Apple more secure than Windows? Computer says no

[sprintman]

Apple patches 45 bugs in massive security update


Apple patches several zero-day vulnerabilities, as well as a variety of bugs in Apple's software and third-party software such as Adobe's Flash Player and MySQL..

Apple has issued a security update for Mac OS X that fixes 45 security bugs.

The security update released Tuesday patches several zero-day vulnerabilities, along with other bugs in Apple's software and bugs in third-party software, including Adobe Flash Player and MySQL Server. Apple has issued several patch releases in the past few months.

The latest update, which is 8 Mbytes, is aimed at systems running Mac OS X 10.3.9. Patches are available for client and server systems.


Seven of the bugs being patched were published during the Month of Apple Bugs in January, and five were released during the Month of Kernel Bugs last November.

The update addresses a wide variety of flaws, including a buffer overflow in ColorSync, Apple's color management technology. Because of the vulnerability, if a user is enticed to open an image that has malicious code embedded in it, an attacker can trigger the overflow, which could crash the application or even allow remote code execution.

The update also patches a bug in Crash Reporter, which is an Apple program that logs information about all crashed programs. The vulnerability allows a local admin user to obtain high-level system privileges.

Also fixed in the update are several vulnerabilities within Disk Images, which are files containing the content and structure of any storage medium. The flaws generally lead to an application crash or arbitrary code execution.

Adobe's Flash Player has been updated to version 9.0.28.0 to fix a potential vulnerability that could allow HTTP request-splitting attacks, which are Web application vulnerabilities that are often used to perform cross-scripting attacks.

There are multiple vulnerabilities in MySQL. The most serious one is an arbitrary code execution, according to Apple. MySQL is being updated from version 4.1.13 to 4.1.22.

Apple's Security Update can be pushed down to users through the Software Update feature in Mac OS X, or it can be downloaded manually from Apple Downloads.

 

[Mystic]

I always felt that Mac OS X was by design more secure than Windows operating systems and for that matter I felt that the earlier 'Classic' Macintosh operating systems were even more secure than Mac OS X. But I am starting to wonder.

There are those (Windows fans) who say that Mac OS X has had fewer threats against it just because it is a lesser target (Apple about 5% of the current computer desktop market). Certainly there are fewer people who target Apple Macintosh OSs because of the smaller market. But a OS that is weak in security can be targeted and will be targeted even if its market share is small. Apple may be only 5% of the market but that 5% of the market still represents millions of users (and often more wealthy users because Macs are expensive).

My opinion is that in some ways Mac OS X certainly is more secure than say Windows XP because otherwise threats would be overwhelming the Mac even with smaller market share. Whether Mac OS X is more secure than Windows Vista is another question that is too early to answer.

In January there were all kinds of security updates by Apple for Mac OS X. I don't know if the security updates you are talking about are the same ones as those or not. But it certainly looks like the Mac has gotten the attention of the wrong people and they ARE finding weaknesses.

So it looks like even if Mac OS X is by design somewhat more secure than Windows XP at least, there were weaknesses there that people just had to go looking for. Which means that smaller market share did shield the Mac a lot.

My new prediction is that if the Apple market expands to something like 10% of desktop computers or more we are going to see a lot of threats to the Macintosh OS. Basically it has already been demonstrated that it is possible to write viruses, Trojan Horse programs, spyware, rootkits, hostile widgets, hostile Applescript, and develop various exploits to use against the Mac.

When Windows Vista was being developed I really did not have a lot of hope that it would be a really good OS. Microsoft has disappointed too many times. But I am thinking now that Vista just may have the security Microsoft was thinking about. Maybe not as good as they would have wanted but better than I orginally hoped. Without a doubt there are actually security features in Vista that actually go beyond what you see in Mac OS X. Just one example is Data Execution Prevention. There are other examples. It is still too early to tell but Microsoft really did put in a good effort at least when it comes to security.

