Friday, July 18, 2008

More on Macintosh and Security

Well, not just Mac. Tam left quite an interesting comment on my earlier post on Macs and security:
"So what happens if Macintosh market share doubles?

We keep running obsolete versions of the Mac OS.

It'd take a bored hacker to make a serious run at OS 9.2. ;)"
This is exactly right, but if you're a geeky security guy like me, what's interesting is why it's so right.

Really old OS versions are obsolete for a reason - lots of new programs (can you say Quake?) won't run on them. Old browsers won't give you the "new" cool features, like AJAX, and new browsers won't run on them either. A different way to say this is that there's a lot less capability in the OS. Less capability = less code.

Bug count is very closely related to code size (OK, I oversimplify, but with everything else the same, the program with more code will have more bugs). Bugs in features tend to be more easily discovered during testing than security bugs: "Hey, the fratsulator just crashed again when I double clicked it." Security bugs are often latent, waiting until someone pokes the system the wrong way and finds that it's possible to run his own code on it.

From a security perspective, a security bug that lets the attacker run his own code on the computer is the worst case scenario, especially if the program runs with lots of privileges (IOW, permission to access everything). Thus the beauty of Tam's suggestion - obsolete OS versions like Mac OS9 or Windows 98 simply don't provide many ways for a bad guy to get his code to the computer. As they say up in Maine, "you can't get there from here."

Network communications rely on two things: addresses and ports. All computers have an address, at least if they want to move onto Al Gore's Intarwebz. Typically the computer gets the address from the ISP - for example, right now I'm something.something.verizon.net (the magic of DNS translates names to actual addresses, but they're really referring to the same thing).

Ports, on the other hand, are owned by the computer itself (the ISP doesn't play here); the computer gives ports to applications that use the network. Some ports are "well known", like the web (80) or email (25). Others are entirely random.

Now from a security perspective, the really important port is the one used by the application that is a server. My Firefox application is using who knows what port right now; Blogger.com is using port 80. This means that to a Bad Guy, it's really really hard to get to me, but it's trivial to get to Blogger.com.

So what does this mean to Mac OS9 or Windows 98? They don't run server programs. Even if the Bad Guy wanted to get you, nothing's listening when he calls. He wants to send you his malware code to run, and nothing will take it from him.

More modern OS versions - Windows 2000/XP/Vista, Mac OS X, or Linux - typically have gobs of applications listening on gobs of ports. Target rich environment. Plus, the new OS has many, many more lines of code than the old versions: more code, more bugs. More bugs, more security bugs. The fact that the old OS is pretty primitive is A Good Thing.
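The listening-port argument above is something you can check on your own machine rather than take on faith. Here is a small added example (my illustration, not code from the original post) that parses Linux net-tools `netstat -an` style output and separates sockets that are reachable from the network from ones bound only to loopback. The two netstat dumps are constructed for the example; the service-name table is a hard-coded subset, and a real tool would read /etc/services instead.

```python
import re
from dataclasses import dataclass

# Constructed subset of well-known service names; a real tool would consult /etc/services.
WELL_KNOWN = {22: "ssh", 25: "smtp", 80: "http", 139: "netbios-ssn", 443: "https",
              445: "microsoft-ds", 631: "ipp", 3389: "rdp", 5353: "mdns"}

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Columns in net-tools netstat -an output: Proto Recv-Q Send-Q Local Foreign [State]
# (UDP lines carry no State column, hence the optional last group).
LINE_RE = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)(?:\s+(\S+))?$")


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int

    @property
    def network_reachable(self) -> bool:
        """A socket bound to anything but loopback answers callers from the network."""
        return self.addr not in LOOPBACK

    @property
    def service(self) -> str:
        return WELL_KNOWN.get(self.port, "unknown")


def split_addr_port(endpoint: str):
    """'0.0.0.0:22' -> ('0.0.0.0', 22); ':::80' -> ('::', 80). rpartition handles IPv6 colons."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_listeners(netstat_text: str):
    """Return every socket that would accept an unsolicited connection or datagram."""
    found = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, unix sockets and blank lines
        proto, local, _foreign, state = m.groups()
        # TCP sockets only accept callers in LISTEN; established/outbound sockets are not a target.
        if proto.startswith("tcp") and state != "LISTEN":
            continue
        host, port = split_addr_port(local)
        if port == "*":
            continue
        found.append(Listener(proto, host, int(port)))
    return found


def attack_surface(netstat_text: str):
    """Summarise listeners as (port, service) pairs, split by whether the network can reach them."""
    listeners = parse_listeners(netstat_text)
    reachable = sorted({(l.port, l.service) for l in listeners if l.network_reachable})
    local_only = sorted({(l.port, l.service) for l in listeners if not l.network_reachable})
    return {"reachable": reachable, "local_only": local_only}


# Constructed sample: a modern desktop with several services bound to all interfaces.
MODERN_HOST = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:49312      203.0.113.5:80          ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:5353            0.0.0.0:*
"""

# Constructed sample: a box that only makes outbound connections, the "nothing's listening" case.
QUIET_HOST = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.20:51002      203.0.113.5:80          ESTABLISHED
"""

if __name__ == "__main__":
    for name, dump in (("modern", MODERN_HOST), ("quiet", QUIET_HOST)):
        print(name, attack_surface(dump))
```

The point of the split is that a service bound to 127.0.0.1 (the print spooler on 631 in the sample) is not reachable by a remote caller at all, so the count that matters for the post's argument is the "reachable" list, and on a host that only makes outbound connections that list is empty.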

So Tam is absolutely right - burning the midnight oil to learn how to be the ultimate h4X0r for OS9 is not going to give you a lot of targets. It's also a whole lot harder than becoming a good Vista hacker.
