
Company is showing signs of improvement; past flaws took it up to a year to patch

Famed OS X hacker Charlie Miller once told a security blog, "Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town."

But of late there have been some thieves in the farmhouse, and even Apple, Inc. (AAPL) has started to admit that it has security issues -- well, after realizing that telling its technicians to lie to customers about them might be bad publicity.  One recent piece of malware is estimated to have infected 600K Macs and generated millions in profit for identity thieves alone.

Kaspersky Lab, a top security firm, recently warned the public that Apple's security was 10 years behind Microsoft Corp.'s (MSFT).  Evidence of that was seen in the 10.7.3 build of OS X "Lion", which, due to a programming error (a stray debugging flag left on in OS X's source), accidentally logged in plaintext the passwords of users who used legacy FileVault settings.

An Apple user, Eric Hildum, complained in the support forums three months ago:

I’ve tried it on another Mac as well, same result: The login of a normal network user writes this log line as his homedir gets mounted.
This poses a security risk. We have some users who are local admins, they could ask another user to login on their Mac and look for the password afterwards. Extraction in single user mode would be possible as well.

Is this a “speciality” of our environment or is this a known bug? Can I turn this behavior off?
We are running Lion clients with a SL Server and using OpenDirectory.

Apparently the Apple answer was that this was a "feature" for the time being, because the user received no reply to his pleas for three months.  Then a security researcher by the name of David Emery posted his findings to the Cryptome mailing list, a list frequented by hackers.

As noted by Mr. Emery, the issue did not affect purchasers of new Lion systems, but might have affected many users of legacy systems who upgraded to Lion.

With the Cryptome email, the media began to catch wind of Lion's penchant for plaintext password dumping and Apple was forced into the awkward position of providing an "update" for its "feature".

Hence OS X 10.7.4 was born, and aired today to loyal Lion subscribers.  

The patch also "improves" other "features", such as no longer losing settings to the "reopen windows when logging back in" checkbox, and allowing "certain British third-party keyboards" to finally work.

Apple may still be living in the dark ages of security, but at least it's figured out not to store users' passwords in plaintext, even if it took the company three months of complaints.  On the plus side, the three-month turnaround is faster than past incidents where Apple took up to a year to fix past security issues/features.


Comments

Old Quotes
By ltcommanderdata on 5/9/12, Rating: 0
RE: Old Quotes
By macdevdude on 5/9/12, Rating: -1
RE: Old Quotes
By captainBOB on 5/9/2012 6:14:55 PM , Rating: 5
There is a point, while OS X security is now *almost* on par with Windows 7, Apple is absolutely terrible when it comes to releasing security updates...CRITICAL updates in a timely manner, it will be Apple's undoing if they don't hustle with the updates.


RE: Old Quotes
By Labotomizer on 5/9/2012 10:01:53 PM , Rating: 5
Charlie Miller's comment may not be relevant but Kaspersky's certainly is. Kaspersky is saying Apple's security process is where Microsoft's was when XP was released. That puts them 10 years behind in their security process. How can you be okay with a bug that stores network and local passwords in plain text in an unencrypted area of the drive that goes for 3 months without being patched? You'd be standing outside Redmond with pitchforks and torches. But you can defend Apple?

How can you defend a Java bug that resulted in over 600k infections that was fixed for over 3 months before Apple updated the version they won't allow Sun to update directly? And 600k is roughly 1% or so of the OS X install base. I know what you're thinking, 1% isn't bad. To put that into context 12 million Windows infections would be 1% of the Windows install base. The last major virus that hit Windows that didn't require direct user intervention to spread? Conficker. It affected around 2-3% of the Windows install base. However it exploited a vulnerability that had been fixed for almost 6 months before the Conficker worm hit. So that's end user or IT stupidity/laziness.

Microsoft has one of the best security practices in computing today. Do they respond as fast as Linux? No, but they also have validation and extensive testing of patches. Linux users have to worry about a patch causing issues with other programs that are dependent on files that have changed. It's very unusual for the MS patches to cause widespread problems. They are easily 10 years ahead of Apple and MS actually discloses the information when the patch is released so IT staff can determine testing order and deployment priority.


First Part of the Problem
By amandahugnkiss on 5/9/2012 6:59:20 PM , Rating: 2
"... with a SL Server and using OpenDirectory."

