
A Time to Patch III: Apple

Over the past several months, Security Fix published data showing how long it took Microsoft and Mozilla to issue updates for security flaws. Today, I'd like to present some data I compiled that looks at Apple's performance on this front.

Here's what I found: Over the past two years, after being notified about serious security flaws in its products, it took Apple about 91 days on average to issue patches to correct those vulnerabilities. I also found that, almost without exception, open-source Linux vendors shipping the same vulnerable components were months ahead of Apple in fixing the same flaws.

You can download a copy of the charts I put together either in HTML format or as a Microsoft Excel file. I spent a long time on this research, but that doesn't mean it is free of typos and so forth. If you spot one, or a discrepancy in the data, please drop me a line and I will update the data as necessary.

In this analysis, I looked primarily at the last two years' worth of patches issued to fix serious security bugs in Apple's Mac OS X operating system, as well as various Apple software applications that run on top of OS X. That task turned out to be a tad more difficult than I first imagined because Apple's security advisories do not assign severity levels to patched security flaws, as do Mozilla's and Microsoft's. What's more, each advisory contains usually no more than a short paragraph describing the vulnerability. For the most part, Security Fix only examined patches that fixed flaws which Apple said either allowed "arbitrary" or "remote code execution," meaning attackers could exploit them to install, run or manipulate programs on the user's machine.

It appears that Apple found about one-fourth of the flaws without any help from outside researchers. Despite the fact that I freely shared all of the data I had collected, Apple refused my requests to learn the dates when those flaws were first uncovered. I fail to see the reasoning behind that stance, unless Apple thought the information would skew its time-to-patch numbers in the wrong direction. I also encountered the same resistance from several researchers who had discovered a handful of the flaws I examined, as noted in the spreadsheets.

Also, Apple took issue with how I classified some of the vulnerabilities I looked at. Even though the company officially eschews severity ratings, it didn't have any problem assigning numbers to the flaws listed in my spreadsheets, with those flaws earning a "1" deemed the most serious and those with a "4" the least worrisome. Apple's assessment is evident from reviewing the following spreadsheet (which was based upon an early mock-up of my research), available in HTML or Microsoft Excel format.

When I first began this project back in January, I put in calls to the Apple public-relations folks but didn't hear back from anyone for a couple of weeks. At first, I was told that Apple executives were not interested in talking with me for this story. Two months later -- after I shared my initial findings with Apple -- the company changed its tune, and I was informed that someone would be made available to answer any questions. Nearly two months and a number of phone calls and e-mails after that, I finally got someone from Apple on the phone to talk about security in OS X.

That someone was Bud Tribble, Apple's vice president of software technology, who explained why he believes measuring OS X patch times against those for the Linux vendors isn't exactly (in his words) "comparing apples to apples."

"We serve a very broad market that includes a lot of consumers, and it's important to us when we come up with a software update that it's easy to install and that it works right the first time" -- which requires a lot of quality-assurance testing, Tribble said. He added that while the typical Linux user is probably adept enough to devise a workaround for a rushed patch that interferes with or breaks other applications, the typical Mac user "simply expects things to work with single button click, and that means we have to take time to do that correctly."

It's worth noting here that Apple has extensively modified its versions of Samba and Apache, the file-sharing and Web server components, and that this accounts for some of the differences in patch times between OS X and various Linux distributions. In addition, Apple does have to do a fair amount of testing to make sure fixes are compatible with older versions of OS X.

Tribble said that while Apple wasn't satisfied with an average three-month turnaround on security fixes, Apple considers its performance on the most-serious security holes to be far better than that. "I think if you look at that spreadsheet you'll see that for the most critical bugs there we averaged about 50 days." (He left out the fact that even on Apple's own spreadsheets, patch times are missing for one-third of the most critical flaws, so Tribble's numbers can't be independently confirmed.)
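The time-to-patch metric discussed above, computed the way the article describes it, as an added example. This is not the Security Fix spreadsheet, nor Apple's, and every flaw label, date and severity rank in it is invented for illustration; the point it shows is how an average looks next to the number of flaws it actually covers when notification dates are missing.

```python
"""Time-to-patch metrics of the kind described above, on constructed data.

Each record carries the columns the Security Fix spreadsheets are described
as having: the date Apple was notified (None when Apple found the flaw itself
or the date was withheld), the date Apple shipped the fix, Apple's own 1-4
severity ranking, and, for flaws in shared open-source components, the date a
Linux vendor shipped its fix. Every label, date and rank below is invented.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flaw:
    name: str                             # hypothetical label, not an advisory id
    severity: int                         # 1 = most serious ... 4 = least (Apple's scale)
    notified: Optional[date]              # None: discovery date unknown or withheld
    apple_patched: date
    linux_patched: Optional[date] = None  # None: not a shared component


# Constructed sample set; it is not the article's data.
SAMPLE: List[Flaw] = [
    Flaw("shared-samba-1", 1, date(2005, 1, 10), date(2005, 3, 21), date(2005, 1, 14)),
    Flaw("shared-apache-2", 2, date(2005, 4, 1), date(2005, 8, 15), date(2005, 4, 6)),
    Flaw("safari-3", 1, date(2005, 9, 5), date(2005, 10, 20)),
    Flaw("internal-4", 1, None, date(2005, 11, 29)),   # found by Apple, no date shared
    Flaw("quicktime-5", 3, date(2006, 1, 9), date(2006, 3, 13)),
    Flaw("withheld-6", 2, None, date(2006, 2, 1)),     # researcher withheld the date
]


def days_to_patch(flaw: Flaw) -> Optional[int]:
    """Days from notification to fix, or None when the clock cannot be started."""
    if flaw.notified is None:
        return None
    return (flaw.apple_patched - flaw.notified).days


def mean_days_to_patch(flaws: List[Flaw], severity: Optional[int] = None
                       ) -> Tuple[Optional[float], int, int]:
    """Return (mean_days, counted, total) for the flaws of one severity (or all).

    The mean covers only flaws whose notification date is known. 'counted' and
    'total' are returned alongside it so a quoted average can be read together
    with how much of the set it actually describes.
    """
    subset = [f for f in flaws if severity is None or f.severity == severity]
    known = [d for d in (days_to_patch(f) for f in subset) if d is not None]
    avg = sum(known) / len(known) if known else None
    return avg, len(known), len(subset)


def linux_lead_days(flaw: Flaw) -> Optional[int]:
    """Days by which a Linux vendor's fix for a shared component preceded Apple's."""
    if flaw.linux_patched is None:
        return None
    return (flaw.apple_patched - flaw.linux_patched).days


def mean_linux_lead(flaws: List[Flaw]) -> Optional[float]:
    """Mean vendor lead over the shared-component flaws only."""
    leads = [d for d in (linux_lead_days(f) for f in flaws) if d is not None]
    return sum(leads) / len(leads) if leads else None


def summary(flaws: List[Flaw]) -> Dict[int, Tuple[Optional[float], int, int]]:
    """Per-severity (mean_days, counted, total), keyed by Apple's 1-4 rank."""
    return {s: mean_days_to_patch(flaws, s) for s in sorted({f.severity for f in flaws})}


if __name__ == "__main__":
    rows = [(None, mean_days_to_patch(SAMPLE))] + list(summary(SAMPLE).items())
    for sev, (avg, counted, total) in rows:
        label = "all severities" if sev is None else f"severity {sev}"
        shown = f"{avg:.1f}" if avg is not None else "n/a"
        print(f"{label}: mean {shown} days over {counted} of {total} flaws")
    lead = mean_linux_lead(SAMPLE)
    print(f"Linux vendor lead on shared components: {lead:.1f} days")
```

Reporting "counted of total" next to each mean is the check this article argues for: a "50-day average for the most critical bugs" means little when a third of those bugs have no start date and silently drop out of the calculation.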

Asked whether Apple plans to add more information to its bulletins -- such as guidance on discerning critical flaws from less-serious ones, as well as workarounds for companies that wish to test patches before deploying them in their business operations -- Tribble said "no" but added that the company's plans on that front "weren't set in stone."

"We don't want to get into a situation where users are ignoring noncritical updates," he said.

Given Tribble's comments about the sophistication of the average Mac user, I asked him whether he thought Mac users would be any more savvy than Windows users in spotting "social engineering" attacks that try to trick the user into installing programs that compromise the system's security and integrity.

"I agree the user's ability to deal with their computer is a big part of the equation on security, but it cuts both ways," Tribble said. "In the case of the Mac, the attention we pay to ease of use and transparency of the system actually leads to our users behaving a lot more securely, because there are less ways to get into trouble on the Mac. It might be true that Windows users are walking around with more fear around security, but I don't think you can draw a conclusion that that fear is effective at making them any safer."

Maybe not, but a growing number of security experts are warning that attackers and researchers alike are beginning to take a real interest in finding and exploiting OS X flaws.

That speculation has been encouraged in part by the emergence of malware designed to target OS X. In March, Apple was forced to release a security patch to fix a weakness exploited by OS X.Leap.A, a Trojan horse program that spread by exploiting the way Apple's iChat instant messaging program handles file transfers.

"There are still only a handful of folks dedicating time to understanding the actual exploitation of Mac systems. However, more and more are getting interested," said Kevin Finisterre, a security researcher at Digital Munition. Finisterre is perhaps best known as the author of Inqtana, a proof-of-concept worm targeting OS X that can spread via a vulnerability in Apple's Bluetooth software, which the company patched last year.

Ed Skoudis, a consultant for Washington-based Intelguardians and incident handler for the SANS Internet Storm Center, said that a "significant amount" of research is currently going on in the computer underground into vulnerabilities in OS X and Safari, Apple's default Web browser. Skoudis pointed out that Apple also is vulnerable to password-stealing Trojan horse programs that use security flaws in OS X applications like Safari to load themselves in system memory and therefore do not require the victim's permission to run.

"Some of the [vulnerabilities] we're seeing lately on Safari -- where you surf to a given Web site, and code there can hack your machine or install malicious code on it -- are very familiar to Windows users," he said.

Skoudis predicted that one of the more likely avenues for exploiting OS X systems in the near future may be Apple's Boot Camp program, which will allow users to boot new Intel-based Macs into either Windows or OS X. With both operating systems on the same hard drive, he said, a piece of malware that infects the Windows side could be configured to copy code onto or delete files from the Mac side.

I felt that Tribble sort of dodged my question as to whether Mac users would be any less susceptible than Windows users to attacks that try to trick them into executing programs or clicking on links that might arrive unbidden in e-mails or instant messages. So I put the question to John C. Welch, a security administrator for the Kansas City Life Insurance Co. and a lifelong Mac user. Welch said he believes the average Mac user "is just as dumb as the average Windows user" when it comes to security.

"A non-technical user is just that, plus there is a certain amount of arrogance in the Mac community that might even make them more susceptible to these kinds of attacks," he said. Welch added that he too believes Trojan horse programs would soon present a potent threat to OS X users.

"Some Apple users are arrogant enough to tell you that it is physically impossible for a virus to work on OS X because Linux won't allow it, and that's just silly," he said. "People tend to focus on pure viruses, where in fact the real danger is and always has been Trojans."

But how does all of this speculation about pending Mac attacks relate back to the timeliness of Apple security updates? Part of the answer has to do with the way Apple works with the security research community. Some researchers have a policy of releasing information about the flaws they've discovered if they feel the vendor is not responsive enough or takes too long to fix the problem. When the researcher also releases code demonstrating how to attack the flaws to install malicious code, it increases the likelihood that bad guys will use the instructions to carry out attacks.

While most of the researchers I spoke with said Apple has quite recently become more responsive to security researchers who report bugs, most also said the company has substantial room for improvement on this front.

Jay Beale, a senior research scientist with George Washington University's Cyber Security Policy and Research Institute and another security consultant for Intelguardians, said watching Apple's interaction with the researchers reminds him of Microsoft's attitude roughly five years ago.

"Microsoft got religion because they had to. Worms, viruses and botnets demonstrated the need," Beale said. "Apple's got the same kind of vulnerability, but hasn't been targeted as much because of their smaller market share. They're going to need to change the way they think soon, because the bad guys are going to start developing the same kind of malware for OS X."

Tom Ferris, a researcher who has reported numerous security flaws in Apple applications, said sometimes two to three weeks elapse before a live person at Apple responds to security flaws he submits.

"I've been dealing with Apple since late last year and I just get the impression they're basically where Microsoft was at years ago," Ferris said. "The problem with slower response times is that for a lot of these bugs, I'm probably not the only person who found them."

Even with a faster response time and increased cooperation with researchers, the security of the operating system will continue to depend a great deal on how quickly Mac users apply software patches. While OS X ships with a feature that notifies the user when patches are available, some Mac users turn those notices off or put off installing updates.

"The smug thought that you don't have to patch regularly just because you use a Mac will eventually get you burned," Finisterre said.

Welch said he, too, believes that at some point an attack is going to surface that "shocks the Mac community out of its complacency" on security issues. But he also believes that increased scrutiny of potential flaws in Apple's operating system will benefit Mac users more than it will harm them.

"As OS X becomes more popular, we're starting to see more people attacking it to find security holes, and in general the more eyes you have on this stuff, the better off you are in the long run," he said.

By Brian Krebs  |  May 1, 2006; 4:35 PM ET
Categories:  From the Bunker  

Comments

In the article, Mr. Krebs keeps referring to OS X as a Linux distribution. I know it's a unix variant, but it isn't Linux, is it?

Posted by: James | May 1, 2006 6:38 PM

What are you finding on the Microsoft side?

Posted by: Michelle | May 1, 2006 6:46 PM

This caught my eye: "... other open-source Linux vendors were months ahead of Apple..." Initially I took this to be a slip of the tongue, but later on I saw: "... measuring OS X patch times against those for other Linux vendors ..."

You do understand that Mac OS X is not a version of Linux, and is not an open source OS in the usual sense of the word? True, its Darwin underpinnings are an open-source OS foundation that draws from both Linux and BSD, but many if not most of the flaws being covered are in the proprietary layer above it.

Furthermore, I do think it's appropriate to distinguish between Linux distributions -- often run largely by volunteers and aimed at a more technical audience -- and Mac OS X, developed by a large public company and aimed largely at home consumers and small businesses.

Apple is widely and correctly criticized for not being more forthcoming about the details of its security fixes. But it's not correct to suggest that updates can be pushed out as rapidly -- and without as much testing -- as for Linux distributions.

Posted by: Russell | May 1, 2006 6:52 PM

Regarding this quote: "With both operating systems on the same hard drive, he said, a piece of malware that infects the Windows side could be configured to copy code onto or delete files from the Mac side":

Windows by default cannot write to the Macintosh partition; you need a third-party tool to enable this. (Unless you want to allow for the possibility of an intrepid malware author to create a file system driver to include with his virus...)

Posted by: Russell | May 1, 2006 6:57 PM

Mac OS is NOT Linux. That's a pretty basic error.

Posted by: andrew | May 1, 2006 7:19 PM

Mac OS is Debian Unix with a pretty shell.

Posted by: coder | May 1, 2006 8:00 PM

it's fun to watch everyone nitpick about whether Mac OS X is linux or unix or BSD or some combination of the three and totally ignore the point of this article. typical.

Posted by: Anonymous | May 1, 2006 8:02 PM

This is a key statement that you seem to have not quite given much priority to:

"We serve a very broad market that includes a lot of consumers, and it's important to us when we come up with a software update that it's easy to install and that it works right the first time" -- which requires a lot of quality-assurance testing, Tribble said.

A bad patch may/will affect ALL users immediately. Hence you have to test it, test it, and test it again before release. This always takes more time due to the many permutations of application software Apple offers, and the complexity of the test S/W to try everything possible. This extra test time is something large commercial Unix-based vendors like Apple must do. I think of the long release/test time as a plus for Apple. If the patches came out too fast, I would be very concerned they weren't being tested adequately. Customers will always remember if the patch was bad, but they will never remember the date it was issued.

Posted by: Dan Grove | May 1, 2006 8:24 PM

Wow! Apple was unresponsive? Down right arrogant? Try dealing with their customer support people. Any problems with their crApple laptop is the fault of the user, not design flaws covered by the extended AppleCare.

Posted by: michael | May 1, 2006 8:32 PM

I like the article, excepting the confusing comparison of OSX to Linux, which it certainly isn't.

I would have appreciated at least one paragraph discussing third-party virus and trojan scanning programs available to the OSX platform, or even a mention that there aren't any, if that's the case.

I've gotten many a cold shoulder from the consumer relations people at Apple as well; that's their largest weakness, in my opinion.

Posted by: shark | May 1, 2006 8:48 PM

Apple must be outsourcing customer support with Netgear.

Posted by: gerg | May 1, 2006 9:09 PM

As Brian is pointing out, the security fixes for Apple can take up to 3 months from the time of discovery.

I just wanted to point out that I have read year after year about how Apple is more stable than other OS's. Many have made the point that if Apple was on 90% of the desktops, that it would be hacked to death within weeks.

I believe that is true. Apple's "security" is nothing more than the fact that it's a small target for hackers and not due to superior design.

Posted by: John | May 1, 2006 9:19 PM

I think the point of the "Linux" comment was to show the stupidity of many of the Mac-heads out there. Of course it isn't Linux.

Read Russell's comments and then click:

http://www.rixstep.com/

Read up on Opener, etc. Apple flubbed the underpinnings of OS X. It still is fixable and I would have thought the switch to Intel would have been a good time for the company to move developers to a better file system. Furthermore, Apple should have used the transition to repair code it has butchered. Remember when Apple told us about their commitment to open source? What happened? Plain old greed.

They really need to quit thinking about iPods and get with it on the software front. The company and OS are taking a well-deserved beating in the media. Yet we have the same old "lack of interest" responses from the company about security.

I say bring on the critics.

Posted by: Sully | May 1, 2006 9:22 PM

Henny Penny! The sky is falling! A popular OS is vulnerable to anyone who opens up a program they didn't purposefully download. This is NEWS, I tell ya. This has never happened in the history of computing... oh, really... uh, yeah.. uh huh.. Oh, I see. Every OS is vulnerable... oh. I guess this isn't news after all. So why are you reading this??? Move along, nothing to see here...

Posted by: don rumsfeld | May 1, 2006 9:54 PM

It's good to see that someone is finally pointing out that Apple is a company that's even more protective of its intellectual property than Microsoft is. The more market share they garner, the larger a target they will become, and if Apple were the size of Microsoft there would be virtually no difference between them. The only difference until this point has been that Macs have been used for boutique purposes, but if their use was widespread they'd be as big a target as Microsoft systems.

Thus, they've enjoyed the benefit of being exclusive and small.

Posted by: Scandalous | May 1, 2006 9:57 PM

This article is misleading because it doesn't differentiate between a potential security flaw and a security problem. Counting potential security flaws and time to fix them ignores the fact that Apple machines rarely have problems unlike Windows machines which are a nightmare to maintain. In fact, I have been using Macintoshes heavily since 1984 and I've never had a single security problem. It makes no sense to penalize Apple for not spending more time on things that are not a problem for them.

Posted by: Henry Harris | May 1, 2006 10:19 PM

Henry, Help me understand your criticism. You say the article is misleading because it doesn't differentiate between a potential security problem and security problem. First off, how is it misleading? I state very clearly what I set out to learn and how I got the data. Also, it's not my intention to "penalize" anyone. One of the things I wanted to accomplish with this piece was to let people look at the data all in one place and make their own judgments.

Also, are you saying a vulnerability is not a security problem until there is a mass mailed virus or worm going around exploiting it?

If I heard a theme amongst every person I interviewed for this story it was that yes, Apple has had a great ride so far in terms of avoiding the kinds of attacks that have been visited upon Windows, but that that era may soon be coming to a close, and that Mac users might want to adopt a more vigilant stance on security. Whether their predictions turn out to be true will be evident in the months and years to come, but as they say, the past is no guarantee of future performance.

Posted by: Bk | May 1, 2006 10:31 PM

Henry is right on this one. Potentially, my hard drive could crash and I would lose access to all my files. Potentially, an envelope I lick to seal could have LSD on it. Potentially, my car could be hit and I could be killed by a drunk driver. Potentially, the world could end on June 6. Etc., etc. Are those risks newsworthy? Call me careless, but I'll stick with Mac security until I hear of something more imminent than what you're writing about. The past may not be a guarantee of future performance, but it certainly is an indicator.

Posted by: Larry Smith | May 1, 2006 10:59 PM

There's always room for security improvement. No vendor will ever get out critical patches quickly enough. Users will always fall for tricks, and in all of these cases, enough vulnerabilities will exist for it to be worth *someone's* time to exploit them. The comparisons against Microsoft and Linux are invalid because there is more to be done on *any* operating system to improve its security.

Apple's approach is sluggish, sure. The reduced volume of updates probably helps encourage users to take them seriously, but that's some very subtle social engineering on Apple's part. The question is, how quickly does a vendor have to get a patch out to make a difference in the spread of the exploit?

Let's see a timetable comparing update times with exploit extinction times. I think you'll need a pretty big chart, because even once patches are released, the exploits continue.

All of this rumbling is nothing more than finger-wagging at Apple and statement of the obvious: one day OS X will eat a big one. It won't be pretty. I'm hoping I'm out of the IT business by then. But in the meantime, can the FUD. Drop the comparisons. Campaign not to chastise Apple -- they have a couple smart people in Cupertino, you know -- and do your part to educate end users about the genuine risks and the need to take it seriously. In the end, it's not about who sold the machine, it's about who bought it.

Posted by: thornrag | May 1, 2006 10:59 PM

This matches my experience - I've reported several bugs and it took ages (half-to-full year!) for them to even respond and commonly it took a major release for a real fix.

Apple's ahead of Microsoft in certain areas - largely because their architecture is fundamentally much cleaner (although they've strayed in key places) and they don't mind breaking backwards compatibility for broken apps - and they do seem to have gotten more serious (the last two emails to their security group actually received a response), but it still feels like they don't take it anywhere near as seriously as either the Linux distributions or Microsoft, particularly since so many of these bugs are very similar, indicating that problems were being patched one-off without a company-wide examination to see how many similar problems remain.

Posted by: Chris Adams | May 1, 2006 11:00 PM

Does anyone else find it disturbing how many of these articles insist that OSX is where Windows was five years ago? This sounds much more like Microsoft propaganda, meant to make people think Windows is somehow so much further ahead of Apple than they really are. I mean, articles about having to format your hard drive because spyware and malware has become so entangled with the operating system is flat out pathetic. Either way, at least the XML nature of OSX's configuration files makes it much easier to CLEAN up after a potential attack than could EVER occur on Windows with its god-awful proprietary and error-prone registry.

Sure, you could cry wolf millions of times, and inevitably you are bound to be right. Eventually some OSX machine will be compromised, but through what, iChat, Safari? What is a Mac user to do then? Obviously, as most people on Windows do, switch software. Genetic diversity in biology is the only thing keeping whole populations of species from caving to a single disease outbreak, and the same is true with computer software. Luckily, just as Windows users have the choice of Firefox and Opera, the same is true on OSX.

The OS itself leaves no ports open, and the firewall is always on in OSX, even if you choose not to block any ports by default. This means the likelihood of remote attacks is minimal at best. IPFW also offers stealth modes which Windows Firewall will be lucky to have at best. Vista itself is likely to have lax firewall rules by default, because most admins would rather sacrifice security for laziness.

I personally find this article to be a fluff piece because it totally neglects the fact that no OS is totally secure, but some are built on solid technology, and some actually go out of their way to make it easy to undo damage, which in this case is OSX and nearly any Unix-based OS. I can't say the same for Windows.
Maybe continuous declines in market share and another batch of tens of thousands of malware for Windows, and Microsoft will finally learn and rebuild their OS with security in mind, rather than tacked on as an afterthought.

Posted by: Joe | May 1, 2006 11:12 PM

I have wondered how long it would take for the hackers to get into the new Macs, especially since the change to the Intel chip.

I can't help but notice that from '84 to recently Apple has been somewhat exclusive and of a much smaller market. Now that users are more able to get the Mac OS, the hackers are also getting the OS, and they don't have intentions of just doing media and art. They intend to exploit every avenue of weakness they can find, just like they have for Microsoft. All this to say, Apple has SEEMINGLY stumbled upon a battle unaware.

I would like to see a comparison between the hacking ability and number of instances of the new Mac on the Intel chip vs. the PowerPC chip.

Posted by: Youthful Perspective | May 1, 2006 11:26 PM

I find your one-sidedness quite offensive and would expect as much from a person putting down a platform that by far annihilates Windoze by leaps and bounds. I seem to see it more and more that people are so offended by Mac being revealed as a great product. The arguments are mostly "Maybe Apple is good, but if you look closely you will notice it can not transport or fit under your nails. Therefore Apple must be a bad product. Apple used a blue instead of a yellow for its desktop. Horrible Apple!" I honestly believe Apple is a good product. I wish people would stop bashing on it just because they have made a couple headlines through their innovation.

Posted by: Apple is great | May 1, 2006 11:43 PM

Perhaps I did not see it,but did you anywhere do a comparison of the number of machines that became infected because Apple was slowing patching something? Perhaps a relative comparison to Microsoft or even Linux?

There is a qualitative difference there. Changing, I admit, and Apple needs to change with the times. But I do believe the conclusions you appear to have drawn in your article are a bit misleading. I have Macs, PCs, Linux, and mainframes here. They are each very good at what they do, but in terms of having to deal with virus stuff, the PCs are far more work than any of the others. Followed by Linux, followed by the Macs, followed by the mainframes. (Except for Linux on the mainframe, which is slightly better than on Intel, but not much!)

Posted by: Paul | May 1, 2006 11:45 PM

Wow! I'm a typical home-business end user and this is a valuable history. Thank you for including hyperlinks to the relevant Apple docs.

Posted by: JS | May 1, 2006 11:46 PM

This article does not have a legitimate base. It sounds more like (in my own words): "Macs may become infected, they are not as good as people think, etc."
In reality I don't care about it. All I know is that I was fed up with Windows PCs, the constant crashing, new viruses every day, pass-the-hot-potato tech support approach, buggy hardware drivers, constant clean up and so on. I have been a Mac user for close to two years, have a broadband connection, and only performed one reinstallation of the OS, and that was because I sold one of my Macs and did not want the buyer to have my personal data in his possession, so I wiped the drive and reloaded. I am a happy camper, honestly. This article does not do justice to Apple; the time and efforts could have been better used. As with any system, you can be tricked with an email and a link to a fake (look-alike) website, give away personal information thinking you are on "eBay", "PayPal" or a "Bank", and not even a Mac can save you from it. Apple has done a great job for many years, but some people in the industry have a hard time accepting it.

Posted by: N.A. | May 2, 2006 12:24 AM

"...here is a certain amount of arrogance in the Mac community..."

Wow, I'm amazed at some of the replies here. You sure did prove this point.

Posted by: lyle | May 2, 2006 12:36 AM

The author states facts about Apple's latency to patch security vulnerabilities in its software and you Apple polishers jump all over him.

Nowhere does this article claim that Apple's OS is where Windows was 5 years ago. Nowhere does the article say Apple makes a bad product, or that Windows is better.

The article simply states that it takes Apple approximately 91 days to patch its vulnerabilities. He provides you with the numbers that prove his statement. He interviewed Apple who, unwittingly and inadvertently, proved his points to be true.

You make me ashamed to be a Mac user. Grow up, will ya!

Posted by: So defensive... | May 2, 2006 12:36 AM

This finger-wagging bandwagon is a media stunt, and a lame one at that. So it's a white-hot topic to talk about Apple. Traffic is pretty heavy right about now huh? Clap. Clap. Clap. The enthusiasm for decrying OS X vulnerability/response time is flatly suspect.

An analogy:

Over the years in a far away country, fires have increasingly ravaged the landscape, burning millions of acres. It is a common topic of serious concern, and thousands of watch towers are constructed and manned in an attempt to prevent the rapid spread and rampant destruction.

Meanwhile, in our own country, fires are unheard of. Occasionally a small fire is started, and several square feet are burned. Nevertheless, the climate here is more wet, thanks to the jetstream, and the fires that do spring up have a far more difficult time spreading. In fact, thanks to changes in the jetstream over the past 6 years, *no major fire has EVER broken out.*

Along comes a host of itinerant journalists (new to our country)
and they see an opportunity...

"we have a chart here comparing the rate of construction of watch towers..."

Posted by: Josh G. | May 2, 2006 12:43 AM

Imagine someone traveling to a small town and learning that everyone there leaves their doors unlocked under the assumption that they all know each other and it's a small town and so security doesn't matter. This traveler points out to them that crime is rising everywhere--small town and large--and that perhaps it's not the wisest thing to do. The traveler also points out that perhaps because the local sheriff hasn't dealt much with crime because it has not been a problem in the past, the sheriff might be a bit slack in their response. Then, after speaking with the sheriff, the traveler reports that, indeed, the sheriff is laboring under the same assumption as the rest of the populace--we're a small town where everyone knows everyone else, we're safe enough.

At that point, the town's people run the traveler out of town at gunpoint because they don't want to hear anymore "scary" news. After all, this place is paradise to the residents, and they can't stand to have their fragile emotional investments in their town threatened.

Posted by: small-town minds | May 2, 2006 12:57 AM

So the security issue I had with an attacker breaking ssh, installing a rootkit on a patched OS X earlier this year, and doing who knows what, and I am not supposed to be concerned about Apple's slow patching?

Come on "Apple Is Great" and others, don't delude yourself and think that BK is bashing anyone.

Posted by: Abigail Chase | May 2, 2006 12:58 AM

Hmmm, good try -- what you meant to say was: imagine in blissville they locked their doors at 10:30, while in crimetown they lock them at 8:00. Whew... I feel safer already.

Posted by: Josh G. | May 2, 2006 1:08 AM

I suppose Mac security vulnerability articles are currently a sort of 'man bites dog' phenomenon in the press. I think we can all agree that every computer user needs to patch regularly and that all OS vendors need to cut a reasonable balance between testing and timeliness. What I think is significant is that all these articles are still referencing OS.X.Leap.A, a 2 1/2 month old, lame trojan that wouldn't have registered a yawn in the Windows world. Since Leap.A came out and was quickly squashed there have been over 150 new Windows viruses, trojans and other malware. I'm still waiting for the article about that...

Posted by: IT Guy | May 2, 2006 1:13 AM

Has a virus in the wild (not a security company's test virus) ever infected OS X and caused damage to someone's data? No. Never heard of it happening. Has a trojan horse ever invaded a Mac running OS X without the user's permission? No. If you consider the number of copies of OS X running every day vs. the number of malware invasions to those computers, the ratio of damaging infection/invasion per user makes OS X the safest operating system on the planet. By far.

Posted by: philads | May 2, 2006 1:58 AM

As Mark Twain once famously said, "Rumors of my demise have been greatly exaggerated." For another view of Mac OS X security, read Bradley: "Mac OS X gets wrong kind of attention" (at www.networkworld.com/columnists/2006/050106bradner.html) After you've read it, look up Bradner's credentials. Finally, think once more about Mr. Krebs' view.

Posted by: gbdoc | May 2, 2006 5:50 AM

Typo in above post: Bradner, not Bradley. Sorry

Posted by: gbdoc | May 2, 2006 5:52 AM

>Some of the [vulnerabilities] we're seeing lately on Safari
>where you surf to a given Web site, and code there can
>hack your machine or install malicious code on it -- are
>very familiar to Windows users

This quote is simply untrue, yet you didn't call him on it. Why not?

Posted by: Joplin | May 2, 2006 6:05 AM

Been a Mac user since early 1984. Never had a virus. But I think it's hubris to say Macs can't get viruses. Just because people say that, someone will devote himself to doing just that, and succeed, big-time. Couldn't we change that to "we've been very lucky so far, and hopefully our diligence will continue to stave off attackers." Hubris is hubris, and arrogance will fall. I'd like to think of the Mac as a great little operating system that some people believe is the best, but like all things, it has to keep earning its praise.

Posted by: Shooshie | May 2, 2006 6:05 AM

>So the security issue I had with an attacker breaking ssh,
>installing a root kit on a patched OSX earlier this year, and
>doing who knows what, and I am not supposed to be
>concerned about Apples slow patching.

Please be more precise - by "attacker breaking ssh" you are implying that either a) they were able to gain access to your machine via a genuine ssh attack or b) they were able to gain access to your machine by guessing your password.

If the former then presumably you have found a genuine bug in ssh, that is almost certainly not specific to Mac OS X? What is the ssh bug number so this claim can be verified?

If the latter then unfortunately choosing a weak password is something no system can protect you against - other than supporting key pairs to avoid the need to type passwords, which ssh (on any platform) supports.

It is worth pointing out Mac OS X ships with ssh access disabled out of the box - at some point you explicitly turned this feature on.

Posted by: Joplin | May 2, 2006 6:13 AM
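The distinction Joplin draws above (a bug in sshd versus a guessed password, and key pairs as the way to take passwords out of the picture) comes down to a handful of sshd_config settings. The following is an added example, not code from the original post or from Apple; it audits an sshd_config for password-based login. The two configuration files are constructed for illustration, and the default values assumed for OpenSSH are marked as assumptions in the comments. Only the parsing rules that matter here are modelled: keywords are case-insensitive, the first value set for a keyword wins, and a `Match` block starts conditional settings that this checker does not evaluate.

```python
"""Audit an sshd_config for password-based logins.

Added example (not from the original post). Assumes OpenSSH semantics:
keywords are case-insensitive, the first value seen for a keyword wins,
and a 'Match' line ends the global section.
"""
import re

# Assumed OpenSSH defaults: password and keyboard-interactive logins are
# allowed unless explicitly disabled; root may log in with a key only.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}

# ChallengeResponseAuthentication is the older name for the same knob.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# "Keyword value", "Keyword=value" and "Keyword = value" are all accepted.
LINE_RE = re.compile(r"([A-Za-z]+)\s*(?:=|\s)\s*(.*)")


def parse_sshd_config(text):
    """Return the effective global settings as {lowercase keyword: value}."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        key = ALIASES.get(key, key)
        if key == "match":
            break  # conditional section: global scope ends here
        effective.setdefault(key, value)  # first occurrence wins
    return {**DEFAULTS, **effective}


def audit(text):
    """Return a list of findings; an empty list means password login is off."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is not 'no': password guessing is possible")
    if cfg["kbdinteractiveauthentication"] != "no":
        findings.append("KbdInteractiveAuthentication (ChallengeResponse) is not 'no': "
                        "PAM password prompts are still possible")
    if cfg["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is disabled: key pairs cannot replace passwords")
    if cfg["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root can be brute-forced directly")
    return findings


# Constructed example of a permissive configuration.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed example of a key-only configuration. The duplicate and the
# Match block show the two parsing rules the checker has to honour.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
# sshd keeps the first value it sees, so this later line has no effect
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["no findings"])
```

Point the checker at the live file (the path differs between OS X versions; `/etc/sshd_config` on older releases, `/etc/ssh/sshd_config` on newer ones). As Joplin notes, none of this matters until Remote Login is switched on; on OS X `systemsetup -getremotelogin` reports the current state.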

You Mac users are funny!

Posted by: Fred | May 2, 2006 6:27 AM

BK, great writeup!

Upsetting though is the comparison to only Linux vendors. These simply aren't the same fruits.

Darwin is a derivative of FreeBSD and takes many of the concepts and drivers from Linux, FreeBSD and NetBSD. Why didn't you compare FreeBSD, NetBSD, OpenBSD, DragonFly BSD, Darwin, Windows, Linux, and Solaris? Why all the Linux?

Granted, you pointed out that this comparison considered user-land related applications such as Apache and Samba, but there are so many other things. Most of the patches listed were for the core OS and things that are only available on an Apple.

I don't think you should've rushed this out. Surely somebody pointed out that the BSDs should be considered as well.

Posted by: Curious George | May 2, 2006 6:31 AM

How about this: use Firefox, I'm sure no one will hack through there. And use Adium or aMSN if you are scared of viruses through iChat.

Posted by: Raff | May 2, 2006 6:37 AM

> That speculation has been encouraged in part by
> the emergence of malware designed to target OS X.
> In March, Apple was forced to release a security patch
> to fix a weakness exploited by OS X.Leap.A,
> a Trojan horse program that spread by exploiting
> the way Apple's iChat instant messaging program
> handles file transfers.

Wrong. This trojan horse didn't "spread".

It was so poorly programmed it could only affect a minority of Mac OS X users and could only propagate in a local network using Bonjour/Rendezvous.

Posted by: Anonymous | May 2, 2006 6:37 AM

What a bunch of crock. . . the author compares Apple to Linux. . . not Apple to Microsoft. What obvious and transparent bull(). How does Apple compare with Microsoft in responding to security issues? There were some anecdotal quips suggesting that Apple was more lax than Microsloth where security was concerned but nothing you could hang a hat on. More shilling for Micro$oft. . .nothing to see here. . .move on. . .

Posted by: Geezle/2 | May 2, 2006 7:53 AM

Thanks curious. I did in fact look at comparing Apple to FreeBSD, OpenBSD, etc. Frankly, it was a matter of time. E.g., just getting to FreeBSD's security advisories is a nightmare (if you can get on; it's an FTP site, so if there are too many users on at the time, you don't get to view them). Also, there is no apparent structure to their database other than the dates on each file entry, which don't tell you much. Finally, for most of the patches I looked at in Apple, I could not find equivalencies in CVE listings for FreeBSD.

Posted by: Bk | May 2, 2006 8:44 AM

Geezle -- If you'd like to compare Apple to Microsoft, go right ahead. I've given you the data to do so. The charts I made for the Microsoft time-to-patch analysis are linked to in the very first sentence of this post.

Posted by: Bk | May 2, 2006 8:46 AM

I just wanted to point out the biggest barrier to potential hackers of OS X is the cost of the system. Your average joe black hat is probably not going to want to buy a pricey piece of hardware just to run some proof-of-concept hacks on a tiny portion of the computer-using public. However, and this is a big however, the osx86 project has been supplying hacked copies of OS X to run on any x86-based machines that support the SSE2 and SSE3 Intel instruction sets. So, when the cost of a Mac system is dropped from the equation, and you can run OS X on your home rig, why the hell not start hacking it? Essentially, this whole group of osx86 hackers are not what you would call casual computer users in the first place - and are likely to be further motivated once they have the OS running to start hacking it. Windows, while the most widely used, probably becomes a bit rote and boring after a bit - hacking OS X is like starting a whole new game for these guys. OS X is in trouble because of the Intel switch more than anything else in my opinion. Keeping the OS tied to a proprietary and unpopular hardware platform (the PPC processor) was the safest defense Apple had.

Also, studies are routinely showing that more and more hackers are devoting themselves to commercial endeavors. Hacking Macs is hardly worth the effort for spam-lords. In this sense, it is still safe. However, there is rampant ignorance among Mac users that the OS is somehow a fortress. Obviously, it is not.

I write this as an avid OS X user, and I like Apple's products in general. They do a lot of QA - and that may be at odds with quick fixes, but there are few pressing threats for X, even once vulnerabilities are found. The system runs quite well from the GUI all the way down to the terminal. Personally, I love the platform and my hope is that they will take the appropriate actions once the need arises. They may be where MSoft was a few years back as you pointed out - but Apple is a company that is quick to respond to new realities. The company dropped their best selling product, the iPod mini, overnight and replaced it with a vastly different product. Obviously, it seems like a sure thing now - but how do you convince the big wigs that 'yeah, this is making us money hand over fist, but we have one that is cooler!' Given the gutting of every new and good idea from Vista, I don't think the MSoft similarities go that far. Risk taking is not something Bill has a good track record with. Jobs, for all his weaknesses and flaws, is a man willing to risk it all if the payoff is good.

That said, I love OS X - but I'm no dummy either, and I honestly do not like the slow security response. But, if my choice is Windows (ugh) or spending all day on Linux config files and kernel rebuilds - I have to go with OS X, the best of both worlds for me.

Anyway, my major point is that the hacks are going to come from the osx86 crowd running on non-Apple hardware. I'd put money on it.

Thanks for your interesting columns.

Posted by: New York, NY | May 2, 2006 8:47 AM

First off, Kudos to BK for doing his part on reporting this story. It's humorous to see the "replies" of some of the Mac users and their invulnerable attitude towards their OS. I'm a Windows tech professional myself, and though I think M$ has put together shoddy product after product, full of band-aids, to simply say any one OS has no security concerns simply because it hasn't happened yet is close to saying there will never be a terrorist attack on a person's home soil.

Posted by: ShadPTR | May 2, 2006 8:50 AM

I find it quite funny that the press keeps bringing up Apple as a vulnerability. Why Apple? Out of all the OSes out there, why Mac OS X? All operating systems have security problems at different levels. However, Mac OS X has been safe for years and is still as safe as it was five years ago. Why start picking on it now? Is it because it is making the headlines more often as it rolls out brand new products every few months? Is it because there is some sort of idea out there that having Windows on the new Intel Macs puts the actual Mac machine more at risk? Because if you ask me, this is just a bunch of bull. None of these assumptions are true. Macs are much more secure for two good reasons: One, the OS is built off an open source environment (Unix) which has much lighter code than Windows, making it harder to leave holes all over. Two, hackers do not develop viruses for an OS with only 6% of the computer market (same reason why software developers mostly develop software for Windows and not for Macs).

P.S. Mac OS X is Unix based, not Linux. Although Linux is also based on Unix, there is no real comparison there. Amateur mistake.

Posted by: MAF | May 2, 2006 9:07 AM

It's humorous to see this billed as a "story" to begin with. The story here is not about security or vulnerability. It's a shame I would need this caveat, but for the "Mac Users Suck" anti-fan boys, Macs are as vulnerable as any *nix flavor. No, the question is, why is there an explosion of articles about this topic right now? The real story is how Apple is THE white-hot center of tech discussion right now. Apple is ubercool, and some folks are getting tired of hearing about it.

Posted by: Josh G. | May 2, 2006 9:18 AM

I had virus protection on my Macs back in the late 80's early 90's. I am not security stupid and when there is something to worry about I will be as prepared as anyone else. How many viruses have infected machines with virus protection installed? Most of them, because it is a reactive solution. If something horrible happens and I have to revert to my backup and install protection I will. And maybe when someone really does lose a file to a virus Apple will respond more rapidly. This is like saying that an outdoor garment vendor that sells primarily to people in the desert doesn't respond quickly enough to reports that the seams of its jackets aren't really waterproof and rain is "on the way". Instead of buying and wearing a new raincoat in sunny weather I'll wait until it rains.

Posted by: bigEd | May 2, 2006 9:28 AM

The days of Apple OS X being the platform that doesn't have to worry about malicious code are rapidly coming to an end. With the shift of viruses and worms away from the respect-based underground community to more organized cybercrime, any vulnerability that can be exploited for monetary gain will be used. Windows, by far, has the lion's share of the installed computers, but as OS X gains in popularity, it will become a larger target. I think that Apple is all too aware of this and is taking advantage of its reputation while it lasts. I saw an Apple commercial last night where a person with an obvious cold represented a PC and talked about all of the viruses that affected Windows, while the person representing a Mac bragged about how he wasn't infected. 2006 saw the first virus in the wild for OS X, and before the year is out we will probably see another. Apple realizes this and appears to be cashing in on their bulletproof facade before it crumbles. The sad truth is that letting their users think they are immune contributes to the problem instead of working towards a solution.

Posted by: Scott Carpenter | May 2, 2006 9:32 AM

I suspect most of these articles are attempts by the cheapskates who purchase Windows PCs to try to make Macs look like overpriced anachronistic machines. I still stand by the argument that this article is an attempt at making an F5 tornado out of a dirt devil. No Mac user is stupid enough to insist the OS is invincible, but how on earth can anyone say OS X is as vulnerable as Windows is? There is no way a Unix OS could ever have as many problems as Windows, because Microsoft appears to have engineered Windows with enough "goodies" and hiding places and holes to make Windows virtually child's play to hack and compromise. Unix based OSes at least had security built in from the beginning, as ANY OS should have. Windows isn't even worthy of being run in anything other than a virtual machine sandbox; it really can't be trusted in today's world of privacy invasion and terrorism.

Posted by: Joe | May 2, 2006 9:36 AM

The race to produce patches is an interesting sport, but releasing the patch is only half the battle. Once it is released, each user or system manager must install the patch.

Is there any data about the diffusion of patches in the installed base? How long does it take for 50% of the installed base to be protected, 75%? 90%? Do we ever achieve 100%?

If we say

time to achieve protection
= time to release
+ time to achieve (say) 90% coverage,

how long does it take to achieve true protection from a threat. How does that affect the comparison between vendors?

Posted by: Peter Stevens | May 2, 2006 9:51 AM
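The composition Peter Stevens proposes above, time to release plus time to reach a given coverage level, is easy to work through on a small fleet. The following is an added example, not code from the original post or from any vendor's data; the two vendors, the dates and the per-host install offsets are constructed to illustrate the arithmetic, and are not the figures from Brian's spreadsheets. It shows the effect his question points at: a vendor that releases faster can still leave users protected later if the patch does not diffuse.

```python
"""Time-to-protection = time-to-release + time-to-coverage, on constructed data.

Added example (not from the original post). Vendor names, dates and
install offsets are invented for illustration.
"""
from datetime import date, timedelta


def days_to_coverage(release, install_dates, percent, population):
    """Days after `release` until `percent` of `population` hosts are patched.

    `install_dates` holds one date per patched host; hosts that never patch
    simply have no entry. Returns None if the level is never reached, which
    is the common case for 100%.
    """
    needed = (percent * population + 99) // 100  # ceiling without floats
    if needed == 0 or len(install_dates) < needed:
        return None
    ordered = sorted(install_dates)
    return (ordered[needed - 1] - release).days


def time_to_protection(disclosed, release, install_dates, population, percent=90):
    """Calendar days from vendor notification to `percent` coverage."""
    time_to_release = (release - disclosed).days
    time_to_coverage = days_to_coverage(release, install_dates, percent, population)
    if time_to_coverage is None:
        return None
    return time_to_release + time_to_coverage


def coverage_profile(disclosed, release, install_dates, population):
    """Time-to-protection at the coverage levels asked about above."""
    return {p: time_to_protection(disclosed, release, install_dates, population, p)
            for p in (50, 75, 90, 100)}


# Constructed fleet of 10 hosts per vendor. Offsets are the number of days
# after release on which each host installed the patch; hosts missing from
# the list never patched at all.
POPULATION = 10
DISCLOSED = date(2006, 1, 10)  # constructed notification date

# Vendor A: slow release (50 days) but a fast, near-complete rollout.
RELEASE_A = date(2006, 3, 1)
INSTALLS_A = [RELEASE_A + timedelta(days=d) for d in (0, 1, 1, 2, 3, 7, 10, 14, 30)]

# Vendor B: fast release (10 days) but a manual, straggling rollout.
RELEASE_B = date(2006, 1, 20)
INSTALLS_B = [RELEASE_B + timedelta(days=d) for d in (2, 5, 9, 20, 45, 60, 90, 120)]

if __name__ == "__main__":
    for name, release, installs in (("A", RELEASE_A, INSTALLS_A),
                                    ("B", RELEASE_B, INSTALLS_B)):
        print(name, coverage_profile(DISCLOSED, release, installs, POPULATION))
```

On this constructed data vendor A reaches 90% coverage 80 days after notification and vendor B never does, even though B shipped its patch 40 days earlier; at the 50% level the two are within two days of each other. The same calculation applied to real telemetry would need the per-host install dates that neither the vendor advisories nor Brian's spreadsheets contain, which is exactly the gap the comment above identifies.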

""
P.S Mac OS X is Unix based not Linux. Although Linux is also based of Unix, there is no real comparison there. Amateur mistake.
""

P.P.S.

Mac OS X runs on the Darwin variant of BSD, not licensed UNIX. Amateur mistake.

http://www.opengroup.org/openbrand/register/

http://www.unix.org/images/chronology_big.gif

Posted by: correction | May 2, 2006 10:08 AM

Every time someone questions the sanctity of Mac security, the Mac user response tends to be to come up with artificial distinctions about the nature of the threats compared to those on Windows, or simply to try to deflect by saying "Well, Windows has even more viruses, worms, etc." It's time for the Mac OS community to hold themselves to the same standards and admit that their OS, like all others, is not invincible.

Posted by: JV | May 2, 2006 10:31 AM

Anyone who thinks any OS is invincible is lame. But to point out a minuscule number of flaws and jump for joy thinking that the OS is headed for a trainwreck like Windows is pretty lame also... Flaws and exploits are inevitable, but to have as many as Windows has had is beyond sheer coincidence; it is almost as though Windows were engineered to be so buggy and insecure. Sure you could say all the attention on Windows brought these out, but can anyone seriously think an OS with such great innovations as DDE, WMF, NetBIOS, the Registry, Universal PnP, could possibly ever be a secure OS? Some of these things are either overly complicated to lock people into the OS, or are old enough and neglected enough to inevitably be exploited for some sloppy programming. It seems like Microsoft's own "innovations" are barely worth the security risks that they expose people to. It's about time that people start calling these "innovations" exactly what they are, security risks. What must Microsoft have been thinking would happen with the introduction of the registry? They obviously didn't have the belief that the home user should have control over their settings and configuration. Of all of Microsoft's innovations, this is one of the worst things they ever did, and it continues to make it difficult to recover from all the other problems inherent with Windows. If Microsoft had the public's interest at heart, they would make it EASIER to recover from a malware attack, rather than making it easier for the malware to hide on the system. But again, Microsoft is only interested in pretending like they care about security; until they make major infrastructure changes to put the control back in the hands of the computer operator, I'd say any Unix based OS including OS X is far more secure than Windows will EVER BE.

Posted by: Joe | May 2, 2006 11:07 AM

It is my opinion that MS is the target of attack largely due to the number of business users involved and the kind of information that can be obtained. That information can be very valuable in the hands of the wrong people. The second group are the "let's bring down that evil MS empire and all the chumps using it" crowd. Somehow, the Mac world is overlooked because nobody (aside from the odd MS zealot) really has a hate-on for Apple. Plenty out there seriously have dark hate for MS.

That said, there will be attempts. Mac users should NOT be complacent -- but Apple should be doing more to stay in touch with its market better. I'm on an Apple security 'heads-up' list that I found out about in some obscure article. Why doesn't Apple put EVERYONE on that same list who registers their new equipment? That could be one step of many to pro-actively preempt any attacks, while offering a sense of assurance to their users.

I think Apple has to do a MUCH better job of educating its users.

Posted by: Sprocket999 | May 2, 2006 11:10 AM

May I suggest that, when presenting data of this nature, you include a graph. Most of us out here in radioland get lost in a forest of numbers and dates, so we miss trends or other features obvious in a simple graph. For example, you will find more than just an average response time if you plot your "time to fix" versus number [omitting the gaps]. I also suggest Adobe Acrobat as one format [since most folks are unlikely to have the same graphing software].

Posted by: Wayne Lanier | May 2, 2006 12:01 PM

The question of why tech writers are suddenly jumping all over OS X is partly because MS has taken SO long booting Vista out the door they have little new to write about concerning operating systems. And readers are sick and tired of consumer Windows malware stories and don't read them as much anymore. Additionally, many writers see a chance to stir up controversy and get some buzz, ala the John Dvorak effect. What a lot of them don't get is that it's one thing to write something controversial and quite another to be factually inaccurate. The latter will cost them.

Posted by: philads | May 2, 2006 12:45 PM

Apple has excellent customer support. Your issues are likely your fault if they will not take the computer back.

Posted by: someone_special | May 2, 2006 12:53 PM


You ain't kidding. For the most part the Mac community is in denial. Now that people are focusing more on searching out Mac vulnerabilities, the more dangerous it will become for the Mac end user. Mark my words, there will come a day when a critical vulnerability is found on Mac and a zero-day worm ensues. It will likely take something like this to humble all of the Mac-heads out there.

btw, I am a Mac user.

"...here is a certain amount of arrogance in the Mac community..."

Wow, I'm amazed at some of the replies here; you sure did prove this point.

Posted by: lyle | May 2, 2006 12:36 AM

Posted by: blast3r | May 2, 2006 1:06 PM

Well as usual the MACfans are having a UNIX/LINUX/BSD conflict... Who cares.. the entire point of the article is to say that APPLE is not forthcoming with information regarding what they are actually fixing, when they are getting fixed and the actual turnaround for a security fix. OS X users be wary, times are changing.

Posted by: DanTheMan | May 2, 2006 1:34 PM

"blast3r"
If you REALLY want to see denial, pop over to ZDNet. Anytime there is an article which exposes faults/flaws in WinXP, Vista, IE or just about anything Microsoft related, read some of the denial there. You won't see much arrogance, but a lot of vicious responses. The Mac community is pretty tame by comparison ; )

Posted by: Sprocket999 | May 2, 2006 1:36 PM

Abigail, I too am interested in reading more details about the OSX ssh exploit/rootkit install you mentioned. I'd especially like to know what tool{s} you used to detect and remove the rootkit.

{I'm one of those rare Mac users who actually uses ssh and accesses the shell.}

And thanks, BK; SecurityFix is a must-read for me. Please keep up the good work!

Posted by: KT | May 2, 2006 1:45 PM

Mac guys, stop defending against an insult unhurled. Brian was pointing out that Apple doesn't seem to be taking security very seriously, and backs it up with quantitative data. Geez, he even asks for corrections to his data. Have any of you looked at the data? Do you have corrections, or even a different interpretation of that data?

Also, a message for those of you saying "Sure but how many people have been hit by viruses on Mac versus Windows?" Just because the Great Mac Virus hasn't happened yet does not mean it won't ever happen. Apple (and Mac users) can reduce the risk by taking security seriously, and Brian has just pointed out that Apple isn't there yet when compared to the standards of Linux and Windows response rates.

Posted by: Dave | May 2, 2006 1:47 PM

Dave -- you state: "Apple doesn't seem to be taking security very seriously." For crying out loud, this statement is not "backed up by the data."

There is no such thing as "there yet." Comparing OS X response time to other Linux/Unix response times is one factor out of many in a complex equation. Drawing a direct correlation between response time and safety contradicts the ultimate adjudicator: the Real World. In that arena, Apple is performing *extremely* well. Apple will speed up their response time as it becomes necessary. Why does this need explanation?

Also, I'm getting a real kick out of the "by the way, I'm a Mac user" comments. Yeah, some of my best friends are black! :-)

Posted by: Josh G. | May 2, 2006 3:34 PM

Josh G.

How do you find this statement to tie together? The reason I made that statement is because I AM a Mac user. When it comes to even discussing Mac issues as soon as someone says anything at all negative about Mac all hell breaks loose and you are called a Mac basher. I think the racial comment was totally unnecessary and offensive.

>Also, I'm getting a real kick out of the "by the way, I'm a Mac user" comments. Yeah, some of my best friends are black! :-)

Posted by: blast3r | May 2, 2006 3:46 PM

I am wondering why the iTunes for Windows flaw and patch was included in the stats and tabulated in the results. One has to distinguish between the number of flaws for OS X and time to patch versus all Apple software written for all devices (Newton, iPod, QuickTime and iTunes for Windows); otherwise the data gathering becomes inaccurate. This article seems to be about the Mac OS X operating system (which by the way is not another Linux distro; the author would be more accurate to state it was a BSD/Mach derivative). I always recommend to all my users to exercise caution no matter what operating system they are on.
I especially have to take extra steps for my Windows users. Anyway, all my Mac systems have some antivirus software installed on them, the firewall turned on and even TCP Wrappers and a few more in-house tricks to lock them down. So far so good when compared to the security issues and break-ins I've had with Windows (terrible track record), Irix and the occasional Linux machine.

Posted by: saha | May 2, 2006 4:47 PM

Just because the inevitable would, could, or might happen, doesn't mean it will be irreparable on a Mac like it would be on Windows. Fact remains, Apple cares more about security simply because the OS itself is built on a solid stable and secure core. This article is nothing more than a scare tactic, until it happens, it is pretty pointless to keep crying wolf. Second, even if and when it does happen, I guarantee that it will be much easier to stop on a mac once you know the mechanism that it takes, and I guarantee it will get an immediate response from Apple, and I guarantee the damage will be pretty easy to contain and repair. I can't say any of these things for Microsoft and Windows.

Posted by: Joe | May 2, 2006 5:00 PM

blast3r:

I've got a laundry list of things Apple has done/is doing that annoy me or I may think are strategically stupid. Like charging for QuickTime Pro, to grab a low hanging fruit. I agree that brand loyalty should be driven by collective positive experience and trust, not blind fanaticism. Apple happens to be an example of a profit driven company with governing principles that I appreciate. I remain critical of their business practice precisely because I like them. Nevertheless, the issue at hand gets in under my skin because on and off over the past 6 weeks, Apple/vulnerability has been the subject of front page headlines in tech publications and articles from most of the major media outlets. This surge is not driven by any real problem. It is sensationalism, pure and simple. Hits skyrocket, readers respond. Sometimes it is important to call a spade a spade. Much ado about nothing, sound and fury, signifying nothing.

Posted by: Josh G. | May 2, 2006 5:11 PM

Josh -- Nevermind that I started this research into Apple patch times in early January before all of the "OS X worm" hype started, and as a natural extension of the same research I'd already completed and published on Windows and Mozilla time-to-patch stats: I still get lumped into the bandwagon.

Posted by: Bk | May 2, 2006 5:34 PM

Bk --

I apologize for the insinuation that you have timed this article to coincide with the current media fixation. Reviewing the timeline, I see your point. Still, I stand by my main issue, that these vulnerability questions are being used to discredit Apple, when the facts simply do not provide a reasonable basis.

Posted by: Josh G. | May 2, 2006 6:01 PM

I'm a certified Microsoft developer and work with them all day long. I've been programming on them since the mid 1980's. I OWN, as in "I put my own hard cold cash down on", MACs. My current machine is a MacBook Pro - dual core 2GHz CPUs, 2 GB RAM. It simply blows any Windows machine off the table, including my new $5000 Dell workstation at the office. To be sure, I and any other competent programmer could create a virus or a worm that would attack MACs, but it is much much more difficult to do this than with a hacked piece of #@$|~)+* junk like Windows. (And, "NO", to the NSA twits who browse these posts, I don't write viruses.) Most of the attacks will not be on the underlying operating system (which isn't Linux, by the way, it's plain vanilla FreeBSD and *is* completely standard open source), but on application software like Safari. Safari is Apple's web browser and is a pretty good one, but *ANY* web browser is inherently vulnerable to attacks. So, it ought not surprise anyone that MACs or LINUX or UNIX boxes are vulnerable to attacks. That Apple took longer to come up with a patch is also not a surprise. They (and every other free software project) make use of information and fixes from the open source developer community. Apple adds to this mix their own paid developers and expertise.

And, as for speed of fixing bugs, there is a truly excellent open source version of Delphi available that has had the same posted bugs, "free for fixing", for months now. The bugs WILL get fixed when some developer has the time or the need to fix the bugs.

Posted by: Mike Brooks | May 2, 2006 6:52 PM

The argument of security through obscurity has been thoroughly debunked elsewhere. The fact is that Mac OS X is a more secure OS than MS Windows. That is not an artifact of its lesser numbers; it is due to better design.

Mac OS X ships with no open ports (think 'doors') for remote exploits to act upon. In short, its 'doors' come locked. That is unlike MS Windows, which used to ship with many 'doors' open and still leaves a few. Fewer, or no, 'doors': harder to break into. Not by accident: by design.

Furthermore Mac OS X users operate, by default, in a less than full administrative role. In a Unix environment the full-access role is called "root", in Windows "Supervisor". The advantage of Mac OS X users not defaulting to "root" is that when a change is made to the operating system explicit permission must be requested to do so and authorization granted with a password being entered.

Thus in practice MacOS X users get to think "Hmmm, why is that silly little program asking for full access to my Mac? No!" unlike MS Windows users where anything run on their systems is pretty much free to rape the box.

Can MS Windows be configured so users operate with more sane levels of access? Yes, but it is difficult, requires knowledge to configure (meaning the folks most in need of this are the ones least likely to take, or be able to take, advantage of this), and this sort of configuration causes problems with many applications including MS's flagship product line, MS Office.

Does any of this imply MacOS X machines are invulnerable? No! But it does mean they are typically far LESS vulnerable. A MacOS X machine fresh from the factory is secure left on the Internet. The length of time a fresh-from-the-factory MS Windows machine remains uncompromised plugged into the Internet is literally measured in minutes.

Yes, there are, and will always be, flaws in operating systems and applications. Some will be technical in nature, some will be 'social engineering' in nature, and some will be bad design allowing the technical or social failings to happen.

Again, MacOS X is structured to make both technical and social failures less likely and less damaging. MS, in spite of many warnings years ago when it introduced its architectures, has not designed systems resistant to failings, technical or social.

While the author's attempt to quantify security failures, and the length of time to resolve them, is interesting I confess to finding it a fairly pointless exercise. Without a more sophisticated analysis of the exact security issues each problem exposes, their potential for abuse, and the efficacy of the response, it's all arbitrary numbers applied far too hypothetically. While the GNU/Linux timelines are somewhat easy to come by the same isn't true for MS or Apple, and the severity ratings for all of them are woefully dissimilar.

My own metric is rather more pragmatic: Which OS do I have more confidence in? MacOS X, which has thus far proved to be a robust implementation of 30 years history of OS development? Or Windows XP, MS's "most secure OS ever" with its notoriously poor design choices which require literally hundreds of dollars of 3rd party tools and constant monitoring to protect?

Which do you think?

And why would you trust "the other"?

Posted by: Maggard | May 3, 2006 1:01 AM | Report abuse

Thank you Mike Brooks. The case can finally rest now. One fact stands as true today, Macs are safer and a very well thought-out product. Let's give credit to it. I was a long time windows user and to keep up with a clean and safe machine was a great deal of insanity. Not to mention that I work for the State of NJ, and our techs are having a heck of a hard time even when there may be no viruses present in the Windows work stations. I also worked on the side, setting up windows PC's for three small businesses in the area, and trust me it was almost impossible to walk out and not receive a call back stating the machine is acting up, or crashed or that something took over the system. My accountant for 2004 taxes uses Win PC, I did not return to her for 2005 Taxes because I've found her machine's web browser hijacked by malware.

Posted by: N.A. | May 3, 2006 1:14 AM | Report abuse

Backup.
Continue to backup.
Never omit to backup.

Never trust a single application to do its own protection.
Never trust that any software is invulnerable; it can't be if it's running code of any sort.

Have two cupboards. Lock up, put the keys in a pocket that you have reinforced and then zip up the pocket is the analogy - since analogies seem to be popular here.

I look forward to being able to dual-boot (or triple, quadruple if it's available) a diversity of operating systems.

For the rest of the discussion, I migrated to OS X in order that I could spend my time using an operating system more productively than the increasing time I was spending on keeping my installation of XP patched and operable at the same time.

The cause of some equipment item not doing the job I acquired it for is of little interest to me.
I expect to be given plain user and maintenance instructions that will, if undertaken, keep that equipment operating at best output.

Unfortunately Microsoft's user instructions, followed to the letter, left me with an operating system more and more prone to glitches and compatibility symptoms as third-party vendors struggled to keep abreast of the torrent of security fixes that issued from Microsoft while I was still using XP. I haven't kept up with the situation since early 2004 and so I can't speak with authority about what I read about the latest XP security fix breaking many systems, but it looks as though nothing much has changed.

Equally, for OS X "updates", and especially since Macs are now coping with more and more peripherals as well as an explosion of applications, there are many users who lose productivity while fiddling with compatibility losses and their own fixes after a patch is applied.
I don't think that it's avoidable - the mucking up of some users configurations - with a major patch.
And so the logic of Apple refraining from rushing to patch with no active exploits happening is pretty much understandable.

Whoever mentioned upthread that applications are the problem is so right, and the peppering of the whole operating system with shots that could be better aimed at individual bits of software may make for a more meaningful discussion than this kind of "does/doesn't" one.
Safari could be a good parallel morality story for the IE/XP debacle - to a small degree.
I'd always recommend a diversity of browsers, even if a user doesn't want to diversify other applications that access networks.
A browser needs so much more active attention to security faults - and I'd really enjoy seeing an article comparing the work of the Firefox boys to that of other browser distributors. Useful discussion could happen :-)

And for the commenter upthread who implied that the XP built-in firewall is not capable of full-stealth, this was not correct with XP SP1a, which was a good hard shut-down when I was using it.

I've enjoyed my couple of years relaxing with such a smooth and stable system as OS X and I hope that the doomsday attack that everyone with much more technical expertise says is inevitable for OS X will come via Safari while I'm using Firefox or Opera or...

Posted by: birdie | May 3, 2006 1:37 AM | Report abuse

Good read.... and no matter what, a reasonable person should agree that the 3 month turn-around is subpar, and is something that needs to be improved. I commend this article for hopefully putting a fire under Apple's a$$.

That being said, it should be pointed out that many security flaws involve services that are not enabled, nor used by a significant majority of the Apple user-base. Not an excuse for THREE MONTHS, but I do believe many of the issues do not impact as many users as stressed.

Regardless-- the recent flaws involving Safari and files being represented as other files are very concerning. A new Finder in the upcoming version is certainly going to overhaul this and bring about many changes for the better.... but it's a shame they have gotten such bad press over something like this.

Let's not forget the recent "hack challenge" to break into a Mac Mini with FTP, and Apache running...... latest patches installed....... completely unsuccessful. The only time it was, was when the "challenge" was done by someone given an unreasonable amount of access to the box (ability for the hackers to add users by remote).

In this test, hackers were able to exploit flaws to escalate their standard user status to root, and then bring down the box and/or run malicious code. While this highlights a serious threat that needed to be addressed, it is not practical for over 99 percent of all OS X boxes.

Just my rant...... curious what the feedback will be. Much to be improved on, but still [in my opinion] the best OS on the market, without question.

cheers,
Alex

Posted by: Alex | May 3, 2006 8:49 AM | Report abuse

"Maggard"
Very nicely articulated, indeed!!

Posted by: BiffBop | May 3, 2006 8:54 AM | Report abuse

Can some of you even read? It's like you read the first 4 lines, get all upset and move on.

His point was that Apple needs to take a closer look at their security patches. Not that they are insecure or that it is dangerous to use a Mac.

The fact that not many Macs get hacked is totally beside the point. That's why he's talking about how as Macs get more market share and how with the Intel processors, more attention will be paid to Macintosh. They don't get hacked now, but that is changing, which is why he made the article.

I swear, Mac people are so much more defensive than PC people, you act like Macs are perfect and have no problems yet practically everyone with a Mac that I know has had plenty of problems with it, and Mac people just put their fingers in their ears and yell at the top of their lungs.

Great article by the way, very informative and from my side totally unbiased. Yes I'm a Windows user but this didn't make me think any differently about Macs, but I feel more informed.

Posted by: Jesus | May 3, 2006 11:27 AM | Report abuse

Hmmm. For context, my niche company does R&D and manufacturing, and does not currently own any Macs, though my kids own several. As a software designer since DOS 3, Trash 80's (whut?) and Apple II's, I have seen from the inside out Microsoft's "ship it now, fix it maybe" approach and their truly evil maneuvers like "poison that competitive program from within DOS or Windows itself". Radio Shack and Apple had a very different approach, back in the day, and thankfully Apple survived and prospered principally based on support from graphic designers (who needed highly complex but sound creative software) and schools, who needed usable software. In the 90's the Clinton administration got the justice department after Microsoft for anti-competitive and monopolistic behavior. The Bush administration then let Microsoft go free with some fines but no changes to their business model. Not exactly how AT&T, Standard Oil, or the railroad monopolies were treated. But what does my blather have to do with OS vulnerabilities? It's this: Evil doesn't tend to think deeply or design well, in my 30+ years of design experience. By and large evil is opportunistic and short sighted. And this is reflected in the consistently slipshod software that Microsoft has generated since the early 80's. From what I observe, Apple works much more from the heart, and this counts in very practical terms because the result is that BSD-Mac's have a much sounder underpinning than Windows-XYZ PC's, and will be much easier to protect than PC's. Time will bear this out, I am wagering, since my outfit's next computer purchases will include Mactels. For what I consider very practical reasons.

Posted by: evan1138 | May 3, 2006 5:27 PM | Report abuse

Those of you who falsely believe that the superior security of OSX is due solely to its relatively low market share have got to be kidding me! Why do OS9 and the yet-to-be-released Windows Vista have thousands of Viruses each? They have much smaller market shares than OSX.

Windows XP is inherently more vulnerable than OSX. IE, Outlook, your CD drive, Word and Excel are all gateways to the execution of code without notifying the user on Windows at all. This cannot be done on OSX -- you need to type in a password to modify anything in the system.

Every Windows user has enough privileges and rights to modify certain files and parts of the OS to do serious damage. The OSX user does not have these privileges.

The two people that were infected with this iChat Trojan had special administrative privileges configured for their systems -- a difficult thing to do and something that the average Mac user will never do. In such a case, you're not really running a UNIX system since the OS has been tampered with knowingly by the user.


Posted by: crazierthanu | May 3, 2006 7:26 PM | Report abuse

BK, if you see this I just wanted to say nice work and I agree with you entirely. I would have liked to see a comparison to BSD and perhaps MS all lumped together, but it was educational nonetheless. I am proficient in all of these platforms and I have to say that OSX is in for some trouble. And before some jackass goes off on a "I'VE BEEN USING MACS FOREVER AND I'M INVINCIBLE": shut up. Shut up now. In case you haven't noticed, circumstances change, and we're talking about the beginning of such a change now. The change is a combination of increase in market share and more importantly, a switch to X86 processors. Before, Macs were foreign machines; to simply program for one you had to go spend a ton to get one. Now, all on the same level. Also, no one has brought up the security issues in Unix - YES UNIX. I'd like to remind you all that Macs were built using an old Unix core as a backend - and Apple hasn't patched some of those old holes in years. Linux, on the other hand, uses its own kernel, which it has carefully updated religiously. I bet that the first viruses/trojans will be targeting Unix, and they will be whoppers (arbitrary code, rootkits, as bad as it can get).

Posted by: Mirag3 | May 3, 2006 9:37 PM | Report abuse

"the change is a combination of increase in market share and more importantly, a switch to X86 processors."

Less importantly. Completely unimportantly.

The thousands of instances of malware out there... this is not "internet malware," nor is it "Intel malware." It's Windows malware. Designed for Windows, executing under Windows.

If the x86 processor is computerdom's Achilles' Heel, why doesn't Linux (which you don't need to "spend a ton" to buy) suffer from the same number of exploits as Windows, if not more?

As has been said, no computer is completely safe from attack. But there are _degrees_ of safety. Those who think that Macs using x86 processors will automatically unleash a virus flood clearly don't understand operating systems or computer programming very well.

Posted by: Rob | May 4, 2006 12:25 AM | Report abuse

I have read the comments section and I have to say to the Mac users, "Get over it".

The majority of Mac users who posted comments to this article showed their one-eyedness very clearly. They seem to have taken the article as a bash at them and their precious Mac machines when in reality the article is only highlighting that Mac viruses and, worse, Mac trojans are on the increase (undeniable) and are likely to only increase (also undeniable).

So to all those Mac users who are so offended by this article, don't complain when you, just like Windows users, are having to install monthly patches to protect your Macs. Don't get upset either when other Mac users through their inherited gullibility start infecting others without their knowledge all because they think they are impervious to malicious attacks.

At the moment some 90% of Windows infections are distributed by gullible Windows users who don't understand the importance of patching, and you can bet your bottom dollar that when (yes when) Mac viruses and trojans are prolific the same will happen to Mac users too.

Wake up or be a victim, it's your choice, personally it makes no difference to me, I know how to maintain my PC and fix it when it goes down, how many Mac users can say that?

Posted by: Horus | May 4, 2006 2:31 AM | Report abuse

So let me see if I have this straight.

Apple takes longer to release patches than the folks that release patches for various Linux distros. And this is a big deal because... well, one of these days, there's going to be a real, honest-to-goodness virus for the Mac.

And some people think we're getting closer to that day because of a trojan that was released in February, which has garnered lots of attention, even though it didn't exploit a vulnerability in the operating system or an application and couldn't spread to other computers over the internet. It could only do something if a user downloaded the file, ran it and entered an administrative password.

None of these articles mentions that although there are 25-30 million Macs in active use (with say 50-60% of them running some version of Mac OS X) that there's never been a virus--not some proof of concept, not some inert trojan, something that exploits an operating system or application hole, causes damage and replicates itself to other machines across the internet.

The conventional wisdom says there aren't enough Macs out there to be worthwhile for the attackers and malware writers to bother with--you know, security by obscurity. As usual, the conventional wisdom is wrong.

We have evidence that even a population as small as 12,000 machines has been targeted by attackers. The summary: every machine running a particular piece of software on the internet (12,000 machines) was taken out by a worm--in 45 minutes.

You can read the story at http://www.computerworld.com/securitytopics/security/virus/story/0,10801,93584,00.html.

If someone felt it was worthwhile to take out 12,000 machines, why not many millions of Macs? It's interesting why none of these articles ever mention this; they just keep repeating the "there aren't enough Macs to bother with" meme.

Macs are widely used in higher education (researchers and scientists at places like MIT and Stanford) and biotechnology. Heck, just about every Fortune 500 company with a creative department has Macs--imagine the havoc that could be caused by a successful attack.

Anyway, getting back to the Mac. Sure, Mac OS X is based on FreeBSD, but Apple added its own security infrastructure. They don't talk much about it, but you can read all about it: http://images.apple.com/macosx/pdf/Mac_OS_X_Security_TB.pdf

Here's the bottom line: unlike Microsoft, who has lost control of their operating system as far as security goes, Apple has not. So until something more serious happens than lots of articles being written, they can take the time needed to release security patches that have been properly tested. Unlike most Linux distros, which are collections of programs, Mac OS X is a system. And when you make multiple changes to that system, that has to be tested thoroughly. Just patching ssh or Apache doesn't require release engineering of the entire distro, which is why they can release the patches faster than Apple does.

Remember, out of the box, there are no ports open and no network services running. There's nothing like Active X. Root is disabled. The articles tend not to mention that there's precious little for attackers to attack. This buys them some additional time to get patches out. Could Apple put out a patch in a week if they had to? I'm sure they could, but so far, they have rarely been put into that situation.

In general, the Mac community consists of many users that don't know anything about TCP/IP ports or network services, so they don't know to turn them on.

And then we have lots of developers, system admins, scientists and researchers that are clueful and usually take the proper precautions--they have good passwords, use secure protocols when needed, Software Update checks daily for updates, etc.

Compared to most platforms, there are relatively few in the middle--enough knowledge to be dangerous and doing dumb things.

By design, Mac OS X keeps the clueless and the clueful safe, without getting in the way. As long as this design paradigm doesn't change, Apple and Mac OS X should be relatively safe from a widespread virus or trojan attack.

The switch from PowerPC to Intel doesn't change this. And the increase in marketshare doesn't change it either.

It's hard to imagine a scenario where Mac OS X becomes broken in a way we're not currently aware of to allow anything remotely close to what we have on Windows today, regardless of its marketshare. It's somewhat like saying that Volvos are safe cars, but they would become less safe if their marketshare increased. They would be 'targeted' more--there would be more accidents involving Volvos if more people owned them--but they wouldn't be any less safe.

Posted by: Al Willis | May 4, 2006 3:51 AM | Report abuse
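Both Maggard's post above ("no open ports ... come locked") and Al Willis's ("out of the box, there are no ports open and no network services running") rest on the same defensive idea: an exposed listening socket is a 'door', so the first thing to check on any box is what is actually listening and on which interface. The script below is an added example, not code from the thread or from Apple; it parses constructed BSD/macOS-style `netstat -an` output (the sample text is made up, not captured from a real host) and reports any externally reachable listener that is not on an expected baseline. A fresh-from-the-factory machine in the sense both comments use would have an empty baseline.

```python
"""Audit listening sockets against an expected baseline.

Added example (not part of the original thread). The input is constructed
text in the layout `netstat -an` prints on BSD-derived systems such as
Mac OS X; a real run would pipe the live output of `netstat -an` in instead.
"""
from dataclasses import dataclass

# Constructed sample of BSD-style `netstat -an` output (not from a real host).
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp6       0      0  *.80                   *.*                    LISTEN
tcp4       0      0  10.0.0.5.49152         93.184.216.34.443      ESTABLISHED
udp4       0      0  *.5353                 *.*
udp4       0      0  127.0.0.1.123          *.*
"""


@dataclass(frozen=True)
class Listener:
    proto: str  # "tcp" or "udp"
    addr: str   # bind address; "*" means every interface
    port: int


def parse_listeners(netstat_text):
    """Return the sockets that accept traffic.

    TCP sockets count only in state LISTEN; UDP is connectionless, so every
    bound UDP socket is treated as a listener. Header lines are skipped.
    """
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue
        proto = fields[0][:3]
        local = fields[3]
        state = fields[5] if len(fields) > 5 else ""
        if proto == "tcp" and state != "LISTEN":
            continue
        # BSD netstat joins address and port with a dot: "127.0.0.1.631", "*.22"
        addr, _, port = local.rpartition(".")
        if not port.isdigit():
            continue
        listeners.append(Listener(proto, addr, int(port)))
    return listeners


def exposed_listeners(listeners):
    """Keep only sockets reachable from other hosts.

    Loopback-bound sockets are 'doors' that only local processes can reach,
    so they are excluded from the exposure report.
    """
    return [l for l in listeners
            if not l.addr.startswith("127.") and l.addr != "::1"]


def audit(netstat_text, baseline):
    """Compare exposed listeners to an allowlist of (proto, port) pairs.

    Returns the sorted list of exposed (proto, port) pairs that are not in
    the baseline; an empty list means nothing unexpected is listening.
    """
    exposed = exposed_listeners(parse_listeners(netstat_text))
    return sorted({(l.proto, l.port) for l in exposed} - set(baseline))


if __name__ == "__main__":
    # Hypothetical baseline: an administrator who deliberately enabled ssh.
    for proto, port in audit(SAMPLE_NETSTAT, {("tcp", 22)}):
        print(f"unexpected exposed listener: {proto}/{port}")
```

On the constructed sample the audit with an empty baseline reports tcp/22, tcp/80 and udp/5353 but not the loopback-only CUPS and NTP sockets; the point is that the "no open doors" claim is something a user can verify on their own machine rather than take on faith, and that a service enabled later shows up as a new door.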

I tend to agree with the article: arrogance, opaque advisories, and all that. But as I'm late to the party I'd only like to nitpick about the so-called increase in Mac market share. See upthread. Well, there is no increase. At all. For some time Apple's market share has been around 2% worldwide and 4% in the US.

http://www.pegasus3d.com/mac_sales.html

Posted by: beep beep beep beep | May 4, 2006 3:56 AM | Report abuse

Apple needs to pull their finger out.

Microsoft's attitude towards security is almost right now. The only thing holding them back is their attempts to remain compatible with their past products, and that they continue to build upon a codebase that was not designed with security in mind.

Apple, on the other hand, has got an operating system that is secure by design and isn't bogged down by backwards compatibility issues. Unfortunately, their attitude towards vulnerabilities and security seems to be lacking in crucial areas.

Apple can sort out their issues by changing their attitude - MS can only fix their problem by ditching their codebase and (mostly) forgetting backwards compatibility.

I'd rather be in Apple's shoes, but they have to do something now.

Posted by: Michael Ward | May 4, 2006 6:06 AM | Report abuse

Why are people assuming that Apple's market share for computers is going to increase a lot? The articles I've read say there hasn't been much of a halo effect from the iPod; at most, maybe an increase from 3 to 4 percent of the market, which hardly seems enough to attract the attention of writers of malware.

Posted by: Naythaan | May 4, 2006 5:10 PM | Report abuse

Mac OS sux. Windows sux. 'nuff said.

Posted by: Anonymous | May 7, 2006 2:00 PM | Report abuse


© 2010 The Washington Post Company