Mac OS X security myth exposed
Techworld ^ | 24 June 2004 | Matthew Broersma, Techworld

Posted on 01/16/2005 12:04:57 PM PST by Bush2000

And thousands of other products and OSes given security rundown.

By Matthew Broersma, Techworld

Windows is more secure than you think, and Mac OS X is worse than you ever imagined. That is according to statistics published for the first time this week by Danish security firm Secunia.

The stats, based on a database of security advisories for more than 3,500 products during 2003 and 2004, shed light on the real security of enterprise applications and operating systems, according to the firm. Each product is broken down into pie charts demonstrating how many security holes it has had, of what type, and how significant they have been.

One thing the hard figures have shown is that OS X's reputation as a relatively secure operating system is unwarranted, Secunia said. This year and last year Secunia tallied 36 advisories on security issues with the software, many of them allowing attackers to remotely take over the system - comparable to figures on operating systems such as Windows XP Professional and Red Hat Enterprise Server.

"Secunia is now displaying security statistics that will open many eyes, and for some it might be very disturbing news," said Secunia chief executive Niels Henrik Rasmussen. "The myth that Mac OS X is secure, for example, has been exposed."

Its new service, easily accessible on its website, allows enterprises to gather exact information on specific products by collating advisories from a large number of third-party security firms. A few other organisations maintain comparable lists, including the Open Source Vulnerability Database (OSVDB) and the Common Vulnerabilities and Exposures (CVE) database, which provides common names for publicly known vulnerabilities.

Secunia said the new service could help companies keep an eye on the overall security of particular software - something that is often lost in the flood of advisories and the attendant hype. "Seen over a long period of time, the statistics may indicate whether a vendor has improved the quality of their products," said Secunia CTO Thomas Kristensen. He said the data could help IT managers get an idea of what kind of vulnerabilities are being found in their products, and prioritise what they respond to.

For example, Windows security holes generally receive a lot of press because of the software's popularity, but the statistics show that Windows isn't the subject of significantly more advisories than other operating systems. Windows XP Professional saw 46 advisories in 2003-2004, with 48 percent of vulnerabilities allowing remote attacks and 46 percent enabling system access, Secunia said.

Suse Linux Enterprise Server (SLES) 8 had 48 advisories in the same period, with 58 percent of the holes exploitable remotely and 37 percent enabling system access. Red Hat's Advanced Server 3 had 50 advisories in the same period - despite the fact that counting only began in November of last year. Sixty-six percent of the vulnerabilities were remotely exploitable, with 25 percent granting system access.

Mac OS X doesn't stand out as particularly more secure than the competition, according to Secunia. Of the 36 advisories issued in 2003-2004, 61 percent could be exploited across the Internet and 32 percent enabled attackers to take over the system. The proportion of critical bugs was also comparable with other software: 33 percent of the OS X vulnerabilities were "highly" or "extremely" critical by Secunia's reckoning, compared with 30 percent for XP Professional and 27 percent for SLES 8 and just 12 percent for Advanced Server 3. OS X had the highest proportion of "extremely critical" bugs at 19 percent.

As for the old guard, Sun's Solaris 9 saw its share of problems, with 60 advisories in 2003-2004, 20 percent of which were "highly" or "extremely" critical, Secunia said.

Comparing product security is notoriously difficult, and has become a contentious issue recently with vendors using security as a selling point. A recent Forrester study comparing Windows and Linux vendor response times on security flaws was heavily criticised for its conclusion that Linux vendors took longer to release patches. Linux vendors attach more weight to more critical flaws, leaving unimportant bugs for later patching, something the study failed to factor in, according to Linux companies. Vendors also took issue with the study's method of ranking "critical" security bugs, which didn't agree with the vendors' own criteria.

Secunia agreed that straightforward comparisons aren't possible, partly because some products receive more scrutiny than others. Microsoft products are researched more because of their wide use, while open-source products are easier to analyse because researchers have general access to the source code, Kristensen said.

"A third factor is that Linux / Unix people are very concerned about privilege escalation vulnerabilities, while Windows people in general are not, especially because of the shatter-like attacks which have been known for six years or more," he said. "A product is not necessarily more secure because fewer vulnerabilities are discovered."


TOPICS: Business/Economy; Computers/Internet
KEYWORDS: computersecurity; kneepads; littleprecious; lowqualitycrap; macuser; paidshill; redmondpayroll; tech; trollfromredmond
To: Bush2000
The sword cuts both ways: the court disagreed. Nice try.

Excuse me, Bushie, but the court may have disagreed but the Software Engineers put on the stand BY MICROSOFT'S ATTORNEYS stated under oath that Internet Explorer was an integral and essential part of the operating system and that it COULD NOT BE REMOVED.

If it isn't, why aren't these MS engineers residing in Leavenworth???

161 posted on 01/17/2005 9:49:38 PM PST by Swordmaker (Tagline now open, please ring bell.)
[ Post Reply | Private Reply | To 133 | View Replies]

To: Bush2000
Unpatched Mac boxes are just as readily exploited.

