Windows vs Mac Security

sdhorne writes "There is a good technical discussion over at InfoWorld on the merits of launchd and what is lacking in a comparable Windows secure solution. It is a throw back to the UNIX vs Windows security discussion that has been hashed out for many years." From the article: "it always traces back to Microsoft's untenable policy of maintaining gaps in Windows security to avoid competing with 3rd party vendors and certified partners. Apple's taking a different approach: What users need is in the box: Anti-virus, anti-spam, encryption, image backup and restore, offsite safe storage through .Mac, and launchd. Pretty soon any debate with Microsoft over security can be ended in one round when Apple stands up, says 'launchd', and sits back down."

Well written, but

[MECC (8478)]

Pretty soon any debate with Microsoft over security can be ended in one round when Apple stands up, says 'launchd', and sits back down."

It seemed pretty wello written. That said, I which he would have said a little more about launchd, at least enough to explain why it gives OSX an advantage. It would have also been nice to have had some kind of side-by side comparing Windows and OSX, like how the windows System pseudo-user trumps the admin user, and how there is not way to trump the OSX root user.

Why this can't happen under OS X:

I don't know if I'd go that far. OSX isn't 100% immune - it just has more common sense.

Re:Well written, but

[alps (673371)]

http://developer.apple.com/macosx/launchd.html [apple.com]

Re:Well written, but

[macshome (818789)]

Pimping myself here a bit, but our article on launchd [afp548.com] might be of more help to sysadmins. It later formed the basis for the wikipedia article and has thrilling Jordan Hubbard comments to boot!

Re:Well written, but

[fruitbane (454488)]

"I don't know if I'd go that far. OSX isn't 100% immune - it just has more common sense. "

This is, I think, the best summary I've ever read of OS X's inherent security advantage. No OS could really succeed and be 100% air-tight at the same time, IMO. And user- and developer-friendliness does often mean compromises that lead to security problems, but the article that this discussion refers to covers a lot of it well and MECC (parent) summarized succintly and effectively.

OS X, as an OS, has more common sense built-in.

Re:Well written, but

[MECC (8478)]

whereas Windows is an animal which continues to be re-invented

I'm not sure that 're-invented' is how I'd describe windows, or their efforts at security.

Re:Well written, but

[ackthpt (218170)]

I'm not sure that 're-invented' is how I'd describe windows, or their efforts at security.

In the past Microsoft have commented that they have completely ditched the code Windows was written with and re-written from ground up, to try to address myriad flaws. That's pretty drastic. I've done it with small projects which simply grew too large and unwieldy because they were never expected to scale to newer demands* Microsoft is effectively doing this with Vista and yet... there still appear to be security flaws. Something wrong with that picture. Could be they're just a victim of their success and such a massive undertaking of code is approaching the event horizon just before the black hole.

*You know the type.. you develop some nifty little tool to summarise information for your own use and someone sees it and says, "Hey! That thing does in seconds what I spend a week doing! I need it, set me up with it!" Next thing you know your little tool has to be user friendly, go to printers, be in colour, etc. Continually piling in changes makes it fragile so you step back, figure what it all needs to do and how to achieve the goals and then recode, with an eye toward more scalibility and unforeseen features later.

slashdot this

[RichMan (8097)]

Anyone notice the link at the bottom of the article?

Links to slashdot submit article. http://slashdot.org/submit.pl [slashdot.org]

Cute.

What's launchd?

[peterdaly (123554)]

Was I the only Mac user who didn't know what launchd was off the top of my head?

In Mac OS X v10.4 Tiger, Apple introduced a new system startup program called launchd. The launchd daemon takes over many tasks from cron, xinetd, mach_init, and init, which are UNIX programs that traditionally have handled system initialization, called systems scripts, run startup items, and generally prepared the system for the user. And they still exist on Mac OS X Tiger, but launchd has superseded them in many instances. These venerable programs are widely used by system administrators, open source developers, managers of web services, even consumers who want to use cron to manage iCal scheduling, and they can still be called with launchd.

