TechWeb: Mac OS X a very secure OS, but not magically secure

“Mac OS X is, out of the box, a very secure OS. It is, however, not magically secure. While some Mac users like to propagate the myth of ‘Mac OS X’s perfect security,’ the fact is that like any other well-designed OS, Mac OS X is highly resistant, but not invulnerable, to attack,” John C. Welch reports for TechWeb.

“This is not to say that it’s as bad as Windows at its worst. Early on in the history of Windows NT 4, Microsoft Office, and Internet Explorer, Microsoft made some decisions that, while not terrible from a user’s point of view, created the nigh-crippling problems you see with Windows today. The worst of these is the administrator account in Windows, and the reliance of too many software packages on that account. The Windows administrator account is essentially the same as the all-powerful root account on Unix — there are no files the administrator can’t access and no actions the administrator can’t perform — and it’s the default account on every version of NT through XP. So once you’re running as root, then you’re…well…root. There’s nothing you can’t do, and you aren’t going to even get a warning about it,” Welch reports.

Welch reports, “The insecurity of this is exacerbated by Windows’ very bad habit of, until fairly recently, not even asking for a password on the Administrator account. Auto-logon as root, no password needed. There aren’t enough letters in the phrase “That’s a Very Bad Idea” to adequately communicate the ‘bad idea-ness’ of this bad idea. So if malware gets into your system, then it is running as root. There’s very little any OS can do to stop a software process running with that kind of authority.”

“Apple has never done this. A user who is an ‘administrator’ is not even close to root, but rather is a part of the OS “admin” group. That means that, if needed, the user can authenticate and run processes as root, but is not root on an ongoing basis. In fact, on Mac OS X, the ability to log on as root is disabled, and positive steps must be taken to enable this feature,” Welch reports. “It’s worth noting that Microsoft has taken a page from Apple in its upcoming Windows Vista operating system: When that OS is released next year, users will not be logged in as administrator/root by default.”

Welch reports, “So no, there’s no looming security nightmare for Mac OS X. All the headlines mean is that more people are taking Mac OS X and Apple more seriously from a security point of view — and that is, in the end, a good thing.”

Full article with some good advice for keeping Mac OS X secure here.

[Thanks to MacDailyNews Reader “Rainy Day” for the heads up.]

Related MacDailyNews articles:
SecureWorks admits falsifying Apple MacBook ‘60-second wireless hijacking?’ – August 18, 2006
Chicago Tribune falls for the ‘Security Via Obscurity’ myth – August 14, 2006
Oxymoron: Microsoft security – August 12, 2006
Want Microsoft’s promised Windows Vista security now? Get a Mac – July 31, 2006
Mossberg: Jump through hoops trying to secure Windows or just get a Mac – July 27, 2006
Symantec details more security holes in Microsoft’s Windows Vista – July 26, 2006
Sophos: Apple Mac OS X’s security record unscathed; Windows Vista malware just a matter of time – July 07, 2006
Sophos Security: Dump Windows, Get a Mac – July 05, 2006
Network World: Apple’s Mac OS X is significantly more secure than Windows – May 01, 2006

39 Comments

  1. A great article. This guy gets it. I only take exception with the one line “While some Mac users like to propagate the myth of ‘Mac OS X’s perfect security'”… I have yet to meet any Mac user who claims that Mac OS X has “perfect security”. It isn’t magic, he’s right about that. It’s simply common sense. Other than that little gripe, this is one hell of a must-read article.

  2. Windows security flaws go *way* beyond the “doing stuff as administrator” weakness. Registry… Services enabled by default… Macros… Active X… Failure to separate OS from application… DLL Hell… Legacy code no one understands… Vulnerable to compromise by non-admin… Need I go on?

    Since backward compatibility is seen as essential to Windows, its flawed origins need to be considered. Whereas UNIX was created by Ph.D. computer scientists, the Windows project was headed by a college dropout. Enough said.

  3. It’s worth noting that Microsoft has taken a page from Apple in its upcoming Windows Vista operating system: When that OS is released next year, users will not be logged in as administrator/root by default.”

    AND THIS IS MAGICALLY KEEPING MAC OS X SECURE?

    What a frigging joke, just about any new application today demands a admin password to install and run, alters Mac OS X, opens security holes and allows hackers to access root.

    Take for instance the Sony rootkit. Mac users stuck the cd they bought from the store in their machines and ran the addtional software which asked for a admin password.

    We can trust Sony right? Then BLAMO, rootkit installed.

    Look at NeoOffice, a open source free Office software. What the FSCK IN HELL does it need a admin password and root powers to install?

    NeoOffice is buggy, they admit that and then they got the BALLS to get elevated security status?

    Norton AV, McAfee, Abode all have had exploits in their software running AS ROOT ON MAC’s.

    MY POINT IS, if developers demand elevated security status and hackers target applications, then having a admin password is really fucking worthless.

    Nobody writes perfect code, but everyone wants elevated status before the “other guys” do.

    It’s so goddam stupid and Apple allows them to do it.

    Then of course “Trusted Computing” is supposed to cure all this and every app have complete access to our machines.

    Fuck. We lose our control and our privacy.

  4. Time Machine will fail

    Apple’s “Time machine” is a backup method that requires a active connection to another drive.

    If a security exploit ensues, then the backup is also dead meat.

    Hopefully Apple will see the need for being able to disconnect the second drive and Time Machine not throw a bitch fit if it’s not perfectly sychned with the primary drive.

    Knowing Apple it will be totally automated and worthless as a security protection method.

    Apple’s “one size fit’s all” approach is begining to piss me off.

  5. some Mac users like to propagate the myth of “Mac OS X’s perfect security”

    Now that IS a myth ” width=”19″ height=”19″ alt=”smile” style=”border:0;” />

    I have NEVER heard ANYONE talk about Mac security as “perfect.”

    Yet I see people all the time arguing against those imaginary zealots. What gives?

    Macs are a WHOLE LOT safer than Windows, a conclusion with no escape. Who are these imaginary people saying that means “perfect”? Silliness.

  6. Well blueman groupie..if Apple are starting to piss you off then I’d hate to think about the affect using Microsoft would have on you!

    I really don’t see why you assume that Time Machine won’t be something that you can adjust to suit your needs. Don’t tell me that Apple doesn’t recognize that there will be some occasions when people will not want their “activities” backed up.

    After all, Safari provides you with the option of “private” browsing.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.