Apple today released Security Update 2007-005 which is recommended for all users and improves the security of the following components:
• bind
• CarbonCore
• CoreGraphics
• crontabs
• fetchmail
• file
• iChat
• mDNSResponder
• PPP
• ruby
• screen
• texinfo
• VPN
Security Update 2007-004 has been incorporated into this security update.
Security Update 2007-005 is available via Software Update and also via standalone installers:
• Security Update 2007-005 (10.3.9 Client) – 42.5MB
• Security Update 2007-005 (10.3.9 Server) – 56MB
• Security Update 2007-005 (PPC) – 15.7MB
• Security Update 2007-005 (Universal) – 29.2MB
@ MacSecurityMan:
There is a very clear distinction between “vulnerbility”, and “Exploit” mate. I dont think you understand that, considering you said there are 109 exploits for OS X…which would mean that there are 109 viruses in one forum or another for OS X….where in reality, there are 0.
In order for an exploit, and for an ACTUAL genuine virus to be designed for OS X..it would somehow need to modify the system flies…which lies on another user permission level, known as root. This is extremely, extremely difficult to gain access to, and therefore, creating a true OS X virus is very, very difficult. Its not impossible, as no operating system is 100% safe, but taking history into consideration, ANY UNIX/BSD based operating system, such as OS X, and Linux…will be extremely secure.
Stop confusing vulnerabilities with exploits.
MacSecurity Guy was correct with his post, the distinction betwen vunerability and exploits was plain to see.
For those who don’t know…
A vunerability is a security weakness that hasn’t been used, a exploit is one that has been used.
In order to prove a vunerability, a exploit of it has to occur. “Proof of concept” Therefore the vunerability becomes a exploit.
It doesn’t matter if the exploit hits one machine or a million. If’s it’s contained to “the lab” or “released in the wild”.
One must conclude, from a security standpoint, that any vunerability has already become a exploit and currently being used in some fashion by the bad guys.
There ARE NO exploits in the wild for Mac OS X.
And by what basis are you concluding this?
The Media? Does the media know when the last time you ripped a DVD?
The Security Pro’s? Are they in every machine watching every process to confirm that?
The Lack of Viruses? Who says a bad guy has to make a virus of a exploit? Couldn’t he just keep it to himself or few close friends and enjoy free reign in any Mac OS X box he/she chooses? Watching you through your iSight camera? Recording your keystrokes and website passwords?
Did you know that it took Apple SEVERAL MONTHS to admit to and finally fix the URL handler exploits of Panther? The same exploit that was posted on Slashdot for hundreds of thousands of people to toy with?
So far with this version of Mac OS X there are 109 vunerabilites that had to be fixed, a unusually high amount.
Something is seriously wrong and one has to assume that the bad guys have plenty more and are currently using them in a limited, low key fashion.
If Mac OS X was pirated and distributed as widely as Windows is, they certainly would have viruses at this point in history.
exploit
In computer security, an unethical or illegal attack that takes advantage of some vulnerability.
vulnerability
A security exposure in an operating system or other system software or application software component. Before the Internet became mainstream and exposed every organization in the world to every attacker on the planet, vulnerabilities surely existed, but were not as often exploited.
virus
Software used to infect a computer. After the virus code is written, it is buried within an existing program. Once that program is executed, the virus code is activated and attaches copies of itself to other programs in the system. Infected programs copy the virus to other programs.
Just because there are no viruses for Mac OS X doesn’t mean there are no exploits of Mac OS X vunerabilities being used.
Apple needs to do a better job of finding vunerabilities in their software before release and not depend upon the WhiteHat community exclusively.
Apple has billions of dollars in profit, I’m sure they can easily afford the required manpower to secure their software.
Releasing shoddy code and depending upon the community to fix it has it’s drawbacks, the black hats have made a ruin of Mac OS X’s lengendary security.
$10,000 anyone?
Quoted from “Popcorn and Peanuts”
If Mac OS X was pirated and distributed as widely as Windows is, they certainly would have viruses at this point in history.
OS 9 actually had a few known viruses…yes, they were infact viruses that did harm to system files. OS X on the other, having a userbase size that is several folds larger than OS 9… still has 0 viruses so far since its debut in 2001. The market share argument no longer holds true anymore. Its the fact that OS X is designed on a hybrid BSD/UNIX foundation, rather than a closed proprietory NT.
