
Do you trust Apple when it comes to security?


A security researcher who was part of the team that found the first iPhone security flaw has announced that he believes that "Macs are as easy to hack as they are to use." This is causing an uproar in the Apple community, which has long believed that Apple's computers were somewhere between hardened and hackproof. The unfortunate truth of the matter is that even newer versions of Mac OS X run older versions of some software, versions that have known vulnerabilities and could be used as attack vectors.

Researcher thinks Mac OS X is easy to exploit (CNET)

These claims are certainly nothing new, as SANS reported in May of 2006 that Mac vulnerabilities were on the increase, saying:

"Just because you use a Macintosh, don’t think you’re any more secure than a Wintel user. A sharp increase in the number of flaws being discovered in Mac OS X suggests that the Apple operating system may soon be every bit as prone to malicious attacks as Windows systems."

Even when Apple patches its systems, it tends to be more secretive than other companies, leading to frustration on the part of security researchers who sit on undisclosed bugs while Apple finds time to patch them. Even the most mundane of Apple products, the Nike+iPod Sport Kit, has been found to be lacking basic cryptographic tools that could thwart someone trying to use the kit for surveillance.

Honestly, as far as I am concerned, Mac has its place and does a good job in that space. I have an eMac in my living room for Web browsing and child entertainment, but our other computer (and everything I deal with at work) is PC. When it comes down to it, I don't worry because I follow (and have taught my wife to follow) some basic guidelines about life on the Web (don't download things from organizations you haven't heard of, discard even remotely suspicious e-mail, etc.) that, along with our trusty Linksys router, have kept us free from viruses and hacks for a decade.

Do you worry more about vulnerabilities on PC or Mac? Has Apple or Microsoft done more to improve the security of their operating system and applications? Why does Apple choose to be so secretive about potential security flaws? Do you trust Apple when it comes to security?

17 comments
Absolutely

Funny question. Security isn't about "trust", it's about deny by default policies, and access via credentials. "Even when Apple patches its systems, it tends to be more secretive than other companies, leading to frustration on the part of security researchers who sit on undisclosed bugs while Apple finds time to patch them." Maybe Apple considers the paparazzi's credentials insufficient for the "security researcher" roles they assume.

nojoe45-webnews

Why would Apple need a firewall? It is so secure why use a firewall? Remember the first viruses known came from the unix operating system. John

dlmeyer

markvp has a good point ... let's make sure we are talking the right talk. It's OSX vs Windows, here ... and OSX is ahead by a mile. Andy's eMac hasn't been sold for over a year - were it the last one built, it would hardly be considered "new". Yet, it is "problem free", with little (if any?) effort. His Windows system may also be problem-free - but how much effort has gone to that end? How much system performance has been given over to preventing problems? OSX has flaws, as many Windows experts have happily pointed out, yet no hacker has managed to gain access to a standard system using those flaws. A Black Hat was able to access a laptop made more vulnerable for the purpose - but not full access and not remote access. A minor quibble, you might argue, not to the point, you could say, but any number of script kiddies - NOT the premier hackers who tested this semi-crippled system - could gain full remote access to a Windows system. Apple's OSX is NOT a perfect foil against malware. It is STILL better than anything Microsoft has ever made available. DLMeyer - the Voice of G.L.Horton's Stage Page Pod-Cast - now featuring the ICWP Pajama Party

djdawson

It may seem obvious to say that because Apple has been issuing security patches at the same or higher rate as Microsoft that OS X is just as easy to hack as Windows. However, there's a big difference between a "security issue" and a truly exploitable security vulnerability that allows an attacker to infiltrate a system. In this regard I believe OS X and other *nix-derived operating systems truly are more secure by design, though Vista is definitely better than previous versions of Windows. It also seems silly to assume that market share is a primary explanation for the seeming lack of successful OS X attacks in the wild. With all the press about OS X being more secure, I'd expect that to be quite a motivator to the hacker/cracker community to be "The First" to create a successful attack against OS X. So, I say to all these "Security Experts" who claim OS X is just as vulnerable as other OSes, put up or shut up. The most notable recent attempt at this that involved the wireless vulnerability never went anywhere, and it appears the weakness was really in third-party software and not OS X itself. Even when stock systems are made available to all comers the level of successful attack is limited at best. You can't argue with reality, and the reality seems to be that OS X is in practice less vulnerable than Windows.

