April 19, 2007 3:18 PM PDT

Apple plugs 25 Mac OS X flaws

VANCOUVER, B.C.--Apple on Thursday issued a security update for Mac OS X that addresses 25 security flaws in the operating system software.

The security update affects various parts of the operating system, including some third-party components such as the Kerberos authentication technology. The most serious of the vulnerabilities could allow an attacker to gain complete control over an unpatched Mac, Apple said in a security advisory.

The update deals with another trio of zero-day bugs that were disclosed as part of the Month of Apple Bugs in January. Apple has quashed many bugs detailed during the Month of Apple Bugs and Month of Kernel Bugs projects in previous patch releases.

While several of the vulnerabilities repaired by Apple's updates were previously known, it doesn't appear that any attacks exploiting the flaws actually occurred.

Apple's patch release comes just as hackers at the CanSecWest security conference in Vancouver, B.C., are being challenged to break into two MacBooks. A successful hack wins the hacker the MacBook and a $10,000 bounty, according to show organizers. The contest and conference end on Friday.

Apple has released a Mac OS X security update each month this year. In March, the Cupertino, Calif., company released an update to fix 45 bugs in the operating system. Apple doesn't have a set patch schedule. Last year, the company released two Mac OS X updates in the first four months of the year.

The latest update is available through the Software Update feature in Mac OS X and from Apple Downloads.


182 comments

Where's the Macsaresafer dude?
"The most serious of the vulnerabilities could allow an attacker to gain complete control over an unpatched Mac"

Safe as houses....
Posted by law_hog (43 comments )
Reply Link Flag
Here I am....
That's only 25... How many has Windows Fixed since XP came out... Hundreds!... Anything made by man is never going to be perfect... Not even a Mac, but it is MUCH MUCH MUCH better to use than a windows machine, and much more secure... Get over it..
Posted by Rickb1 (23 comments )
Link Flag
"..gain complete control ...
IF you are a local user (i.e. have physical access to the keyboard).

That's true of most computers which is why you physically secure data centers. About the only machine I've never been able to break into from the console is an IBM AS400.

And knowing that is why any sensitive data on my hard drive is highly encrypted.
Posted by rcrusoe (1305 comments )
Link Flag
Claim by MACSARESAFERDUDE
The claim is that OSX has zero viruses. This remains true - I don't
use virus protection or spyware protection on either of my Macs.
There is no need.
Posted by keaggy220 (57 comments )
Link Flag
Right here.
Why do Windows apologists like you have so much trouble
recognizing the enormous gulf between a vulnerability and an
exploit? I understand that a Windows vulnerability almost always
translates immediately into an exploit, but surely you must know
that is unique to Windows!

It doesn't matter how many vulnerabilities are found. The fact is
that there are still no exploits, and the longer you scream
security by obscurity, the more your argument rings hollow: if
everyone says OS X is obscure, then everyone knows about it!
Posted by Macsaresafer (802 comments )
Link Flag
funny that Apple never said it...
this story is one of many to rile Windows users' inferiority complex.

love to see where Apple said this, much better, show it actually happening on an "unpatched" Mac.

impossible....... as usual.
Posted by OS11 (844 comments )
Link Flag
Look at real world experience...
Here's the thing... I know hundreds of computer users, both Mac
and Windows. I know of NO Mac user using OSX that has been
hacked or had a virus of any kind. On the other hand, only a few of
the Windows users HAVE NOT been attacked at some level. Several
of them to the level of having to start over, wiping the machine,
etc. A few of them have been hit multiple times. Sorry, while in
theory you are correct that both Windows and Mac ARE vulnerable...
the Mac is far safer in the real world. -Steve
Posted by stevew928--2008 (19 comments )
Link Flag
As opposed to...
... all the STILL currently unpatched Windows flaws that ARE being actively exploited, these are potentially exploitable and NO active exploits exist for them. Apple is patching before ANY damage is done. Macs ARE safer.

Happy now?
Posted by MadKiwi (153 comments )
Reply Link Flag
These are the known and latest batch
This is 25 KNOWN issues that were patched. The funny thing about this is that they are patched today. You didn't even know that they existed yesterday, did you? How many MORE flaws are there in the system that you don't know are there right now? Just because Apple isn't telling you about them doesn't mean they aren't there. They didn't tell you about these 25 until after they patched them.

So... how many MORE are STILL currently unpatched that ARE being actively exploited that you don't know about? Your logic falls flat on its face there.