 

[ToyotaNSaturn]

At least Apple actually patches their vulnerabilities. As a Windows admin, nothing frosts my cookies more than Microsoft not giving true vulernabilities top priority in patching ASAP. Internally, they just label them as "non-critical" (or whatever).

Then MS quietly patched a DRM problem within 72 hours. Very telling IMO.

I want BeOS back. There was nothing like it.

 

[sprintman]

VMS or these days OpenVMS. Still the most stable, secure, expandable OS ever made. When Mr gates was looking for a new OS VMS was the one he used as the ultimate. Character shift each letter in VMS one place to the left and what do you have?

 

[sprintman]

The right I mean. Been a very long week.

 

[BillionPa]

BeOS was indeed the pwn. i had a laptop running on it for over a year.... without rebooting it. long power outage finally took it out.

 

[LarryD]

I agree about OpenVMS. It can run for months with no degredation in performance. Also, it is the most efficient multi-tasking, multi-user system I have ever seen.

 

[sprintman]

There are VAX systems known to have run for 15 yrs without rebooting. Makes peoples eyes glaze over when you tell them that. Business running OVMS remote clusters wee not bothered by 9/11.

 

[Not the Autorx Frank]

I think the perception that OSX is more secure is founded from real world usage. There are few to no cases of serious issues while its common to hear people complaining of spyware and viruses on thier windows machine, I work in an office w/ 6 windows machines and 5 Macs. The windows fix it guy is in at least once every 2 weeks fixing something while I serve as the Mac guy myself because no issues to speak of really. Just seems worth the little $ difference to me...

 

[BillionPa]

windows server 2003 was a giant leap beyond XP in terms of security and uptime, and OSX being based on a server oriented operating system, should be compared to 2K3 instead of XP.

also hackers target windows systems because of their prevalence, and are much more likely to find a hole in its security than the sparce hackers that go afer OSX.

the OSX kernel is good, but its only as good as the unsecure apps running on it... so far.

i have been running win2k server, and now server 2k3 since early 2001, and have not been running anti-virus or anti-spyware software in that 6 year timeframe, with 0 infections (even though some have tried to install, the security settings in the operating system and/or my suspicion blocked it)

the human element is much more of a security risk than the operating system, and OSX tends to help in that respect by not letting you do many of the things that you can on a windows system (pre vista anyway) like change dozens of security settings without even a peep that what you are doing might not be in your best interest, among other things. and that is why i still use windows, because it lets me do what i want, when i want, without questioning my authorata!

of course this is not best for all people, and quite a few people that use windows would probably be far better off with a mac, i am so not one of them. and if they all switched, who would pay me to fix their system when they infect themselves with spyware?

 

[ToyotaNSaturn]

Billion, how do you know that you have 0 infections if you don't have AV-ASW software to find those infections?? Is it running behind a tightly controlled firewall or sitting directly on the public internet?

Good point...if they all switched much of the consulting market would vanish!!

 

[CivicFan]

Our service center runs OpenVMS. The servers can go on without rebooting for years. The only problems we encounter are when there are upgrades and there are incompatibility issues. that's when the system has to be rebooted with the rollback until a solution is found. We host a lot of banking databases so reliability is important.

I love that it is, unlike Unix, case insensitive. Unfortunately, the development of GUI applications on VMS is impossible and we had to have a Windows front end. Talk about PIA!

 

[sprintman]

I believe you. $1$ shutdown is all I remember. I worked for DEC from '84 till 93.

 

[BillionPa]

all the tests for infection vectors that AV-ASW software does i can do myself using either a hex editor, a decompiler, or by just looking at the file and saying "... somethings, amiss; somethings, askew...", among other methods.

i have even found new sneaky ones that werent in norton/mcafee/kasperskey databases, and infected systems with those softwares running. by the time they hit the database, its already too late. system was infected.

