wary. Be cautious. And be safe.

Name: Giles Posts: 15 Joined: 08 May 2004
Subject:

Roger, of course it cannot be proven that OS X is invulnerable. Of course there are potential threats. The question is, how much should I worry? I think the only rational answer is "not much at all."

The frequent security updates (well, frequent compared to me winning the lottery) come to us because guess what, Apple pays some number of very bright programmers to worry about security full-time, run security test suites on every version, constantly update the threats, etc. etc.

These guys are productive. They find vulnerabilities that are so esoteric, no one can understand how to exploit them. They find vulnerabilities that can only happen under complicated and improbable conditions. They find vulnerabilities that only occur if you deliberately reconfigure your system in some way that no one would ever do on purpose. And once in a LONG while, they find something actually dangerous.

And they fix all of those, and send out security updates. The most obvious effect of this is that so far (more than four years) every single vulnerability that's been found has been patched before anyone could exploit it. The less obvious effect that if you set out to attack OS X, you know you have a lot of work to do. Nobody would do it for fun, and apparently not for profit either.

So yeah, some day maybe someone will successfully attack OS X. Tell you what: if you give me a dollar every day, I'll pay it back double when there's a serious, successful attack, affecting let's say one thousand machines. If we're both still alive, that is. I am 64 right now. What do you say?
