Smokey Bear
veritas odium parit
Premium Member
join:2008-03-15
Annie's Pub
kudos:4

Massive Mac OS X Update Shatters Illusion of Security

Network World | November 11, 2010
quote:
Perhaps you've heard that the Apple Mac OS X operating system is simply more secure by design and not prone to the security flaws and vulnerabilities that plague the dominant Microsoft Windows operating system? Well, don't believe the hype. Apple unleashed an update for Mac OS X this week which fixes a massive 134 vulnerabilities.

To put that in perspective, Microsoft had a record breaking month with the October Patch Tuesday--when it fixed 49 vulnerabilities. October and November combined, Microsoft only fixed 60 flaws. To surpass 134 vulnerabilities, you have to combine six months' worth of Patch Tuesdays--from June through November. And, in fairness to Microsoft, Patch Tuesdays address a variety of applications such as Microsoft Office programs, SQL Server, Exchange Server, etc. that are outside of the Windows operating system itself.

Apple may release fewer total updates, and it may patch on a less frequent or regular basis, but when the dust settles it turns out that Apple is scrambling to fix just as many flaws--and sometimes more--than Microsoft has to address in the Windows operating system (and the rest of the combined software managed through Windows Update). And, every year Mac OS X is compromised in a matter of minutes by hackers competing in the Pwn2Own contest.

In fact, Charlie Miller, the winner of the Pwn2Own contest to hack the Mac for last three consecutive years, says that in spite of the massive number of flaws fixed by Apple with this update, there are still many vulnerabilities left open. Miller tweeted "Apple releases huge patch, still miss all my bugs. Makes you realize how many bugs are in their code (or they're very unlucky)."
»www.networkworld.com/new ··· ate.html
jram
join:2003-08-06
Albany, NY

Member

Perhaps you've heard that the Apple Mac OS X operating system is simply more secure by design and not prone to the security flaws and vulnerabilities that plague the dominant Microsoft Windows operating system

I don't remember that, what I do remember is Mac users saying they aren't prone to viruses and spyware.
BlitzenZeus
Burnt Out Cynic
Premium Member
join:2000-01-13
kudos:6

quote:
In fact, Charlie Miller, the winner of the Pwn2Own contest to hack the Mac for last three consecutive years, says that in spite of the massive number of flaws fixed by Apple with this update, there are still many vulnerabilities left open. Miller tweeted "Apple releases huge patch, still miss all my bugs. Makes you realize how many bugs are in their code (or they're very unlucky)."
quote:
Mac users are lulled into a false sense of security--a combination of the hype that the Mac is just secure by default, and the fact that Mac's are largely ignored by malware developers because the market isn't big enough to be worth the effort.

Mac OS X has been gaining market share, though, and may start creeping onto the malware radar. When that happens, malware developers will apparently have a vast array of vulnerabilities to exploit, and Mac OS X users could be in for a culture shock.
Taken from the same article.

Smokey Bear
veritas odium parit
Premium Member
join:2008-03-15
Annie's Pub
kudos:4

quote:
Mac users are lulled into a false sense of security--a combination of the hype that the Mac is just secure by default, and the fact that Mac's are largely ignored by malware developers because the market isn't big enough to be worth the effort.
Very true..
shrine
join:2009-08-28

Member

said by Smokey Bear:

quote:
Mac users are lulled into a false sense of security--a combination of the hype that the Mac is just secure by default, and the fact that Mac's are largely ignored by malware developers because the market isn't big enough to be worth the effort.
Very true..
Not true at all. Unix is secure by design (unlike the Windows kernel, which has taken more than a decade to reach some semblance of stability and security, but still suffers from a massive number of exploits).

These patches, also, do not indicate insecurity - they indicate that Apple is being proactive and is patching holes as they find them. It's faulty logic to equate patching with insecurity..

You always hear that "no one makes malware for such and such OS because it isn't popular," and yet most all good servers run Unix.

Smokey Bear
veritas odium parit
Premium Member
join:2008-03-15
Annie's Pub
kudos:4

quote:
These patches, also, do not indicate insecurity - they indicate that Apple is being proactive and is patching holes as they find them. It's faulty logic to equate patching with insecurity..
Fixing 134 vulnerabilities in a single update is worth mentioning in Guinness World Records; even Microsoft or anyone else will not be able to beat Apple.

