<p>"Fact: If you start up Windows out of the box with an internet connection it WILL get infected. You have to apply firewall settings, spybot, adwatch and antivirus before ever hooking it into the 'net."</p> <p>absolute rubbish. windows firewall is on by default. internet explorer's pop-up blocker and script blocker are on by default.</p> <p>check out Apple' iTunes and Quicktime flaws, and their patches which wrecked havoc, for an example of how "well" Apple security is. what about remote code execution flaws back in 2004? and yes, that WAS in the wild, on Limewire and Gnutella. statistically better than Windows? very likely. but with less than 18 times of Windows' installed base, i'm not surprised.</p>

Posted by: ruykava 23 Jan 2006

<p>I do IT for a few dozen Macs, all OS X with some acting as file servers (but not running OS X Server, just OS X), and a few acting as web servers. I am also certified in *NIX Security and have to keep about a dozen Windows XP machines secure.</p> <p>When I saw the headline in my RSS feed I came here looking for information to enhance my OS X security. </p> <p>Instead all I got was another screed against Apple that could have been written by Bill Gates, the same type of article claiming Open Source costs more and is less secure crap you see in every MS shill magazine. </p> <p>Fact: If you start up Windows out of the box with an internet connection it WILL get infected. You have to apply firewall settings, spybot, adwatch and antivirus before ever hooking it into the 'net.</p> <p>Fact: Out of the box OS X has never been infected. </p> <p>So it isn't a myth. Anyone can hack a machine that the user lets you into, but they can't turn other OS X machines into zombies if they do.</p> <p>I won't be back to this site, you haven't shown me anything I need to make my job or life better. If I want to read this level of hysteria about a non problem I'll go to Drudge.</p>

Posted by: Sailor 21 Nov 2005

<p>First, how do you know what Apple wound up doing to patch the flaw? What if they spent that time providing a more fundamental solution to a wider problem, recognizing the unlikelihood of someone getting in that way?</p> <p>The issue is with your title - security on the Mac is not a myth, it is real - and how all these people latch onto one minor vulnerability (not virus!) or one little delay and get all worked up and scream the sky is falling - Mac security is a myth.</p> <p>Before you scream that, take a look at where it really sucks and do a compare. Then choose more appropriate language to put it in context.</p>

Posted by: kk 26 Apr 2005

<p>Just 1000000000 more cracks to go and Mac OSX might come close to the amount of flaws Windows XP has.</p>

Posted by: PDzero 24 Apr 2005

<p>Re taking three months: well, maybe people were at risk in that time, but the simple fact is that no vulnerability in OS X has ever been exploited. When I played baseball in high school my coach's policy was when you're at bat, you take the first strike. Don't swing until you see a strike go by. This may seem to put you at a disadvantage, but in reality it makes the pitcher prove he can (and is willing to) throw strikes. If he throws a few balls first then you've got the advantage. Similarly in basketball, if someone you're guarding takes an outside jumpshot and misses, you don't guard the jumpshot. Watch the passing lanes and guard against the drive; give him open jumpshots until he makes one, thereby proving that the jumpshot is a threat. Then you can adjust your defense as appropriate. The point is, if anyone ever exploited a vulnerability, Apple would no doubt become faster at patching. But with no extant exploits, I'd rather they spend their time thoroughly bug-checking the patch. At this point bugs are much more problematic than viruses on Macs. So the delay is perfectly reasonable in my mind, and will no doubt change if the virus situation changes.</p> <p>And: the renepo/opener crap is NOT a virus. It's just a script. I can write a .bat DOS file or a Visual Basic script that will do all sorts of bad stuff to a Windows installation; does that mean I've created a new virus for Windows? No. It's just a script. By your logic the trashcan Apple places in the Dock is a virus, because it has the capability to destroy you files.</p>

Posted by: silas 22 Apr 2005

<p>I love my Mac - and I like the fact that we are far less likely to encounter security problems than the Windows community, but that doesn't stop me being paranoid. I still have firewalls, virus checkers and anti-spyware software. If there is a problem we should take it seriously - and not just react defensively every time someone 'criticises' any aspect of the Mac world...</p>

Posted by: Peter Dunkley 22 Apr 2005

<p>The story isn't about the security or insecurity of Windows. It's about a leak in OS X. Does it make OS X safer if Windows plugs its holes faster - or takes more time to plug them?</p> <p>The fact is that Apple took over 3 months to plug a hole that is relatively easy to plug, and this needlessly put users at risk, as Braden Thomas pointed out.</p> <p>I truly don't get the MSFT argument here.</p>

