Macs Are Not Invulnerable
PC Magazine ^ | Dec. 11 | Lance Ulanoff

Posted on 12/15/2003 10:48:50 PM PST by Bush2000

Macs Are Not Invulnerable
Windows Isn’t the Only System With Serious Flaws

Commentary
By Lance Ulanoff
PC Magazine

Dec. 11— I know this is wrong, but in one respect I was happy to learn earlier this month about the discovery of a significant security hole in the Jaguar and Panther versions (10.2 and 10.3, respectively) of the Apple operating system (OS).

I was tired of the "We use Macs because they don't get attacked by viruses and hackers" refrain from Mac nuts.

I generally counter with what is apparently a secret carefully hidden from Mac zealots: "That's because only a fraction of the world uses Macs. What's the point of attacking a niche market? No one will notice!"

But the mindlessly superior retort is always the same, "No, it's because the Apple OS does not have the same holes as Windows. OS X is just a better operating system."

Given this recent development, my question is, "Will you be stuffing that superior attitude in your crow or eating it separately, sir?"

A Major Mac Breach

This is a significant hole. The original report, found on Carrel.org, puts a frightening spin on the problem:

"A series of seemingly innocuous default settings can cause an affected Mac OS X machine to trust a malicious machine on a network for user, group, and volume mounting settings."

So an attacker who can gain access to your network — over a wired connection or wirelessly — can trick an affected system into trusting a rogue machine, and when the compromised machine reboots, take it over and even attack other systems on the network.

The truth is that the Mac OS is just as vulnerable as Microsoft Windows. Overall, maybe OS X is better than Windows, but that's not the point. Panther, for example, is a great OS, but it's also complex, and complexity leaves room for gaps — some small, some not.

From Mac Fan(atic) to Windows User

OS X 10.x may not be as widely used as Windows (let's face it, it isn't) but some of its devotees seem far more fanatical than Windows users. Those who toil in Windows — me, for instance — care about their OS to a certain degree, but hardly feel the need to jump to its defense or come up with ridiculous conspiracy theories to explain why, say, Bob bombed or Windows Me stank.

So I am by no means a Windows apologist or Microsoft partisan. I began my computing career as a Mac patriot, in fact. I used a Mac SE/30 with PageMaker version 1.2 and laughed at the lowly IBM PS/2, which could just hobble along on the subpar Windows 3.0 and had virtually no font support. I trained people on Macs, converted entire print production systems over to the Mac and PageMaker, and salivated over every software upgrade and hardware enhancement.

But even back then, I had this gnawing suspicion that 18-month software development cycles could somehow hurt the platform. Before the tide really turned, however, I switched to PCs. I had joined PC Magazine, and the editorial staff used them.

My introduction to the PC came at precisely the same time as Microsoft launched Windows 3.1. I was no longer focusing on the Mac, and Microsoft had finally released a viable GUI. It didn't beat the then-current Mac OS (System 7), but it was a start, and of course, people began buying millions of PCs with Windows 3.1 preloaded.

The rest is history.

The Target Everyone Loves to Hit

When Microsoft released Windows 95 three years and some months later, for the first time there was a degree of parity between the graphical interfaces. I found things to grumble about, but they were minor.

Microsoft's less-than-stellar OS security took a while to become apparent. In fact, the problem wasn't epidemic until a few years after the Internet took off. Windows' market domination makes it a target for the virus authoring community.

The OS also bears the burden of user wrath because those who depend on Windows so often feel let down. But nothing drives me crazier than Mac true believers shaking their heads and grinning at me every time another Windows virus hits.

This past summer was particularly difficult. As Blaster and SoBig wreaked havoc across the Internet and with millions of Windows PCs, Mac users would tell me with mock sympathy, "This wouldn't happen if we all ran Macs".

We don't, of course, and again, that's the point.

