So, you think that since there are so few holes in your Mac OS that you’re invulnerable to attack? That may be true for Trojans and viruses, but it’s not the case for phishing attacks that can be fiendishly deceptive and destructive. Not worried yet? Read this column and you might think again.
News at eleven.
No operating system protects from phishing scams, but they can certainly avoid executable attachments and other design gaffes famous in Windows. I’m sorry, but only common sense can really secure you against a phishing scam or trojan. Software will never be 100%.
In the meantime, enjoy the sensationalist headline. It’s brought to you by online ad revenue.
Man thanks for the update, Linux, Windows, mac, hell maybe even commodore 64 isn’t immune. Seriously nothing is secure against social engineering if the person is gullible enough.
It’s obvious you were looking for a flame war somewhere!
[comment removed by OSAlert Staff]
It’s nice that you didn’t overreact or anything. That would have been stupid.
Because we all know pretending to care about something is much more honest than admitting you don’t.
[comment removed by OSAlert Staff]
I totally agree with you. I bought a Macbook pro last year, top of the line. When I got it home I discovered a huge bug, ctrl-tab would not work, no window switching! I filed a bug with Apple and they did nothing!! So you know what I did, I set fire to it. I’m never going back to Apple, worthless crap. And Steve Jobs hates puppies, it’s a known fact.
Hey, I hate puppies too. Maybe I should get a Mac.
Isn’t it command-tab? Is that why it didn’t work?
Command-Tab smartie-pants
Apple, the image:
http://www.flickr.com/photos/emeidi/43356340/
Apple, in real life:
http://img.worsethanfailure.com/images/200710/error‘d/Windows-iPhone.jpg
EDIT: OSNew’s autoparser seems to hate apostrophes.
Edited 2008-02-07 06:16 UTC
that’s an ATT window hoser
I don’t know if the second image was meant to link to a dead link and reveal an IIS 404 page error, but it does just that in KDE 3.5.8.
The apostrophe is not playing nice from the OSAlert site, but you can still see the funny image by copying the entire URL and pasting it into a new browser window or tab.
Either this is baloney, or you’re a very emotional man.
Giving you the benefit of the doubt here; did you even once consider reading what they wrote before getting upset and putting the email “right in the trash”? Did you consider they were requesting further info? Did it even occur to you for a second that despite your infallible genius, you just got it wrong?
Oh, and my high end Mac Pro? I got a PC, with better specs than the Mac Pro I sold, and it cost less.
What does that have to do with the price of eggs?
At least Microsoft pretends like they care about fixing security issues.
I can assure you that they do more than “pretend”.
[comment removed by OSAlert Staff]
Bla bla bla bla, move to linux and shut up. You’ll surely have less problems. Or try Windows Vista, it has really nice features. In the end, linux would have fixed your problems within a week and microsoft cares about your problem.
*sigh*
To get something that people have some confidence that the vendor will stand behind it, take backwards compatibility at least semi-seriously and fix serious bugs and security issues, that’s exactly what most people are doing – and have been doing for some time. Mac’s desktop market share is still minuscule, and it will remain that way.
You’ve just accurately summed up Apple’s attitude. Congratulations.
Ok. Who cares. Do you care? Do you own many Macs and your entire life depends upon it? Guess no.
Linux does not have any “vendor to stand behind it”. There are RedHats, SuSe’s, etcetera. But in the end if linux didn’t have a brute force of Open Source hackers, it wouldn’t have a damn security fix… fixed.
I couldn’t care less about Linux, seriously. @Servers I use OpenBSD at desktops I use Macs. And Mac “desktop market share” is not as minuscule as you think. Oh but you crawl in a server room full of “Login: ” prompts. Sorry.
You’re defending someone who screams like hell how much he hated Macs without a solid evidence of what he’s saying is true and overreacting like an 8 year old child.
I, for instance, do not share the same “benefit of the doubt” another user gave. I simply do not believe it. You just don’t “sell all your stuff and suddenly become a hater because they didn’t respond in two months”. You don’t. And the security flaw… show some proof, real proof. Then Apple will respond; so far, I haven’t seen it. But go ahead, I repeat. Move along. Who cares about your sold equipment and stuff?
I don’t understand your point of view, the user was angry at Apple and decided to post it here.
You’ve just accurately summed up Apple’s attitude. Congratulations.
Thank you, you’ve just accurately written a sentence that sums up the “We’re so geeks that we’ve heard this over and over and we just can pretend to be the good guys in the room moderating every single conversation”.
