Symantec: Mac OS X Becoming a Malware Target

tb3 writes "According to ZDNet 'Security vendor Symantec is warning that Apple's OS X operating system is increasingly becoming a target for hackers and malware authors.' They go on to warn that the only thing that's protected Apple users from exploits so far has been the small number of Macs on the net. Now that people are buying Apple products for 'style over function,' according to one analyst, Apple computer has become a target for new attacks. More coverage on Australian IT and Silicon.com. I guess sales of Norton Anti-Virus for Mac needed a boost." Symantec may well be right about this, but note that they also have the world's biggest vested interest in making Mac owners nervous enough to buy their anti-virus products.

Style over function?

[sgant]

Why does it have to be one or the other? From what I've found in OSX is that it can have style AND function.

Is that so wrong?

Re:Style over function?

[wealthychef]

I agree this will be a good test of the out-of-the-box security of Apple. Actually, I believe that out of the box, Apples are ironclad secure. They start with no services turned on by default. There are no Microsoft-like ActiveX analogous components that allow viruses to replicate if you do something innocuous-sounding like read email or run a word-processor. About the only service that is password-free is Software Update, but that is a client, not a server. If users turn on sshd and choose a poor password, they may well be attacked. This will probably rarely happen, since most people enabling ssh will be aware of the risks of poor passwords, and not really complain if attacked. I think this is just FUD for marketing.

Re:Style over function?

Nope, merely visiting a website with a malformed quicktime file will do it. At least with OS X and most modern Linux distributions you can connect a newly installed system the internet without a firewall and download patches. It used to be that in Windows 2000 you could set required services (servers) like DCOM and RPC to listen on localhost only but that feature was removed from XP so the only way to prevent DCOM or RPC from binding to interfaces connected to the internet is a software firewall. Completely disabling bind_interfaces_only functionality in XP was dumb even by Microsoft standards.

Re:Style over function?

[pyrrhonist]

Try this experiment: install OS X and connect to the Internet. Leave it connected for a week. Now install Windows and connect to the Internet. Leave it connected for 30 minutes. Which one will be hacked?

Neither (except if you're dumb enough to not have installed Windows XP SP2)

Windows XP SP1 with the for-free ZoneAlarm firewall, however, as well as Windows XP SP2, fared much better. Although both configurations were probed by attackers, neither was compromised during the two weeks.

My point is that Windows needs special steps to be _protected_;

Actually, in SP2 it doesn't. The XP firewall is turned on by default in XP2. In SP1, all you needed to do was turn on the firewall for a connection in the Network Connections control panel.

Now as far as local security goes, I agree with you; there are some nasty local security exploits. Microsoft is to blame for much of the security issues, but also a major part of the problem is third-party developers! It would help if application developers would realize that Windows is a multi-user system and actually follow Microsoft's reference guides for how to program in this environment instead of forcing the user to be an Administrator to actually use their program. Windows has been multi-user for years, and application developers still haven't caught up. Why do I have to be an Administrator to run a game? Bad programming, that's why! Not even Norton AV gets this right (scheduled scans do not run for non-administrators and a non-administrators are told that Live Update is off even if it is actually turned on). The only program that I've see actually try to do something about this is Nero, which has a program to set up a group to enable burning by non-administrator accounts, but even this is a special download that is not part of the regular install. This needs to change; developers need to start using the Windows multi-user environment correctly.

In summary, Microsoft provided the ability to make the system more secure using non-privileged accounts and groups like every other major OS, but application developers are not taking advantage of it. I always run as a non-privileged user, and I am getting sick of applications that have no reason to need administrator privileges not running correctly.

Re:Style over function?

[flyingsquid]

Yes, but OS X has the most stylish viruses and malware around!

Re:Style over function?

[TMacPhail]

My point is that Windows needs special steps to be _protected_;

Actually, in SP2 it doesn't.

I'd say installing SP2 is a special step on it's own.

Sounds to me like Symantec's trying to push their

Mac products out the door again. I guess with Apple projected to take 5% of the market share they decided maybe it would a good idea if they actually started pushing Mac products.

