The Fall of Mighty Mac?!?
A month ago, I blogged about Apple's new OS X Leopard operating system and commented on how many of its features seemed similar to those in Windows Vista, a comparison that usually runs the other way when operating systems are compared.
Well, the other day, Apple did something else that made it seem hauntingly similar to Microsoft:
Apple has released a major security update to current and previous versions of its OS X operating system.
Most significantly, the update fixes 41 vulnerabilities, many of which could allow a remote attacker to execute arbitrary -- i.e., malicious -- code on the affected system. The affected software includes the Adobe (NSDQ: ADBE) Flash Player Plug-in, AppleRAID, the Mach Kernel, the Safari Web browser, and other core system components.
On Thursday, Apple released an update (10.5.1) for Mac OS X "Leopard," which debuted last month. It includes three fixes to the Application Firewall that could lead network services to be exposed. Apple also released a security update (3.04) for Safari 3 Beta for Windows XP and Vista on Wednesday. The patch fixes a tabbed browsing flaw that could expose user credentials, several cross-site scripting vulnerabilities, and a buffer overflow bug, among other issues.
As I've said many, many, many, many, many, many times before, Apple's starting to play with the big boys now, and they're bound to encounter similar issues (and take similar action) in this regard.
Tune in next week, when we read about the poor sysadmins who didn't install the 41 patches right away because they decided to spend some time testing on their network infrastructure before rolling them out to hundreds of users, only to be attacked by the hacker who has now downloaded the patch, reverse-engineered the malicious code, and sent it crawling for servers in exactly that position...
Welcome to the party, Apple. Sit back and enjoy Microsoft's new ad campaign, starring John Hodgman comforting Justin Long: "It's OK, Mac, it happens to everyone eventually. It's nothing to be ashamed of. I'm told there's a patch you can get that will clear it all up. Kinda like smoking..."
posted by Brian at 12:38 AM
6 Comments:
Geez, Brian, haven't we gone through this before?
Yes, there are vulnerabilities in Mac software, sometimes even the system software, and Apple updates it from time to time. Check the release notes for 10.4.1 through 10.4.11, and you'll see much the same thing.
The difference is that it is exceedingly rare where a published vulnerability (and most of these have been known for a while) has the slightest impact on anyone. I still tell my clients they don't need to bother with antiviral software, and I don't run it myself. The only exploit in the wild for Macs recently was a trojan horse in a porn video download, which required the user to download it, launch it, *and* enter his admin password.
Don't worry -- the first day where I have the slightest reason to protect my Mac from the Internet, the same way I have to protect my XP sandbox here, I'll be sure to let you know.
By Jeff Porten, at 9:35 PM, November 19, 2007
Sounds like a pretty dangerous course of action, given the above story. I'd say it's almost a given that someone will exploit the holes they just plugged in the near future.
So my question to you: Will you (did you?) install the patch?
By Brian, at 11:13 PM, November 19, 2007
Well, that's just it -- the holes are in the category of "hard to exploit". For example, the Safari buffer overruns require navigating to a site that is written to trigger them -- and AFAIK, no such sites exist. If they do, then they're likely not in places where I would browse, because if they were, then I *would* have heard of them from the Mac sites I read.
This gets back to the ecosystem issue that I know we've discussed before. There are two concepts at work here: the first being (which I think you're alluding to) that there are issues of security that crop up from the number of people using an OS. Part of Mac's protection, and Windows' lack thereof, is from the same monocultural issues that crop up in biological viruses. A similar exploit in IE *would* be implemented within minutes because with so many non-technical people using IE, the authors can much more easily profit from such. Mac viruses and exploits, on the other hand, are much less easily transmitted -- if 90% of the people in your neighborhood get a flu shot, then you really don't need one.
The second concept is the core of our debate: Mac exploits (including this one) are generally much less dangerous. In the case of the Safari buffer overrun, for example, the research I've read indicates that on the Mac, it can get an attacker into some parts of the system, but even then the user is protected by various Unix permissions. Apparently there's a way into the root shell, but with limited access to the system; honestly, I can't remember many details.
So this is why I have an apparently cavalier attitude to this -- as a Mac expert, I assume that any serious exploit would be discussed in the communities I monitor long before I would be exposed to them. This has generally been true even though I'm very much an early adopter of most new releases. I consider this to be an ongoing benefit of being in the Mac community; the onslaught of Windows attacks are numerous enough that it's not possible to know enough to avoid them. On Macs, it's still the case that I can.
Going forward, it's quite possible that Macs will lose their monocultural protection if they hit a large market share number -- and obviously, I'd be thrilled if this happened as the benefits would far outweigh the cost. It would also be nice to have real-world data to point to my continued assertion that Macs with 50% market share would continue to be safer than Windows due to their technology. (Talking about XP here -- I'm not qualified to include Vista.)