DanLM

BSD, in a modified form, is the core of Mac OS X. Where FreeBSD released a patch straight away when this exploit was found, Apple denied it ever existed... George did a whole series of articles on this. What I truly dislike about Apple is the same thing I truly dislike about Microsoft. They deny or do not address security issues in a timely fashion.... I hate that about both companies... And I wonder if that is what has stopped me from buying Mac. I already know MS does this, why should I go with another company that does the same damn thing. Dan

jdclyde

The "If you were as popular as we are, you would be as hacked as we are" excuse is lame and getting lamer all the time. Put up or STFU? Exactly. Show us the security issues in the OS'es and then we can talk. There is of course also the turn-around time for MS to get out their security fixes. If they have their "fix" loaded, why do I need to run a third party AV package to continue to protect me from that KNOWN and patched exploit? Why is that hole not CLOSED, never to raise its ugly head again?

markvp

I know I'm off the subject a little bit, but is a MAC not a PC (personal computer)? If you are arguing OS's then use the names. Windows OS vs Mac OS. Because other OS's do exist.

mithraigor

Well, Apple OSX is a BSD based system, and like any OS passwords have to be set, default privileges checked and modified, system services reviewed, and the users have to *not* run as root by default. UNIX has evolved over the years to fight off external attacks, but these defenses have to be turned on, and silly stuff avoided.

Andy Moon

Apple has long claimed that it was less vulnerable than other operating systems, but has never been the most forthcoming about existing vulnerabilities or patches for them. Do you trust Apple when it comes to security?

yschoo1

I believe both Windows PCs and Mac OS are equally vulnerable by design. The difference is hackers normally go for big apples (Microsoft). Only nuts would want to hack a system which only has perhaps the total of 8% of the total market? I am running Windows XP, Mac OS X and even Linux. It is never a surprise to me that I have never had security issues to deal with with the latter two platforms. As for XP, oopah! patches or not. Like we Chinese say: "A tall tree catches the wind, period."

Neon Samurai

It's not just kids impressing themselves anymore, if someone is cracking computers they are in it for real motivations. They will find a way into whatever OS the target system is running. Any argument that comes down to market share should be discarded in these topics; obscurity is not security. Your basic premise is bang on though as all software has flaws. The basic design helps the overall security greatly but everything needs patches. It's just that some things need many, many more patches than others. The real problem is that proprietary software developers see patches as a negative. They market based on the idea that their software is somehow bug free. For them, a high bug count means a loss of appearances. Because of this, you get things like Apple's discrediting researchers so they can quietly fix the flaw and continue the white background Apple ads.

Dumphrey

backups in much the same way I did not mention breathing...it's kinda a no-brainer. The hows and whens are complex, but the need is not a question. But we are discussing Macs here, one of their largest markets is people who "just want it to work". People who believe the hype. And as for losing data due to a bad HD, you are correct. I use smart monitoring software on single drive systems, and keep an eye on the raid monitor software on raid systems. Hard drive failure is 100% over time.

"Windows is compromised because of all the automated wizbangs that people bought it for in the first place. The "it just works" applies to all the viruses and malware"

No argument there, and it applies to Mac OSX as well, just in a milder form. Security is a compromise between usability and protection. And from what I have seen, most OS's are moving towards the "ease of use end." Even Linux is doing this in the form of Ubuntu/etc. And as each OS makes compromises towards ease of use, there is a good chance new security holes will appear, be it Windows, Mac, Linux, or BSD.

