Archive for March, 2011

Continued Security Oriented and Mac OS X Part1

The most important part of security for any OS, as I mentioned, is how to keep it secure against the vulnerabilities continuously discovered by the security community and hackers.

The Mac OS X security lifecycle doesn’t include any clear security model or framework. The reason for mentioning that is the lack of a centralized repository for security issues in Mac OS X; most of what you can find is personal or corporate work done by third parties.

Mac OS X has proved to be one of the most vulnerable OSes on the market today. Based on the latest research by Secunia, Mac OS X has 1452 vulnerabilities to date. This is on the Mac OS X side only. What do I mean by “Mac OS X side only”?

As mentioned in part one, Mac OS X is based on FreeBSD and NetBSD, so what Mac OS X actually is, is a combination of FreeBSD, NetBSD and Mac OS X customization.

Mac OS X is considered to be the user mode of the kernel, while FreeBSD is the kernel mode. FreeBSD itself has 84 vulnerabilities, while NetBSD, which represents the network kernel layer of Mac OS X, has 43 vulnerabilities.

So the total number of vulnerabilities affecting a Mac system = Mac OS X + FreeBSD + NetBSD = 1579. This is a serious and dangerous number.

The criticality is not only in the number of vulnerabilities; it lies beyond that. Patch management is the key factor. You cannot find any reliable information on Mac OS X patch management, given the absence of a patching cycle for addressing vulnerabilities and fixing them. This doesn’t mean there is no patching or security implementation, but there is no clear resource or information about what has been patched and what has not.

Some security advisory research keeps an eye on such changes, but this is still not the optimal way to handle security for a well-built, promising OS like Mac OS X.

Generally speaking, all open source OSes claim to be very secure, while the absence of a centralized repository for these multiple Linux and Unix-like distributions is one of the concerns raised all along.

OS popularity and market share play a huge role in directing hacking toward vulnerabilities; this is why we find the Windows platform more targeted by such exploit attempts. Windows 7, for example, has 96 vulnerabilities, of which only 6 are not patched. This means the vulnerabilities are there, but they are well managed and handled by patches in a well-known security cycle. Microsoft has a very nice security model called “SDLF – Security Development Life Cycle”, which ensures applications are developed against security standards to reduce the number of security breaches in MS apps. The SDLF does not stop after the apps are released to the market; it continues improving security, addressing discovered vulnerabilities and patching them regularly, following a nice model of security management.

Personally, I like Apple products and I am impressed with the build quality of their hardware and the innovation within it. But what about the most important part, the soul of these outstanding hardware products: what about the software? I hope that in future Apple will take security more seriously, apart from focusing on marketing and delivering nice-looking products. Spending some time on serious stuff is better than wasting all the time on marketing and presentations!!

If you are wondering about the FAN BOY WAR you hear here and there every day and every moment on the planet, then you should realize that nothing is real.

User experience, ease of use and more functionality are the major factors for any user. But what about the hidden things!!!

The security of the platform you are using is a vital factor, not merely an important one, even though you cannot touch it, play with it, etc. Actually, this topic is one of the hottest we find OS fans talking about. The fact is, most of the discussions I personally engaged in proved to me that most FAN BOYS are repeating wrong information they received from … WOW … other FAN BOYS!

“False Advertising”: this is the major headline when it comes to marketing an OS.

One of the leading IT companies in advertising is Apple. Honestly, Apple is one of the best companies I have ever seen on the advertising side. But false advertising is key to what I keep hearing about OS X, like “Most Advanced OS” … “Secure OS” … “No Viruses” … “You don’t even need antivirus on Mac OS X” … etc.

Is this a joke?? OK, let us move ahead and find out how secure Mac OS X is. Before I begin, I must point out what Mac OS X means.

Mac OS X is an OS that relies on FreeBSD and NetBSD … so there is no actual OS core “kernel” built by Apple. Apple relies on the Mach kernel. This kernel was developed at Carnegie Mellon University to support operating system research, primarily distributed and parallel computation.

Regardless of the fact that the Mac OS X developed by Apple is a GNU OS, Apple managed to build a great GUI experience on the GNU kernel.

Let us talk business. Over time, every OS will be subject to breach attempts by the hacker community worldwide. From there, hackers will focus on finding vulnerabilities in these OSes and try to develop exploits that take advantage of the discovered vulnerabilities. It is very important to point out here that a vulnerability doesn’t necessarily mean an exploit must happen. But the vulnerability itself is a backdoor open to whoever is able to work out how to reach it.

It would be silly to find someone fighting or defending the fact of vulnerabilities, because no OS, application or any software is 100% invulnerable. The main idea is how to keep improving and securing your application/software to avoid the expected exploits of these vulnerabilities. So the security management cycle is very important to follow.

The vulnerability management cycle is the weakest part of Mac OS X. I don’t want to point out any particular vulnerability yet; pointing out the UNPATCHED vulnerabilities is what matters.

A security management framework is key in any security-oriented model. This framework should include, for example:

  • Monitoring discovered vulnerabilities in defined cycles.
  • Assessing discovered vulnerabilities against all possible exploits through them.
  • Working on patching these vulnerabilities, so that they move from unpatched to patched.
  • Releasing patches on a well-managed schedule for users (for moderate and low vulnerabilities) and immediately for critical/fatal ones.

Apple doesn’t have any security newsletter or advisory on Mac OS X, and there is no actual system for alerting users about vulnerabilities. The worst part is the absence of a security focus mechanism. A good example of this mess is the updates released for Mac OS X: there are no periodic updates; instead, from time to time you will find patches of huge size, with no actual information about what the update does.

Some sources have mentioned the absence of a Security Engineering section at Apple. I still cannot confirm this information, but it could most likely be true based on the facts mentioned above and on the later parts of this article.