[ISN] [infowarrior] - Article: Tech Muckraking, the PC Way

From: InfoSec News (isn@private)
Date: Mon Dec 15 2003 - 03:15:33 PST

  • Next message: InfoSec News: "Re: [ISN] InfoSec 2003: 'Zero-day' attacks seen as growing threat"

    Forwarded from: William Knowles <wk@private>
    
    http://www.infowarrior.org/articles/2003-08.html
    
    Copyright İ 2003 by author. Permission granted to reproduce in
    entirety with credit.
    
    Richard Forno
    12 Dec 03
    
    Since Apple released Mac OS X, even the PC industry trade publications
    have raved about its quality, design, and features.  PC Magazine even
    gave Mac OS X "Panther" a 5-star rating in October 2003. Perhaps it
    was because Macs could now seamlessly fit into the Windows- dominated
    marketplace and satisfy Mac users refusing to relinquish their trusty
    systems and corporate IT staffs wanting to cut down on tech support
    calls. Whatever the reason, Mac OS X has proven itself as a worthy
    operating system for both consumers and business alike.
    
    Of course, as with all operating systems, Mac OS X has had its share
    of technical problems and even a few major security vulnerabilities.
    Nearly all were quickly resolved by Apple via a downloaded patch or OS
    update.  But in general, Mac OS X is solid, secure, and perhaps the
    most trustworthy mainstream computing environment available today. As
    a result, Mac users are generally immune to the incessant security
    problems plaguing their Windows counterparts, and that somehow bothers
    PC Magazine columnist Lance Ulanoff.
    
    In a December 11 column [1] that epitomizes the concept of yellow
    journalism, he's "happy" that Mac OS X is vulnerable to a new and
    quite significant security vulnerability. The article was based on a
    security advisory by researcher Bill Carrel regarding a DHCP
    vulnerability in Mac OS X. Carrel reported the vulnerability to Apple
    in mid-October and, through responsible disclosure practices, waited
    for a prolonged period before releasing the exploit information
    publicly since Apple was slow in responding to Carrel's report (a
    common problem with all big software vendors.)  Accordingly, Lance
    took this as a green light to launch into a snide tirade about how
    "Mac OS is just as vulnerable as Microsoft Windows" while penning
    paragraph after paragraph saying "I told you so" and calling anyone
    who disagrees with him a "Mac zealot."
    
    You're either with him or with the "zealots."  Where have we heard
    this narrow-minded extremist view before?
    
    More to the point, his article is replete with factual errors. Had he
    done his homework instead of rushing to smear the Mac security
    community and fuel his Windows-based envy, he'd have known that not
    only did Apple tell Carrel on November 19 that a technical fix for the
    problem would be released in its December Mac OS X update, but that
    Apple released easy-to-read guidance (complete with screenshots) for
    users to mitigate this problem on November 26.  Somehow he missed
    that.
    
    Since he's obviously neither a technologist (despite writing for a
    technology magazine) nor a security expert, let's examine a few
    differences between Mac and Windows to see why Macintosh systems are,
    despite his crowing, whining, and wishing, inherently more secure than
    Windows systems.
    
    The real security wisdom of Mac OS lies in its internal architecture
    and how the operating system works and interacts with applications.
    Itıs also something Microsoft unfortunately canıt accomplish without a
    complete re-write of the Windows software.
    
    At the very least, from the all-important network perspective, unlike
    Windows, Mac OS X ships with nearly all internet services turned off
    by default. Place an out-of-the-box Mac OS X installation on a
    network, and an attacker doesnıt have much to target in trying to
    compromise your system. A default installation of Windows, on the
    other hand, shows up like a big red bulls-eye on a network with
    numerous network services enabled and running. And, unlike Windows,
    with Mac OS X, thereıs no hard-to-disable ³Messaging Services² that
    results in spam-like advertisements coming into the system by way of
    Windows-based pop-up message boxes. And, the Unix-based Mac OS X
    system firewall ­ simple enough protection for most users -- is
    enabled in by default, something that Microsoft only recently realized
    was a good idea and acknowledged should be done in Windows as well.  
    I guess Lance didn't hear about that, either.
    
    Then there's the stuff contributing to what I call "truly trustworthy
    computing."
    
    When I install an application, such as a word processor, I want to
    know with certainty that it will not modify my system internals.
    Similarly, when I remove the application, I want to know that when I
    remove it (by either the uninstaller or manually) itıs gone, and
    nothing of it remains on or has modified my system. Applications
    installed on Mac OS X donıt modify the system internals ­ the Mac
    version of the Windows/System directory stays pretty intact. However,
    install nearly any program in Windows, and chances are it will (for
    example) place a different .DLL file in the Windows/System directory
    or even replace existing ones with its own version in what system
    administrators grudgingly call "DLL Hell."  Want to remove the
    application? Youıve got two choices: completely remove the application
    (going beyond the software uninstaller to manually remove things like
    a power user) and risk breaking Windows or remove the application (via
    the software uninstaller) and let whatever it added or modified in
    Windows/System to remain, thus presenting you a newly-but-unofficially
    patched version of your operating system that may cause problems down
    the road. To make matters worse, Windows patches or updates often
    re-enable something youıve previously turned off or deleted (such as
    VBScript or Internet Explorer) or reconfigures parts of your system
    (such as network shares) without your knowledge and potentially places
    you at risk of other security problems or future downtime. Apparently,
    Lance doesn't see this as a major security concern.
    
