The False Promise of Browser Security

TechNewsWorld ^ | 10/11/2006 | Jack M. Germain

[Swordmaker]

The old saw that Apple computers are not vulnerable to adware, spyware and viruses is pure bunk, said Mark Loveless, senior security researcher at security firm Network Access Control.

The Clueless interviewing the clueless.

[Swordmaker]

Security wise, all browsers are equal... Right, Sure... PING

This article reads like FUD...

If you want on or off the Mac Ping List, Freepmail me.

[TheBattman]

The old saw that Apple computers are not vulnerable to adware, spyware and viruses is pure bunk, said Mark Loveless, senior security researcher at security firm Network Access Control. "All browsers have problems -- period," he said.

OK - I'll bite. When Mr. Mark Clueless demonstrates ONE - just one - adware/spyware/or virus that my PowerMac or iBook can be "infected" with, I will be more than happy to back him up. I'm waiting....

[tubebender]

The only option is for software developers to augment security by third-party programs that will limit exposure," he concluded.

This FUD brought to you by _________ ________ (fill in the blanks)

[bwteim]

""The entrance is within the bowels of browsers. That's where the success is," [Grossman] said."

And Mark Loveless's opinion belongs at the discharge point...

[LeGrande]

Most of the hackers I know would kill to be the first to truly hack the Apple OSX system (with anything, virus, Trojan, etc.). The bragging rights would be huge. The problem is that unless the user allows the 'program' to run it can't. So the only practical way to do that would be to insert code into safari or firefox and that is really tough to do without crashing the program. That would probably be impractical too because it still wouldn't have any way to make it to the protected memory area (without the users explicit permission).

Since most Mac users are probably like me (almost totally unprotected) and not worried at all about viruses, etc. I would think that if anyone was capable of taking over Macs it would be a much larger installed base of usable machines for them, with a ton of naive users, than those in the windows world. Since that isn't the case, there must be a reason why not.

The only reason that I can think of (other than they simply can't take over the Macs) is that the windows machines are so easy to take over that they can't be bothered trying anything else. Either way, Macs win : ) (and linux too)

[doc1019]

I’m glad that Mac users have weathered the storm so far, but to quote a my favorite book “Pride goeth before destruction, and a haughty spirit before a fall”, Proverbs 16:18.

Your turn will come, just a matter of time (I personally hope it never happens as my next ‘puter will be a Mac.).

[ShadowAce]

[ladyinred]

Apple, on the other hand, arrogantly says that its Safari browser is secure and that no one bothers them, Loveless said, but now hackers are starting to build attacks against it.

Well, so much for that theory. I am an Mac user, Safari of course, and just had a major hit of identity theft via the computer. Epassporte.com has my money and they do not cooperate at all with your bank, the law enforcement agencies, no one! BEWARE !

[LeGrande]

Your turn will come, just a matter of time

Oh I am sure some sophisticated phishing attack might get a few Mac users, but all of the normal methods, buffer overflow, root level access, tightly integrated systems exploits, simply aren't there for Mac hackers to exploit.

I am getting back into programming on the Mac and the first thing I do for fun is to try and figure out how to exploit the machine to get the most out of it. So far the best I can come up with is some scripting code in Python because it is interpretive. Or simply code something nasty with a legitimate program that I can back door. But Microsoft already does that don't they?

I was talking to a Microsoft security programmer the other day and his biggest complaint was that the hackers use the security releases to figure out how to hack the system so that people that don't upgrade are then vulnerable. He thinks that the 'fixes' often cause more problems than they solve, a two edged sword.

He also said that for Vista, Microsoft doesn't plan to offer any security patches, they think it will be perfect out the door. Interesting huh.

[doc1019]

I’m not a conspiracy buff by any means, but sometimes I feel that Microsoft is doing this or purpose. Each version of Windows is supposed to eliminate all these intrusion problems, yet they either still exist or new problems crop up.

Microsoft has a gazillion programmers and a gazillion dollars and they can’t come up with a piece of software that can’t be penetrated by amateur hackers????!!! As Yoda would say, “a break give me”.

[Echo Talon]

if you want your computer to be 100% secure then unplug it and turn it off.

[LeGrande]

if you want your computer to be 100% secure then unplug it and turn it off.

