Mac OS X security as good as XP?

"...the vulnerability he exploited has yet to be published and Apple has not released a patch for it."

Yeah, I'm hoping to see a nice, reasonable discussion of this. :-)

Just to get you started:

{puts on Devil's Advocate hat}

At least M$ puts out regular security updates once they're aware of a problem.

}(

http://news.yahoo.com/s/nf/20060306/bs_nf/41948

Hacker Gains Root Access to Mac OS X in 30 Minutes

It took a hacker less than 30 minutes to gain root-level access to Mac OS X, according to a report from ZDNet. The hacker who penetrated the system called the Mac "easy pickings."

The security breach took place on February 22 after a Swedish devotee of the Mac set up a Mac Mini as a server and invited all takers to try to compromise the system's security to gain root-level control. Once a hacker has gained root access to a computer system, the attacker can install applications, delete files and folders, and use the computer for any nefarious purpose.

The competition was over in a matter of hours after a hacker, who asked to be identified only as "Gwerdna," gained access to the server in question and defaced the Web site with a message that read, "This sucks. Six hours later this poor little Mac was owned and this page got defaced."

Gwerdna told ZDNet that it took him a mere 30 minutes or less to gain root control of the Mac. "It probably took about 20 or 30 minutes to get root on the box," Gwerdna said. "Initially, I tried looking around the box for certain misconfigurations and other obvious things but then I decided to use some unpublished exploits -- of which there are a lot for the Mac OS X."

Although Gwerdna said that the Mac Mini could have been protected more effectively, he also said that, even had the machine been configured for better security, it would not have stopped him because the vulnerability he exploited has yet to be published and Apple has not released a patch for it.

All OS's are insecure.

Apple's marketing department is probably throwing a fit right now.

But there is a small segment that either:

1) goes NUTS whenever anyone says something like that, or
2) acts like it's no big deal even though it flies in the face of arguments they've made in the past.

Last time I saw a discussion on here (a couple of weeks ago, about that Mac virus) and it was pretty entertaining just to lurk and read. So I figured I'd be proactive.

http://test.doit.wisc.edu/

<snip>

The "Mac OS X hacked under 30 minutes" story doesn't mention that local access was granted to the system. While local privilege escalation exploits can certainly be dangerous - and used in conjunction with things like the above Safari exploit - this isn't very informative with regard to the general security of a Mac OS X machine sitting on the Internet.

<snip>

The ZDnet article, and almost all of the coverage of it, failed to mention a very critical point: anyone who wished it was given a local account on the machine (which could be accessed via ssh). Yes, there are local privilege escalation vulnerabilities; likely some that are "unpublished". But this machine was not hacked from the outside just by being on the Internet. It was hacked from within, by someone who was allowed to have a local account on the box. That is a huge distinction.

Almost all consumer Mac OS X machines will:

Not give any external entities local account access
Not even have any ports open
In addition to the above, most consumer machines will also be behind personal router/firewall devices, further reducing exposure

The challenge is as follows: simply alter the web page on this machine, test.doit.wisc.edu. The machine is a Mac mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, has two local accounts, and has ssh and http open - a lot more than most Mac OS X machines will ever have open. Email das@doit.wisc.edu if you feel you have met the requirements, along with the mechanism used. The mechanism will then be reported to Apple and/or the entities responsible for the component(s).

<snip>

More at link -- knock yourself out!

OS X (which is a slightly modified FreeBSD, by the way), Unix, and Linux are typically more secure from the ground up. Microsoft's history is to unwittingly welcome hackers with open arms. Their history is replete with lots of program rewrites; mostly to keep competitors from copying or emulating their products; the OS/2 issue being the most noteworthy, but MS' alterations are universal... Haphazardly written code that's far easier to punch holes through.

So, we all continue to get the Microsoft way. Because hackers showing that nothing is secure gets the IT management thinking "Why spend a dime to migrate?" So they stick with a product line whose history is an utter embarrassment and that can only be patched for so long and Microsoft knows that these security problems are too much a danger to their profit margins that they will change business... again...

