Mac security not so much about the Mac
SAN FRANCISCO--Politicians like to joke that Social Security reform is considered the "third rail" of politics. In Apple's world, that rail belongs to security.
It's been a while since we examined the "state of Mac security," and with this week's RSA Conference in San Francisco, and last month's CanSecWest conference fresh in everyone's mind, it seemed like a decent time.
The topic is always a heated one, and it tends to bring out the usual Mac vs. PC bashing. But according to people I talked to this week here at RSA, the nature of security threats has moved well beyond the platform.
First of all, let's examine where things stand. No security researcher I spoke with could think of an instance of a Mac running Mac OS X that had been exploited in the wild. Not as part of a contest, or as part of a show-stopping demonstration, but through a malicious attack aimed at pwning a Mac. Few were even sure that any viruses or worms existed for the Mac; there was a Trojan horse type of exploit in the wild last year, but it was delivered through a porn site, and it required users to take several steps to infect themselves.
So Macs remain a very safe computing option. This does not mean that Mac OS X is secure, however. It's software, written by humans, and it contains flaws. Those flaws are theoretically exploitable by criminals, but they haven't been, mainly because you don't need an MBA to do a cost-benefit analysis.
Apple hasn't had its "come to Jesus" moment yet with security, the way Microsoft did in the early part of this decade. Millions of Windows users demanded that Microsoft fix the leaky boats that were Windows XP and Internet Explorer, and to Microsoft's credit, it stopped almost everything it was working on and set about that task.
That hasn't happened to Apple. Even though Apple's market share continues to grow quarter by quarter, the company's products account for just 5.8 percent of the total U.S. market for PCs, according to IDC.
Charlie Miller pwns a MacBook Air at CanSecWest last month. (Credit: TippingPoint)
"Market share equals money" to the hacker criminals of the world, according to Charlie Miller, a researcher at Independent Security Evaluators. Miller made headlines last month by taking control of a MacBook Air as part of the CanSecWest conference's "Pwn to Own" contest. He used a previously undisclosed flaw in Apple's Safari browser to gain control of a system that was directed to a malicious Web site, earning himself and his team $10,000 and a new MacBook Air.
"Even if Apple moved to 10 percent market share, why spend the time on the 10 percent when you can just nail 90 percent with one bug?" Miller points out. It's far easier, and far more lucrative, for those shadowy figures in the hacking business to spend their time going after the other 90-plus percent of computers in the world than it is to try to exploit flaws in the Mac--even if there's a shiny new computer involved.
Changing of the threat
More and more, it's not really about taking control of a computer through flaws in the operating system; it's about using the browser as the entry point into the system or hacking Web sites, said Mike Romo, product manager for Symantec's Mac product line. "Trojan horses and viruses are yesterday's news."
At the CanSecWest conference, no one was able to take control of three laptops in play (the MacBook Air, a Fujitsu running Windows Vista Ultimate, and a Sony Vaio running Ubuntu) when attacks were confined just to the operating system. But Miller's Safari exploit, and the Flash flaw later exploited by Shane Macaulay, Derek Callaway, and Alexander Sotirov on the Vista laptop, show how security threats are now much more focused on the browser, rather than the operating system.
And it's also much more about phishing and social engineering your way into someone's wallet than it is about trying to take over their system, Romo said. "The OS is not really the target anymore for these next generations of threats; it's taking advantage of the fact that people are spending more time online. People are much more comfortable with entering a credit card number than they ever have before," he said.
That means it's no longer about Windows vs. Mac OS (at least when it comes to security debates--don't worry, fanboys). It's about Internet Explorer vs. Firefox vs. Safari vs. Opera. It's also about things like QuickTime, which Apple has patched extensively since the "Month of Apple Bugs" project last year.
Symantec distributed some research this week showing that 22 vulnerabilities were reported for Safari in 2007, compared with 88 in Mozilla browsers like Firefox, 18 in Internet Explorer, and 12 in Opera. It should be noted that counting the vulnerabilities is not the best way to measure the security of a piece of software, and can be explained in part by increased interest on the part of security researchers in investigating Firefox and Safari, as they become more widely used.
Browser flaws, not operating system flaws, are increasingly the more dangerous entry point. (Credit: Symantec)
And, as Symantec points out, "as security researchers have focused more efforts in discovering vulnerabilities in these browsers, the theory that this would result in much greater levels of malicious activity targeting these browsers in the wild has not yet been borne out." Again, IE is still the leading browser, and it makes more sense financially to go after that product.
The problem for the security industry is that even if Microsoft, Mozilla, Apple, and Opera all make the most secure browser ever, it still won't prevent things like phishing scams. The quickest, and perhaps easiest, way to make money from criminal activity on the Internet these days is to send out one of those Nigerian 419 e-mails, have people visit a Web site and enter their information, and shut that site down after a few hours of gaining credit card numbers.
