Mac Attacks Surge

by David Miller

Time for Mac users to start learning the language of vulnerability.

Just as Apple Computer launched a new ad touting OS X's resilience against viruses, the Macintosh operating system and applications have come under fire for harboring serious security flaws.

Security software vendor McAfee, The SANS Institute, and independent researchers have all recently published reports slamming Mac security. It's a big switch for the computer company that has long enjoyed a reputation for creating software that's immune to the nastier aspects of "iLife."

Security vendor McAfee released a whitepaper on Friday on the state of Mac security. According to McAfee, from 2003 to 2005 the annual rate of vulnerability discovery on Apple's Mac OS platform increased 228 percent, compared to Microsoft's products, which only saw a 73 percent increase.

That may be comparing Apples to oranges, but McAfee also noted that, "as demonstrated by its March 2006 patch, which corrected 20 vulnerabilities, Apple's Mac OS platform is just as vulnerable to targeted malware attacks as other operating systems."

On May 1 the SANS Institute, a computer-security organization, listed "rapid growth in critical vulnerabilities being discovered in Mac OS X" as the No. 1 concern on its list of the 20 most important threats in computer security.

The report went on to say "OS X still remains safer than Windows, but its reputation for offering a bulletproof alternative to Windows is in tatters."

Many people think of Apple as not having any vulnerabilities, said Rohit Dhamankar, editor of @RISK and the SANS Top 20, and manager of security research at 3Com. "People generally think that if you don't see viruses or widespread malware that a computing platform is safe. However, you can still have vulnerabilities that people can exploit."

Apple was unavailable for comment on the McAfee and SANS reports.

In February, three exploits surfaced targeting Macs. "Leap-A" was buried in jpeg images purporting to be screenshots of the next version of Mac OS X. Once active on a machine, the worm replicated by sending itself to names in the infected computer's iChat buddy list. "OSX.Inqtana.A" was programmed to spread through a vulnerability in Bluetooth wireless technology.

Like many PC threats, both of those exploits turned out to be duds. But a third vulnerability reported in late February is potentially serious. Apple's Safari Web browser allowed downloaded files to open as soon as the download was complete. If a file contained malicious programming commands, Macs could be tricked into running those commands.

In March, security researcher Tom Ferris blogged about a slew of "zero-day" vulnerabilities that he believes hackers are using to target OS X. A zero-day vulnerability is a new security flaw that a software vendor is either unaware of or attempting to fix. An attacker who manages to develop a method to exploit such a flaw has a potent covert weapon, one that networks and IT staff cannot easily defend against.

Ferris told Apple about the flaws, some of which involve iTunes and QuickTime software, in early January.

Ferris thinks the recent defacement of Apple's Korean online store was carried out by a hacker using a zero-day exploit that gave him administrator access to the server housing the Web site.

"Apple's products are now becoming more of a target of hackers because more people use OS X now," said Ferris. "Also the fact that Apple now has a commercial saying that OS X is virus-free is just asking for it.

"It kind of reminds me of when Oracle said their database was 'Unbreakable,' and within a week a researcher had released multiple flaws within their products."

Ferris said many security researchers he knows have recently shifted gears and are now spending a significant amount of time looking for OS X flaws.

Increased scrutiny and a small spike in market share may dissolve the "security by obscurity" that some experts believe helped to shield Macs from hack attacks.

Apple is still generally regarded as more secure than PCs running Windows operating systems. OS X, like other Unix-based systems, will not usually run programs that will alter the operating system without explicit permission from the machine's system administrator.

In contrast, Windows users typically operate their machines under the administrator account by default.

"Yes, the more OS X is discussed, the more likely there will be viruses, worms and so on. But the frequency and the damage from these will be, in my opinion, much less than on a comparable Windows platform," said Mike Sweeney, owner of Packet Attack, a security services company.

"OS X is more secure out of the box than Windows. OS X and Windows were designed in different ways," Sweeney said.

"Windows was designed for personal computers, before the broad public adoption of the Internet. OS X is based in part on BSD, which is one of the most secure Unix types of operating systems, and designed for use in a networked environment."

But Sweeney and others believe that Mac security could be compromised by users who are blissfully unaware of the threats that lurk online. Apple users tend not to worry about whether they should or shouldn't open e-mail attachments or if they should click "OK" on dubious pop-ups. They trust their Macs.

"A prudent man always locks his doors no matter where he lives," said Sweeney. "Any operating system can be hacked. OS X is no different, so it is always better to take precautions."

Experts encourage Mac users to ensure they are up to date with Apple's security patches and to practice basic safe computing by following Apple's security tips.

This article was originally published on internetnews.com.

This article was originally published on Tuesday May 9th 2006