Feeds

Windows-style security hell stalks Mac OS X? Yeah, you wish…

Infowarrior's Richard Forno spells out the differences for the hard of thinking

  • alert
  • submit to reddit

3 Big data security analytics techniques

Since Apple released Mac OS X, even the PC industry trade publications have raved about its quality, design, and features.  PC Magazine even gave Mac OS X "Panther" a 5-star rating in October 2003. Perhaps it was because Macs could now seamlessly fit into the Windows- dominated marketplace and satisfy Mac users refusing to relinquish their trusty systems and corporate IT staffs wanting to cut down on tech support calls. Whatever the reason, Mac OS X has proven itself as a worthy operating system for both consumers and business alike.

Of course, as with all operating systems, Mac OS X has had its share of technical problems and even a few major security vulnerabilities. Nearly all were quickly resolved by Apple via a downloaded patch or OS update.  But in general, Mac OS X is solid, secure, and perhaps the most trustworthy mainstream computing environment available today. As a result, Mac users are generally immune to the incessant security problems plaguing their Windows counterparts, and that somehow bothers PC Magazine columnist Lance Ulanoff.

In a December 11 column [1] that epitomizes the concept of yellow journalism, he's "happy" that Mac OS X is vulnerable to a new and quite significant security vulnerability. The article was based on a security advisory by researcher William Carrel regarding a DHCP vulnerability in Mac OS X. Carrel reported the vulnerability to Apple in mid-October and, through responsible disclosure practices, waited for a prolonged period before releasing the exploit information publicly since Apple was slow in responding to Carrel's report (a common problem with all big software vendors.)  Accordingly, Lance took this as a green light to launch into a snide tirade about how  "Mac OS is just as vulnerable as Microsoft Windows" while penning paragraph after paragraph saying "I told you so" and calling anyone who disagrees with him a "Mac zealot."

In other words, you're either with him or with the "zealots."  Where have we seen this narrow-minded extremist view before?  

More to the point, his article is replete with factual errors. Had he done his homework instead of rushing to smear the Mac security community and fuel his Windows-based envy, he'd have known that not only did Apple tell Carrel on November 19 that a technical fix for the problem would be released in its December Mac OS X update, but that Apple released easy-to-read guidance (complete with screenshots) for users to mitigate this problem on November 26.  Somehow he missed that.

Since he's obviously neither a technologist (despite writing for a technology magazine) nor a security expert, let's examine a few differences between Mac and Windows to see why Macintosh systems are, despite his crowing, whining, and wishing, inherently more secure than Windows systems.

The real security wisdom of Mac OS lies in its internal architecture and how the operating system works and interacts with applications. It’s also something Microsoft unfortunately can’t accomplish without a complete re-write of the Windows software -- starting with ripping out the bug-riddled Internet Explorer that serves as the Windows version of "Finder."  (That alone would seriously improve Windows security, methinks.)

At the very least, from the all-important network perspective, unlike Windows, Mac OS X ships with nearly all internet services turned off by default. Place an out-of-the-box Mac OS X installation on a network, and an attacker doesn’t have much to target in trying to compromise your system. A default installation of Windows, on the other hand, shows up like a big red bulls-eye on a network with numerous network services enabled and running.* And, unlike Windows, with Mac OS X, there’s no hard-to-disable (for average users afraid to tweak things unfamiliar to them, that is)  "Messaging Services" that results in spam-like advertisements coming into the system by way of Windows-based pop-up message boxes. And, the Unix-based Mac OS X system firewall – simple enough protection for most users -- is enabled by default (in Mac OSX Server) and easy to find and configure in Mac OS X Client software (not that there's much that users need to worry about out-of-the-box anyway) -- something that Microsoft only recently realized was a good idea and acknowledged should be done in Windows clients as well.  I guess Lance didn't hear about that, either.

Then there's the stuff contributing to what I call "truly trustworthy computing."

When I install an application, such as a word processor, I want to know with certainty that it will not modify my system internals. Similarly, when I remove the application, I want to know that when I remove it (by either the uninstaller or manually) it’s gone, and nothing of it remains on or has modified my system. Applications installed on Mac OS X don’t  modify the system internals – the Mac version of the Windows/System directory stays pretty intact. However, install nearly any program in Windows, and chances are it will (for example) place a different .DLL file in the Windows/System directory or even replace existing ones with its own version in what system administrators of earlier Windows versions grudgingly called "DLL Hell."  Want to remove the application? You’ve got two choices: completely remove the application (going beyond the software uninstaller to manually remove things like a power user) and risk breaking Windows or remove the application (via the software uninstaller) and let whatever it added or modified in Windows/System to remain, thus presenting you a newly-but-unofficially patched version of your operating system that may cause problems down the road. To make matters worse, Windows patches or updates often re-enable something you’ve previously turned off or deleted (such as VBScript or Internet Explorer) or reconfigures parts of your system (such as network shares) without your knowledge and potentially places you at risk of other security problems or future downtime. Apparently, Lance doesn't see this as a major security concern.

Further, as seen in recent years, Microsoft used the guise of a critical security fix for its Media Player to forcibly inject controversial Digital Rights Management (DRM) into customer systems.[2] Users were free to not run the patch and avoid DRM on their systems, but if they wanted to be secure, they had to accept monopoly-enforcing DRM technologies and allow Microsoft to update such systems at any time in the future.  How can we trust that our systems are secure and configured the way we expect them to be (enterprise change management comes to mind) with such subtle vendor trickery being forced upon us? Sounds like blackmail to me.  (Incidentally, Lance believes the ability of a user to "hack" their own system to circumvent the Apple iTunes DRM makes the Macintosh a bigger "hack target" for the purposes of his article.... apparently, he's not familiar with the many nuances of the terms "hack" and "hackers" or knows that power-users often "hack" their own systems for fun.)  Were Apple to do such a thing, Mac users would likely revolt, and Apple's credibility would be seriously damaged.

