A Time-to-Patch: Apple 2006

Apple computer users mostly stayed off the radar screens of the criminal hacker community in 2006, even as the Cupertino, Calif., software company learned of an unprecedented number of serious security holes in its Mac OS X systems and other software. At the same time, many of those same flaws have made Web surfing more precarious for Apple's largest and fastest growing customer base -- Microsoft Windows users.

In a study of updates that Apple shipped last year to remedy serious security holes in products such as QuickTime and iTunes, Security Fix found that the company released patches to plug at least 104 critical security vulnerabilities. That is more than twice the number of severe security holes that the company patched in all of 2004 and 2005 combined.

Unlike other software makers, Apple doesn't rate the severity of software security flaws it discovers and patches. So, as with the previous time-to-patch analysis, the 2006 study looked solely at weaknesses that Apple's advisories said could provide attackers a way to remotely compromise the integrity of a targeted system.

More than two-thirds of the vulnerabilities included in this analysis were reported or disclosed by outside researchers. Security Fix contacted dozens of independent researchers who discovered Apple flaws to compile this report. Apple officials have repeatedly declined requests since December 2006 to provide data or any kind of meaningful response to this study.

On average, Apple took about 82 days to fix the most serious vulnerabilities in its software products last year. This figure represents a measurable improvement over Apple's 2004 and 2005 time-to-patch times, when Apple fixed security problems, on average, within about 91 days of notification. However, I should note that Apple declined to disclose the dates that in-house researchers first learned of nearly one-third of the flaws examined in this study, so the true time-to-patch number may be higher. (Apple also declined to provide missing dates for the 2004-2005 study.)

That's just a hunch, of course, but it's based on evidence collected during this review.

The study also shows that the company managed to correct flaws much more rapidly last year when it came to vulnerabilities that researchers detailed for Apple at the same time as they demonstrated them to the rest of the world. In the dozen cases during 2006 when Apple first learned of a vulnerability after a researcher posted proof of it online, the company fixed the problems in an average of 23 days -- or about 72 percent faster than it remedied privately reported vulnerabilities.

A chart detailing the time it took for Apple to issue its most important patches from 2006 is available here in Microsoft Excel format, and here in plain HTML.

The practice of publicly airing details on previously undocumented and unpatched security flaws -- known in the industry as "full disclosure" -- stands in stark contrast to the private notification approach favored by software vendors, which industry heavyweights such as Apple and Microsoft like to call "responsible disclosure."

The software makers charge that when researchers publish details about unpatched security holes, criminals also get access and are more likely to attack computer users. During the time a patch is being created, the companies argue, customers become caught in the middle.

But advocates for full disclosure counter that responsible disclosure naively assumes that the vendor and the researcher are the only ones who know about the security weakness. More importantly, the argument continues, full disclosure shines a public spotlight on security problems, thereby preventing vendors from dragging their feet in fixing them.

Bruce Schneier, chief technical officer for security firm BT Counterpane, believes computer users are always better served by full disclosure.

"Things just don't get fixed quickly otherwise," he said. "That is the mechanism by which consumers know what they're buying, because there's no transparency in the market today. Report your vulnerabilities to Apple, fine, but you also have to publish them. This is how we as a species get smarter."

A researcher who asked to be identified by his online pseudonym "drunkenbatman," practiced full disclosure at least twice last year with his findings, posting images on his Web site that caused crashes for people who visited the site with Apple's Safari Web browser.

"I think these kinds of stats are valuable data because they show that there are consequences for responsible disclosure, in that if it gets disclosed openly, it gets fixed faster," drunkenbatman said in an online chat with Security Fix. "I know apologists will say, 'Well, yes, but Apple takes 90 days because they can integrate it with their existing development cycle, which makes things of a higher quality.' But it's not the customer's job to worry about what's easier for Apple."

Researchers chose full disclosure with Apple in 2006 more often than they did in the prior two years combined. In 2004 and 2005, Apple learned of serious vulnerabilities just four times through full disclosure.

Last year, researchers told Apple and the rest of the world about more than a dozen previously unknown and serious security flaws. (Several vulnerabilities detailed in the accompanying chart were publicly disclosed before a patch was available, but they are not highlighted as full disclosure because other researchers had at an earlier date privately provided Apple details of the same flaws.)

