Comments on: Apple releases OS X security patches

"Highly critical" security updates address more than a dozen vulnerabilities in the Mac OS X operating system.

[Jon N.]

Oh, Please people. Let's keep it REAL!

First things first. OS-X is a great system that has excellent security protocols. But so does Linux, & Solaris. Microsoft is everywhere, especially in the office! Microsoft is playing catch-up with the security protocols, and Linux is just beginning to experience programming standards. The new "Vista" OS is going to have the same security protocols that OS-X, Linux, & Solaris have. Isn't open source great?! You call it root...Microsoft will call it Administrator. Better late then never. I hope they can keep the cost of the new OS down below $130. Have you seen the screenshots? It looks like they swiped the desktop from a Linux KDE SUSE system! Apple is beginning to see that the next wave of cyber-terrorists & black hats will be targeting their systems as well. Though, I feel that it would be extremely difficult to do. Nothing is impenitrable. No ship unsinkable! Remember 4/15/1912? Well, if the roles were reversed & if Apple had 90% market share (and with all the flavors of Linux out there, I see that number as generous for M$)& M$ Windows had 4%, (I think that for Apple, this number is an underestimation)then I agree that the cyber-thugs out there would be more apt to go for Apple's throat! For some strange reason no matter how ya slice it, someone is always gunning for the guy or gal on the top! A smaller market share with a smaller consumer base = more time for better code, better implimentation as well as more R&D time. I still think that since Apple is switching to Intel chips, that they should fire the first salvo of code directly at Microsoft and make an OS-X for the Intel/AMD machines that are already out there. Oops! There I go, dreamin' again!

[Bill Dautrive]

re

"The new "Vista" OS is going to have the same security protocols that OS-X, Linux, & Solaris have. Isn't open source great?! You call it root...Microsoft will call it Administrator."

XP was supposed to also, in fact they do have an Administrator, problem is it was implemented in a half-assed way. Vista is not only coming to the party years late and underfeatured, but it will still hang on to "features" that cause windows to degrades over time(no other OS degrades, only windows) and cause security issues(aka the registry,activeX, ect). There inclusion might make for better backwards compatibility, but at a high cost of security and performance issues.

As for the rest of your uninformed post, read Johnny Mnumonics reply.

[Jon N.]

The uninformed thank you!

Look. I don't have a Masters in computer technology, nor a B.S. in computer science or programming. I am only going by my experiences as an end user. I was into computers (a TRS-80 Model I) back in 1980. To those that are more proficient (if not more educated) great! Rock on! But to slam a person for not having all the data concerning a subject is just being an intellectual elitist! There are many out here in cyberspace that are hoping for a resolution to the XP problem, & trying to find alternatives. I feel that any suggestions or input can be helpful, if it's given in a spirit of information & education. Those of you that slam the uninformed for chiming in, ought to be ashamed at yourselves! You were once a greenhorn newbie, too!
And to all the uninformed in cyberspace,
Your Welcome!
Jon N.

[Johnny Mnemonic]

Incorrect Assumptions...

Linux/Unix is a 30 some year old system. It has
POSIX, which is the Portable Operating System
Interface. C was developed for UNIX in order
to more easily port it to another platform.
The primary Internet protocols were developed on
a UNIX system. When it comes to standards, Linux
and UNIX based systems are the leaders. Rather,
Microsoft tends to "embrace and extend". It takes
a open standard and closes it.

Regarding your statement about the more popular
platform being a larger target...
Perhaps the most oft-repeated myth regarding
Windows vs. Linux security is the claim that
Windows has more incidents of viruses, worms,
Trojans and other problems because malicious
hackers tend to confine their activities to
breaking into the software with the largest
installed base. This reasoning is applied to
defend Windows and Windows applications. Windows
dominates the desktop; therefore Windows and
Windows applications are the focus of the most
attacks, which is why you don't see viruses, worms
and Trojans for Linux. While this may be true, at
least in part, the intentional implication is not
necessarily true: That Linux/UNIX and Linux/UNIX
applications are no more secure than Windows and
Windows applications, but Linux/UNIX is simply too
trifling a target to bother attacking.

This reasoning backfires when one considers that
Apache is by far the most popular web server
software on the Internet. According to the
September 2004 Netcraft web site survey, 68% of
web sites run the Apache web server. Only 21% of
web sites run Microsoft IIS. If security problems
boil down to the simple fact that malicious
hackers target the largest installed base, it
follows that we should see more worms, viruses,
and other malware targeting Apache and the
underlying operating systems for Apache than for
Windows and IIS. Furthermore, we should see more
successful attacks against Apache than against
IIS, since the implication of the myth is that the
problem is one of numbers, not vulnerabilities.

Yet this is precisely the opposite of what we
find, historically. IIS has long been the primary
target for worms and other attacks, and these
attacks have been largely successful. The Code Red
worm that exploited a buffer overrun in an IIS
service to gain control of the web servers
infected some 300,000 servers, and the number of
infections only stopped because the worm was
deliberately written to stop spreading. Code Red.A
had an even faster rate of infection, although it
too self-terminated after three weeks. Another
worm, IISWorm, had a limited impact only because
the worm was badly written, not because IIS
successfully protected itself.

Yes, worms for Apache have been known to exist,
such as the Slapper worm. (Slapper actually
exploited a known vulnerability in OpenSSL, not
Apache). But Apache worms rarely make headlines
because they have such a limited range of effect,
and are easily eradicated. Target sites were
already plugging the known OpenSSL hole. It was
also trivially easy to clean and restore infected
site with a few commands, and without as much as a
reboot, thanks to the modular nature of Linux and
UNIX.

Perhaps this is why, according to Netcraft, 47 of
the top 50 web sites with the longest running
uptime (times between reboots) run Apache. None of
the top 50 web sites runs Windows or Microsoft
IIS. So if it is true that malicious hackers
attack the most numerous software platforms, that
raises the question as to why hackers are so
successful at breaking into the most popular
desktop software and operating system, infect
300,000 IIS servers, but are unable to do similar
damage to the most popular web server and its
operating systems?

Food for thought.