Cry a river, build a bridge and get over it. I don’t care about any Apple Attitude, primarily because I use the computers to get things done, not to cry because a widget is brown or orange (some pun intended ubuntu fans)
Apple attitude is way more simple than that. It just works™. When it doesn’t, apple fans cry. The day a serious threat is found and exploited on a Mac, you can come back here and say: “I told you”. Until then, leave the “apple attituders” in peace.
He, he. You got modded down because you criticised Apple. Shame on you!
While I haven’t had too much exposure to Apple’s server, I haven’t heard great things about it or Apple’s ‘support’ either. The general fix seems to be that you install your own Apache, PHP and other server components, especially if you want minor new features, fixes or more timely security updates.
Apple is heavily driven by features, buzz and Steve Jobs soundbites. That’s where Apple’s focus is. If you’re expecting anything to be fixed, well, that’s what the next version of Mac OS and the latest iPod is for. That philosophy doesn’t work too well if you want to actually rely on their software.
So, you have an opportunity to settle the argument once and for all and prove that there is a flaw in the Mac, but you’re keeping it to yourself because you’re scared of Apple’s lawyers. Still, you don’t mind telling us that it is there, and take the opportunity to throw in some additional rants about “8800”s, Time Machine and ipods.
No worries…
I think that’s my favorite part of your little rant. Did you have your red clown nose on when you typed that?
Seriously, what kind of ‘third party graphics cards’ do you think they have inside Macs?
I will not even pretend to argue with you here. While Apple’s done great things to UNIX to make it a desktop OS, it’s relatively clear those things don’t translate to a wonderful server OS. Moreover, OS X is similar to Ubuntu in that upgrading key components is largely dependent on upgrading the entire OS to a new release — or being willing to leave behind the cozy warmth of pre-rolled binaries for manually compiling their own software. AIX and HP-UX users have similar problems for the same reason.
In the end, server admins who aren’t using Linux or a BSD need to ask themselves why they’re wasting this much time. Usually it’s because of PHBs who wet themselves at the thought of not using a product whose name has a registered trademark symbol beside it.
No such thing exists. Graphics cards are made of two things: GPU chipsets and firmware to control them. The firmware is keyed to the requirements of the OS, and often contains hardware-optimized copies of the OS’ own graphics libraries. Proof of this comes from people who have bought ATI graphics cards and successfully flashed the equivalent Mac model’s firmware on them. Linux works by reverse engineering the firmware, usually at a performance cost. You’ll notice that most Linux users prefer nVidia, although ATI’s recent change of heart on opening their specs may change that.
No argument here.
I think you’ve had too much coffee. Have a glass of water, maybe pour it over your head. You do a lot of jumping around and hand waving so I’ll pick one point.
You’re complaining about security and you installed a “dodgy” copy of PHP/Apache? Open mouth, insert foot?
He’s in touch with his feelings. Women dig chicks in touch with their feelings.
HAHAHA, OH WOW!
Pardon me, but how exactly do you define something as an exploit if it doesn’t execute code?
And you completely dumped a platform from hardware to your job because you had to wait 60 days for a response? Excuse us if we don’t believe you.
Users of Debian variants were unable to digitally sign OpenOffice documents without the program crashing for at least eighteen months because the maintainers insisted on using a deprecated encryption library in their compile options, despite multiple bug reports posted across at least two trackers. Ubuntu maintainers pointed their fingers at the Debian maintainers and the Debian maintainers did pretty much nothing about it.
PPC Linux users with G3s can’t use the Gnash SWF player plugin or several multimedia apps because an Ubuntu Feisty dev arbitrarily decided to compile a dependent math library without support for non-AltiVec CPUs (previous releases of Ubuntu had this option flagged in their compiles). This bug was reported repeatedly and devs were reminded that SuSE had fixed this problem in their distro. It remains unfixed two releases later. There are similar issues with now-broken support for IDE drives.
Draw an X in GIMP, marquee select an oval shaped selection around the middle, select the paintbucket tool and click on any of the V shaped regions. In any other paint program, this fills the V all the way to the marquee. In GIMP, it fills the entire marquee selection regardless of the boundaries the X creates (because the fill isn’t using the marquee as a mask). When I asked the GIMP devs to fix this, their response was “The bucket fill code is too optimized to modify” (translated: undocumented and incomprehensible). It remains unfixed.
