Is Windows inherently more vulnerable to malware attacks than OS X?

Infoworld ^ | August 22, 2006 | Tom Yager

[Swordmaker]

It took an attack on a Windows production server, not devotion to Apple, to put that provocative title on this entry.

On August 13 at 3:04 AM, a Windows server that I've been running for all of two weeks--it just replaced an Xserve G5--was attacked by a new strain of malware. This worm/trojan/backdoor/proxy/IRCbot/DDOS agent shared some characteristics with a known exploit, but it went well beyond what was described. I believed at the time of the infection, and even more strongly now, that this exploit's latent damage potential has been underestimated. I view the terse and vague update on the CERT site regarding the less tenacious strain of this beast with a sense of foreboding.

The attack I encountered occasioned a re-examination of a common question: Is Windows more vulnerable to malware than OS X? I've encountered no clearer or more definitive proof point than this attack. To set the stage, I'll describe the malware's methods. The only victim requirement is that a Windows system--client or server from 2000 and XP on up, 32 and 64-bit--be on an Internet-accessible IP address and listening for socket requests to the Windows Server service. The attacker connects to the Windows Server service, overflows a fixed-length buffer and tricks the service into executing code contained in a portion of the buffer. The attack edits the Registry to turn off the Windows firewall and packet filter, disables notifications that you're running with reduced security, and opens your system to anonymous access. It then uses the Registry to insert plant a pair of Windows services that run with SYSTEM privileges. Processes owned by that pseudo-user can literally do anything, unchecked, to the local machine. The malware services launch and announce your exploited system's presence via IRC and IM. After that, an IRC bot or (sub)human driver can make your system do whatever it wants, including making it a nest for more malware. In my case, it was so eager to scan the Internet for other systems to infect that it locked my server's CPUs at 100 percent and gave itself away.

To nail itself in place, two services watch for and regenerate each other even if their files are deleted. The malware adds an entry to Administrator's login script, and it watches for a privileged invocation of Windows Explorer (like Finder) and attaches a malicious thread to that.

I've been giving it great deal of thought, and I came up with a reasons pointing to the likelihood that Windows is at greater risk of catastrophic attacks. It's not easy reading, but it was either this dense packing or a book-length blog post.

• All Windows background processes/daemons are spawned from a single hyper-privileged process and referred to as services.
• By default, Windows launches all services with SYSTEM-level privileges.
• SYSTEM is a pseudo-user (LocalSystem) that trumps Administrator (like UNIX's root) in privileges. SYSTEM cannot be used to log in, but it also has no password, no login script, no shell and no environment, therefore
• The activity of SYSTEM is next to impossible to control or log.
• Most of the code running on any Windows system at a given time is related to services, most or all of which run with SYSTEM privileges, therefore
• Successful infection of running Windows software carries a good chance of access to SYSTEM privileges.
• Windows buries most privileged software, service executables and configuration files in a single, unstructured massive directory (SYSTEM32) that is frequently used by third parties. Windows will notify you on an attempt to overwrite one of its own system files stored here, but does not try to protect privileged software.
• Microsoft does not sign or document the name and purpose of the files it places in SYSTEM32.
• Windows has no equivalent to OS X's bill of materials, so it cannot validate permissions, dates and checksums of system and third-party software.
• Windows requires that users log in with administrative privileges to install software, which causes many to use privileged accounts for day-to-day usage.
• Windows requires extraordinary effort to extract the path to, and the files and TCP/UDP ports opened by, running services, and to certify that they are valid.
• Microsoft made it easy for commercial applications to refuse a debugger's attempt to attach to a process or thread. Attackers use this same mechanism to cloak malware. A privileged user must never be denied access to a debugger on any system. My right to track down malware on my computers trumps vendors' interests in preventing piracy or reverse-engineering. Maintaining that right is one of the reasons that open source commercial OS kernels are so vital.
• Access to the massive, arcane, nearly unstructured, non-human-readable Windows Registry, which was to be obsolete by now, remains the only resource a Windows attacker needs to analyze and control a Windows system.
• Another trick that attackers learned from Microsoft is that Registry entries can be made read-only even to the Administrator, so you can find an exploit and be blocked from disarming it.
• Malicious code or data can be concealed in NTFS files' secondary streams. These are similar to HFS forks, but so few would think to look at these.
• One of the strongest tools that Microsoft has to protect users from malware is Access Control Lists (ACLs), but standard tools make ACLs difficult to employ, so most opt for NTFS's inadequate standard access rights.