Finally, yes, I installed the *software upgrade* to 10.5.1 as soon as it was released, which included the patch. But that had zero to do with security issues, and was entirely based on dealing with some annoying bugs in 10.5.0, some of which remain unfixed. I'll be glad to discuss these at length, if only to stop you from claiming that *I* say that Macs are perfect.
By Jeff Porten, at 9:04 PM, November 20, 2007
Man, my neck hurts from all that spinning.
I'm not sure why you're bending over backwards to make this anything different than the frequent patches Microsoft puts out for Windows. It's exactly the same thing, distributed the same way, and vulnerable to the same consequences.
To your points:
The "monocultural ecosystem"
(fantastic term, by the way - right up there with "right-wing conspiracy")
Forget about the Mac sites you read - just click on the link I provided in the post (which is from apple.com itself). Flaws include the ability for Flash content to execute code on the machine, a weak random number generator that allows hacks to guess the next DNS query ID, holes that allow remote DoS attacks, a bug in the FTP routine that allows someone to connect to secondary hosts remotely, the ability to report an untrusted SSL certificate as trusted, etc., etc., etc.
The page contains links with more information on the bugs, which is all a hacker needs to reverse-engineer them.
Your attitude that "as a Mac expert, I assume that any serious exploit would be discussed in the communities I monitor long before I would be exposed to them" is exactly how these things do damage. On the Windows side, network administrators (and, to a lesser extent, home users) feel complacent, because no one they know has been hit yet, and they figure they have time. Then the beeper goes off at 3AM...
Non-techie IE userbase
Seriously? Mac users are, on average, more techie than Windows users? Not everyone runs the Unix shell, remember. Lots of these folks are school children or Third Agers.
Mac vulnerabilities are less profitable
Seriously...seriously? Since when does a hacker need to profit from his hack? 99% of the time, it's more about proving it can be done. Even in the well-known cases (e.g., Melissa, I Love You, etc.), the hacker didn't make a profit. His victims lost a lot of money in system downtime, maintenance costs, etc., but that money didn't go to the hacker.
"Software Upgrade"
Ah yes, it's not a patch, it's a "software upgrade." If we're going to play that game, let's use Apple's term: Mac OS X 10.4.11 & Security Update 2007-008.
By Brian, at 12:14 AM, November 21, 2007
Warning: this reply is likely to be snarky.
I'm not sure why you're bending over backwards to make this anything different than the frequent patches Microsoft puts out for Windows.
It's not about the patches. It's about the need to patch, and the issues being patched. Patches are good. Problems are bad. Bigger problems are worse than smaller problems.
Historically, Mac security issues have had an impact upon users that generally resembles a paper cut. Windows security issues have had an impact that generally resembles disembowelment. Need I point out to you how often a Windows security flaw was so egregious that it affected all computer users? My cable company allowed me to run servers on port 80 until Code Red came along. I've lost count of the number of times I've had to run fire drills on my mail servers due to some exploit in Outlook that dumped a billion spam messages into the ether. And I'm sure I've shared with you my personal anecdotes about using Macs to save the bacon of companies that relied on Exchange Server.
The "monocultural ecosystem" (fantastic term, by the way - right up there with "right-wing conspiracy")
Thanks. I picked it up from computer science professors who presented the concept at various security conferences I've attended. It stems from the fact that you can track and defend computer virus attacks in similar methods used with biological viruses.
Have you read Guns, Germs, and Steel? Viruses completely decimated the New World when the explorers arrived: estimates of fatality rates as high as 99.9%. That's a monocultural ecosystem. Now, let's take a theoretical Mayan, and put him in a theoretical city of Europeans who have all been exposed to Old World diseases, but none of whom are carriers. (It's theoretical; can't happen in real life.) Result: that Mayan could live in 16th-century Paris and die of old age, because being surrounded by people with immunity means that there are no vectors by which he can be infected. That's pretty much the heterogeneous system that non-Windows computers benefit from.
But the Mayan is not analogous to a Mac, because my hypothetical Mayan has zero internal protection. There have been numerous cases of various (usually older) distributions of Linux and Unix being taken down hard, because they were too Mayan. But even when an attack reaches a Mac, they're typically swatted down hard.
Anecdote: I was troubleshooting a mail server a few years ago, and as part of my analysis noted that the server had been under attack approximately 45,000 times in the previous month. And the month before. Earlier than that, we didn't keep our logs. We simply hadn't noticed, because out of the box and with no special intervention, our servers were immune to everything that had been thrown at them.
Forget about the Mac sites you read - just click on the link I provided in the post
I'm guessing that you don't subscribe to the weekly CERT alerts. I recommend them; every week, you get a master list of all of these issues for all systems. Every one of them has a description that sounds like these -- in fact, the language here is taken directly from them (those are the citations you see before each one).
