The Mac Observer

Security Researcher Slams OS X For 'Ancient Flaws'

4:40 PM EST, January 26th, 2006

Mac OS X has many security problems that have remained unfixed despite the fact that they were repaired in other operating systems over a decade ago, security researcher Neil Archibald told ZDNet Australia. Reporter Munir Kotadia wrote that Mr. Archibald "speculates that should Apple's market share continue to increase, users of the platform could actually end up less secure than users of other platforms such as Microsoft Windows or Linux."

Mr. Archibald added that Apple has left its code "relatively under-audited, which leaves a lot of low-hanging bugs." As an example, he cited the now-patched "dsidentity" bug, which affected Mac OS X v10.4. It "could have easily been exploited to grant a non-privileged user with admin rights and allow that user to create and remove root user accounts," Mr. Kotadia wrote.

Another flaw that remains unpatched "could allow memory corruption and hand control of a process over to an attacker," according to Mr. Kotadia. Mr. Archibald said that Apple is aware of that flaw's existence but has been slow to respond to it. "It expects security researchers to wait indefinitely to release the vulnerabilities and offers no incentive for them to do so," the security researcher said.

In the long-term, he added, "Apple's impressive security record is likely to be tarnished if the company continues to grow its market share while undervaluing security researchers and not properly auditing its code." The security problems exist in both the Intel and PowerPC versions of Mac OS X, Mr. Archibald noted.

An Apple spokesperson told Mr. Kotadia that the company won't "comment on what other people say about Mac OS X."

Thanks to The Inquirer for the link.

Observer Comments

Name: LaurieF (TMO Forum Mod) Posts: 3506 Joined: 15 Jun 2001
Subject: *Could* happen

Quote
Neil Archibald wrote:
...should Apple's market share continue to increase, users of the platform could actually end up less secure than users of other platforms such as Microsoft Windows or Linux.


Well, yes, but it's all very subjunctive. "Likely to be", "could have easily have been", "could actually end up". Future tense, all. No past tense. It hasn't happened, it's not happening, but it could happen.

Still, as ever, there is no need to be complacent. How many exploited bugs have there been?

Name: JulesLt Posts: 136 Joined: 06 Jul 2005
Subject:

Having looked at the ancient flaws, the ones mentioned all appear to be in the Darwin/BSD layer, in specific commands - which may not be executed by the typical OS/X user at all.

At some point you need to prioritise work (even Apple only has limited programming resources) and I would guess the first question for Apple will be: Does it affect the 95% of users who only use OS/X at the GUI level / how serious is it? I know there are security holes in code I've written but at the end of the day, there is always a trade-off - making a fix might be a 1-line change but it will need to be retested, etc.

But hey, what better way is there to buy publicity for a security consultancy than finding flaws in 'unbreakable' systems like OS/X or Oracle, as opposed to Internet Explorer? Or are they spending their time looking at this code for the good of everyone?

Name: Guest
Subject: Well the summary sounds right

Name: fartheststar Posts: 213 Joined: 04 Jan 2004
Subject: guy's looking for a job

that's it.

Name: Guest
Subject: Why is this even newsworthy?

Name: Guest
Subject: Get to it Apple...

Name: Guest
Subject: What Flaws?

Name: Guest
Subject: Re: What Flaws?

Name: Mav Posts: 1175 Joined: 17 Oct 2003
Subject: I use the "Secunia test"

Secunia often tends to be, how to put it diplomatically, conscientious in its reporting of OS X security flaws.

But I've never heard anything about this from them.

So I'm taking this with a grain of salt.

Name: algr Posts: 282 Joined: 07 Aug 2003
Subject:

Often people make snap decisions first, and then start looking for reasons to justify what they have already decided. That is what this kind of "expert" is for.

People don't want to give the Mac a chance because they don't want to try anything new, or they don't want all the time they spent learning Windows workarounds to go to waste. But it sounds terrible when you SAY it like that, so they go hunting for better sounding reasons.

This is why people will take seriously the idea that a Mac might have a vulnerability someday, and thus stick with Windows that is failing constantly.

Name: algr Posts: 282 Joined: 07 Aug 2003
Subject:

Quote
programming in OS X is too complicated


Here is another good example of coming up with reason-after-decision.

Name: Rainy Day Posts: 607 Joined: 07 Jun 2005
Subject: Levity

Quote
algr wrote:
Quote
programming in OS X is too complicated


Here is another good example of coming up with reason-after-decision.

I think that was a joke.

Name: Rainy Day Posts: 607 Joined: 07 Jun 2005
Subject: Proof is in the pudding

Quote
Guest wrote:
Quote
Guest wrote:
>>Is it just me, or does it sound like he is looking for money to keep quiet?


That is exactly what is going on. He is also trying to sell these "Auditing" tools to Apple. Likely Apple wouldn't bite so he came out with this story to try to force them.

Yeah, and we can see how unsuccessful those auditing tools are for M$, so why should Apple buy them?

Name: Guest
Subject: Who's paying these guys?

Name: JulesLt Posts: 136 Joined: 06 Jul 2005
Subject: We'll see

Well we don't know yet as we haven't seen the end result - my understanding is that MS only recently started using code auditing.

Of course, what automatic code auditing doesn't pick up is when you've deliberately designed a system that will allow an e-mail to automatically run a program. It will just tell you if there is a buffer-overrun in it!

And the problems with Windows have primarily been the second type.

Actually most of them are now fixed, and I think MS have probably learnt their lesson well, but it will take years for them to regain their reputation.

(One way that you can tell they are fixed is by looking at the type of hacks people are trying - Trojans and Spyware have become far more popular than the virus and worm, as Windows has become more robust against the latter. 'Phishing' can target users of any system).

The problem is that we are now in an era when people seize on any 'vulnerability' in Windows, Linux or OS/X as if they are all equally bad (the problems, not the OS)- and public understanding is poor enough that this creates a smoke-screen.