There are indications that Apple is investing more resources in communicating with the security research community. Tom Ferris, a researcher who in last year's analysis was critical of the time it took Apple to respond to reports of new vulnerabilities, said the company has since improved on that front.

"Their response time has been a lot better for me than it was last year. I'm not getting the old automated response back, I'm actually getting a live person now," said Ferris, who reported seven of the holes featured in this study. "They seem to be taking these reports a lot more seriously, but they still have a long way to go as far as internally finding these vulnerabilities themselves."

Market Shared?

The feedback I received most frequently from the Mac community when I posted the results of Apple's 2004-2005 time-to-patch analysis last year went something like this: "Who really cares whether Apple takes three months or nine months to fix a problem, so long as nobody is really attacking the platform?"

One popular response is that the paucity of attacks against the Mac vs. Windows machines has more to do with Apple's relatively small market share than it does the security of the underlying operating systems. If Apple only held a larger share of the market for Internet users, the idea goes, malware writers would shift their focus to begin attacking Mac users.

This theory holds that plunderable security holes in the Windows platform and Windows software are so bountiful and lucrative that cyber criminals simply can't be bothered to attack a relatively unfamiliar platform just to gain a few extra victims. With the advent of Intel-based Macs and a steadily growing Apple market share, that notion may soon be tested.

But one reality is becoming harder to ignore with each successive patch update from Cupertino: Increasingly, cross-platform Apple staples like iTunes, QuickTime -- and now Safari for Windows and the iPhone -- are beginning to blur the very definition of market share, at least from a security standpoint. The reality is that the implications of Apple's patch times now extend well beyond their potential impact on the core Mac user base.

For example, tens of millions of Windows users who own some version of an iPod also have iTunes installed. Apple's iPhone -- which already has somewhere close to a million users (the majority of them no doubt Windows customers) -- could bring its own share of security risks.

Apple recently ported Safari for use on Windows. About 20 percent of the serious flaws Apple patched last year were due to vulnerabilities in Safari or key Safari components.

"Apple's real platform is media -- not the operating system -- and that has much more market share or penetration than any other Apple product," said Dino Dai Zovi, a security researcher who has reported numerous vulnerabilities to Apple over the past several years.

Bundled with iTunes is QuickTime, an application that harbored approximately one-third of the most serious software vulnerabilities that Apple patched in 2006. In nearly all of those cases, the QuickTime flaws were similarly exploitable on both Windows and Mac systems, most often by merely getting the user to view a specially-crafted image file or video file.

In early December 2006, a computer worm powered by a QuickTime flaw spread rapidly among social networking site MySpace.com's 80 million users. The "QuickSpace" worm, as it was later dubbed, replicated by leveraging a flaw in the way QuickTime videos were embedded in Web pages. The payload was crafted to steal MySpace user names and passwords from people who visited a hijacked MySpace page. More than 100,000 MySpace users had their credentials filched as a result of the worm, which used compromised MySpace pages to blast out online ads for adult Web sites.

With such a high-profile demonstration of how this new weapon could be used, one might think that Apple would have sewn up the vulnerability in a matter of days. It did ... sort of: Apple provided an update that fixed the problem, but the patch was made available only for MySpace administrators and users. It took Apple until March 5 to plug the QuickTime hole in a publicly available patch -- almost three months to the day after the QuickSpace worm first surfaced.

QuickTime flaws are among the arsenal of tools now embedded in the likes of "Mpack" and "IcePack," two of the more prevalent exploit creation kits sold on underground forums. In June of this year, thousands of legitimate Web sites were seeded with Trojan horse programs created with Mpack, dropping password-stealing programs on machines when users visited the sites without the aid of the latest QuickTime patches.

Indeed, the fact that we're now seeing Apple programs like QuickTime showing up in these mass exploit tools appears to be a recognition by criminal hackers that at least this Apple component has achieved a sufficient market share to become a target worthy of automated attack, drunkenbatman said.

Earlier this month, criminals embedded a similar exploit in online ads that ran on job search giant Monster.com. The result: Nearly 50,000 people had their personal information and/or Monster.com login credentials stolen.