Let’s get to Microsoft. Key HTML elements remain unused because IE *still* doesn’t implement them to W3C spec. BUTTON, OBJECT… And Microsoft closes those reports with comments to the effect that they will not be fixed. IE8 claims it will finally get CSS2 right, but I doubt it will correctly apply the text-align:center property to tables or even implement most of the CSS2 spec missing since it was announced in 2001.
I commend you on your troll, but honestly you haven’t a clue as to how deficient most software is and how selective vendors/maintainers are about fixing bugs.
Edited 2008-02-07 16:37 UTC
Denial of service, privilege escalation, spoofing … any of these ring a bell?
Who’s “we”? Are you presuming to speak for everyone here? Don’t. Bad presumption.
I see your point and agree with it to some extent, but at least in the two cases listed above, one would still have the option of applying existing patches in the source code – given that there is one in the first place which is very likely if enough people are interested in it – and recompile the application from scratch on Debian and SuSE. And no, it won’t break anything and it won’t leave files scattered on the hard drive if one creates a package using checkinstall or “make deb” when possible whereas on an Apple system this is not really feasible most of the time (if not impossible at all).
But he does make a fine point as well, since Apple tends to ignore security advisories as much as they can while at the same time they are proud to say that they take security seriously and puff their chest when comparing themselves to a certain competitor based in Redmond…
As another poster correctly pointed out, if you’re going to deploy an OSS stack manually and have to keep it yourself, why not save some bucks with the hardware and install a proper server operating system where the package manager will handle security fixes? OSX is notoriously bad at some server tasks such as database servers as it is.
I’ve seen some people here throwing really harsh comments towards MS and the OSS *nixes as far as security is concerned that don’t seem to have any problem with the way that Apple handles these issues, even if they’re not better than MS in certain situations…
Edited 2008-02-07 19:52 UTC
I tried that with OpenOffice and my result was an application which could now digitally sign documents but wrecked my desktop’s integration with OOo — and OOo is an integral part of Ubuntu. You can’t remove it. The fix for the coprocessor library kept flagging Update Manager to replace it with the broken version.
Replacing broken components of Ubuntu is not a cakewalk. Yes, it’s possible, but it requires more effort than the average schmoe understands.
Actually he’s right. I have submitted a security bug report for a remotely triggerable security issue (I consider mine high, because it’s remotely triggerable, but it doesn’t execute code, but it’s not easy to fix, causes massive headaches, and can affect many people at once).
I called bullshit.
Sounds like a poorly constructed strawman to me. Burn baby burn!
I’d rather trust my own judgement over Norton any day, it’s worse than most viruses.
This article certainly proves that the author felt unhappy about responses to his Apple criticisms in the past. He begins as if the threat he describes is a new, hitherto unknown vulnerability in the Apple platform. Then he describes vulnerabilities that are not platform specific at all.
What shines through most is his strong resentment of Apple users. And then he concludes with a determined attempt to do nothing less than gratuitously piss on the parade of happy Mac users everywhere. Surely he could have written this article without specific reference to the Apple platform!
If I allow such scams to succeed on my Mac then it’s my problem: not his. I wonder if this miserable tosser has shares in a security suite company.
Don’t get me wrong, the article is pretty lame, but the author does have a point that many hardcore Apple fans tend to be complete nuts.
They take no criticism, they tend to be obsessed over the most minute Apple BS. They are unable to comprehend that Apple is just another company (one that isn’t particularly pro-consumer mind you).
Don’t get me wrong, the article is pretty lame, but the author does have a point that many hardcore Apple fans tend to be complete nuts.
He would have had a point also if he had said that many hardcore Apple haters tend to be complete nuts.
They take no criticism, they tend to be obsessed over the most minute Apple BS. They are unable to comprehend that Apple is just another company.
Only read the article if you feel you need a very large dose of obviousness.
“Only read the article if you feel you need a very large dose of obviousness”
I obviously felt the need this morning. My fill has been filled for a good week or so.
Edited 2008-02-07 09:45 UTC
So the point of this fine news item being posted here on OSAlert is…?
The only thing it does is attract the crazy people like Auzy who don’t seem to get enough attention in real life.
Seriously, there should be a rule, if an author goes for two paragraphs about how Mac (or any other OS) users are “puffing up their chests, raising their chins and sniffing” or are “angry hoard of Mac nuts” or saying “whooshing sound you hear is that of a million Mac-o-philes’ chests deflating”, well, the article should be banned on every channel. Especially on OSAlert. Let’s keep things clear from bigotry and bullshit, folks. This ain’t no trashyard.
Edited 2008-02-07 09:23 UTC
Well, they’re certainly not going to get it from Apple.
