
OS X – Safe, yet horribly insecure - vijaydev
http://allthatiswrong.wordpress.com/2011/06/23/os-x-%E2%80%93-safe-yet-horribly-insecure/
======
comex
Although it's not officially documented, Snow Leopard's sandbox is already
quite capable and easier to use than the norm; it's nonsensical to list
"sandboxing" and "mandatory access controls" as wins for other operating
systems. Lion will make it mandatory for all App Store apps and add features
like a secure open dialog (where the OS handles the open dialog and gives the
app access to only user-selected files) and an easy-to-use privilege
separation API (to make it easier to take advantage of the sandbox); the
result is much more advanced than anything mainstream in Windows or Linux.
Lion will also get rid of previous limitations on DEP and ASLR; in particular,
it randomizes dyld.

The article also seriously underestimates the benefit of the centralized App
Store model (which has an equivalent in Linux, but not Windows); despite all
the horrible rejections and review issues, if it becomes the usual way to
obtain Mac applications, it will greatly reduce the chance that users will
come into contact with malware.

~~~
ralfd
I want an optional feature which only allows the OS to execute MacAppStore
programs.

This would be "grandparent proof" and would prevent trivial kinds of social
engineering used by MacDefender (which targeted clueless users).

~~~
meemo
If they did this (even as just an option), then there'd be an uproar about how
they're incrementally making OS X a completely closed system (a walled
garden).

~~~
bonaldi
They've already done it. It's an option under parental controls.

~~~
pnathan
Confirmed. I just checked in Snow Leopard. I would totally do this for
clueless people, too.

------
api
"The Unix Design is significantly less granular than Windows..."

That's why it's more secure. Complexity means you don't know what's going on.
Complexity means you will forget something. Complexity means there's more
likely to be a way to squeeze through, more likely to be a bug, more likely to
be a little thing that is forgotten.

This is also a problem with complex cryptographic APIs, overly complicated
things like PKCS11 and X.509, etc. It's curious that security-related systems
are among the most complex, since complexity is inherently bad for security.

I call it a lack of "situational awareness."

~~~
jbjohns
I'm sorry but this is a horrible argument. Granular security is critical to
having a system that can actually be locked down. Which is why SELinux support
is built into the kernel now.

~~~
danudey
And from my experience, most admins turn it off immediately rather than
rewriting security policies so that Apache can access data outside of
/var/www/, etc. Sure you could modify the policy, but it's enough of a hassle
that no one I know has ever done it.

Restrictive security that just gets in people's way is terrible security. Just
like forcing people to change their password every 14 days results in people
using the same password repeatedly and incrementing a digit on the end (or
writing the password down and sticking it on their monitor), creating overly
complex rules means that people who absolutely must deal with these things (or
who have the time) do so, and everyone else just turns it off and forgets it
ever existed.

~~~
__david__
I'm glad I'm not the only one that hates SELinux. I find its setup to be super
complicated yet all it ends up doing is stuff that I can do anyway with native
unix permissions. As best I can tell it's a completely parallel world that is
just there in case you mess up your normal permissions.

~~~
jbjohns
You admit that you don't understand SELinux so could it be that you hate it
because you don't understand it?

The fact is there are a _lot_ of things that SELinux makes easier. In SELinux
you have your services run in contexts and you can say what they can do (e.g.
can listen on port 80 but not make outgoing connections, etc.). You no longer
have this ridiculous need to run as one user (root) and switch to another.

Unix security is so simple that, for my tastes, it's actually _more complex_
to set up securely than SELinux. If you use a distro that supports it SELinux
is drop dead simple anyway.

------
zdw
_They often share vulnerabilities with core libraries in other UNIX like
systems with samba and java being two examples._

Good thing that Lion jettisons both (Samba for going GPLv3, and Java is a
non-core download)

_The firewall functionality in OS X is impressive, but hardly utilized. The
underlying technology is ipfw_

Also changed in Lion, which now uses OpenBSD's pf. Apple doesn't make much
more use of it though.

_It has been a shame to see the sandboxing functionality introduced in
Leopard not being utilized to anywhere near its full capacity._

That's changed as well in Lion, as any Mac App Store developer can tell you.

~~~
gonzo
OpenBSD's pf? I highly doubt that Jordan Hubbard took the OpenBSD tree's
variant. More likely it came directly from FreeBSD.

(Yes, I know that 'pf' started on OpenBSD.)

