Hacker: Snow Leopard less secure than Windows

As reported by Techworld, Snow Leopard, Apple's highly anticipated new operating system, lacks basic security features that are found in Windows XP, Windows Vista and Windows 7 says Charlie Miller, a noted security researcher.

Address Space Layout Randomization, commonly referred to as ASLR, randomly assigns data to the memory to make it more difficult for hackers to locate the critical operating system functions.

Charlie Miller of Baltimore-based Independent Security Evaluators who many people may remember from when he successfully hacked a fully patched Macbook in seconds, was disappointed upon hearing that Apple did little to improve ASLR from Leopard to Snow Leopard.

"Apple didn't change anything. It's the exact same ASLR as in Leopard, which means it's not very good. I hoped Snow Leopard would do full ASLR, but it doesn't. I don't understand why they didn't. But Apple missed an opportunity with Snow Leopard. Apple did make various moves to improve Mac OS X 10.6's security including a revamp of QuickTime and additions to Data Execution Prevention (DEP), a security feature built in to Windows Vista."

"Having both ASLR and DEP in an operating system makes it much more difficult for attackers to create working code," Miller argued. "If you don't have either, or just one of the two [ASLR or DEP], you can still exploit bugs, but with both, it's much, much harder. Snow Leopard's more secure than Leopard, but it's not as secure as Vista or Windows 7," he said. "When Apple has both [in place], that's when I'll stop complaining about Apple's security."

In the end, Miller agreed that hackers' disinterest in Mac OS X comes down to numbers rather than the security measures that Apple adds to the operating system. "It's harder to write exploits for Windows than the Mac," Miller said, "but all you see are Windows exploits. That's because if [the hacker] can hit 90% of the machines out there, that's all he's gonna do. It's not worth him nearly doubling his work just to get that last 10%."

"I still think you're pretty safe [on a Mac]," Miller said. "I wouldn't recommend antivirus on the Mac."

Report a problem with article
Previous Story

Bing gains market share

Next Story

Skype founders take eBay to court

159 Comments

Commenting is disabled on this article.

[RANT]
In a little research one of the first virii back in the 70's & 80's was on a Apple Computer. Now I know OS X did not exist back then but still. Mac's can get virii. 2nd point. lets shift our focus away from Mac OS X for a moment and take a look at other iCrap such as the iPod & iPhone. These devices have vast popularity and a huge marketshare among it's field. If I remember correctly there was for a while a couple different ways to completly pwn a iPhone by just sending it a SMS (txt) msg. And all the iPhone had to do was receive it to be the ****** adopted device of a cracker. Now if the security that is behind the operating system/firmware of a iPhone is the same stuff that OS X is built on then that shows me there are mass amounts of potential exploits to be found. I am not saying by any means that Mac OS X is safer/more secure than Windows or vice versa. What I'm saying is all computer systems & OS's have their potential and guaranteed flaws. I have used every single version of Microsoft Windows operating systems all the way back from Windows 3.1 to Windows 7. Microsoft has always improved their security and general usability of the successor to the current OS with exception to Windows Me which was a half assed slap together job to shut up the impatient people when Windows 2000 wasn't ready. I know many will talk of how Windows Vista "Sucks" and yes it has its flaws but it is one of the first of a new genre of NT OS. So it is bound to make its mistakes much like Me. I have never had a single Virus or piece of malware on my Vista machine or my Windows 7 Machine. The few Virii & Malware I have had back in my days of using Windows XP were rare at best and mostly due to Luser error. (Friends or my own sheer stupidity at the time) I have not had the pleasure of destroying a Mac personally yet just because I do not have the cash to go buy one. I would rather scavage hardware from web sites an build a completely custom PC and slap on my own copy of Windows than spend $2,000 on the Mediocre version of a Macintosh computer. More so someone mentioned earlier that there are quite a few Botnets on the Mac. I laughed at this because they are right. OS X makes just as good as a zombie as a Windows XP machine. Heres something to think about. Maybe someone can answer this. If Windows is so insecure and such a crappy OS then why is it Mac users have built in the functionality to run the OS via bootcamp on their machines? I know they want all the juicy software that people develop for Microsoft OS's (A good perk to having a majority marketshare) But are they willing to get themselves all the infections and worms/virii/malware/spyware/scareware that they are allegedly trying to stay away from hence their use of the Mac just to be able to play a PC game? Why hasn't Mac found a way to run Windows software natively on its own? Why include the alleged insecure unsafe OS that is Windows? Why not just figure out a way to execute the same code on a OS X machine instead of having to include the nasty bugger Windows XP??? I wonder this alot. Because if Mac's are so secure and can't allegedly get virii and malware then they should be able to have the potential to run all the software that PCs cane run via a pretty complex emulator or something of that nature without having to worry about their OS dying. I'm just thinking that Apple should have found a way to do this by now. Yes I understand the architecture of the Windows software and OS X are way different. But I know with the use of WINE on Linux machines you can emulate a environment to run windows based apps, and with the mass amounts of cash that Apple pulles in from iTunes sales, iPods, iPhones, iMacs & Macbooks all combines that they would be able to put their software engineers to work and come up with something far better than WINE. Well I'm tired and done and going back to cleaning the mess that is my room. And for the record I do not have any AV installed on any of my machines. Good AV programs usually take a small hit to computer performance that I do not want. Once in a while I'll install something and do a scan and find that my computer is squeaky clean. Then I get rid of the crap and go about my ways. So look I can be just as Naive as a Mac user with the whole don't need AV piece..........maybe this means I should switch to Apple products............ If only they were within my price range........ and only if they weren't so fruity lookin ;)
[/RANT]

Worry causes illness, severe in some cases, and where anti virus companies have failed to scare Mac users in the way they have traumatized MS Windows users, the health and work level of the Mac users benefits. The amount of time many Windows users spend on trying to de-louse Windows and tweak and optimize and reinstall... is almost a full time job with some of them. Also, up until relatively recently, MS Office was expensive and routinely pirated with cracks and hacks, just as was Windows where people tried to bypass activation. You don't active Apple OS X and the office suites of iWork and iLife have always been cheap, iLife is included with new Macs and has been for some time. Kids would install hacks on the family computer to circumvent games protection, and so on and so on and so on and

I agree, Apple are infuriating and need to stop being complacent and get their act together but the MS platform, thanks to some of its users and abusers in the family unit, feels vastly less safe.

Yeah thats why Miller owns and works on a mac LOL
BTW for this few seconds break in OSX, he spent at least a month searching on how to... before the event... :)
This article is just a hit counter...

Wow, a flame war between official software developers.
@Brandon: Seriously man, leave them alone. If you're really dignified as you say you are you'd let these people say whatever they want, your position at Microsoft was enough to give you strong credibility. I find it a privilege to see someone who worked on such component on the infamous operating system speak, but I find it condescending that someone of your caliber would argue with these buffoons. I myself have been developing for years as a hobby and never by trade in comparison to you, but I felt that it was natural to me to give advice to a fellow developer when they are unnecessarily infuriating themselves.

So Mac's greatest security feature is how little people use it around the world? Pretty smart if you ask me.

splur said,
So Mac's greatest security feature is how little people use it around the world? Pretty smart if you ask me.


Sadly, Windows NT 3.x to 4.0 in the mid/early 90s was on the same level, as it wasn't affect by Win 3.x or Win9x viruses. People only ran Anti-Virus software on NT 4.0 Servers for the Win9X clients, not the NT 4.0 server itself.

And when NT went mainstream with Windows XP, this notion fell and fell hard, to where MS stopped all development to focus on security and security policies resulting in Server 2003 and SP2 of XP.

(NT in theory has a much more complex security OS model, as even trusted kernel processes still must obtain security permission and get a token allowing the thread to run. Add in the full Object nature of the security system and the ACLs and other features that have been in NT from the begining gave it security advantages over even OS models like OpenBSD. That still didn't stop the XP fall when it went mainstream replacing Win9X.)

Here is a good analogy.

There is 1 bank that hold 50 billion dollars and another bank that holds 100 dollars. Which one will get more attempted robberies?


Market share plays a huge roll in viruses.

Those who say windows is unsafe, its only as unsafe as the user who uses it. If youre stupid enough to run a virus, doesn't matter what system you are on, it will get you.

Chances are, they'd still go after the 50 billion dollar bank even if it's security was many times (500 million times?) better than the 100 dollar bank

I know this post is long, but after reading the very generalized and highly opinionated comments. I felt it was my duty to point out some actual facts.

