We all know that Mac fanatics claim how secure Mac OSX is. Is it really that secure though?

The last couple of months have not bee kind to OSX. The Mac operating system has seen its first round of widespread malware. Apple has been busy playing whack-a-mole trying to stop it. The Mac fanbois have been denying it. Apple is still more secure they claim. If this is true, then how did Apple top the Stack of Shame this week?

The reality of the situation is that Apple is entering uncharted territory for OSX. Not only does it have enough percentage of the market to make it a more viable target for the underground Internet, but it doesn’t have a true plan in dealing with such issues. This was shown by Apple’s response to the MacDefender malware. The denials, the bad press, and finally a solution that keeps getting circumvented. Yes, overall the amount of people infected might be small beans, but it is a larger outbreak than ever before, plus it shows that it can be done.

The next question comes in with these 26 vulnerabilities, how quickly will they be patched? That is the key to preventing exploitation of said holes. Is Apple ready to do monthly patches, weekly patches, out of band patches? How will they respond to all of this?

No Operation system is 100% secure. There is too much code, too many different vectors to attack from, and there is always the end user who is the biggest threat to security. Apple response to the OSX security issues should enlighten us to the iOS plans for security issues. No, there aren’t many now, but there will be.

I have an Android phone, and I enjoy it. I don’t care for the iPhone. That being said, Apple has one huge advantage over Android.

The Android Smartphones are popular. The work well (for the most part), and are reliable (again for the most part). The open development community for apps has produced some great free applications, that you would have to pay for on iOS. There is a drawback to Android though, and it is something that by all rights should be more of a strength.

When you look into the world and history of Operating Systems, you see a bloody trail over security. Which OS is more secure, which one addresses security problems the fastest, etc. The Open Source community has always claimed that because more people can look at the code, patches can come out faster, and in the Desktop arena this definitely seems to be true. In the world of Smart Phones though, this “advantage” is lost.

The problem is not directly Android or Google, or the Open Source community. The problem is in Manufacturers, and even more so on the carriers. There is a process for patches and updates. Google writes an update, tests, sends to the manufacturer who tests, approves and then sends to the carrier. Android is so customizable, and on so many different manufacturer’s phones that this process has to happen for each model, each customized OS, and each carrier.

Now we are getting into a situation with this long protracted system of updates. Holes being found in the systems are there for months, possibly years before a patch gets pushed out. In this age of phone upgrades every 18 months, of more mobile applications for smart phones, more people banking and shopping off smart phones, and the upcoming Near Field Communications, updates for security need to happen a lot faster. The risk of more and more identity theft is growing, and the slowness of the pipeline is maddening.

Now add on that every manufacturer has been customizing the Android OS to try and differentiate itself from the others. How many more security issues can this raise. How many of the mods are creating security holes (we won’t go into other issues these mods cause)?

Yes, Apple has to go through the same sort of pipeline, but Apple has only piece of hardware (with different chips for GSM or CDMA) and just the carriers to deal with. Its a much shorter pipeline, and Apple can cut a carrier off from future iPhone releases if it wants to. Android needs to come up with something similar soon, especially with all the malware that has been coming out for the platform already.

With all the hacks going on out on the net today, patching your machines is more critical than ever.

Microsoft is releasing 16 Patches, 9 of which Microsoft deems critical. Patches include Windows, Office, and .Net, and all attempt to address RCE attacks.

Oracle has also released a major patch for Java in the past few days which addresses a number of security vulnerabilities. Adobe has patches out recently for Flash, Apple is playing whack-a-mole with malware, and basically there is a lot of patching to do.

Don’t forget though, with all these patches, to test them before deploying them. It doesn’t happen very often, but some patches can break your software.

So it seems that a few vulnerabilities have rated out of band patches from Microsoft. One for Visual Studio and one for Internet Explorer. while they are not releasing the details of the patches yet, I”ll bet the IE one is to patch the drive by downloads that have been happening lately.

Read the information here.

I always find it interesting as to what Microsoft considers important enough to do an out of band patch. Last year one was to close up the hole that Cornficker used. Sometimes it seems that they should issue one and they don’t. Maybe someday we will understand the madness to their decisions.

Yep, that’s right, its that time of month where Microsoft’s servers get slammed. Its patch week.

This month some patches for holes that have Zero Day Exploits out for them already. Included in this is the Active X Video Hole, The Direct X Quicktime Hole, and the Open Type Font hole. The first two I had talked about when they came out, with the Direct X hole being the one that it looked like Microsoft had no serious plans of patching. Nice to be proven wrong.

There is no fix this month for Office Web components, which have recently come under attack. I expect this fix is being worked on and will be out soon. Considering the move to the cloud that people talk about, and that Office Web competes with Google Documents, they do need to secure it.

As always, I do recommend paying attention when you patch as one reader pointed out, you can choose not to install IE8, which still comes down as a critical patch, unless you download it and then stop the install of it, or tell the updater to hide the download of it. Yeah, its a pain, and unfortunately the everyday end user who we tell to make sure they install critical patches will still inadvertently install the sucker, we can at least try to educate them a little and not make the same mistake ourselves.

Before I get started let me say this, I believe in patching, and updating systems and software. It is essential to security fo a system.

