What did I learn from the MOAB? Not much
I’m not a developer. I’m not a coder. I’m not a Mac evangelist. I have recommended people buy Macs and have recommended that others buy Windows. I use Macs (and have for almost 2 years) but am also comfortable enough with Windows to run it without the need for anti-spyware and anti-virus software and not have to worry. I’m also familiar enough to know that while some criticisms of Windows are outdated (BSOD is not nearly as common as it used to be), many more difficult ones to describe are not (i.e. the overall experience of getting things done feels much easier on a Mac, including things like watching a DVD, which, in Windows XP, required extra software).
I do not have any Apple stock. I have no vested interest in the company. I am not Artie MacStrawman. I’m just a user.
I read with interest about the alleged WiFi security issue which exists, in some form, maybe, possibly. I was fully willing to believe there was such a flaw. Had there been such a flaw it might have been an important event in the life of Mac users.
Instead we got posturing. Apple’s comments on the matter seemed fairly straightforward, whereas the comments from the accusing side seemed slippery at best, and finally went up in a cloud of smoke.
Out of those ashes arose the Month of Apple Bugs. But it came with a bitter taste in its mouth.
Let’s keep out of personal attacks, they don’t bring anything interesting to the playground, and after all, there are plenty of ways to poke fun out of someone without resorting to dirty tricks.
But it was personal. You could see the chip on their shoulders from space using a Pringles can for a telescope. The whole thing reminded me of Jack Nicholson’s character in A Few Good Men trying to attack Tom Cruise’s character and yelling “I’m gonna rip out your eyes and piss in your skull” or something to that effect (the last time I saw it was on the USA network which had dubbed in “rip off your head and puke in your neck”). There is rage there, and I suspect most people are well aware of it.
Various Mac programmers have been interviewed and most said the same thing: “We all want a more secure OS X, but this isn’t the way we’d go about doing it.” Clearly the MOAB folks knew this was coming and their answer was:
[Q:] Are the issues being reported to the vendor before public disclosure?
[A:] Rarely, the point is releasing them without vendor notification.
I still don’t get what this means: “the point is releasing them without vendor notification.” The point, it seems clear to me, is “OS X isn’t as safe as you think it is and here’s a month worth of examples.” That point, at its most legitimate, could have been made, in January 2007, having informed all of the vendors one month earlier.
Although, sometimes we may decide to pass an issue through the appropriate people.
Read: “We have the power here, and we’ll use it as we see fit.” One might ask who benefits the most from this policy: OS X users, or the MOAB folks. Are they doing this for the betterment of OS X society, or for notoriety?
The problem with so-called ‘responsible disclosure’ is that for some people, it means keeping others on hold for insane amounts of time, even when the fix should be trivial.
“Some people”? Who cares about “some people”? Even I, with a minor amount of knowledge in this area, am aware that security holes are routinely reported with a note to the effect of “I plan to make this public on (insert date here).” They could have done that. They chose not to. Who benefits from this policy?
And the reward (automated responses and euphemism-heavy advisories) doesn’t pay off in the end. ‘Responsible disclosure’ exists when the vendor doesn’t deploy any harmful tactics against the source of the vulnerability reports, and requires confidence by all parties involved. At the moment, we don’t trust Apple on these matters due to the track of incidents and unpleasant situations surrounding their policy on product vulnerability handling.
This is an allusion to the argument that Apple strong-armed the people involved in the supposed WiFi hack into not disclosing it. There is no proof that Apple really did this, just allegation. So far these are unsubstantiated claims against Apple which has routinely demonstrated a willingness to attribute discovery of security problems. If Apple deviated from that pattern, one might ask “Why”? Is there some major conspiracy in place to protect Apple against the disclosure of a WiFi vulnerability? Or is the truth more mundane, like the company agreeing to give up its claims in exchange for Apple using them as security consultants?
No one knows. The MOAB folks don’t know. Oh, and it’s important to note that Apple was by far not the only vendor whose software came up in the MOAB.
In fact, the MOAB is really quite a misnomer. Many of these are not Apple bugs, per se, they are bugs in software which you can use on OS X, the operating system made by Apple. OS X != Apple.
I would be curious to know if the MOAB folks contacted the folks connected at VLC (day 2) or Adobe (day 6) or OmniGroup (day 7) or Unsanity (day 8) or Colloquy (day 16) or Rumpus (day 18) or Panic (day 19) or Telestream (day 27). After all, if they were just concerned with Apple, they could have contacted the other developers, right? I mean, more than one whole week of the MOAB was 3rd party exploits: how many of them were contacted by the MOAB organizers? Were any? The folks at OmniGroup have a pretty solid reputation in the community as being decent — did that reputation gain them anything?