You can't patch what you don't know about and Apple isn't telling until after they release the patch. That doesn't say anything about the OS being safer- it says that you, the end user, are just in the dark about it.
Posted by Vegaman_Dan (6683 comments )
Link Flag
Apple Plugs 25 flaws Prior to Exploitation
There, fixed that for you.
Posted by Hep Cat (440 comments )
Reply Link Flag
Fixed, done, and on to the next batch
I'm glad that Apple actually admitted that there were this many flaws that had to be patched, quite a few of them as being serious security issues. More typically they don't say anything and then release an unrelated patch for iTunes that happens to also take care of these other issues that they don't actively admit to.

I don't care how they do it, just as long as it gets done. The vocal Mac users here are not used to having to admit their systems are exploitable and quite vulnerable, so they aren't going to do anything about securing their systems themselves, so Apple will need to do it for them.

Congratulations to Apple for getting these 25 flaws patched. Now let's start working on the hundreds of others that the public isn't being told about yet.
Posted by Vegaman_Dan (6683 comments )
Link Flag
People in glass houses ...
Even before security researchers started focusing on Macs, there was this 'air of invulnerability' projected by Apple and Mac users.

Now that flaws are being discovered on Macs, those voices have switched to "Macs are still more secure", "Big deal, Windows has 10K flaws", etc.

This may be a bitter pill for Mac advocates to swallow but guess what, Macs likely have many more flaws yet to be discovered.

Think about the attention that hackers and security researchers pay to Windows vs. Macs. Windows has been under scrutiny for many years by 1000's of hackers and researchers. Yes many exploits have been found and fixed. However, the rate at which flaws are being found these days is much lower than in the past. Put another way, the scrutiny has greatly improved the quality of Windows.

Now look at Macs. Much fewer eyes have been prying it open for much shorter of a time span, yet the rate at which flaws are being found is very high, 70 in four months, and those are the result of a limited group of security researchers looking into it.

Common sense suggests that given more time and more prying eyes, the number of Mac flaws found would be even higher. I believe we will all see this as Macs are used more widely, drawing more attention from people wishing to exploit a large user base. It is just not that interesting now unless you are a Mac user.

So do not be so quick to throw rocks at Windows. Your house is likely made of glass too; you just do not realize it yet.
Posted by NewsReader_ (280 comments )
Reply Link Flag
Reading is not the same as Reading Comprehension
There has yet to be a single documented exploit of an OS X Mac
without direct operator involvement. There hasn't been any
documented take-over of any machine, there's been no
documented trojan horse, no email bombs, no server break-in,
no disk drives erased. Almost to the last, everyone of these
"vulnerabilities" has required direct interface with the computer
either at the keyboard or through a trusted remote account with
supervisor access. Even the most vaunted of the so-called
vulnerabilities - the bogus exploitation of a 3rd party network
adapter - only caused the computer to shut down. Shutting
down when someone tries to break into my computer doesn't
really qualify as a true vulnerability to me.

I don't claim to live in a bulletproof glass house. Just that
Windows machines seem to live in break-away stage glass
houses, while Macs seem more like Herculite® (the stuff they
use on hockey rinks).
Posted by qprize (237 comments )
Link Flag
GO for it man
Put your money where your mouth is...
Posted by Rickb1 (23 comments )
Link Flag
OSX is more battle tested than Windows -
I think you are overlooking the fact that OSX has much more experience on world wide networks than Windows could ever hope to have.

OSX is based on Unix, which is why BANKS and Security Firms use Unix... NOT Windows when they want the most battle tested OS.

The world's best Hackers and Crackers have tried and tried to break into OSX, NONE have been successful. Most experts agree OSX is the most secure OS in common use today.

It's a stronger foundation, something Microsoft doesn't have access to, Users are separated from the underlying OS, thus you can't alter the OS from the outside. Each file on OSX has "permissions" further preventing hackers. And the list goes on. Nobody can crack OSX.

-
Posted by OS11 (844 comments )
Link Flag
People in glass houses
Possibly hackers too were under the impression that the Mac OS was invulnerable to exploits. Certainly they would have gotten that impression from the many Mac fanatics who seem to know even less about the Macs they use than they know about Windows.

By now of course the hackers do know how very vulnerable the Mac OS is and perhaps now they will go after it. Wouldn't be surprised.