Nov06 comparative test: out of 62 infectious windows viruses not in their databases, Avast pro and Norton only detected...3, Mcafee and AntiVir premium got 14, AVG pro got a big fat 0! i have never seen a threat detection software that will catch everything a human with extensive knowledge of the registry and windows api can. not even close.

humans dont need artificially intelligent heuristic algorithms to detect harmful software, we have real intelligence to do it for us, as long as we know how to use it!!

by far the #1 anti virus solution is to not download potentially harmful files in the first place, and make sure the system is protected against unaided attack vectors. of course there are other methods of infection, but they can also be sealed without the need for AV-ASW software.

 

[Mystic]

I agree that computer operators are responsible for a lot of the stuff that gets on their computers. I have a couple of friends who are always searching the internet for every aminated joke and other stuff that they can find-I never open attachments or for that matter strange email that I know nothing about. But I still think a person needs an antivirus program.

This post was orginally about the Apple Computer. I do think that the number of threats against the Apple Computer is increasing, but the threats still do not amount to much compared to Windows. Windows Vista may make a big difference for Microsoft Windows security-it is too early to tell.

There are very few virus and Trojan Horse threats to Apple computers as evidenced by the very few antivirus programs available for Mac OS X. But you really should still have one. VirusBarrier or Norton Antivirus for the Macintosh are good choices for individual people with personal computers. There are only two antispyware programs available for the Mac as far as I know-MacScan and Internet Cleanup. And there are a few good firewalls like NetBarrier and Firewall X. According to what I have found out the firewall built in to Mac OS X is not that good so you probably really need a good firewall. I think Firewall X is pretty darn good.

If the Mac increases in market share eventually there will be more threats but with more threats there will probably be more security software. And of course, the computer user has to have good sense and not open email attachments, etc. But compared to Windows Macs are still extremely safe.

 

[Mystic]

There seems to be a lot of debate pro and con on the internet about Apple security. It is very detailed but some are saying that although there are not many viruses for the Mac OS X OS there are a lot of exploits which can be used to spread internet worms and take over computers. Of course, Apple has plugged a lot of the holes. There are also a lot of possible holes in various Apple applications like Safari, Mail, and QuickTime.

Various people are saying that if Apple does not make a serious effort to solve some of the issues that there could be major problems down the road. It looks like Apple could 'borrow' some of the technology used in Windows Vista. And there probably needs to be more thought on security when applications are developed.

It is beginning to look to me like Apple was just a small target that not many were interested in and also there was not the level of anger against Apple like there was against Microsoft. Apple has an opportunity (who knows how long it will last?) to solve some OS problems and some application problems.

With the levels of security in Windows Vista it is actually possible that Vista will prove more secure than Mac OS X. But it is too early to say.

 

[Mystic]

Symantec (probably no close friend of Microsoft) is apparently now saying that Windows Vista may well be MORE secure than Mac OS X. Not much in the way of viruses, Trojan Horse programs, and spyware have been developed for Mac OS X but there are apparently a lot of exploits that can be used against Mac OS X. And Linux operating systems are displaying a lot of problems with possible exploits. The safest servers are apparently BSD (that has been true for a while now) and Windows servers using Vista.

Apparently some people somewhere felt challenged by those Apple commercials. It has been only 3 months since Vista was released so it is early. But if present trends continue those Apple commercials are going to sound pretty hollow. It apparently really was just small market share to explain why Mac OS X seemed so secure.

Apple needs to do some security work on their operating systems and on their applications while they still have time to do so. There are already trends in BSD in technology leading to better security. BSD is under that Mac GUI and they should be able to make use of the same technology. Abd Safari, Mail, QuickTime, iTunes, etc., need to be made more secure.

 

[Master ACiD]

all you have to do is look at the computers that banks use. ever see an apple in a bank? nope.

 

[Mystic]

Well, there are some companies that use Apple servers. There is a major insurance company that uses them. But with all of the exploits that can be used against Mac OS X (and Linux operating systems for that matter) I think I would use a BSD server.

 

[01rangerxl]

I am not denying that an Apple can be affected by bugs and vulnerabilities, but how many hundreds of updates and fixes have been needed for Windows compared to Apple?

XP has worked for me, but after hearing nothing positive about Vista, I am beginning to think that an Apple may be in my future when my current computer takes a dump.