One thing I don’t see anyone talking about when arguments over which OS is more secure, stable, faster, etc is “Is the OS more or less secure by itself, or after you have installed 10 or more applications on it?”
An article came out a few years ago which made a claim that Windows Server was more stable and had more uptime that a Linux Server. This article was obviously attacked due to the fact that Windows critical updates alone cause more downtime than Linux requires. The humorous statement alone that “if you install Windows and no other applications, and put that box in a corner and leave it alone for a whole year and perform NO patches and so on….Then yes, Windows would be better”…..But lets be real….Who is going to use that Windows box in that way….No one…..This “independent” article from a while back was later found to be sponsored by…..Microsoft.

To my point of this argument…..Windows installed by itself, with no applications installed and all critical updates applied and completely left alone…Yes, it could be more secure than MAC OSX….or hell, even Linux or UNIX flavors….BUT……Who is going to build a computer/server that has no application purpose.

So then we are forced to look at how well an OS can maintain its security when applications are installed and what happens when you put that OS in a REAL WORLD scenario…..OSX has for years kept the entire OS system files in a read only mode…Applications do not have write access to any system files…Windows cannot say this….Ever herd the “Registry or Windows system file sharing”. Microsoft themselves said back when Vista was being developed…
”We tried to get rid of the registry and lock down the system files to a more “READ ONLY” like security structure…However, due to the thousands of applications made for the Windows platform we are forced to conclude that this is simply not possible as it would require every Windows application to be re-written which would bankrupt the software world”.

Case and point….When you start to install Windows applications that REQUIRE access to the system32 and system folder and the dllcache directory and the system registry, etc, etc, etc….You will degrade Windows security and be at the mercy of the developer who created your application, which is why 99 percent of Windows apps require admin level control of Windows. OSX does not have this problem and NO apps run as root. Steve Jobs is a Software Nazi (Joking) who has so much control over OSX applications…And no OSX application will ever be allowed to have a dependency on OSX system files….The application must be able to run from its own home directory, so if it tanks….it affects only itself….I can copy the Office 2008 folder or any other app folder from my mac to another mac and it will run with no install….everything it needs is in that folder….Let’s see Windows do that….

RSA Security and Symantec attacked Microsoft at the same time asking about UAC (User Access Control, some called it User authentication Control). The question was asked….

”IF UAC will be Windows only way to control access to the system files and has the ability to be turned off by the user, after authenticating….What would stop an application from being installed with a virus and disabling UAC”

Microsoft’s response…

”Nothing”

And how many people get tired of UAC and just disable it? So then what do you have….the same old Windows 2000 and XP security that will be degraded after each application you install.….

OSX Security (like it or not) will not change unless you tamper with the READ ONLY system files. Maybe that’s why Snow Leopard has no changes…????

To people that say “When mac has more market share it will have the same Windows problems”……Umm….Maybe you should look under the hood before saying that….

Intel008 said
So then we are forced to look at how well an OS can maintain its security when applications are installed and what happens when you put that OS in a REAL WORLD scenario…..OSX has for years kept the entire OS system files in a read only mode…Applications do not have write access to any system files…Windows cannot say this….Ever herd the “Registry or Windows system file sharing”. Microsoft themselves said back when Vista was being developed…
”We tried to get rid of the registry and lock down the system files to a more “READ ONLY” like security structure…However, due to the thousands of applications made for the Windows platform we are forced to conclude that this is simply not possible as it would require every Windows application to be re-written which would bankrupt the software world”.

Case and point….When you start to install Windows applications that REQUIRE access to the system32 and system folder and the dllcache directory and the system registry, etc, etc, etc….You will degrade Windows security and be at the mercy of the developer who created your application, which is why 99 percent of Windows apps require admin level control of Windows.



This is where I have to stop your stupidity...

First OS X system files are not Read Only.

Second, giving an application 'permission' to install on your system does not allow them to change or mess with most of the Windows core.

This is where knowledge is lost on a lot of people.

In Vista specifically, when an applications tries to modify files in the System folders or tries to modify parts of the registry, the OS does not allow this.

Instead Vista virtualizes the application, so it lets the developer 'pretend' he is putting crap in the system folder or modifying crap, and then the application when ran in the future uses the virtualized settings and files that are not 'actually' modify on the system or registry in a virtualization cache.

Try it, write a program or installer that messes with Vista or Win7 System files, and you will find your application changes in a virtualized folder set aside safe from the system and other applications.

This is just ONE security technology in Vista that people apparently don't have a clue is even there because it works so well. It is also a technology that OS X and other OSes have no equivalent, and on OS X if given root access the installing application can do far more damage to the system itself.

If you want to really argue security, how about 'code quality' and Since 2004, pretty much everything Microsoft has been putting out has been through a massive shift in security consideration and new compiler technologies beyond just things like ASLR and DEP.

In contrast Apple just released Snow Lepoard and within a week had a few hundred MB of updates, over 35 - many of the MAJOR security holes. This type of 'code' couldn't have been even compiled or got to a shipping product at Microsoft due to the development security policies.

Win7, RTMed at the end of July, there is still no security updates for it, and no known security flaws, just to contrast Snow Leopard...

Really, fact check your reality or rants, there is a lot of things you don't understand.

Intel008 said,
I know this post is long, but after reading the very generalized and highly opinionated comments. I felt it was my duty to point out some actual facts.

One thing I don’t see anyone talking about when arguments over which OS is more secure, stable, faster, etc is “Is the OS more or less secure by itself, or after you have installed 10 or more applications on it?”
An article came out a few years ago which made a claim that Windows Server was more stable and had more uptime that a Linux Server. This article was obviously attacked due to the fact that Windows critical updates alone cause more downtime than Linux requires. The humorous statement alone that “if you install Windows and no other applications, and put that box in a corner and leave it alone for a whole year and perform NO patches and so on….Then yes, Windows would be better”…..But lets be real….Who is going to use that Windows box in that way….No one…..


Ah, the "I know you are but what am I" defense. You have this backward. It's the Linux folks that always say "vulnerabilities in applications or runtimes (Apache, PHP, MySQL, etc) don't count as Linux vulnerabilities." On the other hand, the top server applications for Windows Server (IIS, SQL Server) have way, way better security track records than their Linux equivalents.

http://secunia.com/advisories/product/17543/?task=advisories

http://secunia.com/advisories/product/9633/?task=advisories

This “independent” article from a while back was later found to be sponsored by…..Microsoft.


Source?

To my point of this argument…..Windows installed by itself, with no applications installed and all critical updates applied and completely left alone…Yes, it could be more secure than MAC OSX….or hell, even Linux or UNIX flavors….BUT……Who is going to build a computer/server that has no application purpose.


This is a straw man. Nobody ever suggested that Windows should be used without applications, nor was this configuration ever used to tout the security of Windows servers.

So then we are forced to look at how well an OS can maintain its security when applications are installed and what happens when you put that OS in a REAL WORLD scenario…..OSX has for years kept the entire OS system files in a read only mode…Applications do not have write access to any system files…Windows cannot say this….Ever herd the “Registry or Windows system file sharing”. Microsoft themselves said back when Vista was being developed…”We tried to get rid of the registry and lock down the system files to a more “READ ONLY” like security structure…However, due to the thousands of applications made for the Windows platform we are forced to conclude that this is simply not possible as it would require every Windows application to be re-written which would bankrupt the software world”.


You just made that up. Nothing in that paragraph is true. Users do not have write access to system directories on Windows. They never did. Even Administrators don't have write access by default on Vista or Win7 without elevating.

One of the key advantages of the registry is its security model. Users have read/write access only to their per-user hive, and have only read access to the system hive. It has always been this way. Unlike, say, Linux - Windows was built to be a multi-user operating system from the very beginning.

Case and point….When you start to install Windows applications that REQUIRE access to the system32 and system folder and the dllcache directory and the system registry, etc, etc, etc….You will degrade Windows security and be at the mercy of the developer who created your application, which is why 99 percent of Windows apps require admin level control of Windows. OSX does not have this problem and NO apps run as root. Steve Jobs is a Software Nazi (Joking) who has so much control over OSX applications…And no OSX application will ever be allowed to have a dependency on OSX system files….The application must be able to run from its own home directory, so if it tanks….it affects only itself….I can copy the Office 2008 folder or any other app folder from my mac to another mac and it will run with no install….everything it needs is in that folder….Let’s see Windows do that….


Apps on Windows do not run as root. Most installers require admin privileges because this is how managed environments control who can and can't install software, and because admin privileges are required to register per-machine shared libraries, per-machine association handlers (like file extension / MIME type handlers, etc), and so on. But lots of applications can install per-user as well, or only install per-user (like Google Chrome) and don't ever require admin privileges to install.

Every OS X application ever has dependencies on system files. You clearly have no clue what you're talking about since that statement makes no sense at all. Further, applications on OS X frequently requires root privileges in order to install (like, say, Firefox, VMWare, Quicksilver, etc). In fact, one big gap in the OS X security model is that every installation asks the user for their password without a Secure Attention Sequence, meaning that it's trivial to steal a Mac user's password.