Now, every one of these items is true. But so is, "if you close your eyes and stomp on your gas pedal, there's a good chance you'll kill both your family and someone else's." So all of these items are assigned a criticality measure, which usually relates to the chances that someone will come across it. When I read these alerts, I generally do a quick reality check to consider if anyone I know might run into problems with them. Usually, it's not worth sending out the email.
Example: last year there was an alert that affected BIND 8 and all earlier versions. This was before the release of BIND 9. BIND is the Unix software that implements DNS, and for a long time it was the only software that did so. So this alert said, "We've found a security issue that is part of the central nervous system of the Internet, and has been there since we stopped using BITNET." In 30-odd years, there were zero reports of this ever being exploited. It was patched, and everyone walked away happy.
Almost all of the reports in the patch list fall into that category. The only things there that gave me a twinge of concern were the WebCore and WebKit items -- that file:// URI issue was particularly charming -- but the message to my clients would be, "Don't surf porn sites. Don't click on spam links. Stay out of the dark corners of the Internet." Which I've been telling them all along.
The page contains links with more information on the bugs, which is all a hacker needs to reverse-engineer them.
Actually, that's not true. These announcements are very carefully written to omit crucial information necessary to building the exploit. The only time you'll generally see a full published report is when a vendor has ignored an issue for a long time and it's believed that exploits are in the wild; at such times, some people go ahead and out the entire problem. The ethics of such are hotly debated at security conferences.
Your attitude that "as a Mac expert, I assume that any serious exploit would be discussed in the communities I monitor long before I would be exposed to them" is exactly how these things do damage.
I don't mean to brag, Brian, but keep in mind that I published last week in the largest and oldest online Mac newsletter around. My editor routinely ranks only two or three places below Steve Jobs as "most influential guy in the Mac industry." I talk to him and a bunch of other Mac journalists fairly regularly. So, yeah, I consider myself to be particularly well wired into hearing about what's going on.
Now, most Mac experts don't have this level of access, but on the other hand, the people I talk to have a habit of frequently publishing what they're talking about. And my assessment, given my own expertise and what I hear from people I trust, is that anti-virus software still isn't necessary. That's not to say "never will be necessary." And there is a Mac trojan in the wild at the moment. But it just doesn't require a great deal of effort over and above what comes shipped in the box.
Hell, Leopard has a vastly improved firewall built-in. I've never heard a good reason to turn it on.
Seriously? Mac users are, on average, more techie than Windows users?
No, they're much less technical, for the same reason that owners of a 2007 Honda Civic need to know less about cars than the owners of a 1927 Model T. What I was referring to was the vast numbers of non-technical Windows users who are vulnerable to attack. The vast numbers of non-technical Mac users are not -- or at the very least, there has never been an instance of such attack actually happening since Mac OS X was released.
Since when does a hacker need to profit from his hack? 99% of the time, it's more about proving it can be done. Even in the well-known cases (e.g., Melissa, I Love You, etc.), the hacker didn't make a profit.
On the one hand I agree with you, and on the other your information is seriously out of date. The latter first: the vast majority of viruses currently extant are released from black hat farms in Eastern Europe and the former Soviet Union. Almost all of these do have a profit motive involved -- generally involving spam sales, 419 scams, etc. Most of the spam you receive comes from zombie boxes and servers, which is part of the symbiosis between black hat hackers, spammers, and scam artists. The 45,000 failed attacks I mentioned on my server were all attempts to own the box -- and if they were successful, the next thing they'd do is use it for one of the above.
The part I agree with: yes, there is a huge subculture of hackers who do things that "can't be done" just to show that they can. These people have been hammering at Macs since they were released. Some of them are Windows advocates who adhere to your statement that "all computers are the same". Some are Mac advocates who try to break the system in order to make it better. Some are just people who really need to get laid more often. The number of times they've been successful: few. When they were: patch. Damage from these attacks: paltry. Meanwhile, I still can't use port 80 here.
Ah yes, it's not a patch, it's a "software upgrade."
Brian, what I said was that I upgraded to 10.5.1 because I wanted the software upgrade. I really don't give a damn about the patch, because there's not one iota of a chance that those issues will affect me. And you remind me to mention: I have not bothered to upgrade my computers that are still running 10.4.10, which are exposed to many of the same issues. This is because there's not a damn thing in 10.4.11 that I need. And most of them will be running 10.5.1 shortly, because there's plenty of stuff there that is useful.
Incidentally, I'm installing Leopard on a machine that was released in January, 2003. From what I hear, it should improve performance overall. I'm sure you'd get similar results running Vista on a computer that's five years old, yes?
By Jeff Porten, at 2:14 PM, November 21, 2007
Addendum: this is the kind of thing I get worried about: http://www.heise-security.co.uk/news/99257
By Jeff Porten, at 5:26 PM, November 26, 2007