Posted by: SV Sleuth 22 Apr 2005

<p>What a boob you are. Countless millions have suffered from the malware and viruses that Microsoft can't prevent. I'm one of them. Spyware compromises personal financial information and leads to identity theft. And you're worried about some supposed vulnerability that not one person has suffered from. </p> <p>Get real and get a life. We've heard this tripe all before. You're just another victim of Microsoft's abuse and living the life of someone with Stockholm Syndrome. Get some help. The first step is recognizing that you are being abused by Microsoft and paying dearly for it (on many levels). Don't bother replying to me, I won't be back.</p> <p>The only other explaination is that you are just another Microsoft shill spreading their FUD crap. Not buying....</p>

Posted by: Lester Spamm 22 Apr 2005

<p>What if it took Apple more than three months to come up with a patch to secure the fault? Occams razor rule in effect here.</p>

Posted by: mcloki 22 Apr 2005

<p>Blah-blah-blah-OS X isn't as secure as you think-blah-blah-blah.</p> <p>How about something new and original?</p>

Posted by: Zenism 22 Apr 2005

<p>To: To Stu</p> <p>Social engineering could deliver an application that opens/turns on telnet or FTP. ssh is turned on by default in OS X server.</p> <p>You miss my point about, if these services somehow get turned on - via System Prefs, via social engineering - and then they are found to have a buffer overflow/generic guest account/some other exploit, the machine could become compromised. Look up John the Ripper and see if you can hack your own password. You did notice that I said there haven't been any holes in these remote services in a long time, but that doesn't mean never.</p> <p>I am being realistic, you aren't because you aren't willing to admit that there are real possibilities out there. That doesn't mean real probabilities, just possibilities.</p> <p>I've used OS X daily for almost 4 years now. I've seen several local (root access anyone?) and a couple of remote exploits. I think I know what I'm talking about.</p>

Posted by: Stu 22 Apr 2005

<p>Stu,<br /> You write:<br /> "You are both wrong on one account. These days local access does NOT mean physical access. If I can ssh/ftp/telnet into your box, I have local access but not physical access. This could also be obtained via social engineering."</p> <p>And how, prey tell, do you do this if you do not know the username/password? How do you do this until any of SSH/Telnet/FTP are turned on? (it is off by default)<br /> Social engineering, as in telling someone your username password and telling them to turn on SSH/Telnet/FTP because you need to help them in some way, and THEN give them your username/password?<br /> I guess anything is possible, but you are not being realistic...</p>

Posted by: To Stu 21 Apr 2005

<p>Stu wrote: There ARE virusses for OS X</p> <p>And wasn't that a storm in a tea-cup.</p> <p>"opener" was not a virus. It was a root kit with no attack vector. It was never found in the wild. It was a bunch of script kiddies playing "what if", and in the end, requiring root access in order to do nothing much with it.</p> <p>Hardly compares to the swiss cheese security found on Windows.</p>

Posted by: AJB 21 Apr 2005

<p>In re-reading my comments I want to make sure that I do not come across as someone who takes security lightly or worse come across as if I believe OS X is above any sort of attack. </p> <p>I know better, I know that any computer can be hacked, viruses can be created for any platform and no one is invulnerable. My lack of concern is thus far related to the fact that we mac users are not to the point Microsoft users are. Thankfully we do not require a security release a month...although someday we may.</p>

Posted by: Genesis 21 Apr 2005

<p>SV Sleuth, if you had read the comments on the article from the url you posted you would see feedback from users explaining that Opener IS NOT a virus. There are no viruses out for OS X. </p> <p>Opener is a framework for sure, but no virus. </p> <p>I laugh when I read these reports as there are so many unpatched vulnerabilities in Windows that have been known for much longer periods of time. The fact that people expect Apple to act so much more quickly than other large corporations is amazing to me. </p> <p>OK, done rambling...not a virus...we can move on now.</p>

Posted by: Genesis 21 Apr 2005

<p>RE Robert: </p> <p>Yes I did ask Apple (Simon Pope - PR for Mac OS X - simonp@apple.com - (408) 974-0457) to comment. They didn't get back to me, as is common with Apple's PR department.</p>

Posted by: SV Sleuth 21 Apr 2005

<p>SV Sleuth,</p> <p>Have you INQUIRED to Apple WHY there was a delay in patching this? Until we hear their side of the story, possbly we should not be so quick to judge.</p>