RSA Security and Symantec attacked Microsoft at the same time asking about UAC (User Access Control, some called it User authentication Control). The question was asked….

”IF UAC will be Windows only way to control access to the system files and has the ability to be turned off by the user, after authenticating….What would stop an application from being installed with a virus and disabling UAC”

Microsoft’s response…

”Nothing”


Ugh. Wrong again.

UAC = User Account Control.
UAC doesn't control access to system files. ACLs do that.
Applications can't turn off UAC without already having admin privileges.

And how many people get tired of UAC and just disable it? So then what do you have….the same old Windows 2000 and XP security that will be degraded after each application you install.….


Wrong again. UAC is one of many security technologies introduced in Vista. Besides that, very few users disable it.

OSX Security (like it or not) will not change unless you tamper with the READ ONLY system files. Maybe that’s why Snow Leopard has no changes…????


Security on Snow Leopard is a joke. There's no ASLR, no SAS or UIPI. NX support still isn't as good as Windows. BOTH systems grant read-only access to system files by default.

To people that say “When mac has more market share it will have the same Windows problems”……Umm….Maybe you should look under the hood before saying that….


Umm, they have. They've seen that Windows is constantly attacked despite the far greater barrier to entry for attackers. Every security researcher says that Macs are trivial to exploit. So the explanation for the relative lack of attacks against Macs clearly isn't a matter of difficulty, but rather a lack of incentive.

Intel008 said,
”We tried to get rid of the registry and lock down the system files to a more “READ ONLY” like security structure…However, due to the thousands of applications made for the Windows platform we are forced to conclude that this is simply not possible as it would require every Windows application to be re-written which would bankrupt the software world”.
You're going to have to provide a source on this, since it doesn't fit in with what Microsoft ever tried to do with Vista, nor does it sound like a Microsoft comment (especially the "bankrupt the software world" portion).

Dude, I have read your response and all I can say is....Someone is in the dark and obviously has no enterprise experience. Hintâ€Â¦its not meâ€Â¦.. I am not going to have a "who's is bigger than who's" argument with you....But I personally work with large corporate software vendors and one of our biggest issues when deploying new software is telling software vendors that they cannot be installed with admin privileges and they cannot run their applications from the registry with global admin rightsâ€Â¦.this forces them to go back and re-write their installers to use a lower priv service account and call out the specific reg entries the app needs access to. Any systems files the app needs access to the install must list those files and be given specific read/write access to those files. I have done this hundreds of times. So I don’t need to be told by you that Windows apps don’t requires sys file read/write access, and I am sure that any Microsoft .Net software developer would argue this with you as wellâ€Â¦..have you ever packaged/compiled an app beforeâ€Â¦I am guessing notâ€Â¦.otherwise you would not say the things you saidâ€Â¦.

You are clearly a Windows bias person and will stand by your man “Windows” just like a women who gets beat by her man and is too afraid to accept reality that its time to leave himâ€Â¦..

I like OSX very muchâ€Â¦.I have VMware running a Windows 7 for the hundreds of apps I can't use in OSXâ€Â¦All OS’s have their pro’s and cons, but if we are really going to focus on securityâ€Â¦.then Windows is and has been at the back of the the line for some timeâ€Â¦

OHâ€Â¦..And that comment you made about IIS being far better than non-Microsoft Web Servicesâ€Â¦..DUDEâ€Â¦.You just confirmed you have no idea what you are talking aboutâ€Â¦..the only reason IIS is still used on the “INTRANET” of corp networks is due to .Net Framework appsâ€Â¦Its cool, people like the functionality and so onâ€Â¦..Howeverâ€Â¦.I will gamble with you right now and challenge you to call the fortune 100 corps of America and ask them what web servers are sitting on their DMZ’s (that’s for public facing servers if you didn’t know)â€Â¦.IIS is NOT ALLOWED in the DMZ for MOST of these corpsâ€Â¦.It has been hacked too many times and has proven to be non-trust-worthy for public facing sites. America Express was de-faced about 5-6 years agoâ€Â¦.running IISâ€Â¦..AMEX does not allow IIS in their DMZ anymoreâ€Â¦its all “something elseӉ€Â¦The same can be said for most of the banking and semi-conductor corps that I have personally worked for and other large corps that have SOME of the best and smartest people working for them.

You need to go read some books before you respond again.....

I was going to point out the ridiculous amount of flaws and innacuracies within this supposed "fact based" post, but I see that I don't have to. Kudos, Brandon.

Intel008 said,
Dude, I have read your response and all I can say is....Someone is in the dark and obviously has no enterprise experience. Hintâ€Â¦its not meâ€Â¦.. I am not going to have a "who's is bigger than who's" argument with you....But I personally work with large corporate software vendors and one of our biggest issues when deploying new software is telling software vendors that they cannot be installed with admin privileges and they cannot run their applications from the registry with global admin rightsâ€Â¦.this forces them to go back and re-write their installers to use a lower priv service account and call out the specific reg entries the app needs access to. Any systems files the app needs access to the install must list those files and be given specific read/write access to those files. I have done this hundreds of times. So I don’t need to be told by you that Windows apps don’t requires sys file read/write access, and I am sure that any Microsoft .Net software developer would argue this with you as wellâ€Â¦..have you ever packaged/compiled an app beforeâ€Â¦I am guessing notâ€Â¦.otherwise you would not say the things you saidâ€Â¦.


I am a developer on the Windows shell team. I am intimately familiar with the Windows application model, and have released several applications independently of my work at MS (including Start++ among others).

Applications on Windows don't write to system file locations. If needed, shared libraries are installed by the Fusion APIs into the Side-By-Side assembly cache (WinSxS) or the GAC (for .NET stuff).

I'm quite confused about your "enterprise experience." Enterprise admins deploy software to managed desktops, they don't have users install them. Nobody should ever be changing registry ACLs or system file ACLs. Basically, none of what you said makes any sense at all.

You are clearly a Windows bias person and will stand by your man “Windows” just like a women who gets beat by her man and is too afraid to accept reality that its time to leave himâ€Â¦


Umm, what?

I like OSX very muchâ€Â¦.I have VMware running a Windows 7 for the hundreds of apps I can't use in OSXâ€Â¦All OS’s have their pro’s and cons, but if we are really going to focus on securityâ€Â¦.then Windows is and has been at the back of the the line for some timeâ€Â¦


No, it's an industry leader. Software development firms around the world look to Windows in defining their secure development practices. The "Secure Development Lifecycle" that originated from Microsoft has been adopted by a lot of ISVs, and I'd be surprised if several competitors (possibly including Apple) haven't integrated at least part of it into their process. They'd be very unwise to ignore it.

OHâ€Â¦..And that comment you made about IIS being far better than non-Microsoft Web Servicesâ€Â¦..DUDEâ€Â¦.You just confirmed you have no idea what you are talking aboutâ€Â¦..the only reason IIS is still used on the “INTRANET” of corp networks is due to .Net Framework appsâ€Â¦Its cool, people like the functionality and so onâ€Â¦..


IIS has little or nothing to do with any .NET technology. It's a web server, and by far the most trusted one, given its impeccable track record.

Howeverâ€Â¦.I will gamble with you right now and challenge you to call the fortune 100 corps of America and ask them what web servers are sitting on their DMZ’s (that’s for public facing servers if you didn’t know)â€Â¦.IIS is NOT ALLOWED in the DMZ for MOST of these corpsâ€Â¦.It has been hacked too many times and has proven to be non-trust-worthy for public facing sites. America Express was de-faced about 5-6 years agoâ€Â¦.running IISâ€Â¦..AMEX does not allow IIS in their DMZ anymoreâ€Â¦its all “something elseӉ€Â¦The same can be said for most of the banking and semi-conductor corps that I have personally worked for and other large corps that have SOME of the best and smartest people working for them.


IIS had 8 vulnerabilities since 2003, ZERO of which were rated "highly" or "extremely" critical, and only four rated at "moderate" which means they're at worst DoS attacks, all of which were in optional off-by-default components.

Apache has had 26 in the same time period, including 2 "highly critical" (remote code execution) and 10 "moderate" vulnerabilities.

How do you explain that? Not a SINGLE reported remote code execution vulnerability against IIS. Not even one. In 6+ years. Seriously, how are you arguing against that?

American Express is using IIS on at least three of their websites:
http://searchdns.netcraft.com/?position=li...icanexpress.com

Although those are just public facing sites. Their on-premise extranets are much more likely to be IIS.