The launchd daemon also provides a big performance boost to your system. At any given time, only those daemons that are actually used are launched; combined with the fact that daemons can shut themselves down and be relaunched as needed means that you can reduce the average memory footprint of the system.

http://developer.apple.com/macosx/launchd.html [apple.com]

UNIX and viruses

[rice_burners_suck (243660)]

Viruses are definitely part of the umbrella concept we often call "security." I've heard it mentioned many times that Macs do not suffer from viruses because they have a smaller market share, and virus authors invest their time into attacking more dominant systems. People who say this generally go on to say that as the Mac gains a larger market share, the number of viruses available for it will grow. I think this is of little consequence.

Macs are based on UNIX. It's not faked to appear like UNIX, it is actually UNIX. The permissions system means that a common virus could damage a user's home directory, but the system for the most part would remain unaffected, including other users. It is still possible to write root-kit style viruses that take advantages of subtle bugs in the operating system and other software to gain control of the system, but this is significantly more complicated to do, and IIRC it was Theo from the OpenBSD project who said that attacks like this require many steps that often must take advantage of many vulnerabilities to elevate priviledges, and by fixing even one bug, a whole category of vulnerabilities (even if other bugs remain) becomes inaccessible to a would-be attacker. This, in addition to much of the code underlying OS X being available for hacking up by anybody, in addition to other projects actually hacking on this code (improvements from projects like Samba, Apache, GCC, FreeBSD, even various Linux projects, make it into Darwin and OS X.... and most of all the fact that users don't run as administrators, all of these reasons make it much less likely that viruses could be as damaging as on Windows.

Re:UNIX and viruses

[140Mandak262Jamuna (970587)]

I've heard it mentioned many times that Macs do not suffer from viruses because they have a smaller market share,

When people say something like that, hold them by hand and take them over to netcraft.com and show them the market share of Web servers. Apache has been owning >60% of it for a long long time compared with ~20% share for IIS. And point out that almost all the worms attack IIS and not Apache. The reason why Windows/IIS remain vulnerable is because MS wrote them, not becuase of their high/low market share.

Re:UNIX and viruses

[wfberg (24378)]

[..]say that as the Mac gains a larger market share, the number of viruses available for it will grow. I think this is of little consequence.[..] The permissions system means that a common virus could damage a user's home directory, but the system for the most part would remain unaffected, including other users [..] and most of all the fact that users don't run as administrators, all of these reasons make it much less likely that viruses could be as damaging as on Windows

I think this is thinking too much from the perspective of old-school "format c:" destructive virusses.

Today's malware isn't purely destructive anymore; in fact, little incentive exists to create a virus that merely destroys stuff.

Today we're seeing worms that are used to send spam or perform DDOS attacks, and ransomware that encrypts your files and will only unlock them after you pay up.

Access to a user's home directory is perfectly adequate for ransomware. Access to networkresources is sufficient to turn your computer into a zombie. Privileged system access is not the holy grail; access to specific resources are.

User-based security offers no protection against this. Instead people often install programs to limit access to, for example, network resources - a software firewall that will inspect a process to see if it's legit before letting it use the network. Likewise we will need a security subsystem that prevent programs to write to files not created by them. For example; firefox should be able to upload a word document (read permissions) perhaps, but surely only word or openoffice should be permitted to (over)write it.

This is more along the lines of capabilities, but it could be grafted onto user-based security systems (just run processes as different users and give those users permissions only to write to their own files and/or read from their own directories, with some exceptions (e.g. the filemanager)).

Todays programs are so flexible and scriptable, not to mention just plain big and unverifiable, let alone complex and exploitable, that simply saying 'these programs have been deemed safe by an administrator, so they can access all your files if you run them' is no longer an adequate means of making sure applications stay within bounds. We really need to make programs stay on their own turf. Not just files; how about that registry? Why the hell should every program be able to read all of it, and write almost all of it, even keys that belong to a different program?

It's not just windows; MacOS lacks such stuff at the moment too (though it will undoubtedly be much easier to integrate into it than into Windows). Really only SE Linux is set up to handle this sort of thing.

Re:UNIX and viruses

[Laur (673497)]

The permissions system means that a common virus could damage a user's home directory, but the system for the most part would remain unaffected, including other users.

In reality, this is not an important distinction for home users. I don't know about you, but I don't care a whole lot about by system, I can re-install everything without too much trouble. Replacing years of digital family photograghs, financial records, etc. in my home directory? Impossible. This is why I backup my home directly regularly, but don't bother with the system.

