Yet another reason why Macs need security software
As expected, my blog this week about Macintosh security generated a lot of comments. Some were personal in nature (author's note: I really do know the difference between a Trojan and a virus but typos happen), some were quite thought-provoking.
I did receive some interesting data from a colleague from IBM. According to the X-Force 2008 Trend & Risk Report (PDF) released early this year, Mac OS X Server and Mac OS X top the list of operating systems with the most disclosed vulnerabilities for 2008. Each accounts for 14.3 percent, and has been in the top five in each of the last three years. Rounding out the top five were: Linux Kernel at 10.9 percent, Sun Solaris at 7.3 percent, and Microsoft Windows XP at 5.5 percent.
The purpose of this data is to compare the total number of disclosed vulnerabilities with each individual operating system. Vulnerability data is submitted to the Mitre Corp. and then appears in the CVE (Common Vulnerabilities and Exposures) List.
This is not a perfect study as there are common vulnerabilities across different operating systems. Additionally, the Windows-based total vulnerability "footprint" is much larger than the Mac because of the size of the Windows installed base. Finally, this is a cumulative study but the data does not break down the vulnerabilities in terms of how critical they are. All that said, the X-Force data puts the whole "Mac is secure and Windows is not" discussion in perspective with some real numbers. I don't think IBM has an ax to grind here.
Again, I am not trying to pick a fight with Mac users or cast aspersions on Apple. My point is that OS X, Windows, Oracle, etc., are complicated pieces of software with known (and unknown) security holes. Clearly Windows is the biggest target but the Mac installed base is too juicy and exposed for the cyber bad guys to ignore. The X-Force data is yet another reason why Apple users shouldn't consider themselves immune. Apple itself has said as much, suggesting indeed that Mac users install antivirus software.
This line of reasoning seems to stir massive passion, anger, and antipathy in the Apple community, but is risk management really that bad?
Jon Oltsik is a senior analyst at the Enterprise Strategy Group. He is not an employee of CNET. 






...meanwhile, Millions of Windows machines get owned monthly (against totally innocent users), while the best anyone can come up with on any other OS is a "botnet" of a handful of trojaned machines - which incidentally got that way because their owners were too stupid to realize that maybe pirating copies of iLife off of P2P was a really bad idea.
Umm, yeah. Tell you what, kids (you too, Jon):
* When you can point to something Conficker-scaled in OSX or Linux, then we'll talk.
* When you can point to something besides rigged contests and perhaps point to more than conjecture based on bad metrics and cherry-picked statistics, then we'll talk.
* When you have a better argument than a reverse-attempt on 'security/obscurity', then we'll talk.
* When securityfocus.com (or similar) prints new, workable root-level exploit code for OSX and/or Linux on a frequency even 20% of Windows, then we'll talk.
...until then, the fact remains, and is real-world proven: OSX and/or Linux are far more secure in design and in practice.
Meanwhile? Maybe Jon and co. don't know it, but - security software already exists in OSX, and it works admirably (assuming the user isn't a masochistic idiot). Of course, that isn't nearly as sensationalist, now is it?
I got through dealing with another Mac zealot who was trying to make a case for inherent security a couple of weeks ago. Unlike the other guy, you actually have your statistics right; good for you. But which Windows operating system are you talking about? Of course, the author did mention Windows XP, which I will say is most definitely more vulnerable than OS X (at least out of the box; OS X doesn't default to root accounts). But Vista's advantage over OS X has been revealed not only in numbers, but in demonstrations year after year at CanSecWest.
Vista has UAC, ASLR, patch protection, and other modules at work. To my understanding, OS X basically has (aside from regular security patches for specific vectors) limited user privileges, which are circumvented on Windows XP all the time. I service Vista machines five days a week, and am still waiting to see one infected with Conficker or Mebroot. The only infections I ever find on Vista machines are at worst Trojans, and in almost every case the machine has LimeWire installed on it. I'd say more than half of the units that come in for supposed "infections" are simply systems with too much junk installed, and 25 icons in the system tray.