Apparently not:
If the “Month of Apple Bugs” project had given us advance notice of the security issue, we would have posted a fix sooner; as it was, they sent us notice at 11:15am and (as you can see) we posted this fixed release a few hours later.
We’re not proud to have had a vulnerability in the first place, naturally, but we are proud of our response time! (Now I guess we’ll see how quickly they respond to our fix, updating their workaround section to point people at our fixed release.)
By Ken on 01.07.07 3:11 pm
Well, more than 3 weeks later, Ken is still waiting.
It seems the MOAB folks were not all that interested in how vendors responded. At least, they weren’t interested enough to update their website to tell people that fixes were available.
VLC and Colloquy fixed their issues right away. Yet as of today (2007-02-01) there is no mention of these fixes on either the Colloquy MOAB page or the VLC MOAB page.
Transmit was fixed within days but the Transmit MOAB page has not been updated.
They wanted a more secure OS X, right? Does the response time for vulnerabilities mean anything? Not to Artie MacStrawman who believes that OS X is 100% completely safe and never has no problems nowhere and was therefore shocked shocked I say! to learn that some apps, even on OS X, are imperfect. To the rest of us, however, the response time of the 3rd party vendors should be heartening.
Oh, and what about that other vendor, Apple? They fixed the issue from Day 1 and released it on January 23rd (not bad considering that the huge Macworld conference also took place in the meantime). They even credited the MOAB folks for their discovery. What does the MOAB site say?
The only potential workaround would be to disable the rtsp:// URL handler, uninstalling Quicktime or simply live with the feeling of being a potential target for pwnage.
Oh I never get tired of that “pwnage” either. Did you see how they mashed up words there? It’s just so clever, like the Macarena, I can’t imagine ever getting bored of it.
They address this in their FAQ too:
The ‘pwnies phenomenon’ isn’t more than yet another meme or non-sense net-folklore. The original image is done by Jon-Mikel Gates and was sent to Jonathan Coulton. A fellow proposed it to be used for giving a sarcastic / humorous sense to the Apple-related bugs. Probably, the intention was to create the slang word (pink bug) for these issues, given the totally non-sense and immature reaction from so-called Mac fan boys. On the second question, if that, for you, ruins the credibility of this exercise, you’re clearly not the audience we’re speaking for.
Who is the audience they’re speaking for? Is it Mac end users? If so, I am one of them, and their H4xor-speak did indeed lessen the seriousness with which I considered their work.
They clearly know that the Apple Security update has been released, since they mention it in Day 23 of the MOAB:
This has been tested via QuickTime™ Version 7.1.3 running on Mac OS X 10.4.8 (8L2127), with the Apple Security Update 2007-001 applied.
So they haven’t bothered to update their site for any of the apps which have been updated since their reports went forth. Rumpus FTP really? In 2 years of Mac usage I haven’t even heard of this software. Smells like padding to me. In fact, having 8 third-party apps smells pretty fishy to me too. How many actual Apple bugs were there?
I count 22: #1, 3, 4, 5, 9, 10, 11, 12, 13, 14, 15, 17, 20, 21, 22, 23, 24, 25, 26, 28, 29, 30.
Day 31 was essentially meaningless. I was going to give them extra points for picking a month with 31 days in it, versus February’s 28. I suspect they chose January more because of Macworld than the number of days in the month. Really they only gave us 30 bugs, or 22 Apple bugs, which is what they originally promised. And even those 22…. well…
Of those, 5 (#9-13) all have to do with DMG handling. The most serious problem there is that Apple has insisted that Safari automatically mount DMGs. That is mindbogglingly stupid, IMO, and qualifies as “Just Asking For It.” When Leopard ships and Safari quietly has this turned off by default, we should all cheer (Note: I haven’t seen Leopard yet, so I’m just guessing that they will fix that.) Meanwhile, I download all of my DMGs from people/places I trust, so I don’t worry much about those.
Local Privilege escalations basically mean that if someone has a regular user account on your computer, they can get more power, either as an administrator or root. If I ran a lab full of Macs, this would be an issue. As it is, the only user on my Macs is me. So I don’t worry much about local users. That means #28, 22, 21, 15, 17, and 14 are essentially unimportant to my daily living.
