Macs May No Longer Be Immune to Viruses

Bill writes "MSNBC reports that the combination of Apple's growing market share and their recent switch to x86 processors has made Mac OS X a new target for viruses. Unfortunately, it seems that many Mac users are in denial. '[Computer security expert Tom] Ferris said he warned Apple of the vulnerabilities in January and February and that the company has yet to patch the holes, prompting him to compare the Cupertino-based computer maker to Microsoft three years ago, when the world's largest software company was criticized for being slow to respond to weaknesses in its products.'"

Heh.

[c0l0]

One might wonder why this (non-)story is featured on the front page of MSNBC... ;-)

Re:Heh.

[Rosyna]

It's just sad really. This Tom guy can't read crash reports. He reports the same TIFF crash as two different crashes, and then says there is a parsing error in CFAllocatorAllocate(), which does parse anything, it just allocates memory. In CF, most functions will call abort() and force an application crash if given bad parameters. Such as a 0 size for memory.

Most, if not all, of these just amount to DoS attacks and it's not actually possible to get them to run arbitrary executable code. But now days any kind of reproducible crash is incorrectly regarded as a massively massive security issue. It's people like Tom Ferris that make real computer security jobs into a joke.

Switch to Intel

[pryonic]

I can see how the increased market share would make them more of a target, but I can't really imagine how the change in CPU would. The vast majority of x86 viruses target Windows using very specific windows API functions or by patching Windows components. If a writer is targetting a x86 Mac, how does the CPU matter, it would just be compiled for that processor.

Maybe we'll be seeing x86 and PPC virus fat binaries?

Re:Switch to Intel

[Rosyna]

I can see how the increased market share would make them more of a target, but I can't really imagine how the change in CPU would

The Harvard architecture that the PowerPC uses is inherently more secure than x86. A remote exploit on running code has a very low chance of working on the PPC, but nearly a 100% chance on the x86 (which is why all these IE exploits work all the time). When they fail to execute code, the PPC application just crashes. I'd think if someone went to a place that causes their browser to crash 10 times in a row, they'd stop trying to go there.

Then again, Apple has taken massive steps on the x86 side to prevent these kinds of attacks. Such as enforcing the NX/XD bit and enforcing a non-executable stack. The former goes a long way, it was even able to prevent the WMF exploit from working on Windows, if it was available in hardware. Luckily, all ICBMs ship with the hardware support.

Leap of Faith

[ozmanjusri]

I'm not even a Mac user and I still call FUD on this one. TFA was so slim on detail it was impossible to work out what had actually happened, and after searching for real info it turns out the virus, Leap.A, needs a root password to do any damage. Better article here: http://edition.cnn.com/2006/TECH/04/30/apple.secur ity.ap/index.html

Re:Immune?

[Scudsucker]

It's just that most virus writers don't give a crap about Macs.

And the fact that Macs never had Outlook, the PC version of Internet Explorer, Active X, ports and services open all over the place, or piss poor priveledge seperation. That is why Macs don't have viruses (Linux as well, for that matter), not because of market share.

Re:Macs have never been "immune" to viruses

[Scudsucker]

Nor even markedly more resistant. They have just been less targeted.

Nonsense. Microsoft is the target of viruses and spyware because of Microsofts moronic design decisions and security policies, not because of marketshare.

mixed article

[gmccloskey]

No-one can deny that with growing popularity of OS X that it becomes an increasingly attractive target. Malware writing works on similar economics to regular software: this implies that malware will exist but be a niche deployment. So it is a concern, but not the end of the world, or of Apple, as the world likes to regularly predict.

The article was mixed in accuracy. Many Mac users believe themselves to be invulnerable - the truth is they are currently /less/ vulnerable than the mainstream desktop OS. The thesis that using an intel processor increases security risks is not true - OSen don't allow direct hardware access as such, and how many script kiddies write x86 microcode?. Running Windows on a IntelMac may potentially increase security probems, and reduce the Macintosh (not OS X) brand reputation for security. It depends on how the 'wall' between x86 file access and OSX file access is implemented.

Nothing in IT or anywhere else is 100%. Currently OS X is more secure in many areas than its competitors. To maintain or improve on this, constant vigilence and innovation are required by Apple, ISVs and most importantly users.

Re:Immune?

[stefaanh]

Otherwise said:
Burglars break in houses with the most vulnerable alarm system, not because of the popularity of the alarm system.