By Brian Krebs  |  September 4, 2007; 8:00 AM ET
Categories:  From the Bunker  

Comments

Your last paragraph:

Earlier this month, criminals embedded a similar exploit in online ads that ran on job search giant Monster.com. The result: Nearly 50,000 people had their personal information and/or Monster.com login credentials stolen.

is totally unrelated to Apple's security. Yet, it leads the reader to believe Apple's software is somehow related.

It's odd that "security researchers" find all these flaws with Apple's operating system and applications software when I've been using them for over 21 years and have never had a problem, especially in the last six or seven.

Posted by: Paul | September 4, 2007 9:02 AM

Migod the fanboys are here already.

Posted by: Rick | September 4, 2007 9:21 AM

Click Brian's link on the Monster.com affair:

"It generates Trojans that probe for the absence of several software security updates holes that then permit the program to deliver its viral payload. Among the many weapons in its arsenal are exploits for recently patched security vulnerabilities in Apple's QuickTime and Microsoft's Windows Media Player. It also includes exploits for multiple Web browsers, including Internet Explorer, Firefox and Opera."

I see QuickTime included in the list of vulnerable software being exploited by the trojan.

Frankly, the fanboys help no-one.

Apple isn't a football team to be supported come what may. When they don't do as they should -- look at those delays in patching -- people need to say so publicly, so that they *have* to take notice.

As Bruce Schneier has said before, the temptation for software companies is to treat vulnerabilities as a PR matter not a technical problem. Therefore, they need to be kept honest by the force of well-founded public approval/disapproval.

As an Apple user my heartfelt thanks to you, Brian, for making this research public.

Posted by: Mike | September 4, 2007 10:18 AM

I love bloggers like this. As in the previous comment, I have used Apple computers since 1988 and have never had an OS or software problem, other than those from Microsoft Office products. News must be slow today, to complain about the "slowness" of Apple's response to a few non-vulnerable software holes, when Microsoft OS systems remind me of Swiss cheese.

Posted by: Richard | September 4, 2007 10:21 AM

I've done this same time-to-patch analysis with Microsoft and Mozilla for the past three years, so no one is singling out Apple on patch times.

Also, while I went over the chart time and again, it may still have typos or tiny errors. If anyone finds an error, please let me know either by posting a comment here or by dropping me a mail at brian-dot-krebs-at-wpni-dot-com

Thanks.

Posted by: Bk | September 4, 2007 10:29 AM

Fanman here Windows dweebs...

Wake me up when there is any real news, about a real threat, to a real Mac user, will you?

Mac is not a natural home for juvenile, miscreant Windows lemmings.

Posted by: Jon T | September 4, 2007 10:41 AM

Millions of PCs must be toiling away as slaves to malware introduced through "serious security holes in products such as QuickTime and iTunes." Good thing this outbreak of Apple-enabled malware is so well documented in your article. Otherwise, the use of the term 'serious' would be so much breathless hyperbole and "potentially serious" or even just 'potential' would be more accurate.

Based on the results so far, Apple's due diligence (no matter how it's derived) seems to be fine. Making it sound like something 'serious' is wrong when no actual data exists to support that conclusion (which reminds me of the Airport hacks but that's another rant) is unwarranted. When the successful hack comes AND is exploited I'm sure that Apple will, like any large, slow-moving animal, throw more resources at the problem.

Posted by: Judge C. Crater | September 4, 2007 10:55 AM

If your column has convinced any Mac users to:

1. Make sure their firewall is actually on, and
2. Look into some security software (I use the Intego Suite)

...then you will have done a real service. Apple is running behind in some ways (particularly in vetting web pages before loading them) and the first big Zero Day mac-focussed attack could cause a lot of pain and hardship. For now, Macs run clean, but it's easier to stop an epidemic before it ever gets started.

Posted by: Keyword | September 4, 2007 10:56 AM

Krebster actually makes a good point that with increasing cross-platform Apple apps, the risk factor is not just Mac installations, but QT/iTunes (largest install base).

