Apple Releases 31 Security Fixes

Posted by kdawson on Thu Nov 30, 2006 09:40 AM
from the more-secure-than-you dept.
Agram writes, "This week Apple has released fixes for 31 vulnerabilities in its OS, although reportedly a number of known flaws remain unaddressed (according to the instigator of the Month of Kernel Bugs, 'Apple hasn't fixed any of the bugs published during [MoKB], except for the AirPort issue'). Earlier this year, in a move reminiscent of Microsoft's past patching faux pas, Apple released a 'fix' the installation of which broke features unrelated to the targeted flaw. With the growing number of low-level flaws, one has to wonder if Apple's 'more secure' argument still stands. Earlier this month, Microsoft released 6 fixes. Linux does not seem to fare much better. Despite all of these fixes, exploits remain in the wild for each platform. Perhaps, security-wise, the OS choice really boils down to a 'pick-your-poison X user-base' equation?"
  • Attacks Still Low (Score:2, Funny)

    by wiz31337 (154231) on Thursday November 30 2006, @09:42AM (#17048806)
    Apple has known security bugs and yet people still focus on killing Windows boxes. I'd like to know Apple's secret.
    • Re:Attacks Still Low by glhturbo (Score:3) Thursday November 30 2006, @09:44AM
      • Re:Attacks Still Low by Lumpy (Score:3) Thursday November 30 2006, @09:53AM
        • Re:Attacks Still Low (Score:5, Insightful)

          by kestasjk (933987) on Thursday November 30 2006, @11:18AM (#17050242)
          (http://kestas.kuliukas.com/)
          A script kiddie can completely take over a critical windows server.
          Did you read about the security vulnerabilities [apple.com]? They're practically all privilege escalation! Remember root-my-mac-mini [zdnet.com.au]? The script kiddie that breached OS X was probably using one of these vulnerabilities then, six months ago.

          THAT is the biggest reason. Unixes run far more of the internet than windows does, making it a prime target for someone who wants to cause trouble or steal information.
          Your argument seems to be that OS X runs on loads of servers, which makes it a great target. First off, it doesn't run on loads of servers; it has no presence in the server market. Second, the vulnerabilities are mostly all in WiFi drivers, PPPoE code, and Safari. Why would hackers going after servers be looking in client code?

          Also you can only apply the fixes to 10.3 and 10.4. Never mind <10.3 users, they can pay $99 for security, and never mind if they have a machine which won't run 10.3, they can buy a new Mac. This is like MS charging for SP1.

          If MS came out with a massive load of critical security fixes like this, which had all been around for ages and in use by hackers, they would be quite rightly ridiculed. When Apple comes out with this disgrace
          • "You can't go by numbers of critical vulnerabilities alone, maybe MS patches loads they don't tell us about",
          • "Mac OS X runs the internet, hackers are much more interested in breaking OS X than Windows, which no-one runs",
          • "So what if OS X has had critical, unpatched vulnerabilities which hackers have been exploiting for months? At least OS X doesn't have spyware and viruses!"

          I wish I was exaggerating, but people really are posting these; it's bizarre the double standards some people on Slashdot have. We should at least like and dislike Apple and Microsoft for the right reasons; there are many reasons to prefer Apple, but security just isn't one of them.
          • Re:Attacks Still Low by 1u3hr (Score:2) Thursday November 30 2006, @11:23AM
          • Re:Attacks Still Low by Old Thrashbarg (Score:3) Thursday November 30 2006, @11:28AM
          • Re:Attacks Still Low by Lumpy (Score:1) Thursday November 30 2006, @11:30AM
          • Re:Attacks Still Low by krakelohm (Score:2) Thursday November 30 2006, @11:48AM
            • OSX server market... by klubar (Score:2) Thursday November 30 2006, @12:35PM
            • Re:Attacks Still Low by Steppman2 (Score:2) Thursday November 30 2006, @03:00PM
              • Re:Attacks Still Low by MojoStan (Score:2) Thursday November 30 2006, @08:05PM
              • Re:Attacks Still Low (Score:4, Interesting)

                In my last job, I had to support Mac OS 10.2 clients and servers. It was a nightmare, as there is a severe problem with Samba in OS X Server which would easily cause a DoS attack on the box. I had to disable access for Windows clients, which were primarily IT and accounting employees. Apple has a terrible patch policy. I feel that they are a large enough company to release patches at least 2 versions back, considering they like to do a release every 1-1.5 years. Imagine if Microsoft released a new Vista every year. That would be a support nightmare. Of course Microsoft can't even get a start menu change done in a year...

                Apple can develop great products, but they sure can't support them very long. Someone at Apple needs to learn about maintaining software. Essentially you have to pay for security patches every two to three years. I end up running the latest OS release because Safari and a few other things rarely see patches once it's a version behind.

                Before someone points out that apple is smaller than Microsoft, consider that smaller companies and groups maintain patches to their linux distros for far longer than Apple does with a commercial OS. I suppose some projects have worse policies... for instance FreeBSD EOL'd a bunch of stuff recently. I'm not in a position to back port patches when I get a few releases done with MidnightBSD yet since I don't have many developers. Apple does have developers.

              • Re:Attacks Still Low by bill_mcgonigle (Score:2) Thursday November 30 2006, @10:45PM
          • Re:Attacks Still Low by WaRrK (Score:3) Thursday November 30 2006, @12:02PM
          • Root My Mac mini was a fraud by jscotta44 (Score:2) Thursday November 30 2006, @12:40PM
          • Re:Attacks Still Low by Udo Schmitz (Score:2) Thursday November 30 2006, @04:54PM
          • Re:Attacks Still Low by ninjaman01 (Score:1) Friday December 01 2006, @11:56AM
          • Re:Attacks Still Low by die444die (Score:1) Thursday November 30 2006, @07:11PM
          • Re:Attacks Still Low by toddestan (Score:1) Thursday November 30 2006, @10:12PM
        • Re:Attacks Still Low (Score:5, Insightful)

          by RAMMS+EIN (578166) on Thursday November 30 2006, @11:39AM (#17050610)
          (http://inglorion.net/ | Last Journal: Thursday October 06 2005, @07:17AM)
          ``A script kiddie can completely take over a critical Windows server. It's far harder to get your code executed as admin or with admin privileges on a Linux, Unix, or OS X machine.''

          Yes, because buffer overflows are so much harder to exploit on non-Windows OSes, and it's so much harder to get someone to type "sudo make install" than to get them to do the equivalent on Windows.
          • Re:Attacks Still Low by Anonymous Coward (Score:1) Thursday November 30 2006, @12:30PM
            • Re:Attacks Still Low by dave562 (Score:2) Thursday November 30 2006, @02:15PM
            • Re:Attacks Still Low (Score:4, Informative)

              by drsmithy (35869) <drsmithy AT gmail DOT com> on Thursday November 30 2006, @05:33PM (#17057456)

              99% of all Windows users run as admin. 100% of all Windows server administrators log in with an admin-level account and do lots of things as admin that they should not.

              99% of the things malware wants to do, do not require elevated privileges.

              NO APP NEEDS WRITE ACCESS TO THE C:/WINDOWS directory... NONE! yet the microsoft morons designed it that way because of the stupid registry.

              Broken applications that require write access to Windows system areas are 100% the fault of the app developer. It's got *nothing* to do with Microsoft.

              No developer has had an excuse for releasing software that writes to places like C:\Windows for ca. 7 - 8 years.

              Let's ignore the fact that most services under Unix lately do not run at the system level but under a protected user that does not have ADMIN access... but hey you were hoping that nobody noticed that.

              Like modern Windows services do, you mean ?

              Windows web server, buffer overflow = admin access. Linux web server, buffer overflow = user access. Big difference there. Granted, if you are silly and let the apache user read the shadow passwords file, it's your fault for not setting up security right.

              IIS runs as its own user. A buffer overflow only nets you the privilege level of that user.

            • Re:Attacks Still Low by hobbit (Score:1) Tuesday December 05 2006, @05:13PM
        • Personally I interpret the article summary as anti-Apple FUD. Everyone has security problems, and everyone can do better. I'm not - at all - trying to say that Apple shouldn't be better. They should. But there are two huge problems that make Windows worlds worse than anything else, and will continue to do so until they're actually fixed... Until then, comparing Windows to OS X in desktop* security is merely FUD.

          I. ActiveX. ActiveX is DESIGNED to give a web server full control over your machine. With Flash or Java, even if they're enabled a website can only do stuff if they also exploit a - very rare - flaw in your Virtual Machine. In ActiveX, if you let that control run it can basically do anything. They have some checks to try to block the probably-worst applets, but in the end it runs the code unprotected. Until ActiveX is limited to a VM, it should be totally disabled.

          I'd personally guess that this alone accounts for more regular attacks than everything-else-put-together. Don't use ActiveX. And if you're not using ActiveX, there's little reason to use IE...

          II. Administrator use is chronic. Basically nobody runs OS X in root or sudo-d mode. LOTS of people run Windows routinely in Administrator mode, for a few main reasons: 1) Lots of software only runs that way, and switching is a pain. NO user app should need to be root to run. 2) LOTS of software is very hard to install so a non-admin can use it properly, for starters because it only works on the account it was installed into.

          I will completely admit that if all the ISVs behaved perfectly 1 & 2 wouldn't be a problem - but it is VERY plausible for Microsoft to exert enough control to make this better for the vast majority of users. Also, I don't believe all these ISVs do it just to be stupid - my guess is that the structure of Windows makes it MUCH easier to do it that way.

            3) Lots of software that shouldn't even need admin privs to install does, for no good reason. (I presume because of the way DLLs and the registry work they need to modify system folders even if they're only going to run as a local user - but that's definitely a Windows problem that it's structured that way.) And once you give those pieces of software admin privs, they can do anything - like installing themselves as System so you can't kill them even WITH admin privs. All software should be installable with the MINIMUM possible privs. (Obviously system software or a virus checker needs admin privs.)

          There are plenty of smaller reasons to be unhappy with Windows security, and I'm not trying to say I love their track record. I didn't address at all the fact that it comes out of the box extremely remotely exploitable (average of ~20 minutes for an unpatched box to be exploited on the internet - and several hours to download the patches!). But those are problems other OSes at least sometimes have, and you can make reasonable comparisons. Until the two above are fixed, you shouldn't even COMPARE Windows desktop* security to OS X or Linux.

          *Note that I said desktop. While there are some problems, neither of the above super-problems is a server problem. In fact, if you have to choose a server OS, you should probably choose based on what your admin is experienced in - better to have a well administered box than ANY badly admined box.
      • Re:Attacks Still Low by EvilTwinSkippy (Score:2) Thursday November 30 2006, @09:56AM
      • Re:Attacks Still Low by johnpaul191 (Score:2) Thursday November 30 2006, @11:21AM
    • Re:Attacks Still Low by Anonymous Coward (Score:2) Thursday November 30 2006, @09:46AM
      • Re:Attacks Still Low (Score:4, Insightful)

        by TheRaven64 (641858) on Thursday November 30 2006, @02:16PM (#17053484)
        (http://theravensnest.org/ | Last Journal: Sunday October 07, @07:05AM)
        Or, more importantly, the cracker is more likely to have a Windows box kicking around to practice on. A Linux box is also likely. A PowerPC Mac, however, was not. With the Intel switch, it is possible for a cracker to install a pirate copy of OS X in a VM or on a spare machine and do whatever they like to it, so this level of 'protection' goes away. It will be interesting to see what effect this has.
    • Re:Attacks Still Low (Score:4, Insightful)

      by NixieBunny (859050) on Thursday November 30 2006, @09:48AM (#17048890)
      (http://www.nixiewatch.com/)
      Perhaps Steve Jobs doesn't invoke the same "I'm gonna get him!" feeling in the black hats that Bill Gates does. Or maybe it's that darn reality distortion field...
    • Re:Attacks Still Low by Thraxen (Score:1) Thursday November 30 2006, @09:55AM
      • Re:Attacks Still Low by iamsolidsnk (Score:2) Thursday November 30 2006, @10:37AM
        • Re:Attacks Still Low (Score:5, Informative)

          by Anonymous Coward on Thursday November 30 2006, @11:02AM (#17050006)
          Any program files that might have a negative impact on the OS X system must be authorized with the Admin password.

          Wrong. The attacker can simply use a privilege escalation exploit.
        • Re:Attacks Still Low by drsmithy (Score:2) Thursday November 30 2006, @05:48PM
      • Re:Attacks Still Low by bursch-X (Score:2) Thursday November 30 2006, @09:41PM
    • Re:Attacks Still Low (Score:5, Insightful)

      by femtoguy (751223) on Thursday November 30 2006, @09:56AM (#17049020)
      I think that it is pretty simple. It is not the number of security bugs that is the issue, it is their severity and their remote exploitability. Despite the statistics from the article, my department (which has 500 computers, with a mix of Windows XP, OS X and Linux) has not had a single security breach of a Linux or OS X system, but lots of breaches of Windows systems. Part of it is that the OS X and Linux security problems are situations where a local user can escalate his privileges, something which is serious, but does not necessarily cause security problems. The other part of it is that the worst Windows XP security breaches come through ad- and spyware that come from routine web surfing. This is not considered a bug in Windows XP (if we just classed ActiveX and IE as security problems, we would have to list that as a Windows XP bug every month/day/week, and the numbers would change pretty quickly).

      Anyway, as we all know, don't trust statistics because 82.35% of statistics are made up on the spot.
      • Exactly (Score:5, Insightful)

        by sterno (16320) on Thursday November 30 2006, @10:33AM (#17049588)
        (http://www.bigbrother.net/)
        If an exploit does nothing more than let you play solitaire someplace you shouldn't, then it doesn't matter. And the thing is, even if OS X is only as secure as Windows (which I'd dispute), it's still good for overall security of the Internet. One of the biggest problems with the Internet today is that if 95% of the computers run one operating system, it becomes easier to write exploits that affect the majority of people.

        On the other hand, if 50% of the people were running OS X, then no exploit could harm more than half the people at any given time. So in the long run, perversely, OS X is beneficial to the security of Windows.
      • Re:Attacks Still Low by nogginthenog (Score:1) Thursday November 30 2006, @11:18AM
      • Re:Attacks Still Low by drsmithy (Score:2) Thursday November 30 2006, @05:50PM
    • Re:Attacks Still Low by mu51c10rd (Score:2) Thursday November 30 2006, @10:50AM
      • Re:Attacks Still Low (Score:5, Informative)

        I'm sorry but I don't agree with this marketshare thing.

        If someone is standing on the corner going 'neener neener you can't hit me' someone out of spite regardless of any reward is going to do it. The fact that they've been touting they can't be hacked for several years now and they still haven't been hacked says to me that it's not easy to do/not able to be done as easily as it is on Windows.

        Plus a lot of the 'security' problems don't focus on the exploits of IE and simple browsing hijacking your system with crap. That's the largest problem facing most IT departments that I've run across in the last year or two, not the OS itself being hacked but something stupid the browser does destroying the system.
    • Re:Attacks Still Low by jellomizer (Score:2) Thursday November 30 2006, @11:09AM
    • Re:Attacks Still Low by nurb432 (Score:2) Thursday November 30 2006, @12:57PM
    • Re:Attacks Still Low by wiz31337 (Score:1) Thursday November 30 2006, @01:32PM
  • No OS... (Score:2, Insightful)

    by mtec (572168) on Thursday November 30 2006, @09:43AM (#17048816)
    ...will ever be perfect (except for GODOS). All we can hope for is the most amount of intuition and the least amount of irritation.
    • Re:No OS... by Dystopian Rebel (Score:3) Thursday November 30 2006, @10:28AM
      • Re:No OS... by pboulang (Score:2) Thursday November 30 2006, @10:30PM
    • Re:No OS... by Ucklak (Score:2) Thursday November 30 2006, @11:40AM
      • Re:No OS... by PFI_Optix (Score:2) Thursday November 30 2006, @12:37PM
  • by antifoidulus (807088) on Thursday November 30 2006, @09:45AM (#17048848)
    (http://slashdot.org???? | Last Journal: Saturday August 12 2006, @03:06AM)
    for security, you have already lost the battle. Staying (relatively) secure involves a few simple steps that most people still won't listen to:

    1. Run a firewall and only open what you need to be opened
    2. Most importantly: DON'T CLICK ON STUPID SHIT! Don't run seedy programs etc. It's amazing how many Windows users get infected like that

    Those obviously won't protect against 100% of threats, but very few things in life are guaranteed.
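Two claims in this thread can be turned into a routine check on a real host: drsmithy's point above that a service running as its own unprivileged user limits what an overflow in it yields, and rule 1 here, open only what you need. The following is an added example, not code from the thread or from any of its posters. It joins two constructed samples shaped like the output of `ss -ltnp` and `ps -eo pid,user,comm` (labelled as constructed in the code), then reports every socket reachable beyond loopback that is either not on an allowlist of expected ports or owned by root. The allowlist and the set of daemons permitted to run as root are assumptions for the example; on a live box you would feed in the real output of those two commands and your own lists.

```python
"""Audit listening services: which ports are reachable from the network, and
which of those are served by a root-owned process.

Added example, not from the Slashdot thread.  Inputs are constructed samples
in the shape of `ss -ltnp` and `ps -eo pid,user,comm` output so the script
runs offline; replace them with live command output on a real host.
"""
import re
from dataclasses import dataclass

# Constructed sample in the shape of `ss -ltnp` output (not from a real host).
SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("apache2",pid=1023,fd=4))
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=1201,fd=21))
LISTEN 0      128    0.0.0.0:445         0.0.0.0:*         users:(("smbd",pid=1410,fd=30))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
"""

# Constructed sample in the shape of `ps -eo pid,user,comm` output.
PS_SAMPLE = """\
  PID USER     COMMAND
  812 root     sshd
 1023 www-data apache2
 1201 mysql    mysqld
 1410 root     smbd
"""

# Assumptions for the example: the host is meant to expose SSH and HTTP only,
# and sshd is the one daemon expected to listen as root.
ALLOWED_PORTS = {22, 80}
ROOT_OK = {"sshd"}
LOOPBACK = {"127.0.0.1", "::1"}

# One LISTEN row of `ss -ltnp`: local addr:port, peer, then the first process.
SS_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)'
)


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    proc: str
    pid: int
    user: str


def parse_ps(text):
    """Map pid -> owning user from `ps -eo pid,user,comm` output."""
    owners = {}
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0].isdigit():
            owners[int(parts[0])] = parts[1]
    return owners


def parse_ss(text, owners):
    """Extract LISTEN sockets from `ss -ltnp` output, joined with their owner."""
    listeners = []
    for line in text.splitlines():
        m = SS_RE.match(line)
        if not m:
            continue  # header or non-LISTEN row
        addr, port, proc, pid = m.groups()
        addr = addr.strip("[]")  # ss prints IPv6 addresses in brackets
        pid = int(pid)
        listeners.append(Listener(addr, int(port), proc, pid, owners.get(pid, "?")))
    return listeners


def audit(listeners, allowed_ports=ALLOWED_PORTS, root_ok=ROOT_OK):
    """Return (unexpected, root_exposed): network-reachable sockets whose port
    is not on the allowlist, and network-reachable sockets owned by root that
    are not on the root allowlist.  Loopback-only sockets are ignored."""
    unexpected, root_exposed = [], []
    for l in listeners:
        if l.addr in LOOPBACK:
            continue  # bound to loopback only: not reachable from the network
        if l.port not in allowed_ports:
            unexpected.append(l)
        if l.user == "root" and l.proc not in root_ok:
            root_exposed.append(l)
    return unexpected, root_exposed


def run_audit(ss_text=SS_SAMPLE, ps_text=PS_SAMPLE):
    return audit(parse_ss(ss_text, parse_ps(ps_text)))


if __name__ == "__main__":
    unexpected, root_exposed = run_audit()
    for l in unexpected:
        print(f"unexpected exposed port {l.port}: {l.proc} (pid {l.pid}, user {l.user})")
    for l in root_exposed:
        print(f"root-owned network service: {l.proc} on port {l.port}")
```

With the sample data the audit flags only smbd: it listens on 445 on all interfaces although the allowlist names just 22 and 80, and it runs as root, so a flaw in it yields root rather than a service account. The MySQL socket is skipped because it is bound to 127.0.0.1, and sshd passes because it is on both allowlists. Running the audit from cron and alerting on a non-empty result catches the situation the thread describes, a service enabled without the owner knowing it is exposed.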
  • Linux (if you need a URL for Linux, you are probably at this site by mistake) does not seem to fare much better.

    Vendors of commercial software would have you believe, free is supposed to be much worse: "Free and worth every penny"...

    That it is even on par is great. If it is better, even if by "not much" — that's terrific!..

    Personally, I'd rather the world used FreeBSD [freebsd.org], of course, instead of imitations like "MacOS"/"Darwin", or "Linux" :-)

  • Slashdot (Score:5, Insightful)

    by pubjames (468013) on Thursday November 30 2006, @09:50AM (#17048920)
    Dear Slashdot editors,

    your readers are all technically literate. Please don't post stories where dumb ideas like "how secure an operating system is = number of potential security holes fixed". That kind of stuff is for pointy haired bosses, not technically literate people.

    Thanks!
  • Please (Score:5, Insightful)

    by daveschroeder (516195) * <das@NoSPAm.doit.wisc.edu> on Thursday November 30 2006, @09:52AM (#17048952)
    (http://das.doit.wisc.edu/)
    The issue is having an actual usable vector for mass-propagation, resulting in the massive downtime and recovery time, billions of dollars of lost productivity, and tens of thousands of man-hours in remediation. That's not to say no one could ever find some suitable vector for propagation that can strike large numbers of Mac OS X users effectively; just that it's very unlikely for a variety of reasons, not the least of which is that these days, most Mac OS X computers aren't exposed in such a way that anything could effectively spread en masse remotely without user interaction.

    Almost everything relies on some form of user interaction, and yes, these things are still bad, especially ones that take advantage of some shortcoming in the OS. What's laughable about the submission is that it makes it look like it's "bad" that Apple fixed oh-so-many vulnerabilities, and then complains that it's not fixing enough. Apple does fix issues reported to them, period. And yes, we all have stories about this or that outstanding bug or vulnerability that is still open, but Apple has markedly, hugely improved, mostly because of listening to feedback from customers, particularly enterprise customers, in the security arena. It does have a way to go, and whether or not any fix is "fast enough" will always be subjective.

    No one sane ever said Mac OS X was invulnerable. It has bugs and vulnerabilities like any OS. Apple responds to them. Someone will always think they're not responding fast enough, or correctly, or what have you, but the fact remains that Mac OS X has been on the market for over 5 years, and there has yet to be any substantial issue that has been exploited on any scale. And no, it's not exclusively because of marketshare.
    • Re:Please by El Lobo (Score:1) Thursday November 30 2006, @09:55AM
      • Re:Please (Score:5, Insightful)

        by daveschroeder (516195) * <das@NoSPAm.doit.wisc.edu> on Thursday November 30 2006, @10:03AM (#17049130)
        (http://das.doit.wisc.edu/)
        I don't care if the "average Mac user" thinks that Mac OS X has no bugs, is invulnerable to everything, and will dance a jig if they ask.

        Effectively, for almost all desktop users in any environment, Mac OS X is much more secure, much less attacked, and much safer to use from a malware perspective, for almost all average users, period. Some of the reasons are due to marketshare, some are helped in part by marketshare, some are because of architectural decisions, and some are a mix of multiple reasons. But regardless of what someone "thinks", Mac OS X is still a manifestly safer OS for an "average user", and there is simply no disputing that.

        If you want to get people to understand that even Mac OS X has bugs, great. (Duh?) If you simply want to make stupid people no longer stupid, that probably won't work. The average person doesn't care. All the average person knows, when they make the switch for example, is that their Windows box was packed with spyware and adware and then "got slow" and had multitudes of typical Windows problems that typical people have, and they don't have the same problems with their Mac.

        Do Macs have problems and bugs and vulnerabilities? Yes. Will anyone win the pissing match of "which one is better" when it's not done for any reason other than to be a pissing match, like this article seems to be doing? No.
        • Well by Shivetya (Score:2) Thursday November 30 2006, @11:28AM
          • Re:Well by deesine (Score:1) Thursday November 30 2006, @12:34PM
      • Re:Please by EvilTwinSkippy (Score:1) Thursday November 30 2006, @10:07AM
        • Re:Please by Old Thrashbarg (Score:1) Thursday November 30 2006, @11:37AM
      • Re:Please by AKAImBatman (Score:2) Thursday November 30 2006, @10:08AM
        • Re:Please by 99BottlesOfBeerInMyF (Score:2) Thursday November 30 2006, @10:20AM
          • Re:Please (Score:4, Interesting)

            ...Also, since Apache is not running by default on OS X, it would hit a tiny number of users and most would not care...

            ...Apple is an Apache contributor and has released security patches in the past...

            Precisely! :)

            What we're seeing is Apple fixing issues that cannot be successfully exploited on 90%+ of the Mac machines in existence. Worms like Code Red or Blaster wouldn't be able to find enough hosts due to the default security setup of OS X. The only folks who would be vulnerable would be the ones who know enough about internet hosting to enable a service.

            While there's no guarantee that these users are significantly more educated, they do at least know that they're running a potentially exploitable service. This is in direct opposition to the situations that made Code Red and Blaster possible. Had IIS Personal Server not enabled itself without the knowledge of most users, it's highly likely that Code Red would have failed to spread. (Especially since a security patch had been available in both cases.)
            • Re:Please by dcam (Score:2) Thursday November 30 2006, @06:08PM
      • Re:Please by spearway (Score:1) Thursday November 30 2006, @11:35AM
    • bit of perspective by webbod (Score:1) Thursday November 30 2006, @11:05AM
    • The devil is always in the details by udamahan (Score:1) Thursday November 30 2006, @02:54PM
  • What the URL (Score:3, Funny)

    by jlebrech (810586) on Thursday November 30 2006, @09:55AM (#17048990)
    (http://i.nt.ro/)
    First of all, what's the URL for Linux? And second, what's a URL?
    • Re:What the URL by Weedlekin (Score:3) Thursday November 30 2006, @10:30AM
    • Troll??? by dwayner79 (Score:1) Thursday November 30 2006, @10:32AM
  • In which case you have to execute them (and thus give your username and password or do some other action) to even run them and let them do their bad things?

    I mean give me a fucking break, I could write a trojan in 5 minutes that makes you delete your entire user folder... that doesn't make it a flaw unless you're talking about the jackass who executed it instead of following the simple rule of the internet..... DON'T RUN ANYTHING YOU HAVE NO CLUE IS SAFE... that means shutting off "open safe files after download" too!

    And likewise, wasn't a bunch of the "flaws" proven to be so reliant on certain things happening at certain times that it would be next to impossible to actually get them to do anything but kernel panic?

  • My linux laptop is all crudded up with 9000 spyware bonzi buddy applets, and my OSX work machine was just discovered to be a spam zombie spewing out half a billion UBE's per week.

    Bad, Apple, bad. *thwacks Apple with rolled up newspaper*

    Don't break any fixes anymore, you're supposed to be perfect.
  • Makes sense (Score:1)

    by Tarlus (1000874) on Thursday November 30 2006, @10:04AM (#17049134)
    (http://tarlus.homeip.net:12345/)
    I would imagine that in a parallel dimension where Apple's OS is by far the most widely used in the world, with Windows being a distant second, Mac OS would be known to have the most insecurities or viruses. All of the hackers with no lives who actively exploit these things (as well as the hackers with lives who report their findings so they can be fixed) would be focused on this OS because of its immense user base.

    I'm not saying that it would be as insecure or virus-ridden as Windows really is, but in that parallel dimension it would have more known issues than Windows would because nobody would care about targeting the 2% of the market using Windows.

    I agree with the "pick your poison" mentality, but in this real world case, it's the difference between choosing arsenic or just really strong orange juice.
    • Re:Makes sense by ImaNihilist (Score:2) Thursday November 30 2006, @10:44AM
      • Re:Makes sense by 0racle (Score:2) Thursday November 30 2006, @11:16AM
      • Re:Makes sense by Tarlus (Score:1) Thursday November 30 2006, @01:06PM
        • Re:Makes sense by ImaNihilist (Score:2) Thursday November 30 2006, @09:10PM
    • Re:Makes sense by theurge14 (Score:2) Thursday November 30 2006, @12:13PM
  • Linux? (Score:1)

    by blantonl (784786) on Thursday November 30 2006, @10:09AM (#17049216)
    (http://www.radioreference.com/)
    Could someone post a link to this Linux?
    • Re:Linux? by bano (Score:1) Thursday November 30 2006, @10:15AM
  • 31 fixes (Score:2)

    by Rik Sweeney (471717) on Thursday November 30 2006, @10:11AM (#17049262)
    (http://www.parallelrealities.co.uk/)
    That's a fix for every day of the month!
    • Re:31 fixes by Derblet (Score:1) Thursday November 30 2006, @10:58AM
  • so... (Score:3, Funny)

    by thelost (808451) on Thursday November 30 2006, @10:11AM (#17049270)
    (Last Journal: Saturday January 20 2007, @07:25PM)
    ...what is being suggested is that the more complex a system becomes the more points of failure it has - wow, I need me a ticker tape parade.

    It's hardly news that if someone goes looking for problems they find them - what is more revealing is the general response to the issues discovered:

    Windows: 'well that's what you get when you write closed source crap and you try and bleed money out of your customers'.
    Apple: 'That'll wipe the smiles off their smarmy faces'.
    Linux: 'Oh we so good - look at how open source instantaneously fixes these problems, cures cancer and helps little orphans'.

    All these above responses are of course propaganda (please refrain from using that awful, awful word "fud").

    It's ironic that one of the hottest topics on slashdot, climate warming is accused of being one of the most tainted sciences but when it comes to something much simpler, the efficacy of patches on modern systems it turns into the biggest mud slinging match you could imagine.
  • by mrn121 (673604) on Thursday November 30 2006, @10:12AM (#17049288)
    (http://www.mikeneilson.org/)
    I thought it was a pretty well-established fact at this point that Mac OS X is considered to be more secure not because it is less vulnerable to attacks, but because it is a less desirable target for attacks. Think of OS X as, say, Sweden. It is safe to live in Sweden, not because they have a massive defense system, but because no one cares to attack them. Windows, according to this analogy, would be more like the U.S.: A huge defense system, but every hole in the security matters, because people are actually trying to get through. Anyone who has worked in software (which I imagine many Slashdotters have) can tell you that no software is secure, and anyone who tells you that their software is 100% secure is blatantly lying.

    That said, what I really want to know is why big companies like MS and Apple don't explain more fully WHY they aren't releasing patches to known issues. As a software product manager, I spend a lot of my time determining what issues are deserving of patches, and there certainly ARE good reasons not to patch a bug, but I would probably take it an extra step and explain to my clients exactly why the decision not to patch was made. We don't necessarily want patches, we just want an explanation.

  • by Tom (822) on Thursday November 30 2006, @10:18AM (#17049386)
    (http://web.lemuria.org/)
    I fixed over 50 bugs in my web game during the past two days. Does that mean I'm less secure than Windows?

    These numbers mean nothing at all.
    First, it's the number of fixed bugs, not of existing bugs. If product A has 500 holes and fixes 5 of them, and product B has 50 holes and fixes 10 of them - these dumbwit journalists would tell you that product A is more secure.

    Two, quantity alone means nothing. If product A has 5 remote root holes and product B has 20 spelling bugs - these dumbwit journalists would tell you that product A is more secure.

    The worst thing is that they get paid for producing this kind of misinformation. No, wait - the worst part is that there are lots of people out there who don't know technology and actually believe that crap.
  • by Anonymous Coward on Thursday November 30 2006, @10:24AM (#17049460)
    From the blurb: Linux (if you need a URL for Linux, you are probably at this site by mistake)

    Fantastic! So what the poster is saying is that "If you're on slashdot and you're not a Linux geek you're out of place here".

    Out of place as in not welcome for the most part too considering some of the groupthink that goes on.

    Just try to get a valid, non-snobbish answer to a n00b Linux question around here. I dare you. Just like the snobs on #Linux. Try it there and you'll get the same.

    The day I decided that Linux wasn't for me was the day I went to #Linux and asked for the name of a good distro a n00b could run without pulling out his hair. The response was directing me to DistroWatch or some-such site with nothing more than a list of distros. Out of 40 people this is the lone answer I got.* Great. And yet Linux users still claim Joe Sixpack is welcome to try to adopt? It sounds more like throwing down the gauntlet as opposed to inviting him in.


    * Later I tried DSL and Mepis. While I found nothing "wrong" with them I do find overall Linux support lukewarm at best and I don't have the problems with windows that most claim to have. I just don't see a reason to switch yet. Maybe in a few more years when some of the zealots mature a bit and realize that supporting a product is more than just shouting "OMFG~! It's the best, if you don't like it you're just a fucktard!!11!!" and start producing apps a little bit better than Gimp I'll give it another go.
  • by Caspian (99221) on Thursday November 30 2006, @10:27AM (#17049492)
    "With the growing number of low-level flaws, one has to wonder if Apple's 'more secure' argument still stands."

    No, no, one doesn't.

    Number of Windows machines I've had to painstakingly remove highly virulent spyware/adware from: Dozens.
    Number of Mac OS X machines I've had to painstakingly remove highly virulent spyware/adware from: ZERO.

    This is far more than just anecdotal evidence; this is how things go in the real world. In the real world, 50+% of Windows machines are badly infected by spyware, and 0% of Mac OS X machines.

    ZERO.

    By far the most prevalent security and stability breaches "in the wild" are not rootkits or remote exploits... they're spyware and viruses, both of which are virtually exclusively Windows issues. You can claim that this is mostly or wholly due to the overwhelming dominance of Windows over all other operating systems (in terms of "market share"), but the fact remains.

    Until I start getting calls from blue-haired grandmas to hand-pick bits of Hotbar and Bonzibuddy and porno pop-up daemons out of their Macs, I won't buy the "Macs aren't any more secure than Windows" FUD. And neither should you!
  • by netchipguy (1010647) on Thursday November 30 2006, @10:30AM (#17049546)
    IMHO a technically inclined person can shave Linux down to the bare minimum services relatively easily. There are distributions that focus on rock-solid stability or security, and others that focus on being a Windows replacement.
  • Mach-O (Macho Man) (Score:1)

    by iMouse (963104) on Thursday November 30 2006, @10:38AM (#17049652)
    In case anyone happened to miss this on the MoKB site...

    Be sure to have your speakers turned on and up.

    http://projects.info-pull.com/mokb/MOKB-26-11-2006.html [info-pull.com]

  • Anything that will trip up attacks (different OS, instruction set) can help. Certainly if there were a determined attacker who cared about getting into my server in particular the 'oddness' of it wouldn't stop them, but for worms expecting the usual suspects it should be enough.
  • No duh! (Score:4, Interesting)

    by Infonaut (96956) <infonaut@gmail.com> on Thursday November 30 2006, @10:47AM (#17049772)
    (http://slashdot.org/~Infonaut/journal | Last Journal: Tuesday July 31, @02:22PM)

    Perhaps, security-wise, the OS choice really boils down to a 'pick-your-poison X user-base' equation?

    Yeah, like, everyone knows that all OSes are, like, equal in all respects. It's not like they were designed differently or anything. It's all just 1s and 2s anyway. Every computer gets clogged up with worms, viruses, and malware. It's just that there are more Windows users out there, and the Mac users just keep quiet about their virus infestations, so they can keep the Sacred Cult of the Mac going strong. I know plenty of Mac users who have to do clean installs all the time because their machines get so clogged up with worms and viruses. All of these whiners talk like that's not true!

  • Whew! (Score:2, Funny)

    by cciRRus (889392) on Thursday November 30 2006, @10:53AM (#17049884)
    (http://www.ccirrus.per.sg/rfc13109)
    Good thing I'm using Windows. Oh wait...
  • That's why... (Score:1)

    by Mr. Ascii (9572) on Thursday November 30 2006, @10:55AM (#17049900)
    I use CP/M [demon.co.uk]. I am not aware of any published security holes for it.
  • Philosophy of pick-your-poison (Score:3, Insightful)

    by bugnuts (94678) on Thursday November 30 2006, @10:59AM (#17049972)
    (Last Journal: Friday November 09, @05:49PM)
    The philosophical differences are that the Linux user base can both find and fix the problems, but closed source can only find and report problems.

    Although you multiply poison by the user base, the more people that use Linux the more secure it becomes. The more people that use an OS where the users cannot find and fix problems, the less secure it becomes as an overall platform.

    A large part of the problem is finding it, and when a security flaw is found in Linux it is pretty much always fixed. So, user base for Linux is good because they can fix the problems themselves, or report it directly to someone who can.

    But when you are sourceless, a large userbase can report a problem and they must depend on someone else to fix it. So, the more people that use it, the more people using it with a particular bug. Usually, the fix timeframe is based on Impact * number of reports, and although Microsoft has gotten pretty good about turnaround time for patches, they used to be horrible and if there's a lack of reports I suspect bugs will go unpatched for quite some time. However, you still have the issue that all closed source has: the user can't fix things for himself and that includes bugs.

    Lastly, comparing OSX to Linux and WinXP isn't really fair to Apple... they're still relatively new to the scene and have a lot of bugs to shake out. And when comparing, you can't just say "N bugs in X OS over K days", you have to also multiply this by the impact. 31 local DoS security fixes is not as scary as 1 remote execution fix.
  • It Never Did (Score:4, Funny)

    by RAMMS+EIN (578166) on Thursday November 30 2006, @11:04AM (#17050028)
    (http://inglorion.net/ | Last Journal: Thursday October 06 2005, @07:17AM)
    ``With the growing number of low-level flaws, one has to wonder if Apple's 'more secure' argument still stands.''

    It never did. First of all, you can't compare security of operating systems, because you can't eliminate bias from your tests. Secondly, Apple's OS is closed source, which you can never trust. Thirdly, much of the OS is written in unsafe languages (particularly C, C++, and, perhaps, Objective C - I don't know if the last is unsafe), and thus, the statistical probability that it will contain security holes is high. Finally, I don't think Mac OS X has been so thoroughly scrutinized by security experts as Windows has, so it's very well possible that Windows is more secure by now, regardless of its starting position. However, we will never know that, because of the first point.
  • by leamanc (961376) on Thursday November 30 2006, @11:07AM (#17050054)
    (http://adifferentcity.com/ | Last Journal: Wednesday March 14 2007, @10:40PM)

    ...the user security model. *nix-based systems like Mac OS X, Linux and *BSD are just truly multi-user systems with security in mind from the beginning. Granted, networking and kernel bugs can still exist, but it's just a lot different with Windows.

    Windows was designed to be a single user system (like pre-OS X versions of Mac OS), and has just had supposed "multi-user" capability grafted on to it over the years. It is my understanding that they wanted to go the *nix way with Longhorn/Vista, but it just was too darn hard to maintain precious backwards compatibility. I could be wrong, because I really know jack crap about Windows. I have Parallels/XP on my MacBook for testing, and that's about it. Any Windows zealots (are there *any* here?) please feel free to correct me if I'm wrong about this pseudo-grafted multi-user security thing. I'm proud to be an IT pro who can honestly say "I don't do Windows."

    The authorization box in Vista sounds all wrong, and another futile attempt to copy the way *nix GUIs do it. The fact that they've tried to make a bash-like shell replace the DOS shell, along with the constant aping of the Aqua interface just shows that although they own the desktop market, they still fail miserably at stealing all the good ideas.

    Guess I've gone off topic somewhat, but someone please at least mod me Interesting because the main point is security in Windows vs. security in *nix is just two entirely different ballparks.

  • the funniest vulnerability I've ever seen. OS X is vulnerable to arbitrary code execution via a carefully crafted font !?!

    On the other hand, the recently announced problem with DMG files is down right scary.
  • MS FUD? (Score:2, Interesting)

    by WaRrK (807996) on Thursday November 30 2006, @11:50AM (#17050824)
    I've been following Mac news for about 3ish years since I switched. It seems that on the run up to the Vista release there has been a bit of a Spike in "Macs aren't as secure as you think" articles. Is this a stealthy "Get the facts" campaign?....
  • Security Device (Score:1)

    by KenshoDude (1001993) on Thursday November 30 2006, @11:56AM (#17050946)

    There is a poster where I work. It reads: "The greatest security device ever created." Beneath that is a picture of a human brain. Unfortunately, the human brain is also the greatest security vulnerability ever created.

    When you have behavior like computer users with administrator rights clicking "OK" on the "Install smiley faces now!" pop up, the vast majority of security breaches are due to poorly trained computer users and system/network administrators. If OS/X or Linux owned the desktop marketshare that Windows does, it still would not improve the behavior of the users and admins. I haven't found an O/S yet that trains people not to do stupid things on their computers.

    Dedicated servers don't browse the web and install weather tracker toolbars, so they are a completely different discussion.

  • by frostilicus2 (889524) on Thursday November 30 2006, @11:57AM (#17050958)
    I think that this is inevitable. Mac OS X is a desktop OS, desktop customers demand shiny new features and Apple needs to compete with Microsoft in adding such features, otherwise it will fall behind in market share. These new features make for a supremely usable OS, but it means that development is always too fast. Security flaws are invariably human logic errors, and when a lot of new code is written really fast, errors are made. Conversely, take OpenBSD [openbsd.org], its pace of development is slow and thorough and due to its comprehensive code audit (which slows development) very few security holes are found in the code. As complexity escalates, so will the number of bugs and until Apple's workforce is replaced with androids (which I'm sure will have a negative impact on its cool reputation) errors will continue to be made. Although inevitable, we need not accept that there should be quite as many flaws as there are - Apple is in a uniquely privileged position over Microsoft in using the Unix permission system and the mature core that Mach and FreeBSD provide, it must not become complacent. Increasingly, it appears that Apple is becoming sloppy - there are reports of Apple not using automated bounds checking and the such. Such arrogance is inexcusable from any developer, and as Apple's popularity increases poor security will invariably become more of an issue. It's time for Apple to seriously take stock of this issue.
  • I can't hear you because I have my Powerbooks in my ears.

    Apologies to Patrick Roy for stealing his quote.
  • No difference (Score:2)

    by bobdehnhardt (18286) on Thursday November 30 2006, @01:36PM (#17052668)
    Perhaps, security-wise, the OS choice really boils down to a 'pick-your-poison X user-base' equation?
    I'd propose that it makes no difference in the long run. All OSes (or apps in general) have bugs and vulnerabilities. Security-wise, your job is to accept the fact, manage the risk, and make sure it doesn't get out of hand. Dealing with 500 Windows boxen vs. 500 Linux boxen vs. 500 Macs just changes what you need to watch for. You're still sitting on 500 targets, and if the information on those targets is attractive enough, the OS you're running won't matter. You'll still get slammed.
  • by frdmfghtr (603968) on Thursday November 30 2006, @01:44PM (#17052812)
    From the CNet article:

    However, Apple's update does not address all publicly known flaws in the operating system. Over the past few weeks bug hunters, as part of an initiative called the Month of the Kernel Bugs, have published details on several new vulnerabilities in Mac OS X. One of those was tagged "highly critical" by security-monitoring company Secunia.

    "Apple hasn't fixed any of the bugs published during the Month of Kernel Bugs, except for the AirPort issue," said "LMH," the code name of the security researcher who started the Month of the Kernel Bugs. "Apple users are still exposed to any potential risks related to those unpatched issues."


    This reads to me that Apple hasn't fixed flaws found in November. As a reminder, the month isn't over yet; bugs can't be fixed instantly. The first impression is somebody whining "we found it, is it fixed yet why isn't it fixed yet we told you about it a whole week ago what's taking so long is it done yet?"

    That's just my impression.

    Fixes take time and testing; would you prefer that a half-assed fix be put in place?

  • As well they should. (Score:4, Insightful)

    by oneiros27 (46144) on Thursday November 30 2006, @10:02AM (#17049120)
    (http://www.annoying.org/)
    The main point they should make is that OpenBSD doesn't bundle in lots of other software packages.

    Therefore, they don't have people saying 'fixes for 31 vulnerabilities in its OS' ... as Apple patched 31 vulnerabilities, but most of them were not part of the OS (applications like FontBook and FontImporter) and not even maintained by Apple (like OpenSSL, PHP, Samba, perl).
  • Re:Eh? (Score:1)

    by falcon5768 (629591) <Falcon5768@NosPAm.comcast.net> on Thursday November 30 2006, @10:06AM (#17049168)
    (Last Journal: Friday October 24 2003, @12:44PM)
    1) nothing is unhackable.

    2) Even before these patches you would be hard pressed to exploit any of these bugs, just as you're hard pressed to do anything with any of the bugs exposed in the month of fud.... er, kernel bugs or whatever that guy called it.

    Apple requires a lot of user interaction to exploit anything... on the other side of the coin, an XP box could just surf to a bad site and be completely hijacked if not properly protected from adware.

    31 vulnerabilities are 31 fewer vulnerabilities OSX has vs XP. Finding more vulnerabilities doesn't mean you're less secure or that your software is buggy; the flip side of the coin is very easily there could be 31 or more vulnerabilities in XP that have NOT been found.

    • Re:Eh? by ScaryFroMan (Score:2) Thursday November 30 2006, @02:08PM
    • Re:Eh? by b0s0z0ku (Score:2) Thursday November 30 2006, @11:11AM
  • All 3 of them?
  • I keep looking for the sarcasm tags here. Where are they? Is this post for real?

    Just yesterday I was down working with some developers. There were four rather old G4 Powerbooks and one new (3 months old) PC. Four PowerBooks running flawlessly. PC was already riddled with spyware and viruses and not working properly because of such. These poor people have an unusable computer because of all these security flaws...well...PC-specific flaws. Luckily they kept chugging along on their old Macs while the PC was being worked on.
  • by b0s0z0ku (752509) on Thursday November 30 2006, @11:20AM (#17050298)
    Entourage is a steaming pile of crap anyway. My clients are about 75/20/5 PC/Mac/Other. I've seen Outlook get really slow and almost useless. However, I've seen the database (.pst) file get corrupted and lose messages maybe 2 or 3 times. With Entourage, I've seen the DB get corrupted and lose *all* data about the same number of times despite the lower usage. It's also much slower to resync with an Exchange server than Outlook and unless you dot every i and cross every t during setup, it often doesn't work at all. And I've never seen the feature where you just type in the username, password, and server name and it fetches the rest of the settings working.

    So if you use Entourage - backup, Backup, BACKUP. And use something sane like Thunderbird or even Mac Mail unless you're actually syncing with an Exchange server (rather than a garden-variety IMAP service).

    -b.

  • Re:And you though (Score:2)

    by mrsbrisby (60242) on Thursday November 30 2006, @11:32AM (#17050494)
    (http://nimh.org/)
    I'll bite.

    1) Being the most used OS in the world gives you the bonus of the publicity. If you do something bad or have some pretty terrible bugs, half the planet will know about it. If Apple have terrible bugs their 3 and a half users will know about it. And that's all.
    Except Microsoft Windows isn't the most used OS in the world. A UNIX is- everybody who uses a web browser is looking at a web page- very likely to be served by a UNIX server. I think the sheer number of zombies (about 60% of Microsoft's user base) demonstrates that Windows users simply don't know that they're owned. The other 40% probably have professional UNIX admins running their network.

    Or did you mean operating system with the largest number of installations? That'd have to go to TRON - immensely popular in Japan, it's on just about every piece of industrial or business hardware there: I'm talking billions of deployments.

    2) The bonus of the (in)sympathy. Being the most used (and misused) OS in the world affects the sympathy users have for that product. Using MacOS or Linux makes you "cool" and "underground" so Windows will get that extra bashing.
    I think accepting any bugs is a mistake. Note that Linux and FreeBSD both make honest efforts to fix their bugs- but unless someone has disclosed it to Security Focus, Microsoft won't fix it. They know just like everyone else that Bugs are defects and since Microsoft sold a defective product, they have to fix it. Of course, the fewer that are disclosed the better.

    3)An OS is a TERRIBLY complex thing, and you ***will*** have bugs. There is only a matter of time.
    Er, no. The reason defective software is available is because people just like you who think defective software is acceptable. If nobody thought defective software was acceptable, there simply wouldn't be any defective software. NASA (for example) makes defect-free software (albeit at a significant expense)- but usually failures are acceptable if the failures are graceful and recoverable. EROS and J2SE are two operating systems that work like this.

    4) Everybody and their cats program (or misprogram) for Windows. When a 6-year-old boy begins programming, do you think they will program for Huniacs mainframes or for Windows? Thus there will be more "hackers", "crackers", etc for the main OS.
    I disagree. Up until distributed zombies became popular (thanks mixter), nobody targeted Windows simply because no gain could be had. Now zombies are used for everything from spamming to extortion. Six year olds aren't "bringing down windows" - I mean, I don't know if six year olds are bringing down windows. They're not bringing down UNIX, that's for certain (the oldest and most pervasive operating system ever), but if six year olds are bringing down Windows, I'd highly recommend you seek elsewhere.

    If you want to maliciously exploit an OS to make major damage/profit, do you want to target millions of Windows users or the 3 and a half Mac users?
    You'll find very few people disagree with this, but people don't want to "maliciously" exploit an OS: they want to make profit. Spammers and spyware installers don't target Windows: they target ignorance. When ignorant people start buying Macintosh and UNIX desktops again, you'll probably see some real targets there. After all, would you rather have 1% of 1000, or 99% of 100?
  • Re:I predict... (Score:2)

    by peacefinder (469349) * <aland&hevanet,com> on Thursday November 30 2006, @11:52AM (#17050864)
    (http://peacefinder.net/ | Last Journal: Wednesday October 24, @04:06PM)
    "[...] OpenBSD whores will derail this entire discussion."

    Damn. Gotta be a pretty cheap date to whore out for a BSD-licensed OS!

    Seriously, man, you've got your terminology all wrong. Whores do it for money. While OpenBSD users don't object to getting paid for it, mostly we do it for free 'cuz we like it. That makes us sluts.

    If you'd ever gotten laid without paying for it, you'd know about this stuff.