    Further, as seen in recent years, Microsoft used the guise of a
    critical security fix for its Media Player to forcibly inject
    controversial Digital Rights Management (DRM) into customer
    systems.[2] Users were free to not run the patch and avoid DRM on
    their systems, but if they wanted to be secure, they had to accept
    monopoly-enforcing DRM technologies and allow Microsoft to update such
    systems at any time in the future.  How can we trust that our systems
    are secure and configured the way we expect them to be (enterprise
    change management comes to mind) with such subtle vendor trickery
    being forced upon us? Sounds like blackmail to me.  (Incidentally,
    Lance believes the ability of a user to "hack" their own system to
    circumvent the Apple iTunes DRM makes the Macintosh a bigger "hack
    target" for the purposes of his article....apparently, he's not
    familiar with the many nuances of the terms "hack" and "hackers" or
    knows that power-users often "hack" their own systems for fun.)
    
    What does that say about trusting an operating system's ability to
    perform in a stable and secure manner? Windows users should wonder
    whoıs really in control of their systems these days. But Lance is
    oblivious to this, and happy to exist in such an untrustworthy
    computing environment.
    
    On the matter of malicious code, Lance reports being "driven crazy"
    when Mac users grin at not falling victim to another Windows virus or
    malicious code attack. He's free to rebuild his machine after each new
    attack if he wants, and needs to know that Mac users are grinning at
    not having to worry about such things getting in the way of being
    productive.  You see, because of how Mac OS X was originally designed,
    the chance of a user suffering from a malicious code attack - such as
    those nasty e-mail worms - is extremely low. Granted, Mac users may
    transmit copies of a Word Macro Virus if they receive an infected file
    (and use Microsoft Word) but itıs not likely that ­ again, due to Mac
    OS X's internal design ­ a piece of malicious code could wreak the
    same kind of havoc that it does repeatedly on Windows. Applications
    and the operating system just donıt have the same level of trusted
    interdependencies in Mac OS X that they do on Windows, making it much
    more difficult for most forms of malicious code to work against a
    Macintosh.
    
    Unlike Windows, Mac OS X requires an administrator password to change
    certain configurations, run the system updater, and when installing
    new software.  From a security perspective, this is another example of
    how Apple takes a proactive approach to system-level security. If a
    virus, remote hacker, or co-worker tries to install or reconfigure
    something on the system, theyıre stymied without knowing the
    administratorıs password stored in the hardened System Keychain.
    (Incidentally, this password is not the same as the Unix 'root'
    account password of the system's FreeBSD foundation, something that
    further enhances security.)
    
    Lance also fails to recognize that Windows and Mac OS are different
    not just by vendor and market share, but by the fundamental way that
    they're designed, developed, tested, and supported. By integrating
    Internet Explorer, Media Player, and any number of other 'extras'
    (such as VB Script and ActiveX) into the operating system to lock out
    competitors, Microsoft knowingly inflicts many of its security
    vulnerabilities onto itself.  As a result, its desire to achieve
    marketplace dominance over all facets of a user's system has created a
    situation that's anything but trustworthy or conducive to stable,
    secure computing.  Mac users are free to use whatever browser, e-mail
    client, or media player they want, and the system accepts (and more
    importantly, remembers!) their choice.
    
    Contrary to his article, the small market segment held by Apple
    doesn't automatically make the Mac OS less vulnerable to attack or
    exploitation. Any competent security professional will tell you that
    "security through obscurity" - what Lance is referring to toward the
    end of his article - doesn't work. In other words, if, as he suggests,
    Mac OS was the dominant operating system, its users would still enjoy
    an inherently more secure and trustworthy computing environment even
    if the number of attacks against it increased.  That's because unlike
    Windows, Mac OS was designed from the ground up with security in mind.  
    Is it totally secure? Nothing will ever be totally secure. But when
    compared to Windows, Mac OS is proving to be a significantly more
    reliable and (exponentially) more secure computing environment for
    today's users, including this security professional.
    
    If Lance is sleeping well believing that he's on an equal level with
    the Mac regarding system security, he can crow about not being overly
    embarrassed while working on the only mainstream operating system
    that, among other high-profile incidents over the years, facilitated
    remote system exploitation through a word processor's clip art
    function! [2]
    
    Trustworthy computing must be more than a catchy marketing phrase.
    Ironically, despite a few hiccups along the way, it's becoming clear
    that Mac OS, not Windows, epitomizes Microsoft's new mantra of "secure
    by design, default, and deployment."
    
    Who's crowing now?
    
    
    [1] Macs Are Not Invulnerable
    http://abcnews.go.com/sections/scitech/ZDM/mac_vulnerablility_pcmag_031211.h
    tml
    
    [2] Microsoft Makes An Offer You Can't Refuse
    http://www.infowarrior.org/articles/2002-09.html
    
    [3] Buffer Overflow in Clipart Gallery (MS00-015)
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
    bulletin/fq00-015.asp
    
    
    # # # # #
    
    Richard Forno is a security technologist, author, and the former Chief
    Security Officer at Network Solutions. His home in cyberspace is at
    http://www.infowarrior.org/.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Mon Dec 15 2003 - 06:06:44 PST