Portability

[khromatikos]

That's great!

Once they have it for OSX it must be fairly easy to port it to FreeBSD. I guess they might have to add a new category in the ports: /usr/ports/malware

The only reason Windows is exploitable...

[hereschenes]

From the article:

"The only reason Windows has had mass exploits written for it is the sheer number of connected devices that are present on most networks."

It's a reason for sure, but the only reason? I think not!

How useful

Symantec Anti-Virus OSX Version 1.0:

Please upgrade to signature file 032105.sgn, your current version only detects 3 viruses, however the new signature file finds and cleans 5 different viruses.

Services are turned off by default...

[Philippe]

On MacOSX, most (all?) network services such as ftp, sshd, httpd... are turned off by default. And automatic software update (prompting the user) is on by default. That, coupled with a better security model from the ground up will ensure that the MacOS never becomes the trojan-infected mess that Windows has become.

Methinks that Symantec is propagating FUD to drum up sales...

Re:As an IT person who is deploying OS X

[SmoothriderSean]

In my experience (as support staff for the Humanities Div of a university), far and away the most common virus issue with Macs is that they can be a carrier for Word macro viruses. Beyond that, you just have to keep an eye on users turning on services without knowing what they're doing (or using decent passwords). On the one hand, it's better to be safe than sorry, and just install an anti-virus package, but frankly, the need has been so slight that mac AV packages tend to be a mess.

Re:As an IT person who is deploying OS X

[littlerubberfeet]

I admin a sound studio with 10 macs and two windows machines. Nine run X.3 and one runs 9.2.2. The two windows machines run GigaStudio and are never, and will never be connected to the internet. I run antivirus software on the macs connected to the internet, and nothing has ever come up in a scan. Ever. I have run every single single version of X since 10.2.1 and they all stayed clean.

As for patching, I patch manually, because of quirks in all the audio software we run, but OS X will patch automatically if you set it up to. you will be manually installing patches for any apps not distributed by apple, but all of Apple's stuff will update automatically.

What a crock of Shit!

[ravenspear]

Anyone who has been a Mac user for any length of time and has used Symantec products can testify to the horrid filthy mutilated piece of code that is a Symantec product on the Mac.

This is NOT A TROLL.

I have seen (and experienced myself) Symantec products CAUSE more problems than they fix (if they are even successful at fixing any) on the Mac platform.

I pity the poor soul who has no experience with Symantec on the Mac and falls for this pathetic ad piece.

Re:Security through obscurity is not permanent.

[zulux]

It can safely be said that the amount of resources being expended to identify and cure OS X vulnerabilities is at least somewhat smaller than those used for Windows, in rough proportion to OS X's much smaller market share.

MORE effort is being spent to fix OS X than Windows - in proportion to market share.

OS X gets fixes from Apple.....

And FreeBSD.
And OpenSSH
And Samba
And Kerberos.
And Mach Developers.
And KHTML/KDE Developers.
And GCC Developers (stack protection,etc)

Plus a bunch more that I'm missing

Re:As an IT person who is deploying OS X

[jericho4.0]

The reality is, this article is FUD.

Update reguarly/automaticly, and keep an eye on an OS X site or two to stay abreast of things, and you'll be fine.

Windows is unique

[Sloppy]

The only reason Windows has had mass exploits written for it is the sheer number of connected devices that are present on most networks.

I gotta call bullshit on that.

Quite simply, Microsoft's operating systems and applications are unique within the industry -- no, not just the industry, but almost unique in post-1989 history itself -- in the careless way they treat data as code. Nobody else would have deployed ActiveX, or deliberately made executing a mail attachment as easy as clicking on it.

I can believe MacOS (or any other platform) has its share of bugs that can be exploited, but you just can't find anything as dangerous-by-design as Windows. Windows will always (even as its marketshare fades) be a comparatively unsafe platform, relative to what is normal. It's not just about code quality, it's about amazingly dumb ideas, combined with business practices that resulted in a situation where users' happiness is not a significant market force.

