Mac OS X Safety

Discussion in 'macOS' started by dilap, Feb 28, 2015.

  1. dilap, Feb 28, 2015
    Last edited: Feb 28, 2015

    dilap macrumors 6502a

    Joined:
    Apr 18, 2014
    Location:
    London, UK
    #1
  2. maflynn Moderator

    maflynn

    Staff Member

    Joined:
    May 3, 2009
    Location:
    Boston
    #2
    First off, there are no viruses in the wild for OS X. There are malware, but not viruses. That article is about crapware, and the last time I checked, my Mac never had crapware installed like what occurs on many PCs

    I think if you practice safe computer and don't click on links in an email that you don't recognize or has flags raised as a possible phishing attempt or click on a download of an app you're not familiar with, you're going to be fine.

    I think that article is just click bait pure and simple and OS X is as stable and locked down as before. True there is malware out there and the list is growing but you can avoid it fairly easily.
     
  3. dilap thread starter macrumors 6502a

    Joined:
    Apr 18, 2014
    Location:
    London, UK
    #3
    That's exactly what I thought. Due to the lack of viruses for OS X, everyone is trying to attack the reputation of Apple, and trying the get basically famous by discovering something, so they make something 100x once then it already is. Like you said, as long as you don't do anything stupid, you will be fine
     
  4. SlCKB0Y macrumors 68040

    SlCKB0Y

    Joined:
    Feb 25, 2012
    Location:
    Sydney, Australia
    #4
    The same is true on all platforms, Windows included. The problem is that there a lot of careless or stupid users out there.
     
  5. AFEPPL macrumors 68030

    AFEPPL

    Joined:
    Sep 30, 2014
    Location:
    England
    #5
    From the fence... theres a really good resource called the security vulnerability datasource, they are independent of any of the factions. What it does do is allow you to go and look at what has been reported or is known about at a given time for a given product or vendor. The number of viruses/malicious code out there that use or exploit these vulnerabilities is pretty much irrelevant. So don't count things like "viruses", count the underlying issue once only.

    You have to be careful how you read it and what meaning you extrapolate from the numbers. For example OS X is actual 4th in the list of the top 50 products in terms of the total number of "distinct" vulnerabilities. (964), Windows is lower (just at 5th with 728). Lower the placement number in the list, the worse the product is. Both examples above span the same timelines approximately, so are pretty much comparable. Chrome is 3, Firefox is 2 and linux kernel is number 1. So security or venerability goes beyond just a the OS - but remember, both those browsers are on BOTH OS platforms.

    You could also take for example Microsoft as a vendor, whom has 5012, where as Apple only (i say "only" in the sense it's less, rather than it's a small number) has 3210 reports. However, from the fence again and in the interest of being fair, the same issues are doubled up on the MS platform under the vendor search with the server and desktops lines, then reporting multiple times under the desktop line for XP, 7 and 8 etc. You then have IE etc etc. So again, without pouring JetA1 on a the proverbial fire you have to think about what each line actually means.

    From a true security point of view, the difference is actual not night and day between the two most argued about platforms....

    Here's the link to the resource - I'll let each individual conclude their own reality based on where and what they want it to be. http://www.cvedetails.com/top-50-products.php

    So for those shouting linux/unix/OS X is more secure... Hmmmm.
     
  6. GGJstudios macrumors Westmere

    GGJstudios

    Joined:
    May 16, 2008
    #6
    It's not irrelevant at all. Just because a vulnerability exists, doesn't mean it has been exploited. Every OS and every application has vulnerabilities, and a great number are patched before they are ever exploited. If no malware exists in the wild that exploits a vulnerability, there is no threat to the user.
     
  7. maflynn Moderator

    maflynn

    Staff Member

    Joined:
    May 3, 2009
    Location:
    Boston
    #7
    Its been easier for virus/malware makers to exploit Windows then OS X, so I think while you should practice safe computing regardless of the platform. For windows, you definitely need some antivirus software.
     
  8. AFEPPL macrumors 68030

    AFEPPL

    Joined:
    Sep 30, 2014
    Location:
    England
    #8
    Think you might want to compare that against those that have and haven't been patched first. A vulnerability by definition means there IS a threat to the end user like it or not. Just because a virus or a malware program exists means nothing if no one has it :p

    If you want to cause damage where would you focus your efforts?
    On a platform that makes up single digits, or one that makes up the majority?
     
