Security Researcher Slams OS X For 'Ancient Flaws'
4:40 PM EST, January 26th, 2006
Mac OS X has many security problems that have remained unfixed despite the fact that they were repaired in other operating systems over a decade ago, security researcher Neil Archibald told ZDNet Australia. Reporter Munir Kotadia wrote that Mr. Archibald "speculates that should Apple's market share continue to increase, users of the platform could actually end up less secure than users of other platforms such as Microsoft Windows or Linux."
Mr. Archibald added that Apple has left its code "relatively under-audited, which leaves a lot of low-hanging bugs." As an example, he cited the now-patched "dsidentity" bug, which affected Mac OS X v10.4. It "could have easily been exploited to grant a non-privileged user with admin rights and allow that user to create and remove root user accounts," Mr. Kotadia wrote.
Another flaw that remains unpatched "could allow memory corruption and hand control of a process over to an attacker," according to Mr. Kotadia. Mr. Archibald said that Apple is aware of that flaw's existence but has been slow to respond to it. "It expects security researchers to wait indefinitely to release the vulnerabilities and offers no incentive for them to do so," the security researcher said.
In the long term, he added, "Apple's impressive security record is likely to be tarnished if the company continues to grow its market share while undervaluing security researchers and not properly auditing its code." The security problems exist in both the Intel and PowerPC versions of Mac OS X, Mr. Archibald noted.
An Apple spokesperson told Mr. Kotadia that the company won't "comment on what other people say about Mac OS X."
Thanks to The Inquirer for the link.
Observer Comments
Thu Jan 26, 2006 6:21 pm Subject: *Could* happen
Quote: Neil Archibald wrote:
...should Apple's market share continue to increase, users of the platform could actually end up less secure than users of other platforms such as Microsoft Windows or Linux.
Well, yes, but it's all very subjunctive. "Likely to be", "could easily have been", "could actually end up". Future tense, all. No past tense. It hasn't happened, it's not happening, but it could happen.
Still, as ever, there is no need to be complacent. How many exploited bugs have there been?
Having looked at the ancient flaws, the ones mentioned all appear to be in the Darwin/BSD layer, in specific commands - which may not be executed by the typical OS/X user at all.
At some point you need to prioritise work (even Apple only has limited programming resources), and I would guess the first question for Apple will be: does it affect the 95% of users who only use OS/X at the GUI level, and how serious is it? I know there are security holes in code I've written, but at the end of the day there is always a trade-off: making a fix might be a 1-line change, but it will need to be retested, etc.
But hey, what better way is there to buy publicity for a security consultancy than finding flaws in 'unbreakable' systems like OS/X or Oracle, as opposed to Internet Explorer? Or are they spending their time looking at this code for the good of everyone?
Thu Jan 26, 2006 9:21 pm Subject: guy's looking for a job
Fri Jan 27, 2006 2:30 am Subject: I use the "Secunia test"
Often people make snap decisions first, and then start looking for reasons to justify what they have already decided. That is what this kind of "expert" is for.
People don't want to give the Mac a chance because they don't want to try anything new, or they don't want all the time they spent learning Windows workarounds to go to waste. But it sounds terrible when you SAY it like that, so they go hunting for better-sounding reasons.
This is why people will take seriously the idea that a Mac might have a vulnerability someday, and thus stick with Windows, which is failing constantly.
Fri Jan 27, 2006 6:00 am Subject: Proof is in the pudding
Quote: Guest wrote:
Quote: Guest wrote:
>> Is it just me, or does it sound like he is looking for money to keep quiet?
That is exactly what is going on. He is also trying to sell these "Auditing" tools to Apple. Likely Apple wouldn't bite so he came out with this story to try to force them.
Yeah, and we can see how unsuccessful those auditing tools are for M$, so why should Apple buy them?
Well, we don't know yet, as we haven't seen the end result. My understanding is that MS only recently started using code auditing.
Of course, what automatic code auditing doesn't pick up is when you've deliberately designed a system that will allow an e-mail to automatically run a program. It will just tell you if there is a buffer-overrun in it!
And the problems with Windows have primarily been the second type.
Actually most of them are now fixed, and I think MS have probably learnt their lesson well, but it will take years for them to regain their reputation.
(One way that you can tell they are fixed is by looking at the type of hacks people are trying - Trojans and Spyware have become far more popular than the virus and worm, as Windows has become more robust against the latter. 'Phishing' can target users of any system).
The problem is that we are now in an era when people seize on any 'vulnerability' in Windows, Linux or OS/X as if they are all equally bad (the problems, not the OS), and public understanding is poor enough that this creates a smoke-screen.