MacOS X: secure by design, default, and deployment.
Since Apple released Mac OS X, even the PC industry trade publications have raved about its quality, design, and features. PC Magazine even gave Mac OS X “Panther” a 5-star rating in October 2003. Perhaps it was because Macs could now seamlessly fit into the Windows- dominated marketplace and satisfy Mac users refusing to relinquish their trusty systems and corporate IT staffs wanting to cut down on tech support calls. Whatever the reason, Mac OS X has proven itself as a worthy operating system for both consumers and business alike.
Of course, as with all operating systems, Mac OS X has had its share of technical problems and even a few major security vulnerabilities. Nearly all were quickly resolved by Apple via a downloaded patch or OS update. But in general, Mac OS X is solid, secure, and perhaps the most trustworthy mainstream computing environment available today. As a result, Mac users are generally immune to the incessant security problems plaguing their Windows counterparts, and that somehow bothers PC Magazine columnist Lance Ulanoff.
In a December 11 column [1] that epitomizes the concept of yellow journalism, he’s “happy” that Mac OS X is vulnerable to a new and quite significant security vulnerability. The article was based on a security advisory by researcher William Carrel regarding a DHCP vulnerability in Mac OS X. Carrel reported the vulnerability to Apple in mid-October and, through responsible disclosure practices, waited for a prolonged period before releasing the exploit information publicly since Apple was slow in responding to Carrel’s report (a common problem with all big software vendors.) Accordingly, Lance took this as a green light to launch into a snide tirade about how “Mac OS is just as vulnerable as Microsoft Windows” while penning paragraph after paragraph saying “I told you so” and calling anyone who disagrees with him a “Mac zealot.”
In other words, you’re either with him or with the “zealots.” Where have we seen this narrow-minded extremist view before?
More to the point, his article is replete with factual errors. Had he done his homework instead of rushing to smear the Mac security community and fuel his Windows-based envy, he’d have known that not only did Apple tell Carrel on November 19 that a technical fix for the problem would be released in its December Mac OS X update, but that Apple released easy-to-read guidance (complete with screenshots) for users to mitigate this problem on November 26. Somehow he missed that.
Since he’s obviously neither a technologist (despite writing for a technology magazine) nor a security expert, let’s examine a few differences between Mac and Windows to see why Macintosh systems are, despite his crowing, whining, and wishing, inherently more secure than Windows systems.
The real security wisdom of Mac OS lies in its internal architecture and how the operating system works and interacts with applications. It?s also something Microsoft unfortunately can?t accomplish without a complete re-write of the Windows software — starting with ripping out the bug-riddled Internet Explorer that serves as the Windows version of “Finder.” (That alone would seriously improve Windows security, methinks.)
At the very least, from the all-important network perspective, unlike Windows, Mac OS X ships with nearly all internet services turned off by default. Place an out-of-the-box Mac OS X installation on a network, and an attacker doesn?t have much to target in trying to compromise your system. A default installation of Windows, on the other hand, shows up like a big red bulls-eye on a network with numerous network services enabled and running.* And, unlike Windows, with Mac OS X, there?s no hard-to-disable (for average users afraid to tweak things unfamiliar to them, that is) “Messaging Services” that results in spam-like advertisements coming into the system by way of Windows-based pop-up message boxes. And, the Unix-based Mac OS X system firewall ? simple enough protection for most users — is enabled by default (in Mac OSX Server) and easy to find and configure in Mac OS X Client software (not that there’s much that users need to worry about out-of-the-box anyway) — something that Microsoft only recently realized was a good idea and acknowledged should be done in Windows clients as well. I guess Lance didn’t hear about that, either.
Then there’s the stuff contributing to what I call “truly trustworthy computing.”
When I install an application, such as a word processor, I want to know with certainty that it will not modify my system internals. Similarly, when I remove the application, I want to know that when I remove it (by either the uninstaller or manually) it?s gone, and nothing of it remains on or has modified my system. Applications installed on Mac OS X don?t modify the system internals ? the Mac version of the Windows/System directory stays pretty intact. However, install nearly any program in Windows, and chances are it will (for example) place a different .DLL file in the Windows/System directory or even replace existing ones with its own version in what system administrators of earlier Windows versions grudgingly called “DLL Hell.” Want to remove the application? You?ve got two choices: completely remove the application (going beyond the software uninstaller to manually remove things like a power user) and risk breaking Windows or remove the application (via the software uninstaller) and let whatever it added or modified in Windows/System to remain, thus presenting you a newly-but-unofficially patched version of your operating system that may cause problems down the road. To make matters worse, Windows patches or updates often re-enable something you?ve previously turned off or deleted (such as VBScript or Internet Explorer) or reconfigures parts of your system (such as network shares) without your knowledge and potentially places you at risk of other security problems or future downtime. Apparently, Lance doesn’t see this as a major security concern.
more from [url=http://www.zone-h.org/en/news/read/id=3845/]Zone-H[/url]
Post a reply
You must be logged in to post a comment.