At this point in time, you're right. There are only Trojans for OS X, no exploits. However, the author is not necessarily talking about status quo. Remote exploits have been demonstrated on OS X three years in a row at CanSecWest, first by Dino Dai Zovi, and then two consecutive times by Charlie Miller. Both of these security researchers say that OS X is the most vulnerable operating system on the market (XP doesn't count, as it is no longer mainstream).
People in Russia do not use OS X as much as they do Windows, and are less interested in it because about 9 in 10 machines are running Windows. And besides that, Mac OS was not running on Intel until three years ago; no one knew the shell, and because of Windows, no one cared. That was Apple's biggest advantage, and the main reason why the annals of Mac malware didn't go beyond a few handfuls, while Linux malware has climbed to nearly 1,000 ItW samples. But now that extra obscurity is gone, and it's only a matter of time before Russian bot herders get familiar with the operating system, which now has almost 10% of the global market.
BTW, Ubuntu has never been hacked at CanSecWest. Indeed, the only manner of botting I have heard of concerning Linux has indeed involved Trojans. But make no mistake, just because your choice platform is Unix-based doesn't mean a whole lot. Three years in a row, the Mac was hacked within minutes (this year, in under 30 seconds). Nobody was able to touch Vista until the third day; that's three drive-by downloads for Mac OS, zero for Vista. And all the way through, Ubuntu remains standing. The experts agree unanimously that Vista is more inherently secure than OS X, and Linux more so. Unix-based or not, Apple does not compare to Linux.
Let us hear how Mac OSX is bulletproof and no hacker or virus can breach it. Ignore the security reports, Mac OSX is superior to Windows which has security holes so big that Space Shuttles can fly through them.
Maybe Mac Users like sharing their Mac with hackers and other security risks? All part of sharing the Mac experience?
That is a two way street, but it is usually one of the WinTrolls commenting first.
oh wait...
I'm perfectly happy with Ubuntu and Vista at home. Work is a mix of Windows, Linux and OSX. I love my iPod Touch and will be switching over to the iPhone when the next gen comes out. I don't dislike Apple, but a lot of Mac users seem to be out of touch with reality.
It would be interesting to find a winblows apologist who not only can claim to understand the difference between a trojan and a virus, but who can also DEMONSTRATE they UNDERSTAND the difference. How many Mac OS X viruses and worms are there again? How many for winblows? Here's the kicker - HOW MANY WERE THERE FOR OS 9?
Uh-oh, there goes Jon's market share myth. I think it's time to stop reading his mindless rants, his "articles" have no more substance than Don Reisinger's (sp?).
There is a pretty simple reason why there wasn't a virus from Mac OS Nine. The hackers had enough heart to not send a virus to someone who was already stuck with a far inferior Operating System. They felt for the poor bastards who had to day in and day out use something that was for one purpose, WORK.
I'm also sure that Mr. Oltsik has a vast knowledge in the area of computers; he works for the Enterprise Strategy Group as a senior analyst and you do not.
I think you are missing the point...
There WERE a few viruses under the Classic Mac OS. A very few, mind you.
OS X has far higher installed base now and has been around for what, 8 years. How many viruses on OS X? Let me give you hint: less than one.
How well do YOU know your parasites? Unless you had a typo of your own, be aware that Trojans and worms are not the same thing. A computer virus is a program that makes copies of itself, similarly to a real virus. A Trojan horse is a malicious program (usually a backdoor) that is packed into a file that users are tricked into downloading and opening. A worm is a program that is designed to propagate, and by definition carries no payload at all; it piggybacks malware. Most parasites today combine the strengths of various families.
Security researchers are in unanimous agreement (and demonstrating year after year at CanSecWest) that OS X is the most vulnerable mainstream operating system today, and Linux the least vulnerable (Ubuntu, anyway). Of course it's possible that OpenBSD blows even Ubuntu out of the water. But in case you deduce prevalent BSD security because of OpenBSD, and therefore Mac OS security, understand that Mac OS is based on FreeBSD and NetBSD, but not OpenBSD. And even if it were based on OpenBSD, you still don't know what kinds of alterations take place. And I know you wouldn't know something like that, because you reference worms as botnet programs, and right after trying to slam someone else for semantics (LOL).
Fact: Windows and OSX have security holes which can be exploited by malware. The report shows that OSX actually has more holes than others.
