Microsofties weigh in on Apple security news

[Play4keeps]

http://www.linuxworld.com/news/2008/032708-gone-in-2-minutes-mac.html

It might not rise to the level of gloating, but in light of the beating that Windows Vista is taking in Apple's TV ads, it's clear that some members of Microsoft's security team are, ahem, taking note of some recent news items about Mac OS X security issues.

In this post from yesterday, for example, Microsoft's Jeff Jones starts by saying that he doesn't put a lot of stock in hacking contests such as the one this week at a CanSecWest conference. Then he continues:

"Okay, having said that, given how obnoxious and misleading I find those Mac OS X ads and how they've spent millions of dollars publicly criticizing Windows Vista security improvements, I find it ironic and apropos that Mac OS X was the first machine to be owned in the PWN 2 OWN contest at CanSecWest today."

On his blog, Microsoft's Robert Hensing notes that the Mac was hacked within 10 minutes of the start of the contest's second day. "Wonder what took so long? " Hensing writes.

On a related note, Jones also offers his take this week on reports comparing Microsoft vs. Apple vulnerability patching.

As documented by Jones himself, there have been signs of improvement in Windows Vista's security, but given Microsoft's history of security problems, it will be interesting to see how people react to their posts.

What do some of you think about this.

 

[clevin]

Im not surprised, M$ is being kind since they didn't throw our a windows vs. osx ads to exaggerate the whole thing.

Still, M$ has larger marketshare, same security problem will be amplified 19 times in their case. So they'd better taking care of their own business first.

Eventually, I hope Apple take its head out of sand and put users' safety at a higher position in their priority list, above those items about how they can make more money.

 

[Eraserhead]

Really they should both know better than to criticize security, taking the higher ground and all that.

Now all it is is two pots, calling each other black.

 

[Much Ado]

Now all it is is two pots, calling each other black.

And Linux, the kettle, watches smugly from the corner.

 

[Queso]

Haven't Microsoft learned by now that the moment they start going on about security the black hats start writing worms to knock them back down a peg or two? Redmond need to just keep their mouths shut and keep working on closing vulnerabilities quietly. The public will get the message soon enough.

 

[chagla]

if most people on earth were using mac os x instead of windows, there would be just as many malicious programs as there are for windows today. it is simply correlated with market share. same goes for linux. nothing extra ordinary about any of these operating systems, people are smart. they will figure something out.

the only way to protect a machine 100% is not going on the network.

 

[Sky Blue]

if most people on earth were using mac os x instead of windows, there would be just as many malicious programs as there are for windows today.

nonsense

 

[chagla]

nonsense

lets wait and see for mac osx to become the dominant operating system and only then your comment will be valid.

and my guess is...well...never.

oh, and here's something for you to look at. - http://www.linuxworld.com/news/2008/032708-gone-in-2-minutes-mac.html

 

[Agathon]

if most people on earth were using mac os x instead of windows, there would be just as many malicious programs as there are for windows today. it is simply correlated with market share. same goes for linux. nothing extra ordinary about any of these operating systems, people are smart. they will figure something out.

And your evidence is... not there.

I know people like saying this, but there is absolutely no proof of it, and considerable reason to doubt it (i.e. we should have had some small amount of malware by now. Even the Classic OS had that. But no...).

 

[clevin]

And your evidence is... not there.

I know people like saying this, but there is absolutely no proof of it, and considerable reason to doubt it (i.e. we should have had some small amount of malware by now. Even the Classic OS had that. But no...).

i put it in the middle

I used from mozilla to firefox before and after the popular spread of firefox, I would say that technologically maybe gecko and Unix are better than trident and windows. but small marketshare is also a significant factor.

Firefox has more than expect security problem once it got popular. If history means anything to you.

This contest, altho doesn't change the whole picture, also serves as a proof.

The good thing about firefox and Unix/Linux, is that, IMHO, they patch very quickly, so users don't get exposed to security risks.

And that, should be where apple heading. Empty slogan of security won't hold very long, a procedure need to be established by apple to taking care of their customers in such situation.

 

[Tallest Skil]

and my guess is...well...never.

You lose either way with that statement.

You're saying that his comment will only be valid when OS X is the marketshare leader, but you say that will never happen. It is not the marketshare leader now, and is widely agreed that his comment is currently valid.

 

[cohibadad]

It is interesting the Microsoft guys find the Apple ads offensive. It's all marketing marketing marketing. I wish Apple could just put out informative ads that show how their systems may meet the needs of users but they would undoubtedly flop. A short ad showing some colorized dancer with an ipod hanging out of their ear listening to a catchy song sells ipods. And a Mac ad banging away at something like security/viruses (which every PC owner who runs anti-virus/adware/malware can relate to) sells Macs.

 

[jonbravo77]

It is interesting the Microsoft guys find the Apple ads offensive. It's all marketing marketing marketing. I wish Apple could just put out informative ads that show how their systems may meet the needs of users but they would undoubtedly flop. A short ad showing some colorized dancer with an ipod hanging out of their ear listening to a catchy song sells ipods. And a Mac ad banging away at something like security/viruses (which every PC owner who runs anti-virus/adware/malware can relate to) sells Macs.

You are absolutely correct. And to be honest those Mac Vs. PC ads is what turned me to buy a mac. They had a sense of truth about them that hit home with all the pc's I've had.

I've said this before in another post. My belief is that Macs are more secure because the people writing the viruses and malware use macs, why screw up the platform they use...

Peace

 

[pastrychef]

nonsense

Agreed.