Overall I find myself disappointed at the MOAB. The Macalope wrote:
The Macalope highly suspects that the Month of Apple Bugs is starting off intentionally lame in the hopes that Apple blogs will take the bait.
Please hold your snide remarks until all the bugs have been announced
- #1: Fixed by Apple
- #2: Fixed by Vendor
- #6: “temporal” [sic] fix: Use Adobe Reader 8 for PDFs
- #7: Fixed by Vendor
- #8: Fixed by Vendor (although I don’t use APE and would not be surprised to find more security holes in it)
- #9: Only download DMGs from trustworthy sources
- #10: Only download DMGs from trustworthy sources
- #11: Only download DMGs from trustworthy sources
- #12: Only download DMGs from trustworthy sources
- #13: Only download DMGs from trustworthy sources
- #14: I don’t use Appletalk and it’s local only issue as far as they know
- #15: N/A (I’m the only user)
- #16: Fixed by Vendor
- #17: See Appletalk issue #14 above
- #18: Fixed by Vendor (for an app I’ve never even heard of)
- #19: Fixed by Vendor
- #20: My AIM list is already set to only accept messages from people on my buddy list, so the risk here is low, and even the MOAB description is fairly vague as to the level of the threat
- #21: Workarond provided (and I think this is a local-only bug anyway)
- #22: Local or remote? Unsure but it seems like it’s local only
- #23: PICT? I guess someone could put it in a website or something…
- #24: So if I create a file and open it myself I can create a crash? Are there other risks? (And before they mock me for not being smart enough to understand what they are saying, ask yourself: Who is their audience? If not me, then who?)
- #25: I don’t run a Mac webserver, so I guess that doesn’t apply to me
- #26: So I should only install packages from places and people I trust?
- #27: Vendor patched? I don’t find myself using Flip4Mac all that often, so again I’m not all that worried here
- #28: Local only
- #29: I never have used iChat Bonjour. It’s like the Zune WiFi sharing: using it would mean someone else around me has iChat and Bonjour setup. They don’t…. although I bet I’d find another iChat user before I found a Zune user
- #30: “ Due to a bug in CoreFoundation, these issues are currently difficult to exploit for code execution. Still, certain conditions exist that make it possible under certain circumstances.” So you’re saying that there are bugs but those bugs can’t be exploited because of other bugs?
I’m frustrated and disappointed. A month of these things and a mere handful which really seem like anything to worry about. If there are more, please tell me, I’ll happily admit I’m wrong. But if one of the goals of MOAB was to get average users realize there are a lot of security problems with OS X… well, I came away feeling more like “They couldn’t even find enough to fill a month.” Maybe I’m wrong, but at the end of the day, I still feel like OS X is pretty secure, especially compared to Internet Explorer, which could compromise your system even if you didn’t use it. Admittedly that was awhile ago, but the level of danger of running OS X to Windows seems low. Not zero, but very low.
Update: I use Opera, which doesn’t even think about loading DMGs. And I have turned off the setting in Safari in case I’m ever using that when someone tries to hijack it. My point is 1) that if you have been paying attention at all, you have heard to turn this off, and 2) this needs to be turned off in Leopard.
See also:
32 Responses to “What did I learn from the MOAB? Not much”
on 01 Feb 2007 at 1:00 pm # The Macalope » Blog Archive » Aaaaaand now.
[...] Or, you can just read TJ’s excellent wrap-up here. [...]
on 01 Feb 2007 at 1:20 pm # niker
Soooo right!
During the month they progressively showed off how lame, how childish they are.
They’ve proved to the whole world that they were only seeking for notoriety.
Even George Ou didn’t care to report about MOAB (only the first bug).
Moreover, having read enough about this story, I’m fairly confident when I say that not only did they fail miserably, they are for sure two very asinine hackers.
They don’t seem to understand what they’re trying to do.
on 01 Feb 2007 at 2:04 pm # rahrens
As I noted at the Macalope’s site, go to MacDailyNews’ site and look at this story:
http://macdailynews.com/index.php/weblog/comments/12484/
It seems clicking on day 29 using Safari will hang Safari, and the HTML code behind it indicates it was done on purpose!
