Road to Mac OS X Snow Leopard: 64-bit security


Comments

  • Reply 21 of 40
    virgil-tb2 Posts: 1,416 member
    Quote:
    Originally Posted by ZhuJo View Post


    if my previous post sounded to somebody like "ego massaging", sorry for that. I just wanted to illustrate how "poor" we live in here. Countries like Czech rep. Slovak rep., Hungary of course belongs more to Central Europe than its eastern part, but still - we had a socialist regime here for a long time. Sadly, some of the thinking "government should take care of us" still prevail in people's mind



    I just want to warn all of you, living in "West" - don't let the leftist parties to fool you in a way "we should donate money to help the industry" or "more money for poor". We had enough of that in the past and sadly (at least in Slovakia), we somewhat still do.



    I'll end with all of this crap - we are quite off topic. Sorry for that also.



    I liked the story about what conditions are really like in Eastern European countries and I disagree with people who say these countries are actually "central." Historically, I think it's fair to refer to anything that was once behind the Iron Curtain, "Eastern Europe" and a bit nit-picky to argue about it.



    That being said however, it's a fact that a lot of viruses and generally nefarious sites come out of former Eastern bloc countries (Serbia in particular).



    I also think that the last place anyone would go for advice on "left" parties is someone who is from behind the former Iron Curtain. They are experts on totalitarianism because they lived through it recently, but progressive or left wing parties in the West have nothing to do with the kind of "socialism" (totalitarianism) practised by the Soviet states.



    IMO just as the average American only knows socialism as a mythical bogeyman and has no idea what it really entails and how it really works, the average person from the former Soviet states only knows capitalism as a kind of fairy-tale or "good" myth and has no idea what it really entails or how it works. What actually works is something between the two mythical extremes.
  • Reply 22 of 40
    tim68 Posts: 17 member
    I'm confused. I know Snow Leopard will work with my early 2008 8 core Mac Pro, but will my computer be able to take full advantage of all the 64 bit goodness?
  • Reply 23 of 40
    cubert Posts: 728 member
    Quote:
    Originally Posted by UltimateKylie View Post


    I'm sorry did you notice the Safari RSS exploit here on Apple Insider? It's there on both Windows and OS X. Just goes to prove that people could if they wanted to target OS X and Apple products. However, the author is 100% correct and you are wrong. It is easier to target Windows because you have a 90% chance that the consumer is going to be using Windows. If you made a Mac Virus based on an exploit you would have to target less than 10% of computers before Apple made a patch. In my house we have 4 Windows PCs and a Macbook that runs OS X and Windows. So in my case if I designed a virus for a Mac, it would have nowhere to go in my house. I could maybe send it to one friend I know who has a Mac. He could maybe pass it to his sister's Mac. Beyond that it's the same difficult odds. And how would I send the virus? Email, I doubt anyone using a Mac would be fooled and then the Windows recipients would wonder what it was, I would be found out and Apple would issue a patch. Website, again less than 10% of visitors would be Mac and probably less so who have the exact version my exploit targets. It would be more prudent for me to target Windows, well because their users tend also to be less savvy.



    The recent worm for Windows for example has hit what 3 million computers mostly in Asia. You take that out of over 1 Billion active Windows PCs (most of which are already patched, because Microsoft acts quickly these days, as I suppose Apple would as well) and you see out of your total install base, less than even 1% get infected or about .3% in this case. So if you take 10% of macs you would get what .003% of the entire computer market infected by your virus/trojan if you had similar success rate. It's not worth it all.





    Sorry, but you lose. You are confusing application security flaws that can be exploited with system security flaws that can be exploited. The Safari RSS issue you cite is specific to that app. It is the security of the OS that keeps application exploits from infecting the operating system.
  • Reply 24 of 40
    Quote:
    Originally Posted by tim68 View Post


    I'm confused. I know Snow Leopard will work with my early 2008 8 core Mac Pro, but will my computer be able to take full advantage of all the 64 bit goodness?



    Raise your hand if you know of an 8-core 32 bit processor from Intel.
  • Reply 25 of 40
    virgil-tb2 Posts: 1,416 member
    Quote:
    Originally Posted by KenC View Post


    Prince McLean's, aka Daniel Eran Dilger, latest article on the Road to Snow Leopard is so even-handed and balanced. Usually, people attack him for being too biased!



    I wonder if Daniel deliberately implied the security by obscurity myth to get others to do the heavy lifting for him. I'm quite sure he has argued against it in the past.



    People seem to attack Dan no matter what he says, even though you can check his record easily enough and see that he is right the vast majority of the time.



    Here, (at least in my opinion), he seems to have tried deliberately to be less biased and less emotional (and in my opinion succeeded admirably), and some people *still* jump all over him.



    Everyone knows the "security by obscurity" myth is a bit of a red herring. None perhaps more so than Dan who has written about it many times. There is however *something* to the myth in that it takes a bot-net to do any real damage nowadays and most commercial virus activity does focus on windows for that reason. In other words it's a (small) factor but a real one.



    My take on this article is that this is exactly what the author was getting at. I think it's a great article and the tiny nod to the obscurity myth was just right.
  • Reply 26 of 40
    For reference's sake, below are links to Dan's articles about why the "market share myth" he supported in this article doesn't work. They were written the better part of a year ago.



    The Unavoidable Malware Myth: Why Apple Won't Inherit Microsoft's Malware Crown

    Five Factors Shifting the Future of Malware and Platform Security
  • Reply 27 of 40
    fairly Posts: 102 member
    I can't even begin to point out where this article goes wrong. It'd take the time for a complete PhD thesis. And it wouldn't be worth it.
  • Reply 28 of 40
    fairly Posts: 102 member
    Quote:
    Originally Posted by rhowarth View Post


    In the absence of good local job prospects it makes perfect rational sense for them to turn their efforts to computer crime instead. People like that are far more likely to only have an old 386 machine available to them rather than a shiny new Mac



    Yes but they're employed by organized crime. And in organized crime there's lots of money for computer hardware investments. Mac OS is increasingly turning up in eastern European countries and even far eastern countries.
  • Reply 29 of 40
    fairly Posts: 102 member
    Quote:
    Originally Posted by KenC View Post


    Prince McLean's, aka Daniel Eran Dilger



    So this is DED? Say no more. Barf.
  • Reply 30 of 40
    Quote:
    Originally Posted by Cubert View Post


    Sorry, but you lose. You are confusing application security flaws that can be exploited with system security flaws that can be exploited. The Safari RSS issue you cite is specific to that app. It is the security of the OS that keeps application exploits from infecting the operating system.



    Arguably, any security flaw that affects the OS' default applications set and allows for external forces to take control of one's machine ought to be taken as seriously as any OS-level fault.



    We've seen Macs taken over by simply visiting malicious web pages in Black Hat sessions at least twice. The attackers revealed very simple techniques to determine vulnerabilities (such as seeing what open source components' versions OS X was using, usually behind the latest ones because Apple has to take time to adapt them to its filesystem, etc., and go for the vulns the very latest Linux versions do eliminate). We have also had our scares when conflicting filetype determination systems could hide an executable as a data file. We've had a couple trojans, and I've been shown by a developer friend the very same trojan codec trick some guys suffered some time ago.



    That OS X is certainly harder to crack (but not so incredibly difficult as many believe) and that it still hasn't reached 10% marketshare penetration; that current Mac piracy routes are more community-based (so that anything strange "gets reported" instantly); and that Mac people tend to meet in Mac-related places makes for a quite less attractive platform to exploit.
  • Reply 31 of 40
    fairly Posts: 102 member
    Wrong. He is right and the author - whom we now can identify as a clown writing elsewhere under his more real name and who has no accreditation whatsoever to discuss these matters - is typically sadly pathologically in error. Again.
  • Reply 32 of 40
    It's a great pleasure to read articles so superbly written as this one.
  • Reply 33 of 40
    Quote:
    Originally Posted by mdriftmeyer View Post


    Raise your hand if you know of an 8-core 32 bit processor from Intel.



    I think you meant to say dual quad-core processors.
  • Reply 34 of 40
    Quote:
    Originally Posted by inkswamp View Post


    OS 9 had viruses and less of a presence than OS X. I've seen OS 9 viruses spread through a network.



    good point.
  • Reply 35 of 40
    Quote:
    Originally Posted by Cubert View Post


    Sorry, but you lose. You are confusing application security flaws that can be exploited with system security flaws that can be exploited. The Safari RSS issue you cite is specific to that app. It is the security of the OS that keeps application exploits from infecting the operating system.



    Sorry, but you lose. Almost all malware these days spreads through application specific vulnerabilities. The lines have been blurred between system and application vulnerabilities anyway - a vulnerability in Safari like the Safari RSS vulnerability is actually caused by a vulnerability in an underlying system framework (in this case PubSub.framework). Internet Explorer and Windows Media Player are where most of the vulnerabilities in Windows lie, and that is how most malware is distributed. Those are definitely application vulnerabilities, but they ship with Windows obviously.



    PS: Funnily enough QuickTime had the most vulnerabilities of any component in 2006 and 2007. When the numbers are tallied for 2008 I wouldn't be surprised to see QuickTime take the three-peat.
  • Reply 36 of 40
    Quote:
    Originally Posted by Snafu View Post


    Arguably, any security flaw that affects the OS' default applications set and allows for external forces to take control of one's machine ought to be taken as seriously as any OS-level fault.



    We've seen Macs taken over by simply visiting malicious web pages in Black Hat sessions at least twice. The attackers revealed very simple techniques to determine vulnerabilities (such as seeing what open source components' versions OS X was using, usually behind the latest ones because Apple has to take time to adapt them to its filesystem, etc., and go for the vulns the very latest Linux versions do eliminate). We have also had our scares when conflicting filetype determination systems could hide an executable as a data file. We've had a couple trojans, and I've been shown by a developer friend the very same trojan codec trick some guys suffered some time ago.



    That OS X is certainly harder to crack (but not so incredibly difficult as many believe) and that it still hasn't reached 10% marketshare penetration; that current Mac piracy routes are more community-based (so that anything strange "gets reported" instantly); and that Mac people tend to meet in Mac-related places makes for a quite less attractive platform to exploit.



    @snafu

    I don't think the Macs were "taken over", and certainly not by simply visiting a malicious webpage. The rules had to be relaxed so that the hackers either had direct access to the Mac, or the Mac's user was given an email with explicit instructions he had to follow to download a file and install it with an admin name and password. Even then, it could do little system-wide damage. And yes, we know about the codecs -- you have to visit a porn site, download a "special codec" for "viewing their proprietary video" and, again, type in your admin username and password in order to install it.



    @others

    Yes, Daniel DOES frequently and eloquently argue against the security through obscurity myth. I don't think he was implying it in that argument. I think he was saying, EVEN IF there were viable viruses for Macs (more than the ONE OR TWO questionable ones mentioned above), EVEN IF an infected Mac could infect other Macs, it wouldn't get very far -- NOT because the Mac is obscure or lacks market share, but because of the nature of Mac computing. The reason Windows computing is in the state it is in, is NOT because it has greater market share, thus providing a more attractive target; it is in the sad state it is in because MS dumped Windows on all these corporate networks with a complete disregard for value and security. Windows became ubiquitous overnight (largely due to being in the right place at the right time and people refusing to think differently), and now people are counting the cost.



    True, there aren't *many* Mac only networks yet (outside of graphics bureaux), maybe a few college campuses come close. EVEN SO, the Mac didn't start life as a drone or dumb terminal on a big corporate network, a network which COMPLETELY RELIES on IT departments to secure the outside, with little per computer in-built security other than virus-scanning software. Whether on a large network behind a firewall, or on its own right on the internet, the Mac is more secure inside and out. And Macs are certainly not turned into spam-bots unbeknownst to their owners.



    When and if Mac networks become *ubiquitous* they will be a little different by nature, because Macs started life with a bit different philosophy; and now there is STILL the opportunity to take the time to look ahead and plan for the time when they do in fact become ubiquitous (despite the one or two *exploits* being trumpeted about as though that somehow makes the Mac *just as* -- and those are the words used -- vulnerable as Windows). Whoa. Because Macs do not have the same kind of vulnerabilities (NOT due to luck or the fact they are obscure or few in number), Apple has the luxury of PROACTIVELY preparing for some battles, rather than reacting every other day to all the various threats faced by Windows which must continually act to put out the fires on a number of very real and SERIOUS exploits (not merely theoretical threats or self-discovered vulnerabilities). I just read of some 8 million recently infected PCs that are phoning home to goodness knows where because the return path is still obscure to researchers. These PCs are actually phoning home right now as I type. Where's the hue and cry?



    Apple is not simply shoving its product out the door without any regard for its users (I know, I know, that foolish sentiment is just the Kool-Aid talking), and on top of that trying to sell software or services to patch holes that have already been exploited before you buy your next PC. Apple, already ahead of the game, is working on the next level of security, from the FOUNDATION up, again.



    Yeah, I too had a virus under OS 9, back in the day...I think (some 11-12 years ago I would guess). My Mac acted funny about restarting or something for a couple of days there. Ahhh, those were the days.



    Besides the obvious creative reasons for using Macs, small businesses use them PRECISELY BECAUSE they have counted the cost, have weighed the security implications and have decided they want more responsible computing that is inherently more proactive on the security side -- rather than putting money into IT and Support specialists and anti-virus software. It is a calculated decision. It is a proactive decision and not a naive, head-in-the-sand one.



    Yeah, Apple users: poor, naive bastards with a religious fixation and their heads in the sand who are only concerned with style and who like toy computers which can't do anything useful nor need a degree or full-time support to use as intended. Apparently, we like the latest gizmos; and YET, we use our Macs for at least 5 years each (24/7 I'm using a PowerMac G4 at least six yrs old, and a PowerMac G5 at least 4 and haven't needed a single hour of professional support, EVER). Yeah, go figure. I'll happily keep my head in the sand about security under those terms. I have to say, I trust Apple a little more than MS. Call me a fool affected by the RDF. Whatever. You can't pay me to use Windows, because I have used it.
  • Reply 37 of 40
    kaiwai Posts: 246 member
    Quote:
    Originally Posted by ZhuJo View Post


    rhowarth, you have no sense of how we live in so called „poor eastern European countries“. I can guarantee that most of the programmers here have at least as good live standard than most people in western Europe . Average income of qualified programmer here (Slovak Republic) is about 3000 Euros. Most of the serious programmers take much, much more. Given to lower prices of commodities live standard is quite good.



    Trust me, economy boom here still persists (even in the current hard economic times). People are building new houses (no, not from straw) and have quite good cars (mostly VW, Skoda – newer ones, Peugeots, BMWs). We have now almost as good live standard as people in Italy, Spain or Austria.



    Of course, there are also quite a lot people without higher education, working as common worker, mainly in car industry (Audi Q7s and Porsche Cayenne are made in Slovakia, also Kia, Peugeots). But these people also don't live in shacks.



    People in Ukraine and Bulgaria or Romania are living in much worse conditions, but also, not in shacks. They just can't afford the goods.



    Oh, I'm quite young IT consultant from Slovakia, currently writing from my MacBook Pro 17" with 20" Cinema display, using Time Capsule and iPhone. Driving VW Passat Combi. Sounds poor to you? Trust me, capable and intelligent young people don't have much problems with money here. Oh, we have just changed our currency to Euro.



    What I am confused about are those who think that people are struggling in Slovakia and are low paid. I've just gone to Wikipedia to find out Slovakia's statistics - on the basis of GDP per capita (via PPP) - it's on par to New Zealand and most other countries, and I wouldn't call New Zealand poor by any stretch of the imagination.
  • Reply 38 of 40
    kaiwai Posts: 246 member
    Quote:
    Originally Posted by ZhuJo View Post


    rhowarth, you have no sense of how we live in so called „poor eastern European countries“. I can guarantee that most of the programmers here have at least as good live standard than most people in western Europe . Average income of qualified programmer here (Slovak Republic) is about 3000 Euros. Most of the serious programmers take much, much more. Given to lower prices of commodities live standard is quite good.



    Trust me, economy boom here still persists (even in the current hard economic times). People are building new houses (no, not from straw) and have quite good cars (mostly VW, Skoda – newer ones, Peugeots, BMWs). We have now almost as good live standard as people in Italy, Spain or Austria.



    Of course, there are also quite a lot people without higher education, working as common worker, mainly in car industry (Audi Q7s and Porsche Cayenne are made in Slovakia, also Kia, Peugeots). But these people also don't live in shacks.



    People in Ukraine and Bulgaria or Romania are living in much worse conditions, but also, not in shacks. They just can't afford the goods.



    Oh, I'm quite young IT consultant from Slovakia, currently writing from my MacBook Pro 17" with 20" Cinema display, using Time Capsule and iPhone. Driving VW Passat Combi. Sounds poor to you? Trust me, capable and intelligent young people don't have much problems with money here. Oh, we have just changed our currency to Euro.



    Quote:
    Originally Posted by Davdoc View Post


    While Mac OSX is indeed withstanding the test from malware so far, the mentioning of several technological advancements is still not very accurate, much like the rest of the whole series here. Basically, many features can be enabled on a 32-bit system, just that Mac OSX didn't do it (not that Windows was doing it either). These features, however, are not necessarily exclusive to 64-bit environment and the author should not pretend as if he really knows the story.



    Examples:



    (In the article)



    This is already present to an extent in today's Leopard Server, which runs some services, such as the Apache web server, as 64-bit processes. Using the vmmap command reveals that no memory allocated by these 64-bit apps is both writable and executable. On 32-bit Intel systems, while no memory is marked as both writable and executable, the legacy x86 processor design does not enforce the permissions bits, but 64-bit CPUs do. This feature prevents exploits from injecting malicious executable code into memory and tricking the app to run it as if it were its own instructions.


    ...



    Segment-based (not used extensively by modern OS) and paging-based protection can be enforced strictly since i386. A more advanced feature introduced by AMD through AMD64, and now available in all new Intel and AMD processors, is the NX/XD bit this paragraph inherently refers to. However, this feature can be enabled in 32-bit mode if PAE is enabled (because bit 63, the NX bit, of page table is only available with the special page directory referencing structure under PAE). Windows XP SP2 has it under DEP when PAE is enabled (it indeed uses a different approach when PAE is disabled) and yes it is only available after AMD Opteron, but for the processor operating mode it can be done under 32-bit (Legacy) mode.



    (In the article)



    Another security weakness in the x86 architecture solved in the move to 64-bits is the use of registers for function call arguments. This makes exploits using return-into-libc techniques much more difficult. On 32-bit x86, function arguments are passed directly on the stack, so when an attacker has overwritten the stack segment, they can completely control the arguments passed to a function that they cause the compromised program to "return into," according to a security researcher.




    ...

    Another misinterpretation of parameter passing. x86 (or for the sake, x64) near/far/procedure/across-privilege-level calls always push CS:EIP (or CS:RIP) onto the stack and pop them upon returns; passing parameters through more registers have nothing to do with the exploits used by malwares which modify stack and hence the return address.



    It is indeed other technologies (like ASLR mentioned later, among others) that make return-to-libc attacks harder. It's doable under 32-bit system, but not as robust (although, again, not exactly what the article mentioned).



    The author for this series should really update a bit more about technological details, or we should just all read Apple's marketing materials instead of getting some "insider" info.



    Thank you for correcting the article; I was reading it and even with my very immature understanding of the x86 architecture, it isn't as bad as people try to make out. There are a lot of security features available but are never used because it would cause portability issues in their code and performance penalties.



    What Apple should be doing is going the full monty when it comes to security and start using these features - lord knows it isn't as though they're going to move off the x86 architecture anytime soon - it's the architecture that keeps on going even in the face of things that appear on the surface to be superior (in terms of engineering elegance).
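
The point in the post quoted above, that the NX bit is bit 63 of the 64-bit page-table entries used under PAE and has no counterpart in a 32-bit non-PAE entry, shown as an added example (not code from the article or from any poster). The function names and sample entries are hypothetical and constructed for illustration, and the decoder assumes EFER.NXE is set so that bit 63 is honoured.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Architectural flag bits of an x86 page-table entry. */
#define PTE_PRESENT  (1ULL << 0)
#define PTE_WRITABLE (1ULL << 1)
#define PTE_USER     (1ULL << 2)
#define PTE_NX       (1ULL << 63)  /* only exists in 64-bit (PAE / long mode) entries */

/* Hypothetical helper type for this example. */
struct page_perms {
    bool present, writable, user, executable;
};

/* Decode a 64-bit entry (PAE or long mode). Assumption: EFER.NXE = 1. */
struct page_perms decode_pae_pte(uint64_t pte)
{
    struct page_perms p;
    p.present    = (pte & PTE_PRESENT) != 0;
    p.writable   = p.present && (pte & PTE_WRITABLE) != 0;
    p.user       = p.present && (pte & PTE_USER) != 0;
    p.executable = p.present && (pte & PTE_NX) == 0;
    return p;
}

/* Decode a 32-bit non-PAE entry. There is no bit 63, so at the paging
 * level every present page can be fetched from: writable implies W+X. */
struct page_perms decode_legacy_pte(uint32_t pte)
{
    struct page_perms p;
    p.present    = (pte & PTE_PRESENT) != 0;
    p.writable   = p.present && (pte & PTE_WRITABLE) != 0;
    p.user       = p.present && (pte & PTE_USER) != 0;
    p.executable = p.present;
    return p;
}

/* Count present pages that are both writable and executable. */
size_t count_wx_pages(const uint64_t *ptes, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        struct page_perms p = decode_pae_pte(ptes[i]);
        if (p.writable && p.executable)
            hits++;
    }
    return hits;
}

/* Constructed sample entries, not taken from any real system. */
static const uint64_t SAMPLE_PTES[] = {
    0x0000000000001003ULL, /* present, writable, NX clear -> W+X     */
    0x8000000000002003ULL, /* present, writable, NX set   -> data    */
    0x0000000000003001ULL, /* present, read-only, NX clear -> code   */
    0x8000000000004002ULL, /* not present: flags are ignored         */
};

int main(void)
{
    size_t n = sizeof SAMPLE_PTES / sizeof SAMPLE_PTES[0];
    printf("W+X pages in sample: %zu of %zu\n", count_wx_pages(SAMPLE_PTES, n), n);
    return 0;
}
```
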
  • Reply 39 of 40
    This article doesn't say much about any changes in the software security model for OS X. Any improvements in there? Also, 32bit apps still run on 10.6, how are they shielded against the issues mentioned in the article?
  • Reply 40 of 40
    Going 64-bits is a great thing and I think the industry is about 10 years late in this aspect. So SL is highly awaited. Look at XP 64bits and Win7 64-bits, they are very very robust. Security wise better but security is not iron clad ever, we must understand that.



    The Mac's "security by obscurity" has advantages in "slowing down" a determined hacker. The security model and strength of OS implementation makes it a lot harder. This is OSX vs Windows architecture for the OS and its driver model. The fact that a platform is pervasive does not make it any easier. If it is simpler and quicker then, it is better incentive to a hacker to do so.



    We must understand the drive behind who write viruses. The skill level is also varied. OSX demands a much higher skill level to get a proper virus that can self propagate and causes destruction. So no matter how pervasive the installed base is, the success effect really depends on the ease and speed of delivering results.



    A hacker can be very determined, but the lack of skills will seriously compromise that success. Of course, the person can get lucky ....