Is Mac OS X really as secure as it says it is?

[raymondu999]

As some of you may or may not know, recently there was CanSecWest, where three laptops were put up for teams to try to crack. The team who cracked a particular laptop, can take it home as the prize. The rules were that they were allowed to only exploit security flaws that no one knew of before... and the first team to crack a system would win it. The contenders were:

MacBook Air (Mac OS X, naturally)
Fujitsu U810
A Sony Vaio

between the sony and fujitsu, one was running linux ubuntu 7.10, the other, vista.

Now, the thing is, the OS X device was first to be cracked. Now... that makes us wonder, doesn't it? Is Mac OS X really secure, when it was cracked the earliest? Some people are now saying that Mac isn't really virus-resistant, it just hasn't got any viruses written for it!! Hmmm...

Not that I'm of the same train of thought. I agree it's a possibility, but I've been using macs for around 6 years now... and well... yeah...

CanSecWest link:
http://www.channelregister.co.uk/2008/03/28/mac_hack/

 

[clevin]

I think we had quite some discussion for this already.

I personally think this ZDNet articles says it well (at least its title is good)
http://www.zdnet.com.au/news/softwa...ut-not-so-secure/0,130061733,339288090,00.htm

safe, but not secure.

 

[mr.light]

I believe it is secure. AV software companies have a vested interest in convincing you that your system is in danger. I've been using Apple products since the Apple IIe and have never had a virus. Ever. If you choose to believe the argument about no viruses because of low market share, that is your choice. I choose to believe OS X is secure.

 

[notjustjay]

Now, the thing is, the OS X device was first to be cracked. Now... that makes us wonder, doesn't it? Is Mac OS X really secure, when it was cracked the earliest? Some people are now saying that Mac isn't really virus-resistant, it just hasn't got any viruses written for it!! Hmmm...

My understanding was that the vulnerability used to crack the Mac was actually cross-platform, and could just as easily have been used to take down the Windows PC as well. But, it garners far more media attention to crack the Mac, and having done so, the contest rules forbade the same technique from being used to also crack the PC (or else it would have fallen at the same time).

As far as the Mac not having any viruses written for it -- why do you think this is? Are the hackers simply not interested? Apple has been touting "no viruses" for years, as have all of us die-hard Mac fans, and the media too. In all this time, not one single hacker has thought it worth the while to write a virus so he can forever be known as the guy that proved them all wrong? They'd rather stick with the anonymity of being just another guy who wrote just another one of the 100,000's of viruses for Windows?

I don't buy that. At all. There were certainly viruses for older Macs. The reason there aren't any now is because the OS is secure. Not to say it can't be done, or won't eventually be done, but for now, it hasn't been. People are definitely trying. There are demonstrations of vulnerabilities and trojan horses, but no true viruses. To me, this says all I need to know about the security of the platform.

 

[clevin]

My understanding was that the vulnerability used to crack the Mac was actually cross-platform, and could just as easily have been used to take down the Windows PC as well.

no, its not. its a security hole in safari. safari isn't available for linux, and safari for windows has negligible pc market (and is not part of original system configuration in the contest) even if you assume same mechanism can be performed in windows.

the contest rules forbade the same technique from being used to also crack the PC

Im not sure thats true, do you have any official rules so I can check?

(or else it would have fallen at the same time).

This is totally false, the contest rule on 2nd day is to hack system with fresh original system, safari is NOT part of original windows vista.

 

[notjustjay]

no, its not. its a security hole in safari. safari isn't available for linux, and safari for windows has negligible pc market (and is not part of original system configuration in the contest) even if you assume same mechanism can be performed in windows.

Im not sure thats true, do you have any official rules so I can check?

This is totally false, the contest rule on 2nd day is to hack system with fresh original system, safari is NOT part of original windows vista.

I stand corrected if I'm wrong (and the third point was predicated on the first, so if wrong, both are wrong). As far as the rule about not being able to use the same technique twice, I saw it on one of the (very long) blog analyses of the event, I'd have to dig up a link for you.

