Symantec: Mac OS X Becoming a Malware Target

tb3 writes "According to ZDNet 'Security vendor Symantec is warning that Apple's OS X operating system is increasingly becoming a target for hackers and malware authors.' They go on to warn that the only thing that's protected Apple users from exploits so far has been the small number of Macs on the net. Now that people are buying Apple products for 'style over function,' according to one analyst, Apple computer has become a target for new attacks. More coverage on Australian IT and Silicon.com. I guess sales of Norton Anti-Virus for Mac needed a boost." Symantec may well be right about this, but note that they also have the world's biggest vested interest in making Mac owners nervous enough to buy their anti-virus products.

Style over function?

[sgant]

Why does it have to be one or the other? From what I've found in OSX is that it can have style AND function.

Is that so wrong?

Re:Style over function?

[gitana]

Of course not.

The OS X platform is built on solid unix programing. The eye candy is just the sparkly coating. Properly implemented OS X can be quite secure. Although, you might be able to say the same thing about any modern os(yes even windows.)

Re:Style over function?

[Too+Much+Noise]

Why does it have to be one or the other?

It does not have to, but inevitably it will for some people.

The by-product is that people are buying these products for form over function. They say it looks pretty and then buy it but don't secure it.

Familiar, eh? it's the typical user buying a machine from Fry's, CompUSA and, now, Apple stores. Meaning Apple is also netting clueless users with its 'switch' campaign. Simply because they were largely confined to Windows so far won't magically change their ways as they move to Macs.

Next, more of this type of users can mean more unsecured machines, hence a more attractive target for hackers. Once hackers move in (and they will, what with macs becoming cheaper and all) security of OSX will really begin to get tested.

Re:Style over function?

Reading all the comments below, this story is getting flooded with fanboys trying to dismiss an article which has a genuine point, by using any dirty means necessary - kind of like what happened here.

Sorry kids, but don't you think that there's a possibility that an OS which is designed to be easy to use (ie for the computer illiterate) AND is growing in popularity is going to be a target for malware/viruses?

Jesus Fucking Christ.

Re:Style over function?

[prockcore]

There are no Microsoft-like ActiveX analogous components that allow viruses to replicate if you do something innocuous-sounding like read email or run a word-processor.

You mean *besides* the buffer overflows found in quicktime?

Re:Style over function?

[GFLPraxis]

You know what I find amusing? "Mac OS X is becoming a malware target! There are no viruses yet, but there will be some!"

Re:Style over function?

[maxspivak]

There are at least two ways of getting a system infected: automatically and with user intervention.

A system may become infected 'automatically' when an external attack exploits a hole in the box's current configuration.

I got hit with a script-kiddy's sendmail exploit in an underpatched Linux box back in '97. Yes, it was my fault for not patching the system correctly. However, a properly locked down system, one with all necessary patches installed, is going to be *fairly* impervious to this type of attack.

Mac OS X gets kudos for being secure out of the box (though Apple should enable firewall by default). Linux has generally been there for a while now. Windows is slowly getting there.

Part 2 of avoiding 'automatic' exploits is being able to keep a system up to date. This is important and requires some user intervention on *all* OS's. The user *must* allow the OS to keep itself up to date. If not, newly-found holes will be left unplugged and potentially exploited in the future.

<aside> How many of these holes will be found depends on the underlying design of the OS. The worse its initial design with respect to security the more holes will be found. In its current state, Linux and OS X are more *inherently* secure than Windows. This is akin to Java being more secure than Active X -- Java was designed with security in mind, and very few security vulnerabilities were ever found. Active X has a security model of a sieve, and its terrible security history speaks for itself. </aside>

The second way a system can become infected is via user intervention. This is commonly called 'Social Engineering' and goes something like this: "Hey user, install this cool piece of software for neat feature X, Y, Z". So user installs the package, which includes malware, adware, opens a port from inside the system and communicates with it's mothership, etc. I don't see whey the Mac is inherently more secure to this type of an attack. In my one week's using a new Mini, I think this kind of an attack can succeed -- the user would even type the admin password to install the bad piece of software. Now, the malware on OS X & Linux wouldn't be able to overwrite critical system files (wouldn't have filesystem permissions) as it would on XP, but it could still cause enough havoc.