Posted by: Robert Hutwohl 21 Apr 2005

<p>There ARE virusses for OS X: <br /> <a href="http://www.itweb.co.za/sections/internet/2004/0410251248.asp?A=VIR&S=Virus%20Watch&O=FPT"><a href="http://www.itweb.co.za/sections/internet/2004/0410251248.asp?A=VIR&S=Virus%20Watch&O=FPT">http://www.itweb.co.za/sections/internet/2004/0410251248.asp?A=VIR&S=Virus%20Watch&O=FPT</a></a><br /> Just like there is a proof of concept expoilt for the iSynch flaw.</p> <p>If the technology is there to hack into OS X, it happens. Every day banks and major corporations are hacked or pay randsoms to hackers that we hear nothing about. Hell, there are wars going on that we no nothing about. Does that mean it doesn't happen? </p> <p>Yes, you need to sit behind a computer to exploit the iSync flaw. But how hard is it to find an unattended Mac in a school or library and wreak your havoc? </p> <p>Oh, and for the record: I have used a Mac for over 3 years. </p> <p>RE: "10 dire, critical warnings EVERY week" for WIndows:<br /> Microsoft issues monthly patches and doesn't issue warning prior to issuing the patch. Microsoft's last "Patch Tuesday" fixed 8 flaws, 5 of which were labeled critical.</p> <p>But the number of patches is besides the point here: Apple's inaction on this issue put users are risk. There is no excuse for that.</p>

Posted by: SV Sleuth 21 Apr 2005

<p>rbb and silas,</p> <p>You are both wrong on one account. These days local access does NOT mean physical access. If I can ssh/ftp/telnet into your box, I have local access but not physical access. This could also be obtained via social engineering.</p> <p>If there's a hole in any of these remote services, which there haven't been in a long time, then these secondary security issues can be hit. That's why they need to be fixed.</p> <p>Just something to think about.</p>

Posted by: stu 21 Apr 2005

<p>I hear that ActiveX is a major security flaw in Windows. When is it going to be patched?</p>

Posted by: Tonio Loewald 21 Apr 2005

<p>Ditto what rbb pointed out -- most OS X vulnerabilities require an attacker to already have overcome a major hurdle, like getting physical access to the computer or getting the normal user to give up the sudo password by means of some (as yet nonexistent) trojan horse.</p> <p>Those who claim the Mac is more secure do take into account that fact that some vulnerabilities are patched more slowly than on thw Windows side. And guess what? OS X is still far, far more secure than Windows. 1) There are far fewer vulnerabilities in the first place; 2) a higher ratio of the vulnerabilities that do exist require overcoming obstacles like those mentioned above; and 3) vulnerabilities or no, the simple undeniable fact is that there are no exploits out there -- no OS X user has lost data, uptime or anything else as a result of malicious attacks.</p> <p>1) + 2) + 3) = a far more secure system. There's just no way around it. As much as Windows users like to gripe and point out every little flaw in OS X, facts are facts. Furthermore, this isn't likely to change anytime soon. To the extent that the lack of malicious attacks is a result of disparities in market share, consider that even if Apple has a meteoric rise in the next few years and doubles their market share, they'll still only have around 9% of the market. The disparity will still exist, and there will still be fewer malicious attacks. </p> <p>Add in the fact that OS X's FreeBSD underpinnings are structurally more secure than Windows, and you're left with an undeniably superior platform in the seciruty arena. (Not perfect or invulnerable; just undeniably superior.)</p>

Posted by: silas 21 Apr 2005

<p>Just note one part of this vulnerability: "Users who have local access to affected systems can then gain superuser privileges." What this means is that to take advantage of this a user has to have PHYSICAL access to the computer. This seems to be a pretty limited vulnerability. A user with physical access could do all kinds of other bad things!</p> <p>rbb</p>

Posted by: rbb 21 Apr 2005

<p>I'm a major proponent and user of proactive security measures. However, as a user of both Mac OSX and Windows XP I have to ask....just how many Apple units in the wild were actually affected. If the answer is what I suspect, "none (or few) that we can verify", what is really your point?</p> <p>I consider this article to be rubbish, especially the title.</p>

Posted by: MT 21 Apr 2005

<p>When you say you are a Mac user, I know you mean that figuratively and in a wistful, wishful way. </p> <p>In "the lab" or in the theory and in the minds of a hacker pondering imponderables, a Mac virus is like serious astrophysics. It is possible but unproven yet.</p> <p>With 15 million Mac OSX users, we have ZERO real-world viruses, ZERO real-world spyware, and ZERO trojan horses either for OS. Yes, someday someone might write one that actually penetrates the multitude of defenses as anything is possible but like MS deciding to give away LOnghorn for free, it's not likely.</p> <p>So, while you should still look both ways when crossing abandoned railroad tracks, the possibility still exists - just very (to the power of 10) unlikely. That's what you get on the Mac side.</p> <p>Of course, it's hard to believe when you use a PC when you get 10 dire, critical warnings EVERY week that it's so nice in our neighborhood. When you get out of high school and make enough money to move out of your crack den neighborhood - you'll find that we don't live thinking every breath is out last.</p>

Posted by: jbelkin 21 Apr 2005