The Mac Observer

TMO Reports - Cutting Through the OS X Security Rhetoric

by , 2:45 PM EDT, May 2nd, 2006

Much has been written about future, potential problems with OS X security, but so far no widespread documented issues have occurred. On the heels of Monday's report from The SANS Institute that Mac OS X vulnerabilities are on the rise, The Mac Observer took a look at some of the recent rhetoric surrounding the operating system's security.

With Apple launching a new series of TV ads, one of which touts the fact that Mac OS X is virus-free, it seems that the company will also need to combat some of the misinformation being spread by the media, as well as deal with accusations that it's not responding fast enough to vulnerabilities when they're reported.

For example, an Associated Press story that ran on CNN's Web site on Monday described a computer user named Benjamin Daines who had "clicked on a series of links that promised pictures of an unreleased update to his computer's operating system." According to the article, "a window opened on the screen and strange commands ran as if the machine was under the control of someone -- or something -- else."

The promised pictures of an unreleased OS X update sounded like the OSX/Leap-A Trojan horse that hit the Internet in February. While it affected very few users, it did prompt media reports that OS X was on the verge of suffering the same problems that have been plaguing the Windows world for the past several years.

When contacted for comment, Johannes B. Ullrich of The SANS Institute took exception to the attack being characterized as a virus, but he did say that it "sounds very much like the 0-day from earlier this year. The exploit would wrap a shell script inside an archive file, which would auto execute as the user accesses it via Safari. The user would typically see a command shell pop up."

He added: "We did see a number of uses of this exploit. I wouldn't characterize them as a virus, as they didn't self-replicate. They fall more in the category of 'bots' as they will then connect back to some kind of command and control server to allow the attacker to execute additional commands.

"Such a bot would be able to perform any action the user would be permitted to perform. For example, the bot would be able to connect to network services, send e-mail or modify/delete files owned by the user."

Apple Responding in a Microsoft-Like Manner?

Tom Ferris, a security researcher whose uncovering of five OS X vulnerabilities was publicized by Secunia last week, agreed with Mr. Ullrich's assessment when contacted via e-mail. He was also featured in that Associated Press story, warning that Apple's slowness to respond to security issues reminded him of Microsoft's attitude three years ago. "They didn't know how to deal with security, and I think Apple is in the same situation now," he was quoted as saying.

An Apple spokeswoman told the AP reporter that Apple will fix the vulnerabilities reported by Mr. Ferris in its next OS X update. She also said that the issues wouldn't enable someone to execute code on a Mac and in fact haven't been exploited in any real world situations that the company is aware of.

Mr. Ferris, however, told The Mac Observer that it took Apple three attempts to fix a core vulnerability in Safari, and it's possible that that flaw is what was exploited in Mr. Daines' situation. He did add, though, that he would expect a malware author to "code the exploit in a way where you would not see anything pop up on your screen. It would just install his malware in the background, under the context of the logged in user."

Give and Take

Elsewhere on the Web, the recent flurry of OS X security talk prompted tech-oriented editorials on both sides of the issue. In a Washington Post blog, for example, Brian Krebs assembled an exhaustive list of the security patches issued by Apple over the past two years and found that the company averaged 91 days to fix each one. He wasn't able to determine the length of time for a fix for all of them, however, because in some cases either Apple or the researcher who found it wouldn't divulge a date.

Mr. Krebs started the project in January and was initially rebuffed by Apple when he asked to speak to someone there about it. Eventually, though, the company allowed him to talk to Bud Tribble, its vice-president of software technology, who said that the lag time between a vulnerability's discovery and a patch has a lot to do with the QA process. "[A Mac user] simply expects things to work with single button click, and that means we have to take time to do that correctly," he said.

Mr. Tribble also pointed out that Apple averaged around 50 days to patch the most critical bugs, although Mr. Krebs noted that the company wouldn't give discovery dates for about a third of them, so it wasn't possible to obtain independent confirmation of that figure. The Apple executive did say, however, that the company wants to improve its turnaround time for security fixes.

While it's obvious that Mac OS X is currently a more secure and stable operating system than Windows XP, several of the security experts contacted by Mr. Krebs felt that hackers are starting to pay more attention to it by virtue of Apple's higher profile, which could lead to an onslaught of malware that users aren't ready to counter. One also noted that with cracked copies of OS X running on cheap PCs, malware authors also now have an inexpensive way to develop their exploits.

Not everyone is crying fire at the first sign of smoke, however. Scott Bradner on Monday published a column at Network World in which he noted: "There have been a few actual OS X attacks found in the wild (that is, the software is being used, not just a security-expert exercise) but not many. Last I read, there were fewer than five, compared with many thousands for Windows (even if many were exploiting the same underlying vulnerabilities)."

"OS X is not going to be vulnerability-free," he concluded, "but I do expect it to show significantly fewer vulnerabilities than Windows has. That does not mean OS X users can ignore security -- at the very least, enable the built-in personal firewall -- but it does mean you should not stay with Windows because you think it will be safer."

Observer Comments

View Name:Guest
Subject: OSX is safe no doubt about it.
View Name:Guest
Subject: Unfolding
View Name:Guest
Subject: Software = bugs
Close Name:LaurieF -   TMO Forum Mod Posts: 3528 Joined: 15 Jun 2001
Subject:

You've replaced one bit of begging the question by another. You're correct, to an extent, in saying that the pedestal placing requires proof. However, six years down the track without a guaranteed replication of a virus in the wild is pretty good empirical proof.

Also you claim that many errors go unnoticed - it's certainly possible - as far as we know, we've never had an undetected error. But you state that this is because it isn't a highly targeted OS - as well as question-begging, it's also a non-sequitur.

View Name:Guest
Subject: hmm i wonder is this article a retort or editorial?
View Name:Guest
Subject: How Laughable!
View Name:Guest
Subject: Response time?
View Name:Guest
Subject:
View Name:Guest
Subject: Cheap PC's
View Name:Guest
Subject: huh
View Name:Guest
Subject: all I have to say is LOL
View Name:Guest
Subject: software = bugs = hogwash
View Name:Guest
Subject: Apple needs a security chief
Close Name:LaurieF -   TMO Forum Mod Posts: 3528 Joined: 15 Jun 2001
Subject: Re: all I have to say is LOL

Quote
Anonymous wrote:
I just laugh at the mac occult


Occult? I love it.

Excuse me, I have to go sacrifice an HP-XP box on the altar of Jobs…

Close Name:metavurt Posts: 163 Joined: 16 Jun 2003
Subject: Core Inherent Issues Between Windows and OS X

For all the guests saying "it's only time..." or "it's such a small target audience" or "OS X security is theoretical" ... let me just slap some sense into yo lame arses.

If you've already forgotten, Microsoft started its days in DOS, and _to_ _this_ _day_ DOS is still the underpinning to Windows. Windows is *only* just that, a "windowing system" built on top of an OS.

Mac has done the same thing, but the system it's built on top of has YEARS of experience in network environments before DOS even existed in the form that is MS-DOS. Finally, in the 90s, Microsoft thought they better do something about the network thing. Meanwhile, all of us were starting to surf because interlinked servers running, you guessed it, variants of Unix allowed us to connect.

Do you see my point? Where you scoff at the security of OS X as being theoretical, or over-hyped, or whatever, you're basically saying that the engine it runs on, which has been out there in the real world, standing firm and strong because of so many individuals making it more and more robust, is just a figment of our imagination.

Grow up, do some research, read about the machines you work and live on before spouting such ignorant blissful ideas.

Unless Gates gives the command to rewrite Windows on top of a *nix variant, there will ALWAYS be an inequality between the OS X and Windows, and one will always be playing catch up.

You can compare stats of servers, home use, business use, real use, virtual use, whatever you can think of and each and every time, you will find a *nix variant will continue to dominate in terms of reliability, security, and modularity.

View Name:Guest
Subject: OS X != Perfect
View Name:Guest
Subject:
View Name:Guest
Subject: OS X and Free BSD
Close Name:LaurieF -   TMO Forum Mod Posts: 3528 Joined: 15 Jun 2001
Subject:

No.

View Name:Guest
Subject: Flaws in OS X do not automatically equate to insecurity
Close Name:Roger Plowman Posts: 29 Joined: 01 Nov 2003
Subject: Re: Metavurt

You really need to research before posting.

"If you've already forgotten, Microsoft started its days in DOS, and _to_ _this_ _day_ DOS is still the underpinning to Windows. Windows is *only* just that, a "windowing system" built on top of an OS."

This was true of the 9x line. It is not true of the NT line, which was designed by the same person who designed DEC's VMS. See here:

http://www.windowsitpro.com/Articles/Index.cfm?IssueID=97&ArticleID=4494

A quote: "Most of NT's lead developers, including VMS's chief architect, came from Digital, and their background heavily influenced NT's development"

XP's DOS box is backwardly compatible, but it is not "the underpinnings" of Windows. Windows XP is not a shell on top of DOS, any more than OS X is a shell on top of MacOS 9.

The rest of your post is equally clueless.

And speaking of security, TMO was hacked this morning. As a matter of curiosity, what kind of servers does TMO run on? Bryan?

Close Name:Intruder -   TMO Mac Specialist Posts: 3063 Joined: 07 Jul 2004
Subject:

Roger,

To be precise, phpBB was hacked.

I don't know what hardware TMO is hosted on, though.
