SANS Institute: 'Mac OS X is Not Entirely Free of Troubles'
2:55 PM EST, November 29th, 2005
The SANS Institute last week issued its list of the Top 20 vulnerabilities across all operating systems, including details of what it considers to be critical vulnerabilities in Mac OS X. The company wrote: "Although Mac OS X has security features implemented out of the box such as built-in personal firewall, un-necessary services turned off by default and easy ways to increase the OS security, the user still faces many vulnerabilities."
The SANS Institute also took Apple to task for not being more specific when issuing patches, thus keeping them from identifying which parts of the operating system are most vulnerable. The firm noted that the Safari Web browser contains "multiple vulnerabilities ... and in certain cases exploit code has also been posted publicly."
Rohit Dhamankar, who is the security architect for 3Com's TippingPoint and is the Top 20 list editor for SANS, told Robert Lemos of SecurityFocus: "There are some people that feel that, if they are running Mac OS X, then all is well. That is no longer true." As Mr. Lemos points out in his article, anti-virus software maker Symantec owns SecurityFocus.
Mr. Lemos wrote that "highlighting vulnerabilities in Mac OS X was intended as a wake up call" by SANS. While Mr. Dhamankar acknowledged that he was not "saying you have to worry about the entire operating system," he did want to make it clear that, in SANS' view, "Mac OS X is not entirely free of troubles."
While Mac OS X has yet to suffer from the widespread Trojan Horse, spyware and virus attacks seen in the Windows world, SecureMac.com CEO Nicholas Raba told Mr. Lemos: "Mac OS X is currently more secure than Linux or Windows only for the fact that the shares of users is smaller thus the (number of) researchers discovering the flaws is smaller."
Open Source Vulnerability Database content editor Brian Martin added that Microsoft has issued 89 OS patches so far in 2005, while Apple has released 81 such fixes. Mr. Martin said: "A lot of the people who do vulnerability research started with Unix, and a lot of hackers have moved to Apple Mac OS X because it is cool and they can do anything they could do on Unix."
The SANS Institute recommends keeping Mac OS X's firewall on and running Software Update at least once a week to keep the system current. Its Top 20 list also features links to sources where users can obtain more information about Mac security.
Observer Comments
If you follow the link to the SANS site and read the vulnerabilities, you'll notice that none of them are for a current version of Mac OS or Safari. Most of them are related to 10.3.9 or earlier, and versions of Safari included in Tiger releases prior to 10.4.3.
Nobody reasonable expects that they are completely, magically protected from all problems and vulnerabilities because they're running Mac OS. Something as complex as an operating system will probably never be completely secure. To expect that as a user is naive, and to criticize imperfection as a security organization or IT professional is disingenuous.
Citing old software as vulnerable, and citing no current vulnerabilities or exploits, reveals that this is a non-news story.
Quote: Guest wrote:
Every one of the things SANS talked about has been patched, and a LARGE amount of the stuff patched is actually Apple applying patches of OSS code residing in OS X. In other words, they're passing along someone *else's* fixes. . . .
. . . In fact OS X users are NOT facing many more vulnerabilities, because if they were, there would be exploits. There would be stuff in the wild. Heck if we had viruses in proportion to the market share, OS X should have well over a thousand viruses in the world today, maybe two thousand.
. . . The installed Mac base is far larger than the installed base susceptible to the SQL Slammer virus, yet OS X has still not seen a single virus.
The "Oh our puny market share is all that keeps us safe" BS is just that: BS.
OS X is safer because it's inherently safer, and Apple has buttoned it down from the outset. Windows is inherently UNSAFE because it's been largely written without any security in mind. . .
. . . COULD a virus be written? Of course. Would it be effective? Not very likely.
