Apple's OS X Is Subject to a Big Mac Attack

by Preston Gralla

Fellow Windows users have probably had the same experience I've had when it comes to Mac owners --- listening to them claim that unlike Windows, their systems are impervious to assault.



For years I've been telling them they're wrong, and they rarely listen. But now I have hard evidence.



If there were any doubt that the Mac is far from a fortress, the recent release of an Apple patch fixing 13 security flaws in OS X should put them to rest.



Among the security holes is one that would allow an attacker to remotely execute malicious code, and take over someone's system. There's also a spoofing flaw and a way to knock down SSL protection to a less-secure version, among others.



Need more evidence that the Mac is vulnerable? The SANS Institute has listed Mac security flaws among its list of top 20 security issues. The institute notes "Although Mac OS X has security features implemented out of the box...the user still faces many vulnerabilities."



There's no doubt that right now the Mac is more secure than the PC. But Vista includes a more hardened operating system, and more security features, and by the time it comes out, I wouldn't bet that the Mac will be more secure.



As for now…if you're a Mac user, it's time to get used to the security patching process.


What do you think about Mac security?


17 Comments

tbridge777
2005-11-30 13:03:46
FUD much?
Preston, Preston, Preston. Where to start?


Security Updates have long been a feature of Mac OS X, dating back to 10.0, I believe. Software Update has brought them to our attention for quite some time. They tend, however, to be not nearly as major a patch as their windows cousins, which always end up coming out after some new virus, malware, spyware or sony rootkit has taken advantage of the door left swinging in the wind by our friends at Microsoft.


Apple's very aggressive with patching potential holes in their software, and have been since 10.0 shipped. Insinuating otherwise, well, makes you a windows guy steeped in Fear, Uncertainty and Doubt. ;)


Tom Bridge

roger69
2005-11-30 13:28:24
Linux and BSD too, don't forget
It's worth noting that yesterday's Apple Security Update included patches to the following:



  • apache

  • apache mod_ssl

  • curl

  • openssl

  • sudo

  • syslog


  • These are all open source applications that are found not only in Mac OS X, but in Linux and BSD. Apache is also available for Windows and has the same security issues.


    The security update also included patches for Safari, CoreTypes (used by Safari), and the password server of OS X.


    All this aside, let's be very clear: there are hundreds of viruses, worms and trojans released every week, every day of the year. 99.9% of these are specifically designed to attack Windows.


    It's not that OS X, Linux, or BSD are "more secure" - although I continue to maintain that the underlying design of these operating systems is superior to the Windows design where applications are so integrated into the operating system that the security holes of the application are also security holes in the operating system.

    trollll
    2005-11-30 13:29:31
    FUD warning
    anyone who describes their systems as "impervious to assault" just stuck a target on their forehead. i don't care if you advise governments on security policies, calling your system invulnerable just proves ignorance.


    that said, how many worms and viruses have you heard of for windows lately?


    now how many for macs? they exist, but so comparably few of them that i definitely have to agree with tom on this one...


    make a reasonable argument if you want to get taken seriously on this subject.

    themas
    2005-11-30 13:43:41
    Symptoms
    I go for symptomatology. Now what that is?
    Symptomatology does NOT care why homeopathic drugs work (or do not work, depending on who pays the metaanalysis). It is not scared by ideas like satanic interference or more users. It just shows what the symptoms are and does not explain the reasons. In one word: purely descriptive.
    Okay.
    Here one widely known fact and three descriptions.


    Fact: Windows OS is given a lot of security updates and fixes. So is Mac OS or free U**xes. So no difference. No shame in detecting flaws and patching them up.


    1. Count viruses on Windows-varieties. Count viruses (viri, I know) on Mac OS X. Any questions.
    2. Count the Macs. Yes, the machines. In households AND in bigger trusts or publishing companies or how ever you call that. How many? Or, more precisely: How many Millions? Yes, Millions? Okay; who tells me that NOONE knows the Mac so there will never be viruses because Macs are too rare and too unattractive for virusmakers.
    3. What will be the glory for the one who writes a good, hard virus for Macs? Breaking into what ist commonly known as one of the last fortresses against viruses? More or less than the six-Gazillionth virus on a Wintel machine....


