Massive Mac OS X Update Shatters Illusion of Security

PC World ^ | 11/11/10 | Tony Bradley

[dayglored]

> Did Microsoft write this?

No, but it almost sounds like they paid the guy who did write it. :)

It's just a typical anti-Apple slam. It even quotes Charlie Miller, as if he's somehow relevant. *yawn*

Show me the viruses that successfully infect OS-X, other than human engineered ones that attack -any- OS by fooling the operator. Show me even one virus that infects OS-X without the operator's cooperation letting it in. Then maybe there will be an argument that OS-X has inherent insecurities. Until then, it's just operator stupidity or naivete, and that happens for Windows and Linux and everything else exactly the same way.

All software has vulnerabilities. You find 'em, you fix 'em. Such is life.

Really, these so-called journalists should get our of their mothers' basements more often.

[dayglored]

>> Far too many people set up their windows boxes with their main account being an administrator account.

> And those who set up Windows with limited user accounts often find that their non-Microsoft apps break.

Generally speaking:

1. Install and initially configure all applications as Administrator.

2. Run the applications as a normal (limited) user.

3. Do updates and system-wide configuration changes only as Administrator.

Most applications will play nice, with the above.

Not all -- InstallShield still requires that the user be at least a member of the "Administrators" group; prior to 2008 the user could only be The Administrator. Ridiculous!!

[dayglored]

BTW, Windows 7 is is nearly the same (good) state of security with regard to inherent OS vulnerabilities, as OS-X. It’s really come a long way, and I don’t want my comment above regarding OS-X to be misunderstood as implicitly slamming Windows — as of Win7 they’re reaching par.

[Ramius]

Talking about Apple and security in the same sentence is only done by those who have never attempted to support them in an enterprise.

FileVault? Seriously?

[dayglored]

> Talking about Apple and security in the same sentence is only done by those who have never attempted to support them in an enterprise. FileVault? Seriously?

You're talking data security, I presume, not OS vulnerability, which was the topic. Nevertheless...

Have you looked into TrueCrypt? It's not a panacea, but it's a heck of a lot more capable than FileVault, and allegedly more flexible and stable in most comparable situations.

[dayglored]

> Anyone that still uses windows for any serious work is just ignorant (office environments will be forgiven for now).

[cough] AHEM.

I use Windows for serious work (in addition to OS-X, Linux, NetBSD, and others). Both in my office environment, and at home for pleasure.

Are you talking about me?

[Swordmaker]

Another breathless FUD article claiming that Apple Mac OSX is not secure... even though there are no viruses in the wild and only 19 known Trojans in four Trojan families in the wild (which the OS WILL tell you you are downloading and warn you not to install). This article is Mostly FUD... PING!

These articles are released like clockwork EVERYTIME Apple releases an update. It never fails. Release an update... and someone writes one of these claiming "SEE! SEE! Macs are not secure! They fixed something... They Patched a vulnerability... it had a flaw! It wasn't perfect!"

Vulnerabilities are NOT EXPLOITS! This is especially true if the vulnerability is prevented from being exploited by other protections that have been put in place such as data being placed in non-executable memory locations where such vulnerabilities can do no damage.

Yes, Apple included in the upgrade from Mac OSX.6.4 to OSX.6.5 some 134 security patches and fixes... but 55 of them were fixes to Adobe Flash (a third party software whose upgrades are normally handled completely separately in Windows), others were patches for Apache, patches for UNIX™ utilities that are included with OSX but not part of OSX but needed updating, CUPS, PHP, Python Programing Language, and also including 16 for the optional install X-11 that allows UNIX™ apps to run natively.

Windows patches DO NOT INCLUDE such third party updates or patches and require these to come from the publishers them selves. Apple includes them with their updates... and gets DINGED for them by the authors of these FUD articles.

Please, No Flame Wars!
Discuss Issues, Software, and Hardware.
Don't attack people!
Please Ignore the anti-Apple thread trolls!

Apple FUD article Ping!

If you want on or off the Mac Ping List, Freepmail me.

[Sir_Ed]

Wow, Puget’s gone?? What happened?

On topic...I downloaded the security update, thanks,

Ed

[dayglored]

And people wonder why Apple told Adobe to dissociate their buggy, insecure software from OS-X as of the new Macbook Airs.

If I were Apple I'd be tired of getting dinged for Adobe's crapware too.

As you say, "Vulnerabilities are NOT Exploits". Of course, this is true for Windows and other OSes as well. The problem with Windows is so many of the vulnerabilities WERE exploited in the wild.

I don't actually care how many vulnerabilities got patched. They're fixed now. I only care about the ones that remain! :)

[Swordmaker]

In addition, this update, being a point update, collects all the security updates since the last point updates and includes them in the distribution... so some of these have already been issued. . . and are, in effect, being counted twice. I though I recognized some of these.

They are included in the point updates because some people skip the minor updates. This corrects that failing. Their machines get updated all at once. If you have been conscientious and done the incremental updates as they were released, then the older, all ready installed ones will not be installed with the update.

Note also, that the total number of "vulnerabilities" varies according to who is reporting the count. I've seen it reported between 131 to 134 to 141... depending on whether you included the OSX Server or not... and perhaps some other things. No one is bothering to check on the aging and check which are just new to this release. I know the Adobe Flash ones are, as are the Java updates. There are also a bunch of updates to HP network printer drivers with security fixes (in CUPS) as well... also apparently included in the count.

[dayglored]

> Wow, Puget’s gone?? What happened?

He had received a number of warnings from JimRob. I speculate that he drew enough fire for his attitude and comments that the Mods decided he had become a liability.