Loss of all credibility? What a way to end the month!
on 01 Feb 2007 at 2:16 pm # Fly the Network » Blog Archive » MOAB
[...] The Macalope has a good look back on the non-event that was the “Month of Apple Bugs.” Also linked is the excellent MOAB dissection by “TJ.” [...]
on 01 Feb 2007 at 2:40 pm # blabberz » MOAB over
[...] At long last the month of Apple bugs (MOAB) is over. The level of professionalism and thoroughness shown by the organizers, as well as the level of security vulnerability demonstrated, is really quite remarkable. [...]
on 01 Feb 2007 at 5:15 pm # NPC
I don’t understand why the Safari mounting disk image thing is an issue. What do you do with disk images after you download them NOT mount them? Scan them for viruses & then mount them? Every DMG I download I would immeadiately mount afterwards anyway (the point of it after all) what I like this feature Safari provides.
on 01 Feb 2007 at 5:20 pm # Phillip Winn
Even with the help of third-party apps, they *still* couldn’t quite fill up an entire month?
I want my money back!
on 01 Feb 2007 at 5:33 pm # Frog Masterson
Well, I thought I had learned something: format strings == bad. But then I looked at all my code where I used format strings and discovered that I already knew this and had taken proper precautions. Oh well.
on 01 Feb 2007 at 5:59 pm # InMuscatine » Blog Archive » Month of Apple Flops
[...] Tales of Being TJ | What did I learn from the MOAB? Not much: I’m frustrated and disappointed. A month of these things and a mere handful which really seem like anything to worry about. If there are more, please tell me, I’ll happily admit I’m wrong. But if one of the goals of MOAB was to get average users realize there are a lot of security problems with OS X… well, I came away feeling more like “They couldn’t even find enough to fill a month.” [...]
on 01 Feb 2007 at 6:17 pm # neil
> [Q:] Are the issues being reported to the vendor before public disclosure?
> [A:] Rarely, the point is releasing them without vendor notification.
> I still don’t get what this means: “the point is releasing them without vendor >notification.
Maybe the point is to scare people, by releasing the exploit before the vendor has any chance of fixing it, so fewer people believe that Macs are more secure (or in short FUD). Or the point is to give ‘real’ hackers a chance to exploit the issue which would be even more effective than just reporting the exploit. (Even more effective would be to write the malware themselves but obviously they did not do that.)
on 01 Feb 2007 at 6:55 pm # John Moltz
Even more effective would be to write the malware themselves but obviously they did not do that.
Follow rahrens’ link. They tried to crash Safari users who visited their site.
Also, as the inventor of Artie MacStrawman, I want to thank TJ for some excellent examples of him. Nicely done.
on 01 Feb 2007 at 9:09 pm # Jonathan
@NPC
The point of turning off the “Open Safe [sic] files after download” to prevent .dmg files from being mounted is very simple - currently, someone could create a webpage that caused a maliciously crafted .dmg to be downloaded without any input by the user (other than visiting the page, of course). Your system would crash and you would shrug your shoulders thinking that you’d hit a quirk, a one off, but what had really happened was that your system was cracked.
on 01 Feb 2007 at 9:28 pm # pualo
TJ,
I agree with your post in general, but you’re missing the point on the DMG thing a bit. It’s not about just downloading DMGs from trusted sites. The point is that any web page you visit can automatically initiate a download. Then, if Safari automatically opens the DMG, you can be hacked. All by just browsing to an untrusted site, not by intentionally downloading something.
on 01 Feb 2007 at 9:31 pm # pualo
Oh and one more thing. The local privilege escalation things are a problem because they can be combined with other vulnerabilities that give non-privileged remote code execution, to turn them into remote root hacks.
on 01 Feb 2007 at 9:45 pm # Jon Bodner
NPC -
The reason why it’s important to disable the “download safe files” option in Safari is that there are tricks that you can do with HTML that will result in a file being downloaded without any user interaction (you could use an iframe or put a redirect in the header or use a page with multiple frames or probably a couple of other tricks that I can’t think of off the top of my head). If Safari then opens a “safe” file downloaded this way, a potential exploit could run without any interaction besides you visiting a webpage that seemed harmless.
on 02 Feb 2007 at 3:18 am # Matt
The Apple bugs shown are very embarrassing. No one could pass an upper-level CS course writing code that fails in these ways. Worse, many automated tools that Mozilla and Microsoft run catch these bugs.
Apple really does need to recommit to security.
Note that I’m a Mac user. I have to say that Mac fan blogs are starting to annoy the hell out of me. I’ve yet to see anyone look past the attitudes of the people who did the Month of Apple Bugs to see that they found some relatively embarrassing and serious problems. Instead, I see lots of defense of Apple, but no striking Apple with the clue stick. Not to mention loads of annoying fanboyism.
Apple, take note: your fans are going to drive the more reasonable Mac users over to Vista.
(This response is to be expected. People throw stones at Apple, and anyone who steps in and says “This is a bit unreasonable” is considered a fanboy. The idea that Mac sites are going to drive mac users to Vista is utterly laughable. This is some kind of reverse-Artie MacStrawman: the Mac user who is swayed by what people write on websites to go to Vista. Best laugh I’ve had all week — ed)
on 02 Feb 2007 at 5:52 am # Horacio
I wonder if the whole MOAB exercise appears in some accounting line item statement as “security research” for some company hired by Microsoft to help in the Vista launching… this whole exercise reeks too much like rotten meat advertising
on 02 Feb 2007 at 5:59 am # Andy
…but surely just opening a disk image is not going to cause a problem, unless there’s also a vulnerability where a malicious application can appear to be a disk image ?
It does seem that certain disk images are able to automatically execute a script when opened (some developers use this to copy their app onto your system, saving you the effort, and eject the disk image afterwards). Now, THIS does seem to be a security risk IMO.
on 02 Feb 2007 at 8:49 am # alastair
“there are tricks that you can do with HTML that will result in a file being downloaded without any user interaction”
Well not really. You still have to get the user to visit a webpage containing those tricks, which is still interaction, and it isn’t as if they won’t notice the dmg file being downloaded (since Safari’s Downloads window will appear).
This is certainly a threat, but let’s not exaggerate it too much.
on 02 Feb 2007 at 2:07 pm # Matt
No, it’s that the people who step in and say ‘this is a bit unreasonable’ wholly ignore the substance put forth by the unreasonable people. No one says ‘this is a bit unreasonable,’ they say ‘look at those attention seekers! pay no attention!’ and proceed to reject their claims. In my case, I am an actual programmer (I get paid do it 40+ hrs a week), and I can see that a bunch of the holes revealed by MOAB have the potential to be serious in the presence of active exploits. (Note that we probably wouldn’t see any: Apple’s low marketshare makes OS X a less attractive target).
People like Horacio are the worst kind of fanboys: they’re seeing an MS-backed conspiracy here?
If you’re going to accuse me of something, accuse me of failing to see that ‘the plural of anecdote is not data.’ I am not a strawman, I am a living, real Mac user typing away on his MBP 17 (which replaced his PB 17, and 2 PB 15s) who cringes everytime he sees a Mac user scream MS conspiracy in the face of easily fixed (and mindlessly preventable) security bugs in OS X. I think: how can a community who refuses to pressure Apple to do the right thing ever cause OS X to have a proper security process, like other major software vendors do?
Of course, I’m just one person, and I’m probably not going to be moving to Vista–basing any decision off any fanboy (MS or Apple) is not a good idea. I don’t necessarily reflect the way other people think, so my anecdote is not data. However, it’s also not a strawman. I’m here, I’m real, and I have a legitimate gripe with the less clear-thinking members of the OS X community.
on 02 Feb 2007 at 3:05 pm # Drew
I would agree that the hype around MOAB has all but obscured any legitimate aims that the group may have once had. However, I would far rather people be raising what they feel to be issues to get them out into the community where they can be checked to see if they are valid. Simply holding the line that OS X is secure and anyone who says otherwise clearly has an agenda that is “anti-Apple” is a total nonsense. Complacency has been the source of decline of many endeavours. The security community has been having debates following disclosure of potential vulnerabilities for years (check out Bugtraq if you haven’t already) but nowhere have I seen the kind of response to a suggested issue than within the Apple realm.
And whilst finding most of Tj’s piece would form part of a reasonable debate I have to say when I got to the following part I was amazed.
“As it is, the only user on my Macs is me. So I don’t worry much about local users. That means #28, 22, 21, 15, 17, and 14 are essentially unimportant to my daily living.”
I don’t argue that this isn’t true for Tj but does that mean if vulnerabilities don’t happen to impact on a proportion of the user base that they should just be ignored? As someone who does have hundreds of Macs on a network I obviously want to know of potential problems, even if only to be able to satisfy myself that I can’t exploit them with the information generally available and therefore rest slightly easier.
(I didn’t imply that they should be ignored; however, I should have made this more clear. One of my first “jobs” was working in a lab full of NeXT computers so I know a bit first hand about trying to keep a bunch of computers secure when there are a bunch of idle hands trying to see what they can do. That said, the article is clearly titled “What *I* learned from the MOAB” - not “What everyone everywhere needs to know about the MOAB.” I suspect there are many users like me who are the only users of their Macs, or maybe just their immediate family, and for them, the local escalation bugs aren’t anything to really lose sleep over. To be clear: I want the local bugs fixed, and sooner rather than later. However, if one of the goals of the MOAB was to show to the average Mac user that OS X is horribly insecure, then the fact that 8 of them weren’t even OS X related, and the fact that most home users don’t really need to worry about the local exploits is not insignificant in the MOAB’s failure — even if one is willing to look past the personality defects of the creators. -ed)
I’ve owned my own Apple kit for many years and use OS X for most of my personal computing. However I am not naive enough to think that Apple have somehow managed to assemble a team of perfect developers and testers who ensure that there is not one single error in the software that they release. Yes OS X is relatively secure. Do I think it is impervious to attack? Not a chance in hell.
(If I can paraphrase you: “I am not Artie MacStrawman either.” Do the vast majority of Mac users think they are impervious to attack? I don’t think they do. The other question I would ask is “How much safer is OS X than Windows?” You said “relatively” but I wonder if that is the right word. — ed)
on 02 Feb 2007 at 3:09 pm # Horacio
More smoke n mirrors on MOAB. Seems Billy Gates even declared that:
Bill Gates: “Nowadays, security guys break the Mac every single day. Every single day, they come out with a total exploit, your machine can be taken over totally. I dare anybody to do that once a month on the Windows machine.”
From Newsweek interview http://www.msnbc.msn.com/id/16934083/site/newsweek/
Hmmm Billy decides to claim daily attacks on the Mac the same month MOAB decides to do the stunts which happens to be during the same month Vista is released…
on 02 Feb 2007 at 6:05 pm # TJ
@ Horacio: I don’t see Gates as being behind this, and I don’t see the timing as connected to Vista - it was connected to Macworld, to hope to steal some of their thunder and delay their response time.
As for Bill’s ranting: I think it shows that Apple’s success is pressuring Microsoft. Bill still wants to live in a world where Linux and Macs sucks - he needs them to exist so Microsoft isn’t an monopoly, but wants them crippled so they can’t compete. Look at all the evidence coming out from the court case Microsoft is involved in and you will see plenty of clear examples of Microsoft wanting to punish Dell for offering Linux, and Microsoft employees thinking that they ought to talk with Apple about iPod/iTunes. Not to mention Microsoft employees who are have talked about wanting to buy Macs, and Microsoft .Net developers who saw Leopard and were blown away.
Let’s no delve into conspiracy theories when there is plenty of evidence as to what Microsoft has done.
Gates is clearly angry about all the times that Vista is being called a Tiger clone. And Leopard will be here soon.
on 02 Feb 2007 at 7:18 pm # Drew
@Tj
Per my earlier comment, you are of course correct,
(There’s a sentence I don’t hear nearly enough :-) - ed
it was what you learned personally and as I said, or at least tried to say, I agree with much of the post.
However a couple of responses to points raised;
“However, if one of the goals of the MOAB was to show to the average Mac user that OS X is horribly insecure, then the fact that 8 of them weren’t even OS X related, and the fact that most home users don’t really need to worry about the local exploits is not insignificant in the MOAB’s failure ”
But was that one of the goals?
(I’m still not sure what the goal of MOAB was for, but at least part of it was to fry Mac users’ balls: See MOAB hacks for more - ed)
One of the criticisms of the response to MOAB is that the Apple community took it personally, as though it were some direct attack on all that was true.
(I think it was something in the attitude of “No we aren’t going to tell Apple about them first, no we aren’t doing to talk to 3rd parties first, no we aren’t going to recognize when someone posts a fix for a bug that we point out.” And then there was the frying balls part. - ed)
However the people behind MOAB had in November also done MOKB (month of kernel bugs) which covered Windows, Solaris, OS X, Linux and many more. That month has much in common with the latest month. Have they “attacked” Apple because they want to “scare” users or have they done MOAB to highlight that no OS is guaranteed to be secure? Will there be a MOSB or a MOLB later in the year? [obviously insert joke about YOWB :-)]
“How much safer is OS X than Windows?” You said “relatively” but I wonder if that is the right word.”
