OSX "less secure" than other platforms according to security specialists

I found this article published on ZDNet yesterday, and picked up today by Cnet, to be very intereting. Not only are Macs vulnerable to exploits just like PC's are, but OSX actually still contains "ancient flaws" that were fixed 10 or 15 years ago in Windows, making OSX indeed less secure in many ways than Windows or Linux. I think the following quote from the article sums it all up pretty nicely, both in terms of technicality and attitude at Apple"

"Bugs like this require a simple glance over the code to notice and are long dead on other operating systems.… When we spoke to Apple on the phone about this issue, the security team had never even heard of the application, and burst out laughing at the simplicity of the vulnerability."

I also found this response from Apple to be particularly telling:

"A spokesperson for Apple told ZDNet Australia that the company is 'not going to comment on what other people say about Mac OS X'."

So apparently, Apple's got no problem running ads that say things like "Windows 95 equals Mac 84" (anyone remember that one?), or their latest TV commercial about how Intel chips are and always have been dull, boring, and lifeless inside PC's. But when someone legitimately points out how the Mac actually is behind the PC in a critical area, all of a sudden they've got nothing to say. In other words, they can dish it out, but they sure can't take it.

That's the biggest reason I don't own a Mac, by the way. Apple's always so negative. Their tendancy more often than not is to focus on what's bad about the competition, rarely on what's good about their own product. Negative ads can never sell me. If they'd just have the good sense to say honestly, "Okay PC's are pretty good at ____, but Mac's are really good at it, and let me tell you why..." they'd have me at hello. The insults always turn me off though. I happen to like my PC, so why would I ever want to do business with someone who makes fun of me for that?

The bottom line is regardless of good or bad someone's product may be, they'll never get a dime from me if they treat me like I'm stupid for having bought from their competition in the past. Never insult the competition. That's just common sense salesmanship, and I really wish someone would explain it to them.

Anyway, I digress. The topic here was security, not advertising, so let's get back to that. I guess the appropriate way to summarize that subject in Apple terms would be "Mac OSX equals Windows 3.1," would it not?

Damn, too bad you didn't find this before Ulrika left. I'm completely with you on the advertising thing. Apple's ads have always been all style and no substance. I hate negative advertising, but I hate "lifestyle" advertising even more where no useful information is given about the product at all. It's just implied that using the product will make you cool (car ads anyone?). It's such an insult to the intelligence of the viewer.

I think I'd have to disagree with that. I don't own an Apple, nor have I ever. As I've never spent any significant time with them, I find myself lost in front of one on the few occasions I've had to. Thus, it would be hard to class me as a fan-boy.

I read the exploits that you linked to and find the ZDnet article way overstates the severity of them. The reason I presume OS X to be inherently more secure than Windows is it's Unix/Mach pedigree and the fact that most users never need run as root. Under every single version of Windows, it is hard to run day to day operations as other than root unless you have some sort of turnkey application. Add in Window's ActiveX autoloading of root software from joe's website and they fairly invited exploits with open arms. Windows has closed many of the gaping holes that had made it an easy opening container, but, for example, until recently, you couldn't install SL - a pure user application - without root privileges which is just silly.

I've not looked into SureSec, but it would not surprise me if like other "independent" firms in the past have shown to be, it is funded by Microsoft's marketing group so that their corporate sales reps can say "Macs aren't secure, here, see this". Combine that with ZDNet's need to make stories and you have a mountainous molehill. I think http://www.cert.org/ would be a much more non-partisan source if you wanted to make deep comparisons.

As for Apple marketing, I found their using images of Ghandi and Lennon rather Godwin-eque, but can't summon enough energy to care much about it.

I think we'll have to agree to disagree, Introvert. I don't know enough about the "root" issues you mentioned to comment intelligently on them, but I do know enough to know that there's no such thing as a computer that works. My experience with the Mac has been that they crash just as much as PC's do, despite Apple's fervent claims to the contrary, so why should I believe Apple's similar claims about security?

I really think they've just been more or less secure by proxy up until now, just too small a target to have been very tempting to badguys. If you've got the smallest house on the block, you can probably get away without a burglar alarm for a good long time. You might get lucky for 10 or 15 years, and never get robbed while all your bigger-housed neighbors do, but that certainly doesn't mean you're immune to robbery. You were just too small to be bothered with.

As for your theories about Suresec, again, I can't comment intelligently on that. I don't know who they are either. It is interesting that all the advisories on their site are aimed at OSX and Linux, none at Windows, so at first glance you may have something there, but in fairness, that could be for any number of reasons. Besides, even if you theory were correct, and their charge were to be specifically to find flaws in non-Windows systems, and even if the funding behind that charge were to come directly from Microsoft, that wouldn't automatically invalidate their findings. Notice Apple has not refuted any of Suresec's reports, and they have patched some of the vulnerabilities Suresec has found, which strongly suggests that the findings are legit. You can't patch a hole that's not there.