Fact: Most malware written targets Windows
Fact: Malware writers could target OSX as well, but they do not currently
These are the facts and they are not disputable. The reason that Apple and Jon are sounding the alarm is because of fact #3. Malware is a business that thieves profit greatly from. Until now, even though there was a chance of collecting from Mac users, why bother. With the same effort, one could collect many times more from Windows users.
Well, the cost of targeting Windows has gone up dramatically. It is no longer like shooting fish in a barrel. Despite the FUD you routinely hear, Microsoft has fortified Windows. In addition, Windows users are more aware. Net result, the return on the malware investment is diminishing.
Now look at the other side... OSX has just as many if not more holes and no security software. The install base of Macs is going up. Macs cost more so people using them presumably have more money to steal. Add to that a sense of invulnerability by Mac users and you have a flock of sitting ducks.
Time for Apple and Mac users to stop deluding themselves. I would actually be more nervous if I owned an iPhone.
Wikipedia has a nice article listing "antivirus" software in a nice, easy to read chart.
Here you go, a couple of free 'antivirus' software apps:
http://www.clamwin.com/
http://www.avg.com/
There's a good list on Wikipedia here: http://en.wikipedia.org/wiki/List_of_antivirus_software
And another list here: http://www.dmoz.org/Computers/Security/Malicious_Software/Viruses/Products//
Time to get back to photoshop on my PC!
huh?
isn't it time for you to check your mail for that cash from apple for trolling?
http://store.apple.com/us/browse/home/shop_mac/software/games
There's the short list for you.
Games aren't the most important thing anyway, unless you are a stunted adult or a kid. And most of the games that do make it to Mac OS, are usually in a more developed state (the bugs have been worked out in the game play).
when you say a mac or pc is better it depends on what your application and purposes are. there are things that pcs are better for, like games, over-clocking, cheap hardware and uh, getting malware, and there are things that macs are good at, like everything else. i own both, and theres no question, in a fire id be jumping out the window with my mac, and im a serious gamer. in fact the more i use my mac, the more laughable the idea of considering windows as an operating system becomes.
i agree with pc fanboys in one aspect though, a lot of mac fanboys are annoying, artsy beatnik hippies, that have no clue what a front side bus is, or why they should care. not all mac lovers are like that though.
Don't cry.
where's F.E.A.R. Crysis Fallout3 HalfLife2
and you insult all the gamers of the world because Macs aren't good for gaming
... the purpose of these data is ...
also, do you have any idea what a "disclosed vulnerability" is ? I think not
(I was terribly disappointed that Apple failed to release Leopard with code load-point randomization that was promised. I also thought that Safari was going to be sandboxed.)
Let's instead focus on what this argument is really about. It's a way for us to draw some battle lines and express some good, old fashioned, pure unadulterated hate! Seriously, what makes you feel better than anonymously sticking it to someone via the internet!
but Comparing Windows to other OSes
is like comparing a sand castle to a fortress
"Updated 10:50 a.m. PST December 2 to correct that Apple previously recommended antivirus software to Mac users, and at 1:50 p.m. PST with call back from Apple and link to 2002 Apple anti-virus item. A follow-up blog will be posted that goes into more detail about the coverage."
Security software much of the time is too little too late anyway on any platform, and doesn't do much more than let you know you're screwed. It doesn't protect stupid users from themselves.
There isn't any malware in the wild for OS X right now that doesn't rely upon user stupidity to work; see the pirated iWork trojan. Trojan != virus.
Even if there was security software on a Mac, I doubt it would do much for something like that. For instance, if a moron downloads warez for Windows, they'll get a warning from UAC, then click on it anyway. Boom. Infected. The same goes for Macs. It's just that Macs aren't targeted yet.
Trojan = Malware
!= means 'not equal to', as in Trojan is not equal to virus.
Virus = malware that doesn't require user stupidity to work.
Trojan = malware that does require user stupidity to work.
Polaris only said there is none of the former, not that there's none at all.
Yes they do, once they realize that the greater stability and reliability of Macs is a myth.
I have a hammer with a CARBON FIBRE handle. I obsess. Coolest hammer ever.