OSX Server? At least use a Linux box for authentication and housing user directories, bout the only need for OSX server is to create/host Netboot images.




RE: First Part of the Problem
By borismkv on 5/9/2012 7:21:53 PM , Rating: 5
quote:
OSX Server? At least use a Linux box for authentication and housing user directories, bout the only need for OSX server is to hold down the floor


FTFY


By amandahugnkiss on 5/9/2012 11:40:51 PM , Rating: 2
well played sir...


Grammar Police
By frobizzle on 5/10/2012 8:41:26 AM , Rating: 4
Sorry, Jason, but this one is just too annoying!
quote:
Apparently the Apple answer was that this was a "feature" for the time being, because the user received no reply to his please for three months.

Shouldn't that be "pleas"?




I so enjoy this
By DaveAnderson on 5/11/2012 6:53:48 PM , Rating: 3
I know I am bad but the YEARS I have behind me listening to the mac lovers all high and mighty. The spotlight is so on them at the dinner table now. :)




sheep
By apcrap on 5/10/2012 11:31:34 AM , Rating: 1
Ask yourself this: why is it that it's so easy to hack into an iPhone? Celebrities get their data and photos leaked on the internet all the time, and the phone they use is an iPhone. So why should the OS for a Mac be better? It's not good, and for M$ it's just the same. If you don't want to get hacked into, don't go on the internet and don't buy a cell phone.
Apple = Sheep
Be yourself not a sheep

And if you're going to say hey they make more money and blablabla, that means the sheep made them the $$$

Steve Jobs once said "Unfortunately, people are not rebelling against Microsoft. They don't know any better."




More biased anti-apple Trolling
By macdevdude on 5/9/12, Rating: -1
By JasonMick (blog) on 5/9/2012 5:34:00 PM , Rating: 5
quote:
Look at the facts. Apple is clearly ahead.

When 95 percent of all Windows PCs will get a virus over their lifetime and like 5 percent of Macs get a harmless virus who's really behind? What's your smart answer to THAT Mick?

Wow, I don't even know where to begin. Your facts are so compelling.


RE: More biased anti-apple Trolling
By Reclaimer77 on 5/9/2012 5:48:18 PM , Rating: 2
quote:
I've owned 8 Macs in the last 5 years


LOL what a sucker! They saw you coming a mile away chump.

Any reason you needed to buy so many Macs in such a short period of time if they're really all that great? Just wondering. I certainly don't need to buy a PC every 1.6 years.


RE: More biased anti-apple Trolling
By macdevdude on 5/9/12, Rating: -1
By Digimonkey on 5/9/2012 5:54:54 PM , Rating: 5
Man, did a PC user kick your puppy or something?


RE: More biased anti-apple Trolling
By WhiskeyD on 5/9/2012 6:14:22 PM , Rating: 2
macdevdude you have clearly showed your ignorance. Only noobs like you get viruses and their identity stolen on a PC. I haven't run an antivirus in over 5 years and I've not had a single problem but then again I'm actually competent with a PC. You keep wasting your "six figures" every few months buying macs and I'll build a new "identity stealer" every 3-4 years with my "welfare check" hahah you're a joke


RE: More biased anti-apple Trolling
By Cheesew1z69 on 5/9/2012 7:27:01 PM , Rating: 2
Showed it? He shows it every post he makes.


RE: More biased anti-apple Trolling
By bah12 on 5/10/2012 11:17:25 AM , Rating: 1
LMAO yah he averages -.88 almost every post he gets a -1. What a moron.


By Reclaimer77 on 5/10/2012 2:09:53 PM , Rating: 2
And that's only because -1 is as low as you can go here lol.


By ppardee on 5/9/2012 7:38:18 PM , Rating: 3
When most people quote a 'six-figure salary', they're not including the figures to the right of the decimal.

And generally when someone uses their salary to defend themselves, they are lying since it can't be verified.

I develop apps for a living, too. I've spent less than $2000 on my computers in the last 6 years and have a killer gaming system to boot (Get it... To boot.. It's a joke, son.). I'm not on welfare, just not stupid with my money.

In the end, there are two types of computer users. Those who know they've been hacked, and those who don't know they've been hacked. We know which category you fall into.


