Apple Works To Stave Off Big Mac Attack

Apple Inc. on Thursday issued patches to plug five separate security holes in software included on its Mac OS X computers. Mac users can download the free updates through the Mac's built-in software update feature or directly from Apple downloads.

The five flaws were vulnerabilities identified in January as part of the controversial Month of Apple Bugs project. Among those addressed in this go-round's batch are bugs in iChat, Apple's built-in instant messaging software, and Finder, the Mac's ubiquitous file-search capability.

Mac users hope that Apple soon will issue a remedy for the flaw the MoAB curators detailed in Apple's software update function. That's the same program that the company uses to push security fixes to its customers. I've received a half dozen e-mails from Mac users wondering how to mitigate the threat from this particular flaw. By my count, Apple still has to address at least 15 Mac-specific vulnerabilities highlighted in the MoAB project. But it's not clear which, if any, of these flaws are serious.

While there are scant indications that any nefarious characters are busy exploiting the weaknesses noted by the MoAB crew, it might benefit Apple and their customers if the firm explained how users could minimize their exposure to any of these potentially serious vulnerabilities.

"It should be very interesting to see what security changes Apple institutes in OS X 10.5, and if they dedicate more resources to improving the base security of the operating system," said Gartner analyst Rich Mogull. "Now that Apple is becoming more of a target, they should take advantage of the opportunity to improve fundamental platform security before we start seeing more exploits in the wild."

By Brian Krebs | February 16, 2007; 10:40 AM ET | Latest Warnings, Misc., New Patches, Safety Tips

Comments

Thank you for your article. Better to stick with Windows again. It is so secure and well managed.

Posted by: bilogic | February 16, 2007 12:10 PM

If you feel Windows is so secure, then why is MS issuing so many patches to update flaws within its own OS? Methinks you need to re-evaluate your statement about Windows being so secure.

Posted by: mmcgrane | February 16, 2007 12:30 PM

i think that bilogic might have been 'sarcastic'. see, that's what you do when you're trying to not be 'serious'.

Posted by: imgoph | February 16, 2007 12:47 PM

It was a hoot teasing my Mac nut friends over the MoAB. Great fun!

No OS is 100% secure. Windows, OS X, Solaris, HP-UX, various Linuxes, etc... all have security holes and vendors are constantly issuing patches to plug those holes.

Some people think only Windows has security issues which is a little unfair to MS. On the other hand, MS was very late to get religion about security and they bear some of the responsibility for the hundreds of millions of compromised and compromisable PCs out there. MS is the bad guy mainly due to the success of their platform.

Posted by: Ron | February 16, 2007 12:52 PM

"Now that Apple is becoming more of a target, they should take advantage of the opportunity to improve fundamental platform security before we start seeing MORE exploits in the wild."

I believe that statement would be more accurate if it said "ANY exploits in the wild".

Posted by: Giwt Ylevarg | February 16, 2007 1:18 PM

Is there any advice for us Mac users in regards to protecting ourselves against these threats? I currently don't have any virus protection on my G5 as I assumed there were no tangible threats, but in reality name brand virus protection software only catches 40%+/- of current bugs, and the heavy duty stuff will slow your computer down dramatically (even a quad-processor). So wzup? Any advice?

Posted by: macfan | February 16, 2007 1:25 PM

imagoph: "MS is the bad guy mainly due to the success of their platform."

Really? You should explain that to Microsoft who think they've made changes in Vista to make it more secure. Among those changes are requiring permission to install programs. That's been in MacOS X since it first shipped.

So which is it? Did Apple have a more secure system to begin with, or is Microsoft lying when they say Vista is more secure than XP?

Posted by: Anonymous | February 16, 2007 1:35 PM

Not much advice is needed macfan, just stay the course. Simply by using a Mac OS you're fairly safe through a combination of a quality OS and a bit of luck. No, Macs are not absolutely secure, but they are more secure and stable than Windows machines - ask most IT people who are familiar with both (-actually- familiar, not just that they've heard of Macs). On the luck side, if you were writing a virus, how likely would it succeed if you only targeted 5% of the machines out there as opposed to 95%? Which is the bigger prize?

Of course, Windows copies the Mac so much that eventually you figure they'll copy the security of the OS as well ;-)

Posted by: macforlife | February 16, 2007 1:36 PM

re: "I currently don't have any virus protection on my G5 as I assumed there were no tangible threats, but in reality name brand virus protection software only catches 40%+/- of current bugs"

First, virus protection does nothing for "bugs" - those need to be fixed by a program's creators.

Second, there ARE NO tangible threats on Mac OS X, so you are just fine. Indeed, it would be close to impossible to design any protection before the threat even materializes.

