Mac OS X is less secure than Windows?

Discussion in 'macOS' started by iAppleseed, May 25, 2012.

  1. iAppleseed, May 25, 2012
    Last edited: May 26, 2012

    iAppleseed macrumors regular

    Joined:
    May 11, 2011
    #1
    I ran into an argument with a loyal Windows fan. He hates Macs. He'd marry Windows if he could. And I asked him how he can defend Windows as a better OS. He said security. At first, I laughed but then he started to make sense.

    Why was Mac OS X nearly virus free in the first place? Because it wasn't popular. Virus makers didn't care about OS X. Now, OS X's market share is getting huge and this caught the eyes of malware makers. Flashback. Apple took a long while to deal with it. Hacking. A Mac was hacked by a great hacker (I don't have the exact time, but I guess it was 4 minutes). And there you have it.

    And finally, he said that if Mac OS X became as popular as Windows, it will be swarming with more viruses due to Apple's ignorance (based on the long response time to the Flashback trojan).

    What do you think?
     
  2. MacDawg macrumors P6

    MacDawg

    Joined:
    Mar 20, 2004
    Location:
    "Between the Hedges"
    #2
    I think you and your friend are woefully misinformed about most everything you said there
     
  3. Can't Stop macrumors 6502

    Joined:
    Dec 22, 2011
    #3
    RTFM for God’s sake.
     
  4. heisenberg123 macrumors 603

    heisenberg123

    Joined:
    Oct 31, 2010
    Location:
    Hamilton, Ontario
    #4
    I think your friend is incorrect. There still is no "virus" for OSX. OSX sells in the millions; if that's not popular enough, then Macs will always be safe based on that logic.
     
  5. Comeagain? macrumors 68020

    Comeagain?

    Joined:
    Feb 17, 2011
    Location:
    Spokane, WA
    #5
    The lack of popularity is not the only reason why there aren't any Mac viruses.
     
  6. Can't Stop macrumors 6502

    Joined:
    Dec 22, 2011
    #6
    OS 9 had a smaller market share than OS X has and there were many viruses for OS 9 back in the day. Your friend is nuts, one tinfoil hat away from a rubber room.
     
  7. MonkeySee...., May 25, 2012
    Last edited: May 28, 2012

    MonkeySee.... macrumors 68040

    MonkeySee....

    Joined:
    Sep 24, 2010
    Location:
    UK
    #7
    There is too much wrong with your post. GGJstudios or Mal won't know where to start ;)
     
  8. iAppleseed thread starter macrumors regular

    Joined:
    May 11, 2011
    #8
    Please state as much as you can.
     
  9. Intell macrumors P6

    Intell

    Joined:
    Jan 24, 2010
    Location:
    Inside
    #9
    The UNIX base also helps as well. Exploits that have affected Mac OS X have used its default installed plugins like Flash and Java, rarely or never the OS itself. The UNIX base keeps processes from gaining root access, and root access can only be obtained via the user entering their administrator password when prompted for it. In Windows XP and older, if an account was an Administrator account, the admin abilities were always on and any process running under that user's login name had admin abilities. Vista and 7 tried to correct this with Microsoft's User Account Control. An admin account in Vista is a regular account that has the ability to run processes as an admin if the system prompts the user to allow it.

    If you stripped away all third-party plugins from a fully up to date baseline installation of both Lion and 7, they'd be equally secure. My opinion is that 7 would fall first to some form of malware and to a hacking attempt. If you put Tiger and XP together with the same parameters as above, XP would fall much faster.

    Then there is the architecture difference. Even though Leopard was vulnerable to the Flashback malware, its package was Intel only. Because of this, older PowerPC Macs couldn't get infected with it. While Apple is no longer making PowerPC Macs, the older ones are perhaps the most secure against malware and trojans, just because it is becoming difficult to develop things such as malware for PowerPC machines.
     
  10. heisenberg123 macrumors 603

    heisenberg123

    Joined:
    Oct 31, 2010
    Location:
    Hamilton, Ontario
    #10
    IMO this is another reason Windows is less secure: the majority of Windows users that get viruses are the trigger-happy people that say yes to every pop-up just to continue what they were doing. Having to enter a password is more of a nuisance and makes the person really think "why am I being asked to enter my admin password?"
     
  11. GGJstudios macrumors Westmere

    GGJstudios

    Joined:
    May 16, 2008
    #11
    LOL! No kidding!
    There's your first clue. Anyone emotional about a machine isn't who I would trust for factual information.
    The Mac marketshare theory has been completely debunked more times than I can count. Mac OS 9 and earlier had many more instances of malware, including true viruses, even though they had much smaller marketshare and installed base. Now that marketshare has grown, the instances of Mac malware have decreased and the number of viruses that run on the current Mac platform has gone to zero.
    Any Mac user practicing safe computing was completely unaffected by Flashback... or any other Mac OS X malware that has ever existed in the wild.
    Hacking is very different than malware. Windows computers were hacked, as well. The average computer user will NEVER be hacked, as most hackers don't have any interest in what the average user stores on their computer.
    Apple's response time is irrelevant. Windows users aren't at the mercy of Microsoft's response time in dealing with malware. They use 3rd party antivirus apps, which update much faster than Microsoft responds. The same would be true for Mac users, if a Mac OS X virus were ever introduced in the wild.

    Your friend is ridiculously ignorant of the facts.

    Macs are not immune to malware, but no true viruses exist in the wild that can run on Mac OS X, and there never have been any since it was released over 10 years ago. The only malware in the wild that can affect Mac OS X is a handful of trojans, which can be easily avoided by practicing safe computing (see below). Also, Mac OS X Snow Leopard and Lion have anti-malware protection built in, further reducing the need for 3rd party antivirus apps.
    1. Make sure your built-in Mac firewall is enabled in System Preferences > Security > Firewall

    2. Uncheck "Open "safe" files after downloading" in Safari > Preferences > General

    3. Disable Java in your browser (Safari, Chrome, Firefox). This will protect you from malware that exploits Java in your browser, including the recent Flashback trojan. Leave Java disabled until you visit a trusted site that requires it, then re-enable only for the duration of your visit to that site. (This is not to be confused with JavaScript, which you should leave enabled.)

    4. Change your DNS servers to OpenDNS servers by reading this.

    5. Be careful to only install software from trusted, reputable sites. Never install pirated software. If you're not sure about an app, ask in this forum before installing.

    6. Never let someone else have access to install anything on your Mac.

    7. Don't open files that you receive from unknown or untrusted sources.

    8. For added security, make sure all network, email, financial and other important passwords are long and complex, including upper and lower case letters, numbers and special characters.

    9. Always keep your Mac and application software updated. Use Software Update for your Mac software. For other software, it's safer to get updates from the developer's site or from the menu item "Check for updates", rather than installing from any notification window that pops up while you're surfing the web.
    That's all you need to do to keep your Mac completely free of any Mac OS X malware that has ever been released into the wild. You don't need any 3rd party software to keep your Mac secure.
     
  12. Comeagain? macrumors 68020

    Comeagain?

    Joined:
    Feb 17, 2011
    Location:
    Spokane, WA
    #12
    See GGJStudios's and Intell's completely correct posts.
     
  13. Ger Teunis macrumors member

    Joined:
    Jan 2, 2010
    Location:
    In front of my Mac
    #13
    So here we are again; nerds-vs-nerds.

    Tell me one thing; if it was all about market share, why was the Flashback virus so widely spread? So the market share fake reason is debunked.

    How many REAL widespread viruses have there been for OSX since a LONG LONG time? One, yes one: because Apple was a little late in publishing a SECURITY ISSUE IN JAVA. Not even installed by default on Lion.

    Stop whining and stop believing anti-virus makers. They are preaching a new outbreak every 6 months. And we are still here on a safe OS.

    Even better: Mountain Lion will be FULL of new security features, even more future proofing it!

    Windows is ONLY secure by installing a virus scanner; you are REQUIRED to install one. What does that tell you?

    My 2c
     
  14. Mal macrumors 603

    Mal

    Joined:
    Jan 6, 2002
    Location:
    Orlando
    #14
    Who's Hal? ;) But yes, the answers have already flowed forth, so... I will depart again.

    jW
     
  15. GGJstudios macrumors Westmere

    GGJstudios

    Joined:
    May 16, 2008
    #15
    It isn't a virus. It's a trojan. Roughly 600K users out of 50 million isn't exactly what I'd call widespread. It just got a lot of press.
    False. The answer is none. Flashback isn't a virus; it's a trojan that is completely avoidable by user action. There has never been a single Mac OS X virus in the wild.
     
  16. old-wiz macrumors G3

    Joined:
    Mar 26, 2008
    Location:
    West Suburban Boston Ma
    #16
    I'm only surprised betatest hasn't jumped in with his brilliant observations.
    /s
     
  17. munkery macrumors 68020

    munkery

    Joined:
    Dec 18, 2006
    #17
    1) Until Vista, the admin account in Windows did not implement DAC in a way to prevent malware by default. Also, Windows has a far greater number of privilege escalation vulnerabilities that allow bypassing DAC restrictions even if DAC is enabled in Windows.

    Much of the ability to turn these vulnerabilities into exploits is due to the insecurity of the Windows registry. Also, more easily being able to link remote exploits to local privilege escalation exploits in Windows is due to the Windows registry.

    Mac OS X does not use an exposed monolithic structure, such as the Windows registry, to store system settings. Also, exposed configuration files in OS X do not exert as much influence over associated processes as the registry does in Windows.

    Mac OS X Snow Leopard has contained only 4 elevation of privilege vulnerabilities since it was released; obviously, none of these were used in malware. Lion has contained 2 so far, but one of these vulnerabilities doesn't affect all account types because it is due to a permissions error rather than a code vulnerability.

    The following link shows the number of privilege escalation vulnerabilities in Windows 7 related to just win32k:

    http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=win32k+7

    More information about privilege escalation in Windows 7:

    http://www.exploit-db.com/bypassing-uac-with-user-privilege-under-windows-vista7-mirror/ -> guide to develop exploits to bypass UAC by manipulating registry entries for kernel mode driver vulnerabilities.

    https://media.blackhat.com/bh-dc-11/Mandt/BlackHat_DC_2011_Mandt_kernelpool-wp.pdf -> more complete documentation about Windows kernel exploitation.

    http://mista.nu/research/mandt-win32k-paper.pdf -> more complete documentation about alternative methods to exploit the Windows kernel.

    http://threatpost.com/en_us/blogs/tdl4-rootkit-now-using-stuxnet-bug-120710 -> article about the TDL-4 botnet which uses a UAC bypass exploit when infecting Windows 7.

    2) Windows has the potential to have full ASLR but most software does not fully implement the feature. Most software in Windows has some DLLs (dynamic link libraries = Windows equivalent to dyld) which are not randomized.

    http://secunia.com/gfx/pdf/DEP_ASLR_2010_paper.pdf -> article overviewing the issues with ASLR and DEP implementation in Windows.

    Also, methods have been found to bypass ASLR in Windows 7.

    http://vreugdenhilresearch.nl/Pwn2Own-2010-Windows7-InternetExplorer8.pdf -> article describing bypassing ASLR in Windows 7.

    Mac OS X has full ASLR implemented on par with Linux. This includes ASLR with position independent executables (PIE). DLLs in Windows have to be pre-mapped at fixed addresses to avoid conflicts so full PIE is not possible with ASLR in Windows.

    Using Linux distros with similar runtime security mitigations as Lion for a model, client-side exploitation is incredibly difficult without some pre-established local access. Of course, this is self defeating if the goal of the exploitation is to achieve that local access in the first place.

    See the paper linked below about bypassing the runtime security mitigations in Linux for more details.

    http://www.blackhat.com/presentatio...Europe-2009-Fritsch-Bypassing-aslr-slides.pdf

    The author only manages to do so while already having local access to the OS.

    3) Mac OS X Lion has DEP on stack and heap for both 64-bit and 32-bit processes. Third party software that is 32-bit may lack this feature until recompiled in Xcode 4 within Lion. Not much software for OS X is still 32-bit.

    But, not all software in Windows uses DEP; this includes 64-bit software. See first article linked in #2.

    4) Mac OS X implements canaries using ProPolice, the same mitigation used in Linux. ProPolice is considered the most thorough implementation of canaries. It is known to be much more effective than the similar system used in Windows.

    http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-silberman/bh-us-04-silberman-paper.pdf -> article comparing ProPolice to stack canary implementation in Windows.

    5) Application sandboxing and mandatory access controls (MAC) in OS X are the same thing. More specifically, applications are sandboxed in OS X via MAC. Mac OS X uses the TrustedBSD MAC framework, which is a derivative of MAC from SE-Linux. This system is mandatory because it does not rely on inherited permissions. Both mandatorily exposed services (mDNSresponder, netbios...) and many client-side apps (Safari, Preview, TextEdit…) are sandboxed in Lion.

    Windows does not have MAC. The system that provides sandboxing in Windows, called mandatory integrity controls (MIC), does not function like MAC because it is not actually mandatory. MIC functions based on inherited permissions so it is essentially an extension of DAC (see #1). If UAC is set with less restrictions or disabled in Windows, then MIC has less restrictions or is disabled.

    http://www.exploit-db.com/download_pdf/16031 -> article about Mac sandbox.

    http://msdn.microsoft.com/en-us/library/bb648648(v=VS.85).aspx -> MS documentation about MIC.

    https://media.blackhat.com/bh-eu-11/Tom_Keetch/BlackHat_EU_2011_Keetch_Sandboxes-Slides.pdf -> researchers have found the MIC in IE is not a security boundary.

    6) In relation to DAC and interprocess sandboxing in OS X in comparison with some functionality of MIC in Windows 7 (see #5), the XNU kernel used in OS X has always had more secure interprocess communication (IPC) since the initial release of OS X.

    Mac OS X, via being based on Mach and BSD (UNIX foundation), facilitates IPC using mach messages secured using port rights that implement a measure of access controls on that communication. These access controls applied to IPC make it more difficult to migrate injected code from one process to another.

    Adding difficulty to transporting injected code across processes reduces the likelihood of linking remote exploits to local exploits to achieve system level access.

    As of OS X Lion, the XPC service has also been added to implement MAC (see #5) on IPC in OS X. (http://developer.apple.com/library/...stemStartup/Chapters/CreatingXPCServices.html)

    7) Windows has far more public and/or unpatched vulnerabilities than OS X.

    http://www.vupen.com/english/zerodays/ -> list of public 0days.

    http://www.eeye.com/Resources/Security-Center/Research/Zero-Day-Tracker -> another list of public 0days. (Most if not all of the Apple vulnerabilities in this list were patched in the latest Apple security update -> http://support.apple.com/kb/HT5002)

    http://m.prnewswire.com/news-releas...-vulnerability-in-microsoft-os-110606584.html -> article about 18 year old UAC bypass vulnerability.

    8) Password handling in OS X is much more secure than Windows.

    The default account created in Windows does not require a password. The protected storage API in Windows incorporates the user's password into the encryption key for items located in protected storage. If no password is set, then the encryption algorithm used is not as strong. Also, no access controls are applied to items within protected storage.

    In Mac OS X, the system prompts the user to define a password at setup. This password is incorporated into the encryption keys for items stored in keychain. Access controls are implemented for items within keychain.

    Also, Mac OS X Lion uses a salted SHA512 hash, which is still considered cryptographically secure. It is more robust than the MD4 NTLMv2 hash used to store passwords in Windows 7.

    http://www.windowsecurity.com/articles/How-Cracked-Windows-Password-Part1.html -> article about Windows password hashing.

    9) The new runtime security mitigation improvements to be included in Windows 8 have already been defeated.

    http://vulnfactory.org/blog/2011/09/21/defeating-windows-8-rop-mitigation/

    To put this into perspective, methods to bypass the new runtime security mitigations in Mac OS X Lion are not yet available.

    10) In regards to recent earlier versions of Mac OS X:

    The following article relates to varying levels of security mitigations in different Linux distros, but it is applicable in revealing that the runtime security mitigations in some earlier versions of Mac OS X prior to Lion were far from inadequate.

    http://www.blackhat.com/presentatio...Europe-2009-Fritsch-Bypassing-aslr-slides.pdf

    While Mac OS X Leopard/SL lack full ASLR, Windows Vista/7 have stack canaries (aka stack cookies) that are trivial to bypass.

    The following link shows the issues with stack canaries in Windows. -> http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-silberman/bh-us-04-silberman-paper.pdf

    So:

    Windows Vista/7 = NX + ASLR
    Mac OS X Leopard/SL = NX + stack cookies

    These articles show that NX in combination with stack canaries is more difficult to bypass than a combination of NX and ASLR.
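Points 4 and 10 above lean on stack canaries (stack cookies) as a mitigation. The following is an added illustration of the principle, not code from the thread or from ProPolice: an emulated stack frame laid out the way ProPolice arranges it (char buffer directly below the canary, canary directly below the saved return address), so any overflow that reaches the return address must first corrupt the canary and is caught in the epilogue check. The canary and return-address constants are constructed placeholders.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The emulated "stack frame" is a plain byte array, so the overflow below
 * is well-defined C rather than real memory corruption.
 * Layout, low to high address: [16-byte buffer][8-byte canary][8-byte saved return address] */
#define BUF_SIZE   16
#define CANARY_OFF BUF_SIZE
#define RET_OFF    (BUF_SIZE + 8)
#define FRAME_SIZE (BUF_SIZE + 16)

enum { CANARY_OK = 0, CANARY_SMASHED = 1 };

/* Constructed values. A real canary is random per process and usually
 * contains a NUL byte so C string copies stop at it; the return address
 * here is a placeholder, not a real code address. */
static const uint64_t kCanary  = 0x00A5C3E1DEADBE0FULL;
static const uint64_t kRetAddr = 0x0000000100001234ULL;

typedef struct { unsigned char bytes[FRAME_SIZE]; } frame_t;

static uint64_t read_u64(const unsigned char *p) { uint64_t v; memcpy(&v, p, 8); return v; }

/* Prologue: store the canary and the saved return address in the frame. */
static void frame_init(frame_t *f) {
    memset(f->bytes, 0, FRAME_SIZE);
    memcpy(f->bytes + CANARY_OFF, &kCanary, 8);
    memcpy(f->bytes + RET_OFF, &kRetAddr, 8);
}

/* A strcpy-like unbounded copy of n bytes into the 16-byte buffer. */
static void unbounded_copy(frame_t *f, const unsigned char *src, size_t n) {
    if (n > FRAME_SIZE) n = FRAME_SIZE;   /* the emulated stack ends here */
    memcpy(f->bytes, src, n);
}

/* Epilogue: check the canary before the saved return address is trusted.
 * Returns CANARY_OK or CANARY_SMASHED; *ret (if non-NULL) receives the
 * possibly clobbered saved return address so the damage is visible. */
int copy_and_check(size_t n, uint64_t *ret) {
    unsigned char input[FRAME_SIZE];
    memset(input, 'A', sizeof input);     /* constructed oversized input */
    frame_t f;
    frame_init(&f);
    unbounded_copy(&f, input, n);
    if (ret) *ret = read_u64(f.bytes + RET_OFF);
    return read_u64(f.bytes + CANARY_OFF) == kCanary ? CANARY_OK : CANARY_SMASHED;
}

/* Convenience: the saved return address left behind after an n-byte copy. */
uint64_t saved_return_after(size_t n) { uint64_t r; copy_and_check(n, &r); return r; }

int main(void) {
    size_t sizes[] = { 16, 17, 32 };
    for (size_t i = 0; i < 3; i++) {
        uint64_t ret;
        int r = copy_and_check(sizes[i], &ret);
        printf("%zu bytes -> %s, saved return = 0x%016llx\n", sizes[i],
               r == CANARY_OK ? "canary intact" : "canary smashed, abort",
               (unsigned long long)ret);
    }
    return 0;
}
```

A 16-byte copy leaves the canary intact; 17 bytes already changes it, and 32 bytes overwrite the return address, which is exactly the case the check refuses to return into.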
     
  18. wrldwzrd89 macrumors G5

    wrldwzrd89

    Joined:
    Jun 6, 2003
    Location:
    Solon, OH
    #18
    Wow, munkery's post was interesting reading. I was unaware of these technical details of both OSes. That being said... I think that OS X's biggest potential weakness is lack of user awareness. This problem afflicts Windows too, obviously. It's much more acute on OS X since most users don't have security software - this is in turn due to the lack of viruses / worms on OS X.
     
  19. munkery macrumors 68020

    munkery

    Joined:
    Dec 18, 2006
    #19
    Mac OS X SL and Lion include XProtect by default. XProtect works with file quarantine to scan files to see if the files are malicious.

    Mac OS X Mountain Lion will include user defined code signing. The default state will require all software to be code signed. This will further reduce the potential to be affected by Trojans, given that unsigned code will not be able to run unless the user has specifically set up the system to allow it to do so.
     
  20. wrldwzrd89 macrumors G5

    wrldwzrd89

    Joined:
    Jun 6, 2003
    Location:
    Solon, OH
    #20
    Thanks, clears up my confusion on that matter ;)
     