Mac OS X ? Unix? Secure?
Daniel Hanson, 2004-07-21

Apple's OS X is not safer or less susceptible to vulnerabilities and viruses than other OSes, and Apple's secretive culture is bad for the security world.

Last week, the city I live in hosted what is called "The Greatest Outdoor Show on Earth" and I spent a day at the rodeo watching the horses buck and the cowboys ride. While it was an entertaining escape from the world of computers for an afternoon, something the ring announcer said started me thinking. He was listing off the lineage of a particularly good bucking horse, and I started considering how breeding a large gentle horse with a small aggressive horse can get just the right combination of size and bucking temperament. But what about the colt that has the size of his undersized dad, but the bucking temperament of his milk wagon mom?

Is the child better than the parents?
The Macintosh is generally regarded as having one of the most consistent, refined and intuitive user interface designs this side of the toaster. It's one of the reasons that the people who love them were willing to put up with the myriad of problems related to hardware cost and availability, mysterious sad Apple crashes, and other annoyances that have kept yours truly from paying the premium associated with the wonderful user interface design.

With Mac OS X a shift has occurred: substantial portions of the underlying operating system have been completely redesigned, and the response among many hard-core techies has been enthusiastic. OS X tastes a lot like Unix due to its BSD grand-parentage, but without the hoops needed to get a pretty desktop with clear fonts, plus it runs MS-Word and a few games. So we have what appears to be a perfect world. Hallelujah.

Is this really the promised land?
While Mac OS X has certainly changed my opinion of Apple and its operating systems, I have to wonder about the security side of things. You out there in the audience, raise your hand if you ever heard Macintosh people claim one of the reasons that the Mac was better was a lack of susceptibility to viruses. Keep your hand up if you believed the claim. As with many aspects of security, the absence of danger does not mean that you are safe.

Another claim that many Mac supporters make is the inherent safety of Macintosh software from the perspective of vulnerabilities: fewer vulnerabilities than other operating systems (other operating systems likely meaning those made by the perennial whipping boy from Redmond).

To a degree, Mac supporters are correct with regard to vulnerabilities. We have a Unix focus area and a Microsoft focus area on SecurityFocus, but no Macintosh focus area. We also don't have a Novell focus area, but there have been a myriad of vulnerabilities for products from Novell; there just aren't the same number of people poking and prodding Novell and Macintosh. So how many people are looking for problems in Macs?

I don't know, but I would guess not many. I would certainly doubt if there was anyone concentrating on Macintosh software the same way as some security researchers target Microsoft products.

Are those warts or cancers?
In the absence of what I consider hard evidence, I have a number of concerns with regard to the security of OS X. One of the scariest to me is related to the culture of Apple as a company. This is a completely arbitrary feeling, but I do not believe that Apple "gets it" in the security world. One of the big problems, in my opinion, with the culture of Apple is the relationship with the traditional Apple customer. This relationship is very different than what is expected by many of the people who are currently snapping up PowerBooks like hotcakes. The company should be more forthcoming about their security plans when dealing with these customers.

Historically, Apple has not had very good external communication skills. They have a tremendous marketing team, but the amount of information (as opposed to marketing hype) that comes out of Apple is low. Some say this is the arrogance of the company; that customers should just accept what information is handed out and that Apple is justified in playing their cards close to their chest.

The consequences of this strategy were highlighted a few months back when a number of vulnerabilities were discovered in OS X and were patched by the Panther upgrade, available for a fee. The release of vulnerability information and the availability of the upgrade, with no security fix available for the earlier Jaguar release, led to an initial assumption that Apple was saying "you'll get a fix when you buy the upgrade." Some of the media started yelling fire and the flames were fueled by a couple of comments from the security peanut gallery. Apple quickly clarified their position of never charging for security patches, but it is difficult to tell if Apple simply didn't communicate the original message well, or if they rapidly changed course in response to the backlash in the media. I don't understand why they didn't just release the upgrade and the backported fixes at the same time. Perhaps this is indicative of a lack of process revolving around security inside Apple; only time will tell if this part of history will repeat itself.

Another concern I have is that while other operating systems and hardware platforms are moving towards controlling exploitation of buffer overflows through things like stack and heap protection and no-execute flags, there has been no indication from Apple as to what their plans are. Do they believe that Apple programmers don't write buffer overflows? What about third party developers? What about third party developers writing network enabled services?

With the control that Apple has over the total package (hardware and operating system), I would expect that they could be one of the first to embrace many of these changes. The resounding silence on this matter is, to me, curious. Maybe they feel that they don't need to worry about this for other reasons. If that is the case, I would be interested to know why. Perhaps there are security lessons that other programmers can learn.

One technical area of concern I have is the interaction between the UI and the underlying kernel. After reading an interview with Richard Wareham, the author of Desktop Manager, the presence of undiscovered APIs he described is concerning.

To me, this implies a fair amount of undiscovered functionality, and likely accompanying complexity. For those readers who have followed the Shatter style attack saga for Windows systems, I wonder if we will start to see privilege escalation vulnerabilities related to the Mac OS X UI. While Macs are generally pictured as home computers, organizations that use them and depend on them for information integrity should give a passing thought to the integrity of the system to a malicious user logged into the system.

A good looking colt, but we'll see how he develops
Overall I think that Apple has made some phenomenal strides largely with OS X becoming a so-called "real" operating system. The latest version of OS X adds a cryptographic file system by default, and I believe that Apple tries to get the user interface for everything just right, making social engineering a bit more difficult. These are all good signs that Mac OS X is continuing to grow in the security business.

To continue that growth, I think that Apple needs to embrace a new aspect in their relationship with their user community. Without this change in that relationship, we can expect more vulnerabilities, more confusing patch information releases and the reality may become that OS X is no more secure than Windows, or Linux, or Novell, or worse, it will fall behind and be hard pressed to catch up.

Apple has an opportunity here; I hope they see that opportunity and embrace it. Proactively secure by default -- it would be nice if another Unix colt started moving in that direction.


Daniel Hanson manages the Focus Incidents area of SecurityFocus as well as the Incidents mailing list.
Copyright 2010, SecurityFocus