Re: spyware on macs ?



Oxford wrote:
TheLetterK <theletterk@xxxxxxxxxxxxxxxxxx> wrote:


but we aren't talking about "ease of target" we are talking about "ease to infect",

The two concepts are very closely related. Why would any virus writer try to attack OS X in the first place? Whatever virus they release will spread slowly, and attack a more difficult (but not, by any means, impenetrable) target in the process. Why would they bother when Windows targets are so much more prevalent and easier to compromise?


hogwash, an easy target is what gets hit the most, it has nothing to do with "marketshare". if OSX was "equally" easy to "hit" it would "equally" be "hit".
Can you back up this assertion? No one in the security field seems to agree with your assessment.



It's a technical reason OSX doesn't get viruses,

Right--the statistical difficulty of actually infecting large numbers of completely defenseless OS X boxes. It's just too rare a target for virus writers to bother with.


this isn't about statistics, it's about "ease of target". get that through your thick head.
Statistics plays a huge role in determining infection rates and probability of being targeted.



the reason is far more technical in nature,

Well, if you consider statistics to be 'technical'.


i've already proven it's not related to any "statistics".
No, you've asserted that it is not related to statistics. 'Proof' would require some sort of credible supporting evidence. Something you have yet to provide.



Stats have very little to do with it, if 100% of the macs were not on the net, then you might have a point, but a good 80% are on the net, and ZERO have been infected over 4.5 years of use.

Yes, with a userbase that hovers somewhere below 5%. Thus, it's a difficult target to hit, simply because each potential target is so rare. It would be like a human virus that could only *possibly* affect 5 out of 100 people.


it's not any more difficult to hit than 5% of exposed windows machines.
Yes, yes it is. Each 'node' would take ~20 times longer to find for a Mac virus than it would for a Windows virus. This is due to Apple's low share of the userbase. Virus propagation times would slow to a crawl, simply because there aren't very many Macs to act as zombies for virus propagation.


plus you are completely forgetting, 95% of the windows machines sold are not on the internet,
Can you prove this? I didn't think so.

only about 60% are online, the way that so called "5%" of macs are. lots and lots of pcs are never tied to the internet. cash registers, signage, dumb factory terminals, etc, etc, etc, etc.
Yes, many are not. But the vast majority are.



the fact is a good 15 million osx macs are connected to the net 24/7/365, so don't you think "one measly virus" would have infected the population by now?

One did. The fake word installer virus.

post a reference, bet you can't

http://secunia.com/virus_information/9393/as.mw2004.trojan/


and that isn't a virus, read the link before you post next time.
Playing with semantics now? Well, by that logic Windows doesn't have very many viruses either--they're almost all worms and trojans.



no, but there are some serious security mistakes in windows. in OSX, not so much.

The mistakes Microsoft made were assuming that technical superiority is more effective than simple (but less versatile) procedures. Windows *is* technically more secure than OS X is. In practice, securing it is so far beyond the average user that it might as well be swiss cheese.


Really? Then please explain why there are 64,00+ viruses for MS based PCs and NONE for OSX? It seems you completely forgot to think before writing your comment.
Because propagation time for Mac viruses is prohibitively high, the target 'audience' is minuscule, and the task is a bit more difficult?



so it's basically impossible to remotely enter a mac,

Well, if you feel so secure, leave your Mac outside your firewall and post your IP addy for the world to see.


go knock on this IP, 70.57.60.154 it's open, why can't you get in? hum?
It's illegal, you know.



firewalls are for wimps, they are basically unneeded on OSX.

That's why Apple includes one?


Apple has to bow to the ignorant, not having one would be a missing "check off" item, so the people that don't understand security would be mistakenly afraid. It's sad really when MS's weaknesses forces honest companies to cheapen up their products.
I, for one, am glad that Apple did show a bit of foresight and chose to include a good firewall by default. Now, if they could just be bothered to turn it on by default... I'm doubly glad that you aren't administrator for any of my boxes. Your lack of knowledge regarding security is appalling, as is your trust in Apple to provide solutions.



my systems are always on, no passwords, sharing is on, come get me or any mac user for that matter.

I wouldn't even consider it--but post your IP addy out here. I wonder how long it would take for someone you annoyed to bring down your unsecured Mac. Probably not very long, considering just how open OS X actually is by default.


You must be paranoid, I have hundreds of machines with no passwords, no firewalls, all work perfectly, none have been breached. It's the difference of OSX compared to Linux or Windows.
Right, keep digging that hole oxtard.



1) 30+ years of unix, Live 24/7 network development. No other consumer OS is this battle tested on the Internet.

OS X isn't particularly 'battle tested'. It uses a kernel that was, until OS X came out, extremely rare. Its only saving grace is the use of the FreeBSD tools. However, FreeBSD is probably the least secure of all of the BSD distributions... OS X is even less so for the inclusion of new and untested software, as well as a relatively untested kernel.


On a worldwide network it certainly is the most battle tested consumer OS.
Can you justify this statement, or is it just another example of your favored tactic--'proof by declaration'?

sure if you are sitting in front of the machine and have a startup CD, there is a way in, but a virus writer would be awfully busy trying to do that worldwide.
I can exploit my own Macs fairly easily--it's how you shore up their defenses you know.



2) Known insecure networking ports are turned off by default.

Go run an nmap scan against an OS X box with the firewall turned off (this is its default state, by the way).


Great, you can attack my printer!
No, a malicious cracker could attack your *printer service*. If there is a vulnerability in this component, then it could allow the attacker access to the machine as a whole. And there is more than just a printer service running.

go for it... gosh, that's where I store all my gold! Maybe you could have my printer print fake $$ and have it automatically mail them to yourself? That seems about the level of your intelligence on this matter. Bottom line, there is nothing you can do to break into a default OSX install, it's locked down tight.
Oxtard, can you become any more of an idiot? It must be a challenge to continually lower the bar.



3) Automatic Software Update is turned on by default.

The same is true for most consumer operating systems these days. It's a good thing too, because OS X has plenty of holes OOTB.


Where are these holes? waiting...
Let's see... in the last security update for 10.4.2, the following holes were patched:

    * ImageIO

      CVE-ID: CAN-2005-2747

      Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2

      Impact: Viewing a maliciously-crafted GIF image may result in arbitrary code execution.

      Description: By carefully crafting a corrupt GIF image, an attacker can trigger a buffer overflow in ImageIO which may result in arbitrary code execution. Several components of Mac OS X utilize ImageIO including WebCore and Safari. This update addresses the issue by performing additional validation of images.

    * Mail

      CVE-ID: CAN-2005-2746

      Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.2, Mac OS X Server v10.4.2

      Impact: When using auto-reply rules, Mail.app may expose the contents of encrypted messages.

      Description: Mail.app includes the contents of messages when processing auto-reply rules. If a message being processed was encrypted, the automatically generated response will include the decrypted message contents. This could allow an attacker to intercept the message. This update addresses the issue by ensuring that unencrypted responses to encrypted messages are not generated. Credit to Norbert Rittel of Rittel Consulting for reporting this issue.

    * Mail

      CVE-ID: CAN-2005-2745

      Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9

      Impact: Using Kerberos Version 5 for SMTP authentication, Mail.app may disclose sensitive information.

      Description: When using SMTP authentication with Kerberos Version 5, Mail.app may append un-initialized memory to a message. This update addresses the issue by updating Mail.app. Credit to the MIT Kerberos team for reporting this issue. This issue was resolved in Mac OS X v10.4.2 by Security Update 2005-007.

    * malloc

      CVE-ID: CAN-2005-2748

      Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.2, Mac OS X Server v10.4.2

      Impact: Insecure file handling may result in local privilege escalation.

      Description: When certain environment variables are set to enable debugging of application memory allocation, files with diagnostic information are created insecurely. This could allow a malicious local user to alter arbitrary files. This update addresses the issue by disallowing malloc debugging in privileged programs. Credit to Ilja van Sprundel of Suresec LTD for reporting this issue.

    * QuickDraw Manager

      CVE-ID: CAN-2005-2744

      Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.2, Mac OS X Server v10.4.2

      Impact: Viewing a maliciously-crafted PICT image may result in arbitrary code execution.

      Description: By carefully crafting a corrupt PICT image, an attacker can trigger a buffer overflow in QuickDraw Manager which may result in arbitrary code execution. Several components of Mac OS X utilize QuickDraw Manager, including Safari, Mail, and Finder. This update addresses the issue by performing additional validation of images. Credit to Henrik Dalgaard of Echo One for reporting this issue.

    * QuickTime for Java

      CVE-ID: CAN-2005-2743

      Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9

      Impact: An untrusted applet may gain elevated privileges.

      Description: The Java extensions bundled with QuickTime 6.52 and earlier allow untrusted applets to call arbitrary functions from system libraries. This update addresses the issue by limiting these calls to trusted applets. Systems running QuickTime 7 or later are not affected by this issue. Systems running Mac OS X v10.4 or later are also not affected by this issue. Credit to Dino Dai Zovi for reporting this issue.

    * Ruby

      CVE-ID: CAN-2005-1992

      Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2

      Impact: Ruby applications utilizing the xmlrpc module may be vulnerable to arbitrary code execution.

      Description: The Ruby xmlrpc/utils module utilizes the method Module#public_instance_methods to determine which methods may be invoked remotely using XML-RPC. A change between different versions of Ruby caused this method list to unintentionally include methods that may be used to execute arbitrary Ruby code. This update addresses the issue by updating the xmlrpc/utils module. This issue does not affect systems prior to Mac OS X v10.4.

    * Safari

      CVE-ID: CAN-2005-2524

      Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9

      Impact: Maliciously crafted web archives could potentially allow cross-site scripting.

      Description: It is possible to view web archives served from remote sites in Safari. Maliciously crafted web archives may be rendered as content from sites that did not serve them. This update prevents remote web archives from being loaded. Safari web archives were introduced in Safari 2.0. This issue was resolved in Mac OS X v10.4.2 by Security Update 2005-007.

    * SecurityAgent

      CVE-ID: CAN-2005-2742

      Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2

      Impact: A user with physical access to the system may be able to bypass the "Require password to wake this computer from sleep or screen saver" setting.

      Description: Under certain situations, the "Switch User..." button may appear even though the "Enable fast user switching" setting is disabled. This could cause the currently logged-in user's desktop to be displayed without authentication. This update prevents the "Switch User..." button from appearing when inappropriate. This issue does not affect systems prior to Mac OS X v10.4. Credit to Luke Fowler of the Indiana University Global Research Network Operations Center for reporting this issue.

    * securityd

      CVE-ID: CAN-2005-2741

      Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.2, Mac OS X Server v10.4.2

      Impact: Malicious users may grant themselves rights to manipulate arbitrary files or perform other privileged actions.

      Description: Authorization Services allows unprivileged users to grant certain rights that should be restricted to administrators, which may lead to privilege escalation. This update addresses the issue by adding restrictions to which rights unprivileged users can grant themselves.



4) All administrative actions require a password.

Nothing special here. Even Windows does this, assuming you don't do something silly like run as administrator.


Most everyone on a Mac runs as an Admin, but Apple was smart enough to separate the privs of this user from a high level "root" user. MS, not so much.
Unfortunately, this same user can easily execute code as root on OS X. It just requires a password, which is so insanely easy to harvest I don't know where to begin. The naming vulnerability on OS X allows for all sorts of easy vectors of attack. All you have to do is convince the user that the package in question is a legitimate package. If, for example, you disguised a password harvester as an installer package few people would realize they were being exploited.

This is a long standing vulnerability in OS X, that Apple has known about for years now.



In other words, for Virus to move from machine to machine, a Virus writer must go into every house/office then figure out the user's password, then hit return. (now you know why there are Zero viruses on Macs)

Hardly. There are plenty of methods of falsifying or circumventing such a security procedure. A simple keylogger would solve that problem. There's also the tried-and-true method of just misnaming an installer and sending it to the user with a message like 'Click me for hawt pr0n!'.


How is a keylogger going to help you if you don't have access to the system?
If someone packaged a keylogger as some silly bit of freeware that required authentication to install, I guarantee you that they would get idiots to run it and reveal their admin password.

you really need to think things through before you post. Sending a trojan installer isn't going to "install it" you still need to type a password, so unless the user knew you, you couldn't get in.
Hardly. As the success of mass mailer worms has demonstrated, people are idiots. Your average Mac user is even *less* savvy when it comes to security, simply because most think they live in some perfect world with a fully secure operating system.



5) Root administrator account is turned off by default.

Unfortunately, if someone managed to exploit the user into revealing their password... this precaution would do no good.


Which is the same for any system.
Yet you still claim OS X is especially secure... why?



6) Apple's quick response with security patches.

Apple can't patch user stupidity.


Which is the same for any system.
Yet you still claim OS X is especially secure... why?



9) Mac OS X by default supports secure encryption and communication protocols for authentication: Kerberos, SSH, VPN, MS-CHAP2, DIGEST-MD5, CRAM-MD5, DHX, OTP, SMB-NT, APOP.

And this prevents the user from being exploited... how?


ease, by using Kerberos, SSH, VPN, MS-CHAP2, DIGEST-MD5, CRAM-MD5, DHX, OTP, SMB-NT, APOP.
You still haven't explained how this prevents the *user* from being exploited.



Finally, many of Mac OS X's security problems are only theoretical and can never materialize, nor propagate in the wild.

That's right--propagation difficulties are what keep viruses off OS X. It's difficult not because OS X is especially secure, but because OS X is just so rare.


Nah, it's because OSX is too rare to bother with--after 4.5 years of not caring, nobody has gotten in.
Corrected.



They work with the CERT (http://www.cert.org/) and the FreeBSD community (http://www.freebsd.org/security/) to address security issues. They also belong to FIRST (http://www.first.org/). In short Apple takes security seriously and if you work with Macs as I do you'd know it too.

I do work with Macs, this is why I have absolutely no faith in Apple when it comes to dealing with security threats.


And now describe your latest "threat" that caused a breach of security using OSX, bet you can't.
You're right, I can't. But that is because of the statistical difficulty of needing to exploit an OS X box.
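The Ruby entry in the advisory list quoted above describes a general failure mode: a remote-method list derived by reflection changes with the class hierarchy and the Ruby version. As an added example (not from this thread, and not Ruby's own xmlrpc code), the constructed Calculator service below shows a reflective method list picking up inherited code-execution methods, beside an allowlist dispatcher that names the exposed methods explicitly; the DANGEROUS list and the class are assumptions made for the demo.

```ruby
# Added example (not from the thread or from Ruby's own xmlrpc library):
# contrasts remote-method exposure by reflection, the failure mode the
# advisory entry above describes, with an explicit allowlist.

# A small constructed "service" object of the kind registered with an RPC server.
class Calculator
  def add(a, b)
    a + b
  end

  def mul(a, b)
    a * b
  end
end

# Reflection-based exposure: every public instance method of the class is
# treated as remotely callable. Whether inherited methods are included is
# the second argument; when it is true the list also contains methods
# inherited from Object/Kernel that run arbitrary Ruby code.
def reflective_exposed(klass, include_inherited)
  klass.public_instance_methods(include_inherited).map(&:to_s).sort
end

# Inherited methods that must never be reachable over RPC (constructed list).
DANGEROUS = %w[instance_eval instance_exec send public_send __send__].freeze

def dangerous_in(list)
  list & DANGEROUS
end

# Allowlist-based exposure: the service declares exactly which method names
# may be called remotely, so a change in what reflection returns cannot
# widen the remote surface.
class SafeDispatcher
  def initialize(service, allowed)
    @service = service
    @allowed = allowed.map(&:to_s)
  end

  def call(name, *args)
    name = name.to_s
    # Check against the allowlist, not respond_to?, so inherited methods
    # such as instance_eval are rejected before any dispatch happens.
    raise ArgumentError, "method not exposed: #{name}" unless @allowed.include?(name)
    @service.public_send(name, *args)
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "dangerous, class only: #{dangerous_in(reflective_exposed(Calculator, false)).inspect}"
  puts "dangerous, inherited:  #{dangerous_in(reflective_exposed(Calculator, true)).inspect}"
  puts SafeDispatcher.new(Calculator.new, %w[add mul]).call("add", 2, 3)
end
```

Running it prints an empty dangerous list for the class-only view and a non-empty one once inherited methods are included, which is exactly the difference a version change in the reflection call would expose.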