"ActiveX and scripting are major issues. Anything that allows a system to be compromised by simply viewing a webpage is not on the same league as trying to hack the linux system because it won't AUTORUN the virus."

Once again no argument...you're preaching to the choir. I use Firefox with scripting disabled. My point was more that while Mac is more secure than Windows, it is a poor idea to assume it will stay that way, and even worse to act like it's invulnerable. SANS gives Windows XP (pre sp2) about 8 minutes of direct connect to the internet before a major risk of compromise. XP Sp2 is closer to 300 minutes. Unix based systems are at 1500 minutes without hardening. I found no statistics on Vista. Is *nix (I am including Mac here) safer? Yes. Bulletproof? No.

Absolutely

Linux users all have direct access to every line of our code, except for proprietary add-on software, which we can easily identify when we acquire it. The best programs are all open source, anyway. And we can review the code for the most powerful programs, making sure that they allocate the resources that make them powerful using responsible, secure methods. Apple has direct access to every line of their own code. You can install third party apps, some of which are likely to be insecure, but Apple computers are quite useful, with only Apple software. Microsoft is unique in the lack of visibility of their own code, and the amount of *proprietary* third party code that runs with their operating systems. Apple software is also proprietary, but it's written in the same shop as the OS, so they can collaborate more efficiently. Linux runs third-party software, but generally it's open source, so anybody who has problems with software on their own system can *legally* fix it ourselves, which several folks tend to do, then share the wealth of their work. When it's illegal to decompile software and read source code, only criminals will decompile software and read source code.

jdclyde

DESERVES to lose it. You are more likely to lose your data due to a HD failure than having your MAC/Linux system compromised. Windows is compromised because of all the automated wizbangs that people bought it for in the first place. The "it just works" applies to all the viruses and malware. ActiveX and scripting are major issues. Anything that allows a system to be compromised by simply viewing a webpage is not on the same league as trying to hack the linux system because it won't AUTORUN the virus.

Dumphrey

is that Macs do not get Windows viruses. Linux will not get Windows viruses. But all it would take is ONE well written virus to spread a long way in the mac/linux world. This is an inevitability, not a fantasy. People point to the fact that linux/mac privileges do not by default allow root access....my response is so the F##k what..all my data is stored as me, the local, running user. Ubuntu installs in 20 min. Lost data is gone. People forget that it's not the OS that's important, it's the data, OS exploits are a way of getting AT data. So Mac is "hack-proof", as long as no one really tries to hack it. Macs are "virus proof", as long as no one writes viruses for Macs. Obscurity is not security, it's a lie. "I'm safe because no one can see me/or cares" is no different than "I am really rich, as long as I do not need to prove I'm rich." So, for the moment, Linux and Mac are more secure in terms of virus resistance, but betting that will not change is pure stupidity. And as for "hack-proof" well, that's just ignorant to begin with... as has been shown at any *.hat convention. "I have met many paranoids that weren't the least bit security conscious, but I have never met anyone security conscious that was not at least a little paranoid."

yschoo1

I still believe market share has everything to do with it intentional or otherwise. My humble personal experience is I have run all three "major" (Windows PCs in my opinion is the only major platform) platforms and I have never had problem with Mac OS X and Linux Ubuntu, get this, not even once these past 2 years. I don't even have antivirus software on my Mac OS X other than the built-in firewall that comes with the machine. I spend more time lately on Mac and access the same web sites with all my machines with different platforms. However, I had more than 3 crashes (2 fatal due to viruses) with my Windows XP with both firewall and proprietary antiviral software running. Twice I had to reformat and reinstall my Windows XP. I am certainly not that naive to believe that Mac OS X has better defense system by design. Obscurity is definitely not security. That said, obscurity no doubt tends to attract less vulnerability. I work for a major corporation in Canada which is still using Windows 2000 for our national network. It may be a surprise to you that a tremendous number of our executives are using Mac Books both at work and at home. Reason? When it comes to avoiding crashes and risk being infected Macs simply beat Windows hands down, period.