Unfortunately his reasoning is flawed.

[mellon (7048)]

I think the conclusion that he draws is probably correct, but he doesn't really seem to explain why. The reason that systems like OS X and Linux are safer than Windows is not that launchd runs a shell, but that both Linux and OS X tend to run processes that don't need privileges as root.

This is a substantial win. However, if you manage to compromise a process that is running as root, you do have full control of the machine, and you can install your own privileged software on the machine without an authentication prompt appearing on the console.

Also, most of the man pages on OS X are woefully out of date, so giving the existence of these as a reason for why security is better on OS X is unfortunately a cruel joke. Third party apps from the Open Source community do often have better documentation, but the basic man pages from OS X are often years out of date - this is one of my pet peeves about OS X, I will admit.

It sounds like the hack he's describing occurred because he'd installed third-party software that ran as a service with an open port, as SYSTEM (i.e., with full privileges) and that took over his machine. The reason this is less likely (not impossible, just less likely) is because if you are running a third party server process on OS X, it's probably a piece of open source software like Apache, which has been vetted to within an inch of its life, because it is open source, and the many people who care that it is secure have the freedom to check that it is secure. And it probably doesn't run with full privileges, as the author says.

Anyway, like I said, he's right, but his reasoning is a little foggy. And it's important to be aware of the ways in which it's foggy, because this is your best chance of avoiding having your machine hacked.

Concept Versus Implementation

[99BottlesOfBeerInMyF (813746)]

Conceptually, I agree that LaunchD is a really slick idea and I really hope Linux and the BSDs take a good hard look at this code and the possibility of adopting it. That said, it is not a security panacea by any means, just one more clean, sensible implementation that leaves less room for a vulnerability. The thing that makes me hesitate to laud this feature, however, is the implementation. Apple has a lot of smart people working for them and a lot of old school UNIX geeks to whom secure programming is as natural as breathing. They also have a lot of coders and managers who realize that OS X is not a primarily security minded OS. Sure, it is better than Windows and on par with a desktop Linux distro, but it isn't a locked down OpenBSD install or a super secure Linux distro. They don't focus their efforts on security and it shows sometimes when they introduce new code. LaunchD replaces a number of time tested bits of code and while it is (IMHO) a much cleaner, nicer design I haven't a clue about how well written and tested it is, especially from a security perspective. I'd feel a lot better about claiming it as a security feature if I knew some white hats had pounded on it for a while and exposed anything Apple did not bother to think of. I'd feel a lot better if the OSS community in general jumped on it and adopted it, thus helping with this security testing and adding more eyes.

I like LaunchD. I like OS X as a desktop. Lets just not get carried away here with random claims about security. OS X is inherently more secure than Windows, but that really isn't saying a lot. I'm not willing to just assume LaunchD is secure in and of itself, let alone that it will play a big part in securing the OS as a whole.

the article may have some good points, but...

[by Anonymous Coward]

I have to take it with a large rock of salt when I see

OS X has no user account with privileges exceeding root.

being offered as a "reason why OS X is more secure than Windows."

The article claims that Administrator on Windows is equivalent to root; and that SYSTEM is more powerful than Administrator (and by implication more powerful than root). This is nonsense.

Administrator is indeed less powerful than SYSTEM. However, Administrator is equivalent to a user on the sudoers list and/or with group write access to system directories. SYSTEM is the correct equivalent to root.

We may quibble about how well Administrator accounts are protected from trojans; or whether non-Administrator accounts on Windows are of much use; those are valid arguments. However, claiming that, somehow, SYSTEM on Windows is magically more capable than root is ridiculous.

If anything, Windows has a somewhat better design in that it is possible to set up privileged accounts with a specific power that only root has on UNIX, yet not have any of the other root powers. However, this capability is quite underutilized, and in many ways is undermined by other (unfortunate) decisions that Microsoft made.

Anti-virus software in the box?

[sjonke (457707)]

What users need is in the box: Anti-virus[....]

If it is, it's hidden pretty well. Macs don't come with anti-virus software.

