12/16/2003: Technologica
Macs Are Not Invulnerable
Or, a tree falling in a particularly remote forest
from PC Mag
This is a significant hole. The original report, found on Carrel.org, puts a frightening spin on the problem:
"A series of seemingly innocuous default settings can cause an affected Mac OS X machine to trust a malicious machine on a network for user, group, and volume mounting settings."
So an attacker who can gain access to your network - over a wired connection or wirelessly - can trick an affected system into trusting a rogue machine, and when the compromised machine reboots, take it over and even attack other systems on the network.
The truth is that the Mac OS is just as vulnerable as Microsoft Windows. Overall, maybe OS X is better than Windows, but that's not the point. Panther, for example, is a great OS, but it's also complex, and complexity leaves room for gaps - some small, some not.
No big surprise, but I was struck by the unabashed glee with which the PC guys are laying in to Mac peeps. "Eat Crow" they keep shouting. I don't want to get in to a OS Holy War here, (cause I'm multicultural) but its fun to watch geeks fight.
More
Macs Are Not InvulnerableWindows Isn't the Only System With Serious Flaws
Commentary
By Lance Ulanoff
PC Magazine
Dec. 11
- I know this is wrong, but in one respect I was happy to learn earlier this month about the discovery of a significant security hole in the Jaguar and Panther versions (10.2 and 10.3, respectively) of the Apple operating system (OS).
I was tired of the "We use Macs because they don't get attacked by viruses and hackers" refrain from Mac nuts.
I generally counter with what is apparently a secret carefully hidden from Mac zealots: "That's because only a fraction of the world uses Macs. What's the point of attacking a niche market? No one will notice!"
But the mindlessly superior retort is always the same, "No, it's because the Apple OS does not have the same holes as Windows. OS X is just a better operating system."
Given this recent development, my question is, "Will you be stuffing that superior attitude in your crow or eating it separately, sir?"
A Major Mac Breach
This is a significant hole. The original report, found on Carrel.org, puts a frightening spin on the problem:
"A series of seemingly innocuous default settings can cause an affected Mac OS X machine to trust a malicious machine on a network for user, group, and volume mounting settings."
So an attacker who can gain access to your network - over a wired connection or wirelessly - can trick an affected system into trusting a rogue machine, and when the compromised machine reboots, take it over and even attack other systems on the network.
The truth is that the Mac OS is just as vulnerable as Microsoft Windows. Overall, maybe OS X is better than Windows, but that's not the point. Panther, for example, is a great OS, but it's also complex, and complexity leaves room for gaps - some small, some not.
From Mac Fan(atic) to Windows User
OS X 10.x may not be as widely used as Windows (let's face it, it isn't) but some of its devotees seem far more fanatical than Windows users. Those who toil in Windows - me, for instance - care about their OS to a certain degree, but hardly feel the need to jump to its defense or come up with ridiculous conspiracy theories to explain why, say, Bob bombed or Windows Me stank.
So I am by no means a Windows apologist or Microsoft partisan. I began my computing career as a Mac patriot, in fact. I used a Mac SE/30 with PageMaker version 1.2 and laughed at the lowly IBM PS/2, which could just hobble along on the subpar Windows 3.0 and had virtually no font support. I trained people on Macs, converted entire print production systems over to the Mac and PageMaker, and salivated over every software upgrade and hardware enhancement.
But even back then, I had this gnawing suspicion that 18-month software development cycles could somehow hurt the platform. Before the tide really turned, however, I switched to PCs. I had joined PC Magazine, and the editorial staff used them.
My introduction to the PC came at precisely the same time as Microsoft launched Windows 3.1. I was no longer focusing on the Mac, and Microsoft had finally released a viable GUI. It didn't beat the then-current Mac OS (System 7), but it was a start, and of course, people began buying millions of PCs with Windows 3.1 preloaded.
The rest is history.
The Target Everyone Loves to Hit
When Microsoft released Windows 95 three years and some months later, for the first time there was a degree of parity between the graphical interfaces. I found things to grumble about, but they were minor.
