<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Mac OS X Security Myth #2: Nobody Attacks Mac OS X</title><link>http://blogs.technet.com/security/archive/2007/01/11/mac-os-x-securty-myth-2-nobody-attacks-mac-os-x.aspx</link><description>Following up on Mac OS X Security Myth #1: Mac OS X Has Few Security Bugs, this post continues my look at "perception versus reality" for Mac OS X security. There aren't a lot of sources of validated compromises, but one of the few we can check is www.zone-h.com</description><dc:language>en</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>Mac OS X Security Myth #3: Mac OS X Has More Security Designed In</title><link>http://blogs.technet.com/security/archive/2007/01/11/mac-os-x-securty-myth-2-nobody-attacks-mac-os-x.aspx#594655</link><pubDate>Sat, 13 Jan 2007 04:20:20 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:594655</guid><dc:creator>Jeff Jones Security Blog</dc:creator><description>&lt;p&gt;Following up on Mac OS X Security Myth#1 (fewer vulns) and Security Myth#2 (nobody attacks), this post&lt;/p&gt;
</description></item><item><title>Mac OS X Security Myth #3: Mac OS X Has More Security Designed In</title><link>http://blogs.technet.com/security/archive/2007/01/11/mac-os-x-securty-myth-2-nobody-attacks-mac-os-x.aspx#594657</link><pubDate>Sat, 13 Jan 2007 04:20:59 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:594657</guid><dc:creator>Jeff Jones Security Blog</dc:creator><description>&lt;p&gt;Following up on Mac OS X Security Myth#1 (fewer vulns) and Security Myth#2 (nobody attacks), this post&lt;/p&gt;
</description></item><item><title>re: Mac OS X Security Myth #2: Nobody Attacks Mac OS X</title><link>http://blogs.technet.com/security/archive/2007/01/11/mac-os-x-securty-myth-2-nobody-attacks-mac-os-x.aspx#596577</link><pubDate>Sun, 14 Jan 2007 21:48:50 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:596577</guid><dc:creator>PCSA</dc:creator><description>&lt;p&gt;Jeff, while your point is a valid one -- no OS is 100% secure -- I'm curious as to your thinking here. &amp;nbsp;Site defacements are certainly annoying and costly, and they certainly represent a security breach, but they are not necessarily OS attacks. One of my sites was defaced a couple of years ago, and the culprit was a PHP script someone was using that had a privilege escalation flaw. Some of the blame was also on Apache, and by extension OS X Server, which comes with Apache, but still, the OS itself had nothing to do with the attack. It would have worked on any platform, including Windows.&lt;/p&gt;
&lt;p&gt;So, did you examine each of the attacks in those 50 pages of matches to see what the details of the attack were before trusting the claim that it was a compromise in OS X?&lt;/p&gt;
&lt;p&gt;Also, each of these was an attack on a server. The majority of attacks these days are on clients, whether it's identity theft or creation of botnets. Now I'm no zealot. I know a Windows machine can be as secure as a Mac if it's properly maintained, but I can tell you from hard experience that this is beyond the ability of most Windows users. A network is only as secure as its weakest link.&lt;/p&gt;
&lt;p&gt;Now when you list the number of security flaws in OS X (quite fairly, you note that they all count, since it's all bundled software) you point out that the covered CVEs numbered over a hundred two years in a row. Is that a few? A lot? There's no context. How many similar vulnerabilities were patched in Windows/Office those two years? More or less? How about Linux? Were all the vulnerabilities critical? What percentage of them were, by platform?&lt;/p&gt;
&lt;p&gt;Now maybe those questions aren't really fair. They ask you to do a lot more work than would be reasonable for a blog post. But then again, security is not simple, so we should try not to simplify it to the point of uselessness.&lt;/p&gt;
</description></item></channel></rss>