Zero Day is coming.

Never mind the centralization (roaming profiles, server clusters, terminal services for THIN CLIENTS (aka the "no desktop" business solution that isn't)) or "eggs in one basket". When this becomes commonplace, don't expect me to cry. The idea of 'all the eggs in one basket' has never worked and never will.

At any rate, fuck apple up its crapintosh. Jumping to Intel after hijacking FreeBSD is more than enough for me. (and the use of FreeBSD is what made moving to Intel possible - not to mention obvious.) Let apple's board of directors eat ipods. I'd much rather use Windows at this point; not with the performance issues for "non-native" applications - I thought OS X (aka OX) was supposed to be native? :eyes:

So now every Mac is an Intel Mac? Mine isn't. And it's practically brand new still. Don't jump on the Apple-bashing bandwagon "just because." If you'd much rather use Windows at this point, great for you. But that has nothing to do with anything else in your post. You prefer a piece of crap cludge like Windows to OSX because of...uh...what was the reason again? Someone finally found security flaws in a Mac, which turned out to be bullshit anyway?

LOL! Good one.

today. So get your facts straight.

in addition, linux user that you are, you will understand that this "hack" wasn't as much of a hack as implied when I tell you:

<snip>

The ZDnet article, and almost all of the coverage of it, failed to mention a very critical point: anyone who wished it was given a local account on the machine (which could be accessed via ssh). Yes, there are local privilege escalation vulnerabilities; likely some that are "unpublished". But this machine was not hacked from the outside just by being on the Internet. It was hacked from within, by someone who was allowed to have a local account on the box. That is a huge distinction.

Almost all consumer Mac OS X machines will:

Not give any external entities local account access
Not even have any ports open
In addition to the above, most consumer machines will also be behind personal router/firewall devices, further reducing exposure

<snip>


http://test.doit.wisc.edu/


---------
ON EDIT -- just for fun, an article from 2002 eweek:

http://www.eweek.com/article2/0,1759,1656622,00.asp

<snip>

Apple Keeps x86 Torch Lit with 'Marklar'
By Matthew Rothenberg and Nick dePlume
August 30, 2002

As Apple Computer Inc. draws up its game plan for the CPUs that will power its future generations of Mac hardware, the company is holding an ace in the hole: a feature-complete version of Mac OS X running atop the x86 architecture.

According to sources, the Cupertino, Calif., Mac maker has been working steadily on maintaining current, PC-compatible builds of its Unix-based OS. The project (code-named Marklar, a reference to the race of aliens on the "South Park" cartoons) has been ongoing inside Apple since the early days of its transition to the Unix-based Mac OS X in the late '90s.

Sources said more than a dozen software engineers are tasked to Marklar, and the company's mainstream Mac OS X team is regularly asked to modify code to address bugs that crop up when compiling the OS for x86. Build numbers keep pace with those of their pre-release PowerPC counterparts; for example, Apple is internally running a complete, x86-compatible version of Jaguar, a k a Mac OS X 10.2, which shipped last week.

<snip>

Despite its current PowerPC pedigree, Mac OS X's roots tap Intel hardware. In December 1996, Apple acquired NeXT Software Inc. and its Intel-compatible OpenStep operating system. Under the company's "Rhapsody" OS strategy, it planned to base the next-generation Mac OS on OpenStep, shipping an Intel version to provide a cross-platform development environment. While developer previews of Rhapsody for Intel were released, it was never shipped to customers and quietly left the limelight as Apple's software strategy was refined into today's OS X.

<snip>

*yawn*

But until MacOS X has thousands of bits of viruses worms trojans and spywares available for it, it will be more secure than any Windows system.