    Conclusions: Up to you.

    brunolesartiste
    2005-11-30 13:49:11
    Shame on O'Reilly->
    Having been both a long time Windows and Mac user I've always appreciated the journalistic, tell it like it is, approach taken here at O'Reilly Network. How did this article pass through the editor to the live page?
    I know many Mac only users and not one of them claims that OS X is completely immune to attack. What OS is? I think what most techies, and Mac users, understand is that with Unix underpinnings alone any OS is more secure than Windows. Plus OS X does not have the massive security hole known as Explorer with no Outlook to spread the garbage to others. What you have is an OS that's an order of magnitude more secure.
    Much more secure? Yes. Perfect? Definately not.
    -bruno
    roger69
    2005-11-30 14:02:33
    Shame on O'Reilly->
    There's no editor. O'Reilly Network blogs are not edited, they're blogs.
    evr76
    2005-11-30 14:15:43
    Re: Apple's OS X Is Subject to a Big Mac Attack
    I especially love the blind faith that vista will deliver in terms of security. Don't hold your breath on that one...
    Virek
    2005-11-30 15:37:18
    This might help
    Just look at these :


    http://secunia.com/product/96/#statistics_solution


    against :


    http://secunia.com/product/22/#statistics_solution


    or this:


    http://secunia.com/product/22/#statistics_solution


    Feel free to browse deeper.


    Cheers.

    tomahawk
    2005-11-30 15:57:21
    Alrighty then
    Preston Gralla is the editor of WindowsDevCenter.com and OnDotNet. He is the author of Internet Annoyances, PC Pest Control, Windows XP Power Hound, and Windows XP Hacks, Second Edition, and co-author of Windows XP Cookbook.


    That pretty much explains everything.

    kollivier
    2005-11-30 16:11:24
    Where's the beef?
    First, of course OS X has security holes. All OSes do. This has never needed disproving, sorry to say. OS X users have been getting security updates for years - I don't think you're surprising any of them by telling them what they already know.


    Second, the argument is not, nor never was, about OS X being perfect in terms of security. That's a strawman argument if ever I read one. It's about OS X being *secure by design*, the same way Linux/Unix is. Intelligent permissions, closed ports by default, etc. People at O'Reilly should know this stuff.


    MS bolted security on, and only after huge vulnerabilities were discovered at that. SP2, anyone? *nix and OS X never had an "after the fact" addition of security features because they were there in the first place. Unix and its permissions system and security policies are decades old, and MS was obviously familiar with them - but, unlike Apple, they went with a different design instead. One with open ports, a running web server on every W2K machine (!) at one point, elevated permissions for IIS processes, and plenty of other decisions which just ignored security to save the user a click or two. Not to mention how it helped the virus/worm writers.


    It all leads me to wonder: How worried was MS about protecting their users *before* the massive security issues in Windows became painfully obvious? MS dropped the ball, and I mean seriously dropped it, for a vendor that wants to be in your living room, your ATM, and everywhere in between. To me, it showed that MS wasn't doing the things people like myself simply expected they were doing; checking their code, analyzing and dealing with potential security threats before they realize, etc.


    The bottom line is, Apple (and Unix) cared about security before it needed to, while MS cared about it only AFTER (and long after), it needed to. Proactive vs. reactive. Which do you prefer? Maybe Vista will have great security, but that's far from a fact yet, and from my perspective it's about 10 years after Windows should have had it. I take my business to companies that do things like security without being asked to, and don't wait until their core business is threatened to think about it. But perhaps I simply 'think different' on this.

    W2ed
    2005-11-30 23:19:01
    Dumb Question time...
    Has there ever been an OS that hasn't been vulnerable to an attack? Short of never logging onto a network or using discs created by anyone else, I've never known an OS that hasn't been vulnerable.


    I think the better question would be, which is more prone to attack? After all, short of valuable personal information, what reason is there to attack the Mac or Linux side? So that you could say that it could be done?


    Of course, this kinda makes me wonder if having someone attack us would, in fact, make us a status symbol, something not to be sneered at, but respected... (Note the sarcasm - Anyone with that much time on their hands needs serious help if they want to waste their time like that.)

    b_isikoff
    2005-12-01 07:41:51
    Disappointing
    "As for now…if you're a Mac user, it's time to get used to the security patching process."


    Er, what? I suppose he means I'm going to need to continue to update my system, including the security patches, as I have ... since getting the first version of OS X (i.e., for years).


    Occasional security vulnerabilities and patches are nothing new to OS X. Or *nix. Or Windows.


    I'm sorry Preseton hears from Mac-users who think their system is "invulnerable", but I was very disappointed to see this poorly thought out, ignorant (i.e., get used to patching your system), and mildly insulting and smarmy blog article here.


    I expected better from O'Reilly and their authors, blog-approval process or not.


    kollivier
    2005-12-01 08:56:31
    Dumb Question time...
    Are you aware of how many servers are running Linux? If virus writers could pull off an exploit that can infect a machine and spread itself, they could knock off huge portions of the Internet, which is the ultimate bragging right for some virus/worm writer.