Why this can't happen under OS X:

• OS X has no user account with privileges exceeding root.
• Maximum privilege is extended only to descendants of process ID 1 (init or Darwin's launchd), a role that is rarely used and closely scrutinized.
• Unlike services.exe, launchd executes daemons and scheduled commands in a shell that's subject to login scripts, environment variables, resource limits, auditing and all security features of Darwin/OS X.
• Apple's daemons have man pages, and third parties are duty-bound to provide the same. Admins also expect to be able to run daemons, with verbose reporting, in a shell for testing.
• OS X Man pages document daemons' file dependencies, so administrators can easily rework file permissions to match daemons' reduced privileges.
• Launchd can tripwire directories so that if they're altered unexpectedly, launchd triggers a response.
• If an attacker takes over a local or remote console, any effort to install software or alter significant system settings cannot proceed without entering the administrator's user name and password, even if the console is already logged in as a privileged user. In other words, even having privileges doesn't ensure that even an inside hacker can arrange to keep them.
• OS X has a single console and a single system log, both in plain text.
• OS X's nearest equivalent to the Registry is Netinfo, but this requires authentication for modification. In later releases of OS X, it is fairly sparse.
• Applications have their own per-user and system-wide properties files, private Registries if you like, stored in human-readable files in standard locations.
• Every installed file is traceable to a bill of materials that can verify that the file is meant to exist, and that it and all of its dependencies match their original checksums. Mac users, back up and protect your Receipts folder!
• The directories used to hold OS X's privileged system executables are sacred. Anything new that pops up there is immediately suspect.
• OS X does not require that a user be logged in as an administrator to install software. The user or someone aiding the install needs to know the name and password of a local administrative user to complete the install. On a network, most software is installed using Remote Desktop, an inexpensive Systems Management Server-like console.
• The UNIX/POSIX API, standard command-line tools and open source tools leave malware unable to hide from a competent OS X administrator. It takes a new UNIX programmer longer to choose an editor than it does to write a console app that walks the process tree listing privileged processes. Finding the owners of open TCP/UDP ports or open files is similarly trivial. The "system" is not opaque.
• Basic OS X features can be put to use to make life miserable for malware. For example, Windows' hackable restore points are done better by OS X's ability to create encrypted, read-only disk images. They're simpler than archives, and you can mount them as volumes anywhere in your file hierarchy.
• Likewise, OS X Server will image any Mac client or server's local drives and maintain safe copies that can be used not only for restoration, but which can be booted from to guarantee that there's no trace of infection.
• When erase-and-reinstall is the only way to be sure, OS X Server automates it. It can safely capture the affected Mac's active drives before having that Mac boot from the fresh install image.

So, after all this, do I have enough to judge Windows inherently more vulnerable to severe malware than OS X? I do.

I've been writing about these shortcomings for years, and it always traces back to Microsoft's untenable policy of maintaining gaps in Windows security to avoid competing with 3rd party vendors and certified partners. Apple's taking a different approach: What users need is in the box: Anti-virus, anti-spam, encryption, image backup and restore, offsite safe storage through .Mac, and launchd. Pretty soon any debate with Microsoft over security can be ended in one round when Apple stands up, says "launchd," and sits back down.

[Echo Talon]

odds would say that one had to, somewhere at some time. :)

[rlmorel]

Regardless of whether the author is biased or not, I base my estimation of whether Windows is inherently more or less secure than a UNIX box on empirical observations:

1.) Proportionally, how many spyware/malware/antivirus packages exist and are used for UNIX boxes vs. Windows boxes?

2.) In my institution, I am allowed to place a UNIX box on the network with no virus protection. I am not allowed, under any circumstances to do so with a Windows box.

While a UNIX box's security seems nearly completely dependent on how it it configured, the same is not true for Windows. A UNIX box can be configured out of the box to be tighter than a gnat's ass, but a Windows box, even perfectlly configured, is vulnerable without various 3rd Party programs, and even then, only up the latest deviant creation by some malicious person out there gets around it. Then the 3rd party protective program must be fixed.

OSX and other UNIX variants seem to be vulnerable to human engineering exploits, that is something that tricks you into entering your password thinking it is an appropriate thing to do.

[rlmorel]

I will accept those odds as well!

[rlmorel]

Heh, I just noticed your tagline...

My brother, who runs his own company doing PC support, calls Internet Explorer "Internet Exploder"...:)

[ShadowAce]

[TechJunkYard]

.. Microsoft's untenable policy of maintaining gaps in Windows security to avoid competing with 3rd party vendors and certified partners..