Intel and AMD both use IIS:
http://searchdns.netcraft.com/?position=li...&host=intel.com
http://searchdns.netcraft.com/?restriction...osition=limited

Look at the top uptimes for webservers tracked by netcraft:
http://uptime.netcraft.com/up/today/top.avg.html

Out of the top 50, only ONE is running Apache! All of the rest are Windows Servers!

You need to go read some books before you respond again.....


Somehow, I don't think that's necessary...

+1 for all Brandons thoughts.
The thing that scares me with a lot of these *factual* posts are that these mac users will just click blindly on installs etc because they believe they are secure. Because so little run AV there will be little chance for them to find out they have a problem. Once a mac virus gets out its going to be very hard to change the idealogies and beliefs of the faithfull.
The user is always the weakest point in ANY os and if you dont expect a virus its the last thing you will check out when you experience issues. Windows users know they can get viruses etc and due to that are more dillegant when they experience issues on windows instantly checking for viruses etc just in case but a mac believer would not.
Please mac users wake up before you all get caught out which WILL happen eventually, just ask yourself if your prepared for it...
Social engineering for virsus and malware is one of the EASIEST ways get the crud installed/ran but at least windows users might expect it.
Also I do run a large network and the users NEVER install software, they simply are blocked doing it. We centrally deploy it after testing/licensing etc and because users never have admin rights (XP clients btw) it helps reduce the risk viruses can pose via the social engineering approach for malware etc.

Also my earlier thoughts still apply:

The thing that makes me laugh is the fact that people rabbit on about how insecure windows is but mac % has not *really* increased/changed that much on the desktop market even though the stupid ads try to shove this fact.
The truth is even if macs have less viruses/blah blah/etc/design blah blah people would rather have viruses and use windows then be stuck with mac prices/osx, yeh thats success, FAIL!
And whats makes me laugh further is the fact most mac users install windows on vm/bootcamp anyway as they need windows too! and thats a feature of the mac osx, yeh go out and buy windows anyway as we know you really need/want it.

Brandon Live said,
Unlike, say, Linux - Windows was built to be a multi-user operating system from the very beginning.

Uhh... what?

ichi said,
Uhh... what?


I'm pretty sure Linux was originally a single-user OS (though I can't find a reputable reference at the moment). Windows NT was multi-user from the very first release.

Absolutely agree, if hackers had bothered focusing on Macs in the past ten-fifteen years like they have with Windows machines the security issues would be the exact same that people claim against Microsoft.

Oh great. Now Apple has to scrap their advertising campaign. Either that or get sued for false advertising.

bob_c_b said,
I love how you guys still hide behind the low marketshare argument, you guys are hilarious.

That's not an argument, it's a response (to explain why macs get less viruses, which is the argument that the mac fans still hide behind).
It sounds like you're not even seeing the argument in this article.

Beaux said,
That's not an argument, it's a response (to explain why macs get less viruses, which is the argument that the mac fans still hide behind).
It sounds like you're not even seeing the argument in this article.


But it's an argument/response with nothing to support it but conjecture. You can't really use the marketshare point as your only leg to stand on when people were attacking FireFox when it had far fewer users. There are millions of Macs in use, and if I follow the classic logic that Mac users are stupid and have too much money, then we make the best targets for exploits. I'm not saying he Mac is impervious, but clearly it's hardened enough to keep most threats out and it must be just difficult enough to exploit that it is cost prohobiitive.

So as I said, these kind of threads are hilarious, made up moslty of home users/enthusiast trying to sound knowledable and IT guys clinging to their current platform. I've been in IT for 13+ years and there is nothing funnier than someone posting how Windows is clearly the most secure OS. Like I said... hilarious.

Every few months the security experts come along and say the Mac is at risk, and as the market grows so does the risk. But the market has grown steadily for the last several years and we still aren't seeing rampant exploits. I see what this article is, a so called security "expert" grabbing some headlines and hit count, nothing more.

bob_c_b said,
I love how you guys still hide behind the low marketshare argument, you guys are hilarious.

Not as hilarious as your inability to read the article;

In the end, Miller agreed that hackers' disinterest in Mac OS X comes down to numbers rather than the security measures that Apple adds to the operating system. "It's harder to write exploits for Windows than the Mac," Miller said, "but all you see are Windows exploits. That's because if [the hacker] can hit 90% of the machines out there, that's all he's gonna do. It's not worth him nearly doubling his work just to get that last 10%."

So, the guy that famously trashed an Apple in seconds, two years running, uses the same argument. You gonna tell him he's wrong too, Mr. Random Forum Fanboy?

Oh, I see. You've been in a field for 13 "plus" years and therefore your opinion is more valid than everyone else's because everyone else is just a "home user enthusiast". You have no idea what sort of education/experience Neowin collectively brings to the table but I'm sure it beats out your 13 years many times over.

Or do you have to dismiss any neagtive claim against Apple because you have a bias against Microsoft? That hasn't become painfully obvious in your postings at all.

bob_c_b said,
There are millions of Macs in use,

I asked 10000000 people if they want to get $100 or $900. Strangely all 10000000 said they want $900.

I'm about 90% certain that you intended to trash the marketshare argument, yet mentioned something (your own opinion) that validated it.

Mega Goatlord said,
So, the guy that famously trashed an Apple in seconds, two years running, uses the same argument. You gonna tell him he's wrong too, Mr. Random Forum Fanboy?

The guy owns and works on a mac! So he prepared the exploit months before the event LOL + the price was good cash + macbook...

A combination of low market share and generally non-tech savvy users has made the Mac OS relatively safe in terms of software security. As for Windows, it's a different story. Unparallelled market share and popularity combined with exposure to many, many people made Windows a secure yet unsafe OS. For now, Mac users are safe but that may change in the future.

Jugalator said,
LOL, I'm not even going to start reading this comment thread of trolls. :D

why not? Not exactly a cat fight, but it is still quite fun!

you are right but how can you not enjoy the writings of cakesy when he is in full blown spin doctor/troll mode always an entertaining read

Well,...
As a Switched from PC to Mac user, I can say:

Yes windows maybe more secure because its often attacked. its a relative issue.
But at the moment if Mac is less secure than windows, I Don'T Care!! as long as i have the peace of mind!
and probably Apple knows that too and knows that their market share is not that big to be concerned..

So be sure that when the market share increases and calls for it, Apple will improve security according to the threats available, and maybe smarter than microsoft too, and maybe not!

So for me, I am pretty happy using OSX and I know Apple is doing the right think not wasting their time on this issue and focusing more on Innovation!

So don't worry for us... we are happy with our "little" market share and current security level.

And I have to thank all the trolls here: you have been amusing me every night i check here before going to bed with a good smile on my face for seeing you that much pi*ss*ed off to be able to keep up trolling while updating your anti-viruses!.

good night

I'm glad it required a new platform and new software in order to give you piece of mind. All it required of me is a $100 router and a few anti-virus licenses.

People like you are the bread and butter of Apple. Ignorance truly is bliss.

I hope that thought keeps you warm at night, when an exploit is available and everyone like you gets raped by it due to your arrogant and smug attitude to security

Pink Waters said,
But at the moment if Mac is less secure than windows, I Don'T Care!! as long as i have the peace of mind!

I'm glad that I've changed platform because it gave me the chance to try OSX, and I liked it better than windows.

Yeah. Like getting the best bl****b in your life from a w***e with AIDS.

Pink Waters said,
And I have to thank all the trolls here: you have been amusing me every night i check here before going to bed with a good smile on my face for seeing you that much pi*ss*ed off to be able to keep up trolling

Yeah I like it too, but it's getting boring. Seeing those Apple zombies behaving like Scientologists trying to defend their Master from some news article about a new multithousand Mac botnet...

RealFduch said,
Yeah. Like getting the best bl****b in your life from a w***e with AIDS.

Actually the correct way of saying it would be:

Like getting the best bl****b in your life from a woman with weak immunity to AIDS who does not have sex that much!

RealFduch said,
Yeah I like it too, but it's getting boring. Seeing those Apple zombies behaving like Scientologists trying to defend their Master from some news article about a new multithousand Mac botnet...

We are apple fanboys and you're microsoft fanboys too, and I don't have a problem with that to be honest. but what the problem for me is the usual scenario act that keeps played and how boring it has become:

certain specific news gets posted here that has the potential to start a flame war and windows users staying here waiting for the moment it gets posted to be the first to start pushing the rather "Stereotyped" buttons!..

And the only thing the proves my point is that question:
why the latest apple ad hasn't been posted here yet ? :)

So to sum my points up... the only boring thing here is: "Bias and Attitude" !

but all you see are Windows exploits. Thats because if [the hacker] can hit 90% of the machines out there, thats all hes gonna do. Its not worth him nearly doubling his work just to get that last 10%.