If the Tables Were Turned

The discovery of this OS X security hole will be like a tree falling in a particularly remote forest. So few people actually use Macs (notwithstanding, of course, what you see in the alternate universe of movies, where everyone appears to use them), that I think it's unlikely this problem will have any long-term effect. Hackers are unlikely to exploit this hole the way they have Windows failings.

If the Macintosh OS ever became dominant, the tables would turn, and there would be just as many reports of viruses, security holes, and attacks on it as we currently have with Windows. As one Macophile I spoke with noted, no one has even bothered to exploit this security flaw. I doubt anyone will.

Meanwhile, we can already see what happens when Apple has a broadly popular product that cuts across platforms. The Apple iPod is the number one MP3 player, and now that its companion computer utility, iTunes, is available for both the Mac and the PC, it has become a hack target. In fact, Jon Lech Johansen, the same Norwegian who cracked the DVD security code, recently circumvented the iTunes music protection scheme.

An event like that occurring makes sense to me, since iTunes' popularity makes it a target worth hacking — and whatever mystical Mac mojo there may be, it didn't go far in protecting a popular Apple product.

Who's Crowing Now?

Ultimately, those on the Mac fringe have to face facts: Panther and Jaguar were not better at outrunning vulnerabilities than Windows.

I expect other gaps will emerge, and while the Mac OS may still draw far fewer attacks, this discovery might suck a little wind (or is it Windows?) out of Mac radicals' sails. They can scarcely claim this was a minor hole. OS root access is serious stuff.

How cocky are you feeling now, Mac elite? Hmm. Suddenly it's gotten pretty quiet around here.


TOPICS: Business/Economy; Technical
KEYWORDS: apple; buggy; computersecurity; lowqualitycrap; macs; macuser

1 posted on 12/15/2003 10:48:50 PM PST by Bush2000
[ Post Reply | Private Reply | View Replies]

To: Bush2000
Muckraking, the PC Way
Richard Forno
12 Dec 03
Copyright (c) 2003 by Author. Permission granted to reproduce in entirety with credit given.

Richard Forno is a security technologist, author, and the former Chief Security Officer at Network Solutions.



Since Apple released Mac OS X, even the PC industry trade publications have raved about its quality, design, and features. PC Magazine even gave Mac OS X "Panther" a 5-star rating in October 2003. Perhaps it was because Macs could now seamlessly fit into the Windows-dominated marketplace and satisfy Mac users refusing to relinquish their trusty systems and corporate IT staffs wanting to cut down on tech support calls. Whatever the reason, Mac OS X has proven itself as a worthy operating system for both consumers and business alike.

Of course, as with all operating systems, Mac OS X has had its share of technical problems and even a few major security vulnerabilities. Nearly all were quickly resolved by Apple via a downloaded patch or OS update.  But in general, Mac OS X is solid, secure, and perhaps the most trustworthy mainstream computing environment available today. As a result, Mac users are generally immune to the incessant security problems plaguing their Windows counterparts, and that somehow bothers PC Magazine columnist Lance Ulanoff.

In a December 11 column [1] that epitomizes the concept of yellow journalism, he's "happy" that Mac OS X is vulnerable to a new and quite significant security vulnerability. The article was based on a security advisory by researcher William Carrel regarding a DHCP vulnerability in Mac OS X. Carrel reported the vulnerability to Apple in mid-October and, through responsible disclosure practices, waited for a prolonged period before releasing the exploit information publicly since Apple was slow in responding to Carrel's report (a common problem with all big software vendors). Accordingly, Lance took this as a green light to launch into a snide tirade about how "Mac OS is just as vulnerable as Microsoft Windows" while penning paragraph after paragraph saying "I told you so" and calling anyone who disagrees with him a "Mac zealot."

In other words, you're either with him or with the "zealots."  Where have we seen this narrow-minded extremist view before?  

More to the point, his article is replete with factual errors. Had he done his homework instead of rushing to smear the Mac security community and fuel his Windows-based envy, he'd have known that not only did Apple tell Carrel on November 19 that a technical fix for the problem would be released in its December Mac OS X update, but that Apple released easy-to-read guidance (complete with screenshots) for users to mitigate this problem on November 26.  Somehow he missed that.