Link Logger
MVM
join:2001-03-29
Calgary, AB
kudos:3
·TELUS

Link Logger to shrine

said by shrine:

Not true at all. Unix is secure by design (unlike the Windows kernel, which has taken more than a decade to reach some semblance of stability and security, but still suffers from a massive number of exploits).
Secure by design hasn't proven to be very secure at all, given that Charlie Miller has consistently and repeatedly proven over the years that he can pretty much whack a mac at will. Now Charlie Miller isn't your run of the mill script kiddie, but neither is he one of a kind, so the old rule of hacking should be assumed: if someone can do it, then likely someone else can do it too. Market share does matter; for example, why are there so many more software titles for Windows than OSX? Why have there been so many software titles for the iPhone, and why are there an increasing number for the Android? Market share matters hugely and hackers are no different.
said by shrine:

These patches, also, do not indicate insecurity - they indicate that Apple is being proactive and is patching holes as they find them. It's faulty logic to equate patching with insecurity..
But when Microsoft releases patches for half as many vuls the industry tended to point security fingers, Apple should expect some raised eyebrows as well. That said however I would agree that system patches for any OS are a fact of life and if an OS didn't release them, then I would be far more concerned about the security of that system.
said by shrine:

You always hear that "no one makes malware for such and such OS because it isn't popular," and yet most all good servers run Unix.
You mean like the recent Firefox browser malware spewed out by the Nobel Prize organization which runs *nix servers. Sites like ebay run Windows Servers, but really as good as the different OSs are, frankly I'm a believer the skills of the Admin are perhaps even more important than the OS used as I've seen total idiots configure even the most secure servers such that they can be own3d.

Blake

AppleIdiots
@verizon.net

AppleIdiots to Smokey Bear

Anon

but but but but, the Apple commercials said they were more secure! It just has to be waaaa waaa waaa waaa!

Apple advised their users to use an AV years ago, then later pulled the news article from their website, but tech sites still hold that information to be public.

Apple's osx is usually the first os to fall at any hacker convention, it's quite a joke really, and last time they got into windows it was via a third party software exploit, software that isn't shipped with windows.

I do believe Apple is purposely keeping their market share small as they know they will have droves of mad users when they realize they were lied to by the commercials that they were more secure than Windows. The facts are these days it's usually improbable you can remotely attack a system, you need to trick the user into doing something, or exploit some software, usually popular 3rd party software.

Khaine
join:2003-03-03
Australia

Khaine to Smokey Bear

Member

55 of those vulnerabilities are for Adobe Flash. You're comparing apples to oranges since Windows patches do not include third party programs.
jram
join:2003-08-06
Albany, NY

jram to AppleIdiots

Member

but but but but, the Apple commercials said they were more secure! It just has to be waaaa waaa waaa waaa!

I laugh at things like that. Let me ask one or maybe two things. Have you ever heard of a Mac user getting a virus or any spyware? Have you ever heard of a Windows user getting a virus or spyware? I know it's market share, I know if I was a hacker I wouldn't want to be the first to infect a Mac or make any money doing it, or be a God among my peers..

GILXA1226
MVM
join:2000-12-29
Dayton, OH

said by jram:

I laugh at things like that. Let me ask one or maybe two things. Have you ever heard of a Mac user getting a virus or any spyware? Have you ever heard of a Windows user getting a virus or spyware?
Yes on both accounts, and in all cases the systems were running up to date virus scanning software. Still doesn't keep a PhD from being a real dumbass when using a computer and clicking on every link they get in e-mail.

Doesn't matter how secure the computer software is by design as long as it's turned on and plugged into the internet.

Steve
I know your IP address
Consultant
join:2001-03-10
Foothill Ranch, CA
kudos:5

Steve to Khaine

said by Khaine:

55 of those vulnerabilities are for Adobe Flash. You're comparing apples to oranges since Windows patches do not include third party programs.
Windows has included patches for Flash in the past, though it's not common.

