browsers, operating systems and internet security
March 21, 2010 7:07 AM

It seems that the various methods of infecting computers depend on weaknesses in browsers and operating systems. What are the safest browsers and operating systems? Is virus detection software necessary, assuming you've made good choices about operating system and browsers?

I am trying to establish policies for a small company. We are predominantly Mac based, using Google's Chrome browser right now.

Some have assured us that Macs do not have the vulnerabilities that hackers have exploited in Microsoft's operating systems and browsers. If Macs are relatively secure, is there a difference in the version of the operating system that we should worry about?

Also, I was told we don't need virus detection software because we use Macs. Agree? Disagree?
posted by alcahofa to Computers & Internet (22 answers total) 2 users marked this as a favorite
 
Some have assured us that Macs do not have the vulnerabilities that hackers have exploited in Microsoft's operating systems and browsers.

That's definitely not true, but the fact is that people who write spyware usually target Windows XP, because it had a huge installed base, and it still works well as a spyware target now. Windows Vista and 7 are much less vulnerable, and aren't set up to run as "Administrator" by default. In fact, running an XP machine as a 'regular' user (which is usually how things are set up at offices) is a lot safer.

As far as anti-virus software, without it, you'd have no way to know if you got a virus or not. There's no way to know if Macs will start getting targeted in the future.

The other thing to keep in mind is that PDFs have become a popular exploit vector. Make sure you keep Acrobat up to date.
posted by delmoi at 7:19 AM on March 21, 2010


The newest is almost always going to be the most secure

I don't understand this assertion.

Older operating systems have had their vulnerabilities patched, or, should have had their vulnerabilities patched by system administrators. Newer operating systems may have vulnerabilities waiting to be exploited by hackers.
posted by dfriedman at 7:26 AM on March 21, 2010


alcahofa: “is virus detection software necessary, assuming you've made good choices about operating system and browsers?”

Yes. Any company that runs software has enough liability that it is absolutely necessary to have security processes in place, and one of these is of course anti-malware software. The simple fact is that the risk is so much higher than the relatively minor cost that it's a no-brainer.

“Some have assured us that Macs do not have the vulnerabilities that hackers have exploited in Microsoft's operating systems and browsers. If Macs are relatively secure, is there a difference in the version of the operating system that we should worry about? Also, I was told we don't need virus detection software because we use Macs. Agree? Disagree?”

Macs actually aren't relatively secure; at a recent hacker expo, Macs were the first machines to be hacked, because, the winner explained, there are more exploits for Macs than there are for other machines. Here's a good rundown of the insecurities of Macs by the metafilter member who ran the competition. These exploits simply aren't taken advantage of because of the smaller market share and for various other reasons.

Every company needs security protocols, and this includes Mac-based companies. Your worries are not simply "viruses," which are actually quite rare and innocuous at this point; nor is your concern even simply "malware," the common form of computer infection. If you run a company, there is always a worry that someone will run a coordinated attack on your software; and in the face of that kind of threat, no operating system is absolutely safe and secure enough to install and never worry about again.

If you're wondering, by the way, the most secure operating system you can possibly run is OpenBSD, a UNIX-like operating system similar to the one Apple lifted for its own OS X. It will run side-by-side on the same machines as OS X will. Most importantly, it is free, and it is much, much more secure than OS X will ever be.
posted by koeselitz at 7:26 AM on March 21, 2010 [1 favorite]


Principle of least privilege applies here. The safest browser is the one not running as administrator/root.
posted by damn dirty ape at 7:27 AM on March 21, 2010


@delmoi - Apple provides their own PDF rendering engine, so that's less of an issue as well.

I don't know about Chrome's track record for security, but Apple has occasionally been very lax with updating Safari.