Since he's obviously neither a technologist (despite writing for a technology magazine) nor a security expert, let's examine a few differences between Mac and Windows to see why Macintosh systems are, despite his crowing, whining, and wishing, inherently more secure than Windows systems.

The real security wisdom of Mac OS lies in its internal architecture and how the operating system works and interacts with applications. It’s also something Microsoft unfortunately can’t accomplish without a complete re-write of the Windows software -- starting with ripping out the bug-riddled Internet Explorer that serves as the Windows version of "Finder."  (That alone would seriously improve Windows security, methinks.)

At the very least, from the all-important network perspective, unlike Windows, Mac OS X ships with nearly all internet services turned off by default. Place an out-of-the-box Mac OS X installation on a network, and an attacker doesn’t have much to target in trying to compromise your system. A default installation of Windows, on the other hand, shows up like a big red bulls-eye on a network with numerous network services enabled and running. And, unlike Windows, with Mac OS X, there’s no hard-to-disable (for average users afraid to tweak things unfamiliar to them, that is)  “Messaging Services” that results in spam-like advertisements coming into the system by way of Windows-based pop-up message boxes. And, the Unix-based Mac OS X system firewall – simple enough protection for most users -- is enabled by default (in Mac OSX Server) and easy to find and configure in Mac OS X Client software (not that there's much that users need to worry about out-of-the-box anyway) -- something that Microsoft only recently realized was a good idea and acknowledged should be done in Windows clients as well.  I guess Lance didn't hear about that, either.

Then there's the stuff contributing to what I call "truly trustworthy computing."

When I install an application, such as a word processor, I want to know with certainty that it will not modify my system internals. Similarly, when I remove the application, I want to know that when I remove it (by either the uninstaller or manually) it’s gone, and nothing of it remains on or has modified my system. Applications installed on Mac OS X don’t modify the system internals – the Mac version of the Windows/System directory stays pretty intact. However, install nearly any program in Windows, and chances are it will (for example) place a different .DLL file in the Windows/System directory or even replace existing ones with its own version in what system administrators of earlier Windows versions grudgingly called "DLL Hell." Want to remove the application? You’ve got two choices: completely remove the application (going beyond the software uninstaller to manually remove things like a power user) and risk breaking Windows or remove the application (via the software uninstaller) and let whatever it added or modified in Windows/System remain, thus presenting you a newly-but-unofficially patched version of your operating system that may cause problems down the road. To make matters worse, Windows patches or updates often re-enable something you’ve previously turned off or deleted (such as VBScript or Internet Explorer) or reconfigure parts of your system (such as network shares) without your knowledge and potentially place you at risk of other security problems or future downtime. Apparently, Lance doesn't see this as a major security concern.

Further, as seen in recent years, Microsoft used the guise of a critical security fix for its Media Player to forcibly inject controversial Digital Rights Management (DRM) into customer systems.[2] Users were free to not run the patch and avoid DRM on their systems, but if they wanted to be secure, they had to accept monopoly-enforcing DRM technologies and allow Microsoft to update such systems at any time in the future.  How can we trust that our systems are secure and configured the way we expect them to be (enterprise change management comes to mind) with such subtle vendor trickery being forced upon us? Sounds like blackmail to me.  (Incidentally, Lance believes the ability of a user to "hack" their own system to circumvent the Apple iTunes DRM makes the Macintosh a bigger "hack target" for the purposes of his article....apparently, he's not familiar with the many nuances of the terms "hack" and "hackers" or knows that power-users often "hack" their own systems for fun.)  Were Apple to do such a thing, Mac users would likely revolt, and Apple's credibility seriously damaged.

What does that say about trusting an operating system's ability to perform in a stable and secure manner? Windows users should wonder who’s really in control of their systems these days. But Lance is oblivious to this, and happy to exist in such an untrustworthy computing environment.