~~~
there
What has FreeBSD contributed to pf?

~~~
gonzo
Don't get me started on the lamefest that is OpenBSD.

------
andos
Just as a curiosity: yesterday I watched a talk by Thomas Ptacek at some indie
Mac dev conference where he showed, _en passant_, how some kludges used by
Apple produced vulnerabilities in Mac OS X. It’s old, fixed stuff by now, but
I was like “WTF?” all the same. Because it’s very stupid stuff from Apple.

Here’s the talk, slides (check slide 11), and related blog post:

<http://www.viddler.com/explore/rentzsch/videos/31/>

[http://www.slideshare.net/tqbf/c42-software-security-present...](http://www.slideshare.net/tqbf/c42-software-security-presentation)

[http://chargen.matasano.com/chargen/2009/9/24/indie-software...](http://chargen.matasano.com/chargen/2009/9/24/indie-software-security-a-12-step-program.html)

------
5teev
> A lot of OS X users seem to have this idea that Apple hired only the best of
> the best when it came to programmers while Microsoft hired the cheapest and
> barely adequately skilled...

Is this really a commonly held belief? I've never encountered anyone
expressing this opinion.

~~~
olliesaunders
It’s possible some people might believe that, perhaps not HN readers. But the
quality of the management plays a very important role in the quality of the
end result: Apple has Jobs and Microsoft has Ballmer. So Microsoft is at a
disadvantage human-resource-wise.

~~~
vogonj
As an engineer (though admittedly one at Microsoft), Steve Jobs seems like
he'd be a /horrible/ boss. All appearances suggest that he doesn't care about
good engineering, but rather that he cares about good user experience, damn
the torpedoes.

~~~
tres
This statement reveals so much about what's wrong with Microsoft...

Good engineering is good user experience.

~~~
cageface
So many of Google's products prove the contrary.

~~~
dclowd9901
I surmise that you're misinterpreting the statement.

------
skybrian
The author may have some good points, but this essay is so poorly organized
that it's hard to tell what they are or put them into proper perspective. It's
mostly a good argument for teaching essay-writing in school.

~~~
gonzo
The piece is badly out of date when Lion ships next month.

~~~
blub
The piece _will_ be out of date, today it is accurate and interesting. Many
security specialists have been saying the same thing.

------
X-Istence
> _The Unix Design is significantly less granular than that of Windows, not
> even having a basic ACL. The UNIX design came from a time when security was
> less of an issue and not taken as seriously as it did, and so does the job
> adequately. Windows NT (and later OSes) were actually designed with security
> in mind and this shows._

This comparison doesn't even make sense, comparing a decades old UNIX design
to a comparatively newly designed OS (Windows NT). POSIX permissions have
stood the test of time for a long time and by far were much better than what
was available in Windows for the longest time. Of course Windows NT has
improved on what was available at the time.

That being said, Mac OS X since 10.4 has had ACLs, so that argument goes right
out of the window. ACLs are enabled by default and they function as designed.

    # create a file only the owner can read/write/execute
    touch testing
    chmod 700 testing
    # add an ACL entry granting otheruser the right to delete it
    chmod +a "otheruser allow delete" testing

    # switch user without changing directory, then inspect and delete
    su otheruser
    ls -lahe testing
    rm testing


> _They often share vulnerabilities with core libraries in other UNIX like
> systems with samba and java being two examples._

That is because they use that exact open source software. This is a simple no
shit, Sherlock kind of deal. Luckily those are going away and won't be in Lion.
Java will be an extra download, like Adobe Flash, and Samba won't be included
by default because of the GPLv3.

Apple's policy regarding third-party software vulnerabilities could definitely
be improved, and they already have, but it could still be better. Ultimately
many of the third party tools they ship are never used by consumers and even
though they may be exploitable they aren't accessible to an attacker (looking
at you PHP ...)

> _They are extremely difficult to deal with when trying to report a
> vulnerability, seemingly not having qualified people to accept such reports.
> Even if they do manage to accept a report and acknowledge the importance of
> an issue they can take anywhere from months to a year to actually fix it
> properly._

This has been fixed recently, they have a new head of security [1] and have
increasingly shown that they are getting faster at closing bugs and bringing
out updates to fix issues. Look at the Pwn2Own contest iPhone bug, Apple was
notified and an update was made available that fixed only that one flaw.

Do I think they are doing the best job? No, MSFT has them beat by a mile
with their security response team (really impressive), however the above
sentence makes it sound like this is still the case, which is no longer true.

--

It is a pretty good article in that it shows that there are certain issues
that Apple could definitely improve upon, but completely ignoring any
development to OS X for the past couple of years doesn't look good at all
especially when the flaws you are attempting to point out have already been
fixed.

[1] [http://threatpost.com/en_us/blogs/apple-hires-new-security-c...](http://threatpost.com/en_us/blogs/apple-hires-new-security-chief-012411)

~~~
rlpb
Whether ACLs are present or not makes little difference. When a user is logged
in, he either has access to do something or he doesn't. Only one line of that
ACL really matters, and that's the same on a system with permission control
but no ACLs (such as traditional Unix).

If the user is able to escalate his privileges (whether with UAC or sudo, the
OS doesn't matter) in order to install malware then he loses.

~~~
tobylane
The recent malware entirely (as I understood) depended on the user putting
their password into an OS prompt for permissions for the bad program. How can
the OS make the line between that and something safe like Growl or VirtualBox?

~~~
LaGrange
Stating the obvious: App Store only software installs, and other DRM
solutions. And yes, that has a price that people may or may not be willing to
pay.

It's somewhat scary, but I'm starting to think that we will be forced to adopt
something like that. Computers are used for serious stuff too (payments,
medicine, things like that), and, apparently, way too many people can't be
trusted to administer their computers securely. Right now people are mostly
damaging their own lives, but if this starts happening to medical records, it's
going to go beyond personal security.

It's too bad, really. Even if "developer programs" were free -- i.e., just
required asking the corp for a developer key (this could be enforced on state
level), it would be more of a hassle than it should be.

~~~
tobylane
So let's see an option in 10.8, aka Ocelot, where there is a fairly hidden
button called Allow non-App Store app installs, with a readable (unlike the
iTunes EULA), in Security.

------
crag
First, the author is right. Except his article is a boring read; repeating
himself over and over and over and over again.

Yeah, I get that OSX is not secure. Now move on and tell me why.

In short, I wish the author would not write like a lawyer (unless of course he
IS a lawyer).

------
quinndupont
So, let's review the _actual_ exploits listed here (since, the author says, it
isn't just FUD): ASLR & MacDefender... Hmm... hardly a damning criticism.

~~~
scottw
Agreed; follow the link the author offers near the top of the article to
Secunia. Of a few common OSes I looked at (Red Hat Enterprise 5, Windows XP
Pro, Windows 7, OS X), OS X had the fewest advisories for 2009, 2010, and
2011; most vulnerabilities seemed to be of a more benign nature than other
OSes.

Perfect? Probably not, but it's _still_ the OS I'm going to recommend to my
mom.

~~~
vogonj
Apple has fewer advisories because it's their standard operating procedure to
sit on security bugs for several months and then patch them all at once, even
if their contemporaries are patching them as they appear.

If you look at the numbers for OS X as opposed to Windows XP, OS X has 1,544
vulnerabilities in 153 advisories (~10.1 vulns/advisory) and Windows has 472
vulnerabilities in 358 advisories (~1.31 vulns/advisory).

Unless you have a good reason to believe that bugs in Windows are nearly eight
times "more unique" than bugs in OS X, please don't compare advisories.

------
speleding
Apple did one thing very well: they ask for a password when doing something
potentially harmful, but made sure that the password popup is rare enough that
you won't be trained to blindly fill it in.

That one thing has more security value than any of the advanced security
techniques listed in the article like "stack canaries" and "fine grained ACL".

It's too bad there are so many security consultants that focus on the
technology instead of user behaviour. If they would just look at the
statistics they'd see that >90% of security issues are not technology issues,
they are behavioural issues.

Sure, it would be nice to have a few of those advanced security techniques in
OS X if they don't cause too much usability or performance issues, but it will
have very little effect on security as a whole.

~~~
comex
However, you only need the password if you want to be root, and most of the
stuff malware wants to do (including keylogging, which the article mentions;
requiring root to intercept keyboards is only moderately useful if the regular
user can gdb -p whatever app has the password field) does not require being
root.

~~~
X-Istence
If you want to attach a debugger to a program in OS X you are required to be
in a developer group, and it will ask you for a password.

See: <http://i.imgur.com/l6Ntz.png>

~~~
comex
Oh, is this new in Lion or something? I've never seen that prompt before. (But
in any case, there are other options such as clever use of
DYLD_INSERT_LIBRARIES.)

~~~
dpkendal
I think it's new in Xcode 4.

~~~
paxswill
Pretty sure before then, I had this problem in Xcode 3 under Snow Leopard.

------
fourspace
11px font with 19px line height? Uf, not for my tired eyes.

Fixed with this CSS snippet: p { font: 16px "Lucida Sans Unicode", "Trebuchet
MS", Verdana, monospace; }

~~~
beaumartinez
My go-to bookmarklet for poor article design: Readable (not Readability).
Someone posted it as a Show HN a few months ago and I haven't looked back
since; it's incredibly fast and very customisable.

<http://readable.tastefulwords.com/>

~~~
ralfd
Or the "Reader" functionality in Safari, or just enlarge the text with ⌘+,
which every browser can.

------
bborud
I read until the author expressed a preference for granular ACLs rather than a
less complex security model.

Security starts with an aversion towards complexity. No point in reading the
rest of the article.

------
mahrain
I don't see why this is discussed so much; afaik this article just says
"Windows is more secure than OSX", mentions Mac Defender and goes on about OSX
market share... The same story Mac users have heard for the last 10 years.
Nothing new here, moving on, and remembering the days of Melissa, Kournikova,
Sober, MyDoom etc...

------
davidu
This is actually just the tip of the iceberg for OS X vulnerabilities.

On the enterprise side, it's much much worse. AFP is heinous. Their kerberos
implementations are painful.

They actually have checkboxes in OS X server config screens that say: "Prevent
man in the middle attacks? Yes or No?"

~~~
X-Istence
I don't know any enterprise installations of Mac OS X Server that use AFP.

As for Kerberos, that is painful on any platform. At the moment at work I am
trying to figure out why Mac OS X takes 10 minutes to connect to a Windows
Server 2003 based file share; all I see with Wireshark is a bunch of Kerberos
stuff being thrown around, whereas Windows clients connect without issues, but
without ever attempting to use Kerberos.

~~~
vogonj
your Windows clients are probably using NTLM (or NTLMv2), Microsoft's old,
terrible auth protocol that the Windows team eventually abandoned for
Kerberos. there are policy settings you can change to force Kerberos; I'd
suggest Googling to see if you can find them, and see if it breaks your
Windows clients as bad as your OS X clients seem to be.

~~~
X-Istence
I had not thought about that, would OS X fall back to using that in case
Kerberos doesn't function? Thanks for the suggestion!

~~~
w1nk
You should also check the clocks on all the machines involved. Kerberos is
quite finicky when the time between machines starts drifting.

------
epistasis
> Personally for me, malware is a minor threat with the impact being negligible
> as long as you follow basic security practices and can recognize when
> something looks out of place.

Likewise, with proper security knowledge, the holes that Apple leaves
unpatched for months are "minor threats." For example, disabling Java in the
web browser when there's a known vulnerability. It's an inconvenience, but so
is having to always be on the lookout for things that are out of place.

Apple is not fantastic on security, but they are good enough for the current
threat level, as long as you take basic security precautions.

~~~
vogonj
with apologies to ESR: "with sharp enough eyes, all bugs are visible."

"the impact [is] negligible as long as you follow basic security practices and
can recognize when something looks out of place" is a worthless statement,
because the majority of users have repeatedly proven to be unable to do that
(hence MacDefender, hence the largest families of malware on Windows being
fake AV.)

it also makes it too easy to hand-wave away security threats. you got a trojan
on your MacBook? you obviously weren't following basic security practices.

------
berkes
It is a pity the author does not include at least one Linux distro. Especially
for the mentioned "targeted attacks", servers are the most likely targets.

And in the server market, OS X is hardly around, and the share of various
Linux servers is growing larger than Windows', even.

------
yalogin
The whole article seems overly emotional and not objective at all. The only
thing I agree with is that ASLR and DEP are not implemented as well as they
could be (though I have not looked at it myself).

------
gnubardt
Found this to be salient; there's a lot of malice to be done in plain sight of
an ignorant user: Root access is only needed if you want to modify the system
in some way so as to avoid detection. Doing so is by no means necessary
however, and a lot of malware is more than happy to operate as a standard
user, never once raising an elevation prompt and silently infecting or copying
files or sending out data or doing processing, or whatever malicious thing it
may do.

------
molecularbutter
Does anyone have a version of this article with an even smaller font size?
Maybe something that requires a microscope to read? Size 8 font isn't blinding
enough.

------
16s
One point I would add is that by default, Macs have Perl, Python and Ruby (I
think). So it's easy to script malware or write portable tools. I'm not
suggesting that these languages are insecure or should not be installed, only
that a malware designer can pretty much count on having them available to use.
This may make Mac/Linux cross-platform malware easier as well.

~~~
X-Istence
Those applications aren't launched or available from the outside. If the user
runs/double clicks on something it is already game over. Social engineering
attacks are never going away so long as humans are humans and want to see Anna
Kournikova naked.

------
adsr
Is it only me who finds it funny that the name is allthatiswrong given how many
factual errors there are in there. :) Can't quite make up my mind if the author
is trolling or if he has just failed to read up on the topic he tries to
school us in.

------
ravivyas
All things said and done, one of the biggest flaws will be both Unix and Mac
giving a user the sense that both are secure and nothing can go wrong. That is
the same reason Mac Defender worked.

------
rryan
I was struck by the part about the OSX ASLR implementation. I can't believe
they only randomize library loads :-/.

~~~
getsat
It is weird, but ASLR and DEP are regularly bypassed, anyways.

------
ricardobeat
The blog post won't open on an iPad...

~~~
getsat
You need cookies enabled to get past their interstitial ad.

------
lulz1234
Personal opinion about security is all well and good, but it won't make you
any more or less secure.

Either way, for what it's worth, OS X really provides nothing impressive on the
security front.

------
fedorabbit
I wouldn't go so far as to say Mac is more secure than Linux; both are Unix-based.
As for my user experience, Mac OS X is by far the best.