  9. SlCKB0Y, Feb 28, 2015
    Last edited: Feb 28, 2015

    SlCKB0Y macrumors 68040

    SlCKB0Y

    Joined:
    Feb 25, 2012
    Location:
    Sydney, Australia
    #9
    You're talking about publicly reported vulnerabilities. I would argue that because the whole Linux kernel is open source (as is a significant part OS X), the following things apply which make reported vulnerabilities a bad metric as to the overall security of a platform:

    1. For Linux, pretty much every vulnerability is publicly reported. Microsoft would not disclose the vast majority of vulnerabilities discovered in-house. Bug bounties will also have an NDA attached.

    2. Being open source, the Linux kernel code is heavily studied and is under a tremendous amount of scrutiny. Code review makes the discovery of bugs and vulnerabilities more likely. In 2014 we saw a number of non-kernel exceptions to this.

    3. A publicly reported vulnerability in Linux almost always means a patch has been issued, or will be issued imminently. Microsoft recently allowed 90 days to pass and they still hadn't issued a fix for a discovered vulnerability.

    The bottom line is that whether you are talking about Windows or OS X, most malware do not exploit a vulnerability in the OS code to get into the system, they simply get the user to do the install for them by pretending to be something else.
     
  10. GGJstudios macrumors Westmere

    GGJstudios

    Joined:
    May 16, 2008
    #10
    False. A vulnerability means there is potential of a threat. It does not mean that a threat actually exists.
    That is true for proof-of-concept malware that does not exist in the wild.
    The "market share theory" has been debunked countless times. It is a false assumption.
     
  11. AFEPPL macrumors 68030

    AFEPPL

    Joined:
    Sep 30, 2014
    Location:
    England
    #11
    Only in your mind - the rest of the IT world don't thinks so!!!
    Im not talking PoC, using your logical if you don't have the virus, its not a problem and doesn't exist..

    A vulnerability - means its ACTUALLY exists and is an issue, not that it could exist.
    This is why all the patches have just come out for things like bash, shellshock, POODLE.

    I guess these are all fictional too?