On the matter of malicious code, Lance reports being "driven crazy" when Mac users grin at not falling victim to another Windows virus or malicious code attack. He's free to rebuild his machine after each new attack if he wants, and needs to know that Mac users are grinning at not having to worry about such things getting in the way of being productive.  You see, because of how Mac OS X was originally designed, the chance of a user suffering from a malicious code attack - such as those nasty e-mail worms - is extremely low. Granted, Mac users may transmit copies of a Word Macro Virus if they receive an infected file (and use Microsoft Word) but it’s not likely that – again, due to Mac OS X's internal design – a piece of malicious code could wreak the same kind of havoc that it does repeatedly on Windows. Applications and the operating system just don’t have the same level of trusted interdependencies in Mac OS X that they do on Windows, making it much more difficult for most forms of malicious code to work against a Macintosh.

Unlike Windows, Mac OS X requires an administrator password to change certain configurations, run the system updater, and when installing new software. From a security perspective, this is another example of how Apple takes a proactive approach to system-level security. If a virus, remote hacker, or co-worker tries to install or reconfigure something on the system, they’re stymied without knowing the administrator’s password stored in the hardened System Keychain. (Incidentally, this password is not the same as the Unix 'root' account password of the system's FreeBSD foundation, something that further enhances security.) In some ways, this can be seen as Mac OS X protecting a careless user from themselves as well as others.

Lance also fails to recognize that Windows and Mac OS are different not just by vendor and market share, but by the fundamental way that they're designed, developed, tested, and supported. By integrating Internet Explorer, Media Player, and any number of other 'extras' (such as VB Script and ActiveX) into the operating system to lock out competitors, Microsoft knowingly inflicts many of its security vulnerabilities onto itself.  As a result, its desire to achieve marketplace dominance over all facets of a user's system has created a situation that's anything but trustworthy or conducive to stable, secure computing.  Mac users are free to use whatever browser, e-mail client, or media player they want, and the system accepts (and more importantly, remembers!) their choice.

Contrary to his article, the small market segment held by Apple doesn't automatically make the Mac OS less vulnerable to attack or exploitation. Any competent security professional will tell you that "security through obscurity" - what Lance is referring to toward the end of his article - doesn't work. In other words, if, as he suggests, Mac OS was the dominant operating system, its users would still enjoy an inherently more secure and trustworthy computing environment even if the number of attacks against it increased.  That's because unlike Windows, Mac OS was designed from the ground up with security in mind.  Is it totally secure? Nothing will ever be totally secure. But  when compared to Windows, Mac OS is proving to be a significantly more reliable and (exponentially) more secure computing environment for today's users, including this security professional.

If Lance is sleeping well believing that he's on an equal level with the Mac regarding system security, he can crow about not being overly embarrassed while working on the only mainstream operating system that, among other high-profile incidents over the years, facilitated remote system exploitation through a word processor's clip art function! [3]

Trustworthy computing must be more than a catchy marketing phrase. Ironically, despite a few hiccups along the way, it's becoming clear that Mac OS, not Windows, epitomizes Microsoft's new mantra of "secure by design, default, and deployment."

Who's crowing now?


[1] Macs Are Not Invulnerable
http://abcnews.go.com/sections/scitech/ZDM/mac_vulnerablility_pcmag_031211.html

[2] Microsoft Makes An Offer You Can't Refuse
http://www.infowarrior.org/articles/2002-09.html

[3] Buffer Overflow in Clipart Gallery (MS00-015)
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/fq00-015.asp


# # # # #

Richard Forno is a security technologist, author, and the former Chief Security Officer at Network Solutions. His home in cyberspace is at http://www.infowarrior.org/.
2 posted on 12/15/2003 10:53:02 PM PST by Dont Mention the War
[ Post Reply | Private Reply | To 1 | View Replies]

To: Scutter
ping
3 posted on 12/15/2003 10:53:59 PM PST by agitator (Ok, mic check...line one...)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Bush2000
That's what I have been saying all along.

