Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Does this mean OSX isn't secure? :(
- Thread starter MythicFrost
- Start date
- Sort by reaction score
Thanks for the response... good to know, not gonna waste my time, if someone steals my computer and wants to read my grad papers on behavior management and autism then by all means go right ahead...
Yeah... I wonder why.
Apple's market share has only increased in that period - so the obscurity theory falls apart.
Just a quick look at your computer management console, users and groups on windows would be enough...
Why do you need so many user groups or SUPPORT_bla.bla accounts?
If your on snow leopard, do a get info on the main drive the OS is on. Take a look at the permissions groups. See anything funny in there? Try deleting it. You can't. BACK DOOR!
Precisley. Safari is neither OS X, nor is it embedded into OS X. Furthermore, one reason most financial institutions run *NIX based systems and servers is for the unmitigated security. The overriding reason for the proliferation of +millions of viruses in the wild is that with Windows, it's actually been possible to hack, compromise, and write self-replicating viruses for. Back in the nineties, while the previous Mac OS held only 4-9% market share, there were 20,000 viruses in the wild, capable of compromising the system - so much for the security through obscurity myth.
It's perfectly understandable IMO for an OS to be hackable due to a silly human downloading and authenticating some bad software. You get what you deserve as a dumb user.
What I find INEXCUSABLE is for a brand new modern OS to leave out a feature that can prevent system takeover hacks targeted at users just minding their own business, surfing the web, and NOT downloading or authenticating anything.
Windows has full ASLR (doesn't it?). OS X still doesn't. So let's nevermind the "users are dumb" stuff. I'm not dumb. I'm just surfing. If my OS lets itself get infected from pure surfing, I'm gonna complain.
I have no idea what you are talking about. I just copy pasted the comments from the article in the OP.
The thing is for more than 2 years I have being reading in MR that Macs are safer, that you get all kinds of viruses with PCs, etc.
Truth is only argument I heard favoring this point is that Macs are never attacked, which can be explained by a more secure architecture AND/OR very low market share (without counting the US, probably less than 5% in the resto of the world).
Truth is, Apple always respond to vulnerabilities later than Windows and Macs are not as exposed as Windows as they are never in corporate environments.
Basically I just wanted to know what fanbois have to say about this (which seems nothing so far)
Anyone cares to respond to the Microsoft guy I pasted on my post instead of repeating that "if there are no viruses is because is better"? Does anyone actually believe that if anyone gave away $1000000 for a Mac virus in a contest, it would take more than one day for someone to get the money (same for Windows)?
The guy actually has arguments. Where are yours? I am actually beginning to think that actually Windows is safer. It's just the natural target.
The guy actually has arguments. Where are yours? I am actually beginning to think that actually Windows is safer. It's just the natural target.
And why, do you suppose, that it has been both "the natural" and "the successful" target, amongst the fairly large share of UNIX servers around the globe?
Again, read this guy's post: he claims that vulnerabilities for UNIX servers are bigger than for Windows (and I do believe UNIX servers are equally attacked). But anyway, we are not talking about servers here, but the OS itself. About you as an user and how your OS in your computer is more or less secure.
Again, you come with the "virus actually attack Windows" argument, which again, can be explained not only by design but also by numbers.
Question again: what in OSX design make it more secure than Windows? Apparently, obvious things like Address Space Layout Randomization is not implemented in OSX as it is on Windows. I would say that by design, Windows is more secure than OSX. Any argument against?
Macmel, maybe I am confused in the quoting and responding you did... did you write this?
"IIS had 8 vulnerabilities since 2003, ZERO of which were rated "highly" or "extremely" critical, and only four rated at "moderate" which means they're at worst DoS attacks, all of which were in optional off-by-default components.
Apache has had 26 in the same time period, including 2 "highly critical" (remote code execution) and 10 "moderate" vulnerabilities.
How do you explain that? Not a SINGLE reported remote code execution vulnerability against IIS. Not even one. In 6+ years. Seriously, how are you arguing against that?
American Express is using IIS on at least three of their websites:
http://searchdns.netcraft.com/?posit...canexpress.com
Although those are just public facing sites. Their on-premise extranets are much more likely to be IIS.
Intel and AMD both use IIS:
http://searchdns.netcraft.com/?posit...host=intel.com
http://searchdns.netcraft.com/?restr...sition=limited
Look at the top uptimes for webservers tracked by netcraft:
http://uptime.netcraft.com/up/today/top.avg.html
Out of the top 50, only ONE is running Apache! All of the rest are Windows Servers!"
That what I took issue with, the unreferenced and untrue statements about the IIS vulnerabilities - if you were quoting someone else then my issue is with him/her.
