
Kaspersky Lab: Apple is '10 years behind Microsoft' on security - shawndumas
http://www.tuaw.com/2012/04/26/kaspersky-lab-apple-is-10-years-behind-microsoft-on-security/
======
pslam
I would be worried about Kaspersky's CEO if this wasn't just off-the-cuff
hyperbole. Was he around in the tech industry 10 years ago? Because if he was,
he would realize just how ridiculous it is to compare anything from today with
the state of Microsoft software in 2002.

For starters, people were still running Windows 95 (or worse). A fresh
install of Windows would be infected just by connecting it to the internet -
and within 15 minutes depending on where you were. All web browsers had
multiple vulnerabilities, and by far the worst was Internet Explorer.

Everyone ran everything as root/administrator.

Yes, today is just like Microsoft from 2002.

~~~
replax
As I used Windows in 2002, I was wondering why you consider IE the worst browser
at that time. Is there a reason for that? What were the better alternatives?

At that time, I found IE to be superior, actually.

Also, do you have more information on the infected-within-15min claim? I'd
like to know more about it...

~~~
r00fus
Phoenix/Firefox hit 0.2 in fall 2002 and was already faster and more usable
for me than IE.

------
nirvana
Microsoft has real security problems - rampant viruses and trojans, and a major
business on that platform is selling after market security products (probably
why Microsoft has never closed these holes.)

Apple killed the virus problem of the late 1980s dead, with only the most
robust viruses surviving in the early 1990s, but none since. Apple has had an
automatic updating program for at least 15 years, long before Microsoft,
including monthly (if needed) security updates patching holes as they are
found.

Microsoft makes a lot of money from the security holes in its own products, many
of which were put there deliberately as "marketing features" that later turned
out to be security vulnerabilities that apparently Microsoft finds it
unprofitable to close.

I've seen the source code for both Windows and OS X. Windows is very poorly
engineered in general, with a great deal of cruft (leading to inadvertent
security holes) while OS X is generally well engineered, benefits from being
open source and pulling from open source BSD and from being fostered by a
company that does not make any money from shipping security holes.

However, Apple's superior quality for the past 2 decades has resulted in a
great deal of growth in profits and prominence for Apple, and this means that
you can always get a lot of attention by claiming Apple has security holes. In
fact, people have been making these claims for the past 15 years, in articles
like this.

And yet there aren't massive botnets of Macs (the one trojan that got any
traction has been eliminated) while there are millions upon millions of
infected windows boxes out there to this day.

The idea that Microsoft is ahead of Apple on security is a joke to anyone who
knows their history or knows their engineering.

OK, you got me. This is obviously a troll, and I responded... and of course
the people commenting here seem to have no real knowledge of the matter, but
anyone not bashing Apple is getting down voted.

This is the kind of crap that makes "Hacker" news suck.

~~~
someone13
> Microsoft makes a lot of money from the security holes in its own products,
> many of which were put there deliberately as "marketing features" that later
> turned out to be security vulnerabilities that apparently Microsoft finds it
> unprofitable to close.

[citation needed], please. I'm not being snarky - in fact, if you have a
citation, I'd love to be able to use this in my discussions with others.

------
Jayasimhan
Read as "Apple is 10 years behind Microsoft in our revenue growth chart."

------
droithomme
As has been discussed here, FileVault decryption passwords are stored in
plaintext in RAM that is easily found by a scanner attached to the FireWire port.
Fixing this is not difficult, it's simply a matter of NOT storing encryption
passwords in plaintext in RAM, but in a register instead. This is just one of
countless numbers of critical vulnerabilities in the system that are known and
completely ignored as "works per spec" when reported. This is definitely by
design, for many government agencies use automated hacking devices that take
advantage of these vulnerabilities to gain access to machines, such as when
passing through customs, or when stopped by police. The vulnerabilities are
desired and doing what they are supposed to - providing a false sense of
security.

~~~
ceph_
Secure virtual memory has been an option since pre-Leopard. In Lion it's
enabled by default and they removed the menu option to disable it.

~~~
replax
As you said, secure VIRTUAL memory refers to swapped memory. Meaning it is
encrypted when it is written to disk. Seeing as the password is probably in
near constant use, it will never be written to disk and therefore stays
UNENCRYPTED in ram...

------
mrb
As someone who works in the IT security industry, I absolutely agree with this
statement. I could give dozens of examples showing Apple does not prioritize
security as much as, say, Microsoft.

For example, when an open source software project bundled with Mac OS X
releases a security update (LDAP, Apache, Java, etc.), it sometimes takes Apple
months to merely test it and ship it out.

OS X was also very late, compared to Windows, in implementing in-depth defense
mechanisms such as address space layout randomization, stack protection, etc.

And last August, it was discovered that LDAP auth on OS X blindly accepted any
password! Apple's code review and testing processes must be very immature to
let such a glaring vulnerability ship to customers:
<http://forums.macrumors.com/showthread.php?t=1197379>

But I think Apple is slowly and finally understanding the importance of
security in their software ecosystem...

~~~
taligent
What you wrote contradicts itself.

You criticise Apple for taking too long to test and ship out security updates.
And then criticise Apple for not testing enough.

Which is it?

~~~
steve918
These things aren't mutually exclusive. Apple takes too long to put out
security updates for the same reason they are not testing enough. They don't
dedicate a lot of resources to doing so.

------
shadesandcolour
To put it bluntly, Apple is 10 years behind Microsoft on security because up
until now they could afford to be. We had a few trojans and such but for the
most part, security updates weren't critical because people just weren't
messing with the system. The important part of all these Flashback outbreaks is
that Apple realizes that it's time to get going on security.

Apple doesn't ship the patches that Oracle or other third parties ship as
quickly because this is how they work. They want to make sure that everything
results in the best experience for the user.

"But wait!" you'll cry. "Getting a virus because of a slow update isn't the
best experience!" Well neither is shipping a patch that causes more issues
than it fixes.

Hopefully, the outcry of the users that they are getting viruses will up
Apple's security efforts. In the next version they've already signaled that
they think security is important because they're shipping Gatekeeper. I'd also
like to point out that many, not all, but many of the bugs that are being used
as exploits are in third party software (probably with the exception of Safari
which has some serious issues).

~~~
nirvana
The Mac had viruses in the late 1980s. I know they existed as early as 1987,
and as late as 1989, from first hand experience.

Do you think that the Mac was a major force in the 1980s, but has been safe in
obscurity since then?

Apple has been serious about security for 22 years, at least, and measurably
better than Microsoft for 18 years.

It is absolutely absurd to ignore that history and pretend that nobody was
interested in messing with the mac, when they were interested in messing with
it in the 1980s.

But what else can you do when you are an apologist for microsoft? Admit that
they make billions from their security holes?

~~~
el_presidente
Do you think that the horse carriage was a major force in the 1800s, but has
been safe in obscurity since then?

It is absolutely absurd to ignore that history and pretend that nobody was
interested in messing with the horse carriage, when they were interested in
messing with it in the 1800s.

------
mindstab
Some people seem to wonder how Apple could be 10 years behind.

How about this: let's look at application programming language. Apple uses
Objective-C, Microsoft increasingly uses C#. What does this one metric get us?

I believe it was Paul Graham himself who 10 years ago mentioned that to scale
a company you should have your top developers just develop the tools the rest
use. This was also around the time Microsoft was at the height of the buffer
overflow bugs.

Slowly they transitioned much of their code to the memory-managed language of
C# that their best developers made.

Their entire development process, developer allocation and development
language changed in part in order to meet security needs.

Meanwhile Apple still develops everything in non-memory-managed Objective-C.

That's just one example of how long Microsoft has been transitioning the
entire company to new more security focused practices.

The point is, to be really good at security, you have to be really focused on
it, at all levels, in an all encompassing way. Microsoft has been
transitioning to that for a long time and it's paid off. Apple hasn't even
started. And that kind of massive corporate change in companies this big
doesn't happen over night. And look how much public shaming it took to kick it
off for Microsoft. I think we can look forward to a new golden age of Mac
insecurity over the next few years before the process even kicks off.

And this is probably how Kaspersky Lab came to say that Apple is 10 years
behind Microsoft on security.
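
The bug class mindstab is pointing at, as an added example that is not part of
the thread and not Microsoft's or Apple's code: a C-style copy into a fixed-size
field that trusts the caller's length, beside the bounds-checked version that a
memory-safe language would force on you. The session record layout, the
"attacker" input and the flag value are constructed for the demo.

```c
/* Added example, not Microsoft's or Apple's code: the bug class mindstab is
 * referring to. A C-style copy into a fixed-size field trusts the caller's
 * length; a bounds-checked language refuses it. The record layout and inputs
 * are constructed for the demo. To keep the "vulnerable" path well-defined C,
 * the copy is confined to the enclosing struct: that is enough to show the
 * classic effect of the overrun clobbering the flag that follows the buffer. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct session {
    char     username[16];   /* fixed-size field */
    uint32_t is_admin;       /* lives right after it in memory */
};

/* Vulnerable: trusts len, so bytes 16..19 of src land in is_admin. (The single
 * guard only keeps the demo inside the struct; a real bug has no check at all.) */
int set_username_unchecked(struct session *s, const uint8_t *src, size_t len)
{
    if (len > sizeof *s)
        return -1;
    memcpy((unsigned char *)s, src, len);   /* same bytes a naive memcpy into username writes */
    return 0;
}

/* Hardened: reject anything that does not fit, NUL-terminate what does. */
int set_username_checked(struct session *s, const uint8_t *src, size_t len)
{
    if (len >= sizeof s->username)
        return -1;                           /* fail closed, never truncate silently */
    memcpy(s->username, src, len);
    s->username[len] = '\0';
    return 0;
}

/* Constructed attacker input: 16 bytes of name, then 4 bytes that overwrite
 * is_admin with 0x01010101 on either endianness. */
static const uint8_t ATTACK[20] = {
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    0x01,0x01,0x01,0x01
};

uint32_t run_unchecked(void)
{
    struct session s = { "guest", 0 };
    set_username_unchecked(&s, ATTACK, sizeof ATTACK);
    return s.is_admin;                       /* 0x01010101: privilege flag flipped */
}

uint32_t run_checked(void)
{
    struct session s = { "guest", 0 };
    set_username_checked(&s, ATTACK, sizeof ATTACK);   /* rejected, returns -1 */
    return s.is_admin;                       /* still 0 */
}

int main(void)
{
    printf("unchecked copy: is_admin = 0x%08x\n", run_unchecked());
    printf("checked copy:   is_admin = 0x%08x\n", run_checked());
    return 0;
}
```

The point of the pairing: the hardened version is what a bounds-checked runtime
does for every array access without the programmer having to remember it, which
is why a language switch, not just a code review, was the answer to this class.
Note that reference counting (ARC, mentioned in the replies) manages object
lifetimes and does nothing about out-of-bounds writes like this one.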

~~~
shadesandcolour
To be fair, Mac OS X is transitioning to Automatic Reference Counting in the
next version 10.8 and iOS has had ARC and Garbage Collection for a version or
two now. Apple does exactly what Paul Graham said in a different way. Their
top developers make the tools that everyone else uses. Just because they
haven't transitioned to a different memory management scheme doesn't mean they
aren't doing it.

We also might want to take a statement on the security of a platform by a
company that makes their money securing people's computers with a grain of
salt or two.

~~~
DrJokepu
This is nitpicking but OS X 10.7 already ships with full ARC (and it works on
10.6 too in a somewhat limited manner). However, garbage collection was never
enabled on iOS.

