Thursday, May 04, 2006

“Mac OS X is Insecure” Rivals “Paul is Dead” as Publicity Ploy

From: http://www.tonybove.com/getoffmicrosoft/blog/

It was a slow news week in February, so the press naturally ganged up on the “Mac vulnerability” story.

News reports, such as “Is Mac OS as safe as ever?” By Joris Evers of CNET News.com, stirred up the flamers in both Windows and Mac camps with statements like this one:

Apple Computer fans have long loved to point out the safety of using Mac OS X, which has mostly been left to its own devices by hackers. But the arrival of three threats has some asking: Is the software’s charmed security life over?

The Beatles’ charmed life as band may have been over in 1969, but it wasn’t because Paul was dead.

Of course, George Ou at ZDNet got in on the blood frenzy with “Extremely critical Mac OS X zero-day exploit released“:


The problem is severe because a user simply needs to visit a malicious website and shell scripts with launch with zero user interaction! [bolding his]

Oh my gosh! There are clues on all the Beatle album covers!

I reported on two Mac OS X flaws last week, but this news frenzy centered around a new vulnerability that runs a script in the Mac OS X Terminal program if you merely visit a Web site with Safari, and points to possibly other methods of running a script surreptitiously.

This comment from mdfischer to George Ou was most useful:

The problem can be worked around by renaming the Terminal program in /Applications/Utilities, or moving it elsewhere… This should be a non-problem in a day or so. It was a clever hack, but Apple should have caught this in their QC. It hasn’t emerged as a ‘real’ problem yet (unlike the numerous Windows exploits). Sadly, however, this is an opportunity for mac-haters to crow … why not let them. They don’t, and won’t, get many other chances. Go ahead and give them a taste of what it is like to be in the shoes a mac user. And take this opportunity to experience in ever so small a way what it must be like to be in theirs.

Renaming or moving the Terminal program, as described above, is a sure way to fix future exploits that use the same method of running a script. But most of us already have a way to block this method. By default, Safari leaves off the dangerous option to “Open ’safe’ files after downloading”. You would need to turn this option on for this vulnerability to exist. FireFox and other browsers don’t even offer this option and are safer as a result.

The vulnerability can also use Apple Mail if you click on a JPG attachment — such as a “picture” from someone you don’t know. Well, don’t do that! And if you like to live dangerously, then rename the Terminal program as described above.

Like I said, it was a slow news week, and security experts took the opportunity to crow about their research and get publicity. I’m on the verge of calling it a conspiracy — of security experts to drum up business. But it is human nature to poke at this scrap of news and turn it into a discussion of whether anything at all is secure.

I think it’s wrong to believe that since all software is ultimately vulnerable, Mac OS X is not secure. All locks are vulnerable, but some can be picked a lot easier than others, and people generally choose better locks so that they can sleep at night. That’s what the editors (and mainstream bloggers) should remember when they bends over to give these security firms free publicity in exchange for exciting headlines — see “Mac Attack a Load of Crap” by Leander Kahney in Wired News:

These security woes prompted a rant from one of our editors in a daily story meeting.

Mac security-threat stories are annoying, he said, because they play off misconceptions — held with a fervor bordering on the religious — that the Mac platform is inherently more secure than Windows. Not so, he insisted. Microsoft has done some stupid things that exposed its customers to unnecessary risks compared to Mac users. But all systems are theoretically vulnerable, so it’s inevitable that the Mac citadel will eventually be breached.

The Mac has had no viruses to date, he said, primarily because of its small market share. It’s got a superior track record compared to Windows, but it’s not invulnerable; rather, no one has bothered to spend much time trying to attack it. Now that hackers are taking more notice, life will get harder for Mac owners. He suggested I tackle this “wake up call” in this column.

Kahney was all set to write this column in the way the editors wanted, but decided, instead, to write the truth:

I’m not going to be running any anti-virus software anytime soon, just as I haven’t run it for many years.

Also, I’m not going to turn off any preferences that make my daily computing habits any less convenient (the browser takeover is protected against by disabling the “Open safe files after downloading” preference in Safari).

The smuggest of smug Mac users is right: the platform is more secure, and these new security threats are no more threatening that a paraplegic kitten…

These Mac security holes are a storm in a teacup. They’ve inspired hundreds of stories in the press and even the national network news, but if they were Windows holes, no one would have blinked…

These Mac “threats” are only news because of their novelty, not the threat level they pose.

I guess the surviving Beatles will have to do solo albums now. And who was that guy who was knighted by the Queen of England? Sure looked like Paul to me.

delicious digg technorati yahoo newsvine google socialize