Now you have made a bald assertion. It is up to you to prove your case. We maintain they are not. All you have to do to prove us wrong is to show us that Macs ARE as readily exploited.

I again demand: SHOW US THE EXPLOITS IN THE WILD!

Put up, or shut up, Bush.

162 posted on 01/17/2005 9:52:31 PM PST by Swordmaker (Tagline now open, please ring bell.)
[ Post Reply | Private Reply | To 134 | View Replies]

To: antiRepublicrat
14 million is the OS X number only. I have no idea how many old ones are out there.

If Mac OS 9 and older versions are included, the total number of active Mac users is about 25 million.

163 posted on 01/17/2005 9:55:49 PM PST by HAL9000 (Spreading terrorist beheading propaganda videos is an Act of Treason!)
[ Post Reply | Private Reply | To 157 | View Replies]

To: Bush2000
"This exploit gives the attacker a root shell on the target system. Compromising the system further is a trivial process. "

Apple patched this vulnerability on May 3rd, 2004 by a standalone security update and system updates for 10.2.8 and 10.3.3. Systems that haven't been patched since May should be patched immediately.

Further research shows that this exploit could only be used on a system with ROOT already activated by the legitimate user. Without the password, root cannot be activated. Root is inactive by default on all shipped OSX systems. It also required the attacker to be sitting AT THE TARGET COMPUTER. The attacker had to have access to an already existing user account on that computer... if all of these conditions were met, then, yes, the attacker could have escalated his access IF he was logged on to the computer within 2 minutes of the Root user logging off but leaving Root activated. This vulnerability could not be executed over the internet or even over an intranet.

"A vulnerability has been reported in Mac OS X, allowing malicious web sites to compromise a vulnerable system. "

Solution: Apple has issued Security Update 2004-06-07, which addresses the vulnerability by presenting users with a dialog box the first time a file is launched automatically.

This is the 19th security issue Secunia listed that I agreed was a "critical vulnerability". It existed ONLY IN A PROOF OF CONCEPT and, as you can see above, was long ago repaired by Apple.

"It is also possible to silently place arbitrary files in a known location, including script files, on a user's system using the "disk" URI handler. Files on disk images can be executed without using the "help" URI handler. "

Apple has issued patches:

Mac OS X 10.2.8: http://wsidecar.apple.com/cgi-bi...ethod=sa/SecUpd2004-05-24Jag.dmg

Mac OS X 10.3.3: http://wsidecar.apple.com/cgi-bi...ethod=sa/SecUpd2004-05-24Pan.dmg

This was another PROOF OF CONCEPT that was never found in the wild. Done been fixed already, Bush... eight months ago.

164 posted on 01/17/2005 10:14:28 PM PST by Swordmaker (Tagline now open, please ring bell.)
[ Post Reply | Private Reply | To 141 | View Replies]

To: antiRepublicrat
You're right, the first one's pretty nasty. Fortunately, that service is turned off by default. Luckily, the rest don't give root.

The latter two can be used in conjunction with a "stepping-stone attack"; that is, you use the defect to run unauthorized code, which can exploit buffer overflows in any existing process/service or launch a new one -- in order to elevate privilege. Once they can get you to run unauthorized code on your box, all bets are off.
165 posted on 01/18/2005 9:23:15 AM PST by Bush2000
[ Post Reply | Private Reply | To 156 | View Replies]

To: antiRepublicrat
I know these products. You might want to read the capabilities a little more carefully and get back to me.

No, you don't know these products. They will remove IE completely.
166 posted on 01/18/2005 9:24:03 AM PST by Bush2000
[ Post Reply | Private Reply | To 158 | View Replies]

To: Swordmaker
Bush, I have not denigrated you by appellations such as "fan boy", why do you insist on ad hominem attacks?

What's so denigrating about "fan boy"? It correctly states that you are a boy (true) and a fan of Apple (also true).

I have also read Secunia's web site and completely DISCOUNTED all but one of the 19 so-called "critical vulnerabilities" when I did read them

And therein lies the problem: You guys ALWAYS DISCOUNT any issue relating to OSX security. It's always a WINDOWS PROBLEM. In your mind, Macs can do no wrong.
167 posted on 01/18/2005 9:26:10 AM PST by Bush2000
[ Post Reply | Private Reply | To 159 | View Replies]

To: Swordmaker
Another Bush2000 outright LIE.

Mac market share in companies is MINISCULE. You know it. I know it. Don't pretend otherwise.
168 posted on 01/18/2005 9:27:05 AM PST by Bush2000
[ Post Reply | Private Reply | To 160 | View Replies]

To: Swordmaker
Excuse me, Bushie, but the court may have disagreed but the Software Engineers put on the stand BY MICROSOFT'S ATTORNEYS stated under oath that Internet Explorer was an integral and essential part of the operating system and that it COULD NOT BE REMOVED.

Who cares what the engineers testified to under oath. That's irrelevant. What's relevant is the court's finding of fact that IE was not an essential part of the operating system.