I had always wondered about that.

So Microsoft intentionally maintains poor security for economic reasons, or just doesn't know any better?

I think it's a bit of both.

[Uri’el-2012]

ET>oh boy an anal English teacher......

Sm>The Hills don't know if you exist, either...

ET>but the Lord does. :D

19 posted on 08/24/2006 3:11:13 AM MDT by Echo Talon

You don't demonstrate that you know the L-rd.

b'shem Yahu'shua

[Uri’el-2012]

Is Windows inherently more vulnerable to malware attacks than OS X?

Microsoft Windows(dos) was designed for one person.
Hence there was never any understanding of a hostile intent to crack the system.

BSD Unix on the other hand was written under contract
from DoD with a mission to defend against hostile attacks in a multi-user environment

Mac OSX was built on a variant of BSD with an additional twenty plus years of understanding of hostile intent.

When I worked at Bell Labs twenty plus years ago there were posters on the walls of cubicles stating :

4.3 > V

Among the world's best Unix programmers, BSD was always considered better than Unix

[Echo Talon]

because i used the word anal?

[Echo Talon]

Berkeley Software Distribution wow man hippies and stuff...

[Uri’el-2012]

No.

But because of your negative, condescending
supercilious attitude towards everyone
who thinks differently than you do.

You do not show the chesed of Y'shua.

b'shem Yahu'shua

[Echo Talon]

maybe if you would quit speaking in tongues i could understand you... :]

[Senator Bedfellow]

Most of these bullet points are simply wrong. Oh, well.

[Question_Assumptions]

Windows was written before computers were commonly networked to the Internet. And contrary to popular mythology that Microsoft helped the Internet explosion, let's not forget that Microsoft launched MSN as a proprietary network and one needed 3rd party Windows TCP/IP socket software (like Trumpet WinSock) to even connect to TCP/IP networks until Microsoft was dragged kicking and screaming to the conclusion that they couldn't control the Internet and added their own socket support.

[Swordmaker]

Most of these bullet points are simply wrong. Oh, well.

Please elucidate.

[Senator Bedfellow]

At random:

Apple's daemons have man pages, and third parties are duty-bound to provide the same.

My initial reaction is naturally "HAHAHAHAHAHA", and yours should be too. Find me the man page for the bfobserver daemon that ships with Xcode. Or save yourself some time and take my word for it that there isn't one. So much for "duty-bound". LOL.

[DesScorp]

"...and Swordmaker posting trash about windows and great articles about Apple."

And he would be absolutely right, at least on the subject of security. I'm an IT Manager, and my networks run everything from Solaris to Windows servers to Linux...my client machines are a big mix as well, but mostly Windows. And no other other operating system gives me as many headaches about security as Windows. Always have, and until they quit giving marketing the final say in Redmond, that's the way it'll always be. Microsoft has world class security people, but their job is to fix the problems from feautures that the marketing wing demands...they haven't been as involved in the design of the OS. Contrast that to groups like OpenBSD, which design their operating system from the ground up with security in mind....if they can't keep a feature secure, it simply doesn't ship.

I'm not the Apple fanboy that Sword is, but his points are mostly valid, and Apple's user experience is still superior to that of Microsoft's....windows has improved, for sure, and it's the best choice for certain kinds of usage, but Apple's are still a better OS. They've brought the prices down drastically on the high end...if they ever follow suit on the low-end (a sub $400 decently packed Mac Mini would be a good start), then I firmly believe you'd see a loss of market share from Redmond, with more business going to Cupertino.

How good is the OS X experience? After becoming familiarized with Apple's by having to learn their ins and outs to support users, I've decided to buy a 600 mhz G3 via Ebay to run OS X for my own personal use. With enough Ram it runs nicely.

[rlmorel]

OS X does okay on a G3.

I just retired an iMac that I was using as a Filemaker server, 600mH 192MB RAM, and it did fine. Hey, I wasn't demanding a lot of it except to not have the OS choke and crash while several users access it, and it stayed up for months running Panther.

OS X is a nice OS. I like it.

[Uri’el-2012]

Windows was written before computers were commonly networked to the Internet...........

34 posted on 08/24/2006 9:22:05 AM MDT by Question_Assumptions

Thats not quite true.

Personal computers perhaps,
but computers had been networked to Arpanet for decades prior to Windows

[Question_Assumptions]

Obviously. And Macs also had Appletalk going way back. I was talking about PCs, specifically.