If any 12 year old with a Windows machine can hack into the system then you're gonna get the attacks that Windows suffers with on a daily basis. Windows is a major OS but it still has a long way to go to be SECURE. Security is posible, (my Windows XP machine is up-to-date and patched and virus scanned and spyware scanned (phew)) BUT it's still not SECURE. My OS X machine is also updated and security installed. . . and just like my Windows machine it's STILL NOT SECURE, 'cause NOTHING is 100% foolproof.
That being said: Apple has made every attempt to KEEP its system secure BEFORE anything can happen. Windows has to wait till someone says: 'oh yeah, there's a hole in my life raft, that's why I'm sinking!' lol
Sorry, I'm rambling again. . .
Quote:
While Mac OS X has yet to suffer from the widespread Trojan Horse, spyware and virus attacks seen in the Windows world, SecureMac.com CEO Nicholas Raba told Mr. Lemos: "Mac OS X is currently more secure than Linux or Windows only for the fact that the shares of users is smaller thus the (number of) researchers discovering the flaws is smaller.
How about "While OS X has YET to suffer from EVEN ONE Trojan Horse, Spyware, or virus attack as opposed to the daily grind in the Windows world...."
Quote: Guest wrote: Quote: ireid2k wrote:
If any 12 year old with lackeys can hack into an OS X system then your gonna get gas attacks, fogging bathroom Windows on a daily basis. Windows is a major SECURE OS. Security is posible, (posible, my Spanish isn't that great(phew)) BUT its not OS X unless it's NOT SECURE, cause IT'S 100% SUCKS.
That being said: Apple has made every attempt to KEEP the MAC MINI from being updated so someone says: 'oh yeah, the Mini finally stopped stinking!' lol
Sorry, I'm rambling again. . .
Ummm, what .... ?
Tue Nov 29, 2005 7:53 pm Subject: OSX Security updates this afternoon
Apple issued a security update this afternoon. It fixed a number of things. Run Software Update or visit http://docs.info.apple.com/article.html?artnum=302847
Tue Nov 29, 2005 9:01 pm Subject: How goes the challenge, Wings?
Tue Nov 29, 2005 10:12 pm Subject: Thanks Al.
Tue Nov 29, 2005 11:59 pm Subject: Looks like the attacker
is using a computer from Belgium; bot or his own ?
Should be reported to:
abuse@skynet.be
Wed Nov 30, 2005 6:41 am Subject: Yesterday's Challenge
Dean,
I started getting port scans & pings-of-death (although I never died) so much that my bandwidth started to go downhill, so I changed IP numbers. Even though I said in my challenge that a DOS attack wasn't what I was inviting, that's essentially what happened. And I just don't have the bandwidth to support a bunch a kids trying to find an open PC port on a machine that isn't a PC.
Hmmm. . . seems like Bizarro ireid2k has struck again! Lol
Quote: coaten wrote: Quote: Guest wrote: Quote: ireid2k wrote:
If any 12 year old with lackeys can hack into an OS X system then your gonna get gas attacks, fogging bathroom Windows on a daily basis. Windows is a major SECURE OS. Security is posible, (posible, my Spanish isn't that great(phew)) BUT its not OS X unless it's NOT SECURE, cause IT'S 100% SUCKS.
That being said: Apple has made every attempt to KEEP the MAC MINI from being updated so someone says: 'oh yeah, the Mini finally stopped stinking!' lol
Sorry, I'm rambling again. . .
Ummm, what .... ?
Wed Nov 30, 2005 1:45 pm Subject: Not To Rain On Anyone's Parade...
But if OS/X can't be hacked, why is Apple bothering to release so many security fixes? As a PR gimmick maybe?
Look, any OS is vulnerable if somebody wants in badly enough. All they need is a hole, and there are still undiscovered holes in OS/X. As well as XP and all the versions of Linux and Unix and lord knows what else out there. It's the nature of the beast.
What OS/X has is a breather. A head start. DO NOT believe yourself invulnerable, because that's the kind of thinking that "improved" the Titanic's lines by removing the "clutter" of the additional lifeboats...
