Jul 06

According to Computerworld, Microsoft confirmed today that hackers are exploiting an unpatched bug in DirectX via Internet Explorer versions 6 and 7. A Microsoft representative quoted in the article says that “A user needs to be lured to navigate to a malicious web site or a compromised legitimate web site to be affected” but no further action is needed.

However, only users on Windows XP and Windows Server 2003 are vulnerable. Windows Vista and Windows Server 2008 are immune. Users running Internet Explorer 8 are also not vulnerable.

If you read many of the Windows and Internet Explorer security bulletins Microsoft has published since the release of Windows Vista, you’ll see that a lot of those vulnerabilities do not apply to Windows Vista and Windows Server 2008 (which incorporate the same security model). It should be clear from this that while Microsoft Windows is by no means immune to attack, great strides have been made in Windows security since the XP days.

Microsoft worked with security experts to improve the Windows security model for Vista. The result of this work is a reduced level of vulnerability to exploits like the one described above. While Vista security (and by extension, Windows 7) is by no means hacker-proof or invulnerable, it does seem to be more resilient than Windows XP to attack. Microsoft continues to take a proverbial beating in the media because the majority of Windows desktops are still running Windows XP (or earlier). Combine the number of XP systems with its weaker security, and you have a perfect recipe to make Microsoft products as a whole seem to “still” be insecure.

It will be interesting to see what happens in the Windows security space if Microsoft is successful in convincing most customers to upgrade to Windows 7 when it’s released. While I would not be so stupid as to suggest that Windows 7 will be a panacea and eliminate all the security problems in the Windows space, I do believe it will make the kinds of attacks that are commonplace in Windows XP far more difficult to pull off… and hopefully far less numerous.

Since this is a site that discusses multiple desktop operating systems, it might appear to be implied that I’m suggesting Windows 7 and Windows Vista are “more secure” than other desktop operating systems such as Linux or Mac OS X. That is not the case. The point I am attempting to make is merely that Microsoft has improved security in Vista and 7 relative to earlier Windows releases. Whether this security is “better” than that of OS X or Linux (or not) is not the point.

Jun 30

Glyn Moody posted “The Huge Hidden Cost of Microsoft Software” on June 30, 2009, on Computeworld UK’s web site, and a similar article on Slashdot. In the post, Moody discusses how various UK government organizations had to spend a great deal of money cleaning up the Conficker worm. Moody explains how this is a “hidden cost” of running Microsoft software in your environment, much as Microsoft and others have tried to claim there are “hidden costs” in running free open source software and Macs.

There are certain of Moody’s points I agree with. More malware exists for Windows than for Mac OS X and Linux combined. That’s just a fact. If the PCs in your organization become infected with malware like the Conficker worm, it can be extremely time-consuming and costly to clean up the mess. Again, it’s a fact. If you ran Linux or Mac OS X throughout your organization instead of Windows, a Windows worm like Conficker would be stopped dead because it can’t infect those operating systems. Fact. But while the conclusion that this is a “hidden cost of using Windows” may be true to some degree, it’s not quite on target. Allow me to explain.

I work in a company with approximately 2,000 Windows PCs, maybe 50 Macs, a small number of Sun Solaris workstations, and a data center including Linux, Windows, Solaris, and mainframe operating systems. In an environment like this, with so many Windows desktops, you might be thinking I’ve had to clean up some massive infections.

Ironically, in my 20+ year career, the biggest malware mess I ever had to clean up didn’t affect Windows at all, and it wasn’t at the shop where I work now. The culprit was a little Classic Mac OS virus code-named “WDEF”. Infection via WDEF was very Mac-like. It “just worked”. If an infected disk was inserted into a Mac, it instantly infected the Mac’s hard drive. You didn’t have to run any programs or do anything. If you inserted a clean disk into an infected Mac, that disk became infected. The WDEF virus managed to find its way onto every Mac in our company and on to most of the floppy disks. I was able to trace it back to a disk a single employee (yeah, it was me) brought into the office from home. I can’t tell you how many hours I spent cleaning up that mess (we had only a dozen Macs but literally hundreds of floppies to scan). I only found it because I was showing a co-worker how Macs didn’t really need antivirus software by running a scan with a free tool called Disinfectant. It was very humbling to see it detect WDEF, in addition to being painfully ironic.

It was also a valuable lesson. Over the 10+ years I was a Mac user, I had downloaded lots of free Mac software. When I ripped the shrinkwrap off my first antivirus package (bought after the WDEF incident), I was shocked to see how many viruses had already infected my supposedly “superior” system. During my time as a Classic Mac OS user, I saw more viruses than I’ve seen since… even though I’ve primarily been a Windows user, and still download lots of free programs. Mine may not be the typical experience, but it’s a true story.

Moody’s stories and mine share a common theme – and it’s obviously not Microsoft software. Take proper security precautions, no matter what computer you’re using, or you will pay a price eventually. I’m willing to bet if you investigate any of those very expensive cleanup deals mentioned in Moody’s article you’ll find that certain basic security precautions were ignored that would have cost FAR less than the cleanup effort for Conficker eventually did. Maybe they merely needed a cheap hardware firewall to keep the worm from getting in, or a cheap antivirus package to detect and clean it, or just to deny administrator access to their employees. As far as I’m concerned, Microsoft may share some of the blame but the bulk of it lies with the organizations themselves. I can say that with confidence because our 2,000-machine Windows environment didn’t see a single Conficker infection. Not one. (And no, I wouldn’t be so bold or stupid as to say that we “never will”… only that we’ve made all reasonable precautions to prevent such an occurrence. That’s about as much as you can ever really say about your security.)

While Mac users have been relatively free of malware, viruses have existed for OS X, Mac malware has made it into the wild, and it has resulted in the creation of a Mac-only botnet. I’ll bet if you could find the owners of the Macs whose systems are part of that botnet, they’d tell you they don’t need antivirus software because they’ve got a Mac, and Macs are immune to that stuff…

Linux has been relatively immune as well, but it too has seen Trojans, viruses, and other malware. The threat to Linux is nothing compared to the situation on Windows, but that doesn’t mean there is “no” threat.

If you go through life with the assumption that your platform of choice is totally secure, completely immune to malware, and impervious to hackers, the odds are good that you’re going to find yourself very sadly mistaken one day… just like I did when I ran that disinfecting program on my Mac those many years ago. Good security is a “hidden cost” of owning a computer, no matter whose logo is on the box or whose is displayed when you start it up.

Jun 15

About nine months ago, a security flaw was found in the Java Virtual Machine. The flaw allowed a malicious Java applet to execute arbitrary (read “unauthorized”) programs on your computer. This flaw affected all implementations of Java, including that on Windows, Linux, and of course Mac OS X. Because the implementations of Java for the “non-Macintosh” platforms come from Sun Microsystems, they were all fixed relatively quickly. The Mac version was finally fixed this week by Apple.

In the earliest days of Mac OS X, Apple bragged openly about how OS X would be a premier platform for Java. Just to show their commitment to Java, Apple penned an agreement with Sun Microsystems that prevents Sun from creating a Mac version of Java. Under the agreement, only Apple can release Java for OS X.

Apple having control of Java development for Mac OS X could actually be a good thing in some ways. For example, since it’s treated as an operating system component in OS X, Apple could be tweaking and tuning Java so that it performs optimally on their hardware and operating system. And, if Apple was keeping close tabs on Java security and patching its version quickly, Mac users would have the best of both worlds… a secure Java implementation that performs well on their OS and hardware. Unfortunately, this hasn’t been the reality – at least not for a while. As MacWorld’s Dan Moren reported back in May, “Apple should be more aggressive on security, rather than resting on the laurels of its safety record. That way, if an attack does come, the company won’t be caught with its virtual pants down.”

May 21

When Apple introduced OS X in 2000, Steve Jobs announced that it would be one of the best platforms for developing Java applications. Apple was so committed to Java that it signed an agreement with Sun saying that Apple would handle all Java development for the Mac OS X platform, forbidding Sun to produce a Mac version of the popular language. At the 2006 WWDC, Apple claimed it was following Sun’s Java releases “very closely” with its own version. A year later, Jobs publicly derided Java as a platform that was no longer significant because it was bloated and no one used it anymore. (I guess that’s why “only” 3,000 people attended the Devoxx Java conference last year, 1100 attended one specific session at Java One 2008, etc. By comparison, 5200 attended Apple’s WWDC in 2008 and that covers more than just one subject area.) Today, the version of Java available in OS X is quite a bit behind the version available for other platforms. Still, Apple keeps its agreement in place that restricts Sun from providing a more current version for the platform. A consequence of this “about face” by Apple on Java is that Mac users are far more vulnerable to Java security issues than users of other platforms. A recent Slashdot post indicates that Macs are vulnerable to a 6-month-old Java flaw that has been patched on other platforms.

Java is still quite relevant today. My ISP uses it for some control panel functions. Popular game site “pogo.com” makes extensive use of Java. The OpenOffice.org suite uses Java. Lots of other applications use Java. I don’t have the figures to back this up, but I wouldn’t be surprised if as many people develop Java applications as develop Mac applications. It’s far from something “nobody uses anymore”. Just check the job ads. Java programmers are still in demand.

Even assuming I’m wrong and “nobody” uses Java today, why does Apple keep the Java development agreement in place that prevents Sun from releasing Java for the Mac? Why not terminate that agreement and let Sun’s developers “waste their time” developing Java for the Mac rather than using Apple engineers’ time to maintain something “nobody” uses? Is it that important for Apple to control everything associated with its products? Maybe it’s time for Apple to practice some of that “think different” stuff and let go of Java…

Apr 07

ZDNet’s Ryan Naraine posted the text of an interview with computer security researcher Charlie Miller, the guy who broke into a fully-patched Apple MacBook using a Safari exploit at the CanSecWest security conference during its “Pwn2Own” challenge.

When asked about the vulnerability used at CanSecWest, Miller indicated that he was under a non-disclosure agreement and couldn’t say much, but that “It was an exploit against Safari 4 and it also works on Safari 3.” Miller doesn’t know if it works on Safari for Windows.

Underscoring the fact that security exploitation, including the writing of viruses, worms, Trojans, etc., is much more a business now than ever before, Miller says that he never gives the bugs he finds away free. “I have a new campaign,” he says, “It’s called NO MORE FREE BUGS. Vulnerabilities have a market value so it makes no sense to work hard to find a bug, write an exploit and then give it away. Apple pays people to do the same job so we know there’s value to this work. No more free bugs.”

When asked why he didn’t go after Internet Explorer or Firefox, Miller said “It’s really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don’t do. Hacking into Macs is so much easier. You don’t have to jump through hoops and deal with all the anti-exploit mitigations you’d find in Windows. It’s more about the operating system than the (target) program. Firefox on Mac is pretty easy too. The underlying OS doesn’t have anti-exploit stuff built into it.”

When asked about the relative ease of exploiting a system, Miller said that “For all the browsers on operating systems, the hardest target is Firefox on Windows. With Firefox on Mac OS X, you can do whatever you want. There’s nothing in the Mac operating system that will stop you.”

Regardless, every browser and every operating system has flaws. Most Windows users recognize this and employ firewalls, antivirus software, etc., to help mitigate the threat. Linux users also typically employ tools to protect themselves from attack. Mac users, by and large, seem to have bought into an idea that OS X is virtually impenetrable to attack and for the most part do not take extra steps to protect themselves. Are they right, or are they inviting an inevitable attack? Only time will tell.

Apr 06

According to InformationWeek’s Thomas Claburn, proof-of-concept exploit code has been posted online for six kernel vulnerabilities, five of which affect Apple’s Mac OS X 10.5.6, the most current version of the operating system, and are unpatched.

Neil Kettle of Convergent Network Solutions said that they published the exploit code because “We wanted to show how easy it still is to break production kernels in well-used operating systems.” The vulnerabilities, according to the CTO of Panda Security, “demonstrate the code can take control of a machine, either via creating a privilege escalation modifying the users or launching DoS (Denial of Service) local attacks” against the Mac. The code has the ability to create a new system volume, call some OS functions, change the User ID, and so on, without administrative privileges.

The first of the bugs, it is said, would actually allow for remote exploitation of the OS X kernel “if Apple’s AppleTalk implementation was actually *correct* and did not contain a rather simple development bug”.

Another, the “fifth” in the list, “exploits a local arbitrary kernel memory overwrite in the HFS IOCTL handler. The vulnerability is a little under four years old, and is present in all versions of Mac OS X Tiger and Leopard (and Snow Leopard betas), that is, OS X >= 10.4.0.” This particular bug allows “arbitrary code” (think “a virus or worm”) to run with kernel level privileges (meaning it has virtually unlimited access to the system).

“There is much less malware for the Apple Mac than there is for Windows, but that doesn’t mean that Apple fans can hide their head in the sand like ostriches. Mac users are no different [than] Windows users when it comes to falling for social engineering tricks like this,” according to a senior technology consultant for Sophos.

If you browse the mainstream media sites long enough, you’ll inevitably read about a security flaw in Windows which leads to a Mac user declaring that such flaws don’t exist in OS X, that the Mac’s built-in security will stop any exploit dead in its tracks, etc. That’s simply not the case. All operating systems have flaws, OS X included. Some percentage of those flaws can be exploited to gain control of the machine. As InformationWeek reports:

“…while there is malware for the Mac, such as the Trojan identified by Sophos, such code isn’t likely to have a significant impact until Mac market share reaches 15%, which isn’t that far away… hacking is a business and… the focus remains on Windows vulnerabilities, at least for the time being.”

Mar 19

Security researcher Charlie Miller made good on his threat that Apple’s Safari web browser would fall first in this year’s CanSecWest Pwn2Own security challenge. This is the second year in a row that Miller has hacked into a fully-patched MacBook by exploiting a security weakness in Safari. Later in the conference, Internet Explorer 8 and Firefox also fell to attackers, proving that none of the web browsers is particularly more secure than the others. All of them have flaws which can be exploited.

Naturally, the folks at AppleInsider spun the story to imply that Apple’s security (while falling first) is nonetheless vastly superior to everyone else’s. In spite of their inherent bias toward Apple’s products, AppleInsider makes some interesting points. Their article is worth reading. Some of their commentary elicits a response, however.

AppleInsider argues that OS X looks more vulnerable than Linux in security contests because fewer researchers target Linux because it’s “hard work” to find a usable Linux exploit. AppleInsider then goes on to claim that Apple’s use of open source components is what makes OS X appear vulnerable. At first blush, this is a contradiction. If it’s hard work to find an exploit in open source Linux, why would Apple’s use of open source make it easier to exploit OS X? The answer is something AppleInsider conveniently omits: Apple takes longer to update its open source components than typical Linux distributions. Because of this delay, vulnerable versions of open source components remain part of Mac OS X for a while. Known, documented exploits for those components are recorded in bug databases for those open source projects (typically on the Internet where anyone can get to them). Finding a “Mac exploit”, then, is as simple as finding an open source component Apple hasn’t updated yet.

AppleInsider also reports that a study showed there were 678 patches released by Microsoft between 2002 and 2007, while Apple released 815. AppleInsider says that the use of open source enables Apple to “issue more security patches and operating system updates than Microsoft does”, implying that this is a good thing. It’s not necessarily indicative of better security. A counter argument would be that this shows far more bugs in Apple’s products than Microsoft’s, implying more security weaknesses in total, and overall weaker security. That’s not necessarily true, it’s just another way to spin the same data.

AppleInsider did take the opportunity to quote Jeff Jones, the director of Microsoft’s security group, who claimed that contests like Pwn2Own just show security experts what they already know, which is that “any machine can be broken under the right circumstances” and that it’s not worth reading too much into the Pwn2Own results. It’s interesting to see Mac fans quote Microsoft security guys as experts while trashing Microsoft’s product security.

At the end of its post, AppleInsider implies that because Apple didn’t write the open source components of Mac OS X, it’s not fair to count bugs in those components as OS X bugs. It would only be fair, they argue, if you counted bugs in the Windows versions of those same components in Microsoft’s totals. At first glance, this is reasonable, but it doesn’t stand up to scrutiny.

Apple leverages open source software to get OS X functionality to market without the associated development effort and cost. There’s nothing wrong with that. But by including open source software as part of the OS X distribution, they effectively assume responsibility for the bugs in that code just as if they’d written it themselves. If there are any open source components in Windows (none come to mind), then it’s just as appropriate to count bugs in those components as Windows bugs.

A perfect example of a situation where an open source component’s bugs should be included in OS X bug totals and not in Windows bug totals is the Apache web server software. Apple uses Apache in Mac OS X Server. It ships as part of OS X. While there is an Apache for Windows, Microsoft does not include that in Windows distributions, instead bundling its own Internet Information Services (or “IIS”). In this situation, it’s fair to count Apache bugs as Mac OS X Server bugs. Apple had access to the source code, after all, and could in theory have taken the time to comb over it and fix the bugs before releasing Apache as part of OS X. It’s not fair to count Apache bugs as Windows bugs in this case, because Microsoft didn’t include Apache in Windows. (Yes, it may run on Windows and have the same bugs there, but it’s not PART of Windows like it’s part of OS X.) It’s similarly fair to count IIS bugs as Windows bugs (and naturally not as Mac bugs), because that’s part of the Windows distribution as Microsoft shipped it.

In any case, this article is straying from its intended point, which is to say that the CanSecWest Pwn2Own contest should not be taken as an indication that (because Safari on OS X fell first) Apple’s products are “less secure” than Windows or Linux. However, the contest results should serve to Mac fans as a sobering reminder that Mac OS X and Safari are not bulletproof. The products have weaknesses, those weaknesses can be exploited, and while Mac users may have had less historic reason to worry about malware than Windows users, that doesn’t mean they’re immune to it. As Microsoft’s Jeff Jones said, any machine can be broken… even a Mac.

Mar 07

TGDaily’s Christian Zibreg reports that Charlie Miller claims Apple’s new Safari 4 Beta on the Mac will be the first browser to fail at this year’s “Pwn2Own” contest. Miller said that Safari is “the easiest browser” to hack. According to TGDaily, “Miller has argued that Safari’s security-related weaknesses stem from a complex code that handles many features and multimedia file types, as well as a lack of workable defenses on the part of OS X.” TGDaily said that Miller hinted that other browsers are more secure than Safari, arguing that $5,000 isn’t motivation enough to try to crack IE8, Firefox, or Chrome.

As Zibreg reports, “if Apple’s Safari surrenders again within minutes, it will be a big blow for Apple who likes pitching its software and the operating system as rock solid.”

Considering that Miller is the same guy who broke into a MacBook Air in under two minutes during a high-profile hacking contest in Vancouver, the odds are that he can do it again.

Feb 12

Although Apple would like to convey the image of OS X as a sort of impenetrable fortress, the reality of the situation is that OS X has security bugs just like any other software product. The OS X update Apple released today contains fixes for more than two dozen vulnerabilities, including holes in Safari, AFP Server, CoreText, X11, and Remote Apple Events. According to an article on CNET, these vulnerabilities could lead to arbitrary code execution (meaning a hacker could run any desired program on the compromised system) and disclosure of sensitive information.

Nov 19

CNet claims that Microsoft’s Live OneCare anti-malware solution changed the Windows antivirus landscape, generally for the better, by putting the antivirus vendors on their toes and making them develop more comprehensive products at better prices. Maybe they’re right, I don’t know.

More interesting than this is the news that Microsoft is planning to release a free antivirus, anti-malware product for Windows in 2009.  As CNet claims, this is likely to change the antivirus landscape yet again, since Microsoft’s technology is being compared to the industry’s best. 

I think this is the right move for Microsoft, though it probably screws over those who actually paid for OneCare in the past to some degree.  To be as effective as possible, anti-malware protection really should be coming from the operating system vendor.  The operating system vendor would seem to be in the best position to identify potential weak points and protect them, and to ensure that the operating system integrates well with the anti-malware code.

It will probably also have a further downward effect on pricing for commercial antivirus solutions, which is good for the consumer (though not so good for the vendors).  This, in turn, should help more people deploy effective antivirus software and result in a more-secure “Windows world” overall.

I’m an optimist, I know, but I agree with CNet that this should be a good thing in the end.

Nov 12

In the security world, there are two kinds of threats that IT departments protect against. One threat comes from outside the company, when a malicious email message, virus, trojan, worm, or hacker tries to breach the company’s defenses and get at your systems and data. It’s clear from Apple’s actions that it understands this kind of threat and takes it seriously, as it should. 

Another, in some ways more dangerous, threat comes from the individuals inside your company. Depending on your security precautions, insiders can represent a more serious threat because they come in behind your firewall and perimeter security. They can (accidentally or intentionally) bring in a virus-infected disc, (if they have permission) disable security precautions like firewalls and antivirus, visit malicious web sites, etc. That’s why most companies limit the level of access employees have to their computer systems. The typical employee in most companies can’t install software, turn off antivirus, disable the firewall, or do anything else deemed “dangerous” by the IT security people. In OS X terms, most users aren’t administrators or “root” on their own Macs. It’s this kind of security that Apple, and the occasional third-party Mac software vendor, doesn’t quite “get”. Allow me to illustrate with a real world example from the Washington Post.

Back in June of this year (yes, I know I’m going back a bit, but this example just landed in my mailbox today so it’s new to me), a significant vulnerability was discovered in Mac OS X 10.5 (Leopard). To exploit this flaw, all an attacker needs is access to a Mac’s command line interface. With said access, the attacker can enter a relatively simple command that tells the Apple Remote Desktop Agent to run an AppleScript. That AppleScript will run as “root” (super-administrator) and be able to do anything you can do with AppleScript. In other words, it gives anyone with physical access to the machine the virtual “keys to the kingdom”. Best practice in corporate IT security dictates that you give a user the minimum level of security permission they need in order to do their job. For some users, that’s the ability to login and run programs, for others it might include installing software, and for a select few, complete access. By not giving everyone the keys to the kingdom, you’re better able to prevent the spread of malware, protect confidential data, and ensure the integrity of business processes. In most environments, there is more potential for an authorized user (independent of their security privileges) to intentionally or unintentionally harm corporate systems than an outsider, so this kind of security is in many ways even more important than firewalls and perimeter security.

When contacted about the vulnerability, Apple told users it was “not a cause for concern.” If it’s not a cause for concern when anyone can bypass all the operating system’s security features, then what exactly IS a cause for concern? This is what I mean when I say that Apple doesn’t quite “get” security. They respond well enough, albeit sometimes a bit slowly, when a flaw can lead to remote attacks on a Mac, but their response to “elevation of privilege” attacks shows that they don’t see the bigger picture. Columnists talk about how Apple and the Mac aren’t ready for a starring role in enterprise computing. This is a part of what they mean.

If Apple wants to continue being a niche player in the market, focusing on consumer computing and digital arts, then it can afford to be a little lax about “threats from inside”. But if it really wants to have an effective presence in the corporate world, it needs to step up its game. Say what you will about Microsoft’s security problems, but they understand the importance of both kinds of threats and don’t downplay the concerns of their corporate customers. As Ryan Naraine said in the ZDNet article linked above, “hip and cool can only take you so far in the enterprise.”

Sep 19

According to ChannelWeb, a flaw in QuickTime and iTunes paves the way for a malicious attack on the Windows platform. The new vulnerability was discovered a week after Apple updated QuickTime and iTunes. Security firm Intego says that the QuickTime tag fails to properly handle long strings of data, resulting in a heap overflow flaw in both QuickTime Player and iTunes, as well as other Mac OS X programs that stream media via the QuickTime plug-in. The error also affects the web browsers on both Windows and Mac OS X.

Reportedly, an attacker could add a QuickTime media file to a web page that executes arbitrary code and launches a malicious attack on affected systems. Blogger “securefrog” published a proof-of-concept exploit on the website Milw0rm. ChannelWeb reports that “the most recent QuickTime vulnerability is one in a long line of serious errors, particularly in its real time streaming protocol, that have left users susceptible to remote code execution attacks.”

Again, we remind Mac users that just because no one has exploited a vulnerability on the Mac in the wild doesn’t mean the system is secure… only that it’s been lucky.

Aug 19

A July 25 Computerworld article cites the results of a study saying that the largest software vendors account for fewer software flaws than in past years. The article opens by saying “Though it might not seem that way, the top 10 most vulnerable software vendors — and yes, that includes Microsoft Corp. — are contributing a smaller percentage of all vulnerability disclosures per year compared with five years ago. That’s according to an analysis by Gunter Ollmann, director of security strategies at Internet Security Systems Inc.’s X-Force team, which is a unit of IBM.”

The article reports that in the past 5 years, the list of the most vulnerable vendors has included Microsoft, Cisco, Sun Microsystems, the Linux Kernel Organization, Oracle, and Apple Inc.

That’s something to think about the next time you see one of those smug Apple ads about OS X being especially secure compared to Windows.

Aug 11

According to Charlie Miller, an analyst at the Independent Security Evaluators (ISE) firm, “For three months, I was walking around with a vulnerable iPhone. [Apple] had the vulnerability and the exploit, they understood the exploit because they patched it on Mac OS X, but then they said they didn’t know that [the iPhone] was vulnerable.”

This is the same vulnerability Miller used to gain control of a Mac OS X system at the CanSecWest security conference and win a $10,000 prize package.  It took Apple 3 weeks to patch Safari on OS X, much longer to patch the iPhone.

Miller reports “So Apple said ‘We ran the exploit and it ran out of memory and it didn’t do anything bad.’” What Apple had apparently not done, he added, was to run the actual exploit line. “Obviously,” he said, “they didn’t do a very good job of testing. They had the source code, and they thought that the iPhone wasn’t vulnerable.”

The article says the incident made Miller question whether Apple can effectively manage security on its multiple platforms. “I don’t think they do a very good job of that,” he said. “They hadn’t patched the iPhone since February. For more than four months, it’s had vulnerabilities that were patched in Mac OS X.”

Aug 01

We’ve covered here how there is a significant vulnerability in the DNS software used to resolve names like “www.dell.com” into their respective IP addresses. We’ve also covered how the major OS players have all updated their software, while Apple had not done so. According to ComputerWorld, Apple has now released a patch for OS X that it claims fixes the problem, but which security researchers report does not.

Andrew Storms, director of security operations at nCircle Network Security Inc., tested Apple’s update and found that even with the update applied, Apple systems were not randomizing the source ports of their DNS queries, which is the change that blunts this attack. Attacks using this vulnerability are reportedly already in the wild, so Internet-connected Macs are indeed vulnerable. Storms is quoted as saying “Essentially, we’re at the same place as we were yesterday before Apple released the patch.” Swa Frantzen of the SANS Institute says “So Apple might have fixed some of the more important parts for servers, but is far from done yet, as all the clients linked against a DNS client library still need to get the work-around for the protocol weakness.”

Storms suggests that Apple made a mistake somewhere to produce the “nonpatch patch” just released. “Is Apple modifying the BIND distributions from ISC, and somehow didn’t realize this repercussion? Or is there some kind of configuration file that they forgot to change? It must be one of those two,” Storms said. “If you take the BIND distribution from ISC and patch your system on a Linux box, you’re patched,” he said. “I don’t know what happened to Apple’s.”
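To make the kind of test Storms ran concrete, here is an added example (my own illustration, not nCircle’s tool or anything from the ComputerWorld article) that scores a resolver from the UDP source port and DNS transaction ID of each query it sends. The three sample sets are constructed rather than captured from a Mac; the function names, the verdict thresholds and the estimate of the attacker’s work factor are my own assumptions.

```python
"""Added example, not code from ComputerWorld, nCircle or Apple.

Score a DNS resolver's source-port behaviour from observed queries.  Each
sample is (UDP source port, DNS transaction ID); the lists below are
constructed, not captured from a real Mac.  An off-path cache-poisoning
attacker has to match both values to forge an accepted reply, so the product
of the two search spaces is the work factor the resolver imposes on them.
"""
import math
import random
from collections import Counter

TXID_SPACE = 1 << 16          # DNS transaction IDs are 16 bits


def entropy_bits(values):
    """Shannon entropy of a sample in bits (at most log2(len(values)))."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def is_sequential(values):
    """True when every step between successive values is the same non-zero
    amount: a predictable allocator, as good as a fixed value to an attacker."""
    if len(values) < 3:
        return False
    steps = {b - a for a, b in zip(values, values[1:])}
    return len(steps) == 1 and steps != {0}


def assess_port_randomization(samples):
    """Classify the port behaviour and estimate the attacker's guess count."""
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    if len(set(ports)) == 1:
        verdict, port_space = "fixed port", 1
    elif is_sequential(ports):
        verdict, port_space = "sequential ports", 1
    else:
        # Conservative estimate of the range the resolver draws ports from.
        verdict, port_space = "randomized ports", max(ports) - min(ports) + 1
    txid_space = 1 if is_sequential(txids) else TXID_SPACE
    return {
        "verdict": verdict,
        "port_entropy_bits": round(entropy_bits(ports), 2),
        "txid_entropy_bits": round(entropy_bits(txids), 2),
        # Worst-case number of forged replies needed to hit one (port, txid)
        # pair; 65536 means the attacker only has to brute-force the TXID.
        "attacker_guesses": port_space * txid_space,
    }


def constructed_samples(seed=7, n=32):
    """Three constructed resolver behaviours (not real captures)."""
    rng = random.Random(seed)
    fixed = [(32768, rng.randrange(TXID_SPACE)) for _ in range(n)]
    sequential = [(49152 + i, rng.randrange(TXID_SPACE)) for i in range(n)]
    randomized = [(rng.randrange(1024, 65536), rng.randrange(TXID_SPACE))
                  for _ in range(n)]
    return {"fixed": fixed, "sequential": sequential, "randomized": randomized}


if __name__ == "__main__":
    for name, samples in constructed_samples().items():
        print(f"{name:11s} {assess_port_randomization(samples)}")
```

To feed it real data from a Mac, run `tcpdump -n udp port 53` while issuing a string of lookups with `dig` or `host`; each outgoing query line shows the client’s source port after its address and the transaction ID just before the `+`. A properly patched resolver shows a different high port on nearly every query; the behaviour Storms describes shows the same, or a predictable, port every time, which drops the attacker’s work to a single 16-bit brute force.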


For more information about this “nonpatch patch” click here to visit ComputerWorld.

We’ve been suggesting for a while here that Apple’s development team seems to be overburdened and that they appear to be making significant mistakes that are quite simply beneath the caliber of individuals we know to be working there. We know that they work hard. We know that they care about what they’re doing. The only reason for mistakes like this that we can imagine is that the developers are overworked, and QA staff are either similarly stretched too thin or are non-existent. We hope Apple is able to correct this situation. Their reputation is already starting to tarnish…

Jul 16

As we’ve covered in the past, Apple’s history for patching OS X indicates a tendency to patch vulnerabilities more slowly than Microsoft patches Windows or the open source community patches Linux. Computerworld carried an article on July 15 indicating that Apple’s update service is up 99.9% of the time, while Microsoft’s update service is up 100% of the time, and Ubuntu Linux’s service is up 98.6% of the time. Even 98.6% is pretty darned good, but it’s interesting that Apple makes so much noise in its commercials about how OS X is so reliable, yet it can’t manage 100% uptime for its own servers.

Jul 11

It appears that Apple’s relatively strong sales in recent months have brought the platform to the point where, as Newsfactor.com reporter Jennifer LaClaire put it, “cybercriminals are increasingly interested in hacking into Apple, Inc.’s Mac computer.” According to the Newsfactor article, “Antivirus firm SecureMac claims to have discovered multiple variants of a Trojan horse being distributed from a hacker web site. The site hosts a discussion on distributing the Trojan horse through iChat and LimeWire.”

LaClaire goes on to report that “According to SecureMac, the Trojan runs hidden on a Mac and allows a malicious user complete remote access. The Trojan can transmit system and user passwords, and avoid detection by opening ports in the firewall and turning off system logging. The AppleScript version, SecureMac reported, can also log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing.”

Some time ago, we reported on this site that the primary reason hackers haven’t targeted the Macintosh platform isn’t superior security. It’s that there is no financial incentive yet for them to do it. Carole Theriault, senior security consultant at Sophos, echoes this reasoning when she tells Newsfactor, “In the last 12 months we have seen growing evidence that cybercriminals — although still focusing in the main on the Microsoft platform — have shown an increase in interest in seeing if there is an opportunity to hack into Mac computers for financial gain.”

If you think your Mac is impenetrable, that it doesn’t need antivirus software, and that it’s somehow far more secure than its Microsoft counterpart, you may be in for a rude awakening… perhaps very soon!

Apr 01

Last year’s CanSecWest security conference introduced a “Pwn to Own” challenge in which security experts could win an Apple MacBook if they were able to breach its security. As that contest continued, the requirements for breaching the device’s security were relaxed gradually until the security was in fact breached. This year, to make for a “fairer” challenge, the contest organizers used three different laptops: a MacBook Air running the latest version of Leopard with all available patches, a Windows Vista laptop with all current patches, and a Sony Vaio laptop running Ubuntu Linux with all available patches.

Researcher Charlie Miller of Independent Security Evaluators (ISE) won the challenge on March 27 by breaking the security on the MacBook Air in under 2 minutes. When asked, he said that he chose to attack the Macintosh for one simple reason: “It was the easiest one of the three. We wanted to spend as little time as possible coming up with an exploit, so we picked Mac OS X.”

The $5,000 second prize was won a day or two later by Shane Macaulay, a consultant with Security Objectives, who broke into the Fujitsu laptop running Microsoft Windows Vista Ultimate SP1 by exploiting a bug in Adobe’s Flash Player.

The Ubuntu Linux laptop, it should be noted, remained unclaimed and unbroken at the end of the contest.

Once again, we here at The Mac Sucks point out that OS X security isn’t as air-tight as Apple would have you believe. Worse, Apple ships older versions of many of its open source components, which contain known and documented security flaws. That’s what the security researchers mean by OS X being “the easiest one of the three” to break.

Apr 01

Earlier in the year we predicted that the “cat and mouse game” played between Apple’s iPhone developers and the hacker community would continue unabated throughout the year. A teenage hacker has proven this to be the case by unlocking Apple’s latest iPhone firmware, according to The Register.

The same hacker who earlier traded his iPhone hack for a Nissan 350Z and three 8GB iPhones has again broken the security on Apple’s over-hyped uber-phone. George Hotz, known by his hacker alias “GeoHot”, says that it took him a 24-hour stretch with 3 hours of sleep in the middle. He found a way to install his own custom-built code into a range of memory addresses where security software is installed on the phone.

Instructions are reportedly posted on iClarified and ModMyiPhone for those who want to know how it’s done.

Feb 08

Wired Magazine’s Bruce Schneier published a thoughtful article entitled “With iPhone, ‘Security’ Is Code for ‘Control’” that explains why Apple has fought to retain such tight control over the software on the iPhone. As Schneier tells us:

  • “Buying an iPhone isn’t the same as buying a car or a toaster. Your iPhone comes with a complicated list of rules about what you can and can’t do with it. You can’t install unapproved third-party applications on it. You can’t unlock it and use it with the cellphone carrier of your choice. And Apple is serious about these rules: A software update released in September erased unauthorized software and — in some cases — rendered unlocked phones unusable. Bricked is the term, and Apple isn’t the least bit apologetic about it.”
  • “Control allows a company to limit competition for ancillary products. With Mac computers, anyone can sell software that does anything. But Apple gets to decide who can sell what on the iPhone. It can foster competition when it wants, and reserve itself a monopoly position when it wants. And it can dictate terms to any company that wants to sell iPhone software and accessories. This increases Apple’s bottom line.”
  • “With enough lock-in, a company can protect its market share even as it reduces customer service, raises prices, refuses to innovate and otherwise abuses its customer base.”
  • “As for Apple and the iPhone, I don’t know what they’re going to do. On the one hand, there’s this analyst report that claims there are over a million unlocked iPhones, costing Apple between $300 million and $400 million in revenue. On the other hand, Apple is planning to release a software development kit this month, reversing its earlier restriction and allowing third-party vendors to write iPhone applications. Apple will attempt to keep control through a secret application key that will be required by all “official” third-party applications, but of course it’s already been leaked. And the security arms race goes on…”

Well worth reading the rest of the article if this at all sounds interesting to you.

Jan 26

PCWorld posted an article Thursday entitled “Microsoft: Vista More Secure than XP and Open Source” by Matthew Broersma of Techworld. The article reiterates Microsoft’s claim that Windows Vista was hit by fewer publicly disclosed security flaws in its first year than Windows XP and open source rivals in their first years. Microsoft’s Jeff Jones says that this shows their work redesigning the security architecture and adding new security features to Vista have paid off. Computerworld reports that this news “comes on the heels of figures from Secunia, which reported fewer vulnerabilities for Windows in 2007 compared to open source operating systems in the same period.”

Computerworld tells us that Microsoft released 17 security bulletins and patches affecting Vista in its first year, compared with 30 for Windows XP. Microsoft fixed 36 bugs in Vista compared to 65 in Windows XP. Linux-based operating systems and Mac OS X didn’t fare as well: Red Hat Enterprise Linux 4 Workstation, for example, had 360 fixed bugs, Ubuntu 6.06 LTS had 224, and Mac OS X 10.4 had 116.

Vista had 9 patch events in its first year, XP had 26, Red Hat had 64, Ubuntu had 65, and Mac OS X had 17.

Microsoft’s Jones “admitted that the figures do not indicate which operating system is ‘more secure’ than the others, saying any such analysis would need to look at software quality, administrative controls, physical controls, and other issues.” Indeed, and the counts also depend on how much software each vendor ships in a default install, so they measure patch workload rather than code quality. That workload is real, though: fewer patch events mean Vista is likely to be less of a hassle to administer from a security standpoint than either Linux or Mac OS X. As a person who happens to administer both Mac OS and Windows security updates, I can appreciate that difference.

Nov 07

Over at The Lame Leopard blog is a post entitled “Taking a Closer Look at Leopard’s Guest Account” in which the author discusses the way Apple bills the Guest account in its Leopard marketing literature and how the reality of the account doesn’t match up to the hype. While we recommend you read the post linked above for the full story, here’s a sort of “Reader’s Digest” version of what the article has to say about the Guest account:

  • There is no special security on the guest account. It’s just as though you set the world up with a normal (non-administrator) login account on your Mac. Anything a normal user can do, the Guest account can do.
  • Guests have access to any files or folders you create outside your home directory unless you’ve set up permissions to prevent them from doing so.
  • If you have paired your Mac with a Bluetooth phone or other global resources, Guests can browse the information there.
  • Guests can leave files on your machine, as long as they don’t put them in the home directory.
  • Background processes that guests start up (terminal sessions, Trojans, etc.) keep running when they log out.
  • Guests can log in to your Mac remotely.

As the author of the blog tells us, “The Guest Account could have been implemented in a much better way. Leopard has many improvements like the sandbox facility, signed applications, access control lists and a new firewall. Not letting the Guest Account use any of these features is a big missed opportunity.”

More proof that either Apple rushed Leopard out the door before it got the security right on the guest account, or that it is still trying to wrap its head around the whole “security” concept. Either way, I wouldn’t personally recommend enabling the Guest account on a machine you don’t have physical control of 100% of the time. It would be too easy for someone to compromise your Mac’s security through this “hole”.
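If you want to check the second and fourth points on a machine you administer, here is an added example (mine, not code from The Lame Leopard post or from Apple) that walks a directory tree the way a guest login would see it and reports the directories a guest could leave files in and the files it could read, honoring the rule that a directory nobody else can traverse hides everything beneath it. The sample tree, the ‘Users’ folder name used to skip home directories, and the function names are constructed for the illustration; only traditional mode bits are consulted, so ACLs are not considered.

```python
"""Added example, not from The Lame Leopard post or Apple.

Report what a Guest (or any non-admin local account) can reach in a tree:
directories it could drop files into, and regular files it could read.
Only mode bits are checked; ACLs are ignored.  Home directories under the
hypothetical 'Users' folder are skipped because the post's point is about
everything outside them.
"""
import os
import stat
import tempfile


def audit_guest_exposure(root, skip=("Users",)):
    """Return relative paths of guest-droppable dirs and guest-readable files."""
    skip_paths = {os.path.join(root, s) for s in skip}
    droppable, readable = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        mode = os.lstat(dirpath).st_mode
        if not mode & stat.S_IXOTH:
            # 'other' cannot traverse this directory, so nothing below it is
            # reachable no matter how permissive the children are.
            dirnames[:] = []
            continue
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in skip_paths]
        # World-writable without the sticky bit: anyone can create files that
        # persist after logout, and can rename or delete other users' files.
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            droppable.append(os.path.relpath(dirpath, root))
        for name in filenames:
            path = os.path.join(dirpath, name)
            fmode = os.lstat(path).st_mode
            if stat.S_ISREG(fmode) and fmode & stat.S_IROTH:
                readable.append(os.path.relpath(path, root))
    return {"droppable_dirs": sorted(droppable), "readable_files": sorted(readable)}


def make_sample_tree():
    """Constructed layout imitating a Mac's root; returns the temp dir path."""
    root = tempfile.mkdtemp()
    dirs = {                          # relative path: mode
        "": 0o755,
        "Users": 0o755,
        "Users/alice": 0o700,
        "Shared": 0o755,
        "Shared/drop": 0o777,         # a guest can leave files here
        "Shared/tmp": 0o1777,         # sticky: shared scratch, not a drop box
        "Private": 0o700,             # no traverse bit for 'other'
    }
    files = {
        "Users/alice/notes.txt": 0o644,   # inside a home dir: out of scope
        "Shared/readme.txt": 0o644,       # guest-readable
        "Private/keys.txt": 0o644,        # readable bits, but unreachable
    }
    for rel, mode in dirs.items():
        path = os.path.join(root, rel)
        os.makedirs(path, exist_ok=True)
        os.chmod(path, mode)
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    sample_root = make_sample_tree()
    print(audit_guest_exposure(sample_root))
```

On the Mac itself you would call `audit_guest_exposure("/")`. The other two items on the list, remote login and background processes that outlive the session, are outside what mode bits can tell you: check Remote Login in the Sharing preference pane, and look at `ps` output after a guest logs out.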

Nov 05

According to Daniel Nicholas of eNews 2.0, “Leopard Doesn’t Seem to Be a Secure Operating System.” The author points out that while people gushed over Leopard just before and immediately after it was released, problem reports are starting to mount. He suggests that this is evidence that Apple rushed Leopard to market to meet the October deadline.

Sadly, the first two commenters on Nicholas’ article didn’t refute what he said, didn’t provide evidence to the contrary, and didn’t suggest an alternative explanation for the facts he presented. No, they just picked on his writing style, which I didn’t take any particular issue with. Is it any wonder Mac users are increasingly seen as “form over function” people who care more for how something appears than what it really is?

In case you think I’m agreeing with Daniel Nicholas just because I have the same point of view, let’s share some evidence from around the web showing that there is cause to question the security “improvements” in Leopard and that it appears to be riddled with bugs and inconsistencies:

Don’t lecture me about inconsistent interfaces in Windows and Linux. That’s irrelevant in this discussion. What we’re talking about here is whether Leopard’s interface is inconsistent. (Got evidence that Siracusa and Pirillo are wrong?) We’re also talking about OS X having incompletely implemented security features, not Vista or Linux. (Can you refute what the ZDNet and Gizmodo articles are reporting?) If people have this many serious complaints about Leopard already, is it that unreasonable to think that maybe, just maybe, Apple pushed Leopard out the door too soon?

Nov 02

Wired Magazine carried an article yesterday entitled “New Apple Trojan Means Mac Hunting Season Is Open” by Ryan Singel. I’ve covered the Trojan on this site already, along with my opinion that this signifies that the Mac must have reached a critical mass where malware writers can make a profit from the platform. Experts Wired spoke to apparently agree with me…

“Apple’s day has finally come, and Apple users are going to get hit hard,” security researcher Gadi Evron said. “OS X is the new Windows 98.” (It could be worse, Mac fans. He could have said “OS X is the new Windows Me!”)

The article quotes Dave Marcus, security research manager at McAfee’s Avert Lab, as saying the Trojan was “written by people who know how to write malware” and not just some script kiddies out to prove they can do it.

Wired says “The arrival of the Mac Trojan signals that cybercrooks have decided there are finally enough Apple systems on the Internet to make attacking them profitable, according to security experts. [snip] Evron and other observers predict that black hats will have a field day with Macs, as well as with Apple’s new mobile platforms. ‘With 2 million iPhones and iPod Touches, it makes sense they will think of them as an evolving market to exploit, and there are a lot of new Mac users who aren’t as savvy as Mac’s earlier users,’ said CEO Alex Eckelberry of Sunbelt Software, which sells security software for Windows machines.”

The problem is relatively small, but interesting. McAfee’s researchers have found the Trojan on 65 web sites so far, but say that the malware isn’t living up to its potential: it’s only redirecting users to one obscure adult website. McAfee’s suspicion is that word about the Trojan got out before the creators wanted it to, perhaps while they were still testing to see what they could do with it.

The Wired article also reports that “Evron sees more problems for Apple users than just new Trojans that try to trick users. Hackers will find it profitable and all too easy to find holes in Apple software, because the company hasn’t paid sufficient attention to security, said Evron. He predicts Apple will experience a full-range of attacks, just as Microsoft did a decade ago when Windows machines and the Internet first met.”

Oct 31

Perhaps the rush to get the iPhone to market and patched to prevent third-party apps from running on it took too much development effort away from Mac OS X Leopard. According to security researchers who spoke with Robert McMillan of the IDG News Service, “The security features introduced in Apple’s Leopard operating system need work. That’s according to security experts who have been putting the new version of Mac OS X through its paces, since the upgrade was introduced last Friday. Leopard introduces a number of important security features to the Mac, but they are often implemented incompletely, leaving users vulnerable to attack.”

According to Thomas Ptacek, a researcher at Matasano Security, “They’ve done a really good job of robbing Microsoft advocates of their talking points, but I don’t see anything that they’ve done out of the box, where it’s really more resistant to attack than Tiger was.” Ptacek says two of Apple’s biggest security enhancements, Sandboxing and Library Randomization, are great ideas that are imperfectly applied in Leopard.

For example, Library Randomization is a good idea that makes it much harder, “if not impossible”, for an attacker to turn a buffer overflow or similar bug into a working exploit, because the attacker can no longer count on knowing where library code sits in memory. But randomization only helps for the regions that actually move from one process to the next, and Apple did not randomize all of the parts of Leopard it should have.
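A quick way to see what “not randomized” looks like in practice is to check whether an address moves between runs. The following added example (my own, not Matasano’s test or Apple code) starts a fresh interpreter several times and records where the C library’s malloc and a freshly allocated heap buffer land in each process. Its verdict thresholds are assumptions of mine, and it says nothing about which parts of Leopard Apple did or didn’t randomize; it only shows how to measure one region at a time on whatever system you run it on.

```python
"""Added example, not Matasano's or Apple's code.

Launch a fresh interpreter several times and record where two things land in
each process: the C library's malloc and a freshly malloc'ed buffer.  If the
value never changes, that region is not randomized per process, and an
attacker who learns the address once can reuse it against every victim.
Runs on OS X and Linux; nothing here is specific to Leopard.
"""
import subprocess
import sys

# Executed inside each child process: print library and heap addresses.
_PROBE = (
    "import ctypes, ctypes.util;"
    "libc = ctypes.CDLL(ctypes.util.find_library('c'));"
    "lib_addr = ctypes.cast(libc.malloc, ctypes.c_void_p).value;"
    "heap_addr = ctypes.addressof(ctypes.create_string_buffer(4096));"
    "print(lib_addr, heap_addr)"
)


def sample_addresses(runs=8):
    """Return {'library': [...], 'heap': [...]} with one address per run."""
    library, heap = [], []
    for _ in range(runs):
        out = subprocess.run([sys.executable, "-c", _PROBE],
                             capture_output=True, text=True, check=True).stdout
        lib_addr, heap_addr = (int(x) for x in out.split())
        library.append(lib_addr)
        heap.append(heap_addr)
    return {"library": library, "heap": heap}


def classify(addresses):
    """Summarize how much an address moved across runs.

    changing_bits counts the bit positions that differed from the first run
    in at least one other run: an upper bound on the randomized bits.  The
    8-bit cut-off for 'weakly randomized' is an assumed heuristic, not a
    property of any particular operating system.
    """
    changing = 0
    for a in addresses:
        changing |= a ^ addresses[0]
    bits = bin(changing).count("1")
    distinct = len(set(addresses))
    if distinct == 1:
        verdict = "not randomized"
    elif bits < 8:
        verdict = "weakly randomized"    # few bits: cheap to brute-force
    else:
        verdict = "randomized"
    return {"verdict": verdict, "distinct": distinct, "changing_bits": bits}


if __name__ == "__main__":
    for region, addrs in sample_addresses().items():
        print(region, [hex(a) for a in addrs], classify(addrs))
```

Run it on two different systems and compare the verdicts per region; the same script also works as a regression check after an OS update, since a region that stops moving is exactly the kind of gap the researchers are describing.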

Sandboxing, while potentially making OS X more secure, isn’t used on the most commonly attacked applications, such as Safari, Mail, or iChat. That means the Mac is still vulnerable to attacks against these packages. The researchers also tell us that “the programs that have been sandboxed have not been walled off as thoroughly as they should be,” citing examples where the sandboxed software can still write malicious files into locations from which they will be automatically launched.

The experts also took exception with the OS X Firewall implementation, saying that it “suffered from a confusing interface that made it very difficult to control access to individual services on the Mac.”

Ptacek said it best at the end of the article: “I like the direction they’re headed. I’m just saying that they’ve got a long way to go to catch up with Microsoft.”