 

[kuwisdelu]

I've said this before in another post. My belief is that Macs are more secure because the people writing the viruses and malware use macs, why screw up the platform they use...

I think most virus writers use Linux.

 

[Eraserhead]

lets wait and see for mac osx to become the dominant operating system and only then your comment will be valid.

and my guess is...well...never.

Used .NET recently then? Unfortunately I have and its so much worse than Cocoa its not even funny, the difference is considerably larger than between OS X and Vista in quality.

Additionally as Apple is consistently targetting the top end of the market (very successfully too), based on the Pareto Principle within 5 years they are practically guaranteed to have a larger dollar share of the software market than Windows, even if they only have around a 15% share of the computer market in Europe, the US, Japan and the Asian Tigers.

Given that their frameworks are also far better, means that within 5 years a lot of the interesting software will be Mac only.

 

[Play4keeps]

I think most virus writers use Linux.

Im gonna go with this theory Linux/UNIX=MAC/tiny unix

"At any time linux users can unleash troubles"

Mostly if not all Linux users HATE windows if they do chance is they build/repair them and happily use Linux.

OSX/LINUX is a love hate relationship with

But with OSX fame comes Linux PainIma rapper
By the way they never got into the Linux box

 

[robert05au]

The wankers at microshaft show there true colors yet again and how jealous they really are.

The safari thing was a bad site which could allow any hacker access via pretty much any browser if the owner/user goes to that site.

Microshaft are forgetting one rather large thing IE has more problems than safari will ever have.

 

[scaredpoet]

I thik the proof is in the pudding:

Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but on Thursday the rules were relaxed so that attackers could direct contest organizers using the computers to do things like visit Web sites or open e-mail messages.

The moral of the story? The weakest leak remains the carbon-based lifrform in front of the keyboard.

No computer, no matter how "secure," is completely safe from an authorized user who has been tricked into compromising the security of their system.

 

[mstens]

And Linux, the kettle, watches smugly from the corner.

Funny, in my professional life I've seen more hacked linux servers than I'd like to really think about. Truly hacked that is. Not a browser exploit. Linux is another pot, that has no justification in being smug.

 

[heatmiser]

I'm amused at how many folks are taking this personally. Do half of you own Apple stock?

 

[scaredpoet]

I'm amused at how many folks are taking this personally. Do half of you own Apple stock?

I think the MS folks took the situation more personally than anyone on this thread.

I DO wish these industry people would stop sniping about who has the more secure OS. Quite frankly, both OS X and Vista have problems they need to address. One can argue that Apple has had less time to address these issues, and has enjoyed obscurity but can no longer, but that just isn't the point.

Apple needs to understand that as its products approach wider acceptance (and perhaps even commoditization?), they will be under greater scrutiny. And smugness isn't going to cut it when it comes to addressing security weaknesses.

Microsoft... well, they just haven't learned, period. Countless criticisms have been made. It's a waste of energy to repeat them. And as other players (Linux, OS X) become less-than-niche, those lessons are only going to get harder.

And EVERYONE needs to realize that when you put a gullible bafoon in front of a computer, all bets are off. Unless you take away the mouse and keyboard, and cover up the ports with spackle.

 

[Eraserhead]

Funny, in my professional life I've seen more hacked linux servers than I'd like to really think about. Truly hacked that is. Not a browser exploit. Linux is another pot, that has no justification in being smug.

But Linux hasn't to my knowledge said that other OS's are insecure, therefore its a kettle. Don't worry its still just as black as the pot.

 

[ThirteenXIII]

what kind of security exploits do theyt alk about specifically?

wiht a little verbose scripting you could gain access to any level user you wanted to, to me thats pretty crazy.

anyone with some knowledge could create a executable script on a machine that could tkae advantage of that im assuming.


but since i dont write exploits or things of that nature...its out of my league.
heh

 

[jokarak]

The wankers at microshaft show there true colors yet again and how jealous they really are.

The safari thing was a bad site which could allow any hacker access via pretty much any browser if the owner/user goes to that site.

Microshaft are forgetting one rather large thing IE has more problems than safari will ever have.

I don't think the Jones quote was a sign of jealously. At least the bit that was quoted by the original poster seemed to indicate that Jones was irritated by the nature of the ads (which are obviously exaggerated and made to look MS in a bad light), and that although these hacking contests don't mean much to him personally, it was fitting that the Mac got hacked first due to what he perceives to be overstated security claims from Apple.

The second quote is more unkind, but then, it is just a snippet, and the smiley face seems to indicate a more humorous approach.

In any event, the hack used by the man that broke into the MB Air seems to have been a problem with Safari, and it might be an overstatement to say that the same hack would have worked with pretty much any other browser. I guess my question is a) could the original hacker use the same method on the the other two machines, or the rules only allow one "winner" per box? b) Is the hack known by other people who could try to exploit it (I know that the original hacker had to sign a non-disclosure agreement, just wondering whether other people could have come to the same idea independently) on the other machines, but failed?

Finally, to all those saying that the exploit used is a fault of the user, I would say that is another oversimplification. First, direct web attacks can be achieved by hacking into the ad servers of legit sites, and secondly, I can guarantee that 100% of us have gone to at least one or two sites that we weren't sure was safe and that we had never visited before (be it during research, random browsing or whatever, you are bound to find some interesting link to an unknown website - that is simply the nature of the web). The exploit was not a "Nigerian money transfer" scam, it was simply directing the person at the keyboard to go to a specific website and then have the Mac be attacked. It could have happened to anyone using Safari (at least we assume it is Safari).