And of course, there's the obvious counter-example: where are all the BIND and Apache worms? Talk about "sheer number of devices"!

Macs are secure but not invulnerable

[goombah99]

for the past 20 years, having a virus checker was useless on a mac and only served to avoid passing along pc viruses. At one brief point you could get word macro viruses.

If someone can get root on a mac you can install a root kit. But youhave to get root first. It's not good enough just to get user level or even admin user level. You have to get the admin user to enter their password to elevate to root.

The ppc played role too as I have read that until last year there was no widely know compact way to exploit a buffer overflow to execute arbitrary code. I beleive that is now solved and published so one might see these cropping up. :-(

Since the security model is better you dont have problems like active-X waiting to ruin your day, or auto execute on mous-over e-mail subject lines, or registry changes needed to install applications. Or other bonkers stuff.

But despite all the default security, nothing will stop a determined used from trojaning themselves good and hard. And if they are admin and enter their password your rooted. Nothing will withstand unrestricted physical access either. You can at least ward off limited physical access by using the firmware password but this can be overridden by a determined user.

and of course there have been security holes and always will be. SSH, quick time, and even JAVA had had security holes. Fortunately no one has manged to exploit these before apple fixed them and given apples default services-off settings and lack of root access, its going to be harder for these things to spread like wild fire.

on the other hand Macs are very homogenous so once a virus does finally break loose, if it can get in without requiring any services its going to spread quickly.

Re:Macs are secure but not invulnerable

[phillymjs]

for the past 20 years, having a virus checker was useless on a mac and only served to avoid passing along pc viruses.

Not true. In the olden days, there were a handful of Mac (Classic Mac OS) viruses. Some of them were even malicious, though those were extremely rare. The only ones I ever personally saw were benign, and easily eradicated by simply rebuilding the desktop file on the infected floppy.

From 1989 and well into the 90s (possibly even until 1998 when it was discontinued), the most popular Mac antivirus software was Disinfectant, a free utility written and maintained by one guy-- so that should tell you the non-severity of the Mac virus problem even then. The developer threw in the towel when cross-platform Word macro viruses hit the scene and quickly became too numerous to keep up with.

Since the time of Mac OS 8 or 9 until the present, however, I would agree with your sentiment that the only reason to use Mac antivirus software is as a courtesy to Windows users with whom you exchange files.

~Philly

Re:As an IT person who is deploying OS X

It's limited to administrators. If you have administrator rights on OS X, you effectively have root anyway; it's just that it's shielded power: you need to take deliberate action to access it, rather than it being at your fingertips. Sort of the difference between an empty pistol with ammo in your pocket, and a loaded and cocked pistol.

uh oh

[Heisenbug]

I try sticking to the bash prompt, but I keep seeing Safari through the translucent Terminal window and coming back to check Slashdot.

Maybe I'm doing it wrong.

Re:"But it's a Mac..."

[multiplexo]

You still haven't said anything about the Mac though. The guy set up an unsecured AirPort base station, he's a fucking idiot, this is like plugging a 100 foot CAT 5 cable into an active network jack and then throwing the other end out the window onto a busy street. I've got some news for you sunshine, if he was a PC user and had purchased a Linksys or Netgear WAP you would have had exactly the same problem. Out of the box Linksys gear ships with SSID broadcast on, the admin password set to admin and the SSID name set to Linksys. From what I've heard Netgear isn't any better. This wasn't a Mac problem, it was a networking problem.

Malware Schmalware

[jimfrost]

This is kind of ridiculous. Oh, sure, malware on OS X is possible and perhaps even really growing in numbers. But the problem is not and cannot be anywhere near as severe as Windows because Apple, like all the other UNIX vendors, ships their systems in a (reasonably) secure state by default.