Interoperability is a threat

[140Mandak262Jamuna (970587)]

When you own 90% of the market, not being interoperable with others is a commercial advantage. Yes, security is compromised, but it (MS) has trained corporations and individuals it is THEIR (I mean user's) responsibility to install and update "critical" security updates and install firewalls and antivirus software and keep them up to date. Now MS is going to sell anti-virus products. It is going to profit from the shoddiness of its own product. It is a great scam if you can get into it.

As long as corporations confuse interoperability with "windows compatibility" the scam will go on. Only when the commercial user who forks over billions of dollars to MS every year demand true interoperability and injects real competition, it will end. There is no advantage in being the first among the users pushing for it. Pepsi will not care as long as Coke is also spending relatively the same amount of money for similar services. But someday somewhere some corp will bite the bullet and spend what it takes to break the vendor-lock in, and only after that the security situation will improve.

I think he has some points there

[guruevi (827432)]

Apparently this guy had the experience switching from Mac -> Windows and see what happens. A lot of people say it has to do with market penetration (Thanks to the M$ FUD) but nothing is less true. There are far more hosts running on any flavor of Unix or using the GNU tools or somewhat compatible tools for that matter than Windows hosts connected to the Internet.

The biggest flaw in Windows is stuff running as SYSTEM. Try this in Windows: schedule a command in a terminal to run cmd.exe the next minute using the "at" command. As you will notice, you will get your cmd.exe... running as SYSTEM. You don't even have to be a very privileged user to do that, kill your own explorer.exe and start explorer.exe in that cmd.exe you have and guess what: you're running your system as SYSTEM. This would be like running Bash, KDE or Gnome as root, although possible, you can't elevate root out of standard user rights. Same thing for hooks into IIS (.NET) or any other application, they can all elevate to SYSTEM without too much trouble. Would be like suggesting to run Bind or Apache as root, and as any Unix guru would say: Blasphemy! Blasphemy! and you would feel the vibration of Rich Stevens (http://en.wikipedia.org/wiki/W._Richard_Stevens) spinning in his grave at the speed of the fan running in the server.

A few points

[Foolhardy (664051)]

The LanManServer service (aka Server) is mostly implemented in kernel mode in srv.sys, so most of the user-mode tirade is irrelevant.
[From the article]

SYSTEM is a pseudo-user (LocalSystem) that trumps Administrator (like UNIX's root) in privileges. SYSTEM cannot be used to log in, but it also has no password, no login script, no shell and no environment, therefore
The activity of SYSTEM is next to impossible to control or log.

SYSTEM doesn't trump Administrator(s): since either can control the kernel, they both represent full control. SYSTEM can't magically bypass security descriptors any more than administrators can; both have but indirect end runs available. SYSTEM's profile has the global system environment. In Win32, shells have considerably less importance, but SYSTEM processes can still have them. SYSTEM's actions can certainly be audited, so I'm not sure what they meant by impossible to log.

Most of the code running on any Windows system at a given time is related to services, most or all of which run with SYSTEM privileges, therefore [...]

There are lots of services running as low privilege LOCAL SERVICE and NETWORK SERVICE. Perhaps there could be more. Note that a single svchost can represent several services.

Windows will notify you on an attempt to overwrite one of its own system files stored here, but does not try to protect privileged software.

The binaries that implement system services are protected by system file protection. SFP isn't a security feature; it's there to work around buggy installer behavior.

Windows requires that users log in with administrative privileges to install software, which causes many to use privileged accounts for day-to-day usage.

This isn't true on a domain where the admin has designated installable packages, and RunAs works fine for installation programs that are written properly.

Microsoft made it easy for commercial applications to refuse a debugger's attempt to attach to a process or thread.

I'm not sure what's meant by this, but if your kernel is owned on any OS, a rootkit can be installed to evade any kind of debugging.

Access to the massive, arcane, nearly unstructured, non-human-readable Windows Registry, which was to be obsolete by now, remains the only resource a Windows attacker needs to analyze and control a Windows system.

Non-human-readable? Never used the registry editor? The key and value names seem to be in English... It's like saying that a filesystem isn't human-readable because you need ls. There are no plans to make the registry obsolete for system configuration. In fact, the new boot loader's config database is a registry hive. As for owning the computer throught the registry, every key is protected by an ACL. There's nothing inherant in the registry that allows an attack, privilege escilation or otherwise.

