Oh yeah?
Apple Patches Serious QuickTime Bugs and that's only the bugs they know about... I hope you still feel secure in your glass house, keep throwing stones.
Who threw a stone...other than you?
Yes, Yeah. A flaw is not an exploit.
OS X has been out six years and there has yet to be a self-replicating, self-transmitting virus in the wild. OS X is not perfect... there are flaws... but finding a vector to transmit the malware and then get the malicious package to execute is extremely difficult on a Mac.
When someone demonstrates such an animal, THEN Mac users will start looking around for putty.
Do you know what that means?
If the application crashes... pretty obvious... the user will have to restart it. He may lose some unsaved data. That's called Denial of Service. Easily fixed and a minor inconvenience.
What about "arbitrary code execution"? "Arbitrary" means "based on random choice, rather than any reason or system" and that is exactly what happens... the arbitrary (read random) code that is executed has to already exist on the targeted computer... and it is randomly selected, not placed there and executed. Unless the attacker can KNOW where in the stack the malicious file is placed... and then KNOW the address of a specific code already on the target computer the attacker wants to execute... he then has to know how far to jump to get there... This is almost impossible to know, ergo any code that MIGHT get executed would be purely accidental and random.
For this to work, the malicious code would have to be included in the bogus file and the Application (located in an entirely different memory location) would have to be compromised to cause the execution pointer to jump into the data stack in the correct memory location for the start of the malicious code and then continue executing from there. Very difficult...
Now add in the fact that OS X's data stacks are non-executable by design. PowerPC OS X Macs have had non-executable data stacks for years and some security people worried that with the jump to Intel processors, Mac stacks would be as vulnerable to attack as Windows stacks... however:
"The new Core 2 Intel processors include a bit that prevents code from being executed on the stack. On Intel-based Macintosh computers, this bit is always set to On" thus preventing the execution of ANY code found in a data stack.
Apple's security advisory hints at this in the first listed overflow where it says: "This issue does not affect Mac OS X." In actual fact, every one of the rest of the flaws, including the ballyhooed one from the Month Of Apple Bugs (MOAB), have only demonstrated the ability to crash the application in OS X.
Versions of MS Windows are vulnerable to a data overflow exploit AND malicious code execution.
The good news is that the new version of iTunes has a new sorting tab on the info dialog that I've wanted since I started using it.
Now if they just offered a secure mode for ripping CDs -- like Exact Audio Copy -- and support for multiple iPods, I'd be happy.
Of course, I'm using the PC version.