A lot of people misunderstand security risks. That includes popular bloggers on popular weblogs such as Infinite Loop, it would appear.
And speaking of exploiting bugs, a related report on the increase of malware in the last year focuses on the doubling of Linux threats, but specifically warns that Macs are likely to become “the biggest alternative target to Windows in 2006,” between the errors made in system development, the recent processor switch, and the growing demand for zombie machines to spew spam and host malicious web sites, we could have a big problem on our hands.
Aside from being a run-on sentence, this statement is completely horrid in another way: it’s misleading. By default, Mac OS X does not ship with any network services running. None. Not a one. Out of the box Mac OS X is not sharing files, running SSH, sharing its printers, or even exposing the CUPS configuration page to anything but the loopback interface — and most consumers are running it in that default configuration. If you portscan a fresh install of Mac OS X, you get bupkis.
Reported security issues are almost always local security issues. That is, you’re at the machine and you found a way to compile this program or inject this data into this other program and then you can run code as root (privilege escalation attacks). This requires you to already have access to an account on the machine. While there are a few that are remote attacks, again, the remote services are off by default.
Contrast this to Windows, or even many Linux distributions, where services are run on the public ports by default. Doing this opens the machines to network-based attacks such as overflows and injections and whatnot. That’s what lets so many Windows machines become network zombies. Because the Mac ships with nothing running, there’s no door to get a foot into, and even with outstanding security issues for the local side, the system is secure enough on the public side that your standard machine is safe.
This is not to say that there will not always be security bugs in shipping software. There will be. What you do as an administrator (and you administer that MacBook Pro or iMac whether you think of it that way or not) is limit your exposure to the world to prevent such things as a remote takeover from happening. You do this by turning off your network services that are not in use, turning on the firewall so that if anyone gets in they can’t get out, locking your screen when you’re not at the computer, and taking your portable with you if you’re going somewhere. Basic security.
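A check for the exposure described above, added here as an example (not code from the original post): it separates TCP listeners bound only to loopback from those reachable from the network, reading netstat -an output in the BSD/Mac OS X layout. The sample output and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample in the BSD/Mac OS X `netstat -an` layout (not from a real host).
SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp6       0      0  ::1.631                *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  192.168.1.20.548       *.*                    LISTEN
tcp4       0      0  192.168.1.20.49152     17.0.0.1.443           ESTABLISHED
udp4       0      0  *.5353                 *.*
"""

def split_endpoint(local):
    """BSD netstat joins address and port with a dot: '127.0.0.1.631', '*.22'."""
    addr, _, port = local.rpartition(".")
    return addr, int(port)

def is_loopback(addr):
    if addr == "*":                      # wildcard bind: every interface
        return False
    try:
        # Drop an IPv6 scope suffix such as '%en0' before parsing.
        return ipaddress.ip_address(addr.split("%")[0]).is_loopback
    except ValueError:
        return False                     # unparseable: report as exposed

def classify_listeners(netstat_output):
    """Return (exposed, loopback_only) lists of (proto, addr, port) for TCP listeners."""
    exposed, loopback_only = [], []
    for line in netstat_output.splitlines():
        fields = line.split()
        # Keep only TCP rows in LISTEN state; headers, UDP and live connections are skipped.
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        addr, port = split_endpoint(fields[3])
        bucket = loopback_only if is_loopback(addr) else exposed
        bucket.append((fields[0], addr, port))
    return exposed, loopback_only

if __name__ == "__main__":
    exposed, loopback_only = classify_listeners(SAMPLE)
    for proto, addr, port in exposed:
        print(f"EXPOSED   {proto} {addr}:{port}")
    for proto, addr, port in loopback_only:
        print(f"loopback  {proto} {addr}:{port}")
```

In the constructed sample, the CUPS listener on port 631 is loopback-only, while the SSH (22) and file-sharing (548) listeners are the ones an administrator would turn off if unused.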
The media wants Mac OS X to be as vulnerable as Windows. They want to believe the Windows pundits that claim that it’s a matter of popularity. They want to believe that Apple isn’t ready for popularity or that the system is too user-friendly to be secure. They want to believe that Apple hasn’t found a way to eat its cake and have it, too. Well, they did.
Sure, there are things like trojans and JavaScript bugs and whatnot that will come up now and again, but that’s everyone’s concern and not entirely in the realm of preventability on Apple’s side (well, JavaScript is). So it comes down to whose users are smarter about security? Those that use an OS that requires security training before plugging in the ethernet cable for the first time, or those that haven’t had a problem with malicious code since the Autostart worm?
The users will learn what little they need to do on their part. The system will take care of the rest. Don’t eat candy from strangers, and don’t run programs if you don’t know and trust where they came from. Life’s lessons apply to computers, too.
Don’t forget arbitrary code execution through other apps. There have been a few holes like this through Safari in the past few years. While it doesn’t exactly allow a superuser access to the system, it’s dangerous enough to draw legitimate concern.
I think the operating system is much more secure with how easy the OS is to use for the average user. Ever tried to explain to a Windows user how to check their networking preferences? Talk about a nightmare. I’m still extremely convinced that the reason Macintoshes have so few security concerns is because the interface allows a much greater control over the operating system than Windows or Linux.
You’re wrong here and the original article is right I’m afraid.
Most Windows botnets are not installed via worms but via flaws in Internet Explorer and/or Outlook. The same could easily be done on a Mac via flaws in Safari or other parts of the OS, for example via this set of unpatched bugs:
http://secunia.com/advisories/19686/
Most botnets don’t care about being root either – having control over a user account is all that is needed to run an IRC bot, send http/smtp etc. And even if they do want root, there’s been no shortage of local root bugs in OS X – I’m sure there’s still more to come.
It’s not something you can just wave your hand and dismiss the issue that easily with. That’s extraordinarily naive.
Safari has a very specific list of things it will run, and the list is getting shorter every day. Even with the listed problems, simply turning on the firewall prevents outbound communication even in the event of being compromised, which is an additional layer of protection. Normal user accounts cannot turn off the firewall. You would have to create one of these vulnerable files, such as a GIF or ZIP, inject the proper code into the proper place, hope that the code is actually runnable (all of those “advisories” speculate that the code could be run, but only prove that they can crash the program. None go as far as to inject actual code into the files), join it with a local root exploit to run “ipfw flush” and then install whatever other software it needed to run.
Could it be done? On the presumption that the listed problems allow for code injections rather than just being crashers, possibly. Will it? Highly unlikely. Crashers are not synonymous with injectors. Combined with the newer security features of the processors that the Mac runs on (marked executable and data pages), this becomes even less likely. A crash, sure. Injection? No.
Run? It’s a GIF. Put it on a webpage and wait. If (and past history suggests that it will) that results in code execution, then it’s game over. As for firewalls, who filters outbound? Most Macs don’t by default.
allow tcp from any to any out
says mine for example.
Do you filter port 80 outbound? That’s all a lot of botnets need – they report back and get their commands via http, and http is as good a way of doing a DDOS as any. There’s no need to be root at all in any of this.
As for calling me “extraordinarily naive”, please be less rude. You know nothing about me. I provided arguments, not handwaving.
“Outbound communication” was a wording error. What I meant by that was that even if the code were to run and listen on a port, with the firewall open unauthorized inbound requests would be denied. The program would need to connect to and maintain a connection with a server to get commands. After some looking into it, this is also how a good deal of networks run, so that point would be moot.
Yet it still comes back to code and data pages. On the Intel Core series of chips, there are security features that protect against just this sort of problem. Unless explicitly denoted otherwise, a memory page is a data page and will not be run; the program will generate an exception and die instead. Past experience, I’m presuming, means “Windows” and PowerPC. Those are a whole other beast in this area.
I’ll grant that the majority of Macs today are PowerPC and that it has no built-in protection against overflow attacks, but the number of such attacks that are possible on the Mac are dwindling. And now that the image problems are public, you can be sure there will be an update very soon with a fix for those. Software Update notifies users weekly and the majority of them will update.
Simply because one OS vendor has been lax in this area doesn’t mean they all are, and certainly not to the point of turning the world into a network of slave Macs…
Non-executable pages have been around for a while on various OS and archs. They raise the bar a bit, but are by no means infallible.
If Macs were popular, there would have been a Mac botnet by now. There’s been Linux/Unix ones (aimed at servers admittedly), and I don’t see OS X as being more secure.
“If Macs were popular, there would have been a Mac botnet by now”
That’s conjecture, and an unprovable statement. That’s the problem with this style of comment, it’s all prediction based on how a different operating system has behaved in its popularity. You can’t make predictions about Mac OS based on how Windows has been affected. They just don’t work together like that.
In fact, that’s my entire point about this. People are saying “If Macs were popular, a thing would happen!” left and right but there’s absolutely no way to prove that. We can go over the specifics left and right and never reach that conclusion simply because it doesn’t have that critical mass of popularity. I could just as easily say that there would be BeOS or Amiga botnets by now if they were popular. (I’d include Linux, but that’s one of the primary botnet providers these days because of old practices.)
Well, I’ll call it a day here, but I think since every other OS under the sun has enough security holes to allow botnets etc to be installed, why would OS X be different?
Some of the security bugs being found in OS X now are stuff that was fixed 10 years ago in UNIX. Some of the code just isn’t good.
See for example this
http://randomstring.livejournal.com/29563.html
Given flaws like that (to gain local root) and the long string of code execution bugs in Safari, I think saying “OS X would have had botnets if it is popular” is rather more than speculation.
And just to be clear, when I talk about OS X security, I’m not necessarily comparing to MS here – not least since I never use MS Windows.
Too bad it’s already wrong:
http://blog.washingtonpost.com/securityfix/2006/03/when_macs_attack.html
And if you read the article at all, you would see that this was a flaw in PHP. That’s something that, even on Mac OS X Server, you have to manually enable to run.
Again, the default install of Mac OS X will not silently gain bots.