But in the meantime, we will just have to rely on Apple's control freak tendencies to keep us safe through developer disinterest.
Apple's Mac operating system may be the safer choice – but only because cybercriminals can't get their hands on people who know how to exploit it. That's according to security showman Eugene Kaspersky, who gave a keynote at the Mobile World Congress in Barcelona on Monday. In recent months, Kaspersky has made a habit of giving …
>All. Software. Contains. Bugs.
Yes, but that's a cop-out.
The major problem is that a modern OS is huge and the attack surface is massive. We need a redesign which minimises the attack surface. User-id based rights don't cut it. We need to be able to restrict rights at run-time in a reasonable manner. Things like EMET and capabilities are a good start but not anywhere close to having the required user-friendliness. We need to be able to clamp down on access to the directory tree, raw network stack, localhost-based web proxy, and config system. Those rights need to be defined during installation and managed by an admin system, not from inside the application - no self-updaters.
My internet browser and its sub-processes need access to the GUI, these particular libraries, its disk cache and its download directory. It needs read-access to part of the registry and it needs r/w to where it stores user preferences (a config file or registry subtree). It does not need access to my whole user directory, screen-saver binaries and preference settings.
I may even need to define a second less secure browser config for intranet work. Maybe that one allows Java but won't connect to any non-RFC 1918 addresses. It still does not need access to my whole user directory, screen-saver binaries and preference settings. Some of these things are in EMET and the host firewall settings on Windows, but they need to be brought together and made mainstream, integrating them into the application installer.
We need to kill extension-based interpreter selection and stop hiding "file types." Applications should not be able to overwrite files on their own - they should use an OS-mediated file-save dialogue. OS dialogues should be triggered if they try over-writing files for a mime-type they did not register during installation. Non-installed binaries get r/w to an auto-created subdirectory only.
Maybe I've got some of these details wrong, but this is the kind of OS redesign we need. Even Android and iOS at least attempt fine-grained controls.
I don't disagree on any of those points. I just think it's important to remember that All. Software. Contains. Bugs.
Sure, you can have everything you suggest there, right up to the point someone discovers that it's possible to buffer-overflow something running entirely within the constraints that you suggest such that it pokes data into memory it doesn't own, and oh look, if I invoke the following totally legal processes in the correct order I can cycle memory usage until a target process is _using_ that block, and ooops, look who's got arbitrary code execution as the system/root user.
Obviously we should do everything we can to make sure that our platforms are as secure as possible, but to believe that they'll ever be "immune" is hubris.
We could also do with a clever-UAC model. One which learns which permissions are not routinely required and restricts the user more as time goes on; whenever one of those permissions they haven't used in 6 months suddenly needs to be used, it should prompt the user for authorisation rather than just saying "ah screw it, this is within his rights".
We need our permissions models to be more reactive. Right now we set them in stone and hope that's enough, but there are permissions which could be removed over time which, purely by prompting, could alert the user to unusual activity.
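To make the two proposals above concrete (the install-time rights manifest with directory, network and mime-type restrictions from the earlier post, and the "prompt when a right has not been used in six months" idea from this one), here is an added example written for this page. It is not code from the thread, from Apple or from any OS; `Manifest`, `check_file`, `check_connect` and the path and mime-type rules are hypothetical, and the browser manifests in `demo()` are constructed. It is a policy evaluator, not an enforcement mechanism: a real system would have the kernel or a broker apply the decisions.

```python
"""Toy install-time permission manifest evaluator (added example, hypothetical names)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from pathlib import PurePosixPath

STALE_AFTER = timedelta(days=180)  # "not used in 6 months" from the post above
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Manifest:
    """Rights declared by the installer; the application itself cannot widen them."""
    name: str
    read_paths: list[str]
    write_paths: list[str]
    mime_types: set[str]                 # types the app registered to overwrite
    intranet_only: bool = False          # the "less secure" profile: RFC 1918 only
    last_used: dict[str, datetime] = field(default_factory=dict)


@dataclass
class Decision:
    allow: bool
    reason: str
    prompt_user: bool = False            # True: the OS must ask before proceeding


def _matching_root(path: str, roots: list[str]) -> str | None:
    """Lexical containment: absolute path, no '..' components, under one declared root."""
    p = PurePosixPath(path)
    if not p.is_absolute() or ".." in p.parts:
        return None
    for r in roots:
        rp = PurePosixPath(r)
        if p == rp or rp in p.parents:
            return r
    return None


def _with_staleness(m: Manifest, perm: str, now: datetime | None) -> Decision:
    """Allow, but require a prompt if this particular right has not been exercised recently."""
    now = now or datetime.now()
    last = m.last_used.get(perm)
    m.last_used[perm] = now
    if last is not None and now - last > STALE_AFTER:
        return Decision(True, f"{perm} unused for {(now - last).days} days", prompt_user=True)
    return Decision(True, f"{perm} within declared rights")


def check_file(m: Manifest, path: str, mode: str, mime: str | None = None,
               now: datetime | None = None) -> Decision:
    """mode is 'r' or 'w'. Writes to an unregistered mime-type go through the OS save dialogue."""
    roots = m.write_paths if mode == "w" else m.read_paths + m.write_paths
    root = _matching_root(path, roots)
    if root is None:
        return Decision(False, f"{path} is outside the declared {mode} paths")
    if mode == "w" and mime is not None and mime not in m.mime_types:
        return Decision(True, f"{mime} not registered at install: use OS save dialogue", prompt_user=True)
    return _with_staleness(m, f"file:{mode}:{root}", now)


def check_connect(m: Manifest, addr: str, now: datetime | None = None) -> Decision:
    ip = ipaddress.ip_address(addr)
    if m.intranet_only and not any(ip in net for net in RFC1918):
        return Decision(False, f"{addr} is not RFC 1918 and this profile is intranet-only")
    return _with_staleness(m, "net:" + ("intranet" if m.intranet_only else "any"), now)


def demo() -> dict[str, bool]:
    """Constructed manifests for a browser and its intranet profile; returns named outcomes."""
    browser = Manifest("browser", read_paths=["/usr/lib/browser", "/etc/browser"],
                       write_paths=["/home/u/.cache/browser", "/home/u/Downloads"],
                       mime_types={"text/html"})
    intranet = Manifest("browser-intranet", read_paths=["/usr/lib/browser"],
                        write_paths=["/home/u/Downloads"], mime_types={"text/html"}, intranet_only=True)
    t0 = datetime(2017, 3, 1)
    first = check_connect(browser, "8.8.8.8", now=t0)                      # first use: silent
    stale = check_connect(browser, "8.8.8.8", now=t0 + timedelta(days=200))  # 200 days later: prompt
    return {
        "lib_read": check_file(browser, "/usr/lib/browser/libx.so", "r").allow,
        "lib_write": check_file(browser, "/usr/lib/browser/libx.so", "w").allow,
        "ssh_read": check_file(browser, "/home/u/.ssh/id_rsa", "r").allow,
        "traversal": check_file(browser, "/home/u/Downloads/../.ssh/id_rsa", "r").allow,
        "pdf_prompt": check_file(browser, "/home/u/Downloads/x.pdf", "w", mime="application/pdf").prompt_user,
        "intranet_ok": check_connect(intranet, "10.1.2.3").allow,
        "intranet_blocked": check_connect(intranet, "8.8.8.8").allow,
        "first_use_prompt": first.prompt_user,
        "stale_use_prompt": stale.allow and stale.prompt_user,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The containment check is deliberately lexical: it refuses `..` rather than resolving it, because a policy that resolves symlinks at check time is racy and a manifest should be judged on the path the application named. Staleness is tracked per individual right, so a browser that downloads daily but has not touched `/etc/browser` in seven months would be prompted only for the latter.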
Sure - you can have a secure system. It's the one that's never turned on, is encased in lead & concrete and sits at the bottom of the Marianas Trench.
Any system that accepts outside input is potentially compromisable. Obviously, such things can be minimised, but it's never going to go away.
Sure. But you can have systems where bugs' effects are much more contained, and can't be used to mount attacks.
Take for example ROP. AFAIK, since the 80286, x86 chips could design segments as executable only (you can't even read their content from code, only the CPU can still load and execute it). Other segments could be readable/writeable, but not executable.
IMHO it would be very difficult to use ROP against a system which would use that 1984 technology. Combined with address space layout randomization, even reading the executable file won't tell you where it will be loaded in memory, and you would have no way to read it once in memory from user space (you'd need kernel code to create a readable segment for the same memory space).
Data code won't be executable, so even if you find the right byte sequences, they would be useless.
But no OS I know uses these features. They set single huge overlapping segments, and the NX bit at the page level is a stopgap that still can't block ROP.
Moreover the four-ring model of the 80286 was clearly better than the two levels used by most other processors. It wasn't used because it was not compatible with cross-platform code, and because every time code needed to "cross" a segment boundary, the access control checks (aka security checks) made it slower.
Back then performance was far more important than security - and we got here...
Now it's time to redesign CPUs, operating system and application so they work in an environment designed from the ground up to hinder many attack techniques ("immunity"), instead of trying to spot them and react.
Maybe bringing back some of those thirty-year-old designs, instead of removing them fully (hint: never let AMD design a chip - it too understands performance only, never security).
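The post above contrasts execute-only segments with the page-level NX bit, and a practitioner's first question is "what do the mappings of a real process actually look like?" The following is an added example, not code from the thread or from any OS vendor: it parses text in the Linux `/proc/<pid>/maps` format and reports mappings that are writable and executable at the same time (the W^X violation that NX is meant to prevent), mappings that are readable as well as executable (what x86 paging normally gives you, and what makes code bytes readable from user space), and execute-only mappings. The sample map is constructed; `parse_maps`, `audit` and `Mapping` are hypothetical names.

```python
"""Audit a /proc/<pid>/maps listing for W^X and readable-executable mappings (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import Path

# address range, perms (rwxp/s), offset, device, inode, optional pathname
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxps-]{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    path: str

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_maps(text: str) -> list[Mapping]:
    """Parse maps-format lines; lines that do not match the format are skipped."""
    out = []
    for line in text.splitlines():
        m = MAPS_RE.match(line.strip())
        if m:
            out.append(Mapping(int(m.group(1), 16), int(m.group(2), 16), m.group(3), m.group(4)))
    return out


def audit(mappings: list[Mapping]) -> dict[str, list[Mapping]]:
    """Classify mappings by the properties the post above cares about."""
    return {
        # writable and executable at once: NX/W^X is not being enforced here
        "wx": [m for m in mappings if "w" in m.perms and "x" in m.perms],
        # readable and executable: code bytes can be read back from user space
        "rx": [m for m in mappings if "r" in m.perms and "x" in m.perms],
        # executable but not readable: the 80286-style execute-only case
        "xonly": [m for m in mappings if "x" in m.perms and "r" not in m.perms],
    }


def audit_self() -> dict[str, list[Mapping]] | None:
    """Run the audit on the current process if /proc is available (Linux only)."""
    maps = Path("/proc/self/maps")
    if not maps.exists():
        return None
    return audit(parse_maps(maps.read_text()))


# Constructed sample: a binary with separate ro/rx/rw segments, a JIT heap mapped rwx,
# a stack, and the x86-64 vsyscall page, which recent kernels expose as execute-only.
SAMPLE = """\
55d2c0400000-55d2c0401000 r--p 00000000 08:01 131073 /usr/bin/demo
55d2c0401000-55d2c0402000 r-xp 00001000 08:01 131073 /usr/bin/demo
55d2c0402000-55d2c0403000 rw-p 00002000 08:01 131073 /usr/bin/demo
7f3a1c000000-7f3a1c021000 rwxp 00000000 00:00 0 [jit-heap]
7ffd6b5e2000-7ffd6b603000 rw-p 00000000 00:00 0 [stack]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0 [vsyscall]
"""


if __name__ == "__main__":
    for kind, found in audit(parse_maps(SAMPLE)).items():
        print(kind, [f"{m.path or '<anon>'} ({m.size:#x} bytes, {m.perms})" for m in found])
    live = audit_self()
    if live is not None:
        print("live process W+X mappings:", len(live["wx"]))
```

Running `audit_self()` on an ordinary process shows the point of the post in numbers: the `wx` list should be empty on a system enforcing W^X, but essentially every code mapping lands in `rx`, because page tables on x86 cannot express "execute but not read" the way 286 segments could.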
Yeah but OS/2 is dead in the water these days ;)
I wish someone would do a real-world modern update on OS/2. I really used to like it.
And sell it for a reasonable amount of money. Not like the people who bought most of the OS/2 source code from IBM and currently flog a minimally-updated version.
Yes, that'd be a conclusion one would draw from a limited exposure to macOS.
I used Macs almost exclusively for about two decades*, including OSX from its beginning, and there's been more than a few times I've discovered something that had me shaking my head and saying "isn't it just as well nobody bothers with Mac malware..."
MacOS is not "safer"; it's just that its vulnerabilities haven't been discovered and exploited as ruthlessly as those of Windows.
(* ... Which means I can remember back to the times when Macs did get viruses. Luckily back in the 90s, viruses didn't do much more than print a stupid message and hang your system, but they certainly did exist on Macs)
If, because there are fewer hackers on MacOS it has less malware, rootkits and other exploits then it's by definition safer. If you put a Windows PC onto the Internet naked then it'll get owned almost straight away, whereas if you're using MacOS, Linux or any other unix-like OS then you're almost certainly going to be fine as long as you keep it all patched and don't do anything obviously daft.
But to argue that it might be like a sieve we just don't know and there isn't anyone to prove it then by the same argument it might be the most secure operating system ever devised. I think the anti-virus people are just annoyed they can't get any money out of Mac users and want to scare them into buying their software subscriptions.
"So what's the solution? A complete redesign of all of our systems, starting from scratch by building on top of secure platforms and software. He dreams of systems that are no longer "secure" but "immune.""
OS X (macOS) is an operating system started from scratch by building on top of a secure platform and software. It was built on top of BSD UNIX, which remains the single most secure (by testing and reputation) operating system available. OS X is certified BSD UNIX.
So Mr. Kaspersky, maybe Aricept can help. Either that or do your research before you blether.
An "immune" OS is something else entirely. We have no such thing at this time apart from running a standalone computer with no input and no output, no EM radiation or sound emanations, etc.
Hint To Kaspersky:
One reason your anti-malware isn't a hit on OS X (macOS) is that, thanks to the work of many, both volunteer and paid, malware is discovered, described and tested with the results passed along to Apple. On a good day, Apple then responds by providing automatic OS subsystem updates blocking that malware within their XProtect anti-malware system. (Yes, Apple has plenty of bad days when they don't keep up, such as their current forgetfulness about blocking out-of-date versions of Adobe's supremely dangerous Flash Player Internet plug-in).
As a result, there's very little point in bothering to write malware for OS X seeing as it will typically be squashed by Apple within a brief period of time, thanks again to the work of many of us OUTSIDE of Apple.
Mr. Kaspersky, realism is always welcome. Pulling bonehead Symantec quality FUD manoeuvres is NEVER welcome. Make your choice.
In any case, thank you Kaspersky for your many contributions to the computer security community. Apologies that they don't result in profits from your Mac software.
OS X is built on NeXTSTEP, not BSD. Apple basically bought NeXT to get it (and got Steve Jobs back as a bonus). Its lineage goes back to Mach, not BSD.
Architecture-wise, the kernel isn't more similar to BSD than the Windows (NT) kernel is. In fact, if anything it's more similar to NT in the sense that both have some microkernel heritage.
No idea where this misconception comes from. Certainly not from reading the source code of the kernels in question, at least... Hell, there's even a lot of C++ in the OS X kernel - when was the last time you saw that in BSD?
There is actually _some_ BSD stuff in OS X but it's mostly userland.
As for blacklisting, guess what, Windows has this too (MSE/MSRT/Windows Defender). Since it's, you know, blacklisting, it doesn't do wonders for either platform.
I know this is anecdotal at best, but in 30 years of working with just about every type of Mac in every possible context I'm still one number short of bingo - I have come upon exactly 4 pieces of malware. This stuff is so rare people collect it for curiosity value.
The obscurity argument only goes so far. If any reasonably motivated 13 year old can cobble together a piece of malware to run on MS-based systems, where are the much more motivated professional crooks going after our Macs, and our precious details such as our credit cards - when we can obviously afford to buy such an overpriced useless joke of a computer with all the disposable income we are left with from being paid more - just for having the shinier laptop? By this logic, if anything, our collective lack of intelligence and surplus of funds should make us a desirable target. Apparently not?
AC because you can't write Mac without ending in AC...
30 years brings you well into MacOS Classic territory, which means you were very lucky for quite some time there. Just like similar OSes without any actual security (DOS/Win9x, AmigaOS, TOS, ...) there were lots of viruses going around. Though you basically had to copy software to get them, so that might explain it for you.
As to OS X malware, if we're talking targeted (nation-state/industrial espionage/whatever) malware, there's just as much "coverage", and your chances of succumbing to a targeted attack are the same (Close to 100% above a certain attacker investment).
Mass distributed stuff - well, not so much. The reason here is simple economics. The market share split for desktop systems is roughly 90/10 Win/OS X. A malware operation is much better off focusing on the 90% than the 10%. Spending what amounts to twice the work to target the extra 10% simply doesn't make sense for most operations.
You can't say a system is safe or not safe, it's a scale. MacOS is more secure than Windows and Linux - maybe much more secure - for architectural reasons.
Hackers are still going for low-hanging fruit it would seem. Yes, Apple takes security seriously. Security means certain things can't be done, or you must live within the restrictions. Seems reasonable - security has by far and away become the most serious issue in the world of computing and its interaction with the physical world.
I'd personally rank a customized sufficiently paranoid Linux setup as the most secure, followed by Windows on a shared spot with some standard Linux setups, followed by other standard Linux setups shared with OS X (though to be fair it has shaped up in the last couple of years... used to be literally 10 years behind the rest security/mitigation wise).
IMNSHO, people don't buy Macs to learn about how operating systems work and how to fix problems if they go wrong, they treat them like appliances. In fact, the relative robustness of OSX means people are less likely to learn much about operating systems if they use a Mac. And over time OSX is becoming more locked down like iOS, so tinkering is getting harder.
Therefore I'm not surprised that real OSX experts are rare.