The security update affects various parts of the operating system, including some third-party components such as the Kerberos authentication technology. The most serious of the vulnerabilities could allow an attacker to gain complete control over an unpatched Mac, Apple said in a security advisory.
The update deals with another trio of zero-day bugs that were disclosed as part of the Month of Apple Bugs in January. Apple has quashed many bugs detailed during the Month of Apple Bugs and Month of Kernel Bugs projects in previous patch releases.
While several of the vulnerabilities repaired by Apple's updates were previously known, it doesn't appear that any attacks exploiting the flaws actually occurred.
Apple's patch release comes just as hackers at the CanSecWest security conference in Vancouver, B.C., are being challenged to break into two MacBooks. A successful hack wins the hacker the MacBook and a $10,000 bounty, according to show organizers. The contest and conference end on Friday.
Apple has released a Mac OS X security update each month this year. In March, the Cupertino, Calif., company released an update to fix 45 bugs in the operating system. Apple doesn't have a set patch schedule. Last year, the company released two Mac OS X updates in the first four months of the year.
The latest update is available through the Software Update feature in Mac OS X and from Apple Downloads.
Safe as houses....
That's true of most computers which is why you physically secure data centers. About the only machine I've never been able to break into from the console is an IBM AS400.
And knowing that is why any sensitive data on my hard drive is highly encrypted.
use virus protection or spyware protection on either of my Macs.
There is no need.
recognizing the enormous gulf between a vulnerability and an
exploit? I understand that a Windows vulnerability almost always
translates immediately into an exploit, but surely you must know
that is unique to Windows!
It doesn't matter how many vulnerabilities are found. The fact is
that there are still no exploits, and the longer you scream
security by obscurity, the more your argument rings hollow: if
everyone says OS X is obscure, then everyone knows about it!
love to see where Apple said this, much better, show it actually happening on an "unpatched" Mac.
impossible....... as usual.
and Windows. I know of NO Mac user using OSX that has been
hacked or had a virus of any kind. On the other hand, only a few of
the Windows users HAVE NOT been attacked at some level. Several
of them to the level of having to start over, wiping the machine,
etc. A few of them have been hit multiple times. Sorry, while in
theory you are correct that both Windows and Mac ARE vulnerable...
the Mac is far safer in the real world. -Steve
Happy now?
So... how many MORE are STILL currently unpatched that ARE being actively exploited that you don't know about? Your logic falls flat on its face there.
You can't patch what you don't know about and Apple isn't telling until after they release the patch. That doesn't say anything about the OS being safer- it says that you, the end user, are just in the dark about it.
I don't care how they do it, just as long as it gets done. The vocal Mac users here are not used to having to admit their systems are exploitable and quite vulnerable, so they aren't going to do anything about securing their systems themselves, so Apple will need to do it for them.
Congratulations to Apple for getting these 25 flaws patched. Now let's start working on the hundreds of others that the public isn't being told about yet.
Now that flaws are being discovered on Macs, those voices have switched to "Macs are still more secure", "Big deal, Windows has 10K flaws", etc.
This may be a bitter pill for Mac advocates to swallow but guess what, Macs likely have many more flaws yet to be discovered.
Think about the attention that hackers and security researchers pay to Windows vs. Macs. Windows has been under scrutiny for many years by 1000's of hackers and researchers. Yes many exploits have been found and fixed. However, the rate at which flaws are being found these days is much lower than in the past. Put another way, the scrutiny has greatly improved the quality of Windows.
Now look at Macs. Much fewer eyes have been prying it open for much shorter of a time span, yet the rate at which flaws are being found is very high, 70 in four months, and those are the result of a limited group of security researchers looking into it.
Common sense suggests that given more time and more prying eyes, the number of Mac flaws found would be even higher. I believe we will all see this as Macs are used more widely, drawing more attention from people wishing to exploit a large user base. It is just not that interesting now unless you are a Mac user.