Bizarrely, you’ve just accurately displayed what the author of the article is talking about. You don’t get to censor articles based on them being apparently critical of Apple, I’m afraid.
Fact is, a great many Mac proponents have tried to play the ‘more secure’ card when giving reasons why people should use OS X, and Apple have certainly done that in a big way. The reason why people haven’t been really stung by any exploits is:
1. Few people use Macs, either on the desktop or the server, so fewer people are looking for security problems who are willing to exploit them.
2. Apple doesn’t use open source software for OS X, so fewer people are handling the code to find exploits. Even when Apple does use open source software, they still have a hard time updating it.
Yes, everybody is at risk of phishing attacks. It’s not major news. However, you would have thought that Apple could have put in some nice and usable methods to help out given their security angled marketing, wouldn’t you? I mean, even if it is a basic Thunderbird style ‘This mail might be a scam’ warning message, or a mass list of scam web sites that they use to warn users of through Safari as they surf.
Is OS X perfect, of course not. But this argument that because of its comparably small user base it hasn’t been targeted and probably is much less secure than stated is dumb.
For one, a hacker trying to exploit OS X and succeeding would garner much more attention than another Windows flaw.
(so targeting it would be a big incentive)
And secondly, if that was true, why did so many security flaws/viruses exist for OS 8.x and OS 9.x which had an even smaller user base than OS X? So obviously OS X is doing something right.
Actually OS X uses a fair amount of open source software including the core system/kernel, Darwin. Sure it’s not Linux and has the source released the same day, but it’s a far cry from “hard time updating it.”
In regards to phishing attacks, this is obviously becoming an increasing problem for all OSes. Unfortunately no software will ever be enough for these attacks and operator education will remain the best defense.
(Of course signed/verifiable email addresses would help.)
Based on what?
Errrr, no. Exploits are found because of people using the software in a wide variety of ways (a lot of people use Windows), and preferably, doing stuff with the source code (open source). The more ways you can use the software and the code, the more problems you’re going to find.
You’re going to need to verify that. Mac OS 8 and 9 were real pieces of junk, and all it tells you is that problems were easy to find.
Darwin is used relatively little, if at all, outside of OS X. There are parts of OS X that remain completely closed. Having an open source project is not good enough. The real issue is whether anyone can actually do anything with the source code.
There are many ways in which suspected phishing can be pointed out to a user, and the point is, if Apple are going to promote OS X as a secure OS and tell people they don’t need anti-virus and other security software, they need to be bundling more in.
What the hell does having access to the code have to do with being able to exploit the software? As far as I know XP was closed source and that didn’t stop anyone from exploiting the system to its fullest regardless of what MS would do to patch it. I’ve seen people exploit things in Vista. Linux and the BSD are mostly open source and it is considered one of the more secure OS’s around. Marketshare may play a factor but I think the fact that it’s oss gives it an edge. Any security issues that arise are usually patched by the community themselves and they usually respond much faster than any of the proprietary companies. So you are going to have to explain what you meant here.
That’s the point. You don’t want too many people, if any, exploiting it. The whole point of putting the source code out there is get people trying it out, putting it into a lot of different scenarios and being able to fix things before anything bad happens. Security also has to become a primary concern for developers because they can’t hide anything, so they have to think before they code.
Errrrr, yep. There’s a message somewhere in there. However, without the market share Microsoft would not know of these problems and would not be patching them – until the brown stuff really hit the fan.
That’s pretty much what I’m saying, so I’m not sure what you think I mean.
Sorry, what I got from your post was that the software was more exploitable because it was oss. I guess I misunderstood.
No they don’t use open source, except you know Darwin (the os itself), CUPS, apache, khtml, the entire bsd toolchain, BerkeleyDB, python, perl, ruby, X11, SQlite, samba, ldap, …
It’s easier to list the closed source parts of OSX.
I had to laugh at some of the comments.
I just got back from an Apple server event in Ruidoso. It’s a nice little place in the mountains of New Mexico at 1828 m above sea level. Skiing, gambling, tourism, lots of mountain homes, warm people and good attitudes.
Anyway, the event had a large number of K-12 and higher education people there. These are `long time` IT managers, directors, systems people, etc.
Their largest complaint? Windows. Seriously.
Between the licensing fees, constant maintenance and security issues they are looking for other options. These are Windows systems administrators, directors, managers, etc. Not just a single disgruntled person who took their expensive Mac Pro back for a PC.
This article is a rehash of what all systems people know. All operating systems are insecure. Some less than others. Some seriously less than others.
