Dino Dai Zovi, the New York-based security researcher who took home $10,000 in a highly-publicized MacBook Pro hijack on April 20, has been at the center of a week’s worth of controversy about the security of Apple’s operating system. In an e-mail interview with Computerworld, Dai Zovi talked about how finding vulnerabilities is like fishing, the chances that someone else will stumble on the still-unpatched bug, and what operating system — Windows Vista or Mac OS X — is the sturdiest when it comes to security.
From your research on both platforms, is there a winner between Mac OS X 10.4 and Vista on security?
"I have found the code quality, at least in terms of security, to be much better overall in Vista than Mac OS X 10.4. It is obvious from observing affected components in security patches that Microsoft’s Security Development Lifecycle (SDL) has resulted in fewer vulnerabilities in newly-written code. I hope that more software vendors follow their lead in developing proactive software security development methodologies."
Full interview at source.
News source: MacWorld
With the resources Microsoft has and the emphasis they put on security this time around, they have the superior product with better code. Apple just doesn't have the user base that would shed light on the many vulnerabilities it has.
2. If the OS is compromised by vulnerabilities in software such as QuickTime, then the OS is still lacking in security, because whatever flaws the software contains, it should still not compromise the system.
Sounds like Mr PC needs to just tape over Mac's mouth in the next ad.
Windows Seven should shut some people up
OSX = On computers / Sale for 6+years
Vista is newer code, so it should be more secure, but on the other foot, OS X has been out in the market for longer than Vista has been in development, and still has fewer security holes (than Vista / XP or combined).
And do you have Macboy written across your forehead too?
Point being is that Apple users need to shut their mouths as they have been put in their place. Vista is newer code so it should be more secure? That makes no sense whatsoever in the computing industry, at least not at the software level. Newer code does not equal and never has equated to "more secure". It's clear MS has stepped up their security levels and newer technology has resulted in more secure, that I will agree with.
The news story brings out a good point: fishing. This proves once again that because Windows has a substantially larger market share, of course more vulnerabilities will be found and exploited compared to OS X. If there are 10,000 fish in the lake and MS owns 9,900 of them, the chance that someone will catch one of those fish is substantially greater than catching one of the other 100.
Enough said.
how have we been put in our place. apparently you didn't read how this " Hack " came about or how the contest had to be altered due to nobody at the competition being able to hack the OS, and the hack came from somebody not at the competition, it was emailed to him
Not true. Secunia lists 101 OSX vulnerabilities in 53 months, or an average around ~2 per month.
http://secunia.com/product/96/?task=statistics
On the other hand, Vista has just 8 vulnerabilities in the last 6 months (Vista was released in November), which works out to around ~1.3 per month.
http://secunia.com/product/13223/?task=statistics
So Vista's doing pretty good as far as I can tell.
Actually a lot of code has changed since 10.0; 10.4 came out 2 years ago as one of the largest releases up to that point.
But agreed, Vista is doing pretty good so far. Can't wait to see what number Vista will be kicking in 53 months, but OS X is still more secure (IMO), mainly due to its underlying structure, same as Linux compared to Windows.
OSX>Windows
Linux>Windows
You can't quote it, because it's wrong. There have been a surprisingly small number of security vulnerabilities discovered in Vista, only one or two of note, and even then, one of them only worked if UAC was off.
I guess Microsoft is using a magical copy machine.
Software has flaws. Honestly, Microsoft has FAR more experience with security. They've actually run into thousands of problems that needed solving. It's honestly not very surprising that they would have far more mature security development.
Apple is negatively arrogant. What can I say? Marketing is marketing is marketing. Get over it!
It still doesn't mean what they say is false. It just could easily be made untrue by a larger market share, which everyone has talked about. Then again, a closed system makes the potential for fixes far faster and easier. If they ever grab a big enough piece, the real test is how they respond.
It's good to get a good punch in the face, every so often.
+1
+2
+3
I too don't use spyware/adware protection, just use Firefox. I do scan for it every now and then but haven't found any since Firefox (maybe 1).
And the only time I have gotten a virus, it was from downloading questionable content off of questionable sites.
Using a mac does not make you immune if the person behind the keyboard is a retard and will open obviously dangerous files.
Apple comes across to me as an expensive car dealer that tries to claim that by driving their car, you'll never have any accidents, so seatbelts and airbags don't take up room in your iCar like every other vehicle on the roads.
+4
+5
+6
This was an application issue, not an OS issue. You cannot judge how secure OS X is based on vulnerabilities in software working atop the OS. While we all understand that no computer is 100% secure, this "contest" was nothing more than the anti-Mac FUD machine going into high gear due to the growing interest in Macs and the lackluster adoption, if not outright rejection, of Windows Vista. Vista is not a new operating system and it is full of flawed legacy code, and now we are supposed to believe that Microsoft has developed a magic bullet to make their OS nearly invulnerable.
The registry is still there. And so is that .dll mess. Vista is a disaster waiting to happen.
Meanwhile . . . I'm still waiting for the first ever virus in the wild for OS X.
Last edited by LTD on 01 May 2007 - 06:08
...yeah, MacWorld is nothing but a pro-Microsoft anti-Apple FUD machine...
What a clueless comment. Let me explain before you start a barrage of 'repeat all the anti-MS crap you ever heard' in your next post. This comment just proves you know nothing about OSes or programming. A programming language is just something that translates statements into machine-executable code; there is nothing special about any particular programming language as long as it can possibly do this function with its syntax. Therefore, the following code is possible in a hypothetical language that is not invented. Why not C or whatever? Because I am an x86 asm programmer and don't read/write that stuff, and I'm sure you don't read/write my language:
Get_name_of_current_file -> currentfile;
foreach *.app on harddrive[1...all] copy_and_replace currentfile to file on harddrive[x];
This could be called pseudo-code, and is a commonly used and valid means of planning out actual programs.
This particular code is just two lines, which would translate into maybe 50 bytes of code + maybe 256 bytes of memory use. It will find every .app file on the hard drive and copy the current executing file to the .app file it finds.
Obviously this can be easily changed to accommodate other executable types. So your claim that you have not seen a Mac OS X virus in the wild is nonsensical, as any high school programmer could MAKE a Mac OS X virus. Now, don't confuse virus with worm. A virus infects files; a worm exploits flaws across a network to gain access to other systems, where it typically copies and executes its code and repeats the whole process. If you meant worm, it just shows yet again you don't know what you are talking about. If you don't know even basic security terminology, why are you commenting with a knowledgeable-about-security attitude? A Mac OS X virus would be, as I said, easily codable by a high school programmer, but utterly useless in these times of read-only software distribution via CDs and DVDs. Which illustrates how stupid the 'hackers would write a Mac OS X virus just because they'd be leet for making the first' sentiment is, since anyone could write the equivalent of the pseudo-code I wrote in a language that compiles and runs on Mac OS X. The code would not be able to infect every program on the hard drive and probably not any system files, but it IS virus-like, and you said you had seen no such thing WITHOUT qualifications for OS X just to be extra sassy about how OS X is 'teh secure'.
And this is true of Windows as well: viruses would not be able to infect system files in Vista or from low-privilege accounts on earlier NT OSes either. Now worms are different. Worms depend on flaws in listening network applications, and both Mac OS X and Windows XP SP2, Windows 2003 Server and all variants of Windows Vista include a firewall and turn it on by default; firewalls simply don't let programs listen to network data which could be formed in a certain way that causes normal network apps to become portals for malicious code into the system. So to recap: viruses are possible but useless in any modern OS, and in all they will have limited effect depending on the execution environment. By default, Mac OS X, all Linuxes I know of and all variants of Vista give a low-access environment to the user and any malicious code they run; worms are blocked by firewalls which are on by default in all the Linuxes I know of, Mac OS X and Windows XP SP2, Windows 2003, and all variants of Windows Vista as well. Other channels of attack to worry about these days are more worm-like: maliciously coded HTML web documents and worms that attack non-system services. These attacks apply to and equally affect every OS that is usable by modern definitions, with more widely used OSes having a higher number of attackers despite the same population base (i.e., Linux, Mac, Windows all equally access the net, but there are more Windows machines so there are more Windows attackers in the same population), which leads to the perception that Windows is more insecure, but anyone with half a wit of common sense would easily see that this is just a side effect of being the most popular OS when you take into consideration everything I have illustrated. As an aside, it would probably be wise for me to put this on a web site and just link it every time some Mac user feels like being dramatic in a Windows forum about security to mask how lonely they are or whatever drives this neurotic behavior.
Last edited by J_R_G on 01 May 2007 - 07:03
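The post above describes a copy-and-replace file infector that overwrites the executable of every .app it finds. The defender's footprint of that behaviour is simple to check for: unrelated bundles whose main binaries are suddenly byte-identical, and executables whose hash no longer matches a known-good baseline. The following is an added example from the editor, not code from the post or from any product; it assumes the standard Contents/MacOS bundle layout and builds a constructed sample tree in a temporary directory.

```python
import hashlib
import os
import tempfile
from collections import defaultdict


def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_app_executables(root):
    """Yield every file in <bundle>.app/Contents/MacOS under root.
    Assumes the standard bundle layout; other binaries are out of scope."""
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if not d.endswith(".app"):
                continue
            macos = os.path.join(dirpath, d, "Contents", "MacOS")
            if not os.path.isdir(macos):
                continue
            for name in sorted(os.listdir(macos)):
                p = os.path.join(macos, name)
                if os.path.isfile(p):
                    yield p


def record_baseline(root):
    """Snapshot {path: sha256} of all bundle executables on a known-good system."""
    return {p: sha256_file(p) for p in find_app_executables(root)}


def changed_since_baseline(root, baseline):
    """Executables whose hash differs from the baseline, or that are new."""
    return sorted(p for p, h in record_baseline(root).items() if baseline.get(p) != h)


def identical_executable_clusters(root, min_size=2):
    """Group executables by content hash. Several unrelated bundles whose main
    binaries are byte-identical is the footprint of an overwriting infector:
    the file it copies over them is the same everywhere it lands."""
    by_hash = defaultdict(list)
    for p in find_app_executables(root):
        by_hash[sha256_file(p)].append(p)
    return {h: sorted(v) for h, v in by_hash.items() if len(v) >= min_size}


def build_demo_tree():
    """Constructed sample (not real software): one untouched bundle and three
    bundles whose executables have been replaced by the same bytes."""
    root = tempfile.mkdtemp()
    bodies = {"Safe.app": b"#!/bin/sh\necho safe\n",
              "A.app": b"SAME-BYTES", "B.app": b"SAME-BYTES", "C.app": b"SAME-BYTES"}
    for bundle, body in bodies.items():
        macos = os.path.join(root, bundle, "Contents", "MacOS")
        os.makedirs(macos)
        with open(os.path.join(macos, bundle[:-4]), "wb") as f:
            f.write(body)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for digest, paths in identical_executable_clusters(demo).items():
        print(digest[:12], "shared by", [os.path.basename(p) for p in paths])
```

On a real system the baseline would be recorded at install time and stored off-host, since an infector running as the user can rewrite any file the user owns, including a locally stored baseline.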
Regardless. I can't help feel that if this was the other way around, and it was some Joe Average, which effectively this guy is, stating that according to his "findings", Vista is less secure, the Windows fanatics would be screaming foul-play. In this case, however, they seem more than happy to accept the words as gospel.
Whenever these Windows vs. Mac debates pop up, it's like watching a special needs group argue over who has the tastiest lollipop. Grow up.
Calling them retards using other words is more mature? You should take the grow up advice you offered and look into it.
Saying someone has special needs in front of everybody must make you feel real special, hell, maybe it'll get you a girl someday.
You were saying? At least I didn't lecture on English while messing it up worse than him, like you. Anyways, I was obviously in a hurry; I'm not going to spend an hour correcting insignificant typos and whatnot on this crap. Making off-topic spelling and grammar mistake related comments (I'd love to know what basic grammar mistakes I made, probably along the lines of 'he didn't worship at the anti-MS altar, so I'll just insult his intelligence repeatedly since I have nothing to say anyway'.) shows how mentally bankrupt your death-to-MS ideology is, considering you could have refuted me without committing the sins you so vehemently denounce, instead of JUST committing said sins in the same message you denounced them in.
I made some comments along those lines, but unlike you, I also added something to the subject. You just posted a silly, off-topic series of nonsensical, rambling, hypocritical insults after admitting you didn't read most of the message you replied to. Get a life and stop being disgusting.
Last edited by J_R_G on 01 May 2007 - 08:52
First, Vista has a re-written kernel which I would consider newer than Mac's fifth service pack for OS X.
Next, throwing around "FUD machine" is a very poor attempt to dismiss the facts presented in this article.
Third, single digit marketshare, which Apple has maintained for over 20 years, is hardly "lackluster" adoption.
Fourth, Vista has sold more copies than OS X (naturally), so I would hardly call it "rejected".
Fifth, Windows "legacy" code isn't flawed just because it's "legacy" code. All code is flawed because it's human-generated. Just like Mac and its "classic" OS 9 legacy code.
Finally, the registry and .dll system in Windows is only a "mess" to people who fail to understand it. It works just fine.
So, while you wait around for that "wild virus" for Mac OS, I will wait around for the "disaster" that will happen with Vista. But I might go back and read the article again because I might be waiting a lot longer than you will be.
Opinions are one thing but facts are another. Try not to mix them up.
If LTD was the most blindly-loyal Mac fanatic, you would be the most blindly-loyal Mac hater here at Neowin. The irony is killing me.
1) Aside from Microsoft claiming it is completely new, do you have any proof to back it up? Scoured through the entire kernel code yourself, have you?
2) What facts? It's one person's opinion who was practically given the money on a silver platter.
3) PC market share covers large market segments where Apple isn't competing, including markets where Apple doesn't want to compete. Also consider that Apple probably has the 5th largest market share of any computer manufacturer. Who gives a rip about market share? When are you going to give up your tired old argument about market share? Market share and sales have absolutely nothing to do with the quality of product you put out. This holds true in ANY product segment.
4) Ever wonder why? It sure helps to have it installed on every Dell and HP computer sold.
5) It's flawed because it's legacy code, period. Granted, humans will make coding errors, but Windows legacy code is horrid. Why do you think MS claims they rewrote the entire kernel? Proof in and of itself.
6) You are kidding right? C_Guy, you just make me laugh...but not because you are funny. There's a reason why MS wants to move away from dll files and the registry. If it worked fine, they would have no need.
If Vista wasn't forced on everyone buying a new computer, the situation would be much much different.
Windows and Mac have their places. I would not want to run a business with a Mac-only network. As a system admin, the only nightmare worse is a mixed environment. Nor would I want to use Windows as my own personal computer. I want it to work out of the box and not spend the time trying to make it secure.
Last edited by Chad on 01 May 2007 - 15:48
dll mess? Everything looks relatively fine to me on that front, especially with the rise in usage of .NET.
registry? Oh that thing. Well, you'll be upset to learn that local machine elements of it have been virtualized for applications, making it MUCH less of a mess than it was in the past.
Use both.
Pretty much what I'm thinking.
Here's a theory - Mac code actually isn't more secure, but there are a heck of lot more haters out there that want to hack windows. We'll call it a brute force attack, if all the devious people hate "The Man" (Gates) and they put their collective efforts behind hacking his stuff, then of course they are going to get in.
Windows users don't have to sit around worrying about whether they can hack in to somebody's Mac, cause the fact is that there just aren't that many out there in the real world. The world where people need to do more with their computer than make cool home videos with the dorky high school dude from "Ed." I sort of like the guy's stuff, until he decided to join the blissfully ignorant. Mac fans are just like their commercials - bad politics. Talk about what your crap can do on it's own - not your biased opinion of how you think you can convince the masses that your stuff can actually do something that the other guy's can't do.
Dang, I sat down at my computer last night (just a lonely streamlined XP box ) and I was determined to make a home movie. Wull, golly... i were surprised to fin out that a windows puter caint make no movies. Read dripping with sarcasm (if it wasn't obvious).
Amazing.
As much as Apple has screwed the Darwin project over the years I can't imagine why they wouldn't be all gung-ho to help out with security issues.
Of course Vista HAS to be more secure because of the huge userbase, otherwise it would be a complete disaster.
But that doesnt take away the fact that using a mac is still far more secure that using a Windows-based computer. So as long as the mac userbase remains low, mac users will be fine.
In other words, Mac OS X isn't secure if too many people use it whereas Windows is because so many people use it? Did you even read the article?
The guy thinks that the number of security vulnerabilities, which would include viruses and worms, is directly proportional to the market share you have. That's absurd and shows me he has nothing to back up his statement. Previous incarnations of the Mac OS were vulnerable to many viruses, with a smaller market share than OS X has now.
Stick that in your pipe and smoke it, "Hi, I'm a Mac" guy.
Imagine a contest to break into a panic room; after everyone participating in the challenge fails to break in, they're given telephone access to the person inside the room so they can talk them in to opening the door from the inside to let them in. Is that a security compromise of the panic room, or a social exploit?
To win the first Mac, a cracker had to break in and "follow the instructions in the home of the default user." To win the second Mac, contestants needed to "follow the instructions in the filesystem root." Had both Macs been given away, this would have been a real exploit. After not being able to directly break into even the user realm, the contest dropped the bar to allow users to send URLs to the contest manager, who put them on a server and set the two MacBook Pros to automatically visit a website and 'click on' the submitted URLs.
Reenacted by Jodie Foster, it might have gone like this:
"Hello inside the panic room! It’s safe to come out now!"
Door opens.
"Ah hah! We broke in!"
Nobody could gain root privileges on the Mac despite the $10,000 prize (and the laptop), even though there are many hundreds of known vectors for doing just that on Windows PCs. Were an attacker to use a Windows-like exploit to try installing software via a browser link, or through a malware graphic attempting to run arbitrary code as a user simply visited a booby-trapped website, Mac OS X would throw up an authentication dialog telling the user to sign in for the software that was being installed.
Hundreds of ways to do that on a Windows PC?
http://secunia.com/product/13223/ for Vista - currently 8 vulnerabilities (2 unpatched) with the most severe unpatched being rated "Not Critical"
http://secunia.com/product/96/ for Mac OSX - currently 101 vulnerabilities (5 unpatched) with the most severe unpatched being rated "Less Critical"
I think Vista wins this round: 3 fewer unpatched vulnerabilities and 93 fewer overall vulnerabilities.
I hate this... Every time there is an Apple-related news article on Neowin, the general response is almost always either
a) OOOH! Apple got OWNED!
or
b) Pfft, yet another piece of bull**** Apple / Apple fanboys have come up with.
Seriously, wtf? Modern computers are all secure enough in general for the sensible user, quit with the flame war.
wctaiwan
PWNT!