Newsflash: Mac Isn't Magically Secure

Despite Apple users’ belief, Mac security isn’t a given – but there are steps to take to make the Mac more secure.
(Page 1 of 2)

So now that the QuickTime Java hole has been discovered and plugged, within eleven day's time, what does that say for Mac OS X's security? Is Mac OS X really just a house of cards, ready to be destroyed by The Bad People? Have Mac users been deluding themselves? Or was this really nothing, and there was never any real problem?

The correct answer is, I think, neither. Look, the Mac OS has always had holes. It always will. To think otherwise, no matter what the legions of the MacMacs out there fervently wish, is to literally deny reality.

Windows Vista and XP also have holes. Solaris has holes. Even my dear, fondly remembered OS/400 has holes. We are talking about complex software designed by inherently, and sometimes actively imperfect beings. There are always going to be holes, a k a mistakes. No matter how smart the designers of Mac OS X are, (and having met quite a few of them, they're astoundingly smart, all of them), they're only human.

They also aren't the only smart people on the planet. As a good friend of mine, Andy Ihnatko once said, rather sagely (complete with appropriate sagely demeanor), "No matter how smart or evil I may be, there is always someone out there who is smarter and more evil than I am."

Related Articles
Mac and PC Installation Hell: Just Say No

Top 10 Mac Productivity Enhancements

iPhone and Steve Ballmer

Using Vista and Linux on a Mac, Part One

FREE IT Management Newsletters

As vulnerabilities go, this one was both quite real, and not as bad as it could have been. It affected a critical framework in Mac OS X, and a rather common install in Windows (QuickTime), and until it was patched, your only real safe bet was to disable Java in your browsers. It could, and did, allow a web site to open a hole into at least your home directory, and potentially worse.

To those who were, and maybe still are, trying to shout this down as "not a real problem," I say to them, "get a clue." Any hole that allows a random web page to open up your machine is bad. Period. Especially since this kind of attack vector makes hay of things like anti-virus and most firewalls. You created the connection, you "executed" the code. Had someone started exploiting this in a bad way, the fact that it wasn't a "real" problem would not be comforting to those damaged by it.

However, this vulnerability does not suddenly make the Mac OS no more secure than a tissue house in a hurricane. It had a reliable workaround (disable Java), that while causing some pain, did not require you to ignore the Internet until a patch was found. Exploiting the vulnerability meant you had to get people to execute the code on a web site. The law of averages makes this rather quite hard to do on the Internet, especially with an eleven-day window between discovery and patching.

This was not a "Witty"-level problem, wherein malware on another machine could reach out and infect your system, then crash it without you ever knowing about it. (For information on Witty, a particularly nasty bit of malware, read here.) You had to go to a location with the attack code to be hit by it. This is hardly a harbinger of doom.


Page 1 of 2

 
1 2
Next Page





0 Comments (click to add your comment)
Comment and Contribute

 


(Maximum characters: 1200). You have characters left.