Focus on Apple
Re: Bill Gates on Mac OS X security Feb 03 2007 02:29AM
Pat Plummer, MD (blacksun ix gotdns org) (1 replies)
Re: Bill Gates on Mac OS X security Feb 03 2007 05:02AM
David Maynor (dmaynor gmail com) (2 replies)
Mr. Plummer,

While my response may seem snarky, I assure you its not.

Its probably got alot to do with the reasons in my post: even if you
manage to find a bug you would have to almost invent a new exploit
method to take advantage of it. It might have something to do with
Microsofts SDL and the way it does simple things like ban known bad
functions. Microsoft coders aren't allowed to use functions like
strcpy or sprintf anymore. Functions like this were responsible for
vulnerabilities used in major worms and you can still find them used
aplenty in Apple code. MoAB #1 was a simple stack overflow that would
not have happened if SDL was applied to Apple code.

So I have a pretty good idea and someone who answers with "i don't
know" you should be wary of becasue they probably can't right an
exploit. Its kinda like the approach alot of security companies take
to protecting against 0day attacks. Why bother stopping every
individual attack when you can do something simple like ASLR and you
kill an entire class of attacks. So there may be bugs in the new stack
but at best it will be a DoS. Maybe what you are missing is a
fundamental understanding of antiexploitatin technology and that it is
present in Vista and not is OSX. This is kinda funny because it is in
FreeBSD, but because of fundamental differences this technology is not
a straight port.

Before you roll your eye and write me off as a Microsoft fanboy, ask
your self why many other Operating systems like Linux and OpenBSD have
intergrated this type of technology yet OSX still hasn't. So in
closing just becasue you find a vulnerability in one of these sysemts
no longer means you can turn it into an exploit.

If you don't like the rsponse don't be mad at me, email
product-security (at) apple (dot) com [email concealed] and demand a timeline for when these types
of features will be added.

On 2/2/07, Pat Plummer, MD <blacksun (at) ix.gotdns (dot) org [email concealed]> wrote:
> > Please understand that I'm not referring to the average Mac user
> > that just wants a safe, reliable computing experience. I'm taking
> > exception with zealots who place those users at risk by giving them
> > a false sense of security. OS X is pretty safe today for the
> > average user, but the platform is definitely NOT as fundamentally
> > secure as Vista
> Mr. Maynor:
> I've been lurking in the background for a while now and certainly am
> not a high level security expert - just a lowly sysadmin for various
> non-noteworthy Linux, NetBSD, MacOSX, and Windows servers over the
> years who has an interest in topics like this. It is my understanding
> that Vista underwent a total from-the-ground-up rewrite of its
> network stack as opposed to using something more tried and true. How
> can one say categorically that Vista is more fundamentally secure
> when it is using this untested stack (untested out in the trenches at
> least and one that has apparently already had its share of major
> problems prior to release) as well as, presumably, other untested
> software components? IOW, how can one state with such certainty that
> software that is in many ways quite virgin and has not already
> undergone a full on assault for several years be more "fundamentally
> secure"? At best, I would think all that one could say would be "I
> have no idea".
> If not, I must be missing something. Please advise.
> Pat

[ reply ]
Re: Bill Gates on Mac OS X security Feb 03 2007 03:21PM
Dave Schroeder (das doit wisc edu) (2 replies)
Re: Bill Gates on Mac OS X security Feb 04 2007 11:42AM
Howard Oakley (h oakley btconnect com)
Re: Bill Gates on Mac OS X security Feb 03 2007 04:56PM
David Maynor (dmaynor gmail com) (1 replies)
Re: Bill Gates on Mac OS X security Feb 03 2007 05:17PM
Dave Schroeder (das doit wisc edu)
Re: Bill Gates on Mac OS X security Feb 03 2007 07:24AM
Pat Plummer, MD (blacksun ix gotdns org)


Privacy Statement
Copyright 2010, SecurityFocus