Stu
"IIS had 8 vulnerabilities since 2003, ZERO of which were rated "highly" or "extremely" critical, and only four rated at "moderate" which means they're at worst DoS attacks, all of which were in optional off-by-default components.
Apache has had 26 in the same time period, including 2 "highly critical" (remote code execution) and 10 "moderate" vulnerabilities.
How do you explain that? Not a SINGLE reported remote code execution vulnerability against IIS. Not even one. In 6+ years. Seriously, how are you arguing against that?
American Express is using IIS on at least three of their websites:
http://searchdns.netcraft.com/?posit...canexpress.com
Although those are just public facing sites. Their on-premise extranets are much more likely to be IIS.
Intel and AMD both use IIS:
http://searchdns.netcraft.com/?posit...host=intel.com
http://searchdns.netcraft.com/?restr...sition=limited
Look at the top uptimes for webservers tracked by netcraft:
http://uptime.netcraft.com/up/today/top.avg.html
Out of the top 50, only ONE is running Apache! All of the rest are Windows Servers!"
That what I took issue with, the unreferenced and untrue statements about the IIS vulnerabilities - if you were quoting someone else then my issue is with him/her.
Stu
It's interesting that you post an exchange between two anonymous people discussing their views on certain aspects of security in each OS... But what bit exactly do you expect anyone to reply to? It's a conversation between two people, half the time arguing about incorrect terminology and the other half correcting the misunderstood aspects of OS operations in the specific context of the conversation.
Edit: Why are you talking about a $1,000,000? DO you have a $1,000,000 to put up to prove your point? No? So why are you telling me it'd "only take a day" as if you've done the experiment? YOU ARE SPECULATING about something that hasn't happened in the real world, please don't try and form your argument around it.
Sorry to burst your bubble, but this isn't comprehensive conclusive PROOF of anything. Proof is the documentation of irrefutable facts.
It is a conversation between two guys in which one of them is explaining why the general arguments used against Microsoft are wrong.
I'm not saying is proof of anything, I'm just saying the guy is giving arguments why Windows by design is safer than OSX.
I don't know enough about computers to say it is or itsn't so. All I know is OSX doesn't have ASLR, for example, or their general lazyness to correct vulnerabilities (to the point they downgraded flash to a previous vulnerable version with the release of their latest OS and it took more than 3 weeks to solve in .1). On the Mac side, I only hear the "we don't have virus argument".
I did not form any argument on the $1000000 experiment. Everytime Macs are put to the test, they are the first to be hacked. You say this guy was working on a Mac before the contest, but do you think the guy had never worked on a PC? I am absolutely convinced that if Mac market share becomes significant (over 20%) we will live a veru different situation but that is not part of the argument.
Now COLD YOU PLEASE GIVE ME A REASON WHY OSX IS SAFER THAN WINDOWS?
I did not write anything. It's just a conversation between two guys regarding OSX security versus Windows security. The fact why they start talking about UNIX servers escapes me, as my understanding is OSX is based on UNIX, but is still a unique OS. Anyway, the argument that Windows servers are widely used and are more secure than Unix still holds according to your correction.
Now that you ask it, things that are mentioned in that conversation I would like to see discussed:
- The top server applications for Windows Server (IIS, SQL Server) have way, way better security track records than their Linux equivalents.
- Users do not have write access to system directories on Windows. They never did. Even Administrators don't have write access by default on Vista or Win7 without elevating.
- One of the key advantages of the registry is its security model. Users have read/write access only to their per-user hive, and have only read access to the system hive.
- Apps on Windows do not run as root. Most installers require admin privileges because this is how managed environments control who can and can't install software, and because admin privileges are required to register per-machine shared libraries, per-machine association handlers (like file extension / MIME type handlers, etc), and so on. But lots of applications can install per-user as well, or only install per-user (like Google Chrome) and don't ever require admin privileges to install.
-Applications on OS X frequently requires root privileges in order to install (like, say, Firefox, VMWare, Quicksilver, etc). In fact, one big gap in the OS X security model is that every installation asks the user for their password without a Secure Attention Sequence, meaning that it's trivial to steal a Mac user's password.
- Security on Snow Leopard is a joke. There's no ASLR, no SAS or UIPI. NX support still isn't as good as Windows. BOTH systems grant read-only access to system files by default.
Youre wrong here... only a few apps require admin pass to install its those that need some kernel extensions installed.
You can drag firefox anywhere from .dmg and it will work without any password... every user can have his own firefox even.
I was questioning the source and relevance of the material. The anonymous 'expert' argues only against specific statements made by an evidently misinformed individual. The 'expert' hasn't really explained much to substantiate the claim that windows is supposedly so secure.
