Mac OS X Security

Preface and Disclaimer

This paper presents an overview of the security situation of Mac OS X. The purpose of this paper is to present security in a very easy-to-understand fashion. I firmly believe that there is an absurd amount of FUD about computer security in general, mostly propagated by vendors of antivirus software and their partners. In the case of Mac OS X specifically, it is very difficult to get accurate, non-sensational information about what the real security threats are. This paper began as a genuine effort to figure out, and then convey, what the real status of Mac OS X security is.

Please be aware that I am no security expert (nor am I a hacker), but simply a normal computer nerd with a passion for most things relating to computers and design. I have made every effort to consult the writings of security experts and convey accurate information. If any security ninjas out there find any inaccuracies, please let me know.

With the exception of the section “Out Of The Box Security and Additional Hardening Measures”, the entire report refers to Mac OS X 10.4 and prior versions. Where possible, I state specific versions of the operating system that I am referring to.

I’ve broken up this report into several pages because it is quite long. You can also download the report in its entirety in PDF format.


Enough With the Security FUD

One of my biggest complaints with the security industry in general is that they seem to thrive on FUD. I find it to be particularly frustrating, because there actually is a lot of really important information there. Unfortunately, to find it you usually have to dig through layers of junk.

It pisses me off that someone like me, who is generally knowledgeable about such things although by no means an expert, can frequently find articles that are either completely wrong or very misleading. While this is merely annoying for me, the reality is that most people just lack the knowledge about computers and security to understand that oftentimes the information they are getting is just crap.

I was particularly annoyed by a recent article in ZDNet. Basically, a Windows XP machine was set up on an unsecured wireless network and a security expert demonstrated a hack that downloaded some information from the compromised computer’s My Documents folder. It took about 11 minutes.

Getting onto the unsecured wireless network, pinging possible IP addresses of other computers on the network, finding Andy’s unpatched computer, scanning open ports for vulnerabilities, using the attack tool to build an exploit, and using the malware to get into the XP command shell took six minutes.

Frightening, yes. Surprising, no. The important part of the article is the fact that the compromised computer was running with SP1 and no protection whatsoever:

[They] connected a machine running Windows XP with Service Pack 1 to an unsecured wireless network. The machine was running no antivirus, firewall, or anti-spyware software…

This article isn’t really news at all. It simply demonstrates that if you put a default Windows XP SP1 install on a network, it is likely to get hacked (and fast). In fact, the “unsecured wireless network” part of this article is completely irrelevant. Granted, it may make hacking easier, but the fact remains: a default install of Windows XP SP1 will get hacked.

So, yes, everybody, if you do not have SP2 on your Windows XP install, get it now. If you don’t have it because you pirated Windows, buy a fraking copy, or at least start using some free Linux OS (like Ubuntu).

I suppose there is no harm in reiterating the point that everybody, regardless of operating system, should be upgrading their service packs. I do, however, take issue with the sensationalist tone of the article. Using FUD to increase page views or sell software doesn’t help anyone. This article could have just as easily been written about hacks for XP SP2 or Vista with patches installed. The hack probably would have taken a lot longer and had a lot of things line up perfectly, but that’s not to say it can’t be done. At least that type of article might have been newsworthy or even helpful. Even John Dvorak knows this article is crap.

Firefox 3 To Ditch Unified Cross Platform Look

Mozilla’s Alex Faaborg announced a week or so ago that Firefox 3 would focus on visually integrating with the operating system:

Visual integration with Windows and OS X is our primary objective for the Firefox 3 refresh.

This is great news for Firefox, because as I have mentioned before, its user interface has really been the Achilles’ heel of the browser, especially on the Mac.

Mozilla’s user experience team literally wants to do a better job of visually integrating with Windows than IE, and a better job of visually integrating with OS X than Safari. I don’t know if we will be able to pull that off, but that’s the goal.

I’m glad that they’ve recognized this as an issue and I can’t wait to see what they come up with. If Firefox actually did look as good as or better than Safari on a Mac, I might use it as my primary browser.

Via Beauty And The Geek: Firefox 3’s Visual Makeover.

Font Rendering

Khaled Abou Alfa has a nice summary of how the font rendering looks on the different browsers (I believe this is all on Windows):

The way that Firefox renders text on Windows is embarrassing. It just looks terrible. Using Alfa’s example, here is what the text looks like in Firefox:

[Image: Firefox Font]

Ouch. It hurts my eyes.

Nice Rundown of Safari 3 Beta

Roger Johansson has posted a nice list of his impressions of Safari 3 beta (both Windows and OS X):