Three Reasons (At Least) Why Mac Users Need to Cool the Smugness and Condescension
BizzyBlog ^ | August 21, 2005 | BizzyBlog

Posted on 08/21/2005 5:35:07 PM PDT by bizzyblog

As a 20-year Macintosh user going back to when the machines didn't even have hard drives, I confess to being a big fan of Apple and the Mac OS.

I also confess to being a nearly-insufferable Mac evangelist (some would say "delete 'nearly'") until about seven years ago, when, as a result of Windows 98, the differences between Windows and the Mac as a platform for the average user became so small that they didn't matter. Those differences remain small, despite the exceptionally cool advances in the Mac OS through Jaguar, Panther, and Tiger.

(snip)

Also cooling my ardor for the Mac is the remarkable air of condescension still present in "the Mac community," which is pretty amazing considering Apple's puny market share. I believe that the attitudes of too many current Mac users prevent a lot of those who might consider ditching Windows from doing so, simply because they don't want to be seen as joining what has almost become a cult (some would say "delete 'almost'").

So, in the interest of knocking Mac users down a peg or two, I offer three reasons, based on news of the past week or so, that we in "the Mac community" should cool it on the arrogance. At the same time, I'll knock down three myths about the Mac and its users (bolds are mine in all three reasons).

REASON 1--Exploding the myth that Mac users are so much more civilized than the rabble who use PCs:

Seventeen injured during used laptop sale

(Excerpt) Read more at bizzyblog.com ...


TOPICS: Computers/Internet
KEYWORDS: anythingforhits; apple; arrogance; community; cult; getmetraffic; helloanybodyhome; laptop; lookatme; mac; macintosh; patch; security; windows
To: Bush2000
This guy is a 20-year Mac veteran. WTF does he know, right?!? He couldn't possibly converse with other Mac users... /sarcasm

So he claims... but then he left Mac when "Windows 98 was released" ... and his experience obviously does not include OSX.

41 posted on 08/23/2005 4:00:35 PM PDT by Swordmaker (Beware of Geeks bearing GIFs.)
[ Post Reply | Private Reply | To 20 | View Replies]

To: bizzyblog
Those reasons are strawmen. There are compelling reasons to use modern Macs versus Windows.

1.) The security on OSX is better than Windows. Not flawless, but unambiguously better. FreeBSD networking core plus pervasive and well-implemented encryption (best I've used) of the system goes a long way toward staying in control of one's system. I'd like them to expand on capabilities-based security though.

2.) Better development platform than Windows (or Linux). Not ideal, but better conceived for sure, and with some very slick features.

3.) It just works, and is feature rich. Trite, but this is the one part of the Mac image that is actually true. Again, not perfect but far, far better than either Linux or Windows.

The strength of the Mac computer is Mac OSX and the fact that OSX can target an extremely well-defined platform for the most part. Very good software as software goes. From an intrinsic performance standpoint, The PPC Macs have never been stellar performers no matter how much Apple tries to assert to the contrary.

I use a lot of platforms (Linux, Solaris, Windows, OSX). Linux and Solaris will scale better, Linux is faster on the same hardware, but the cleanliness and completeness of the OSX user environment is top-notch. Windows is not the best at anything, though it does have the worst security out of the bunch, but it beats Linux and Solaris for basic usability.

42 posted on 08/23/2005 4:28:11 PM PDT by tortoise (All these moments lost in time, like tears in the rain.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: garyhope
I have a lot of MacAholic friends (mostly graphic artists) but what do you do if your stock trading software is only written for the Windows environment.

You run it in Windows XP in Microsoft Virtual PC... not a problem.

43 posted on 08/23/2005 6:16:09 PM PDT by Swordmaker (Beware of Geeks bearing GIFs.)
[ Post Reply | Private Reply | To 31 | View Replies]

To: DefiantZERO
Let me know when you find a car that doesn't require you to look out for erratic/drunk/bad drivers.

How about a car, that when hit, exhibits no damage? No dents, no scratches, no break-ins... regardless of how bad the other drivers are. Unless the bad driver is behind your wheel...

44 posted on 08/23/2005 6:18:33 PM PDT by Swordmaker (Beware of Geeks bearing GIFs.)
[ Post Reply | Private Reply | To 32 | View Replies]

To: for-q-clinton
If I wrote a virus that attacked 100% of Macs, the impact would be negligible on most corporations and home users; therefore, I won't waste my time.

Security by Obfuscation??? It is Windows users who obfuscate this issue...

I think you are referring to that old canard "Security by obscurity."

Let's see... In the past two years, crackers have written a virus that attacked a hardware router with fewer than 40,000 installed base. They've written a virus that invaded a cell phone with fewer than 25,000 manufactured. The previous Mac operating system (OS9.2 and lower) had 113 viruses (including all variations) created for it by crackers.

Macintosh OSX has been in use for over five years, yet in those five years these crackers have come up with how many viruses for OSX??? ZERO.

There have been two trojans reported that impacted fewer than ten users who were greedy enough to think that a 400k file was a cracked version of Microsoft Office for Mac... and gave it permission to install on their computer and had it erase their user files... but it left the system untouched and operational. There have also been a couple or three proofs of concept announced (usually by an anti-virus company spreading FUD) whose vulnerabilities were patched within a week of their announcement... all of them required ROOT access to work.

An expert programmer in both the Windows environment and in various forms of Unix as well as a security expert, stated that on a scale of 1 to 10, where 1 is the difficulty of writing a Windows virus, the Mac comes in at a 9. Crackers write viruses for the accolade of their peers... and the greatest accolade would be for writing a virus that brings down the "arrogant, condescending, and smug" Mac users! Where is it, For-q?

There have been several substantial CASH prizes for writing a viable, transmittable and self propagating virus for the Mac (the last offering had to be withdrawn because of legal reasons) but all of them have gone unclaimed.

The US Army and the FBI have selected Macintosh OSX computers because of their inherent security...

The challenge is out there... write your virus. We are not worried.

45 posted on 08/23/2005 6:46:57 PM PDT by Swordmaker (Beware of Geeks bearing GIFs.)
[ Post Reply | Private Reply | To 36 | View Replies]

To: for-q-clinton
Did you even read Question_Assumptions' post? Your incompetent rambling is beyond answer, yet Question_Assumptions did a great job trying. Not good enough for the likes of you, you had to post an equally stupid reply. You don't know a damn thing about what an "enterprise" will tolerate in a system administrator's attitude. To even imply such knowledge is absurd. You haven't any idea what you're talking about, yet you continue to speak. What a jerk.
46 posted on 08/23/2005 6:50:38 PM PDT by Leonard210
[ Post Reply | Private Reply | To 38 | View Replies]

To: Leonard210
Did you even read Question_Assumptions' post? Your incompetent rambling is beyond answer, yet Question_Assumptions did a great job trying. Not good enough for the likes of you, you had to post an equally stupid reply. You don't know a damn thing about what an "enterprise" will tolerate in a system administrator's attitude. To even imply such knowledge is absurd. You haven't any idea what you're talking about, yet you continue to speak. What a jerk.

well I guess if you can't win on points and logic, just resort to name calling. Although I don't expect to see that on FR, I've been seeing it more and more lately.

47 posted on 08/23/2005 8:00:29 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 46 | View Replies]

To: Swordmaker
The US Army and the FBI have selected Macintosh OSX computers because of their inherent security...

really? I worked with Army and FBI guys all the time. I have never ever ever once seen/heard of them using a Mac. I'm not saying they don't ever use it, but they must not really be into it as they never use it and Windows is their standard desktop.

As far as the challenge, give me a link to the current challenge and the payout so I can determine if it's worth the money. Since there's a good chance I'll go to jail and have to pay restitution I'll need to see what the rules are before proceeding.

48 posted on 08/23/2005 8:03:04 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 45 | View Replies]

To: for-q-clinton
Since there's a good chance I'll go to jail and have to pay restitution I'll need to see what the rules are before proceeding.

That was the legal reason it was cancelled. The prize was $25,000.

49 posted on 08/23/2005 8:11:15 PM PDT by Swordmaker (Beware of Geeks bearing GIFs.)
[ Post Reply | Private Reply | To 48 | View Replies]

To: Swordmaker
The use of the past tense makes one believe the challenge isn't out there.

I guess it was out there for a limited time, but those hackers smart enough knew they couldn't claim the prize. So in essence it was never a real offer.

http://www.us-cert.gov/cas/alerts/SA05-229A.html

50 posted on 08/23/2005 8:16:04 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 49 | View Replies]

To: Swordmaker
Security Update 2005-007

Apache 2
CVE-ID: CAN-2005-1344
Available for: Mac OS X Server v10.3.9
Impact: The htdigest program contains a buffer overflow, which, if used improperly in a CGI application, could allow a remote system compromise.
Description: The htdigest program contains a buffer overflow, and could be used in a CGI application to manage user access controls to a web server. This update fixes the buffer overflow in htdigest. Apple does not provide any CGI applications that use the htdigest program. Apache 2 ships only with Mac OS X Server, and is off by default. This issue was fixed for Apache 1.3 in Security Update 2005-005. Credit to JxT of SNOsoft for reporting this issue.

Apache 2
CVE-ID: CAN-2004-0942, CAN-2004-0885
Available for: Mac OS X Server v10.3.9
Impact: Multiple security issues in Apache 2.
Description: The Apache Group fixed two vulnerabilities between versions 2.0.52 and 2.0.53 (the Apache Group security page for Apache 2 is located at http://httpd.apache.org/security/vulnerabilities_20.html). Apache 2 is updated to version 2.0.53 (the previous version was 2.0.52). Apache 2 ships only with Mac OS X Server, and is off by default.

Apache 2
CVE-ID: CAN-2004-1083, CAN-2004-1084
Available for: Mac OS X Server v10.3.9, Mac OS X Server v10.4.2
Impact: Apache 2 example configurations do not fully block access to resource forks, ".ht" files, or ".DS_Store" files.
Description: Apache 2 ships only with Mac OS X Server, and is off by default. It is important that administrators who enable this server manually are aware of the files that should be blocked to avoid security exposures. A default Apache 2 configuration blocks access to files starting with ".ht" in a case-sensitive way. The Apple HFS+ filesystem isn't case-sensitive when performing file access, and maps resource forks of files to path names. The Finder may also create .DS_Store files containing the names of files in locations used to serve webpages. This update modifies the sample Apache 2 configuration to show how to restrict access to these files and resource forks. This issue was fixed for Apache 1.3 in Security Update 2004-12-02. Additional information is available here.

AppKit
CVE-ID: CAN-2005-2501
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: Opening a malicious, rich text file could lead to arbitrary code execution.
Description: A buffer overflow in the handling of maliciously crafted rich text files could lead to arbitrary code execution. This update prevents the buffer overflow from occurring.

AppKit
CVE-ID: CAN-2005-2502
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: Opening a maliciously crafted Microsoft Word .doc file could result in arbitrary code execution.
Description: A buffer overflow in AppKit that is responsible for reading Word documents could allow arbitrary code execution. Only applications such as TextEdit that use AppKit to open Word documents are vulnerable. Microsoft Word for Mac OS X is not vulnerable. This update prevents the buffer overflow.

AppKit
CVE-ID: CAN-2005-2503
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: A malicious user with physical access to a system could create additional local accounts.
Description: A malicious user who has full physical access to a system could create additional accounts by forcing an error condition. This update prevents the error conditions from occurring at the login window.

Bluetooth
CVE-ID: CAN-2005-2504
Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: The System Profiler information about whether or not a Bluetooth device requires authentication is misleading.
Description: Selecting "Require pairing for security" in Bluetooth preferences correctly sets the device to require authentication, but in System Profiler the device is labeled with "Requires Authentication: No." This update changes System Profiler to accurately reflect the Bluetooth security settings. This issue does not affect systems prior to Mac OS X 10.4. Credit to John M. Glenn of San Francisco for reporting this issue.

CoreFoundation
CVE-ID: CAN-2005-2505
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact: Buffer overflow via a command line argument for applications using the CoreFoundation framework.
Description: The incorrect handling of a command line argument within the CoreFoundation framework can result in a buffer overflow that may be used to execute arbitrary code. This issue has been addressed by improved handling of command line arguments. This issue does not affect Mac OS X 10.4. Credit to David Remahl of www.remahl.se/david for reporting this issue.

CoreFoundation
CVE-ID: CAN-2005-2506
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: Passing a malformed date to the CoreFoundation framework can cause applications to stall.
Description: The parsing of Gregorian dates in the CoreFoundation framework is vulnerable to an algorithmic complexity attack that could result in a denial of service. This update modifies the algorithm to parse all valid dates within a fixed processing time. Credit to David Remahl of www.remahl.se/david for reporting this issue.

CUPS
CVE-ID: CAN-2005-2525, CAN-2005-2526
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: The CUPS printing service will not print unless it is restarted.
Description: When handling multiple, simultaneous, print jobs, the CUPS printing service can stop printing because it incorrectly tracks open file descriptors. In addition, if CUPS receives a partial IPP request and a client terminates the connection, the printing service will then consume all available CPUs. If the service is restarted, then printing will resume. This update corrects the handling of multiple, simultaneous print jobs and partial requests.

Directory Services
CVE-ID: CAN-2005-2507
Available for: Mac OS X Server v10.3.9, Mac OS X Server v10.4.2
Impact: A buffer overflow in Directory Services could lead to remote execution of arbitrary code.
Description: A buffer overflow in the handling of authentication can lead to arbitrary code execution by a remote attacker. This update prevents the buffer overflow from occurring.

Directory Services
CVE-ID: CAN-2005-2508
Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: The privileged tool dsidentity has several security flaws that can result in non-administrative users adding or removing identity user accounts in Directory Services.
Description: This update addresses this issue by removing dsidentity and its documentation. This issue does not affect systems prior to Mac OS X 10.4. Credit to kf_lists[at]digitalmunition[dot]com and Neil Archibald of Suresec LTD for reporting this issue.

Directory Services
CVE-ID: CAN-2005-2519
Available for: Mac OS X Server v10.3.9
Impact: Insecure temporary file creation could lead to a local privilege escalation.
Description: slpd insecurely creates a root-owned file in the world-writable /tmp directory. This update moves the creation of the file to a directory that is not world-writable. This issue does not affect Mac OS X v10.4.

HIToolbox
CVE-ID: CAN-2005-2513
Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: VoiceOver may read content from secure input fields.
Description: Under certain circumstances, secure input fields may be read by VoiceOver services. This update stops VoiceOver from exposing the content of these fields. This issue does not affect systems prior to Mac OS X v10.4.

Kerberos
CVE-ID: CAN-2004-1189
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact: An authenticated user could execute arbitrary code on the KDC host, compromising a Kerberos realm.
Description: A heap buffer overflow in password history handling code could be exploited to execute arbitrary code on a Key Distribution Center (KDC). This issue does not affect Mac OS X 10.4. Credit to the MIT Kerberos team for reporting this issue. Their advisory for this vulnerability is located at http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-004-pwhist.txt

Kerberos
CVE-ID: CAN-2005-1174, CAN-2005-1175, CAN-2005-1689, CERT VU#885830 VU#259798 VU#623332
Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: Multiple buffer overflow vulnerabilities could result in denial of service or remote compromise of a KDC.
Description: This update upgrades Kerberos for Macintosh to version 5.5.1, which contains fixes for this issue. The Kerberos security advisories for these issues are located at http://web.mit.edu/kerberos/www/advisories/

Kerberos
CVE-ID: CAN-2005-2511
Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: Kerberos-enabled logins when using LDAP can result in root compromise.
Description: When Kerberos authentication is enabled in addition to LDAP, it was possible to gain access to a root Terminal window. Kerberos authentication has been updated to prevent this situation. This issue does not affect systems prior to Mac OS X v10.4. Credit to Jim Foraker of Carnegie Mellon University and colleagues at MacEnterprise.Org for reporting this issue.

loginwindow
CVE-ID: CAN-2005-2509
Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: A user can gain access to other logged-in accounts if Fast User Switching is enabled.
Description: An error in the handling of Fast User Switching can allow a local user who knows the password for two accounts to log into a third account without knowing the password. This update corrects the authentication error. This issue does not affect systems prior to Mac OS X 10.4. Credit to Sam McCandlish for reporting this issue.

Mail
CVE-ID: CAN-2005-2512
Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: Loss of privacy due to Mail loading remote images in HTML emails.
Description: When Mail.app is used to print or forward an HTML message, it will attempt to load remote images even if a user's preferences disallow it. As this network traffic is not expected, it may be considered a privacy leak. This update addresses the issue by having Mail.app only load remote images in HTML messages when the preferences allow it. This issue does not affect systems prior to Mac OS X v10.4. Credit to Brad Miller of CynicalPeak and John Pell of Foreseeable Solutions for reporting this issue.

MySQL
CVE-ID: CAN-2005-0709, CAN-2005-0710, CAN-2005-0711
Available for: Mac OS X Server v10.3.9
Impact: Multiple vulnerabilities in MySQL, including arbitrary code execution by remote authenticated users.
Description: MySQL is updated to version 4.0.24 to address several issues. This does not affect systems running Mac OS X v10.4 as Tiger shipped with MySQL version 4.1.10a, which is patched against this issue. The MySQL announcement for version 4.0.24 is located at http://dev.mysql.com/doc/mysql/en/news-4-0-24.html

OpenSSL
CVE-ID: CAN-2004-0079, CAN-2004-0112
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: Multiple denial of service vulnerabilities in OpenSSL.
Description: OpenSSL is updated to version 0.9.7g to address several issues. The OpenSSL advisory for these issues is located at http://www.openssl.org/news/secadv_20040317.txt

ping
CVE-ID: CAN-2005-2514
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact: A buffer overflow could result in local privilege escalation and arbitrary code execution.
Description: The ping utility is vulnerable to a buffer overflow. This update prevents the buffer overflow from occurring. This issue does not affect systems running Mac OS X v10.4. Credit to Ilja van Sprundel of Suresec LTD for reporting this issue.

QuartzComposerScreenSaver
CVE-ID: CAN-2005-2515
Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: Users could open webpages while the RSS Visualizer screen saver is locked.
Description: It is possible to open displayed links from the RSS Visualizer in the background when the screen saver is configured to require a password. This update prevents the RSS Visualizer screen saver from opening a URL if a password is required to exit the screen saver. Credit to Jay Craft of GrooVault Entertainment, LLC for reporting this issue.

Safari
CVE-ID: CAN-2005-2516
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: Clicking on a link in a maliciously-crafted rich text file in Safari could lead to arbitrary command execution.
Description: Safari renders rich text content using code that allows URLs to be called directly, which bypasses the normal browser security checks. This update addresses the issue by handling all links in rich text through Safari.

Safari
CVE-ID: CAN-2005-2517
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: Information can be inadvertently submitted to the wrong site.
Description: When submitting forms in Safari on an XSL formatted page, data is sent to the next page browsed. This update addresses the issue by ensuring that form contents are submitted correctly. Credit to Bill Kuker for reporting this issue.

SecurityInterface
CVE-ID: CAN-2005-2520
Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: Recently-used passwords are visible via the password assistant.
Description: The password assistant provides an easy mechanism for selecting a good password. If an administrator uses the password assistant while adding multiple accounts, they will be able to view previously suggested passwords. This only occurs when password assistant is used more than once from the same process. This update addresses the issue by resetting the suggested password list each time the password assistant is displayed. This issue does not affect systems prior to Mac OS X v10.4. Credit to Andrew Langmead of Boston.com for reporting this issue.

servermgrd
CVE-ID: CAN-2005-2518
Available for: Mac OS X Server v10.3.9, Mac OS X Server v10.4.2
Impact: A buffer overflow in servermgrd could lead to remote execution of arbitrary code.
Description: A buffer overflow in the handling of authentication can lead to arbitrary code execution by a remote attacker. This update prevents the buffer overflow from occurring.

servermgr_ipfilter
CVE-ID: CAN-2005-2510
Available for: Mac OS X Server v10.4.2
Impact: Certain firewall policies created with the Server Admin tool are not always written to the Active Rules.
Description: When using multiple subnets and Address Groups, the firewall rules are not always written to the Active Rules, depending on the order in which the IP subnets were entered into the Address Group. This update addresses the issue by generating correct rules irrespective of any ordering within the Address Group. This issue does not affect systems prior to Mac OS X 10.4. Credit to Matt Richard of Franklin & Marshall College and Chris Pepper of The Rockefeller University for reporting this issue.

SquirrelMail
CVE-ID: CAN-2005-1769, CAN-2005-2095
Available for: Mac OS X Server v10.3.9, Mac OS X Server v10.4.2
Impact: Multiple vulnerabilities in SquirrelMail, including cross-site scripting and SquirrelMail user preference modification.
Description: There are multiple vulnerabilities in SquirrelMail prior to version 1.4.5. These fixes address cross-site scripting and an exposure that may allow attackers to modify user preferences. This update upgrades SquirrelMail to version 1.4.5. For more information, see http://www.squirrelmail.org.

traceroute
CVE-ID: CAN-2005-2521
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact: A buffer overflow could result in local privilege escalation and arbitrary code execution.
Description: The traceroute utility is vulnerable to a buffer overflow. This update prevents the buffer overflow from occurring. This issue does not affect systems running Mac OS X v10.4. Credit to Ilja van Sprundel of Suresec LTD for reporting this issue.

WebKit
CVE-ID: CAN-2005-2522
Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: Clicking on a link in a maliciously-crafted PDF file in Safari could lead to arbitrary command execution.
Description: Safari renders PDF content using code that allows URLs to be called directly, which bypasses the normal browser security checks. This Safari issue does not affect systems prior to Mac OS X v10.4. This update addresses the issue by handling all links in PDF through Safari.

Weblog Server
CVE-ID: CAN-2005-2523
Available for: Mac OS X Server v10.4.2
Impact: Multiple cross-site scripting issues in Weblog Server.
Description: Several cross-site scripting problems were discovered in the Weblog Server. This update improves the sanitizing of user input before redisplaying it. This issue does not affect systems prior to Mac OS X v10.4. Credit to Donnie Werner (wood@exploitlabs.com) of Exploitlabs.com and Atsushi MATSUO for reporting this issue.

X11
CVE-ID: CAN-2005-0605
Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: A buffer overflow could result in arbitrary code execution.
Description: An error in LibXPM may allow attackers to execute arbitrary code via a negative bitmap_unit value that leads to a buffer overflow. This issue does not affect systems prior to Mac OS X v10.4.

zlib
CVE-ID: CAN-2005-2096, CAN-2005-1849
Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: Applications linked against zlib are susceptible to denial of service attacks and potential execution of arbitrary code.
Description: By carefully crafting a corrupt compressed data stream, an attacker can overwrite data structures in a zlib-using application, resulting in denial of service or possible arbitrary code execution. This update addresses the issue by updating zlib to version 1.2.3.
51 posted on 08/23/2005 8:21:15 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 49 | View Replies]
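As an added illustration of the Apache 2 entry (CAN-2004-1083, CAN-2004-1084) quoted in post 51 (and again in post 52), here is the weak case-sensitive pattern beside a hardened one. This is example configuration written for this page, not the sample httpd.conf Apple shipped; it assumes Apache 2.0-era access-control directives (Order/Deny/Satisfy) and a DocumentRoot on an HFS+ volume.

```apache
# Added example (not Apple's shipped httpd.conf). Shows why a case-sensitive
# ".ht" rule is not enough on HFS+ and what a tighter rule set looks like.
# Assumes Apache 2.0/2.2 access control; hostnames and paths are placeholders.

# --- Weak: the kind of rule the advisory describes. The regex is
# case-sensitive, so a request for /.HTPASSWD or /.HtAccess is not matched,
# yet HFS+ (case-insensitive) still opens .htpasswd / .htaccess for it.
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

# --- Hardened rule 1: match every case variant of .ht* and .DS_Store.
# (?i) is the PCRE inline case-insensitive flag; Apache 2 uses PCRE.
# "Satisfy All" keeps the Deny in force even where Auth/Require is also set.
<FilesMatch "(?i)^\.(ht|ds_store)">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>

# --- Hardened rule 2: refuse resource-fork paths. On HFS+ the path
# "/index.html/..namedfork/rsrc" maps to the resource fork of index.html.
# <Files> only sees the last component ("rsrc"), so match on the URI instead
# and reject any request that contains a ..namedfork component at all.
<LocationMatch "(?i)/\.\.namedfork(/|$)">
    Order allow,deny
    Deny from all
    Satisfy All
</LocationMatch>
```

After reloading, a check that the rules took effect is that requests for /.HTPASSWD, /.DS_Store and /index.html/..namedfork/rsrc all return 403 rather than file contents, while the same server still serves /index.html normally.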

To: for-q-clinton
Even before OSX, Macintoshes were extremely hard to break into. Here is a link to several of the previous "Crack-a-Mac" contests that went unclaimed...
52 posted on 08/23/2005 8:21:18 PM PDT by Swordmaker (Beware of Geeks bearing GIFs.)
[ Post Reply | Private Reply | To 48 | View Replies]

To: for-q-clinton
The use of the past tense makes one believe the challenge isn't out there.

I told you the latest one was cancelled for legal reasons. It was, however, a real offer... as were the others.

I guess you just have to do it to hoist us on our own petards... but I suspect it will be you who is hoisted.

53 posted on 08/23/2005 8:23:34 PM PDT by Swordmaker (Beware of Geeks bearing GIFs.)
[ Post Reply | Private Reply | To 50 | View Replies]

To: for-q-clinton
Hmmm...doesn't look like the preview....let me try again this time using html.

Security Update 2005-007

CVE-ID: CAN-2005-1344

Available for: Mac OS X Server v10.3.9

Impact: The htdigest program contains a buffer overflow, which, if used improperly in a CGI application, could allow a remote system compromise.

Description: The htdigest program contains a buffer overflow, and could be used in a CGI application to manage user access controls to a web server. This update fixes the buffer overflow in htdigest. Apple does not provide any CGI applications that use the htdigest program. Apache 2 ships only with Mac OS X Server, and is off by default. This issue was fixed for Apache 1.3 in Security Update 2005-005. Credit to JxT of SNOsoft for reporting this issue.

CVE-ID: CAN-2004-0942, CAN-2004-0885

Available for: Mac OS X Server v10.3.9

Impact: Multiple security issues in Apache 2.

Description: The Apache Group fixed two vulnerabilities between versions 2.0.52 and 2.0.53 (the Apache Group security page for Apache 2 is located at http://httpd.apache.org/security/vulnerabilities_20.html). Apache 2 is updated to version 2.0.53 (the previous version was 2.0.52). Apache 2 ships only with Mac OS X Server, and is off by default.

CVE-ID: CAN-2004-1083, CAN-2004-1084

Available for: Mac OS X Server v10.3.9, Mac OS X Server v10.4.2

Impact: Apache 2 example configurations do not fully block access to resource forks, ".ht" files, or ".DS_Store" files.

Description: Apache 2 ships only with Mac OS X Server, and is off by default. It is important that administrators who enable this server manually are aware of the files that should be blocked to avoid security exposures. A default Apache 2 configuration blocks access to files starting with ".ht" in a case-sensitive way. The Apple HFS+ filesystem isn't case-sensitive when performing file access, and maps resource forks of files to path names. The Finder may also create .DS_Store files containing the names of files in locations used to serve webpages. This update modifies the sample Apache 2 configuration to show how to restrict access to these files and resource forks. This issue was fixed for Apache 1.3 in Security Update 2004-12-02. Additional information is available here.

CVE-ID: CAN-2005-2501

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.2, Mac OS X Server v10.4.2

Impact: Opening a malicious, rich text file could lead to arbitrary code execution.

Description: A buffer overflow in the handling of maliciously crafted rich text files could lead to arbitrary code execution. This update prevents the buffer overflow from occurring.

CVE-ID: CAN-2005-2502

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.2, Mac OS X Server v10.4.2

Impact: Opening a maliciously crafted Microsoft Word .doc file could result in arbitrary code execution.

Description: A buffer overflow in AppKit that is responsible for reading Word documents could allow arbitrary code execution. Only applications such as TextEdit that use AppKit to open Word documents are vulnerable. Microsoft Word for Mac OS X is not vulnerable. This update prevents the buffer overflow.

CVE-ID: CAN-2005-2503

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.2, Mac OS X Server v10.4.2

Impact: A malicious user with physical access to a system could create additional local accounts.

Description: A malicious user who has full physical access to a system could create additional accounts by forcing an error condition. This update prevents the error conditions from occurring at the login window.

CVE-ID: CAN-2005-2504

Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2

Impact: The System Profiler information about whether or not a Bluetooth device requires authentication is misleading.

Description: Selecting "Require pairing for security" in Bluetooth preferences correctly sets the device to require authentication, but in System Profiler the device is labeled with "Requires Authentication: No." This update changes System Profiler to accurately reflect the Bluetooth security settings. This issue does not affect systems prior to Mac OS X 10.4. Credit to John M. Glenn of San Francisco for reporting this issue.

CVE-ID: CAN-2005-2505

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9

Impact: Buffer overflow via a command line argument for applications using the CoreFoundation framework.

Description: The incorrect handling of a command line argument within the CoreFoundation framework can result in a buffer overflow that may be used to execute arbitrary code. This issue has been addressed by improved handling of command line arguments. This issue does not affect Mac OS X 10.4. Credit to David Remahl of www.remahl.se/david for reporting this issue.

CVE-ID: CAN-2005-2506

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.2, Mac OS X Server v10.4.2

Impact: Passing a malformed date to the CoreFoundation framework can cause applications to stall.

Description: The parsing of Gregorian dates in the CoreFoundation framework is vulnerable to an algorithmic complexity attack that could result in a denial of service. This update modifies the algorithm to parse all valid dates within a fixed processing time. Credit to David Remahl of www.remahl.se/david for reporting this issue.

CVE-ID: CAN-2005-2525, CAN-2005-2526

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.2, Mac OS X Server v10.4.2

Impact: The CUPS printing service will not print unless it is restarted.

Description: When handling multiple, simultaneous, print jobs, the CUPS printing service can stop printing because it incorrectly tracks open file descriptors. In addition, if CUPS receives a partial IPP request and a client terminates the connection, the printing service will then consume all available CPUs. If the service is restarted, then printing will resume. This update corrects the handling of multiple, simultaneous print jobs and partial requests.

CVE-ID: CAN-2005-2507

Available for: Mac OS X Server v10.3.9, Mac OS X Server v10.4.2

Impact: A buffer overflow in Directory Services could lead to remote execution of arbitrary code.

Description: A buffer overflow in the handling of authentication can lead to arbitrary code execution by a remote attacker. This update prevents the buffer overflow from occurring.

CVE-ID: CAN-2005-2508

Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2

Impact: The privileged tool dsidentity has several security flaws that can result in non-administrative users adding or removing identity user accounts in Directory Services.

Description: This update addresses this issue by removing dsidentity and its documentation. This issue does not affect systems prior to Mac OS X 10.4. Credit to kf_lists[at]digitalmunition[dot]com and Neil Archibald of Suresec LTD for reporting this issue.

CVE-ID: CAN-2005-2519

Available for: Mac OS X Server v10.3.9

Impact: Insecure temporary file creation could lead to a local privilege escalation.

Description: slpd insecurely creates a root-owned file in the world-writable /tmp directory. This update moves the creation of the file to a directory that is not world-writable. This issue does not affect Mac OS X v10.4.

CVE-ID: CAN-2005-2513

Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2

Impact: VoiceOver may read content from secure input fields.

Description: Under certain circumstances, secure input fields may be read by VoiceOver services. This update stops VoiceOver from exposing the content of these fields. This issue does not affect systems prior to Mac OS X v10.4.

CVE-ID: CAN-2004-1189

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9

Impact: An authenticated user could execute arbitrary code on the KDC host, compromising a Kerberos realm.

Description: A heap buffer overflow in password history handling code could be exploited to execute arbitrary code on a Key Distribution Center (KDC). This issue does not affect Mac OS X 10.4. Credit to the MIT Kerberos team for reporting this issue. Their advisory for this vulnerability is located at http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-004-pwhist.txt

CVE-ID: CAN-2005-1174, CAN-2005-1175, CAN-2005-1689, CERT VU#885830 VU#259798 VU#623332

Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2

Impact: Multiple buffer overflow vulnerabilities could result in denial of service or remote compromise of a KDC.

Description: This update upgrades Kerberos for Macintosh to version 5.5.1, which contains fixes for this issue. The Kerberos security advisories for these issues are located at http://web.mit.edu/kerberos/www/advisories/

CVE-ID: CAN-2005-2511

Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2

Impact: Kerberos-enabled logins when using LDAP can result in root compromise.

Description: When Kerberos authentication is enabled in addition to LDAP, it was possible to gain access to a root Terminal window. Kerberos authentication has been updated to prevent this situation. This issue does not affect systems prior to Mac OS X v10.4. Credit to Jim Foraker of Carnegie Mellon University and colleagues at MacEnterprise.Org for reporting this issue.

CVE-ID: CAN-2005-2509

Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2

Impact: A user can gain access to other logged-in accounts if Fast User Switching is enabled.

Description: An error in the handling of Fast User Switching can allow a local user who knows the password for two accounts to log into a third account without knowing the password. This update corrects the authentication error. This issue does not affect systems prior to Mac OS X 10.4. Credit to Sam McCandlish for reporting this issue.

CVE-ID: CAN-2005-2512

Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2

Impact: Loss of privacy due to Mail loading remote images in HTML emails.

Description: When Mail.app is used to print or forward an HTML message, it will attempt to load remote images even if a user's preferences disallow it. As this network traffic is not expected, it may be considered a privacy leak. This update addresses the issue by having Mail.app only load remote images in HTML messages when the preferences allow it. This issue does not affect systems prior to Mac OS X v10.4. Credit to Brad Miller of CynicalPeak and John Pell of Foreseeable Solutions for reporting this issue.

CVE-ID: CAN-2005-0709, CAN-2005-0710, CAN-2005-0711

Available for: Mac OS X Server v10.3.9

Impact: Multiple vulnerabilities in MySQL, including arbitrary code execution by remote authenticated users.

Description: MySQL is updated to version 4.0.24 to address several issues. This does not affect systems running Mac OS X v10.4 as Tiger shipped with MySQL version 4.1.10a, which is patched against this issue. The MySQL announcement for version 4.0.24 is located at http://dev.mysql.com/doc/mysql/en/news-4-0-24.html

CVE-ID: CAN-2004-0079, CAN-2004-0112

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.2, Mac OS X Server v10.4.2

Impact: Multiple denial of service vulnerabilities in OpenSSL.

Description: OpenSSL is updated to version 0.9.7g to address several issues. The OpenSSL advisory for these issues is located at http://www.openssl.org/news/secadv_20040317.txt

CVE-ID: CAN-2005-2514

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9

Impact: A buffer overflow could result in local privilege escalation and arbitrary code execution.

Description: The ping utility is vulnerable to a buffer overflow. This update prevents the buffer overflow from occurring. This issue does not affect systems running Mac OS X v10.4. Credit to Ilja van Sprundel of Suresec LTD for reporting this issue.

CVE-ID: CAN-2005-2515

Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2

Impact: Users could open webpages while the RSS Visualizer screen saver is locked.

Description: It is possible to open displayed links from the RSS Visualizer in the background when the screen saver is configured to require a password. This update prevents the RSS Visualizer screen saver from opening a URL if a password is required to exit the screen saver. Credit to Jay Craft of GrooVault Entertainment, LLC for reporting this issue.

CVE-ID: CAN-2005-2516

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.2, Mac OS X Server v10.4.2

Impact: Clicking on a link in a maliciously-crafted rich text file in Safari could lead to arbitrary command execution.

Description: Safari renders rich text content using code that allows URLs to be called directly, which bypasses the normal browser security checks. This update addresses the issue by handling all links in rich text through Safari.

CVE-ID: CAN-2005-2517

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.2, Mac OS X Server v10.4.2

Impact: Information can be inadvertently submitted to the wrong site.

Description: When submitting forms in Safari on an XSL formatted page, data is sent to the next page browsed. This update addresses the issue by ensuring that form contents are submitted correctly. Credit to Bill Kuker for reporting this issue.

CVE-ID: CAN-2005-2520

Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2

Impact: Recently-used passwords are visible via the password assistant.

Description: The password assistant provides an easy mechanism for selecting a good password. If an administrator uses the password assistant while adding multiple accounts, they will be able to view previously suggested passwords. This only occurs when password assistant is used more than once from the same process. This update addresses the issue by resetting the suggested password list each time the password assistant is displayed. This issue does not affect systems prior to Mac OS X v10.4. Credit to Andrew Langmead of Boston.com for reporting this issue.

CVE-ID: CAN-2005-2518

Available for: Mac OS X Server v10.3.9, Mac OS X Server v10.4.2

Impact: A buffer overflow in servermgrd could lead to remote execution of arbitrary code.

Description: A buffer overflow in the handling of authentication can lead to arbitrary code execution by a remote attacker. This update prevents the buffer overflow from occurring.

CVE-ID: CAN-2005-2510

Available for: Mac OS X Server v10.4.2

Impact: Certain firewall policies created with the Server Admin tool are not always written to the Active Rules.

Description: When using multiple subnets and Address Groups, the firewall rules are not always written to the Active Rules, depending on the order in which the IP subnets were entered into the Address Group. This update addresses the issue by generating correct rules irrespective of any ordering within the Address Group. This issue does not affect systems prior to Mac OS X 10.4. Credit to Matt Richard of Franklin & Marshall College and Chris Pepper of The Rockefeller University for reporting this issue.

CVE-ID: CAN-2005-1769, CAN-2005-2095

Available for: Mac OS X Server v10.3.9, Mac OS X Server v10.4.2

Impact: Multiple vulnerabilities in SquirrelMail, including cross-site scripting and SquirrelMail user preference modification.

Description: There are multiple vulnerabilities in SquirrelMail prior to version 1.4.5. These fixes address cross-site scripting and an exposure that may allow attackers to modify user preferences. This update upgrades SquirrelMail to version 1.4.5. For more information, see http://www.squirrelmail.org.

CVE-ID: CAN-2005-2521

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9

Impact: A buffer overflow could result in local privilege escalation and arbitrary code execution.

Description: The traceroute utility is vulnerable to a buffer overflow. This update prevents the buffer overflow from occurring. This issue does not affect systems running Mac OS X v10.4. Credit to Ilja van Sprundel of Suresec LTD for reporting this issue.

CVE-ID: CAN-2005-2522

Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2

Impact: Clicking on a link in a maliciously-crafted PDF file in Safari could lead to arbitrary command execution.

Description: Safari renders PDF content using code that allows URLs to be called directly, which bypasses the normal browser security checks. This Safari issue does not affect systems prior to Mac OS X v10.4. This update addresses the issue by handling all links in PDF through Safari.

CVE-ID: CAN-2005-2523

Available for: Mac OS X Server v10.4.2

Impact: Multiple cross-site scripting issues in Weblog Server.

Description: Several cross-site scripting problems were discovered in the Weblog Server. This update improves the sanitizing of user input before redisplaying it. This issue does not affect systems prior to Mac OS X v10.4. Credit to Donnie Werner (wood@exploitlabs.com) of Exploitlabs.com and Atsushi MATSUO for reporting this issue.

CVE-ID: CAN-2005-0605

Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2

Impact: A buffer overflow could result in arbitrary code execution.

Description: An error in LibXPM may allow attackers to execute arbitrary code via a negative bitmap_unit value that leads to a buffer overflow. This issue does not affect systems prior to Mac OS X v10.4.

CVE-ID: CAN-2005-2096, CAN-2005-1849

Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2

Impact: Applications linked against zlib are susceptible to denial of service attacks and potential execution of arbitrary code.

Description: By carefully crafting a corrupt compressed data stream, an attacker can overwrite data structures in a zlib-using application, resulting in denial of service or possible arbitrary code execution. This update addresses the issue by updating zlib to version 1.2.3.

54 posted on 08/23/2005 8:24:27 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 50 | View Replies]
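The Apache 2 entry in the advisory quoted in post 54 above (CAN-2004-1083, CAN-2004-1084) says the default rule blocks names beginning with ".ht" case-sensitively, while HFS+ resolves names case-insensitively and maps resource forks to path names. The Python model below is an added example, not part of the original post or of Apple's advisory: it applies the default rule and a hardened rule to a constructed set of request paths and reports which ones reach a file the administrator meant to hide. The regular expressions, the hfs_resolve() model, the fork suffix names and the httpd.conf fragment are this note's own illustrations, not Apple's shipped configuration.

```python
# Added example (not from the original post or from Apple's advisory):
# models the Apache 2 <Files> deny rule against HFS+ name resolution, so you
# can see which request paths slip past the case-sensitive default rule and
# why the hardened rule needs a path-level match as well.  The regexes, the
# hfs_resolve() model and the httpd.conf fragment below are this note's own
# illustrations, not Apple's shipped configuration.
import posixpath
import re

# Case-sensitive rule of the kind the advisory describes for a default
# Apache 2 configuration: only names beginning with a lowercase ".ht".
DEFAULT_RULE = re.compile(r"^\.ht")

# Hardened basename rule (assumed): .ht* and .DS_Store in any letter case.
HARDENED_RULE = re.compile(r"^\.([Hh][Tt]|[Dd][Ss]_[Ss])")

# Hardened path rule (assumed): a <Files> directive only sees the basename,
# and a fork request ends in ".../..namedfork/rsrc", so the marker has to be
# blocked anywhere in the path.
FORK_RULE = re.compile(r"\.\.namedfork")

# Illustrative Apache 2.0 stanza implementing the two hardened rules.
HARDENED_HTTPD_CONF = r"""
<Files ~ "^\.([Hh][Tt]|[Dd][Ss]_[Ss])">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>
<LocationMatch "\.\.namedfork">
    Order allow,deny
    Deny from all
</LocationMatch>
"""

# HFS+ exposes a file's forks under <name>/..namedfork/rsrc (and /data).
_FORK_SUFFIX = re.compile(r"/\.\.namedfork/(rsrc|data)$")


def hfs_resolve(url_path: str) -> str:
    """Model of which on-disk file HFS+ hands Apache for url_path: the fork
    suffix maps back to the owning file, and lookup ignores letter case
    (modelled by lowercasing; real HFS+ returns the stored spelling)."""
    return _FORK_SUFFIX.sub("", url_path).lower()


def default_blocks(url_path: str) -> bool:
    r"""<Files ~ "^\.ht"> applied to the basename exactly as the client typed it."""
    return DEFAULT_RULE.search(posixpath.basename(url_path)) is not None


def hardened_blocks(url_path: str) -> bool:
    """Basename rule plus the path-level fork rule."""
    return (HARDENED_RULE.search(posixpath.basename(url_path)) is not None
            or FORK_RULE.search(url_path) is not None)


def is_sensitive(disk_path: str) -> bool:
    """Files the administrator intends to hide: .ht* and .DS_Store."""
    return HARDENED_RULE.search(posixpath.basename(disk_path)) is not None


def exposed(url_path: str, blocks) -> bool:
    """True when the rule lets the request through but HFS+ serves a file
    the administrator meant to hide."""
    return is_sensitive(hfs_resolve(url_path)) and not blocks(url_path)


# Constructed probe set: what a scanner would request against a DocumentRoot.
PROBES = [
    "/.htaccess",
    "/.HTACCESS",
    "/.htaccess/..namedfork/rsrc",
    "/.DS_Store",
    "/index.html",
]


def audit(probes=PROBES) -> dict:
    """For each probe: (leaks under the default rule, leaks under the hardened rule)."""
    return {p: (exposed(p, default_blocks), exposed(p, hardened_blocks))
            for p in probes}


if __name__ == "__main__":
    for path, (leaks_default, leaks_hardened) in audit().items():
        print(f"{path:32} default:{'LEAK' if leaks_default else 'ok  '} "
              f"hardened:{'LEAK' if leaks_hardened else 'ok'}")
```

The point the audit makes is that two of the three leaks are invisible to any basename-only rule: a request for ".HTACCESS" has a different basename from the file that HFS+ actually returns, and a request for ".htaccess/..namedfork/rsrc" has the basename "rsrc", so the fork has to be caught at the path level, as the LocationMatch stanza does.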
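The slpd entry in the advisory quoted in post 54 above (CAN-2005-2519) says only that a root-owned file was created insecurely in world-writable /tmp and that the fix moved it to a directory that is not world-writable. The Python below is an added example, not part of the original post or of Apple's advisory, showing the attack that class of bug allows and the creation pattern that closes it: it plants a symlink at the daemon's fixed file name, lets the insecure open follow it onto a "victim" file, and then shows a creation routine that refuses a world-writable directory and uses O_EXCL (and O_NOFOLLOW where available) so a pre-planted entry fails instead of being followed. The file name PIDFILE_NAME, the victim file and the directory layout are constructed for the demonstration; the page does not name slpd's real file.

```python
# Added example (not from the original post or from Apple's advisory) for the
# slpd entry, CAN-2005-2519: why a root daemon creating a file at a fixed name
# in world-writable /tmp is a local privilege escalation, and the creation
# pattern that matches the advisory's fix (a directory that is not
# world-writable) plus O_EXCL/O_NOFOLLOW as defence in depth.  PIDFILE_NAME
# and the "victim" file are constructed; the page does not name slpd's file.
import os
import shutil
import stat
import tempfile

PIDFILE_NAME = "slpd.pid"  # assumed name, stands in for whatever slpd wrote


def insecure_create(path: str, data: bytes) -> None:
    """The bug pattern: open(path, "wb") at a predictable name.  The open is
    O_CREAT|O_TRUNC without O_EXCL, so if an unprivileged user planted a
    symlink at that name first, a root daemon follows it and truncates and
    overwrites whatever the link points at."""
    with open(path, "wb") as fh:
        fh.write(data)


def secure_create(directory: str, name: str, data: bytes) -> str:
    """The fix pattern.  Refuse a world-writable directory outright, then
    create with O_CREAT|O_EXCL (fails if any entry, including a symlink,
    already exists) and O_NOFOLLOW where the platform has it."""
    if os.stat(directory).st_mode & stat.S_IWOTH:
        raise PermissionError(f"{directory} is world-writable; refusing")
    path = os.path.join(directory, name)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def demonstrate(workdir: str) -> dict:
    """Constructed scenario inside workdir.  'victim' stands in for a file
    only root should write; 'tmp' stands in for /tmp (mode 1777)."""
    victim = os.path.join(workdir, "victim")
    with open(victim, "wb") as fh:
        fh.write(b"original contents\n")

    shared = os.path.join(workdir, "tmp")
    os.mkdir(shared)
    os.chmod(shared, 0o1777)
    planted = os.path.join(shared, PIDFILE_NAME)
    os.symlink(victim, planted)             # attacker, before the daemon starts

    results = {}
    insecure_create(planted, b"4242\n")     # daemon's write lands on victim
    with open(victim, "rb") as fh:
        results["victim_clobbered"] = fh.read() == b"4242\n"

    try:
        secure_create(shared, PIDFILE_NAME, b"4242\n")
        results["refused_world_writable_dir"] = False
    except PermissionError:
        results["refused_world_writable_dir"] = True

    private = os.path.join(workdir, "private")
    os.mkdir(private)
    os.chmod(private, 0o700)
    os.symlink(victim, os.path.join(private, PIDFILE_NAME))  # defence in depth check
    try:
        secure_create(private, PIDFILE_NAME, b"4242\n")
        results["refused_planted_symlink"] = False
    except FileExistsError:
        results["refused_planted_symlink"] = True

    os.unlink(os.path.join(private, PIDFILE_NAME))
    st = os.lstat(secure_create(private, PIDFILE_NAME, b"4242\n"))
    results["created_regular_0600"] = (stat.S_ISREG(st.st_mode)
                                       and stat.S_IMODE(st.st_mode) == 0o600)
    return results


def run_demo() -> dict:
    """Run demonstrate() in a fresh temporary directory and clean up."""
    workdir = tempfile.mkdtemp(prefix="slpd-demo-")
    try:
        return demonstrate(workdir)
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for check, ok in run_demo().items():
        print(f"{check:28} {ok}")
```

The sticky bit on /tmp does not help here: it stops other users from removing or renaming the link, not a root process from following it, which is why the advisory's fix is to stop creating the file in a world-writable directory at all rather than to tweak its permissions.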

To: Swordmaker
I guess you just have to do it to hoist us on our own petards... but I suspect it will be you who is hoisted.

I'll tell you what. Just to see how real your challenge is. Why don't you write a windows virus that does exactly what you claim. If you avoid prosecution, I'll write one for Macs.

55 posted on 08/23/2005 8:26:15 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 53 | View Replies]

To: for-q-clinton
Your helpful but redundant link

A vulnerability does not an Exploit make... unless it is exploited. None of these vulnerabilities have been exploited and it is very unlikely they will be.

Did you read the solution? It is "Install an update." In case you didn't know, updating a Mac is much easier than updating a PC...

Why don't you select one of these vulnerabilities and build your virus around it... we'll be waiting.

56 posted on 08/23/2005 8:29:50 PM PDT by Swordmaker (Beware of Geeks bearing GIFs.)
[ Post Reply | Private Reply | To 50 | View Replies]

To: bizzyblog


57 posted on 08/23/2005 8:32:31 PM PDT by Incorrigible (If I lead, follow me; If I pause, push me; If I retreat, kill me.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: for-q-clinton
You know, I can read... and have read it in its original form, not your monolithic paragraphless spewing of non-HTML cut and paste.

It is amusing that you claim such vaunted computer knowledge but are incapable of including simple HTML code in your replies to format it or to provide working links.

It makes me think you couldn't write a virus for a Windows machine, much less one for a Mac.

58 posted on 08/23/2005 8:34:01 PM PDT by Swordmaker (Beware of Geeks bearing GIFs.)
[ Post Reply | Private Reply | To 51 | View Replies]

To: Swordmaker
Let me get this straight. Mac is easier to update than using Windows update? I'm not saying Mac isn't easy to update but Windows Update is pretty dang easy...even a Mac user can figure it out.

As I said I'll gladly create a virus against a known Mac vulnerability IF you do the same for Windows first.

59 posted on 08/23/2005 8:34:18 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 56 | View Replies]

To: for-q-clinton

Thank you.. that's better. I retract my comments.


60 posted on 08/23/2005 8:34:56 PM PDT by Swordmaker (Beware of Geeks bearing GIFs.)
[ Post Reply | Private Reply | To 55 | View Replies]

