April 27, 2007
The bear facts on Mac security
Posted Apr. 27, ’07, 8:51 AM PT by Dan Moren
Category | Security
If you thought that this past week’s announcement that a MacBook had been hacked at the CanSecWest security conference would lead to reasoned, thoughtful debate on the topic of security, then I certainly hope you’re enjoying those tangerine trees and marmalade skies. Search Security’s Bill Brenner pens a somewhat skewed look at the response to the vulnerability. You can tell it’s Quality (with a capital “Q”) by the slug alone:
This week in Security Blog Log: A much-hyped QuickTime exploit threatens Mac OS X and Windows browsers, but the Apple faithful feel the greatest sting.It’s true: I haven’t been this stung since a bee decided to attack my foot freshman year of college. Whew.
The Apple faithful have had to defend the security prowess of Mac OS X an awful lot this past year and a half.You know, I don’t really find the need to defend the security prowess of OS X; I think the fact that I’ve been using Macs for sixteen years without having my computer compromised by hackers or a virus speaks pretty well for itself. And bringing up the still-unproven Black Hat demo? Ouch—you’re going to lose points with the East German judge on that one.Early 2006 saw the appearance of the first malware targeting Macs, and a few months later a controversial Black Hat demo where a MacBook was hacked via a weakness in the wireless driver.
It doesn’t matter that this flaw seems to affect most browsers, from Safari to Firefox to Internet Explorer 7, and that users are under threat whether they use a Windows or Mac machine. A Mac was successfully targeted first, further chipping away at the OS’s reputation as a more secure alternative to Windows. Apple enthusiasts are feeling the sting.Whoa, whoa. Whoa. “It doesn’t matter” that the flaw is pretty much universal? So let’s say I got attacked by a bear. It wouldn’t matter that that could happen to anybody, because I’m a Mac user and I got attacked by a bear first? So, the headlines reading “Mac users vulnerable to ursine rampage!!!” would be totally justified? Look, Brenner’s right that Macs have an image of being very secure as compared to Windows, which means they have more to lose when vulnerabilities are discovered, but the fact that this is a vulnerability that affects multiple platforms and browsers does nothing to change the fact that Macs are still safer than Windows. And again with “feeling the sting.” I don’t feel stung. Readers, you feel stung? Anybody feeling stung? Anybody? Bueller?
Now, credit where credit’s due: Brenner does say “While it may be true that there are Mac users who would rather deny reality, some of them point to their own situations as proof that Mac security remains unblemished.” And he relates some stories about Macs remaining secure in the face of large-scale Windows attacks. But in the end, Brenner falls back on the trope of smug, oblivious Mac users:
The QuickTime exploit proved that most browsers are threatened, including those running on Mac boxes. On this point I agree with Betteridge:We know the Mac isn’t bulletproof. But they are better than the alternative. Wearing a Kevlar vest isn’t going to prevent you from getting shot in the head, but it’s better than running into a firefight without one. This exploit, like most of the previous vulnerabilities that have been discovered, is not in the wild and unless you’re drinking the Maynor/Eorgegay Uoay Kool-aid, Apple has a pretty good track record patching vulnerabilities. This insistence on Apple “fessing up” is nothing more than security “experts” looking for an opportunity to gloat about how they were “right” all along. And they might have a point, if Apple was blithely going about not fixing vulnerabilities, or Mac users were scoffing at applying their Security Updates.The larger lesson for Mac users and the top brass at Apple is that it’s time to drop the defensiveness and acknowledge that they too are not bulletproof.
7 Comments
Leave a comment
Recent Entries
Ch-ch-ch-ch-changes afoot at MacUser
The Macalope Weekly: Leopards and monopolies and DRM! Oh, my!
Apple levels DMCA on iPodhash project
iPod touch users get second classed again with the omission of new Maps features
Apple Pro Applications Update 2008-004 makes your day
iTunes v8.0.2 comes riding on the coattails of iPhone firmware v2.2
About MacUser
MacUser is your source for news, info, and opinion about Apple, the Mac, and the iPod. Our dedicated team of bloggers covers everything that is relevant to Mac users — and, okay, some stuff that’s not quite relevant, but is still a lot of fun.
Subscribe/RSS
- Blog Posts
- Blog Comments
- Podcast (RSS) (iTunes)
Tip us off!