Safari for Windows, I think everyone agrees, is not a real contender for any market share. iPhone is also different enough from Macs that it may not be a significant problem for 1-2 years -- although the fact that all iPhone apps are running as root seems problematic.

However, in his haste to make headlines, the data doesn't add up. Yes, QT/iTunes vulns are a problem, but according to his own data they are the ones getting patched the quickest. So Apple is aware of the problem and is doing something. Problems on the Mac platform -- for better or worse -- are minor league security issues -- despite Krebster's repeated attempts to puff up the problems.

Posted by: Charlie | September 4, 2007 11:29 AM

"I have used Apple computers since 1988 and have never had an OS or software problem"

I can say the SAME thing about my use of Microsoft products. So, what does either statement prove? Nothing.

"Wake me up when there is any real news, about a real threat, to a real Mac user, will you?"

That's an ignorant statement. Basically says I'm going to put my head in the sand until something bad happens.

The key here, regardless of the software maker: the best defense is a good offense!

There is no security through obscurity!

Posted by: TJ | September 4, 2007 11:33 AM

@TJ:
Most of these statements are ignorant. Or as Chris Pirillo described it: 'smugly stupid'. Best of all of course is Charlie. He's got a shrine to Brian at home. Performs rituals every night - as soon as it's lights out in the other trailers in the park.

Posted by: Rick | September 4, 2007 11:41 AM

Posted by: Oh yeah, Pirillo hates Macs | September 4, 2007 12:00 PM

It's hard to argue with the basic principle that it's a good idea to keep Apple's security feet to the fire with well researched reporting.
And it's undeniable that Apple (not the mac platform) is becoming a much larger security target with their music/video content-driven expansion into the windows jungle.
Unfortunately, IMHO, BK's analysis does not have the necessary granularity to be of much use, since there is no stratification whatsoever between different levels of risk, and platforms, both of which would obviously have a large impact on the urgency of fixes. Of course, that limitation is due to Apple's lack of communication, but it still makes the analysis fairly useless since important events are diluted out with unimportant ones.

And as to the interesting philosophical question of full vs responsible disclosure, I'm surprised no one has suggested the obvious answer, which is to responsibly disclose with a time limit to force action if desirable.

Posted by: cbum | September 4, 2007 12:32 PM

@cbum:

Granularity? Hello? There's a statistical table there. You apply the granularity you want, fanboy. Bk makes a few observations, as do others, and leaves the driving to you. If that makes your girdle pull and tear at the wrong places, don't blame them.

Posted by: Nyckelord | September 4, 2007 12:43 PM

always nice to be remembered. And you do have to wonder about Krebster's fans boyz -- a bit too quick to attack?


Since they won't go granular, let me give it a try:

My point is that Krebster raises an excellent point that QT (and iTunes) are now popular enough that "Security through Obscurity" doesn't work. Not sure about iTunes; the Mac version seems very very different from the PC version (both suck, but the PC REALLY sucks, and I don't think it is a direct port).

So on his chart he lists 27 QT vulns (for 7.04, 7.1 and 7.1.3). Average time for those was 74 days, although the length for 7.1 and 7.1.3 were much longer.

I'll let you draw your own conclusions. My own are that Apple may be slow -- and it is also an issue this year that they seem to have resource allocation problems in the OS division (slippage of Tiger ship dates) -- but that the majority of the vulns out there are not QT based -- they are in the standard problems.

I also find it interesting that Krebster hasn't gone through the list where Apple has not patched some of UNIX apps that ship with MacOSX, as those are some of the easiest way to get into a MacOSX installation.

Posted by: Charlie | September 4, 2007 1:09 PM

Charlie Charlie Charlie...

Posted by: Karl Johan | September 4, 2007 1:16 PM

Call Mac users names all you want, but I think they are just railing because this sort of reporting is desperately trying to compare Mac to windows and there is really no comparison from a security standpoint.

What of Maynor and Ellch? That was just a lot of bunk I guess. I have to totally agree with Gruber. I mean, Krebs and Ou said it would all come out and then, guess what? Nothing... Cash that check from Microsoft.

I think the real fanbois are seeing their monopoly share evaporate. I think they are getting tired of seeing all those Apples on laptops. I think it's getting time to panic.