Jon, how can people take your linked blog article seriously when your facts in #4 are lacking critical info enough to almost be false? True, Charlie Miller did win $5,000 for exploiting a hole in Safari. However, it DID NOT take him "10 seconds" to FIND the hole. He clearly stated in an interview that he found the hole after searching for quite some time _long_ before the contest started. He didn't tell Apple about it but sat on it until the contest so he could win the money. It merely took 10 seconds to set up his previously plotted work. (Apple doesn't pay for bona-fide holes found (from what an article said), and they should. I think M$ does.) I can dig up proof if desired.
How many virus/malwares/spyware have you caught on Mac, Linux? ZERO!
And on Windows? THOUSANDS!
That's so true for me and I guess that for anyone who has had the opportunity to use all three OS.
I'm not saying Mac or Linux are bullet proof, but they are a lot, a lot more secure than Windows. And when I say a lot, I mean a lot more!
Also, number of security holes is by no means a good measure. I guess you should research more and start to use opened security breaches (especially the 0 day), which Windows has a lot, as still hasn't fixed for Windows 7.
I agree there are a lot more viruses and malware out there for Windows than there are for Linux and Mac but that's probably because average people can't afford an underpowered, overpriced Mac and average people do NOT understand Linux. So if average people aren't going to use those OS'es, what's the point of trying to wreak havoc on them?
Then you have either been exceedingly lucky or your computer has never been on the internet or shared files and software with other computers.
Had a linux box hacked though. Fortunately it was a complete amateur job on my firewall box and the guy disabled the system so no-one could do anything with it, least of all him.
debating mac vs. pc is a foolish exercise anyway. one company aimed to be the biggest software company in the world, the other aimed to create the best computing experience. i'd say they both succeeded.
Or it must be a lie because it doesn't fit the FUD that you've been spilling out for years.
Is it so hard to type more than the first three letters of a username? Have difficulties spelling do you? I've never spread any FUD, ever. I've only written about personal experiences, anecdotes I have first hand knowledge of, documentable facts from reliable sources. Which is more than I could ever say about the diatribe that you've been spewing. It's been nothing but half truths, outright lies, personal attacks, and petty bickering. Come back when you've graduated high school.
Look at Secunia's (http://www.secunia.com/) superb collection of stats on vulns for each of the various OS's:
Microsoft Windows XP: 12% unpatched, 216 vulns in 6 years (36/yr), 51% system access + 19% DoS
Microsoft Windows Vista: 7% unpatched, 55 vulns in 2 years (28/yr), 42% acc + 15% DoS
Linux Kernel 2.6.x: 6% unpatched, 174 vulns in 5 years (35/yr), 3% acc + 46% DoS
Mac OS X: 4% unpatched, 125 vulns in 6 years (21/yr), 19% acc + 22% DoS
Apple has done a great job patching vulnerabilities compared to the other vendors. The IBM XForce report talks about the total number of vulnerabilities. Tell me, how many of you run around with systems 100% unpatched? XForce is nonsense.
Yes, Vista is better than XP, Linux is somewhere in the mix, but none are as good as Mac OS X in this list. (Of course, OpenVMS v8 has 7 vulns in 4 years, and 0% unpatched. That's why I still use it.)
Ref:
XP http://secunia.com/advisories/product/22/?task=statistics
Vista http://secunia.com/advisories/product/13223/?task=statistics
Linux 2.6.x http://secunia.com/advisories/product/2719/?task=statistics
Mac OS X http://secunia.com/advisories/product/96/?task=statistics
OpenVMS v8 http://secunia.com/advisories/product/6052/?task=statistics
Smell the sarcasm yet? You know, when the day comes that I turn on the news and hear about the millions of Mac computers conquered by a virus - then I'll start to use anti-viral software. BUT IT AIN'T HAPPEN YET.
It would be in their interest to make statements that would create such a product line, but rather than sell sensationalism, they tend to stick to the facts.
Fail.
You can go to the National Vulnerability Database as well, to get a better idea of how many vulnerabilities are being found in each version of each product at any particular time. But do you know the difference between "discovered" and "undiscovered?" There are more people looking for Windows vulnerabilities. Take a look at each individual version of OS X, year to year. You will find a relatively small list of vulnerabilities, but more interestingly, the number of vulnerabilities per year is similar between versions. This means there are vulnerabilities pervading the product line for years before they are discovered.