With regards to the so called "we don't have a virus argument", its been explained earlier in the thread how the nature of the OSX framework makes it difficult to infect a mac with malicious software. As a result, there isn't currently a problem with viruses on the OSX platform. What more is there to argue?
As said earlier, no OS is infallible, however the claims that it is such a massive deal in OSX are totally unsubstantiated with any real evidence. This is the whole problem with this thread and why it got stupid and pointless many pages ago.
Heres my (rather blunt and possibly unfair) summary of the thread. The chronology isn't especially accurate:
Page 1: OSX is dangerously vulnerable! This guy on the net said so!
Page 2: How is it?
Page 3: Its really insecure look at the vulnerabilities!
Page 4: Without human error (typing in your password) How exactly will that damage OSX?
Page 5: 'Cos its SOOOO vulnerable! *Claims of being proven many times* Windows is soooo much more secure. Microsoft is evil! Conspiracy theories! Back Doors! NSA!!!! Vague theory about fruit.
Page 6: I can't see any recent problems with malicious software on OSX. I can't say the same for windows. Provide the evidence. This thread is stupid. Dogs, Trees, Hitler and Aliens.
Page 7: This guy on the net said so! And there aren't enough macs for a hacker to bother with, which explains why there is no malicious software on osx.
Page 8: OK - so hackers ignore these supposedly GAPING holes because there are only tens of millions of macs around?!?!? And the article you provide as evidence finishes with "I still think you're pretty safe, I wouldn't recommend antivirus on the Mac."
Page 9: Windows is sooo secure, ANOTHER guy on the net DESTROYS the argument against him!
Page 10: So a clueless anonymous guy makes an argument and another anonymous guy argues the semantics of the proposed argument and posts some questionable links, so it must be right?
Page 11: I don't know enough about computers to know either way! Apart from the total lack of malicious software on macs and the contrary for Windows, Windows is more secure than OSX!
Page 12: Where's your proof?
AD INFINITUM.
You've pointed out some of the holes, good for you! As said much earlier in the thread, no OS is totally infallible. So how do these cracks make OSX vulnerable exactly? No one has been able to show this yet. As a testament of this there is a complete lack of OSX specific malicious software gaining entry through these cracks IN THE REAL WORLD. Yet in this same REAL WORLD windows (and its appalling track record) is a superior system?
Macmel - in that case we are in accord - OS X is no more inherently secure or safer than any other OS connected to the Internet.
The fact Windows is more widely deployed does in my opinion make it less safe, but certainly no less secure than OS X.
I don't use Macs because they don't have viruses, I use Macs because in my personal opinion they deliver a better user experience than Windows. In fact I would go further and suggest that lack of viruses for Mac wasn't even on my list of reasons to move away from Windows - in 20 years of using Windows I never actually got a virus and so I suppose blindly hoped my track record of safe and sensible surfing and good eMail control would mean this would continue with Macs. It has so far.
The various techniques to avoid buffer overflows and such currently employed in later versions of Windows *should* assist in the fight against exploits, but the fact is vulnerabilities are still emerging even with these techniques.
The threat landscape now is no longer the OS - the threats are almost always client application based and not just web browsers. In recent months Adobe Acrobat, Windows Media Player, and many others have all been the subject of major vulnerabilities - its not the OS that is the issue now so much as the poor coding that has and does exist in apps that we use.
Of course an OS without apps might as well be a teapot made of chocolate - so until developers start coding securely the underlying OS will always be deemed to be vulnerable, its fashionable to point the finger at the OS and its creator rather than the code that is actually compromised.
Stu
The fact Windows is more widely deployed does in my opinion make it less safe, but certainly no less secure than OS X.
I don't use Macs because they don't have viruses, I use Macs because in my personal opinion they deliver a better user experience than Windows. In fact I would go further and suggest that lack of viruses for Mac wasn't even on my list of reasons to move away from Windows - in 20 years of using Windows I never actually got a virus and so I suppose blindly hoped my track record of safe and sensible surfing and good eMail control would mean this would continue with Macs. It has so far.
The various techniques to avoid buffer overflows and such currently employed in later versions of Windows *should* assist in the fight against exploits, but the fact is vulnerabilities are still emerging even with these techniques.
The threat landscape now is no longer the OS - the threats are almost always client application based and not just web browsers. In recent months Adobe Acrobat, Windows Media Player, and many others have all been the subject of major vulnerabilities - its not the OS that is the issue now so much as the poor coding that has and does exist in apps that we use.
Of course an OS without apps might as well be a teapot made of chocolate - so until developers start coding securely the underlying OS will always be deemed to be vulnerable, its fashionable to point the finger at the OS and its creator rather than the code that is actually compromised.
Stu