Some Mac fans believe that OS X holds the security advantage due to its strong UNIX foundation. Windows fans, on the other hand, often state that the Mac’s superiority in the realm of security is just an illusion, as the platform’s market share is so small that it’s not an attractive target to hackers.
Although Mac OS X may be the debate’s winner in terms of general public perception, one security expert believes that the opposite is true. During the recent Black Hat Technical Security Conference, Alex Stamos of iSec Partners stated that Mac OS X is actually much more vulnerable to network-based attacks than Windows 7.
From a pure numbers standpoint, Mac OS X did hold an advantage over Windows in the past. Over the past three years, 1,151 major vulnerabilities were found in Mac OS X, while 1,325 affected Windows. Even with those statistics in hand, the talk of Mac OS X dominating Windows in the security arena should stop: the numbers are much closer than many would anticipate. They also undercut the notion that attackers don't bother with Mac OS X because of its small market share. If it were such an unattractive target, why would the vulnerability counts be so close? (A count of disclosed vulnerabilities measures how hard researchers are looking at a platform rather than how often it is attacked in the wild, but it fits the "nobody bothers with the Mac" story poorly either way.)
So, even if Mac OS X held a slight edge over past versions of Windows, what about now? Comparing recent releases of Mac OS X with recent releases of Windows, Stamos concluded that Microsoft's platforms offer more overall security. If you look at network-based attacks, Windows fares even better. Stamos noted: "OS X networks are significantly more vulnerable to network privilege escalation. Almost every OS X server service offers weak or broken authentication mechanisms." In practice that means an attacker who has already compromised one machine on a network of Macs can abuse those services to reach other machines and servers without needing a fresh exploit. Apple has recently released OS X Lion, which should improve matters, but Windows still remains strong in this realm.
Stamos also pointed to another area where Microsoft holds the edge in the Mac/Windows debate: what he called its security religion. Microsoft has shown a sustained commitment to improving security, with its Trustworthy Computing initiative and Security Development Lifecycle (SDL) process being prime examples. Both were launched in response to a run of widely exploited Windows vulnerabilities in the early 2000s and have helped Microsoft gain a solid edge over its competitors. Lastly, Stamos pointed out a false sense of security among many Mac users that leaves them open to social-engineering attacks. He said Apple's deceptive advertising can make Mac users feel completely shielded from attacks, when that is not the case.
For more on this topic, visit http://www.windowsitpro.com/article/paul-thurrotts-wininfo/security-expert-windows-7-secure-mac-os-140118
Microsoft Launches BlueHat Prize Contest to Counter Memory Safety Exploits
In an effort to defend against memory safety exploits, Microsoft recently launched its BlueHat Prize contest, which offers over $250,000 in cumulative prizes. The contest asks participants to get creative not about exploiting memory safety holes but about stopping the techniques used to exploit them: entries are defensive mitigations, not vulnerability reports. The move is still a break with tradition, as Microsoft has not been in the habit of paying security researchers cash rewards at all.
Katie Moussouris, senior security strategist lead at the Microsoft Security Response Center, commented on the contest in a Twitter interview. She said: "Microsoft wants to defend against entire classes of attack with the innovation that comes via the BlueHat Prize. The BlueHat Prize is looking for mitigations to block memory safety exploitation techniques such as ROP or JITSpray." Both are ways around the two mitigations Windows already ships. Return-oriented programming (ROP) chains together fragments of code that is already loaded and executable, so data execution prevention (DEP) never sees a non-executable page being run. JIT spraying coaxes a just-in-time compiler (in a browser plug-in or script engine) into filling memory with attacker-chosen instruction bytes at predictable addresses, sidestepping both DEP and address space layout randomization (ASLR).
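Added here as an illustration, not code from the article or from Microsoft: the instruction-alignment trick that makes JIT spraying work. A script engine's JIT turns a long chain of XORs with an attacker-chosen constant into native code; entered where the compiler intended, that code is harmless, but entered one byte later the constant's own bytes decode as a sled of NOPs and CMPs that runs to the end of the sprayed region. The constant 0x3C909090 and the "xor eax, imm32" encoding follow the published technique; the byte stream is constructed, the decoder is deliberately limited to the four opcodes the demo produces, and the function names and buffer sizes are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum kind { K_XOR_EAX_IMM32, K_NOP, K_CMP_AL_IMM8, K_RET, K_UNKNOWN };

struct insn { enum kind kind; uint32_t imm; size_t len; };

/* Minimal x86-32 decoder for just the opcodes this demo produces.
 * Returns the instruction length, or 0 if the bytes are truncated. */
static size_t decode_one(const uint8_t *buf, size_t len, size_t pos, struct insn *out)
{
    out->imm = 0; out->len = 0;
    if (pos >= len) return 0;
    switch (buf[pos]) {
    case 0x90: out->kind = K_NOP; out->len = 1; break;
    case 0xC3: out->kind = K_RET; out->len = 1; break;
    case 0x3C:                                    /* cmp al, imm8 */
        if (pos + 2 > len) return 0;
        out->kind = K_CMP_AL_IMM8; out->imm = buf[pos + 1]; out->len = 2; break;
    case 0x35:                                    /* xor eax, imm32 */
        if (pos + 5 > len) return 0;
        out->kind = K_XOR_EAX_IMM32;
        out->imm = (uint32_t)buf[pos + 1] | (uint32_t)buf[pos + 2] << 8 |
                   (uint32_t)buf[pos + 3] << 16 | (uint32_t)buf[pos + 4] << 24;
        out->len = 5; break;
    default: out->kind = K_UNKNOWN; out->len = 1; break;
    }
    return out->len;
}

/* Spray constant: little-endian bytes 90 90 90 3C, i.e. three NOPs followed by the
 * opcode of "cmp al, imm8", which swallows the next XOR opcode (0x35) as its immediate. */
#define SPRAY_IMM 0x3C909090u

/* Emit what a JIT would for "x ^ C ^ C ^ ... ^ C; return": n copies of
 * "xor eax, C" (35 imm32) followed by ret (C3). Returns bytes written, 0 if cap is too small. */
size_t build_spray(uint8_t *buf, size_t cap, unsigned n)
{
    size_t need = 5u * n + 1;
    if (cap < need) return 0;
    for (unsigned i = 0; i < n; i++) {
        buf[5 * i]     = 0x35;
        buf[5 * i + 1] = (uint8_t)(SPRAY_IMM);
        buf[5 * i + 2] = (uint8_t)(SPRAY_IMM >> 8);
        buf[5 * i + 3] = (uint8_t)(SPRAY_IMM >> 16);
        buf[5 * i + 4] = (uint8_t)(SPRAY_IMM >> 24);
    }
    buf[5 * n] = 0xC3;
    return need;
}

/* Walk the code from `entry`. Returns the number of consecutive NOP/CMP instructions
 * (the sled) before anything else is hit; *reached_end is set when the sled ran
 * cleanly to the end of the buffer. */
size_t sled_length(const uint8_t *buf, size_t len, size_t entry, int *reached_end)
{
    struct insn in;
    size_t pos = entry, count = 0;
    *reached_end = 0;
    while (decode_one(buf, len, pos, &in)) {
        if (in.kind != K_NOP && in.kind != K_CMP_AL_IMM8) return count;
        count++;
        pos += in.len;
    }
    *reached_end = (pos == len);
    return count;
}

/* Build an n-copy spray and report whether entering at `entry` slides to the end
 * (1), stops on a real instruction (0), or could not be built (-1). */
int entry_slides_to_end(unsigned n, size_t entry)
{
    uint8_t buf[256];
    int end;
    size_t len = build_spray(buf, sizeof buf, n);
    if (!len) return -1;
    sled_length(buf, len, entry, &end);
    return end;
}

static const char *name(enum kind k)
{
    static const char *names[] = { "xor eax, imm32", "nop", "cmp al, imm8", "ret", "??" };
    return names[k];
}

int main(void)
{
    uint8_t buf[64];
    size_t len = build_spray(buf, sizeof buf, 4);
    for (size_t entry = 0; entry < 2; entry++) {
        struct insn in;
        int end;
        printf("entry at +%zu:\n", entry);
        for (size_t pos = entry; decode_one(buf, len, pos, &in); pos += in.len)
            printf("  %02zx: %-15s imm=%#x\n", pos, name(in.kind), in.imm);
        printf("  sled of %zu instructions, reached end: %d\n",
               sled_length(buf, len, entry, &end), end);
    }
    return 0;
}
```

Build with `cc -std=c99 -Wall jitspray.c -o jitspray`. Entering at offset 0 decodes the intended XOR chain and a `ret`; entering at any offset that is not a multiple of 5 decodes nothing but `nop` and `cmp al, ...` all the way to the end. That is why the technique defeats both mitigations named above: the JIT's output pages have to be executable, so DEP does not apply, and with thousands of copies sprayed across the heap an attacker's guessed address almost always lands inside a sled, so ASLR's randomization buys little. A mitigation of the kind the contest solicits would attack exactly this property; constant blinding (XORing each emitted immediate with a random cookie and undoing it in generated code) is one known countermeasure, since the attacker then no longer controls the bytes that land in executable memory.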
The contestant whose entry is judged the most innovative will receive the first place prize of $200,000. The second place contestant will receive $50,000, while third place earns an MSDN Universal subscription valued at $10,000. Winners keep ownership of their intellectual property but must grant Microsoft a license to use the technology. Participants whose technology is not selected also retain their intellectual property.
The BlueHat Prize contest is now open for submissions and will conclude on April 1, 2012. Entrants must be at least 14 years old. Winners will be announced during the Black Hat USA 2012 conference, scheduled for next summer. Submissions will be judged by a panel of Microsoft engineers on impact (40 percent), practicality and functionality (30 percent), and robustness (30 percent).
As for any future editions of the BlueHat Prize contest, consider this year’s version a test run. Moussouris said, “We’ll evaluate the BlueHat Prize this year and see if we end up making changes to the contest after we’ve run it once.” She added, “We hope that we see not only new platform defense innovation through BlueHat Prize, but also ID new security researcher rock stars.”
For more on this topic, visit http://www.darkreading.com/advanced-threats/167901091/security/application-security/231300174/microsoft-offers-prize-money-for-enhancing-windows-security.html?itc=edit_stub