See?

uh, read properly. It doesn't mean it's almost twice as hard to write the exploit code for the Mac. What he means is that it's not worth writing the exploit again (duplicating the original) but for the Mac, just to hit 10% of the people. In fact it means it's easier, because it's not even doubling, just nearly doubling.

If you can get 90% with one piece of code, will you write another piece for another 10%? It's double the work and not worth the gain.

It doesn't seem hard to hack a mac. Considering what? the past three years they are the first to fall at pwn2own.

Funny though whenever something does hit the mac world it tends to be a epidemic.

I have to disagree with the advise Miller gives in the end... all you need is one successful attack to cause a lot of damage to your files and, even worse, cause identity theft. No web browser is safe, so having some form of protection on that front is better than nothing. Spending $50 on a year's worth of protection is better than getting ripped off of thousands from identity theft.

This is why I am one of the very few that has Antivirus installed on my Mac. As the saying goes, "Always be prepared."

I have seen way too many bad things online to be so ignorant to think that I am safe with ANY browser or OS.

Medfordite said,
This is why I am one of the very few that has Antivirus installed on my Mac. As the saying goes, "Always be prepared."

I have seen way too many bad things online to be so ignorant to think that I am safe with ANY browser or OS.

A winner is you

Medfordite said,
This is why I am one of the very few that has Antivirus installed on my Mac. As the saying goes, "Always be prepared."

I have seen way too many bad things online to be so ignorant to think that I am safe with ANY browser or OS.

That was the best answer/decision I have ever read from a Mac user!

The % of marketplace has always been the major factor. Its a simple fact that you target the largest part of the market. They have not even made much of a dent in the enterprise market as most admins think that apples security and patch policies are worthless. They dont admit faults and let you prepare in advance as well as always promoting the ideal of apple knows best dont ask questions.

The thing that makes me laugh is the fact that people rabbit on about how insecure windows is but mac % has not *really* increased/changed that much on the desktop market even though the stupid ads try to shove this fact.
The truth is even if macs have less viruses/blah blah/etc/design blah blah people would rather have viruses and use windows then be stuck with mac prices/osx, yeh thats success, FAIL!
And whats makes me laugh further is the fact most mac users install windows on vm/bootcamp anyway as they need windows too! and thats a feature of the mac osx, yeh go out and buy windows anyway as we know you really need/want it. is it windows users that are delusional?

I think Windows developed security faster and "stronger" than OS X because it's more widely attacked. Like the article said:

"but all you see are Windows exploits. That's because if [the hacker] can hit 90% of the machines out there, that's all he's gonna do. It's not worth him nearly doubling his work just to get that last 10%."

Since OS X isn't widely used, i think Apple hasn't worried much about full security on their OS. They include this new security feature and that one, but they're not worried about getting attacked yet i guess.

Maybe that's some of the new features in 10.7, since Snow Leopard seems to be the last transition to 64bit. I'm pretty sure they now have a pretty stable OS release so they just need to tune it up a little more and include new security features :)

at least, that's what i think.

Data Execution Prevention (DEP), a security feature built in to Windows Vista

I think they mean Windows XP SP2 which was a few years before Vista.

sphbecker said,
I think they mean Windows XP SP2 which was a few years before Vista.

but if i'm not mistaken it was there but not actually turned on until vista.

If I cook food once in the last ten years ... and the people I cooked for loved the food ...

and then my girlfriend cooked for 100 people in the last ten years, and 95 of them said they loved it, but 5 went down with food poisoning because of a bad ingredient she used that one time ...

does that make me a better cook? No. It means there's not been enough chance to get food poisoning from my cooking (and believe me you'd get it!)....

Same with Apple. The virus coders simply can't be bothered to do malware because there's just not enough people's system's to infect. hence the lack of viruses. Give it a few more percentage market share, and Apple will get a serious kick in the teeth.

We know you all wish this were true, but that doesn't make it so. There is no way you could prove this, so you are just talking s**t. If that makes you happy, go ahead.

Should macs have ASLR. Sure. Do they need it? No.

cakesy said,
We know you all wish this were true, but that doesn't make it so. There is no way you could prove this, so you are just talking s**t. If that makes you happy, go ahead.

Should macs have ASLR. Sure. Do they need it? No.

Hahaha...somebody is deeply hurt apparently!

cakesy you dont have a clue tbh, please run a network and come back then and less of the bait! you spammed this whole thread with your misguided illusions.
The nice thing is mac still have a crap % and its never really increasing much at all, even with all the windows blah blah blah people still choose it over running a mac, NOW THAT IS A FAIL!

cakesy said,
We know you all wish this were true, but that doesn't make it so. There is no way you could prove this, so you are just talking s**t. If that makes you happy, go ahead.

Should macs have ASLR. Sure. Do they need it? No.


Sort of like the way you keep repeating the same rubbish with a counter-argument of "no it's wrong derp", not matter how much you wish it were true, OS X IS less secure than Windows. You mererly hide behind market share, nothing more, nothing less.

There is countless amounts of evidence proving this from people with exponentially more experience and knowledge than you. You just seem to be in some sort of trauma denial-stage about this.

cakesy said,
Should macs have ASLR. Sure. Do they need it? No.

No one "needs" ASLR. No one "needs" to not get hacked.
Sure, there might be some losses in businesses or sad people from losing information, but they'll survive. They don't "need" it.
So, the "should" is all that matters.

cakesy said,
We know you all wish this were true, but that doesn't make it so. There is no way you could prove this, so you are just talking s**t. If that makes you happy, go ahead.

Should macs have ASLR. Sure. Do they need it? No.


At Pwn2Own Macs ALWAYS get exploited first, and the people when asked why they always target the mac replied with "Because it is the easiest to exploit"

There we go, I think we just showed who really talks crap here

Frank Fontaine said,
At Pwn2Own Macs ALWAYS get exploited first, and the people when asked why they always target the mac replied with "Because it is the easiest to exploit"

To be fair, Macs are also probably the piece of hardware most people would choose to take home from a pwn2own.

Wow... I fully believe that the only reason Apple doesn't have all sorts of issues with viruses is because of it's lack of market share... If it had more market share I think it would be brutal... I would kind of like to see that just to see Apple get off its high horse when it comes to Mac's being so secure... Time and time again security researchers say otherwise, and Apple still claims that it is without investing any time in making it more secure or fixing these issues that security experts find... It's disappointing...

M_Lyons10 said,
Wow... I fully believe that the only reason Apple doesn't have all sorts of issues with viruses is because of it's lack of market share... If it had more market share I think it would be brutal... I would kind of like to see that just to see Apple get off its high horse when it comes to Mac's being so secure... Time and time again security researchers say otherwise, and Apple still claims that it is without investing any time in making it more secure or fixing these issues that security experts find... It's disappointing...

There is only one sort of person, who makes the claims that Mac would be more vulnerable if it had more market share, and it ain't real security researchers (oh, maybe the ones being paid by a certain company in redmond).

cakesy said,
There is only one sort of person, who makes the claims that Mac would be more vulnerable if it had more market share, and it ain't real security researchers (oh, maybe the ones being paid by a certain company in redmond).

When does the F$F cut their checks?

cakesy said,
There is only one sort of person, who makes the claims that Mac would be more vulnerable if it had more market share, and it ain't real security researchers (oh, maybe the ones being paid by a certain company in redmond).

Umm or, you know, every security researcher ever.

cakesy said,
There is only one sort of person, who makes the claims that Mac would be more vulnerable if it had more market share, and it ain't real security researchers (oh, maybe the ones being paid by a certain company in redmond).


So when do you get your ca$h from $teve job$ then?

Oh look, I can use that tactic too!

...Waits for Master1 to comment... :P I'm messing wit u chill

I knew this from the start. I still remember Mac being the easiest to hack in that competition and Vista being the last. They are drifting too much towards marketing rather than more improvement, never settle for "good enough" and this is also a life lesson imo. Why race with a Toyota when you got Nissan? Why have a Pentium Dual Core when you can get Core 2 Duo for a little more. Big differences between "good enough" and worthy.

In this case Macs have gotten the message out to people and this guy is saying its "good enough", wait for more to adopt Macs and like others have said it will go down unless Apple kicks it up a notch.

I'm not even kidding that I said the exact same thing to my friend today about the next 'Good Enough Revolution' that Apple would be starting!

Karo - 323z IT said,
...Waits for Master1 to comment... :P I'm messing wit u chill

I knew this from the start. I still remember Mac being the easiest to hack in that competition and Vista being the last. They are drifting too much towards marketing rather than more improvement, never settle for "good enough" and this is also a life lesson imo. Why race with a Toyota when you got Nissan? Why have a Pentium Dual Core when you can get Core 2 Duo for a little more. Big differences between "good enough" and worthy.