    So I do have to wonder - why is Windows frequently hit, while other OSes are not? And yes, Linux exploits DO occur, but they are small and isolated. Hackers must hit each box individually, which has a much smaller payoff than knocking down a million Win boxes. As a result, most exploits on Linux are about defacing web sites, stealing data and the like.

    simon_hibbs
    2005-12-01 09:23:37
    Oh no, not again!
    For a start, the headline of this post is factualy incorrect. There have been no actual reported incidences of these vulnerabilities being exploited, so OS X has NOT been SUBJECT to attacks, Big Mac or not. It has merely been theoreticaly vulnerable to them.


    This is the second post by Preston in the same partisan, deliberately missleading and outright factualy incorrect vein. For further laughs, see here:


    http://www.oreillynet.com/pub/wlg/6738


    This is a post about a 'virus' that was actualy a rootkit, and which was also incapable of propagating itself automaticaly or even infecting systems unless assisted by a superuser.


    Preston, perhaps you have personaly heard Mac zealots say their systems are invulnerable, but I never have. If this is a real phenomenon, perhaps you can point us to some online examples of such claims? If it's such a popular claim, made often enough to wind you up so much, surely there must be online examples in blogs or usenet, or discussion groups or such?


    Finaly, posturing about how great a product that is already several years late and not due for months if not years more, is hardly very impressive.


    Look, you're actualy a good author. I like the resources you edit and your articles have been very useful to me. I know you can do better than this.


    Simon Hibbs

    KarlRove
    2005-12-01 09:34:36
    i'll take that bet
    "But Vista includes a more hardened operating system, and more security features, and by the time it comes out, I wouldn't bet that the Mac will be more secure."


    I'll take that bet. I can probably make more money on this one than my apple stock if Microsoft's past security performance is any indicator.


    aristotle
    2005-12-02 21:20:39
    Re:

    You’ve claimed the sky is falling before:


    Linux Users: Welcome to the World of Malware
    http://www.oreillynet.com/pub/wlg/5828


    And well, nothing of the sort happened.


    You’ve also claimed previously that this was going to happen to the Mac:


    Mac’s New Slogan: Viruses for the Rest of Us
    http://www.oreillynet.com/pub/wlg/6738


    Again, nothing of the sort happened. Or that Firefox was a sieve:


    Bad News About Firefox Security
    http://www.oreillynet.com/pub/wlg/6459


    But… nothing of the sort happened.


    See a pattern yet?


    I think it’s safe to say your predictions are… unreliable. That you’d choose to continue making such bombastic proclamations despite past evidence that they’re wrong every time is almost comical.


    Every single argument and prediction claiming that alternative choices would suffer the same kind of problems as MSFT products do, whether it came from you or others, has so far been torn to shreds not only in argument, but also by all practical evidence where it has been available. Maybe the subject matters are really more complex than your simplistic extrapolations account for?


    To be fair, you get fairly close to the core issue in this article:


    Is Firefox Less Secure than IE?
    http://www.oreillynet.com/pub/wlg/7870


    Clearly, news like the Big Mac story you cite show that MSFT products are close to alternative choices in technical merit. The number of security fixes released for non-MSFT products show that indeed, all software has bugs. Stop the presses!


    So why would MSFT products specifically continue to suffer so many problems, when they aren’t a whole lot worse than the competition? Ask yourself what’s unique about MSFT, and you’ll have the answer.


    It’s their market position. MSFT response to security problems has always been marketing-driven, and there is no at all compelling reason for them to do anything to address these problems in any other way, whereas there are a whole number of very compelling reasons for them to care about other things first and foremost.


    And I don’t particularly hold that against MSFT. They’re doing what anyone in their position would sensibly do – which is exactly why no company must be allowed to have that position. (Whether or not other companies would be less aggressive than MSFT, as some claim, is beside the point.)


    Until such time as that position changes, upon hearing of issues with non-MSFT products, you will invariably look at the relative technical merits of MSFT products and the alternatives, and you will invariably predict that the alternatives will suffer the same problems as MSFT products every time, and you will invariably be wrong about it, because it will invariably not be about technical merit.


    Mark my words.

    dlevine
    2005-12-30 15:34:47
    Who are you people?!
    I dont know what any of you are talking about. Being a systems admin that is responsible for a few hundred Win2000, WinXP, Mac OS X, and RHEL 3 machines - I see plenty of faults on all sides. They all crash sometimes. They all need patching. Yes - all software has bugs, security holes, and faults. Once there is an equivalent market share across these platforms NOBODY can claim technical superiority.


    There is no way that anyone can tell me that one is head and shoulders above th rest. Hell - even my iSeries has faults.


    The only way to keep any OS or app relativley safe is to truly understand it, and not become complacent.


    I am just tired of ALL zealots. We are all in this together, and are smarter than that.