Mac Users Pooh Pooh Security Holes?

The issue is that 2 of the 3 security issues were non events. Leap-A was a joke, and the bluetooth worm was even more so as it actively asked you even on unpatched systems if you wanted to be infected. The only security vulnerability that was even worth noting was the safari vulnerability and even that was fairly trivial mainly because it can only destroy your personal files, which any mislabeled application can do. So really these were non events. It was a lot of media shouting wolf, and very there was very little actual substance to any of the claims.

You do realize this so called "new" Safari exploit has been around for ages. (I think almost a year now) Apple just never completely fixed it.

OS X has always been succeptible to all kinds of exploits in its Unix underpinnings. If you know Unix, you know there are ALWAYS security holes. They get fixed and we all move on. This is nothing new. The latest media hype is just that. Hype. This is what burns me up the most. I used to work for an anti-virus company and they LOVE this stuff. They love when the public gets scared, and they love when they buy anti-virus products.

Does it mean everyone needs to start panicking and go buy some anti-virus software because rsync allows remote code execution? Does it mean we need to shut down all of our Macs because IPSec could allow a remote denial of service against VPN connections? Fear. Uncertainty. Doubt. Don't get caught up in the media hype and panic because of security exploits. Stay patched, stay smart, and stay informed.

Mac users are simply naive and complacent when it comes to security.

I would replace "Mac users" with "General users". How many years has PCs been succeptible to viruses and spyware and a LOT of people STILL don't follow good practices? Stupidity doesn't discriminate OS's. Yes, I call it stupidity when you willingly ignore the truth. Mac users are not immune as you pointed out. Like many things in life, people don't think bad things will happen to them until it does.

I am also a Mac user, have been for about 16 years now and what you mentioned about Mac users being naive and complacent, at least in my case is half true. I also have been using windows for the same amount of time. Now my windows box at home is locked down I have all the ad-aware programs spy-bot etc.. Firefox, blah, blah.. and I have taught my kids about not downloading and opening up attachments all the essential things you need to do to keep away the unwanted spyware. I am constantly out fixing other peoples computers and 90% of the time the culprit for there computers problems is malware or spyware they have downloaded from there bad internet habits.

Well to my point I do none of this for my Macs and in light of the vulnerabilities that have just surfaced I have never checked my Mac for spyware or Malware. As you know being a Mac user your are always asked, a couple of times, before you install anything, and I think with this we tend to feel safe. But like you I am not so sure that we are that safe. So maybe I am complacent but I would not say naive. I have a podcast that I reported these vulnerabilities on that no one seemed to care about. So you are right, we do seem very laxy daizy when it comes to our security. I have, like you had to fdisk reformat and re-initialize my windows boxes many, many times and that gets old, never done it on my Macs though, ever. But I do have faith in Apple that they are going to look after me and as misguided as that seems they came out with those patches pretty quickly.
I suppose we will see how all this turns out as our Macs get more popular.

it didn't write itself into the OS, it wrote into applications that you had permissions to write to. Hence constantly using an admin account is bad, lesson learned. If it had been malware the most it could have done is infected a single user, hence it's a non issue, because you can always destroy your own files. I can send you a bash script that is rm -rf / and if you run it, it deletes everything, that's not a virus though. And the method it tried to propagate with was worse then a joke. Leap-A didn't tell us anything, it didn't do anything interesting, it didn't attack any security hole, other then having a stupid user. That is why it's a non-event.

I can't argue about why it asks for permission, the fact is it's an old security hole long ago patched.

I agree with the safari issue, it was a danger, out of the three it's the only one that made me even think twice. But it got patched as soon as it was public. Nothing is 100% safe, I think over reacting to this is more dangerous then under reacting. If you can't learn anything from an attack it isn't useful to panic about it. And if you can, then fixing it is the correct answer, not worrying about it after it's been fixed.

I think the reason most Mac users didn't make a big deal out of this is because it happens a lot more often than it gets reported. Each point release with OS X has a few Security Updates along the way, and everything ends up getting fixed pretty quickly. All complicated software is bound to have holes, but for those holes to become a problem they have to cause enough damage to be noticeable, they have to spread quickly, and they have to do it all before everyone already has the fix. That's what really makes OS X more secure than Windows. It's not that is doesn't have any holes, it's that those holes rarely allow much damage, it's even more rare an exploit can spread on its own, and the simplicity (and non-intusiveness) of the Software Update utility means updates get applied by just about everyone as soon as they are available. Apple does their part by fixing things quickly, users do their part by allowing Software Update to do it's job, and OS X does its part by making it rather hard to inflict serious damage.

I think the reason most Mac users didn't make a big deal out of this is because it happens a lot more often than it gets reported.

Exactly the point I was trying to make.

Douglas, I read through your posting and the follow-up comments. I appreciate your zeal but the OMG approach does not give your credibility a boost and it invites the kind of defensive response you have noted. One other observation I'd like to make is whether you have considered the kind of population you are dealing with in the forums. Just because someone is commenting in a forum, doesn't make them an arbiter of opinion in the at-large population, nor does it show that they are representative. In fact, it is many times just the opposite. Forum-savvy and internet savvy users in ANY population are not consistently the norm and their opinions and comments shouldn't be treated as such. In fact, most are minority opinions because of their deeper understanding of the technology.

Finally, I as you, have been on both platforms - in my case for 22+ years. I've walked both platforms into their current maturity as well as Unix, Linux and several other minority OSes. I have surfed the crest of computing development from building mechanical and tube-based computers as a kid until our current state. I routinely advise family and friends about how to best manage their computing experience. You enjoy a state of enlightenment that few computer users ever even recognize - let alone aspire to. I commend your diligence - but lower your expectations per responses in forums. Instead target your discoveries to the sources that can best benefit from the knowledge - Apple, OpenGL, whatever. Not the bar crowd in the forums.

Douglas- Those 3 points hit the nail on the head. I guess it is up to us then to keep the message alive so Apple and all the Mac users become less complacent.

Emryc - I guess my complacency comes in to play here, by using my admin account all the time. I know I should not be doing this. But alas, even on my iMac G5 (intel), fast user switching, I still find myself working in Admin most of the time.

I also want to add that as a long-time Mac user, there has rarely been any active virii or trojans out in the wild (even pre-OSX days). Has this led to complacency? Perhaps a little. I also want to point out something else though: any of these vulnerabilities that you have mentioned were localised, meaning that even if they did infect you, they were unlikely to infect the whole system as is seen in many of the more notorious Windows virii. I also worked for several years as a support specialist for primarily windows machines during which time we dealt with some of the worst Windows virii that have circulated in the past five years. Sometimes these virii required a total system wipe and install to correct the problems they caused.

The point I am trying to make is this: Windows virii and trojans have or had the ability to bury themselves deep into the heart of the system, while any of the recent threats to OSX would not have had this effect. Delete a user account? Okay, well, if you've backed up lately that shouldn't be a big problem, just recreate the account and then restore your data.