RE: More biased anti-apple Trolling
By elleehswon on 5/9/2012 11:25:22 PM , Rating: 2
A cluster of mac pro's for rendering? are you retarded or just trolling? The GPU's in macs are last generations technology, at best! For what you spent on those mac pro's, you could have bought a few cranking PC's(apple's markup is damn near astronomical), run triple SLI, and be able to dick off most of the day as you'd no longer have to waste time watching your pixels fill the screen. Wait, nevermind, you'd probably get a virus...something tells me you're the type that clicks on the boxes on the side of the webpages you visit.

Macs...for people who have no idea what they're doing, but still want to feel like they have something to brag about.

Man, i hope you're trolling... for your sake and mine. Please tell me you're trolling.


RE: More biased anti-apple Trolling
By Rukkian on 5/10/2012 9:58:26 AM , Rating: 2
And for those that want to show off how much of their "6 figure salary" they can blow on overpriced, overhyped, overmarketed crap.


RE: More biased anti-apple Trolling
By fic2 on 5/9/2012 5:57:05 PM , Rating: 2
Actually a new mac every 7.5 months.... (5 years/8 macs = 0.625 years/mac * 12 months = 7.5 months/mac)


RE: More biased anti-apple Trolling
By macdevdude on 5/9/12, Rating: -1
By Cheesew1z69 on 5/9/2012 7:28:52 PM , Rating: 2
Is anyone surprised you are a moron? No...we fully expect it.


RE: More biased anti-apple Trolling
By Reclaimer77 on 5/9/2012 5:59:46 PM , Rating: 2
lol oops, math fail on me. His idiocy shorted out my logic circuit.


RE: More biased anti-apple Trolling
By bah12 on 5/10/2012 11:19:31 AM , Rating: 2
It's ok I think everyone is a little dumber just by having read his posts.


RE: More biased anti-apple Trolling
By iceolate on 5/9/2012 5:59:36 PM , Rating: 2
Macs may look pretty on the outside, but they are full of sh¡t on the inside. Kind of like you. They use very cheap hardware and are poorly engineered. I work in IT at a University, and the students are constantly bringing in Macbooks with hardware problems. I build my own computers with the top of the line hardware, and they last for a decade or more. Can't do that with Mac.


RE: More biased anti-apple Trolling
By Dennis Travis on 5/9/2012 7:14:54 PM , Rating: 1
Do you build notebook computers also? You said Macbook, that is a notebook! :-)Grin


RE: More biased anti-apple Trolling
By iceolate on 5/9/2012 7:33:10 PM , Rating: 4
I personally don't have any use for a notebook computer. However when it comes to notebook computers, I would recommend Lenovo based on their durability and excellent customer service, and then second to that would be MSI and Asus based on their quality internal hardware.

When it comes to Apple's iMac or PowerMac computers, they seem to be a bit more reliable as far as the hardware lasting. However, those are also way overpriced for the outdated hardware that they contain. One could build a far superior machine for a fraction of the cost that has things like eSATA, USB 3 and HDMI. Why doesn't the 27" iMac have any video inputs? It has only outputs. You pay a premium for a giant high res display and then can't even connect anything else to it. Super lame.

All Macs continue to have problems with their crappy, overpriced, slot loading optical drives as well. That's usually the first thing to break. I personally don't care for the OSX operating system either. I find it very unintuitive and lacking in features. The wireless networking can be horrendous at times, too.


RE: More biased anti-apple Trolling
By Dennis Travis on 5/9/2012 7:47:08 PM , Rating: 2
Lenova is an excellent PC Notebook for sure. You will get no argument from me. They take after the IBM Thinkpads and I have think pads that are 15 years old and still work like the day they were made. Excellent machines.


RE: More biased anti-apple Trolling
By Dennis Travis on 5/9/2012 7:48:35 PM , Rating: 2
Oops, me bad. Lenovo!


RE: More biased anti-apple Trolling
By Cheesew1z69 on 5/9/2012 9:08:41 PM , Rating: 2
They are IBM Thinkpads....


RE: More biased anti-apple Trolling
By Iaiken on 5/10/2012 11:43:13 AM , Rating: 2
quote:
They ARE IBM Thinkpads....


Quoted for truth. Emphasis added...


RE: More biased anti-apple Trolling
By JediJeb on 5/9/2012 6:04:37 PM , Rating: 5
quote:
I've owned 8 Macs in the last 5 years and have never been hacked once or had their identity stolen


I have had 5 PCs over the last 20 years and have never been hacked, had a virus or malware on those at home, even when running them with Windows versions far past their prime(just upgraded one to WinXP 3 years ago). Those are my home systems and I am careful of what I load and what sites I visit, so that would point to PCs not being easily infected if you only look at my record.