Kind of a shame -- he's obviously a bright guy and his technical insights were valuable. But his obsession with finding flaws in Apple products and declaring them abject failures was often over-the-top, and inaccurate (note that the products are quite successful despite their flaws).

I wasn't there when it happened (I'm not sure what thread finally did it) so I can't say for sure beyond the speculation above.

[dayglored]

Hi Sword.

Pardon me for a minute here, I need to go on a rant. :)

Ya know, I REALLY don't give a damn if Apple, or Microsoft, or Linus, issues patches for 2 or 20 or 200 vulnerabilities.

Software has bugs and flaws and mistakes. Most get trapped and fixed before release, but a great number remain, and only get found and fixed later. THIS IS LIFE IN SOFTWARE.

Finding (and fixing) more flaws can mean the software was buggier, OR IT CAN MEAN THE TESTING WAS MORE THOROUGH. It works both ways.

I REALLY, REALLY wish people would focus on the important things, rather than these crap competitive contests about how many seconds it takes to run a scripted exploit (see Charlie Miller), or how many vulnerabilities were found and fixed (like this article or similar ones about Windows).

Excuse me, but it's just bullshit. It does not in fact mean diddly-squat about the ACTUAL security of the system. What matters is whether there are exploits, and whether bad guys are using them. Almost all of those exploits now target the USER, not the OS itself, and are largely independent of which OS the user is on!

And the fact is, all three major systems (Windows, OS-X, Linux) have gotten to the point where the USER is by far the weakest link. Not the inherent properties of the OS.

In my opinion, Windows as of Win7 has joined the other two in robustness, and the inherent weaknesses of the OSes are now down in the noise. What matters is getting the users to wise up and stop allowing trojans and similar malware onto their systems.

The competitive Windows vs. OS-X vs. Linux battles for "which operating system is more secure" have become irrelevant. And -SO- tiresome.

[End Rant]

Thanks for listening. :)

[Sir_Ed]

Thanks, Dayglored, I guess it was to be expected...

I’ll never understand his seething hatred of us who use Macintoshes.

Oh well...

Ed

[conservatism_IS_compassion]

Wow, Puget’s gone?? What happened?

He had received a number of warnings from JimRob. I speculate that he drew enough fire for his attitude and comments that the Mods decided he had become a liability.

Kind of a shame -- he's obviously a bright guy and his technical insights were valuable. But his obsession with finding flaws in Apple products and declaring them abject failures was often over-the-top, and inaccurate (note that the products are quite successful despite their flaws).

I wasn't there when it happened (I'm not sure what thread finally did it) so I can't say for sure beyond the speculation above.

This account has been banned or suspended.

Maybe just a suspension, I hope.

Hate to see a FReeper go; no man is an island and all that.
Of course JimRob and the Mods gotta call them as they see them, and that's that.

[dayglored]

> Maybe just a suspension, I hope. Hate to see a FReeper go; no man is an island and all that.

Maybe, I dunno. It's also possible, given that Puget displayed a fairly strong sense of pride, that he may choose to not return even if invited back. It's his choice to make, if it's only a suspension.

Or maybe to come back with a different handle. Such is life on the interwebs...

[conservatism_IS_compassion]

In my opinion, Windows as of Win7 has joined the other two in robustness, and the inherent weaknesses of the OSes are now down in the noise. What matters is getting the users to wise up and stop allowing trojans and similar malware onto their systems.

What's the deal, then, about upgrading from Win XP Pro to Win7? Is it a heroic task to get Turbotax to operate under 7 when you have legacy files from XP to deal with? Last I heard, you almost had to upgrade to Vista first . . .

And is the sys overhead worse on 7 than on XP? Considering that you could presumably get away from using ZoneAlarm with 7?

I hate antivirus software, almost as much as I hate viruses . . .

(My inquiry is for a relative; I myself am using an iMac . . .)

[conservatism_IS_compassion]

Yeah . . .

[Swordmaker]

Thanks for listening. :)

Great rant... I've been trying to get WindowsXP users to switch to Windows 7 for some time now... It is a GOOD OS... safe and secure... if a little quirky. But I agree with you. I would almost even feel pretty safe running it naked on the Internet like you can OSX.

[dennisw]

Exactly. Windows trolls who keep banging on OS X hoping to find something wrong with it are too full of themselves to know any better.

I switched to Apple for a day and found it too look fugly like a free Linux GUI. Only you have to pay for it. Windows 7 looks very nice. XP looked so ugly I always ran it in a mode that maked it look like Windows 98...... back then you could have claimed the Apple OS looked better than Windows

[dennisw]

Great rant... I've been trying to get WindowsXP users to switch to Windows 7 for some time now

Same here. In fact I got a friend to not buy a refurbished WinXP desktop. Instead he bought an HP laptop for $549 at Office Depot. It is a popular model since I see 141 reviews for it.
SPECS:
i3-370 CPU    .....  the latest from Intel...... slick, very fast and lo power for longer battery life
4 gig memory
17.3" screen
Win7 -- 64 bit
6 cell battery
500 gig hard drive @7200RPM

How much is a 17.3" Apple laptop? I'm afraid to even look......$1600 is my guess....... Yikes!!!! $2300 for a 17" screen Macbook. The HP even has a slightly larger screen. So the Apple product costs 4x as much

17-inch: 2.53GHz Macbook Pro

Intel Core i5

4GB Memory

500GB hard drive¹

ExpressCard/34 slot

Built-in battery (8-9 hour)²

Intel HD Graphics

NVIDIA GeForce GT 330M with 512MB

Ships: Within 24hrs

Free Shipping

$2,299.00