If it isn't, why aren't these MS engineers residing in Leavenworth???

Because it was a civil case -- and they obviously had a difference of opinion with the court. But that didn't make their testimony criminal.
169 posted on 01/18/2005 9:29:05 AM PST by Bush2000
[ Post Reply | Private Reply | To 161 | View Replies]

To: Swordmaker
We maintain they are not. All you have to do to prove us wrong is to show us that Macs ARE as readily exploited.

Look, it's obvious to me that no amount of convincing would ever be good enough for you trolls -- so I'm not going to waste my time. You're zealots. Which means you belong to the Cult of Mac. These lines from the article speak for themselves. You disagree with the conclusion. So be it. The facts speak for themselves.
170 posted on 01/18/2005 9:34:15 AM PST by Bush2000
[ Post Reply | Private Reply | To 162 | View Replies]

To: Swordmaker
This was another PROOF OF CONCEPT that was never found in the wild. Done been fixed already, Bush... eight months ago.

I've tried to hammer this into your skull a number of times -- but you still don't seem to get this. We're talking about OS security here. Whether there is actually an exploit IN THE WILD for any given OS bug is irrelevant. The fact that there are more exploits being written for Windows doesn't indicate that it is less secure -- it just means that hackers are more industrious on that platform and they find real rewards (whereas, on the Mac, with piddly 3-percent and declining market share, it just isn't worth the effort).

So your call for exploits IN THE WILD is a red herring. A straw man. It's not the issue. The issue is FUNDAMENTAL SECURITY -- and, on that score, Secunia (a respected security authority, unlike you guys) finds that OS X is no more secure than other OSes.
171 posted on 01/18/2005 9:38:35 AM PST by Bush2000
[ Post Reply | Private Reply | To 164 | View Replies]

To: Bush2000
No, you don't know these products. They will remove IE completely.

They will remove it completely on up to W2K, but not on XP. Look at the separate page for the XP version.

172 posted on 01/18/2005 10:45:19 AM PST by antiRepublicrat
[ Post Reply | Private Reply | To 166 | View Replies]

To: Bush2000
Once they can get you to run unauthorized code on your box, all bets are off.

Many bets, but not all, if root hasn't been enabled.

173 posted on 01/18/2005 10:46:34 AM PST by antiRepublicrat
[ Post Reply | Private Reply | To 165 | View Replies]

To: HAL9000; Swordmaker; Bush2000; Golden Eagle; N3WBI3; Question_Assumptions; general_re
This news is a couple days old, but nobody's mentioned it yet. In yet another example of a reporter devoid of journalistic integrity, Maureen O'Gara has done it again, quote from NewsForge:
"It's just crazy," said one [OSDL] official, adding that the report's speculation on the patent strategy is "total fabrication as far as we can tell."

174 posted on 01/18/2005 10:56:35 AM PST by antiRepublicrat
[ Post Reply | Private Reply | To 151 | View Replies]

To: Bush2000
Secunia (a respected security authority, unlike you guys) finds that OS X is no more secure than other OSes.

Except that they tend to unreasonably escalate the criticality of OS X bugs. Anyway, let's get back to an answer for an old question: Why does one version of Windows still have about 20 security bugs outstanding, and the Mac none? Do you think that has any impact on real-world security?

175 posted on 01/18/2005 10:59:37 AM PST by antiRepublicrat
[ Post Reply | Private Reply | To 171 | View Replies]

To: antiRepublicrat
What are we referring to here?

176 posted on 01/18/2005 11:03:08 AM PST by general_re (How come so many of the VKs have been here six months or less?)
[ Post Reply | Private Reply | To 174 | View Replies]

To: HAL9000; Swordmaker; Bush2000; Golden Eagle; N3WBI3; Question_Assumptions; general_re
Just wanted to add that I think it's funny that we're here debating an article that was discredited by the source three days ago.

177 posted on 01/18/2005 11:03:37 AM PST by antiRepublicrat
[ Post Reply | Private Reply | To 174 | View Replies]

To: general_re
What are we referring to here?

Sorry, now that I reread the post I see I wasn't very clear. It's about OSDL's reaction to this article about them. Basically, O'Gara is making stuff up as usual.

178 posted on 01/18/2005 11:06:18 AM PST by antiRepublicrat
[ Post Reply | Private Reply | To 176 | View Replies]

To: antiRepublicrat
Okaaaaay, what O'Gara article?

Sorry if I seem obtuse - I must have missed this latest episode ;)

179 posted on 01/18/2005 11:18:09 AM PST by general_re (How come so many of the VKs have been here six months or less?)
[ Post Reply | Private Reply | To 178 | View Replies]

To: antiRepublicrat
Many bets, but not all, if root hasn't been enabled.

Root is irrelevant. There have been many buffer overflow exploits in kernel-land which lead to elevated privilege. It isn't necessary for the user running the app to have root privileges.
180 posted on 01/18/2005 11:48:39 AM PST by Bush2000
[ Post Reply | Private Reply | To 173 | View Replies]
