xisto Community
rayzoredge

Windows Vs. Osx Vs. Linux Security


The hornet's nest: which OS is more secure? And why?

It depends on how you look at things and which perspective you approach it from. As far as I know, Linux seems most secure to me, followed by OSX and then, by a long haul, Windows. My reasoning, based on what I've learned so far, is that Linux and OSX aren't exactly really big targets for malware, not to mention the fact that Linux has a community that frequently scrutinizes the code to prevent exploits and whatnot from ever happening in the first place. There's not enough of a market share by Linux and Apple to compete with being omnipresent as Windows has been, and it makes sense that most malware is being designed to target the Windows environment.

And of course, along with these facts, you always hear about Macheads smugly mentioning their snide remarks about being virus-free and whatnot... and sometimes, a Linux user will chime in every now and then. And it's funny when I say now that, although Windows is more apt in being targeted for malware, OSX is actually the most vulnerable OS out there. (Apparently, the answer lies in Snow Leopard, and you'll know why in a second.)

Clicky

Some of us are aware of the Pwn2Own contest where a contestant successfully hacked in not once, but TWICE into an Apple computer (a MacBook Pro and a MacBook Air, I believe), taking control of the machine within minutes. (Of course, the Apple community remains unfazed by this brazen act that proves that OSX is not invincible, blaming it on something other than the operating system and their precious Apple devices.) These were fully-patched machines, mind you, and the point of the contest is to find bugs and attempt to exploit them to take control of the machine or execute arbitrary code to be able to do anything malicious from snagging keystrokes to sensitive information to gaining complete control. And yet, a man by the name of Charlie Miller attempted and apparently did the impossible.

In all reality, security is just a way to deter if not slow down an attack. Keep this in mind, as anyone with the diligence and the knowledge can get into any machine he or she wants.

Microsoft's Windows Vista has something called ASLR (fully implemented with SP1) that is apparently a very effective security feature that deters such attacks. Linux has a weaker version of the same concept but reinforced with PaX and ExecShield. Apple's OSX (Leopard) has some smatterings of binaries of ASLR, but this will be fully introduced in Snow Leopard, the next OS release.

So what the heck is ASLR?

ASLR stands for Address Space Layout Randomization. It basically keeps arbitrary code from executing due to a stack buffer overflow or other such attack where a hacker injects code to be executed to gain control of a machine, download malicious code, etc. The way it works dives deep into how things run on a machine, notably the address space. By randomizing the layout of the address spaces needed to execute code, this concept thwarts the possibility of a stack buffer overflow because the way the mentioned attack works is by injecting executable code at the END of a very long address so that after the program takes in the long address and allows for the "leftover code" to be read (run). If the address spaces are randomized, the "end" of the address that contains the malicious code can be exposed and discarded, usually ending with the program crashing on the user end, but protecting the OS itself from being successfully attacked. Linux has a basis of this, complemented with ExecShield and PaX, which basically do the same thing in preventing attacks in this fashion. OSX, however, does not have much of anything at all regarding ASLR, although this is apparently changing with the release of Snow Leopard.

Charlie Miller stirs up the hornet's nest, I'm sure, by declaring that OSX is actually the least secure operating system out of Linux and Windows. However, the saving grace is that with the facts discussed above, OSX is actually the more safe out of Windows and OSX. (He doesn't even mention much about Linux, although with the implementation of basic ASLR and its complements, including the fact that there's not enough of a presence to invoke making itself a target, I would personally say that Linux is the most secure OS.)

What do you guys think?

Share this post


Link to post
Share on other sites
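As an added illustration of the ASLR discussion in the post above (not part of the original thread): one way to see which parts of a Linux process are actually randomized is to compare its `/proc/<pid>/maps` listing across two runs. The two snapshots below are constructed sample data for a hypothetical non-PIE binary `/opt/demo/app`; the function names are this example's own.

```python
"""Compare two /proc/<pid>/maps snapshots of the same program and report
which regions ASLR moved between runs. All sample data is constructed."""

# Constructed snapshots of two runs of a hypothetical non-PIE binary.
RUN_A = """\
00400000-00452000 r-xp 00000000 08:01 131 /opt/demo/app
01c3b000-01c5c000 rw-p 00000000 00:00 0 [heap]
7f3a1c000000-7f3a1c1b5000 r-xp 00000000 08:01 977 /lib/x86_64-linux-gnu/libc.so.6
7ffd4a2e1000-7ffd4a302000 rw-p 00000000 00:00 0 [stack]
"""
RUN_B = """\
00400000-00452000 r-xp 00000000 08:01 131 /opt/demo/app
00e91000-00eb2000 rw-p 00000000 00:00 0 [heap]
7f91e8400000-7f91e85b5000 r-xp 00000000 08:01 977 /lib/x86_64-linux-gnu/libc.so.6
7ffc91b7d000-7ffc91b9e000 rw-p 00000000 00:00 0 [stack]
"""


def parse_maps(text):
    """Return {region name: lowest start address} for named mappings."""
    bases = {}
    for line in text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:  # anonymous mapping: no pathname column
            continue
        start = int(fields[0].split("-")[0], 16)
        name = fields[5].strip()
        bases[name] = min(start, bases.get(name, start))
    return bases


def aslr_report(run_a, run_b):
    """Map each region present in both runs to 'randomized' or 'fixed'."""
    a, b = parse_maps(run_a), parse_maps(run_b)
    return {name: ("randomized" if a[name] != b[name] else "fixed")
            for name in sorted(a.keys() & b.keys())}


def fixed_regions(run_a, run_b):
    """Regions whose base address is predictable from one run to the next."""
    return [n for n, s in aslr_report(run_a, run_b).items() if s == "fixed"]


if __name__ == "__main__":
    for name, status in aslr_report(RUN_A, RUN_B).items():
        print(f"{status:10}  {name}")
```

In the constructed data the stack, heap and libc move between runs while the main executable stays at the same base, which is the kind of partial coverage a position-independent build is meant to close.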

I think that although Linux is secure, Windows is the most secure. Why? Windows took 3 days and a 3rd party program to be hacked, I believe it was some Adobe product. As for remote hacking, those days are over. You're gonna see those only in movies where some guy hacks into some central computer and takes what he wants. BUT websites and databases are still very much hackable remotely. I hope people pay more attention to updating their website software, so some idiot doesn't suddenly think it's fun to mess with one's database. And the next thing you see is a blank screen where you should have your blog saying "greetings from *somehackername*!". As for the Mac, I always knew Macs suck! :) I was right all the time!!! It starts getting a bit boring when you're right all the time... :P


I think that although Linux is secure, Windows is the most secure. Why?
Windows took 3 days and a 3rd party program to be hacked, I believe it was some Adobe product.

The 2009 Pwn2Own contest showed, on the first day of the contest, that Windows got hacked due to Internet Explorer 8—although the Mac OS got hacked first. Internet Explorer 8 isn't a third-party program. But since you mention Adobe, that means you are referring to one of the past Pwn2Own contests, but I haven't gone through the Pwn2Own history to know which one exactly; I only remember about the one that Windows got hacked without any mention of third-party software and where the Mac OS got hacked due to the Flash browser plug-in.

But the most secure OS is said to be OpenBSD, which isn't part of the list.


If you are using Windows, an interesting item to note is that Chrome was the only browser that came out unscathed. It doesn't really mean that Chrome is uncrackable, probably only that the market share it holds is too low for people to waste time attacking it during a contest.

Here's an interview with one of the contestants - http://www.zdnet.com/topic/security/?p=2941 . He mentions that though he has a Chrome vulnerability, he doesn't know how to currently exploit it.

I do wish they would test OpenBSD as well. With the amount of care that goes into it, I wouldn't be surprised if it came out unscathed.

Regards,

z.


What amazed me a bit about the contest is that the Opera browser wasn't mentioned at all, yet Chrome, being newer and still in testing stages, was included in the contest. It would have been very nice to see how Opera stands up in security between the other browsers.


What amazed me a bit about the contest is that the Opera browser wasn't mentioned at all, yet Chrome, being newer and still in testing stages, was included in the contest. It would have been very nice to see how Opera stands up in security between the other browsers.

I think that the view of things is kind of skewed with lack of information or even mention of the security of other alternatives. I can see how Linux didn't receive much mention as the main focus would be on the two operating systems that most consumers use (Windows and OSX), but at the same time, wouldn't businesses and enthusiasts benefit from more information and news from Pwn2Own about Linux? I don't think it's fair that Charlie Miller dismissed Linux because "grandma couldn't run it." I'm a little tech-savvy so I could do things like compile and make programs under Ubuntu, make hardware work with Ubuntu, and do a number of things from the CLI (something that Grandma probably can't do), but out of the box pre-installed on a Netbook or some other scenario of the sort, I'm sure that anyone can operate user-friendly distributions of Linux just as they would with OSX or Windows. And really, doesn't it take a bit of tech knowledge to work around ANY of the operating systems? I hear that OSX has a ton of power under the hood, but all of it is buried in menus and hidden tools and whatnot that you would have to learn, so how does that contrast with Windows offering the CLI, Control Panel, registry and services, and with Linux and the command line?

I liked Opera a heck of a lot when I used it, and I'm hearing more about it (but that's because I pay attention more so to news about it now). I've heard of all of the major browsers and am aware of their consumer share in usage, so I suppose it's not surprising to know that Opera doesn't have as much press. (Why do you think Google's Chrome is already out and known more so?) Internet Explorer comes with every system; Firefox grew with enthusiasts pushing the features and the awareness of "the better browser;" Chrome belongs to Google; and Safari comes with OSX. I think Opera is in the same boat as Firefox was years ago... it will only be some time before people become more aware of Opera.


Hello there, I will prefer Linux and I am currently using Ubuntu because it will ask for a password every time, and also it has a special property that only .gz or something like that will run, and in Windows all files having .exe with .dll will run, and generally some trojans are in this format only... so Ubuntu is much more secure than Windows XP...


Hey Guys,

To be honest, I run Windows Server 2003 R2 on all my computers whether home or work, whether desktop or server. The reason is we have a lot of freelancers come in so we lock all users down so they can only do the bare minimum. I have refused to allow autoplay on any of my PCs and also refused to allow any form of USB attachment without sysadmin privileges! lol ffs the CD drive doesn't even work :P To be honest the operating system is only as secure as people allow it to be... If you have a computer and run around all the dirty little infected sites without any protection you have to expect this to happen... So yeah, anyway... As someone said above, the reality of you getting your system remote hacked is very unlikely and what would be the reason to be honest, just remember to keep up to date with all your site security updates... Any way laters allwebsey


If you have a computer and run around all the dirty little infected sites without any protection you have to expect this to happen...

Interestingly enough, if you were to visit those same websites on another system, like Linux, you would most likely not have to deal with the inconveniences that plague the Windows user. Of course, I don't mean to imply that one should make the switch so that they can do foolish things.


I have another article that bolsters the statement that Apple is indeed more "physically" insecure than Windows, yet is more secure because there isn't much of a base to write malware... yet.

 

... security expert Charlie Miller that argues that contrary to popular belief, the Mac platform is not more secure than Windows, it's just not targeted by malware writers--yet.

"The sky is not falling," Dai Zovi said. But also, "the Mac is not magically protected from malware."

 

If security features are added to the new version of Mac OS X, Snow Leopard, which is due out on Friday, that could change Dai Zovi and Millers' opinion.

Lazy Link

 

Addendum: Snow Leopard is going to have an anti-malware feature. Smart.

Edited by rayzoredge


I have another article that bolsters the statement that Apple is indeed more "physically" insecure than Windows, yet is more secure because there isn't much of a base to write malware... yet.

That is true, to a point. However, like Linux, OS X is based on Unix, which is heavily permissions based. If a program doesn't have a root password it cannot write to certain places on the hard drive that are owned by root. Now of course if a user is dumb enough to give a suspicious program their administrator or root password, they deserve whatever is coming to them.


Now of course if a user is dumb enough to give a suspicious program their administrator or root password, they deserve whatever is coming to them.

Took the words right out of my mouth. ;)

However, I'm sure that even the best of us fall for some legitimate-looking items, like allowing svchost.exe in Windows XP to access network resources. (I'm guilty. As in a good hour's worth of cleaning-up-after-a-Trojan guilty. :P )


As in a good hour's worth of cleaning-up-after-a-Trojan guilty.

Ahhh, the joys of reformatting a drive and re-integrating all the data. It's one of my favorite pastimes. It's loads of fun until you realize you forgot to back up an important file after you just finished formatting...


zakaluka: "Chrome was the only browser that came out unscathed".

Did you fail to see the milw0rm posts?

As for OSX being a secure OS - What crack are you smoking? OSX fails to implement a number of memory protection mechanisms, such as ASLR! And **** a snow leopard. It's taken them this long?!

As for Linux, you'd want to implement grsecurity's patches. In addition, I don't think the Linux implementation of ASLR is as good as the Windows implementation.

To exploit a memory corruption bug on Vista is quite difficult due to ASLR and DEP, in my opinion. It would become more difficult if SafeSEH was implemented on the app you're attacking as well. A common method of bypassing ASLR on Vista is the use of heap spraying. I have heard that heap spraying is ineffective against Ubuntu, however I wouldn't be surprised if Windows becomes immune shortly. I doubt it would be hard to implement, based on their other implementations.