The more they discover, the more they get to eliminate. Chances are that OS X has a LOT more unpatched bugs than competing platforms. And this makes sense, because MS has more manpower, and because more people in the open source community are focusing their efforts on Linux, rather than FreeBSD and NetBSD. And even if there were a lot of people working on BSD, this doesn't address all the additions, deletions, and other alterations in Mac OS code; not to mention the fact that Apple changed shells in 2006. Compared to its competitors, OS X is a relatively new animal.
Personally, I like to keep track of the people the security industry depends on, the researchers themselves. CanSecWest is a good place to look. OS X has been successfully pwned in remote attacks three years in a row, first by Dino Dai Zovi in 2007, and then by Charlie Miller in 2008 and 2009. These attacks include drive-by downloads, which have yet to succeed against Windows Vista. From all the newsletters I have read and all the Web searches I have done, I gather that all security researchers agree that OS X is inherently the most vulnerable operating system on the market. XP is still sold on budget systems and some netbooks, but I would say it's no longer on the market; it doesn't count.
Dai Zovi says he finds Vista's code, at least in terms of security, to be "much better overall" than in OS X. When Miller was asked why he chose to attack Mac OS, he said "It was the easiest one of the three. We wanted to spend as little time as possible coming up with an exploit, so we chose OS X." He also specified one particular advantage of Vista over OS X, ASLR. With Vista, when code is downloaded to memory, the hacker doesn't know where the code is. And even if they find it, the code is still not executable. Still others have said, "OS X is easy pickings for bug finders. That said, it really doesn't have the market share to interest most serious bug finders."
Beyond that, Ubuntu Linux hasn't been touched at CanSecWest. This stands in stark contrast to your findings in bean counting. Again, if anything, it means more vulnerabilities have been found and fixed in Linux and Windows Vista, leaving OS X looking like swiss cheese. I'm not trying to pick a fight, I'm just offering up another point of view, and where I get my information from.
pecos-bill has a point, it's hard to check for known Mac malware. But unprotected Macs are the "Typhoid Marys" (see Wikipedia) of a mixed network. That virus/trojan, whatever, that won't infect your Mac _will_ be passed on to your Windows neighbors.
Mac fanboys, before you flame, I'm writing this on a Macbook pro, I have two G4 Powerbooks and a Blue & White in my home. Unfortunately, I also have an old XP machine and run XP under Parallels - the software doesn't exist to do some things in OS X - no, I'm not a gamer.
I consult. One customer only allowed a specific, windows based IM client through their proxy (iChat was blocked). Many customers only support Outlook on their Exchange servers - the usual Apple Mail client access to Exchange not configured. It's not unusual for companies to require (because they provide a pre-configured client) Windows for VPN access. If I wanted to run Blackberry Enterprise Server, I'd be required to run Windows Server and Exchange. Oracle runs on Windows, Unix and Linux, but not OS X. My specialty requires software (a GUI) that only runs on Windows.
Shall I go on?
But comparing security is a difficult task
Let's just say there hasn't yet been a major outbreak on the OSX platform
even after 10 years of existence
but For Windows just this year alone 3-4 different Confickers various others and 100s of Undiscovered ones not to mention millions that already exist
and add in Spyware and Adware ! Face it Windows is a mess in terms of Security
Plus you are looking at malware the wrong way. The goal is not to infect 100% of the computers in the world. The goal is to infect enough computers to deliver your payload and get rich. Targeting the < 5% of the world is not an effective way to hit that goal. Look at Conficker for an example. It is considered one of the most widespread viruses ever. It has affected roughly 1-2% of the windows installed base. If your target is only 5% of all computers and best case you can manage 2% of them, (which is also almost impossible to do with such a small install base.) then you are only going to hit a few thousand computers. There isn't much money to gain from that.
- by Maarek Stele May 8, 2009 1:46 PM PDT
- the Safari hole is one that Apple has still never fixed.