Interesting that you assumed my relative was with respect to Windows. In fact I think that the threats to OSs are not only a factor of their inherent strengths or weaknesses but also reflect their profile and how many people are spending time and effort targeting them. And of course their attackability (if that’s a word). The OS that runs my car is probably far more secure than OS X simply because there are less ways to attack it and fewer people trying to craft an attack. Windows is a massive target because it is a monstrous hack and there are thousands of people worldwide trying to break it. Linux probably falls somewhere close to OS X in the relativity scale.
(See John Gruber’s excellent Broken Windows post for a reply to that argument. - ed)
Your question though was how much safer is OS X than Windows? The problem with that question is that it isn’t that simple. I have both on my home wireless network and I am fairly confident that they are equally safe. That isn’t a function of either OS, it’s because they are behind multiple firewall layers and are both up to date in their patches. Both run Firefox with ad and script blocking add-ons. If you’re asking which is safer if handed out to a new user and exposed to the net in raw state then clearly OS X is more secure.
(I’d go even further that that. I believe that if you took OS X, patched as much as possible, and Windows XP, patched as much as possible, I think you would still find OS X to be more secure. Totally secure? No, of course not. But more secure. I could be wrong, but that’s the side of the table I’d put my money on. - ed)
But that isn’t the point I got from MOAB. The point I take is that OS X is more secure than Windows but that doesn’t mean it is impervious to attack.
(And I think most Mac users except Artie MacStrawman already knew that. So what was gained by it? Are there really any Mac users savvy enough to hear about the MOAB but not already know that OS X has flaws? And if so, can they actually take anything of real value away from the MOAB or does it all sound like a bunch of hokum? - ed.)
If all Mac users know this and take the other precautions such as securing the point of entry of their net connection then all is well. If Mac users continue to assume that their machines are totally safe and don’t cover the other angles then there is an increasing likelihood that they will be exploited.
(Increasing? Why increasing? -ed)
on 02 Feb 2007 at 8:56 pm # Drew
@Tj
“(I think it was something in the attitude of “No we aren’t going to tell Apple about them first, no we aren’t doing to talk to 3rd parties first, no we aren’t going to recognize when someone posts a fix for a bug that we point out.” And then there was the frying balls part. - ed)”
I agree, in my opinion this is not the way to go about vulnerability disclosure. However, this isn’t an Apple specific issue, I recall years ago over on the NTBugTraq mailing list there was a massively heated debate as to whether potential exploits should be disclosed to the public straight away, vendors notified and after a passage of time the public notified or vendors notified and public not told until vendor announced a fix. It probably generated more discussion than any other topic.
“(I’d go even further that that. I believe that if you took OS X, patched as much as possible, and Windows XP, patched as much as possible, I think you would still find OS X to be more secure. Totally secure? No, of course not. But more secure. I could be wrong, but that’s the side of the table I’d put my money on. - ed)”
I use OS X for most of my personal computing, I’m writing this using it now. I totally agree that it is more secure (in fact I said that in my comment). However, that isn’t the real issue…..
“(Increasing? Why increasing? -ed)”
Because to paraphrase Bruce Schneier, security is not an event it is a process. I think that we have already agreed that OS X is secure but not necessarily totally secure. At the moment the majority of the effort is towards breaking Windows, especially now that Vista has launched with the sales pitch that it is “secure”. However, the more Mac users wave their red flag to say that they are immune to hacks the more likely the bulls that dissect systems for fun are going to see if it is true. At the same time, users of OS X may begin to believe the general view that their machines are secure and neglect the security in depth approach.
Perhaps I’m a pessimist but the last thing I want to hear are Windows advocates crowing over the hacked Mac in their hand. In order to ensure that we need to have a proper debate about security, both in the OS and wider in ensuring that more “general users” adopt a layered security approach.
As a footnote, on my 12 mile drive between my work and my home I can locate 150 wireless access points of which 79 are unsecured. If they are running Windows then they are at risk. If they are running OS X they are probably secure but unless we embrace the security debate and encourage people to discuss possible vulnerabilities this may not remain the case.
Of course this may bring us back full circle to whether MOAB was a genuine attempt to help!
on 02 Feb 2007 at 9:11 pm # TJ
I used to be on BugTraq myself. Ah yes, the good ol’ flame wars.