 

[clevin]

there is nothing cross-platform about the safari's security hole. (case in point, two previously disclosed safari security holes on windows, do not affect OSX)

The test is about OS security, what is cross windows-osx is safari, which is, honestly, by all counts, a negligible thing on windows, talk about unfair exaggeration.

webkit is available for linux, but engine is not browser, and it is even less used than safari for windows. Its just totally biased to accuse windows and linux are unsafe just because apple offers safari for windows.

I can imagine this type of absurd reasoning from something like roughlydrafted or MDN, both are extremely masterful at distorting and double standard reasoning. lol

 

[MisterMe]

As some of you may or may not know, recently there was CanSecWest, where three laptops were put up for teams to try to crack. ...

This issue has been discussed to death. However, a little research reveals that the CanSecWest contest is not a true test of anything. Nobody breached any of the targets on the first day. On the second day, the contestants were give physical access to their chosen targets and were allowed to install software on them. They chose social engineering as their attack vector. The rules of the contest did not allow their "victims" to defend against the break-in attempt.

Ignorant people are impressed by the fact that the contest was won by breaching a Mac. I am not.

 

[clevin]

On the second day, the contestants were give physical access to their chosen targets and were allowed to install software on them.

actually, that was the 3rd day. on 2nd day, no third party app was allowed to be installed. and MBA was hacked through safari on that day.

where did u get your impression tho?

 

[Sun Baked]

Windows users are still more likely to click on your link and download a hack vector than Mac users -- which is why they continue to write for Windows.

If they are going to attack anything from Apple it'll be an iPod Touch or iPhone based exploit -- a lot more people are likely going to download a trojan for those ....

 

[clevin]

Windows users are still more likely to click on your link and download a hack vector than Mac users -- which is why they continue to write for Windows.

thats true 100 percent when we look at absolute numbers

im not sure how true it is when we look at relative proportion of users. if u have an opinion on this, please use solid data to convince me...

 

[chrono1081]

If you read the articles you will see that the kid spent two weeks writing the exploit that he launched from a website he visited. Not to mention if you see the stuff that appears on windows machines I feel 100% safe on my mac. In fact, I use it to scan viral infected hard drives so my windows computer doesnt get screwed up.

 

[domain]

At the risk of beating a very dead horse:

I'm not entirely sure why there is so much fanfare regarding what happened here, though based on the various news reports i've read, they are for the most part full of incomplete or downright inaccurate information.

The first day was an attempt at remote exploitation, of which all systems remained unscathed, the second day was default installed applications, and the third included 3rd party apps as well.

The funny thing about the Mac exploit was it required local access/user direction which at that point becomes fairly moot... having local access and/or protecting stupid users from themselves is pretty much a given security issue. The other point they all seemed to make was the "it took 2 minutes to break the Mac" which was horribly misleading since the exploit was already prepared beforehand. What's worse, there isn't even any description regarding to what ends this "exploit" could be used for other then "you will need to be able to read the contents of a designated file". I guess we will have to wait until Apple prepares a patch for the details to be released, but I would be very interested to know if this supposed "exploit" resulted in privilege elevation without direct user intervention.

 

[clevin]

having local access and/or protecting stupid users from themselves is pretty much a given security issue. The other point they all seemed to make was the "it took 2 minutes to break the Mac" which was horribly misleading since the exploit was already prepared beforehand. .

1. protecting "stupid users" is the exactly same tough job for windows. to a lesser extend. linux, as well. there is no excuse here

2. again, its about comparison. 2 min is obviously misleading. but ppl has time to prepare for vista as well, and ubuntu

3. why is that so hard to accept hacker's own word that he targetted mac because "it was easiest for him"? he is the hacker. why somebody who aren't capable writing codes would think they know better than hacker himself?

 

[Eraserhead]

thats true 100 percent when we look at absolute numbers

im not sure how true it is when we look at relative proportion of users. if u have an opinion on this, please use solid data to convince me...

There are 1 million pieces of malware in the wild according to Symantec. For the Mac there was that Leopard pictures virus, and there was the porn one last autumn, so a total of 2.

I think there are probably about 20 for Linux, and a similar number for Mac OS Classic.

So 2:999958 isn't bad . And is much better than the market share ratio.

 

[clevin]

There are 1 million pieces of malware in the wild according to Symantec. For the Mac there was that Leopard pictures virus, and there was the porn one last autumn, so a total of 2.