So do not be so quick to throw rocks at Windows. Your house is likely made of glass too; you just do not realize it yet.
without direct operator involvement. There hasn't been any
documented take-over of any machine, there's been no
documented trojan horse, no email bombs, no server break-in,
no disk drives erased. Almost to the last, everyone of these
"vulnerabilities" has required direct interface with the computer
either at the keyboard or through a trusted remote account with
supervisor access. Even the most vaunted of the so-called
vulnerabilities - the bogus exploitation of a 3rd party network
adapter - only caused the computer to shut down. Shutting
down when someone tries to break into my computer doesn't
really qualify as a true vulnerability to me.
I don't claim to live in a bulletproof glass house. Just that
Windows machines seem to live in break-away stage glass
houses, while Macs seem more like Herculite® (the stuff they
use on hockey rinks).
OSX is based on Unix, which is why BANKS and Security Firms use Unix... NOT Windows when they want the most battle tested OS.
The world's best Hackers and Crackers have tried and tried to break into OSX, NONE have been successful. Most experts agree OSX is the most secure OS in common use today.
It's a stronger foundation, something Microsoft doesn't have access to, Users are separated from the underlying OS, thus you can't alter the OS from the outside. Each file on OSX has "permissions" further preventing hackers. And the list goes on. Nobody can crack OSX.
-
By now of course the hackers do know how very vulnerable the Mac OS is and perhaps now they will go after it. Wouldn't be surprised.
And yes, I use an Intel iMac, along with Windows machines.
way back in the day, so anybody that said "Mac's are
invincible" (never seen that statement except from anti-Mac
trolls, so there ya go) is an idiot, and deserves all the scorn in
the world. That said, it's crap to say that Apple and the MacOS
haven't had just as intense scrutiny on their security as Windows
or any other OS, if Mac OSX had the flaws (quantity and depth)
that Windows does it would be publicized along with the
exploits, for no other reason than because so many people who
use PCs hate Macs, and would love to publish destructive code
for them. On top of that, Symantec would love to add Mac Users
back to their customer base, as I said back in the Pre OS 8 days
many of us ran SAM because there were legit (though infrequent)
threats from viruses and such. And look at how much attention
things like this do get: CNET never covers mac stories (iPhone/
iPod/AppleTV don't count) unless they have some type of
negative security angle, because it makes Macs seem more
vulnerable, even if only for a moment.
Also, what is this "shorter time span" that "much fewer eyes"
have had to look at Windows versus Macs? You can talk about
marketshare all you want, but less than 5% of PCs sold (and it
was a much higher percentage up until the mid 90s when PC
sales took off) is still a ton of units, and Mac OS is older than
windows, unless you count DOS. OSX is almost 6 years older
than Vista, but has already had more functional exploits (cursor
bug)
My point is, you're right that some mac users have occasionally
been superior ******** about security, but perhaps you should
learn more about the actual history of the PC industry and Macs
before you make statements about the amount of resources
involved in either platform's development, your ignorance only
undermines your position.
There is no new "bitter pill" to swallow. Mac users have always been keenly aware of security and have built the most secure OS as a result.
Fewer and fewer Unix flaws have been found over the years, so it's winding down, not up.
OSX is the most secure OS in use today, and will remain that way for the next several decades.
OSX is made of bullet proof glass, nobody in the universe can break it.
-
Also, please use spell checker and re-read your postings. This will help with misspelled words.
**Disclaimer: I use BOTH PCs and MACs and I like them both.
Hackers have tried and tried, but Apple is too smart for them. It's too high of a hurdle even for the best Russian minds.
Thus, "zero" security issues with OSX.
But have fun trying... we always like to laugh!
just try and crack into this... I bet you $!,000,000 you can't.
http://24.8.244.176/
-
is controlled by mac OS's and about 93%ish(I don't know exactly,
but close enough) by windows ones, yet on these blogs there are
an equal number if not more mac supporters than winblows
supporters. Does this tell us anything?"
I remember a study from 1997 reporting that while Mac had a
3-6% marketshare from 95-97 they constituted over 45% of
internet users in the study's survey, and almost 25% of the pages
examined were created on a Mac. Now that's a long time ago,
and I know that the percentages have shifted to better reflect the
actual PC market, but the fact is that if you're a technically savvy
internet user who actually remembers using Mosaic then you're
more likely to be a Mac user than a PC user.