In this case Macs have gotten the message out to people and this guy is saying its "good enough", wait for more to adopt Macs and like others have said it will go down unless Apple kicks it up a notch.

hmm this is what I have been telling mr supposed it boy for a long time, but he wouldnt listen, apple merely doesnt get viruses due to the fact of its anemic market share, windows is much more secure, yet due to its immense popularity makes sense for hackers to try to target it, of course it always come down to how smart the user is, and what they decide to do =)

Don't start a flamewar here you already got a warning, you admittedly from AIM, are an Apple hater.

Anyways, this is also why I don't keep antivirus on my machines as that is just a waste of resources and for peace of mind. User stupidity will always cause problems, thanks for reminding me Master#1, you're not my master :P so thats why I didn't put it your way lmao.

no one is starting a flamewar, supposed IT man, its a shame that ure considered to be an IT person , and antivirus on any computer never hurt anyone, ure just supposed to use good antivirus, not crap =)

Please tell me how avast! antivirus is stupid? I myself don't use it because I am not as stupid as I used to be to go on to a fake site and plus Firefox and Chrome popup any downloads before I let them in or not.

Not that I'm condoning it but deep in the back of my mind, when I'm all alone, I sometimes wish someone would take the time to exploit mac OS. and I don't mean some little bitty worm. I mean a full blown, kick your ass virus. All the hapless people with no antivirus or protection. Oblivious to the cruel, harsh reality of exploits. Going along happily playing with thier dock when all of a sudden.WHAM! Bye bye files. Hello real world.
I'm not denying that macs have so far be void of any cruel virus's and kudos for them but, you know, deep down inside my mind......

Agree to that. It would completely nullify almost all of Apple's Mac vs PC ads, and take the smugness of some of the fans down a few pegs. Personally I actually feel very safe using Windows 7, more so than I would using a mac.

roadwarrior said,
OS X has been out for nearly a decade, and ever since then people have been saying the same thing. Still hasn't happened.


Windows XP has been out for nearly a decade... and in some ways... OS X is LESS secure. Fail.

Seriously, guys? You're willing to sacrifice millions of peoples' files, because some people on the Internet annoy you?

You shouldn't wish bad things on anyone. Just sayin'.

roadwarrior said,
OS X has been out for nearly a decade, and ever since then people have been saying the same thing. Still hasn't happened.

Exactly.

RAID 0 said,
Windows XP has been out for nearly a decade... and in some ways... OS X is LESS secure. Fail.

Except in the real world, were you get blaster infecting your windows machine within a minute of adding it to the internet. No such problems for Mac.

You guys are so smug, and you really have no reason to be. How can anyone say Windows is more secure, when there are so many exploits for it. Sure, it has more security measures, but that doesn't make it more secure.

simon360 said,
Seriously, guys? You're willing to sacrifice millions of peoples' files, because some people on the Internet annoy you?

You shouldn't wish bad things on anyone. Just sayin'.


What I want to see gone is not their files or data, just the smug attitude and the, "MY computer can't get a virus! Your PC sucks." I swear I've had someone say this to me, when my hardware FAR out-classed his. I just laughed and smiled and told him I play games. "Oh well... yeah... games... PC."

If you're into PC gaming, that is the end-all-be-all way to stop someone preaching Mac. There is no retort.

cakesy said,
Except in the real world, were you get blaster infecting your windows machine within a minute of adding it to the internet. No such problems for Mac.

You guys are so smug, and you really have no reason to be. How can anyone say Windows is more secure, when there are so many exploits for it. Sure, it has more security measures, but that doesn't make it more secure.


The Windows OS is more secure, you just have a greater chance of being attacked. It would be analogous to driving an unmarked hummer vs. driving a humvee with a US Flag on it around Fallujah. I think anyone would say that the humvee is more secure, but you are going to get blown up eventually. You're less likely to get blown up in your hummer because no one's paying attention to you while the stars and stripes are being paraded around, even though it would be much easier to take you out.

simon360 said,
Seriously, guys? You're willing to sacrifice millions of peoples' files, because some people on the Internet annoy you?

You shouldn't wish bad things on anyone. Just sayin'.


Exactly. Karma's a female dog... best one doesn't wish harm on others. This goes for both camps, PC and Mac.

cakesy said,
Except in the real world, were you get blaster infecting your windows machine within a minute of adding it to the internet. No such problems for Mac.

You guys are so smug, and you really have no reason to be. How can anyone say Windows is more secure, when there are so many exploits for it. Sure, it has more security measures, but that doesn't make it more secure.


As Brandon said, Windows is not SAFER, but it is more SECURE from an engineering standpoint. That means it is technically harder to exploit Windows, and in order to do so you really have to know your code. Not so much for Mac. This should really concern Mac users, because there may be a time when Mac is not a niche.

roadwarrior said,
OS X has been out for nearly a decade, and ever since then people have been saying the same thing. Still hasn't happened.

Their market share hasn't increased all that much in 10 years either. Why waste time on a relatively insignificant number of users?

cakesy said,
Except in the real world, were you get blaster infecting your windows machine within a minute of adding it to the internet. No such problems for Mac.

You guys are so smug, and you really have no reason to be. How can anyone say Windows is more secure, when there are so many exploits for it. Sure, it has more security measures, but that doesn't make it more secure.


yeah, don't know, never had blaster. Maybe another thing that you are pulling out of your ass?

simon360 said,
You're willing to sacrifice millions of peoples' files, because some people on the Internet annoy you?


Absolutely, yes.

simon360 said,
You're willing to sacrifice millions of peoples' files, because some people on the Internet annoy you?

It would be their own fault for not using an anti-virus programme.
You could probably port some of the early windows viruses over to Mac with very little change to them because they're so far behind on the security side of things.

iamwhoiam said,
Their market share hasn't increased all that much in 10 years either. Why waste time on a relatively insignificant number of users?

It just takes a guy as bitter as those posting above + the expertise to fulfil his wetdream.
But as noted above, it hasn't happened (yet).

Maybe sore feelings and computer proficiency are not compatible.

roadwarrior said,
OS X has been out for nearly a decade, and ever since then people have been saying the same thing. Still hasn't happened.

Yep, there are none. XP continues to get pwned. Vista continues to get pwned. The softies continue to live in their fantasy world regurgitating the same old Microsoft propaganda.

pc_tool said,
Yep, there are none. XP continues to get pwned. Vista continues to get pwned. The softies continue to live in their fantasy world regurgitating the same old Microsoft propaganda.


Speaking of propaganda...

What are you referring to? When has there been a substantial attack against Vista machines (or even XP SP2 for that matter)?

simon360 said,
Seriously, guys? You're willing to sacrifice millions of peoples' files, because some people on the Internet annoy you?

You shouldn't wish bad things on anyone. Just sayin'.


I don't necessarily want people to lose data I just want to see OSX get exploited in a serious way.

speedstr3789 said,
Not that I'm condoning it but deep in the back of my mind, when I'm all alone, I sometimes wish someone would take the time to exploit mac OS. and I don't mean some little bitty worm. I mean a full blown, kick your ass virus. All the hapless people with no antivirus or protection. Oblivious to the cruel, harsh reality of exploits. Going along happily playing with thier dock when all of a sudden.WHAM! Bye bye files. Hello real world.
I'm not denying that macs have so far be void of any cruel virus's and kudos for them but, you know, deep down inside my mind......

The thing is.. there already Mac botnets. Thousands active trojan infested Mac being controlled by hackers. But Apple users have some device implanted in thir heads that restricts any thoughts about Apple flaws.

Brandon Live said,
Speaking of propaganda...

What are you referring to? When has there been a substantial attack against Vista machines (or even XP SP2 for that matter)?

LOL. Why speak if you have no idea what you are talking about? Hint: google "vista security flaws"

pc_tool said,


LOL. Why speak if you have no idea what you are talking about? Hint: google "vista security flaws"


That search yields no results referring to attacks against Vista machines. It only points to patched vulnerabilities and such, the exact same sort of content you get if you search for "OS X security flaws" on Google.

Yeah, I remember reading an article a while back that Windows is more secure but as of now, OSX is safer. That's due to the lack of viruses and malware, but we'll see in the next few years how that plays out.

Windows is more secure but as of now, OSX is safer

true... but as the article said, it's purely because almost no one uses mac's so it's not worth their time to attempt hacking a mac when damn near everyone has a Windows PC.

but if suddenly tomorrow mac's had half the market share or more then odds are there would be many issues and mac's security would be history and then we would say that Windows is actually more secure.

but i did like how you worded the stuff i quoted from you as that's a good way of putting it.

same old tired Microsoft propaganda. There are no viruses and the like for OSX simply because by default OSX is pretty darn secure. If OSX was so insecure as all the Microsoft drones/marketeers say, OSX would be getting exploited left and right. The fact is, it is not.


pc_tool said,
same old tired Microsoft propaganda. There are no viruses and the like for OSX simply because by default OSX is pretty darn secure. If OSX was so insecure as all the Microsoft drones/marketeers say, OSX would be getting exploited left and right. The fact is, it is not.