But as always the most important security feature is an educated user.
posted by modernserf at 7:28 AM on March 21, 2010 [1 favorite]


Argh – forgot to add the link. Here's that explanation of Mac insecurities by mefite and PWN2OWN host mock.
posted by koeselitz at 7:28 AM on March 21, 2010


Ah. So maybe a more precise way of saying what you're getting at, floam, is: the safest operating system will always be the best-established and most recently updated. In other words, update early and update often.
posted by koeselitz at 7:33 AM on March 21, 2010


Safest OS is OpenBSD, because it's developed by paranoid geniuses.
posted by orthogonality at 7:40 AM on March 21, 2010 [1 favorite]


OpenBSD probably accounts for less than 1% of all installed x86 operating systems on all PCs worldwide, and maybe 5 to 10% of OpenBSD systems actually install x.org and a window manager for a single human to use it as a desktop PC. I assume from the original question that the original poster is talking about PCs for use in a regular office environment (i.e., with a GUI). Unless you are building a headless colocated OpenSSL transaction server, there is no need to use OpenBSD these days.
posted by thewalrus at 7:44 AM on March 21, 2010


thewalrus: “I assume from the original question that the original poster is talking about PCs for use in a regular office environment (i.e., with a GUI).”

This is slightly beside the point, but: huh? The base install of OpenBSD runs X Windows, the same GUI most Linux windows systems are based on. You could run Gnome in OpenBSD without much trouble. I don't guess OpenBSD is that necessary, as long as you're careful, but it's not a command-line-only interface by any stretch of the imagination.
posted by koeselitz at 7:57 AM on March 21, 2010


"Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town."

Security researcher Charlie Miller also said he's going to reveal 20 zero-day security holes in Mac OS X next week at CanSecWest, a digital security conference. (A zero-day security hole is a weakness in software that neither the makers of the software nor other individuals have any knowledge of.)
posted by sharkfu at 8:02 AM on March 21, 2010


You're going to get a lot of opinion on MeFi, very few sourced facts. My own opinion is if you're running Chrome on Mac, you're probably going to be pretty safe. Macs aren't more secure than other OSes in theory, but because of their relative market share they aren't attacked like Windows boxes are. Make sure your Mac users aren't logged in with root privileges and make sure they understand not to let programs escalate to root. (Take away root entirely if you can.)

Your Macs should be pretty safe from attacks from the Web. It's much harder to secure usage of one Web site from another. Pretty much all browsers are vulnerable to cross-site scripting, etc. Chrome is likely better than most. If you use its Incognito mode the new private window should be particularly secure from the rest of the browser; if you have sensitive internal systems consider teaching your users to use that mode when accessing them. (Note: it's a pain in the ass for your users.)

I'm assuming your threat model is random drive-by hacks on the Internet. If you're worried about directed attacks, like Google recently saw from China, the answer is very different. In that case you need to hire a professional to advise you.
posted by Nelson at 8:04 AM on March 21, 2010


Here it is in a nutshell. Your clients expect you to do due diligence regardless of operating system. You must protect their data as well as yours. That means yes, you need to install firewalls and anti-virus software regardless. Also be aware that many states are beginning to require that any corporate computer that has people's personal information on it (HR, Payroll etc.) be encrypted.
posted by Gungho at 8:21 AM on March 21, 2010


In theory, Macs are plenty vulnerable. This has been demonstrated a number of times.

However, nobody I know with a Mac - and that's a lot of people - runs any kind of antivirus software. None have ever had any problems with viruses or spyware. This ranges from computer professionals to my sister, who is entirely naive on matters technological. I have never, in many years of reading mac-related forums and blogs, heard of actual, real-world (as opposed to proof-of-concept) Mac-targeted viruses or spyware spreading through the wild.

This is certainly true in part because of the sheer number of Windows machines, and because of the presence of large numbers of identically-configured (thus, identically-vulnerable) corporate systems. But at the end of the day, the Windows users I know worry a lot about spyware, and on a regular basis I have to help one of them out in clearing a virus or malware infestation, and the Mac users never ever come to me and say "hey Tomorrowful, I have these popups every time I try to do anything on my computer, how do I fix it."

This has been another edition of Anecdote Theater. Do not mistake this for Data, or suffer wrath, etc etc.
posted by Tomorrowful at 8:30 AM on March 21, 2010


I have never, ever seen a Mac virus in the wild. I have been using Macs since I was a computer science major. I don't run any virus software; my security consists of not opening attachments I get from people or sites I don't know.

I would guess that the installed base for Mac servers, in particular, is so minuscule that no hacker bothers. For the same effort you can infect thousands of Windows boxen.

Mac OS (and, I assume, Vista) automatically update their security protocols. Just make sure that you have Software Update set to regularly scan for updates.

Windows may be theoretically secure, but it's a huge target, and somehow there are a lot of zombie Windows machines out there, so the gap between theory and practice may be huge. Theoretically condom+foam is as effective as an IUD, but you don't have to remember to use an IUD properly.