Linux heads read up.

When *nix was the most popular OS on minis and mainframes, and they were the ONLY computers connected to the Internet (or any networks for that matter) *nix was the BIGGEST target.
4 posted on 12/15/2003 10:54:47 PM PST by Smogger
[ Post Reply | Private Reply | To 1 | View Replies]

To: Bush2000
I just downloaded a firmware update for my G5 w/ Panther OS which plugged a security hole, so Apple is on the case.
5 posted on 12/15/2003 10:54:52 PM PST by quidnunc (Omnis Gaul delenda est)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Bush2000
I have a router interfaced with my DSL connection. I am "Stealth" according to Gibson http://www.grc.com/

I do not worry - I'net user since '81

Arpanet user since '66

I have never had a problem.

Macs Rule!

Retired IBM Field Engineer.
6 posted on 12/15/2003 11:03:39 PM PST by Bobibutu
[ Post Reply | Private Reply | To 1 | View Replies]

To: Bobibutu
I am running Panther - osx 10.3.1
7 posted on 12/15/2003 11:06:26 PM PST by Bobibutu
[ Post Reply | Private Reply | To 6 | View Replies]

To: Dont Mention the War
Of course, as with all operating systems, Mac OS X has had its share of technical problems and even a few major security vulnerabilities. Nearly all were quickly resolved by Apple via a downloaded patch or OS update. But in general, Mac OS X is solid, secure, and perhaps the most trustworthy mainstream computing environment available today. As a result, Mac users are generally immune to the incessant security problems plaguing their Windows counterparts, and that somehow bothers PC Magazine columnist Lance Ulanoff.

BS. It took Apple nearly two months to patch the DHCP critical flaw.
8 posted on 12/15/2003 11:22:49 PM PST by Bush2000 (r>)
[ Post Reply | Private Reply | To 2 | View Replies]

To: Bush2000
As long as humans are designing operating systems, those operating systems will be flawed in some way. This is true of MacOS, Windows and all manner of Unices.

Like the old saying goes, "To err is human. To really foul things up requires a computer." ; )
9 posted on 12/15/2003 11:28:55 PM PST by Prime Choice (Leftist opinions may be free, but I still feel like I'm getting ripped off every time I receive one.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Bobibutu
I'm also "Stealth" on Gibson's site.

I'm running Win2k.

I've never caught a virus from the Web. I use one dedicated Win2k machine as a router and server. The machine is on 24/7.
10 posted on 12/15/2003 11:32:40 PM PST by DB (©)
[ Post Reply | Private Reply | To 6 | View Replies]

To: Bush2000
I own both PCs and Macs. They are both good in different ways. Being fanatical about an operating system is just silly IMHO.
11 posted on 12/15/2003 11:39:54 PM PST by Hawkeye's Girl
[ Post Reply | Private Reply | To 1 | View Replies]

To: Bush2000
BS. It took Apple nearly two months to patch the DHCP critical flaw.

And your point, Bush2000?

Mr. Forno's column said "… Nearly all were quickly resolved by Apple … " so for you to jump on Apple's taking two months to distribute a patch for this situation as a refutation of Mr. Forno's entire column is a scurrilous gesture worthy of That Site Which Shall Not Be Named.

Further, while you are attacking Mr. Forno's position, would you care to share with us all of the stories of your friends and colleagues running Mac OS X who were affected by this DHCP flaw?

12 posted on 12/15/2003 11:44:32 PM PST by ShorelineMike (Yes, I'm bilingual; I speak PC and Macintosh.)
[ Post Reply | Private Reply | To 8 | View Replies]

To: ShorelineMike
Mr. Forno's column said "… Nearly all were quickly resolved by Apple … " so for you to jump on Apple's taking two months to distribute a patch for this situation as a refutation of Mr. Forno's entire column is a scurrilous gesture worthy of That Site Which Shall Not Be Named.

