Re: New Patch Fixes 43 Flaws In OS X, Many Serious



"GreyCloud" <mist@xxxxxxxxxxx> wrote in message
news:aYGdnea1Ufu_TPbZnZ2dnUVZ_s-dnZ2d@xxxxxxxxxxxxxx
> Daniel Johnson wrote:
>>> Guffaw!!! There are many flavors of Unix out there.
>>
>> And they all have setuid bits.
>
> Yeup. Now do you know what these are for?

Yes. Any further questions?

[snip]
>> If Apple wished, they could well obtain the right to use this
>> brand in their marketing. But this would have *no* security
>> implications.
>
> Then it is obvious then that your recent remarks about OS X not being a
> Unix is incorrect then. You can't have it both ways.

I think I am being consistent: Unix is a brand, and Apple can
join in it if they wish. They haven't, and probably won't. If they
did, it would have no security implications.

What's the problem?

[snip]
>> So has the "Macintosh" brand, for that matter.
>
> Rather obvious. So why state the rather obvious?

Because, where it comes to the "Unix" brand, people
seem to think it's somehow different. That it identifies
something more solid, like a particular codebase.

If this were so it might have security implications,
but it is not so. "Unix" is like "Windows" or "Macintosh";
a brand that covers several *different* codebases of
varying quality.

[snip]
>> If Apple had used the actual Tru64 kernel, rather than the one from
>> NeXTStep, it might be more impressive.
>
> Might be? It is impressive.

Perhaps "would be" would please you more? Apple *did not*
use the Tru64 kernel but the NeXTStep one. And, far more importantly,
the NeXTStep userspace as well.

> You might also be informed that the Mach kernel was developed by
> Carnegie-Mellon a long time ago. Has nothing to do with Next Step o/s.

It's a component of NeXTStep, and of Mac OS X, and of many
other OSes.

Yet these OSes are often very different, because Mach is only
a small part of them. So it is with any kernel, of course.

> The Next Step part has to do with the GUI layer and an improved way of
> doing things over what C could do. You'll find that the Next Step headers
> are in Objective-C form rather than the C only form.

Of course. This is really quite elementary.

>> But not much more. It is not like an insecure userspace is in any
>> way mitigated by a secure kernel.
>
> Funny that the kernel controls the user space.

It does not control it *that* much; security breaches
are still possible. Even privilege escalation.

[snip]
>> No. OS X's kernel is Mach. They've put some bits of BSD
>> in there for improved compatibility, which is fine, but not
>> important for security.
>
> Yes it is. BSD a long time ago has been hand over hand scrutinized for as
> many flaws as they could find. It also has been hacked and messed with by
> a lot of smart college students.

This doesn't help you much, because those smart college
students were not scrutinizing Mac OS X or NeXTStep
or Mach.

Even if the BSD bits that Apple added to the product are
*completely* vulnerability free, it does not matter: this does
nothing to mitigate the vulnerabilities inherited from NeXT,
or the new ones added by Apple since.

Security is not something you can sprinkle on like jimmies
on an ice-cream cone.

> Security is in OS X. What part of that do you not understand?
> It is far better than what you'll ever find in windows.

It isn't.

It's got a tiny marketshare, so it is not profitable to exploit,
and it has a savvier userbase than Windows. But, IMHO,
that's all there is to it.

[snip]
>> That would be a long and not very relevant post;
>> they are quite different OSes.
>
> No, not really. At the core things are done essentially the same way.
> I've never seen XSun crash, nor have I seen Quartz crash. I have seen
> XFree crash.

I can only assume that "the core" means "the microkernel"; both
use Mach derivatives which are naturally similar in some
respects, but this isn't important for security: what matters
is the quality of the code, far more than the design of it.

In any case, a microkernel is a small part of an OS; the vast majority
of what it does is not "in the core" in that sense.

Quartz, for instance, is not, and neither is X-Windows. And they
are very very different.

> Again, read the book that I've mentioned. And guess what? The book
> covers Solaris, OS X, BSD, and Linux. They all do the same things from a
> code point of view. How it actually is done at the kernel level is
> another matter.

This is quite untrue. If your book is telling you that applications
on OS X work like applications on Unix, then it is trash.

The whole userspace is different. (If anything the differences
favor Mac OS X, too.)

> I've seen a rootkit for Solaris and finally Sun fixed that. I haven't
> seen a rootkit for OS X yet. The one that is suffering a bit from being
> hacked right now is Linux at the 2.6.xx level.

If this is so, then presumably "doing the same thing from
a code point of view" did not save it.

You can ignore things like the Dashboard Debacle, but
they remain very illustrative; in this case that no amount
of chanting "Unix! Unix!" makes your OS secure.

> Guffaw!!! And no amount of denial about windwoes will make their security
> track record any better than its dismal past attests to.

You will observe how careful I am to bash Mac OS X rather
than to pimp Windows. :D




