
OS X – Safe, yet horribly insecure

207 points by vijaydev, nearly 14 years ago

26 comments

comex, nearly 14 years ago
Although it's not officially documented, Snow Leopard's sandbox is already quite capable and easier to use than the norm; it's nonsensical to list "sandboxing" and "mandatory access controls" as wins for other operating systems. Lion will make it mandatory for all App Store apps and add features like a secure open dialog (where the OS handles the open dialog and gives the app access to only user-selected files) and an easy-to-use privilege separation API (to make it easier to take advantage of the sandbox); the result is much more advanced than anything mainstream in Windows or Linux. Lion will also get rid of previous limitations on DEP and ASLR; in particular, it randomizes dyld.

The article also seriously underestimates the benefit of the centralized App Store model (which has an equivalent in Linux, but not Windows); despite all the horrible rejections and review issues, if it becomes the usual way to obtain Mac applications, it will greatly reduce the chance that users will come into contact with malware.
api, nearly 14 years ago
"The Unix Design is significantly less granular than Windows..."

That's why it's more secure. Complexity means you don't know what's going on. Complexity means you will forget something. Complexity means there's more likely to be a way to squeeze through, more likely to be a bug, more likely to be a little thing that is forgotten.

This is also a problem with complex cryptographic APIs, overly complicated things like PKCS11 and X.509, etc. It's curious that security-related systems are among the most complex, since complexity is inherently bad for security.

I call it a lack of "situational awareness."
zdw, nearly 14 years ago
*They often share vulnerabilities with core libraries in other UNIX like systems with samba and java being two examples.*

Good thing that Lion jettisons both (Samba for going GPLv3, and Java is non-core download)

*The firewall functionality in OS X is impressive, but hardly utilized. The underlying technology is ipfw*

Also changed in Lion, which now uses OpenBSD's pf. Apple doesn't make much more use of it though.

*It has been a shame to see the sandboxing functionality introduced in Leopard not being utilized to anywhere near its full capacity.*

That's changed as well in Lion, as any Mac App Store developer can tell you.
andos, nearly 14 years ago
Just as a curiosity: yesterday I watched a talk by Thomas Ptacek at some indie Mac dev conference where he showed, *en passant*, how some kludges used by Apple produced vulnerabilities in Mac OS X. It’s old, fixed stuff by now, but I was like “WTF?” all the same. Because it’s very stupid stuff from Apple.

Here’s the talk, slides (check slide 11), and related blog post:

http://www.viddler.com/explore/rentzsch/videos/31/

http://www.slideshare.net/tqbf/c42-software-security-presentation

http://chargen.matasano.com/chargen/2009/9/24/indie-software-security-a-12-step-program.html
5teev, nearly 14 years ago
> A lot of OS X users seem to have this idea that Apple hired only the best of the best when it came to programmers while Microsoft hired the cheapest and barely adequately skilled...

Is this really a commonly held belief? I've never encountered anyone expressing this opinion.
skybrian, nearly 14 years ago
The author may have some good points, but this essay is so poorly organized that it's hard to tell what they are or put them into proper perspective. It's mostly a good argument for teaching essay-writing in school.
X-Istence, nearly 14 years ago
> *The Unix Design is significantly less granular than that of Windows, not even having a basic ACL. The UNIX design came from a time when security was less of an issue and not taken as seriously as it did, and so does the job adequately. Windows NT (and later OSes) were actually designed with security in mind and this shows.*

This comparison doesn't even make sense, comparing a decades-old UNIX design to a comparatively newly designed OS (Windows NT). POSIX permissions have stood the test of time for a long time and by far were much better than what was available in Windows for the longest time. Of course Windows NT has improved on what was available at the time.

That being said, Mac OS X since 10.4 has had ACL, so that argument goes right out of the window. ACLs are enabled by default and they function as designed.

    # Create a file that only its owner can access
    touch testing
    chmod 700 testing
    # Add an ACL entry that lets otheruser delete it
    chmod +a "otheruser allow delete" testing
    # As otheruser, show the ACL and remove the file
    su - otheruser
    ls -lahe testing
    rm testing

> *They often share vulnerabilities with core libraries in other UNIX like systems with samba and java being two examples.*

That is because they use that exact open source software. This is a simple no shit sherlock kind of deal. Luckily those are going away and won't be in Lion. Java will be an extra download, like Adobe Flash and Samba won't be included by default because of the GPLv3.

Apple's policy regarding third-party software vulnerabilities could definitely be improved, and they already have, but it could still be better. Ultimately many of the third party tools they ship are never used by consumers and even though they may be exploitable they aren't accessible to an attacker (looking at you PHP ...)

> *They are extremely difficult to deal with when trying to report a vulnerability, seemingly not having qualified people to accept such reports. Even if they do manage to accept a report and acknowledge the importance of an issue they can take anywhere from months to a year to actually fix it properly.*

This has been fixed recently, they have a new head of security [1] and have increasingly shown that they are getting faster at closing bugs and bringing out updates to fix issues. Look at the Pwn2Own contest iPhone bug, Apple was notified and an update was made available that fixed only that one flaw.

Do I think they are doing the best job? No, MSFT has them beat by a mile with their security response team (really impressive), however the above sentence makes it sound like this is still the case which is no longer true.

--

It is a pretty good article in that it shows that there are certain issues that Apple could definitely improve upon, but completely ignoring any development to OS X for the past couple of years doesn't look good at all especially when the flaws you are attempting to point out have already been fixed.

[1] http://threatpost.com/en_us/blogs/apple-hires-new-security-chief-012411
crag, nearly 14 years ago
First, the author is right. Except his article is a boring read; repeating himself over and over and over and over again.

Yeah, I get that OSX is not secure. Now move on and tell me why.

In short, I wish the author would not write like a lawyer (unless of course he IS a lawyer).
quinndupont, nearly 14 years ago
So, let's review the *actual* exploits listed here (since, the author says, it isn't just FUD): ASLR & MacDefender... Hmm... hardly a damning criticism.
speleding, nearly 14 years ago
Apple did one thing very well: they ask for a password when doing something potentially harmful, but made sure that the password popup is rare enough that you won't be trained to blindly fill it in.

That one thing has more security value than any of the advanced security techniques listed in the article like "stack canaries" and "fine grained ACL".

It's too bad there are so many security consultants that focus on the technology instead of user behaviour. If they would just look at the statistics they'd see that >90% of security issues are not technology issues, they are behavioural issues.

Sure, it would be nice to have a few of those advanced security techniques in OS X if they don't cause too many usability or performance issues, but it will have very little effect on security as a whole.
fourspace, nearly 14 years ago
11px font with 19px line height? Uf, not for my tired eyes.

Fixed with this CSS snippet:

    p { font: 16px "Lucida Sans Unicode", "Trebuchet MS", Verdana, monospace; }
bborud, nearly 14 years ago
I read until the author expressed a preference for granular ACLs rather than a less complex security model.

Security starts with an aversion towards complexity. No point in reading the rest of the article.
mahrain, nearly 14 years ago
I don't see why this is discussed so much, afaik this article just says "Windows is more secure than OSX", mentions Mac Defender and goes on OSX about market share... The same story Mac users have heard for the last 10 years. Nothing new here, moving on, and remembering the days of Melissa, Kournikova, Sober, MyDoom etc...
davidu, nearly 14 years ago
This is actually just the tip of the iceberg for OS X vulnerabilities.

On the enterprise side, it's much much worse. AFP is heinous. Their Kerberos implementations are painful.

They actually have checkboxes in OS X server config screens that say: "Prevent man in the middle attacks? Yes or No?"
epistasis, nearly 14 years ago
> Personally for me, malware is a minor threat with the impact being negligible as long as you follow basic security practices and can recognize when something looks out of place.

Likewise, with proper security knowledge, the holes that Apple leaves unpatched for months are "minor threats." For example, disabling Java in the web browser when there's a known vulnerability. It's an inconvenience, but so is having to always be on the watchout for things that are out of place.

Apple is not fantastic on security, but they are good enough for the current threat level, as long as you take basic security precautions.
berkes, nearly 14 years ago
It is a pity the author does not include at least one Linux distro. Especially for the mentioned "targeted attacks", servers are the most likely targets.

And in the server market, OS X is hardly around, and the share of various Linux servers is growing larger than Windows, even.
yalogin, nearly 14 years ago
The whole article seems overly emotional and not objective at all. The only thing I agree with is that ASLR and DEP are not implemented as well as they could be (though I have not looked at it myself).
gnubardt, nearly 14 years ago
Found this to be salient, there's a lot of malice to be done in plain sight of an ignorant user: Root access is only needed if you want to modify the system in some way so as to avoid detection. Doing so is by no means necessary however, and a lot of malware is more than happy to operate as a standard user, never once raising an elevation prompt and silently infecting or copying files or sending out data or doing processing, or whatever malicious thing it may do.
molecularbutter, nearly 14 years ago
Does anyone have a version of this article with an even smaller font size? Maybe something that requires a microscope to read? Size 8 font isn't blinding enough.
16s, nearly 14 years ago
One point I would add is that by default, Macs have Perl, Python and Ruby (I think). So it's easy to script malware or write portable tools. I'm not suggesting that these languages are insecure or should not be installed, only that a malware designer can pretty much count on having them available to use. This may make Mac/Linux cross-platform malware easier as well.
adsr, nearly 14 years ago
Is it only me who finds it funny that the name is allthatiswrong given how many factual errors there are in there. :) Can't quite make up my mind if the author is trolling or if he has just failed to read up on the topic he tries to school us in.
ravivyas, nearly 14 years ago
All things said and done, one of the biggest flaws will be both Unix and Mac giving a user the sense that both are secure and nothing can go wrong. That is the same reason Mac Defender worked.
rryan, nearly 14 years ago
I was struck by the part about the OSX ASLR implementation. I can't believe they only randomize library loads :-/.
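Added example (not part of the thread or the linked article): a small C probe for checking the ASLR coverage discussed in the comment above. It samples one address from each memory region and compares it with the line printed by an earlier run. The names `sample_addresses`, `parse_line` and `randomized_mask` are made up for this sketch, and a dynamically linked C library is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

enum { R_TEXT, R_DATA, R_HEAP, R_STACK, R_LIB, R_COUNT };
static const char *const region_name[R_COUNT] = { "text", "data", "heap", "stack", "library" };
static int data_marker;

/* Take one address from each region of the current process. */
void sample_addresses(uintptr_t out[R_COUNT]) {
    int stack_marker = 0;
    void *heap = malloc(16);
    out[R_TEXT]  = (uintptr_t)sample_addresses;
    out[R_DATA]  = (uintptr_t)&data_marker;
    out[R_HEAP]  = (uintptr_t)heap;
    out[R_STACK] = (uintptr_t)&stack_marker;
    out[R_LIB]   = (uintptr_t)stdin;  /* FILE object in the C library (dynamic linking assumed) */
    free(heap);
}

/* Parse a line of R_COUNT hex addresses; 0 on success, -1 otherwise. */
int parse_line(const char *line, uintptr_t out[R_COUNT]) {
    unsigned long long v[R_COUNT];
    if (sscanf(line, "%llx %llx %llx %llx %llx", &v[0], &v[1], &v[2], &v[3], &v[4]) != R_COUNT) return -1;
    for (int i = 0; i < R_COUNT; i++) out[i] = (uintptr_t)v[i];
    return 0;
}

/* Bit i is set when region i is at a different address in the two samples. */
unsigned randomized_mask(const uintptr_t a[R_COUNT], const uintptr_t b[R_COUNT]) {
    unsigned mask = 0;
    for (int i = 0; i < R_COUNT; i++) if (a[i] != b[i]) mask |= 1u << i;
    return mask;
}

int main(int argc, char **argv) {
    uintptr_t now[R_COUNT], prev[R_COUNT];
    sample_addresses(now);
    if (argc < 2) {   /* no argument: print this run's addresses on one line */
        for (int i = 0; i < R_COUNT; i++) printf("%llx ", (unsigned long long)now[i]);
        putchar('\n');
        return 0;
    }
    if (parse_line(argv[1], prev) != 0) return 1;   /* argument: an earlier run's line */
    unsigned mask = randomized_mask(prev, now);
    for (int i = 0; i < R_COUNT; i++)
        printf("%-8s %s\n", region_name[i], ((mask >> i) & 1) ? "randomized" : "FIXED");
    return 0;
}
```

Build it with the platform's default flags and run `./aslr_probe "$(./aslr_probe)"`; a region reported as FIXED sat at the same address in both processes.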
ricardobeat, nearly 14 years ago
The blog post won't open on an iPad...
lulz1234, nearly 14 years ago
personal opinion about security is all well and good but they won't make you any more or less secure

either for what it's worth osx really provides nothing impressive on the security front
fedorabbit, nearly 14 years ago
I wouldn't go so far as to say Mac is more secure than Linux, both are Unix-based. As for my user experience, Mac OS X is by far the best.