It's almost impossible for security companies like Symantec to track that kind of quick behavior and update browser protection software to recognize the phisher's site as a threat, before at least a few people are affected. Lather, rinse, repeat, and after a while, you'll take in far more cash for a day or so of work than you would toiling away for weeks trying to exploit a flaw in Vista or Mac OS X, Romo said.
This is as much a social problem as a technical one; lots of people who may already be nervous around computers often just do whatever the computer tells them to do, Romo said. Credit that tendency for some of the uproar around Apple's decision to ship a new version of Safari to Windows users through Software Update. More than a few people didn't realize that they didn't have to do what the computer was telling them to do.
Miller and Romo--both Mac users--worry that the need for greater security to protect people from themselves will force Apple to change the way the Mac handles certain tasks, potentially taking away some of the Mac's ease of use. Leopard already takes a step in this direction, Miller noted, though not nearly as far as the User Account Control feature introduced in Vista, to much derision.
But Apple's not going to adopt Microsoft's security strategies for Mac OS X, until users demand it or hackers force its hand. They simply don't have to. Until then, quick, diligent patching and a wider embrace of the security community will more than do its part in keeping the Mac secure.
Education and "safe surfing" practices are as important to this era of security as anything having to do with counting flaws or patching practices. Maybe that's the third rail of technology writing: it's not always the mean evil corporation's fault; sometimes, it's yours.
Tom Krazit writes about the ever-expanding world of Internet search, including Google, Yahoo, online advertising, and portals, as well as the evolution of mobile computing. He has written about traditional PC companies, chip manufacturers, and mobile computers, spending the last three years covering Apple.
This is not a semantic issue. The iPhone is a Mac platform, and it proves that when it has functionality people want, people will exploit it. I believe that the only reason the mac laptop or desktop is not showing up on more exploit lists is because the cost/benefit to the cracker is not competitive with Windows (which is like a walk in a candy store). Nevertheless, Apple has not shown a great ability to protect its products or its users. Nor, obviously, has Microsoft.
It wasn't Microsoft-created software that allowed the Vista machine to be hacked, it was Adobe's. Safari is an Apple-created product and Safari is what allowed the Mac to be hacked.
security and spreading a malicious code
Your premise is completely wrong. All "pwned" iPhones were "pwned" deliberately by their owners in order to unlock the phones from the network or to add applications. You need local access to the iPhone to "pwn" it.
If you are aware of an instance of someone taking control of an iPhone over the network, against someone's will, in a malicious attack that resulted in data loss or identity theft, by all means, please share with the group.
This was a story about PCs and Macs, not smartphones. The issue of smartphone security is a very valid one, and bears scrutiny as those devices become more prevalent. But that wasn't the goal of this exercise.
But, even if they don't have direct access to the hardware, it's still a very difficult problem if you want the system to actually do anything. (Yeah, I can make a system that you can't hack into... unfortunately, it also wouldn't have much software installed...) Even if Windows and Mac OS were 100% secure... the hackers will just exploit the web browser, or one of its plug-ins, etc., etc.
Buh-bye now.
to get your BS posted first.
There are no real world viruses for OS X. This won't always be the case, but anyone that claims that this is only because Macs have a smaller market share should be barred from writing about computers until he learns what he's talking about. OS 8 and 9 on Macs had FAR smaller market shares than OS X, and they had viruses.
Windows XP allows programs to install themselves, modify the registry, etc. without user permission. You can infect your machine just by visiting the wrong web site. OS X, and Linux, and Vista with User Account Control turned on, are FAR more secure for reasons that have nothing to do with market share.
What I don't agree with is your last sentence: I think the fact that Microsoft has *always* been able to patch security vulnerabilities (be it quickly or slowly), IE7 has had fewer security vulnerabilities than most other browsers and Vista has been unaffected by most XP security vulnerabilities and even praised by hackers as being the most secure OS available proves Microsoft *has* indeed shown a great ability to protect its products or its users. As with most (if not all) things in IT, the numbers and statistics (especially when compared to the XP-era) prove it.
I've installed a sandbox to make that happen but shouldn't the browser do it directly? Until I hit the "save" button I really don't want my browser experience spilling all over my computer.
It's worth noticing that Vista's security configuration (requiring privilege elevation to do many things) has always been standard in OS X, and of course OS X inherited it from UNIX, which has used it for decades.
That's not to say there aren't bugs to fix, but if it were easy to crack OS X the malware guys would be doing it regardless of small market share. Remember, prior to about 1998 the favorite machine for crackers was Linux! If you think Linux has small market share today, consider what it was like ten years ago. The law of big numbers applies here: There are so many machines out there that even small market share yields a big botnet.
