
Thread: MAC OSX : Not as secure as you think?!?

  1. #1
    Mac Addict Maverick's Avatar
    Join Date
    Apr 2004
    Location
    Hong Kong SAR
    Posts
    1,984

    Default MAC OSX : Not as secure as you think?!?

    Taken from this site:
    http://www.computerweekly.com/articles/article.asp?liArticleID=131513&li

    ----------

    Security statistics show surprising finds
    The Microsoft Windows application is more secure than you think, and Mac OS X is worse than you ever imagined. That is according to statistics published for the first time this week by Danish security firm Secunia.

    The statistics, based on a database of security advisories for more than 3,500 products during 2003 and 2004, shed light on the real security of enterprise applications and operating systems. Each product is broken down into pie charts demonstrating how many, what type and how significant security holes have been in each.

    What the figures have shown is that OS X's reputation as a relatively secure operating system is unwarranted, Secunia said.

    This year and last year Secunia tallied 36 advisories on security issues with the software, many of them allowing attackers to remotely take over the system - comparable to figures on operating systems such as Windows XP Professional and Red Hat Enterprise Server.

    "Secunia is now displaying security statistics that will open many eyes, and for some it might be very disturbing news," said Secunia chief executive Niels Henrik Rasmussen. "The myth that Mac OS X is secure, for example, has been exposed."

    Its service, easily accessible on its website, allows enterprises to gather exact information on specific products, by collating advisories from a large number of third-party security firms.

    Secunia said the service could help companies keep an eye on the overall security of particular software - something that is often lost in the flood of advisories and the attendant hype.

    "Seen over a long period of time, the statistics may indicate whether a supplier has improved the quality of their products," said Secunia chief technology officer Thomas Kristensen.

    He said the data could help IT managers get an idea of what kind of vulnerabilities are being found in their products, and prioritise what they respond to.

    For example, Windows security holes generally receive a lot of press because of the software's popularity, but the statistics show that Windows is not the subject of significantly more advisories than other operating systems. Windows XP Professional saw 46 advisories in 2003-2004, with 48% of vulnerabilities allowing remote attacks and 46% enabling system access, Secunia said.

    SuSE Linux Enterprise Server (SLES) 8 had 48 advisories in the same period, with 58% of the holes exploitable remotely and 37% enabling system access. Red Hat's Advanced Server 3 had 50 advisories in the same period - despite the fact that counting only began in November of last year. Sixty-six percent of the vulnerabilities were remotely exploitable, with 25% granting system access.

    Mac OS X does not stand out as particularly more secure than the competition, according to Secunia.

    Of the 36 advisories issued in 2003-2004, 61% could be exploited across the internet and 32% enabled attackers to take over the system.

    The proportion of critical bugs was also comparable with other software - 33% of the OS X vulnerabilities were "highly" or "extremely" critical by Secunia's reckoning, compared with 30% for XP Professional and 27% for SLES 8 and just 12% for Advanced Server 3. OS X had the highest proportion of "extremely critical" bugs at 19%.

    Sun Microsystems' Solaris 9 saw its share of problems, with 60 advisories in 2003-2004, 20% of which were "highly" or "extremely" critical.

    Comparing product security is difficult, and has become a contentious issue recently with vendors using security as a selling point.

    A recent Forrester Research study compared Windows and Linux supplier response times on security flaws and was heavily criticised for its conclusion that Linux suppliers took longer to release patches. Linux suppliers attach more weight to more critical flaws, leaving unimportant bugs for later patching, something the study failed to factor in, according to Linux companies.

    Suppliers also took issue with the study's method of ranking "critical" security bugs, which did not agree with the suppliers' own criteria.

    Secunia agreed that straightforward comparisons are not possible, partly because some products receive more scrutiny than others.

    Microsoft products are researched more because of their wide use, while open-source products are easier to analyse because researchers have general access to the source code, Kristensen said.

    "A product is not necessarily more secure because fewer vulnerabilities are discovered," he added.

    Matthew Broersma writes for Techworld.com


  3. #2
    Mac Freak Henjie's Avatar
    Join Date
    Apr 2004
    Location
    Binondo, Manila
    Age
    32
    Posts
    1,226

    Default

    Secunia is a joke. Check out As The Apple Turns' take on this Secunia demolition job masquerading as a legit report. :-)


    ~Henjie

  4. #3
    gonz
    Guest gonz's Avatar

    Default

    Windows viruses: over 71,000, with more every week. (Source: Symantec Security response site)

    Mac OS X viruses: one (and that one's a proof-of-concept virus only; no actual malware exploit has been created).

    You do the math.

    I wouldn't be surprised if Secunia has been paid off by M$ somewhere down the line.

  5. #4
    Apple Genius berniej's Avatar
    Join Date
    Apr 2004
    Location
    Laguna/SLEX/Makati
    Posts
    2,278

    Default

    Let me put on my Windows LAN Admin hat for a while here:

    I say that there is no such thing as a fully secure system -- either Windows or MacOS. If your box is in a hacker/cracker's sights, you are a sitting duck unless you put your act together and secure it the best way you can.

    One of the inherent weaknesses of Windows (which they are trying to fix in their latest Windows Server 2003) is that it has too many open ports right after installation. Also, right after installation, a Windows box is a proverbial sitting duck unless the user immediately applies patches/hotfixes/Service Packs (and preferably offline). Add to that the fact that it is the target of around 71,000 (my source: Gonz's posts) malware, so the user must never leave their system with an outdated anti-virus signature file.

    Compare that to MacOSX. My iBook is sitting within a Windows-centric network without any anti-virus software. Our corporate network has had at least two malware outbreaks this year -- but my iBook is unscathed! I dare the writer of that piece to do the same and see which is the last 'Book standing...

    [Edited on 7-12-2004 by berniej]

  6. #5
    directX
    Guest directX's Avatar

    Default Serious flaw found!

    macslash% sudo strings -8 /var/vm/swapfile0 |grep -A 4 -i longname

    MacSlash is currently running an article about the command above giving you access to a particular user's password in PLAINTEXT! Try it and see if you can get your password - just replace "longname" with your username.

    Apple better fix this asap!

  7. #6
    ginoledesma
    Guest ginoledesma's Avatar

    Default

    As I posted elsewhere, so am I posting it again. This is a problem that affects Unix boxes in particular. The problem is found in Solaris as well. I'm not sure if OpenBSD or other commercial Unix OSs have exactly the same problem, though.

    Simply put, this is a NON-ISSUE EXCEPT FOR FILEVAULT/KEYCHAIN USERS. The reason being that, as a local exploit, anyone who has physical access to your machine will be able to break into it, but FileVault-protected data will now be "vulnerable" if the correct password is extracted from the swap file. Although swap files are deleted upon restart, it is always possible for the infiltrator to boot off an external drive or mount the hard disk in another computer and extract the data.

  8. #7
    Apple Genius berniej's Avatar
    Join Date
    Apr 2004
    Location
    Laguna/SLEX/Makati
    Posts
    2,278

    Default

    @directX
    The command executed and wrote a whole caboodle of text on the terminal screen. What I did was dump it to a text file and try to search for my actual password... but there was nothing.

  9. #8
    directX
    Guest directX's Avatar

    Default

    berniej, I tried it on a newly rebooted machine (new swapfile0) and password is not there either. I guess it works only for those machines that are running for several days (had 6 days uptime when I tested it - showed my password in plaintext).

  10. #9
    Apple Genius berniej's Avatar
    Join Date
    Apr 2004
    Location
    Laguna/SLEX/Makati
    Posts
    2,278

    Default

    Oh, that could explain it! I was tinkering around with my 'Book last night and I rebooted it.

  11. #10
    ginoledesma
    Guest ginoledesma's Avatar

    Default

    This problem is a hit-and-miss thing, of which there is no clear culprit just yet. Speculation is that it may be within Apple's underlying framework for authentication (Keychain et al), while for others it is possibly an application problem.

    The suggestion is to use the mlock() and munlock() routines when passwords are requested, so that these passwords (whether in plaintext or in their encrypted format) are never swapped to disk. They are only in memory and there for the duration that they are needed. This is, of course, a programmer-side thing.

    The problem overall is hit-and-miss, probably because no one has been able to pinpoint the exact problem. Some think that people who use auto-login don't have their passwords stored (since it's never typed). In some rare cases, it's there. On some Solaris servers we administer (that NEVER shut down), I don't see the passwords at all. In one Solaris server that was freshly installed and rebooted, the password was listed along with garbage/text padding. In my Mac, I don't see my password at all, and the last time I shut down my Mac was a couple of days ago.
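
The mlock()/munlock() suggestion in post #10, as an added example that is not part of the thread or anyone's posted code: a password is read into a page pinned in RAM, wiped, then unlocked. The names `secret_t`, `secret_init`, `secret_read`, `secret_wipe` and `secret_free` are hypothetical, and the lock covers only this buffer, not copies held by other processes or frameworks.

```c
#define _DEFAULT_SOURCE
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef struct { char *buf; size_t cap; int locked; } secret_t;

/* Allocate one page and pin it in RAM before any secret is written to it. */
int secret_init(secret_t *s) {
    long page = sysconf(_SC_PAGESIZE);
    void *p = NULL;
    if (page <= 0 || posix_memalign(&p, (size_t)page, (size_t)page) != 0)
        return -1;
    memset(p, 0, (size_t)page);
    s->buf = p;
    s->cap = (size_t)page;
    /* mlock() can fail (e.g. RLIMIT_MEMLOCK); strict callers stop if !locked. */
    s->locked = (mlock(s->buf, s->cap) == 0);
    return 0;
}

/* Read one line from fd straight into the locked page with read(2); stdio
   is avoided because its internal buffer would hold an unlocked copy. */
ssize_t secret_read(secret_t *s, int fd) {
    size_t n = 0;
    while (n + 1 < s->cap && read(fd, s->buf + n, 1) == 1 && s->buf[n] != '\n')
        n++;
    s->buf[n] = '\0';
    return (ssize_t)n;
}

/* Overwrite through a volatile pointer so the stores are not optimised away. */
void secret_wipe(secret_t *s) {
    volatile char *v = s->buf;
    for (size_t i = 0; i < s->cap; i++) v[i] = 0;
}

/* Wipe first, then unlock and free, so the page is clean before it can swap. */
void secret_free(secret_t *s) {
    if (!s->buf) return;
    secret_wipe(s);
    if (s->locked) munlock(s->buf, s->cap);
    free(s->buf);
    s->buf = NULL;
    s->locked = 0;
}
```

A caller checks `locked` after `secret_init()` and refuses to read the password if the page could not be pinned, then calls `secret_free()` as soon as authentication is done.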