What does that say about trusting an operating system's ability to perform in a stable and secure manner? Windows users should wonder who’s really in control of their systems these days. But Lance is oblivious to this, and happy to exist in such an untrustworthy computing environment.

On the matter of malicious code, Lance reports being "driven crazy" when Mac users grin at not falling victim to another Windows virus or malicious code attack. He's free to rebuild his machine after each new attack if he wants, and needs to know that Mac users are grinning at not having to worry about such things getting in the way of being productive.  You see, because of how Mac OS X was originally designed, the chance of a user suffering from a malicious code attack - such as those nasty e-mail worms - is extremely low. Granted, Mac users may transmit copies of a Word Macro Virus if they receive an infected file (and use Microsoft Word) but it’s not likely that – again, due to Mac OS X's internal design – a piece of malicious code could wreak the same kind of havoc that it does repeatedly on Windows. Applications and the operating system just don’t have the same level of trusted interdependencies in Mac OS X that they do on Windows, making it much more difficult for most forms of malicious code to work against a Macintosh.

Unlike Windows, Mac OS X requires an administrator password to change certain configurations, run the system updater, and when installing new software.  From a security perspective, this is another example of how Apple takes a proactive approach to system-level security. If a virus, remote hacker, or co-worker tries to install or reconfigure something on the system, they’re stymied without knowing the administrator’s password stored in the hardened System Keychain. (Incidentally, this password is not the same as the Unix 'root' account password of the system's FreeBSD foundation, something that further enhances security.)  In some ways, this can be seen as Mac OS X protecting a careless user from themself as well as others.

Lance also fails to recognize that Windows and Mac OS are different not just by vendor and market share, but by the fundamental way that they're designed, developed, tested, and supported. By integrating Internet Explorer, Media Player, and any number of other 'extras' (such as VB Script and ActiveX) into the operating system to lock out competitors, Microsoft knowingly inflicts many of its security vulnerabilities onto itself.  As a result, its desire to achieve marketplace dominance over all facets of a user's system has created a situation that's anything but trustworthy or conducive to stable, secure computing.  Mac users are free to use whatever browser, e-mail client, or media player they want, and the system accepts (and more importantly, remembers!) their choice.

Contrary to his article, the small market segment held by Apple doesn't automatically make the Mac OS less vulnerable to attack or exploitation. Any competent security professional will tell you that "security through obscurity" - what Lance is referring to toward the end of his article - doesn't work. In other words, if, as he suggests, Mac OS was the dominant operating system, its users would still enjoy an inherently more secure and trustworthy computing environment even if the number of attacks against it increased.  That's because unlike Windows, Mac OS was designed from the ground up with security in mind.  Is it totally secure? Nothing will ever be totally secure. But  when compared to Windows, Mac OS is proving to be a significantly more reliable and (exponentially) more secure computing environment for today's users, including this security professional.

If Lance is sleeping well believing that he's on an equal level with the Mac regarding system security, he can crow about not being overly embarrassed while working on the only mainstream operating system that, among other high-profile incidents over the years, facilitated remote system exploitation through a word processor's clip art function! [3]

Trustworthy computing must be more than a catchy marketing phrase. Ironically, despite a few hiccups along the way, it's becoming clear that Mac OS, not Windows, epitomizes Microsoft's new mantra of "secure by design, default, and deployment."

Who's crowing now?

[1] Eureka! Macs Are Not Invulnerable
[2] Microsoft Makes An Offer You Can't Refuse
[3] Buffer Overflow in Clipart Gallery (MS00-015)

© 2003 by Author. All Rights Reserved. Permission granted to redistribute this article in its entirety with credit to author.

Richard Forno is a security technologist, author, and the former Chief Security Officer at Network Solutions (now owned by VeriSign.) His home in cyberspace is infowarrior.org.

* Shortly after Richard Forno wrote this piece, Microsoft issued a bulletin warning consumers what they should do before connecting their new PC to the Internet. So there - Reg editors

SANS - Survey on application security programs

More from The Register

next story
This time it's 'Personal': new Office 365 sub covers just two devices
Redmond also brings Office into Google's back yard
Batten down the hatches, Ubuntu 14.04 LTS due in TWO DAYS
Admins dab straining server brows in advance of Trusty Tahr's long-term support landing
Microsoft lobs pre-release Windows Phone 8.1 at devs who dare
App makers can load it before anyone else, but if they do they're stuck with it
Half of Twitter's 'active users' are SILENT STALKERS
Nearly 50% have NEVER tweeted a word
Internet-of-stuff startup dumps NoSQL for ... SQL?
NoSQL taste great at first but lacks proper nutrients, says startup cloud whiz
Windows 8.1, which you probably haven't upgraded to yet, ALREADY OBSOLETE
Pre-Update versions of new Windows version will no longer support patches
Microsoft TIER SMEAR changes app prices whether devs ask or not
Some go up, some go down, Redmond goes silent
Red Hat to ship RHEL 7 release candidate with a taste of container tech
Grab 'near-final' version of next Enterprise Linux next week
Ditch the sync, paddle in the Streem: Upstart offers syncless sharing
Upload, delete and carry on sharing afterwards?
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.