” width=”19″ height=”19″ alt=”wink” style=”border:0;” />
The power of community has so far proven successful hasen’t it? This is the same reason why Linux is preferred by an increasing number of users as opposed to Windows. Communal problem solving is always much greater and powerful than a closed method where only a very few know how the system works, therfore have a harder time finding and retaliating on the exploit.
” width=”19″ height=”19″ alt=”smile” style=”border:0;” />
OS 9 actually had a few known viruses…yes, they were infact viruses that did harm to system files.
OS 9 predated the internet and the early malware for it was transmitted via disk base medium.
When the internet arrived, Apple was pretty much dead and nobody paid any attention to OS 9 in favor of the bountiful Windows machines.
OS X on the other, having a userbase size that is several folds larger than OS 9… still has 0 viruses so far since its debut in 2001.
Malware writers have learned now that if they release a virus for any OS that the repsonse to kill it would be immediate.
Windows took longer to secure because it wasn’t designed for the internet so the malware writers had a larger window to gleam rewards for their efforts. They just took advantage of the time microsoft needed to secure their OS.
Mac OS X on the other hand was designed to resist viruses better, before Windows. But now Microsoft has caught up and now even has less vunerabilities than Mac OS X.
The market share argument no longer holds true anymore. Its the fact that OS X is designed on a hybrid BSD/UNIX foundation, rather than a closed proprietory NT.
Doesn’t matter, it’s the attention to security that matters and the amount of workload required. If it’s a dozen qualified eyes from around the world or a dozen qualified eyes in Redmond or Cupertino. It’s still work, I rather have a command structure where people are motivated by their paycheck and ordered to work to find the bugs, this way it stays in house and not in the public domain.
The power of community has so far proven successful hasen’t it? This is the same reason why Linux is preferred by an increasing number of users as opposed to Windows.
Linux has it advantage because it’s free and more configurable than Windows. Windows has caught up in terms of security.
Communal problem solving is always much greater and powerful than a closed method where only a very few know how the system works, therfore have a harder time finding and retaliating on the exploit.
It’s because not enough qualitifed manpower was employed on the Cupertino end, Microsoft’s problem is that they took so long because of all the different hardware/software they need to support.
I rather not have Mac OS X based upon open source, there is no motivation to disclose. On the other hand in closed source there is, the companies very survival.
OS 9 predated the internet and the early malware for it was transmitted via disk base medium.
OS9 no where near predates the internet. The dot com bubble took place from 1995-1999, and OS9 ‘s introduction was in 1999, well after the internet established a significant role in modern computing. Moreover, early malware was not transmitted only via disk medium…it also transmitted online. There was a virus that was attached to one of the developer’s downloads at version tracker.com, and this explicitly affeced OS 9 through online replication only.
Malware writers have learned now that if they release a virus for any OS that the repsonse to kill it would be immediate.
Windows took longer to secure because it wasn’t designed for the internet so the malware writers had a larger window to gleam rewards for their efforts. They just took advantage of the time microsoft needed to secure their OS.
Actually, even if the response to kill the virus is immediate, that sill does not negate the fact that there are still virus writers who still code malware for Windows. Windows took longer to secure because its NT stack was not mature, due to major restructuring form DOS in the early 90’s…not because it was not designed for the internet. Infact, Microsoft propogated that they invented the internet in the mid 90’s, with the introduction of Windows 95…when the credit in truth goes solely to Netscape.
The reason why Windows is not as secure as OS X goes all the way down to the kernel that both of the operating system run in. Windows runs on the NT kernel, while OS X runs on the Mach kernel
Yes, the NT kernel (uKernel) is faster than the Mach kernel (Hybrid Kernel). There are advantages and disadvantages to both the kernel types though. For example the reason why the NT kernel is faster is because it adresses the hardware directly through a HAL (hardware abstraction layer) layer, therfore all the basic structures like processes, threads, device drivers and etc and also communication stacks…are simultaneously handled by a single object oriented kernel. What is the downside to this? well, It means that its stability is not that tight. Any tampering of the processes at the kernel level, will be enough to bring down the entire operating system during run-time in a flash (BSOD) or otherwise. Another good thing about the NT kernel though its that its portability features are excellent as a result, so it can be translated to other archietechures pretty easily.