Now that we are seeing so many Macs out there, where are all the viruses? Huh? Wait and see? Thought so.

Right that there is no security through obscurity, that was only Microsoft FUD (some of the best they ever came up with, I might add). Any real analysis of Apple's marketshare (be it Quicktime, OS, etc... anyway you cut it) there is nowhere near the vuln ratio you see in Windows. If it were even close, we'd see hundreds of exploits. What do we have? A handful of vulns, most of which are mostly chest thumping by Windows fanboys.

Posted by: Brewer | September 4, 2007 1:35 PM

@Brewer:
You need to consult your physician about that. There are cures today. Modern medicine has made such progress. Don't give up!

Posted by: Rewbie | September 4, 2007 1:49 PM

Interesting article. I too have used Macs since the 80's. I have seen a few issues since. A recent one was when someone downloaded a fake superdrive update that reconfigured his airport. We solved it in no time but hacks for macs exist. No system is infallible, but I believe Macs in general are by far the easiest and safest to use. Why would anyone want to hack a mac anyhow? It's not like the S&P 500 use them.....

Posted by: bikerider1 | September 4, 2007 1:54 PM

I can't take this anymore, Krebster. I'm going to close down my blog (or sell it) and then sell all my Macs. I can't take it anymore. Going to move to Hong Kong and become a waiter or something. I give up. Sorry for the way I harassed you all these months (and years). We'll be in touch.

Posted by: Charlie | September 4, 2007 1:58 PM

@Rewbie

Nice going, way to rebuff each point. Thanks for leaving my Mom out of it. :-)

Posted by: Brewer | September 4, 2007 2:25 PM

Richard> I have used Apple computers since 1988 and have never had an OS or software problem

Really? If you want to go back to '88, consider yourself extremely lucky--I spent a lot of time in the '90s cleaning viruses off of Macs. In fact, here's a little quote from Time magazine, September 26, 1988, when computer viruses were just beginning to surface in significant numbers:

"Another virus, called SCORES for the name of the bogus computer files it creates, first appeared in Apple Macintosh computers owned by Dallas-based EDS, the giant computer-services organization. But it spread rapidly to such firms as Boeing and Arco, and has since turned up in computers at NASA, the IRS, and the U.S. House of Representatives."

Yes, current Macs are far less prone to malware problems than Windows systems, statistically speaking. But why do all the Mac-lovers always trot out Windows to make Macs look good? It's nothing more than cheap misdirection. Why don't you compare MacOS to, oh, say, OpenBSD, or even Linux? Statistical vulnerability is one facet of the issue; targeted vulnerability is another, and people who confuse the two do so at their own peril.

[Before you call me a Windows fanboy, be assured I am not. I am writing this on a Linux box, which is my platform of choice. And the fact that I don't use Windows doesn't mean I throw caution to the wind.]

Also, you conspicuously don't mention hardware problems, but it needs to be said that Apple makes crappy power supplies. Again, if you've never had to deal with a dead Mac power supply, count yourself lucky.

Posted by: antibozo | September 4, 2007 3:14 PM

What we all need to see is a long term, side by side comparison of Mac vs. Windows "public" patches applied to both organized by type and severity. The length of time it takes for one vs. the other defines the importance of diligence and speaks volumes as to the approach a manufacturer takes to satisfying their customers, but it's not going to settle the dispute as to which OS is "better" in terms of patches, the only non-biased way to report true quality and quality control.

Does such a study exist? Link it, so we can see it, if so.

Speaking as a current iMac user but also a long time PC user since the early 1980's in both the personal and professional domain, my iMac does outperform a Vista PC with similar hardware and memory, and with 5% of the issues. I've got the firewall turned on, Firefox with latest patches, require password to install stuff, and found Mac versions of Cisco VPN client, Dreamweaver, Adobe PS CS3, Microsoft Office suite, and so on. Meaning, I don't run Parallel's virtual setup or partitioned/dual booted my system because it wasn't necessary to do so.

I suspect a lot of modern Mac users are like me, very happy without "losing" anything vital and suffering reboots and screens of death less on the Mac than Windows. I emphasize... less, not zero, and of course both are imperfect.