I've always liked Apple's advertising. The "Think Different" campaign was a great one. Microsoft's ad's always seem clunky by comparison. I've used Macs since the first one came out in 1984. I've watched Windows try to catch up, get close, then, again, fall behind the features, ease of use, and just plain graphic beauty of the Mac OS. I'm stunned that the originator of this thread got his information from a website that focuses on Microsoft's two main OS rivals, Mac OS and Linux, but, laughingly, doesn't mention the plethora of holes in Window's security.

In the decades I've used Macs, I've never once had a computer virus. Never. No Mac user has ever had a pop-up appear on his computer. I didn't even know what they were until I had the misfortune of using a friend's windows box. Part of this may be due to the small percentage of the market that Macs take, but the maturity and security of the Unix platform probably play a role also.

Macs were the first home computers to use a graphical user interface, the first to use a mouse, the first to use the 3.5 inch floppy, the first to have true "plug and play", the first to jettison serial cables in favor of USB, the first to jettison the floppy when it became next to useless. With the new "intel" Macs, Apple is transitioning for the third time to a new chip. Amazingly enough, the OS is still recognizably Mac. And the latest version of the OS has a new feature I use all the time, called Spotlight. It's a universal search. Oh, yeah, Microsoft promises it will implement one in it's next version of windows. Due out when?

Chosen and Chip, you are well known Mac trolls, got a slow day eh ?
Come on guys show some maturity. Starting an OS war in a gaming forum, you should know better. I understand it's against the forum guidelines ?

No OS is perfect but some of us who choose Mac do so with a great deal of knowledge and experience behind us. ( If you need my credentials, I develop USB and Firewire driver, high level 3D graphics and Audio DSP software for Apple and Microsoft OSes, I have done so for 20 years ). Security plays a very small part in the decision btw, no OS is secure, the best security is in how you use a machine and being aware of the risks you expose it to.

As a side note, it is perfectly possible to run Windows every day for day to day operation of the computer in non-root status. Most people don't, but that's another issue.

MacOS has never, ever had popups, huh? Wow. A whole ton of sites that rely on them for one reason or another must not work for you...

With regards to this article... It's probably biased, but I would also believe that Mac has some OS flaws that are very ancient. Mac has, IMO, long relied on the fact that they were a tiny market share.

Mac's advertisement, I'll agree, rubs me the wrong way. And I say this as a person who harbors a desire for at least an inexpensive mac to play with. Every time I see one of them I twing a little inside. Not only are they, imo, self defeating by back-handedly insulting the people they are targeting, but they are... well... kinda cultish. I swear. Replace "macintosh" with "My dread lord Yog Sothoth" and "windows" with "Christ", and the commercials get a little freaky.

Micheal, you speak the truth!! I have been a MacUser since 1991(I was 4!) and a user of both PC and MAC since 2001. I genuinely did not know what a popup was until I got Windows. I thought it was when something opens in a new window, so imagine my surprise when all kindsa pr0n and viagra ads appeared!

I have to admit, even as a semi-rabid Mac user, that I have never liked the ads. I do however think that their website is a lot more positive about the mac's features and less needlessly negative about the competition. Give it a read.

And for people who used a mac once in the ninties, and still to this day say "they crash just as much as PCs", use a Mac today. It's not the same beast. Give it a chance.

.

The computer press is always full of computer security consultants and firms saying rude things about OS X - though they never seem to be actually able to point to a situation where anyone has exploited any of these holes. Symantec are the worst.

The motive for the anti-virus software companies is that, while there, er, aren't any OS X viruses in the wild, it's a growing market base, and they want to get in there and get AV software seen as a "standard purchase" just like it is on Windows. Symantec and Norton already produce god-awful OS X AV software, which I always advise people to never touch with a bargepole, because they screw up the system by themselves. Particularly Norton. Ugh.

They can't actually sell their products by the mechanism of them being good at doing something, because they have nothing to do (except screen your Word docs for macro viruses which can't do anything to you, and your attachments for viruses which you might pass on to Windows users if you're dumb enough to forward "britney_spearz_n00d!!!!.mpeg.pif" to your friends). Therefore they have to generate FUD around the issue.

As for consultants, I expect some of them are annoyed at the idea that people seem to magically think that Macs Are Safe, which of course they're not - there are holes in *nix systems. They're just way safer than Windows. And some of them are partisan, and some of them are just self-promoting, as the media picks up quite quickly on anything to do with Apple (reason: journalists are lazy and shallow, Apple does good press conferences and their products look nice).

Even when I used Windows at home, which was a looong time ago, I never saw popups that I didn't actually ask for, at least not since IE 5.5 was new, which was the last time I used it.

Watch your doors.

Antivirus software isn't a mandatory purchase on Windows either, despite what the companies would have you believe - In my years of computing, I've come across exactly one virus, and without getting into specifics, the fact that it ever even got close to me is my own damn fault.

One/If Mac ever gets as large a user-base as Windows, Virii will be out there for it. And you will have people stupid enough to do things that will put them at risk.

Pictures speak a 1000 words ...

Had the Mac not been invented, Photoshop might be a decade behind it's current level of development.

( )

Why do your menus look like sanscrit?