His fundamental argument is flawed. Apple has not "quickly resolved" its security issues. And regardless of Forno's opinions on Mac security compared to PCs, it is undisputed that serious flaws have been discovered, despite Mac kneepadders' arguments to the contrary. Ulanoff wasn't trying to promote the notion that PCs are safer than Macs. Forno seems to have missed this point, as he launched into a "Macs-are-safer-than-PCs" tirade. That's not the issue. The issue is whether serious vulnerabilities exist in the Mac platform. They do. That is undisputable.
13 posted on 12/15/2003 11:53:04 PM PST by Bush2000 (r>)
[ Post Reply | Private Reply | To 12 | View Replies]

To: Hawkeye's Girl
I own both PCs and Macs. They are both good in different ways. Being fanatical about an operating system is just silly IMHO.

I agree COMPLETELY.

Even if MACs do RULE!!! ;)

14 posted on 12/16/2003 12:05:39 AM PST by The Duke
[ Post Reply | Private Reply | To 11 | View Replies]

To: Hawkeye's Girl
Being fanatical about an operating system is just silly IMHO

IMHO, you're right.
15 posted on 12/16/2003 12:11:12 AM PST by pt17
[ Post Reply | Private Reply | To 11 | View Replies]

To: Bush2000
BS. It took Apple nearly two months to patch the DHCP critical flaw.

Bush, not one user has been hit by anything coming through your "critical flaw" and the "flaw" was easily fixed by users by changing ONE SETTING to "No" from the factory default setting of "Yes." It did NOT require a "patch" although the newer versions of OS-X do come with the factory default set to "NO."

Carrel reported this as a "serious" issue... not "critical."

I told you this and provided proof of the easy fix in an earlier post on this same subject as did others.

You are a WINDOWS bigot.

16 posted on 12/16/2003 12:36:49 AM PST by Swordmaker
[ Post Reply | Private Reply | To 8 | View Replies]

To: Swordmaker
Bush, not one user has been hit by anything coming through your "critical flaw" ...

This is wishful thinking on your part, since (a) you can't possibly know that, and (b) an attacker wouldn't advertise his or her presence on your network.

...and the "flaw" was easily fixed by users by changing ONE SETTING to "No" from the factory default setting of "Yes." It did NOT require a "patch" although the newer versions of OS-X do come with the factory default set to "NO."

Whoopie. Out of sight, out of mind. The more you argue about this, the more it becomes obvious that you guys are delusional about security. This issue is only the tip of the iceberg.
17 posted on 12/16/2003 12:43:25 AM PST by Bush2000 (r>)
[ Post Reply | Private Reply | To 16 | View Replies]

To: Swordmaker
Carrel reported this as a "serious" issue... not "critical."

LMAO! "Seriouuuuuuuuuuuus". Oooooh. So hackers can seriously format Mac users' hard drives.
18 posted on 12/16/2003 12:44:36 AM PST by Bush2000 (r>)
[ Post Reply | Private Reply | To 16 | View Replies]

To: Hawkeye's Girl
I own both PCs and Macs. They are both good in different ways. Being fanatical about an operating system is just silly IMHO.

You have obviously never been designated the family IT department by all your Windows-using relatives. Never ceases to amaze me how they were smart enough to ignore my purchasing advice, but never seem to be able to fix their own problems.

19 posted on 12/16/2003 12:48:41 AM PST by Woahhs
[ Post Reply | Private Reply | To 11 | View Replies]

To: Bush2000
The more you argue about this, the more it becomes obvious that you guys are delusional about security. This issue is only the tip of the iceberg.

So why don't you just sit back quietly and wait for the shipwreck with a pocket full of "told ya so"s? Why do you have this intense need to convince macaddicts they're vulnerable to a hypothetical boogie-man?

20 posted on 12/16/2003 12:59:12 AM PST by Woahhs
[ Post Reply | Private Reply | To 17 | View Replies]

