
Pwn2Own contest winner: Macs are safer than Windows

post #1 of 41
Thread Starter 
Charlie Miller, the security expert who won both this and last year's CanSecWest Pwn2Own security contests by exploiting Macs running Safari, repeated in an interview that he'd recommend Macs to typical users as a safer alternative to Windows PCs.

Following both Pwn2Own contests, numerous sensationalist headlines played up the idea that a Mac had been "cracked in seconds," conspicuously neglecting to mention what Miller called "the many days doing research and writing the exploit before the day of the competition," enabling him to discover the bugs and develop a way to successfully exploit them on the first try at the event.

Macs less secure, more safe

In an interview with Tom's Hardware, Miller stated, "I'd say that Macs are less secure for the reasons we've discussed here (lack of anti-exploitation technologies) but are more safe because there simply isn't much malware out there. For now, I'd still recommend Macs for typical users as the odds of something targeting them are so low that they might go years without seeing any malware, even though if an attacker cared to target them it would be easier for them."

Miller also offered some suggestions for users. "For all operating systems, make sure you keep your system up to date. That's the best thing you can do. On a PC, I'd recommend running some AV software to help clean up when things go bad. Otherwise, just be smart, pay attention, and hope for the best. It is possible to really lock down your computer (running noscript for example) and make it safer, but in my opinion it's not worth the trouble and the loss of functionality you experience."

Mac security software not recommended

When asked whether having outgoing firewalls, anti-spyware or anti-malware software, or not being logged in as a root user would have done anything to limit the extent of the exploits on the Mac that he demonstrated at the last two security events, Miller said, "None of those protections would have probably worked, or at least there were potential workarounds. The best thing the user could have done is not click on the malicious link. Of course, in some cases such as a man-in-the-middle attack, even this wouldn't have helped."

While neither of the exploits gained root access, Miller pointed out that "just [cracking into] running as the user is still very bad. I could have still watched keystrokes as you went to an online bank, read your calendar and address book, sent emails, etc. In real life, one or all of these things would have occurred."

No market for Mac malware

Repeating comments he made earlier, Miller noted that "Mac bugs aren't really valuable," pointing out that while the CanSecWest award of a new Mac notebook and the $5,000 "is a lot of money, it's really not that much when you consider what a bad guy could make with an exploit for an unknown vulnerability in, say, IE 8 running on Vista."

In a separate interview, Miller estimated that a researcher with an exploitable Windows vulnerability "could easily get $50,000 for that vulnerability. I'd say $50,000 is a low-end price point." The huge difference in vulnerability valuations between the Mac and Windows reflects the fact that there is no demand for creating malware on the Mac.

This winter Gregg Keizer wrote about Miller in Computerworld: "Criticizing security software for its cost, both in dollars and in the processor cycles it consumes, Miller admitted that he doesn't bother running any on his Macs. 'I don't think it protects me as well as it says,' he argued. 'If I was worried about attacks, I would use it, but I'm not worried.'"

At the time, Miller had taken Apple to task for recommending in a support document that Mac users consider installing antivirus software. Computerworld said Miller "pooh-poohed Apple's recommendation using the same logic as many longtime [Mac] users," and quoted Miller as saying, "Windows has 90% of the market, but [attackers] give it 100% of their time."

Vista's NX and ASLR malware counter-measures

While tech journalists and security vendors have been confidently announcing that the increasing popularity of Apple's Macs would eventually create a market for Mac malware, those warnings haven't materialized since they got started around 2003, just as Microsoft's efforts to ship what would become Windows Vista started to derail due to an epidemic of malware tainting Windows XP.

Microsoft was forced to start over with Vista several times and was distracted by the need to address immediate security problems in Windows XP. That resulted in Vista being delayed until the beginning of 2007. Once it did arrive, Vista introduced sophisticated new measures to make it more difficult for malicious crackers to inject code.

One is support for the CPU's NX bit, which allows a process to mark certain areas of memory as "Non-eXecutable" so the CPU will not run any code stored there. This is referred to as "executable space protection," and helps to prevent malicious code from being surreptitiously loaded into a program's data storage and subsequently executed to gain access to the same privileges as the program itself, an exploit known as a "buffer overflow attack."

A second security practice of Vista is "address space layout randomization" or ASLR, which is used to load executables, and the system libraries, heap, and stack into a randomly assigned location within the address space, making it far more difficult for crackers to know where to find vulnerabilities they can attack, even if they know what the bugs are and how to exploit them.

Miller told Tom's Hardware "the NX bit is very powerful. When used properly, it ensures that user-supplied code cannot be executed in the process during exploitation. Researchers (and hackers) have struggled with ways around this protection. ASLR is also very tough to defeat. This is the way the process randomizes the location of code in a process. Between these two hurdles, no one knows how to execute arbitrary code in Firefox or IE 8 in Vista right now. For the record, Leopard has neither of these features, at least implemented effectively. In the exploit I won Pwn2Own with, I knew right where my shellcode was located and I knew it would execute on the heap for me."

Snow Leopard security

While Apple did implement some support for NX and ASLR in Mac OS X, Leopard retains dyld (the dynamic loader responsible for loading all of the frameworks, dylibs, and bundles needed by a process) in the same known location, making it relatively trivial to bypass its ASLR. This is slated to change later this year in Snow Leopard.

With the much larger address space available to 64-bit binaries, Snow Leopard's ASLR will make it possible to hide the location of loaded code like a needle in a haystack, thwarting the efforts of malicious attackers to maintain predictable targets for controlling the code and data loaded into memory. Without knowing what addresses to target, the "vast majority of these exploits will fail," another security expert who has also won a high profile Mac cracking contest explained to AppleInsider.

The future of malware

That indicates that long before the Mac installed base becomes large enough to become attractive to the kinds of malicious attacks that pundits have long anticipated, Apple will close off the remaining points of access for exploiting Mac OS X just as Microsoft has done with Vista. The main difference will be that Mac users are more likely to quickly adopt Snow Leopard this year after it is released. Of course, Mac OS X already has other security features that prevent the easy installation of difficult to remove malware.

In contrast, after more than two years since its launch Vista adoption is still well below a third of the Windows active installed base, leaving far greater exposure for PC users and a vibrant market for Windows malware that's unlikely to go away anytime soon.

Additionally, the vast majority of netbooks, the only segment of the shrinking PC market that analysts see any hope for growth in, continue to run Windows XP rather than Vista. Microsoft hopes to get its new version of the Vista operating system, called Windows 7, running on netbooks at some point this year after it is released for desktop and full-sized notebook users.

Mac versus iPhone security

Despite having some of the same Safari-related vulnerabilities as the Mac, the iPhone was not exploited during the CanSecWest contest, even though the contest held out a $10,000 prize for cracking smartphones, double that offered for cracking desktop systems.

Speaking of an exploit that a researcher had successfully used against Safari on the Mac, Terri Forslof, manager of security response at 3Com Inc.'s TippingPoint security group, told Computerworld, "People wondered why wouldn't it work on the iPhone, why didn't he go for the $10,000. The vulnerability is absolutely there, but it's a lot tougher to exploit on the iPhone."

The article also apparently cited Forslof in saying, "'There was an exploit at the show that could have broken the iPhone,' said. [sic] 'But the researcher said that the $10,000 wasn't enough to part with that level of vulnerability.'" That indicates that there is a market for iPhone vulnerabilities (at least more than on the Mac desktop), but that those bugs are also harder to discover and successfully exploit.

The article also said that "in some cases TippingPoint wasn't able to pin down the exact phone or operating system version early enough to give researchers the lead time they needed to work up an exploit of a vulnerability they might have already uncovered," further shaming the "cracked in seconds" headlines applied to the Mac cracks, as if those successful attacks had been invented and performed at the event Hollywood-style in moments.

Computerworld also reported that "one researcher had prepared an exploit for a vulnerability on a BlackBerry Touch emulator, but the BlackBerry model used in the contest was the Bold. 'There was enough difference [between the two] that his exploit wasn't working,' Forslof said."
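
An added example (not from the article or any poster): a small C audit that reads two memory-map snapshots of the same program and reports the two gaps Miller describes for Leopard, a data region left executable (NX not applied, as with his shellcode on the heap) and a module loaded at the same base in both runs (ASLR not applied, as with dyld). It assumes the Linux `/proc/<pid>/maps` text format; the snapshots, paths and addresses are constructed sample data.

```c
/* Added example: audit two constructed memory-map snapshots for NX and ASLR gaps. */
#include <stdio.h>
#include <string.h>

#define MAX_REGIONS 16

struct region {
    unsigned long long start, end;
    char perms[5];   /* "rwxp"-style permission string */
    char name[64];   /* backing file, [heap] or [stack]; "" if anonymous */
};

/* Constructed sample data: the same hypothetical program on two separate runs. */
static const char RUN_A[] =
    "55d0c1a00000-55d0c1a52000 r-xp 00000000 08:02 1001 /usr/bin/demo\n"
    "55d0c1c51000-55d0c1c52000 rw-p 00051000 08:02 1001 /usr/bin/demo\n"
    "55d0c2f3a000-55d0c2f5b000 rwxp 00000000 00:00 0 [heap]\n"
    "7f2b14000000-7f2b141c0000 r-xp 00000000 08:02 2002 /lib/libdemo.so\n"
    "7ffd1a2e0000-7ffd1a301000 rw-p 00000000 00:00 0 [stack]\n"
    "7fff5fc00000-7fff5fc3c000 r-xp 00000000 08:02 3003 /lib/loader-demo.so\n";
static const char RUN_B[] =
    "5621f4e00000-5621f4e52000 r-xp 00000000 08:02 1001 /usr/bin/demo\n"
    "5621f5051000-5621f5052000 rw-p 00051000 08:02 1001 /usr/bin/demo\n"
    "5621f63b1000-5621f63d2000 rwxp 00000000 00:00 0 [heap]\n"
    "7f9c80000000-7f9c801c0000 r-xp 00000000 08:02 2002 /lib/libdemo.so\n"
    "7ffe03b10000-7ffe03b31000 rw-p 00000000 00:00 0 [stack]\n"
    "7fff5fc00000-7fff5fc3c000 r-xp 00000000 08:02 3003 /lib/loader-demo.so\n";

/* Parse one line: "start-end perms offset dev inode [path]". Returns 1 on success. */
static int parse_line(const char *line, struct region *r)
{
    memset(r, 0, sizeof *r);
    return sscanf(line, "%llx-%llx %4s %*s %*s %*s %63s",
                  &r->start, &r->end, r->perms, r->name) >= 3;
}

/* Split a snapshot into lines and parse each; returns the number of regions. */
int parse_snapshot(const char *text, struct region *out, int max)
{
    int count = 0;
    while (*text && count < max) {
        size_t full = strcspn(text, "\n");
        char line[256];
        size_t len = full < sizeof line ? full : sizeof line - 1;
        memcpy(line, text, len);
        line[len] = '\0';
        if (parse_line(line, &out[count]))
            count++;
        text += full;
        if (*text == '\n')
            text++;
    }
    return count;
}

/* NX gap: executable and also writable, or an executable heap/stack. */
int violates_nx(const struct region *r)
{
    int w = r->perms[1] == 'w', x = r->perms[2] == 'x';
    int data = !strcmp(r->name, "[heap]") || !strcmp(r->name, "[stack]");
    return x && (w || data);
}

int count_nx_violations(const struct region *r, int n)
{
    int count = 0;
    for (int i = 0; i < n; i++)
        count += violates_nx(&r[i]);
    return count;
}

/* First mapping with this name; its start is the module's base address. */
static const struct region *first_named(const struct region *r, int n, const char *name)
{
    for (int i = 0; i < n; i++)
        if (!strcmp(r[i].name, name))
            return &r[i];
    return NULL;
}

/* ASLR gap: collect named modules whose base is identical in both runs. */
int find_fixed_bases(const struct region *a, int na, const struct region *b, int nb,
                     const char *fixed[], int max)
{
    int count = 0;
    for (int i = 0; i < na && count < max; i++) {
        if (!a[i].name[0] || first_named(a, na, a[i].name) != &a[i])
            continue;   /* skip anonymous regions and non-base segments */
        const struct region *other = first_named(b, nb, a[i].name);
        if (other && other->start == a[i].start)
            fixed[count++] = a[i].name;
    }
    return count;
}

int main(void)
{
    struct region a[MAX_REGIONS], b[MAX_REGIONS];
    const char *fixed[MAX_REGIONS];
    int na = parse_snapshot(RUN_A, a, MAX_REGIONS);
    int nb = parse_snapshot(RUN_B, b, MAX_REGIONS);

    for (int i = 0; i < na; i++)
        if (violates_nx(&a[i]))
            printf("NX gap: %s is mapped %s\n", a[i].name, a[i].perms);
    int nf = find_fixed_bases(a, na, b, nb, fixed, MAX_REGIONS);
    for (int i = 0; i < nf; i++)
        printf("ASLR gap: %s has the same base in both runs\n", fixed[i]);
    return 0;
}
```
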
post #2 of 41
I disagree with the statement that Macs, even though safer, are less secure. Are you telling me that with 10% of the market share, not a single virus-writer bothered to have some fun to make a Mac virus? The statement would be false, as evidenced by the fact that Linux has had several viruses written for it, proof-of-concept or otherwise, and its market share is about a tenth as large as that of Mac OS X.

No. There are other reasons. For one, you have to type in a password to make any system changes or install software. And for another, the UNIX operating system simply has less holes than Windows NT.
post #3 of 41
Hats off to Charlie Miller and AI for succinctly summing up the current state of Windows/OS X security in a nutshell.

Enough with the metaphors, already!
post #4 of 41
My only criticism of what appears to have been an otherwise very well written article was dubbing Windows 7 as the "next version of the Vista operating system" instead of the "next version of the Windows operating system".

Certainly nobody would have called Mac OS X Leopard the "next version of the Tiger operating system".
post #5 of 41
It's a good article. I hope people actually read it all the way through before making stupid comments.
post #6 of 41
No viruses, no spyware - 2.5 years - no problems.
2011 13" 2.3 MBP, 2006 15" 2.16 MBP, iPhone 4, iPod Shuffle, AEBS, AppleTV2 with XBMC.
post #7 of 41
It's Mac! Apple's platform is perfect and impenetrable! Any alternate theory to this iron-clad truth just doesn't compute. This guy is a liar! I know better than he does, because I'm a Mac user!

etc, etc.

Quote:
Originally Posted by archer75 View Post

It's a good article. I hope people actually read it all the way through before making stupid comments.

post #8 of 41
No viruses, no spyware - 20 years - no problems.
I know there were some viruses for the classic Mac OS, but never used
AV software and never got hit by a virus.

Now I am working as a locked down user.
Rarely using the administrator account, and when I use the admin account
I don't use teh Intarweb.
post #9 of 41
So he says they are safer due to less userbase. He also states that security wise if somebody wanted to it's easier to write malware and viruses for macs.

So if macs get more market share then it will be more and more likely to get targeted.

So i wouldn't really say they are safer. It's like saying the Sun can't explode because it hasn't yet.
post #10 of 41
"In a separate interview, Miller estimated that a researcher with an exploitable Windows vulnerability "could easily get $50,000 for that vulnerability. I’d say $50,000 is a low-end price point." The huge difference in vulnerability valuations between the Mac and Windows reflect the fact that there is no demand for creating malware on the Mac."

So this low-life son-of-a-bitch finally admits that "researchers" sell exploits to the bad guys. So much for the so-called altruistic motives of these slimy worms. If it can be proven that someone like Miller offered his exploit for sale he should be prosecuted and thrown in jail. He's no different than an arms dealer selling guns to the Mexican drug cartels.
post #11 of 41
Too often, people discuss two separate (sometimes related) security issues as if they are the same thing: a hacker manually attacking one machine, vs. mass malware attacks. They're not the same. Individuals have sat down and hacked into individual target Macs many times, and they will again. Every OS will always have bugs left to catch. But nobody has ever made a successful self-spreading Internet virus or worm for OS X. As a result, saying that it's easy to do so is somewhat empty talk--year after year. (I do believe the day will come--but I've kept fearing that since 2001 and nothing has happened. When it does, I expect it to be quickly understood and stamped out.)

Quote:
Originally Posted by lkrupp View Post

"In a separate interview, Miller estimated that a researcher with an exploitable Windows vulnerability "could easily get $50,000 for that vulnerability. I’d say $50,000 is a low-end price point." The huge difference in vulnerability valuations between the Mac and Windows reflect the fact that there is no demand for creating malware on the Mac."

So this low-life son-of-a-bitch finally admits that "researchers" sell exploits to the bad guys. So much for the so-called altruistic motives of these slimy worms. If it can be proven that someone like Miller offered his exploit for sale he should be prosecuted and thrown in jail. He's no different than an arms dealer selling guns to the Mexican drug cartels.

Why do you assume ALL researchers are criminals just because SOME are? And why are you sure Miller is a criminal? Just because a cop knows the price of heroin doesn't mean he's a drug dealer. Most security researchers do nothing but good, even if they know the price of a Windows vulnerability.

After reading this, YOU now know the price is $50,000+. Does that make you a criminal?

P.S. Miller does use some hyperbole: "no" demand for Mac malware is an awfully extreme statement. I'd go with "much less." The Mac-using demographic is worthy of attack, and the prestige of a successful widespread Mac malware attack IS worth something to some people.
post #12 of 41
Quote:
Originally Posted by macosxp View Post

I disagree with the statement that Macs, even though safer, are less secure. Are you telling me that with 10% of the market share, not a single virus-writer bothered to have some fun to make a Mac virus? The statement would be false, as evidenced by the fact that Linux has had several viruses written for it, proof-of-concept or otherwise, and its market share is about a tenth as large as that of Mac OS X.

No. There are other reasons. For one, you have to type in a password to make any system changes or install software. And for another, the UNIX operating system simply has less holes than Windows NT.

I agree when it comes to viruses, and most likely with spyware/malware. The spyware/malware issue seems to primarily affect IE users due to its support of the über-security compromised ActiveX control (which is why I always tell people to use IE only if they have to access a site that requires it, and also to not use software such as Windows Media Player, because it allows for embedded IE).

However, the ability to have a malicious website insert executable code could still allow an attack of sorts, particularly of the type mentioned here (a keylogger for example quite probably would not need an administrative password to run for the currently logged in user).

I'm not aware of any Linux-based viruses. I would think they would be just as difficult to implement as a MacOS-based virus for exactly the same reasons. I'm sure there are trojans and worms out there, just as there are for the Mac. And just as those for the Mac, they would most likely require some sort of user intervention (hey, double-click this file that looks like it might be a picture but really is code), and wouldn't be able to affect system files or processes without an admin password.

I believe Windows has generally been more susceptible because most users use a single login account which is a member of the Administrators group, and as such, has full rein of the system. Additionally, its monolithic kernel has allowed some level of communication between so-called user and system processes.
post #13 of 41
so Miller did not get root access with his attack, even though the Mac was running in Admin mode. he is right of course that he could still steal information, spoof emails, and invade/erase a user's files. but that is not turning the Mac into a bot like the Cornflicker worm does to PC's with no individual effort needed. it's a focused one-at-a-time attack that is labor intensive and slow to reward. the NSA might do it to spy on you, but for a crook phishing is a lot easier way to steal someone's bank account info quick (i get about one sophisticated phish email a month).

no doubt with more effort on that individual Mac he could then crack the password(s) that would finally give him total root control of the computer and install any programs and do anything (most consumers use relatively simple pw's). but crooks aren't going to go through that much extra work with a single random consumer just to set up a single bot unit or look for financial info hit-and-miss (although business computers with lots and lots of money in their accounts to access are a whole other matter ...).

all of which adds up to the Mac's practical security advantage. it's not just the market share, it is the inefficient (for the crook) extra trouble it takes. we'll see in a few months what Snow Leopard does for its improved technical security. and next wednesday we'll see what the Cornflicker bots do to everyone else.
post #14 of 41
Quote:
Originally Posted by lfmorrison View Post

My only criticism of what appears to have been an otherwise very well written article was dubbing Windows 7 as the "next version of the Vista operating system" instead of the "next version of the Windows operating system".

Certainly nobody would have called Mac OS X Leopard the "next version of the Tiger operating system".

He may have been referring to the fact that Windows "7" (in reality, Windows 6.1) is an update to Vista (6.0).

Quote:
Originally Posted by majortom1981 View Post

So he says they are safer due to less userbase. He also states that security wise if somebody wanted to it's easier to write malware and viruses for macs.

So if macs get more market share then it will be more and more likely to get targeted.

So i wouldn't really say they are safer. It's like saying the Sun can't explode because it hasn't yet.

Please refer to:

Quote:
Originally Posted by archer75 View Post

It's a good article. I hope people actually read it all the way through before making stupid comments.



Quote:
Originally Posted by djames42 View Post

I'm not aware of any Linux-based viruses. I would think they would be just as difficult to implement as a MacOS-based virus for exactly the same reasons. I'm sure there are trojans and worms out there, just as there are for the Mac. And just as those for the Mac, they would most likely require some sort of user intervention (hey, double-click this file that looks like it might be a picture but really is code), and wouldn't be able to affect system files or processes without an admin password.

While I can't speak from the point of view of an actual Linux user, my first thought would be that Linux might actually be harder to exploit due to the extreme fragmentation of window managers, applications, drivers, and other underlying frameworks that is inherent to the Linux world. You could uncover an exploitable bug in KDE, but that'd still leave out all the people using Gnome, Xfce, etc. etc. etc.
post #15 of 41
Quote:
Originally Posted by copeland View Post

No viruses, no spyware - 20 years - no problems.
I know there were some viruses for the classic Mac OS, but never used
AV software and never got hit by a virus.

This is why I don't buy the "security through obscurity" argument. Pre-Mac OS X had viruses and yet the marketshare was significantly smaller and there was no widespread internet to help propagate viruses. Now with 10% of computers in the US being Macs and over 60% of $1000+ PCs being Macs (ie: people with money to burn) it makes no sense that there are considerably less viruses (including weak proof-of-concepts) for that argument to work.
Dick Applebaum on whether the iPad is a personal computer: "BTW, I am posting this from my iPad pc while sitting on the throne... personal enough for you?"
post #16 of 41
Quote:
Originally Posted by Alfiejr View Post

no doubt with more effort on that individual Mac he could then crack the password(s) that would finally give him total root control of the computer and install any programs and do anything (most consumers use relatively simple pw's). but crooks aren't going to go through that much extra work with a single random consumer just to set up a single bot unit or look for financial info hit-and-miss (although business computers with lots and lots of money in their accounts to access are a whole other matter ...).

I'm guessing that would be very difficult. The passwords stored in the netinfo database files are readable only by root. One would have to get root access first before they could then gain access to the password hashes.
post #17 of 41
Quote:
Originally Posted by Shunnabunich View Post

He may have been referring to the fact that Windows "7" (in reality, Windows 6.1) is an update to Vista (6.0).

Well, sure. But in that sense, Windows XP (in reality Windows 5.1) was an update to Windows 2000 (in reality, 5.0). And then so was Windows Server 2003 (in reality Windows 5.2).

To look at it from the other side of the fence, Mac OS X version 10.3.0 was called Panther. The next version of Panther was version 10.3.1. On the other hand, the next version of Mac OS X was version 10.4.0, called Tiger.

Microsoft generally labels such minor updates as "Service Packs".
post #18 of 41
Quote:
Originally Posted by lfmorrison View Post

Well, sure. But in that sense, Windows XP (in reality Windows 5.1) was an update to Windows 2000 (in reality, 5.0). And then so was Windows Server 2003 (in reality Windows 5.2).

To look at it from the other side of the fence, Mac OS X version 10.3.0 was called Panther. The next version of Panther was version 10.3.1. On the other hand, the next version of Mac OS X was version 10.4.0, called Tiger.

Microsoft generally labels such minor updates as "Service Packs".

No disagreement there, although I might add that neither XP nor 2003 was intended to mislead consumers about the version number to artificially inflate the sense of "advancement", the way 7 is. 2003 refers to the year, like Windows 95 and 98 did, and XP was just a name (perhaps they were tired of using years for everything). So perhaps Dan just felt it bore pointing out. Apple didn't call OS 10.1 "Mac OS 11", they called it 10.1. But anyway, that's another thread.
post #19 of 41
Quote:
Originally Posted by lfmorrison View Post

Well, sure. But in that sense, Windows XP (in reality Windows 5.1) was an update to Windows 2000 (in reality, 5.0). And then so was Windows Server 2003 (in reality Windows 5.2).

You do have a point but so does the author as the differences were very slight in relation to the underlying code. Some apps were added, some taken off and there was the Fisher-Price UI change that we all know and love to make it more consumer friendly over business, but I think that most of it was pretty much just a facelift which does make it more of a lateral, rather than a forward move.

Quote:
To look at it from the other side of the fence, Mac OS X version 10.3.0 was called Panther. The next version of Panther was version 10.3.1. On the other hand, the next version of Mac OS X was version 10.4.0, called Tiger.

Microsoft generally labels such minor updates as "Service Packs".

While the duration between Apple's point releases and MS' Service Packs were in line, that is the only similarity between the two. Apple's point releases are major revisions to the code from the kernel to the UI, while their point updates are mostly bug fixes and performance updates, with very little attention given to new features unless needed. Service Packs offer bug fixes and performance updates just like Apple's point updates, though they are more likely to add some new features that the original OS did not have, but that is to be expected in the world of SW when you are selling the same OS so many years later.

It's hard to see why Apple is able to release a drastically new OS much more often than MS when you think about it. Apple has limited HW to support, is using a lot more open-source code and has incorporated a module design that allows for dynamic transitions of one area without affecting the rest of the widget. A 64-bit OS between Mac OS X and Windows illustrates this last part well.
Dick Applebaum on whether the iPad is a personal computer: "BTW, I am posting this from my iPad pc while sitting on the throne... personal enough for you?"
post #20 of 41
Quote:
Originally Posted by lfmorrison View Post

My only criticism of what appears to have been an otherwise very well written article was dubbing Windows 7 as the "next version of the Vista operating system" instead of the "next version of the Windows operating system".

Certainly nobody would have called Mac OS X Leopard the "next version of the Tiger operating system".

"Windows" is not an operating system, it's a brand name.

There are few or no OS technology similarities between Windows 3.1, Windows CE, Windows NT. So referring to Windows 7 as the next version of Windows Vista is useful because it says something about what Windows 7 actually is (it's built on Vista, not the XP code base that netbooks currently use), while calling it the "next Windows" is just marketing babble.

For the same reason, we take pains to call the Mac system software prior to Mac OS X the "classic Mac OS." But since there have been no branches in Mac OS X since it was released, nor any other unrelated products sold under the Mac OS X brand, there's no reason to call Leopard a version of Tiger.

If Apple starts using "Mac OS X" to refer to completely unrelated products with no similarities, then we'll have to start drawing the link between Tiger to Leopard to Snow Leopard explicitly, but you already know that they're related because Apple isn't just marketing a meaningless name.
post #21 of 41
Quote:
Originally Posted by nagromme View Post


Why do you assume ALL researchers are criminals just because SOME are? And why are you sure Miller is a criminal? Just because a cop knows the price of heroin doesn't mean he's a drug dealer. Most security researchers do nothing but good, even if they know the price of a Windows vulnerability.

After reading this, YOU now know the price is $50,000+. Does that make you a criminal?

What you say is true and mass generalizations are almost always unfair. However, the implication of the article, as I see it, supports lkrupp.

Quote:
The article also apparently cited Forslof in saying, "'There was an exploit at the show that could have broken the iPhone,' said. [sic] 'But the researcher said that the $10,000 wasn't enough to part with that level of vulnerability.'" That indicates that there is a market for iPhone vulnerabilities (at least more than on the Mac desktop), but that those bugs are also harder to discover and successfully exploit.

This clearly indicates that it is not just that the security experts know what an iPhone exploit is worth, but also that they will not part with one for only 20% of what it is worth on the "market." For this to make sense, either they are waiting for a bigger legal prize to be offered (Who is going to do that?) or they are planning to sell the exploit.
Progress is a comfortable disease
--e.e.c.
post #22 of 41
Quote:
Originally Posted by lkrupp View Post

"In a separate interview, Miller estimated that a researcher with an exploitable Windows vulnerability "could easily get $50,000 for that vulnerability. I'd say $50,000 is a low-end price point." The huge difference in vulnerability valuations between the Mac and Windows reflect the fact that there is no demand for creating malware on the Mac."

So this low-life son-of-a-bitch finally admits that "researchers" sell exploits to the bad guys. So much for the so-called altruistic motives of these slimy worms. If it can be proven that someone like Miller offered his exploit for sale he should be prosecuted and thrown in jail. He's no different than an arms dealer selling guns to the Mexican drug cartels.

Before you run after Miller with a pitchfork, keep in mind that spammers and virus writers are not the only market offering money for Windows exploits. There are also security companies who want exploits so they can offer fixes for vulnerabilities, or companies that want to develop their own security and need to know what bugs they must address, and so on.
post #23 of 41
Quote:
Originally Posted by Alfiejr View Post

so Miller did not get root access with his attack, even though the Mac was running in Admin mode. he is right of course that he could still steal information, spoof emails, and invade/erase a user's files. but that is not turning the Mac into a bot like the Cornflicker worm does to PC's with no individual effort needed. it's a focused one-at-a-time attack that is labor intensive and slow to reward. the NSA might do it to spy on you, but for a crook phishing is a lot easier way to steal someone's bank account info quick (i get about one sophisticated phish email a month).

no doubt with more effort on that individual Mac he could then crack the password(s) that would finally give him total root control of the computer and install any programs and do anything (most consumers use relatively simple pw's). but crooks aren't going to go through that much extra work with a single random consumer just to set up a single bot unit or look for financial info hit-and-miss (although business computers with lots and lots of money in their accounts to access are a whole other matter ...).

all of which adds up to the Mac's practical security advantage. it's not just the market share, it is the inefficient (for the crook) extra trouble it takes. we'll see in a few months what Snow Leopard does for its improved technical security. and next wednesday we'll see what the Cornflicker bots do to everyone else.

Yeah, it's a bit bunk. So they can get into a single machine if you visit a porn site, big deal, it can't install anything and spread. I thought he needed root access to win. Oh wait, OS X is too secure for that, because I need to enter a password to install something but I can open System Preferences without a password, Paul Thurrott.
post #24 of 41
Quote:
Originally Posted by copeland View Post

No viruses, no spyware - 20 years - no problems.
I know there were some viruses for the classic Mac OS, but never used
AV software and never got hit by a virus.

Now I am working as a locked down user.
Rarely using the administrator account, and when I use the admin account
I don't use teh Intarweb.

I remember years ago using a free Classic Mac OS virus software I think was called Disinfect. It never found a single virus on any of my work Macs since 1986.
post #25 of 41
I've been following this Pwn2Own contest for a while now, and this article about Charlie Miller is being very selective of the facts they bring up. He also made statements that hacking into a Mac is so easy, it's like child's play. The Safari vulnerabilities were so big and easy to exploit that he had the machine hacked in minutes. He also went on to say that he didn't bother trying to go after the Firefox or IE8 hack in Windows because it was just too difficult and not worth the effort.
Nils, who cracked all three (Safari, Firefox, and IE8) even made the decision to go after Firefox on the Mac because it was significantly easier than on Windows.
He even says that if a hacker wanted to target a Mac, it would be a lot easier for them. They say that they can hack in to these systems with relative ease, and that the only thing keeping Mac users safe is obscurity, and that hackers just aren't targeting Mac users yet. That doesn't make me safe. Just because I live in a nice neighborhood with no crime, it doesn't mean that I don't want a lock on my door.
So sadly, the Mac's success and larger market share is actually a security downside to us, who now have to worry about potential threats.
And as for selling these bugs for $50,000, Charlie Miller was referring to selling them back to Microsoft or Apple. His point was that these companies pay people to find these bugs, and find exploits for them, so why should he put in all this work to do the same thing and then just give that knowledge away?
post #26 of 41
Quote:
Originally Posted by lantzn View Post

I remember years ago using a free Classic Mac OS virus software I think was called Disinfect. It never found a single virus on any of my work Macs since 1986.

I suppose that either means Mac viruses were still rare, even back then, or Disinfect wasn't very good.
post #27 of 41
Quote:
Originally Posted by lantzn View Post

I remember years ago using a free Classic Mac OS virus software I think was called Disinfect. It never found a single virus on any of my work Macs since 1986.

Any way you slice it, in terms of security, Macs have ALWAYS been the safer bet. This has been true historically, and still true today, whatever the reasons are.

I've surfed the net unimpeded for years now.

No antivirus/anti-malware/anti-spyware software required
No maintenance required
No slowdowns
More stability
. . . which all translates to more time just using the OS to get things done rather than tinkering with it and keeping an eye on it.


Well worth Ballmer's "$500 Apple-tax" . . . if that figure is even accurate.

I have to laugh at all the poor Windows users on Neowin, for example, constantly inquiring about "the best" antivirus software for Windows 7. Oh well, they'll never learn. They seem to enjoy Conficker cream pie. All just to run Crysis with whatever current hot-shit videocard is out there. Until of course, they outgrow games. And then just play with fine-tuning the antivirus and Windows itself just to keep things running.
post #28 of 41
Quote:
Originally Posted by Baron von Smiley View Post

I've been following this Pwn2Own contest for a while now, and this article about Charlie Miller is being very selective of the facts they bring up. He also made statements that hacking into a Mac is so easy, it's like child's play. The Safari vulnerabilities were so big and easy to exploit that he had the machine hacked in minutes. He also went on to say that he didn't bother trying to go after the Firefox or IE8 hack in Windows because it was just too difficult and not worth the effort.
Nils, who cracked all three (Safari, Firefox, and IE8) even made the decision to go after Firefox on the Mac because it was significantly easier than on Windows.
He even says that if a hacker wanted to target a Mac, it would be a lot easier for them. They say that they can hack in to these systems with relative ease, and that the only thing keeping Mac users safe is obscurity, and that hackers just aren't targeting Mac users yet. That doesn't make me safe. Just because I live in a nice neighborhood with no crime, it doesn't mean that I don't want a lock on my door.
So sadly, the Mac's success and larger market share is actually a security downside to us, who now have to worry about potential threats.
And as for selling these bugs for $50,000, Charlie Miller was referring to selling them back to Microsoft or Apple. His point was that these companies pay people to find these bugs, and find exploits for them, so why should he put in all this work to do the same thing and then just give that knowledge away?

It's been over 7 years now. Where's the beef? After all these Pwn2Own contests and proof-of-concept lab experiments, we're still as safe as we were years ago. According to critics, OS X should have been brought to its knees (a la Windows) years ago. But still nothing . . .
post #29 of 41
Although he says Macs are safer because people choose not to target them, there is more of a worry when it comes to a targeted attack. Marketshare aside, if they are easier to exploit, they are less secure. This could have implications for PCs too, because someone doing a targeted attack on an organization may find it easier to break into the Mac and subsequently gain access to other machines, meaning that organizations may trust them less on their internal networks.

One thing that not being a target does is make Apple's developers complacent when it comes to security issues and that's not a good thing. The concern is not so much over viruses and malware but things that can do much more serious damage to an individual. For example, if a scammer on ebay sends you a link that allows them to compromise your machine and monitor passwords to bank accounts. I consider this to be a much more serious issue than computer slowdown, popups etc.

Hopefully Apple will address security flaws in Snow Leopard and use more techniques to prevent such attacks from happening. It's a constant battle, so a system will never become impenetrable, but not being a target doesn't mean Apple shouldn't use the latest security techniques, and it's clear that, given how Vista implements measures Leopard doesn't, they are lagging behind in this area.
post #30 of 41
Weird...

http://blogs.zdnet.com/security/?p=2941

"Why Safari? Why didn't you go after IE or Safari?

It's really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don't do. Hacking into Macs is so much easier. You don't have to jump through hoops and deal with all the anti-exploit mitigations you'd find in Windows.

It's more about the operating system than the (target) program. Firefox on Mac is pretty easy too. The underlying OS doesn't have anti-exploit stuff built into it."
post #31 of 41
it's another era now. Nobody writes viruses anymore. Everyone steals worms, Trojan horses from mate's hard drive.
Worm copy-pasters simply can't afford a Mac. That's the most powerful antivirus tool.

We mean Apple no harm.

People are lovers, basically. -- Engadget livebloggers at the iPad mini event.

post #32 of 41
Now as I'm thinking, it's been a year since I had my new MacBook and it still runs as fast as I first opened it. It just blows my mind, because none of my friends who have PCs can say that. They constantly have to ask, fix and think about their computer getting slow or something.
Apple had me at scrolling
post #33 of 41
Quote:
Originally Posted by iVlad View Post

Now as I'm thinking, it's been a year since I had my new MacBook and it still runs as fast as I first opened it. It just blows my mind, because none of my friends who have PCs can say that. They constantly have to ask, fix and think about their computer getting slow or something.

My experience with friends and family, non-geek division, suggests that the PC using public just has a totally different idea about computer ownership: you buy them dirt cheap, they work for a couple of years max, and you basically just throw them away and buy a new one.

It's not that they actually break, they just become unusable due to cruft, and for most folks it's easier to just buy another $400 box than it is to clean things out.
They spoke of the sayings and doings of their commander, the grand duke, and told stories of his kindness and irascibility.
post #34 of 41
Quote:
Originally Posted by iVlad View Post

Now as I'm thinking, it's been a year since I had my new MacBook and it still runs as fast as I first opened it. It just blows my mind, because none of my friends who have PCs can say that. They constantly have to ask, fix and think about their computer getting slow or something.

My PowerBook was born... err, made in December of 2004 and I can say the same, too. The only thing really making me want to upgrade right now is the gradually increasing number of apps and (especially) games that are Intel-only.
post #35 of 41
Quote:
Originally Posted by iVlad View Post

Now as I'm thinking, it's been a year since I had my new MacBook and it still runs as fast as I first opened it. It just blows my mind, because none of my friends who have PCs can say that. They constantly have to ask, fix and think about their computer getting slow or something.

Snow Leopard will make you happy as my benchmarks already show a worthwhile boost in performance.
Dick Applebaum on whether the iPad is a personal computer: "BTW, I am posting this from my iPad pc while sitting on the throne... personal enough for you?"
post #36 of 41
to understand what happens in the real world, you have to think like a crook, not a hacker.

- there are 10's of millions of PC's running XP around the world, and many are not updated with all the security patches. those are easy targets.
- there are 10's of millions of PC's running pirated XP (and Vista?) around the world. those cannot be easily updated with all security patches and so are even easier targets.
- you can use automated attack programs to get full root control of these PC's - you don't have to attack them one at a time manually. so you can get control of hundreds or even thousands in a short period of time to create your bot net.
- whereas the Macs you do have to attack manually to get root control one at a time if you want to create a bot. that takes much longer.
- you're doing all this for money - millions - not glory. and time is money.

so what are you going to do? Duh. goodbye Macs, hello Cornflicker.

there is another group of crooks taking a different approach, which is to attack individual business networks one at a time in order to get to their financial accounts and move money, steal credit card info, or perhaps economic espionage. this is all about servers, encryption, and the rest. we don't hear much about this. but a lot of smaller businesses are potentially vulnerable.
post #37 of 41
Quote:
Originally Posted by Alfiejr View Post

so what are you going to do? Duh. goodbye Macs, hello Cornflicker.

FYI, it's conficker.
Dick Applebaum on whether the iPad is a personal computer: "BTW, I am posting this from my iPad pc while sitting on the throne... personal enough for you?"
post #38 of 41
That article also stated that macs are easier to hack into.

The reason Macs are safer is because there are fewer exploits for them. I hope Apple is reading that article and working to make their system harder to hack into.
post #39 of 41
The most troubling in all this is that Apple in fact has ignored several reported vulnerabilities, some of them for years!

The other problem is that Apple has done things to the underlying Unix that have caused vulnerabilities all their own. Sometimes only to adapt Unix to the old Mac "way". A second problem is the extra time it takes Apple to update open-source packages, because their software engineers have to adapt every one to the tweaked Unix Apple uses. All a "bad guy" has to do is check to see which packages are not updated, and exploit that.

My greatest fear is that someone will one day exploit some of those holes in the system and do irreparable damage to Apple's reputation as a safe platform.
post #40 of 41
I don't think an operating system should bet on obscurity as a method of security. But neither should Apple adopt the Vista approach of popping up a dialog box to confirm absolutely EVERY task the user wants to perform.

I think Apple currently has the edge because they release new OS versions quite rapidly compared to Microsoft. So if the current slow pace of Mac vulnerability research/development continues, Apple will always be a step ahead. But if it increases pace, that could be cause for concern.