Fair and balanced?
 
A set of articles on the Fox News Web site tries to present two different points of view on Mac security. “Mac OS Becoming Juicier Target for Virus Writers” by Lisa Vaas takes one point of view, and “Macs Really May Be More Secure Than PCs” by David Morgenstern the other. It turns out, however, that both articles meet fairly close to the middle.
 
Both articles quote a number of “industry experts.” Both acknowledge that the number of real-world exploits against the Mac is essentially zero, and both wonder why. Both concede that any operating system, on a network, presents vulnerabilities. Both applaud the job Apple has been doing recently in patching new vulnerabilities soon after they are discovered (for instance, through the Month of Apple Bugs or CanSecWest). And both indicate that the focus on Mac security from the outside world is increasing.
 
Beyond their similarities, each article makes some interesting and insightful observations and conclusions.
 
From “Mac OS Becoming Juicier Target for Virus Writers”:
 
  1. The descriptions of patches lead people to write exploits for something that's been patched... Security research company Immunity released the exploit code — which leveraged a buffer overflow vulnerability in the... OS X mDNSResponder implementation — less than 24 hours after Apple had released a patch for it. Apple implements the protocol in its Bonjour technology...
  2. Rich Mogull, another Gartner analyst, said that the buzz in the hacker underground is that "the bad guys are targeting Macs a little more [but] not enough to be worried about yet." Besides, one has to question the motivations behind the release of Mac exploit code, Wagner said. "Often the motivation is some kind of publicity," he said. "Recognizing vulnerabilities in OS X does have some cachet these days."
  3. Another thing that analysts fault is Apple's lack of a solid patch process — one that's regularly scheduled, such as Microsoft's Patch Tuesday or Oracle's tri-monthly patch releases.
  4. One such thing analysts would like to see in a Mac operating system is ASLR (address space layout randomization)—a technology designed to allocate random space for memory, thus making it harder for an attacker to figure out addresses of critical functions and hence harder to get exploits running correctly. Microsoft implemented ASLR in Vista.
  5. Input Managers in particular are well-known to be security flaws in Macs. An Input Manager is an aspect of text input, enabling such things as the entry of non-Arabic numbers... Input Managers were also used as part of one bug featured in the Month of Apple Bugs, on Jan. 22, 2007.
  6. it will be a good day when the company gets its first CSO [chief security officer]
 
From “Macs Really May Be More Secure Than PCs”:
 
  1. The Mac is a better platform when it comes to security and malware attacks. I've used Macs since 1984, and I've been infected by some malware twice. Two times. One was in 1989 on a diskette distributed at a Macworld Expo with a HyperCard stack... The other was an infection by a cross-platform Office macro virus perhaps 10 years ago. The person sending me the file was a Windows user.
  2. Apple has turned off a lot of services in OS X that make Windows vulnerable, especially in Windows XP. One example he noted was that Apple offers users an opportunity during installation to enter an administrator password, rather than defaulting to admin user status without a password.
  3. While there have been exploits demonstrated on the Mac, many are very difficult to accomplish out in the wild.
  4. Consider this: The Mac is the most homogeneous computing platform in the world. That should make it the most vulnerable. Instead, it has the strongest real-world record when it comes to exploits.
Thursday, June 7, 2007