By the way, to the poster that said IIS was more hacked than Apache? Go look at IIS 6 stats. Then look at a comparable period for Apache. Might surprise you.
Be prudent, not complacent. Protect yourself instead of grandstanding. Or one day the headline will read "OS/X users caught napping by unprecedented "Death Knell" virus."
Thu Dec 01, 2005 5:00 am Subject: Raba is full of shyte.
Nicholas Raba said: "Mac OS X is currently more secure than Linux or Windows only for the fact that the shares of users is smaller thus the (number of) researchers discovering the flaws is smaller."
Wrong. Raba's statement implies that there's a direct correlation between the level of security of an operating system and its share of users, but the ratio of Windows viruses and exploits to Mac viruses and exploits is something like 80,000+ to ZERO, while the ratio of Windows users to Mac users is more like 12:1 depending on who you ask. If Nicholas Raba's statement had any truth to it, there should be THOUSANDS of Mac exploits and viruses. But there aren't. There have been no actual reported security exploits and ZERO viruses or trojan horses. Why? Because OS X is more secure and better designed, and because the Mac has a better quality of user.
Fri Dec 02, 2005 2:25 pm Subject: To Guest 12/2/2005 7:51 AM
Awkward subject title, but the only way I could think of to identify the poster...
Your post is self-contradictory. Let's look at the first two points:
-- I said --
"But if OS/X can't be hacked, why is Apple bothering to release so many security fixes? As a PR gimmick maybe?"
-- You said --
"To keep it safe, obviously. Finding and patching rough spots before they can be maliciously exploited is a good practice."
Which means you admit OS/X has "rough spots". In other words, vulnerabilities. Which, had anyone cared to (and knew about) they could have exploited.
Conclusion: Prior to the patch OS/X *WAS* vulnerable. In fact, with the Safari browser hole it was just as vulnerable as Windows has ever been. "Extremely critical" vulnerability, remember?
Which makes your second point contradictory:
-- I said --
"Look, any OS is vulnerable if somebody wants in badly enough."
-- You said --
"Liar. You can't put vulnerabilities into an operating system by wishing and hoping. No matter how badly someone wants to break into OS X, a backdoor won't suddenly appear just to answer their prayers."
Um...need I say anything else?
Nevertheless, to make my point crystal clear I'll continue.
While it's true wishing and hoping won't create a hole where none exists, it's impossible to find every hole before release. I will repeat that. It is *NOT HUMANLY POSSIBLE* to find every vulnerability in something the size and complexity of OS/X.
The same is true for Windows, every flavor of Linux, BSD, Unix. Or BeOS. Or even the ancient (but still thriving) CP/M.
Even as we speak there *ARE* (and I'm dead sure of this) more vulnerabilities in OS/X. And if somebody wanted to they'd find them. Just as these recently patched vulnerabilities were found.
Using short words here: OS/X is *STILL* vulnerable to some attack. Just as it has been in the past. Just as it will always be. Just as every OS on earth still is vulnerable.
Let's explore further, shall we?
-- You said --
"Coding isn't some mystic and arcane discipline. If you write code that can't be exploited, then it won't be. Period. Just because Microsoft can't put together an operating system that isn't teeming with security holes, doesn't mean a safe OS is some impossible and miraculous feat."
Ok, first of all coding *is* an arcane discipline, more art than engineering. While best practices do exist the problem domains solved by software aren't well understood (in the engineering sense) and the nearly infinite number of possible interactions makes it impossible to guarantee something the size of an OS can be "safe".
It can be "safer". Well known attack vectors can be blocked. Nasty suspicious SOB's can spend their nights coming up with new attacks and making sure the OS is guarded against them.
But you will never eliminate every vulnerability. Designers can't think of everything.
The sad truth is a successful exploit needs only *1* hole in the right place. Out of the millions of lines of code only 1 mistake.