The other thing is passion: most Mac users are very passionate
about their machines, whereas most consumers in general could
care less, they can check their email on both and Myspace.com
loads either way, so who cares which has what other features
and which UI is easier/better. While PC users (and I myself have
both, but the PC is not a "work" machine that I actually do
productive things with) like to harp on their marketshare, when
you hack off all of the machines used in offices and then
eliminate all the people who could care less what their computer
runs who have PCs, the number of PCs users who care enough to
come on forums and post for Windows or against Mac is
probably roughly the same as Mac users who can and will do the
same, hence the perception of parity.
You do indeed see many more Mac supporters here than Windows supporters. In fact very few of the latter. Why is that? Because Windows users don't need to prove anything given their numbers compared to Mac users. At that, Windows fanatics are almost nonexistent. On the contrary, Windows people most often are the most critical of Windows. Are they equally critical of the Mac? No. Why would they be? Most know nothing about Macs and don't care to know anything about them. Some are still so ignorant of Macs they see them as hardly more than toys that are useful mostly for doing graphics stuff. Question most Windows users about Macs and usually you get nothing but a blank stare.
There are many Mac fanatics however, although far fewer now than previously and we can be grateful for that at least. The reason seems to be that some Mac people see themselves as a victimized minority. They are not of course because again most Windows users hardly know Macs exist. But perception plays a part and Mac fanatics feel rather put out in a world dominated by Windows. Hence the tendency towards fanaticism.
was it a double patch for the out of cycle Cursor flaw? MS first fix
didn't even take.
So whats all the gripe about Mac. Windows has your holy access
port to deal with.
Does that mean we can claim Apple had to create 3,325 patches with your logic?
I don't think so. You can't compare the two OS patches as they aren't related. If you do try to do so, it would look terribly embarrassing for Mac users and it's simply not the case.
One Windows patch. Twentyfive Mac patches. Next week it can be the other way around.
Microsoft may make its house out of thin float panes; while
Apple was thinking and used tempered so you can even walk on
it without causing it to crack.
and yes, for the record, you can walk on tempered glass.
It's just interesting that the Mac may have its faults, as almost
any OS does, but we don't get the exploits. A lot of the time it is
third party wares that cause problems. Apple took a lot of that
problem out. Now it's just keeping the office all up to date so
there are not gaps on machines for the OS/security.
1) So I can check files before I send them on to my Windows-using
friends and
2) I know that no OS is perfectly secure, and one day I wouldn't be
surprised if someone wrote a virus or worm for OS X. I would like to
be protected from that rather than letting my ignorance be the
cause of me losing my years of work.
PCs are permanently hijacked and controlled by bots, thereby
used to send hundreds of millions of spam email messages
around the clock, costing the IT industry and individual users
collectively billions of dollars.
This means that taking over a Windows PC is a routine task, not
something that takes any effort. A small minority of Windows
machines may have been secured with third party software and
user effort to the point where taking control of them remotely is
not a routine task, but the vast majority of Windows machines
are prone to being hijacked without effort, using automated
tools that can do the job.
By contrast, taking over a Unix system generally requires effort
and skill. Again there may be a minority of systems which have
been put in a state that they can be hijacked easily, but the
default state of a Unix system and thus the vast majority is such
that it requires real effort and skill to hijack if at all possible.
Now, if legislation in a major economy such as the United States
or in the EU would change such that operating system vendors
become liable for the damage caused by the botnets and their
spam, then you would see Microsoft becoming concerned
enough to actually do something about it. Without any such
liability they have no incentive whatsoever and they will not
fundamentally change their tack to actually fix the problem.
Another way would be to make the individual user liable for the
damage caused by any computer they operate even if their
machine has been hijacked without their consent and without
their active wrong doing, the wrong doing then being to have
chosen a system with lax security. This would then cause people
to stop using products that put them at risk of being held liable
and the resulting loss in revenue would then be of sufficient
concern so that Microsoft would have to fix the problem.
In the real world though no such thing will happen. Microsoft is
too powerful for any legislation that would hold them liable to
pass and consumer rights rule out that any legislation would
pass that holds individuals liable. Without feeling any real heat,
Microsoft will continue to do business as they have always done
and we will continue to get more and more spam. It's as simple
as that.