And yes, I use an Intel iMac, along with Windows machines.
Posted by gmcaloon--2008 (72 comments )
Link Flag
Maybe need a bit more info..
OK, guess what, Macs used to have vulnerabilities and viruses
way back in the day, so anybody that said "Mac's are
invincible" (never seen that statement except from anti-Mac
trolls, so there ya go) is an idiot, and deserves all the scorn in
the world. That said, it's crap to say that Apple and the MacOS
haven't had just as intense scrutiny on their security as Windows
or any other OS, if Mac OSX had the flaws (quantity and depth)
that Windows does it would be publicized along with the
exploits, for no other reason than because so many people who
use PCs hate Macs, and would love to publish destructive code
for them. On top of that, Symantec would love to add Mac Users
back to their customer base, as I said back in the Pre OS 8 days
many of us ran SAM because there were legit (though infrequent)
threats from viruses and such. And look at how much attention
things like this do get: CNET never covers mac stories (iPhone/
iPod/AppleTV don't count) unless they have some type of
negative security angle, because it makes Macs seem more
vulnerable, even if only for a moment.

Also, what is this "shorter time span" that "much fewer eyes"
have had to look at Windows versus Macs? You can talk about
marketshare all you want, but less than 5% of PCs sold (and it
was a much higher percentage up until the mid 90s when PC
sales took off) is still a ton of units, and Mac OS is older than
windows, unless you count DOS. OSX is almost 6 years older
than Vista, but has already had more functional exploits (cursor
bug)

My point is, you're right that some mac users have occasionally
been superior ******** about security, but perhaps you should
learn more about the actual history of the PC industry and Macs
before you make statements about the amount of resources
involved in either platform's development, your ignorance only
undermines your position.
Posted by DaiMac (62 comments )
Link Flag
Security Researchers have always looked at OSX.
Your post doesn't make a lot of sense. OSX is the same OS that created the "world wide web", thus it's always been the center of "security" scrutiny.

There is no new "bitter pill" to swallow. Mac users have always been keenly aware of security and have built the most secure OS as a result.

Fewer and fewer Unix flaws have been found over the years, so it's winding down, not up.

OSX is the most secure OS in use today, and will remain that way for the next several decades.

OSX is made of bullet proof glass, nobody in the universe can break it.

-
Posted by OS11 (844 comments )
Link Flag
Sure, I agree
Yes, very true. The MAC has had fewer updates with OSX. We all need to account for the % market share of MAC vs PC computers. More people have PCs therefore more people attack PCs.

Also, please use spell checker and re-read your postings. This will help with misspelled words.

**Disclaimer: I use BOTH PCs and MACs and I like them both.
Posted by NProszkow (17 comments )
Reply Link Flag
No Need for Plugs
Who cares?! Hackers surely don't care about the Mac; why would anyone put in the effort to use an exploit that would affect only 25 people? Do many hackers care about the BeOS? Of course not.
Posted by dysonl (151 comments )
Reply Link Flag
problem is...
The Mac OS represents the most affluent user base in the world, thus the most valuable. Windows is easy to hack, OSX is impossible which has been proven over and over for YEARS.

Hackers have tried and tried, but Apple is too smart for them. It's too high of a hurdle even for the best Russian minds.

Thus, "zero" security issues with OSX.

But have fun trying... we always like to laugh!

just try and crack into this... I bet you $1,000,000 you can't.

http://24.8.244.176/

-
Posted by OS11 (844 comments )
Link Flag
OH NO!!!
Now that you have adequately proved that macs are infinitely more vulnerable than pcs to take-overs...[snore]. PC lovers will take any chance they have to attack Macs mainly because they do not get the chance very often. That being said, I would also like to point out, as others have that none of these bugs have been exploited and also without saying it extremely verbosely... unix rocks, dos does not. Also I would like to point out that only about 5% of the market is controlled by mac OS's and about 93%ish(I don't know exactly, but close enough) by windows ones, yet on these blogs there are an equal number if not more mac supporters than winblows supporters. Does this tell us anything?
Posted by bobmarksdale (29 comments )
Reply Link Flag
Who was on the Net first...
"Also I would like to point out that only about 5% of the market
is controlled by mac OS's and about 93%ish(I don't know exactly,
but close enough) by windows ones, yet on these blogs there are
an equal number if not more mac supporters than winblows
supporters. Does this tell us anything?"

I remember a study from 1997 reporting that while Mac had a
3-6% marketshare from 95-97 they constituted over 45% of
internet users in the study's survey, and almost 25% of the pages
examined were created on a Mac. Now that's a long time ago,
and I know that the percentages have shifted to better reflect the
actual PC market, but the fact is that if you're a technically savvy
internet user who actually remembers using Mosaic then you're
more likely to be a Mac user than a PC user.