In any case, it's entirely, 100% unfair to tag Apple with fault for third-party vulns, though I can't think of anybody I'd rather have it rubbed in their faces more than Apple.
Steve

Steve to shrine

Consultant

said by shrine:

Not true at all. Unix is secure by design (unlike the Windows kernel, which has taken more than a decade to reach some semblance of stability and security, but still suffers from a massive number of exploits).
Here, let me fix this for you
I don't understand operating system architectures at all, but it doesn't stop me from bloviating about it in public
This claim is ridiculous.

Thaler
Premium Member
join:2004-02-02
Los Angeles, CA
kudos:3

Thaler to jram

said by jram:

I know it's market share, I know if I was a hacker I wouldn't want to be the first to infect a Mac or make any money doing it, or be a God among my peers..
I don't know about your employment, but when I work, I intend there to be money on the other side. Infecting a Mac might get you e-fame, but it sure as hell won't cough up the money like well established PC malware rackets.

Link Logger
MVM
join:2001-03-29
Calgary, AB
kudos:3

Fame is worthless and in the hacker world fame often involves a risk of a federal vacation, so in a sense Fame is less than worthless; it's dangerous, so there has to be more than 'fame' to make it worthwhile.

Blake

Khaine
join:2003-03-03
Australia

Khaine to Steve

Member

said by Steve:

In any case, it's entirely, 100% unfair to tag Apple with fault for third-party vulns, though I can't think of anybody I'd rather have it rubbed in their faces more than Apple.
Is that down to Apple itself or Apple fans?

Blackbird
Built for Speed
Premium Member
join:2005-01-14
Fort Wayne, IN
kudos:4

Blackbird to AppleIdiots

said by AppleIdiots:

... I do believe Apple is purposely keeping their market share small ...
You can't really be serious...?!

Smokey Bear
veritas odium parit
Premium Member
join:2008-03-15
Annie's Pub
kudos:4

Smokey Bear to Khaine

said by Khaine:

55 of those vulnerabilities are for Adobe Flash. You're comparing apples to oranges since Windows patches do not include third party programs.
Okay, let's make a new calculation: 134 minus 55 = 78. Still a record, so I am NOT comparing apples with oranges...

justin
..needs sleep
Mod
join:1999-05-28
2031
kudos:15
Billion BiPAC 7800N
Apple AirPort Extreme (2011)

justin to Smokey Bear

Rather than tossing around numbers as though they mean something by themselves, can we actually see what these 134 vulnerabilities are (minus the 50 whatever Flash plugin fixes)?

One thing that occurs to me is that OSX comes bundled with a lot of large (as in, full featured) and widely used Apple software: iPhoto, iTunes, various rich media tools like iDvd, iLife, and garage band etc etc.

If (just hypothetical) a windows patch update fixes mainly the operating system and Internet Explorer, but the OSX updates covers a raft of bundled apps as well, then the absolute comparison on total number of fixes doesn't say that much about whether OSX contains more or less security bugs than Vista.

Anyway Apple has a huge HUGE advantage here: they control the hardware so they can assure themselves much more quickly than microsoft that an update doesn't break some weird hardware/driver setup or other. That advantage pays dividends for customers beyond just the protection afforded to a 10% market share.

Begemotik
Premium Member
join:2004-12-16
Saint Marys, OH

Hey Smokey,

Stop trying to start fires in the Apple orchard. Is Windows 7 so boring that you have nothing to tweak to pass the time? Is your Linux box so error free that you spend hours wishing that Ubuntu wouldn't have changed their default desktop?

Sheesh, grab a roll of Charmin and relax.

Smokey Bear
veritas odium parit
Premium Member
join:2008-03-15
Annie's Pub
kudos:4

said by Begemotik:
Stop trying to start fires in the Apple orchard. Is Windows 7 so boring that you have nothing to tweak to pass the time? Is your Linux box so error free that you spend hours wishing that Ubuntu wouldn't have changed their default desktop?

I realise that it earnestly hurts Apple users when there is criticism or comment on their beloved toys, but they must live with the fact that no product is perfect, their Apple toys included. I realise also that they prefer to ignore all bad news regarding their toys, and like to limit such news to Windows and other OS's. But the world is cruel and therefore has no mercy for anyone, not even Apple.