Would you settle for secure enough? Echo. Until you or anyone else can demonstrate that they can hack my computer I am not going to worry about my computers security.

On the other hand, it has been demonstrated countless times that you window's users can be very easily hacked. If you doubt me I can send you an e-mail that will make my point, all you have to do is be running XP and open the attachment with Outlook :^) Or if you prefer I could direct you to a couple of websites that will do more subtle things to your computer.

If you send me an email I will open any attachment. Do you want to see who crashes who first? This could be fun.

[LeGrande]

Nah, Microsoft's problems are all legacy and integration related. They have to keep all the old programs working and everything was based on old DOS crap. If they don't support the old programs customers won't/can't upgrade.

Microsoft also wants to make sure that their programs run fast so they put in nice little hooks (processor short cuts) for their own programs that no one else can use. But it turns out that those nice little 'hooks' opened them up for harmful exploits. Supposedly Vista has fixed all of those and that is one reason why it took them so long. Vista's primary reason for existence is to get control of the security issues and prevent piracy.

[steve-b]

"[Internet Explorer] and Firefox are about the same in terms of the access to vulnerabilities. The only distinction is that Firefox does not use ActiveX,"

John Doe and Joe Blow are about the same in terms of vulnerability to poison. The only distinction is that Joe does not pick and eat any old wild mushroom he comes across.

[Echo Talon]

if apple was SOOO secure then why does the govt use then exclusively?

[LeGrande]

if apple was SOOO secure then why does the govt use then exclusively?

Do you mean why "doesn't" the govt? Because it is easier to write programs for Windows than it is for the Mac? The only reason for owning a windows computer is because you use a program or programs that are only available on windows.

Apple made a big mistake back in the early years when it was the hot computer. They charged a lot of money for a development system (software and support) for a platform that was harder to program on than DOS. Microsoft was smarter, they gave it away for free and offered free support too.

Finally Apple now gives it away for free (since about 2001 or so I think), but they are playing catch up, big time. Now for the first time it is actually getting slightly easier to program Mac's than it is to program Windows.

[Swordmaker]

if apple was SOOO secure then why does the govt use then exclusively?

After the US Army's website running on Windows NT was hacked by a teenager and defaced, they switched to Macintosh xServes running OS X Server.

Despite the fact that the Army website is the target of hundreds of attacks every day, not one has succeeded since the switch to Mac systems in 1999. And uptime for the site is running at 99.995 percent.

Says the officer in charge who made the switch to Macs:

I wanted high-speed systems that could handle any application we needed, keep the site available 24 hours a day, not be vulnerable to every passing virus, and fend off hackers without my staff having to spend all their time applying security patches .
— Mark H. Wiggins, Lt. Col., U.S. Army, Ret. Former director, www.army.mil

Other comments on the US Army's choice of Apple Macintosh computers for their website:

The host Xserve and its backup are tied to an Xserve RAID storage system. Although the facility where www.army.mil resides already had a 200TB storage array, IT managers decided to go with Xserve RAID for the website because of its lower hardware and support costs. “The bang for the buck with Xserve RAID is fantastic,” site manager Cerniuk says. “And the performance is just outstanding.”

How many IT people does it take to run www.army.mil and its associated systems? Thanks to the simplicity and reliability of Xserve and Mac OS X Server, Cerniuk’s team consists of only three people including himself. As he notes proudly, “We have a small group that’s managing one of the largest sites in the world.”

And the switch to Apple solutions brought another benefit. “When we moved to a Mac OS — based system, we were able to focus less of our energy on security.” Now, instead of spending their time installing patches, Cerniuk’s staff is free to explore ways to make the site even more valuable to the Army community. In addition, the Mac systems are part of an overall multiplatform strategy that Cerniuk considers vitally important for any organization. “If you only have one type of system, you can be taken down by a single virus. Our diversity gives the Army better security.”

With the proven success of Mac systems at www.army.mil, Cerniuk often gets calls from other government webmasters considering a switch. What does he tell them? “Contact Apple, test it, and then deploy it.” And how has that advice been received? “We’ve converted some very staunch Windows folks.”

[Echo Talon]

pentagon? CIA?

[Swordmaker]

FBI