- Email: macuser [at] macuser [dot] com
Recent Comments 
- Dan Moren on iPod touch users get second classed again with the omission of new Maps features
- johnnydfred on iPod touch users get second classed again with the omission of new Maps features
- on iPod touch users get second classed again with the omission of new Maps features
- Neurotic Nomad on Apple levels DMCA on iPodhash project
- Dan Moren on iPod touch users get second classed again with the omission of new Maps features
- Me Again on iPod touch users get second classed again with the omission of new Maps features
Categories
- Apple (234)
- Advertising (162)
- Events (235)
- Huh? (182)
- Humor (259)
- News (148)
- People (258)
- Rivals (405)
- Speculation (167)
- Steve Jobs (172)
- Stores (206)
- Apple TV (58)
- Business (451)
- Games (143)
- Geekery (460)
- Hardware (935)
- Accessories (79)
- Intel Macs (162)
- Ihnatko (18)
- Internet (463)
- Legal (244)
- MacUser (94)
- Macalope (8)
- Money (177)
- Music (344)
- Podcasting (100)
- Photography (74)
- Security (246)
- Software (1544)
- Updates (538)
- Tips (352)
- Troubleshooting (189)
- Video (403)
- Windows (219)
- iPhone (199)
- iPod (602)
- iPod Accessories (96)
- iPod Software (61)
- iTunes (128)
- iTunes Store (443)
Archives
- November 2008 (91)
- October 2008 (138)
- September 2008 (151)
- August 2008 (177)
- July 2008 (175)
- June 2008 (171)
- May 2008 (185)
- April 2008 (234)
- March 2008 (217)
- February 2008 (215)
- January 2008 (239)
- December 2007 (169)
- November 2007 (164)
- October 2007 (187)
- September 2007 (167)
- August 2007 (195)
- July 2007 (152)
- June 2007 (223)
- May 2007 (243)
- April 2007 (286)
- March 2007 (288)
- February 2007 (250)
- January 2007 (266)
- December 2006 (244)
- November 2006 (293)
- October 2006 (307)
- September 2006 (250)
- August 2006 (268)
- July 2006 (288)
- June 2006 (293)
- May 2006 (297)
- April 2006 (351)
- March 2006 (366)
- February 2006 (110)
- January 2006 (107)
- December 2005 (23)
Mac Publishing Sites
Links
Let's not forget that Dino Dai Zovi, the man who found the vulnerability, has nothing bad to say about Apple's policy on security. He has reported several bugs and found Apple to be responsive.
I maintain that journalists and "security experts" are the only ones using the term "bulletproof" regarding Macs.
Never been stung on my Mac yet. I've been using Apple products since 1982 with the Apple II. Using a Dualcore Intel iMac today and it is still secure. There are two things that bother me about this hack story. One is they said they had to lower the security level. Two they used a custom website which is how this supposed hacker got in. It should have been done through the open internet and the security levels should not have been changed and then I would believe it to be a problem. But right now I think this was a publicity stunt that someone will write about later like most of them that they cheated.
Yeah, I just read the DaringFireball interview with Dai Zovi, and he's nothing but a class act. He just wants OS X to be a better OS for his discovery of the crack. Meanwhile, all these other fools who didn't do anything gloat about one vulnerability, which (surprise!) can affect Windows too.
"Two they used a custom website which is how this supposed hacker got in."
Refresh my memory. What's the difference between a 'custom website' and a non-custom website?
"The larger lesson for Mac users and the top brass at Apple is that it’s time to drop the defensiveness and acknowledge that they too are not bulletproof."
Oh, my, Artie MacStrawman rears his head again.
I don't think I've ever come across this Mac user who believes that OS X could never be compromised under any circumstances. What would this (entirely mythical) user think he was downloading when he downloaded security updates? And the idea that Apple themselves would think this is risible.
What doesn't follow, pace Microsoft-friendly journalists, is that OS X is as vulnerable as Windows. And even if the security problems on Windows have been finally overcome, which one doubts, Microsoft deserves no credit for fixing what shouldn't have been so broken in the first place. They deserve obloquy for putting such stuff on the market in the first place.
Well, the reality is this:
Zero crashes/ freezes in System 6
Plenty crashes/freezes* in Systems 7 to 8.5
*But NOTHING that a simple restart didn't fix.
NO crashes/freezes in System 9 and from OSX 10.2 to 10.4.9.
ONE hard disk failure - NOT the OS's fault - disk repaired and 100% data recovered.
NOT ONE virus since System 6 in spite of heavy internet usage. NOT ONE. NOTHING. Spam yes, but NOTHING which caused any damage.
During this time, friends, relatives and companies I work with have had NUMEROUS and DISASTROUS crashes, freezes, data loss and viruses. NUMEROUS times when I've booked a hotel room to be told when I arrived that "the computers have been down for a few days and we don't have any record of your booking." These guys were, of course, using Windows.
You tell me which is more secure.
John Davis
That guy is a class act. Apple needs to hire him on their security exploit team.