- by Draxon May 8, 2009 4:18 PM PDT
- Please list for me all the known viruses that are infecting mac machines in the wild.
- by samalander May 12, 2009 2:36 PM PDT
- @Mareek
- by santuccie May 23, 2009 1:39 AM PDT
- PART 1
- by santuccie May 23, 2009 1:40 AM PDT
- PART 2
- by santuccie May 23, 2009 1:40 AM PDT
- PART 3
Oh, and in a security defense test, Apple was the FIRST to fall victim of that race. Sorry Apple, your OS is still horrible.
And then please read the link below. The number of Windows computers infected with the new "downadup" worm - also known as "Conficker" and "Kido" - has exploded to almost 9 million worldwide
Source:
http://www.guardian.co.uk/technology/2009/jan/19/downadup-conficker-kido-computer-infection
About the Apple being the "first to fall":
this has been covered time and again. I guess you only like lurid headlines and don't read many facts... The Apple was TARGETED. The vulnerability used was not done in the 10 seconds. The hacker had been preparing all year, searching for way to get in use the vulnerability (common to other browsers as well). He has stated all this in other articles.
He wanted the Mac for his own machine! He went for the Apple first, so he could win the machine. He has gone on record about the far superior security of OS X than Windows. This is all documented. Go read it and stop spreading FUD.
Furthermore, the hack depended on the computer user doing something to activate -- visit a specially prepared webpage he had worked on for a long time, download a particular file, and install it, get this, by ENTERING both an admin username and password. MacUsers can't just dismiss these pop-up boxes as an annoyance.
Furthermore, the hacker said he sat on the vulnerability he found for a long time, waiting for the contest. He did this because Apple doesn't pay for vulnerabilities disclosed by hackers. He wanted to profit off his discovery. In other words, he had no market for it. Evidently, many hackers are finding plenty of good exploitable vulnerabilities in Windows, and selling them to the highest bidder among the underworld.
But why let the facts behind the story through deter anyone from the absolute glee of a PC user being able to say "nah, nah, Macs are "JUST AS" vulnerable as PCs, just you wait till there are a few more Macs out there." About time this myth died (that with a higher market share Macs will be equally at risk): the plain truth is that the OS have some fundamental differences in design and architecture. Oh, and that MS doesn't give a crap about the end user. It will milk its OEM and corporate licensing deals until it dies.
@Draxon and salamander:
Both of you have completely missed the point. You're trying to use status quo as evidence for inherent security. And worse, you're using Windows XP in this comparison, when Vista is the MS product on store shelves these days (and has been for the past three years).
@Draxon:
Most of the machines getting infected with Conficker are running XP. As a service tech, I deal with Conficker fairly often (and Mebroot from time to time). When I find infections on Vista machines, they're usually singular Trojans or some kind of grayware. And more often than not, the infected machine has LimeWire on it, with possible culprit files turning up in scans on the LimeWire downloads folder. But most of the Vista machines that come in for supposed "viruses" are simply bogged down with 25 icons in the system tray, and more than one antivirus at a time.
@salamander:
You've got your facts flat out WRONG...
"The hacker had been preparing all year, searching for way to get in use the vulnerability (common to other browsers as well). He has stated all this in other articles."
>>>>All year? "We sat down about three weeks ago and decided we wanted to throw our hats into the ring. It took us a couple of days to find something, then the rest of the week to work up an exploit and test it. It took us maybe a week altogether," Miller stated.
"He wanted the Mac for his own machine! He went for the Apple first, so he could win the machine. He has gone on record about the far superior security of OS X than Windows. This is all documented. Go read it and stop spreading FUD."
>>>>Wrong again: "It was the easiest one of the three. We wanted to spend as little time as possible coming up with an exploit, so we picked Mac OS X."
Were you hoping nobody would know better, and nobody would do so much as a Google search to find out? That is absolutely foolish. But of course, so is lying. I think I'm getting a pattern here.
By the way, people who want to be credible will cite their sources, or at least link to them. Here are my links:
http://news.softpedia.com/news/Microsoft-Finds-Irony-in-Mac-OS-X-Getting-Hacked-Before-Vista-SP1-82135.shtml
http://www.infoworld.com/d/mobilize/mac-easiest-hack-says-10000-winner-728
"Furthermore, the hack depended on the computer user doing something to activate -- visit a specially prepared webpage he had worked on for a long time, download a particular file, and install it, get this, by ENTERING both an admin username and password. MacUsers can't just dismiss these pop-up boxes as an annoyance."