After vendors like Red Hat started shipping releases in secure configurations malware intrusions disappeared practically overnight. It stopped being low-hanging fruit.
Macs were targeted regularly by malware authors prior to Mac OS X too, further putting the lie to the assertion that it's all about market share. They go for the softest targets, and that's still Windows XP by a long shot -- largely because almost everyone runs as administrator all the time. Any hole in any application and your machine is owned.
Compare this to OS X; if they get through a hole in Safari, the operating system is still protected. At most they can scribble on user data and stuff in /Applications (unless the user is smart and doesn't use an admin account day-to-day, but like Windows that seems to be the exception). The attacker still needs to perform a privilege escalation attack. Vista has this same design, so I think it will be interesting to see how malware penetration changes as people migrate to Vista.
I think the real problem these days is social engineering. We can build in all the security you want but if people keep pushing "yes" through all the "are you really sure you want to do this?" dialogs then you're going to lose. It's for this reason I've been rolling out machines to relatives without giving them admin privileges at all.
jim frost
jimf@frostbytes.com
It would be nice if you could give me links to the data you cite. It is not that I do not believe you - BUT it really would prove the point in the direction opposite to the original article.
If I understand what happened at the hacking challenge the hole was in Safari and yet he still owned the machine. Evidently the OS isn't any more protected than the Vista OS was the next day when that machine got owned.
Yes we like to blame Microsoft or Mozilla or Mac. And yes the user does do some stupid things, BUT the person in the wrong here is neither the software developer nor the user, because they are not the ones committing the crime. The virus writers and phishing perpetrators are the people whose fault this is!!
Maybe we need to do something to make this less easy for them, maybe we need to up the enforcement and prosecution but the people attacking the user are the people at fault!
There are common sense things that people do in lots of situations to protect themselves from harm, like not wearing a Red Sox jersey in the bleachers at Yankee Stadium. Sure, if you get beaten up, it's not your fault per se, but what the hell were you thinking?
Sorry, but you are unequivocally wrong. Everything is crackable by hardware repeat hardware hackers.
So, who are these "hacker-speak gurus" anyway? Well, yes for sure, they're criminals who understand hardware intimately.
So, where the heck did these malicious "system destroyers" learn their world-class tricks, anyway? I mean, who the heck could have taught them how to install keyloggers and trojans and etc in your hardware? I challenge you to find any courses taught on hardware hacking from any accredited school in the USA or elsewhere in other developed nations.
Be logical and remove the "!!!!!!!!!!!!!!!"'s for a second. Think.
Who knows the hardware inside a system better than anyone on earth? Don't limit yourself to bad guys in some basement somewhere, because it ain't them to any significant extent - include large publicly traded companies in your analysis.
So, was it GOOG and all those kind of firms? Nah, they don't make hardware.
Ask these questions: Why did IBM really - no, I mean really - sell their computer manufacturing division to Lenovo? Why did Dell really - no, I mean really - fail?
Why won't even the most courageous, major tech publications like C|NET (cough lol) do a multi-part investigative story on this phenomenon? hmmmmm... maybe they will. But those ad revenues are soooo highly valued, so I wouldn't hold my breath.
HP is the world's largest OEM. Why? For the meager margins on computer making? Nah. Izzit to ensure the continued growth in sales and net profits from selling those tiny little ink cartridges that made them what they are today?
Follow the BIG money and you'll find the corporate culprit. It may be - gasp - sitting right in front of you now as you read this?
share:
"Apple's market share in the US has broken the 20 per cent market for the first time in its history as it continues to reap the rewards of Mac sell-through from its iPod and iPhone businesses. That's according to Piper Jaffray's chief Apple analyst, Gene Munster.
Munster said in his latest investment note that he believes Apple Mac's now account for 21 per cent in the US consumer market, adding that he expects it to continue to grow for the foreseeable future."
source: http://www.pcretailmag.com/news/29628/Mac-market-share-on-the-rise-globally
He also noted that it isn't just in the US that Apple is breaking new ground, with him saying he believes Apple has broken the ten per cent barrier worldwide for the first time too.
Keep in mind that it is Piper Jaffray's job to promote Apple numbers as they are a financial advisor/investing group. They get money for saying good things to convince you to buy stock through them. They have no reason to actually have proof to back it up. They are free to make up things as long as it convinces you to spend money with them. There is no accountability required.
Even Apple doesn't agree with the numbers that this report came up with. It's one person's opinion and it's not based in anything close to actual numbers or facts.
That's one problem with quoting sources blindly- when you follow the bread crumbs you come to a blog or opinion piece and not one based on facts or figures.
market share is owned by PCs" is cited, this includes: Home PCs, