Mac OS X security myth exposed


MacBytes
Jun 24, 2004, 02:50 PM
Category: Reviews
Link: Mac OS X security myth exposed (http://www.macbytes.com/link.php?sid=20040624155041)
Posted on MacBytes.com (http://www.macbytes.com)

Approved by Mudbug

Mudbug
Jun 24, 2004, 02:50 PM
There's a myth? What myth?

michaelrjohnson
Jun 24, 2004, 03:09 PM
I hate when I read articles that quote "facts" or "common perceptions". In this case, it's the perception that Mac OS X is secure. It is simply untrue that OS X has been touted as a "Secure" operating system; in fact, it *has not*. Not by Apple, not by anyone else (except for Techworld staff). It has been touted as "Stable" and they are two very different things.

A common discussion is that of Mac OS X's *perceived* security. But that refers to (rightly so) the lack of attacks on the OS. The lower volume of threats against Mac OS X does not make it a more secure OS. It makes the OS *seem* more secure to its users. But anybody who is in tune to these facts is aware that Mac OS X is just as vulnerable (as the company's statistics present, more so, in fact) but much less susceptible.

Apple is aware of these distinctions, and of its lower security threshold than other OSs. We will see much tighter security in OS X 10.4, in efforts to counter these "facts".

stcanard
Jun 24, 2004, 03:10 PM
It's odd how every single article that talks about comparing security manages to come up with a completely different set of statistics than any other article supposedly talking about the same thing.

kenkooler
Jun 24, 2004, 03:11 PM
The difference is that many of these "holes" rely on services that are turned off by default on Mac OS X

yamabushi
Jun 24, 2004, 03:40 PM
Secunia's comparison by number of security advisories is ridiculous. Not only does this ignore numerous security problems, it also ignores the fact that many advisories are solutions and not problems themselves. For example their own list of advisories for OSX includes at least nine updates from Apple that each fix numerous security holes.

Secunia fails to distinguish reports of new known vulnerabilities from patches to correct the same. Secunia also ignores the vast number of existing known vulnerabilities and whether or not each has been addressed. They also treat any disk access as equally dangerous access to the system when this is not the case. There are numerous other misleading assumptions they make that together eliminate almost all of the value of their reports.

aarond12
Jun 24, 2004, 04:44 PM
The difference is that many of these "holes" rely on services that are turned off by default on Mac OS X

The author is just spreading FUD.

He COULD be correct, however, that Windows is more secure than Mac OS X... if you turned ALL the services on, enabled root access, changed your root password to nothing or "password", and attached your Mac directly to the 'net without a firewall or router.

What a dumba$$...

-Aaron-

spaz
Jun 24, 2004, 05:02 PM
this will just be another thing for people to argue about for years to come.

ask a Mac user how many times their computer has been brought down by "security holes" and then ask a PC user the same question.

'nuff said.

Abstract
Jun 24, 2004, 05:03 PM
But you can say that about any security report...

While I'm not too sure what to make of their statistics, I do believe their generalization that Mac OSX isn't more secure than other operating systems. I know that MichaelJohnson above said that OSX is more "stable" than other systems, and that Apple never claimed to be more "secure", try telling that to everyone else. This news is supposed to dispel the illusion and high-and-mighty attitude of Mac (or Windows-alternative) users that their system is safer.

But even from their own numbers, Mac OSX has fewer vulnerabilities than other platforms, and although 33% of them are deemed major, that's 33% of only 36, or 12 major vulnerabilities. If Microsoft had 46 vulnerabilities and only 30% were critical, then OSX is still better off. Other OSes had more than 50 vulnerabilities.

unoriginl
Jun 24, 2004, 05:32 PM
The claims made by this author aren't even substantial given his own numbers. He says that "Mac OS X doesn't stand out as particularly more secure than the competition, according to Secunia." But if you look at the numbers given, OS X had almost 22% fewer advisories than Windows. That *IS* significant. Furthermore, with OS X almost 45% FEWER of those advisories were for enabling system access. I'd say that's significant too.

Nobody ever said OS X had no vulnerabilities.

Jayson

bousozoku
Jun 24, 2004, 05:50 PM
Techworld and Secunia--a match made in heaven. Funny how they keep beating this worn out drum.

Yes, there are plenty of security flaws in Mac OS X, not as many as in Windows but quite a few. The trouble is that you have to turn on various services to allow the vulnerabilities to be exploited because they're turned off by default. Even then, the URI flaw was huge and could have caused disaster, so why didn't someone take advantage of it?

It's funny how Secunia, which seems to sell security services, tends to downplay patches. They have all this big, bold text telling of flaws but only a tiny bit of text to say that a patch is available. They also don't mention that Software Update can be set to download and install the patches automatically. It's almost as if they want Macintosh users to feel the need to hire them to make certain that their company's machines will be secure. Odd, that.

stcanard
Jun 24, 2004, 05:55 PM
I do believe their generalization that Mac OSX isn't more secure than other operating systems.

It all depends on your context.

The first point is that Panther (and you have to be careful, this is different from Jaguar, which I am not sure about) by default ships in a more secure configuration than the current Red Hat, Windows XP, and Windows XP SP1.

This is due to having a very conservative set of services running, the firewall turned on by default, and a setup that pushes the user away from running in a root account.

What you do with the system once you get it makes all the difference, though. You could turn off the firewall, start a wu-ftp server and open sendmail relay, and have one of the most insecure systems available if you want.

The second point is that any analysis of relative security cannot rely solely on the number of advisories; the severity and the ease of exploit must also be factored in.