But it is fair to say "less" problems, i.e. for me 95% less, seems to be true when running a Mac with the same high caliber commercial software as on a PC.

I consider that more relevant to this conversation than simply comparing the OS's distinctly.

-jim

Posted by: Jim Goldbloom | September 4, 2007 3:15 PM

It would be nice if Apple addressed every vulnerability in 10 days or less, but it doesn't. Does that make Apple devices or software more vulnerable than need be? Probably. Does it make them more dangerous than anything related to Microsoft and Windows? Hardly.

Apple can and should (and probably will) do more and do it faster as its position in media and computers and software rises. Let's encourage the company to do better as well.

But to equate the risks of using Apple software or products with Windows and Microsoft products (which some appear to be getting at), is a mistake and a sad joke at best.

Posted by: Bill | September 4, 2007 3:16 PM

Paul> I've been using them [Apple things] for over 21 years and have never had a problem, especially in the last six or seven.

What does that mean? Especially never?

Posted by: antibozo | September 4, 2007 3:35 PM

Fer' cryin' out loud security through obscurity aside it's not a question of which OS it's a question of how it's configured:

Windows default configuration: System Administrator with full file access no password required after login = Front Door Wide Open.

OS X default configuration: System Administrator with full file access password required to install software = Night-latch on.

Your best option regardless of OS: Limited user access no power without admin password = Deadbolt locked.

Windows doesn't do itself any favors by making it a pain to operate as a limited user primarily because so many developers seem to assume that all users will have write access to C:/Program Files (and / or the registry)

It seems every report on security exploits mentions the effect on fully patched systems, but rarely do they mention the effect on limited user account (generally, I suspect, nothing unless a trojan can convince the limited user to supply the admin password to install said software)

BK, given that you're such an advocate of limited user accounts how about noting how they would be affected by any holes / exploits you write about.

Posted by: Norm | September 4, 2007 3:38 PM

jim goldbloom: agree completely, but reporting like you suggest would mean that "computer security columnists/bloggers" would have to stop sensationalizing security problems with Macs. Outside of the myspace QT problem, I can't think of a real security problem for the Mac in the past 5 years -- as Krebster notes, QT is now more of a cross-platform thing than just a Mac thing.

That is why Krebster stepped in dodo with Maynor's wifi thing, and why he almost always makes a fool of himself when it comes to reporting on security on a Mac. Unfortunately, as mac-hater John Dvorak found out, 99% of the nasty security issues that drive Windows users crazy don't exist on a Mac. Maybe they will one day --clearly there are problems in the OS -- but there is precious little for bloggers/journalists to write about. Compare that to the Windows side, where security is probably the #1 or #2 problem for almost every Windows user.

And I'll be glad to pick up and go to HK when I stop seeing trolls out there trying to get hits by claiming "The sky is falling. The sky is falling."

Posted by: charlie | September 4, 2007 6:23 PM

Antibozo:
You're absolutely right. Apple's hardware can sometimes leave something to be desired. I have had problems with a power supply on one computer, in fact the one I'm using right now. It also did some weird things to the logic board. But never have I had a problem with an Apple OS. Yes, I know some of the earlier versions were less than stellar and perhaps because Apple was a small player during that time those OS problems received scant attention from few software vendors or fortunately hackers. Suffice to say that for the past 15 years I used a PC with several variants of Microsoft OS's at work, and got to know the IT folks on a first name basis as they tried to keep the machines clear of malware. At the same time at home, I have never experienced malware issues and also for the past five years at my new office which operates on OS-X. I can only surmise that there must be SOME difference in the quality of the operating systems that seems to render Apple's system(s) more defensible. In either case, as you point out, Apple should and will I suspect respond quicker to vulnerabilities as the use of Apple systems continues to expand. Linux, yes it is a superior OS from my observation, but requires perhaps more computerize in installation and use than many folks have. Perhaps. In the meantime, I will continue merrily on my way with a computer system and OS that I do not have to spend more than a minimal amount of time worrying about. Cheers.

Posted by: Richard | September 4, 2007 6:50 PM

I can say the SAME thing about my use of Microsoft products.

Posted by: TJ | September 4, 2007 11:33 AM

The thing is you would be lying.