Another trick that attackers learned from Microsoft is that Registry entries can be made read-only even to the Administrator, so you can find an exploit and be blocked from disarming it.

So then the admin takes ownership of the keys in question, forcibly with the SeTakeOwnershipPrivilege, and since the owner of an object can always set the DACL, the admin returns himself full control. Either that or use the SeRestorePrivilege to overwrite the key directly.

One of the strongest tools that Microsoft has to protect users from malware is Access Control Lists (ACLs), but standard tools make ACLs difficult to employ, so most opt for NTFS's inadequate standard access rights.

What's wrong with the shell's ACL editor? What's wrong with the default permissions?

OS X has no user account with privileges exceeding root.

Since root can ignore security, this isn't saying anything. In Windows, only the kernel can bypasss security.

Un

Re:But what if Microsoft offered it all together?

[CastrTroy (595695)]

It depends on how they offered it. If they made it impossible to uninstall, then yes, we would yell monopoly. However, if they made these features able to be uninstalled (or never installed in the first place) and easily replaced by third party tools, then I don't think we would have anything to complain about. I don't have any problems with MS including IE with the operating system, I just wish it could be removed from the system.

Re:But what if Microsoft offered it all together?

[Gryffin (86893)]

Apple's taking a different approach: What users need is in the box: Anti-virus, anti-spam, encryption, image backup and restore, offsite safe storage through.

Don't you think that if Microsoft offered this that everyone would cry monopoly?

Microsoft has been declared a monopoly in Federal court, and found guilty of anti-trust offenses related to abusing that monopoly in violation of the Sherman Anti-Trust Act.

Apple, on the other hand, is not a monopoly, and hence it would be perfectly legal for them to bundle anything they damn well felt like bundling.

Why is this so difficult to understand? Microsoft, because of their market position, is held to a different legal standard. End of story.

Re:But what if Microsoft offered it all together?

[KillerDeathRobot (818062)]

Why is this so difficult to understand? Microsoft, because of their market position, is held to a different legal standard. End of story.

It's not difficult to understand; it's annoying because it's the wrong argument, and it really muddies the debate. We don't need to hold Microsoft and Apple to different standards to show that one is better than the other. There is nothing wrong with MS bundling software with their OS. What was wrong was that they were forcing companies like Dell NOT to include competing software (such as Netscape).

It's a moot point any way though, because in this case we aren't even talking about the right thing. As someone else mentioned, we're talking about a system that is built to resist viruses and such, not virus scanning software bundled with the OS.

Re:But what if Microsoft offered it all together?

[Fordiman (689627)]

Actually, they're damned if they do something else entirely too.

They're just damned.

Damned Microsoft.

Re:Microsoft is just too nice?

[2nd Post! (213333)]

And Apple could never do the things Microsoft does:
1) Threaten Compaq with withholding OS licenses if Compaq installed Netscape Navigator as the default browser
2) Threaten IBM with increased OS license fees if IBM did not drop OS/2

Those were the lynchpins of the antitrust lawsuit. If Microsoft had ONLY bundled, they would not face monopoly abuse charges. Then HP could have UNBUNDLED IE and installed Firefox, or IBM could have unbundled Windows and installed OS/2.

Apple's bundles can be unbundled. That is the critical difference. Drag Safari, Mail, Virex, Appleworks, iCal, and Quicktime to the trash, and the OS still works.

Fixed in "Next" version

[Dareth (47614)]

Some of the criticisms in the article are perfectly valid, but many of them are (supposedly) going to be fixed in Windows 95 (whenever that gets out..) Is that out yet?

Some of the criticisms in the article are perfectly valid, but many of them are (supposedly) going to be fixed in Windows 98 (whenever that gets out..) Is that out yet?

Some of the criticisms in the article are perfectly valid, but many of them are (supposedly) going to be fixed in Windows 2000 (whenever that gets out..) Is that out yet?

Some of the criticisms in the article are perfectly valid, but many of them are (supposedly) going to be fixed in Windows ME (whenever that gets out..) Is that out yet?

Some of the criticisms in the article are perfectly valid, but many of them are (supposedly) going to be fixed in Windows XP (whenever that gets out..) Is that out yet?

Sorry to be redundant, have you heard this joke before already?