Most networks are compromised from bad design and user idiocy. The last one being the big one.
Allow me to use a real-world example. If a person, and I will not name them, yes, them, there are more than a dozen on a large campus, use the same password for their system log in, e-mail password, chat login, bank account, my space page and it many questionable design sites – you are going to be cracked and phished.
I use a Mac since I can touch all operating systems. It is `reasonably` secure and I am not a complete idiot on the ways of the internet. Too many people spend way too much time shopping, chatting and making modifications to their myspace pages. So far I’ve repaired two Vista home editions computers from this crap.
It’s going to be a bit of a bummer for them when they discover that the only way to get a fix for a serious bug or security issue they need resolved is to upgrade to Mac OS X [Insert new cat name here] Server (it has already happened), and where they live in a world where Apple will habitually break backwards compatibility with everything at the drop of a hat. Hell, there is a problem with software updates with Leopard Server that can only be rectified by upgrading to 10.5.2. This is critical enough that an individual patch should have shipped immediately.
Apple are about creating pretty iPods, laptops and marketing. They’re not the company for this.
Well, that’s why I personally think anyone who’d use a Mac for a server is an incompetent ass, and should be fired from their job.
Macs make great client machines, but I would never run one as a server. As others have said, you basically have to install all the server software yourself to keep it up to date / secure.
Apache and PHP aren’t something that “not many people use them, so not many exploits are found.”
If you’re going to use all the open source software for servers anyhow, I’d rather just throw on a Linux distribution and let the package maintainers do their job of keeping the software secure and up to date.
This of course also includes the fact that Mac OS X has (had?) lousy performance on MySQL.
As others have said, Apple is good at making things stylish and marketable. A server is something that just sits in a room and does its job quietly, without needing any sort of ‘ooh and aah’ sort of drooling over it.
I’m assuming this was posted because today was a slow news day. Or perhaps just for a flamewar laugh.
This is not news, not technical and not interesting.
Some journalistic member should write an article for a mac publication about how Windows users are pox in the internet. They’re a disease destroying the world/internet. They’re the ones pumping out spam by the bazillions. Those botnets are where most of these phishing scams originate. We should all be shocked to discover this and we can have another flame war on osNOTnews.
I totally agree with that. While the threat for Macs is still imaginary, we have billions of windows machines pumping out spam. Nobody seems to care. It’s just, you know, life!
Edited 2008-02-07 20:00 UTC
blah blah blah another idiot article
I don’t believe that this is entirely true. True there are remote exploits into MAC OSX. But the fact of the matter is that this is a ploy from Antivirus vendors to generate business on an old business model (Windows). You cannot compare the two. Mac OSX users need rootkit detection. NOT Antivirus software. As for MAC users in general. More and more MAC users are defecting from Windows. But a lot of them have the Windows user mentality of permissiveness. THOSE people may need some form of education in security. NOT Antivirus software.
I’m not sure why you’re drawing such a large distinction between a rootkit infection and a virus. Rooting a machine or infecting it with a virus can produce the same practical outcome. So, why can’t AV programs treat rootkit infections as exploits akin to viral infections?
Competition is good.
Agree.
Disagree. Most people will never get “some form of education in security” and, when the degree of user permissiveness determines whether someone will become infected by a virus/rootkit, these people need some kind of reasonable fallback. Don’t judge the need for AV software by your own technical skill. You don’t represent the average user; in fact, the average user is essentially a technical moron.
This blog post seems designed by Apple marketing.
“Mac users, beware, you are not as safe as you thought! If you are stupid enough to fall for the Nigerian scam, your Mac can’t protect you. You need security software!” LOL
I’m wondering whether there are issues that are being addressed in 10.5.2 – maybe I am paranoid but I’m wondering whether the delay in releasing 10.5.2 has been due to numerous bugs and security issues being addressed – and Apple not disclosing those security fixes straight away because it would expose end users to problems in the mean time.
With that being said, I hope for the day when Apple does take advantage of Objective-C 2.0 and starts using garbage collection whenever and wherever possible; especially on those components which are security sensitive or parts which run all the time, and if there is a memory leak, could reduce performance and uptime.
With that being said, I think it is very chicken little of people to run around claiming the sky is falling when in reality, yes, all operating systems have security issues, but I don’t see brain dead security issues popping up. Some of the issues are so obscure it’s the equivalent of, “you will only get your computer hacked if you have a blue background, your office window open and you’re listening to Kylie Minogue all at the same time”.