Apple has finally acknowledged that running anti-virus software on a Mac is a good thing. In a deeply buried knowledge-base article Apple has come forward and stated:
"Apple encourages the widespread use of multiple antivirus utilities so that virus programmers have more than one application to circumvent, thus making the whole virus writing process more difficult."
It's interesting, however, to note that this information was not publicized very well and only came to light today, on PC World's blog.
The recent DNS flaw identified by Dan Kaminsky is a serious threat to the overall working of the Internet for many users. It was serious enough that Kaminsky worked with the major operating system vendors and DNS software developers, with US-CERT coordinating, on a simultaneous release of fixes. However, for reasons that remain unclear, Apple has not delivered a fix for the DNS server that ships with Mac OS X Server. In their article "Apple Fails to Patch Critical Exploited DNS Flaw" on the TidBITS website, Rich Mogull and Glenn Fleishman detail how Apple has not released a fix for the DNS server in Mac OS X. What this means is that anyone who relies on a Mac OS X DNS server is at risk of DNS cache poisoning and site hijacking. The attack itself is not new; cache poisoning has been around for quite a while. What Kaminsky found is a much faster and more reliable way to carry it out: by triggering queries for names that are not yet cached (random subdomains of the target), an attacker gets unlimited attempts at guessing the 16-bit transaction ID instead of one attempt per TTL, and a forged reply that guesses correctly can carry records for the real target name, which the resolver accepts because they fall within the same domain. The coordinated fix randomizes the resolver's source port, so the attacker has to guess both the port and the transaction ID.
So what's the risk? The risk is greater for the consumer end-user than for the enterprise user, since consumers tend to rely on their ISP's DNS servers for name resolution. A little side note...as of Friday, July 25th 2008, some of the biggest ISPs -- AT&T, Bell Canada, T-Mobile, and others -- had yet to patch, according to this article. Anyway, the risk is that consumers (and some enterprise users) could find themselves redirected to malicious websites, where attackers can try to push malware onto their machines or conduct social engineering attacks against them. This is not a "the sky is falling" scenario for online banking: an attacker who redirects the name does not have the real site's certificate and private key, so the browser's SSL certificate mismatch warning is one sign that the site is not who it claims to be. However, there will certainly be many who are impacted if they click through the certificate error, or if the site has no certificate at all (and the connection isn't protected by SSL). On the whole this leaves Apple users, and those who depend on Mac OS X's DNS server software, in a bit of a bind. Hopefully Apple will move quickly on patching this flaw.
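To make the mechanics of the attack concrete, here is a small Python model of the race (an added example, not code from the original post or from any of the articles it cites). The resolver, the attacker and the "network" are all in-process objects; example.com, 192.0.2.x and 203.0.113.x are documentation values, and the attacker is given the unrealistic luxury of forging all 65,536 transaction IDs before the real reply arrives. It shows three things: a forged reply is accepted only if its transaction ID and port match an outstanding query; the bailiwick rule lets a reply for a throw-away subdomain overwrite the cached www record; and once the resolver randomizes its source port, the same sweep against a guessed port gets nothing.

```python
"""Toy model of the Kaminsky-style cache-poisoning race.

Added example; nothing here is real resolver code. Names and addresses are
constructed documentation values (example.com, 192.0.2.0/24, 203.0.113.0/24).
"""
import random

TXID_SPACE = 1 << 16                   # DNS transaction IDs are 16 bits
EPHEMERAL_PORTS = range(1024, 65536)   # pool a patched resolver picks from
REAL_WWW = "192.0.2.10"                # genuine address of www.example.com
EVIL_WWW = "203.0.113.66"              # where the attacker wants it to point


class ToyResolver:
    """A caching resolver reduced to its outstanding-query table and cache.

    A reply is accepted only if the transaction ID, the port it was sent to
    and the question match a query the resolver is actually waiting on. Before
    the July 2008 fixes many resolvers sent every query from one fixed port,
    so the 16-bit TXID was the only thing an off-path attacker had to guess.
    """

    def __init__(self, randomize_ports, rng):
        self.randomize_ports = randomize_ports
        self.rng = rng
        self.pending = {}   # (txid, port) -> qname being resolved
        self.cache = {}     # qname -> address

    def send_query(self, qname):
        txid = self.rng.randrange(TXID_SPACE)
        port = self.rng.choice(EPHEMERAL_PORTS) if self.randomize_ports else 53
        self.pending[(txid, port)] = qname
        return txid, port

    def receive(self, txid, port, qname, answer, additional):
        """Deliver a reply; returns True if it was accepted and cached."""
        if self.pending.get((txid, port)) != qname:
            return False                  # wrong TXID or port: silently dropped
        del self.pending[(txid, port)]
        self.cache[qname] = answer
        # Bailiwick rule: a reply about x.example.com may carry additional
        # records for other names under example.com. This is the hook the
        # attack uses: a forged reply for a throw-away name also "answers" www.
        zone = qname.split(".", 1)[1]
        for name, addr in additional.items():
            if name == zone or name.endswith("." + zone):
                self.cache[name] = addr
        return True


def kaminsky_sweep(resolver, guessed_port=53, attempt=0):
    """One attack race: trigger a query for a fresh random subdomain, then
    forge a reply for every possible TXID on the port the attacker believes
    the resolver is using. Every forgery smuggles in an additional record for
    www.example.com. Returns True if the cache was poisoned."""
    victim = f"r{attempt:08x}.example.com"   # never cached before: a new race
    resolver.send_query(victim)
    for txid in range(TXID_SPACE):
        if resolver.receive(txid, guessed_port, victim, "203.0.113.1",
                            {"www.example.com": EVIL_WWW}):
            return True
    return False


def forgeries_per_success(randomize_ports):
    """Average number of forged packets an off-path attacker guessing
    uniformly needs for one success: half the TXID space on a fixed port,
    or half the TXID x port space once ports are randomized."""
    space = TXID_SPACE * (len(EPHEMERAL_PORTS) if randomize_ports else 1)
    return space // 2


def demo(randomize_ports, seed=2008):
    """Run one sweep against a resolver that already holds the good www
    record (the attack does not have to wait for that record's TTL).
    Returns (poisoned?, address now cached for www.example.com)."""
    r = ToyResolver(randomize_ports, random.Random(seed))
    r.cache["www.example.com"] = REAL_WWW
    poisoned = kaminsky_sweep(r)
    return poisoned, r.cache.get("www.example.com")


if __name__ == "__main__":
    print("fixed source port:     ", demo(False))   # (True, '203.0.113.66')
    print("randomized source port:", demo(True))    # (False, '192.0.2.10')
    for flag in (False, True):
        print(f"average forgeries per success (randomized={flag}): "
              f"{forgeries_per_success(flag):,}")
```

In a real attack the genuine answer usually arrives after only a few hundred forgeries, which is exactly why the random-subdomain trick matters: it gives the attacker a fresh race immediately instead of waiting out the TTL of the record it wants to replace. One caveat for anyone applying the patch: a NAT device in front of the resolver that rewrites outbound source ports sequentially can undo the randomization, so verify from outside the network that the query ports actually vary.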
It's been somewhat interesting when I talk with customers and people I know and they tell me that the Mac has better security than Windows. The first thing I have to ask is which versions of Windows and Mac OS they are talking about. Usually they sit down and compare OS X (either Tiger or Leopard) to Windows XP. They don't even consider Vista in the mix...which is somewhat frustrating, but nevertheless, let's continue. They tell me how Apple has so many fewer security bugs (or bugs in general) because Apple rarely releases patches (unlike Microsoft, where we release patches once a month), and that Apple's Mac OS is "immune" to malware.
Yesterday SC Magazine published an interesting article titled "Mac attacks on rise" that describes how malware writers are now finding it worth their while to develop malware for the Mac platform. The problem is nowhere near the level it is in the Windows world, but it is getting to the point where Mac users are being cautioned not to be complacent about security. For example, the OSX/Hovdy-A trojan is a particularly pernicious little guy that can steal passwords, disable the firewall on the Mac and turn off security settings. As the Mac population grows (Apple announced recently that it has had its best quarter in its 31-year history, selling 2.5 million computers), more and more malware writers and attackers are going to be looking at the Mac as a platform of opportunity.
Looks like there's been progress toward cracking 1024-bit RSA keys. Swiss researchers at EPFL, with collaborators, have factored a 1039-bit number of special form (2^1039 - 1) using the special number field sieve. An RSA modulus has no such special structure and needs the slower general number field sieve, so we're still several years away from a "sky is falling" scenario, but it looks like the days of 1024-bit keys may be numbered.
http://www.pcworld.com/article/id,132184-pg,1/article.html
A little bit of information about me. My name is Ido (pronounced e-dough) Dubrawsky and I am the Security Advisor for Microsoft's Communication Sector North America group. My customers run the gamut from media and entertainment companies to print and publishing companies to wired and wireless telecommunications companies. I've been working at Microsoft for only 13 months (tomorrow is my 13-month anniversary), but I have to say I have never been more impressed by the people and dedication in a company than I have been at Microsoft. My background includes about 20 years of UNIX and Linux administration (as well as Microsoft Windows administration). I worked in Cisco's SAFE Architecture group for 2 1/2 of the 4 1/2 odd years I was at Cisco. After I left Cisco I worked for SBC/AT&T for a year in their Callisma consulting subsidiary before I was offered this position at Microsoft. But enough about me for now...we'll continue that story later. The reason I wrote this particular post is that I was reading a recent article in Network World about a "Hack the Mac" contest that was held during the CanSecWest conference in Vancouver recently. What was most interesting is that one of the attendees managed to exploit a vulnerability in the Safari browser that provided access to the system -- complete access. One of the conference's principal organizers, Dragos Ruiu, made the comment:
"You see a lot of people running OS X saying it's so secure and frankly Microsoft is putting more work into security than Apple has"
This is amazing. This is, in my mind, independent acknowledgement and validation of the effort we are making to improve the security of our software. Remember...I come from many years of UNIX administration as well as security consulting. Whenever someone mentioned Microsoft and security in the same breath I used to snicker and laugh. But in my last two years at Cisco, and especially in the year I worked at SBC/AT&T, I began to notice that Microsoft's Windows platform security had dramatically improved...so much so that when we did a penetration test on a customer's network it was easier to gain initial access through one of the UNIX systems than through the Windows systems. This was an eye-opening experience for me and was one of the reasons I was interested in this position. I hope to bring to light on this blog some of the amazing security efforts we're making with the Windows platform, in the hope that people will realize that we have a very good security story. When I read things like Dragos' comment above I feel that we are starting to get recognition for our efforts...now if Apple would just stop those silly ads ;-)