Re:Gosh, it does sounds like MS.

The advisory is from 9 days ago. It is from a company that would like to sell you stuff related to its advisories. No known instance of the alleged flaws exist publicaly. The descriptions of the flaws do not support the conclusion of either a DOS attack being possible or compromising of one's system. As such, I invite you to use this flaw to do anything to my Mac.

Or, even present me with a URL where I can observe the alleged flaws in the wild.

Your handle, Whiney Mac Fanboy (963289), should be a tip-off that you are not posting about this matter in good faith.

Re:Article is a troll

[rolfwind]

The $2000 barrier to entry you used to have to pay to use OS X (and test exploits against it) no longer exists, if you don't think that makes a difference to hackers (many of whom are in far less afluent countries then you), then quite frankly, you're insane.

I suppose you haven't actually checked the Apple Store the last few years. The barrier of entry has been around $500-600 the last few years. Unless haxors absolutely need l33t 15" Powerbooks instead of a mac mini.

And on that point, wouldn't some haxors love to also be one of the few to make a sucessful virus/trojan/etc OS X or Linux (where's the barrier of entry here?) instead of one of the few thousand for Windows? I thought prestige was some sort of motivation. Pff.

Re:Gosh, it does sounds like MS.

I'd take an Apple spokeswoman's word over Tom Ferris's word. He's fairly good at finding crash bugs, but he frequently reports zero dereferences as "buffer overflows", etc. See his record in bugzilla.mozilla.org, for example, starting with bug 303433. I have no idea why the media keeps calling him a security expert.

Experts eh?

[Keen+Anthony]

Apple's iconic status, growing market share and adoption of same microprocessors used in machines running Windows are making Macs a bigger target, some experts warn.

Sadly those "experts" could not be reached for explanation because they were out buying antivirus software for Linux and FreeBSD - cause, you know, they're both iconic, have a growing market share, and run on the same microprocessors as Windows.

"They didn't know how to deal with security, and I think Apple is in the same situation now," said Ferris, himself a Mac user.

Sure, being a minority OS does mean fewer virus writers targeting the Mac, but Mac OS X has been cool for a few years now, and I'm still waiting for those dangerous viruses. I'd say Apple knows a little something about dealing with security - certainly enough not to pawn off the responsibility to the antivirus aftermarket.

The Mac's vulnerability could also increase as Apple transitions to a product line that uses microprocessors made by Intel Corp., security experts said. With new Macs running the same processor that powers Windows-based machines, far more people will know how to exploit weaknesses in Apple machines than in the past, when they ran on the PowerPC chips made by IBM Corp. and Motorola Corp. spinoff Freescale Semiconductor Inc.

Who are these security experts, and do they work weddings and bar-mitzvahs too? Since when did familiarity with a microprocessor lead to intimacy with an operating system. There's so much I still don't know about BeOS and I've written assembly on PowerPC and x86. The vulnerabilities described in the article may be found here. For the most part, it looks like flaws in the way Safari and Preview handle GIFs, TIFFs, BMPs, and bad ZIPs can cause an application crash, and *possibly* allow code execution (even via certain malformed HTML tags). I've had corrupt graphics files and zip archives crash Preview and Safari in the past, but never any virus-like behavior. Still, it's a good thing to note, but the reporting could have been much better.

Re:Macs have never been "immune" to viruses

[nathanh]

Nonsense. Microsoft is the target of viruses and spyware because of Microsofts moronic design decisions and security policies, not because of marketshare.

Nonsense. Microsoft is the target of viruses and spyware because of Microsoft's moronic design decisions and security policies AND because of marketshare.

Virus writers are writing viruses to make profit; either by stealing information, creating botnets, or proliferation of unwanted advertising. They make more profit by exploiting more machines, so it's no wonder that the most common OS is also the most targetted.

The fact that it's so trivial to exploit Microsoft software is purely because of the moronic design decisions and security policies, not because of marketshare. But the fact that Microsoft is so frequently the target of virus writers is a function of marketshare as well.

Anti-virus company campaign propaganda

[bananaendian]

What? So Macs were immune against viruses?

Seriously, it's way too easy to have a go at this MSNBC BS. What is more worthy to note is the frequency and desperation with which these articles keep appearing, claiming sleeping beauty mac-users are in imminent danger if they continue to refuse to take part in the virus paranoia of the Windows world.