What worries me more is that Mac users, thinking that they're impervious to any attacks, wouldn't think twice about installing some random software on their invulnerable mac. They're not paranoid enough, and some paranoia is not a bad thing. :)

All in all, I welcome additional users into the Mac camp, even if it brings more risk with it.

Re:Style over function?

[TMacPhail]

My point is that Windows needs special steps to be _protected_;

Actually, in SP2 it doesn't.

I'd say installing SP2 is a special step on it's own.

Re:Style over function?

[Urgoll]

In summary, Microsoft provided the ability to make the system more secure using non-privileged accounts and groups like every other major OS, but application developers are not taking advantage of it

You do realize that Microsoft, if they were serious about security, could have fixed that with the release of Windows XP. For some reason, most application publishers want the 'designed for Windows XP' sticker, logo or whatever. To get this, they're supposed to follow the guidelines of the program setup by Microsoft. For some unknown reason, Microsoft has never asked that the programs be well-behaved in multi-user, non-administrator environment. So developpers don't care (path of least resistance).

In most cases, fixing the issues are simply to store preference files in the right place (user's directory, user's registry).

Re:Style over function?

[Moofie]

No, I DON'T think that its "stylishness" has anything whatsoever to do with its susceptibility to malware.

Once there are some actual exploits in the wild that we can examine and dissect, my conclusion will remain.

Oh, wait, what's this? There aren't any? Ah. OK then.

Re:Style over function?

[Darby]

Windows has been multi-user for years,

Well, they have advertized themselves as such for years.
Tell me this, though.
How do you build a windows service (that's a daemon for you unix folks but it needs to be specifically built and installed to work properly), have it run as an unprivileged user (i.e. *not* the system account) and have it start when the system boots *without* the user it is supposed to run as logging in at the console?

If it's possible, then it is *very* fucking new.

Re:Style over function?

[Sparks23]

In summary, Microsoft provided the ability to make the system more secure using non-privileged accounts and groups like every other major OS, but application developers are not taking advantage of it. I always run as a non-privileged user, and I am getting sick of applications that have no reason to need administrator privileges not running correctly.

Good assessment. I'd elaborate by adding that the /reason/ people don't program things to do non-administrator (or multi-user) stuff properly is because of legacy stuff, alas.

Let's say you're writing a program. You write it under Win95. Time goes on, Win98 comes out, then WinME, and finally XP. Now, with XP, you can do multi-user stuff... but by now you have a codebase you don't want to have to go back and rewrite all of. Or even with more recent programs, people complain that they want it to run on Win95, or 98, because they don't want to upgrade to XP.

It's really a pain to write something to do everything properly NT-ish/XP-ish multi-user /and/ run on single-user Win9x as well.

Whether or not Mac OS X is inherently 'better,' they picked up a bit of a benefit by the 'throw out the old system and start over with OS X' tactic. By basically creating an entirely different operating system, people really had to redesign their apps for it. Huge investment in time and energy... but as long as they're rewriting their apps anyway, they can rewrite them properly for a multi-user environment.

(Disclaimer: While I write Windows software for a living, Mac OS X software for a hobby, and use both, the Mac is my machine of choice for casual browsing and productivity.)

As an IT person who is deploying OS X

[snuf23]

Can someone out there tell me what the reality of the situation is? Do you really need anti-virus for OS X? In the research I've done I can't seem to find any references to real (as in active in the wild) OS X viruses.
We will be transitioning about 8 production Macs to OS X later this year, and I am wondering whether I need to concerned at this point. It doesn't seem like I do.
I also understand the possibility of exploits in some of the open source code used in OS X. I assume you deal with this the same as on any other OSes and patch it when the fix comes out.

Re:As an IT person who is deploying OS X

[mekkab]

You can "rootkit" BSD boxes. Though from here its a bit more than just BSD... sort of a mix.

Poorly administered servers can get trashed. If your root password is "r00t", it won't take long for someone to figure it out.

You need to be concerened only insofar as you need to have a network admin (or something to that affect). How do you know when your network is being attacked? How do you know what attacks are being tried? If you aren't analyzing your network thats the worst mistake anyone can make.

That being said, there is this virus, its called "rm -rf *", its really bad.