The other thing is passion: most Mac users are very passionate
about their machines, whereas most consumers in general could
care less, they can check their email on both and Myspace.com
loads either way, so who cares which has what other features
and which UI is easier/better. While PC users (and I myself have
both, but the PC is not a "work" machine that I actually do
productive things with) like to harp on their marketshare, when
you hack off all of the machines used in offices and then
eliminate all the people who could care less what their computer
runs who have PCs, the number of PCs users who care enough to
come on forums and post for Windows or against Mac is
probably roughly the same as Mac users who can and will do the
same, hence the perception of parity.
Posted by DaiMac (62 comments )
Link Flag
Oh Yes!
Unix rocks and DOS does not? What kind of statement is that? Windows hasn't used DOS since Win 98. There is no DOS in any NT Windows version, W2K, XP or Vista.

You do indeed see many Mac supporters here than Windows supporters. In fact very few of the latter. Why is that? Because Windows users don't need to prove anything given their numbers compared to Mac users. At that, Windows fanatics are almost nonexistent. On the contrary, Windows people most often are the most critical of Windows. Are they equally critical of the Mac? No. Why would they be? Most know nothing about Macs and don't care to know anything about them. Some are still so ignorant of Macs they see them as hardly more than toys that are useful mostly for doing graphics stuff. Question most Windows users about Macs and usually you get nothing but a blank stare.

There are many Mac fanatics however, although far fewer now than previously and we can be grateful for that at least. The reason seems to be that some Mac people see themselves as a victimized minority. They are not of course because again most Windows users hardly know Macs exist. But perception plays a part and Mac fanatics feel rather put out in a world dominated by Windows. Hence the tendency towards fanaticism.
Posted by gmcaloon--2008 (72 comments )
Link Flag
Not 133 bug patch
Oh, sorry that was Microsoft that is issuing the 133 patches. And
was it a double patch for the out of cycle Cursor flaw? MS first fix
didn't even take.

So what's all the gripe about Mac. Windows has your holy access
port to deal with.
Posted by Travis Ernst (170 comments )
Reply Link Flag
True, it's not 133 bug patch
Considering the 133 versions of the bug patch for Windows was for differing languages, you can now use your same argument to now multiply the Apple patch by... guess what- 133.


Does that mean we can claim Apple had to create 3,325 patches with your logic?

I don't think so. You can't compare the two OS patches as they aren't related. If you do try to do so, it would look terribly embarrassing for Mac users and it's simply not the case.

One Windows patch. Twenty-five Mac patches. Next week it can be the other way around.
Posted by Vegaman_Dan (6683 comments )
Link Flag
Apple uses tempered glass
TSIA.

Microsoft may make its house out of thin float panes; while
Apple was thinking and used tempered so you can even walk on
it without causing it to crack.

and yes, for the record, you can walk on tempered glass.

It's just interesting that the Mac may have its faults, as almost
any OS does, but we don't get the exploits. A lot of the time it is
third party wares that cause problems. Apple took a lot of that
problem out. Now it's just keeping the office all up to date so
there are not gaps on machines for the OS/security.
Posted by Travis Ernst (170 comments )
Reply Link Flag
But...
I am a mac user and I use an anti virus for 2 reasons...

1) So I can check files before I send them on to my Windows-using
friends and

2) I know that no OS is perfectly secure, and one day I wouldn't be
surprised if someone wrote a virus or worm for OS X. I would like to
be protected from that rather than letting my ignorance be the
cause of me losing my years of work.
Posted by liam04uk (20 comments )
Reply Link Flag
Millions of Windows PCs are controlled by bots
People seem to forget the simple fact that millions of Windows
PCs are permanently hijacked and controlled by bots, thereby
used to send hundreds of millions of spam email messages
around the clock, costing the IT industry and individual users
collectively billions of dollars.

This means that taking over a Windows PC is a routine task, not
something that takes any effort. A small minority of Windows
machines may have been secured with third party software and
user effort to the point where taking control of them remotely is
not a routine task, but the vast majority of Windows machines
are prone to being hijacked without effort, using automated
tools that can do the job.

By contrast, taking over a Unix system generally requires effort
and skill. Again there may be a minority of systems which have
been put in a state that they can be hijacked easily, but the
default state of a Unix system and thus the vast majority is such
that it requires real effort and skill to hijack if at all possible.

Now, if legislation in a major economy such as the United States
or in the EU would change such that operating system vendors
become liable for the damage caused by the botnets and their
spam, then you would see Microsoft becoming concerned
enough to actually do something about it. Without any such
liability they have no incentive whatsoever and they will not
fundamentally change their tack to actually fix the problem.

