That would MS defenders *and* Daniel! :-)

But your extended quote goes on argue _against_ just such a conclusion! This particular vunerability could not be leveraged to create a worm or virus. Until and unless someone presents evidence of research, market share alone is not a convincing argument as to why OS X remains secure. Especially not given the presence of, as Joel points out, “security celebrities”!

Lets have a car analogy. Imagine if someone knew how to break into a BMW, but didn’t tell anyone for a year. Would we all still take him seriously…? Or perhaps someone who has kept a known fault from Airbus or Boing that lets people access the cockpit in flight…?

This researcher is an opportunistic self-promoter. He isn’t interested in increasing security. He’s interested in $$$$$. So no-wonder he isn’t interested in OS X. The big targets are in Windows Xp… This guy is a “security celebrity” not a “security researcher”. And like all celebs, although he hasn’t done anything substantial, people still listen to him…

Is OS X more secure though obscurity…? Unlike Windows, and via its BSD roots, OS X has security built-in. There’s also the umpteen features Dan has mentioned. There’s also a very small (compared to Windows) user base. In order to spend time over-coming all the OS X security you’re going to need very good motivation. I’ve posted this before, but until OS X users leave their Gold stash passwords in the clear with instructions how to access it, no “security researchers” are going to be motivated. (And remember, nothing is “obscure” on the Internet)

Mr. Miller’s comments seem to lend weight to the ’security through obscurity’ argument so often spouted by MS defenders. As someone who is not as educated as I would like to be on the technical details, I would be interested in your take on the comments on your article from the Appleinsider forum:

Alfiejr said:
“so Miller did not get root access with his attack, even though the Mac was running in Admin mode. he is right of course that he could still steal information, spoof emails, and invade/erase a user’s files. but that is not turning the Mac into a bot like the Conficker worm does to PC’s with no individual effort needed. it’s a focused one-at-at-time attack that is labor intensive and slow to reward. the NSA might do it to spy on you, but for a crook phishing is a lot easier way to steal someone’s bank account info quick.”…

“no doubt with more effort on that individual Mac he could then crack the password(s) that would finally give him total root control of the computer and install any programs and do anything (most consumers use relatively simple pw’s). but crooks aren’t going to go through that much extra work with a single random consumer just to set up a single bot unit or look for financial info hit-and-miss”…

“all of which adds up to the Mac’s practical security advantage. it’s not just the market share, it is the inefficient (for the crook) extra trouble it takes.”

Is Afliejr correct? It would help me in my practical discussions with my companies IT department Windows pundits. If for nothing else, than to give them something to go research (when they’re not installing anti-virus updates of course).

Thanks again!

It’d be nice to hear of a way to get this message to Apple. It is high time for them to take security more seriously. They’ve made some great design decisions on how to not have security in the way of usability but the computer still needs to do what it advertises as doing: load an image rather than execute it.

http://www.tomshardware.com/reviews/pwn2own-mac-hack,2254.html

Props to you Charlie Miller.