Symantec: Mac OS X Becoming a Malware Target

tb3 writes "According to ZDNet 'Security vendor Symantec is warning that Apple's OS X operating system is increasingly becoming a target for hackers and malware authors.' They go on to warn that the only thing that's protected Apple users from exploits so far has been the small number of Macs on the net. Now that people are buying Apple products for 'style over function,' according to one analyst, Apple computer has become a target for new attacks. More coverage on Australian IT and Silicon.com. I guess sales of Norton Anti-Virus for Mac needed a boost." Symantec may well be right about this, but note that they also have the world's biggest vested interest in making Mac owners nervous enough to buy their anti-virus products.

Security through obscurity?

[LukaFox]

Is it really true that the only thing protecting Macs thus far has been their smaller by comparison presence on the Internet? Is there nothing to be said for the inherent security or insecurity of a particular platform? This is the kind of argument that free operating systems get against their security all the time. It'll be interesting to see whether the Mac platform can stand up to increased attacks. If it does, this might help convince people that some platforms really are more secure than others.

Re:As an IT person who is deploying OS X

[CaymanIslandCarpedie]

As an IT person, you should already know the answer to this ;-)

Yes, Mac OSX has historically had very few problems with viruses or exploits. However it only takes one ;-) And in my experience when that one hits users/bosses aren't very understanding to "I didn't even realize there was anything to worry about." as an answer from IT about why they weren't protected. If there is a SUPER tight budget, yes you can probably get away without it, but I NEVER would. If for no other reason than to CYA. We only have a few OSX computers in the network, but they are all protected. The price of the Macs VS price of some basic anti-virus its really not much of an issue better to spend the extra few bucks than be sorry ;-)

Here is a decent summary of OSX historical vulnerabilities (there are still a couple unfixed ones out there).

http://secunia.com/product/96/

Mac Os9 has never once been exploited remotely !

Despite many high profile web sites and servers using OS9 for many years, not one database entry in the large BugTraq database documents a remote explloit for Mac OS in the history of the internet.

Even the US Army used macs exclusively (mostly MacOS 9 until recently) after being rooted rouitinely using unix and MS Windows NT. For many many years www.army.mil has been run on macintoshes exclusively.

The same is true of many colleges that were rooted and defaced too often on Linux. They installed WebStar and OS 9 and never had to worry again.

http://uptime.netcraft.com/up/graph/?host=www.ar my .mil

http://www.google.com/search?q=army+webstar+"os- 9"

Check it out yourself. This entire post is full of factual citations and 100% facts.

No mac in the history of the internet hosting a web server has ever been rooted or defaced remotely.

Why?

Because not one version of Mac OS has ever had a single exploitable hole ever discovered. (classic mac os now up to version 9.2.2 on currenlty sold g4 towers). OpenBSD has had no less than 5 holes (not one) in the default install in the last two years. Mac OS has had ZERO in over 8 years, even when paired up with its preferred web server app.

In fact in the entire SecurityFocus (BugTraq) database history there has never been a Mac exploited over the internet remotely. Scan it yourself.

That is why the US Army gave up on MS IIS and got a Mac for a web serve. Currently it is a honeypot for OSX testing, and US Army use regular Mac OS on other internal servers

This post is not talking about FreeBSD derived MacOS X (which already had a more than a 50 exploits and potential exploits in BugTraq database, and in the news yesterday with Symantec claiming in March 2005 of OSX having remote exploits) I am talking about current Mac OS 9.x and earlier which are highly sophisticated abstract-OS models.

Why is is hack proof? These reasons :

1> No command shell. No shell means no way to hook or intercept the flow of control with many various shell oriented tricks found in Unix or NT. Apple uses an object model for procces to process communication that is heavily typed and "pipe-less"

2> No Root user. All mac developers know their code is always running at root. Nothing is higher (except undocumented microkernel stufff where you pass Gary Davidian's birthday into certain registers and make a special call). By always being root there is no false sense of security, and programming is done carefully.

3> Pascal strings. ANSI C Strings are the number one way people exploit Linux and Wintel boxes. The mac avoids C strings historically in most of all of its OS. In fact even its roms originally used Pascal strings. As you know pascal strings are faster than C (because they have the length delimiter in the front and do not have to endlessly hunt for NULL), but the side effect is less buffer exploits. Individual 3rd party products may use C stings and bind to ANSI libraries, but many do not. In case you are not aware of what a "pascal string" is, it usually has no null byte terminator. Additionally certain types of compilers can check range on assignments to prevent out of bounds. Furthermore many good programmers ensure that the bounds are not overwritten.

4> Macs running Webstar have ability to only run CGI placed in correct directory location and correctly file "typed" (not mere file name extension). File types on Macs are not easily settable by users, expecially remotely. Apache as you know has had many problems in earlier years preventing wayward execution.

5> Macs never run code ever merely based on how a file is named. ".exe" suffixes mean nothing, nor are there lame single 'x' executable bits! For example the file type is 4 characters of user-invisible attributes, along with many other invisible attributes, but these 4 bytes cannot be set by most tool oriented utilities that work with dat

Re:Style over function?

[wealthychef]

I didn't say there were no _potential_ bugs or vulnerabilities in the system. I just think (and this is not a contradiction) that the system is very secure out of the box.

Try this experiment: install OS X and connect to the Internet. Leave it connected for a week. Now install Windows and connect to the Internet. Leave it connected for 30 minutes. Which one will be hacked? My point is that Windows needs special steps to be _protected_; Mac OS X requires special hacking and other circumstances to become _vulnerable_. The QuickTime ruse you refer to no doubt requires some social engineering to make work... that's just a guess on my part. Am I right?

Furthermore, the buffer overflows in quicktime do not afford an attacker root priviledges, do they? And when vulnerabilities are found, Apple, unlike Microsoft, so far anyway, has a great record of fixing them immediately. Apple has a great record on security in OS X. You are not going to see a flood of crippling, disabling OS X attacks like you see every couple of months with Windows viruses that take out our whole email system at work from time to time. Hacking an OS X box is HARD.

Re:Mac Os9 has never once been exploited remotely

[phillymjs]

Actually, there was an exploit, once.

It was some time ago, and I believe it was the result of a "hack the server, get a prize" type contest.

I'm too lazy to Google it right now but IIRC, the server that was hacked was running the classic Mac OS, WebSTAR, and Lasso, a tool that lets you webify FileMaker databases. There was a vulnerability in Lasso that was used to, per the contest rules, successfully alter the contents of a certain page on the WebSTAR-hosted site.

The prize was awarded, the vulnerability was quickly fixed, and that's the first, last and only time I have ever heard of any server on a classic Mac OS based machine getting hacked.

~Philly

Windows software dying art?

[laird]

I started a company a few months ago that's building consumer software that runs on MacOS X and Windows (and Linux, etc., eventually). Our strategy is to build the core in tight C code, and then build platform-specific applications in the appropriate language, so the result is a great ObjC Mac app, a great C++ Windows app, etc. While I like Java, Ruby, etc., our goal is to make the app small and efficient, so asking people to install 30 MB runtimes is out. Interestingly, it was easy to recruit first-class Mac and Java (server) developers, and nearly impossible to recruit a really great Windows developer. It turns out that the best CS students are _all_ working in modern cross-platform environments (e.g. Java, Python, Ruby), most use Mac's, almost none are using C++, and nobody even _considers_ writing Windows applications any more. While this is kinda neat in one respect, it's a bit surreal that the vast majority of great developers won't write software that runs natively for the platform on 95% of desktops. Weird.