So, the guy that exploited a Mac within seconds, two years in a row, is a Microsoft drone now? Not to mention the guy that hacked Windows 7 was also able to exploit a Mac in seconds as well.

pc_tool said,
same old tired Microsoft propaganda. There are no viruses and the like for OSX simply because by default OSX is pretty darn secure. If OSX was so insecure as all the Microsoft drones/marketeers say, OSX would be getting exploited left and right. The fact is, it is not.


The Mac isn't exploited because it's simply not worth the effort to the hackers to BOTHER. You can't build much of a botnet with such a miniscule market.

pc_tool said,
same old tired Microsoft propaganda. There are no viruses and the like for OSX simply because by default OSX is pretty darn secure. If OSX was so insecure as all the Microsoft drones/marketeers say, OSX would be getting exploited left and right. The fact is, it is not.

Yeah but unless you are running an 8+ year old version of Windows, chances are you haven't been exploited either. I haven't seen a virus on one of my machines since maybe 2002 or so. Even that was just stupid browser hijacker stuff. Since upgrading to Vista I don't know a single person who has gotten a virus. I'm sure they exist but chances are it's because they are running old OSes or doing stupid things like running strange executables from p2p without the digital prophylactic of a free antivirus.

pc_tool said,
same old tired Microsoft propaganda. There are no viruses and the like for OSX simply because by default OSX is pretty darn secure. If OSX was so insecure as all the Microsoft drones/marketeers say, OSX would be getting exploited left and right. The fact is, it is not.

I asked 10000000 people if they want $100 or $900. Strangely not a single one said he wanted $100.

RealFduch said,
I asked 10000000 people if they want $100 or $900. Strangely not a single one said he wanted $100.

Apple to oranges comparison. Of course _no_ hacker would be interested in being _the_ guy who blew apart OSX security and pwned millions of machines.

Mega Goatlord said,
So, the guy that exploited a Mac within seconds, two years in a row, is a Microsoft drone now? Not to mention the guy that hacked Windows 7 was also able to exploit a Mac in seconds as well.

OSX was not exploited, Safari was. Safari is not part of the OS like IE is. Sorry, you fail.

pc_tool said,
OSX was not exploited, Safari was. Safari is not part of the OS like IE is. Sorry, you fail.


Safari is just as much as part of the OS as IE is. 100%, undeniably so.

Which is to say, they're both applications included with the OS (and both include reuseable components for HTML rendering, such as the Safari engine used by iTunes).

True, but Vista and Windows 7 have all those "Features" and all it takes is fo the bad guy to ask "Do you want to run this executable that appeared out of nowhere and then the moron says ok.

warwagon said,
True, but Vista and Windows 7 have all those "Features" and all it takes is fo the bad guy to ask "Do you want to run this executable that appeared out of nowhere and then the moron says ok.


Security is only as good as it's weakest point.... in this case the moron hehe

I doubt it will give Windows more marketshare but it might HOPEFULLY give Mac Fanboys something to think about when they start to blindly turn it around on Windows. "But, windows still gets more attacks..blah blah"..

ASLR isn't the final say in security, it is just one more step. And Microsoft implementation is far from perfect, it is still possible to get past this.


March 24, 2009 -

quote:Internet Explorer 8 "critical" flaw in final version

Microsoft confirmed that the vulnerability exists in the official release, said Terri Forslof, a researcher at TippingPoint, which sponsored the Pwn2Own contest that challenged competitors to find bugs in either web browsers or mobile devices

"This is a single-click-and-you're-owned exploit," she told SCMagazineUS.com on Tuesday. "You click a link in an email or simply browse to a website, and your machine is compromised. This meets Microsoft's 'critical' bar [in its vulnerabilities and rating system]."

The exploit apparently defies Microsoft's DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) technologies -- two features added to IE8 to prevent memory corruption vulnerabilities.

"Once the browser was compromised, we handed over the exploit to Microsoft immediately, on site," Forslof said. "They went back and reproduced it and called to verify that the vulnerability was present. We retested again on the released version of IE8 that went live on the following morning and verified that the vulnerability was in it as well."

http://www.dslreports.com/forum/r22125670-...8-Vulnerability

You do realise that as a windows app, after it is installed IE8 is added to the list of things updated by windows update and so flaws in the final version in March may already be patched making your quote out of date?

Read the link you posted - that vulnerability doesn't work against the final version of IE 8 on Vista SP1 or Windows 7, and does NOT defeat DEP and ASLR. It only works against XP (where ASLR isn't implemented).

Further, on Vista before it was fixed, it still didn't get you passed the Protected Mode sandbox... so you couldn't really do any damage to the user since your code would have read-only access to the filesystem and no ability to access anything outside of the IE tab.

I agree with him, if Macs became more widely used, there would be a lot of viruses, and it wouldn't end well. Although it would push Apple to improve their product, which is always a good thing.
*puts on flame suit*

Agreed. This has been common knowledge for years but the Mac fanboys will continue to tell you how much better their platform is. The arguements will come out of how they don't need anti-virus, blah blah blah. Well the day will come where the lack of AV will come and bite back. I'll be laughing all the way home!

People have been making your claim for nearly a decade now since OS X was released, and yet there are still only a handful of viruses or trojans that affect the system, and most of those are only proof-of-concept. Almost none of them are even capable of spreading themselves either, and NONE can bring down the system since they are only capable of affecting user files.

roadwarrior said,
People have been making your claim for nearly a decade now since OS X was released, and yet there are still only a handful of viruses or trojans that affect the system, and most of those are only proof-of-concept. Almost none of them are even capable of spreading themselves either, and NONE can bring down the system since they are only capable of affecting user files.

There have been endless EoP exploits published for the Mac, some completely trivial.

You are correct that for a decade people have said "if Macs get significant marketshare, they'll have more attacks." Those people are clearly right. Why hasn't there been an onslaught of attacks? Because there hasn't been a significant change in their marketshare!

Windows is clearly a more secure operating system, I don't think there's any doubt about that. It may not be safer, because it's a much bigger target. But technologically speaking, it left OS X behind long ago.

Brandon Live said,
Windows is clearly a more secure operating system, I don't think there's any doubt about that. It may not be safer, because it's a much bigger target. But technologically speaking, it left OS X behind long ago.

And in the end, after so much trouble, effort and money, where did it get Windows? Millions of users probably still find pretty easy ways to render all those advanced additional security measures useless by downloading and installing trojans, mallware etc. themselves.

roadwarrior said,
People have been making your claim for nearly a decade now since OS X was released, and yet there are still only a handful of viruses or trojans that affect the system, and most of those are only proof-of-concept. Almost none of them are even capable of spreading themselves either, and NONE can bring down the system since they are only capable of affecting user files.

So you are cool with a virus deleting all your files just as long as the OS doesn't take a hit? Anyway, all those same things could be said about Windows....in both cases the systems are vulnerable to stupid users choosing to run something and flaws in the code where the system does not work as designed (things that need to be patched) Apple has released its share of patches that fix major flaws too, the only difference is that no one has ever really exploited them in a big way like the Blaster over 6 years ago for example (which by the way was the last virus to be able to spread without user intervention, and even then only if someone had a computer over a month out dated).

I know, it can't be that Macs and Linux and BSD are more secure from the ground up. It has to be another reason, any other reason. Despite the fact that Window has more serious vulnerabilities, despite the fact that Microsoft hasn't taken security seriously until recently (which they have admitted), despite the fact that each version of Windows builds on an insecure release, and they keep adding in more and more security features to stem the flow, a mess that they created in the first place.

Mac have never automatically run stuff from USB sticks. Macs don't execute code from email so easily. Macs don't hide the type of a file. Macs don't have such a tightly integreated browser to the OS. ALL of these have been Windows decisions... yeah, they take security seriously.

Yes, Macs would be more secure with ASLR. They don't need it, because they have a range of security measures already. In fact the only OS in the world that does need this, is Windows, because it is so full of holes. Yes, Microsoft have been plugging these holes, and they have done a great job, but they wouldn't need to if they took security seriously in the first place.

ASLR was first invented in BSD, and then moved to Linux, and then moved to Microsoft, and one day soon, it will have moved to Mac OS X.

cakesy said,
Yes, Microsoft have been plugging these holes, and they have done a great job, but they wouldn't need to if they took security seriously in the first place.