Now if you look at the PCs at work, that is another story. We had a case of malware/virus there that was tough to get rid of, but when it was figured out how it came to be, not even a Mac would have been safe from that user. Mac or PC, if a user will click on anything, they are both prone to be infected.

quote:
The build quality of every Mac is beautiful unlike Windows machines, which look like cheap garbage


If you narrow down the list of Windows machines to only a handful of select models, they look great too. But on the other hand, if someone has a very limited budget, what is the bargain basement model of a Mac that they can purchase? Not everyone can own the Ferrari of computers (though I would consider a Mac more of a BMW than a Ferrari), some can only afford the Tata, and Apple just does not offer a cheap poor person's model.

quote:
You can say Apple is 10, 20 years behind I don't care. You're just biased and full of garbage.


Just as full of garbage as those who make Macs out to be some heaven sent piece of perfection. Macs are what they are, a decent computer running a decent operating system that can fall prey to malware infections when the ones using them are careless. There are PCs that can stomp them on performance, others that can stomp them on price, and if you throw Linux on one with an experienced user at the keyboard that would probably even beat them out in other areas too. Windows users freely admit they have bugs, Linux users will admit the same, Mac users seem to never admit any weakness in their systems even when it is pointed out to them with clear proof. Who is the more biased, one who goes out of their way to point out an Apple flaw, or one who vehemently denies any idea that a flaw can exist?


By sprockkets on 5/9/2012 9:57:49 PM , Rating: 3
Clearly Macs were not made for you - you, you use your brain and make informed decisions, and if you don't know something you find out.


RE: More biased anti-apple Trolling
By Cheesew1z69 on 5/9/2012 7:24:29 PM , Rating: 4
quote:
Four out of my six best friends who use PCs all had their identities stolen because of Windows flaws.

Because they are morons...not because of flaws.


RE: More biased anti-apple Trolling
By Camikazi on 5/9/2012 9:43:38 PM , Rating: 5
Wow that is a serious ring of idiots he hangs around with, I still have not met a single person that has had their identity stolen. It's not as likely to happen as people think, yet this guy has 4 out of 6 people with stolen identities.


By VoodooChicken on 5/10/2012 10:47:55 AM , Rating: 3
I would be highly suspicious that HE'S the identity thief!


RE: More biased anti-apple Trolling
By JediJeb on 5/10/2012 2:26:07 PM , Rating: 2
It's funny about the identity theft statement since not so long ago I read an article that said the biggest tool identity thieves use is Change of Address at the Post Office and not online theft. Very simple to fill out a change of address card and then have all of your statements sent to a new address to grab your information. Low-tech usually works great with little investment.


By ihateu3 on 5/9/2012 8:24:10 PM , Rating: 3
Are you even serious? Statistically speaking, if only 5 percent of Macs get a virus by your rationale, how many would that be if they had the same base installment as Windows machines? Remember now, there are still even Win 98 machines on the net, it is only obvious that if even both of these machines were equally secured, then Windows would have billions more infections by market dominance alone!

What hacker would want to create a virus to target the least amount of computers to spread to? Doesn't make any sense...

Windows is always under attack due to their dominance, this has made them hardened and used to dealing with non stop attacks. Only recently has Apple started to barely gain enough of the market share to be targeted by hackers (that and it's easy when Apple didn't supposedly need antivirus software) making them an easy target, but yet not ready to deal with these ongoing threats.

Trust me, I love to love an underdog, but Apple is not the underdog to love, just by supporting them, even knowing the way that they deal business and treat their customers as idiots tells me quite a bit about your personality.

But hey, Apple can instill a feeling of superiority and coolness right?


By spread on 5/9/2012 8:29:52 PM , Rating: 3
quote:
Four out of my six best friends who use PCs all had their identities stolen because of Windows flaws.


It's because they're incredibly stupid, which is why you hang around with people that are like you.

I've owned so many PCs and how many times have I been compromised? Not once. I once had a trojan infection due to some files I downloaded, I knew what I was getting into and risked it. Took care of it in the hour with some cleaning and presto. Back in business.