The Mach Kernel on the other hand, has its own advantages and disadvantages as well. Ill start with the disadvantage. Because it was originally developed for usage with neXT before OS X, it has the same history timeline as what the NT kernel has. The Mach Kernel function set are kept to a minimum. The way in which the Mach kernel works is such that there is one server to take care of the process management, one for managing memory issues, one for managing drivers, and so on and so forth. The cool thing about the Mach kernel is that it does not run in the main kernel space anymore. Therfore they would need authentification each time a software has to access the root kernel structure. This is where the advantage comes, in that the Mach kernel is more stable and secure than the NT kernel, while sacrificing some speed. This is why OS X is more secure, and much, much more resistant to malware.
Another reason why OS X is more secure than Windows is becuase of the permissions levels. Anyone who uses Windows by default will run at admin level with superuser status. However, anyone by default in OS X, will not get access to root. So every time an application or script has to access root…it will need the admin password…and because of the way that the Mach Kernel works….this wont happen frequently. This is a critical step to ensure security, and this is still not properly implemented in Windows Vista. The UAC, honestly, with a lack of better words…is plain lame. All it does when you run as the default user (admin), is ask you to “cancel” or “allow”…only when you run as a limited user…which 90% of the windows population doesn’t…does it ask you for the system password. Its a good think that Microsoft took this step to ensure better security…but they never did it properly at all…thats the problem.
But now Microsoft has caught up and now even has less vunerabilities than Mac OS X
Not even mate. There are several reasons for this. Firstly, its only been a mere 4 months until Vista was released…and already there are accounts of potential vulnerabilities that steer right at the UAC control. Secondly, as long as Windows continues to carry around unnecessary legacy code….there will always be a vulnerability, and in many cases, an exploit. This is yet another reason why OS X is more secure…because it doesnt carry legacy code from OS 9. Why should Vista support legacy apps and drivers that were intended for Windows 95? Thats just asking for a vulnerability if anything.
Doesn’t matter, it’s the attention to security that matters and the amount of workload required. If it’s a dozen qualified eyes from around the world or a dozen qualified eyes in Redmond or Cupertino. It’s still work, I rather have a command structure where people are motivated by their paycheck and ordered to work to find the bugs, this way it stays in house and not in the public domain.
The “crackers” and the virus writers out there simply take aim at the lowest hanging fruit, nothing more, nothing less…and that fruit is Windows. Its network stack and kernel structure is simply too easy (atleast so far) to take advantage of. Although Vista has stepped it up a bit, this still does not constitute the argument that Windows is now all of a sudden just as safe as OS X (not that you said it…but someone will eventually) .
Think about it….if Apple is touting OS X has having superior security with a virus record of 0…for 6 years in a row…dont you think *some* individual would have attempted to prove Apple wrong, and actually create a virus for OS X? 6 years is a LONG time to prove Apple wrong. Imagine the fame that the individual would get…for creating the first virus for OS X. Why hasen’t anyone stepped up to this challenge, especially with apple having increased its footprint in the market from 05″ onwards? Your argument simply does not make sense, and is flawed from many perspectives.
” width=”19″ height=”19″ alt=”wink” style=”border:0;” />
Linux has it advantage because it’s free and more configurable than Windows. Windows has caught up in terms of security.
Firslty, Windows has NOT caught up yet…saying that would mean they have no exploits so far…when infact Vista already has has one severe expploit which was just recently uncovered of the UAC being hacked and escalating the privelages to gain full system access. Here is the link:
http://www.pcadvisor.co.uk/news/index.cfm?RSS&newsid=9421
See how flawed the UAC really is?
” width=”19″ height=”19″ alt=”smile” style=”border:0;” />
Moreover, what good is security if the operating system is not user customizable to begin with?
Sorry for the long post. Had to make it clear. ;P
Greatest news. I am glad that along grandness you blog is common, as it is really concerning and informal. It is pleasant to me your articles and that that you cause! My felicitations.
Wall Quotes &