[infowarrior] - Article: Tech Muckraking, the PC Way

[InfoSec News <isn () c4i org>]

Forwarded from: William Knowles <wk () c4i org>

http://www.infowarrior.org/articles/2003-08.html

Copyright © 2003 by author. Permission granted to reproduce in
entirety with credit.

Richard Forno
12 Dec 03

Since Apple released Mac OS X, even the PC industry trade publications
have raved about its quality, design, and features.  PC Magazine even
gave Mac OS X "Panther" a 5-star rating in October 2003. Perhaps it
was because Macs could now seamlessly fit into the Windows- dominated
marketplace and satisfy Mac users refusing to relinquish their trusty
systems and corporate IT staffs wanting to cut down on tech support
calls. Whatever the reason, Mac OS X has proven itself as a worthy
operating system for both consumers and business alike.

Of course, as with all operating systems, Mac OS X has had its share
of technical problems and even a few major security vulnerabilities.
Nearly all were quickly resolved by Apple via a downloaded patch or OS
update.  But in general, Mac OS X is solid, secure, and perhaps the
most trustworthy mainstream computing environment available today. As
a result, Mac users are generally immune to the incessant security
problems plaguing their Windows counterparts, and that somehow bothers
PC Magazine columnist Lance Ulanoff.

In a December 11 column [1] that epitomizes the concept of yellow
journalism, he's "happy" that Mac OS X is vulnerable to a new and
quite significant security vulnerability. The article was based on a
security advisory by researcher Bill Carrel regarding a DHCP
vulnerability in Mac OS X. Carrel reported the vulnerability to Apple
in mid-October and, through responsible disclosure practices, waited
for a prolonged period before releasing the exploit information
publicly since Apple was slow in responding to Carrel's report (a
common problem with all big software vendors.)  Accordingly, Lance
took this as a green light to launch into a snide tirade about how
"Mac OS is just as vulnerable as Microsoft Windows" while penning
paragraph after paragraph saying "I told you so" and calling anyone
who disagrees with him a "Mac zealot."

You're either with him or with the "zealots."  Where have we heard
this narrow-minded extremist view before?

More to the point, his article is replete with factual errors. Had he
done his homework instead of rushing to smear the Mac security
community and fuel his Windows-based envy, he'd have known that not
only did Apple tell Carrel on November 19 that a technical fix for the
problem would be released in its December Mac OS X update, but that
Apple released easy-to-read guidance (complete with screenshots) for
users to mitigate this problem on November 26.  Somehow he missed
that.

Since he's obviously neither a technologist (despite writing for a
technology magazine) nor a security expert, let's examine a few
differences between Mac and Windows to see why Macintosh systems are,
despite his crowing, whining, and wishing, inherently more secure than
Windows systems.

The real security wisdom of Mac OS lies in its internal architecture
and how the operating system works and interacts with applications.
It¹s also something Microsoft unfortunately can¹t accomplish without a
complete re-write of the Windows software.

At the very least, from the all-important network perspective, unlike
Windows, Mac OS X ships with nearly all internet services turned off
by default. Place an out-of-the-box Mac OS X installation on a
network, and an attacker doesn¹t have much to target in trying to
compromise your system. A default installation of Windows, on the
other hand, shows up like a big red bulls-eye on a network with
numerous network services enabled and running. And, unlike Windows,
with Mac OS X, there¹s no hard-to-disable ³Messaging Services² that
results in spam-like advertisements coming into the system by way of
Windows-based pop-up message boxes. And, the Unix-based Mac OS X
system firewall ­ simple enough protection for most users -- is
enabled in by default, something that Microsoft only recently realized
was a good idea and acknowledged should be done in Windows as well.  
I guess Lance didn't hear about that, either.

Then there's the stuff contributing to what I call "truly trustworthy
computing."

When I install an application, such as a word processor, I want to
know with certainty that it will not modify my system internals.
Similarly, when I remove the application, I want to know that when I
remove it (by either the uninstaller or manually) it¹s gone, and
nothing of it remains on or has modified my system. Applications
installed on Mac OS X don¹t modify the system internals ­ the Mac
version of the Windows/System directory stays pretty intact. However,
install nearly any program in Windows, and chances are it will (for
example) place a different .DLL file in the Windows/System directory
or even replace existing ones with its own version in what system
administrators grudgingly call "DLL Hell."  Want to remove the
application? You¹ve got two choices: completely remove the application
(going beyond the software uninstaller to manually remove things like
a power user) and risk breaking Windows or remove the application (via
the software uninstaller) and let whatever it added or modified in
Windows/System to remain, thus presenting you a newly-but-unofficially
patched version of your operating system that may cause problems down
the road. To make matters worse, Windows patches or updates often
re-enable something you¹ve previously turned off or deleted (such as
VBScript or Internet Explorer) or reconfigures parts of your system
(such as network shares) without your knowledge and potentially places
you at risk of other security problems or future downtime. Apparently,
Lance doesn't see this as a major security concern.