>>>>WRONG. First of all, the reason Miller had to tell his partner the URL was to perform the test. What did you expect him to do, setup one hostile Web page on the WorldWideWeb, and wait for his partner to hit that page out of the trillions out there? RIDICULOUS!!!
And in the real world, it's not about "duping" users into visiting your page, either. Ever heard of a cross-site scripting attack? Not only does it save time to attack a preexisting site, rather than building a new one; its established user base also means a LOT more hits. This is why Granny is getting infected on XP and earlier; it's not just from porn, warez, and P2P that people are getting infected.
Second of all, CanSecWest is about remote hacking. Miller used a "browse to own" vulnerability to win the contest, also known as a "drive-by download." No user interaction is required. And just so you know, the Mac's authentication mechanism isn't any more meaningful than a limited user account in Windows XP or 2K. And hackers have no problem getting past it. Draxon's Conficker can circumvent it, as well as Mebroot. And in October of 2006, I saw SQL Slammer and Stack Bot do the same thing. This is called "privilege escalation," and is OLD news.
BTW, there is a PoC drive-by download out there right now, demonstrating a vulnerability that has been public knowledge for six months, and Apple is only just now working on implementing the patch issued by Sun: http://landonf.bikemonkey.org/code/macosx/CVE-2008-5353.20090519.html
"But why let the facts behind the story through deter anyone from the absolute glee of a PC user being able to say "nah, nah, Macs are "JUST AS" vulnerable as PCs, just you wait till there are a few more Macs out there." About time this myth died (that with a higher market share Macs will be equally at risk): the plain truth is that the OS have some fundamental differences in design and architecture. Oh, and that MS doesn't give a crap about the end user. It will milk its OEM and corporate licensing deals until it dies."
>>>>Really? Show us a link. Every newsletter I have read, and every query I have done show the same thing... security researchers agree unanimously that OS X is the most vulnerable operating system on the market (Vista stocks the shelves now; XP doesn't count).
"I have found the code quality, at least in terms of security, to be much better overall in Vista than Mac OS X 10.4. It is obvious from observing affected components in security patches that Microsoft's Security Development Lifecycle (SDL) has resulted in fewer vulnerabilities in newly written code. I hope that more software vendors follow their lead in developing proactive software security development methodologies." - Dino Dai Zovi
'"Mac OS X is easy pickings for bug finders. That said, it doesn't have the market share to really interest most serious bug finders," added Gwerdna.'
'"The only thing which has kept Mac OS X relatively safe up until now is the fact that the market share is significantly lower than that of Microsoft Windows or the more common UNIX platforms.... If this situation was to change, in my opinion, things could be a lot worse on Mac OS X than they currently are on other operating systems," said Archibald at the time.'
"It was the easiest one of the three," said Charlie Miller, an analyst at Independent Security Evaluators (ISE), a Baltimore-based security consultancy. "We wanted to spend as little time as possible coming up with an exploit, so we picked Mac OS X."
"Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don't do. Hacking into Macs is so much easier. You don't have to jump through hoops and deal with all the anti-exploit mitigations you'd find in Windows.
"It's more about the operating system than the (target) program. Firefox on Mac is pretty easy too. The underlying OS doesn't have anti-exploit stuff built into it."
"For all the browsers on operating systems, the hardest target is Firefox on Windows. With Firefox on Mac OS X, you can do whatever you want. There's nothing in the Mac operating system that will stop you."
http://i.gizmodo.com/256768/mac-os-x-less-secure-than-vista
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9072959
http://www.zdnet.com.au/news/security/soa/Mac-OS-X-hacked-under-30-minutes/0,130061744,139241748,00.htm
http://blogs.zdnet.com/security/?p=2941
Sorry, salamander. I don't think you got a single point right. My grandmother told me long ago that it's better to be silent and let people think you're stupid, than to open your mouth and remove all doubt. How embarrassing!