Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

SANS Exposes 'Safe' Technologies

Apple's MacOS tops the SANS Institute's Top 20 Vulnerabilities, demonstrating that no platform is inherently safe

Wipe that smug look off your face, Mac user. Your system's in danger, too.

For the first time, Mac OS/X vulnerabilities ranked number one in the SANS Institute's quarterly Top 20 Internet Security Vulnerabilities report, which was published earlier today. The recent discovery of critical flaws, as well as a zero-day exploit, skyrocketed the Apple environment to the top of the list.

"OS/X still remains safer than [Microsoft] Windows, but its reputation for offering a bulletproof alternative to Windows is in tatters," said the security research and training organization in its report.

Security researcher Tom Ferris last month issued a report in which he identified six unpatched vulnerabilities in the Mac OS/X environment. Apple said it will patch the flaws in its next security release.

Experts at the SANS Institute said the vulnerabilities clarify an important point about non-Windows systems. "There's a difference between 'safer' and 'more secure,'" says Ed Skoudis, director of the SANS "Hacking Exploits" course curriculum and a senior security analyst at Intelguardians. "There are fewer users on systems like the Mac or Mozilla, which makes them less of a target for attackers, and therefore safer. But there's nothing inherent in those systems that makes them more secure."

Vulnerabilities in Mozilla and Firefox, which were discovered last month and patched last week, ranked number four on the SANS Institute's Top 20 list. (See Security Bugs Undercut Mozilla.)

Recent enhancements to the Macintosh and Mac OS/X have increased the platform's vulnerability, SANS experts observe. For example, Apple's decision to run the Macintosh on an Intel microprocessor makes it easier for attackers to exploit the Mac, because they already know the assembly language used on Intel.

Still, the Mac does offer some security advantages over Windows, whose vulnerabilities occupied several of the other Top 20 positions, including number two (continued problems with Internet Explorer). For example, SANS Institute experts said they have yet to encounter any instances of spyware on the Mac.

"In addition, it's still harder for an attacker to gain administrative permissions on the Mac than it is on Windows," says Johannes Ullrich, CTO of the SANS Internet Storm Center, which tracks newly-discovered vulnerabilities.

Aside from IE exploits, Windows attacks in the form of Windows Metafile Format (WMF) documents, Excel files, and SQL injection are on the upswing, the SANS Institute said. Vulnerabilities in Windows Services have dropped over the past quarter.

SANS researchers also expressed concern over the increase in frequency of zero-day attacks that are used to infiltrate systems for profit. "The attacks are becoming more targeted, which means they hit fewer users but they hurt more when they land," Skoudis says.

— Tim Wilson, Site Editor, Dark Reading

Organizations mentioned in this article:

  • Apple Inc. (Nasdaq: AAPL)
  • Intelguardians LLC
  • Microsoft Corp. (Nasdaq: MSFT)
  • Mozilla
  • The SANS Institute

    Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
    Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
    Deliver a Deadly Counterpunch to Ransomware Attacks: 4 Steps
    Mathew Newfield, Chief Information Security Officer at Unisys,  12/10/2019
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Write a Caption, Win a Starbucks Card! Click Here
    Latest Comment: Our Endpoint Protection system is a little outdated... 
    Current Issue
    Navigating the Deluge of Security Data
    In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
    Flash Poll
    Rethinking Enterprise Data Defense
    Rethinking Enterprise Data Defense
    Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2019-19604
    PUBLISHED: 2019-12-11
    Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository.
    CVE-2019-14861
    PUBLISHED: 2019-12-10
    All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the (poorly named) dnsserver RPC pipe provides administrative facilities to modify DNS records and zones. Samba, when acting as an AD DC, stores DNS records in LDAP. In AD, the default permiss...
    CVE-2019-14870
    PUBLISHED: 2019-12-10
    All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the S4U (MS-SFU) Kerberos delegation model includes a feature allowing for a subset of clients to be opted out of constrained delegation in any way, either S4U2Self or regular Kerberos authent...
    CVE-2019-14889
    PUBLISHED: 2019-12-10
    A flaw was found with the libssh API function ssh_scp_new() in versions before 0.9.3 and before 0.8.8. When the libssh SCP client connects to a server, the scp command, which includes a user-provided path, is executed on the server-side. In case the library is used in a way where users can influence...
    CVE-2019-1484
    PUBLISHED: 2019-12-10
    A remote code execution vulnerability exists when Microsoft Windows OLE fails to properly validate user input, aka 'Windows OLE Remote Code Execution Vulnerability'.