And if you will recall, the last three stories like that have been debunked in turn...

http://www.macfixit.com/


Snip>The article fails to mention, however, that the Mac OS X system that was "hacked" had an LDAP server setup which was linked to the Mac's naming and authentication services, to let people add their own account on the machine. So the contest allowed the user to create their own account and local SSH access -- a precarious set-up to say the least.<snip

don't be so hard on Microsoft...they need your love and sympathy. I don't see any harm in "pre-hacking" the Mac so it's as "secure" as XP :cry:

:rofl:

The gauntlet is thrown down.

Have at it! You have permission, even, so its legal.

There are configurations you might use when you are making a system for internal and well-protected LAN use.

There are configurations when you're setting up a machine to serve ports to the 'net at large.

My guess is the guy who propped up that Mac didn't do his homework and put a type-A system into a type-B situation. Unfortunately, that's all-too-common in "the real world", too.

Would a WindowsXP server machine have done better? Hard to say. It depends a lot on the choices and practices of the admin(s) and which hackers show up for the party.

andrewG was probably telling the truth. :shrug:

edit: Just saw dogman's #5, yep.
"the Mac OS X system that was "hacked" had an LDAP server setup which was linked to the Mac's naming and authentication services, to let people add their own account on the machine."

The second a hacker gets his very own customizable command shell on your server, you're FUCKED. F-U-C-K-E-D. I don't care if you have the best authentication and permissions system in the known universe, the user can still run D.o.S. attacks and bring your server to its knees. Half the battle is keeping shit like that from happening in the first place. This is basic best-practices stuff. At 30 minutes, andrewG was taking his sweet time, maybe he stepped out for a smoke midway?

Once you start enabling things like SSH and FTP and etc, then you start becoming exposed to password guessing attacks.

The essential problem is that passwords can be guessed in many cases.

As long as you have given somebody a way to log onto your machine, you are insecure.

But the VAST majority of all users never turn on those features.

One of my profs put it thusly: "An absolutely secure computer is not plugged into a network. It is not plugged in to a wall socket. It is powered off, in a concrete bunker 2 miles underground, and the only people who knew where it is are dead."

In other words, it is useless.

The more you want the computer to do for you, the less secure it becomes. The second you start talking about networked apps and services of any sort, be they client or server, all computer security becomes a trade-off, a matter of balancing risk and return.

Riiiiight. Like the WMF vulnerability that was so large it was hilarious... the one that MS basically had to be shamed into releasing the patch ASAP rather than a week later, with the normal "Super Tuesday" rollout? Stop, I'm laughing so hard I'll split my sides.

No OS is bulletproof. That said, the fact that MacOS actually has a significant vulnerability doesn't automatically make Windows the more secure choice.

Hey, I'll be "nice and reasonable" after you start. "Devil's Advocate" my cloven hoof. :evilfrown:

This is a badly-written article and a poorly-formulated "test" of OS X security.

There was no "penetration". The owner of the computer created an account for this "Gwerdna" (andrewG backwards). There was no effort required to access it. And yes, a ZDNet reporter should know what a "system penetration" is.


Yeah, how about:

1. not giving a stranger an account and password to access the system;
   
2. not intentionally enabling ssh (off by default on OS X workstation);
   
3. not enabling the root account (again, disabled by default and not something your average user would do);
   
4. not promoting this through the biased mouthpiece that is ZDNet.

Yes, "Gwernda the bad witch" was able to escalate his privileges from a standard user to root level through some means, which should be prevented, but the owner basically told the burglar to come to his house, gave him the keys to the door, turned off the alarms, opened the safe and is now shocked -- SHOCKED I tell you -- that something went missing.

If you walk around all day with your dick hanging out of your pants and calling attention to it, don't feign surprise when someone slams a car door on it. Oh, and don't call "Penis-Haters Weekly" to report on it.

Funny how OS X has been out for five years and these FUD stories are only recently gaining any traction. Someone must feel threatened... (and it isn't me).

Oh, and OS X is FreeBSD with a modified interface that Apple claimed it would put back into Open Source what it took out in the first place.