Posted by: Transformer | September 4, 2007 8:30 PM

@Transformer,

I suggest you make your point some other way than an ad hominem attack.

Posted by: TJ | September 4, 2007 9:19 PM

@Norm
"It seems every report on security exploits mentions the effect on fully patched systems, but rarely do they mention the effect on limited user account (generally, I suspect, nothing unless a trojan can convince the limited user to supply the admin password to install said software)"

This is a good point, particularly with respect to an exploit that wants to persist after a reboot, or that wants to attack a multi-user system (e.g. a server). On the other hand, there is a growing population of valuable information (e-mail messages, financial documents, etc.) that live in limited permission accounts (e.g. my home folder) or on web accounts; a browser running as a limited permission user still has full access to both of these targets, and a subset of the attacks on a given browser (particularly cross-site scripting attacks) will tend to be cross-platform.

So, I agree that limited permission accounts are a good start, but additional compartmentalization of risk is probably useful.

Posted by: Mark | September 5, 2007 12:24 AM

I will not make any outrageous claims.
I use a Mac. I have been using Macs since 1992.
I have not and never had any third party security software.
I have never had a virus, malware or outside attack on any Mac that I have used.
I have never ever used a Windows computer so I cannot make any valid comparisons.

Posted by: Richard Dalziel-Sharpe | September 5, 2007 10:05 AM

Richard Dalziel-Sharpe:

If you have NEVER had any kind of security software installed on your Mac how the hell do you even expect to know if you got infected or not? I have seen malware on Mac systems that went undetected for 6 months because there was no Anti Virus software. They found a hole at one point, broke in and stayed there for 6 MONTHS!!!

Every person that uses any computer on the Internet should use security applications to protect themselves (even as added layers).

Posted by: Dave | September 6, 2007 2:31 PM

re "I have seen malware on Mac systems that went undetected for 6 months because there was no Anti Virus software."

You are either lying, or being disingenuous by not mentioning that your anecdote related to Mac OS 9 or earlier.

And if you don't know the difference between pre-OS X and post OS X, you're simply ignorant.

Posted by: cbum | September 7, 2007 1:04 PM

cbum> And if you don't know the difference between pre-OS X and post OS X, you're simply ignorant.

Did you even read what Dave was responding to?

Richard Dalziel-Sharpe> I use a Mac. I have been using Macs since 1992.

Posted by: antibozo | September 7, 2007 7:49 PM

antibozo,

yes I did. Your point?

I have no doubt Richard knows the difference. Moreover, his experience is pretty typical- I've used Macs since 1987, and never had an infection, and I checked.

Dave, however, ?

I have no quarrel with Dave's last point, but making things up to bolster an argument is pretty self-defeating.

Posted by: cbum | September 8, 2007 4:54 PM

cbum> yes I did. Your point?

Do I really have to explain it? It was Richard who asserted that he's never had a malware problem going back to 1992. Dave doesn't have to qualify his statement with what version he's talking about to make his point.

cbum> I have no quarrel with Dave's last point, but making things up to bolster an argument is pretty self-defeating.

What makes you think he's making things up? I've seen a few compromised (though I wouldn't say "infected") MacOS X boxes, and I've seen Linux and UNIX boxes with compromises that were years old. I wouldn't be in the least surprised to find a MacOS box of any vintage, including X, with a six-month-old compromise. In fact, given the mythic awe a lot of Mac users seem to feel regarding MacOS X, I would expect a Mac user with an ill-behaving system to ignore the possibility of compromise outright and assume the problem is with hardware or legitimate software.

Posted by: antibozo | September 8, 2007 5:48 PM

re: "What makes you think he's making things up?"

the fact that there is no OS X virus he could have detected with antiviral SW, as he claimed.

And if he was in fact talking about something he discovered on a Mac running an almost decade-old OS without mentioning that small detail - not much difference to lying IMHO.

And you are being pretty vague as well, with your use of "compromised, but not infected..." ???

As I said, embellishing one's story with made up anecdotes does not help make one's case.

And it's hardly necessary: simply state that it's not a matter of if, but of when OS X viruses will become a problem, and no one can argue with that.