Another way would be to make the individual user liable for the
damage caused by any computer they operate even if their
machine has been hijacked without their consent and without
their active wrong doing, the wrong doing then being to have
chosen a system with lax security. This would then cause people
to stop using products that put them at risk of being held liable
and the resulting loss in revenue would then be of sufficient
concern so that Microsoft would have to fix the problem.

In the real world though no such thing will happen. Microsoft is
too powerful for any legislation that would hold them liable to
pass and consumer rights rule out that any legislation would
pass that holds individuals liable. Without feeling any real heat,
Microsoft will continue to do business as they have always done
and we will continue to get more and more spam. It's as simple
as that.
Posted by balooh (37 comments )
Reply Link Flag
Perhaps we should outlaw arrogant users instead
Verbally attacking windows users and systems does not seem to be a reasonable approach to the overall security problems we face today. Apple is as secure as Windows, and Windows is as secure as Apple...until hackers turn their attention to them for fun and profit.

People who have a real grasp on security understand that it requires something that this poster failed to consider. That concept is collaboration. Collaboration of users, security firms, developers, and the companies that write the paychecks. That is happening.

Arrogance also breeds contempt rather than collaboration, especially against the innocent. Educating a friend or a neighbor is another option that this individual seems to have forgotten as well. Try spreading the word. Use real world social networking to bring people up to speed.

Contribute rather than condemn.

Otherwise we may be forced to outlaw arrogance as well.
Posted by Joe Koskovics (18 comments )
Link Flag
You know why?
First, Windows PC's are inexpensive. Buyers can get a no-name cheap-o machine for $300 ready to go. This means a lot of people choose a Windows box as their first computer. Lack of experience in a networked world is a dangerous thing.

Second, Windows underlying code was built back before on-line security was an issue. It was designed to be easy for the user to install and run programs. This means that the user was an admin by default. To maintain compatibility, the same scenario applies even today.

Third, MAC is Unix-based. Unix doesn't like people running in admin mode. Programs were written to operate without users having admin control.

If Windows switched to a Unix based code, it would be more secure, but software compatibility would go out the window. This would be a huge expense for millions of businesses who would refuse to upgrade.

Macs were able to make the switch by bundling the classic OS and allowing users to run in that environment. In this case, a smaller market share actually helped Apple. There were a few big pains (like Photoshop), but overall, it went pretty smooth. Minor bumps again when Apple switched to Intel...the biggest, again, being Photoshop.

My point is, Microsoft's huge market share is what is killing their security. It's not that they are the biggest target, it's just that they are so big, that it is difficult for them to make the required changes without losing customers along the way.
Posted by One-Eared Gundark (610 comments )
Link Flag
The truth of the matter...
Between the blustering of security researchers, the TV
commercials touting OS X's security (which apparently annoys
the cr@p out some people), the vitriol constantly expressed by
C|net Apple bashers you'd think SOMEBODY would have created
a really nasty varmint and turned it loose on OS X by now,
wouldn't you? Just to prove a point? Why hasn't it happened? The
"not enough market share to matter" argument just doesn't hold
water anymore. There's something about OS X that makes it real
hard to attack successfully.
Posted by lkrupp (1608 comments )
Reply Link Flag
True- nobody really cares enough to write one
If someone does decide to write such a virus, then there will be some serious trouble if we base the average Macintosh user on the beliefs of people like Macsaresafer and Daimac, both of whom have recommended that Mac users NOT use any sort of AV or firewall products.

They are actively telling people to leave their systems open and vulnerable. That's not responsible for anyone using any OS. If someone decides to go after Macs, then people like Macsaresafer and Daimac are prime targets.

It does beg the question to be asked- what about exploits or bots that haven't been detected yet? If I had written a Mac based exploit, I don't think I'd want to brag or advertise the fact. Why attract attention when you could have hundreds of thousands of Macbot slaves at your command and their owners never even know about it? The experts here recommend taking no action to even check so- well, it's a prime area to do something about. There's already keyloggers in the world for OSX. How many are running undetected because the end users are brainwashed into thinking their system is invulnerable?

Some day someone will make some splashy and obvious malware that will make people sit up and listen. I'm more worried about what's out there right *NOW* that people are not looking for.