    CVE-2014-4364 : An attacker can obtain WiFi credentials. An attacker could have impersonated a WiFi access point, offered to authenticate with LEAP, broken the MS-CHAPv1 hash, and used the derived credentials to authenticate to the intended access point even if that access point supported stronger authentication methods. This issue was addressed by disabling LEAP by default.
    CVE-2014-4426 : A remote attacker could determine all the network addresses of the system. The AFP file server supported a command which returned all the network addresses of the system. This issue was addressed by removing the addresses from the result.
    CVE-2013-6438, CVE-2014-0098 : Multiple vulnerabilities in Apache. Multiple vulnerabilities existed in Apache, the most serious of which may lead to a denial of service. These issues were addressed by updating Apache to version 2.4.9.
    CVE-2014-4427 : An application confined by sandbox restrictions may misuse the accessibility API. A sandboxed application could misuse the accessibility API without the user's knowledge. This has been addressed by requiring administrator approval to use the accessibility API on an per-application basis.
    CVE-2014-6271, CVE-2014-7169 : In certain configurations, a remote attacker may be able to execute arbitrary shell commands. An issue existed in Bash's parsing of environment variables. This issue was addressed through improved environment variable parsing by better detecting the end of the function statement. This update also incorporated the suggested CVE-2014-7169 change, which resets the parser state. In addition, this update added a new namespace for exported functions by creating a function decorator to prevent unintended header passthrough to Bash. The names of all environment variables that introduce function definitions are required to have a prefix "__BASH_FUNC<" and suffix ">()" to prevent unintended function passing via HTTP headers.
    CVE-2014-4428 : A malicious Bluetooth input device may bypass pairing. Unencrypted connections were permitted from Human Interface Device-class Bluetooth Low Energy devices. If a Mac had paired with such a device, an attacker could spoof the legitimate device to establish a connection. The issue was addressed by denying unencrypted HID connections.
    CVE-2014-4425 : The 'require password after sleep or screen saver begins' preference may not be respected until after a reboot. A session management issue existed in the handling of system preference settings. This issue was addressed through improved session tracking.
    CVE-2014-4430 : An encrypted volume may stay unlocked when ejected. When an encrypted volume was logically ejected while mounted, the volume was unmounted but the keys were retained, so it could have been mounted again without the password. This issue was addressed by erasing the keys on eject.
    CVE-2014-3537 : A local user can execute arbitrary code with system privileges. When the CUPS web interface served files, it would follow symlinks. A local user could create symlinks to arbitrary files and retrieve them through the web interface. This issue was addressed by disallowing symlinks to be served via the CUPS web interface.
    CVE-2014-4431 : In some circumstances, windows may be visible even when the screen is locked. A state management issue existed in the handling of the screen lock. This issue was addressed through improved state tracking.
    CVE-2014-4432 : The fdesetup command may provide misleading status for the state of encryption on disk. After updating settings, but before rebooting, the fdesetup command provided misleading status. This issue was addressed through improved status reporting.
    CVE-2014-4435 : iCloud Lost mode PIN may be bruteforced. A state persistence issue in rate limiting allowed brute force attacks on iCloud Lost mode PIN. This issue was addressed through improved state persistence across reboots.
    CVE-2014-4373 : An application may cause a denial of service. A NULL pointer dereference was present in the IntelAccelerator driver. The issue was addressed through improved error handling.
    CVE-2014-4405 : A malicious application may be able to execute arbitrary code with system privileges. A null pointer dereference existed in IOHIDFamily's handling of key-mapping properties. This issue was addressed through improved validation of IOHIDFamily key-mapping properties.
    CVE-2014-4404 : A malicious application may be able to execute arbitrary code with system privileges. A heap buffer overflow existed in IOHIDFamily's handling of key-mapping properties. This issue was addressed through improved bounds checking.
    CVE-2014-4436 : An application may cause a denial of service. A out-of-bounds memory read was present in the IOHIDFamily driver. The issue was addressed through improved input validation.
    CVE-2014-4380 : A user may be able to execute arbitrary code with system privileges. An out-of-bounds write issue exited in the IOHIDFamily driver. The issue was addressed through improved input validation.
    CVE-2014-4407 : A malicious application may be able to read uninitialized data from kernel memory. An uninitialized memory access issue existed in the handling of IOKit functions. This issue was addressed through improved memory initialization.
    CVE-2014-4388 : A malicious application may be able to execute arbitrary code with system privileges. A validation issue existed in the handling of certain metadata fields of IODataQueue objects. This issue was addressed through improved validation of metadata.
    CVE-2014-4418 : A malicious application may be able to execute arbitrary code with system privileges. A validation issue existed in the handling of certain metadata fields of IODataQueue objects. This issue was addressed through improved validation of metadata.
    CVE-2014-4371, CVE-2014-4419, CVE-2014-4420, CVE-2014-4421 : A local user may be able to determine kernel memory layout. Multiple uninitialized memory issues existed in the network statistics interface, which led to the disclosure of kernel memory content. This issue was addressed through additional memory initialization.
    CVE-2014-4433 : A maliciously crafted file system may cause unexpected system shutdown or arbitrary code execution. A heap-based buffer overflow issue existed in the handling of HFS resource forks. A maliciously crafted filesystem may cause an unexpected system shutdown or arbitrary code execution with kernel privileges. The issue was addressed through improved bounds checking.
    CVE-2014-4434 : A malicious file system may cause unexpected system shutdown. A NULL dereference issue existed in the handling of HFS filenames. A maliciously crafted filesystem may cause an unexpected system shutdown. This issue was addressed by avoiding the NULL dereference.
    CVE-2014-4375 : A local user may be able to cause an unexpected system termination or arbitrary code execution in the kernel. A double free issue existed in the handling of Mach ports. This issue was addressed through improved validation of Mach ports.
    CVE-2011-2391 : A person with a privileged network position may cause a denial of service. A race condition issue existed in the handling of IPv6 packets. This issue was addressed through improved lock state checking.
    CVE-2014-4408 : A local user may be able to cause an unexpected system termination or arbitrary code execution in the kernel. An out-of-bounds read issue existed in rt_setgate. This may lead to memory disclosure or memory corruption. This issue was addressed through improved bounds checking.
    CVE-2014-4442 : A local user can cause an unexpected system termination. A reachable panic existed in the handling of messages sent to system control sockets. This issue was addressed through additional validation of messages.
    CVE-2014-4422 : Some kernel hardening measures may be bypassed. The random number generator used for kernel hardening measures early in the boot process was not cryptographically secure. Some of its output was inferable from user space, allowing bypass of the hardening measures. This issue was addressed by using a cryptographically secure algorithm.
    CVE-2014-4437 : A local application may bypass sandbox restrictions. The LaunchServices interface for setting content type handlers allowed sandboxed applications to specify handlers for existing content types. A compromised application could use this to bypass sandbox restrictions. The issue was addressed by restricting sandboxed applications from specifying content type handlers.
    CVE-2014-4438 : Sometimes the screen might not lock. A race condition existed in LoginWindow, which would sometimes prevent the screen from locking. The issue was addressed by changing the order of operations.
    CVE-2014-4439 : Mail may send email to unintended recipients. A user interface inconsistency in Mail application resulted in email being sent to addresses that were removed from the list of recipients. The issue was addressed through improved user interface consistency checks.
    CVE-2014-4440 : When mobile configuration profiles were uninstalled, their settings were not removed. Web proxy settings installed by a mobile configuration profile were not removed when the profile was uninstalled. This issue was addressed through improved handling of profile uninstallation.
    CVE-2014-4441 : File Sharing may enter a state in which it cannot be disabled. A state management issue existed in the File Sharing framework. This issue was addressed through improved state management.
    CVE-2014-4351 : Playing a maliciously crafted m4a file may lead to an unexpected application termination or arbitrary code execution. A buffer overflow existed in the handling of audio samples. This issue was addressed through improved bounds checking.
    CVE-2013-5150 : History of pages recently visited in an open tab may remain after clearing of history. Clearing Safari's history did not clear the back/forward history for open tabs. This issue was addressed by clearing the back/forward history.
    CVE-2014-4417 : Opting in to push notifications from a maliciously crafted website may cause future Safari Push Notifications to be missed. An uncaught exception issue existed in SafariNotificationAgent's handling of Safari Push Notifications. This issue was addressed through improved handling of Safari Push Notifications.
    CVE-2014-3566 : An attacker may be able to decrypt data protected by SSL. There are known attacks on the confidentiality of SSL 3.0 when a cipher suite uses a block cipher in CBC mode. An attacker could force the use of SSL 3.0, even when the server would support a better TLS version, by blocking TLS 1.0 and higher connection attempts. This issue was addressed by disabling CBC cipher suites when TLS connection attempts fail.
    CVE-2014-4443 : A remote attacker may be able to cause a denial of service. A null dereference existed in the handling of ASN.1 data. This issue was addressed through additional validation of ASN.1 data.
    CVE-2014-4444 : A local user might have access to another user's Kerberos tickets. A state management issue existed in SecurityAgent. While Fast User Switching, sometimes a Kerberos ticket for the switched-to user would be placed in the cache for the previous user. This issue was addressed through improved state management.
    CVE-2014-4391 : Tampered applications may not be prevented from launching. Apps signed on OS X prior to OS X Mavericks 10.9 or apps using custom resource rules, may have been susceptible to tampering that would not have invalidated the signature. On systems set to allow only apps from the Mac App Store and identified developers, a downloaded modified app could have been allowed to run as though it were legitimate. This issue was addressed by ignoring signatures of bundles with resource envelopes that omit resources that may influence execution. OS X Mavericks v10.9.5 and Security Update 2014-004 for OS X Mountain Lion v10.8.5 already contain these changes.
     