People who have a real grasp on security understand that it requires something that this poster failed to consider. That concept is collaboration. Collaboration of users, security firms, developers, and the companies that write the paychecks. That is happening.
Arrogance also breeds contempt rather than collaboration, especially against the innocent. Educating a friend or a neighbor is another option that this individual seems to have forgotten as well. Try spreading the word. Use real world social networking to bring people up to speed.
Contribute rather than condemn.
Otherwise we may be forced to outlaw arrogance as well.
Second, Windows underlying code was built back before on-line security was an issue. It was designed to be easy for the user to install and run programs. This means that the user was an admin by default. To maintain compatibility, the same scenario applies even today.
Third, MAC is Unix-based. Unix doesn't like people running in admin mode. Programs were written to operate without users having admin control.
If Windows switched to a Unix based code, it would be more secure, but software compatibility would go out the window. This would be a huge expense for millions of businesses who would refuse to upgrade.
Macs were able to make the switch by bundling the classic OS and allowing users to run in that environment. In this case, a smaller market share actually helped Apple. There were a few big pains (like Photoshop), but overall, it went pretty smooth. Minor bumps again when Apple switched to Intel...the biggest, again, being Photoshop.
My point is, Microsoft's huge market share is what is killing their security. It's not that they are the biggest target, it's just that they are so big, that it is difficult for them to make the required changes without losing customers along the way.
commercials touting OS X's security (which apparently annoys
the cr@p out some people), the vitriol constantly expressed by
C|net Apple bashers you'd think SOMEBODY would have created
a really nasty varmint and turned it loose on OS X by now,
wouldn't you? Just to prove a point? Why hasn't it happened? The
"not enough market share to matter" argument just doesn't hold
water anymore. There's something about OS X that makes it real
hard to attack successfully.
They are actively telling people to leave their systems open and vulnerable. That's not responsible for anyone using any OS. If someone decides to go after Macs, then people like Macsaresafer and Daimac are prime targets.
It does beg the question to be asked- what about exploits or bots that haven't been detected yet? If I had written a Mac based exploit, I don't think I'd want to brag or advertise the fact. Why attract attention when you could have hundreds of thousands of Macbot slaves at your command and their owners never even know about it? The experts here recommend taking no action to even check so- well, it's a prime area to do something about. There's already keyloggers in the world for OSX. How many are running undetected because the end users are brainwashed into thinking their system is invulnerable?
Some day someone will make some splashy and obvious malware that will make people sit up and listen. I'm more worried about what's out there right *NOW* that people are not looking for.
Don't bother saying they don't exist. I can claim that there are no bots for the OSX, but if I was a person trying to make a big bot net, I wouldn't exactly advertise that, now would I? It'd be far better to keep it quiet and give people no indication of the problem or else someone might try to stop it.
But what gets under my skin is how this community gets wrapped up in petty little arguments that take away from our overall strength.
Collaboration with each other will be necessary as a part of the evolution of our security. And that can not happen if users on both sides continue to hold imaginary grudges.
We have businesses, communities, and families we need to watch out for. Let's take a deep breath of reality and move on.
And maybe we can build a more secure community together.
---
"One flaw that was patched was a denial of service attack that could result in code being executed on the local system"
Ah, no. It only had the "potential" to execute code, which in Unix is like saying "impossible".
"Hey, what sort of code would you like to run today? That flaw alone opened up the entire system to an outside attacker"
Ah, but there was never a flaw that allowed code to "run". Big difference. You can't run "code" on OSX or any other Unix, with out root "access". You are overlooking that.
"That's serious. That patch was taken care of, but what about the other vulnerabilities that still exist that Apple hasn't told you about?"
Not sure what you mea... we as Mac Users are fully abreast of any potential attacks, the Mac community is the most wired, most informed group of computer users in the world. If there was an actual problem, Mac users worldwide would know within minutes, have a fix within hours.
"Until yesterday, you didn't even know that THESE 25 vulnerabilities existed. How many more don't you know about that are on your system right now?"
Ah, that comment is based on a "Windows Mindset", not a UNIX one. I know EXACTLY what is running on my system. I know EXACTLY what is installed. I know EXACTLY what I install. Nothing can be installed without my APPROVAL. You don't understand Unix it appears.