Don't bother saying they don't exist. I can claim that there are no bots for the OSX, but if I was a person trying to make a big bot net, I wouldn't exactly advertise that, now would I? It'd be far better to keep it quiet and give people no indication of the problem or else someone might try to stop it.
Posted by Vegaman_Dan (6683 comments )
Link Flag
Let's fix it and move on
It's very tragic that there has to be this "war" between Apple users and PC users. As a Windows user, I hold no grudge against Apple or their users. In fact, I think Mac Computers are great. I choose a PC for the business services they do so well. One day I will purchase a Mac, when I have the need for a machine that supports the arts.

But what gets under my skin is how this community gets wrapped up in petty little arguments that take away from our overall strength.

Collaboration with each other will be necessary as a part of the evolution of our security. And that can not happen if users on both sides continue to hold imaginary grudges.

We have businesses, communities, and families we need to watch out for. Let's take a deep breath of reality and move on.

And maybe we can build a more secure community together.
Posted by Joe Koskovics (18 comments )
Reply Link Flag
Don't worry we have MS to blame
Don't worry we have Microsoft to blame.
Posted by TanNg (31 comments )
Reply Link Flag
for Vegaman_Dan...
that thread tree was stopped due to length so wanted to reply to your comments:

---

"One flaw that was patched was a denial of service attack that could result in code being executed on the local system"

Ah, no. It only had the "potential" to execute code, which in Unix is like saying "impossible".

"Hey, what sort of code would you like to run today? That flaw alone opened up the entire system to an outside attacker"

Ah, but there was never a flaw that allowed code to "run". Big difference. You can't run "code" on OSX or any other Unix, with out root "access". You are overlooking that.

"That's serious. That patch was taken care of, but what about the other vulnerabilities that still exist that Apple hasn't told you about?"

Not sure what you mea... we as Mac Users are fully abreast of any potential attacks, the Mac community is the most wired, most informed group of computer users in the world. If there was an actual problem, Mac users worldwide would know within minutes, have a fix within hours.

"Until yesterday, you didn't even know that THESE 25 vulnerabilities existed. How many more don't you know about that are on your system right now?"

Ah, that comment is based on a "Windows Mindset", not a UNIX one. I know EXACTLY what is running on my system. I know EXACTLY what is installed. I know EXACTLY what I install. Nothing can be installed without my APPROVAL. You don't understand Unix it appears.

"To claim that nothing can be installed on your system is- well, very, very, ignorant."

Ah, you said it. Not me. NOTHING can be installed on a Mac running OSX, without physical keyboard APPROVAL. That's the difference.

"How do you know if your system was exploited? If you keep sticking your fingers in your ears, you'll never hear the warning siren"

Ah, you are forgetting, (or don't yet understand) there is no way "into" an OSX box from the outside. So right there, you can't "exploit" a Mac. I know it's tough for you coming from the Windows world, but the types of things you are suggesting simply don't matter to a Unix based machine.

have a good day.
Posted by OS11 (844 comments )
Thought you could just pass those stats on
Did you think you could just pass those stats on and nobody would question?

MS has 71,000 employees. Apple 17,787. Although close it means apple has *more than* 1/4 the number of employees.

Revenue numbers are cute but gross profit:
MS 36.63 Billion
Apple 5.6 Billion.
(That's less than 1/6 for those keeping track at home)

How about we stay on topic:
Apple just admitted 25 flaws. Numerous privilege elevations both local and remote. Nasty stuff.
Posted by smilin:) (889 comments )
i checked facts, you did not.
the numbers you provided:

apple has 148 employees more than exactly "1/4th" hardly significant. my 1/4th comment was perfectly valid

size does matter, within 5 years, Apple will be larger than Microsoft in terms of Revenue. All without having an illegal monopoly to prop it up.

of the 25 flaws, none were serious, none ever exploited in the wild. and "zero" were "nasty" also, no privilege escalations were reported.

so this is another example of Apple doing all the "security" work BEFORE it ever touches a user... a polar opposite approach than what MS users.

check your facts next time.
Posted by OS11 (844 comments )
This is the Best Post ... READ IT
http://news.cbsi.com/5208-10784_3-0.html?forumID=1&threadID=26862&messageID=259573&start=0
Posted by Thomas, David (1947 comments )
Un-fair comparison
While I am extremely interested in how this works out, it really doesn't mean that much if no-one comes forward. The fact is that most Viruses/worms/trojans for Windows are either social engineering (and thus won't work too well against a static machine) or attack already patched exploits.

Personally, I doubt that anyone will go to the effort to find a new exploit. Especially since the last challenge (that I heard of) resulted in a successful privilege escalation yet the fanboys thought that was OK. They could have at least skipped the last patch and made things fairer...