  12. GGJstudios macrumors Westmere

    GGJstudios

    Joined:
    May 16, 2008
    #12
    I'm speaking from an end-user perspective. There are some in the IT world who are tasked with identifying and patching vulnerabilities, preferably before they are ever exploited.
    You obviously haven't read my thousands of postings over the years regarding malware. It's not, "if you don't have the virus, it's not a problem and doesn't exist", but rather, "if a virus doesn't exist in the wild, it's not a threat." The mere existence of a vulnerability doesn't pose a threat until an exploit is found in the wild. A vulnerability only provides the potential for a threat to be created, which doesn't happen in the vast majority of cases.
    No one said vulnerabilities are fictional. They exist in all software. They always have. Unless an exploit of a vulnerability is created and released in the wild, the presence of the vulnerability does not present a threat. An issue, yes; a threat, no. This is evidenced by the language in the CVE listing you posted, which uses phrases like “could have”, “could”, “supported a command”, “may lead to”, “may be able to”, “If… could have”. That means an exploit could have been created, posing a threat, but the vulnerability was patched before that ever happened.
     
  13. Fredn3ck, Mar 20, 2015
    Last edited by a moderator: Mar 20, 2015

    Fredn3ck macrumors newbie

    Fredn3ck

    Joined:
    Jan 24, 2015
    Location:
    USA
    #13
    Not to mention malware that is "FUD". If you know where to look (comrade) you will see FUD malware bought and sold at prices that would blow your mind. Why because it has the potential to make literally Millions by stealing from unsuspecting Banks, Corporations and Individuals.

    No Operating System is completely safe! OS X being somewhat open source might have a slight edge is this regard but there are no guarantees.
     

Share This Page