Posted on 08/10/2011 12:25:04 AM PDT by Swordmaker
OSX is getting better, but has a way to go, security researchers say
While still not great, the operating systems behind Apple desktops, laptops and phones are getting more secure, researchers at Black Hat say.
While not recommended for corporate use unless it’s in islands within larger networks, the OSX operating system has made strides, says Alex Stamos, who lead a team of researchers from iSec Partners that researched the OSX and Windows 7 operating systems.
Their conclusion is that Apple does pretty well, but Microsoft wins. Even so, earlier versions of Apple’s software were more vulnerable to initial exploitation than Win 7, but the latest Apple version known as Lion makes up ground.
Escalating privileges remains a problem on both operating systems, he says, with OS X having more potential soft spots than Win 7. But when it comes to network vulnerabilities, Apple is the loser. “OSX networks are significantly more vulnerable to network privilege escalation,” he says. “Almost every OSX server service offers weak or broken authentication mechanisms.”
Despite commonly held beliefs that Apple products draw less attention from attackers, some statistics seem to buck that notion, he says. For example, over the past three years, 1,151 common vulnerabilities and exposures (major bugs) have affected Apple products, including third party software. The number for Windows is 1,325, not that much higher, Stamos says.
Lion has made strides with the addition of an application sandbox that keeps applications isolated so if malicious executables boot up, they are contained, he says.
On the mobile side, independent researcher Dino Dai Zovi, says iOS does a pretty good job running applications in a sandbox. The operating system has a dynamic signing feature for applications in which the device itself has to approve applications before running them, not just accepting the Apple certificate that says they are approved.
He says Blackberries have better data protection than iOS, but they lack a sandbox for running applications. He says that Google’s Android mobile operating system is more vulnerable than iOS. Android is about as secure as a jailbroken iPhone that has lost many of its security features by virtue of being jailbroken, he says.
.
It's not a brute force attack. The time-consuming part is done long before they get there. Click a link. Done.
Maybe you can answer - why would someone hack the harder-to-hack/slower-to-hack computer and risk the $10,000?
Already answered. Because if you're trying to make a name for yourself as a security consultant, pwning the Mac gets your name on Gizmodo, Engadget, Wired, PC World, the Register, and even Free Republic. Pwning the Windows box gets you a mention somewhere halfway down the Risks Digest.
I DID read your post.
You are making things up again that are untrue.
The facts are known and were published at the time: Every contestant interviewed said they WANTED the Mac... and it was the juicy target that would make headlines. Being just another hacker who broke into another Windows computer is NOT news. Face it, thats "dog bites man" news relegated to nowhere news. They did not make the choice because the Mac was easier. That's been the case every year for the past three. No one asked the first year.
Just because YOU WANT it to be another reason, does not make it so. Reality is what it is. The crackers went after the Mac because they WANTED the Mac... And the prize money... and the fame.
Charlie Miller stated that his first year exploit, because it was a JAVA exploit, would have worked on all THREE target computers, but he really liked Macs and wanted the MacBook Pro! So that's what he went for. You simply don't read! Charlie does his work on Macs... And even stated that they are a "safer platform to use, but they have more vulnerabilities.". The second year, he wanted the MacBook Air for traveling, so he went after that... And said that again he had an exploit for both the Mac and the PC prepared using the same Java flaw that he'd found the year before when he'd found the other and saved for the next contest. It just required a different access with either Safari or IE.
Miller has a pet peeve because he wants them to have everything randomly located, not just the dynamic Libraries. He wants Apple to randomize the stacks and Data heaps as well. Apple doesn't think that's necessary, because on an Apple, those are located in non-executable memory locations and nothing can be executed from there anyway! That's why he says they are more "vulnerable." Apple's point is, if the cracker can't do anything with any malware he sticks there, what's the point of knowing where it is? So what? It can't run. Randomizing that data would slow down the system and add unnecessary overhead for dubious gain.
So... No answer is what you choose. Obfuscation. They will take the Mac because it’s what they want - and they aren’t worried that someone else could crack a Windows box faster and get the prize.
Sorry, your FUD about Windows 7 being insecure is just that - FUD. Sorry Shillmaker, you’re shown wrong again.
From the article:
Which platform has the most vulnerabilities, Sidelines? Which platform has the most Trojans? There are twenty-two known Trojans for the OSX Mac, all of which the OS will identify and block automatically. Which platform has ZERO auto-installing, auto-transmitting, auto-replicating computer virusesin the wild? (Hint, it's not Windows!) Which platform has the most exploits in the wild. Which platform has the most unfixed exploits in the wild RIGHT NOW. (Hint. It's not Apple.)
This article is STUPID for you to defend, Sidelines: only the headlines has the claim that OSX has a worse record. It's OWN EVIDENCE shows that over the last three years WINDOWS had 174 MORE vulnerabilities than did OSX, and that was using the count everything including the UNIX kitchen sink against OSX method of counting vulnerabilities for Apple! So where is the evidence for the Article's hyperbolic headline??? Certainly not there? Where is it???
The guy quoted was rightfully called on the carpet by the people in the original article's published location comments when they pointed out that what he kept referring to as "Apple OSX NETWORK" was really "UNIX Network", the gold standard for network security, and when asked for ANY examples of his "Apple OSX network priviledge escalation" he claimed were rife in "every Apple OSX NETWORK SERVICE" and he was NOT forthcoming with any at all... This from a conference FUNDED by Microsoft??? I call it FUD. And I think the lack of concrete evidence for that headline in the article or his statements proves it.
OSX is a certified trademarked UNIX. One of just four in the world so certified. It doesn't get that by being sloppy about UNIX Security Services.
And your little list means nothing... How serious were those vulnerabilities? Are they like the jailbreakme.com exploit where just visiting a website could compromise the OS?
What’s your qualification as compared to the experts at the Blackhat convention? Apple shill? Doesn’t cut it...
Face it - the experts - those who make money defending AND those who earn a living attacking - say that Apple isn’t as secure when it comes to enterprise security. That’s the experts - not a shill trolling for his chosen company.
You ARE an idiot who does not bother to read... It's NOT my "little list," Sidelines, it's THEIR "little list!" they are the ones who keep the list of "serious" vulnerabilities, not me. THEY are the ones who characterized the lists and enumerated them... Keep dancing. Too bad you don't do it very well.
One "expert" said it wasn't secure... The others disagreed... The headlines went with the one!
“It's a significant improvement, and the best way that I've described the level of security in Lion is that it's Windows 7, plus, plus,” said Dino Dai Zovi, principal of security consultancy Trail of Bits and the coauthor of The Mac Hacker's Handbook. “I generally tell Mac users that if they care about security, they should upgrade to Lion sooner rather than later, and the same goes for Windows users, too.” (Emphasis mine)
Charlie Miller, pwn2own winner from 2008 to 2011, has some nice things to say about Lion security here, but he does not explicitly compare it to Windows.
So for the last 2 years that Windows 7 has been out, it’s been more secure - in Dino Dai Zovi’s opinion - than Leopard and Snow Leopard. It’s only with the new Lion that it’s gotten back equal or a little better than Windows 7.
Thanks!
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.