For instance, that OSX exploit that was publicized some time ago, where if someone managed to insert a rogue DHCP server into your LAN, and your system queried that server before it got to the real server, then assuming you had left your default settings they could give you a fake LDAP server which then opened your system up to a remote attack, by the statistics in this article counts as equivalent to the Windows hole that led to the Sasser worm.

Now, if you look at it logically, obviously one is far more exploitable than the other, and by inference leads to a more insecure system. But pulp journalism tends to prefer to avoid actual analysis, because it's easier to overwhelm with numbers.

jasonbw
Jun 24, 2004, 06:06 PM
kinda odd.

according to the secunia site, there are NO extremely critical advisories for windows xp. there are none for windows 2000, nor me, se, 98, 95 or NT

there are 53 advisories for ie 6 alone, 13% are extremely critical.
there are 44 for ie 5.5, 14% are extremely critical.
there are 34 for ie 5.01, 17% are extremely critical.

how is it that none of those advisories are counted towards any MS OS?

cabes
Jun 24, 2004, 06:48 PM
I'd like to see the percentage of Windows systems that have been compromised versus OS X, esp. Panther. I'm an IT professional that works with XP/95/98/NT4/2K/2K+3/Linux at work. I recently switched to OS X at home and certainly "feel" more secure than with Microsoft crap.

I just read of a guy who was installing XP and it got attacked before he had a chance to go to WindowsUpdate. That's a huge problem. There's no way OS X is less secure out-of-box. I want to see unbiased numbers, that's all.

The whole "enabled services" argument is entirely valid. Case: In the last 3 years NONE of the Apache security vulnerabilities have applied to me because I compile it with the LEAST amount of modules that I need. Plus my company's Linux box that I run the site on is behind a firewall, etc. I let nothing in but web traffic and that makes all the difference.

The moral of the story is to shut down all services not necessary, restrict access to the remaining running services (firewall), configure the public services with as few features as needed, keep up-to-date on your software, and try to stay away from the historically insecure services (FTP, telnet, SSH, webdav, smb, etc....).

Nermal
Jun 24, 2004, 07:50 PM
As soon as the word "Secunia" was mentioned, I stopped reading :rolleyes:

solvs
Jun 25, 2004, 12:55 AM
Wait... OS X has fewer security issues than the recent ones XP has had (not even including Win 2000 and NT), and OS X is less secure!?!

I still don't get it. The math is fuzzy. :confused:

Krizoitz
Jun 25, 2004, 09:41 AM
OS X is insecure? Sure if you start enabling things that are OFF by default. That's like saying the Pentagon isn't secure just because you could fire all your security guards, turn off the security systems and leave all the doors unlocked...

wbotich
Jun 25, 2004, 09:45 AM
Here's what I told them:

I am writing you in response to your recent article about security in Mac OS X and how it compares to other operating systems.

First off I want to point out a glaring omission in the article. The article states that Windows XP Professional had 46 advisories in 2003-2004 and cites the source as secunia.com. Well I went to secunia.com and the article fails to mention that now there are 66 advisories even though the statistics are only based on 46. Mac OS X on the other hand still only has 36.

The article then states that Mac OS X "had the highest proportion of 'extremely critical' bugs at 19 percent." Well, this is misleading because you use the word "proportion." Of course there is going to be a higher proportion of "extremely critical" bugs, Mac OS X has the least number of total advisories.

And if you look at the numbers, Mac OS X still performed 14% better than Win XP Professional on preventing system access. Not to mention that "vulnerabilities allowing remote attacks" doesn't tell us a whole lot. Mac OS X had a bug where the user had to click on a link on a website for the hole to be exploited. Somehow I don't think that compares to a worm invading your system without the user having to do anything.

I appreciate being shown that Mac OS X may not be as secure as I think. I think you went a step too far in portraying Mac OS X in the worst possible way. I expected a fair and balanced article and what I got were statistics used to depict OS X in a bad light--not to mention many of the statistics given were vague (as I described above). In the future I would like to see an article that actually did some in-depth research and compared these operating systems bug for bug--not some clever citing of vague statistics.

Mudbug
Jun 25, 2004, 09:58 AM
be sure and let us know if you get a response...

shamino
Jun 25, 2004, 10:02 AM
Wow. They're right. MacOS X is the least secure system on Earth.

That must be why we've had dozens of Mac viruses routinely crippling the internet for the past few years.

zulgand04
Jun 25, 2004, 10:44 AM
This is quite funny considering the big security problem going around the net today on windows machines with IE. That you just have to surf to any page and you could dl the trojan without knowing, now I call that a major security flaw!
Security flaw (http://news.com.com/Researchers+warn+of+infectious+Web+sites/2100-7349_3-5247187.html?tag=nefd.top)
-Neal

yamabushi
Jun 27, 2004, 11:25 PM
Need a secure OS? According to Secunia (http://secunia.com/product/832/) OS9 beats them all with just one advisory! :rolleyes: That is, if you use the same idiotic method of comparison as the author of this article.

themadchemist
Jun 28, 2004, 04:56 PM
It seems like a good bit of their information regarding vulnerabilities is derived from updates released by a given company fixing security flaws...Therefore, the more updates provided, the more problems the system must have. That makes PERFECT SENSE.

So much MORE sense than the idea that a company that provides many updates is more responsive...

This might be crazy folks, but maybe Apple just happens to be more on top of security flaws and more adept at taking care of them.

All I know is that the next time I get a virus on my Mac or someone takes control of my system, I'll check back in and let you know.