Fwiw, I prefer a comment like justin wrote, it sticks to facts and produces a mature POV.
BlitzenZeus
Burnt Out Cynic
Premium Member
join:2000-01-13
kudos:6

BlitzenZeus to justin

I really don't want to take the thread off track, but your reference to Apple's other software. Microsoft also has some software included with their operating systems; they don't make the consumer buy 3rd party software from everyone for basic functionality, but if they were to release all of their full featured software for free they would be over their head in anti-trust suits from companies who write paid software for Microsoft Windows, they just can't win sometimes. So yes there might be the occasional update to media player, or media center software. Maybe even their mail client which in the latest operating system the user must download to install.

So I don't buy that it's just more spread out, Microsoft covers just as many types of applications, if not more.

If I were to respond to the hardware comment I'd really take this off track from security, and since the hardware is all basically the same with computers running Windows, or osx the operating system is the only difference, along with the prices given to the general public.

Parogadi
What? Stop Looking At Me Like That
Premium Member
join:2003-03-31
Racine, WI

Parogadi to BlitzenZeus

Key difference is that OS X is closer to Linux than you'd think, an update to the OS may be no different than replacing or patching a few dependency files in Ubuntu or Fedora.

We don't call patches to Xine, Evolution or OO.o holes in the Linux even if the hole patched is to a common library do we? No, we don't. Apple doesn't break everything down the same way the OSS community has had to do out of necessity, but that doesn't mean the same issues don't arise.

cork1958
Cork
Premium Member
join:2000-02-26

cork1958 to Smokey Bear

All I can say is whoa!!

Still, to this day, I have never even seen a Mac. I don't think there's a store around here that sells them.

Parogadi
What? Stop Looking At Me Like That
Premium Member
join:2003-03-31
Racine, WI

said by cork1958:

All I can say is whoa!!

Still, to this day, I have never even seen a Mac. I don't think there's a store around here that sells them.
I call bullshit on that one. There isn't a school around that isn't at least 50% Mac, every graphics company around has them, there's even a few repair shops that specialize in refurbishing them in my tiny little pos town. I know at least 10 that have Macs, even 2 I've helped build OSx86 boxes.

Khaine
join:2003-03-03
Australia

Khaine to justin

Member

said by justin:

Rather than tossing around numbers as though they mean something by themselves, can we actually see what these 134 vulnerabilities are (minus the 50 whatever Flash plugin fixes)?

One thing that occurs to me is that OSX comes bundled with a lot of large (as in, full featured) and widely used Apple software: iPhoto, iTunes, various rich media tools like iDvd, iLife, and garage band etc etc.
Here is the listing of the fixes: »support.apple.com/kb/HT4435
Many appear to affect 10.6.5 Server.

justin
..needs sleep
Mod
join:1999-05-28
2031
kudos:15
Billion BiPAC 7800N
Apple AirPort Extreme (2011)

Thanks for posting that.
When you actually look at the list, this topic collapses to hot air.

A vast number associated with Flash.

Vulnerabilities in the following open source software: apache, gzip, mysql, openLDAP, PHP (many), python, Neon, X11 (many) and I missed some more.

So to make it apples to apples (so to speak) and still insist on comparing the counts, you must ignore the open source server related stuff. At which point the actual list is very small. In fact, the tables are turned completely.

For instance, one vulnerability in Safari, a few in Quicktime, a few in the font renderer, a single one in the OSX kernel (local user can cause a system shutdown).

Thespis
I'm not an actor, but I play one on TV.
Premium Member
join:2004-08-03
Keller, TX

Thespis to Parogadi

said by Parogadi:

There isn't a school around that isn't at least 50% Mac
You probably haven't been in many schools lately. That was true in the late 80's/early 90's; but no more. The only departments around here that have Macs are Digital Media and Journalism. Teachers' classrooms and computer labs are PC. From personal experience, I would estimate that most schools are about 90% PC.

justin
..needs sleep
Mod
join:1999-05-28
2031
kudos:15

Universities have much higher macbook to windows laptop ratio than the ~8 or 9% OSX internet population.