Or maybe, just maybe, the operating system is extremely secure as a result of continuously patching crappy code.

Say what you want about UNIX's security and how Mac is secure because it's based on that. Mac was made by humans, and probably has just as many holes. It'll only be truly tested when a million hackers are interested in breaking it open.

cakesy said,
I know, it can't be that Macs and Linux and BSD are more secure from the ground up. It has to be another reason, any other reason. Despite the fact that Window has more serious vulnerabilities, despite the fact that Microsoft hasn't taken security seriously until recently (which they have admitted), despite the fact that each version of Windows builds on an insecure release, and they keep adding in more and more security features to stem the flow, a mess that they created in the first place.

Mac have never automatically run stuff from USB sticks. Macs don't execute code from email so easily. Macs don't hide the type of a file. Macs don't have such a tightly integreated browser to the OS. ALL of these have been Windows decisions... yeah, they take security seriously.

Yes, Macs would be more secure with ASLR. They don't need it, because they have a range of security measures already. In fact the only OS in the world that does need this, is Windows, because it is so full of holes. Yes, Microsoft have been plugging these holes, and they have done a great job, but they wouldn't need to if they took security seriously in the first place.

ASLR was first invented in BSD, and then moved to Linux, and then moved to Microsoft, and one day soon, it will have moved to Mac OS X.

Wow...your spin gland is in overdrive.

Look...the guy that -hacked- a Mac, two years in a row, within seconds, might...just might, know a bit more about this subject than...you. So, ASLR was invented on BSD, then moved to Linux...but the only OS that actually *needs* it...is Windows? If a Mac can be hacked in seconds, without it..?

Do you really believe all this crap you spew? Man, you even make LTD look good.

cakesy said,
I know, it can't be that Macs and Linux and BSD are more secure from the ground up. It has to be another reason, any other reason. Despite the fact that Window has more serious vulnerabilities, despite the fact that Microsoft hasn't taken security seriously until recently (which they have admitted), despite the fact that each version of Windows builds on an insecure release, and they keep adding in more and more security features to stem the flow, a mess that they created in the first place.

Your claims are false. Windows has fewer vulnerabilities, and less severe ones, and they're patched more quickly.

Microsoft has always taken security seriously, the design of Windows NT makes this very clear. However, the desktop ecosystem and exposure to internet-based attacks led to the need for a new approach to security that Microsoft began nearly a decade ago. Since then Microsoft has pioneered new technologies and practices, and is highly regarded as the industry leader in this area.

Mac have never automatically run stuff from USB sticks. Macs don't execute code from email so easily. Macs don't hide the type of a file. Macs don't have such a tightly integreated browser to the OS. ALL of these have been Windows decisions... yeah, they take security seriously.

Windows hasn't either... it provides a nice UI to let you know that a new drive was attached and lets you quickly access the most common tasks you're likely to perform. The Mac's lack of this functionality is often cited as a user experience failing. AutoRun allowed drives to add an application to the list of tasks, but users had to choose to run it. That functionality has since been removed (or rather, restricted to optical media) to avoid confusion and social engineering attacks.

Yes, Macs would be more secure with ASLR. They don't need it, because they have a range of security measures already. In fact the only OS in the world that does need this, is Windows, because it is so full of holes. Yes, Microsoft have been plugging these holes, and they have done a great job, but they wouldn't need to if they took security seriously in the first place.

ASLR was first invented in BSD, and then moved to Linux, and then moved to Microsoft, and one day soon, it will have moved to Mac OS X.

Full of holes? Did you even read the article? Or pay attention to anything said at any of the security conferences over the last few years? The Mac absolutely needs better security technology. How can you say that Windows is the only OS that needs ASLR if Macs are so vastly easier to attack? Are you saying Macs don't need it because nobody targets them? That could change at any time, and really isn't comforting to me as a user.

Brandon Live said,
The Mac's lack of this functionality is often cited as a user experience failing. AutoRun allowed drives to add an application to the list of tasks, but users had to choose to run it. That functionality has since been removed (or rather, restricted to optical media) to avoid confusion and social engineering attacks.

Others experience AutoRun windows like that as additional nagware to an OS that by default already floods the user with constant messages, dialogue windows, pop-up balloons and banners. Granted Micrsoft finally improved this in Windows 7.

Brandon Live said,
Windows hasn't either... it provides a nice UI to let you know that a new drive was attached and lets you quickly access the most common tasks you're likely to perform.

Hasn't either? Never?

Come on, until recently autorun did exactly that: autorun. You just needed an exe and an autorun.inf.

You don't see so many infected pendrives (with hidden autorun files) for no reason.
I've even seen pendrives that come out of the box with an app that adds a tray icon (for no apparent reason) as soon as you plug it.

ichi said,
Hasn't either? Never?

Come on, until recently autorun did exactly that: autorun. You just needed an exe and an autorun.inf.

You don't see so many infected pendrives (with hidden autorun files) for no reason.
I've even seen pendrives that come out of the box with an app that adds a tray icon (for no apparent reason) as soon as you plug it.

If by recently, you mean November of 2006, then sure, that's recent. Vista has always popped up the little dialog.

Mega Goatlord said,
If by recently, you mean November of 2006, then sure, that's recent. Vista has always popped up the little dialog.

Compared to "never" yeah, that's recent.

ichi said,
Compared to "never" yeah, that's recent.


I'm not aware of any time when Windows automatically ran the autorun executable from a USB drive, but it's been a very long time since I used XP. Are you sure you aren't thinking of CD drives?

ichi said,
Hasn't either? Never?

Come on, until recently autorun did exactly that: autorun. You just needed an exe and an autorun.inf.

Not on USB mass storage. Only on Optical storage. Only before Vista.
ichi said,
You don't see so many infected pendrives (with hidden autorun files) for no reason.

Think a bit. Look at those autorun.inf files. Look at its icon (icon section or .exe icon). Think! The icon is most probably a folder icon and the description is domething like "Open folder to view files". The file is not run automatically. It's user who clicks on the malware's icon in the Auto Play dialog. That's why autorun item was completely removed from the Auto Play dialog in Windows 7.

ichi said,
I've even seen pendrives that come out of the box with an app that adds a tray icon (for no apparent reason) as soon as you plug it.


Please READ my reply!
1) CD-Rom with autorun.inf: Before Vista it was run automatically. Now they show a dialog boxes with option to run the file.
2) USB Mass Storage with autorun.inf: It was never run automatically. Before 7 they showed a dialog boxes with an option to run the file. Now there is no such option.

But
What if you had a USB hub with USB flash drive and USB DVD-Rom plugged into it? Now if you plug this hub into PC with Windows XP the autorun.inf from the Flash drive is not executed automatically, but the one from DVD-rom is.
Get the idea? Flash = no-run, DVD = run, Flash + DVD = run. But why do you heed a real USB DVD-Rom when you can emulate one?
Flash drives manufacturers got this idea and created so-called U3 flash drives ( http://en.wikipedia.org/wiki/U3 ) that were basically a USB hub with flash storage and emulated DVD-rom attached. And yes, the autorun.inf from its "DVD-Rom part" was executed automatically.

But then Vista was released...

Brandon Live said,
I'm not aware of any time when Windows automatically ran the autorun executable from a USB drive, but it's been a very long time since I used XP. Are you sure you aren't thinking of CD drives?

I had to hold shift when pluging a friend's pendrive on a winxp laptop I had back then, because otherwise it would automatically launch some app that placed an icon in the tray. I don't know what that app was supposed to do (it came from the vendor so it was probably safe, but still) and that guy didn't want to delete it (maybe he thought the pendrive wouldn't work without it).

So yes, I'm pretty sure it was a usb, not a cd.

Who cares how secure Macs are? Next to no one uses them for anything important, and those who do don't seem to know/care much about security, or have them in a secure-ish environment like a corporate network. That said, its not much different for other OSes.

All of these security issues with the OSes mentioned in this thread haven't detoured all of their users yet.

And at the end of the day, as people have mentioned already, users can easily infect themselves no matter how many security warnings e.t.c. are in place in an OS.

ichi said,
I had to hold shift when pluging a friend's pendrive on a winxp laptop I had back then, because otherwise it would automatically launch some app that placed an icon in the tray. I don't know what that app was supposed to do (it came from the vendor so it was probably safe, but still) and that guy didn't want to delete it (maybe he thought the pendrive wouldn't work without it).

So yes, I'm pretty sure it was a usb, not a cd.


There are a small number of USB sticks that include virtual CD-ROM devices. I believe these always contain data that is not accessible or changeable by the user, but they're used to cause AutoRun software to load (usually for encryption/decryption sort of programs). That's probably what you were seeing. As far as Windows is concerned, it's a CD, not a USB stick.