Microsoft's less-than-stellar OS security took a while to become apparent. In fact, the problem wasn't epidemic until a few years after the Internet took off. Windows' market domination makes it a target for the virus authoring community.
The OS also bears the burden of user wrath because those who depend on Windows so often feel let down. But nothing drives me crazier than Mac true believers shaking their heads and grinning at me every time another Windows virus hits.
This past summer was particularly difficult. As Blaster and SoBig wreaked havoc across the Internet and with millions of Windows PCs, Mac users would tell me with mock sympathy, "This wouldn't happen if we all ran Macs".
We don't, of course, and again, that's the point.
If the Tables Were Turned
The discovery of this OS X security hole will be like a tree falling in a particularly remote forest. So few people actually use Macs (notwithstanding, of course, what you see in the alternate universe of movies, where everyone appears to use them), that I think it's unlikely this problem will have any long-term effect. Hackers are unlikely to exploit this hole the way they have Windows failings.
If the Macintosh OS ever became dominant, the tables would turn, and there would be just as many reports of viruses, security holes, and attacks on it as we currently have with Windows. As one Macophile I spoke with noted, no one has even bothered to exploit this security flaw. I doubt anyone will.
Meanwhile, we can already see what happens when Apple has a broadly popular product that cuts across platforms. The Apple iPod is the number one MP3 player, and now that its companion computer utility, iTunes, is available for both the Mac and the PC, it has become a hack target. In fact, Jon Lech Johansen, the same Norwegian who cracked the DVD security code, recently circumvented the iTunes music protection scheme.
An event like that occurring makes sense to me, since iTunes' popularity makes it a target worth hacking - and whatever mystical Mac mojo there may be, it didn't go far in protecting a popular Apple product.
Who's Crowing Now?
Ultimately, those on the Mac fringe have to face facts: Panther and Jaguar were not better at outrunning vulnerabilities than Windows.
I expect other gaps will emerge, and while the Mac OS may still draw far fewer attacks, this discovery might suck a little wind (or is it Windows?) out of Mac radicals' sails. They can scarcely claim this was a minor hole. OS root access is serious stuff.
How cocky are you feeling now, Mac elite? Hmm. Suddenly it's gotten pretty quiet around here.
2 Annotations Submitted
Tuesday the 16th of December, rafuzo noted:
This article dramatically oversimplifies a number of issues, the most glaring being the "hack vector", or the interface vulnerable to attack.
Given that NT uses the tcp stack and port scheme, naturally the number of exploits against that interface is limited essentially to how well you secure this (large, but finite) number of ports. In terms of vanilla script attacks that simply target unsecured ports, Windows and OS X are essentially as good as their respective firewalls.
But a firewall is only part of a proper security policy. Firewalls simply say who has access to get in, or essentially, who has keys to what doors. What it doesn't address (and is the purpose of a system security policy) is who gets to open the doors from the inside.
OS X, and indeed most modern UNIX systems, operate on a security policy of single-control; essentially, whenever some applications want to do something shady, they first have to check with a system daemon that verifies if they have permissions to do it. This daemon has access to certain files which can only be edited through the daemon, with proper authentication, first.
In Windows, their security system is set by the user THROUGH the application. Meaning the app has control over what it can or can't do. And security policies overlap or supercede one another; one windows app (say, a mailer) might not be able to run a worm script, but microsoft excel might do it for you. Thus there are potentially limitless avenues for attack for the clever hacker.
This subtlety is lost on the author. It's not the number of exploits, or how many people use them, or whatever. It's how fundamentally secure the system is. In this case, OS X has Windows beat by a mile, and until Windows starts stepping to the single choke-point security methodology, it always will.
Richard Forno has a much better rebuttal here.
Tuesday the 16th of December, prof_booty noted:
well put. i think no system made by humans can ever be completely secure. its the risk of living in the real world. that's why we need nano self assemblers.