Re:As an IT person who is deploying OS X

It's limited to administrators. If you have administrator rights on OS X, you effectively have root anyway; it's just that it's shielded power: you need to take deliberate action to access it, rather than it being at your fingertips. Sort of the difference between an empty pistol with ammo in your pocket, and a loaded and cocked pistol.

Re:As an IT person who is deploying OS X

[Sycraft-fu]

At this point I'd say not to worry, there doesn't seem to be much in the way of viruses. The only real function would be to catch Windows viruses so you are an unwitting carrier, but then that can just be done on the Windows systems.

It sounds like spyware is the problem that is going to be the more immediate concern. Initally, there should be little enough of it that you can just shitlist it, but once the door is open I expect they'll be a flood of it since scammers just never seem to give up.

The real solution for that is just user education. Teach them not to install crap (I know, easier said than done). Make sure they don't think they are invincible just because they are now on a Mac. A distrubing trend I see with many Mac converts is they believe themselves to be invincible to malware/viruses/exploits/etc. Well that mindset will lead to crap getting on the systems when it comes out.

So while I'd keep an eye on the OS-X virus situation, I wouldn't worry about software at this point. Worry more about malware and teaching users to stay away from it.

Re:As an IT person who is deploying OS X

[NoodleSlayer]

Its possible to set up a root password using the NetInfo config utility, which unlocks 'su' on a OS X Client machine, OS X Server comes with 'su' unlocked by default. Log in as root from the log in screen is still disabled after unlocking 'su' though I believe.

As for sudo, its this simple, don't let people log in as admin if you're worried about security. If you are the type that knows how to use sudo, odds are you know enough to keep yourself from fubaring the system anyways, and even if you do, reinstall isn't that hard.

Besides, you're perfectly capable of doing most things you need to from a regular account. The point of admin level access isn't to make the machine 100% secure, its to have cursory security from the users to make sure that they can't easily delete their system folder, or anything of the sort.

Sounds to me like Symantec's trying to push their

Mac products out the door again. I guess with Apple projected to take 5% of the market share they decided maybe it would a good idea if they actually started pushing Mac products.

The only reason Windows is exploitable...

[hereschenes]

From the article:

"The only reason Windows has had mass exploits written for it is the sheer number of connected devices that are present on most networks."

It's a reason for sure, but the only reason? I think not!

Services are turned off by default...

[Philippe]

On MacOSX, most (all?) network services such as ftp, sshd, httpd... are turned off by default. And automatic software update (prompting the user) is on by default. That, coupled with a better security model from the ground up will ensure that the MacOS never becomes the trojan-infected mess that Windows has become.

Methinks that Symantec is propagating FUD to drum up sales...

let's see!!!

[netdur]

a small program that
1) fool web browser to download without user notice
2) chmod itself ---x--x--x
3) excute itself!!!

I don't think that is possible at *nix systems

Yes it is...

It will upset the frothing Linux zealots who keep insisting you cant have both - thats their excuse for liking a GUI (doesnt matter which - Gnome / KDE - take your pick) that is less intuitive to use than even Win95

Re:Yes it is...

[jessecurry]

I never said that the "i" didn't bother me either, but it's slightly less annoying(at least to me) because you get an idea of what the application does from its name.
Looking at names such as Krusader doesn't help me to know what the application does. The same goes for kdissert, kdar, Krita, Kate, KLibido, knoda, Konstruct, KlamAV, etc... basically what I'm getting at is that the prepended K seems to make developers try to come up with Kreative names for their applications rather than informative ones.
About the only applications that I am familiar with that have descriptive names are KMyFirewall and KText. I'm sure that there are plenty of others with descriptive names, but the vast majority of Kapplications seem to be named simply for the K.

Viruses and Word

[mr.dreadful]

The only real issue I have with OS X and viruses is with MCSFT Word macro viruses. Its worth having something that can sort those bad boys out because they can be spread to other users. I have one user who is constantly propagating macro-viruses, but I think I found the solution.

I'm moving him to Apple's Pages software.

Seems to handle doc files just fine, and no macro issues.

Re:Hypotheticals....Hypotheticals

[Knobby]

The WORST you could do is trash your user environment. NOT the OS.

Who cares about the OS? The OS can be reinstalled in about an hour. I have 40GB stored in my user environment. It gets backed up every day, but a virus, worm, or trojan that wiped out the user environment could cost me a days work without too much trouble. That's a much larger concern to me.

Re:Security through obscurity is not permanent.

[zulux]

It can safely be said that the amount of resources being expended to identify and cure OS X vulnerabilities is at least somewhat smaller than those used for Windows, in rough proportion to OS X's much smaller market share.

MORE effort is being spent to fix OS X than Windows - in proportion to market share.

OS X gets fixes from Apple.....

And FreeBSD.
And OpenSSH
And Samba
And Kerberos.
And Mach Developers.
And KHTML/KDE Developers.
And GCC Developers (stack protection,etc)

Plus a bunch more that I'm missing

Windows is unique

[Sloppy]

The only reason Windows has had mass exploits written for it is the sheer number of connected devices that are present on most networks.

I gotta call bullshit on that.

Quite simply, Microsoft's operating systems and applications are unique within the industry -- no, not just the industry, but almost unique in post-1989 history itself -- in the careless way they treat data as code. Nobody else would have deployed ActiveX, or deliberately made executing a mail attachment as easy as clicking on it.

I can believe MacOS (or any other platform) has its share of bugs that can be exploited, but you just can't find anything as dangerous-by-design as Windows. Windows will always (even as its marketshare fades) be a comparatively unsafe platform, relative to what is normal. It's not just about code quality, it's about amazingly dumb ideas, combined with business practices that resulted in a situation where users' happiness is not a significant market force.

And of course, there's the obvious counter-example: where are all the BIND and Apache worms? Talk about "sheer number of devices"!

In teh case of malware?

[Sycraft-fu]

Yes, obsucrity is absolutly he only reason it hasn't been targeted. Remember malware comes in the front door, not the back one. It either piggybacks on an app you want, or simply is an app you want. Well you can't secure against that, OSes don't know by magic which apps are good and which are bad. If you have permissions to install apps, you can install ones that fuck the system up.

That's different than exploits, which rely on finding bugs in code. If the code has less bugs and/or less services where one could try to find them, it is more secure.

However, there's basically nothing you can do about malware other than make scanners for it and try to educate users. Without some kind of trusted computing, signed application deal, there's no way you can make an OS that only allows users to install safe apps, since there's no way to know what is and isn't safe.

Hell some people don't even care about spyware, they want their dumb little free screensaver or whatever and don't care if it spys on them. You can tell them it's bad and they'll just ignore you.

Re:"But it's a Mac..."

[rokzy]

I don't get it? did anything bad happen to the Mac? what you're saying is that using non-Mac products can get you owned?

yes setting up a wireless network was maybe a bit stupid given such poor company security, but with that kind of bad IT administration something was bound to happen sooner or later.

also, look at how many Windows users don't think they need to understand security (the Windows box said is was more secure than ever!).

the moral here is that YOUR COMPANY SYSTEMS SHOULD BE DESIGNED TO BE SECURE in the first place so even the most retarded employee can't fuck everything up.

I hope you took the hint and moved everyone to Mac/linux. no? "fool me once, shame on you..."

This is still just FUD

[argent]

The only exploit they point to is a rootkit... which is something you install *after* you've exploited the box... there are no active threats that any antivirus software will work aaginst.

This is like their attempt to talk up a manually-installed program that deleted all your files on the Palm as an exploit, to push their useless PalmOS antivirus. And then their Pocket PC antivirus actually caused people data loss from false alarms.

Until there's an active threat in the wild, AND it's been analysed and an identifying signature discovered, antivirus software's only result is to make your computer less stable and less reliable because of its deep hooks in the OS.

This is not to say that the OS is magically perfectly secure, but anything any AV company tells you about ANY platform but Windows, at the moment, should be taken with a sackful of salt.

Re:"But it's a Mac..."

[multiplexo]

You still haven't said anything about the Mac though. The guy set up an unsecured AirPort base station, he's a fucking idiot, this is like plugging a 100 foot CAT 5 cable into an active network jack and then throwing the other end out the window onto a busy street. I've got some news for you sunshine, if he was a PC user and had purchased a Linksys or Netgear WAP you would have had exactly the same problem. Out of the box Linksys gear ships with SSID broadcast on, the admin password set to admin and the SSID name set to Linksys. From what I've heard Netgear isn't any better. This wasn't a Mac problem, it was a networking problem.

Malware Schmalware

[jimfrost]

This is kind of ridiculous. Oh, sure, malware on OS X is possible and perhaps even really growing in numbers. But the problem is not and cannot be anywhere near as severe as Windows because Apple, like all the other UNIX vendors, ships their systems in a (reasonably) secure state by default.

The malware problem on Windows is not primarily the result of the system's popularity, no matter how many times Microsoft claims that is so. Early attacks on the Internet did not target the most popular system; rather, the most attacks have always targetted the easiest systems to crack. That started out with SunOS and, by the mid-90s, was Linux. (If you think Windows has much better penetration that Linux today, just think how much more lopsided the numbers were in 1995-2000 when Linux was the most popular target.) These days Windows systems are easiest by far because at this point they are the only systems which ship without basic filesystem protections (now that it finally has a halfway decent firewall, a mere five years after everyone else).

If Windows had basic filesystem protection enabled by default on all critical filesystem areas, mandated nonprivileged user accounts, and an installer that required a password, suddenly Windows wouldn't get infected every time you sneezed in its general direction.

Maybe the future will prove me wrong but I will be very surprised to find OS X malware become a serious problem no matter how popular the OS gets. I don't suspect that its users are any smarter, but the barriers are a lot higher.

Re:What a crock of Shit!

[drinkypoo]

Anyone who has used any Symantec product for any length of time can testify to that, on ANY platform. Symantec antivirus is crap. I have a license for it and I actually switched to AVG free because it was less of a bitch. For one thing, the autoupdater actually works.

There's several reasons MacOS X is more secure

[jht]

Yes, a major reason it's safer is because OS X isn't targeted often due to the low market presence. But it's also a matter of effort versus payoff. By default, MacOS X has a much smaller attack surface than Windows, and even compared to most "stock" Linux distros. Virtually all server services are turned off by default on the Mac. Root is disabled. So to find a vulnerability and attack it takes a lot of effort, and then if you do so there are fewer Macs to take advantage of. So why not target Windows - it's easier!

I do know of people who've had their MacOS X systems compromised - but only among MacOS X Server users who've turned on services without knowing the implications, and then running them without the benefit of a firewall (because "everyone knows Macs are secure". Through bad setup and misconfiguration it's pretty easy to turn a server into "just another Unix box" that's just as vulnerable as any unpatched Linux server.

But that's not the default, and that's not how the client works. Hence at this time, Symantec is just blowing smoke and wondering why they don't sell any copies of NAV and Systemworks for Mac anymore.

Re:More scared people -- more sales

[Ibanez]

You're just joking right? I can't decide whether to respond, mod you down as a troll, or mod you up for being funny.

Seriously, you think the average Apple user is less savvy than a PC user? Most of the graphics artists I know are SIGNIFICANTLY more knowledgable than most PC users...

Blake

Re:More scared people -- more sales

[Bellyflop]

Sure, but most Apple users aren't graphic artists. Apple has home user market penetration too you know. Most mac users are probably people who bought their iMac because they liked how it came in different colors, like my friend. She's not an idiot, but she's definitely not a savvy computer user. She just likes how her Mac looks and doesn't do much but websurf and word process.

code and data

[jesterzog]

no, not just the industry, but almost unique in post-1989 history itself -- in the careless way they treat data as code.

I don't disagree with you in general, but could you please clarify what you mean about this more specifically? I realise that separating data and code is a big security thing, but I'm not particularly a security enthusiast beyond what I need to know.

As far as I'm aware, any system that supports scripting languages, Linux included (consider the number of scripts in your typical /usr/bin directory that'll be executed as root one day) is treating code as data and data as code. Things that are definitely executables can easily be kept protected in memory by an operating system, but not everything's obviously an executable.

Is the main difference here just that most scripting interpreters don't offer default access to volatile things like pointers, that might let a script get direct memory access?

Re:More scared people -- more sales

[Weirdsmobile]

Most mac users are probably people who bought their iMac because they liked how it came in different colors, like my friend. And most home PC users bought their computers because they liked the bargain basement prices. I don't know what kind of Windows platform utopia some of the posters in this thread are living in, but have you ever listened to some of the people buying PCs at CompUSA or Best Buy? I don't think fans of either platform can necessarily crow about the superior computer savvy of their users.