TechWeb: Mac OS X a very secure OS, but not magically secure

“Mac OS X is, out of the box, a very secure OS. It is, however, not magically secure. While some Mac users like to propagate the myth of ‘Mac OS X’s perfect security,’ the fact is that like any other well-designed OS, Mac OS X is highly resistant, but not invulnerable, to attack,” John C. Welch reports for TechWeb.

“This is not to say that it’s as bad as Windows at its worst. Early on in the history of Windows NT 4, Microsoft Office, and Internet Explorer, Microsoft made some decisions that, while not terrible from a user’s point of view, created the nigh-crippling problems you see with Windows today. The worst of these is the administrator account in Windows, and the reliance of too many software packages on that account. The Windows administrator account is essentially the same as the all-powerful root account on Unix — there are no files the administrator can’t access and no actions the administrator can’t perform — and it’s the default account on every version of NT through XP. So once you’re running as root, then you’re…well…root. There’s nothing you can’t do, and you aren’t going to even get a warning about it,” Welch reports.

Welch reports, “The insecurity of this is exacerbated by Windows’ very bad habit of, until fairly recently, not even asking for a password on the Administrator account. Auto-logon as root, no password needed. There aren’t enough letters in the phrase “That’s a Very Bad Idea” to adequately communicate the ‘bad idea-ness’ of this bad idea. So if malware gets into your system, then it is running as root. There’s very little any OS can do to stop a software process running with that kind of authority.”

“Apple has never done this. A user who is an ‘administrator’ is not even close to root, but rather is a part of the OS “admin” group. That means that, if needed, the user can authenticate and run processes as root, but is not root on an ongoing basis. In fact, on Mac OS X, the ability to log on as root is disabled, and positive steps must be taken to enable this feature,” Welch reports. “It’s worth noting that Microsoft has taken a page from Apple in its upcoming Windows Vista operating system: When that OS is released next year, users will not be logged in as administrator/root by default.”

Welch reports, “So no, there’s no looming security nightmare for Mac OS X. All the headlines mean is that more people are taking Mac OS X and Apple more seriously from a security point of view — and that is, in the end, a good thing.”

Full article with some good advice for keeping Mac OS X secure here.

[Thanks to MacDailyNews Reader “Rainy Day” for the heads up.]

Related MacDailyNews articles:
SecureWorks admits falsifying Apple MacBook ‘60-second wireless hijacking?’ – August 18, 2006
Chicago Tribune falls for the ‘Security Via Obscurity’ myth – August 14, 2006
Oxymoron: Microsoft security – August 12, 2006
Want Microsoft’s promised Windows Vista security now? Get a Mac – July 31, 2006
Mossberg: Jump through hoops trying to secure Windows or just get a Mac – July 27, 2006
Symantec details more security holes in Microsoft’s Windows Vista – July 26, 2006
Sophos: Apple Mac OS X’s security record unscathed; Windows Vista malware just a matter of time – July 07, 2006
Sophos Security: Dump Windows, Get a Mac – July 05, 2006
Network World: Apple’s Mac OS X is significantly more secure than Windows – May 01, 2006

39 Comments

  1. No it’s not “magic,” just a lot of great work by Apple and the people who contributed to the Mac OS X Unix foundation.

    > Apple has never done this.

    Well, yes, actually they have. Mac OS 9/8/7 and earlier, plus the Apple II OS’s, and more if you count Apple III and Lisa… But Apple realized it was a very “bad idea” and threw it all out to go Unix. Microsoft just keeps trying to plug the holes in Windows.

  2. Ok, that article lost most if not all credability in the first paragrah, last sentence:

    “Almost simultaneously, security researchers took advantage of a wireless driver vulnerability to hack into a MacBook at this year’s Black Hat conference.”

    Not sure, but I think I remember something about that being a hoax. Not too sure either, but I think I remember something about a contest in which a MacBook was to be used as the prize if they could actually get it to work. Then, I think, maybe that contest was upped to two macbooks.

    Sorry, this whole article is interesting, but …..

  3. John C Welch is a top Mac OS X and WIndows sysadmin. He’s had to keep manifold servers running on both (and other) platforms over almost two decades.

    He knows his stuff.

    Google him and find his blog and other places where he contributes. There’s much more interesting stuff of his to read.

    Hint: “bynkii”.

  4. I heard a few months ago that it’s safer to not have your account you use all the time set up as Administrator. I did that, but it seems kinda dumb since I still have to type a password in to install something. Are there any benefits to this kind of set up?

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.