That being said, there is something to be said about forcing updated software by calling it a high priority update. Yep, I’m talking about IE8 yet again. Don’t get me wrong, I’ve used it, and for general web browsing, it is ok, although a lot of sites still seem broken when using it.Some of it is because of the higher security settings built into IE8 the rest because a lot of sites are not optimized for IE8 yet.

The problem is that it is listed as a high priority update, and if you have a machine set to automatically install critical updates, it gets automatically installed on your machine. This is totally against the statement from Microsoft that IE8 is optional. The non-tech person does not know to check, nor is expected to know how to decline the installation of something like IE8. All of a sudden this is costing my clients money, due to the fact that they have to pay me to remove IE8 and then reinstall IE7 on their machine.

Yeah, its nice for my revenu, but it makes the IT world look bad overall. Clients jsut want things to work, and I can’t blame them on that. I just want things to work also. Microsoft doesn’t seem to care about anything except market share and money, and with more and more viable options coming out, they better start learning that reputation means everything, and properly working software is the way to get more market share and money.

Ahh yes, the second Tuesday of the month and Microsoft releases patches. This month is a big month for it again with 10 patches, 6 of them marked as critical. So what do we have patched this time?

1) Active Directory. It seems that there are holes in Active Directory’s security that can allow remote code execution. Definitely do some testing on this patch, but try to roll it out as quickly as possible. This does affect 2000, 2003, and XP

2) Print Spooler. A patch that closes up 3 vulnerabilities that could allow remote code execution. Another one that should be rolled out as quickly as possible. I have not heard of code in the wild on this, but you know how quickly people will jump on such a critical system hole.

3) Internet Explorer. Big surprise here as IE seems to get a patch at least every other month. Considering that Microsoft was able to compromise Firefox’s security with a .Net add on for it, the holes in IE need to get patched up as quickly as possible.

4) Word, Excell, Works. I hope you aren’t using Works, but with Word and Excel, test these and then deploy, even though they are marked as critical.

Those are the Critical’s as decided by Microsoft. Interestingly the Direct X vulnerability, which does have code exploiting it in the wild, has no patch whatsoever, and no sign that Microsoft is going to patch that hole anytime soon. Again a concern where Microsoft is concerned, but not surprising considering the amount of resources working on Windows 7, and the amount of reported vulnerabilities Microsoft must receive every month. More information on the Microsoft patches can be found here.

Also, Adobe released a patch to address a number of vulnerabilities that have been found in its Acrobat Reader. Information on that can be found here.

Yep, a busy Patch Tuesday, so go get them, test em, and deploy em. And if you find a problem with any of the patches, or caused by them, let me know.

So, in the midst of not writing too much this week, I’ve had a lot of headaches. Headaches that you can avoid.

Headache number one. Always do a daily check of backups. Make sure that everything including SQL databases are being backed up properly. If they aren’t, find a way to remedy that.

Headache number two, SQL 2005. Yes SQL works nicely, but when you have people who insist on using the Eval version past its 120 period, upgrading them to the full version is a pain. One that Microsoft can fix by not forcing an uninstall of the eval and install of the full version. Oh and double check all backups before you do the uninstall.

Headache number three, Windows updates and Symantec Endpoint. I have hit this one a few times this week, where Windows Update goes into a weird connection and install loop for a patch and can’t install it so keeps retrying to the point that Symantec Endpoint 11 things the server is under a DoS attack. Course this eventually led to other issues that required a reboot of the servers in question, so they worked properly again. Well two of them did, the third one led to…

Headache number 4, ease of finding information from Microsoft. Yes, Technet, and Google are nice items, but when one puts in a search about corrupted exchange log E00, you would think that you would get all the info or at least KB articles that offer solutions for it. This is not the case. It took about 100 different search strings along the exact same parameter, with a small change here, small change there to words or order, to finally find the missing step to bring back up a clients exchange information stores.

Yeah, its been a busy week, but at least there are lessons to be learned. The biggest one is that Microsoft is painful.

Days after the Windows 7 Release Candidate becomes available, Microsoft has to send out a critical patch. Now it only affects the 32 bit version, and honestly, I think that Microsoft is stupid to make a 32 bit version. All the processors on new machines can support 64 bit, so why not use it.

Anyway, the issue comes in with how ACL lists are handled. You can read more about it here.

Also, on Windows 7 RC patches, in the next week there will be a bunch of fake patches sent out by Microsoft that do nothing. Well, nothing but test the updating system, which is somewhat important. Make sure to use these for testing the system.

So Chrome updates itself silently, which can be a good thing, unless the patches require a restart of the browser. If this does happen you all of a sudden get a notice saying, “Changes have been made, you need to restart for them to take effect, ” or something along those lines. I get it with Firefox also. IE doesn’t do that, which is why it can’t be as secure.

Anyway, I digress. It seems that in the pas month Chrome has had to do some major patching quite often. People talk about how secure Chrome is, and while I haven’t tried it yet, I do have to wonder if it is being heavily targeted, or did the developers just make that many misses on bug testing?

http://blogs.zdnet.com/security/?p=3324#more-3324

So with all the browser choices out there, how many do you think have more problems than they know because of security through obscurity?