
munkery

macrumors 68020
Dec 18, 2006
2,217
1
As we've hit upon in the last few posts, the severity of an exploit is mitigated by the likelihood that one will run across the exploit. Munkery focussed on the former, and ignored the latter.

So, there is no such thing as botnets?

http://threatpost.com/en_us/blogs/tdl4-rootkit-now-using-stuxnet-bug-120710

And, corporate and government networks never get compromised?

http://bits.blogs.nytimes.com/2011/06/22/security-professionals-say-network-breaches-are-rampant/

I am not stating the probability is 100%.

I am saying the probability is greater for the users of Windows.

If any reactivity is unwarranted, it is the reactivity directed against the fact that the probability of exploitation is greater in relation to Windows.
 

Hyper-X

macrumors 6502a
Jul 1, 2011
581
1
I work with corporate firewalls. If you say it's a big issue, then you need to show me how it can happen, using everyday terminology; otherwise what you keep linking has little to no value. Not every firewall works the way sans.edu points out, and I hardly believe they've tested every corporate firewall structure, as many companies implement firewalls either at the hardware, software or firmware level, or a combination of them, differently.

The demonstration/article clearly shows he's at the computer terminal, inside the LAN on a 192.xxx.xxx.xxx ip address. If the person already has local access to the machine there's no need to use exploits as he's right in front of the machine.

You seem to believe that security is all about 1 giant defense when in fact security is all about creating layers. Not a single form of defense/protection/security is sufficient. What kind of layers does a malicious user have to work around just to create that situation in order for it to happen?

I keep asking you to give me a clear-cut situation that can put me at that sort of risk and you keep not answering my question; again, the ball's in your court to put out those details. Otherwise, no offense, but everything you're saying about how insecure Windows, IE9 or whatever Microsoft product you seem to hate is, is like the guy walking the streets telling everyone the world's going to end. I could walk outside my house right now and get run over by a car; does that mean every time I choose to go outside I should put myself in a military tank just to check the mailbox?

Who are these "security professionals"? Professionals in almost every field have been wrong many times over. People used to say broadband internet like ADSL/Cable would be a leap backwards because you're always online and could put you at serious risk from malicious people on the internet, do you see people rushing to purchase dial-up modems due to those claims?

Neither is a virus or a trojan. Stuxnet is a worm but was of no significant risk to any major area in the USA because it requires a very specific set of circumstances to be satisfied to even be considered annoying, and that's assuming the user had dropped all forms of security levels to near absent. FWIW you could've also mentioned Melissa and the ILOVEYOU virus too then.

TDL4 was overstated, exaggerated and is neither a virus, trojan nor worm; it falls under the category of a rootkit. Many corporate systems were not affected, the issue has been patched, and the fix is very easy. There's no proof of the claims of the amount of infected machines. Anyone can be a security professional and make a claim about "nearly 1 million machines were infected..." I hear that sort of stuff every day in Starbucks from other customers trying to strike up a conversation.

What I want is proof; I'm not asking for anything hard if the claims are genuine and authentic. If anything's a major risk to my machines then the person making the claims of the problems should IMHO be able to show me exactly how to recreate the situation that would put my system at risk. A link to an internet article is not proof; anyone, including me, can post up a very convincing article and make claims about anything.

Possible but again insignificant. Do you have any recent articles other than those from late 2010? I swear most of your links contain outdated information.

Most consumer machines are not running IIS services, in Feb 2011 SP1 was released to Windows 7 which took care of some of it however it's not a complete solution. There is a workaround, if you really fall into the specific situation that might put you at risk, which adds an "access control entity" to restrict arbitrary access.

http://support.microsoft.com/kb/2264072

If you're a security researcher, then you know a maliciously crafted website is required for a browser exploit.

http://www.eeye.com/Resources/Security-Center/Research/Zero-Day-Tracker/2011/20110402
So what you're saying is that I MUST visit a boobytrapped website for this to put me at risk. So anyone using moderate to normal security settings on most modern browsers puts themselves at very little risk, since most browsers will tell you that you're about to visit an untrusted or risky site. If that's not enough, most antivirus/internet security suites are more than capable of ensuring you can't even go to sites like that. It's different if a user chooses to go forward to that site despite warnings, but I'd argue that the security risk is more about the user than it is about the machine.
 

JAT

macrumors 603
Dec 31, 2001
6,473
124
Mpls, MN
You guys have won me over. Clearly, all anti-malware efforts for Windows OSes should stop, since there is no threat. I'll go start telling everyone.
 

munkery

macrumors 68020
Dec 18, 2006
2,217
1
@Hyper-X

So, there is no such thing as botnets?

http://threatpost.com/en_us/blogs/tdl4-rootkit-now-using-stuxnet-bug-120710

And, corporate and government networks never get compromised?

http://bits.blogs.nytimes.com/2011/06/22/security-professionals-say-network-breaches-are-rampant/

I am not stating the probability is 100%.

I am saying the probability is greater for the users of Windows.

If any reactivity is unwarranted, it is the reactivity directed against the fact that the probability of exploitation is greater in relation to Windows.
 

Hyper-X

macrumors 6502a
Jul 1, 2011
581
1
You guys have won me over. Clearly, all anti-malware efforts for Windows OSes should stop, since there is no threat. I'll go start telling everyone.
Actually it's the opposite, malware is a threat to everyone, not just limited to Windows PC users. Windows garners a lot of attention over any other desktop OS due to reasons we all already know.

I have no idea where you're going with that. Windows already has more attention than any other OS regarding any threat, so it stands to reason that it's going to have higher occurrences almost in proportion to its marketshare across all other OSs.

When did I ever say that there's no botnets or that corporate systems never get compromised?

Munkery, if what you're saying is that there are security issues with Windows, then you have zero arguments from me, in fact I'd go as far as to state you're missing a whole lot more that I'm aware of that's lacking in all of your links combined.

However, as one other person appears to understand, security issues must be weighed against the probability (likelihood) of each host encountering them. That determines the overall risk level of that initial threat. I'm not saying any of the issues you put out are insignificant; the overall risk level, which incorporates the probability and the circumstances that must be satisfied, makes the risk level insignificant.

MattInOz said:
Your controls are not enforceable in practice without paying dedicated office police. Even then could you ban drinks being served in meetings or would you ban the laptop, either is just going cause a venue change.
I think you went on a tangent there with your example but I get what you're saying. However my example is just that, an example of how controls can be implemented to mitigate risks to an acceptable level, not be a perfect example of how a risk can be brought down to zero chances of it ever occurring.

When it comes to security, there's a problem when you implement too much as much as when you implement not enough. I'm sure you know what too little can do. However, too much means spending too many resources, which may affect productivity and, in people's cases, motivation. The ideal way to implement security is to find out just how much you need; then, if there's a situation that calls for tighter controls, implement them and reassess the residual risk. The risk management process is a never-ending cycle.

Let's take smoking: in many places in the US, there are designated smoking areas. The chances of a non-smoker encountering second-hand smoke are much lessened and it would appear that everyone is happy. Smokers have a place to smoke and non-smokers don't have to work in a smoke-filled environment. There's no need for cigarette police to be around; the perfect solution would be to make cigarettes illegal, however you'd have as many unhappy people as you would satisfied folks with such a measure.
 

munkery

macrumors 68020
Dec 18, 2006
2,217
1
@Hyper-X

The marketshare argument is unfounded.

Various examples disprove the marketshare argument.

Linux has more examples of malware than OS X despite Linux having a smaller marketshare.

IIS has more examples of malware than Apache despite Apache having a greater marketshare and Apache being released several years prior to IIS.

Windows has disproportionately more examples of malware than other OSs in relation to the respective marketshares of the OSs.

Beyond that, I guess we have to agree to agree.

Windows is less safe and less secure than OS X, Linux, and many other OSs.
 

Hyper-X

macrumors 6502a
Jul 1, 2011
581
1
@Hyper-X

The marketshare argument is unfounded.
Untrue. Microsoft has a variety of operating systems that goes beyond just raw marketshare. Apple does not have any product remotely equivalent to Windows XP, not even close to its overall use worldwide, and still officially supported by the company. 8 years of exposure means a lot of time for development both proactive and malicious to occur.

Linux has more examples of malware than OS X despite Linux having a smaller marketshare.
Linux in itself has zero marketshare, Linux is GNU, nobody sells Linux and claims ownership thus there is no official source of support for Linux. Redhat is the closest thing I can think of that might challenge my comment however... Red Hat does not sell Linux. It takes the software packages developed by Linux volunteers, tests them, assembles them into a working operating system and ships the result on a compact disc along with a manual and a promise of support.

IIS has more examples of malware than Apache despite Apache having a greater marketshare and Apache being released several years prior to IIS.
Again, insignificant risk levels. Quantity of available malware does not mean higher risk levels. Besides, while Apache may have a higher marketshare, it still doesn't change the fact that IIS is the preferred platform for Fortune 1000 companies. That in itself creates a situation where malware would prefer to target IIS systems.

It would be like saying you can sing 20 songs whereas I only know 4 songs. On the surface it might seem that you're 5 times better than I am but knowing more songs does not equate to you being able to sing them well. Last time I checked, the security issues which plague both IIS and Apache web platforms are very close.

Windows has disproportionately more examples of malware than other OSs in relation to the respective marketshares of the OSs.
Odd, especially when you look at the iPad which has a disproportionate amount of malware available for iOS than any other tablet OS platform. Does this mean we should all ditch our iPads and trade for Android 3.x?

Windows is less safe and less secure than OS X, Linux, and many other OSs.
I had a feeling you wanted to say this all along: many other OSs... how many other OSs are out there, and what is their total count being used globally? OSX has yet to prove itself more secure than OpenBSD; by comparison OSX is a huge gaping hole of issues compared to it. Does this mean people should jump ship and run for the OpenBSD hills? How many issues have surfaced about OpenBSD, what, 2 in 20 years? If security was that big of an issue with you, Munkery, why aren't you on OpenBSD, which is clearly, without question, much more secure than OS X anything? I have a pretty good theory; it's called "Apple fanboy". I don't mean it in a derogatory way; heck, there's likely more Windows fanboys out there and I've challenged many of their statements as well.

The real question is what is less secure and what are the real-world risk levels towards users, both home and business. You say Windows is less secure than OSX; however, the question still remains, how much less does "less secure" actually mean? Munkery, you obviously don't know and I don't either, since I keep asking you to provide examples of how I can put myself at risk by offering my machine as a guinea pig. I got you to reveal just 1 thing, which was that I had to visit a boobytrapped website to exploit my browser. Here I am trying to help you out by deliberately trying to find these boobytrapped websites on purpose, meaning I'm trying to intentionally do something stupid, and I can't find anything where my browser, firewall and/or total protection software hasn't already warned me or flat out prevented me from visiting any of those risky sites. Part of the issue is using search engines. Google already does a good job knocking out many if not all of those booby trapped sites, so I had to resort to other more primitive methods in order to have my machine compromised, and still no luck. :(

A bullet, if used right can kill any person, however a bullet alone can do no significant harm. Circumstances must be set in motion for it to raise its inherent risk level to something that can potentially harm someone. Guns alone are not dangerous as without any ammunition it's no better than an equivalent striking object.

There is something called acceptable risk; nothing in this world would be what it is now without it. The food you eat, the car you drive, the water you drink, the air you breathe, the data you interact with online... all put you at risk, because you don't go around confirming the validity of what is actually safe; you accept the risks based on your own personal reasoning. Is there a chance that you might inhale something that'll get you killed in a week? Sure, however does this mean you should stop breathing altogether or start buying cans of sealed air? No. How likely is this to happen in your situation? Probably not very likely, very insignificant if anything... so go out and enjoy the fresh air, my friend!
 

munkery

macrumors 68020
Dec 18, 2006
2,217
1
Linux in itself has zero marketshare, …..

Linux marketshare is currently around 1% if you do not include Android, which brings that pretty close to 2%.

http://www.ubuntu.com/

http://fedoraproject.org/

http://www.opensuse.org/en/

Last time I checked, the security issues which plague both IIS and Apache web platforms are very close.

Can you provide a link to a public and unpatched zero day that affects fully patched Apache?

I provided one for IIS.

http://www.eeye.com/Resources/Security-Center/Research/Zero-Day-Tracker/2010/20100811

Odd, especially when you look at the iPad which has a disproportionate amount of malware available for iOS than any other tablet OS platform. Does this mean we should all ditch our iPads and trade for Android 3.x?

I think you have been misinformed.

http://bit.ly/iZceu4

http://www.computerworld.com/s/arti...cover_more_Android_malware_on_Google_s_Market

You say Windows is less secure than OSX, however the question still remains, how much less does "less secure" actually mean,

Here is a comparison of OS X to Windows:

1) Until Vista, the admin account in Windows did not implement DAC in a way to prevent malware by default. Also, Windows has a far greater number of privilege escalation vulnerabilities that allow bypassing DAC restrictions even if DAC is enabled in Windows.

Much of the ability to turn these vulnerabilities into exploits is due to the insecurity of the Windows registry. Also, more easily being able to link remote exploits to local privilege escalation exploits in Windows is due to the Windows registry.

Mac OS X does not use an exposed monolithic structure, such as the Windows registry, to store system settings. Also, exposed configuration files in OS X do not exert as much influence over associated processes as the registry does in Windows.

Mac OS X Snow Leopard has contained only 2 elevation of privilege vulnerabilities since it was released; obviously, neither of these was used in malware.

http://www.exploit-db.com/bypassing-uac-with-user-privilege-under-windows-vista7-mirror/ -> guide to develop exploits to bypass UAC by manipulating registry entries for kernel mode driver vulnerabilities.

https://media.blackhat.com/bh-dc-11/Mandt/BlackHat_DC_2011_Mandt_kernelpool-wp.pdf -> more complete documentation about Windows kernel exploitation.

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=win32k+ -> list of incidences of kernel mode driver vulnerabilities.

http://threatpost.com/en_us/blogs/tdl4-rootkit-now-using-stuxnet-bug-120710 -> article about the TDL-4 botnet which uses a UAC bypass exploit when infecting Windows 7.

2) Windows has the potential to have full ASLR but most software does not fully implement the feature. Most software in Windows has some DLLs (dynamic link libraries = Windows equivalent to dyld) which are not randomized.

http://secunia.com/gfx/pdf/DEP_ASLR_2010_paper.pdf -> article overviewing the issues with ASLR and DEP implementation in Windows.

Also, methods have been found to bypass ASLR in Windows 7.

http://vreugdenhilresearch.nl/Pwn2Own-2010-Windows7-InternetExplorer8.pdf -> article describing bypassing ASLR in Windows 7.

Mac OS X has full ASLR implemented on par with Linux. This includes ASLR with position independent executables (PIE). DLLs in Windows have to be pre-mapped at fixed addresses to avoid conflicts so full PIE is not possible with ASLR in Windows.

3) Mac OS X Lion has DEP on stack and heap for both 64-bit and 32-bit processes. Third party software that is 32-bit may lack this feature until recompiled in Xcode 4 within Lion. Not much software for OS X is still 32-bit.

But, not all software in Windows uses DEP; this includes 64-bit software. See article linked in #2.

4) Mac OS X implements canaries using ProPolice, the same mitigation used in Linux. ProPolice is considered the most thorough implementation of canaries. It is known to be much more effective than the similar system used in Windows.

http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-silberman/bh-us-04-silberman-paper.pdf -> article comparing ProPolice to stack canary implementation in Windows.

5) Application sandboxing and mandatory access controls (MAC) in OS X are the same thing. More specifically, applications are sandboxed in OS X via MAC. Mac OS X uses the TrustedBSD MAC framework, which is a derivative of MAC from SE-Linux. This system is mandatory because it does not rely on inherited permissions. Both mandatorily exposed services (mDNSresponder, netbios...) and many client-side apps (Safari, Preview, TextEdit…) are sandboxed in Lion.

Windows does not have MAC. The system that provides sandboxing in Windows, called mandatory integrity controls (MIC), does not function like MAC because it is not actually mandatory. MIC functions based on inherited permissions so it is essentially an extension of DAC (see #1). If UAC is set with less restrictions or disabled in Windows, then MIC has less restrictions or is disabled.

http://www.exploit-db.com/download_pdf/16031 -> article about Mac sandbox.

http://msdn.microsoft.com/en-us/library/bb648648(v=VS.85).aspx -> MS documentation about MIC.

https://media.blackhat.com/bh-eu-11/Tom_Keetch/BlackHat_EU_2011_Keetch_Sandboxes-Slides.pdf -> researchers have found the MIC in IE is not a security boundary.

6) In relation to DAC and interprocess sandboxing in OS X in comparison with some functionality of MIC in Windows 7 (see #5), the XNU kernel used in OS X has always had more secure interprocess communication (IPC) since the initial release of OS X.

Mac OS X, via being based on Mach and BSD (UNIX foundation), facilitates IPC using mach messages secured using port rights that implement a measure of access controls on that communication. These access controls applied to IPC make it more difficult to migrate injected code from one process to another.

Adding difficulty to transporting injected code across processes reduces the likelihood of linking remote exploits to local exploits to achieve system level access.

As of OS X Lion, the XPC service has also been added to implement MAC (see #5) on IPC in OS X. (http://developer.apple.com/library/...stemStartup/Chapters/CreatingXPCServices.html)

7) Windows has far more public and/or unpatched vulnerabilities than OS X.

http://www.vupen.com/english/zerodays/ -> list of public 0days.

http://www.eeye.com/Resources/Security-Center/Research/Zero-Day-Tracker -> another list of public 0days.

http://m.prnewswire.com/news-releas...-vulnerability-in-microsoft-os-110606584.html -> article about 18 year old UAC bypass vulnerability.

8) Password handling in OS X is much more secure than Windows.

The default account created in Windows does not require a password. The protected storage API in Windows incorporates the user's password into the encryption key for items located in protected storage. If no password is set, then the encryption algorithm used is not as strong. Also, no access controls are applied to items within protected storage.

In Mac OS X, the system prompts the user to define a password at setup. This password is incorporated into the encryption keys for items stored in keychain. Access controls are implemented for items within keychain.

Also, Mac OS X uses a salted SHA1 hash, which is still considered cryptographically secure. It is more robust than the MD4 NTLMv2 hash used in Windows 7.

http://www.windowsecurity.com/articles/How-Cracked-Windows-Password-Part1.html -> article about Windows password hashing.
 
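Point 8 of the post above, made concrete with an added example (this is not code from the thread or from either vendor): the NT hash that Windows stores and NTLM authentication builds on is MD4 over the UTF-16LE password with no salt, while the OS X 10.4 to 10.6 shadow hash is SHA-1 over a random 4-byte salt followed by the password, stored as 48 hex characters. The MD4 routine follows RFC 1320; the account names and passwords are constructed.

```python
"""
Point 8 made concrete: an unsalted NT hash versus an OS X salted SHA-1 hash.

The NT hash is MD4 over the UTF-16LE password with no salt, so two accounts
that share a password store the same 16 bytes and one precomputed table
covers every account. The OS X 10.4-10.6 shadow hash is SHA-1(salt || password)
with a random 4-byte salt stored in front of the digest (48 hex characters),
so equal passwords yield different stored values and each must be attacked
on its own. MD4 is implemented here in pure Python because hashlib builds on
OpenSSL 3 often omit it.
"""
import hashlib
import hmac
import os
import struct
from typing import Callable, Optional

_MASK = 0xFFFFFFFF


def _rol(x: int, s: int) -> int:
    """Rotate a 32-bit word left by s bits."""
    return ((x << s) | (x >> (32 - s))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest of data (16 bytes, little-endian state)."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z

    # Padding: 0x80, zeros up to 56 mod 64, then the bit length as a LE u64.
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((56 - (len(data) + 1) % 64) % 64)
    data += struct.pack("<Q", bit_len)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        r = state[:]  # working registers a, b, c, d
        for fn, const, shifts, order in rounds:
            for i, k in enumerate(order):
                r[0] = _rol((r[0] + fn(r[1], r[2], r[3]) + X[k] + const) & _MASK, shifts[i % 4])
                r.insert(0, r.pop())  # (a, b, c, d) -> (d, a, b, c) for the next step
        state = [(s + t) & _MASK for s, t in zip(state, r)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """Windows NT hash: unsalted MD4 over the UTF-16LE password, as lowercase hex."""
    return md4(password.encode("utf-16-le")).hex()


def macos_salted_sha1(password: str, salt: Optional[bytes] = None) -> str:
    """OS X 10.4-10.6 style shadow hash: HEX(salt) + HEX(SHA-1(salt || password))."""
    if salt is None:
        salt = os.urandom(4)  # a fresh random salt for every account
    if len(salt) != 4:
        raise ValueError("salt must be exactly 4 bytes")
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return (salt.hex() + digest).upper()


def verify_macos_salted_sha1(password: str, stored: str) -> bool:
    """Recompute with the salt stored in front; compare in constant time."""
    salt = bytes.fromhex(stored[:8])
    return hmac.compare_digest(macos_salted_sha1(password, salt), stored.upper())


def same_password_collides(scheme: Callable[[str], str], password: str = "Summer2011") -> bool:
    """True if two accounts sharing `password` end up with identical stored hashes."""
    return scheme(password) == scheme(password)


if __name__ == "__main__":
    # Constructed accounts: alice and bob happen to pick the same password.
    for name, scheme in (("NT hash", nt_hash), ("OS X salted SHA-1", macos_salted_sha1)):
        print(f"{name:18} alice = {scheme('Summer2011')}")
        print(f"{name:18} bob   = {scheme('Summer2011')}")
        print(f"{name:18} identical hashes for identical passwords: {same_password_collides(scheme)}")
```

Because the NT hash has no salt, the two constructed accounts print the same value and a single precomputed table would recover both; the salted form forces a separate computation per account.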

NT1440

macrumors G5
May 18, 2008
14,442
20,387
Odd, especially when you look at the iPad which has a disproportionate amount of malware available for iOS than any other tablet OS platform. Does this mean we should all ditch our iPads and trade for Android 3.x?

Uh, got anything to back that up? From what I've been reading all over the web Android has a pretty significant malware problem.
 

munkery

macrumors 68020
Dec 18, 2006
2,217
1
Oh noes!
 


AppleScruff1

macrumors G4
Feb 10, 2011
10,026
2,949
OSX is obviously a very secure operating system, to say otherwise is a bit foolish. Is it 100% secure in every possible way? No, but it's pretty darn good no matter how you look at it, Windows users included.
 

jnpy!$4g3cwk

macrumors 65816
Feb 11, 2010
1,119
1,302
munkery, thanks for the interesting posts. Apple really seems to have turned the corner with respect to security and is now doing interesting, creative things to improve security. Lion is now equipped with some great new options for application developers to improve security; I hope that Mozilla and Google developers dive right in with Lion-optimized versions of their browsers.
 

AppleScruff1

macrumors G4
Feb 10, 2011
10,026
2,949
In practical terms, not much different from Windows.

There's nothing wrong with Windows, especially Windows 7. There are more vulnerabilities/malware for Windows regardless of the reason one chooses to use, but I would expect that considering its widespread reach. It's really not difficult or time consuming to keep Windows systems secure.
 

Hyper-X

macrumors 6502a
Jul 1, 2011
581
1
Linux marketshare is currently around 1% if you do not include Android, which brings that pretty close to 2%.

http://www.ubuntu.com/

http://fedoraproject.org/

http://www.opensuse.org/en/
This supports what I said previously. Marketshare means the percentage or proportion of the total available market or market segment that is being serviced by a company. Ubuntu is based on the Linux kernel, but funding for Ubuntu has no impact on support and/or development for other Linux-based variants such as Debian, Mint, Slackware, etc.

OS X is based on the FreeBSD kernel however zero dollars goes towards the support and development of any Unix products. Being that it is OS X does not mean OS X = Unix.

Android is based on Linux, however that doesn't mean Android = Linux. Refer to below, straight from Android Wiki.

Android is a software stack for mobile devices that includes an operating system, middleware and key applications.[7][8] Google Inc. purchased the initial developer of the software, Android Inc., in 2005.[9] Android's mobile operating system is based on the Linux kernel. The Android Open Source Project (AOSP) is tasked with the maintenance and further development of Android

I think you have been misinformed.


Regarding the iOS 4.3 specific category.
http://latimesblogs.latimes.com/tec...d-in-apples-iphone-ipad-operating-system.html

http://support.apple.com/kb/HT4564

The following is iOS 4.2 specific to illustrate a history of such vulnerabilities.
http://support.apple.com/kb/HT4456

Munkery, you said it yourself that a browser hijack requires me to visit a boobytrapped website. Okay, so a kid is in danger if he/she hops into a van down-by-the-river that says "Hop in, I have candy". So what's the solution, stop having kids?

Link to Secunia's Half Year Report 2011 --> http://secunia.com/blog/238

Research shows that for the majority of vulnerabilities there are patches available on the day of disclosure. While 0-days still represent a significant threat, we actually have the power to neutralise a larger part of the risk than what is commonly perceived.

Cybercriminals do not need 0-day vulnerabilities – there are always plenty of opportunities in unpatched programs.
 

munkery

macrumors 68020
Dec 18, 2006
2,217
1
To quote myself:

I am not stating the probability is 100%.

I am saying the probability is greater for the users of Windows.

If any reactivity is unwarranted, it is the reactivity directed against the fact that the probability of exploitation is greater in relation to Windows.

Comex is really the only guy finding locals in iOS and it takes him almost a year to do so. Only 3 over 2010-2011 as of today. 2 found by Comex.

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Apple+iOS+gain+privileges

Let's compare that to EoPs in Windows in 2010 and 2011.


Look at how fast Apple responded to Jailbreakme which was not being exploited maliciously in the wild (about a week) -> https://forums.macrumors.com/posts/12946208/

Look at how fast MS responded to a vulnerability that was used in two different incidences of malware in the wild:

The vulnerability that was exploited by TDL-4 remained unpatched for many months from the time it was discovered via Stuxnet in July 2010 until it was patched on Dec. 14, 2010 (http://www.microsoft.com/technet/security/bulletin/MS10-092.mspx).

This task scheduler bug was being used in the wild in TDL-4 during some of that time frame. This is shown via press releases about TDL-4 using the task scheduler bug prior to the vulnerability being patched.

Dec. 7, 2010 -> http://threatpost.com/en_us/blogs/tdl4-rootkit-now-using-stuxnet-bug-120710

Munkery, you said it yourself that a browser hijack requires me to visit a boobytrapped website.

Legitimate websites can inadvertently host drive-by-downloads via Flash ads.

https://threatpost.com/en_us/blogs/major-ad-networks-found-serving-malicious-ads-121210

Two major online ad networks--DoubleClick and MSN--were serving malware via drive-by download exploits over the last week, experts say, after a group of attackers was able to trick the networks into displaying their ads by impersonating an online advertising provider.

This goes for any other OS as well; a coder doesn't have to specifically target Linux Debian and may focus on exploiting the Firefox browser instead, for example.

The different security mitigations of each OS determine the exploitability of any given client-side app running on the OS.

https://forums.macrumors.com/posts/13013889/

Link to Secunia's Half Year Report 2011 --> http://secunia.com/blog/238

And everything in that article applies more to Windows because of everything that has been already stated in this thread.
 

diamond.g

macrumors G4
Mar 20, 2007
11,064
2,420
OBX
Look at how fast Apple responded to Jailbreakme which was not being exploited maliciously in the wild (about a week) -> https://forums.macrumors.com/posts/12946208/

Look at how fast MS responded to a vulnerability that was used in two different incidences of malware in the wild:
It is interesting that iOS has been getting patches for vulnerabilities faster than OS X has. I also see why Apple has stopped internally supporting things like Java.
 

cmaier

Suspended
Jul 25, 2007
25,405
33,471
California
It is interesting that iOS has been getting patches for vulnerabilities faster than OS X has. I also see why Apple has stopped internally supporting things like Java.

It's a matter of expectations. People have been trained by MS to expect that their computers can suffer from malware. The first time that happens to an iPhone all hell will break loose.
 

diamond.g

macrumors G4
Mar 20, 2007
11,064
2,420
OBX
It's a matter of expectations. People have been trained by MS to expect that their computers can suffer from malware. The first time that happens to an iPhone all hell will break loose.

But based on comments here it already happens on Android phones so what is the big deal?
 

munkery

macrumors 68020
Dec 18, 2006
2,217
1
It is interesting that iOS has been getting patches for vulnerabilities faster than OS X has. I also see why Apple has stopped internally supporting things like Java.

The difference in the patching of iOS compared to OS X is due to whether or not the vulnerability has been publicly disclosed. Publicly disclosed vulnerabilities are patched as fast in OS X. Privately disclosed vulnerabilities are not patched as quickly for either iOS or OS X.

MS only sometimes rushes a patch if a vulnerability is being exploited in the wild. Typically, MS will only rush patches for remote vulnerabilities being exploited in the wild.

Publicly disclosed vulnerabilities that are not being exploited and local vulnerabilities that are being exploited in the wild are treated the same as privately disclosed vulnerabilities by MS.

The vulnerability that was exploited by TDL-4 remained unpatched for many months from the time it was discovered via Stuxnet in July 2010 until it was patched on Dec. 14, 2010 (http://www.microsoft.com/technet/security/bulletin/MS10-092.mspx).

This task scheduler bug was being used in the wild in TDL-4 during some of that time frame. This is shown via press releases about TDL-4 using the task scheduler bug prior to the vulnerability being patched.

Dec. 7, 2010 -> http://threatpost.com/en_us/blogs/tdl4-rootkit-now-using-stuxnet-bug-120710

http://www.vupen.com/english/zerodays/

http://www.eeye.com/Resources/Security-Center/Research/Zero-Day-Tracker
 

NT1440

macrumors G5
May 18, 2008
14,442
20,387
It is interesting that iOS has been getting patches for vulnerabilities faster than OS X has. I also see why Apple has stopped internally supporting things like Java.

iOS is an operating system that is less than a gig. OSX if far larger with far more things to check out to make sure a patch doesn't break some other functionality.

Logic and reality both dictate that because of that, patching and testing iOS would be a faster process.

Makes sense, right?

It's like the rule of fixing a bug: you've fixed A but broke B, C, and D in doing so. Software isn't simple.
 

Hyper-X

macrumors 6502a
Jul 1, 2011
581
1
Comex is really the only guy finding locals in iOS and it takes him almost a year to do so. Only 3 over 2010-2011 as of today. 2 found by Comex.
I see you didn't check the Apple links I provided above; anyone can clearly see there's more than 3, and this is coming from Apple.

http://support.apple.com/kb/HT4564 - for iOS 4.3
http://support.apple.com/kb/HT4456 - for iOS 4.2

Look at how fast Apple responded to Jailbreakme which was not being exploited maliciously in the wild (about a week) -> https://forums.macrumors.com/posts/12946208/
The only thing I see here is your insistence that Apple's some amazing company without flaws and I'm guessing my comments blemish that pristine image which draws out your posts.

MS has been brilliant with their updates on many of their products, and they support much more (significantly more) software than Apple. As such, MS's software support mission is exponentially larger than Apple's small-scale software mission by comparison. Most consumers associate Microsoft as "just" a Windows company. There are many other tools and software titles, fully supported, deployed/managed/operated on a number of computers which exceeds the sum of all OS X users, that have nothing to do with Windows, and they support all their products rather well. It's easier to fulfill a mission which involves feeding only 20 people than it is to feed millions, for example.

Look at how fast MS responded to a vulnerability that was used in two different incidences of malware in the wild:
So you take a good example to support Apple's response time and lay it against a worst-case scenario from Microsoft? It'd be like you're trying to show the differences between a Mac and a PC when the Mac is all new and shiny and you display an HP machine that's been dragged in the mud. Are you trying to say that MS responds to all security issues as in your example?

Legitimate websites can inadvertently host drive-by-downloads via Flash ads.

https://threatpost.com/en_us/blogs/major-ad-networks-found-serving-malicious-ads-121210
We went over this earlier. Stuxnet was not a big issue; it was hardly even an annoyance. By comparison, the whole Y2K bug was a bigger issue, and the impact it had in reality was next to none. TDL-4 has never been confirmed to be a widespread problem; there are no confirmed reports of affected Windows systems despite the potential for damage by the rootkit. The only thing these experts are able to agree upon is that it has the potential to harm millions of machines. The circumstances for TDL-4 to even be a real problem are minuscule.

Again, if you have any web link through which I could subject myself to any of what you've been saying, please post it in your reply or PM me with it, because for the past few days I've been trying to get my Windows 7 machine exploited. I simply can't, and I'm seriously trying; I can't seem to find anything, and I'm doing this on purpose. Now if I can't do this even when I put serious effort into getting exploited/hijacked, imagine what a typical user's chances of running into the issues you claim to be a serious level of threat are going to be.

Yes, there are going to be those PC users who insist on using some China-cracked version of Windows, which may already contain exploits/trojans, who choose not to update Windows possibly to avoid detection from Microsoft, who choose not to use any form of internal protection, who surf every possible website, who use P2P software to connect with anyone about anything as long as it's free, who are going to run into serious problems and then post it up online and claim how terrible Windows is when they run into problems. This isn't uncommon; in fact, there are a lot more people who fall into this category than most would be led to believe.

The different security mitigations of each OS determine the exploitability of any given client-side app running on the OS.
Wrong. If that's the case, try explaining Flash and Java on OS X. There's a reason why Apple is adamant about moving away from Flash and Java. MS Windows couldn't achieve absolute security using Flash and Java; apparently neither could Apple with OS X and Safari, imagine that.

------------------------------------------------------------------------------------------------------------------------
Security experts/researchers get paid by finding problems and figuring out what those problems can do. It'd be no different from a caveman discovering fire; however, after assessing the potential damage fire can do (by having his buddy jump in the fire and stay there), that caveman then yells "fire no good", "fire kill", "you no use fire", "fire is evil". A more intelligent caveman can look at the situation and say "fire keep me warm when cold", "fire cook food, taste good", "fire no kill if I don't stand in fire", "no jump in fire, fire not kill", understanding that the real potential for harm is negligible to non-existent.
 
Last edited: