What Windows' defenders should know about Mac OS X Tiger

I often hear folks beat up Microsoft Windows for being a breeding ground for viruses, spyware, and all sorts of malware. Bad Microsoft for being so sloppy!

There was a recent exchange between Scoble and Dan Gillmor, where Scoble defends Microsoft against what he feels is an unfair attack:

"But, today, he took a shot at Microsoft that I thought was unfair. Here, I'll wait while you go and check out his post.

"I would have written a different beginning to this story, roughly as follows: In winning and sustaining its monopoly in the operating system and browser markets, Microsoft has exposed countless millions of people to woes from security holes that have become conduits for viruses, worms and spyware. Now the software giant is planning to charge its captive customers to clean up the mess it created."

Dan, we've done a TON of security work and distributed that to our customers for free (one of the largest operating system updates in our history, Windows XP Service Pack 2, was given away free). We've given away a beta of our AntiSpyware program for months now (after spending lots of money to buy the company that made it). (From Scoblizer)"

People living in the world of Windows may not know that in the most recent release of the Mac OS, "Tiger" there's a security hole so big you can drive a truck through it, that if it had been in Windows, there would have been hell to pay.

So being that I live with a foot in each world, and being a fan of irony, I can't help but point it out :-)

One of the fairly neat features of Tiger is the so-called "Dashboard" - an environment to launch little handy applets (we used to call them Desk Accessories in the old days, remember? Dashboard calls them "widgets")

I say fairly neat, because while they look very pretty, in practice they aren't that useful. They are practically a direct knockoff of a product called Konfabulator, which is available for Mac and Windows. But that's not the problem...

[Update: the following paragraph has been clarified based on the comment below]

The problem is that in the default settings of Tiger, Widgets are automatically downloaded and opened without any warning. Exactly how much of the widget code gets run simply by opening it is not totally clear, but feels quite dangerous, because widgets can contain arbitrary code, with full access to the underlying system. They can even run unix shell scripts!

Now there's a simple setting ('Open "safe" files after downloading') which you can turn off to disable this risky behavior. But of course most users will never discover this setting or be aware of the risk.

There has been quite a bit of handwringing about this in the Mac community, and speculation that Apple will fix this bug in the first rev of OS X Tiger. But in the meanwhile, let's see if any malware strikes.

Certainly if the shoe had been on the other foot (or the shade on the other Windows) there would have been hell to pay for Microsoft!

Technorati Tags: , , ,

Posted on May 16, 2005 and filed under Technology.