Finally, please everybody stop equating vulnerabilities with exploits.

While there will always be vulnerabilities in complex software, including OS X, there have only been less than a handful THEORETICAL exploits, created by hackers with ties to antiviral companies as proof of principle demonstrations. There has to date never been any epidemic spread of malware on Mac OS X (there were a few for OS 9), although that will always remain theoretically possible.

Posted by: cbum | February 16, 2007 1:36 PM

"Finally, please everybody stop equating vulnerabilities with exploits."

What, and eliminate 25% of what Krebs writes about? Perish the thought.

Posted by: Judge C. Crater | February 16, 2007 3:02 PM

"MS is the bad guy mainly due to the success of their platform."

BTW, I said that, not imgoph.

I suppose I should explain further. Let's assume the tables were turned as far as market share and over 95% of the PCs out there were OS X based and less than 5% were Windows based. Which platform do you think the bad guys would be attacking?

Now it may be true that in such a scenario that there would be far fewer exploits than Windows has had, but the number would not be zero and the number would be larger than the known OS X exploits of today.

Bad guys don't attempt to attack OS X because there is little or nothing to gain due to lack of market share. The bad guys figure out their potential ROI, time spent versus potential gain. It's a numbers game, the ROI is only sufficient if you have large numbers of target machines and they are easy to find.

In Microsoft's case, because they were so successful, the numbers we are talking about are HUGE. The large number of machines coupled with the very poor security in all Windows products before XP SP2, brought us to the state we are in today.

XP SP2 and Vista may not be perfect. Heck, I'll admit they aren't, but if every Windows box in existence today was reloaded with a clean copy of XP SP2 or Vista, properly configured with firewalling & virus scanning, the bulk of the exploits currently in the wild would drop significantly. Too bad the genie is already out of the bottle.

Posted by: Ron | February 16, 2007 3:58 PM

Ron, I am not a raving Mac fan, but pinning this all on market share is a bogus argument. Perhaps a more appropriate comparison would be...
if you had $100 glued to the front window of your store and $100 in a bank vault, which would be more likely to be stolen? Windows is the inherently more vulnerable OS.

BK, didn't the US Army adopt some MAC web servers several years ago? Did that work out for them? If I recall, there were predictions it would get MACs a lot more exposure to hacking attempts

Posted by: OhioMC | February 16, 2007 5:45 PM

Cbum -- Welcome back. While I can't argue with what I believe was your intended point -- that there are no known automated attacks to speak of "in the wild" against Mac users -- there were in fact exploits published for all of the flaws Apple patched this week. With a few exceptions, the MoAB people published exploit code for all of the bugs they detailed.

Posted by: Bk | February 16, 2007 6:26 PM

Brian,

I had no problem with your report - this time ;-)

I should have said "everybody but bk" ...

Posted by: cbum | February 16, 2007 10:14 PM

I can't stand Macs - overpriced, very little choice of hardware, and the OS hurts my eyes - everything is white/silver/blue.

I don't like windows either: it looks like they invited Fisher Price to the table when they designed the look and feel of XP.

And will someone please shoot that damn Linux Penguin ;)

So now that I have established that I'm reasonably unbiased in my opinion...

Why don't people see the real light: that NO operating system is ever going to be perfect, as they are inherently complicated by the job that they have to do, and this leads to mistakes/oversights/vulnerabilities, and at the end of the day we only have the problems that we do because there are some people that are sad enough to want to go out and exploit these problems.

If the scammers / virus writers / script kiddies decided to get real jobs and become decent citizens, then we would never be having these Windows/Mac/Linux bashing conversations.

I'm not saying that the companies that produce these operating systems are not at fault to some degree. They chose their line of work, they overcharge us for their products, and therefore they must adapt to the modern threats. But let's not be too stereotypical and blind in our accusations, as there are more people at fault: virus writers, scammers, and to a lesser degree those users that are so blind that they don't secure their computers to even a basic level.

I think that anyone who installs kazaa/limewire and such filesharing applications, with no antivirus and firewall, should be taken out and shot. I must see 2 or 3 kids a week with screwed laptops at the school where I work. I just turn around and laugh when they seem amazed they have got a virus!

Posted by: SlickRick | February 17, 2007 8:36 AM

Brian, can you explain to me how the Software Update bug makes me vulnerable as an OS X user?

From MoAB, "We are conducting further tests around Software Update and possible vectors to abuse this issue. So far, we have worked around Mail.app via crafted attachment, 'pushing' Safari to download the file (which is downloaded at the user Desktop folder automatically, by sending it as the associated MIME type application/x-apple.sucatalog+xml) and obviously locally opening the file."

