August 27, 2009 4:00 AM PDT

Snow Leopard could level security playing field

by Elinor Mills

Share of the Mac operating system is growing, and with it the number of malware threats targeting the platform.

(Credit: Net Applications)

of the new version of the Mac OS, dubbed Snow Leopard, could include some security features that would make it secure, or at least push it closer to the level of security that Vista and Windows 7 have, experts said this week.

Contrary to popular Mac fanboy belief, Macintosh is not more secure from a software standpoint than modern Windows; it's merely safer to use because malware writers prefer to target the platform with the biggest install base, according to Charlie Miller and Dino Dai Zovi, co-authors of The Mac Hacker's Handbook, which came out this spring.

"Apple hasn't implemented all the security features that Vista has," Miller said. "They made some improvements in Leopard, but they are still behind."

If there is any truth to rumors circulating about Snow Leopard, the operating system security playing field could become more level as of this weekend and Mac users will really have something to brag about.

First off, a screen shot published on the Mac Security Blog of Intego on Tuesday appears to show a security feature supposedly in Snow Leopard that looks like it is detecting a Trojan in a disk image being downloaded via Safari. The post cites unnamed reports about an anti-malware feature being added.

"If it's true, it will mark a fundamental change in that Apple will be admitting that their operating system is as susceptible to malware as other operating systems," Miller said.

CNET's review of Snow Leopard posted late on Wednesday says that File Quarantine, first introduced in Mac OS X 10.4 Tiger, has been refined in Snow Leopard. File Quarantine checks for known malware signatures and displays an alert dialog if it finds a known offender and will be automatically updated via Mac OS X's software update as new malware signatures are found in the wild, the review says.

It's unclear whether rumors are true that Snow Leopard includes several internal features designed to prevent attacks that Vista and Windows 7 have, known as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) on that platform.

By randomizing the location of key pieces of data, ASLR makes it much more difficult for attackers to predict where data is going to be in order to execute their code or the code resident in the process. For exploit code that gets past the ASLR barrier, DEP will try to block it from running, recognizing that it is data and not a legitimate code.
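As an added illustration (not from the article or from Apple): on Mac OS X an executable asks for a randomized load address and non-executable stack and heap through flag bits in its Mach-O header, so a defender can audit which binaries opt in. The flag values are those in Apple's `mach-o/loader.h`; the function names and the two sample headers are constructed for this example.

```python
import struct

# Constants from Apple's <mach-o/loader.h>.
MH_MAGIC = 0xFEEDFACE                 # 32-bit Mach-O
MH_MAGIC_64 = 0xFEEDFACF              # 64-bit Mach-O
MH_EXECUTE = 0x2                      # filetype: main executable
MH_ALLOW_STACK_EXECUTION = 0x20000    # stacks get execute permission
MH_PIE = 0x200000                     # main image loaded at a random address
MH_NO_HEAP_EXECUTION = 0x1000000      # non-executable heap requested


def parse_mach_header(data):
    """Return (is_64bit, filetype, flags) for a thin Mach-O image."""
    if len(data) < 28:
        raise ValueError("too short for a Mach-O header")
    # The header is seven uint32 fields; try both byte orders.
    for endian in ("<", ">"):
        magic, _cpu, _sub, filetype, _ncmds, _size, flags = struct.unpack(
            endian + "7I", data[:28])
        if magic in (MH_MAGIC, MH_MAGIC_64):
            return magic == MH_MAGIC_64, filetype, flags
    raise ValueError("not a thin Mach-O file (fat/universal or other format)")


def audit_mitigations(data):
    """Report which ASLR/NX-related header flags an executable sets."""
    is_64, filetype, flags = parse_mach_header(data)
    if filetype != MH_EXECUTE:
        raise ValueError("these flags are only meaningful for MH_EXECUTE files")
    report = {
        "64bit": is_64,
        "aslr_main_image": bool(flags & MH_PIE),
        "stack_nx": not (flags & MH_ALLOW_STACK_EXECUTION),
        "heap_nx_requested": bool(flags & MH_NO_HEAP_EXECUTION),
    }
    findings = []
    if not report["aslr_main_image"]:
        findings.append("main image not position-independent (no MH_PIE)")
    if not report["stack_nx"]:
        findings.append("executable stack allowed (MH_ALLOW_STACK_EXECUTION)")
    if not report["heap_nx_requested"]:
        findings.append("heap NX not requested (MH_NO_HEAP_EXECUTION unset)")
    report["findings"] = findings
    return report


# Constructed sample headers (not taken from real binaries).
# 0x85 = MH_NOUNDEFS | MH_DYLDLINK | MH_TWOLEVEL, typical for linked executables.
HARDENED_X86_64 = struct.pack(
    "<8I", MH_MAGIC_64, 0x01000007, 3, MH_EXECUTE, 0, 0,
    0x85 | MH_PIE | MH_NO_HEAP_EXECUTION, 0)
LEGACY_PPC = struct.pack(
    ">7I", MH_MAGIC, 18, 0, MH_EXECUTE, 0, 0,
    0x85 | MH_ALLOW_STACK_EXECUTION)

if __name__ == "__main__":
    for name, blob in (("hardened", HARDENED_X86_64), ("legacy", LEGACY_PPC)):
        print(name, audit_mitigations(blob))
```

An unset `MH_NO_HEAP_EXECUTION` bit is a prompt to check the platform default, not proof that the heap is executable; the header only records what the binary requested.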

"If you have both, it's hard for an exploit to get around it. Leopard has some ASLR but everything is not randomized and Leopard has no DEP," Miller said. "Things could change significantly for the Mac if they do a good job...That was my main gripe with it."

In June, Dai Zovi reported on a new local privilege escalation vulnerability researchers had discovered that gives local root access on Mac OS X Tiger and Leopard. He offered up a wish list for Snow Leopard that included: "real" ASLR; "full use of hardware-enforced Non-eXecutable memory (NX);" default 64-bit native execution for security-sensitive processes; sandbox policies for Safari, Mail.app, and third-party applications (akin to what Chrome has); and mandatory code signing for kernel extensions.

Apple's Mac OS X security page makes reference to offering sandboxing, Library Randomization, and Execute Disable, but there are no details.

An Apple spokeswoman did not follow up on an e-mail request seeking an interview for this story.

The Snow Leopard Web site says it will offer protection against some common types of heap buffer overflow exploits but not new types of such memory overflow exploits, according to Dai Zovi.

The security level in Leopard falls in between Windows XP Service Pack 2 and Vista, he said. If Snow Leopard has full ASLR and DEP, it would bring its security close to the level of Vista, he added.

While adding full ASLR and DEP to Snow Leopard will boost the operating system's defenses against targeted attacks, the Mac OS software arguably has more holes that malware can slip through, Miller said. "It would be fair to say that Mac has more bugs, but it's impossible to measure," he said.

Market pressure has been missing
In this sense, Microsoft has benefited greatly from the plague of security holes in early Windows versions. Those problems led the company to embark on a quasi-religious conversion in 2002 with Bill Gates launching the Trustworthy Computing initiative and setting security as a top priority for the company. Its Security Development Lifecycle (SDL) program--designed to build security into the software--has become the model for the industry.

Microsoft puts "much more effort into auditing their code, the entire SDL process, developer training, automated source code scanners, and hiring external penetration testers," Dai Zovi said.

So far, Apple hasn't felt that kind of market pressure to improve Mac security, largely because malware writers have ignored it, so its secure software development process isn't nearly as developed or mature as Microsoft's, the security researchers said.

"Microsoft has had a head start. That's why they had ASLR and DEP first," Miller said. "It's not because they're geniuses. They just started caring about it sooner."

"These things go lock in step and it doesn't make sense for businesses to expend a ton of resources when the threat is not there," said Dai Zovi. "So far, Apple has been keeping up pretty well with the level of threats in the wild."

As far as security goes, market share is a double-edged sword. As the Mac operating system gets more popular, the amount of malware targeting it is growing.

The Mac has only about 5 percent market share worldwide (nearly half is in the U.S. alone), compared with nearly 95 percent for Windows, according to market statistics provider Net Applications. But the Mac share is rising, from 3.73 percent to 4.86 percent in less than a year, the firm says.

In the meantime, more and more Mac malware is appearing. Earlier this week, TrendMicro reported that it found a new variant of the JAHLAV family of Trojans that pose as pirated versions of legitimate applications and modify a computer's domain name system (DNS) settings, enabling successful phishing attacks and redirects to sites hosting malware. Earlier versions of the Trojan masqueraded as versions of QuickTime, but this one passes as Foxit Reader or an antivirus program.

Some malware is written for both Windows and Mac platforms and downloads the correct version depending on the browser. Last week, Symantec reported that sites purporting to show streams of new movies were actually feeding up a DNS-changing Trojan instead called OSX.RSPlug.A for Mac and Trojan.Fakeavalert for Windows. Last month, a McAfee blog post wrote about the OSX/Puper.a Trojan that is downloaded onto Mac systems when users download what they think is a video player.

ZDNet's Zero Day blog has covered a number of Mac malware threats this year alone. In January, Intego, which has been tracking Mac malware for several years, discovered a Mac OS X Trojan circulating in pirated copies of Apple's iWork '09 software found on BitTorrent trackers and other sites. Symantec researchers in April linked malware found in bogus copies of iWork '09 and Adobe Photoshop CS4 to what they said could be the first Mac OS X botnet launching denial-of-service attacks. And in May, a new e-mail worm dubbed OSX/Tored-A targeting the Mac was uncovered, although it was not found to be spreading in the wild.

"The frequency is increasing" for Mac threats in the wild, said Dai Zovi. "Still, there are only a handful of threats; nowhere near what Windows users face."

In addition to considering how buggy the software is, how secure the operating system code is, and whether malware writers are creating viruses and Trojans for the platform, another factor in play is how likely Mac users are to be duped into visiting a malicious site, opening a malicious e-mail attachment, and downloading a fake file.

Most Mac users seem to take pride in their supposed invulnerability, so one would think that they are less cautious in their surfing activities. But it's hard to tell.

"No computer or operating system is more or less secure when it comes to users being tricked into downloading something," Miller said.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press. E-mail Elinor.
Comments (showing page 1 of 4; 202 comments)
by DrtyDogg August 27, 2009 4:11 AM PDT
Bookmark this page, as these comments are going to get nasty.
by Random_Walk August 27, 2009 6:16 AM PDT
Why? It's two guys trying to get attention and selling a book.

Call me when something more dangerous than a local exploit shows up for it, then I'll be impressed.

Otherwise, it's just so much hot air.
by TechSlap August 27, 2009 9:50 AM PDT
Seriously Random_Walk? These guys are experts... and they are right. The facts are right there, right before your very eyes. Do me a favor and read the article again. Or not... Stay in denial. I have a Mac but that doesn't make me invulnerable to everything out there.
by Mark_Anderson August 27, 2009 11:02 AM PDT
@Random

Do the same for me when the same happens for Vista. You know, something that can install without user intervention.

Or get yourself banned again. Whatever.
by Seaspray0 August 27, 2009 12:16 PM PDT
A couple of Mac experts made all those comments above. No doubt the mac fanboys will deny them in comments below. So here's my question. Who do you think the average person reading all this is going to believe? The guys in the article above or the fanboy posts below? Me thinks they're going to believe the experts above.
by NewGermaris August 28, 2009 12:30 AM PDT
In fact, my posting is a reply to Ben342.

You guys have a serious problem.
Did you try to make a Clean Install of your OS ?
I am quite sure your Mac has been loaded with a lot of useless bells and whistles and pseudo-utilities downloaded from nowhere which interfere with the normal use of your Mac.

I'm a Mac User for about twenty years.
Never, I mean never, it took thirty seconds to switch from an app to another.
Even on a SE30 or IIcx running in Multifinder mode under MacOS 6!

I do not say you lie. I say you are not telling us the whole truth.

I am perfectly aware of the speed domination the PC had for a long time in the past over the Mac.
But this is not the case anymore.
Since Apple uses Intel processors running Tiger 10.4.11 or Leopard, Macs are as speedy or speedier than any PC equipped with the same or equivalent processor.
All tests run by independent labs prove it.
by -hh August 29, 2009 5:43 AM PDT
(@DrtyDogg: You're right in that it has gotten parochial)


An important topic, although it unfortunately misses the real threat, while successfully pushing peoples' hot buttons to get website hits (4 pages of comments & counting).

Historically, Windows has "better" security features, if that's today's definition of MORE.

The simple reason is that its security had been so bad for so long, plus there's extensive legacy elements that's not been made secure simply by getting rid of it. Such is the price for backwards compatibility.

Think of an analogy of a boat and keeping water out. The Windows security toolkit has an inner tube patch kit, shellac, wood glue & clamps, glass gel and a MIG welding torch ... because Windows is kept afloat by (respectfully) inner tubes, canvas, wooden planks, fiberglass and metal.

As Noah would say: "How Long Can You Tread Water?"

Since each hull material must be repaired differently, one ends up with extensive 'repair' tools. However, having more tools is only necessary because of its heterogeneous patchwork nature.

Now sure, OS X isn't immune from being perfectly secure. However, by trashing legacy garbage, a more homogeneous OS architecture exists, which means a smaller leak repair kit...and ultimately a more easily-maintained system.

By being easier to maintain, those fewer caulking gaps between different hull materials means that it's more work to find small holes to exploit, etc: as the article even says, potential hackers find things by "LUCK": it is simply harder to work against OS X. This doesn't mean that OS X is perfect, but what it does mean is that it is far easier for that hacker to go over and pick the low hanging fruit of Windows to write his exploits.

Thus, the question isn't if OS X is perfectly secure or not: all that's required is for it to have an inferior Hacker ROI than targeting Windows.

This is afforded in two ways. The first is by making it a more hardened target. The second is that market share has also had an influence on this. However, with the overall Mac marketshare demographic being more affluent than average (more money to steal, etc), plus some college campuses now being more than 60% Mac marketshare, we have to place increasingly greater weight on the significance of the "hard target" dimension, much more so than the "security through obscurity" potentiality.

(When asked why he robbed banks, Willie Sutton simply replied, "Because that's where the money is.")


However!

What this article completely misses is that the nature of the security threat has substantially changed over the past decade.

Today's pragmatic real world threat is overwhelmingly a trojan, personally authorized to install by the operator.

As the article admits, Apple began to address this security risk vector (through File Quarantine) back in 2005. Apple is now enhancing it further by having its malware definitions integrated into OS X's Software Update system.

The overlooked implication is that this means that it is increasingly seamlessly and automatically kept up to current definitions for the entire installed user base.

But because this is done with merely one tool instead of a fragmented dozen, we are expected to believe that it is somehow "worse".


"Riiiiiiight".


-hh
by michael_j_x August 27, 2009 4:21 AM PDT
Here goes the "Mac is more secure due to its foundations" argument down the toilet.
by myles taylor August 27, 2009 7:36 AM PDT
Sure, the argument goes down the toilet but who really cares why? My Mac is less likely to get a virus or malware attack of any kind than any machine running Windows. Sure....the fact that it has a smaller user base is a large part of the reason but who cares what the reason is? I certainly don't.

Also, Mac OS X has less code (and as a Unix based system is more efficient) and therefore it's harder to find holes and easier to block them.
by TinyIoda August 27, 2009 7:57 AM PDT
@ myles taylor
"(and as a Unix based system is more efficient) and therefore it's harder to find holes and easier to block them."

Citation needed!
by elllroy August 27, 2009 8:50 AM PDT
again: NO viruses or worms for mac os x, only trojans. and contrary to the author's belief or probably agenda (she should know better as a tech writer) there have always been trojans on the mac and there always will be (probably even more in the future).

but as you all probably know, a trojan is a program that you have to download and install (you even have to type in your password) to affect you. worms and viruses do so without your knowledge or interaction. should apple be more aggressive in teaching their users that they have to be very careful to download and install programs from unknown or untrusted sources? yes, is there the same malware threat for mac os x as for windows? no.
by elllroy August 27, 2009 9:28 AM PDT
and i have to give you this, couldn't say it any better:
http://macdailynews.com/index.php/weblog/comments/22221/

the windows sheeple have to be kept in the pen, no matter the cost. that is the purpose of cnet. because 99% of their advertising revenue comes from the windows ecosystem the erosion has to be stopped at all costs.
by Draxon August 27, 2009 10:03 AM PDT
So what you're saying is two guys selling a book and a company that tries to sell mac into virus software are the people you should believe when it comes to mac security? and whether you need to pay said company money to be safe?

Wow maybe you should call ford and ask them if you need a new ford car to be safe on the roads? I'm sure they will be unbiased just like mcafee and those two writers.

Or you can talk to people who live in the real world, I am in charge of 2500 Mac OSX machines and about 400-500 windows machines and over the last 5 years i have seen 0 infected mac computers, and at least 50 windows computers infected with viruses. add in the amount of time i spend babysitting virus updates when they don't update properly, the huge amount of ram eaten by sophos, and the time it took to switch from mcafee to sophos 2 years ago when mcafee upped the price of our renewal. I have spent more time working on 500 windows machines to keep them running than I have on 2500 mac computers. That is real world experience, and not biased as I honestly run vista at home, i look forward to getting windows 7 I don't mind spending time keeping my machine at home in running order, but for people who don't want to deal with all the crap a Mac is the way to go, THE REASON DOESN'T MATTER the fact is I have never seen a mac computer infected with a virus.
by Mark_Anderson August 27, 2009 11:03 AM PDT
@ellroy

That's right, ellroy, you couldn't have said it better. Mainly because you don't have the brain power to do so.

Wake up: It's 2009 and not 2006.
by Super2online August 27, 2009 11:10 AM PDT
@ellroy Let's try to make an appropriate distinction that is accurate. The threat level to Windows is far greater than the Mac OS because it commands 95% world wide market share. Windows employs superior technology by necessity to thwart that threat. It's obvious to me that many Mac users are confused by this point and inappropriately claim that the Mac is more secure when it's not. It just doesn't have to rise to a higher security level to combat the attacks aimed at it.
by ballmerisanape August 27, 2009 11:24 AM PDT
Super2online ,

WRONG.. .the VAST majority of those computers run XP and lower.. XP and lower is swiss cheese.
by Renegade Knight September 8, 2009 11:39 AM PDT
That was never an argument by anyone with a brain. Security through obscurity was always the claim for Mac. The era is over.
by giant_david August 27, 2009 4:22 AM PDT
The risk is the product of the damage caused and the probability of that to happen.

Given that the damage is the same once you have a security issue in a MAC or in Windows, a larger installed base comes with higher probability, since the number of virus and malware target it.

So, the risk associated with Windows OS is still higher.

The security features tend to be more advanced in that one of larger installed base. Microsoft strategy was building features before the security were good enough.

From the marketing point of view, that worked great, since they get 95% of the Desktop OS Market. But from the users security point of view it WAS a disaster in 2001,2002,2003,2004s.
by Random_Walk August 27, 2009 8:40 AM PDT
"Given that the damage is the same once you have a security issue in a MAC or in Windows"

Actually, that isn't the case. The two are built entirely different, so probabilities go out the window when it comes to assessing "damage"

A compromised website on Unix usually requires patching the hole in php (which is the usual route) and replacing the altered content - the OS itself sits untouched. A compromised website on IIS/Windows will require a complete rebuild/restore of the server.

The reason why translates to the user level as well - it is still too easy to get system-wide access on a Windows machine. They've managed to improve a bit, but nowhere near as well as their competition.

The reason Miller and the like crow about Windows 'improving' is more due to his outdated skillset w/ Windows than any new uber-security improvements in Windows itself. See also, oh, Conficker as a good example as to why I can say this and be confident in doing so.
by giant_david August 27, 2009 10:15 AM PDT
And this contributes even more to the risk associated to Windows.
by Mark_Anderson August 27, 2009 11:04 AM PDT
@Random

And this has what to do with Windows Vista from a consumer point of view?

Oh that's right. Nothing.
by Renegade Knight September 8, 2009 11:42 AM PDT
" the risk associated with Windos OS is still higher."

It's really a function of how effective the Mac malware writers are in targeting Macs. For windows you could shotgun things and hit a lot of Windows PC's. For a Mac you (for now) need a more targeted approach. However right now having the field to yourself would be huge boon to the Mac malware writers. The windows malware guys have to compete with each other. That's rather funny when you think about it.
by AJ Pants August 27, 2009 4:39 AM PDT
I hereby declare this entire article complete bollocks.
by bonesbautista August 27, 2009 6:50 AM PDT
I second that motion!
by pithenumber August 27, 2009 8:58 AM PDT
so you will keep on lying to yourselves that Mac OS X is invulnerable?
by Draxon August 27, 2009 10:08 AM PDT
pith:show me a single proven mac osx virus in the wild. and please link a source. You can't because the only proven mac virus happened on a work bench at black hat under just the right conditions, and was never able to infect a computer in the wild.

Yes there are a couple trojans but they require you to click "yes I trust this software I downloaded" and then put in your administrator password. a trojan is not a virus.
by Seaspray0 August 27, 2009 10:40 AM PDT
pithenumber asked you a simple question. You didn't answer it.
by santuccie August 28, 2009 11:01 PM PDT
@Draxon:

Quoting myself from another news forum...

'Please list any proven mac virus in the wild that can infect a machine without explicit user interaction? and sources.'
>>>>Um, in case you didn't know, most viruses do not install without user intervention. Most viruses come through e-mail, initially targeted at people like politicians and high-profile clergymen. The very first virus was written for the Mac, before the launch of McAfee in 1987. These days, even if you're using Windows XP, you're unlikely to see a bona fide "virus" unless you open e-mails (and their attachments) from people you don't know.

The most immediate threat to XP and earlier is an online exploit, most commonly in the form of a drive-by download through a browser. And while an uneducated Mac user such as yourself will use status quo as evidence of inherent security, there have been four breaches on OS X through Safari in Pwn2Own competitions each year since its inception. You want sources? Here you go:

http://securitywatch.eweek.com/apple/mac_hacked_via_safari_browser_in_pwn2own_contest.html
http://www.darknet.org.uk/2008/03/mac-owned-on-2nd-day-of-pwn2own-hack-contest/
http://blogs.zdnet.com/security/?p=2917
http://it.toolbox.com/blogs/securitymonkey/mac-os-x-local-user-exploit-appears-12026
http://www.linuxtoday.com/news_story.php3?ltsn=2009-04-17-030-35-SC-SW
http://blogs.computerworld.com/why_windows_is_safer_than_the_mac
http://www.dasmirnov.net/blog/charlie-miller-on-the-lack-of-security-o

The closest thing we had to an ItW exploit for OS X was a PoC outside of the security conferences, on Landon Fuller's Web site. I would link you to it now - so you could see your "impenetrable" security circumvented first hand - but unfortunately, the files have since been removed from the site. That said, what's the difference between PoC and ItW? Time.

'remember "proven in the wild" isn't on a bench at a black hat conference, a windows xp machine after a clean install placed online can be infect within 1 hour with 0 user intervention.'
>>>>You seem to be choosing your words rather carefully, trying hard to avoid putting your foot in your mouth. Unless everyone in your family can only afford netbooks (unlikely, assuming you yourself use a Mac), XP is no longer on the market. And furthermore, what is this supposed to say about how bad MS' security is? XP was released in 2001; there was no such thing as a drive-by download then! Now show us an ItW exploit that circumvents DEP and ASLR. Then, you can add Safe Unlinking and XP Mode (hinders rootkits from installing their own emulators), which Windows 7 introduces in October.

There are two theories amongst security researchers on what will happen as W7 erodes XP's market share:

1) Bot herders will turn their attention to the most vulnerable platform remaining... OS X.

2) The threat landscape will revert back to social engineering tactics. And since there are Trojans for Linux and OS X already, you can bet Russian bot herders will quickly add these to their arsenals, in effort to make up for huge losses in remotely exploitable machines.

Either way, you're next. If I were you, I'd dispense with that challenging tone. There are people here who know security better than you do.
by ClaBR August 27, 2009 4:42 AM PDT
No matter what OS you use: Windows, OSX or Linux, the system will end up being as safe as the user operating it.

Your system can be rock solid but if the user is tricked into downloading a program and installing it (in other words, give admin access to it either by typing the admin password or giving a go on UAC), all security goes down the drain.
by darkxeno August 27, 2009 5:00 AM PDT
This is the truth of all computers, you must educate the user in order for security to work.
by davidwarren August 27, 2009 6:21 AM PDT
So true. This is all that the malware detector in SL is for- to help prevent you from unknowingly installing malware. There still are not viruses that affect osx in the wild, in fact, I think viruses are falling by the wayside and malware is a greater threat in the future due to the increased security of all operating systems. Malware will still generally require a user action to install.
by c60chemist August 27, 2009 6:43 AM PDT
This was not true before firewalls. The original XP box would be infected within 15 minutes of being directly connected to the internet, no user activity was needed. Microsoft's original decisions to expose raw sockets and have no firewall were directly responsible for the explosion of malware. The malware community would be dramatically smaller if they had not been given fertile ground for 5+ years by the incompetent security decisions coming out of Redmond.

Now that most people have NAT routers and the firewall default is "always on" the burden of protection has moved to the user. But there are still thousands of boxes in the wild scanning for security vulnerabilities and if you turn off your firewall and get rid of your router you will definitely be infected.
by polaris20 August 27, 2009 7:38 AM PDT
Well said. Many of the issues currently a threat to OS X are trojans that depend on the user being stupid. Even with Linux all it takes is a user downloading a malicious .deb file (using Debian/Ubuntu as an example here) and sudo dpkg -i. Done. Installed, compromised.
by Michichael August 27, 2009 9:26 AM PDT
c60 - so you're citing Windows as an insecure OS based on comparing, forgive the pun, apples to oranges. What you're saying is that modern OSX is more secure than an operating system released what... 8, 9 years ago?

Let's compare OSX to Vista or 7 or Windows Server 2003 or something remotely in the ballpark. It pales considerably. I'll note that all of the OS's were equally impervious at a hacking competition until the browser was made available as a surface area of attack. After that happened, the Mac was the first, and easiest, to crack wide open because they don't have the security checkpoints in place that Vista and 7 do.

That's not to say that Macs are inferior, all's I and every other reasonable person am saying is get off your high horse. Macs aren't special. They're computers, and their /security/ aspects are completely over-rated and in fact sub-par compared to its primary competitors.
by kelmon August 27, 2009 4:44 AM PDT
Personally, I rather like the idea of people who download pirated copies of software applications, or anything else for that matter, getting burnt.
by ralfthedog August 27, 2009 5:20 AM PDT
I don't like the spam generated by their computers.
by Perry_Clease August 27, 2009 7:21 AM PDT
"by ralfthedog August 27, 2009 5:20 AM PDT
I don't like the spam generated by their computers."

Spot on! That is probably why they say that most spam originates in the USA and not taking into account that the URL in the body of the message takes you offshore.
by reidjim76 August 27, 2009 7:28 AM PDT
It's not just attached to pirated software. As mentioned in the article, there is Mac malware masquerading as Foxit (a free PDF reader) and video codecs. Using the "they get what they deserve" excuse is just ignorant.
by Perry_Clease August 27, 2009 8:32 AM PDT
"there is Mac malware masquerading as Foxit (a free PDF reader) and video codecs. "

OSX Preview is a free PDF reader. However, I am sure that our friend tetraploidies will tell us that you need an overpriced Mac to run Preview.

As to installing some off the wall CODEC in order to see a video, well don't do it.
by ballmerisanape August 27, 2009 9:42 AM PDT
I know a lot of Mac users.. and none of them have ever downloaded a free "pdf" reader.. reading (and creating) pdfs does not require 3rd party software on a Mac. You don't even need adobe.

You can write malware for any operating system.. the difference on the Mac is.. in order for it to do any real damage to the system.. it needs the user to enter an admin password.
by reidjim76 August 27, 2009 1:17 PM PDT
Perry_Clease: "As to installing some off the wall CODEC in order to see a video, well don't do it." This doesn't say anything as to the security of an operating system, just to the intelligence of computer users.

ballmerisanape: "You can write malware for any operating system.. the difference on the Mac is.. in order for it to do any real damage to the system.. it needs the user to enter an admin password." You need to read up on User Account Control.
by Renegade Knight September 8, 2009 11:45 AM PDT
While I can appreciate your thinking here, It's the legit stuff that worries me. Did I just download what I thought I was trying to get or the malware version?

@ballmerisanape
I tried the apple PDF function built in and didn't like it. Adobe offered theirs for the Mac so I used that. Others don't like the bloat of the Adobe solution so I can see where a 3rd party market could exist.
by Jeremy Chappell August 27, 2009 4:49 AM PDT
Oh good grief! So Mac OS X is less secure than Windows Vista right? WRONG!

OK, why is it wrong - the technologies argument seems pretty compelling. Well as tech writers so often forget technology only gets you so far, let me explain:

Firstly there is the numbers game, there are more Windows PCs, and yes they make a pretty tempting target. But there's more to it than that. A lot of infections aren't WEB to PC, a lot are PC to PC (often via thumb drives). As there are so many PCs this PC to PC interaction (that might infect a system) is a lot more common than Mac to Mac.

Next, and the one the yahoos whose views are expressed in the article have truly forgotten, is legacy. How many Vista boxes have UAC turned off? (I have seen first hand a large number) Mac's version of UAC is much easier to live with, and I'm pretty sure can't be disabled. OK, how many people have a few programs they have to run as administrator? Again I know of a reasonable number of examples of this too. Here many of Vista's security features are simply not working for the user.

Right, so maybe this doesn't describe YOUR Vista set up, but it is a common set up. Now what security features does Mac have? Well Safari (Mac's most used browser) has introduced Phishing Protection, Malware Protection (it highlights the site - currently on Leopard it doesn't look at downloaded files, though this protection is in the Windows version, and I suspect is included in Snow Leopard's version - though I have no advance knowledge), Extended Validation Certificates, Cookie Blocking, and it will query the users before running anything downloaded for the first time (this includes data about when and where the file was downloaded, Mac's default filesystem includes support for metadata). Mac OS X has always run in a "reduced privilege mode" and will prompt for an admin password before a process the user has run can modify certain parts of the system (similar to UAC, but far less chatty, AND the user must enter a password, not just click a button).

On balance even the current version of Mac OS X (without any user "hardening") is fairly secure, yes it can be improved by changing the defaults (and like on Windows some of those changes can start to make the machine a pain to use) and yes the improvements will be most welcome. But the idea that the current version of Mac OS X is highly insecure (for most users) isn't correct. Will I be upgrading to Snow Leopard? Yes, and that is in part motivated by a desire for greater security.

Do I as a Mac user take security seriously? Yes, I have an old Mac that can't run Leopard - I wouldn't dream of actually using that system on the Internet! (It currently has Mac OS X Tiger installed, next stop for it is either out the door or a PowerPC version of Linux).

But if you're reading this and you have a Mac, if you can upgrade to Snow Leopard then that is probably a good idea, better security can't hurt, and better speed is always nice. If you can't, you can probably hold on to that Mac for a while yet (probably another two years at least).
by polaris20 August 27, 2009 9:13 AM PDT
Actually, when compared to Vista 64-bit (and Windows 7 64-bit) Leopard is less secure, technically speaking. I'm not taking into account security by obscurity or market share. I'm talking the OS itself. However when taking into account the sheer targeting of Windows, OS X is still safer (as noted by Charlie Miller).
by FuturamaFan August 27, 2009 10:06 AM PDT
@polaris

Really, and how many people do you know that shell out for Vista 64bit and will for Windows-7 64bit? I know of one business. ONE that has done this. The rest just use whatever comes on the system...IE: 32bit.

With Macs (and I own both Windows and Mac) you get what you get; no fuss, no deciding which of the seven 'flavors' actually works best.
by polaris20 August 27, 2009 10:41 AM PDT
@FuturamaFan

Every business deploying Vista I've worked with, and they also plan to migrate to Win7 64-bit. Your anecdotal evidence is just that; anecdotal, as is mine (though clearly I have more experience with it than you do). It doesn't change the fact that Win7 64-bit is more secure than OS X 10.5.
by Mark_Anderson August 27, 2009 11:07 AM PDT
@Futurama

Uh, you do know the license covers both 32 and 64 bit versions. You just can't use them concurrently.

Try again. Your post was almost as laughable as Jeremy's.
by Jeremy Chappell August 27, 2009 12:31 PM PDT
@Mark_Anderson

Just try getting Microsoft to honour their license. I've had first hand experience of this - it's a nightmare. Microsoft's representatives (mostly offshore) don't understand their own license. They also hide behind the "it's OEM" excuse. My advice for anyone buying a PC with Windows pre-installed is be very careful you get either the version you actually need (64 or 32 bit) because trying to fix it later shows up Microsoft's support badly. If you are stuck in this hole something worth knowing (apart from the fact you ARE RIGHT despite what you're being told is if your system was built by a smaller vendor Microsoft call them "system builders" make sure you tell them your system was built by a "system builder" and not an OEM - no I don't understand why this works, but it does, you will need to pay a little for the DVD but I did expect to)

Here in the UK almost every school runs software by Capita, generically it's called SIMS. SIMS cannot run on Windows 64bit (which is how I got to know the above) AND can't deal with UAC (you have to run it as administrator) this software is almost universal in UK schools - not something small that nobody actually uses. There are plenty of other examples from other industries that similarly don't play well with Vista's security model. You'll tell me that the problem is the application, and I'll agree with you - but none of that actually matters when it's your line of business application. I'm not apportioning blame here. And no it's not all about numbers either.

If you only run nice up to date applications, written by the big vendors, well sure you might well get one impression about the state of Windows security. You deal with a few SMEs, believe me, you'll get another very different view.

Yes, I have a Windows 7 box here, yes it's a step forward from Vista (though I think Vista gets a bad rap because so many applications have a problem with it - from a security technology perspective Vista was a big step up from XP SP3) I don't see the giant leap forward that's being talked about. I think Vista's taken most of the heat and Windows 7 is benefiting from that. If you're on Vista I think Windows 7 is a small upgrade (especially if we're limiting ourselves to security matters) but worthwhile. If you're on XP then things are different, moving to Windows 7 is a big step (but you'll have to make it sooner rather than later) but will improve the security of your PCs hugely.

As for the Mac is a shambling mess, I just don't recognise that. Yes, Snow Leopard is a huge step forward from Leopard (in terms of security) but in reality this is fixing a problem that doesn't exist yet (though waiting for it to exist would be stupid).
by Mark_Anderson August 28, 2009 10:22 AM PDT
"Just try getting Microsoft to honour their license. I've had first hand experience of this - it's a nightmare. Microsoft's representatives (mostly offshore) don't understand their own license. They also hide behind the "it's OEM" excuse."

If you buy from an OEM then you're buying from their master of Windows which is a system builder copy. You approach the OEM to get the 64 bit version. I did this with MESH.

"Here in the UK almost every school runs software by Capita, generically it's called SIMS. SIMS cannot run on Windows 64bit (which is how I got to know the above) AND can't deal with UAC (you have to run it as administrator) this software is almost universal in UK schools - not something small that nobody actually uses."

Well since Capita Children's Services recommendation is that you run it on MS Server 2003 I'm not sure where you're going with this. I believe they're also building Vista support - as well as Office 2007 - support into it anyway.

Conversely SIMS won't run on OS X at all. That's why your analogy is a bit silly - it doesn't matter that OS X has a nice version of UAC because:

a) The application you mention doesn't even run on OS X.
b) If it did it may very well run into the same problems as Vista does with UAC.
by Jeremy Chappell August 31, 2009 5:03 PM PDT
@Mark_Anderson

If your system was built via a "system builder" then it actually IS Microsoft who are offering the 32/64 bit migration (but hardly anyone inside Microsoft know this... ). Trying to get this resolved is utter voodoo - eventually somebody will figure out what you're supposed to do, then you pay your £26 and the DVD arrives - until that, well it's nightmare city (Again it's Capita's SIMS - won't run in 64bit mode)

You're talking about the requirements for the Server, I'm talking workstation. Capita claim they've "done" the migration to Vista - but it needs to be run as Admin (which is hardly my idea of a proper Vista app...) It also works with Office 2007 (I have no idea if there are any issues - the whole thing is a stinking pile, and no I'm not blaming Windows, it's pretty clear where the fault lies).

My point is, there is a lot of software that "runs" on Vista, but needs Vista's security somewhat hobbled (which let's face it, while it's not Windows' fault rather blunts the security). So the "average" box, can't be considered as having all those features intact (as a significant number simply won't). On the Mac, with Apple's attitude to backward compatibility (which is basically: "sure, as long as it doesn't get in the way") things are different, if a program can't run due to some new feature then it doesn't run (you can't switch the feature off). Now that means that Apple switch new features on with care (32 bit Kernel, for example) but more often it's the applications that have to come up to snuff. Now this is short term pain, so denying it, but it makes the ecosystem evolve faster. A lot of Vista's problem was it tried to adopt a more "Mac-like" approach, and that was a heck of a shock to the Windows ecosystem (rather more than it could stand in fact). Windows 7, is a pause, UI features with few real changes. But I think it's just that "a pause" I fully expect Windows 8 to arrive quite quickly (if Microsoft have any sense at all) and to take a "hang-em high" approach to laggard applications. Will it stick? I don't know, but if it does Windows will be all the better for it.

Do you see what I was driving at now? I'm not a "Windows hater", I don't think Vista failed because it was bad software, or badly marketed, or even the wrong idea - no it was simply a bit too much of a shock to the PC ecosystem, but Microsoft should adopt a similar policy in the future, the PC ecosystem will adapt, and Windows can improve much faster as a result. I currently have Windows 7 RC on a machine (not a Mac I hasten to add) and it's OK, I'm not a great judge for everyone as the system is new and I don't run lots of old software on it - YMMV, but if you're on a new system with new (mainstream) software then it's a great version of Windows. It won't have me giving up Mac OS X, I'm a Unix person and more than that I came from NeXTSTEP so I really, really like Mac OS X. I do recommend Mac OS X for most people - but not everyone. If you've grown up on Windows I can see you take a different view, as I say YMMV.
by PTRSR August 27, 2009 4:50 AM PDT
The premise of this article is ludicrous, and only proves that the writer does not understand the world of hackers.

It is ludicrous to say that the Mac is more secure because fewer hackers attack it. That is like saying the bank with no security guards is more secure than the ones with security guards, as evidenced by the fact that it does not get robbed.

First of all, security is not determined by the number of attacks. Security is a quantifiable issue based solely upon whether or not a system possesses the requisite deterrent to thwart hackers. To say that Mac... which never gets exploited... is catching up to Windows... which gets exploited by the minute... is nothing short of a ludicrous argument.

Second, hackers love a challenge. To say that hackers bypass the notoriety of hacking a Mac, simply because there are only 100 million Macs on the market in contrast to the 900 million PCs is... dare I say it... ludicrous.

The only thing hackers bypass are systems that are too difficult to crack. This article is one huge logical fallacy. And I don't even own a Mac.
by tektaktyks August 27, 2009 5:15 AM PDT
u have no clue
by gp2792 August 27, 2009 5:31 AM PDT
wait a second.

Statement 1: Security is not determined by the number of attacks
Statement 2: Security is a quantifiable issue based on possessing the requisite deterrent to thwart hackers
Statement 3: Windows gets attacked more often, Macs don't.

1 and 3 are contradictory. First you say it doesn't matter how much an OS gets attacked, then you refer to the number of hacks as a reason for macs being more secure. 2 is the exact point of the article. Vista and Windows 7 have the requisite deterrents to thwart hackers and leopard doesn't.

i think you have a bit of a logical fallacy of your own going on.
by cougar888 August 27, 2009 6:37 AM PDT
You need to do a little research before you say that Macs are never exploited. Charlie Miller, the guy in the article, is a Mac hacking expert. Perhaps you don't remember the articles where he wins the hacking contest every year by hacking a Mac. He hacked the Macbook Air in under 1 minute. I even hacked my brother's Mac by using a simple Java exploit based on the exploit posted by Landon Fuller a while back. The exploit has since been patched, but only after he publicly posted the exploit. It took Apple 5 months to fix it after Sun had already fixed their end. If you think it is harder to hack a Mac than a PC, you are mistaken. Give both a try and let me know how it turns out. The "security" that exists in Macs can be summed up by these 3 features.

1: Macs have a smaller base. There just aren't as many programmers willing to do it for a Mac. If you think it is because Macs are harder to hack, please read up on Charlie Miller

2: Macs are based on Unix. The security model in my opinion does have a stronger base, but it is still a little underdeveloped on the Mac.

3: Mac users are generally more educated about viruses and hacks. This is the biggest one. Most people that use macs have switched from PCs for one reason or another. In order to feel comfortable with a new OS a user must learn why they are switching and all about the new/different features of the OS. That being said, most (not all, most) Mac users are more aware of these threats. In my experience with the average (don't get mad at me windows fans, I just said the average) windows users, they are all very aware that viruses exist, but they wouldn't know one if it hit them in the face, so they just give it permission to run without a second thought.
by craigar August 27, 2009 8:11 AM PDT
I for one totally agree with PTRSR!
The article talks about numbers and user base. The relative desire for hackers to "GO AFTER" a mac. It's not worth their effort is the article's assumption.. Oh please. Like PTRSR states.... give em a challenge. Why don't they take the challenge?

Ok, let's say that the user base is 5% Mac, let's halve that and say 2.5% of the hackers are trying to go after OSX. So we should at least see (let's be conservative) 1% of all malware being successful against Mac users.... Sorry, no luck. And that's with 99% of all Mac users not even attempting to block the threat.

Yes, the potential is there, but it's not happening, so that tells me there is a difference, and if Snow Leopard improves the chances even more..... GREAT!

Talk all you want, I'm a fanboy all the way and proud of it! I'll also repeat what I've stated in previous threads. I sell School Surplus. I look at piles of old computers every day, I separate the Macs, sell those on ebay, send the PC's to e-waste for recycling. Just last month, the company I work for sold over 100,000 dollars in Macs that were 5-7 years old. The funny thing is, the PC's I trash are usually only 3 years old... go figure.
by polaris20 August 27, 2009 9:14 AM PDT
I'm sorry, but you're way, way off on this. And I am a Mac (along with Win7, Ubuntu) user.
by tekitsune August 27, 2009 11:17 AM PDT
@cougar888
I have to laugh each time someone brings up the "Oh, the Mac got hacked in 2 minutes" thing. Every time I read about someone "hacking" a Mac, they always have to remove security from the equation BEFORE they can hack in.

You point to Charlie Miller. If YOU did your research, you'd know that no one was able to get into the Mac the way a normal hacker would. The only way he was able to hack it was AFTER the CanSecWest guys changed the rules and removed a layer of security.

I'll quote the Macworld article: "Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but on Thursday the rules were relaxed so that attackers could direct contest organizers using the computers to do things like visit Web sites or open e-mail messages."

Again, this all comes down to user issues. I've never heard of an instance where a Mac has been hacked remotely. Every time they have one of these "contests," they always have to adjust the rules so they can have people go to websites or they allow the hackers direct access to the computer. Those types of things aren't common, so these kinds of arguments are garbage.

Is OS X totally secure? No. No system is. It's impossible to have a completely secure system. And better security is never frowned upon. But the day one of these so-called "hackers" can actually get into a Mac without having someone in the user side do something stupid or having to have layers of security turned off to prove their stuff, then I'll pay attention.
by Renegade Knight September 8, 2009 11:54 AM PDT
You are confusing actual security vs. security measures.

Real world security is determined by the number of attacks. Macs win on this point.
Windows has a higher level of security measures built in. They are harder to hack than a Mac but far more frequently targeted at this point. Obviously that means they are not "harder enough" to attack.

For an analogy, typically a town with a larger police force has it because it's needed. It's actually a symptom of the level of crime. You are safer in the town with a smaller police force. Windows is more secure out of need. OS X is increasingly more secure out of an increasing need.
by bryan1999 August 27, 2009 5:06 AM PDT
The interesting part is that in 2002, Microsoft decided to make security a priority only after the plague had arrived.
by NikEst August 27, 2009 6:13 AM PDT
At least they did something about it. Apple is going to be in the same boat one day if they don't get their act together and deal with potential problems now. Even if the install base doesn't ever get that big, wouldn't it be fancy to say you ran an OS X botnet?
by Mark_Anderson August 27, 2009 11:08 AM PDT
The really interesting thing is it's now 2009 and we're two versions of Windows further on.

Do try to keep up.
by Jeremy Chappell August 27, 2009 12:36 PM PDT
@NikEst

Err, isn't Snow Leopard exactly what you're talking about? This is Apple's response to a threat that hasn't happened yet. Yes there have been some isolated attacks (none of which have gained any traction) but the wave of attacks that Microsoft have faced still hasn't happened, Snow Leopard is an attempt to make sure it never does.
by Jeremy Chappell August 27, 2009 12:37 PM PDT
@Mark_Anderson

So why's it still happening then?
by Mark_Anderson August 28, 2009 10:23 AM PDT
Why is what still happening or did I miss the part where there were multiple Vista affecting viruses that could install themselves without user intervention?
by Renegade Knight September 8, 2009 11:55 AM PDT
@NikEst

That's what this article says. Apple is getting its crap together in the security dept.
by Sausagebiscuit August 27, 2009 5:09 AM PDT
A computer is only as secure as its user. No software will stop someone from blindly clicking yes to continue running nakedgirls-im-really-a-virus.exe (or .app or .sh, etc).
by tjt7a August 27, 2009 5:30 AM PDT
This is very true; you can be on the most secure linux system imaginable, and you could still download a malicious script and execute it, opening a bunch of ports for a hacker to access your machine.

The majority of malware capitalizes on the ignorance/mistakes of a user.
by Random_Walk August 27, 2009 8:55 AM PDT
"...you could still download a malicious script and execute it, opening a bunch of ports for a hacker to access your machine."

...if you had root privileges, sure. Here's a simple "malicious script" that will blow up any *nix machine, assuming the user had root privs:
============
#!/bin/sh
sudo -u root rm -rf /
exit 0
============

...and here's a similar one for Windows (as a .bat):
============
del /p /f /s /q /a:RHISAL c:\*.*
attrib -s -h -a -r recycler
del /p /f /s /q /a:RHISAL recycler
============

Now - which one would do the most damage, assuming an ordinary user with no administrative rights? :)
by Vegaman_Dan August 27, 2009 12:01 PM PDT
@Random_Walk:

In your example, the Windows system would be left corrupted and largely unusable, if not unbootable.

The Linux system would have allowed the person exploiting it to have full root access, the ability to install anything they want on your system including keyloggers, bots, etc, *all without your knowledge*

In your examples, I think I'd rather have my system destroyed since I have backups of data than to have it turned into a spy without my knowledge, quietly snatching up my banking information for ID theft.

Both are bad, but... yeah, guess it's a matter of preference I suppose.
by cuda2 August 27, 2009 12:36 PM PDT
Wouldn't it look more like this on a mac:
#!/bin/sh
Type Adminpassword:___________
sudo -u root rm -rf /
Comment "Running this command can....blah blah"
Type Password:__________
exit 0

Also, something like this would require you be at the machine itself, whereas on a windoze box... lol. I can yell at the internet from across the room and crash several windows computers.
It has a lot to do with the open ports on a winbox which are closed by default on a mac. Hell, even the admin account on a mac can not destroy the system without jumping through hoops. Most hackers are script kiddies nowadays. They do not have the natural talent to exploit a mac and its inherently tighter security. I for one would love the bragging rights of releasing a mac virus into the wild but it's just not possible to create something that would spread past the first dumb user to let it be installed.
by Jeremy Chappell August 27, 2009 12:40 PM PDT
@Vegaman_Dan

He asks "Now - which one would do the most damage, assuming an ordinary user with no administrative rights?"

If they have no admin rights, then the script fails at "sudo -u root rm -rf /"

If you have admin rights and you're a moron no useful OS will help you.
by MyRightEye August 27, 2009 5:12 AM PDT
Hackers hack for fame. The first one to crack the Mac and have a virus spread as we have seen all over Windows will be more famous than Kevin Mitnick. It has nothing to do with the userbase numbers.

Enough with the strawman arguments.
by gp2792 August 27, 2009 5:32 AM PDT
dumb kids hack for fame. Real hackers do it for impact. financial or otherwise. it's a valid point.
by freemarket--2008 August 27, 2009 5:56 AM PDT
You're a decade or two behind the times. These days hackers hack for money. It's in the news almost daily.
by ddesy August 27, 2009 6:05 AM PDT
It isn't that "dumb kids hack for fame." Many hackers do. In some cases this fame lands them high paying jobs as "security experts."
by Random_Walk August 27, 2009 6:22 AM PDT
"Real hackers do it for impact. financial or otherwise. "

So... millions upon millions of near-homogeneous machines whose owners are in a relatively higher-paid demographic and don't run any sort of A/V would not make for a valid target? Hell, botnet herders start bragging at 100k or more 'doze boxes in their stable. Imagine what a million or two machines could do...

Thar's money in them thar Macs - and I don't doubt that many have tried. So far, the best the black-hat community can come up with is a spate of trojans that requires a real stupid user to activate.

They're going to have to try harder than that...
by knowles2 August 27, 2009 9:17 AM PDT
Maybe they have and then sold the knowledge onto Apple. After all Apple got a brand to protect they probably pay any amount to stop someone from releasing a virus into the eco system. And Apple would do its utmost to make sure this would ever become public.
by FuturamaFan August 27, 2009 10:10 AM PDT
Hackers are bums who need real jobs. You got time to waste thinking about how to screw other people? You would be better wasting that time thinking of how to get a girlfriend.
by Vegaman_Dan August 27, 2009 12:07 PM PDT
@Random_Walk/Penguinisto:

"So far, the best the black-hat community can come up with is a spate of trojans that requires a real stupid user to activate."

Spot on, and you nailed it right there. That's the problem that Apple has facing them. Their end users are used to not worrying about security and ARE ignorant enough to click on whatever is on their screen. Sure, YOU won't do it, but the average Mac user is not a geek to that level. And that's the real danger, isn't it? The ignorant few who do click on this or that exploit vector and create the bot net without their knowledge until it's too late.

It changes from Security through Obscurity to Insecurity through User Ignorance. :/
by DrtyDogg August 27, 2009 5:03 PM PDT
@Random_Walk: your comments are humorous in their naivety. In a large scale virus infection, the target is not the computer owners information, it is their machine. I would bet that if conficker infected Bill Gates machine, it would have done the same thing that it did to all of the others, so far, nothing.

Speaking of conficker, regarded as the most "successful" virus ever, in install base, it still only infected around 2% of the Windows PCs in the world. OS X has around a 5% worldwide market share worldwide. With that small of a market share proliferation of the virus to 2% would be incredibly hard because depending on how it spread it would hit a dead end 95% of the time. But let us just say it did hit those high numbers, 2% of 5% of the computers in the world would yield you a zombie network of little importance due to its low volume.

As for what has already been done, there are several drive by downloads that have been shown that require no user interaction whatsoever, as well as plenty of downloads with code that can take over a system.
by Renegade Knight September 8, 2009 11:58 AM PDT
Botnets are big business. Professional hackers have a job to do. When Macs make that job easy Macs will be targeted. Userbase numbers apply here.
by tektaktyks August 27, 2009 5:17 AM PDT
"Contrary to popular Mac fanboy belief, Macintosh is not more secure from a software standpoint than modern Windows; it's merely safer to use because malware writers prefer to target the platform with the biggest install base," and look at the comments, those macboys are really sick, just can't take it huh?
by freemarket--2008 August 27, 2009 5:39 AM PDT
So I take it that you are a security expert and have fully evaluated both Windows 7 and Snow Leopard from top to bottom and done full comparison? Or are you just blowing smoke? Thought so.
by ddesy August 27, 2009 6:05 AM PDT
Keep drinking that MS Kool-aid.
by NikEst August 27, 2009 6:12 AM PDT
I can take it. It's also something I've known for years. As a software developer, I know that bugs can only be fixed if they are found. Less finding on OS X means less bug fixes, means Windows is probably "more secure" from a code perspective.

The mac fanboys have ignored this fact here and are instead reminding the Windows user that in practice, OS X is more secure. This is something I would agree with.
by ballmerisanape August 27, 2009 8:41 AM PDT
Polly want a cracker?
by Motyoj August 28, 2009 6:25 PM PDT
The insecurity I see isn't in the OS here, it's in the poster. Who cares? Why are you all worrying about this drivel?
by Andintroducing August 27, 2009 5:18 AM PDT
Stuff it!

Though it sounds good, you know not 1% of what you speak. And changing the word "virus" to "malware" in your hitpiece du jour still does not an argument make.

There are fewer viruses and malware because the platform is stronger. Been using my Mac without any protection since OS X came out and never have I run into 1/100th of the malware, spyware or virus problems my cheap-ass Windows friends have.

Pull your head out of your cubicle once in a while!
by NikEst August 27, 2009 6:10 AM PDT
Nor have I run into problems on my Mac, but we will. I know the Apple fanboys ignore security, but it's going to bite them in the ass one day and comments rolls around the internet are going to boil when it happens.

This article was more about actual code security, not user security. They even mention that the user is ultimately the most important factor. Pull your head out of your cubicle.
by reidjim76 August 27, 2009 7:38 AM PDT
I've walked around my whole life without wearing a bullet proof vest and I've never been shot. That doesn't mean I'm bulletproof.
by Random_Walk August 27, 2009 9:05 AM PDT
"I've walked around my whole life without wearing a bullet proof vest and I've never been shot. That doesn't mean I'm bulletproof."

You assume that in the computer realm, all bullets and all targets are equal. Cute analogy, but it doesn't fit at all.
by TechSlap August 27, 2009 10:00 AM PDT
Now... YES, you are more secure. Macs have a higher vulnerability level but a much lower threat level thus, you're safe. Don't get too proud though. Mac does not have the anti-exploitation technologies that Windows has. Why? Well because Windows is hammered with attacks, 100's or thousands, every day. Measures are taken to prevent MOST of them. I own a Mac, and I'm well aware that the security set in place by Leopard (not Snow Leopard) are far from up to par with Windows systems but as long as they have that low threat level, Macs are safe. Can't wait to see what Snow Leopard has in store security wise.
by reidjim76 August 27, 2009 1:25 PM PDT
Random_Walk: "You assume that in the computer realm, all bullets and all targets are equal. Cute analogy, but it doesn't fit at all."

It fits perfectly to what the original commenter stated. Just because you don't grasp the concept doesn't mean the analogy fails.
by laughingdude August 27, 2009 5:22 AM PDT
When I was reading this article I had to go to the top and make sure I was not reading "the Onion". LOL.
by ddesy August 27, 2009 6:06 AM PDT
No kidding! This article reeks of a lack of journalistic integrity.
by EwokHD August 27, 2009 5:26 AM PDT
Also note the poor job of editing in a rush to get this article out. At least the writers @CNET haven't started using texting abbreviations.
by jav1231 August 27, 2009 5:29 AM PDT
The problem with this article is simple. The case is never made. People are merely quoted. Frankly, this line pretty much ******** the argument for me:

/"Microsoft has had a head start. That's why they had ASLR and DEP first," Miller said. "It's not because they're geniuses. They just started caring about it sooner."/

Really? When? After years of neglect, that's when. Microsoft didn't have an epiphany about security. They were besieged by viruses and malware.

And I note they mention "from a software standpoint." As opposed to an OS standpoint?
by TechSlap August 27, 2009 10:02 AM PDT
Really? The fact is that they implemented the appropriate security measures to prevent such attacks from happening. Mac hasn't yet... Hopefully they will with Snow Leopard.
by fazalmajid August 27, 2009 5:30 AM PDT
The new malware detection features in OS X are basically a simple blacklisting feature for trojans. When you consider the fact Windows still has the glaring AUTORUN.INF vulnerability where it will blithely run arbitrary code in storage media inserted into the computer without even asking the user for consent, the assertion that Windows is more secure than OS X is simply ridiculous. There is no point hardening a door frame with titanium if the door is made of paper.

http://en.wikipedia.org/wiki/AutoRun
by Random_Walk August 27, 2009 6:23 AM PDT
To be fair, Windows asks for consent now.
by reidjim76 August 27, 2009 7:42 AM PDT
AutoRun requires consent since Vista. You're probably one of those ignorant fools that follows the hype and tells people to keep running XP instead of Vista, though.
by ballmerisanape August 27, 2009 8:43 AM PDT
what consent.. a password..or another "ok" button?
by Random_Walk August 27, 2009 8:58 AM PDT
A list of actions, including opening File Explorer to view the contents, play a movie, show images, run some exe file, etc, depending on the content.
by ballmerisanape August 27, 2009 9:47 AM PDT
but no password.... just choices with no indication that it can cause harm. I believe with 10.5.. if you download an application.. or a .dmg with an application in it.. the OS tells you that you are "opening this file with this application for the first time.. are you sure.. bla bla".. at least you get some warning that it's an app. Also.. you used to be able to change an application's extension from .app to anything you wanted.. and the app would still run. Now it will append the .app to the extension no matter what you change it to (.pdf.app for example).
by Nataku4ca August 27, 2009 1:02 PM PDT
I just had to say something here

Do you really want to type your password every time something is inserted? (be it USB/DVD/CD/whatever can autorun..) I can guarantee you hundreds if not millions of ppl will start shouting in uproar, not to mention the fact you probably checked off the "always run with this app" box... which should never be done unless ur lazy and don't care
by reidjim76 August 27, 2009 1:36 PM PDT
@ballmerisanape

On Vista and Win7, if an application you run, on removable media or not, requires admin privileges, you will get a UAC prompt. In the original versions of UAC in the Vista beta, Microsoft required a password. However, too many "knowledgeable" tech journalists wrote negative reviews of UAC being annoying, so they reduced it to a simple Continue or Cancel prompt (for admins... limited users still get a password prompt). Admittedly, UAC in Vista delivered too many prompts, causing the typical user to just click Continue for everything. With Win7, this has been reduced by changing the UAC default to only display when a program needs admin privileges, not for user-driven admin actions.

Your comments show how little you know about how modern Windows operating systems work. You really need to do some research before attempting to contribute to a topic.
by Renegade Knight September 8, 2009 12:01 PM PDT
"There is no point hardening a door frame with titanium if the door is made of paper"

Nice but not quite apt. If you were going to install a metal door, you install the frame first.
by Mr. Dee August 27, 2009 5:37 AM PDT
I hope Mac users are more enlightened by this article and learn not to throw stones if you live in a glass house. So, when John Hodgman and Justin Long play up their gimmick show on Apple.com or your local TV station saying Windows is not secure enough, just understand it's a man named Steve Jobs behind the camera with a basic knowledge of computing directing the show.
by stickfu August 27, 2009 5:52 AM PDT
All this from a self confessed "intermediate" skill level user. Perhaps you can enlighten us with your interpretation of string theory too?
by NikEst August 27, 2009 6:02 AM PDT
You're assuming this article is correct. While it seems like it is, we would only know if we were security experts. I personally am not a security expert, nor do I pretend to be. I know that not running any 3rd party antivirus or security software on my Mac could burn me one day. I also know that not running antivirus or security software on my XP desktop at work will burn me, probably in less than a month. I welcome any security changes Apple wants to make and I hope that ASLR and DEP are included in Snow Leopard; there is no reason they shouldn't be. Apple has always claimed better security, which is most likely misleading. Then again, Microsoft's current TV commercials (buy PC because it's cheaper) are also misleading (given $1,700 and you don't buy a Mac because you found a PC with better battery life (better than 7 hours?) and that is more portable, give me a break). It's the nature of free enterprise; I just hope Apple realizes security is important before OS X becomes a security nightmare.
by Motyoj August 28, 2009 6:40 PM PDT
Steve Jobs has a basic knowledge of computing? If you read up on him you will see he has a much greater knowledge of computing than "basic". Basic is what Bill Gates was involved with and worked for Jobs at one time. I believe Jobs delivered a better OS and Gates developed a better business model. In the end it's up to the consumer to decide what's right for them. Just my opinion however.
by themotie August 27, 2009 5:54 AM PDT
I assume this article is correct, in theory. And in theory there is no difference between theory and practise. But in practise it is.

Being in a contemplating mood, I contemplate on my PC-using friends, who have more or less serious malware problems now and then despite using time-consuming and intrusive anti-malware programs, and my Mac-using friends, not one of whom I've ever heard having a malware problem despite not one of them having any sort of anti-malware program.

I must say I have some problems aligning this real-world fact with the above proposed fact that Windows is more secure, at least in any real-world, joe-or-jane-the-user perspective.
by NikEst August 27, 2009 6:07 AM PDT
I agree, the average Mac user has far fewer problems with this stuff than a Windows user, but the theory that Windows is more secure is probably true.
by Renegade Knight September 8, 2009 12:08 PM PDT
You have two things, real world security vs. security measures.

Mac has less need (from less attacks) and thus has taken less measures. Windows has more need (from more attacks) and thus has implemented more security measures.

That's what you are observing.

Mac is seeing more attacks and Apple increased their security measures with Snow Leopard.

What you are seeing shouldn't give you more problems with Windows having more security measures built in.
by ddesy August 27, 2009 5:59 AM PDT
Oh yes! More FUD claiming that Vista and 7 are more secure than Mac OS X. What are the real life, common exploits? We already know that "security through obscurity" is a myth.
by NikEst August 27, 2009 6:06 AM PDT
If Vista and Windows 7 have ASLR and DEP, but OS X doesn't, then Vista and Windows 7 are more secure. Those are simple, but effective, methods of providing basic security to the OS. Personally, Snow Leopard needs to have those things included.

Also, if Vista and Windows 7 are exploited more, then we know about the holes in Windows, whereas we have little to no idea about the holes in OS X because people haven't exploited them.

For the interest of not being flamed: I am a Mac user that thinks Apple needs to get on the ball about making real attempts to secure its operating system. Hire some hackers and fix what they find, that's not that hard to do.
by Random_Walk August 27, 2009 8:59 AM PDT
"...then Vista and Windows 7 are more secure."

Explain Conficker, then. ;)
by TechSlap August 27, 2009 10:05 AM PDT
Totally agree NikEst. Hire people to find those exploits, then patch them before they're made public. Now, I'm sure they must have a team that does this but... Maybe try and get some outside sources.
by DrtyDogg August 27, 2009 5:07 PM PDT
@Random_Walk:
http://blogs.pcmag.com/securitywatch/2009/03/the_most_important_things_to_k.php

"Windows Vista is technically vulnerable in this way, but the exploit is almost impossible to execute on it. Conficker is basically an XP problem"

Why would you ask that question when you already know the answer ;)
by santuccie August 28, 2009 4:58 PM PDT
Denial. He's so devout in his religion that he is refusing to acknowledge the truth.
by Renegade Knight September 8, 2009 12:09 PM PDT
Oh Yes a FUD argument about non FUD.
Showing 1 of 4 pages (202 Comments)
About InSecurity Complex

Elinor Mills became fascinated with hacker culture when she was sent to Las Vegas to cover DefCon in 1995. Since then, script kiddies have given way to cyber criminals targeting bank passwords, and privacy risks are everywhere, from Google to Facebook and the iPhone. InSecurity Complex keeps tabs on the flaws, the foibles, and the fixes.