Further, as seen in recent years, Microsoft used the guise of a
critical security fix for its Media Player to forcibly inject
controversial Digital Rights Management (DRM) into customer
systems.[2] Users were free to not run the patch and avoid DRM on
their systems, but if they wanted to be secure, they had to accept
monopoly-enforcing DRM technologies and allow Microsoft to update such
systems at any time in the future.  How can we trust that our systems
are secure and configured the way we expect them to be (enterprise
change management comes to mind) with such subtle vendor trickery
being forced upon us? Sounds like blackmail to me.  (Incidentally,
Lance believes the ability of a user to "hack" their own system to
circumvent the Apple iTunes DRM makes the Macintosh a bigger "hack
target" for the purposes of his article....apparently, he's not
familiar with the many nuances of the terms "hack" and "hackers" or
knows that power-users often "hack" their own systems for fun.)

What does that say about trusting an operating system's ability to
perform in a stable and secure manner? Windows users should wonder
who¹s really in control of their systems these days. But Lance is
oblivious to this, and happy to exist in such an untrustworthy
computing environment.

On the matter of malicious code, Lance reports being "driven crazy"
when Mac users grin at not falling victim to another Windows virus or
malicious code attack. He's free to rebuild his machine after each new
attack if he wants, and needs to know that Mac users are grinning at
not having to worry about such things getting in the way of being
productive.  You see, because of how Mac OS X was originally designed,
the chance of a user suffering from a malicious code attack - such as
those nasty e-mail worms - is extremely low. Granted, Mac users may
transmit copies of a Word Macro Virus if they receive an infected file
(and use Microsoft Word) but it¹s not likely that ­ again, due to Mac
OS X's internal design ­ a piece of malicious code could wreak the
same kind of havoc that it does repeatedly on Windows. Applications
and the operating system just don¹t have the same level of trusted
interdependencies in Mac OS X that they do on Windows, making it much
more difficult for most forms of malicious code to work against a
Macintosh.

Unlike Windows, Mac OS X requires an administrator password to change
certain configurations, run the system updater, and when installing
new software.  From a security perspective, this is another example of
how Apple takes a proactive approach to system-level security. If a
virus, remote hacker, or co-worker tries to install or reconfigure
something on the system, they¹re stymied without knowing the
administrator¹s password stored in the hardened System Keychain.
(Incidentally, this password is not the same as the Unix 'root'
account password of the system's FreeBSD foundation, something that
further enhances security.)

Lance also fails to recognize that Windows and Mac OS are different
not just by vendor and market share, but by the fundamental way that
they're designed, developed, tested, and supported. By integrating
Internet Explorer, Media Player, and any number of other 'extras'
(such as VB Script and ActiveX) into the operating system to lock out
competitors, Microsoft knowingly inflicts many of its security
vulnerabilities onto itself.  As a result, its desire to achieve
marketplace dominance over all facets of a user's system has created a
situation that's anything but trustworthy or conducive to stable,
secure computing.  Mac users are free to use whatever browser, e-mail
client, or media player they want, and the system accepts (and more
importantly, remembers!) their choice.

Contrary to his article, the small market segment held by Apple
doesn't automatically make the Mac OS less vulnerable to attack or
exploitation. Any competent security professional will tell you that
"security through obscurity" - what Lance is referring to toward the
end of his article - doesn't work. In other words, if, as he suggests,
Mac OS was the dominant operating system, its users would still enjoy
an inherently more secure and trustworthy computing environment even
if the number of attacks against it increased.  That's because unlike
Windows, Mac OS was designed from the ground up with security in mind.  
Is it totally secure? Nothing will ever be totally secure. But when
compared to Windows, Mac OS is proving to be a significantly more
reliable and (exponentially) more secure computing environment for
today's users, including this security professional.

If Lance is sleeping well believing that he's on an equal level with
the Mac regarding system security, he can crow about not being overly
embarrassed while working on the only mainstream operating system
that, among other high-profile incidents over the years, facilitated
remote system exploitation through a word processor's clip art
function! [2]

Trustworthy computing must be more than a catchy marketing phrase.
Ironically, despite a few hiccups along the way, it's becoming clear
that Mac OS, not Windows, epitomizes Microsoft's new mantra of "secure
by design, default, and deployment."

Who's crowing now?


[1] Macs Are Not Invulnerable
http://abcnews.go.com/sections/scitech/ZDM/mac_vulnerablility_pcmag_031211.h
tml

[2] Microsoft Makes An Offer You Can't Refuse
http://www.infowarrior.org/articles/2002-09.html

[3] Buffer Overflow in Clipart Gallery (MS00-015)
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
bulletin/fq00-015.asp


# # # # #

Richard Forno is a security technologist, author, and the former Chief
Security Officer at Network Solutions. His home in cyberspace is at
http://www.infowarrior.org/.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.