Posted by: cbum | September 8, 2007 11:32 PM

cbum> the fact that there is no OS X virus he could have detected with antiviral SW, as he claimed.

Dave didn't claim that he found an OS X virus; he said he's seen "malware" on a Mac that was undetected for six months because of the lack of anti-virus software. As we all know, anti-virus software typically detects things other than viruses as well.

Let's review:

Richard Dalziel-Sharpe> I will not make any outrageous claims. I use a Mac. I have been using Macs since 1992. I have not and never had any third party security software. I have never had a virus, malware or outside attack on any Mac that I have used.

Dave> If you have NEVER had any kind of security software installed on your Mac how the hell do you even expect to know if you got infected or not? I have seen malware on Mac systems that went undetected for 6 months because there was no Anti Virus software. They found a hole at one point, broke in and stayed there for 6 MONTHS!!!

What does this have to do with MacOS X? Richard asserts that he's never had Mac malware since 1992, while never using any third-party security software; Dave asks Richard how he could possibly know that he never had malware if he never used any software that would detect it.

Then you come along and claim Dave is making things up, and that he's being disingenuous by not stating what version of MacOS he's referring to. Huh?

Now you're claiming there is no MacOS X virus in existence that would be detected by anti-virus software. Without quibbling over the technical meaning of the term "virus", and ignoring the non-sequitur nature of your claim, will this do?

http://www.symantec.com/security_response/writeup.jsp?docid=2004-102218-1803-99

cbum> And you are being pretty vague as well, with your use of "compromised, but not infected..."

There's nothing vague about distinguishing an infection from a compromise. I could go to the trouble of defining the various terms "virus", "malware", "worm", "infection", and "compromise", but I suspect you can figure out the distinction on your own with minimal effort. I can't provide details for ethical reasons.

Posted by: antibozo | September 9, 2007 1:26 AM

re: "will this do?"

Please. Did you even read that? (like: sites infected=0-2...) There were in fact a few of that caliber in the last couple of years, all proof-of-concept, none of which ever even spread in the wild, and it's old "news".

So no. Hence my assessment Dave's comment was made up.

The only Mac virus infections occurred before OS X came out, and were so rare each one was newsworthy.

And "what does this have to do with OS X?" ???

Well it is, after all, the OS on the Mac since 2000, and Dave made no indication he was talking about ancient history when talking about "his episode".

And yes, I can distinguish your terms, "compromise" being the least specific and hence suggesting you were moving the goalposts.

And "I can't provide details for ethical reasons" ... no, really?

How convenient. Time for me to sign off...


Posted by: cbum | September 9, 2007 2:25 AM

cbum> Please. Did you even read that? (like: sites infected=0-2...)

I see. So it doesn't exist because Symantec only knows of a few sites affected.

You were the one claiming nonexistence, and that someone you don't even know must have been lying. The key to saving face is not escalating.

cbum> The only Mac virus infections occurred before OS X came out, and were so rare each one was newsworthy.

You just made me snort water through my nose. I wish what you said were true; if MacOS viruses had been rare in the 90s, I would have spent a lot less time cleaning up Macs.

cbum> How convenient. Time for me to sign off...

Don't blame you.

Posted by: antibozo | September 9, 2007 2:49 AM

This article seemed interesting. Too bad I was unable to read it-the HP Advertisements are programmed to overwrite the copy for people using older systems. Shame on you guys for tolerating this abuse of us senior citizens. Mac OS 9.1, Netscape 7.01, unable to use Flash8.

Posted by: Paul Corsa | September 9, 2007 8:39 AM

Paul Corsa> Shame on you guys for tolerating this abuse of us senior citizens. Mac OS 9.1, Netscape 7.01, unable to use Flash8.

Um, you really can't blame the Post for the fact that you're using dangerously out-of-date software. Upgrade to OS X and Firefox 2. You'll have a better experience, and you won't be vulnerable to all manner of exploits. Senior citizens especially should be careful to keep software patched, since so many of them are living off fixed retirement incomes and thus can be so badly harmed by identity-based fraud.

Posted by: antibozo | September 10, 2007 2:12 AM

The comments to this entry are closed.

 
 

© 2010 The Washington Post Company