March 05, 2006
Is Windows Vista's user security elevation better than Mac OS X's?
Will Windows Vista have an edge in user security elevation over the Mac OS X?
Both Windows Vista and Mac OS X strive to ensure that most users and actions run under accounts with limited permissions and rights (Microsoft calls this a Limited User Account, or LUA). Both OSs prompt the user, even if they are an administrator or root, for an additional logon and confirmation when the user (or a program running in their user context) attempts something that requires elevated privileges (e.g. installing a program, modifying the system kernel, etc.).
Mac OS X has had this since the beginning, and Microsoft's upcoming Windows Vista will be released with a similar mechanism. I've tried out both OS X and Vista, and to be honest I didn't see much difference. I was delighted to see Microsoft adopt a similar LUA strategy. While it won't stop all malware and hackers, it will stop some of the older malware outright and make it tougher for new malware to succeed. Most importantly, a LUA strategy will prevent most spyware and adware from being installed automatically against the user's wishes, and that's a good thing.
A friend of mine, Dana Epp, a fellow MVP in Security, had this to say:
The Vista model approach is far superior to Apple's sudo model if you ask me. And here is why...
When Apple OS X prompts for elevation and it has been accepted, the default configuration for the built-in sudo actually has a period of time in which you can run ANY privileged tasks repeatedly without having to provide your credentials again. It is possible to manually go into the OS and remove this grace period, but the very fact it allows ANYTHING to be executed with elevated privileges shows a weakness in the ability to control the per-process security context that Vista provides.
Windows re-prompts for elevated credentials for each and every process. More importantly, when Vista prompts the user for elevation of privilege, it's not actually doing it on the native desktop as you would be led to believe. (Which OSX's sudo does) It's actually a neat little trick. They take a screenshot of your working desktop, then flip to a secure desktop. Moving to the secure desktop eliminates attack vectors born from malware that may use API hooking, keystroke loggers etc. to capture credentials or force a security decision that the user doesn't want to make. Vista then paints your desktop on the background and then gives you the elevation prompt over top of that. It APPEARS as if you are on your desktop, when you are not. Nice trick.
In my opinion, that is much safer than OS X's sudo.
------------
[Note to anyone commenting back, I don't want this blog entry to dissolve into a "my OS is more secure than your OS" flame thread. I'm interested in thoughts on the user elevation schemes used by either OS.]
Posted by Roger Grimes on March 5, 2006 09:53 AM
COMMENTS
Unreleased Vista more secure than OS X. In other news, new car that doesn't exist will last for ever.
Posted by: Carlos at March 5, 2006 12:21 PM
Carlos, thanks for writing.
Of course not. Regardless of Microsoft telling us how incredibly secure Vista will be over past Windows versions, it will probably be hacked lots. I can't say for sure that it will be hacked as much or more (because they have done an excellent job with W2K3, IIS 6, and SQL), but odds are that it will be hacked plenty.
But that's not to say that OS X is any more secure, either. OS X has had over 66 vulnerabilities (http://secunia.com/product/96) in the last three years. Many of those vulnerability announcements covered multiple holes. Several announcements had over 10 holes, one had over 30 (http://secunia.com/advisories/16449) holes. So the real count is well over a hundred holes in 3 years. Is this the most secure OS you can brag about? Bring me OpenBSD (http://www.openbsd.org) anytime if you want to discuss a truly secure OS. The rest of the field is security mediocrity.
This sort of thinking is why I don't want this blog entry to degrade into a "my OS is more secure than your OS" thread.
Instead, let's talk on the merits, strengths and weaknesses, of both privilege elevation mechanisms.
Posted by: Roger A. Grimes at March 5, 2006 01:01 PM
Has InfoWorld ever posted anything positive regarding OSX?....no...? That's what I thought.
Posted by: Damien at March 5, 2006 01:32 PM
Unfortunately, I believe this topic misses the real point of OS security. It comes from the mindset of IT, rather than what reality will end up being.
In other words, the point on which OS from an end-user will be more secure once Vista ships is irrelevant.
What is relevant is which OS X is going to be attacked and hacked into more, causing more damage?
History shows us that hackers go after the mass market and perhaps just like to go after Microsoft, and thus Vista, no matter how secure, will cause more problems for the end-users, administrators, etc...
How much time, how much money, how much effort, and lack of efficiency will result in deploying Vista or OS X in environments that could be fitted with either? In the end, that's all that truly matters.
Damien, I appreciate you writing.
And in answer to your question: Yes. Matter of fact, the writing is 3:1 in favor of OS X. Here's some sample articles from just the first ten results returned from InfoWorld's own search engine:
http://www.infoworld.com/article/05/12/07/50OPcurve_1.html
http://www.infoworld.com/article/05/05/09/19PPpreview_1.html
http://www.infoworld.com/article/04/04/02/14OPconnection_1.html
http://www.infoworld.com/article/06/02/23/75815_09NNmacvirus_1.html
Posted by: Roger A. Grimes at March 5, 2006 01:56 PM
I think Carlos' point was that comparing Vista to OS X is not comparing oranges with oranges, because you don't know what OS X's security structure will be when Vista is released. Maybe Apple will release 10.5 and security will take a different form? Anyway, I don't think it's a matter of comparing oranges with oranges. The two different forms of security strategy are worth comparing in their own right.
Posted by: Anthony at March 5, 2006 03:07 PM
In other words, EACH and EVERY action I take as administrator will have to be logged on/confirmed INDIVIDUALLY??!! As an OSX home user who just last week created a non-administrative account, I already feel inconvenienced by the need to give my user name/password to install programs. There is such a thing as overkill: people will just give themselves fulltime administrator privileges if "protection" becomes too onerous.
BTW, how many Macs have been infected by the "100 holes" you estimate? To my knowledge, zero (no spyware, no malware...) A new car, indeed!
Posted by: Mark Mellander at March 5, 2006 06:31 PM
I have to concur with Mark, here. All this talk about OS X "holes" and yet none have been exploited anywhere near a scale on par with Windows exploits. That doesn't mean that it WON'T happen eventually, but an OS that hasn't had any malware/spyware outbreaks in 5 years of real world usage is pretty dang good. Once Vista has passed the crucible test of real world usage for about a year THEN maybe a discussion on whether or not it's more secure than OS X will make more sense. Until then, it's all theory.
Posted by: Phil Goode at March 5, 2006 07:21 PM
Spyware and malware doesn't specifically target Macs because professional criminals are after as much money as they can get per minute...and hacking 95% of the market makes you more money than hacking 5% of the market.
Does anyone think that the Mac OS, if its market share went to 90%, would not get exploited by malware?
When I started in this business (in 1987), Macs were the only PCs that had dozens of computer viruses and worms. DOS-based PCs were safer because they only had 2 viruses.
Then IBM-compatible computers became more popular than Macs, and guess where the malware went?
The Mac with only a 3-5% marketshare got over 100 vulnerabilities in three years. Will it get exploited more or less as it gets more popular?
The Mac attackers sound like the Firefox proponents that don't speak nearly as loud about their "more secure browser" once they ended up having more holes than IE. Now there are web sites and malware that specifically targets Firefox. They didn't arrive until the FF marketshare went above 5%.
Malware will exploit whatever is popular, and if history proves correct, whoever is the market leader will not do any better than the company they put out of business. You might argue with that statement, but I've yet to meet a POPULAR product that didn't get hacked lots.
Carlos and Anthony make the only salient point that can be made... It is absurd and disingenuous to compare OS X to an unreleased operating system that may or may not be out some time this year and may or may not have any and all features it is said to have. Anthony hit the point on the head... OS 10.5 may have far better security than 10.4, Vista, or the frelling NSA. Mark makes a valid point also... How many have fallen victim, Rog?
Oh yeah... We are not saying that Mac OS X is better than any shipping product. It's a simple fact that it IS better than Microsoft's currently shipping operating system. I guess that Rog will still attack me for helping to devolve this blog entry into a "my OS is more secure than your OS" thread...
sigh...
Posted by: Melangell at March 5, 2006 08:30 PM
"people will just give themselves fulltime administrator privileges if "protection" becomes too onerous."
Fortunately, even the built-in administrator account for Vista runs under limited user rights and the OS asks you for a password to elevate to admin rights even if you are logged in as an administrator. Therefore, making your account an Administrator account will be very much identical to using a limited user account.
Thankfully, Microsoft foresaw this and reworked how administrator accounts work.
It might be a slight inconvenience but it is for your own good. If you knew the repercussions of always running as admin, you wouldn't complain about having to key in your password when installing an application or changing a system setting.
On the topic at hand, I was not aware that OS X implemented user rights elevation in such a haphazard way. To my knowledge, in Windows 2000 and higher, when you grant a process higher rights by running it as an administrator (with the Run As command), the process is given a security token which it uses to tell the system what user credentials it is running under. It does not temporarily allow arbitrary execution of code at an elevated level. Only the process that was elevated can do so.
I'm glad Microsoft has taken this approach to security. I believe a good portion of the malware and viruses of today run rampant because Windows XP defaults to using administrative rights for all users. While a few will still linger around, I expect that the amount of successful viruses roaming around the web will decrease substantially if enough PC users switch to Vista.
Most people think Vista is XP with a new GUI. What they don't understand is that Vista is much more secure than XP and that alone is reason enough to upgrade. Unless, of course, you don't value the data stored in your computer, you don't mind paying unnecessary AV subscriptions, and you don't mind having to format your computer every six months to keep it in top shape due to installed malware that hogs up your system resources while compromising your privacy.
Tech-savvy XP users know that you don't need an AV or anti-spyware solution if you create a user account for yourself that has limited rights and use it for your day to day work, only logging in as Administrator when you need to change a setting or install a program. Unfortunately, the rest of the population is not aware of this and enforcing it is a good thing.
It is slightly inconvenient to have to lock the doors to my house every time I leave as opposed to running out and going about my business. But its pretty obvious what could happen if I leave my doors unlocked. Unfortunately, most PC users don't lock their PC doors. And to them, it's not obvious that you should lock it. And sometimes, they don't even know how even if they wanted to.
Posted by: Ariel at March 5, 2006 08:42 PM
There's one seemingly obvious point that the Security Through Obscurity argument misses: in the late 1990s with OS 9, when Mac market share was still paltry, there were several Mac OS exploits. Including one virus (I forget its name now) that brought a couple of advertising studios where I worked to their knees with crashing computers.
These attacks were minor news compared with everything that went on then and since then in the Windows world, but they should still make you think. We had a good number of successful Mac attacks back in those days. Antivirus software on OS 9 actually did something, and people felt compelled to use it. Now, several years into OS X, all we've had is a couple of social engineering threats and anemic proof-of-concept attacks. But not a single successful outbreak of anything.
Not that it can't or won't happen, but the evidence shows there's something more than small market share at work on the Mac side..
Posted by: paulr at March 5, 2006 08:46 PM
Counting vulnerabilities is completely pointless. What matters are the consequences of those vulnerabilities being actively exploited. For example, many of the OSX vulnerabilities require local user action to exploit, and are thus of no consequence to network security. If your computer is available physically to others, it's already vulnerable irrespective of OS.
Can the exploits be escalated beyond the user space? If not, then the worst that can happen is the 'user' creates the equivalent of a 'dirty protest' confined to that space. It's just more difficult to get exploits beyond the immediate user space in OSX. Not impossible, but more difficult and less likely than Windows XP for example.
So, unless the consequences of each vulnerability are taken into account, simple (as in uneducated and simplistic) number counts across different OS' are meaningless.
Footnote: To those using OSX and are displaying the attitude characterised as 'smug' by others, I'd get used to hardening up your machines anyway, as some very intelligent clown will eventually create a nasty exploit, and it's just good practice to be security minded.
Posted by: DeathByMilkfloat at March 6, 2006 12:46 AM
"...the default configuration for the built-in sudo actually has a period of time in which you can run ANY privileged tasks repeatedly without having to provide your credentials again..."
The 'sudo' command is a shell (i.e. command line) utility. It has a default time-out of 5 minutes before asking to re-enter the password. This default is very convenient, like logging into your online banking, which usually times out after 5 minutes and then asks you to authenticate again.
However, 'sudo' (command line utility) is not the method used by a process to obtain elevated privileges in Mac OS X. There is a dedicated security framework, i.e. API, obscurely named "Security.framework" for this. The main API function is AuthorizationExecuteWithPrivileges(). It requires the calling process to obtain "rights" first, e.g. by prompting the user, and then nominate a separate executable to be run with the obtained rights. That is, the calling process itself never gets elevated privileges at all, only the executed supporting "tool". I have used this framework. Clearly, your 'friend' Dana Epp doesn't know what they're talking about (MVP ahem..). Get your facts straight before trying to p*ss on Mac OS X by comparing it to a continuously delayed, over-hyped, unreleased product.
Authorization Services C Reference
http://developer.apple.com/documentation/Security/Reference/authorization_ref/index.html?http://developer.apple.com/documentation/Security/Reference/authorization_ref/Reference/reference.html
Cocoa > Security Interface Framework Reference
http://developer.apple.com/documentation/Security/Reference/SecurityObjectiveC/Classes/SFAuthorizationView_index.html?http://developer.apple.com/documentation/Security/Reference/SecurityObjectiveC/Classes/SFAuthorizationView.html
ps I've developed for DOS/Windows since 1990 and Mac OS since 1991, 80% Win32/C++, and in my opinion Windows really is garbage. Kiss me...I'm Irish
Posted by: John at March 6, 2006 08:51 AM
I'm curious as to why you didn't post a link to information on how to change the sudo setting in OSX? Here's a link in case you needed one.
http://www.macosxhints.com/article.php?story=20050519125822728
Many readers disagreed with Dana Epp's description of how the sudo feature behaves in OS X.
Dana Epp replies:
The Full disclosure list has quite a bit of discussion on this topic.
I do know this:
* In May of last year there was a MAC OSX 10.4 Dashboard Hijacking vulnerability which allowed dashboard widgets (GUI items) to watch for a sudo request, and then execute code in a root context. I know of one such widget that simply watched the /var/log/system.log file for the sudo, and would then begin its attack pattern once it saw a fingerprint signature of sudo executing. With the 5 minute grace period, the widget could wreck a lot of stuff in that time. In the field, it's being called "sudo piggybacking". (http://adbas.net/OSX_Vuln.txt)
* The entire MAC GUI looks and acts as one TTY. So everything except for individual console windows run under the same TTY. On top of that, OSX's default implementation of sudo does not bind credentials to the TTY.
Consequently, any user of sudo via the GUI will establish a viable ticket for ALL processes in the GUI, even with TTY tickets. This can be changed in the configuration using "Defaults tty_tickets" in the sudoers file, but very few people know this.
* This isn't really a weakness in OSX as much as it is in sudo. You can compromise any host using this attack vector. (aka Linux, BSD etc). Point is, Apple decided to use the standard implementation with weaker defaults. Microsoft on the other hand has completely re-engineered UAC in Vista by controlling the actual security context of the process.
This attack vector may be fixed in the current version. However, the fact remains that the precedent has already been set. It has been shown that an elevation with sudo opens up risk to ALL processes, whereas UAC in Vista is controlled by a per-process security context.
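The sudo behaviour that John's comment (the 5-minute time-out) and Dana Epp's reply (tty_tickets and the grace period) argue over comes down to two Defaults entries in sudoers. The following is an added example, not code from the post, from either commenter, or from the sudo project: a POSIX shell audit that reads a sudoers file and reports whether the cached credential is bound to the TTY (tty_tickets) or the grace period is disabled (timestamp_timeout=0), run here against two constructed sample files, one with the weak layout the thread describes and one hardened. Newer sudo releases enable tty_tickets by default, so on a current system the check mainly confirms that no local override has turned it back off.

```shell
#!/bin/sh
# Added example: audit a sudoers file for the two Defaults the thread turns on.
# Not code from the post, from Dana Epp, or from the sudo project; both sample
# files below are constructed for the demonstration.

# Constructed sudoers text with the weak defaults the thread describes:
# no tty_tickets, stock 5-minute timestamp_timeout left implicit.
weak_sample() {
    cat <<'EOF'
# constructed sample: 2006-era style defaults
Defaults    env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
EOF
}

# The same file with the cached credential bound to the TTY and the grace
# period removed, so a sudo from one GUI process cannot be reused by another.
hardened_sample() {
    cat <<'EOF'
# constructed sample: hardened
Defaults    env_reset
Defaults    tty_tickets, timestamp_timeout=0
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
EOF
}

# audit_sudoers reads sudoers text on stdin and returns 0 if tty_tickets is
# on or timestamp_timeout is 0, and 1 if neither applies (the weak default).
# Comments are stripped first; a '!tty_tickets' negation does not count as on
# because the regex requires whitespace or a comma before the option name.
audit_sudoers() {
    defaults=$(sed -e 's/#.*$//' | grep -E '^[[:space:]]*Defaults')
    tty_bound=1
    no_grace=1
    if printf '%s\n' "$defaults" | grep -Eq '(^|[[:space:],])tty_tickets([[:space:],]|$)'; then
        tty_bound=0
    fi
    if printf '%s\n' "$defaults" | grep -Eq 'timestamp_timeout[[:space:]]*=[[:space:]]*0([[:space:],]|$)'; then
        no_grace=0
    fi
    if [ "$tty_bound" -eq 0 ] || [ "$no_grace" -eq 0 ]; then
        return 0
    fi
    return 1
}

# Report on both constructed samples; on a real host pipe /etc/sudoers in instead.
for name in weak_sample hardened_sample; do
    if "$name" | audit_sudoers; then
        echo "$name: credential cache bound to TTY or disabled (ok)"
    else
        echo "$name: sudo ticket reusable by any process in the session (weak)"
    fi
done
```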
You would have thought I published Apple cartoons depicting the Prophet Jobs.
After my Mac OS sudo and iTunes postings from last night, I rec'd over 150 emails today, two thirds of it containing statements saying I was stupid or an idiot. Only five actually discussed the feature I inquired about. Most took my posting to say that OS X is less secure than Windows.
Many people just couldn't believe I dared to ask for phone support for multi-billion dollar web site. Oh, what was I thinking? Five readers...I'm not making this up, said millions of iPod users have downloaded songs and I'm the only one to have complained about the lack of real people support. Yeah, right.
No matter how emotionally raving the writers were, I welcome you all. Of course, half promised never to read my blog again.
I'd rather have a real discussion based on technical merits than all the emotional diatribes I received, but feel free to write what you want. We are all in this computer security battle together.
Although it got me to pondering, why does any criticism of a non-Windows product immediately result in an onslaught of outrage from the vendor's user base?
You would think that us Windows-zealots (apparently many of the readers think I work for Microsoft) spend our days happily crushing the civil rights of Linux, Mac, and iTune users. The minority just has to speak out violently, firmly, and emotionally...to defend their attacked beloved platform.
Is it not right to discuss the advantages and disadvantages of our prospective products and platforms out in the open? Can we learn more from each other than inside our own cliques? Is the only place that Linux, Mac, or Apple technology is to be discussed and debated in some love-in mail list?
As I've stated many times before, I run multiple OSs at home and for work. I like and dislike many things about each. I just don't think that Microsoft going away some day will magically make computer security all of a sudden much better. I don't spend my days thinking that "just if this or that happened..." computer security would be all better.
Real security is harder than that. It takes programmers learning secure coding with their first if-then statement. It takes customers demanding that products be more secure, and willing to let the product lifecycle slow down. It takes more educated consumers. It takes more holistic standards creation than one vendor can provide.
And those things will probably NEVER happen.
If you think that the Mac OS X is your panacea for security...and can't wait for it to take over the world...just wait for the world to take on the Mac OS X. Me, I'll keep my systems patched, my code reviewed, and my defense-in-depth systems locked and loaded...no matter what the OS.
Posted by: Roger A. Grimes at March 6, 2006 05:52 PM