I think there are probably about 20 for Linux, and a similar number for Mac OS Classic.

So 2:999958 isn't bad . And is much better than the market share ratio.

i think the question asked is

"do you think windows users, generally as a whole, is more/less likely to fall in a security trap than mac users? when presented same chances"?

Its reall fascinating story, and Im really interested if anybody has any data.

 

[Pressure]

Remember that in these hacking contest, the contenders had physical access to the Mac.

They had the ability to plug a USB device in it and violate the code through that.

 

[clevin]

Remember that in these hacking contest, the contenders had physical access to the Mac.

They had the ability to plug a USB device in it and violate the code through that.

are you accusing the hackers cheating?

I don't think you get your facts straight.

remember mac wasn't treated differently by contest rules than vista or ubuntu.

 

[MisterMe]

1. protecting "stupid users" is the exactly same tough job for windows. to a lesser extend. linux, as well. there is no excuse here

...

You spend a lot of time here defending Windows. However, thousands of new Windows users have found their machines infected with various and sundry viruses and malware within seconds of going online for the first time. To claim or even to imply that the security problems of Windows are due mainly to "stupid users" is an insult to the intelligence of all of us who know better.

That said, it is reassuring to know that Vista is substantially safer in this regard. The fact that the contestants were not able to breach Vista on the first day of the contest is testament to this fact. Even this, however, does not change the fact that Vista is vulnerable to viruses and other malware in the wild. A quick visit to the SARC website reveals 573 Windows malware titles--and those are just the A's. The B's total 1271. Get the picture? How many of those were written by "stupid users"? I'm betting not many.

 

[clevin]

You spend a lot of time here defending Windows. However, thousands of new Windows users have found their machines infected with various and sundry viruses and malware within seconds of going online for the first time. To claim or even to imply that the security problems of Windows are due mainly to "stupid users" is an insult to the intelligence of all of us who know better.

I guess any honest discussion has to come back to my personality?

You got your facts wrong and I pointed out the mistakes, does that have to have a "deep twisted" intention behind it? I respect facts more than personal accusations.

I have 6000+ post, you can count yourself to see if Im just here to defend windows, or how much time I spend on it.

"stupid users" is a term i quoted from above, so I guess you really strongly dislike the way Mr. domain stated that term, do you?

and how exactly does sitting here spreading false information, like in your first post, show anything about "knowing better" ? (on this topic, I have read some of your posts before and I sure know you are knowledgeable in many areas ).

Even this, however, does not change the fact that Vista is vulnerable to viruses and other malware in the wild. A quick visit to the SARC website reveals 573 Windows malware titles--and those are just the A's. The B's total 1271. Get the picture? How many of those were written by "stupid users"? I'm betting not many.

How nice, I guess you really like those 1993-2002 malwares alot, and you didn't even bother to separate vista and xp now. Tell me again, did the contest include a xp machine?

 

[IJ Reilly]

How nice, I guess you really like those 1993-2002 malwares alot, and you didn't even bother to separate vista and xp now.

I may regret jumping into this debate, but in fairness the list doesn't distinguish between malware which is or isn't still in circulation, or which versions of Windows remain vulnerable to any one of them. Any way you look at this list, the vast number of breaches of Windows security over the years is impressive.

 

[Eraserhead]

I may regret jumping into this debate, but in fairness the list doesn't distinguish between malware which is or isn't still in circulation, or which versions of Windows remain vulnerable to any one of them. Any way you look at this list, the vast number of breaches of Windows security over the years is impressive.

Since 90% of malware was released in the last year that isn't too much of an issue, except that some of it won't run on Vista I suppose...

 

[clevin]

Since 90% of malware was released in the last year that isn't too much of an issue, except that some of it won't run on Vista I suppose...

those are the important numbers Im indeed interested to know, any source or links?

 

[ntrigue]

clevin is just playing devil's advocate. I have never had an Apple product that was exploited. My Windoze PC has had to be Restored an average of 2x per year from malicious code. I won't even start on my computer-ignorant family members; my brother called me with a fatal virus every month for a year before I made him get a Macbook.

 

[miniConvert]

Vulnerabilities in complex software are inevitable.

Just how secure is OS X? Only time will tell. But until it causes me, personally, a problem I'm not too concerned.