All that is wrong with the world…

June 23, 2011

OS X – Safe, yet horribly insecure

Filed under: Security, Tech — allthatiswrong @ 2:48 am


I have had this article planned since the end of 2009 and have had it as a skeleton since then. I wanted to point out the many problems with OS X security and debunk the baseless myth that OS X is somehow more secure. Despite 18 months passing before I managed to finish it, not much seems to have changed. I think I am publishing at an interesting time, however, just as malware for OS X is increasing and Apple are starting to put effort into securing OS X with the soon to be released Lion. There is no FUD in this article, just an analysis of the available evidence and some speculation. My motivation to write this article was the hordes of OS X users who are either blind or have been misled by false advertising into believing OS X is somehow immune to malware and attacks.

It is one of the most prevalent myths among the computer purchasing public, and to a lesser extent those who work in IT, that Apple computers are far more secure than their Windows and perhaps Linux counterparts. The word myth is precisely accurate, as OS X and other Apple software is among the most vulnerable software on consumer devices today. Apple have an appalling attitude towards security which often leaves their users highly vulnerable, while hyping their products as secure simply because they are rarely targeted. Before going further it is important to note the difference between a distributed attack and a targeted attack. A distributed attack is not specific to any one machine or network; it will exploit as many machines as it can that are affected by a particular set of vulnerabilities, of which OS X has had many. An example of a distributed attack is a drive by download, where the target is unknown, but if the target is vulnerable the exploit should work. Distributed attacks are used to infect large numbers of machines easily, which are then generally joined into a botnet to earn cash.

A targeted attack is more specific: a single machine or network is attacked. A targeted attack is not blind and is tailored to the machine being attacked. Distributed attacks such as drive by downloads are impersonal by nature because they must compromise thousands of machines, while the motivation behind a targeted attack tends to be more personal, perhaps to steal confidential files or install some sort of backdoor. The argument always seems limited to distributed attacks, which admittedly are nowhere near the problem they are for Windows. This is more than likely because Apple has a very low market share of PCs, simply making it less than worthwhile to invest in writing software to attack as many machines as possible when money is the motivation. I go into this in further detail in a later section.

Using a Mac may certainly be a safer choice for a lot of people, as despite being vulnerable they are not targeted. However this is not the same as Macs being secure, something Eric Schmidt erroneously advised recently. I may be able to browse impervious to malware on a Mac at the moment, however I personally would not be comfortable using a platform so easily compromised if someone had the motivation to do so. In this article I address just why OS X is so insecure, including the technical shortcomings of OS X as well as Apple's policies as a company that contribute to the situation.

A trivial approach to security

One of the most annoying claims made by OS X (and Linux) users is that the UNIX heritage results in a far more secure design, making it more immune to malware. Nothing could be further from the truth. The UNIX design is significantly less granular than that of Windows, not even having a basic ACL. The UNIX design came from a time when security was less of an issue and not taken as seriously as it is now, and so it does the job only adequately. Windows NT (and later OSes) were actually designed with security in mind and this shows. Windows was not such a target for malware because of a poor security design; it is because the security functionality was never used. When everybody runs as Administrator with no password, the included security features lose almost all meaning. Point for point Windows has a more secure design than OS X, and if used properly the damage can be minimized significantly more on a Windows machine than on an OS X machine, UNIX heritage or not.

A lot of OS X users seem to have this idea that Apple hired only the best of the best when it came to programmers while Microsoft hired the cheapest and barely adequately skilled, which resulted in OS X being a well designed piece of software completely free of vulnerabilities. In reality OS X machines have always been easily exploited and are among the first to be compromised at various security conferences and competitions. The vast majority of exploits that have been publicly demonstrated could have been used to write a successful virus or worm. Given how lax Apple is with security updates and any kind of proactive protection, any prospective attacker would have quite a field day. The only reason this has not happened yet is not because Apple is magically more secure; it's because no one has bothered to take the opportunity. It isn't like no OS X viruses exist. Even without the poor approach Apple takes to security, there would be no basis for claiming the design of OS X is more secure than that of other platforms.

Apple is generally months behind in fixing publicly disclosed vulnerabilities, often only doing so before some conference to avoid media reporting. They often share vulnerabilities with core libraries in other UNIX-like systems, Samba and Java being two examples. They are extremely difficult to deal with when trying to report a vulnerability, seemingly not having qualified people to accept such reports. Even if they do manage to accept a report and acknowledge the importance of an issue, they can take anywhere from months to a year to actually fix it properly.

People always get caught up in the hype surrounding viruses and how OS X is seemingly impervious, while forgetting that viruses are not the only type of threat. Personally, malware is a minor threat for me, with the impact being negligible as long as you follow basic security practices and can recognize when something looks out of place. The idea of someone targeting me specifically on a network, either because the platform is so vulnerable that it is child's play or because they want something from my machine, is far more worrying. This is significantly harder to protect against on OS X when you can't rely on the manufacturer to issue patches in anything resembling a prompt timeframe, or even to acknowledge that vulnerabilities exist. Given that this is the Apple philosophy, it is hard to pretend to be safe on an Apple machine.

Examples and details

Every OS except OS X has a full implementation of ASLR, stack canaries, executable space prevention, sandboxing and, more recently, mandatory access controls. OS X doesn't even try to implement most of these basic protections, and the ones it does implement, it implements poorly. I don't understand why security folk use OS X at all, given its plethora of problems. Yes, they are pretty, and yes it is UNIX, and yes you are very safe using it, but given that security folks tend to be working on various exploits and research that they would want to keep private, using a platform so vulnerable to targeted attacks would not seem to be the smartest move.

Apple to date do not have a proper DEP or ASLR implementation, two well known technologies that have been implemented in other OSes for the last five years. Apple did not bother to implement DEP properly except for 64-bit binaries, and even then there was no protection on the heap even if it was marked as non-executable. Apple technically implements ASLR, but in such a limited way that they may as well not have bothered. The OS X ASLR implementation is limited to library load locations. The dynamic loader, heap, stack and application binaries are not randomized at all. Without randomizing anything except library load locations their implementation is useless, aside from perhaps preventing some return-to-libc attacks. We can see using the paxtest program from the PaX team (the same team who initiated ASLR protections on PCs) that OS X fails most of these tests (Baccas P, Finisterre K, H. L, Harley D, Porteus G, Hurley C, Long J. 2008). Apple's decision not to randomize the base address of the dynamic linker DYLD is a major failing from a security point of view. Charlie Miller has demonstrated how a ROP payload can be constructed using only parts of the non-randomized DYLD binary. Snow Leopard unfortunately did not improve on things much, except to add DEP protection to the heap, still only for 64-bit applications. This means that most of the applications that ship with OS X (including browser plugins) are far easier to attack than applications on pretty much any other platform.
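To make the paxtest-style measurement concrete, here is an added Python example (not code from the article, and not paxtest itself) that shows how a defender can tell which regions an ASLR implementation actually randomizes. The idea is to run a small probe repeatedly, record where the stack, heap, main binary, dynamic loader and a shared library landed each time, and count the address bits that ever change. The `name=0xADDR` probe output format and the sample runs are constructed for the example; the sample mimics the situation described above, where only the library base moves.

```python
"""paxtest-style estimate of how many address bits each memory region randomizes.

A region that reports 0 bits is mapped at the same address on every run and
therefore hands an attacker a stable base for return-oriented payloads.
"""
import re

# Regions a probe reports, in the order the article discusses them.
REGIONS = ("stack", "heap", "binary", "dyld", "libc")

# Constructed output of five runs of a hypothetical probe on a pre-Lion OS X
# system: only the libc base changes; stack, heap, binary and dyld are fixed.
SAMPLE_RUNS = [
    "stack=0x00007fff5fbff8c0 heap=0x0000000100100080 binary=0x0000000100000000 dyld=0x00007fff5fc00000 libc=0x00007fff8a1c4000",
    "stack=0x00007fff5fbff8c0 heap=0x0000000100100080 binary=0x0000000100000000 dyld=0x00007fff5fc00000 libc=0x00007fff8b2d5000",
    "stack=0x00007fff5fbff8c0 heap=0x0000000100100080 binary=0x0000000100000000 dyld=0x00007fff5fc00000 libc=0x00007fff89e10000",
    "stack=0x00007fff5fbff8c0 heap=0x0000000100100080 binary=0x0000000100000000 dyld=0x00007fff5fc00000 libc=0x00007fff8a7f2000",
    "stack=0x00007fff5fbff8c0 heap=0x0000000100100080 binary=0x0000000100000000 dyld=0x00007fff5fc00000 libc=0x00007fff8bc03000",
]

_FIELD = re.compile(r"(\w+)=(0x[0-9a-fA-F]+)")


def parse_run(line):
    """Turn one 'name=0xADDR ...' probe line into a {region: int} mapping."""
    found = {name: int(addr, 16) for name, addr in _FIELD.findall(line)}
    missing = [r for r in REGIONS if r not in found]
    if missing:
        raise ValueError(f"probe output lacks regions: {missing}")
    return found


def randomized_bits(runs):
    """Per region, count the address bits that differ across all runs.

    XOR against the first run marks the bits that changed; OR-ing those masks
    over every run accumulates every bit that ever moved.  The popcount of the
    mask is a lower bound on the entropy applied (more runs tighten the bound).
    """
    parsed = [parse_run(r) for r in runs]
    first = parsed[0]
    result = {}
    for region in REGIONS:
        mask = 0
        for run in parsed[1:]:
            mask |= run[region] ^ first[region]
        result[region] = bin(mask).count("1")
    return result


def verdict(bits, minimum=8):
    """Classify each region as 'fixed', 'weak' (fewer than minimum bits) or 'randomized'."""
    out = {}
    for region, n in bits.items():
        if n == 0:
            out[region] = "fixed"
        elif n < minimum:
            out[region] = "weak"
        else:
            out[region] = "randomized"
    return out


if __name__ == "__main__":
    bits = randomized_bits(SAMPLE_RUNS)
    for region, status in verdict(bits).items():
        print(f"{region:7s} {bits[region]:2d} bits  {status}")
```

On the constructed sample every region except `libc` comes back as `fixed`, which is exactly the finding the paragraph above attributes to paxtest on OS X: a fixed DYLD or binary base is all a ROP chain needs. Feed it real probe output (one line per run, same `name=0xADDR` layout) to measure a live system, and use more runs than five if you want the bit count to approach the loader's true entropy.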

The firewall functionality in OS X is impressive, but hardly utilized. The underlying technology, ipfw, is powerful and more than capable of protecting OS X from a wide variety of threats, yet Apple barely utilizes it. The OS X firewall is disabled by default and application based, meaning the system is still vulnerable to low level attacks. Even when the option to block all incoming connections was set it didn't actually do this, still allowing incoming connections for anything running as the root user, with none of those listening services being shown in the user interface.

Apple introduced rudimentary blacklisting of malware in Snow Leopard via XProtect.plist. It works by having certain applications set an extended attribute on the files they download, which indirectly triggers scanning of the file. However, many applications such as IM or torrent clients do not set the extended attribute, so the XProtect functionality is never triggered. A fine example of this is the iWork trojan, which was distributed through torrents and never triggered XProtect. At the moment it can only detect very few malware items, although in response to the MacDefender issue the list is now updated daily. Only hours after Apple's update to deal with MacDefender was released, a new version that bypasses the protection was discovered, highlighting the shortcomings of the XProtect approach. Since it relies on an extended attribute being set in order to trigger scanning, any malware writer will target avenues of attack where this attribute will not be set, and for drive by download attacks it is completely useless. Still, it is a good first step for Apple in acknowledging the growing malware problem on OS X and starting to protect their users.
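Because XProtect only looks at files carrying the quarantine attribute, a useful defender check is to find the downloads that never got it and so were never scanned. The following Python script is an added example (not Apple's code and not from the article) that reads `com.apple.quarantine` with the macOS `xattr -p` command and lists untagged files. The `flags;timestamp;agent;uuid` field layout used by `parse_quarantine` is my reading of values seen on 10.6 systems, not something the article documents, and the sample attribute values are constructed.

```python
"""Audit a download folder for files that never carried the quarantine attribute.

Files downloaded by a browser are tagged with com.apple.quarantine and get
scanned by XProtect.  Files fetched by a torrent client, IM transfer or similar
untagged path are never scanned, so they deserve a second look.
"""
import os
import subprocess
import sys

QUARANTINE_ATTR = "com.apple.quarantine"


def read_quarantine_xattr(path):
    """Return the raw quarantine attribute via the macOS xattr tool, or None if absent."""
    proc = subprocess.run(["xattr", "-p", QUARANTINE_ATTR, path],
                          capture_output=True, text=True)
    return proc.stdout.strip() if proc.returncode == 0 else None


def parse_quarantine(value):
    """Split 'flags;timestamp;agent;uuid' into its fields.

    Assumed layout: hex flags, hex seconds since the epoch, name of the
    application that downloaded the file, and an event UUID.
    """
    parts = value.split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    return {
        "flags": int(parts[0], 16),
        "timestamp": int(parts[1], 16),
        "agent": parts[2],
        "uuid": parts[3] if len(parts) > 3 else "",
    }


def audit_folder(paths, reader=read_quarantine_xattr):
    """Classify each file as tagged (recording which app tagged it) or untagged."""
    tagged, untagged = {}, []
    for path in paths:
        value = reader(path)
        if value is None:
            untagged.append(path)
        else:
            tagged[path] = parse_quarantine(value)["agent"]
    return {"tagged": tagged, "untagged": untagged}


# Constructed stand-in for xattr results on a Downloads folder: one file saved
# by Safari (tagged) and one pulled down by a torrent client (no attribute).
FAKE_XATTRS = {
    "/Users/alice/Downloads/report.pdf": "0081;4e0a1b2c;Safari;9F0A2C1E-4B55-4D6E-8A31-0F3D2B1C9E77",
    "/Users/alice/Downloads/freebie.dmg": None,
}


def demo():
    """Run the audit against the constructed sample instead of the real filesystem."""
    return audit_folder(FAKE_XATTRS.keys(), reader=FAKE_XATTRS.get)


if __name__ == "__main__":
    if sys.platform == "darwin":
        folder = os.path.expanduser("~/Downloads")
        files = [os.path.join(folder, f) for f in os.listdir(folder)]
        result = audit_folder(files)
    else:
        result = demo()
    for path, agent in result["tagged"].items():
        print(f"tagged by {agent:10s} {path}")
    for path in result["untagged"]:
        print(f"NEVER SCANNED        {path}")
```

The `reader` parameter exists so the same audit logic runs against the constructed sample on any platform; on a Mac the default reader shells out to `xattr`. Anything in the "never scanned" list is a candidate for a manual scan, which is the gap the paragraph above describes.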

It has been a shame to see the sandboxing functionality introduced in Leopard not being utilized to anywhere near its full capacity. Apple are in a unique position where, by controlling both the hardware and the operating system, they have created a truly homogeneous base environment. It would be very easy to have carefully crafted policies for every application that ships with the base system, severely limiting the damage that could be caused in the event of an attack. They could go even further and import some of the work done by the SEDarwin team, allowing for even greater control over applications. They would not have to present this to the user, and would probably prefer not to, yet doing so would put them far ahead of all the other operating systems in terms of security at this point.

Security wise, Apple is at the same level as Microsoft in the early 90's and early 2000's: continuing to ignore and dismiss the problems without understanding the risks, and not even bothering to implement basic security features in their OS. With an irresponsible number of setuid binaries, unnecessary services listening on the network with no default firewall, useless implementations of DEP and ASLR, and a very poor level of code quality with many programs crashing under a trivial amount of fuzzing, Apple are truly inadequate at implementing security. This still doesn't matter much as far as distributed attacks go, at least not until Apple climbs higher in market share, but I really dislike the idea of someone being able to own my system just because I happened to click on a link. At least with Apple giving regular updates via XProtect and including a Malware help page in Snow Leopard we have evidence that they are starting to care.
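The "irresponsible number of setuid binaries" is something a defender can at least keep an eye on. The Python script below is an added example (not from the article or from Apple) that inventories setuid and setgid binaries under the usual system directories and diffs the result against a saved baseline, so a newly appeared privileged binary or a changed mode gets flagged. The directory list, the baseline file name and the sample baseline data are assumptions for the example.

```python
"""Inventory setuid/setgid binaries and diff them against a saved baseline.

Every setuid binary is a privilege boundary, and a new one appearing after a
one-time escalation is a classic way for malware to keep root.  Knowing the
full list, and being told when it changes, is the minimum a defender wants.
"""
import json
import os
import stat


def is_privileged_mode(mode):
    """True for a regular file with the setuid or setgid bit set."""
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))


def setuid_inventory(roots):
    """Walk the given directories and return {path: octal mode} for privileged files."""
    found = {}
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)  # lstat: do not follow symlinks
                except OSError:
                    continue  # unreadable or vanished; skip it
                if is_privileged_mode(st.st_mode):
                    found[path] = oct(stat.S_IMODE(st.st_mode))
    return found


def compare_to_baseline(baseline, current):
    """Report privileged binaries that appeared, disappeared or changed mode."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current)
                     if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


# Constructed baseline and a constructed later scan: a new setuid binary has
# appeared under /usr/local/bin, /bin/ps gained setgid, and /usr/bin/passwd
# is no longer privileged.
BASELINE = {"/usr/bin/passwd": "0o4755", "/usr/bin/sudo": "0o4755", "/bin/ps": "0o4755"}
LATER_SCAN = {"/usr/bin/sudo": "0o4755", "/bin/ps": "0o6755",
              "/usr/local/bin/helper": "0o4755"}

# Assumed directories to scan and baseline location; adjust to taste.
SCAN_ROOTS = ["/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/libexec"]
BASELINE_FILE = "setuid-baseline.json"


if __name__ == "__main__":
    current = setuid_inventory(SCAN_ROOTS)
    if os.path.exists(BASELINE_FILE):
        with open(BASELINE_FILE) as fh:
            print(json.dumps(compare_to_baseline(json.load(fh), current), indent=2))
    else:
        with open(BASELINE_FILE, "w") as fh:
            json.dump(current, fh, indent=2)
        print(f"wrote baseline with {len(current)} privileged binaries")
```

Run it once to record the baseline, then periodically to see the diff; on the constructed sample the comparison reports `/usr/local/bin/helper` as added, `/usr/bin/passwd` as removed and `/bin/ps` as changed. The inventory only records files whose bits are set, so a binary that loses its setuid bit shows up under "removed" rather than "changed".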

An appalling record

A great example of Apple's typical approach to security is the Java vulnerability that, despite allowing for remote code execution simply by visiting a webpage, Apple left unpatched for more than six months, only releasing a fix when media pressure necessitated that they do so. When OS X was first introduced the system didn't even implement shadow file functionality, using the same password hashing AT&T used in 1979 and simply relying on obscuring the password via a pretty interface. This is indicative of the attitude Apple continues to have to this very day: a horribly insecure design for the sake of convenience and aesthetics, only changing when pressure necessitates it. One of the most interesting examples of this is that regularly, before the pwn2own contests where Apple's insecurity is put on display, they release a ton of patches. Not when they are informed of the problem and users are at risk, but when there is a competition that gets media attention and may result in them looking bad.

Being notoriously hard to report vulnerabilities to does not help either. If a company does not want to hear about problems that put their machines, and thus their customers, at risk, it is hard to say that they are taking security seriously. As things stand, if you try to report a vulnerability to Apple it will likely be rejected with a denial; after retrying several times it may be accepted, and a patch may be released any number of weeks or months later. Apple still have a long way to go before demonstrating they are committed to securing OS X rather than maintaining an image that OS X is secure. Having a firewall enabled by default would be a start, something Windows has had since XP. Given the homogeneous nature of OS X this should be very easy to get off the ground, and it may well be the case with Lion.

The constantly misleading commercials are another point against Apple, telling users that OS X is secure and does not get viruses (implying that it cannot) or have any security problems whatsoever. Not only do they exaggerate the problem on Windows machines, they completely ignore the vulnerabilities OS X has. The most recent evidence of Apple's aforementioned attitude can be seen in their initial response to the MacDefender malware. Rather than address the issue and admit that a problem exists, they kept their heads in the sand, even going so far as to instruct employees not to acknowledge the problem. To their credit, Apple did change their approach a few days later, issuing a patch and initiating a regularly updated blacklist of malware. Their blacklist implementation has flaws, but it is a start.

As much as users and fans of Apple may advocate the security of OS X, it is very important to note that OS X has never implemented particularly strong security, has never had security as a priority, and is produced by a company that has demonstrated over and over that security is a pain which they would rather ignore, leaving their users at risk rather than acknowledging a problem.

Malware for OS X increasing

It's true that doomsday for OS X has long been predicted, although the predictions have always lacked a precise time reference. An article by Adam O'Donnell used game theory to speculate that market share is the main factor in malware starting to target a platform, the result of a tradeoff between a lack of protection and a high enough percentage of users to take advantage of to make the investment worthwhile. The article made the assumption that all PCs were using AV software and assumed an optimistic 80% detection success rate. If the PC defense rate were higher, then OS X would become an attractive target at a much lower market share. According to the article, if PC defenses were at around 90% accuracy, then OS X would be a target at around 6% market share. The estimated percentage from the article is just under 17%, and just as some countries have reached around that number we are starting to see an increase in malware for OS X. It may be a coincidence, but I will not be surprised if the trend continues. Given Apple's horrid security practices and insecurity it's going to increase quite noticeably unless Apple changes their act. Aside from market share, another important factor is the homogeneity of the platform, making OS X an ideal target once the market share is high enough.

A lot of people are saying they will believe the time for OS X has come when they see an equivalent to a Code Red type of worm, except that this is never going to happen. Worms shifted from being motivated by fame to having a financial motivation, with the most recent OS X malware being linked to crime syndicates. With the security protections available in most OSes these days (aside from OS X) being more advanced, it takes more skill to write a virus that infects at the scale of something like Code Red, and the people who do have that skill are not motivated to draw attention to themselves. These days malware is purely about money, with botnets going out of their way to hide themselves from users. Botnets on OS X have been spotted since 2009, and OS X is going to be an increasing target for these types of attacks without ever making the headlines as Windows did in the 90's.

Another contributing factor that should not be overlooked is the generally complacent attitude of OS X users towards securing their machines. Never having faced malware as a serious threat, and being shoveled propaganda convincing them that OS X is secure, most OS X users have no idea how to secure their own machines, with many unable to grasp the concept that they may be a target for attack. The MacDefender issue already showed how easy it is to infect a large number of OS X users. Windows users are at least aware of the risk and will know to take their computer in to get fixed or to run an appropriate program, whereas it seems OS X users simply deny the very possibility. As Apple's market share increases, the ratio of secure users to vulnerable users continues to slide further apart. With more and more people buying Apple machines and not having any idea how to secure them, or that they even should, there are that many more easy targets. Given the insecurity of OS X and the naivety of the users, I do think it is only a matter of time before OS X malware becomes prevalent, although not necessarily in a way that will make the news. This means the problem is going to get worse, as users are going to keep getting infected and not realize it while believing their machines are clean and impervious to risk.

People also have to get over the idea that root access is needed for malware to be effective. Root access is only needed if you want to modify the system in some way so as to avoid detection. Doing so is by no means necessary, however, and a lot of malware is more than happy to operate as a standard user, never once raising an elevation prompt while silently infecting or copying files, sending out data, doing processing, or whatever malicious thing it may do.

Macs do get malware, even if it is a significantly smaller amount than there is for Windows. Given the emergence of exploit creation kits for OS X, malware is inevitably going to increase for OS X. Even if it never gets as bad as it was for Windows in the 90's, it is important not to underestimate the threat of a targeted attack. Rather than encouraging a false sense of security, Apple should be warning users that it is a potential risk and teaching users how to look for signs and deal with it. The Malware entry in the Snow Leopard help is a small step in the right direction. There isn't much Apple can do to prevent targeted attacks, except maybe fixing their OS and being proactive about security in the first place.

Much room for improvement

One thing OS X did get right was making it harder for key loggers to work. As of 10.5 only the root user can intercept keyboard events, so any app making use of EnableSecureEventInput should theoretically be immune to key logging. Of course, if remote code execution is possible then that is a very minor concern. This requires the developer to specifically make use of that function, which is automatic for Cocoa apps using an NSSecureTextField. This does not completely prevent keyloggers from working, as applications not making use of that functionality will be vulnerable to keylogging, such as was the case with Firefox and anything not using a secure text field. And given the propensity of privilege escalation attacks on OS X, it would not be hard to install a keylogger as root. However this is a great innovation and something that I would like to see implemented in other operating systems.

Apple asked security experts to review Lion, which is a good sign, as long as they actually take the advice and implement protections from the ground up. Security is a process which needs to be implemented from the lowest level, not just slapped on as an afterthought as Apple have tended to do in the past. I think the app store in Lion will be interesting. If Apple can manage to control the distribution channels for software, then they will greatly reduce the risk of malware spreading. At the moment most software is not obtained via the app store and I don't ever expect it to be; still, the idea of desktop users being in a walled garden would be one approach to solving the malware problem.

Lion is set to have a full ASLR implementation (finally), including all 32-bit applications and the heap. With more extensive use of sandboxing as well, it looks like Apple is starting to actually lock down their OS, which means they understand the threat is growing. It will be interesting to see if Apple follows through on the claims made for Lion, or if they fall short much like what happened with Snow Leopard. Personally I think Lion is going to fall short while the malware problem for OS X gets serious, and it won't be until 10.8 that Apple takes security seriously.

Update 1 – June 28th 2011

Fixed minor grammatical mistakes.

It is amazing the knee-jerk response I have seen to this article, where people start saying how there are no viruses for OS X, which is something I acknowledge above. I guess people don't care if they are vulnerable as long as there are no viruses? Then people start attacking the claim that OS X has no ACL, which is a claim I never made. I guess the truth hurts, and attacking men made of straw helps to ease the pain.


  1. A list of OS X vulnerabilities.
  2. Eric Schmidt on OS X.
  3. A list of OS X viruses from Sophos.
  4. Baccas P, Finisterre K, H. L, Harley D, Porteus G, Hurley C, Long J, 2008. OS X Exploits and Defense, pp. 269-271.
  5. Charlie Miller's talk on Snow Leopard security.
  6. Apple releases an update to deal with MacDefender.
  7. A variant of MacDefender appeared hours after Apple's update was released. Charlie Miller talking about setuid programs in OS X.
  8. Apple taking 6 months to patch a serious Java vulnerability.
  9. Apple using password hashing from 1979 in lieu of a shadow file.
  10. Misleading commercial 1.
  11. Misleading commercial 2.
  12. Misleading commercial 3.
  13. Apple representatives told not to acknowledge or help with OS X malware 1.
  14. Apple representatives told not to acknowledge or help with OS X malware 2.
  15. Adam O'Donnell's article: When Malware Attacks (Anything but Windows).
  16. OS X market share by region.
  17. MacDefender linked to crime syndicates.
  18. Many users hit by MacDefender.
  19. The first exploit creation kits for OS X have started appearing.
  20. First OS X botnet discovered.
  22. A Firefox bug report about a vulnerability to keylogging.
  23. Apple letting security researchers review Lion.

Update 2 – August 17 2011

A delayed update, but it is worth pointing out that this article is basically out of date. Apple has indeed fixed most of the problems with security with their release of Lion. At least this article is an interesting look back, and shows why Mac users should upgrade to Lion and not trust anything before it. Despite Lion being technically secure, it is interesting to note that Apple's security philosophy is still lackluster. Here is an interesting article on the lessons Apple could learn from Microsoft, and an article showing just how insecure Apple's DHX protocol is, and why the fact it is deprecated doesn't matter.


  1. If you have access to the Lion pre-release, I suggest you look at (soon mandatory for all Mac App Store apps) and linked documentation.

    Also: do we have good numbers for the MacDefender infection?

    Comment by millenomi — June 25, 2011 @ 5:44 am

  2. I think you mean that *nothing* could be further from the truth; right? Because the statement in question is so far from the truth that it’s really really really untrue.

    Comment by Tony — June 25, 2011 @ 6:27 am

    • Many of the statements in this article are true. That doesn’t mean Mac OS X is absurdly insecure for everyday use (indeed, it doesn’t have, say, Windows’s penchant for allowing code injection) but many of these are valid points that Apple needs to address (and has started to address more aggressively in Lion).

      I can however say the tone of the article could be a little less alarmist, though. For instance: it says that key loggers can capture passwords from non-secure fields, but omits the fact that there is basically no app today that accepts passwords in nonsecure fields. Or that the no-keylogging API can be triggered at will by apps (see the Terminal app menu, for instance). Or that, as-shipped, the OS will generally have all the security features (eg the improved security for 64-bit apps — in SL, all shipped apps are 64-bit capable and all Macs sold in the last few years have 64-bit CPUs; and that the biggest security hole in the whole thing — still-32-bit Flash — is not shipped with the OS).

      That is, this is an “accentuate-the-negative” article that takes a valid point and spins it quite a bit, even though most underlined points are indeed legitimate concerns.

      Comment by millenomi — June 25, 2011 @ 7:02 am

      • Er, “all the security features that are dismissed as unavailable to certain apps”, sorry.

        Comment by millenomi — June 25, 2011 @ 7:03 am

      • I think he means that the author got the figure of speech mistaken. The figure of speech is ‘nothing could be further from the truth’, meaning something is very untrue. When you say ‘anything could be further from the truth’ you are saying it is very true, i.e. that UNIX is very secure. Which contradicts the author's previous sentence that it is not secure.

        Comment by Cris — June 25, 2011 @ 9:11 pm

    • Yep, I don’t know how I made such a simple mistake. Thanks for pointing it out, I’ll fix it now.

      Comment by allthatiswrong — June 27, 2011 @ 11:12 pm

  3. Mac OS X is no more insecure than Windows (the most insecure of all as history has shown). I think Apple has taken security seriously, though they still have some work to do. I think the advantage Apple has, is the foundation in which Mac OS X was built (BSD/Unix). The folks at Bell Labs took security rather seriously in the ’70s and something the BSD community in particular focus on. I mean, a systems engineer from the University of Wisconsin placed a Mac into the wild (on the internet) and challenged anyone to hack into it and he even published the options in which to do so and it went unhacked for 2 days before the challenge was canceled (back in 2006). I’m not saying I believe that Mac OS X is unhackable as I believe there is no such thing as unhackable no matter what operating system it may be.

    Comment by JuggerNaut — June 25, 2011 @ 8:46 am

    • You do realize that unsubstantiated remarks on the Unix security model and appeal-to-tradition do not refute any of the points in the article, right?

      Comment by evinfinite — June 25, 2011 @ 9:11 am

      • But the problem with the article is that it’s biased towards Windows and claims that Microsoft had security in mind for Windows NT without providing any examples of what that is exactly doesn’t hold much water. In fact, Windows NT can trace its roots back to VMS (another operating system developed in the ’70s by DEC) and so whatever security Microsoft did have in mind was ultimately inspired by the security implementations found inside VMS (not invented at Microsoft). But the reality is, Unix (in general: System V, BSD & Linux, etc..) has shown to have a better security track record than Windows (whatever underlying flavor: DOS or NT) and all you have to do is Google on the subject to read and see for yourself.

        Comment by JuggerNaut — June 25, 2011 @ 12:16 pm

        • The article mentions ACLs as an example quite clearly. Most *nix-like OSes do not support ACLs at all, and the ones that do, generally have it available as a kernel-patch, rather than something that was designed into the kernel from the start (hence, not ‘by design’).
          Even if Windows’ security design is partly based on VMS, it is still part of the Windows security design, so the VMS heritage is irrelevant in this respect.

          Comment by Scali — June 25, 2011 @ 12:34 pm

          • You’ll (and this article) need to be more specific in the realm of ACLs as most operating systems incorporate similar implementations of the concept.


            Comment by JuggerNaut — June 25, 2011 @ 1:24 pm

            • No we don’t. It’s quite clear how Windows applies ACLs throughout the system. It’s very well-documented.
              It’s also clear how OS X (and similar OSes, such as *BSD or linux) do not use ACLs, but merely classic *nix filesystem permission bits.

              It is beside the scope of the article to get into the differences in detail. If you don’t know the differences, you can look them up.
              If you want to deny that there are differences between Windows and OS X in this respect, then the burden of proof is on you.

              Comment by Scali — June 25, 2011 @ 1:29 pm

              • But it’s so much easier to change the subject and attempt to bury your argument in non-sequiturs and minutae! =D

                Comment by Kitty — June 30, 2011 @ 2:13 pm

            • Oh, and if you want to argue “You can do the same with *nix groups as with ACLs”… don’t.
              Then you obviously don’t get it, like most kids who have just installed their first linux distribution on their daddy’s PC. Try thinking a bit larger, like an organization with dozens of departments and thousands of employees.

              Comment by Scali — June 25, 2011 @ 1:32 pm

              • I am familiar with Microsoft’s implementation of ACL (got rather acquainted in college during a semester learning the ins and outs of Windows Server 2003), so you can stop right there. The problem with this article is that it throws around a bunch of techno gobble goop without providing good historical comparisons between Windows and Unix (over the lifetime of both operating systems).

                This article suffers from what the article below calls out…


                Comment by JuggerNaut — June 25, 2011 @ 1:50 pm

                • I disagree with that.
                  The article actually does provide some comparisons (ACLs, ASLR, DEP, to name but a few). Not quite sure where the historical content would be relevant however, as the article focuses on the state of security available in OS X *today*, compared to other OSes.

                  It sounds more like you are throwing a bunch of criticism gobble goop around, without providing a technical argument.

                  Comment by Scali — June 25, 2011 @ 2:31 pm

                    • What a pointless discussion. Who cares how good an implementation of ACLs you have? It doesn’t matter if the default is to *not apply them*. In every Windows OS it is still much too easy to write to an application executable file. Even with Win7 UAC, the windows pop up so often that the average user just keeps clicking.

                    Whether or not Unix file permissions provide more granularity than Windows ACLs is largely irrelevant to system security, though very relevant to system management, as others have pointed out. The simple fact is that on most (all?) Unix implementations, /bin, /etc, /sbin, /usr/bin and /usr/sbin and so on have nothing that is writable by non-root users. And there are usually only one or two programs that need to have write access to them. That limitation means that anything that pops up a window asking for your password to give write access makes you think, “Hang on, why do you want / need that?” The model might be simple, but it has been there forever and so backwards compatibility means enforcing it, not providing work-arounds to selectively disable it. As long as Windows panders to legacy applications that assume they can write to %PROGRAMFILES%, it will be insecure by design.

                    Comment by Tom — June 27, 2011 @ 8:04 am
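A practitioner reading Tom’s comment above would want to verify the claim (“nothing in /bin, /etc, /sbin, /usr/bin and /usr/sbin is writable by non-root users”) on their own box rather than take it on faith. The following is an added Python audit, not code from the post or from either operating system; the directory list is an assumption, and the throwaway tree that `sample_tree()` builds is constructed test data.

```python
"""Audit: is anything below the classic UNIX system directories writable by
someone other than root? Added example; SYSTEM_DIRS is an assumed list."""
import os
import stat
import tempfile

SYSTEM_DIRS = ("/bin", "/sbin", "/etc", "/usr/bin", "/usr/sbin")


def writable_by_others(path, trusted_uids=(0,)):
    """True if the entry's mode bits grant write to group or world, or if it
    is owned by an untrusted uid (an owner can always chmod it back).
    trusted_uids=None means "root plus whoever runs the audit", which is
    convenient when checking a scratch tree as an unprivileged user.
    Symlinks are skipped: their own mode bits mean nothing, and the target
    is examined where it actually lives."""
    if trusted_uids is None:
        trusted_uids = (0, os.getuid())
    st = os.lstat(path)  # the mode bits live in the inode, so lstat is enough
    if stat.S_ISLNK(st.st_mode):
        return False
    if st.st_uid not in trusted_uids:
        return True
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit(dirs=SYSTEM_DIRS, trusted_uids=(0,)):
    """Walk each tree without following symlinks and return the sorted list
    of entries that fail the check. Entries we cannot stat are skipped."""
    findings = []
    for top in dirs:
        if not os.path.isdir(top):
            continue
        for root, subdirs, files in os.walk(top):
            for name in subdirs + files:
                path = os.path.join(root, name)
                try:
                    if writable_by_others(path, trusted_uids):
                        findings.append(path)
                except OSError:
                    continue
    return sorted(findings)


def sample_tree():
    """Constructed test data: a scratch directory holding one correctly
    locked-down file and one that is world-writable.
    Returns (root, good_path, bad_path)."""
    root = tempfile.mkdtemp(prefix="perm-audit-")
    good = os.path.join(root, "ls")
    bad = os.path.join(root, "passwd")
    for path, mode in ((good, 0o755), (bad, 0o777)):
        open(path, "w").close()
        os.chmod(path, mode)
    return root, good, bad


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

Run it as is to list offending paths on a live system; an empty result is what Tom’s description of the UNIX defaults predicts. The uid rule matters as much as the mode bits: a root-owned file with mode 644 is fine, but a mode 644 file owned by an ordinary account in /usr/bin is a finding, because that account can chmod it and replace the binary.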

                    • Guess what? Since Windows Vista, the same applies to Windows by default: only admins can write to most places. And you say it yourself: most linux distros still pop up a password asking for the root password. How is that not a work-around to selectively disable security?
                      Since Windows 7, applications that want to write to Program Files will actually silently be sandboxed into their private filestore in the local user dir. You are horribly out-of-date. This means that:
                      1) No admin rights are required, and the user does not get a popup. So no security is sacrificed.
                      2) The application still gets no access to the REAL Program Files, it merely sees a virtual sandboxed version of it. So no security is sacrificed.

                      And no, you are completely wrong about “insecure by design”. Legacy applications that write to places they shouldn’t write to (as Microsoft has *always* documented) are a user error (in this case developers being the users of the system), not a design error.

                      Comment by Scali — June 28, 2011 @ 3:49 am

                  • OH YEAH!!! Go get em! Woot! Woot!

                    Comment by da808wiz — June 27, 2011 @ 4:42 pm

              • ACLs are based on MS-only network based security models for single user computers, or multi-user computers on generic networks, but not only have they never been used as needed, but they have been thwarted by MS and other software companies that require full access to computer resources for their software. For example, IE and Outlook. Likewise, Unix network security has a different model but ends up like ACL, particularly if you add in SELinux and/or AppArmor.

                Comment by John Fro — June 27, 2011 @ 1:45 pm

                • “Never been used as needed”?
                  Wow, I guess you’ve never set foot in an actual organization with a Windows NT-based office network? (Which is what, 90% of all offices?)
                  Ever since the early days of NT, network administrators have set up the security in Windows quite nicely with ACLs, allowing only limited access to users on their own computers (think public workstations and roaming profiles, for example, such as in university lab rooms or libraries), and having file servers for the entire organization, where each employee can only see and access the documents he or she is entitled to.
                  Unix network security cannot do that. I should know, I was hired to upgrade a Unix-based security system to an ACL-based one for a large university that had trouble managing rights (one example: sensitive information such as salaries should only be accessed by that department, but not by anyone else, not even their superiors, even though in every other way, they have more rights in the computing environment. Unix is only ‘opt-in’ (allow), they needed ‘opt-out’ (deny)).

                  Comment by Scali — June 28, 2011 @ 3:56 am

                  • Whitelist vs Blacklist, which one is more secure ?

                    Comment by goarilla — August 9, 2011 @ 10:37 am

                    • Neither, that’s the point.
                      Whitelisting too much is just as insecure as blacklisting too little.

                      Comment by Scali — August 10, 2011 @ 9:57 am

                    • Whitelisting (deny by default) is more secure than Blacklisting (allow by default), however I don’t really see the relevance of asking such a question?

                      Comment by allthatiswrong — August 10, 2011 @ 8:09 pm

              • POSIX ACLs have been implemented for quite some time Scali!
                And let’s be fair, ASLR and DEP (Microsoft’s technique of utilising NX|XD)
                were also implemented as an afterthought (patched), i.e. not part of the “DESIGN”.

                Comment by goarilla — August 9, 2011 @ 10:29 am

                • You cannot blame Microsoft for not implementing DEP sooner, as it requires hardware support.
                  The lack of an NX/XD bit was a deficiency in x86 hardware.

                  Comment by Scali — August 10, 2011 @ 9:54 am

                  • True. Can we then please say: NT technology was designed with (some) security in mind
                    enforced by ACLs and not throw recent innovations in that ‘design plan’. Of course it could have been my
                    misinterpretation that led to these posts.

                    If it is I apologise and will try to cowardly hide behind the ‘english is not my first language’-cloak 😀

                    Comment by goarilla — August 11, 2011 @ 2:08 am

                    • allthatiswrong and I did not use the “secure by design” argument.
                      It is a commonly heard argument, that is clearly wrong. How secure an OS is, depends a lot on when it was designed.
                      The rest is about evolution.

                      But since we *don’t* argue about the ‘design’, but rather the state-of-the-art of the OSes today, clearly recent innovations are also relevant.

                      Comment by Scali — August 11, 2011 @ 3:33 am

                • Also, the point was not that POSIX ACL’s haven’t been around…
                  The point is that they were not part of the original UNIX design, so it does not fit the “UNIX security by design”-mantra.
                  ACLs *were* part of the original Windows NT design.

                  As a side-effect, ACLs continue to be optional in the UNIX world. POSIX ACLs still are more limited than Windows NT’s ACLs, and they are generally not used, even if available (a lot of APIs, libraries and applications don’t even know about ACLs, where ACLs are deeply integrated in the Windows API… Windows creates an ACL with every object it creates, the moment it creates it. POSIX ACLs don’t give that kind of control).

                  Comment by Scali — August 10, 2011 @ 10:05 am

                  • Of course back then ACLs were mostly a concept and they couldn’t implement it because it
                    would have killed performance and the special/user/group/world permissions was a very
                    elegant and fast solution to the ‘we need to segregate users from each other’ problem.

                    Comment by goarilla — August 11, 2011 @ 2:11 am

                    • Yes, there are probably a lot of valid reasons you can name for it…
                      But that is not relevant…
                      The bottom line is that saying “UNIX is more secure by design” is nonsense.

                      Comment by Scali — August 11, 2011 @ 3:23 am

                • ASLR and DEP are as much an afterthought as USB Support, or the Aqua interface, or Wireless card support, or GPU support.

                  Operating systems evolve constantly and each incarnation can be considered a separate product.

                  Attacking the implementation by claiming it is an afterthought is a pretty weak argument.

                  Comment by allthatiswrong — August 10, 2011 @ 7:11 pm

          • You and allthatiswrong are both making two fundamental mistakes here.

            First, you’re mistaking “design” with “implementation”. ACLs have very little to do with the design of an Operating System’s security model; they are method of *implementing* the chosen design (a resource-oriented view of the access control matrix, if you fancy).

            And consequently, second, you’re saying that the this *implementation choice* of having ACLs is somehow affecting the *quality* of the chosen design — which is, sorry to say, simply nonsense.

            You’re right, of course, that the Unix security model is far less granular than Windows’. However, I’d like to argue this is not, in fact, a shortcoming of the former. Au contraire, the simpler the design the better because it is easier to comprehend and manage. The sheer number of the various security objects (ACLs and privileges being just some of them) in the Windows OS (file privileges, account rights, process privileges, user tokens, process tokens… gosh!) has proven next to impossible for application developers to use right, so they simply defaulted to “require admin rights for everything” — and hence everyone had to run as Administrator just to get any job done.

            (And no, this is not a problem of “badly written 3rd party software” — it’s a problem of a badly designed, over-encumbered, hard to use security model, and having ACLs “designed into the kernel” don’t help at all.)

            Comment by AiL — June 25, 2011 @ 1:46 pm

            • I disagree.
              ACLs are not an implementation, they are a concept. Windows has *an* implementation of ACLs, there could be different types of implementation for ACLs. I think the mistake is on your side.

              Comment by Scali — June 25, 2011 @ 2:27 pm

              • OS X has had ACLs since 10.4… can someone clue me into what kind of ACLs we’re talking about here?

                Comment by puzzled — June 25, 2011 @ 2:49 pm

                • Well, there you go: ‘since 10.4’. So they haven’t been part of the system design from the start, they were added later.
                  I am not an OS X user myself, so I may not be entirely up-to-date, but last time I looked, ACLs were still just an optional feature of the HFS+ filesystem, and disabled by default.

                  Comment by Scali — June 25, 2011 @ 2:55 pm

                  • ACLs are a requirement for Windows to have any security whatsoever. By default, Windows gives anybody access to anything. You have to pile ACLs on top of the file system in order to prevent access to certain things.
                    Unix, on the other hand, prevents everyone from accessing anything unless they are given specific permission to access it (excluding the root user which is disabled by default on Mac OS X).
                    It is much easier to lock down a system that gives users little to no access than it is to lock down a system that gives users access to everything.


                    Comment by Barney15e — June 25, 2011 @ 3:05 pm


                      ACLs in Mac OS X are there to expand on the limited access rights given by posix permissions: owner, group, others can have read, write, or execute permissions or some combination. ACLs as implemented in OS X provide a wider number of choices of what type of access and how that access is propagated deeper down the file system chain.

                      Comment by Barney15e — June 25, 2011 @ 3:08 pm

                    • 1) ‘Easy’ has nothing to do with how secure a certain OS’ security features are. Besides, it *is* pretty easy for a system administrator to manage a network of Windows machines with users with limited access right profiles. Organizations have been doing that since the early NT days. Just because Joe the Plumber doesn’t know how to do it, doesn’t mean it is hard to do, or that it hasn’t been applied on a large scale.
                      2) Windows does NOT give anybody access to anything by default anymore. Not since Vista (e.g. applications are required to access only the Documents & Settings/Users directories to store data, or any other directories that the user happens to have access to… By default, the root, Windows system dir and Program Files are off-limits, for example. The rest of the directories are pretty much what you create yourself. For the registry, a similar policy goes, where only HKCU can be accessed by users). You might want to be a *bit* more up to date.

                      Comment by Scali — June 25, 2011 @ 3:18 pm

                    • Yes, Vista and 7 use ACLs to lock everything down by default, but those ACLs must exist for the system to be locked down. On unix, if the ACLs don’t exist, nobody has access.

                      Comment by Barney15e — June 25, 2011 @ 6:37 pm

                    • “On unix, if the ACLs don’t exist, nobody has access.”

                      That’s not true at all.
                      On unix, if ACLs don’t exist, it just goes by the standard file permission bits. These ALWAYS exist, as they are a fundamental part of the inode.
                      You would have to specifically disable access, because the standard filemask generally is not ‘nobody has access’, as that would break pretty much everything on the system.

                      Comment by Scali — June 25, 2011 @ 6:41 pm

                  • Yikes, 10.4 was the first half-usable version of OS X. ACLs are standard fare in 10.5 and 10.6. As far as over all security goes, I have no opinion at all, it’s not an area I know much about. With the amount of code in a modern OS and the pressure to hit milestones, I doubt any of them are particularly safe.

                    Comment by puzzled — June 25, 2011 @ 3:39 pm

                    • True, the weakest link in an OS or application is still that it is written by humans. Any time a new feature is introduced, or existing code is rewritten on a less-than-trivial level, new bugs and security flaws will be introduced.

                      Having said that, I think by far the largest threat is based on social engineering. Exploiting the ignorance of the user, rather than any inherent flaw in the system itself. A lot of ‘safety features’ are more about blocking functionality that is otherwise normal (such as not allowing users to open file attachments in an email, or a firewall blocking applications from opening network ports), simply to protect the user against him/herself.

                      Comment by Scali — June 25, 2011 @ 3:48 pm

                    • This, sir, is one of the most incisive statements posted here. Windows has had good security for quite a while.. but the users had to actually a) know about it; and b) use it. That is asking a lot for folks that bought the computer for browsing the internet; using Quicken; and doing their taxes.

                      Comment by Ricahrd K — June 27, 2011 @ 2:59 pm

                  • ACL support was added in 10.4, which was released in 2005. There are plenty of valid OSX security concerns without bringing up flaws that were fixed 6 years ago. The current version of Windows at that time was XP, and the Home edition of XP did not allow users to adjust the ACLs at all. I believe you when you say that this article is not meant to be FUD, but you should really address some of these omissions regarding ACL support in OSX. It’s currently somewhat misleading.

                    Otherwise, it’s a good article 🙂

                    Comment by Max — June 25, 2011 @ 10:39 pm

                    • That is the problem: ACL is an add-on for OS X, it is not a fundamental part of the OS design itself (and the same goes for pretty much all *nix-based OSes). In Windows, ACLs are a fundamental part of the API as well. In OS X, a developer has virtually no control over ACLs when he creates files, processes, threads etc. In Windows, the developer can just create the desired security attributes and pass them to the function that creates the files/processes/threads etc.
                      Just because OS X’ filesystem can ‘do’ ACLs these days, doesn’t mean it’s the same security model as Windows uses.
                      ACLs have *always* been part of Windows NT, the Win32API has always supported security attributes, since the first version of NT back in 1993.

                      Comment by Scali — June 26, 2011 @ 3:17 am

                    • I really don’t understand why so many people are talking about ACLs. I never made the claim that OS X does not have an ACL, I said that the basic UNIX design does not. Which is true.

                      It was an off hand comment as part of a paragraph debunking the claim that anything UNIX based is secure, not a direct attack on OS X.

                      Comment by allthatiswrong — June 27, 2011 @ 11:28 pm

              • Could you please be more specific on which part you disagree? To me, it seems you’re saying pretty much the same as I do, with fewer words.

                Yes — the ACLs are not an implementation. The C/C++/whatever code is the implementation. They are a *method* of implementation. A pattern for solving a specific problem, if you wish (the problem being how to store and maintain the access control matrix). But they are not part of the design of the security model and hence their presence or lack thereof implies nothing on the quality of the said model.

                Comment by AiL — June 25, 2011 @ 2:56 pm

                • I disagree on you saying that we mistake ‘design’ with ‘implementation’.
                  The ACLs are a fundamental part of the design of the Windows security model. If they were ‘just’ an implementation as you claim, then you could take ‘another implementation’, say *nix file permission bits, and implement the same ‘design’ with a different ‘implementation’.
                  But that doesn’t work, since you NEED access control lists to store the allow/deny rules that Windows supports by design. You cannot do that with another concept of security, such as file permission bits. The concept is different: one is a list, where you can add as few or as many permissions as you want per node, the other is a fixed set per node.

                  Hence: concept, not implementation.

                  Comment by Scali — June 25, 2011 @ 3:09 pm

                  • > “you NEED access control lists to store the allow/deny rules that Windows supports by design”

                    Wrong. I can do exactly the same with a capability list (i.e. for each subject enumerate the list of resources and what privileges the subject has on them). I can do exactly the same by maintaining the access control matrix as one big, two dimensional structure. True, I can’t do it with a *fixed length* list (like it is done in Unix)… but remind me where I said that I could.

                    > “Hence: concept, not implementation.”

                    Look, I’m not a native speaker, so let me consult with the dictionary.

                    concept: an idea or mental image which corresponds to some distinct entity or class of entities, or to its essential features, or determines the application of a term (especially a predicate), and thus plays a part in the use of reason or language.

                    Yep, you’re 100000% right. ACL is a concept. “Implementation” and “model” in the context of the software development are also concepts. Yes, fixed length and variable length lists are different concepts.

                    Still doesn’t make the ACLs part of the design.

                    Comment by AiL — June 25, 2011 @ 3:25 pm

                    • Wow, you’re pedantic! People tend to get more pedantic the more they realize they are losing the argument.

                      Comment by Scali — June 25, 2011 @ 3:33 pm

                    • In short, take this page:
                      As it says, there are “ACL-based security models”, the Windows NT security model is one of them. As it is based on ACLs, the concept of ACLs are fundamental (the basis) to its design.

                      Comment by Scali — June 25, 2011 @ 3:36 pm

                    • You may be able to do the same with a capability list, but that is a capability-based security model, not the same as an ACL-based security model.
                      Likewise, Windows’ ACL-based system can do anything that the *nix-bits can do, but it is not the same security model.

                      Comment by Scali — June 25, 2011 @ 3:39 pm
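Scali’s salary example further up (staff may read the HR share, but execs must be denied the salary sheet even though they outrank HR everywhere else) and AiL’s point that a capability list expresses the same policy can both be written out. The model below is an added Python example, not code from the post or from either operating system. The NT-style evaluation is deliberately simplified (no inherited entries, no object-specific rights, no owner or SYSTEM privileges); the user, group and file names are invented.

```python
"""Three ways of answering "may this user read that file?": POSIX mode bits,
an ACL with explicit deny entries, and a capability list derived from the
same ACL. Added example; every name below is made up."""
from dataclasses import dataclass

READ, WRITE, EXEC = 4, 2, 1


@dataclass(frozen=True)
class PosixFile:
    owner: str
    group: str
    mode: int  # e.g. 0o640


def posix_allows(f, user, user_groups, want):
    """Classic UNIX check: exactly one class applies (owner, else group,
    else other). There is no way to say "staff may read, except execs"."""
    if user == f.owner:
        bits = (f.mode >> 6) & 7
    elif f.group in user_groups:
        bits = (f.mode >> 3) & 7
    else:
        bits = f.mode & 7
    return bits & want == want


@dataclass(frozen=True)
class Ace:
    kind: str      # "allow" or "deny"
    trustee: str   # a user or group name
    rights: int


def acl_allows(acl, user, user_groups, want):
    """Simplified NT DACL evaluation: a missing DACL (None) grants everyone
    everything, an empty one grants nothing; otherwise walk the entries with
    denies first and stop at the first matching deny, or once every wanted
    right has been granted by matching allows."""
    if acl is None:
        return True
    principals = {user, *user_groups}
    granted = 0
    for ace in sorted(acl, key=lambda a: a.kind != "deny"):
        if ace.trustee not in principals:
            continue
        if ace.kind == "deny" and ace.rights & want:
            return False
        if ace.kind == "allow":
            granted |= ace.rights
            if granted & want == want:
                return True
    return False


def capability_list(resources, groups_of):
    """The same policy seen from the subject side: for every user, the
    rights it holds on every resource. Built by asking the ACL once per
    right, so by construction it cannot disagree with acl_allows()."""
    return {
        user: {
            name: sum(r for r in (READ, WRITE, EXEC)
                      if acl_allows(acl, user, groups, r))
            for name, acl in resources.items()
        }
        for user, groups in groups_of.items()
    }


def salary_example():
    """Everyone in 'staff' may read the HR share, but the salary sheet must
    stay closed to 'execs', who are staff as well."""
    groups_of = {"clerk": {"staff"}, "ceo": {"staff", "execs"}}
    sheet = PosixFile(owner="hr_mgr", group="staff", mode=0o640)
    acl = [Ace("allow", "staff", READ), Ace("deny", "execs", READ)]
    return {
        "posix_clerk": posix_allows(sheet, "clerk", groups_of["clerk"], READ),
        # True: mode bits cannot exclude a subset of the group
        "posix_ceo": posix_allows(sheet, "ceo", groups_of["ceo"], READ),
        "acl_clerk": acl_allows(acl, "clerk", groups_of["clerk"], READ),
        # False: the deny entry is evaluated first and wins
        "acl_ceo": acl_allows(acl, "ceo", groups_of["ceo"], READ),
        "null_dacl": acl_allows(None, "ceo", set(), READ | WRITE),
        "empty_dacl": acl_allows([], "ceo", set(), READ),
        "caps": capability_list({"salaries": acl}, groups_of),
    }
```

With mode bits the only fix is a new group (“staff minus execs”) and a re-chgrp of every affected file, which is exactly the management problem described in the thread; the ACL expresses the exception in one entry, and the capability list shows the ceo ending up with no rights on the sheet from the same rule set. The `None` versus `[]` distinction is worth remembering when auditing real Windows objects: a NULL DACL is wide open, an empty DACL locks everyone out.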

            • Also, management is exactly where *nix falls short, because of its ‘simple’ security model.
              It is incredibly hard to manage larger organizations when the granularity of access is limited to groups (seeing as the other two classes, ‘world’ and ‘user’ are too much all-or-nothing to really control any kind of access). You’d have to create all kinds of arbitrary groups to manage different sets of access rights, not to mention that it’s impossible to DISallow access to someone once he’s part of a certain group.

              Your assertion that ACLs are too difficult to use properly by application developers, and that being the reason why things require admin rights is also wrong. This has everything to do with legacy:
              1) On 16-bit Windows and 9x-based 32-bit Windows, there was no security model, hence there were no ACLs to control. A lot of application developers were not brought up with NT, and as such never learnt how to use the security model in the first place. They continued to ignore the security model in NT-based versions of Windows. Not because it was too complicated, just because they didn’t bother to learn.
              2) In Windows Vista, Microsoft changed the default behaviour for certain things, such as non-admin users not having the right to write to Program Files or certain parts of the registry anymore. Since legacy software was not designed to run in such an environment, the only way to make them run, was to give them the proper rights. Strictly speaking, this was merely a more strict enforcement of the guidelines that Microsoft had laid out many years ago already: applications should write their data to specific user-portions of the registry, and to the Documents and Settings directories, not Program Files.
              In Windows 7, Microsoft implemented a sandboxing scheme so that applications would be automatically redirected to a local user store for the Program Files dir or registry, which would be mapped transparently into the application it belongs to. This way, elevated rights are no longer required.
              If a developer had bothered to read the manual, no issues would have occurred.

              Comment by Scali — June 25, 2011 @ 2:41 pm

          • You really should read the article before posting. Windows does in fact have significantly better security than most versions of Unix. The problem has been that Microsoft has encouraged users not to use said security by having poorly designed default installs. A properly configured Windows workstation, particularly Windows 7, is significantly more secure than the vast majority of Unices out there, commercial and open-source.

            The fact that Windows falls over more easily is, as the article points out, not due to flaws in the operating system but user-error encouraged by Microsoft. In Windows XP, for example, it is almost impossible to run anything unless you are an administrator. Logging in as an admin for your daily work is moronic, but what XP, Vista and also Win7 encourages.

            Comment by TAB — June 27, 2011 @ 6:15 pm

            • So, you are saying that Windows has some good stuff…

              They added on (otherwise it would be integrated as PART of the distro, not hunt and peck to get going), security measures they tell no one about, and, therefore, release a system that IS NOT SECURE…

              I spent many years learning that…

              But if that is the crap you release and call it ‘User Friendly’…

              You are releasing a system that is, by no measure of reality… Secure… especially when YOU KNOW most people don’t know jack about security.

              I worked many years locking windows to make it less vulnerable (I had a job that had me going to WAREZ sites, and dens of Black Hats…

              I know what the released windows system is…

              I trusted nothing they released by contract, for maintaining security…PERIOD.

              When I reloaded Windows, I spent several hours, over days, making it tight… to all but Redmond, who blasted me out of the water 3 times with crap for updates…

              ‘My Bad’ is crap for restitution.

              That it still send stuff back, Installs stuff to screw up your software that they don’t sell…

              Makes it insecure… and nothing over-rides that.

              Comment by the old rang — June 27, 2011 @ 6:35 pm

        • Microsoft very much had “security in mind” during the design and development of Windows NT. I came on to the project at Microsoft from the OS/2 team about a year after Cutler and his crew arrived, and was put to work under Jim Kelly helping to design and implement the Security Reference Monitor (SRM). NT had a design goal from day 1 of being C2 compliant (Orange book, for those of you who remember the old Rainbow books), and this drove many of the design decisions being made in all other parts of the system. In fact, many of the security data structures were designed to be extensible for an eventual move from C2/DAC level security to B/MAC level. MAC (Mandatory Access Control) was eventually considered to be not worth the effort, though we did spend quite a bit of time trying to figure out what it might look like in a Windows context.

          So if you want to know what Microsoft had in mind, get yourself an old copy of the Orange book and take a look. It’s all there. I should point out that we did eventually obtain C2 certification, and maintained certification through the change to Common Criteria.

          As one of the comments on Mark’s article points out, “everything has to come from somewhere,” and a lot of the NT spec had been written based on the DEC team’s VMS experiences by the time I arrived on the project, but also, a lot of it was not. The parts I wrote had nothing to do with VMS because I had never worked on it. The DEC guys were very, very smart, and they took what they knew worked and modified it as appropriate for the Windows NT environment. But to say “NT came from VMS” and therefore security wasn’t a priority in the original design is demonstrably false.

          Comment by Robert Reichel — June 27, 2011 @ 5:08 pm

        • My article isn’t biased towards Windows at all, it is attacking OS X on its own merits. I simply use Windows as a comparison because it is most often the target of security criticisms when OS X is far more deserving.

          Comment by allthatiswrong — June 27, 2011 @ 11:22 pm

    • I was around in those early Unix days, and guess what – you are dead wrong about how security was viewed in the 70’s. It was very easy to read other people’s files and e-mails back then. The goal of Unix was performance and flexibility, not security. The Mac platform’s security has primarily come from one factor – its low use made it less of a target for virus writers since so many of them look to make a splash, and to do that they will target the most popular platforms.

      Comment by Earle — June 27, 2011 @ 9:37 am

  4. […] by design? Posted on June 25, 2011 by Scali Today, my attention was directed at this blog, discussing the security of Apple’s OS X. I suggest you read it, as it makes a number of good […]

    Pingback by OS X–Safer by design? | Scali's blog — June 25, 2011 @ 10:51 am

  5. What a silly article. All those words to end up making no sense.

    Comment by Idon't Know — June 25, 2011 @ 11:52 am

    • Oh, gosh! Technical terms! What could they possibly mean!

      Comment by millenomi — June 25, 2011 @ 12:14 pm

    • I agree. He talks a lot but doesn’t say much — probably because he’s an engineer and not a writer, but still.

      It’s not the “technical terms” bs someone butthurt posted below. Just weak writing and weak points.

      Comment by Yup — June 25, 2011 @ 7:58 pm

    • LOOL!!!! You must be one of those “Mac users” that sleep in front of the istore waiting to buy new iCrap for your “work”.

      Comment by Fist — June 27, 2011 @ 8:30 am

  6. I guess it’s wrong to say Windows is more secure because it has ACLs etc. Unix is secure because it’s a damn simple operating system, even if it has had ACLs for years, as has OSX since Tiger. Windows has so many security options, policies and so many file system options that it is a hell to administer. Unix is simple, small, proven and administrable… Windows in my point of view is not.

    Comment by #ka — June 25, 2011 @ 1:12 pm

    • I don’t think the article is making the point that Windows is more secure per se; it makes the point that there are several problems with OS X’s security, including several that Windows has since fixed (mostly in the areas of attack mitigation and turnaround time after vulnerability reporting). Which is entirely true.

      Comment by millenomi — June 25, 2011 @ 1:21 pm

      • Yes, it would appear that this is actually inconceivable in most people’s minds. It seems that people see it as a fact that Windows is the least secure OS in every way possible, and then assume that any other OS *must* be better in terms of security.
        They will have to let go of that idea first, and open their eyes, before they can possibly understand reality, or what this article is trying to say (and what it is not: it does not say that Windows is more secure, merely that you can point out a number of security-related areas where Microsoft has done a better job than OS X in one way or another).

        Comment by Scali — June 25, 2011 @ 2:50 pm

        • It still sounds like in your absolutely non-biased opinion 🙂 that you are saying that M$ has done a better job of plugging holes. Typically, M$ has denied, ignored and danced around and not fixed crucial security flaws at all. The only time they respond is when people get upset with them. That’s what usually drives their “better than average” security plugging.

          BTW, Windows was never designed from the beginning with security in mind. It was an afterthought! As was networking! I don’t care if it’s 1993 when they finally addressed it. They had many releases before then and had not addressed security until then. That’s when it became an issue and enough people changed their minds about how important security was.

          Based on the article’s point, I believe OS X is more secure simply because it’s pretty locked down out of the box. Which is something I can’t say about Windows.

          Comment by steve88 — July 7, 2011 @ 9:12 am

          • Wow, you really can’t be this clueless. Not if you participate in a technical discussion. Really. Seriously. You just look dumb. Perhaps you are.

            Here is a clue for you: Windows, as you know it today, was released, with zero Microsoft history, in 1993. It was designed, from the ground up, as a secure operating system. It shared quite a few things with VAX/VMS and also some legacy with OS/2. It shared (and shares) NOTHING with Windows versions released prior to 1993. Windows NT, which it was called at the time, ran (and still runs) Windows 16 bit software in EMULATION. Windows NT shared as much code with 16 bit Windows as does a Linux installation with Wine. None. This is common knowledge in the industry. To claim that Microsoft tacked on security on Windows because at some point in time they had a non-secure version of a completely different operating system is like saying Linux is insecure because Windows for Workgroups 3.11 was insecure. That is what is stupid in your post. For the record, OS/2 also ran Windows software, quite well in fact, better than Windows NT. OS/2 was also written, from the ground up, as a new operating system. It shared nothing with Windows. It did run Windows software in emulation though. Just as Windows NT did, and – if you have Windows 16 bit software, Windows 7 does today.

            Now, for the less stupid, but only slightly so, Windows in its current incarnation, that is Windows 7, ships pretty locked down. In my opinion, still not enough, but pretty well locked down. In fact, as anyone with an ounce of actual knowledge would be able to tell you, it is more locked down than OSX. It is, as shipped NOT more locked down than a typical Linux installation, but it is not too bad.

            Here is what you need to do to get Windows 7 to a good level. You create a new user with admin privileges. You set some sort of password on that user. You edit the user that was installed as default when you got your PC up and running, and you remove admin privileges from that user. Now your Windows 7 box is locked down harder than is actually theoretically possible on an OSX box.

            Comment by Terje — July 7, 2011 @ 9:54 am

            • I’d like to add that Apple’s transition from their classic Mac OS to OS X was quite similar to what Microsoft did when going from legacy 16-bit Windows to NT: a completely new OS, with a different API, better security, with a backward compatibility layer added for legacy software.
              Microsoft just did it a lot sooner.

              Classic Mac OS doesn’t exactly have a good reputation either. It was plagued with virii, it was unstable because of the poor multithreading implementation, and since it is even older than Windows, the same things go for networking: it was added on later, and security was always a problem. Classic Mac OS, like 16-bit Windows, was never designed for multi-user, and as such did not provide any kind of user rights at all. Everyone was always ‘administrator’.
              It’s a sign of the times, more than anything.

              Comment by Scali — July 7, 2011 @ 2:01 pm

          • The short version is more or less that Microsoft designed a more secure basis for their Windows NT OS in 1993 than what AT&T did for UNIX in 1970.
            Given the 23-year gap, and all the experience gained in the field of security, that should not be all that hard to grasp.

            UNIX-based OSes these days generally have better security than the original UNIX design back in 1970, often through all kinds of add-ons, such as ACL support for the filesystem, or kernel security enhancements such as TrustedBSD, SELinux, AppArmor etc.
            So obviously these OSes are also more secure.

            However, if you make the blanket statement that “An OS is secure because it is based on UNIX”, or even “UNIX is secure by design”, it’s quite obvious why that is not correct.

            PS: Technically Windows was not an OS prior to Windows NT. 16-bit Windows ran on top of DOS, as a shell. Even the 32-bit extensions for Windows for Workgroups, and Windows 9x/ME still ran on top of DOS. DOS was the OS, Windows ran on top of that as an extension.

            Comment by Scali — July 7, 2011 @ 1:34 pm

          • Hi Steve,

            Why do you feel the need to use M$ instead of MS? You can’t talk about bias if you’re going to resort to that sort of childishness straight off the bat.

            The fact is as it stands right now, in 2011 Microsoft are very proactive about security and Windows 7 is very well locked down out of the box. The same cannot be said of Apple and OS X respectively.

            Also, much of what you say is factually inaccurate and I would ask that you verify it for your own benefit.

            Comment by allthatiswrong — July 9, 2011 @ 2:43 am

    • Windows is not as complex as you seem to think it is. It is not because of ACLs that Windows is more secure, but because Microsoft have a responsible attitude towards security and bother to implement basic mitigation techniques correctly, which make a world of difference.

      Comment by allthatiswrong — June 27, 2011 @ 11:30 pm

  7. This article is so entertaining that I can not even laugh… You are not telling us anything new… I don’t really like Apple nor Mac OS X… but I think that most Unix-like systems today are more secure than Windows… I think you never heard about grsec, selinux, pam and etc

    Comment by No One — June 25, 2011 @ 2:46 pm

    • You obviously don’t know what you’re talking about.
      The only thing laughable here is your comment and others like it. Everything mentioned is true, OSX IS more insecure, you just feel a need to disagree or make fun of the post because OSX is related to UNIX, and that’s it. And because of this bizarre love for UNIX all logic and reason goes out the window.

      Comment by Photek — August 4, 2011 @ 3:36 pm

  8. […] OS X – Safe, yet horribly insecure « All that is wrong with the world…. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site. […]

    Pingback by OS X – Safe, yet horribly insecure « All that is wrong with the world… - Imperfect Notes — June 25, 2011 @ 2:53 pm

  9. I have been meaning to write something similar to this.. good timing 🙂

    Like you said, the main thing people get wrong is the difference between safe and secure. A house in a good neighborhood may be more safe than a house in a bad neighborhood, but there isn’t necessarily anything inherent in the former that makes it more secure.

    I saw a good comment on reddit the other day that put this even simpler, it went something like “I haven’t been shot lately but that doesn’t mean my rib cage is bulletproof”

    as for OS X being secure because it is based on unix, the point I always make is that the unix security model is designed to protect users from each other. It doesn’t actually do anything to protect an individual user from themselves. Most OS X machines have 1 or 2 users on them, and a drive by browser exploit against the primary user account would be devastating, root or no root.

    – Justin

    Comment by Justin — June 25, 2011 @ 3:14 pm

  10. Mac OS X conforms to the IEEE’s POSIX (Portable Operating System Interface for Unix) standard, and one of the issues it addresses is security. The National Institute of Standards and Technology (NIST) does quite a bit of work on OS security and developed a POSIX Conformance Test Suite.

    Unix, which underlies Mac OS X, has had quite a bit of work done on security.

    Comment by Viswakarma — June 25, 2011 @ 3:16 pm

  11. OS X – Safe, yet horribly insecure…

    I have had this article planned since the end of 2009 and have had it as a skeleton since then. I wanted to point out the many problems with OS X security and debunk the baseless myth that OS X is som……

    Trackback by IDELIT — June 25, 2011 @ 3:28 pm

  12. When you read the comments, it’s hard not to laugh at the people laughing. “Unix design” is 10% security, and 90% everything else. I need no proof to imagine a company that’s built itself on “ease of use” and “convenience” will throw security under the bus for the sake of those two things. I mean, let’s get real, is APPLE really going to compromise convenience to protect users? Nah, that’s not the Apple style.

    As far as Unix being more secure by means of “simpler implementation”, that might work for a single user, or even a small organization, but large scale controls are needed when operating on a… large scale. And if I sound like a Microsoft fanboy (running desktop Linux distros on all my boxes), I assure you, I’m not. Get some better arguments, or you make all the Unix users sound stupid, or worse yet, a revival of “Worse is better” versus “The right way”. And I’ll die before I call Windows in its current state the right way……

    Comment by "Some kid who just installed their first Linux distro" — June 25, 2011 @ 4:03 pm

  13. The same bs argument is presented here that the reason there aren’t more attacks on OSX is the smaller OSX market share. So millions of potential victims go unexploited because there aren’t enough of them to make it a viable investment? Ridiculous.

    Comment by J — June 25, 2011 @ 5:15 pm

    • Regardless of the reason that there aren’t more attacks on OS X, the lack of attacks does not somehow ‘prove’ that OS X is more secure. It only means that it is safer.

      If an OS X system is vulnerable to a drive by java plugin exploit, then it is vulnerable to a drive by java plugin exploit. There might not be anything actively exploiting that vulnerability, but that doesn’t make the vulnerability any less exploitable.

      Comment by Justin — June 25, 2011 @ 5:24 pm

    • It is not the number of users, but the market share. Mac OS X has a much smaller market share. It is the same reason more hackers target IE than other browsers. It is simple math – there are more resources available for developing hacks against the more popular OS and browser. That does not make them less secure and those with smaller market share more secure. Lack of attacks does not equal security. That is the BS argument. This article clearly points out that there are equally serious holes in Mac OS X. Only a fool would believe any OS is secure, or that “simpler” equals more secure.

      Comment by Earle — June 28, 2011 @ 6:39 am

  14. Excellent article. Too bad that there are a lot of UNIX fans who will defend OSX security just because this affects UNIX too.

    Most of the false security about OSX comes from the security myths about Windows. Since Vista, Microsoft is more responsible about security than Apple. Windows users no longer use an Admin account, and along with DEP, ASLR, free antivirus and an advanced permission paradigm on system infrastructure this allows users to be more secure. Internet Explorer 9 is the best browser at detecting phishing attacks, and the only one that can block malicious mixed content.

    Comment by JairJy — June 25, 2011 @ 5:54 pm

    • Not to mention the fact that several parts of the OS X security design (eg. launchd security sessions) are departures from the standard UNIX model. But, hey, it’s unix, it’s gotta be secure derp derp.

      Comment by l0ne — June 26, 2011 @ 3:20 am

  15. “”Windows NT (and later OSes) were actually designed with security in mind and this shows. Windows was not such a target for malware because of its poor security design; it is because the security functionality was never used. When everybody runs as Administrator with no password then the included security features lose almost all meaning.””

    Exactly… and the reason for everyone using Windows as Administrator is related to this: “”The Unix Design is significantly less granular than that of Windows, not even having a basic ACL.””

    Windows “security model” is *too granular* and actually *hard to set up*. Fact: complexity is the enemy of security. The only people actually using Windows security features properly are Microsoft engineers. Most people consider it a feature to be able to get anything MS up and running in a fraction of the time it takes on other OSs, but that comes with the “setting everything to default” culture.

    You could compare Windows security to SELinux or similar systems, which very few use, also due to them being a PITA to setup…

    These things need to be manageable by humans, and very few of them are able to pay so much attention to detail to actually maintain a secure system. that’s the actual problem, and that’s why simpler security models win in the end.

    Comment by zpuk — June 25, 2011 @ 6:04 pm

    • The author actually talks about Windows NT before Windows Vista, when the default behavior was that the user is the administrator and has all the rights to install software and modify any directory (with the exception of some hidden security files). Any software can be installed anywhere on the system, and can modify critical files without permission.

      But that was long ago.

      Comment by JairJy — June 25, 2011 @ 6:08 pm

      • “default behavior” is moot.. in Vista and Win7 you can still (and of course most people do it after being annoyed by the popups soon enough) set the security level to low and pay no attention to the small shield on “dangerous” buttons… but I’m not even worried about home desktops, I think about enterprise systems and networks. It is quite nontrivial to have a staff so competent on the myriad of Windows security concepts to be safe. Also nontrivial to audit your systems to be sure people are working properly. Also nontrivial to limit people’s access to what they need/must work on. Also nontrivial to prospect and interpret Windows’ verbose logs. And it goes on and on. This is what makes Windows hard to secure, not technical details per se.

        Comment by zpuk — June 25, 2011 @ 6:27 pm

        • You can say the same on UNIX OSes. Someday the user will be tired of writing his/her 12-characters-long password every time he/she wants to do some administrative stuff, so soon he/she will switch to using root account.

          Comment by JairJy — June 25, 2011 @ 11:43 pm

    • Problem with that notion is that it’s outdated. With Windows Vista and 7, Microsoft has changed some default settings, and added some new features to make it easier to run as a regular user. Which is what most home-users now do.
      In the professional world, the majority already used limited user accounts, since the systems were managed by Microsoft engineers, not by the users themselves. Both at university and in the corporate world, I have mainly worked with Windows NT systems where users were not administrator, but only had limited rights. And I go way back to the early 90s, with NT 3.5.

      Comment by Scali — June 25, 2011 @ 6:16 pm

    • Windows is more secure than OS X at the moment without a user having to configure a thing, simply because Microsoft have the right attitude towards security and implement basic mitigation technologies.

      Comment by allthatiswrong — June 27, 2011 @ 11:32 pm

  16. At this point all of this information is anecdotal. There is no substantive argument that MacOS X is less safe than Windows. It simply identifies the author’s opinion on which kind of security is most satisfactory. To say “no one has bothered to make a virus for Mac” is juvenile. Hackers look for exploits and take them and they don’t care about the platform that they’re on. Many hackers would be happy to write viruses for Macs but the truth is that they aren’t as persistent because there are fewer vulnerabilities in Mac software… ultimately, most viruses are perpetuated by a combination of poor permissions control (an issue that has plagued MS) and software vulnerabilities, not so much with the OS as the software suites that are installed (Flash, MS Office, etc). You don’t see as many of these vulnerabilities in the Unix environment and therefore it is more safe. I tend to agree that it may not be more “secure” but that is ultimately in the hands of the hacker not the EU. In your analogy of being shot in the ribs, the most “secure”/“safe” solution would be to eliminate bullets entirely. The chances of that happening are slim to none, just as making software completely free of vulnerabilities is slim to none. In reality many if not most of the people I know (and the companies that I have worked for) just don’t see incidences of spyware/malware/viruses on Macs, yet it’s a consistent problem on PCs. Anti-virus software for Windows is a joke, you should be using a minimum of two different malware scanner/blockers on top of AV with a firewall just to begin. MS Office and Adobe should be patched compulsively and you should hold regular trainings for ignorant staff clicking on spurious emails. NONE of this is the case with Macs. Until that fact changes I’m going to lead my EUs to use Macs, less work for me.

    My production environment (Apache/IPS/SMTP/SQL/JAVA/Juniper/ etc) is entirely Linux not because I’m “geeky” and like command-line utilities, but because it’s the most cost effective, safe, manageable, and most importantly OPEN software available. Apple saw this fact and capitalized on it years ago, POSIX environments provide more solutions than their alternatives. The guy that wrote this article is obviously not a SysEng. He’s probably a programmer aspiring to get into security but is stuck in theory. Continue to use your windowz environment and the rest of us will continue using the most powerful safe and SECURE group of OSes in existence.

    Comment by eng — June 25, 2011 @ 6:40 pm

    • Wow, talk about keeping your head in the sand. I’m sorry, but there is a ton of evidence that OS X is far more insecure than Windows 7, none of it is anecdotal. Apple have not been taking security seriously at all and deliberately mislead users. You can dismiss that as much as you like — it doesn’t make it any less true.

      Comment by allthatiswrong — June 27, 2011 @ 11:34 pm

      • Notice you said “Windows 7”. Could it be that they finally made it more secure? 🙂

        The myriad opinions that spew forth out of the mouths of Microsoft fanboys do not make it fact. Let’s talk out of the box… M$ has that stupid UAC dialog that is supposed to be their answer to improved security. All that was supposed to do was shift the blame on to the EU. They were probably thinking, “If we give them the option of installing this malware with a warning then it’s their fault.” Most all of the capabilities to screw up are turned off on OS X. Much more than a dialog that says in a roundabout way, it’s your fault not mine.

        What it boils down to is the software that is installed on the system has the most vulnerabilities, not the OS.

        Comment by steve88 — July 7, 2011 @ 9:31 am

        • Ah, yes, flaunting your cluelessness. That is a great idea.

          You really need to get out more. The “capabilities to screw up” on OSX are not turned off. Not even close. Some don’t even give you a warning message. Look at recent history for example.

          Again, the built-in security capabilities in Windows, and UAC is not a very important one, stack and heap randomizations are far more important – something both OSX and Linux lack proper implementations of. Again, the guy is talking about what actually is in the system, not how people are using it.

          Comment by Terje — July 7, 2011 @ 10:02 am

          • UAC itself is not a security feature, technically.
            It is more of a tool to make a more secure system more userfriendly.
            In the old days, Windows had no mechanism for escalating rights through a simple popup. So you either had to start your software as an administrator, or it would fail (depending on how well ‘access denied’ errors were handled in the software, the application might just fail silently, or even crash).
            Thanks to UAC, Windows can now warn the user: “Hey, this application wants to have these rights, do you want to give them?”.
            Most of the security features underlying UAC have always been in Windows NT. UAC just makes them a lot more practical to use.

            Comment by Scali — July 7, 2011 @ 1:26 pm

          • True, Windows’ ASLR implementation is top notch, but don’t forget that ASLR was prototyped on Linux by the PaX team and these still exist and are continuously updated.

            Comment by goarilla — August 10, 2011 @ 6:44 am

        • From the moment typed “M$” your post became completely worthless as it’s clear you’re just some stupid little kid who knows absolutely nothing of security. Grow up.
          And you do realise that Apple are the largest tech company in the world, making more money than “M$” because of morons like yourself. How ironic.

          Comment by Photek — August 4, 2011 @ 3:42 pm

  17. … and if the Windows APIs and OS architecture weren’t such a pile of Swiss cheese then it wouldn’t need all the AV tools and other cruft piled on top to make it secure.

    As others have pointed out, Windows has many security features, but most of these features are there to paper over deficiencies in the underlying operating system and the middleware cruft that it has accumulated. Sticking ACLs, sandboxes and code signing around controls embedded in web pages etc. is ignoring the fact that they were a bad idea in the first place. Security is a question of less, not more, as OpenBSD shows.

    Yes, Apple could do better, but they are responding to challenges such as MacDefender before they reach endemic levels as they have in the Windows community. Microsoft, on the other hand, waited until they had no choice.

    Comment by Peter Evans-Greenwood — June 25, 2011 @ 8:15 pm

  18. There is always a trade off between security and convenience. Finding the right balance is not always easy and Microsoft brought on its problems by making enduring mistakes which is why botnets are still almost exclusively Windows based. An important factor you fail to account for is the proposed claim that marketshare determines malware attention. If that were the case and Apple’s work so shoddy where is all the malware for iPhones and iPads?

    I don’t see how anyone cannot see the irony that the only social engineering exploit that had any noticeable footprint was only effective insofar as Mac users heard and believed the claims of OS X vulnerability that are periodically promoted by sensationalist headlines in the press and articles like this. I saw the exploit once while browsing on Google image search with Mobile Safari on the iPad and laughed at the faux Mac graphics that popped up.

    I’ve owned a Windows XP box and know what a real security breach looks like. Using Macs since 1984 I have never had a problem of similar magnitude.

    I am aware there are security improvements only arriving with Lion (due next month for $29) but it appears that Apple has done a good job balancing security and convenience and that you are simply bitterly mumbling about how those hipsters shouldn’t be able to laugh and dismiss you. Sometimes life just isn’t fair.

    Comment by Steve Bryan — June 25, 2011 @ 9:16 pm

    • The point of this article (in part) was to point out that just because there is a lack of viruses and malware in general, does not mean you are any less vulnerable. If I can take over your Mac just because I’m on the same network as you without you ever noticing, then how are you secure?

      Also, the iPhone analogy doesn’t work unless you are talking about jailbroken iPhones.

      Comment by allthatiswrong — June 27, 2011 @ 11:36 pm

  19. “… reality OS X machines have always been easily exploited and are among the first to be compromised at various security conferences and competitions”

    What you should also mention is that the people who exploit OS X *first* spent months finding exploits.

    “… regularly before the pwn2own contests where Apple’s insecurity is put on display, they release a ton of patches.”

    Google does that for their Chrome browser also. I bet you Microsoft does that too.

    In the end, we use computers to become more efficient at what we do. I think security shouldn’t obstruct efficiency. Even if Windows is more secure than OS X, it is less efficient to use. There’s more to aesthetics than what your eye can see.

    Comment by varactor — June 25, 2011 @ 9:25 pm

    • Windows is no less efficient to use than OS X. What a ridiculously subjective claim.

      Comment by allthatiswrong — June 27, 2011 @ 11:39 pm

    • It all depends on what you do. But to claim that OS X is more efficient to use than Windows is utter nonsense. I have used both, for decades. Neither is perfect, far from it, but Windows is, overall, more efficient because, due to its larger market share and being friendlier to developers, it has far more third party tools available.

      It has caused problems for MS, but they have worked hard to maintain backward compatibility so you would not have to buy all new software with each update. There is no assurance of that from Apple. Indeed for many years they clearly stated that they would not guarantee that a new release would run old software. As a developer why should I work to develop for a platform, then have to start over when they release a new version?

      No doubt others will disagree, that’s their right and personal opinion based on their experience as mine is based on decades of personal experience.

      You are right that there is far more to aesthetics than what your eye can see, sadly most people never look beyond the initial flash of Apple products and never see the headaches of their proprietary policies until it is too late.

      Comment by Earle — June 28, 2011 @ 6:47 am

      • Wrong! More software != more efficient. Wrong! Apple even brought compatibility from OS 9 to OS X. Windows apps from 3rd parties always have compatibility problems and always will. Think Vista… They even had a lot of hardware compatibility problems. Something Apple never had.

        Comment by steve88 — July 7, 2011 @ 10:18 am

      • I bought a MacBook Pro because I wanted a Unix with a consistent and nice GUI (with virtual desktops).
        I’m well versed in the Unix userland and the lack of it in Windows makes the latter inefficient to me.

        I know you can install Cygwin but it’s slow and buggy sometimes and incomplete. There are also 3rd party read — commercial programs that try to implement virtual desktops on Windows but they just don’t work that well.

        As for being developer friendly: out of the box you have a plethora of scripting languages and more with Mac OS X and no, cmd and VBScript don’t compare — although PowerShell might.

        Comment by goarilla — August 10, 2011 @ 7:02 am

        • Is the pretty GUI worth the vendor lock in and insecurity? I would think Linux with WINE or any platform you choose with virtualbox is a better option these days.

          Comment by allthatiswrong — August 10, 2011 @ 9:23 pm

          • Security is relative. I’m very confident that in the case of increased malware chances are low that I would be hit.
            Same was true when I used Win2k without antivirus. Is it worth the vendor lock-in? Don’t know, it’s a laptop you know, these have always offered less freedom than their desktop counterparts. But I do like a lot of their built-in apps, Preview is very nice.
            Also iTerm2 (3rd party) is the best terminal emulator I have ever encountered. I have Steam on Mac and I have Steam on Wine on Mac (took a while though – and Apple’s X11 server is in some ways broken). Safari, iTunes, iChat, iMail, iOffice are ditched though.

            You can’t argue that the MacBook is not a good laptop, aside from the keyboard, it blows the competition out of the water imho. Even now I see the features/details that Apple implemented showing up on the other laptops, which I do applaud.

            So in a way I avoid getting locked in on the software front, and I like the hardware (MacBook).

            Comment by goarilla — August 11, 2011 @ 2:26 am

  20. Your entire premise on Windows being so secure, rests on the ‘piped tune’ that it was designed that way, and it is the user not using it correctly, that is the problem…

    I bet the dinners from Microsoft tasted good, and the prizes were great.

    Riddle me this…

    If it is so safe and secure, How come so many of its biggest customers have been hit so hard and often??

    You may recognize the names….

    Amazon, Skype…

    Oh yes… MICROSOFT VIA Yahoo Email, Hot Mail, Corporate (Redmond to those in Rio Linda).

    Now… If they get MILLION$$$ from customers like those, and service them like they should, They should have been secure.

    Not mentioning the US Senate… They don’t know a damned thing about security…

    Your premise ‘might’ float, if NONE of those were hit… But the MICROSOFT hits say your premise is full of floaters.

    Comment by the old rang — June 25, 2011 @ 9:41 pm

  21. Wow, not one mention that perhaps the Unix-like OSes are more secure because almost all applications on a typical install are open source? Consider the “given enough eyeballs, all bugs are shallow” idea that Eric S. Raymond formulated in The Cathedral and the Bazaar. The fact that Unix-like OSes are typically used by programmers helps quite a bit as well, since if a flaw is discovered the users are more likely to have the ability to fix it themselves and submit a patch. Windows doesn’t have this advantage, being closed source. They have to use their own testing laboratories to find and fix flaws.

    Also, consider the modularity of the Unix-like operating systems. There’s a reason people used to (and some still do) have heated arguments about calling Linux “Linux” or “GNU/Linux”, as Linux is just the kernel; all other applications can be quite easily switched out (which is the main reason for all the Linux flavors). This makes it harder to have a concrete attack strategy against such an OS because the list of what applications the computer is running is more nebulous.

    Comment by Steven Seagal — June 25, 2011 @ 11:20 pm

    • Facts and Fallacies of Software Engineering, by Robert Glass.

      Educate yourself instead of blindly believing mantras. The fact that they’re repeated ad nauseam doesn’t make them true.

      Comment by aftermath — June 28, 2011 @ 4:42 am

      • You’re guilty of the same sin.
        You dismiss the conclusion ESR comes to in his book by the rebuttal written in another book.

        Comment by goarilla — August 10, 2011 @ 7:06 am

        • If the rebuttal presents good arguments…
          That’s how science generally works: someone comes up with a theory, then others will test that theory. They may prove it wrong, or evolve the theory to be more accurate/generalized/etc.

          Comment by Scali — August 10, 2011 @ 10:01 am

          • Or cast it into an empirical niche.
            I know how science works, I work at a university. 😀
            But my reply was a hasty one; after I posted it, I looked up the author of your book. He does seem very academic and qualified.

            But bear in mind he engineered software for a very narrow and esoteric niche/field of the industry. Their methodologies and atmosphere could be strangely queer from the majority.

            Comment by goarilla — August 11, 2011 @ 2:33 am

        • It doesn’t matter that he is citing an argument in a book, if the argument has merit.

          Comment by allthatiswrong — August 10, 2011 @ 9:21 pm

  22. So, why don’t we have any OSX viruses again? The incentives are the same as for Windows (stealing bank info, botnets, etc).

    You seem to ignore that MacDefender is nothing more than social engineering. It barely exploits anything, the user is tricked into installing it!

    Comment by Janel — June 25, 2011 @ 11:40 pm

    • This is true. I’m not saying there aren’t exploits there that a virus could get through, but so far there isn’t one in the classic sense.

      As far as MacDefender, it’s true that it’s more social engineering that could do the exact same thing on Windows 7 or the other more “secure” OS’s the author here mentions. If MacDefender was using an exploit, it’s something that the makers of the OS could patch or fix. But there’s no patch you can download to fix a gullible user.

      Comment by Goofball Jones — June 26, 2011 @ 1:58 am

      • Yep: the article discounts the fact that, out of the box:
        • downloading MacDefender through Safari, and
        • opening it
        used to show the standard alert for all new apps, now shows the xprotect alert, and that after this debacle Apple added on-by-default malware definition updates: MD authors could circumvent the list in a few hours, but the article conveniently leaves out the fact that Apple itself could add the circumventing version’s signature in that much time again. Which arguably should’ve happened earlier, which is most likely true, but eh.

        Comment by millenomi — June 26, 2011 @ 3:28 am

        • Xprotect will only alert the user if the file were obtained via a program that assigns meta tags, which is far from all programs. That’s a serious design flaw right there.

          Comment by allthatiswrong — June 29, 2011 @ 10:07 am
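A concrete way to see the gap allthatiswrong is pointing at, as an added example that is not part of the original post or any commenter's code: XProtect (and Gatekeeper) only inspect files that carry the com.apple.quarantine extended attribute, which quarantine-aware applications such as Safari or Mail set on download. A binary fetched with curl, scp or git, or unpacked by a tool that does not propagate the attribute, has no tag and is never checked. The script below reads the attribute, decodes its "flags;timestamp;agent;uuid" layout (the field meanings are an assumption drawn from inspecting real values, not from an Apple reference; the flag bits are not interpreted) and lists executables under a directory that carry no quarantine tag at all. Python's os.getxattr exists only on Linux, so on OS X the reader falls back to xattr(1).

```python
#!/usr/bin/env python3
"""Check which files carry the com.apple.quarantine tag that XProtect keys on.

Added example for this thread, not code from the original post.  Assumptions
(not from an Apple reference): the attribute value is a ';'-separated string
"flags;timestamp;agent;uuid", flags and timestamp are hex, and older entries
may omit the trailing uuid.
"""
import os
import stat
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

QUARANTINE_XATTR = "com.apple.quarantine"


@dataclass
class QuarantineTag:
    flags: int                # hex bitfield; semantics deliberately not decoded
    downloaded_at: datetime   # UTC, from the hex epoch-seconds field
    agent: str                # application that wrote the tag, e.g. "Safari"
    uuid: Optional[str]       # LaunchServices download record, may be absent


def parse_quarantine(value: str) -> QuarantineTag:
    """Decode a raw com.apple.quarantine value into its fields."""
    fields = value.strip().split(";")
    if len(fields) < 3:
        raise ValueError("quarantine tag needs at least flags;timestamp;agent: %r" % value)
    flags = int(fields[0], 16)
    stamp = datetime.fromtimestamp(int(fields[1], 16), tz=timezone.utc)
    uuid = fields[3] if len(fields) > 3 and fields[3] else None
    return QuarantineTag(flags, stamp, fields[2], uuid)


def read_quarantine(path: str) -> Optional[str]:
    """Return the raw tag, or None if the file has none (or xattrs are unsupported)."""
    if hasattr(os, "getxattr"):           # Linux: direct syscall wrapper
        try:
            return os.getxattr(path, QUARANTINE_XATTR).decode("utf-8", "replace")
        except OSError:                   # ENODATA / ENOTSUP both mean "no tag"
            return None
    # OS X: Python's os module has no getxattr, so shell out to xattr(1)
    proc = subprocess.run(["xattr", "-p", QUARANTINE_XATTR, path],
                          capture_output=True, text=True)
    return proc.stdout.strip() if proc.returncode == 0 else None


def is_executable_file(path: str) -> bool:
    """Regular file with any execute bit set (symlinks are not followed)."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & 0o111)


def unquarantined_executables(root: str) -> List[str]:
    """Executables under root that XProtect would never look at: no tag present."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if is_executable_file(path) and read_quarantine(path) is None:
                hits.append(path)
    return sorted(hits)


def describe(path: str) -> str:
    """One-line summary of a file's quarantine state."""
    raw = read_quarantine(path)
    if raw is None:
        return "%s: no quarantine tag (XProtect/Gatekeeper will not check it)" % path
    tag = parse_quarantine(raw)
    return "%s: downloaded %s by %s (flags 0x%04x)" % (
        path, tag.downloaded_at.isoformat(), tag.agent, tag.flags)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/Downloads")
    for p in unquarantined_executables(target):
        print(describe(p))
```

Run it against ~/Downloads or a freshly unpacked source tree: anything it lists was never going to trigger the XProtect alert, however current Apple's signature list is.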

    • The incentives are not the same at all. Spend 100+ hours on development to infect maybe 5% of 10% of the market? Or spend that same development time and infect 40% of 80% of the market? Do you see? Do you see?

      Comment by allthatiswrong — June 29, 2011 @ 10:09 am

      • Sorry for coming by late, but the point about market share, that is brought up in many articles like this one, is not a convincing argument as to why OS X has been relatively free of virus and malware attacks (ie safety by obscurity).

        Malware, virus writers, crackers are not motivated by market share of an operating system. *They will have a target number of machines they want to infect*. At a rough estimate there will be at least 100 million OS X machines in operation today. That is a large enough target pool for any malware operation such as DDoS or a successful spam programme or password phishing or the like.

        If your article is correct that OS X is less secure, users are less alert to security risks, Apple cares less about security, security is tacked-on, exploits are faster and easier to develop, exploits will last longer (due to slower response from Apple), then developing exploits for OS X would be a VERY attractive proposition. Your 100+ hours of development should – according to your article – reach your target number of infected machines much quicker and thus at much less cost.

        The only case in which the low 5% to 10% market share of Apple could be considered a de-motivating factor would be if the proposition is that anti-virus vendors are directly or indirectly funding almost all of the virus and malware development we see (probably discounting spam). Although in all the articles I’ve read (quite a few, including yours) that use the market share argument, none of them mention this.

        But think about it. Anti-virus vendors – unlike true malware authors – ARE driven by market share. Most Windows machines have paid licenses for anti-virus software. Almost all Mac machines don’t. The Windows anti-virus market is simply huge. If we assume 3 billion Windows machines and 2 billion paid anti-virus licenses, that is a lot of money. If hypothetically, OS X market share shifts upward towards 20%, then anti-virus vendors will be losing revenue and will obviously defend that revenue or try to get OS X users to install and pay for anti-virus software. What better than to have some virulent viruses for OS X?

        The game theory article you link to would be relevant to anti-virus vendors (hypothetically and surreptitiously) involved in virus development, since he defines the payoff as directly related to market share. As I mentioned before, market share is not a payoff for a malware or virus writer that is only interested in a particular malware objective such as DDoS, spam, phishing etc, and so the game theory calculations would not apply to them. Yet market share, or lack of it, is almost solely relied upon in articles like yours and the game theory article you link to as the reason why we haven’t seen the levels of compromised OS X systems that we’ve seen on Windows.

        Comment by jasonsmart — May 1, 2012 @ 7:05 pm

        • Why write for OS X which changes with each version when you can write for Windows and infect every version for the last 10 years or more? There may be 100 million vulnerable OS X machines but there are far, far more vulnerable Windows machines with a malware writing culture surrounding it, making it easy to learn and refine.

          Of course it comes back to market share.

          Comment by allthatiswrong — December 11, 2012 @ 4:26 am

  23. if you are so concerned about security your site shouldn’t be mixing http and https…..

    Comment by joe — June 26, 2011 @ 2:18 am

    • He thinks Windows is super secure, therefore is not worried

      Comment by the old rang — June 26, 2011 @ 3:07 am

    • You realize it isn’t my site, right?

      Comment by allthatiswrong — June 27, 2011 @ 11:45 pm

  24. The thing I really take exception to in this article is that OS X security is “Year 2000 era” –Windows 2000 didn’t support ASLR or DEP. Windows 2000 still made every file readable to every user, created Administrator users by default and offered no way to escalate privileges as a normal user, making it almost impossible to be logged in as a normal user for day to day tasks without constantly logging in and out to change settings or install software. Windows 2000 shipped with many ports open and no easy way to configure its built-in tcp-ip filter, and to top it off, while it may have provided the very sophisticated Win NT ACL functionality you talk about, it made absolutely no use of them whatsoever.

    If the Unix security model offers absolutely no extra protection, then please elaborate on why Windows Vista and Windows 7 have opted not to have users run as administrator anymore? I thought the awesome infallible amazing ACLs provided by the NT kernel would have protected the system without any need for something as clumsy as user permissions.

    Comment by steviant — June 26, 2011 @ 4:43 am

    • “If the Unix security model offers absolutely no extra protection, then please elaborate on why Windows Vista and Windows 7 have opted not to have users run as administrator anymore?”

      That is some seriously flawed logic there.
      Firstly, Windows NT was never meant to be run as administrator by everyone.
      Secondly, whether a user runs as administrator or not has nothing to do with the *security model*. That is a user error, not a shortcoming of the OS.

      “I thought the awesome infallible amazing ACLs provided by the NT kernel would have protected the system without any need for something as clumsy as user permissions.”

      Wow, talk about totally not understanding technology. ACLs are a means to configure user permissions. A more flexible and powerful means than owner/group/world bits, commonly used in the *nix world.

      Comment by Scali — June 26, 2011 @ 5:08 am

  25. Lol, I liked reading the comments from the obvious mac fanboys that completely missed the whole point of the article.

    Comment by cookie — June 26, 2011 @ 4:48 am

    • Indeed, people totally miss the point, and keep shouting: “But Windows gets a lot more security exploits than OS X!”.

      Comment by Scali — June 26, 2011 @ 6:01 am

    • There should be a Godwin’s Law of Apple discussions – the first person to excuse an Apple flaw because of something bad in Windows loses the argument.

      The article is about OS X security or lack thereof, not how bad Windows is.

      Comment by Andy — June 27, 2011 @ 8:55 pm

  26. Good article; I had no idea how apathetic Apple really was about security.

    Just be weary, you’ve got a few errors:
    “if…then,” not “if…than.” “than” is used in comparisons of size.
    “naivety,” not “nativity.”
    There were a few more, but I can’t remember them now. There was a missing preposition or two as well. If you read it aloud, you ought to find most of the ones that would trip a reader up.

    You’ll make a bigger impact if you cross your i’s, dot your t’s.

    Comment by Grammar Nazi — June 26, 2011 @ 9:16 am

    • I’m weary of this whole discussion, and I’ll be wary about reading more like it in the future.

      Comment by Grammar Nazi's Gramma — June 26, 2011 @ 12:14 pm

    • Personally, I cringed at the mixed use of singular and plural verbs associated with the subject “Apple”, as in “Apple is” and “Apple are”. The singular form refers to the company and (should be) used when referring to the company and its actions. The plural form refers to the group of people who can be collectively referred to by “Apple” (or other such noun). Since the latter form refers to the “group”, it should be used when that group, not a subset, is involved. In this article, the subject is that of what the Apple corporation has done with its products. Referring to individuals within the corporation is meaningless as Apple (and not just Apple) provides products as a corporation not as individuals within the company. There is little value or meaning in writing “Apple to date do not have a proper DEP or ASLR implementation …” which refers to all Apple employees; all that matters is what “Apple does not have”.

      Comment by Jim — June 27, 2011 @ 7:34 pm

    • I definitely should have proofread before posting. I would appreciate any further specific corrections.

      Comment by allthatiswrong — June 27, 2011 @ 11:47 pm

  27. […] I came across a lengthy but interesting critique of Apple security – OS X – Safe, yet horribly insecure –  by the anonymous author of the All That Is Wrong With The World blog (well, that’s an […]

    Pingback by Apple Safe or Sorry? « Mac Virus — June 26, 2011 @ 9:46 am

  28. Man, I’m glad Lion doesn’t have some mode where anyone could reboot my browser to a publicly accessible account-neutral Safari session someone could use to visit a malware site and own the computer.

    That would be pants on head stupid, and we know Apple’s too shrewd for that.

    Comment by Duane Moody — June 26, 2011 @ 3:48 pm

  29. You think ASLR is implemented well in Windows? Answer this question after looking at this line of code. You can break Windows ASLR with one line of C:

    ULONG_PTR Base = *((PULONG_PTR)0x7ffe03d0) + 0x77ec0000;

    (credit Alex Ionescu)

    Comment by mavvy — June 26, 2011 @ 9:40 pm

  30. I’m laughing my ass off watching the mac fanboys trying to dis on your article and thus far have had no good technical argument.

    Thanks again 🙂

    Comment by NoFanBoys — June 26, 2011 @ 11:02 pm

  31. Macs had numerous viruses in the 1980s and 1990s. I had viruses on my Mac in 1988 while working at a division of Sun Microsystems. Indeed, one of the first, if not the first, consumer anti-virus product was S.A.M. (Symantec Antivirus for Macintosh). I worked at Symantec in the early 1990s, too. Macs always had low market share, especially in the 1990s, yet viruses continued to spread under pre-OSX/pre-UNIX MacOS 6,7,8 and 9. It is a myth that the only reason OSX has so few viruses now is because of Apple’s low Mac market share. If that were true, Macs in the 1980s-90s would have had even fewer viruses than today’s OSX Macs.

    Go to any anti-virus company’s website and randomly or methodically examine the affected OSes of any single virus or mass of viruses of the *millions* of viruses. Let me save you time: “windows, windows, windows.” You’ll be hard pressed to find UNIX, Linux or OSX viruses. Hackers targeted UNIX for years (e.g., Kevin Mitnick) because so many juicy infrastructure, university and government targets used UNIX. UNIX has been pounded on by the top hackers, not a bunch of hacks using wizard-based virus-generating tools, though today’s money- and espionage-motivated top heavyweights seem to target Windows more than UNIX (e.g., ransomware and Iran nuke reactor).

    As a longtime IT pro and former machine and assembly language programmer, it’d be idiotic for me to ignore the fact that of the thousands of computers I’ve serviced since OSX, all of the thousands of viruses I’ve encountered have been Windows-only viruses, while the hundreds of OSX Macs under my watch have yet to have a single virus. A current stat bruited about today is that a new virus is created every 6 seconds! Even if that’s bunk by a factor of ten, a new virus is created every 60 seconds! Those are Windows viruses. The scant few OSX viruses I’ve heard of require victims to type their admin user id and password. Besides logging in, when was the last time Windows prompted a logged-on admin user for his or her password? OSX does that regularly (the MacDefender virus and perhaps all variants, requires it, btw).

    Public hacking competitions that revealed lightning fast OSX takeovers mostly (maybe entirely) relied on Safari flaws. My clients avoid Safari. I think those fast takeovers also required direct access with no hardware firewall present, but I’m not sure. I make way, way more money servicing clients using Windows PCs and have seen my billable hours dive when clients switch to OSX, though I’ve made up the difference by regularly accepting new clients after years of only sporadically doing so.

    Oh, and if you’re right and OSX viruses catch up to Windows viruses (doubtful at the rate of 6/sec versus 6/year or 6/month), I’ll make more money — I’ll make out well either way. But OSX is currently the smartest, though imperfect, choice over Windows where security is concerned for end-users (maybe Chrome or Linux will take the lead but I doubt it).

    Pointing out x flaws in OSX is dwarfed by the x*10^5 flaws in Windows.

    Comment by john — June 27, 2011 @ 2:59 am

    • Did you miss the whole section where I reference the article using game theory to predict that just as OS X reaches about 17% market share malware will start to appear? How odd that just as OS X is reaching 17% market share, malware is starting to appear…

      Viruses were more widespread in the early days because they were trivial to write. As malware has become harder to write it has started to be written only when the incentive to do so is there. For OS X, that is only recently.

      In any event, the point of this article was to point out that despite the lack of malware, OS X users tend to be the most vulnerable of all PC users.

      Comment by allthatiswrong — June 27, 2011 @ 11:42 pm

  32. Hmm. I would have liked to read this, except your choice of layout indicates that you are one of the 20-something effete Apple ‘artistes’ who believe everyone can read 4 point type.

    Comment by Gary Wheeler — June 27, 2011 @ 6:58 am

    • Your browser has a zoom tool. Learn how to use it and your life will be much happier.

      Comment by John — June 27, 2011 @ 11:03 am

    • I’m sorry you are so superficial as to dismiss an article because of the choice of theme used. I chose a theme without too much thought that looked OK on my screen and made everything clear and easy to read. As yours is the only complaint so far, the theme doesn’t seem to be hampering anyone else….

      Comment by allthatiswrong — June 27, 2011 @ 11:44 pm

  33. It’s seriously disappointing that no one has stooped to spelling Windows with a z in it thus far! C’mon fanboys, what’s the world coming to?

    Comment by WhyMustI — June 27, 2011 @ 7:18 am

  34. well I believe you are just a MS employee trying to put dirt on Apple’s face.

    Comment by mariusm — June 27, 2011 @ 7:35 am

    • And clearly, you either didn’t understand the technical explanations in this article, or you didn’t read it to begin with.

      Comment by John — June 27, 2011 @ 11:16 am

  35. I wonder how much marketing budget Microsoft spent on this little gem.

    Comment by Probe — June 27, 2011 @ 7:47 am

    • I wonder how many more Apple users will post stupid comments because they can’t understand an article. Well, intelligence isn’t your strong point or you wouldn’t be using Apple toys.

      Comment by Photek — August 4, 2011 @ 3:51 pm

  36. […] Continue reading. Share and Enjoy: […]

    Pingback by OS X – Safe, yet horribly insecure | Jesus Was Rasta — June 27, 2011 @ 7:56 am

  37. The tone of the article is reminiscent of e.g. Nazi and Bolshevik propaganda: spice your BS with a few facts and have a media ball.

    To summarize:
    – No existing modern OS is secure enough, and the root of the problem is the need to be hardware-compatible with x86 address model.
    – No existing modern kernel is designed insecure to begin with.
    – Windows security features are not employed to their full extent because they are not usable by a normal user (or even semi-normal one – such as within US DoD with all their internal restrictions etc).
    – The assumption that 10+% of the entire market is “too small for the criminals to bother” is beyond ridiculous.
    – It is easier to configure – and use – a secure Mac than a secure Windows.
    – Malware for both Windows and Mac exists and will continue to multiply & proliferate.
    – ACL is a great and powerful tool that is irrelevant for most computer applications, and usually not used properly even when it could provide benefits.

    Comment by mouse — June 27, 2011 @ 8:45 am

    • And there we go, Godwin’s Law is met once again!

      Comment by Scali — June 27, 2011 @ 11:49 am

    • 8% please. iOS is not counted here, even if it is secure.

      Comment by Interarticle — June 27, 2011 @ 9:29 pm

    • Malware developers are not going to spend development time on malware to infect a minority of the PC population unless there is profit, as opposed to breaking even or having a net loss. Obviously, 10% of the market would mean a net loss or breaking even, so it isn’t worth it for them to try.

      Secondly, it is not easier to secure a mac at all. Part of the point of this article was that in many cases you can’t secure a mac, because you are reliant on Apple who simply don’t care.

      Comment by allthatiswrong — June 29, 2011 @ 10:12 am

      • Huh what ?

        You configure the firewall and ipfw, disable all unnecessary services.
        Disable your sudo capabilities and add a real root or administrative account that
        can use sudo, no auto logon as well.

        You replace the standard browser by something else, enable the safe keyboard input where you can (terminal).
        You update update update.

        Comment by goarilla — August 10, 2011 @ 7:24 am

        • Updating won’t help when Apple refuses to fix a vulnerability. What do you do then, huh?

          Comment by allthatiswrong — August 10, 2011 @ 9:20 pm

          • If you can, stop using it. If you can’t, be extra diligent.
            But let’s be honest, there have been quite a few hard-to-fix
            vulnerabilities in the Windows OS that took years to patch.

            Comment by goarilla — August 11, 2011 @ 2:36 am

            • You don’t always have the option of not using it, what about vulnerabilities in the core OS?

              Comment by allthatiswrong — August 11, 2011 @ 4:06 pm

              • Then you’re fucked, but still every OS suffers from this problem even the open source ones.
                You always rely/trust someone to have done some vetting for you.

                Comment by goarilla — August 12, 2011 @ 2:14 am

                • Part of the point of this article is that Apple is a whole order of magnitude less reliable than other OS vendors for patching critical security flaws. You can’t simply trivialize that and say that every OS vendor has this problem, because while technically true, the scale varies, with Apple being at the very worst end of it.

                  Comment by allthatiswrong — August 12, 2011 @ 3:08 am

  38. What a load of crap. Up through Vista (I got so tired of it I switched to a Unix-based OS) ACLs, no matter how secure they may be, were absolutely useless to the average user. Through Windows XP many programs had to run as Administrator. Vista did much to ‘fix’ that since we had to give permissions for certain things. Never mind that you were never told who was asking for the permissions or what they were for. The feature was absolutely *useless*. I have been told that Windows 7 fixes that. Well, let me run right out and spend $200 on the new version of the OS and another $1500 to replace all of my software to take advantage of that.

    The weakest link in security is *always* the user. Windows has trained users to do stupid things because the UI to all these *security* features has always been stupid. The best lock in the world is useless if it’s lying on the floor.

    Comment by LJ — June 27, 2011 @ 12:09 pm

  39. All the petty sniping by the Mac users and Windows mafia, aside…

    The article was, seemingly written with a bias.

    I have a bias, too…

    I don’t use a Mac, and I don’t like Windows.

    For sake of Information, I spent many years working in various aspects of security.

    Windows, violated many security processes, by reporting on what was processing, to Redmond (dial outs were traced by various military security outfits, self initiated, to Redmond, from Highly classified locations… For many years, military groups would not use Windows, on site).

    For an OS to be secure, It has to be locked out from such shenanigans.

    But, the thinking that the penetrators have, has never been the thinking of most programmers (or system designers).

    They don’t slap together stuff to lock people out, once they have gotten in. They should design from the stand point, that people are going to try to get in, and test before it is sent out to the user.

    I know, Social Engineering is almost never programmed against, but, with “password” being one of the most common passwords, you would think they would design something better (which eliminates passwords designed by people and keeps it changed with each contact… no people involved… Not single word used. A relatively simple process for a ‘system’ which almost no one I know of uses, but, was designed years ago)

    That aside, I left Windows, because I was sick and tired of having to spend hours of work patching around to make it securer… It was a sieve of holes, and staying ahead of the black hats was labor, on a machine that I only wanted to play on.

    The worst case of security thinking has been the users (Especially Financial) who believe the crap Microsoft puts out about safety, and only program systems to try to protect the ‘Financials’ with little to protect their clients. (Until the recent explosion of Facebook and social networking, Gaming on line with financial transactions, Nothing came close to the data dumping to the black hats, like financials… very poor security systems)

    So… Don’t tell me how safe (for the sake of the Micro-soft lover) Windowz is… Check the stuff given away by black hats to break it…. Windowz isn’t)

    Nothing is.

    But, the Unix model runs the internet, and unlike Windowz, has fewer MAJOR breakdowns, like Skype, Amazon, Yahoo, Hotmail and HQ Redmond.

    Yes, much is the job of the Administrator (like the ones from Sony that laid off the Security Dep’t… I don’t know which O/S they use, so that is a toss up).

    But, I had lost too many hours to crap, put out by Micro-soft, destroying my system with far less than proper ‘Updates’…

    Which means ‘their security who should be interested in the customer’ was not doing any job.

    Is Linux Perfect? No… but, its design, like Unix, doesn’t generally destroy the system if one program does.

    And a last word for Windowz lovers….

    Windowz stole the idea from Apple…

    Again I have never used it, So, I don’t know about or ‘luv’ Apple…

    I have used Windowz for many years…

    I don’t like it.

    Most of the sniping going on, from the Windowz crowd, says they are also liberals, since it is name calling, not discussion. Macs come from liberals, so no telling on the user side, but, I have seen more real tech input from their side here, and less from the Micro-soft side.

    (And the Micro-soft side yelling they see none, only tells me, they have visual literary blindness)

    ‘Nuff said. I don’t like Macs, I don’t like Windowz (again, only for the Micro-soft fanboy) and I am pissed at Ubuntu, right now…

    But, they beat Windows for most security.

    The Black Hats, are not as bad as the Government, OR a certain Large Search engine company… They steal all your data, at will…

    Believe it

    Comment by the old rang — June 27, 2011 @ 2:16 pm

  40. […] Apple has convinced many mac users that they are more secure than Windows users. This is not entirely accurate. Now, back in the ’90s just after I installed Windows XP, I got a worm within 5 seconds. I […]

    Pingback by The black dot virus at Ed's Home — June 27, 2011 @ 2:58 pm

  41. This entire page misses the point. Why do we have applications that allow software to be installed on the machine? What is it that allows malware to be installed because somebody opened an email or a web page? When we see “Download and install application?”, it is very convenient to just click and it’s done, but you can also install a virus at the same time. Why is M$’s IM application allowed to install files? Unfortunately, most of the user population would not be able to handle a system hardened against such attacks, and I don’t mean one laden with detection software, I mean one that does not have a cavalier attitude with the installation of files.

    Comment by Jim — June 27, 2011 @ 7:56 pm

  42. Thanks for the excellent post. Especially I appreciate a few points like Eric Schmidt’s blame on Windows. He’s always anti-Microsoft. Microsoft’s SDLC is amazingly good and Microsoft is really doing well with Enterprises. How many servers are running on Mac? How long has Safari stayed strong in any Pwn2Own contest?

    The flashy GUIs don’t mean that it’s secure. As you told, they’re less targeted, but it’s not the story anymore. Mac will surely get hacked and affected by Malware. The other wrong thing that could happen with the new In App purchase option is that the malware or hackers can make users spend huge amounts of money by fraudulent purchasing. For Apple, security is never a concern by business.

    Comment by sarat — June 28, 2011 @ 12:45 am

  43. than != then

    Comment by Matr — June 28, 2011 @ 8:21 am

  44. I don’t think I’ve come across such a collection of self-aggrandising opinionated wank in a long time.

    Rather than you fanbois from both sides spending your time waving your genitals at each other and boasting about how big and shiny they are you might like to learn something.

    Look up Agnosticism. Have a think how it might apply in this context and you might make some real progress.

    Comment by Guerrilla ontologist — June 28, 2011 @ 12:45 pm

    • You didn’t even read the argument as to why OS X is insecure, did you? Despite agnosticism having absolutely no place in this discussion, perhaps you should read my article dismissing agnosticism as pointless and irrational.

      Comment by allthatiswrong — June 29, 2011 @ 10:14 am

      • Well, actually, I see a few parallels between that article and this topic.
        To some (many?), computer technology is similar to a religion. People see linux as ‘good’, and Microsoft as ‘bad’, and make comparisons with the devil and such.
        People also buy into various myths about the merits of certain technology, on the basis of “since so many people keep saying it, there must be a point to it, so I will believe it, even though I do not fully understand the subject matter/have not seen proof either way”.
        The myth about UNIX security is a prime example of such behaviour.
        I saw another one yesterday: I referred to the book Operating System Concepts by Silberschatz/Galvin, as it has some interesting case studies of the Windows NT and linux kernels. Two people chimed in, claiming that Tanenbaum’s books on Operating Systems were better. I doubt that these people actually even read the book I mentioned (let alone understood WHY I mentioned this book in particular, rather than other, perhaps more well-known works on the subject). Yet they ‘knew’ (well, believed) that Tanenbaum’s book is better, and felt the need to spread the gospel. Tanenbaum’s work is like the Bible on OSes to these people. By mentioning a different book, I might appear to be a heretic to them, and as such I must be converted!

        I think in general, the whole fanboy phenomenon in technology these days is a cult, very much like a religious cult. You can easily put together a stereotype linux user: they will read Slashdot, hate Microsoft, Apple and most other commercial companies (perhaps with the exception of ones like Google or IBM, since they support linux), promote freedom and openness for everything, and they will probably have read some of Tanenbaum’s books, as well as Eric S Raymond’s work, and some other ‘usual suspects’. Or at least, they claim to have, or are planning to. In short, there’s a certain folklore, very similar to religious traditions, rituals etc, in many ways. A lot of it is pointless and irrational.

        Likewise, trying to argue over which OS is better/more secure/etc is pointless and irrational. There are far too many aspects to an OS to simply divide them into ‘good’ and ‘bad’. However, ‘good’ and ‘bad’ are typical themes in religion… They make things simple. Someone has already decided a lot of things for you, so you don’t have to.

        Comment by Scali — June 29, 2011 @ 12:42 pm

  45. Holy crap! I read all the comments and at most three of them actually made sense to me. and all those authors don’t use (NOT hate) neither windows nor mac… Does that mean something to you really? please, be reasonable not emotional when you talk.

    Comment by come on man!! — June 28, 2011 @ 5:20 pm

  46. I stopped reading here: “The Unix Design is significantly less granular than that of Windows, not even having a basic ACL”

    What nonsense!

    Comment by John Starlight — June 28, 2011 @ 9:50 pm

    • Interesting comment. Why is it nonsense? Standard Unix file security (User, Group and Other) is still most widely used. Yes, Linux has had ACLs since somewhere around 2.6 (as far as I can remember). I would love to see a survey of how many Linux installations have something like the following in fstab though: LABEL=/home /home ext3 rw,acl 1 2. I am willing to bet “not a lot”.

      This means that we have the same problem here as basically Microsoft created with XP – the security mechanism is theoretically there, but it is not really there since it is either not being used (Linux ACLs) or circumvented by the OS installation mechanism (Windows XP).

      Rather than throwing a tantrum when reading something that is factually rather close to correct, you should read the entire thing and try to post intelligent comments.

      Comment by TAB — June 29, 2011 @ 12:16 am
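TAB's question, whether the ACL support is actually used on a given Linux box, can be answered without guessing from fstab. This is an added example, not code from TAB or the article, and it relies on two Linux facts: the kernel stores an access ACL in the extended attribute system.posix_acl_access only when the ACL cannot be expressed by the classic mode bits (so the mere presence of that xattr means a named user, named group or mask entry exists), and the attribute's binary layout is a little-endian 32-bit version (2) followed by 8-byte entries of 16-bit tag, 16-bit permission bits and 32-bit id, as in the kernel's posix_acl_xattr.h. The script decodes that layout into getfacl-style lines and surveys a directory tree for files that really carry extended ACLs; the tag constants are the kernel's.

```python
#!/usr/bin/env python3
"""Survey a Linux directory tree for files that actually use POSIX ACLs.

Added example for this thread, not code from the original post.  Layout and
tag values follow the kernel's include/uapi/linux/posix_acl_xattr.h and
posix_acl.h; run it on a tree mounted with the 'acl' option to see how many
files go beyond owner/group/other bits.
"""
import os
import struct
from typing import Dict, List, Optional, Tuple

ACL_XATTR = "system.posix_acl_access"
ACL_XATTR_VERSION = 0x0002
ACL_UNDEFINED_ID = 0xFFFFFFFF

# e_tag values from posix_acl.h
ACL_USER_OBJ, ACL_USER, ACL_GROUP_OBJ, ACL_GROUP, ACL_MASK, ACL_OTHER = (
    0x01, 0x02, 0x04, 0x08, 0x10, 0x20)
TAG_NAMES = {ACL_USER_OBJ: "user", ACL_USER: "user", ACL_GROUP_OBJ: "group",
             ACL_GROUP: "group", ACL_MASK: "mask", ACL_OTHER: "other"}

Entry = Tuple[int, int, int]   # (tag, perm bits r=4 w=2 x=1, id)


def parse_posix_acl(blob: bytes) -> List[Entry]:
    """Decode the binary xattr value: u32 version, then (u16 tag, u16 perm, u32 id)*."""
    if len(blob) < 4:
        raise ValueError("ACL blob too short")
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != ACL_XATTR_VERSION:
        raise ValueError("unsupported ACL xattr version %d" % version)
    body = blob[4:]
    if len(body) % 8:
        raise ValueError("ACL entries are 8 bytes each; %d trailing bytes" % (len(body) % 8))
    return [struct.unpack_from("<HHI", body, off) for off in range(0, len(body), 8)]


def is_extended(entries: List[Entry]) -> bool:
    """True if a named user, named group or mask entry is present (the getfacl '+' case)."""
    return any(tag in (ACL_USER, ACL_GROUP, ACL_MASK) for tag, _, _ in entries)


def format_acl(entries: List[Entry]) -> List[str]:
    """Render entries the way getfacl prints them, e.g. 'user:1000:r--'."""
    lines = []
    for tag, perm, ident in entries:
        qualifier = "" if ident == ACL_UNDEFINED_ID else str(ident)
        rwx = (("r" if perm & 4 else "-") + ("w" if perm & 2 else "-")
               + ("x" if perm & 1 else "-"))
        lines.append("%s:%s:%s" % (TAG_NAMES.get(tag, "tag%#x" % tag), qualifier, rwx))
    return lines


def read_acl(path: str) -> Optional[List[Entry]]:
    """Entries for path, or None when it has no extended ACL (or xattrs are unsupported)."""
    if not hasattr(os, "getxattr"):        # os.getxattr is Linux-only
        return None
    try:
        return parse_posix_acl(os.getxattr(path, ACL_XATTR, follow_symlinks=False))
    except OSError:                         # ENODATA: mode bits only; ENOTSUP: fs lacks ACLs
        return None


def survey(root: str) -> Dict[str, object]:
    """Count entries under root and list those whose ACL goes beyond mode bits."""
    total, extended = 0, []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            total += 1
            entries = read_acl(path)
            if entries and is_extended(entries):
                extended.append((path, format_acl(entries)))
    return {"files": total, "with_extended_acl": extended}


if __name__ == "__main__":
    import sys
    result = survey(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("%d entries scanned, %d with extended ACLs" % (
        result["files"], len(result["with_extended_acl"])))
    for path, acl_lines in result["with_extended_acl"]:
        print(path, " ".join(acl_lines))
```

On a typical desktop install the count of files with extended ACLs comes back at or near zero, which is the "not a lot" TAB is betting on; a Samba share or a system using setfacl-based delegation shows where the mechanism is genuinely in play.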

      • That is not the point however. If you merely look at the filesystem, ACLs aren’t all that important. They aren’t necessarily more secure than the standard permissions. They just give you better granularity in controlling these permissions. If you can get the desired permissions with standard UNIX permissions, then obviously ACLs have no added value for you (and for most people using a *nix-based system at home, the UNIX permissions will probably be ‘good enough’, as they probably only have a root account, and a handful of user accounts for the people at home who use the system, and who will generally have the same level of access).

        The difference is in WHERE Windows applies its ACLs. It goes well beyond just the filesystem, and is all through the Win32API. You can control the security attributes of any ‘securable object’ that you create.
        See MSDN here:
        And here:

        This means that you can not only limit the rights of files and directories from a user perspective. But as a developer, you can also create processes, threads etc with limited rights. Which means that even *if* such a process or thread gets exploited, it is still ‘sandboxed’ in a way. It does not obtain the full security rights of the user owning the process (eg. the exploited process is not able to spawn new processes or threads, or create files/sockets/etc). This is something that the original UNIX design does not have AT ALL. There is nothing in the POSIX APIs to give you such control.

        And while there are some solutions to build extra security into the OS (SELinux, AppArmor, TrustedBSD etc), you can use the same argument as the one you just used for ACL: it may be available, but how many linux/BSD/OS X installations have them installed in the first place, and how many have them configured properly? Again I think the answer is going to be “not a lot”.

        Granted, in Windows there may be a ton of apps that don’t bother with these security features either… But at least the features have been part of the OS design since day 1 (which was the original argument with ‘secure by design’). And you will find that the better server software will generally use these security features to their advantage (creating special users/groups and special ACL configurations for the services they install). Another design advantage Windows has is that you don’t need root privileges to open a socket on a port below 1024. This means that most Windows services don’t require escalated privileges at any point in their lifetime.

        Comment by Scali — June 29, 2011 @ 3:53 am

        • Day 1 was the original Windows releases not NT. Not by design but necessity.

          Comment by steve88 — July 7, 2011 @ 10:56 am

          • As I was trying to explain: Windows NT was a completely new OS design. It was still backward-compatible with 16-bit Windows, but only through a kind of virtual machine, a subsystem running on top of the microkernel. It’s akin to a linux system being able to run Windows software by using Wine, or the ABI compatibility layers in FreeBSD.
            Windows NT was the first 32-bit version of Windows, which came with a completely new API and security model. That is what I call ‘day 1’, since we still use Windows based on NT, with this 32-bit API and security model. The 64-bit versions of Windows are also based off this API and security model.

            Comment by Scali — July 7, 2011 @ 1:20 pm

        • There is a draft called POSIX capabilities !

          Comment by goarilla — August 10, 2011 @ 10:59 am

          • What’s your point?
            The POSIX draft for ACLs is WAY newer than the POSIX standard APIs that most UNIX systems are built on. And also way newer than the Windows NT API.
            The POSIX draft for ACLs is merely a proposed extension of the filesystem, not comparable at all to the design of the NT API.
            Please, someone needs to start understanding that ACL != ACL.
            It’s not just a checkbox feature. It’s about where and how the ACLs are applied in the system, and since NT was designed with ACLs from day 1, it looks way different from any UNIX/POSIX-like OS.

            Comment by Scali — August 11, 2011 @ 3:58 am

              • Does the future of the Windows ecosystem depend upon the developers to securely use the ACL/NT API? I ask this because although Linux has been the academic research OS for prototyping new security ideas, most of them cannot be used right now (conveniently) because your userland needs to behave differently, and that will probably not happen for the mainstream. If it is, then yes, Windows has a big leg up, but if it lies in something like RBAC, MAC, capabilities then we’re both screwed, some of us a little less but not much.

              Comment by goarilla — August 12, 2011 @ 2:23 am

              • ACLs are already used by all Windows programmers. Likewise Windows Integrity Controls have also started receiving widespread support in many programs.

                I feel we are getting off topic however. My article was never about ACL’s, but rather just how insecure OS X was, regardless of how secure Windows is or isn’t.

                Comment by allthatiswrong — August 12, 2011 @ 3:09 am
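A worked example on the privileged-port point Scali raises above: on a traditional Unix (including the OS X of the time) a service that listens below port 1024 must start as root, so the classic pattern is to bind first and then drop privileges for good, and a competent service verifies that the drop cannot be undone. This is added example code, not from the article or any commenter. It is Python 3 standard library only and runs on Linux or another Unix; the port, uid and gid are whatever the caller passes. The sysctl path /proc/sys/net/ipv4/ip_unprivileged_port_start is the Linux knob (4.11 and later) that can lower the 1024 threshold; the code assumes it may be absent and falls back to 1024.

```python
import os
import socket


def unprivileged_port_start() -> int:
    """Lowest port an unprivileged process may bind. Traditional Unix: 1024.
    Linux 4.11+ exposes the threshold as a sysctl; fall back to 1024 elsewhere."""
    try:
        with open("/proc/sys/net/ipv4/ip_unprivileged_port_start") as f:
            return int(f.read().strip())
    except (FileNotFoundError, PermissionError, ValueError):
        return 1024


def current_identity():
    """(real uid, real gid) of this process; used by the demo and the test."""
    return os.getuid(), os.getgid()


def bind_then_drop(port: int, uid: int, gid: int, host: str = "127.0.0.1") -> dict:
    """Classic Unix daemon start-up: bind first (the only step that needs root
    when port < unprivileged_port_start()), then drop privileges permanently.

    Order matters: supplementary groups and the gid are changed before the uid,
    because once the uid is unprivileged the group calls would be refused.
    Returns a summary so the caller can verify the drop actually happened."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))          # port 0 asks the kernel for a free port
    sock.listen(1)
    bound_port = sock.getsockname()[1]

    if os.geteuid() == 0:
        os.setgroups([])             # shed supplementary groups (root only)
    os.setgid(gid)
    os.setuid(uid)                   # real, effective and saved uid all change

    # The check a service should make after dropping: root must be unrecoverable.
    # setuid(0) only succeeds while some uid in the triple is still 0, i.e. the
    # drop was incomplete, or the caller passed uid 0 and nothing was dropped.
    try:
        os.setuid(0)
        root_regained = True
    except PermissionError:
        root_regained = False

    sock.close()
    return {
        "bound_port": bound_port,
        "euid": os.geteuid(),
        "egid": os.getegid(),
        "root_regained": root_regained,
    }


if __name__ == "__main__":
    # Demo on an ephemeral port as the current user. Run as root with a real
    # service account and a port below the threshold to see the full effect.
    uid, gid = current_identity()
    print("unprivileged ports start at", unprivileged_port_start())
    print(bind_then_drop(0, uid, gid))
```

Run as an ordinary user the summary shows root_regained False, which is the only acceptable result for a service; if it ever shows True after a drop from root, the saved uid was left at 0 (for example because seteuid was used instead of setuid) and any later exploit of the process gets root back with one call.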

  47. Again..

    Keep in mind, the main topic in this discussion, is actually…


    To me, and I could care less if it is Windows, Apple, Unix (in its several flavors), or any other OS…

    The topic of the discussion, is Apples lack of security, and how Windows is ‘more’ secure than anything….

    I say… BS… I only offer ‘apocryphal’ as it might be…

    Now, take that all you Apple devotees! (statement drips with anachronistic sarcasm. In case you missed it… that is a Windows slam)

    Comment by the old rang — June 30, 2011 @ 9:43 am

    • So Malware with extensive development delivered via a trojan can significantly embed itself into a system.

      This is news? Equivalent software (albeit without the anti-virus part) exists for both Mac OS, Linux, and BSD. The article actually doesn’t bring up anything security related at all. It simply states its hard to remove, and has been spread through popular downloads (cracks etc); nothing more.

      Comment by Moros — July 4, 2011 @ 11:38 am

  48. […] OS X – Safe, yet horribly insecure « All that is wrong with the world… – Ouch… (auch für Linux-User, BTW) […]

    Pingback by Linkschleuder vom 30.06.2011 — Konstantin Klein — June 30, 2011 @ 4:01 pm

  49. My experience:
    I used to maintain my sister-in-law’s PC for several years. She, and all her family, has very little knowledge about computers, and no skills in IT security.
    I had to recover from serious trouble every 2 months on average, spending a few minutes up to several hours to repair the system, remove some malware, etc…
    After a final crash which cost most of her files (she didn’t dare to ask me to do the repair again and asked some “professional” to do it), I advised her to switch to Mac (precision: I use only PCs, with either Windows XP, for years, or Linux, for months. I am not a Mac addict :o).
    Result: she and her family have enjoyed their computer for almost 3 years now, without any noticeable trouble, maybe some unwanted reboots, but no maintenance operations.
    Maybe the small market share of Mac is the main reason. I am convinced that the quality of the OS and application design is also a root cause. And the homogeneous hardware and driver park must be important too. But as a user, I only see the result and I don’t really care about the reason: using a Mac is really safer today.

    Comment by pascal — July 1, 2011 @ 1:32 am

  50. – ‘Given the insecurity of OS X and the nativity of the users’

    Might be handy to do just a little more proof reading of your article, just a suggestion here to avoid naively thinking that this comment refers to the births of users of OS X.


    Comment by David — July 1, 2011 @ 10:40 pm

  51. Look,

    I agree with you, there are plenty of vulnerabilities in even the best system. I run Symantec for Mac because being in IT I know there is never a perfect system (including mine even with Symantec). I run Mac OS X firewall, and do my best to keep my system secure, as in any IT world, there is always that chance, even if it less than windows, overnight it could become more than windows. Enjoy the benefits of OS X……..don’t be dumb though.

    Comment by Dave — July 3, 2011 @ 1:42 am

  52. You’re wrong on a couple of points – that there are no ACLs (they aren’t usually necessary), and about the firewall not blocking incoming connections to root processes (tested that about two weeks ago), and I think the fact that the firewall shows what applications own which ports is just a friendly user interface – I’m not convinced of the (vague and undefined) “low-level attacks” you claim (though not convinced of their non-existence either). Lots of your statements were accurate about the first or early OS X releases. I could make many statements about Windows 1.0, but they wouldn’t be very interesting. Apple bet the company on a very disruptive (as in “your old stuff won’t work”), revolutionary (as opposed to evolutionary) change when they went from OS9 to OSX. This is something I don’t know of any other large software companies doing, though there probably are other examples.

    You also kind of want it both ways – you say you aren’t worried about malware but are worried about targeted attacks, but then you blast Mac for not having good A/V. A/V really only catches bottom feeders and script kiddies, and has limited practical use in real life on all OSes but the really large ones. It’s a hopeless game, actually, since it’s a blacklist, and it’s pretty trivial to bypass — all competent VXers know how. No, I’m not going to explain this claim publicly, sorry 🙂

    Furthermore, I’m not sure how sharing code with third-party or open-source systems negatively impacts security. Studies show no difference between the security of open-source and proprietary code, and arguably more eyes on the code means more bugs found. By amortizing development/security resources across a larger group, shared code means less investment for each “user” (company). In other words, if Oracle and Apple both use the JVM, they each need to invest fewer resources into securing it than if they did it all in-house. The general rule with security is, “don’t roll your own” if you don’t have to – it’s too easy to get wrong.

    Your rant is very similar to many others that “prove” that OpenBSD and Linux+GRsec are more secure. And they have never been corporations with larger market cap than any other company, which Microsoft was for some time. Apart from .NET/CLR, which was really a response to Java, I can’t think of a single _technology_ that Microsoft invented (there are probably examples, I just can’t think of any). I will point out that many/all of the security technologies they use were innovated elsewhere – DEP was released on Linux 4 years before Microsoft, and on OpenBSD (as W^X) one year before. Stack protection was first implemented in stackguard (gcc/Linux) in 1997, and by Microsoft in 2003. Fuzzing was first done on Unix, and was mentioned in “Practical Unix and Internet Security” which was published in 1996. Microsoft still has nothing like SELinux, apparmor, RSBAC, etc. Sure, they’ve created lots of products, and things they call technologies, like the obfuscated hierarchical typed key-value store (which gives me hives) known as the registry, but in general, I find the things they innovate to be kind of derivative, but are almost always complex and by being complex, lock you into the platform, either by requiring administration tools, or by requiring you to specialize in it and buy related information, training, and tools. If you spend all your time trying to figure out the bugs in the win32 API (or its documentation), you don’t have time to learn any other way of doing things. Apple does the same thing – you’re gonna have to learn Objective-C, Cocoa, Xcode, etc… which is non-transferable knowledge. To develop for the iPhone, you’re gonna have to buy an iPhone AND a Mac, and also learn those technologies. By the time you actually learn all those things, it’s like growing up in subsaharan Africa – you have long ago gotten used to the flies all over you and people dying of malaria (that’s an inside joke – Apple used it about Unix scripting long ago; turn about is fair play).

    I’m not totally disagreeing with you; among other things, Apple is a hard company to work with, even in a business-to-business capacity – typically you report a problem to one of their developers, three weeks later you get an email saying it’s not really their problem/fault, and in the next release it’s fixed. Microsoft is much better to work with. And yeah, Microsoft has really improved their game over the last 5 or so years.

    I am not a Windows expert. I don’t think many people are, since you can’t inspect the source code to Windows, and there is (to my knowledge) no good design docs or architectural overviews in book form or on the web. It also has a lot of legacy baggage. Since you can’t really understand how it works, it’s very hard to detect when it is compromised – especially by stealthy rootkits and so on, which you seem to be rather concerned about. The only really decent tools for inspecting the system are released irregularly on developer CDs by Microsoft, or were invented by the sysinternals guys (which Microsoft wisely bought), and even then you sometimes don’t know what you’re looking at.

    That having been said, Microsoft has done a lot to improve security in the last 5 years or so. They had their head in the sand about the Internet and security for a long time (remember Doom 2 over IPX?), but they’ve really turned around. I’ve been to SDL presentations by Michael Howard, and most of the MS engineers I meet are surprisingly competent. MSIE actually has had fewer CVE vulns in the last few years than Firefox. They are handicapped by dealing with a large body of code that I assume was written long before the commercialization of the Internet, which started as a single-user system. It is possible, since they hired many of the DEC/VMS guys. I am not convinced of your claim that NT was a secure multi-user rewrite from the ground up – please back up that claim with references describing the architecture, and how you can still run W95 EXEs on an NT/Vista/7 system if it was, in fact, a complete redesign.

    They also cannot break compatibility very quickly without alienating their developer/customer base, which is their greatest financial asset. IMHO, if upgrading means incompatibility, they would make users choose between them and some other platform on a technical basis, which MS really doesn’t want them to do – it nullifies their biggest asset! Also, as a developer, you get visits from the BizDev people if you break compatibility, and you don’t if you don’t – so if you break compatibility, there’s a negative consequence that needs to be supported up the management chain. And people don’t upgrade, which negatively affects security (why do you think people still have to design web sites for MSIE6? Corporate intranet apps – nuff said). I have some experience with this and I kind of understand their dilemma. Props to those among you fighting the good fight 🙂

    What they have done – threat modeling, fuzzing, DEP, stack protection, and ASLR – is actually pretty good, and it is the most “bang for the buck”. It’s also reasonable when you have a lot of code written by people right out of college (Microsoft is well-known for hiring this way – because, to quote Steve Ballmer – it’s hard to get them to do things the Microsoft way), since you don’t need to pay attention to every line of code.

    I don’t run Mac OS X at home, I don’t own an Apple product any more, but it is something I can recommend to my grandmother as being generally safe to use, though more of an “effective security” way than a “absolute security” way (see my book for definition of these terms; the link is at the end of this comment). Many of my security professional associates use it, as well.

    I don’t use either because the companies just want to lock your data and customer base onto the platform – just like the “big iron” database/hardware vendors in the 70s-80s (one of which has recently purchased big software companies). However, I hope it has satisfied your desire for an intelligent response. Since I just claimed not to be an expert on Mac or Windows, and not in an argument-by-authority way, I will state in my defense that I run the Bay Area Hacker’s Association:

    And I also wrote a book on computer security, which some of your readers might find useful.

    Comment by T — July 4, 2011 @ 12:26 am
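On T’s firewall test in the comment above: an nmap run from another machine only reports what the packet filter lets through, and it can never see anything bound to 127.0.0.1, so “no open ports” on its own says nothing about which root-owned services are listening or whether the firewall UI lists them. The complementary host-side check is to inventory listening sockets together with their owning uid and then compare with the scan. The code below is an added example, not from the article or any commenter; it parses the Linux /proc/net/tcp table (on OS X the same inventory comes from `lsof -i -P -n` or `netstat -an`), and the table it ships with is a constructed sample in the kernel’s column format, not a capture from any real machine.

```python
import socket
import struct

TCP_LISTEN = 0x0A   # socket state code for LISTEN in /proc/net/tcp

# Constructed sample in the format of Linux /proc/net/tcp (not a real capture):
# a root-owned listener on 127.0.0.1:631, an unprivileged (uid 501) listener on
# 0.0.0.0:8080, and one ESTABLISHED connection that must be ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 15236 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000   501        0 20941 1 0000000000000000 100 0 0 10 0
   2: 0100007F:B3A2 0100007F:0277 01 00000000:00000000 00:00000000 00000000   501        0 20950 1 0000000000000000 20 4 30 10 -1
"""


def decode_addr(field):
    """'0100007F:0277' -> ('127.0.0.1', 631). The kernel prints the IPv4
    address as a host-order (little-endian on x86) hex word and the port in hex."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(table):
    """Every LISTEN socket in a /proc/net/tcp table, with its owning uid."""
    listeners = []
    for line in table.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 10 or int(fields[3], 16) != TCP_LISTEN:
            continue
        ip, port = decode_addr(fields[1])
        listeners.append({"ip": ip, "port": port,
                          "uid": int(fields[7]), "inode": int(fields[9])})
    return listeners


def root_owned(listeners):
    return [l for l in listeners if l["uid"] == 0]


def reachable_from_network(listeners):
    """Loopback-only listeners are invisible to a remote scan regardless of any
    firewall; only the rest can be confirmed or refuted by nmap."""
    return [l for l in listeners if not l["ip"].startswith("127.")]


def unexplained_by_scan(listeners, open_ports_seen):
    """Listeners a remote scan should have been able to see but did not: either
    the packet filter is blocking them (fine, but the firewall UI should still
    list the service) or the scan missed them."""
    seen = set(open_ports_seen)
    return [l for l in reachable_from_network(listeners) if l["port"] not in seen]


def live_listeners():
    """Same inventory on a running Linux host (IPv4 only; read /proc/net/tcp6
    as well for IPv6 listeners)."""
    with open("/proc/net/tcp") as f:
        return listening_sockets(f.read())


if __name__ == "__main__":
    ls = listening_sockets(SAMPLE_PROC_NET_TCP)
    for l in ls:
        print(l)
    print("root-owned ports:", [l["port"] for l in root_owned(ls)])
    print("not seen by an empty scan:", [l["port"] for l in unexplained_by_scan(ls, [])])
```

With the sample table and an nmap result of “no open ports”, the inventory shows that the root-owned cups listener on 631 could never have been seen from outside (it is loopback-bound), while 8080 is bound to all interfaces and was either filtered or missed; a scan alone cannot tell those two cases apart, which is why the host-side list is the one to trust.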

    • Correction; Steve Ballmer said (paraphrasing) that Microsoft tended not to hire people except straight out of college, because it’s hard to train people who have had other work experience to do things “The Microsoft Way”. I believe this was from an interview on “Triumph of the Nerds”. It may no longer be true, but that’s what he said back then.

      Comment by T — July 4, 2011 @ 12:30 am

    • Hi Travis,

      Thanks again for your reply.

      I would appreciate you being specific on any points you think I may be factually wrong about. I should also note that I never said that OS X lacks ACLs, but rather that the UNIX security model does — which is true.

      All of the claims I have made are accurate for Leopard or Snow Leopard, so it is hardly as though I were attacking the equivalent of Windows 1.

      I say targeted attacks have always been a problem, and that Apple should not have been so irresponsible to leave so many users at risk for so long. This doesn’t mean the growing problem of mac malware should be ignored, and given their half-assed AV implementation I thought it was worth mentioning.

      I never made any claim in my article that OS X is less secure because portions are open-source. I would be curious as to what you may have interpreted to mean that?

      As for your analogy to OpenBSD…perhaps you should read my article on OpenBSD, dismissing it as insecure. The rest of your paragraph is comparing Microsoft to Apple in a context irrelevant to the security of OS X, so I will decline to respond. This is not and never was a Windows vs Apple piece.

      You can easily search or find the history of how NT was built up from the ground. There is overwhelming documentation that it was built from the ground up to be secure, it isn’t something I need to cite here.

      Also, not sure why you mention that Microsoft has done fuzzing. Fuzzing is a technique used to find flaws in handling of arbitrary data that can be exploited, not something a company can employ to help mitigate attacks.

      Anyway, I appreciate your input, just keep in mind this is not about Windows vs Apple, just pointing out that Apple is running last when it has little reason to be.


      Comment by allthatiswrong — July 5, 2011 @ 8:04 pm

      • Hello allthatiswrong, thank you for the reply.

        You state that the 1970s UNIX design lacked ACLs. And yet, in 1970s, UNIX was a real multiuser system, and Windows did not exist, and certainly there was no multi-user NT kernel. I wouldn’t think that most of the arguments about Unix being more secure are suggesting that a 1970s Unix kernel would still be secure today, but rather that, at the time, it had multiple users and permissions (DAC), which are still useful today. So that’s a bit of an implicit straw man. Some of the other security features were being developed in MULTICS, which inspired UNIX, though it never made it into production since it tried to solve too many hard problems – the best being the enemy of the good and all that. IIRC, your pre-edit paragraph had multiple different verb tenses – some present, some past, which made it rather confusing, though it was probably not deliberate on your part.

        Every OS except OS X has a full implementation of ASLR, stack canaries, executable space prevention, sand boxing and more recently mandatory access controls.
        I doubt that’s factually accurate. Did you include Spring, MINIX, Plan9, L4, QNX, and Inferno in your list of OSes? There are dozens, if not hundreds, of OSes out there – see an old copy of Patrick Bridge’s OS page on for a list. I doubt all of them have these features. I’m also sure many do not have MAC, and Windows ACLs are not MAC if they are up to users or applications to decide if they should use them, or if they choose to not use them – that’s DAC, not MAC.

        Even if the option to block all incoming connections was set it didn’t do this, still allowing incoming connections for anything running as the root user with none of the listening services being shown in the user interface.
        I had a friend over here perhaps one week before you wrote this article, and we enabled the “block all incoming connections”, and I nmapped her Mac. It had no open ports listed. So either she isn’t running any root processes with listening sockets (unlikely!), or I did something wrong in my test, my default nmap scan didn’t hit root-owned listening ports, or this statement is wrong. What was your basis for your statement?

        Apple’s decision not to randomize the base address of the dynamic linker DYLD is a major failing from a security point of view. Charlie Miller has demonstrated how a ROP payload can be constructed using only parts of the non randomized DYLD binary.
        There’s one line of C in the comments here that can get the base address of ntdll. So apparently Windows isn’t doing so well either. ntdll is pretty big; I’m sure you could find some ROP gadgets in there.

        All of the claims I have made are accurate for Leopard or Snow Leopard, so it is hardly as though I were attacking the equivalent of Windows 1.
        When OS X was first introduced the system didn’t even implement shadow file functionality, using the same password hashing AT&T used in 1979, simply relying on obscuring the password via a pretty interface.
        That’s a pretty irrelevant comment to Snow Leopard. I can make a much more relevant comment: LANMAN. I still see it on many Windows networks today, and not because they’re still running pre-NT systems, AFAIK.

        I never made any claim in my article that OS X is less secure because portions are open-source. I would be curious as to what you may have interpreted to mean that?
        Sorry, I misread this:
        They often share vulnerabilities with core libraries in other UNIX like systems with samba and java being two examples.
        In my quick reading, I interpreted that to mean that vulns in third-party libraries were somehow a Mac OS X design failure – and now I’m not clear what you’re saying.

        You can easily search or find the history of how NT was built up from the ground. There is overwhelming documentation that it was built from the ground up to be secure, it isn’t something I need to cite here.
        Well, it should be easy for you to provide a link then. I doubt the current Windows installs have no pre-NT code – since they still run non-NT binaries, they must at least still implement the pre-NT APIs, which may have design flaws, even if they do not share any code (and thus implementation flaws). A weak API is still part of the local attack surface, though I can understand why a company with such a large market share might not want to break backwards compatibility. I do hear from Windows developers that there are many Windows APIs marked as deprecated – presumably, for good reason.

        Also, not sure why you mention that Microsoft has done fuzzing. Fuzzing is a technique used to find flaws in handling of arbitrary data that can be exploited, not something a company can employ to help mitigate attacks.
        Well, if you find and fix a vuln before attackers do, then you have very effectively mitigated attacks which rely on exploiting it, no?

        Anyway, I appreciate your input, just keep in mind this is not about Windows vs Apple, just pointing out that Apple is running last when it has little reason to be.
        Hmmm, you mention NT/Windows several times in your piece, and implicitly compare it many times, so I find this rather curious. Also I wonder what makes you say it’s “running last”? Last in what race, with what contestants, with what metric of lastness? Okay now I’m just being snarky 🙂

        I think the issue is rather complex and not quite as simple as “apple not/least secure”, though it was entertaining to read. I’d read the OpenBSD polemic but I suspect I’d learn less than if I read some of those NT architecture books – no offense intended 🙂

        Comment by T — July 6, 2011 @ 5:46 pm
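On the ASLR and ROP exchange above (the non-randomized dyld on OS X, the ntdll base-address one-liner on Windows): what a return-oriented payload needs is code at an address the attacker knows in advance, and the first question for any image is whether the loader is even allowed to move it. The code below is an added example, not from the article, from Charlie Miller’s work or from any commenter. The headers it inspects are constructed byte strings laid out like Mach-O and ELF headers (not real binaries) and the “code” it searches for gadgets is a hand-assembled byte string; the load base used for the address arithmetic is hypothetical. Offsets assumed: the flags word at byte 24 of a Mach-O header with MH_PIE = 0x200000, and e_type at byte 16 of an ELF header (ET_EXEC = 2, ET_DYN = 3).

```python
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF       # Mach-O, host byte order
MH_CIGAM, MH_CIGAM_64 = 0xCEFAEDFE, 0xCFFAEDFE       # Mach-O, byte-swapped
MH_PIE = 0x200000                                    # image may be slid by dyld
ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3


def image_randomization(header: bytes) -> str:
    """'randomizable' if the loader is permitted to relocate the image,
    'fixed-base' if it is always mapped at the address baked into the file."""
    if header[:4] == ELF_MAGIC:
        endian = "<" if header[5] == 1 else ">"          # EI_DATA: 1 = LSB, 2 = MSB
        (e_type,) = struct.unpack_from(endian + "H", header, 16)
        return {ET_DYN: "randomizable", ET_EXEC: "fixed-base"}.get(e_type, "unknown")
    (magic,) = struct.unpack_from("<I", header, 0)
    if magic in (MH_MAGIC, MH_MAGIC_64):
        endian = "<"
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        endian = ">"
    else:
        return "unknown"
    (flags,) = struct.unpack_from(endian + "I", header, 24)   # same offset for 32/64-bit
    return "randomizable" if flags & MH_PIE else "fixed-base"


def find_ret_gadgets(code: bytes, max_len: int = 3):
    """Naive x86 gadget hunt: every byte sequence of up to max_len bytes that
    ends in ret (0xC3) is a candidate, at any byte alignment, because x86 can
    be entered mid-instruction. Returns (offset, bytes) pairs."""
    gadgets = []
    for i, b in enumerate(code):
        if b != 0xC3:
            continue
        for n in range(1, max_len + 1):
            if i - n < 0:
                break
            gadgets.append((i - n, code[i - n:i + 1]))
    return gadgets


def gadget_addresses(load_base: int, gadgets):
    """With a fixed-base image, base + offset is known before the attack, so
    these are usable payload words without any leak; with a slid image the
    attacker first needs the real base from an information leak."""
    return [load_base + off for off, _ in gadgets]


# Constructed headers (first 32 bytes only; enough for the fields we read).
MACHO64_PIE = struct.pack("<7I", MH_MAGIC_64, 0x01000007, 0x80000003, 2, 0, 0, 0x85 | MH_PIE) + b"\0" * 4
MACHO64_NOPIE = struct.pack("<7I", MH_MAGIC_64, 0x01000007, 0x80000003, 2, 0, 0, 0x85) + b"\0" * 4
ELF64_EXEC = ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 9 + struct.pack("<HHI", ET_EXEC, 0x3E, 1)
ELF64_PIE = ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 9 + struct.pack("<HHI", ET_DYN, 0x3E, 1)

# Hand-assembled x86-64 bytes: mov rdi,rax ; pop rdi ; ret ; nop ; pop rsi ; ret
SAMPLE_CODE = bytes.fromhex("4889c7" "5fc3" "90" "5ec3")
HYPOTHETICAL_BASE = 0x10000000   # placeholder load address, not any real dyld base


if __name__ == "__main__":
    for name, hdr in [("Mach-O PIE", MACHO64_PIE), ("Mach-O no PIE", MACHO64_NOPIE),
                      ("ELF EXEC", ELF64_EXEC), ("ELF PIE", ELF64_PIE)]:
        print(f"{name:14} {image_randomization(hdr)}")
    for off, g in find_ret_gadgets(SAMPLE_CODE, max_len=1):
        print(f"gadget at +{off:#x} ({g.hex()}) -> {HYPOTHETICAL_BASE + off:#x}")
```

To run the same check on real files rather than constructed headers, feed `image_randomization` the first 32 bytes of the binary; `otool -hv` on OS X prints the PIE flag by name and `readelf -h` on Linux shows Type: DYN for a relocatable executable. An image that reports fixed-base is a gadget source whose addresses survive every reboot, which is exactly the property the dyld criticism is about.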

        • Hi Travis,

          The UNIX design did lack ACLs, and that has absolutely nothing to do with Windows at all. No strawman, just cold hard facts that you took out of context.

          Obviously when I said “every OS aside from OS X” I did not mean every OS, but rather every consumer OS. Which you can take to mean Windows and Linux.

          The criticisms I made of the firewall are both backed up by the book OS X Exploits and Defense and Charlie Millers presentation, both of which I reference in my article.

          As far as I know the 1 line of C code was limited to 32bit Windows Vista. Please let me know if the scope is larger than that. Once again, it doesn’t matter if Windows is not perfect in this regard; it doesn’t change or excuse how bad Apple’s implementation is.

          LANMAN is irrelevant to an attack on Apple for not having a shadow file. Whatever Microsoft does, it doesn’t excuse Apple’s shitty actions.

          RE core libraries, I am saying Apple often share vulns with other unix like OSes and are often far far behind in fixing them.

          RE linking you to the history of NT. It is not my intention, desire or responsibility to educate those so that they can understand and/or discuss this article. Certain standard prerequisite knowledge is assumed, and if you don’t have that then its hard for me to respond properly to you. I have no more need to link you to the history of NT than I do to link you to the origin of OS X.

          I mention Windows as a comparison sometimes, because part of the myth I am debunking is that OS X is more secure than Windows. I show why this is not true sometimes, in certain contexts. It doesn’t mean the article is directly comparing OS X to Windows, or that it is the point of the article.

          The issue really isn’t that complex. Apple have been horribly insecure, and well behind Windows and Linux technically for years. They’ve been lucky, that’s about it.

          Comment by allthatiswrong — July 9, 2011 @ 3:38 am

          • “Once again, it doesn’t matter if Windows is not perfect in this regard; it doesn’t change or excuse how bad Apple’s implementation is.”
            Isn’t that ironic? The non-Windows crowd (OS X, linux etc) always goes on about how poor Windows is.
            However, when you have some fair criticism on a shortcoming of their OS of choice (let’s face it: no OS is perfect), their immediate reaction is to point out how Windows is worse in whatever (related or non-related) area.
            So in a way they’re using the OS they despise for being poor as an excuse for their own OS being poor.
            Makes no sense whatsoever. Especially since they love to sling accusations of bias around.
            If you ask me, the only non-biased response to criticism is to acknowledge it if the criticism is fair. Other OSes can never be an excuse for ‘your’ OS.

            PS: I think Mr. ‘T’ is Travis, not Terje.

            Comment by Scali — July 9, 2011 @ 6:04 am

            • Thanks, fixed the naming, and agree with you 100%. It’s a shame they have to bring Windows in to it at all.

              Comment by allthatiswrong — July 9, 2011 @ 11:41 pm

      • Was it really written from the ground up to be secure (against what?) or was it, like Unix, written from the ground up to be multi-user and benefited from that security-wise? User/group segregation was never implemented for the sake of security on Unix; it was for the many users the system had to service.

        IIRC Microsoft never saw the internet as viable and thus, if it still shared that thought during the conception of their NT design, were they trying to be secure against physical attacks, sneakernet attacks?

        Comment by goarilla — August 10, 2011 @ 11:17 am

        • Windows NT was written from the ground up to be multi-user *and* secure.
          Clearly there’s more than 20 years between the design of UNIX and the design of Windows NT.
          By the time NT was designed, networking (not necessarily internet as we know it today, but that is irrelevant, besides, NT dates from before the WWW explosion, dotcom boom and all that. What you are talking about was mostly regarding Windows 95/98, NT is older than that) was already commonplace, as was the security surrounding it.
          The DoD had already put down a lot of security requirements in the Orange Book:
          And the Windows NT designers aimed to meet these requirements.

          Comment by Scali — August 10, 2011 @ 12:45 pm

        • NT was most definitely designed with security in mind. The design documents reflect this, as does the push to be certified under Orange Book as Scali points out.

          Comment by allthatiswrong — August 10, 2011 @ 7:02 pm

    • You make claims about technologies that Windows lacks, while at the same time admitting you don’t know much about Windows internals.
      For starters, your FUD about how Windows has no good docs and architectural overviews (because it is not open source) is, well, FUD.
      There’s a ton of great documentation on Windows, and it is nowhere near as obscure as you want to make it sound. There are plenty of experts on Windows internals around, and they publish a lot of information. Try following Mark Russinovich’s blog posts and videos for example.

      Furthermore, since you apparently don’t understand much about Windows internals, you make some nonsensical claims, such as that Windows does not have equivalents of SELinux or AppArmor. No indeed, it doesn’t have those, because it doesn’t *need* them. Windows uses a completely different security model, which does not require ‘bolt-on’ solution such as these, since it has been integrated in the design since day 1 (being Windows NT… Windows 1.x through 3.x are a completely different OS, being 16-bit only, not compatible in any way with the 32-bit NT. As for Windows 9x/ME, although they support (most of) the Win32API from NT, they are also not the same OS. The design is completely different from NT, and none of the security in the Win32API is implemented).
      And that is *exactly* the kind of claim that this article took as a premise:
      People claim *nix is more secure by design, yet they need all sorts of patches on top of the basic *nix design to improve security. Windows NT has not needed any such thing yet. The basic ACL-based security model introduced in the first version of Windows NT can control a lot of security rules in a very granular and flexible way (and no, not just on the filesystem, as some people think, on all securable objects, see my other post above).

      Comment by Scali — July 6, 2011 @ 3:42 am

    • In fact, riddle me this:
      There are tons of third-party tools available for Windows, working with the kernel at low levels, requiring a good understanding of the system.
      Think of device drivers, virus scanners, firewalls, copy protection schemes etc.
      And that is of course only the ‘good’ side. There’s also a lot of malware that exploits flaws/bugs in Windows in order to infect a system, avoid detection etc.
      How is it possible to write all these things, if you “can’t really understand” the Windows internals?

      Comment by Scali — July 6, 2011 @ 4:42 am

    • Oh yes, I forgot:
      Sourcecode is NOT documentation.

      If you don’t get what I mean by that… then you probably have never seen any non-trivial algorithms.
      I always like to use the Marching Cubes algorithm as an example.
      It is an algorithm that converts a 3d scalar field into a polygonized isosurface representation.

      The thing is, the algorithm itself is not all that difficult. However, when you implement it, you encode most of the actual algorithm into pre-computed tables.
      If you look at the actual sourcecode, there is no telling what it does, since you just see a few table lookups. You don’t know what is in these tables. It’s also not something you can easily explain with comments in the code (assuming the code is commented at all).

      It’s much like the old adage: Programming is not done in front of the keyboard.
      Writing the actual code is simple once you’ve solved the problem. Solving the problem is the real programming.
      Documentation should focus on how the problem is solved. How the solution is actually implemented in source code follows trivially from a good description of the problem and solution.
      Open source advocates just don’t get it.

      Comment by Scali — July 6, 2011 @ 4:50 am

  53. Bleh sorry for the numerous typos in that article folks. I should really not use in-browser editors for long comments 🙂

    TL/DR; it’s a complicated issue, and I’m not sure of your conclusions, though you’re probably right on most of the points I didn’t call out specifically.

    Apple does have a bit of catching up to do – hopefully they can do it before their market share catches up and they start getting targeted widely 🙂

    And yes, I’m biased – I learned a lot about Unix in the early 90s from books and the Internet, and haven’t been able to acquire the same level of knowledge about Windows as easily. In fact, I don’t know anyone with equivalent Windows knowledge to ask! There don’t seem to be many good books on how Windows actually works – just instructions about how to program to the API. Please follow up if I’m missing one, as I’m genuinely interested. I know I can’t read the source, but I’d love to see the equivalent to books like these:

    The Design of the UNIX Operating System
    The Design and Implementation of the 4.4BSD Operating System
    UNIX Internals
    Understanding the Linux Kernel
    Operating System: Design and Implementation
    The Magic Garden Explained

    The closest I could find is “Undocumented Windows 2000 Secrets”, and it’s a bit of a snoozer, and also out of print.

    Comment by T — July 4, 2011 @ 1:48 am

    • There’s quite a few books on Windows internals, such as the “Inside Windows” series, by David A. Solomon and Mark Russinovich, or “Windows Internals” by Matt Pietrek.
      Starting at Microsoft Press is a good idea:

      There’s also quite a lot of information to be found in the various MSDN articles and blog posts.

      Comment by Scali — July 4, 2011 @ 6:50 am

  54. Hmm, leave a long, careful reply, it gets silently removed. Interesting. No wonder the contra comments are so poor.

    Comment by Travis H. — July 4, 2011 @ 6:55 pm

    • Hi Travis,

      I apologize for the delay. I never block comments unless they are obviously spam. However sometimes my spam filter will mark a legitimate comment as spam, and it may take me a day or two to notice and manually approve it.

      Your first comment is very lengthy, and I will read through and address it now.

      I won’t delete any of your subsequent comment unless you specifically ask me to.


      Comment by allthatiswrong — July 5, 2011 @ 7:42 pm

  55. BTW, free security book for interested readers – note there is NO commercial aspect to this at all. No ads, no selling anything.

    Comment by T — July 4, 2011 @ 6:57 pm

  56. Whoops! My mistake. Please feel free to remove comment 55, 56, and this one, moderator 🙂

    Comment by T — July 4, 2011 @ 6:58 pm

  57. […] An article about OSX and the ‘myth’ of its security. The issue is not which OS is more secure; it is which OS are you willing to take your chances with? (warning: a bit technical) […]

    Pingback by security tuesday bulletin: july 5, 2011 « a few things — July 5, 2011 @ 7:37 pm

  58. Below is a link to a post in the macrumors forums that provides counterarguments to “Mac – safe, yet horribly insecure.”

    Comment by Billy — July 9, 2011 @ 5:51 pm

    • Sadly they just take a few ‘arbitrary’ (as in: favourable to their cause) points, and compare them to Windows. Missing the entire point of this article. Or actually, they unknowingly reinforce the point of this article: Mac users are in denial about the potential security risks.

      Comment by Scali — July 9, 2011 @ 6:39 pm

  59. I think the point of that macrumors post is to show that the “Mac – safe, yet horribly insecure” article presents a biased one sided argument.

    It does inherently take into account the data from this article and negates it while also providing more information to the contrary.

    Comment by Billy — July 9, 2011 @ 8:04 pm

    • Hi Billy,

      I do appreciate the link to that discussion, thanks.

      However, Scali is right in his comment above. That post tries to defend OS X by attacking Windows, which really has nothing to do with how insecure OS X is or is not.

      His arguments are either factually incorrect, irrelevant or misleading. I could defend each point, but rather I’m going to just make a few corrections.

      1. Sandboxing and MAC are not at all the same thing. They may have some similarities at a surface level but they are fundamentally different. He is just showing his ignorance by saying such a thing.

      2. He blames the windows registry as making it easier to write exploits for Windows. What utter nonsense.

      3. The ASLR implementation in OS X is in no way equivalent to the one in Windows. It is very behind. Nothing he linked to showed differently.

      4. Xprotect is not 100% effective because it only scans files marked for scanning. That’s just dumb.

      5. His notes on Authentication and password handling in Windows are very much out of date.

      6. His analogy of web server software to consumer operating systems to try to make an argument for market share being irrelevant is misguided and works against him. Apache has the majority market share, and is attacked far more frequently than IIS.

      If you wish to argue anything further from that point, just mention it specifically.


      Comment by allthatiswrong — July 9, 2011 @ 11:41 pm

      • I’d like to add to 2: The Windows registry has ACL-based access control. This makes it no less safe than using the filesystem to store data (the method used on most *nix-based systems). That is why it is nonsense.

        Comment by Scali — July 10, 2011 @ 3:53 am

  60. So, by your own reasoning, the most appropriate complimentary title for a similar article about Windows would be “Windows – unsafe, yet even more horribly insecure.”

    Reply: point by point

    1. Actually, mandatory access control (MAC) is the archetype for all other types of application sandboxing.

    2. Utter nonsense is not being able to understand how a greater number of local privilege escalation vulnerabilities that are leveraged via the registry and used in malware, such as Stuxnet and TDL-4, makes Windows less secure.

    3. The article shows that both systems do not have full ASLR despite anything that states the contrary.

    Click to access DEP_ASLR_2010_paper.pdf

    4. No AV software has 100% detection rates. AV software that runs with elevated privileges, such as those with on-access scanning, as typically used in Windows can actually decrease the security of the OS.

    5. Actually that data is up to date.

    6. Script kiddies exploiting unpatched services due to user error on the part of the server admin is not relevant to an analysis of OS security.

    Inherently, IIS is less secure because it only runs on Windows and Windows is less secure.

    Comment by Billy — July 10, 2011 @ 1:56 am

    • Hi Billy,

      I’m sorry, but a lot of what you say is simply wrong. Are you the writer of that forum post by chance?

      I don’t necessarily agree that MAC is the archetype for application sandboxing, but whatever. The claim made in the forum post is that MAC and sandboxing are the same thing, which is bullshit. A paper about Apple’s implementation is kind of irrelevant here. Instead, I’m going to direct you to the wiki pages on sandboxing and MAC, both of which are fairly comprehensive.

      The registry does not make Windows more insecure. You must not understand the registry at all to think such a thing. Malware can use the registry to make sure it starts up again after a reboot or something like that, or to change file behaviors or whatever. Everything you can do with the registry you can do with a textfile analog. Except that the registry has the advantage of ACL’s.

      The PDF you link to says absolutely nothing about Windows ASLR being implemented incorrectly. It simply states that third party developers are not taking advantage of it, implying there is a correct implementation to take advantage of.

      Sure, no AV software is 100%. AV Software that only scanned files that were marked by a small set of applications to be scanned would be the laughing joke of the AV industry though. Apple gets away with it because Xprotect is not an AV scanner, it’s just a poorly implemented blacklist.

      The original forum post said that Windows only uses NTLM hashing which is false. The article you linked to is more accurate, but omits Kerberos and the other hash algorithms Windows can use.

      You appear to be contradicting yourself here. Windows being less secure is not an axiom, but your perception. If IIS is attacked it is more than likely due to unpatched services or error on the part of the server admin, the same reasons you choose to exclude evidence of Apache on *nix being attacked.

      In that case, please find me recent examples of IIS being compromised due to 0 days.

      Also remember, Windows is irrelevant of the claims I make against OS X. Windows happens to be more secure, that’s just a fact. Even if Windows 7 was at the level of Windows 95, so what? It does nothing to excuse the insecurity of OS X.

      Comment by allthatiswrong — July 10, 2011 @ 11:30 am

    • 2: The problem here is that you blame the registry for these exploits. The fact that certain settings are stored in the registry doesn’t have much to do with the nature of the exploit. Storing these settings anywhere else doesn’t make them any more secure. So the reasoning is flawed.

      Comment by Scali — July 10, 2011 @ 11:31 am

  61. MAC is an implementation of sandboxing. It is mandatory. 

    MIC is an implementation of sandboxing. It is not mandatory due to being based on inherited permissions. So, why not call it discretionary integrity control?

    Actually, malware manipulates registry entries to cause kernel mode drivers to crash so that the drivers can be exploited.

    ASLR not being implemented correctly by developers still means that Windows does not have full ASLR. As soon as a user installs a browser plugin that does not use these mitigations, the browser functionally does not have those protections as well.

    XProtect is more secure than having a client side service, in this case AV software, running with system level privileges.

    That post is referring to local user account password hashing. NTLM is used locally to hash the user account passwords in Windows 7. Mac OS X uses Kerberos for remote authentication as well but OS X’s local password hashing is more robust.

    Reports of Apache being exploited in the wild almost always occur against systems that are not up to date. Below is a link to an example of a public and unpatched IIS remote privilege escalation zero day that will exploit a fully patched system.

    Comment by Billy — July 10, 2011 @ 12:46 pm

    • “Actually, malware manipulates registry entries to cause kernel mode drivers to crash so that the drivers can be exploited.”

      I think you miss the point… So, let’s say that these kernel mode drivers don’t use the registry to store settings, but they use some kind of configuration file instead. Then malware can still manipulate the configuration file to cause a crash so that the drivers can be exploited.
      This is not about where the settings are stored.

      “ASLR not being implemented correctly by developers still means that Windows does not have full ASLR.”

      Windows as in: “Windows the Operating System”, then yes, it does have full ASLR.
      Windows as in: “Windows the full ecosystem of all Windows software in the universe”, then no… but that is hardly Microsoft’s fault. Surely, OSes with a much smaller ecosystem tend to have an implicit advantage here. But that has little to do with security models and design.

      Comment by Scali — July 10, 2011 @ 1:07 pm

    • Billy, are you the author of the post you linked to?

      Anyway, you’re still wrong.

      MAC is not an implementation of sandboxing. If anything, sandboxing would be an implementation of MAC, as is WIC.

      As I said, there is an analog for anything you can do with the registry in OS X or Linux. It is just one of many means to the same end.

      ASLR not being implemented by developers has nothing to do with the OS. The OS has a full implementation for developers to use. Windows does, OS X doesn’t even give developers the chance.

      XProtect is useless, as it will only look at files downloaded through certain applications. You can download something that XProtect “protects” against through, say, bittorrent and it won’t get noticed. An AV would notice it.

      NTLM2, not NTLM.

      That vulnerability is related to Windows, not IIS directly. It is also only exploitable locally, and only if relevant functionality is enabled. I can find you local privilege escalation vulns too if you really need proof.

      Anyway, as far as webservers go, Apache is attacked more often than IIS. Even if we consider your claim that IIS is less secure than Apache, it adds credence to Apache being attacked more due to marketshare.

      I will only continue discussing the last point (marketshare) with you. I don’t mean to be rude, but I don’t think you understand MAC or ASLR or any of the more technical stuff and I don’t wish to explain it to you, or argue about definitions.

      Comment by allthatiswrong — July 10, 2011 @ 1:15 pm

  62. The claim about ACL was particularly lame, implying that Windows is more secure than UNIX derivatives. There are areas like services and drivers that are frequented by malware, where they toggle ACL settings to lock out control, and Windows provides no control of this except C libraries or something else cryptic.

    Microsoft is notorious for making security decisions for profit motivations rather than considering needs of end-users. Take active scripting and OLE (COM) automation. This engine embedded into IE, IIS, and WSH has opened the door for malware authors and cost the world untold billions in damages. IE with this feature is embedded into just about everywhere: help system, Outlook, Outlook Express, Windows Media Player, Messenger; all vehicles used to spread malware. And the geniuses at MS added OLE automation to Silverlight, so that all browsers using the plug-in can potentially spread malicious software via Silverlight on Windows.

    Windows is a dangerous platform, not so much because it is a popular target, but because of design decisions based on profit orientation over customer orientation (feature bloat, vendor locking, anti-competitive, etc.). There are just so many opportunities for exploitation, despite whatever candy MS provides. Some vectors of attack, such as one used by PRC against Google, existed for over 15 years after introduction of IE 4.0, and it is still a great vector for future corporate espionage to end user attacks by crime syndicates and other opportunists.

    Comment by Sedrick ferguson — July 10, 2011 @ 3:28 pm

    • Sigh, Sedrick, you can’t just make shit up as you go along. Really. You can’t.

      >> implying that Windows is more secure than UNIX derivatives

      As it comes to file and resource security, yes, ACLs are far more secure than the traditional Unix security of UGW. This is why everybody is adding ACLs to their operating systems. They simply are a much, much better idea. Even in Unix. If it wasn’t better, why is everybody doing it?

      >> IE with this feature [OLE automation] is embedded into just about everywhere

      No, it isn’t. It is disabled as default, and it takes active user interaction to enable it. It was a bad idea, and Microsoft has said so themselves. Sadly billions of dollars worth of software has been developed that requires this, so it is a little hard for MS to just remove it. Instead it is disabled by default. A rational decision.

      >> And the geniuses at MS added OLE automation to Silverlight, so that all browsers using the plug-in

      I hope this is just ignorance. Lying is just too dumb. Ignorance isn’t all that much better though. Not really. So, which one is it? Ignorant or lying? OLE automation is NOT available in the silverlight plug-in for browsers. It simply isn’t. It is ONLY available for Out of Browser apps, in other words, Applications. Are you saying that OLE automation is a bad idea for applications? Again, just making shit up just proves you are an idiot.

      >> Some vectors of attack, such as one used by PRC against Google, existed for over 15 years after introduction of IE 4.0

      Yes, that is quite unique to Microsoft. No other operating systems have such vectors of attack. Moron. Apple patches holes all the time, as do most Linux distros. This is not at all different from Microsoft. A prolific hole finder has been Charles Miller who showed 20 zero-day security holes in OSX just a year ago. I like his comment about the two operating systems:

      “Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town.”

      I wonder who knows more about security, someone whose job it is to find the holes, and who has found a lot more holes than most, or some idiot who thinks that an application and code running in a browser plug-in is the same thing.

      Before continuing, stop being ignorant and dumb.

      Comment by TAB — July 10, 2011 @ 5:08 pm

  63. As you browse the web, the ASLR in Windows is easily defeated via processes, such as Java, that do not use the feature. So, Windows does not have full ASLR.

    Click to access DEP_ASLR_2010_paper.pdf

    Anyway, methods to bypass the Windows implementation of “full” ASLR have been known for awhile now.

    Click to access Pwn2Own-2010-Windows7-InternetExplorer8.pdf

    Looking beyond ASLR, stack canaries are a more effective mitigation. The stack canary implementation in OS X (propolice) is more robust than Windows (/GS).

    Click to access bh-us-04-silberman-paper.pdf

    The configuration files in Mac OS X, called plist, do not have nearly the ability to leverage the processes for which they are attributed. Also, plist for sensitive processes are better protected by DAC by default in OS X.

    The ACLs applied to the Windows registry are very weak in the default configuration. Much of the access control related to the registry is mitigated by MIC. For the most part, only low integrity processes cannot modify registry entries. But, by default, processes without a defined integrity level are given a medium integrity level which enables modification of most of the registry. So, an attacker simply has to drop in a payload, which will receive a medium integrity level by default, to modify registry entries.

    These win32k registry entries are modifiable with only standard user permissions. The same method works with any win32k kernel mode driver zero day. If you roll back your version of Windows 7, the PoC linked below will bypass UAC in this manner.

    The article linked below also refers to NTLMv2.

    I suggest you read that link about the IIS zero day again:

    “Attackers who successfully exploit this vulnerability will be able to execute remote code on the vulnerable system with LocalSystem rights. This would lead to a complete system compromise, giving attackers full control of the system.”

    That link comparing Apache/IIS refers to malware. Writing malware is more difficult than using known exploits on systems that are not up to date. Being able to write malware for a platform is a better indicator of weak security. IIS has been targeted more by malware than Apache despite Apache having greater market share.

    Comment by Billy — July 10, 2011 @ 5:21 pm

    • Of course there are attacks against ASLR, it is not foolproof just an additional defense. Which Windows has, and OS X does not.

      Not sure what your point is with the registry. That it has ACL’s so it’s more secure than just text files and that it can be bypassed by a kernel mode rootkit. Very true. Also true for OS X that a kernel mode rootkit could do whatever the hell it wants. Point?

      I am aware your linked article refers to NTLM2. I was correcting you, not the article. NTLM2 is not NTLM.

      IIS is targeted less than Apache, because it has less market share and is just as secure. IIS used to be targeted more because it was horribly insecure, however that has not been true for a long time. Look at all the worms that attacked apache and most high profile attacks are on sites also running apache. If you really believe this is accurate, then please provide evidence otherwise.

      Comment by allthatiswrong — July 10, 2011 @ 5:44 pm

    • I think you are confusing bugs with security designs…
      If we take this particular exploit:
      Two things come to mind:
      1) Why is this key user-writeable?
      2) Why does changing the type to REG_BINARY cause the buffer overflow?

      The answers to these questions have nothing to do with the security design itself:
      1) If there is no good reason, then apparently this was just a configuration error that slipped through the cracks. Just setting the proper rights with an ACL entry will disable users from writing to the key, and as such the exploit is disabled.
      2) Apparently the code does not do any sanity checks. Windows provides APIs to check the type of a registry key. The code should just be patched to test for the expected type of key, rather than interpreting a random type as REG_SZ.

      These are simply human errors, and have little to do with fundamental Windows design flaws. They can easily be patched without any changes to the design.

      Comment by Scali — July 10, 2011 @ 6:22 pm
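As an added example (not code from the post or any commenter), a PowerShell audit for the two questions Scali raises: it lists allow entries on a registry key that grant write rights to anyone outside an expected set of privileged identities, and it reads a value only after confirming the stored type is REG_SZ rather than trusting it. The key path, value name and privileged-identity list are assumptions to adapt; they do not refer to any real key.

```powershell
# Added example, not from the blog or its commenters.
# Audits one registry key for (1) write access granted to unprivileged
# principals and (2) a value whose stored type is not the REG_SZ its
# consumer expects. Key path and value name are placeholders.

param(
    [string]$KeyPath   = 'HKLM:\SOFTWARE\ExampleVendor\ExampleDriver',  # placeholder
    [string]$ValueName = 'ExampleSetting'                                # placeholder
)

# Identities that are expected to be able to write under HKLM (assumption;
# extend for service accounts that legitimately own the key).
$PrivilegedIdentities = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

# Rights that let a caller change the key's contents, its ACL or its owner.
$WriteRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, ChangePermissions, TakeOwnership, WriteKey, FullControl'

function Test-RegistryKeyWritableByUsers {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    # Only Allow rules grant anything; Deny rules are ignored here.
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        Where-Object { ($_.RegistryRights -band $WriteRights) -ne 0 } |
        Where-Object { $PrivilegedIdentities -notcontains $_.IdentityReference.Value } |
        ForEach-Object {
            [pscustomobject]@{
                Identity  = $_.IdentityReference.Value
                Rights    = $_.RegistryRights
                Inherited = $_.IsInherited
            }
        }
}

function Get-RegistryStringValueSafely {
    param([string]$Path, [string]$Name)
    $key = Get-Item -Path $Path
    # Check the stored type before interpreting the data as a string.
    $kind = $key.GetValueKind($Name)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::String) {
        throw "Value '$Name' under '$Path' is stored as $kind, expected REG_SZ; refusing to read it as a string."
    }
    return [string]$key.GetValue($Name)
}

if (Test-Path -Path $KeyPath) {
    $findings = @(Test-RegistryKeyWritableByUsers -Path $KeyPath)
    if ($findings.Count -gt 0) {
        Write-Warning "Unprivileged principals can write to key $KeyPath"
        $findings | Format-Table -AutoSize
    } else {
        Write-Host "No unprivileged write access to key $KeyPath"
    }
    try {
        $value = Get-RegistryStringValueSafely -Path $KeyPath -Name $ValueName
        Write-Host "$ValueName = '$value'"
    } catch {
        # Covers both a missing value and a value of the wrong type.
        Write-Warning $_.Exception.Message
    }
} else {
    Write-Host "Key $KeyPath does not exist; nothing to audit."
}
```

Run it from an elevated prompt so Get-Acl can read keys under HKLM; a finding from the first function is the "why is this key user-writeable" case, and an exception from the second is the "unexpected type" case.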

  64. OS X does have partial ASLR. ASLR still has to be bypassed in OS X. ROP still has to be used in OS X.

    Most of OS X is 64 bit. 64 bit processes have NX (DEP) on stack and heap. Because both the stack and heap are not executable, the stack and heap not being randomized does not really make a difference.

    Dyld not being randomized is an issue. Browser exploits against Safari on OS X use dyld for ROP. But, browser exploits alone do not provide system level access.

    Local privilege escalation is much more rare and difficult in OS X due to a lower incidence rate of priv esc vulns and the greater difficulty in linking remote exploits to local exploits. The greater difficulty in linking remotes to locals is due to not using a system like the registry and more secure IPC.

    Bypassing ASLR in Windows requires exploiting a process that does not use the feature or finding the address of a dll loaded into memory. Either of these methods is well documented.

    Click to access DEP_ASLR_2010_paper.pdf

    Click to access Pwn2Own-2010-Windows7-InternetExplorer8.pdf

    Bypassing UAC in Windows is much easier due to the insecurity of the Windows registry. It is bypassed by exploiting kernel mode drivers to install malware at the system level; it is not bypassed by a “kernel mode rootkit.” When it is bypassed, it allows the installation of rootkits without triggering a UAC prompt.

    Information showing IIS is targeted by malware more than Apache is included in the macrumors post.

    In relation to targeted attacks, can you provide a link that explicitly shows that fully patched Apache is targeted more than fully patched IIS?

    Or, any links to a publicly known remote priv esc zero day affecting fully patched Apache?

    I provided one for IIS.


    The issue with win32k kernel mode driver vulns is not preventable via modifying the ACL or sanity checks. If it were possible MS would have done that right after this vector was used by Stuxnet. Instead these vulns have been a persistent issue.

    If those solutions would be effective, then the prevalence of these vulns is an ongoing blunder on the part of MS.

    Comment by Billy — July 10, 2011 @ 7:31 pm

    • Billy, I’m going to assume you wrote the forum post you originally linked to, as you are arguing in a similar style and have avoided the question twice.

      As to your actual reply, you are still incorrect on many points. The links you provide don’t corroborate what you are saying, and it appears you glanced through them to link them, without really understanding them.

      I’m sorry, but I don’t want to continue this argument if you don’t fully understand the technical details behind my points. I mean, you were just attacking Windows because ASLR itself has flaws, despite OS X not even having a complete ASLR implementation, which windows does.

      I feel like you are learning about this as you go, if that’s the case I’m glad I could initiate that. If that isn’t the case….then I would hope you will start to.

      Comment by allthatiswrong — July 10, 2011 @ 8:17 pm

    • “If it were possible MS would have done that right after this vector was used by Stuxnet. Instead these vulns have been a persistent issue.”

      I don’t think you quite understood what I said, or what the list of vulnerabilities you linked to is saying.
      Pretty much the entire list comes down to exploiting functions that do not perform adequate sanity checks (they are all different instances of similar bugs, not exploits of the same thing over and over again because MS cannot fix it due to a deficiency in the OS design).

      ‘Ongoing blunder’? Not quite. Just human error. You’ll find that all software has a big list of similar bugs. Nothing is ever completely secure. Because all software is written by humans. The people at MS are no better or worse than any other programmers (which was also mentioned somewhere).

      Comment by Scali — July 11, 2011 @ 3:10 am

      • How long should it take to fix this class of bugs?

        win32k vulnerabilities have been persistent through 2010 and so far in 2011.

        Some have even been used in malware in the wild.

        Comment by Billy — July 11, 2011 @ 12:09 pm

        • What is your point anyway?
          I mean, this article is about OS X, not about Windows.
          So yes, Windows has vulnerabilities as well. Nobody denies that.
          You *are* denying the vulnerabilities of OS X though, and the way Apple responds to them, which *is* the point of the article.

          Comment by Scali — July 11, 2011 @ 1:05 pm

          • The following links show currently known public and unpatched zero day vulnerabilities.

            Take a look at the zero days per vendor and the number of days exposed.

            It will give you a good idea about how effective MS is dealing with zero days in comparison to Apple.



            Comment by Billy — July 11, 2011 @ 5:12 pm

            • Not exactly, but reasons why these comparisons are flawed were already given in the original article, and discussed further in the comments. I see no need to reopen that discussion with you.

              Comment by Scali — July 11, 2011 @ 5:18 pm

              • The information in that article has already been shown to be presented in a biased manner.

                What you see is no reason to bother trying to be a magician anymore.

                The mirrors are broken and the smoke has been blown away.

                Comment by Billy — July 11, 2011 @ 5:42 pm

                • “The information in that article has already been shown to be presented in a biased manner.”

                  Biased? How do you figure?
                  The only bias I see here is emanating from you: The article discusses a number of aspects of OS X, making the odd comparison to Windows here and there (but also to Linux and other Unix-like OSes). You focus solely on those few mentions of Windows, ignoring the rest of the article.

                  Comment by Scali — July 11, 2011 @ 6:07 pm

  65. No sir,

    It is you that at no point provided any technical analysis of anything that you have stated in your original article. You didn’t even provide links to resources concerning many of the security mitigations referred to in your original article. You made many errors, such as stating 64 bit processes do not have DEP on heap, that are untrue. You provided only a one sided argument for which that macrumors poster went about providing counterarguments and that I further corroborated. BTW, I am not the same individual that made that post.

    So, if the Java plug-in in IE does not have DEP nor ASLR and that plug-in can be leveraged in a browser exploit, how does Windows have full ASLR? Those plug-ins are part of the OS that is in use by users as they browse the web. Basic logic dictates that “does not have” is mutually exclusive to “does have” if the two conditions occur at the same time and directly oppose each other.

    Here is the reason why so much security misinformation exists about Mac OS X.


    Guess what? MS hosts and sponsors a lot of security conferences. Ever heard of Blue Hat (hosted by MS)? What about CanSecWest (MS is a major sponsor)?

    Security researchers get paid to talk and participate at these events. Security researchers are smart; they do not bite the hand that feeds them.

    Comment by Billy — July 10, 2011 @ 10:23 pm

    • “Basic logic dictates that “does not have” is mutually exclusive to “does have” if the two conditions occur at the same time and directly oppose each other.”

      Basic logic is that Windows is an OS, and Java is a third-party application.
      Microsoft cannot be held responsible for what Sun/Oracle do in a browser plugin.

      My experience is that Java initially could not run with DEP because it generates its code on-the-fly on the heap (obviously, being a VM with a JIT-compiler). DEP would simply break Java. Apparently the code wasn’t written very cleanly, since proper use of VirtualAlloc() and VirtualProtect() should make it work.
      I haven’t looked at it since, so I don’t know if that has changed by now.
      Java should also implement its own ASLR for code it generates, obviously. The ASLR that Windows provides is performed during loading of a PE file, and cannot take code into account that is generated by the application itself.
      The .NET VM is very similar to Java in concept, but apparently Microsoft has done some things better in the implementation than Sun/Oracle did.

      Comment by Scali — July 11, 2011 @ 3:23 am

      • Again, does the Java plug-in represent a vector for exploitation in Windows? Yes

        Does that Java plug-in have DEP and ASLR? No

        So, does Windows 7 have “full” ASLR in actual use? No

        Comment by Billy — July 11, 2011 @ 12:10 pm

        • I don’t think you quite understood what I said.

          Comment by Scali — July 11, 2011 @ 1:02 pm

          • The argument you are trying to make is not relevant.

            The web browser in Windows is not protected by a full implementation of ASLR because many common plugins do not have ASLR.

            Despite that fact, the “full” implementation of ASLR in Windows can be bypassed.

            Also, how does one define full ASLR?

            There are better implementations of ASLR than used in Windows 7. How “full” are those implementations of ASLR?

            Comment by Billy — July 11, 2011 @ 1:41 pm

            • The argument that *you* are making is not relevant. Why this focus on Windows alone?

              Comment by Scali — July 11, 2011 @ 2:08 pm

              • Define why my argument is not relevant?

                My argument is more pertinent to the end user.

                If you look under the heading “A trivial approach to security,” it was the original author of the article that wanted to contrast unix based OSs against Windows.

                I have used OS X as a model of that paradigm given the intent of the original author seemed focused upon making a comparison between OS X and Windows.

                I have provided information about OS X and Windows to contrast the biased information presented by the original author.

                If he wants to write a biased article expounding the flaws in even more secure OSs than OS X, I will come back and post counterarguments in relation to that information.

                Comment by Billy — July 11, 2011 @ 4:40 pm

                • The author holds OS X (and its unix predecessors) up against other OSes (not just Windows) for comparison, to point out where OS X could do better.
                  It is not a direct comparison between Windows and OS X/Unix.

                  You however seem to have isolated Windows and are just randomly pointing at security issues, without any comparison or context at all. Which is why I say it is not relevant. Windows does not operate in a vacuum, and neither does OS X (hint: your ‘example’ of Java is not specific to Windows).
                  By doing that, you are making the same mistake that the article is arguing against.

                  Comment by Scali — July 11, 2011 @ 5:17 pm

                  • If you read the slide deck from Charlie Miller about his ROP technique, he has found that Java is no longer a reliable exploitation vector in OS X.

                    Again, read “A trivial approach to security.” The author groups linux and other unix based OSs together with OS X in a comparison against Windows.

                    Your attempts at being David Copperfield to perform magic to occlude that fact are not very successful.

                    Comment by Billy — July 11, 2011 @ 5:38 pm

                    • “Again, read “A trivial approach to security.” The author groups linux and other unix based OSs together with OS X in a comparison against Windows.

                      Your attempts at being David Copperfield to perform magic to occlude that fact are not very successful.”

                      *You* are the one trying to occlude facts. Your argument is based on a single sentence, not on the article as a whole. The article as a whole is not a comparison of OS X to Windows.

                      Comment by Scali — July 11, 2011 @ 6:04 pm

  66. Yea .. Windows is so secure it amazes me

    520+ remote execution vulnerabilities for “any file type” on Windows:

    Comment by bit — July 10, 2011 @ 11:14 pm

  67. Sorry, no good English. I’m Chinese.

    This line is bad.

    “The word myth is precisely accurate, as OS X and other Apple software is among the most vulnerable software on consumer devices today.”

    This link say so.

    This is saying of Charlie Miller in link.

    “Miller, for example, does not disagree with the assessment that the iOS may be the current pinnacle of security for a mass-market operating system. “It’s in the realm of truth,” he says.”

    Comment by Hello — July 11, 2011 @ 9:08 pm

    • But iOS is not OS X, and iOS applications are not OS X applications.

      Comment by Scali — July 12, 2011 @ 4:48 am

    • Just a little bit of advice. Please read TFA before posting it. This is a technical discussion about the technical (not social) safety of an OS. Now, the article does, as Scali points out, talk about iOS, and not OSX (which is the topic of THIS discussion) but it also doesn’t say that iOS is TECHNICALLY more secure than the competition. In fact, the article lists five points that make iOS more secure, and ONE, A SINGLE ONE of those five is related to the operating system as such. The other four are about process and social factors.

      Now, as Scali points out, iOS and OSX are not the same, and the SINGLE thing iOS has going for it, namely sandboxing apps, is not available for OSX. Also, as the article points out, the iOS sandboxing is nowhere near as good as that on Android (or, Windows Phone 7). There is a reason for that, iOS apps are native apps, and sandboxing native apps is generally rather hard compared to sandboxing apps that run on a Virtual Machine.

      So, not only is the article a bad example of how OSX security is troubling, it is also a piece of really bad journalism since none of the data presented in the article support the conclusion. Charlie Miller is quoted, but you don’t take the context into consideration. He thinks iOS is safe, not because it is a safe OS but because it is an OS that is targeted less. This is the same position he takes on OSX vs Windows for example. His statement that OSX is a “house with no locks and no keys way out in the countryside while Windows is a house with barred windows in a bad part of town” is an accurate description of the situation, and it also supports the author of the article we are commenting on. OSX is safe but insecure. It is safe because it is not targeted, and basically only because it is not targeted. It is an open house in a place where no bad people live.

      Comment by Terje — July 12, 2011 @ 5:44 am

  68. Here is a better link about iOS and Android security.

    Also, the article stating that iOS is the most SECURE OS, while being completely accurate about iOS, includes some errors concerning OS X.

    Mac OS X does include code signing for applications.

    It is not mandatory, but most apps have a _CodeSignature found within the app bundle’s contents.

    Let’s not forget about those dll hijacking links. Those look interesting.

    Comment by Pickles — July 12, 2011 @ 10:26 am

  69. I threw no tantrum. I just mentioned that I stopped reading when I encountered a completely false statement.

    Comment by John Starlight — July 21, 2011 @ 8:42 pm

    • Why on earth would you even bother to post a comment on an article you didn’t read? Especially since that comment only mentions that you didn’t read it.
      Not sure if ‘tantrum’ is the right word, but I think frustration definitely has something to do with it. It’s an immature response of someone who cannot control their frustration.

      Comment by Scali — July 22, 2011 @ 4:08 am

      • On the contrary. It’s a well thought out reaction to the proliferation of disinformation or perhaps ignorance abundant on the web. If I encounter a basic flaw in an article, which is used as a premise for the rest of it, it’s probably my duty to inform other people of this, so that they don’t accidentally believe the article.

        Comment by John Starlight — July 28, 2011 @ 6:50 pm

        • No it’s not a well thought out reaction at all. You make absolutely no effort to point out what is wrong, or why. In fact, even when someone engages in a discussion on the subject, and provides a number of arguments, you decline to respond and defend your stance. In other words: you’ve lost the argument, you are wrong.

          If you really feel it is your duty to inform other people, then *inform* them. Also, considering that you feel this is your duty, shouldn’t you be even more inclined to read the entire article, so you can also spot all the other ‘disinformation’ which you should ‘inform’ other people about?

          Really, the only ignorance I see is yours, which TAB already covered in his original response to you.
          Next time, try discussing the presented arguments, instead of these childish fallacies.

          Comment by Scali — July 29, 2011 @ 4:27 am

          • I will re-present my original statement:

            I stopped reading here: “The Unix Design is significantly less granular than that of Windows, not even having a basic ACL”
            What nonsense!

            I think this pretty much illustrates that the quoted sentence from the article is wrong, thus addressing the “what”. It is wrong because it is false, also covering the “why”, which is enforced by the exclamation “What nonsense!”.

            This then informs readers of my comment that the article is crap.

            As to your proclamation that I “lost the argument”, I offer you these words: hahahahaha.

            PS TAB has no idea what he’s talking about. None of his facts are true. Perhaps if you continue to respond, you might want to educate yourself above your initial knee-jerk acts of ignorance.

            Comment by John Starlight — August 29, 2011 @ 11:45 pm

            • Hey, if you think “TAB” is misstating everything, if you are older than thirteen, mention one and explain how it is inaccurate. Fail to do so and you have only proven that you are not yet thirteen and also an ignorant fool to boot.

              Comment by TAB — August 30, 2011 @ 1:40 am

              • @TAB:

                You said that “Standard Unix file security (User, Group and Other) is still most widely used. ”

                This is not the case at all.

                POSIX.1e defines ACL, implemented in FreeBSD ACL (since 1999), in Solaris (since 1995), and in Linux (since 2002).

                NFS 4 defines ACL, which is even more widely implemented.

                Comment by John Starlight — August 30, 2011 @ 10:22 pm

                • He’s right.
                  Most BSD and linux distributions don’t use ACLs by default, and neither do their users.
                  ACLs on UNIX are in a similar situation to limited user accounts on Windows a few years ago: even though they exist, most people don’t even know how to use them, so they don’t.

                  Comment by Scali — August 31, 2011 @ 4:46 am

                  • Linux != Unix

                    Comment by John Starlight — August 31, 2011 @ 11:39 pm

                    • No, but since linux is based on the same UNIX design, for the sake of this argument, that doesn’t matter.
                      Stop being so childish.

                      Comment by Scali — September 1, 2011 @ 2:18 am

            • Uhhh, “it is wrong because it is false” is not a good explanation. In fact, it is not an explanation at all.
              It is an unsubstantiated claim.
              Why is it false? What would be the true situation?

              You also cannot say anything about the article as a whole, since you haven’t even read the article.
              Even if this sentence in the article is wrong (which you have yet to substantiate), that doesn’t automatically mean that the entire article is without merit.
              TAB phrases the same view in a slightly more efficient way.

              Comment by Scali — August 30, 2011 @ 8:35 am

              • Dear Scali. Please learn to read and understand what you read.

                It is definitely wrong because it is false.

                If I were to say the earth is a rabbit, it would be wrong. Why? Because it’s false. I leave it up to the intrepid googler to figure out why.

                I am not going to read an entire article written by someone who hasn’t done even the most basic research in his little opinion piece about file system security.

                I do not have to substantiate all my claims. It is common knowledge that Unix has ACL. Literally 30 seconds of googling will easily confirm this.

                Comment by John Starlight — August 30, 2011 @ 10:25 pm

                • Nope, you’re wrong.
                  Historically, UNIX has not had ACL support.
                  Recently (long after Windows NT introduced them), ACL extensions for various UNIX-like (but not the original UNIX) OSes have been developed, but they are NOT part of the intrinsic UNIX design (which is what the article says, it doesn’t deny the existence of these extensions, it just points out that they are not part of the original UNIX design, unlike Windows). This is common knowledge.
                  It is also common knowledge that even for OSes that have these extensions, they are often not used by default (most linux and BSD distributions do not use them, for example, even though they exist).
                  The reason why you don’t substantiate your claims is either that you can’t, because you don’t know what you’re talking about, or you know that you can’t substantiate your claims, so you’re basically trolling.

                  Comment by Scali — August 31, 2011 @ 4:42 am

                  • …It has. I’ve cited them all.

                    Comment by John Starlight — August 31, 2011 @ 11:40 pm

                    • Then apparently we all missed them, so re-cite them here, for clarity.

                      Comment by Scali — September 1, 2011 @ 2:19 am

                • A course in basic English reading comprehension would be appropriate for you. One that tells you the difference between “have” and “use”:

                  I have never claimed that Unix distributions do not have ACLs, I just point out the rather obvious fact that they are not nearly as widely used as their availability would indicate. I run with ACLs on a couple of my Linux boxes, and to a degree they are annoying since so many utilities do not take ACLs into account. “chmod 755” still rules on most Unices. It would be fun to run some statistics and see the number of times setfacl is used vs chmod.

                  Comment by TAB — August 31, 2011 @ 8:18 am
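The ugo-versus-ACL granularity argued over above, as an added example that is not code from the post or any commenter: a small Python model of the POSIX 1003.1e access check (owner, then a named user entry, then the matching group entries under the mask, then other) run over constructed getfacl output, next to the same question asked of a plain chmod 640 mode. It shows what a named user:bob:r-- entry can express that the three mode digits cannot, and how the mask entry caps group permissions.

```python
"""POSIX.1e-style ACL check beside plain chmod mode bits.

Added example, not code from the post or its commenters. The access check
follows the POSIX 1003.1e draft that Linux, FreeBSD and Solaris implement
(the entry syntax getfacl prints); all sample data is constructed."""
from dataclasses import dataclass, field

R, W, X = 4, 2, 1  # one octal digit of chmod: r=4, w=2, x=1

BASE_FIELD = {"user": "user_obj", "group": "group_obj",
              "mask": "mask", "other": "other"}  # entries with no qualifier


def perm_bits(text: str) -> int:
    """Turn getfacl's three-character field ('rw-', '---') into bits."""
    return sum(bit for ch, bit in zip(text, (R, W, X)) if ch != "-")


@dataclass
class Principal:
    uid: str
    groups: frozenset = frozenset()  # every group the process belongs to


@dataclass
class Acl:
    owner: str
    group: str
    user_obj: int = 0        # user::   the file owner
    group_obj: int = 0       # group::  the owning group
    other: int = 0           # other::  everyone else
    mask: int = R | W | X    # mask::   caps named users and every group entry
    users: dict = field(default_factory=dict)    # user:NAME:perms
    groups_: dict = field(default_factory=dict)  # group:NAME:perms


def from_mode(mode: int, owner: str, group: str) -> Acl:
    """A classic chmod mode is just a minimal ACL with no named entries."""
    return Acl(owner, group, (mode >> 6) & 7, (mode >> 3) & 7, mode & 7)


def parse_getfacl(text: str) -> Acl:
    """Parse getfacl output; '# owner:' and '# group:' headers name the file."""
    acl = Acl("", "")
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        if line.startswith("# owner:"):
            acl.owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl.group = line.split(":", 1)[1].strip()
        elif line.startswith("#"):
            continue  # e.g. the '# file:' header
        else:
            tag, qualifier, perms = line.split(":")
            bits = perm_bits(perms)
            if tag == "user" and qualifier:
                acl.users[qualifier] = bits
            elif tag == "group" and qualifier:
                acl.groups_[qualifier] = bits
            else:
                setattr(acl, BASE_FIELD[tag], bits)
    return acl


def check_access(acl: Acl, who: Principal, wanted: int) -> bool:
    """POSIX.1e order: owner, named user, all matching group entries together,
    then other. The mask caps everything but owner and other, and matching
    any group entry means 'other' is never consulted."""
    if who.uid == acl.owner:
        return wanted & ~acl.user_obj == 0
    if who.uid in acl.users:
        return wanted & ~(acl.users[who.uid] & acl.mask) == 0
    group_perms = [p for g, p in acl.groups_.items() if g in who.groups]
    if acl.group in who.groups:
        group_perms.append(acl.group_obj)
    if group_perms:
        return any(wanted & ~(p & acl.mask) == 0 for p in group_perms)
    return wanted & ~acl.other == 0


# Constructed getfacl output: bob gets read individually; qa gets rw- but the
# mask trims every group entry to r--.
SAMPLE_GETFACL = """\
# file: report.txt
# owner: alice
# group: dev
user::rw-
user:bob:r--
group::r--
group:qa:rw-
mask::r--
other::---
"""


def compare_models() -> dict:
    """Ask the same questions of the ACL and of what 'chmod 640' can express."""
    extended = parse_getfacl(SAMPLE_GETFACL)
    plain = from_mode(0o640, "alice", "dev")
    bob = Principal("bob")  # not a member of dev
    dave = Principal("dave", frozenset({"qa"}))
    return {
        "acl_lets_bob_read": check_access(extended, bob, R),
        "mode_lets_bob_read": check_access(plain, bob, R),
        "mask_blocks_qa_write": not check_access(extended, dave, W),
        "qa_can_still_read": check_access(extended, dave, R),
    }
```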

                  • Your “obvious fact” is based on your incorrect classification of “Linux is Unix”. This negates your little anecdotal Linux story about ACL and fstab.

                    chmod 755 DOES NOT rule on most Unixes.

                    Comment by John Starlight — August 31, 2011 @ 11:44 pm

                    • Sigh. Remember, the first part of “assumption” is “ass”. For one, Linux is Unix for all practical purposes and intents, but Unix is not Linux. Unix is far more than Linux, and to a degree, going by your definition, Windows NT and later, up to Windows 2000 was Unix since they had POSIX built in. Windows NT derivatives after Win2000 (XP and later) need to install Unix Services for Windows. Windows 7 Enterprise and Ultimate are both POSIX compliant out of the box and are as such, both Unices by your definition. I am not quite sure you would find a lot of people agreeing with your statement that Windows NT, Windows 2000 and Windows 7 E and U are Unix.

                      Now, back to the “ass” part. Linux is not the only Unix, neither is OSX or Solaris. Linux and OSX on the other hand outnumber the other Unices quite significantly. Since both, for example, are installed on mobile devices, they both outnumber Solaris by an enormous amount, probably several orders of magnitude. Even the number of QNX installations probably outnumbers Solaris installations by a significant margin. I am old enough to have complained when Sun went from SunOS (BSD) to Solaris (AT&T, or System V if you wish). I am not stupid enough to think that Sun (Oracle) is the most significant player in the Unix space anymore though.

                      If you look at internet connected systems, Linux accounts for more than 70%, Windows for almost 25%, and neither Solaris nor BSD for enough systems to register at all. If you go by server units sold commercially (which accounts for a very small part of the Linux systems out there) Windows has about 67%, Unix and Unix-like has about 30% and Linux alone (separated from the 30%) has about 24%. In other words, of commercial server operating systems sold, Linux and Windows make up 90% and the rest gets to divide the remaining 10%. Again, you could argue that Linux is not Unix, but that is only true in the most asinine way. OS X got ACLs in Tiger, which is a while ago now. I do not know enough about OS X to say anything about ACL usage in that operating system, but OS X accounts for, if you take Linux out of the picture, the largest Unix installed base by a rather significant margin. Heck, even VxWorks, which is POSIX compliant, probably outsells Solaris by a multi-digit number. If you are talking about Unix, who cares what a tiny player like Solaris does?

                      Comment by TAB — September 1, 2011 @ 1:10 am

                • The Unix design did not incorporate ACLs. Hint: POSIX and the Unix design are separate, though related things.

                  Comment by allthatiswrong — August 31, 2011 @ 3:09 pm

                  • Another hint: A Unix OS is the implementation of the POSIX standard. And since POSIX includes ACLs…

                    PS: Why not attempt to admin a Solaris box sometime? It will clear up your misconceptions. You speak from no experience, but from some Wikipedia-inspired bit of “knowledge”.

                    Comment by John Starlight — August 31, 2011 @ 11:42 pm

                    • A UNIX OS is NOT an implementation of the POSIX standard.
                      UNIX is an OS, POSIX is a standard distilled from part of the UNIX OS.
                      The UNIX OS started in 1969, the first POSIX standard wasn’t defined until 1988.
                      Which means that there are/were UNIX OSes that did not implement the POSIX standard (if only because it didn’t exist yet), and there are non-UNIX OSes that do implement the POSIX standard.

                      Regardless, the POSIX standard from 1988 itself does not include ACLs. Why not? For the simple reason that UNIX did not include ACLs, mostly.
                      Extensions to the POSIX standard have been introduced over the years…
                      The ACL extension is known as POSIX 1003.1e. However, this has never gone beyond the draft status (in 1997), so it is not even an official POSIX standard.

                      So, you are wrong on both counts. UNIX is not defined by the implementation of the POSIX standards, and POSIX does not include ACLs.

                      Comment by Scali — September 1, 2011 @ 2:33 am

                    • Scali has done a commendable job correcting you. I suggest you read up further on the things listed in his comment, rather than continue to argue from emotion.

                      Comment by allthatiswrong — September 1, 2011 @ 12:31 pm

                    • POSIX is younger than the first UNIX implementation for sure.

                      This is not really relevant.

                      POSIX is a set of standards which is meant to specify OS behaviour, and UNIX OSes are the implementation of that.

                      Scali, allthatisgood, TAB I’m sorry, but you have no idea what you’re talking about.

                      Comment by John Starlight — September 1, 2011 @ 4:11 pm

                    • One thing I would like to know, since you have this rather odd definition of Unix (implements the POSIX standard). Why do you think this standard is particular as to what defines Unix? Why is SVID for example not as important? Given that SVID was defined by the people who actually owned Unix, one would assume that that would be an important standard. Is it not? What about X/Open, is that irrelevant? If I dig in my closet and open a box or two, I am sure I can find an old box that runs SysV R2. If I boot this, can you explain to me why this thing, created and owned by the owners of Unix, is not Unix? I am not as sure that I would be able to find an old BSD 4.3 box, but it should not be impossible. For some reason, if I boot that I am not running Unix, but when I boot my Blackberry or Windows 2000 workstation, I am running Unix? Why are my BB and my Windows 2000 boxes (both POSIX compliant) and the optical switch I was managing (running VxWorks) all Unix, while SysV and BSD are not? Didn’t AT&T invent and own Unix?

                      Now, your statement that compliance with POSIX is what is required to be Unix, is utterly wrong. It is simply not correct. What is required to be allowed to brand your product Unix is compliance with the SUS from The Open Group (who now owns the trademark Unix). If we go by this definition, which is more accurate than your erroneous assertion that POSIX means you are Unix, there are only the following Unices in the entire history of the world:

                      Mac OSX 10.5 and 10.6
                      Solaris 8, 9 and 10
                      HP-UX 11
                      AIX 5.2 and later
                      z/OS V1R2 and later
                      NEC UX/4800 R12.3 and later
                      IRIX 6.5.28 with patches (4605 and 7029)
                      UnixWare ® 7.1.3 and later on the IA-32 platform

                      These are the ONLY Unices that ever existed according to a reasoning close to (but more correct) than Scali’s reasoning. He is simply wrong when stating that it is POSIX that makes something Unix, it is not. It is the SUS. POSIX is only a small piece of SUS. So, what does SUS mean? It defines what you need to comply with to be an Open Group branded Unix. Is that the only form of Unix? Well, why don’t we check with the people who actually OWN Unix shall we? What does The Open Group say about Unix? Well, take a look at their timeline of Unix history here:

                      Note, this is not Unix history as defined by me or any random person, it is Unix history as defined by the people who actually own Unix and therefore know what Unix actually is. The history is long and nice and it includes mostly items that, according to the “reasoning” of Scali, are not Unix. Xenix, BSD, SysV, all are listed as part of Unix history, but according to Scali neither were Unix. According to Scali, the first versions of Unix started popping up in the market around 1994-95, which is when some of them started to comply. HP-UX 11 for example.

                      Oh, and one more thing Scali, if Linux is not Unix, why does The Open Group list it as part of Unix history? I mean, they are the guys who know, right? They are not just full of shit like you. They actually know. Who is the retarded one here, The Open Group or Scali, who basically claims that The Open Group knows nothing about what Unix is?

                      Comment by TAB — September 1, 2011 @ 6:06 pm

                    • TAB, I think you meant John Starlight there, not me. Since I agree with you on this matter, and disagree with John Starlight.

                      Comment by Scali — September 15, 2011 @ 9:36 am

  70. Sorry, no good English. Look at the article.

    Comment by Hello — July 21, 2011 @ 9:43 pm

  71. My post is off the technical topic, but this article has nonetheless turned into another battleground of MS vs Apple or Windows vs *nix, so.. here it is..

    This comment list can go on like this forever. But reading the article and the replies to comments, allthatiswrong and scali cannot say they are not at least a 0.00..001% pro Windows and that they didn’t have at least some anger in their heads while replying to these people, even if they are mindless Apple fanboys (or maybe because they are so mindless commenters.. but still..). You really have to be a detached monk when writing such articles and comments and replies to the comments. C’mon you two, please ask yourselves honestly. You too are pissed off pretty bad at times at opposite opinions.

    I think the only remedy is to allow only the Thompsons, Kernighans, Ritchies, Cutlers and Tevaniens to comment and publish the discussions within themselves while they are discussing this trying to make the next best OS humans can produce.

    Comment by Anay — August 14, 2011 @ 3:15 pm

    • I’m not pro-Windows. I’m not a PC/Windows user by nature. I’ve always used ‘alternative platforms’, and only moved to PCs because of their popularity, so that is what most people use, and that’s where the jobs are when you are a software developer such as myself.
      If anything, Apple is closer to my ‘natural habitat’ than Windows is.

      Comment by Scali — August 14, 2011 @ 5:01 pm

      • OK..

        BTW, why do we generally see a very small percentage of people with the most authority on these subjects write and comment on such posts? (Well, the author and commenters here might as well be some of the biggest authorities on the subject so I am not talking about you, but the programmers and designers that actually worked on these OS’s teams, one of them is amongst the commenters I think).

        Let’s discuss and come to some conclusions once and for all. Because it is you and those experts that can give lesser programmers like me some insight into the matters that I maybe can’t get through books and other resources very easily. If there is any resource where we can find the Ritchies and Cutlers discuss this, let’s share it.

        Comment by Anay — August 15, 2011 @ 12:40 pm

        • I think it’s partly because company policy doesn’t allow such people to comment on forums and such, regarding company products… And partly because these people just aren’t interested in participating in forums anyway.

          There’s plenty of resources out there though. I mean, I’ve learnt this stuff as well. I think the biggest thing one has to learn is to forget about all the preconceived ideas about Windows, OS X, linux etc. Which is exactly what this blog post was about, I suppose.
          As long as you are convinced that ‘this OS sucks’ or ‘that OS rules’, you will never learn the truth. You don’t even want to learn. You just want to find information to reinforce your beliefs. Which you will, since no OS is perfect, and they’re such big and complex beasts that you can always find some strong points and some weaknesses.

          Comment by Scali — August 16, 2011 @ 2:25 am

  72. Caveats of that article that reduce its relevance to only a specific setting:

    1) requires a network made up of both a Mac server and clients.

    2) requires local access to the network. So, an insider (who already has access to sensitive data without needing this attack), an improperly secured corporate location, or an improperly secured corporate wireless network. If the attacker has physical access then other methods, such as hardware keyloggers, exist to collect authentications regardless of the security of the authentication protocol. Wireless is easily secured and other MITM attacks exist if one has wireless LAN access.

    3) requires malware to be installed on the target if one does not have local access. Difficult via exploitation in OS X. Social engineering applies, but corporate networks do have AV, IDS/IPS, & firewalls regardless of the OS deployed due to security best practices.

    Comment by Shawn — August 17, 2011 @ 4:58 pm

  73. According to Scali, these are Unices: VxWorks, Windows NT, Windows 2000, Windows 7 EE and UE.
    According to Scali these are NOT Unices: AT&T Unix for most of its history, BSD for most of its history, SunOS, SCO Unix for most of its history.

    You have to be a special kind of retarded to conclude like SCALI does.

    Comment by TAB — September 1, 2011 @ 5:17 pm

  74. The author has clearly not proof-read this article which gives the impression that he hadn’t considered what he’d written was worth the trouble. OK. I’ll not bother to read it, either.

    Comment by Nicole — September 9, 2011 @ 5:32 am

    • To the contrary, I did read it. I didn’t proofread it as thoroughly as I should and don’t have people I can ask to do so for me, however I thought it was good enough. That may not be true, in which case constructive criticism is always appreciated. Given the amount of discussion it generated and the amount of people who did read it, any grammatical errors don’t seem to impede the ability to read and comprehend it — which is surely what is important.

      Comment by allthatiswrong — September 10, 2011 @ 2:09 pm

  75. whoaaa.. i cant believe that.. I think mac so secure..

    Comment by Waldi Syafei — September 9, 2011 @ 12:12 pm

  76. BTW, new security mitigation in Windows 8 already bypassed.

    Methods to bypass new security mitigations in OS X Lion still haven’t been found.

    Comment by Haha — October 3, 2011 @ 12:24 am

    • Lion has had several security problems since its release, while Windows 8 is yet to be released. Not sure what your point is.

      Comment by allthatiswrong — October 3, 2011 @ 7:39 am

      • None of the issues in Lion are related to bypassing the runtime security mitigations.

        Runtime security mitigations need to be bypassed to exploit a system remotely without user interaction.

        None of the issues in Lion are practical vectors for exploitation in the wild.

        Changing a user’s password via local access using the issue in Lion causes the user to be unable to login or authenticate in their own account because the user wouldn’t know the new password set by the attacker.

        The attack would be quickly detected and much of the damage is mitigated by the user no longer having access to the system after it has been compromised.

        For example, this exploit is useless for installing a keylogger because the user can’t login after the attack and the attacker is unable to know the user’s password to change it back to allow the user to access the system once the keylogger is installed.

        Given that a salted SHA-512 hash is used in Lion, cracking the hash is still unfeasible even if accessed locally, because that hash algorithm is still considered cryptographically secure.

        The article linked in my previous post shows methods to bypass the improved runtime security mitigations (ASLR, DEP, etc.) in Windows 8 to facilitate exploiting the system remotely.

        Methods to bypass the runtime security mitigations in Lion have not been found.

        Comment by Haha — October 4, 2011 @ 2:21 am

        • Yes, Lion has had its fair share of issues, most recently granting easy access to password hashes. Yes, it is cryptographically secure but shitty passwords and rainbow tables make it anything but insignificant.

          In any event, Windows 8 is not even released yet. This article is about the insecurity of OS X, and since they have only bothered to implement mitigations since Lion, there is a lot to that.

          Windows is irrelevant to this discussion except for fanbois attempting to defend by counter-attacking, in this case software that is not even released yet.

          Comment by allthatiswrong — October 4, 2011 @ 11:03 am
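The exchange above about salted SHA-512 and weak passwords, as an added example that is not code from the post or any commenter (the salt||password layout and the tiny word list are constructed assumptions, not Lion's actual on-disk format): per-user salts make a precomputed table useless across accounts, yet a defender-side audit with a short list of common passwords still flags the weak ones, because the hash is fast and the salt is stored beside it.

```python
"""Salted SHA-512 password records: what the salt buys and what it doesn't.

Added example, not code from the post or its commenters. The salt||password
layout is an assumption chosen for illustration, not Lion's on-disk format;
the records and the small weak-password list below are constructed."""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

Record = Tuple[bytes, bytes]  # (salt, digest) as stored for one account

# Constructed stand-in for a common-password list; real ones hold millions.
WEAK_PASSWORDS = ["password", "123456", "letmein", "qwerty", "monkey"]


def salted_sha512(password: str, salt: bytes) -> bytes:
    """Hash salt || password with SHA-512 (assumed layout, see above)."""
    return hashlib.sha512(salt + password.encode("utf-8")).digest()


def make_record(password: str, salt: Optional[bytes] = None) -> Record:
    """Create a stored (salt, digest) pair with a fresh random salt per user."""
    salt = os.urandom(16) if salt is None else salt
    return salt, salted_sha512(password, salt)


def verify(password: str, record: Record) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = record
    return hmac.compare_digest(salted_sha512(password, salt), digest)


def lookup_table(wordlist: Iterable[str], salt: bytes) -> Dict[bytes, str]:
    """A precomputed digest -> password table is only valid for ONE salt;
    this is why per-user salts defeat shared rainbow tables."""
    return {salted_sha512(word, salt): word for word in wordlist}


def audit_weak_passwords(records: Dict[str, Record],
                         wordlist: Iterable[str]) -> Dict[str, Optional[str]]:
    """Defender-side audit: which accounts use a password from the list?
    Every record's salt forces its own table, but with a fast hash and a
    short list that costs almost nothing, so the salt does not protect a
    weak password; only the password's strength does."""
    words = list(wordlist)
    found: Dict[str, Optional[str]] = {}
    for user, (salt, digest) in records.items():
        found[user] = lookup_table(words, salt).get(digest)
    return found


def demo_records() -> Dict[str, Record]:
    """Constructed accounts: two share a weak password, one is strong.
    Fixed salts keep the output reproducible; real code uses make_record()
    with salt=None so every account gets a random salt."""
    return {
        "alice": make_record("letmein", b"A" * 16),
        "bob": make_record("letmein", b"B" * 16),
        "carol": make_record("correct horse battery staple!", b"C" * 16),
    }
```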

  78. What you said is true. When I used a Mac with 10.5 or 10.6 I noticed that my Mac OS X had been rooted into. Someone remotely controlled my Mac. Someone enabled Active Directory, enabled File Sharing, enabled Screen Sharing, enabled Remote Desktop, enabled Internet Sharing, enabled SMB, enabled Kerberos, enabled Parental Controls. All without my knowledge. You cannot heavily rely on other third-party software to do security in Mac OS X. And some idiot synced all my stuff to their iPhone. I noticed a lot of things happening through my logs. Did you happen to know of a case where school kids in the US who used a Mac were spied on? Mac malware is nothing new. I have tested many antiviruses for Mac and I know there are many unknown Mac viruses which are not fully detected by current antivirus software for Mac. About the Apple App Store: I’m sure you guys have come across the situation where you cannot install or log in to your account. When that occurs I have to reformat my entire hard disk and reinstall Mac OS X again. The Apple App Store (whatever you want to call it) sucks. I don’t like the software at all because it just looks like the Google Chrome Web Store. Don’t tell me you did not use Chrome. There are some similarities. I did check some security on Mac OS X. And indeed yes, Apple is very slow to implement, or ignores, any security updates. I noticed that they did not update their SSH, which I think is very vulnerable. They did not update many Unix packages which are left open. So wake up guys. Mac OS X is not as secure as it seems to be. If you want a secure OS, you can use FreeBSD or Linux. But you have to learn more to tinker around with it. I’ve got nobody to spoon-feed me every damn thing. I have to search and learn everything on my own. I learned the hard way, by reading books and doing extensive research. However hard you tinker with Mac OS X to secure it, someone will find ways to break it. You have to do many things to secure your Mac OS X.
    I say many. I have followed through many steps to do it. And I know what I am talking about. I can’t say it here.
    You guys have to figure it out. What you said on your blog is based on facts. And I mean it. I have been through this before. And I know the issues. I have informed Apple of this matter. But I just don’t know whether they listen to it. Get a PC and install open source software like FreeBSD or Linux. And learn the hard way.

    Comment by Victim of a Mac — November 6, 2011 @ 9:11 am

  79. To be frank with you guys: wake up. Mac OS X is not secure! Even on your Mac OS X 10.7. So don't ever say that Mac is dead secure with no viruses. The myth is this: there are viruses for Mac. What Apple meant is that you cannot get Windows viruses, but Apple never says that you can get Mac viruses too. I cannot say much, but when I take a look at it, there are many vulnerable packages that are not being patched, even on Lion. What I did not like about Apple is that they rush into things and release their software before fully testing it for any vulnerabilities. They took many months to update their Unix software packages. Those who are in the know and have been playing around with Unix know this. Well, those experienced guys who know how to tinker around know their stuff. Those who are newbies, I mean new to Mac, think again. If you are experienced in Mac OS X, I don't mind it, but those who are new to it, be prepared for the worst. If you view the Apple Support Communities you will find many Mac users are having problems on their Macs, or with Mac OS X. Did you guys ever notice that every time a new version comes out you have to buy and buy new programs?
    Those old programs that you used in the previous version of Mac OS X will no longer work in the new Mac OS X. You have to wait for the software developer to release a new version, or better still, you have to pay for the new version.

    About security.

    Apple have said it: that they will not disclose any information about security until they have found confirmation.

    I found many programs or apps are useless in the Apple App Store.

    There are many apps which I don't like. It's like mobile device apps.

    Why can't they produce good-quality programs to run on your Mac?

    I say the good old NeXT Computer OS is much better than the current Mac OS X.

    There aren't any good free programs to run on your Mac OS X.

    Aren't Unix programs supposed to be free?

    Comment by Victim of a Mac — November 6, 2011 @ 9:35 am

  89. nice

    Comment by geo — January 9, 2012 @ 3:21 am

  91. The annoying thing that you pull down when trying to play Temple Run will now also be found on your Mac. I have never used this feature on my iPod other than to check my Facebook notifications, but it will be more handy to see what apps need updating. Other than that I find it pretty pointless, but a nice touch nevertheless.

    Comment by Dini — March 10, 2012 @ 2:27 am

  93. This article repeats the same argument I’ve read about OS X security (or lack thereof) many times.
    And that is that OS X is insecure, but OS X users aren’t plagued by security problems (compared to Windows users) because there simply aren’t enough OS X users for virus or malware authors to waste time on.

    I find this argument a bit thin on the ground nowadays for a number of reasons.
    – OS X must have in the order of at least 100 million current users or more (around 10% of market share).
    – It is typically claimed OS X users are more naive about security than Windows users (as you also claim). They should be easy targets then.
    – These articles also typically claim OS X is devoid of many of the security features on Windows, that Apple has less commitment to security, and that what they do provide is an afterthought. That should make OS X a much easier target.
    – Some of the most notorious virus writers have had a lot of time on their hands, and time spent cracking is not something they’ve been particularly restrained about.

    If I were a virus or malware writer (I’m not) and I could target hundreds of millions of machines with gullible users, whose operating system is so much less secure and easier to crack than Windows, why wouldn’t I target OS X?
    Hell, I’d spend at least some of my time having a crack at such a weak, gullible, but large target (i.e. the second-largest desktop operating system at around 10% of users).
    I might even earn myself some notoriety, as well as cash, since my OS X malware would stand out from the crowd of Windows malware.
    Even if I were particularly calculating about the time I spent on virus writing, in a Return On Investment kind of way, then I’d spend at least 10% of my time targeting OS X and probably 2 or 3 times that, since OS X users are reportedly so much less security conscious and OS X is apparently so much less secure.

    All of this just doesn’t add up to the real-world figures of viruses and malware we are seeing.
    Articles like this one also typically warn of the impending wave of real malware we’ll see on OS X.
    But I’ve been reading articles like this for years, and I’m still waiting.

    Comment by jasonsmart — April 28, 2012 @ 11:07 pm

    • >> OS X must have … (around 10% of market share)

      Not even close. Make that 5%.

      >> It is typically claimed OS X users are more naive about security than Windows users

      Earlier this week more than 500 000 OSX machines were STILL infected by Flashback. QED.

      >> Apple has less committment to security

      They do. This problem was fixed by Oracle in February, but Apple didn’t bother to fix it until the stuff had hit the fan in a PR-disaster kind of way. Apple sat on their hands not caring one bit about its customers.

      >> Some of the most notorious virus writers have had a lot of time on their hands

      You are joking right? These are professionals. They are corporations. They are not kids with an allowance sitting in their parents basement. They can invest fifty to a few hundred thousand dollars (that would be the cost of researching and developing something like Flashback plus the back-end infrastructure to support the data collection) and go for the 95% of the market, or they could go after the 5%. What do you think they are going to do most of the time?

      >> why wouldn’t I target OS X?

      Have you been living in a cave for the past few months?

      >> But I’ve been reading articles like this for years, and I’m still waiting.

      You should get out more. Google Flashback.

      Comment by Terje — April 29, 2012 @ 4:58 am

      • >> Not even close. Make that 5%
        Even 5% is many millions of machines. That is easily enough for DDoS, enough to spam and make money, or wreak havoc.
        5% is not definitive. Web stats (also not definitive) can range from 6% to 10%. The trend is increasing though.
        >> Earlier this week more than 500 000 OSX machines were STILL infected by Flashback. QED.
        Well then why have virus writers waited so long to exploit these gullible fools when we’ve been reading about them for years?
        >> Apple has less commitment to security
        You choose to ignore the corollary that this should make it worthwhile to write viruses to exploit that lack of commitment, but we don’t see that in the history of the real world.
        >> You are joking right? These are professionals. They are corporations. They are not kids with an allowance sitting in their parents basement.
        Yes I like jokes. If OS X and its users were such a soft target Flashback should be achievable by budding teen crackers.
        In fact if I was an aspiring teen cracker, I’d probably start with an easy target, hated by many.
        Many famous Windows worms were the result of teenagers in their parents’ basement.
        According to Sophos, Sven Jaschan was responsible for 70% of virus outbreaks in first half of 2004. He was under 18. There are many others.
        Shame prosecutors didn’t see the humour.
        >> They can invest fifty to a few hundred thousand dollars
        Then these ‘corporations’ and ‘professionals’ must be too stupid to do a return on investment. If OS X and stupid users are such an easy target, they can invest 5% of their budget with far greater results.
        >> You should get out more. Google Flashback.
        When I go out, I won’t be Googling Flashback. I have other things to do.

        Comment by jasonsmart — April 29, 2012 @ 9:34 am

        • Apple has not been increasing its market share of “PCs” significantly for quite a while. There has been some uptick since iOS development requires a Mac, but not enough to say that there is any significant upwards trend in the use of OSX.

          >> why have virus writers waited so long to exploit these gullible fools when we’ve been reading about them for years

          See 5%.

          >> You choose to ignore the corollary that this should make it worthwhile to write viruses to exploit that lack of commitment

          See 5%. I just PROVED that Apple has less commitment to security by providing you with a time-span of several months where a serious problem had been fixed and Apple didn’t release the fix for OSX. Apple also has a long history of not releasing security fixes; some are years after they were fixed elsewhere, and some were even more than a decade. Your “corollary” is irrelevant given the evidence that Apple is pretty slow on security fixes. Please note, this is not a controversial statement; it is a well-known fact in the security community, and Apple has been criticized a number of times because of it. Thanks to their minuscule market size, it hasn’t been as much of a problem for them. Now it is a bit of a PR disaster for them. You should see more attention from Apple in the future.

          >> If OS X and its users were such a soft target Flashback should be achievable by budding teen crackers.

          Yes, since teen crackers have access to the infrastructure it takes to do extensive data collection from hundreds of thousands of computers. Are you slow or just ignorant?

          >> Sven Jaschan was responsible for 70% of virus outbreaks in first half of 2004. He was under 18.

          Yes, and 2004 was EIGHT years ago. Virus writing has long (yes, even five years is long in the computer world) stopped being something kids do in their basement and it is now an activity of criminal corporations with serious money on the line.

          >> If OS X and stupid users are such an easy target, they can invest 5% of their budget with far greater results

          You just added Economy to the long list of areas where your ignorance is only dwarfed by your arrogance.

          Comment by Terje — April 29, 2012 @ 9:48 am

  99. OSX may not be 100% secure, and I will give you that. However, you have to look at it in its totality, meaning the Apple ecosystem. If you follow Apple’s recommendations and stay on the reservation you are extremely secure. It’s easy to stay very secure by obtaining software from the App Store, using Safari, and not installing weak third-party plugins like Silverlight, Java, Adobe, etc. Since OSX is basically a redistribution of OpenBSD with a GUI on top, you can look at it as at least that secure, though Apple contends their Mountain Lion build meets all of the requirements of SecureBSD, which is the most secure build of BSD and the most secure OS in the world. The fact that they can deliver this to consumers in a package that is aesthetically pleasing and easy to operate makes OSX the all-around leader in OS technology and user experience.

    Being a professional IT manager, I have worked with Linux, UNIX, and Windows for 20 years and have seen just about every hack and virus in that time. I always overlooked Apple as a fluffy toy computer for the simple-minded, but after getting an iMac for a birthday gift (almost as a gag) I have been converted. I have watched my PC laptop get smacked by drive-bys and actually followed it with my MacBook to the same sites, only to see the code fail in Safari with no infection, so my first-hand experience has also colored my view.

    That’s my two cents.

    Comment by Shawn — September 23, 2013 @ 8:40 am

    • OSX has nothing to do with OpenBSD and Safari is among the most insecure browsers.

      Comment by allthatiswrong — January 3, 2014 @ 10:57 am

  100. […] blogger has written a blistering, well-documented article about Mac OS X security.  See:  The take-away?  Don’t assume that Mac OS X is more secure than Windows.  Windows is a simply […]

    Pingback by Nobody told me there are lots of people “out there” who want to hack into my computer | Database Doctor — September 28, 2013 @ 11:03 pm

  101. Now that it is 2013, which OS has the best security? LoL

    Comment by Boing — October 5, 2013 @ 2:30 am