So, they've managed to make Safari download a file and it is saved in my Safari download folder. Now what?

Posted by: James Bailey | February 17, 2007 12:33 PM

James -- That's exactly my point: It's not clear whether it's something users should be concerned about or not. Apple has not issued any sort of advisory that would let people know or recommend any workarounds -- if indeed they are needed.

Posted by: Bk | February 17, 2007 3:12 PM

I don't think Krebs has used a Mac for very long if at all. Someone should loan him one to use. He would sing its praises in all caps after actually experiencing the Mac advantages. Somewhere he might even look up the difference between an exploit and a vulnerability. I'd like the name of one Mac OS X user who has lost data or even a 1% slowdown to an exploit. Come on Krebs, put up or shut up.

Posted by: Bradley Dichter | February 18, 2007 1:19 PM

FYI...

- http://isc.sans.org/diary.html?storyid=2265
Last Updated: 2007-02-18 19:44:42 UTC ...(Version: 4)
"UPDATE: As of 17:00 EST, Clicking on Software Update again does not show the older updates. It appears Apple has fixed the problem."

Posted by: J. Warren | February 19, 2007 8:03 AM

Why are you publishing, without warning, the URL to the iChat MOAB posting (bug #29), which, still, contains a malicious JPEG file, as documented various places (including isfym.com) and which I mentioned to you in a private email? Doing so is a disservice to Mac users everywhere. Going to that page (with Safari and some other browsers) will, at minimum, hang your Mac.

Posted by: Alan Oppenheimer | February 19, 2007 11:05 AM

Brian -- This kind of says it all:

James -- That's exactly my point: It's not clear whether it's something users should be concerned about or not. Apple has not issued any sort of advisory that would let people know or recommend any workarounds -- if indeed they are needed.

Posted by: Bk | February 17, 2007 03:12 PM


It would be nice to see some numbers with the MOAB stuff. I know people with Macs and we laugh at the MOAB stuff. We don't know anyone who leaves the streaming open on Quicktime. For over a year, I have used my Mac, but even Apple hasn't made me a chatter as I have yet to open iChat. While I like to read the 'better' comments in the Comments section it's becoming hard to do with all the repeated, inane flames. Yes, people have preferences, but no system is totally secure. Aren't we adults and a little smarter for reading Brian's column AND posting?

Posted by: umm.huh | February 19, 2007 2:16 PM

" Finder, the Mac's ubiquitous file-search capability. " ... do you mean Spotlight? Finder is the file management application.

Posted by: Peter Morgan | February 20, 2007 9:00 AM

>"It should be very interesting to see ... Apple ... dedicate more resources to improving the base security of the operating system," said Gartner analyst Rich Mogull.

Why would that be interesting when the base security is - well - the foundation for a robust, secure system already? And by design. Would it be interesting to this analyst because it would indicate that someone, somewhere is paying attention to their advice?

And why is it necessary to quote yet-another sage-sounding Gartner analyst, anyway; when it comes to Apple's current OS, these "analysts" seemingly can't find their own butts with two hands and a good swift kick:

>"Now that Apple is becoming more of a target, they should take advantage of the opportunity to improve fundamental platform security before we start seeing more exploits in the wild."

"More"? "More" is relative, but what fact is the first use of "more", implicitly, referencing? Is Gartner itself doing the targeting? No one else seems to be.

Perhaps its use is made necessary - for the analyst cited to peddle the fear, as it justifies the title and the salary. As for the second "more" - there being no known in-the-wild exploits, "more" equals "an"...

When will the analysts' spoutings be subject to a reasonable level of scrutiny, rather than being taken on par with papal bulls?

Posted by: Michael | February 20, 2007 4:00 PM

So there aren't any hackers anywhere on the planet that aren't chomping at the bit to compromise OS X in a meaningful and easily exploitative way? I find that very hard to believe. And given the fact that Fairplay has been hacked, it can't be because no one cares about hacking Apple software. It might just be that OS X is a little more bulletproof than the Windoze/Linux evangelists want you to believe.

Really, it makes me laugh when goons like Krebs try to drum up some non-existent controversy about the state of Mac security when Windows has been plagued for years by viruses and other exploits. Kinda like how the MSM goes ga-ga because a has-been pop singer shaves her head while the whole country turns to poo (but that's for a different argument altogether).

One last thing to the Mac users -- if some Windoze bozo gives you grief about spending more money on a Mac, just say what I say -- "I'm willing to pay more for a superior operating system."

Posted by: Dan | February 21, 2007 3:45 PM

Still not a single Mac compromised...

Posted by: Yawn... | February 22, 2007 10:18 PM

©  The Washington Post Company