Mar
13
OS X Security – Untangling Some of the Hype
Filed Under Computers & Tech, Security on March 13, 2006 at 11:18 pm
There has been a lot of media hype in the last two weeks or so about OS X security and it seems to be sexy now to have a go at the mac. The amount of half-thought-out and poorly researched hype about OS X vulnerabilities of late is just astounding. To read some articles you’d swear that there was millions of destroyed macs littered all over the Internet. But there aren’t, there are two minor ‘viruses’, a vulnerability in a web browser, and a dubious hacking claim.
Two ‘Viruses’
So, what were these ‘viruses’, well, the first one, the wonderfully named "oompah loompah" virus (or Leap.A to be more formal) was a Trojan that spread it self via iChat. People had to open a file that they received via iChat to get infected. The second one allowed people with bluetooth devices to get too much access to your machine. Not good but the patch to fix this problem was released months before the virus so any sensible person was safe.
What can we learn from these two ‘viruses’:
- Don’t open files you get from an un-trusted source
- Keep your OS up to date
As for the first point, if you get a strange file from a strange person over ANY medium and you are stupid enough to open/run it you DESERVE to get your machine destroyed! Any file you run runs as YOU and has all the permissions YOU have so it can delete all YOUR files. That’s not a security problem that’s a fact of life on any OS. Programs you run can do what you can do and you can delete your own stuff!
The second point is another no-brainer. Linux and Unix are more secure than windows but ONLY if you keep them updated! Same goes for OS X, or any OS for that matter. Apple are very good at brining out security updates and patches, if your machine is going to be online INSTALL THEM!
You’ll notice that the two rules of thumb above are not OS X specific, they go for all OSes. Windows users have been aware of these realities for a long time, perhaps Mac users have not, well, they should have been!
One Vulnerability
The Safari vulnerability however was more worrying. In this case Apple did something stupid and they should have known better. Safari was susceptible because it opened files automatically on download. That is dangerous and the horrible experiences MicroSoft had with things like this SHOULD have served as an example to Apple for what NOT to do. It didn’t. I hope they’ve learned their lesson now!
And a Misreported Hack Success
Finally, the hack reported on ZDNet. Firstly, I’m disgusted with ZDNet for their shoddy reporting on this one. I read the ZDNet article and the implication was that the machine had been hacked remotely in 30 minutes. That would have been worrying. Thing is that is not what happened. The guy GAVE login accounts to the people who were doing the hacking! The exploit was NOT remote, it was local, and that makes the world of difference. I was disgusted when I found out from another source that that was how it had been done, ZDNet really let themselves down by leaving that vital piece of information out of their story, I for one will take everything they write from now on with a grain of salt.
What difference does it make if the exploit was remote or local? Well, on ANY OS you should only give accounts to people you trust. If you have to give accounts to un-trusted parties you need to take extra precautions to protect yourself. I very much doubt there is a single OS out there (be it a Linux, Unix or Windows variant) that does not have a local exploit, why should OS X be any different? What is important is that if you put a Mac on the internet that you are safe, that means that you should be protected from remote attacks, so far OS X seems to stand up very well to those, no doubt due to it’s excellent firewall which it inherited from it’s FreeBSD roots. In fact, another Mac was set up as a hack challenge, but without giving the attackers a login account and it lasted 38 hours before the test was cut short by University Administrators who didn’t like a machine in their network being advertised as a hacking target!
You Mean OS X is not Perfect?
So, OS X is not perfect, OS X users need to use common sense too, are you surprised? If you are then you were living in fantasy land! Linux is also not perfect, neither is Unix. There is no perfect OS! So, does that mean OS X is no better than Windows for security? Nope. Not at all. OS X has a better security model than Windows (as does Linux). The way attackers carry out remote exploits is by using a known or un-known flaw in some world-facing service on the target machine (e.g. the dreaded blaster used the RPC service to gain access to machines without the users having to do anything). The more services you have listening the more potential avenues for attack there are. You need to minimise the services you expose and you need to keep the software for those services as up-to-date as possible. On Windows there are loads of services open by default. Regardless of whether you ASKED your windows machine to run these services or not, ‘out of the box’ it will be running them, and each one is a potential entry point for nasty people into your computer. To make things worse it is actually quite tricky to turn off services on Windows, you need to be more than just an average user to have the skills to do it.
OS X and Linux by contrast have ZERO world-facing services by default! You, as a user need to turn on what you want. On OS X this is trivial to do, there is a nice simple GUI in the System Preference App to do it. The other nice thing is that the OS X firewall is tied in to the services and it’s default behavior is to block off all ports that are not needed by the services you have selected to activate. This means that, in general an attacker has FAR FAR fewer avenues of attack on an OS X or Linux machine than on a Windows machine. In fact, in general you don’t need any services open so you can keep everything closed and know that you are well protected, much better than you are on Windows unless you get technical or install third-party addons.
Finally … Some Conclusions
In Summary, here are the simple steps all Mac users should take to protect themselves:
- Turn on your firewall, Apple provided you with it for a reason!
- Don’t activate any services you don’t need!
- Keep your OS up to date
- Don’t open up any files (including apps) you get from un-trusted source
Finally, these are the reason I believe OS X is more secure than Windows
- OS X only opens the services you ask it to
- OS X has a better built-in firewall (the defauls are perfect for home users and power users have the power to do MUCH more, see The RIGHT way to set up a Custom Firewall on OS X and IPFW Firewall Script (Suitable for OS X))
- The core of OS X is opensource and based on the very solid FreeBSD.
- Apple seem to be quicker at getting out security fixes
- OS X has a better user-model, the Unix one
- OS X has a better file permissions model, again, the Unix one.