(Anyone know when the challenge expires? At...

http://cansecwest.com/post/2007-04-19-12:30:00.Gentlemen_Start_Your_PWNing

...it doesn't say. I also cannot find any acknowledgement of the prize increase.)
Posted by Siegfried Schtauffen (269 comments )
Hack a Mac
To those commenting that the Mac is not hacked or does not have viruses written for it due to low Market Share I say this: In the 90's Mac OSX had even LESS market share and it had plenty of viruses and successful hacks.

OSX is more secure.

Read about "hack a mac" at this link:

http://news.cbsi.com/8301-10784_3-9710845-7.html?tag=tb
Posted by dansterpower (2511 comments )
The difference between OSX and Windows
Take your average computer user(ie an idiot).

Give him a default configured Windows(doesn't matter which one, they are all swiss cheese) and OSX box for a day.

Tell him to use one on one day and other the next.

Then run a check for spyware, viruses, trojans, rootkits, keyloggers, etc.

Guess which box will "win".

That is why OSX is a better system, a user with no technical knowledge can safely use it. It takes quite a bit of knowledge to secure a windows box(and still can't beat OSX or Linux) and tweak it to do what you want.

Windows is the most user-unfriendly OS on the planet.
Posted by MSSlayer (1074 comments )
MACS are OBVIOUSLY BETTER!
I like the Mac commercial where the PC guy is on top of the Mac guy. The Mac guy is on his knees and saying, "I hope UAC guy does not find out I am with you tonight." Then UAC guy busts in and joins PC guy and MAC guy. Then Mac guys says, "it just works."
Posted by mildew33 (4 comments )
what are you saying
so what you're saying is that macs are for idiots.
good job numbnuts!
Posted by nightspark (8 comments )
This is an old argument
ANY software is vulnerable to attacks ANY system is vulnerable to attacks. We only hear about the ones for windows systems because they are owned/operated by the MAJORITY. The more people who are affected by an exploit the more successful the creator of that exploit is. They create more havoc and disable more machines by writing/creating the exploits for those machines owned and operated by the majority. Apple or OSX owners are just as vulnerable to attacks or why have these patches been created??????????????? Get over yourself there is NO difference in the security, just a difference on the amount of people who own different machines. PC>OS that's all stop your mightier than thou attitude
Posted by Keith_C_A (42 comments )
The Mac Lost the challenge
http://cansecwest.com/post/2007-04-20-14:54:00.First_Mac_Hacked_Cancel_Or_Allow
Posted by Siegfried Schtauffen (269 comments )
no it didn't -
but now CNET has reported they bent the rules to make this hack work:

From CNET: "The successful attack on the second and final day of the contest required participants to surf to a malicious Web site using Safari--a type of attack familiar to Windows users. CanSecWest organizers relaxed the rules Friday after nobody at the event had breached either of the Macs on the previous day."

So it wasn't a break-in as first believed... which is "priceless" since it shows OSX remains unhacked.
Posted by OS11 (844 comments )
Zero Real Exploits for OSX, Countless for Windows
That's all that matters.


With the old Mac OS, there were many more viruses than there are now (now being zero, of course).

The marketshare argument holds no water.
Posted by Mark Greene (163 comments )
Around 5 Security Vulnerabilities for Vista, Countless for OSX
That's the truth that hurts you Apple fanboys. With the old Mac OS, Mac users were more secure with PowerPC architecture and had much less vulnerabilities (now being dozens every month, of course).
The marketshare argument is, in reality, a fact that shows how superior Windows is in comparison to Macs.
Posted by Fil0403 (1303 comments )
Who cares ... OSX is much more efficient
I've been a Microsoft fan since DOS 5.0 ... I fiddled to the Microsoft tune ever since, getting my MCSE, SBS cert ... spending the last 15 years as a professional NT / Active Directory administrator ... Hell, I am currently an independent owner of a Microsoft consulting company.

However, when I need to get serious work done ... I use my MacBook Pro. Why? It never locks up. It never blue screens, it always runs at top performance no matter how much I install on it ... OSX is a very powerful, very efficient, very "Power User" friendly operating system.

My workstation is a 100% name brand (Asus, nVidia, Maxtor, Kingston, Sony (dvd) ) computer that is less than 8 months old. It has Vista installed with Office 2007 and QuickBooks 2007, Firefox, Gaim and WinCSP. When I have more than 15 or 20 windows open on my Vista machine (and I frequently work with 30+ windows up at a time) ... Vista often loses its ability to right click (which sometimes returns when I close some windows). It also blue screens once a week on average ... and it REGULARLY freezes up so that I have to hard boot it (when waiting more than 10 minutes doesn't return it to a usable state).