I realize that I am reading a lot between the lines, and conflating some of this with the maybe-maybe-not WiFi fiasco last year, but I read their actions like this:
“There was a WiFi flaw and Apple said it wasn’t a flaw and we said it was a flaw and they said nu-uh and we said uh-huh and then they went all and fixed the bug and said it wasn’t the same bug but that they had gone looking for a bug and found something different than what we had told them was the bug and so we didn’t get the cred’ we deserved and so, d00d, we are like totally going to mess with them this time because they’re all in to, like, you know, not giving credit for problems spotted or we’d have to hold onto all of this prime info-may-shun and then they’d fix it and not give us credit and we were like nun-uh.”
Which is perhaps debatable until Apple goes and fixes the first bug they mention, and credits them for it (which may just have been the most slick security PR act this year since it totally took the wind out of the argument), and then they don’t even update their site to reflect the fix.
And again, even if you granted them their argument about Apple, why did they do the same to the 3rd party apps? What did VLC or Colloquy or Omni ever do to these guys?
From my recollection of those arguments, there were usually 2 (major) camps regarding when to announce security flaws:
1) Announce them as soon as they are found, because the Bad Hacker D00ds probably already know about them and you can alert others and maybe it will force (insert vendor name here) to fix it more quickly.
2) Report it to the vendor with a time-limit as to how long you will hold off disclosing it. See #1 for potential problems with this method.
Most non-zealots (from my observations) leaned towards #2 unless there was something particularly heinous going on (i.e. flaw in IE which could reformat your hard drive) but for the more mundance “If you download this untrusted app/dmg/exe/zip and run it, bad things will happen” prior vendor notification always seemed like the right choice.
on 03 Feb 2007 at 5:20 pm # dogcow
I find it interesting that the same damn arguments keep coming up about the Mac, and we continue to look around for someone to prove us all wrong.
If the Mac were just as insecure as Windows (which it *inherently* is NOT), regardless of “market share” or anything other bullshit term to take attention away from the truth, we would already have had some script kiddie somewhere, somehow, breaking a Mac for all the world to see.
And yet, we have silence. No hack from a h4×0r. No word from security companies.
Nothing, anywhere, that can take my machine, fresh out of the box, and after being online for a span of two whole minutes, be pwn’d by someone halfway around the world.
I can however discover the joy of that experience with any Windows box.
Why is it that so many people forget that the core of the Mac’s OS is a *nix? Why do people find it so hard to remember that a ginormous spine of the internet, UUNet, stands for Unix-to-Unix Network. Not Windows to Windows. Unix was already beefing up on network security before Windows even knew what the hell that was.
THAT is the main reason why any flavor of *nix has been, and will continue to be, more secure than any Windows box. Because it’s been attacked, beaten, hurt, melded, and massaged by hackers already interested in all its little holes. And the other side of the fence, the guardians of good code, have reacted with making *nix more reliable, more secure, and able to run like a workhorse better than most anything else out there.
Want a Windows network that’s as secure as an OS X network? Make it a closed loop. Don’t connect it to the outside world. You’ll be fine.
on 03 Feb 2007 at 8:29 pm # links for 2007-02-04 » Ross’ PhD Blog
[...] Debating Full Disclosure Contrast with What I learned from the Month of Apple bugs. (tags: security hacking) [...]
on 04 Feb 2007 at 12:16 am # insignificant thoughts » Blog Archive » Month of “Apple” Bugs Is Over
[...] Now that you know Artie, read this: They wanted a more secure OS X, right? Does the response time for vulnerabilities mean anything? Not to Artie MacStrawman who believes that OS X is 100% completely safe and never has no problems nowhere and was therefore shocked shocked I say! to learn that some apps, even on OS X, are imperfect. To the rest of us, however, the response time of the 3rd party vendors should be heartening. [...]
on 10 Feb 2007 at 12:53 am # one of me » links for 2007-02-01
[...] Tales of Being TJ » Blog Archive » What did I learn from the MOAB? Not much Wrap up of the Month of Apple Bugs (tags: MOAB Apple Security) [...]
on 01 Mar 2007 at 11:13 am # /dev/random » Blog Archive » TJ Weighs in on MOAB
[...] TJ has posted one of the best wrap-ups of the Month Of Apple Bugs (MOAB). [...]
on 17 Jun 2007 at 5:24 am # stephen hargrove dot com » Blog Archive » MoAB: Is It Safe To Come Out Yet?
[...] The Month of Apple Bugs is over, so you can all come out of your fallout shelters. Was it worth it? Maybe. Was it everything they made it out to be? Not really. I think TJ summed it up best: [...]