Let's see. So far we have allot of self admitted "I don' knows", and others claiming that OS security is a function of the number of users, and still other fanboys in both camps who just have their heads so far up an orifice that they wouldn't have a clue regarding OS design or OS security and the differences between fundamental OS design and application design if it fell on them.

Fundamental design differs from sloppy programming. Sloppy programming is just that. But fundamental OS security designed from the bottom up in an integrated manner is different from add on traps and local obstruction.

And like it or not, that is the fundamental difference between Windows and OSX. There is a fundamental difference between the 2 OSes in terms of security design.

And the difference is real regardless of which OS you prefer to use in your day to day activities.

So is one fundamentally more secure than the other? Yup. Deal with it. But that feature alone does not determine which is better r which is the best for you. But it IS a fundamental design reality. ...And as such, it just might be a factor that helps you to determine which environment might be optimal for you.

And you can start with the concept called sandboxing. And nope, Apple did not invent it! But they did something that MS failed to do! They USED IT - fundamentally!

Windows, instead, is built around a fatally flawed concept called ActiveX - which conveniently fails to provide for the ability to authenticate a process. So, as long as a process says its a friend, the response is "come on down!" in the name of system interoperability. And this process, if its not really a friend (who would think!!!) can take over the OS and the machine.

In a properly implemented sandboxed system, the process can crash the local sandboxed application. And the solution is as simple as "delete".

So here is a bit of info for those fanboys and those who are just generally clueless about OS security design and simply can't see, what the fundamental differences in the design elements incorporated into various OSes are. After all, an OS is an OS, of course of course.

There are many ways to evaluate OSes. Security is just one.

So, if you want to compare OSes, you folks who can't even differentiate between the various approaches employed (or not employed) should stick to your level of expertise whereby you evaluate OSes based upon how many of your favorite games they run.

• Ultimately, what we would like is given some system, we would like to be able to execute unreliable code without compromising
the overall security of the entire system:
– Vulnerabilities in the unreliable code may damage the code itself, but should not break the host system
• Such an environment is generally called a sandbox

• Conventional OS sandboxing:
– Process space isolation
– chroot and jail
• Four approaches for sandboxing compiled code
– Code modification for run-time monitoring
– System call interposition
– Proof-carrying code
– Virtual machines (e.g., VMWare, User Mode Linux)

Conventional OS Protection
• Keep processes separate
– Each process runs in separate address space
– Critical resources accessed through systems calls
• File system, network, etc.
• Kernel functions as a reference monitor that checks all access to objects for proper credentials
Process => Kernel => Object (file, network, etc...)

• However, for some applications, OS protection doesn’t provide enough isolation
– Programs can still see what other processes are running on machines
– Can see the entire file system
– All programs running on the system have the same level of
access to the system call interface
• OS’s don’t provide any fine-grain isolation, either programs are running on the system and have access to all facilities that other programs have, or they aren’t on the system at all
• OS’s can’t protect themselves very well. Once you get root, you can install drivers, change configuration settings, etc… You only have to compromise 1 root process to do this.

• Stronger version of chroot
– Jail provides a limited view of the file system, just like chroot
• Provides a root account that only has privileges inside the jail
• Restricts certain system calls
• Each jail is bound to a single IP address (processes within the jail may not make use of any other IP address for outgoing or incoming connections)
• Can only interact with other processes in same jail (IPC, signals, etc…)
• This is coming closer to a virtual machine except:
– No process or resource isolation
– UID’s are not isolated for example, need to be careful about UID collisions

And Still Other Additional Security Options & Techniques
• System Monitoring
– Software Fault Isolation
• Modify binaries to catch memory errors
– Wrap/trap system calls
• Check interaction between application and OS
• Check code before execution
– Proof-carrying code
• Allow supplier to provide checkable proof
• Virtual Machines (e.g., VMWare; UML)
– Wrap OS with additional security layer

And there are many more aspects ranging up to and including what is implemented in SELinux, a version of Linux created by the NSA and Secure Computing Corporation (SCC)

– Have mandatory access control to all objects
• Even though there are multiple ways to access a particular object in UNIX, SELinux has checks on all of them
– Support for various policy configurations:
• Role-based access control: rather than assign rights to users, assign rights to “roles” which users can take-on
• Multi-Level access control
• Type-enforcement: Each subject and object has a type, policies are represented by relationships between each type

http://www.nsa.gov/selinux/

And a still more comprehensive definition of computer security along with the fundamental differences in OS security design are available within the Common Criteria.

There are many access control models, some stressing greater horizontal and some greater vertical security.

But ultimately, one has to determine which ones make sense for the OS you are using.

And at least between OSX and Windows, basic OS security with regards to application security and the potential for malware to gain destructive access and control of the OS and data is much more fundamentally restricted in OSX than in Windows.

Okay let me rephrase what I wrote:

"I don't get this. Why does this particular Apple os seemingly have more security issues than any other previous Apple os. What's so different about this os, because the number of security issues being addressed amazes me."