"To claim that nothing can be installed on your system is- well, very, very, ignorant."
Ah, you said it. Not me. NOTHING can be installed on a Mac running OSX, without physical keyboard APPROVAL. That's the difference.
"How do you know if your system was exploited? If you keep sticking your fingers in your ears, you'll never hear the warning siren"
Ah, you are forgetting, (or don't yet understand) there is no way "into" a OSX box from the outside. So right there, you can't "exploit" a Mac. I know it's tough for you coming from the Windows world, but the types of things you are suggesting simply don't matter to a Unix based machine.
have a good day.
MS has 71,000 employees. Apple 17,787. Although close it means apple has *more than* 1/4 the number of employees.
Revenue numbers are cute but gross profit:
MS 36.63 Billion
Apple 5.6 Billion.
(That's less than 1/6 for those keeping track at home)
How about we stay on topic:
Apple just admitted 25 flaws. Numerous privilege elevations both local and remote. Nasty stuff.
apple has 148 employees more than exactly "1/4th" hardly significant. my 1/4th comment was perfectly valid
size does matter, within 5 years, Apple will be larger than Microsoft in terms of Revenue. All without having an illegal monopoly to prop it up.
of the 25 flaws, none were serious, none ever exploited in the wild. and "zero" were "nasty" also, no privilege escalations were reported.
so this is another example of Apple doing all the "security" work BEFORE it ever touches a user... a polar opposite approach than what MS users.
check your facts next time.
forumID=1&threadID=26862&messageID=259573&start=0
Personally, I doubt that anyone will go to the effort to find a new exploit. Especially since the last challenge (that I heard of) resulted in a successful privilege escalation yet the fanboys thought that was OK. They could have at least skipped the last patch and made things fairer...
(Anyone know when the challenge expires? At...
http://cansecwest.com/post/2007-04-19-12:30:00.Gentlemen_Start_Your_PWNing
...it doesn't say. I also cannot find any acknowledgement of the prize increase.)
have viruses written for it due to low Market Share I say this: In
the 90's Mac OSX had even LESS market share and it had plenty
of viruses and successful hacks.
OSX is more secure.
Read about "hack a mac" at this link:
http://news.com.com/8301-10784_3-9710845-7.html?tag=tb
- The difference between OSX and Windows
-
by MSSlayer
April 20, 2007 6:08 PM PDT
- Take your average computer user(ie an idiot).
-
-
-
- MACS are OBVIOUSLY BETTER!
-
by mildew33
April 20, 2007 6:59 PM PDT
- I like the Mac commercial where the PC guy is on top of the Mac guy. The Mac guy is on his knees and saying, "I hope UAC guy does not find out I am with you tonight." Then UAC guy busts in and joins PC guy and MAC guy. Then Mac guys says, "it just works."
-
-
- what are you saying
-
by nightspark
April 20, 2007 7:37 PM PDT
- so what you're saying is that macs are for idiots.
-
-
- This is an old argument
-
by Keith_C_A
April 21, 2007 11:08 PM PDT
- ANY software is vulnerable to attacks ANY system is vulnerable to attacks. We only hear about the ones for windows systems because they are owned/operated by the MAJORITY. The more people who are affected by an exploit the more successful the creator of that exploit is. They create more havoc and disable more machines by writing/creating the exploits for those machines owned and operated by the majority. Apple or OSX owners are just as vulnerable to attacks or why have these patches been created??????????????? Get over yourself there is NO difference in the security, just a difference on the amount of people who own different machines. PC>OS that's all stop your mightier than thou attitude
-
-
Showing 1 of 2 pages (183 Comments)
Give him a default configured Windows(doesn't matter which one, they are all swiss cheese) and OSX box for a day.
Tell him to use one on one day and other the next.
Then run a check for spyware, viruses, trojans, rootkits, keyloggers, etc.
Guess which box will "win".
That is why OSX is a better system, a user with no technical knowledge can safely use it. It takes quite a bit of knowledge to secure a windows box(and still can't beat OSX or Linux) and tweak it to do what you want.
Windows is the most user-unfriendly OS on the planet.
good job numbnuts!