I have been using W2K with no anti-virus software for years with no side effects. Sadly and with amusement do I follow the antics of my fellow XP users with their shiny anti-virus crapware popping up redundant warnings and notifications and slowing the machine to a crawl. And to top the irony they have to turn off anti-virus whenever they install anything or run certain software. And when you go to your workplace or school the machines there have been made almost entirely useless by over zealous protection software.

Having a go at Macs for security is either stupidity or plain propaganda. Security doesn't come from anti-virus programs. It comes from the underlying architecture of the OS and the third-party software having to comply with the security principles of the underlying architecture. Anti-virus software only protects the computer against clueless users and thus it can be claimed that any computer/OS architecture requires some.

And as for the age old user base threshold argument I'm still waiting. OSX has been for some time the most common UNIX based OS. It is remarkable how little vulnerabilities have been found considering the amount of software and services running on OSX by default. Thus, comparatively, statements involving OSX and poor security continue to be plain ludicrous.

As for me I'll merrily continue running my apparently 'immune' W2K box (behind two tailor made firewalls) and wave my greetings and encouragement to my fellow mac users.

Macs can get viruses?

[Mathiasdm]

I'll believe that when I see water running uphill!

Re:Immune?

[99BottlesOfBeerInMyF]

You make several good points, and it is clear a lot of people who are not in the security field overestimate the security of an OS X system. It is somewhere on par with the average Linux workstation, which is to say people out there can hack it if they are targeting you specifically. Worms might, but probably won't be an issue for an average user. Notifications and restrictions on users are middle of the road for security versus ease of use. I think, however, you are slightly incorrect on several points and are basing your opinion on several incorrect facts.

If you write a virus, you most certainly DO aim it at the most popular platform amongst those it has to contact to spread, especially if all the other platforms combined don't even reach 10% of the market, unless there are serious mitigating circumstances.

This is true in some cases, but not all. A good number of worm authors are for-profit these days they want to make money. Windows is the biggest market segment and the easiest target. It is not, however, necessarily the most profitable. Half the Windows machines out there are sitting in a business office and have no data easily exploitable for profit. Another 25% or so are home machines owned by people in the third world who have pirated the copy and don't even have credit cards.

Mac users, on the other hand, are people who shelled out big bucks for a high-end machine. Some Windows users are too, but by no means a large percentage of them. What percentage of Macs do you suppose have valuable, credit card and personal info for someone with a high credit rating?

Macs are not so rare that dumping one on Comcast's network would not net you a pile of machines. Further a cross-platform virus that hit both macs and Windows machines would solve the propagation issues. No, the reason worms don't hit Macs is not propagation or lack of a target. Nor is it lack of motivation. While many worm authors are working for profit, a large number are also just showing off and being malicious for its own sake. A lot of them would love to take "those mac users" down a peg.

The reasons we don't have mac worms spreading are:

• Unfamiliarity - many worm authors use tools and a knowledge base that is very Windows specific. Many just don't know how to write a Mac worm.
• Difficulty - There is no IE or Outlook and the default, common internet apps avoid many of the security snafus MS has made with them. Ports are closed and services not running by default. Like it or not, the average Mac is harder to attack that the average Windows machine.
• Community Expertise - you can have a worm propagate on Windows machines for weeks before it hits a honeypot or smart security guy's machine and becomes recognized. There is a higher percentage of security people and clueful professionals on Macs, so worms are/will be detected more quickly. The one attempt I know of to spread one used a Mac forum as the insertion point and was detected by users there and dissected immediately.
• Zero day to a month - The time between the discovery of a vulnerability that actually presents a real risk of worm propagation and the rollout of the fix is shorter, due to Apple's faster response time. This is party due to the complexity of the architecture and partly due to policy.
• Up-to-date security - If you're running Windows 95, 98, ME, or 2000 there are unpatched security holes on your machine. If you're running Windows XP, you may or may not be up to date depending upon your security update policy and what application you need and whether or not they work with specific security patches. If you are running any version of OS X you still get security fixes as they are rolled out. If you are running OS 9, well, there just isn't much pout there and isn't likely to ever be for a plethora of reasons.

And the truth is that Darwin's lack of fine grained security means it has a limit to how secure it'll ever be.

It is true that OS X has not implemented jails or Man