That means to be safe you have to have better than 6 sigma accuracy. Not humanly possible.
-- You also said --
"Not one year has gone by that we haven't all been reminded that there's this big, looming, mythical malware threat looming on the horizon, ready to strike OS X like deadly murder. And not a year goes by that the myth doesn't come to pass, because it is, after all, only a myth."
Absence of proof is not proof of absence. Just because nobody's done it doesn't mean it can't be done.
Here's a plausible way to do it:
1. Use a bot net and stealthily scan for every OS/X system on the net. 100,000 machines scanning a dozen different addresses every 5 minutes or so wouldn't be a blip on the radar. Use an IRC channel to report back to master node computers every so often.
This technology exists *right now*.
2. Build a virus/worm/whatever that takes advantage of a previously unknown vulnerability to root OS/X.
There have been such vulnerabilities in the past. There may be others still extant. Who expected an "extremely critical" flaw to exist in Safari?
3. Use the list of OS/X computers gathered in step 1 to pinpoint your targets. Send the worm. Because it's a short message to a particular computer the traffic will go undetected.
4. Once the target is infected wait for a period of time, say 30 days. Then trigger your payload. The payload might be something as simple as a hard drive reformat, triggered late at night, or the next time the computer is rebooted.
Or it might be something as complex as a bot that combs through your hard drive, looking for goodies like passwords, bank account numbers, etc.
It just depends on the motive of the individual who wrote the virus. Are they out to silence the mac fan-bois? Or are they looking to inflate their bank account?
Either way, most OS/X users will be crying real tears. Either from losing work they never thought to back up or from identity theft.
-- and finally you said --
"Mac users should protect themselves from a non-existent threat? Hey, you should work for Symantec."
Ask yourself some questions.
1. Do you have a UPS in case power fails? If not what's going to keep you from losing that 2 hours of work in progress you didn't save because "macs just work"?
2. Do you regularly back up your work? Do you have a copy of everything on your harddrive somewhere else (tape, LS-120, external hard drive, etc?) If not, what happens when the hard drive fails? Or the computer is stolen?
3. Do you have a NAT router, firewall, or other means of stealthing your computer's presence on the net? If not, what prevents someone from IDing your computer as an OS/X system at IP address X?
4. Are you cautious about the software you download? Do you know it isn't a trojan horse that plays a neat game to your face but sends out spam behind your back? How often do you type in the admin password when an installation asks? Did you know the installation process runs with admin privileges? Do you know if the installation process has any flaws that can be exported?
5. Are you cautious about the websites you visit? Do you know if Safari has any other "extremely critical" flaws in it? *Have you already been infected* and don't know it? How could you tell?
6. Are you cautious about the email attachments you receive from Aunt Gertrude? She runs a Mac right? How could *she* be infected?
7. Do you apply system updates religiously? If not, would you be vulnerable to a reported flaw that *you did not fix*?
8. Do you let your computer run unattended? What's to keep bad things from happening while you're asleep?
I don't work for any AV company. Personally I think Apple, Microsoft, Sun, IBM, etc should supply AV software and updates for free just like they do bug fixes.
But there are lots of threats to your Mac out there. Some of them come from bad hardware, bad software, or just bad luck. Others come from bad people that make *millions* of dollars a year from computer crime.
Be prudent and don't grandstand, folks.
Case in point: Wings did a stupid thing. He published his IP address and dared anybody to hack his system. The result was a DOS attack even when he said don't do that.
Guess what? Bad guys don't follow the rules. Duh.
Maybe OS/X is the golden child and will never be hacked. Maybe. But there are 6 billion people on this earth. It only takes *1* to hack OS/X. All that's needed is the knowledge, patience, will, and desire.
Anyone willing to guarantee OS/X won't suffer a Pearl Harbor style attack? You'll recall part of the reason that attack was so utterly successful was complacency on the American side.
Be wary. Be cautious. And be safe.