All of the drivers (and bios's) are current as well as the patches ... and I spent more than $3,000 in hardware, purchasing the best I could get for the sake of stability.

I have kernel panicked my OSX machine once with a beta version of Parallels (and I actually don't use Parallels any more unless I need my Cent OS VM or I need to run a quick utility for a client that only runs in Windows) ... 98% of everything I do (and remember, I'm a Microsoft consultant) I accomplish using OSX. It is a power user's operating system.

The bottom line is simple ... Windows causes me headaches. OSX makes me smile constantly. I can't count how often I have sat back after 10 to 15 hours of hard OSX usage and I just have this huge grin on my face because I realize that I have actually been working and hammering the tar out of my mac and all along it's been performing at top speed without any issues AT ALL.

I actually get more done with my OSX machine than I can with my Windows machine. When I'm working with linux servers, my OSX machine has native utilities that let me work with them. With windows, I am forced to download tools (and we all know that installing more software into Windows adds to its registry and file clutter ultimately increasing its eventual performance degradation that only a reinstall will fix).

No thank you ... I'll stay with OSX. Windows (and especially Vista) just plain sucks.

Mike
Posted by mikesims10670 (7 comments )
Please do
Blue screens once a week! Freezes under Vista! I use Vista RC1 on a machine with only 512 MB and I never have a freeze or even a slowdown under normal usage. The problem is obviously you. The more people like you that leave the Windows world the better.
Posted by Siegfried Schtauffen (269 comments )
I led you to water - here drink
Why ask me for an example when you don't actually read what I provide?

If you want an actual working exploit, here is one you can play with yourself:
http://secunia.com/mac_os_x_command_execution_vulnerability_test/

If you think this is only some demo and doesn't exist in the wild all you have to do is look at the results of that $10,000 hack a mac contest. (article appeared here on CNet since my previous post). The same vulnerability was used to win the contest.

note: this exploit was in the link I sent you already. All you had to do was scroll down the page.

If you want a working exploit that does something malicious I'm simply not going to provide it to you. I'll abandon this debate before I stoop to providing malicious code to prove my point.
Posted by smilin:) (889 comments )
Tried to drink but nothing happened.
Heck of an exploit you've got there Brownie.
Posted by Macsaresafer (802 comments )
Didn't work on my mac ...
You lose!
Posted by mikesims10670 (7 comments )
This didn't work on my OSX machine ...
You lose.
Posted by mikesims10670 (7 comments )
Let's use your words then..
http://www.sophos.com/virusinfo/analyses/osxleapa.html

http://www.sophos.com/virusinfo/analyses/osxinqtanaa.html




First I commented about the vulnerabilities and I get corrected saying they aren't the same as exploits. Fine. I then provide an exploit... http://secunia.com/mac_os_x_command_execution_vulnerability_test/

"Heck of an exploit you've got there Brownie."

I then explain it's an exploit that's been patched (quite irresponsible to provide one that works to a public discussion)

"So you found a year old 'exploit' that didn't do much of anything and never affected Mac users in the real world. Congratulations. What's your point?"

(more on "my point" in a bit)

"If on the other hand, you're trying to show that there are real exploits that affect real Mac users, then you're not even close."

I then argue that if by that argument it doesn't affect users then it must not be an exploit...hence no Windows exploits since I've never been affected by one...after all I'm a "real user" (my silly point made to emphasise yours)

You then said I'm bending your words so here you are all quoted for the world to see. Here is your latest quote:

"I said it wasn't a real exploit because a) it didn't do much of anything to begin with and b) NO Mac users were affected, not just me."

Strange that the quote above doesn't quite match the previous one...you aren't bending your own are you? You said "real mac users" before and are now saying "no mac users"

"If you knew of a real exploit that affected real Mac users, you'd have brought it out by now. You don't know of one because there aren't any."

Ah. There you go. "there aren't any". You put that own hook in your mouth. What are these then:

http://www.sophos.com/virusinfo/analyses/osxleapa.html

http://www.sophos.com/virusinfo/analyses/osxinqtanaa.html


...Now back to "my point"...

"Nothing created by humans is, ever was, or ever will be 100% secure."

Exactly. You said my exact point. If you and I agree on this then there isn't much point in discussing further. It's the only point I wish to make.

If on the other hand you wish to keep discussing how secure Macs are ***while sitting under a news story about 25 Mac OS X flaws*** (????) then reality is going to keep biting you.
Posted by smilin:) (889 comments )