You can't do that. PCs aren't for you. They give you control, they give you choices. You're not ready, you can't think.

quote:
When 95 percent of all Windows PCs will get a virus over their lifetime and like 5 percent of Macs get a harmless virus who's really behind? What's your smart answer to THAT Mick?


How do you know your Mac isn't infected right now? It's not like you're running any kind of anti virus or anti spyware to tell you. You don't even have a clue.


By frobizzle on 5/10/2012 8:37:39 AM , Rating: 4
quote:
Four out of my six best friends who use PCs all had their identities stolen because of Windows flaws.

Oh come on! No one believes you have that many friends!


RE: More biased anti-apple Trolling
By coferj on 5/16/2012 2:08:15 PM , Rating: 1
If you're a hacker, why would you write a virus for an OS with such a small market share? It has nothing to do with their "superiority" and everything to do with the fact that only a small group of people use them.


Mac also....
By 1ceTr0n on 5/9/12, Rating: -1
RE: Mac also....
By Motoman on 5/9/2012 9:10:41 PM , Rating: 3
...they also don't know how to make a $3,000 computer that isn't a POS. Quoteth the still-kicking moi.


RE: Mac also....
By AssBall on 5/10/2012 10:08:02 AM , Rating: 3
You mean they don't know how to sell an average $800 computer without a $2200 broken operating system.


RE: Mac also....
By Apone on 5/10/2012 11:44:08 AM , Rating: 2
@ AssBall

- No one is saying Windows is perfect (far from it), but at least Microsoft doesn't proclaim to be the best and offer security through obscurity. And if you lump this article in with the rest of OS X's woes, you'll see OS X is "a broken operating system" just like Windows.


RE: Mac also....
By AssBall on 5/10/2012 1:33:12 PM , Rating: 2
Yes, I can agree more or less, my argument was more slanted toward the price differential for identical or worse hardware, and the inflexibility of OS-X.


RE: Mac also....
By AssBall on 5/10/2012 1:35:11 PM , Rating: 2
I was referring to OS-X, not Windows.. not sure why that got confused.


cheezy wording
By Argon18 on 5/10/12, Rating: -1
RE: cheezy wording
By HrilL on 5/10/2012 11:34:50 AM , Rating: 4
Let's see, Microsoft has an average of a 13 day security patch turn around.

Apple doesn't seem to fix anything in less than 3 months and sometimes it takes a year.

Mac OS also doesn't automatically update so you'll never get their patches unless the user updates on a regular basis. Windows on the other hand updates as soon as Microsoft pushes the update.

Microsoft proactively supports the security community and works with them to fix security problems ASAP. Apple on the other hand sues security researchers and tries to send them to jail.

We can go on and on how Microsoft's security is by far better than Apple's. But let's just look at the 3 years of Pwn2Own competitions. Apple loses first every time.


RE: cheezy wording
By Argon18 on 5/10/12, Rating: -1
RE: cheezy wording
By matty123 on 5/10/2012 1:23:20 PM , Rating: 2
Isn't it funny then how other Apple fans will try and exclude Android from the more secure OS's {even though following your logic it's based on UNIX and therefore by default more secure}.

In fact if Android has shown anything it's that UNIX based systems are no more secure than any others; as long as there is a will and enough market share, malware inevitably crops up for a platform after a while.

Also Microsoft does auto update, you've got it the wrong way round: auto update is on by default and you willfully have to go and turn it off.

The same logic also applies to windows don't install unknown sh*t and you won't get a virus, I have been running windows for well over 12 years and the last time I got a virus was when I downloaded a game crack back in highschool.


...
By messele on 5/10/12, Rating: -1
RE: ...
By messele on 5/10/12, Rating: -1
RE: ...
By Cheesew1z69 on 5/10/2012 2:08:57 PM , Rating: 4
Awww, butthurt? UMADBRO?


RE: ...
By messele on 5/10/12, Rating: -1
RE: ...
By Cheesew1z69 on 5/10/2012 7:06:10 PM , Rating: 4
I have problems? LOL...No...sorry, when you whine about getting down-rated, UMADBRO....


RE: ...
By messele on 5/11/12, Rating: -1
RE: ...
By Cheesew1z69 on 5/11/2012 1:14:55 PM , Rating: 4
racial....um..right. LOL..and classic got-no-response answer : cheesedick...

LOL...You and Pirks...2 classic morons.


Copyright 2014 DailyTech LLC.