Gizmodo posts article "OSX isn't as secure as everyone claims it is." Is the world ending ?

Discussion in 'Computers' started by IOWA, Apr 20, 2012.

  1. IOWA

    IOWA Mr. Logic Pants
    Thread Starter

    OS X Isn't as Secure as Everyone Claims It Is

  2. linuxrich

    linuxrich Well-Known Member

    Yes, OS X (and any other Unix-like system you may care to mention, including Android) is more secure and stable than Windows. However, the word 'more' implies a scale! To get near to impervious, you need to be looking at a hardened OS like something running SELinux or AppArmor, for example.

    Even if you accuse Apple of not reacting quickly enough to a problem that existed from the end of last year, that's nothing new. Apple has a reputation for not releasing patches very quickly. If you want an example of a quick patch for a reported vulnerability, try Googling 'Wicd privilege escalation'.
    EarlyMon likes this.
  3. IOWA

    IOWA Mr. Logic Pants
    Thread Starter

    I disagree, vulnerabilities are always found faster in OSX than any other OS.
    Pwn2Own - Wikipedia, the free encyclopedia
  4. linuxrich

    linuxrich Well-Known Member

    Finding vulnerabilities fast is good, as long as they also get patched fast!
    IOWA likes this.
  5. IOWA

    IOWA Mr. Logic Pants
    Thread Starter

    Isn't that the truth.
  6. talikarni

    talikarni Newbie

    One big problem is so many people get so emotional, and try to pass off their opinions as facts. Let's look at this from reality and from a 16+ year PC and network tech (me):

    FACT: Most malware/virus infections come from something the user did or downloaded, or failed to update with the latest patches.

    With that in mind, OSX users tend to be the least educated about the dangers of internet usage so they will be lulled into this whole "OSX is safe because it is not Windows" mentality and false sense of security. They will tend to click on anything and everything without worrying about the consequences.

    FACT: Macs are just as prone to hardware problems as any other PC.

    Power surges, lightning, etc. do not care what kind of device it is; they will zap anything not properly protected. The hardware inside of a Mac is made by the same manufacturers that produce hardware for other PCs, so they are just as prone to hardware failure as any other computer, regardless of OS. Based on my years of dealing with them, if you look at the generalized percentage of computers in a town on an OS and manufacturer basis, I have actually found a higher percentage of Macs have hardware problems within the first year. This is for mainstream systems like Macs, Dell, HP, Compaq, Acer, etc., ignoring custom-built systems (usually by a hack of a system builder or shop that hired high school kids that barely know how to find a registry entry).
    If you look at Linux users, they tend to have the least number of hardware problems, mostly because they are also educated enough to maintain their systems and keep dust and hair from building up inside their cases and causing shorts.

    From only an OS standpoint, no, OSX is NOT more secure than anything else because they tend to catch bugs the slowest, they release patches the slowest, they patch the exploits the slowest... so yes, OSX could be considered less secure than Windows 7, and massively less secure than Linux.
    TheyCallMeBT, IOWA and EarlyMon like this.
  7. EarlyMon

    EarlyMon The PearlyMon
    VIP Member

    Practice safe browsing, and don't trust Java.

    The number of known Linux viruses was higher than for OS X last I checked, fwiw.

    But it's all about malware - and viruses are just one class of malware.

    Failure on the part of the security industry to educate to this properly is what causes issues for many owners of all PCs - and phones - regardless of OS.

    Instead, they want to sensationalize everything - because in the end, they're selling products, services or mindshare to their writings.

    Security begins at home.

    That requires clear education first, sensationalism from our pals in the press last.

    Updates, anti-virus, anti-malware, etc etc, aren't great differentiators of anything.

    It really has to be about user education.

    I had one industry peer who just kept insisting on sending me email with documents with viruses in them. So, before forwarding those on from OS X, I had to always scan my documents for PC viruses after opening emailed documents on a Mac. I'd find PC viruses, and then I'd have to solve those before sending the document on (and give my pal heck for doing it again).

    Did I just say that OS X was better in some sneaky way? No.

    What I'm saying is this: Everything is connected to everything.

    Malware isn't a problem that we ought to get comfortable breaking down into operating systems (even though I used to myself, that's changed); we have to think globally.

    Anyway - these are just my opinions, but I hope I've created some mind viruses with some of these ideas. ;) :) :D
    mikedt, nkk, 9to5cynic and 2 others like this.
  8. nkk

    nkk Android Expert

    Thank you!

    I had to yell at my roommate freshman year because he complained that the school wanted him to have antivirus on his Mac. It is amazing how many people think that just because a virus will not run on their computer, it will never exist on their computer. As if lines of code are sentient to the point of knowing which victims to occupy.

    EarlyMon likes this.
  9. mikedt

    mikedt Hello

    My thinking is, if you don't need Java, remove/uninstall it. At least if one uses Chrome, it doesn't automatically run. Instead you get asked, there is Java on this page, do you wish to run it? Yes or no.
    EarlyMon likes this.
  10. mrspeedmaster

    mrspeedmaster Android Expert

    By and large, the recent Mac malware scare has been grossly overblown.
    This malware had a total infection of 600K. In less than 3 weeks, it has gone down to 30K.

    (source: Kaspersky (and corroborated with Symantec) Kaspersky: Number of Macs infected by Flashback drops to 30,000 - Update - The H Security: News and Features)

    That is a very small infection. The duration of this problem is very small relative to other infections.

    On the other hand, Microsoft had a zero-day exploit that went unpatched for 6 months. Duqu was far more nefarious and can be exploited with a TrueType font. It was a bootkit. A bootkit is by far the most dangerous because it is resident in memory and upon boot, the NT kernel cannot detect it.

    Microsoft pushes out emergency fix to block Duqu zero-day exploit

    I work with about 300 computers. 60 Macs and the rest are PCs. PCs tend to get infected easily. This is just a wake-up call for Mac, but by and large, I'd say Macs can be very safe if you harden them.

    I can run zenmap/wireshark/nessus and scan the network and find vulnerabilities in various open ports on Windows in minutes.
    You can run a Python script and nuke a hardened 64-bit Win7 machine from a rooted Android phone.

    Yes, a phone can DDoS a Winbox in seconds. There are buffer-overflow attacks that, when a Windows user launches Windows Media Player, can easily root the entire computer in minutes. Again, an exploit you can do from a phone/tablet.

    For this very reason we have wifi on completely separate firewalled networks. And machines that need to be on our wifi networks need certificates, which excludes most Android devices.

    I'm more scared of exploits that can be launched without user-intervention. The kind that finds open ports and spreads like wildfire.
    E.G. Conficker.

    In 2005-2006, I remember it clearly. It spread to 3 million computers in 24 hours. You didn't need to open an email or go to a website. It scanned the network, found port flaws and injected itself. That was the worst nightmare in my career. Every client, every vendor, every business partner we knew was infected.

    Social engineering attacks like Facebook likes, JavaScript injections, Flash/PDF hijacks can be locked down.
    None of our Macs were infected because we run a proxy server, run IDS (Snort), users don't have admin access to install Flash, and Java was disabled.
    Seems like most people here are wise enough not to open mysterious emails or go to bad websites.

    But what do you do if you get hijacked just by being on a certain computer network? Now this is what I am more scared of.

    If I had to compare something like Mac Flashback to Windows' Duqu, I'd take the Mac trojan any day of the week. Bootkits scare the living daylights out of me. The Flashback trojan can be fixed with a command-line delete. Some of the Windows malware I dealt with was much, much harder: boot in safe mode, delete registry keys, scan for boot-level memory imprints. You needed actual physical hardware access in most cases. On the Mac, you just SSH into it, two lines, and you are done.

    Linux can be just as dangerous. I work with engineers and they all run as superusers. They don't understand permissions vis-a-vis groups, so they just chmod 777 everything. I can just SSH in as a "regular" non-root user, go to their /etc directory and start playing with their hosts files, firewall rules, etc. as a non-root user.

    I also tutor high-school and college student web developers who run Linux. Whenever I have access to their laptops/workstations to check something out, all the permissions are wide open. Who the hell 777s their entire var folder? I've seen it way too many times.

    And I've been into data centers where even hardened Linux servers have SELinux disabled just because having it on has been problematic with certain apps.
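    The wide-open permissions described in this post are easy to audit. The script below is an added example, not the poster's own code: it lists every world-writable file and directory under a given tree (the /etc and /var cases mentioned above) and can strip the offending bit. The sample tree it builds under mktemp is constructed for the demonstration and is not a real system's /etc.

```shell
#!/bin/sh
# Audit a directory tree for world-writable files and directories, i.e. the
# "chmod 777 everything" problem. A world-writable /etc/hosts or firewall
# rule file lets any local account alter it without needing root.

# find_world_writable DIR
# Prints each world-writable regular file or directory under DIR, one per
# line. Symlinks and device nodes are skipped; a symlink's own mode bits
# carry no meaning, and device permissions are a separate review.
find_world_writable() {
    # -perm -002 matches any entry whose "other" write bit is set, whatever
    # the remaining bits are (666, 777, 646, ...). Works in GNU and BSD find.
    find "$1" \( -type f -o -type d \) -perm -002 -print | sort
}

# count_world_writable DIR
# Number of world-writable entries under DIR, printed without padding.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# fix_world_writable DIR
# Removes the other-write bit from every entry the audit reports. Blunt on a
# real system: review the list first, since a few paths (e.g. /tmp, which is
# sticky and world-writable by design) are supposed to stay that way.
fix_world_writable() {
    find_world_writable "$1" | while IFS= read -r path; do
        chmod o-w "$path"
    done
}

# build_sample_tree
# Constructed demo tree (not a real /etc): two correctly-owned entries next
# to a world-writable config file and a world-writable web root. Prints the
# temporary root directory so the caller can audit and clean it up.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/var/www"
    printf '127.0.0.1 localhost\n' > "$root/etc/hosts"
    printf 'deny all\n' > "$root/etc/firewall.rules"
    chmod 755 "$root/etc"
    chmod 644 "$root/etc/hosts"           # correct: only the owner writes
    chmod 666 "$root/etc/firewall.rules"  # wrong: any account rewrites the rules
    chmod 777 "$root/var/www"             # wrong: any account drops a script here
    echo "$root"
}

# Stand-alone usage: build the sample tree, report, fix, report again.
if [ "${DEMO_RUN:-1}" = "1" ] && [ -z "${SH_TEST_MODE:-}" ]; then
    sample=$(build_sample_tree)
    echo "world-writable before fix:"
    find_world_writable "$sample"
    fix_world_writable "$sample"
    echo "world-writable after fix: $(count_world_writable "$sample")"
    rm -rf "$sample"
fi
```

    On a real host, run `find_world_writable /etc` (and `/var`, `/usr/local`) as any user; the audit needs no privileges because it reads mode bits rather than file contents, which is exactly why the poster could see the problem as a non-root account.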
  11. IOWA

    IOWA Mr. Logic Pants
    Thread Starter

    Compared to how few Macs are on the market (low millions) vs PCs (billions!), this is not a little infection.

    Kind of like these zero day exploits?

    Charlie Miller to reveal 20 zero day security holes in Mac OS X -- Engadget

    So can, and are, PCs that run Linux and Windows.

    The same thing can be done to any computer system, using various but similar methods.

    Agreed. User-interventionless exploits are by far the worst, and exist for every operating system on the planet. Not one to this day can say otherwise.

    Which can happen to any operating system.

    Why do users have Admin access on PC but not Mac? If you restricted Admin access on the PC, would it not have the same effect?

    Of course, but if I had to compare a Windows trojan to Stuxnet, I'd take the Windows trojan all day. Bootkits/rootkits are not friendly, but again, can happen to any operating system.

    Well of course, if you leave permissions wide open anyone can stumble in and screw things up. I blame the user, not the operating system in these instances.

    That's just odd. Why would they do that???

    I think the bottom line here is, all operating systems can be compromised. As long as there is just *one* way to compromise an operating system, no operating system is safer than the other.
  12. mrspeedmaster

    mrspeedmaster Android Expert

    How do you explain Conficker?

    As for "what users downloaded"?

    This is a bit of false security. Just because you think you are safe by "safe-habit web surfing, being mindful of opening attachments, not enabling JavaScript, disabling Flash, blah, blah" doesn't mean you are safe.

    How do you account for buffer-overflow attacks due to application flaws? So if you are listening to music ON a network attached to another machine running music, you can get hijacked because there was a buffer overflow memory error in the app.

    Example: send a print spool job to a machine with printer sharing. No user downloading of files involved.

    Microsoft Security Bulletin MS10-061 - Critical : Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290)

    This type of remote buffer-overflow stuff occurs weekly. MS keeps on top of some of them, but they can go months unpatched. No one can keep up on all the vulnerabilities. Not even Microsoft.

    Here are some more. Just by being on a network, you can use a phone to craft a well-formed packet and BLAMMO.

    CVE-2011-2013 : Integer overflow in the TCP/IP implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, a
    CVE-2011-3406 : Buffer overflow in Active Directory, Active Directory Application Mode (ADAM), and Active Directory Lightweight Director
    CVE-2011-1268 : The SMB client in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2

    And here is a bluetooth vulnerability
    CVE-2011-1265 : The Bluetooth Stack 2.1 in Microsoft Windows Vista SP1 and SP2 and Windows 7 Gold and SP1 does not prevent access to obj

    Or non-root zero escalation.

    Windows 7 UAC Buffer Overflow Privilege Escalation 0-day | Greyhat-Security.com

    Or just being on a certain network

    Microsoft Security Bulletin MS11-095 - Important : Vulnerability in Active Directory Could Allow Remote Code Execution (2640045)

    Some machines can't be patched for whatever reason. I have a Windows 95 machine connected to a $300K drum scanner. The drum scanner software ONLY runs on Windows 95 per the company. You CAN'T update/patch it.

    I have Windows servers where there are server apps used by my industry that CAN'T be patched or updated. The vendors specifically prohibit updates that may break their apps. These are $40-100K apps.
    EarlyMon and IOWA like this.
  13. IOWA

    IOWA Mr. Logic Pants
    Thread Starter

    No doubt there are tons of security holes in Windows, I'm not advocating that by any means. But the same/similar can be said of any operating system.

    I maintain my stance, that as of today, there is no such thing as a completely secured operating system.
    EarlyMon likes this.
  14. mrspeedmaster

    mrspeedmaster Android Expert

    Linux is an odd beast in the enterprise or in our business. And this is where I see the greatest threat/risk because OF THE USERS.

    Mac and PC users can work as non-super users for 99.999% of their tasks.
    PC users - excel. Mac Users - graphics design/video.

    Linux users tend to be engineers, programmers, etc. If they are doing spreadsheets, they don't need to be on Linux.

    They need to install apps, test configurations, etc. if they are designing a web application. They need to sudo a majority of the time. Many of the Linux users think they're technical by going to some website and running sudo apt-get install .... I see guys right after they log in, they run sudo -s.

    They are not very remote-management friendly.
    This is what I fear the most.

    A few months ago, one guy installed darkstat, EtherApe and etherpeg (so he can see JPEGs of what people are browsing). Thankfully, the switch he was on wasn't multicasting. If he was smart, he could have cloned a MAC address of a server and hosted a Squid proxy server.

    When one linux employee leaves, we change a lot of passwords across several machines.

    I spend a lot of time checking people's installs. MySQL password open? Host narrowed down? No funny PHP script installed in a subfolder, etc.
    mikedt and IOWA like this.
  15. IOWA

    IOWA Mr. Logic Pants
    Thread Starter

    I never understood why it is such a "hassle" for people to turn SU on and off. It takes all of half a second to do it. Especially if that person works in a data center and such.

    Kind of like my pet peeve with people who don't take advantage of UAC on newer Windows boxes. I understand every scheme has its flaws, but it doesn't mean we should take advantage of the security measures we do have. Right?
    mikedt likes this.
  16. mikedt

    mikedt Hello

    Isn't there a more modern drum scanner that you can replace it with? What happens if the drum scanner breaks and spare parts are not available? Is the company that made it still in existence and do they supply spare parts? Probably not, if they're not supporting and updating the software.

    I've heard of many situations where a business goes on relying on an antique piece of machinery for some essential process. The machine breaks down, no spares are available, they're screwed. Thing is, what's the cost of the downtime if your expensive drum scanner breaks down and is perhaps unrepairable, or the ancient Windows 95 PC dies?

    Presumably this antique Windows 95 machine is not connected to the public internet (or if it is, it's adequately firewalled) and it's only doing what it needs to do, so it should be pretty safe anyway.

    There is one business I know, I think it's on YouTube, they punch music rolls for player pianos. The software for the punch runs on an Apple II. Presumably if the Apple II dies they can get another one from eBay, hopefully, along with the required 5.25in floppy drives.

    TBH I'd seriously think about changing your vendors, if they've got an attitude like that and aren't supporting their software. Are these "$40-100K apps" some kind of bespoke things that you can't get from another vendor?

    Thinking about this.... for $100,000 you can probably hire some devs to write you whatever bespoke software, that is supported.

    Here's another thing: unpatched Windows servers on a network... didn't you mention Conficker earlier? It's still around.
    IOWA likes this.
  17. mrspeedmaster

    mrspeedmaster Android Expert

    You can buy "new" vintage-spec computers. There are still companies that sell them.

    Many restaurant P.O.S. (point-of-sale) systems you see at places like Jack-n-Box and the like source Windows 95/NT 4.0 computers new from resellers.

    I don't know where they source monitors (SVGA (800x600)) but they do.

    And of course, Windows 95 would never be on the network.
    mikedt likes this.
  18. IOWA

    IOWA Mr. Logic Pants
    Thread Starter

    Sounds like the Win98 machine we had when I worked in the print shop, completely firewalled from every other machine outside of an old printer the boss refused to replace lol.
    mikedt likes this.
  19. mikedt

    mikedt Hello

    I take it these have real parallel and serial ports, or even ISA slots if required for some old specialised interface cards.

    I'm sure there are many examples of vertical applications that organisations have to keep going for as long as possible. Maybe they can't afford to replace them or there is just no modern equivalent, e.g. who makes player piano roll punches these days? Something that was basically discontinued in the 1920s.

    Thing is though, they might be able to replace the PCs, but can they replace or repair the actual hardware? Your pricey drum scanner for example, can that still be repaired if it goes wrong? What is it, 15 years old now?

    I know about restaurant POS systems, they often use them here. The waiters carry some kind of handheld terminal to take the orders. If the system is old, can they still get replacement terminals for the ones that get broken, lost or damaged?


    Here's one I do remember: a couple of years ago a UK YMCA had to replace, at considerable expense, its old Windows-based but proprietary security CCTV recorder. It used Iomega Zip disks for recording and backups, and that media is obsolete. Apparently the system still worked fine, but they can't get Zip disks any more.

    There's another example with pinball machines; people love to collect these and keep them going. There's a system called Pinball 2000, from the year it was made. The proprietary software it uses has to run on a Cyrix MediaGX PC motherboard; the software won't run on anything else. The manufacturer is long since out of the pinball business, and you can't get new MediaGX PC motherboards either. Pinball enthusiasts will probably have to reverse-engineer the software so it can be made to work on modern PC hardware. It's not Windows or DOS based either, it's completely proprietary.

    I'm thinking it's rather risky to be relying on hardware or unsupported software that can't readily be replaced or repaired economically.

    Can't modern monitors with analogue inputs still deal with lower resolutions, like VGA and SVGA? They have to, because if one boots into Safe Mode, it is SVGA.
    IOWA likes this.
  20. alostpacket

    alostpacket Over Macho Grande?

    Gizmodo is very equal in their coverage.

    They troll all sides to any debate. :D
  21. Rukbat

    Rukbat Extreme Android User

    No operating system is secure against malware. The only things that affect how easily a particular computer will be compromised are - most important - how the computer is used and, less important - how many people are writing malware for that system.

    The only reason that Macs were effectively almost immune to viruses for decades is that no one who could write software for Macs bothered to write viruses. (Most viruses are written by script kiddies - people who couldn't write a line of code if you told them what to write - who use existing scripts that take advantage of vulnerabilities in Windows.) Since there was just about no Mac malware, even stupid, sloppy use of Macs wouldn't give you much chance of downloading any. (In 40 years of using computers, I've gotten hit with a virus exactly one time - it came on a Netware update disk from the vendor.)