Haven't read anything since that statement of Apple's but I'm sure they have kept their word </typicalsarcasmaimedatcorporation>

Double Bingo.

Great post. Informative and riotously funny.

I am feeling more secure on my G4. Just rechecked my security settings, following a list from MacGeekery.com

Snarf. LOL.

I had security fixes for my Mac this weekend. Mmmmm...... Wonder why they talk about Apple not putting out security fixes. They do it all the time.

Even if there were any true dangers at this point, I'd still have the last two decades+ to point at.

Windows users are suckers.

Supporting the GOP. Paying Ralph Reed 20 thousand dollars a month.
Putting up with Virus after Virus after Virus.

Suckers.

Unless you build your system yourself and pirate Windows.

Read something interesting the other day in the book "In Search of Stupidity." The reason there are all these MS systems out there and no Mac clones is due to different strategies.

1) There WERE clones of the first Apples, but Apple was able to prove in court that they had violated their copyright by copying the BIOS. So that killed off the Apple clones.

2) IBM said "Hey, we'll avoid Apple's trouble" and PUBLISHED their BIOS. They figured that in court they could argue "Well, we let everyone know how the BIOS was created, so now they've copied it and are violating our copyright."

Unfortuately for IBM, it's kinda hard to prove that someone read a particular item.

So that's where it all began. No IBM screw-up, no IBM clone market, and Bill Gates is working at a Best Buy somewhere.

I just don't get that.

And piracy, even if the Redmond Menace, is wrong.

If you don't want to pay money, use open source software.

How many everyday people even know how to build a PC and pirate Windows?

Not that it is particularly difficult, but most are afraid to delve into matters that far.

<snip>

The ZDnet article, and almost all of the coverage of it, failed to mention a very critical point: anyone who wished it was given a local account on the machine (which could be accessed via ssh). Yes, there are local privilege escalation vulnerabilities; likely some that are "unpublished". But this machine was not hacked from the outside just by being on the Internet. It was hacked from within, by someone who was allowed to have a local account on the box. That is a huge distinction.

Almost all consumer Mac OS X machines will:

Not give any external entities local account access
Not even have any ports open
In addition to the above, most consumer machines will also be behind personal router/firewall devices, further reducing exposure

<snip>

http://test.doit.wisc.edu/

Lemme get this straight. Take an out of the box Apple system, butcher it, ignore all standard UNIX security practices, then compare it to a fully patched XP system.

Get real.

The biggest weakness in any security is the user. If they don't know what they're doing (allowing access, writing passwords down, etc.), doesn't matter whether you have a Mac, IBM, Altair, Atari, Kaypro...uh, Univac...

If one person can make it. Another person can un-make it.

OSX is only more secure because less malicious hackers have their eyes on it. I think that trend is changing.

I think you don't have a clue what a "tight" operating system FreeBSD (the basis of OSX) is.

Whereas Windows is a design nightmare. There is probably no way to make it as secure as OSX.

The more popular that OS becomes, the more people will start targetting it.

I'm not saying it's a crap OS, or an insecure OS. I'm just saying it hasn't had hundreds of thousands of code monkeys trying to find exploits to it for years at a time.

Most people who attack Macs never really seem to know what they are talking about. Kinda like a Dem/Liberal basher.

Have you heard of Snitch? And if so, do you use it?

Should I?

It is a firewall program that let's you know when a server or somebody outside is trying to connect. When I begin streaming, it'll let me know that AAR is trying to make a connection. Sometimes when opening certain threads, I get a ping from a another server. Pretty cool... just wondered if you knew about it.

I generally use the OSX built-in firewall.

i am not a mac owner (i build my own PCs) but i can still smell BS when a load is dropped.

is zdnet a shill for MS now, or has it always been?

I've never had anyone be able to attack my Windows machines. You Mac users are stupid to spend so much money on an inferior machine.

:sarcasm: