Mac OS X: Debunking the ‘security through obscurity’ myth

"Most of the Windows platform's malware problems are caused by social engineering by the malware developers -- they are getting people to click on attachments and getting people to install dubious software like "better smileys" or a "dancing stripper on the desktop"" True--no OS is immune to trojan horses. The problem is, lots of bad software on Windows is spread with no obvious interaction on the user's part. The user clicks 'no thanks' on a popup window and it's off to the races--IE and ActiveX will install whatever the web page author has.

"Sure, BSD might have had 30 years of scrutiny, but look at Windows. People are writing stuff to target IE, Outlook, Messenger, etc. Safari, Mail.app, and iChat have had very little scrutiny. The OS and some of its files may be protected, but there is a LOT of stuff on top of that that isn't." But those apps don't have the GAPING security holes that MS software has. I'm not saying they're perfect and no flaws will be found, I'm sayinng they have no "features" that are fundamentatlly flawed. For example: Outlook viruses spread because older versions of Outlook Express would AUTOMATICALLY do what an incoming message told them. The combination of IE, ActiveX, and badly set default security "zones" will AUTOMATICALLY do what malicious web pages tell them to. In the past, those options were *on by default* on UNDREDS OF MILLIONS of units shipped. Bad, bad, bad. Microsoft made the assumption that networks would be friendly, and have been patching holes ever since. Unix (and, smartly, Apple) assume that the network is hostile. It's the difference between having a firewall with all ports open, and closing them as exploits become known (RPC, MS-SQL, etc.) versus having a firewall with all ports closed and only opening the ones you need (if any.) That's the fundamental difference. "Marko, as a new (well, returned) Mac user I was/am troubled by all the prompting for my admin password. It seems, like you say, that every installer needs admin access for some reason." OS X is simple: if you don't have admin rights, you can't write to the root level of the hard drive or the /Applications folder. (Try it: log in as a non-admin user and try to drag a file right onto your HD, or into the Applications folder. It won't let you, unless you authenticate.) Since most apps install into /Applications, their installers need permission to write files there. That's all.

> Most Mac users won't spend a second thinking > about whether they should give out their admin > password on a dialog that asks -- every other > Mac software installer asks, too. Marko, as a new (well, returned) Mac user I was/am troubled by all the prompting for my admin password. It seems, like you say, that every installer needs admin access for some reason. I'm not sure if this is just the nature or a flaw?) of OSX, because I'm not familiar yet with the underlying file structure and where apps put files, but it does bother me. Any app could easily create an identical-looking dialog that merely grabs my password and sends it along. The lack of application-level firewalls for OSX (or are there any?) makes it even easier for an app to silently phone home. Like the other posters said, the main problem these days is application-level attacks, not OS-level attacks. And while BSD itself might be secure, I doubt anyone is deluded enough to think that Mail.app or Safari have been pounded for flaws quite so thoroughly. When/if OSX becomes the platform of choice for dumb user-triggered attacks, it's going to be just as big an epidemic as it was in Windows. Hopefully Apple will be faster to respond with protection mechanisms than Microsoft was. It will be much easier for them to do so, since MS had the disadvantage of being the first target of this new type of attack.

Most of the Windows platform's malware problems are caused by social engineering by the malware developers -- they are getting people to click on attachments and getting people to install dubious software like "better smileys" or a "dancing stripper on the desktop". The Mac doesn't have any protection mechanisms against these attacks that Windows doesn't have as well. Most Mac users won't spend a second thinking about whether they should give out their admin password on a dialog that asks -- every other Mac software installer asks, too. And once the software has the admin privileges the user willingly gave away, the "BSD foundation" or UNIX plumbing or "true multiuser OS" doesn't help a thing.

I have to chime in here : Although the world at large may think that OS X is immune to viri, they are mistaken. In fact there are quite a few viri going around on OS X (and OS 9 even) thanks to Microsoft. They wrote what I like to call the first cross-platform virus engine. I am talking about non-other than the VBasic engine with which psuedo hackers write macro viri with. Beacuse of VBasic you can now have a virus attack your macintosh. Thanks M$! However, if you use Firefox, Pages, and other work-alikes while staying away from MS products you will be fine on that front. That is all nice and well, but there is another segment of your computers security to be concerned about. More than just viri. Exploitation. Someone can buffer-overflow any TCP/IP enabled service to gain control of your macintosh. Apache, flaws. Postfix, flaws. AFP/MBD, flaws. Anytime a package is released, I can bet you good money there are just as many flaws introduced as patched. Apple does a good job of keeping up with patch releases. But you are only as safe as the latest apple supplied update. All of this only comes into consideration if your machine is somehow exposed to unscrupulous, havok-causers. If you are on a residential netowrk with a firewall (such as a residential router) and adequate WiFi protection then you will be safe from that sort of attack. The last but not least security concern is hijacking, and spyware. While not as prolific as on the win32 platform I suspect people are still out there embedding nasty scripts in pages that will suck up your cookie data and grab info from your browsers history and password cache. As of yet there are no spyware removal tools for the mac (ala spybot s&d). Probably because that sort of problem is... well... not a problem yet. ;)

Sure, BSD might have had 30 years of scrutiny, but look at Windows. People are writing stuff to target IE, Outlook, Messenger, etc. Safari, Mail.app, and iChat have had very little scrutiny. The OS and some of its files may be protected, but there is a LOT of stuff on top of that that isn't. (iTunes libraries, user documents, Address Book app, etc.) So no, I don't think running BSD automatically makes your computer secure. Your OS? MAYBE. But not your entire computer.