I've seriously never understood why mac was "too good" for the standard ctrl/alt etc..

That comming from a guy who's chosen platform spawned the most horrible key in existance, the windows key, granted... But at least we don't have a font symbol to represent our key

You've been developing USB and Firewire drivers for 20 years?!?!??
How true! I can count on two hands the number of machines I've had to recover from virus attacks or security exploits over the years. The rest are roughly 50% faulty hardware - 50% user stoopidity

precisely



Not to say you aren't correct but ... I once read a very good article explaining why the numbers of virii don't relate to the size of user base. It made a great deal about the corporate images of Microsoft and Apple and the psychology of the virus creators ... looking for the link, will post if I can find it...

I've been programming for 20+ years, makes note, be pedantic, be pedantic, be pedantic, be pedantic

Anti-virus suites. Ick. Can the cure be worse than the disease? Yup.

Uh huh - what exactly did yours say? Mine says this:

I have never had a Windows virus either in the decades I have used computers. The closest I have come is having received an email from someone who had one, trying to send the same thing to me, but it was blocked by my email program. As far as "no Mac user ever experiencing a pop-up", that is absolutely ridiculous. The Mac versions of Netscape and Internet Explorer (pre-Firefox and pre-Safari) did not have popup blockers built in - and all kinds of web pages use popup ads - it was a simple javascript command, which those browsers both supported. The problem with popups is exactly why popup blockers were built into Firefox and Safari. If the Mac did not suffer from them, why the need to have a popup blocker?

BTW, MacOS X, like other OSes, has vulnerabilities:

http://www.sans.org/top20/#u2

http://secunia.com/product/96/?period=2005#statistics

I know Mac users like to think that they are immune to all problems, but that is just not the case. Software written by human beings will always have flaws in it - and the more popular the MacOS becomes, the more it will become a target. While virus creation is somewhat about corporate culture, and Apple is still viewed as the renegade company vs the evil empire of Microsoft, it is also about having the largest attack surface to get impressive results. If you are going to write a virus, would you rather it have an 8% chance of affecting a computer, or a 90% chance?

On any operating system, it is important to keep security updates installed and to practice common sense. If you spend half your time online looking for cracks for warez that you've downloaded, it's probably not a big shock when you end up with a keystroke logger on your system.

Well Ulrika is not here, so I guess I will point out your mistake here.Your a smart guy, so I need not go on about how this is a completely illogical statement?

This is Apples and Oranges (no pun intended).
You are comparing Apples refusal to comment on a criticism of their OS with their criticism of other OS's, not to other companies refusal to comment on Apple's criticism of them. Are you asleep man? That's not the same thing at all.

Please have a cup of coffee or whatever else your drinking and come back tomorrow. So here,you are going off on an an essentially ill-informed negative emotional diatribe about how "Apple is so negative?" And you end it with a trashy insult that compares Apple to a product that no doubt you would have heartily endorsed at the time it was in use.

1) Your facts are simply wrong. Apple is no more "negative" in it's ads than any other company. I find their overdone *positivity* kind of annoying in fact as do many others.

2) Your "debate" here is just a bunch of emotional crap, opinionating in fact. Something you are fond of getting on others for and have stated in the past about how you like to "stick to the facts" and not get emotional. (In fact yo accused me of it once)

3) A series of negative insulting statements about how a company is so negative they insult you is just nonsense.

His statement is not illogical. Apple has had a history of bashing Windows in its ad campaigns - it continues to do so in its new Intel ads (ironic in and of themselves, as Apple has painted Intel as inferior for how long?). For a company that has spent as much time talking down their competitors as Apple has, a statement like "we don't comment on what people say about the MacOS" does seem a bit odd. Why wouldn't they comment and just dispute it? Perhaps because when it is not a marketing zing at Windows, then they have no great comeback?

As far as Apple not having negative ad campaigns, again, it is a fact. Apple's ads are the product equivalent of political attack ads, where the candidate talks about what is wrong with the other candidate instead of just talking about their own beliefs and policies. Apple's entire new ad campaign revolves around bashing current PCs and claiming they are setting the Intel chip free. It's a ridiculous assertion, but it is in line with the style of ads Apple has used for a long time. Apple is at its best when it is simply promoting its own products without attacking someone else.

Their iPod ads don't need to bash a competitor, there is no reason any of their other ads should either. It would be like Honda coming out with a car that used the same motor as a Toyota, and then claiming to be setting the poor Toyota customers free from their dull, boring cars. Yeah, effective in the negative - but it would be a lot more effective if you just pointed out why Honda is superior without attacking Toyota.

I have used a wintel machine for about 15 yrs or so and my Powerbook OSX for about less than a year. I have also dealt with wintel based clients within the IT tech service field of work for a little over a year. My personal opinion is that a computer illiterate person has a far greater chance of screwing their wintel machine than they would their mac just from doing day-to-day generic/office tasks considering exploits, flaws, virii, adware/spyware, etc.

EDIT: Mainly due to the greater exposure of the wintel based environments and greater risk and ease of vulnerability.