OpenBSD, aside from being incredibly secure because it's open source (and therefore picked over by the good guys), is also not particularly common on corporate servers. So theoretically it could be the most secure. Oh, and it's free.
posted by musofire at 8:45 AM on March 21, 2010


Also, you shouldn't think of security as a product (which browser to use) but as a process. If you do go with Chrome then you should ask yourself how quickly you can patch it when a patch is released. Will you have any automated tools to do this? Is this easier to do in Safari with Apple's server/enterprise tools?
posted by damn dirty ape at 9:33 AM on March 21, 2010


Do you have sensitive data to protect? Do you care if machines become spambots, or host malware? Your answer should be yes. Run an antivirus program on the Macs. Use a firewall. Stay up to date on security.

Your users will generally want the most recent version of any OS. Don't use an OS for which patches are no longer provided. I think the newest version is usually safer, as previous fixes are built in, and hackers take time to find exploits.
posted by theora55 at 10:14 AM on March 21, 2010


Response by poster: If I have administrative privileges on my Mac and I run in that account with administrative privileges, is that equivalent to running as root?
posted by alcahofa at 11:38 AM on March 21, 2010


Apple deserves to get beaten up over their apparent casual attitude to security, but people also need to recognize the role of usability issues in a lot of end-user targeted exploits. (On the other hand, security seems to be an arms race; why should Apple escalate with things like address space randomization before a genuine threat presents itself? If they deploy countermeasures as the threat level demands, then they can rely on a large arsenal of tricks developed in more dangerous security theaters. This doesn't excuse them for being slow to patch zero-day exploits, though.)

Apple's administrative privilege escalation feature, where you have to put in an administrator's password when performing certain actions, and Microsoft's privilege escalation feature are basically the same if you are taking a checklist approach. The thing is, Apple only hits you with the challenge once per task, even if the task is multiple steps. On the other hand, Microsoft (on Vista, at least) will often hit you with the challenge multiple times when performing a multi-step task.

One result is that Microsoft trains users to see the challenges as an annoyance that needs to be clicked quickly, rather than as a warning to be considered and heeded, which is something that attackers exploit by throwing up scores of decoy browser dialogs to help conceal the real OS dialog. People then click the genuine dialog without knowing as they try to deal with the popups and their machine is "owned."

But by all means, be cautious and use antivirus software on the Macs, and make sure that users are using a regular user account, rather than an administrator account.

(By the way, this last bit is, again, an advantage of the Mac/OS X: there is a lot less older software that requires an admin account than there is on Windows. This is something that makes Windows an attractive target beyond just its market share.)
posted by Good Brain at 12:41 PM on March 21, 2010


If you read the latest Cyber Security Risks assessment from SANS.org, the biggest revelation is that operating systems are no longer the malicious code writers' "target of choice". Applications are, because they typically get patched more slowly (businesses have gotten the hint to patch OSes, but they drag their feet patching applications for a variety of reasons).

Out of the top 30 most frequently exploited vulnerabilities affecting end-users, the top 5 are: QuickTime, Adobe PDFs, Adobe Flash, Java and MS Office (meaning: since these programs are very popular, malicious code writers are using them as vectors of attack more often than any other vector). So if you update/patch these applications expediently, you should make significant progress in minimizing the target on your back.
posted by jmnugent at 3:19 PM on March 21, 2010


In terms of business applications, IBM i (For Power Systems including AS/400, iSeries, and System i) is notably resistant to malware exploits, particularly in situations where it is hosting multi-user Internet connected applications. In terms of security and ease of administration, for small to medium sized organizations, there is still a lot to be said for running thin clients all pointed at a System i, or iSeries machine, which hosts the business applications, the communication applications, and secure proxies for Internet services you want to provide to end users.
posted by paulsc at 8:29 PM on March 21, 2010 [1 favorite]


Use a combination that most people don't use. Less reason for attackers to create code to attack you, since you are less than 1% of the installed user base. For me, that is Ubuntu Linux + Opera. You also need a good firewall. I use Smoothwall. Been using this combo for about 3 years, haven't had any problems yet.

Hell, just don't use Internet Explorer and you're almost done right there!
posted by humpy at 8:57 PM on March 21, 2010