The malware problem on Windows is not primarily the result of the system's popularity, no matter how many times Microsoft claims that is so. Early attacks on the Internet did not target the most popular system; rather, the most attacks have always targetted the easiest systems to crack. That started out with SunOS and, by the mid-90s, was Linux. (If you think Windows has much better penetration that Linux today, just think how much more lopsided the numbers were in 1995-2000 when Linux was the most popular target.) These days Windows systems are easiest by far because at this point they are the only systems which ship without basic filesystem protections (now that it finally has a halfway decent firewall, a mere five years after everyone else).

If Windows had basic filesystem protection enabled by default on all critical filesystem areas, mandated nonprivileged user accounts, and an installer that required a password, suddenly Windows wouldn't get infected every time you sneezed in its general direction.

Maybe the future will prove me wrong but I will be very surprised to find OS X malware become a serious problem no matter how popular the OS gets. I don't suspect that its users are any smarter, but the barriers are a lot higher.

Re:More scared people -- more sales

[vwjeff]

Apple fans are the perfect audience. Most are technically non-savvy arty types who are easier to FUD.

I believe general stereotypes are bad but do have an example that fits this.

I work for the local school district as a computer tech. Recently, the art department bought a Powerbook for every art teacher. I got a call last week from an art teacher and said she was having problems installing a program. I told the user I would help her install it.

I get to the computer and ask her where the software is. She said she got it in an email from a friend. The subject was "Spring screensavers for you."

Of course the attachment was a zipped .exe containing a keylogger trojan. If this would have been a Windows box she would have unknowingly attempted to install a trojan. (All of our Windows boxes have AV software centrally managed)

I guess my point here is what if that trojan was coded for a Mac? A multiuser system is pointless if the user knows the admin/root password. (Our users do not have admin access.) In my experience, entering a password is more of an annoyance than a security measure for many users.

Ok, now I'm going off to another story but it is worth reading. A person of importance in the district recently got a new computer with XP Pro. She had previously had a Windows 98 PC and was in a habit to cancel past the Microsoft login. I don't blame her. There is not security there. Her new computer is shared between two people so I made an account for each of them like I do on every new computer. This person did not like the idea of having to type her password in just to get into her computer.

On Friday at 3:45 (work ends at 4:00) I got a call from the user demanding that the password be taken off the computer. She just wanted to turn on her computer and be at the desktop.

I did as she asked but also took the liberty to change her important documents to hidden. I was hoping I would get a call today. I did.

After getting a desperate voicemail for the user, I slowly made my way to her office. There she asked me what had happened to her documents. I played stupid and asked what documents. She said all of her important files were in the My Documents folder on Friday and there are not there anymore. I then came up with some bs about how I would need to recover them because someone must have been using the computer over the weekend and must have deleted them by accident. (Strangely enough there were children in that room over the weekend. Perfect scapegoats.)

I waited for about ten minutes and when she left the room I removed the hidden property from the documents. I then said I could enable the password so no one could get into her computer. She was more than willing.

Was my action unethical? Perhaps. Was it funny? I think so. I'm just happy I got my point across with no damage done.

Re:Yes it is...

[jessecurry]

I never said that the "i" didn't bother me either, but it's slightly less annoying(at least to me) because you get an idea of what the application does from its name.
Looking at names such as Krusader doesn't help me to know what the application does. The same goes for kdissert, kdar, Krita, Kate, KLibido, knoda, Konstruct, KlamAV, etc... basically what I'm getting at is that the prepended K seems to make developers try to come up with Kreative names for their applications rather than informative ones.
About the only applications that I am familiar with that have descriptive names are KMyFirewall and KText. I'm sure that there are plenty of others with descriptive names, but the vast majority of Kapplications seem to be named simply for the K.

Re:More scared people -- more sales

[Weirdsmobile]

Most mac users are probably people who bought their iMac because they liked how it came in different colors, like my friend. And most home PC users bought their computers because they liked the bargain basement prices. I don't know what kind of Windows platform utopia some of the posters in this thread are living in, but have you ever listened to some of the people buying PCs at CompUSA or Best Buy? I don't think fans of either platform can necessarily crow about the superior computer savvy of their users.