Oh wait a minute, I posted the right question first time - no mention of Windows at all. Phew thank God, I thought I was a fanboy for a minute. Phew!

Despite that very long tirade you've still not answered my question - is there a simple answer to a simple question? Why does this particular Apple os seemingly have more security issues than any other previous Apple os?

"Many of the flaws patched by Apple are located in UNIX applications that ship with its operating systems. BIND, crontab, fetchmail, file, PPP, ruby, screen and texinfo have all been updated."

The more Apple moves to a full 64 bit implementation - every routine has to be scrutinized for memory management! Especially as they have moved pieces and parts at a time.

The question should be, how have they avoided more tweaking and corrections to such a mountain of legacy code and open standards!

Also, I have no problem with MS issuing millions of patches! I hope they release twice as many!

Not because I like fixes or updates, but because I realize how complex OS security and even more so - application design can be!.

MS simply has a much tougher row to hoe, in that their fundamental design foundation has many more holes that were fundamental to the design (ActiveX!!! - I am surprised they don't simply bite the bullet and rewrite their apps to use other authenticated techniques! and be done with it!... And simply sunset future compatibility for he updated versions on updated OS versions.

Again, MS has tougher decisions to make.

But in any event, I have no problems with upgrades or fixes.

But as far as does one OS architecture offer fundamentally better security - absolutely!

Does that make it the OS that is best for you - well, you have to weigh the benefits and risks based upon many factors.

But, like it or not, and regardless of what platform you prefer or use (heck, I am often on platforms that I do not prefer!!!), OSX is fundamentally more secure than Windows by virtue of the basic foundation they employ. Apple didn't invent that foundation. But they were smart enough to employ it!

And is Apple's implementation Perfect? I doubt it! But it also makes finding the very small holes harder to find...and it s***s much of the focus over to the appls as opposed to the OS.

And as opposed to MS that controls almost all of their 'pieces and parts', OSX relies on open standards - after all, it is the most POSIX compliant OS. And as such they have to deal with all of the open code that is out there! Is it all as secure as one might like? Yeah, right! Like a committee - or think, MANY committees are more efficient and effective in making tight inter operable code. In your dreams!

So Apple has got to be very vigilant in trying to address what is essentially a herd of cats in terms of apps, routines and processes. And as they change their architecture to move to FULL unified 32/64 bit with all of the various legacy standards with which they are trying to remain compliant(& over which they have little or no control!), they have their hands full! So I am not surprised by the delay in the release of their new version of the OS either.

So both platforms have their challenges. And the righteous fanboy rhetoric each time someone releases fixes - on any platform - is asinine.

You like to write Foxy, no doubt about that. lol

Thanks for the reply though as it did make some sense to me. [grins]

I don't get this. Why does this particular Apple os seemingly have more security issues than any other previous Apple os. What's so different about this os, because the number of security issues being addressed amazes me.

Because more people use this version. It's not that old versions were more secure, the holes/bugs/vulnerabilities are just more exposed now. If/when Apple's market share grows, then we will see more patches. Apple will need to adopt a policy for updates similar to Microsoft's.

Who's the one that said that Mac's are more secure by design?

Anyone intimate with OS design.

I'm wondering if Apple will follow MS's idea and pick a day each month for the updates. Granted, they may not come out as fast, but it will help IT departments a lot.

All the Linux and Apple fans are so quick to point and laugh when Microsoft issues patches, but you try the same with Apple and you're suddenly labeled an Apple hater. I especially love those first posters with their preemptive name calling. Let's post about the so called "Apple haters" even before they get here, so that later we can yell "I told you so!" Brilliant.

The fact remains, Apple's OS isn't as bullet proof as you zealots thought. There weren't any exploits because nobody cared. But now Apple is gaining some popularity due to their misleading advertising against the PC. So expect more and more vulnerabilities to be discovered.

Especially when those folks are the same ones flaming away in the MS topics.

Nice to see the haters are commiserating. BWAHAHAH

Security Flaws?

I thought security flaws only happend in Windows.

I guess that perfectly secure dream world Mac user live in is beginning to come crashing down.

i see that you are living in a world of dreams, this nigga

Yup, they are still waiting for their first real world event where something other than a sandboxed app is corrupted and possibly crashes corrected by "delete".

It should be dramatic.

Compare that to malware that moves on to corrupt data and gain control of the OS and the machine where your only recourse is to unplug the machine and reinstall.

Oh.......

"I thought security flaws only happened in Windows."
Evidently you are new to this "thinking" stuff! Be careful!!!

Hmm - it's fifth security update of 2007. How long before we have the Apple haters of the world on here decrying Apple for being a greedy conglomerate with nothing but a swiss cheese OS?

Microsoft has also had 5 security updates - one each month.

But within 6 months has MSFT released over 100 security bugs. No As I will say about Apple and MSFT at least they are fixing the issue. Both have security issues (with apple less then 5% market share and more security issues patch).

Which would make them equally as Swiss and cheesy.

They've released more patches on their patch random-day-of-the-month than Microsoft on their patch Tuesdays.

(I know, I know, far different severities)