OS Security: Windows vs. OS X

[diogen]

An interesting article
Charlie Miller to reveal 20 zero day security holes in Mac OS X -- Engadget

Charlie Miller, who seem to know a thing or two about security, says

Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town.

The Inquirer is more blunt

the attack surface of OS X is so wide you can land a 747 on it, sideways.

Whether this line of thought is true we might know shortly
http://arstechnica.com/apple/news/2...rst-mobile-device-to-fall-at-pwn2own-2010.ars
In this case the iPhone takes the role of Windows as the most popular (and by extension - targeted) device in its market...

Diogen.

 

[lparsons21]

yet no malware in the wild for OSX has ever shown up.

 

[tnsprin]

yet no malware in the wild for OSX has ever shown up.

Hardly true. But since it is rarer you don't hear about it as much.

 

[lparsons21]

I spoke too soon, there has been a couple of minor things. Available only from the porn sites, and I believe one pirate site. Both required the user to put on the "I'm really stupid" hat to install.

And I believe that there is at least one malware scanning/removal software that isn't just looking for Windows malware to remove.

I've been running OSX since it first came on the market and have yet to get a single piece of malware and my experience follows that of my friends that also have Macs. At the moment, buying anti-malware software is just throwing money into someone else's pocket with little return for the buyer, except possibly peace of mind. This is usually done by those coming over from Windows.

When/if it becomes an issue for OSX, then I'll do something about it. At the moment, it is all 'proof of concept' with no actual in the wild infections. Well, other than those that love to pirate software and look at porn...

 

[diogen]

At the moment, it is all 'proof of concept' with no actual in the wild infections...

Very true.

The question is: is this due to genetics or something else?

The quoted article claims what many were saying for years and Apple faithful denying:
an OS' security is inversely proportional to the attention it gets from the hacker community.

In other words OS X is not clean from malware/viruses/trojans etc. because it can't be infected but because nobody bothers trying this.

iPhone is locked up much more than OSX but plays Windows' role in the smartphone market. Hence, getting much more attention.
We will see whether it can escape Windows' fate...

Diogen.

 

[JAG72]

In other words OS X is not clean from malware/viruses/trojans etc. because it can't be infected but because nobody bothers trying this.

Bingo, We have a winner.

Why try to do something to an OS that has such a small market share. People that write malware and viruses what the biggest bang for their buck, which is targeting Windows.

 

[Ilya]

(From Infosecurity (USA) - Security and malware threats to Mac and Apple products are on the rise)

A deluge of security threats were aimed at the Mac OS X in 2009, especially when compared with previous years. While the Intego report admits that the Mac OS X is “more secure than Windows,” the company cautioned that the Mac OS contains a number of flaws that required Apple to issue numerous security updates throughout the year. Among the 2009 patches: flaws in web browser Safari’s handling of RSS feeds, among 50 other Safari security problems fixed during the year; patches for PDF vulnerabilities; patches for an iTunes security threat in March and September; numerous patches for QuickTime flaws/bugs in June and September; and an August security update for the Apple GarageBand program.

This series of security threats – combined with the fact that Apple products are being increasingly targeted by malware authors due to its increasing market share – led Apple to break with its claims that malware presents no real threat to Mac operating systems. Mac products now include a security disclaimer acknowledging that “no system can be 100 percent immune from every threat,” and that “antivirus software may offer additional protection.”

 

[diogen]

RE: Security of walled gardens
iPhone SMS database hacked in 20 seconds, news at 11 -- Engadget
Courtesy of "the best browser in the world" Safari...

And this despite being locked up more than any OS including their own OS X...

Morale: If you are popular, you are vulnerable even if Saint Jobs says you are not...

Diogen.

 

[diogen]

And just so iPhone doesn't feel too lonely, OS X was hacked, too. By the same Charlie Miller (see first post above).

Researcher Charlie Miller, principal security analyst at Independent Security Evaluators, quickly exploited a vulnerability in the desktop version of Safari running on Mac OS X. He won $10,000 for the exploit, which was one of 20 zero-day bugs that Apple fanbois deny exist in OS X.
Miller's exploit opened up a remote shell, which he accessed and was able to run any malicious code he wanted. We guess it just worked!

http://www.theinquirer.net/inquirer/news/1598208/apple-microsoft-trashed-hackers

The most secure setup: Chrome running on Windows 7.

Diogen.

 

[TheForce]

Bingo, We have a winner.

Why try to do something to an OS that has such a small market share. People that write malware and viruses what the biggest bang for their buck, which is targeting Windows.

This debate is as old as malware itself, but what you stated is thew classic summation of the malware war.

Add to that what Leo LaPorte once said- If Apple ever did suffer a full blown attack the consequences would be far more devastating. Why? Because Apple are like anti gun owners who live in a land of peace and harmony and believe that they will never be attacked. They have their guard down and are defenseless. Microsoft owners are like members of the NRA and understand their first line of defense is at home at the computer. They ward off small battles in this war every minute of the day every day of the year. They are war hardened battle experts.

 

[Ilya]

Here is an interesting read too: Questions for Pwn2Own hacker Charlie Miller | Zero Day | ZDNet.com

It’s really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don’t do. Hacking into Macs is so much easier. You don’t have to jump through hoops and deal with all the anti-exploit mitigations you’d find in Windows.

It’s more about the operating system than the (target) program. Firefox on Mac is pretty easy too. The underlying OS doesn’t have anti-exploit stuff built into it.

It’s clear that all three browsers (Safari, IE and Firefox) have bugs. Code execution holes everywhere. But that’s only half the equation. The other half is exploiting it. There’s almost no hurdle to jump through on Mac OS X.

 

[Foxbat]

BTW, Firefox 3.6.3 is out, based on one of the Exploits that Miller kept to himself until he could profit from it...

SANS discussions find that contests like this may reward moral hackers like Charlie Miller, but if they are truly above-board, they would notify the publishers of the exploit that they discovered instead of waiting until they can win a new computer or money in a contest like this.