Re: 13 MASSIVE holes found in Safari...



Wegie wrote:
> In article <2005120319521937709%micron@invalidnet>,
> Michelle Ronn <micron@xxxxxxxxxxx> wrote:
>
> > On 2005-12-03 19:44:41 -0800, Wegie <here@xxxxxxxxxxxx> said:
> >
> > > In article <tNydndFbWJDv_g_enZ2dnUVZ_sydnZ2d@xxxxxxxxxxxx>,
> > > "MuahMan" <muahman@xxxxxxxxx> wrote:
> > >
> > >>>> "The most severe of these are the vulnerabilities found in curl and the
> > >>>> PCRE library used by Safari," said Thomas Kristensen, chief technology
> > >>>> officer for security site Secunia, which rated Apple's updates as "highly
> > >>>> critical"--the second-highest danger ranking.
> > >>>
> > >>> And yet, not a one of them has been exploited.... Go figure.
> > >>
> > >> Then why release a patch if they can't be exploited?
> > >
> > > it goes back to apple's perfectionist nature, a product isn't complete
> > > until it's polished to a high sheen. they've been doing that since the
> > > woz days, this is no different. there have only been about 70 viruses
> > > in the company's history, just goes to show they really care about the
> > > product.
> >
> > This stuff cracks me up. Apple's security is good, but it is nowhere
> > near perfect. It cannot be.
> >
> > Please give me one, just one, technical reason that a virus cannot be
> > written for the Mac?
>
> there is not just one, but many reasons.
>
> 1) 30+ years of UNIX, Live 24/7 network development. No other consumer
> OS is this battle tested on the Internet.
>

And yet Apple releases monthly security updates.
Also, it's not exactly true to say that no other consumer OS is this
battle tested on the internet. Unix wasn't a "consumer OS" for the
vast majority of those 30 years, nor was it on the "internet" as we
know it today. Windows is the most battle tested consumer OS on the
internet by far, simply because it's the most used "consumer OS" "on
the internet". It's not proven that if Unix were a consumer OS (with
the ease of use for a consumer) with the same userbase as Windows that
it would fare much better security-wise. (As you likely know, there
have been huge Unix malware outbreaks in the past but they received
little attention simply because Unix was NOT a "consumer" OS with a
huge consumer userbase at the time of the outbreaks.)


> 2) Known insecure networking ports are turned off by default.
>

But most malware (and many viruses) use the normal http port (80),
which is wide open.


> 3) Automatic Software Update is turned on by default.
>

But Software Update only does weekly checks, so it can take up to a
week before a user applies a patch. Also, Software Update doesn't
apply patches automatically by default (or even not by default, last I
checked).


> 4) All administrative actions require a password. In other words, for a
> Virus to move from machine to machine, a Virus writer must go into every
> house/office then figure out the user's password, then hit return. (now
> you know why there are Zero viruses on Macs)
>

This is nice, but unfortunately can lead to password fatigue, so that a
virus that needs the password to install malware can prompt the user
and the user is likely to provide the password (especially if he thinks
that it's OK because he's on a Mac and Macs are 100% safe). Also
doesn't address the fact that the vast majority of malware nowadays are
trojans/spyware rather than viruses (i.e. self-propagation isn't the
main problem today).


> 5) Root administrator account is turned off by default.
>

Root may be turned off but "admin" is the default.
Also, general malware requires neither "root" nor "admin". For
example, viruses can spread through email attachments without root
coming into play (though they might require the user's admin password
to run).


> 6) Apple's quick response with security patches.
>

Isn't Apple using a monthly patch schedule like MS? So a hole can
exist for at least a month before a patch is released. And who knows
how many holes are in the system that Apple knows about but hasn't
fixed. We KNOW there are dozens and dozens of holes (the reason for
the monthly security updates); the only question is whether Apple knows
about some of them and are sitting on them or whether they're ignorant
of all of them. You have zero proof one way or the other.


> 7) The open source nature of the operating system allows flexibility. If
> Apple doesn't provide the patch quickly enough I can download the source
> code and install it myself.
>

Most of the holes that Apple's security updates patch lie in code that
is closed. Second, when's the last time that you altered open source
kernel code yourself for your own system, and do you have the first
clue of how, what, where you'd do this?


> 8) Like Windows, Mac OS X provides an easy to use user interface which
> exposes many of its UNIX underpinnings making it easier to administrate
> for beginners.
>

And this prevents viruses and other malware??


> 9) Mac OS X by default supports secure encryption and communication
> protocols for authentication: Kerberos, SSH, VPN, MS-CHAP2, DIGEST-MD5,
> CRAM-MD5, DHX, OTP, SMB-NT, APOP.
>

All modern OSes support this, and it has nothing to do with malware.


> Many of these features are cited by the National Security Agency as
> pluses in favor of Mac OS X.
>
> Finally, many of Mac OS X's security problems are only theoretical and
> can never materialize, nor propagate in the wild. Apple contracts
> agencies to find security holes in its operating system before the
> hackers do. They work with the CERT (http://www.cert.org/) and the
> FreeBSD community (http://www.freebsd.org/security/) to address security
> issues. They also belong to FIRST (http://www.first.org/). In short
> Apple takes security seriously and if you work with Macs as I do you'd
> know it too.
>

If you'd said that they *don't* materialize or propagate (in practice),
then I'd agree, but you went too far with your "*Can never*
materialize, nor propagate in the wild" assertion. Sounds like famous
last words. The fact that Apple releases monthly security updates
means that the system has many holes and means that *somebody* is
uncovering said holes (thank God that they're "white hats"). It also
means that a "black hat" can, if he bothers to, reverse-engineer the
security updates to find what flaws were patched and write malware to
exploit the flaws before the patches are applied (Mac OS X's Software
Update only makes weekly checks, so it can take up to one week before a
security update is applied). Mac's marketshare is too small for
hackers to bother with, that's the real cause of Mac's "practical"
security. (Its "theoretical" security comes from the attributes that
you enumerated, but those don't prevent malware and are not the reason
that Mac OS X is free of malware in practice.)


NONE of the features you cited qualifies as a "technical reason that a
virus cannot be written for the Mac".

It doesn't matter to me anyway, I like my Mac for reasons other than
"security", since I've not received malware on my Mac or Windows
machines. I appreciate the advantages of the Mac that have nothing to
do with "security". Too many Mac fanboys have boiled down the Mac
advantage to simply "security", an argument that loses potency as time
goes on (the last major Windows malware outbreak was years ago, and
Vista will have the default user account as non-admin). This is why I
feel that it's much better to advocate the Mac by citing other
advantages (advantages that Apple can control, rather than relying on a
fault of Windows that MS is addressing), as was done in the 90's and up
until 2001 or so. This newsgroup was a lot more fun in those days when
"security" wasn't the only thing that Mac fans crowed about.
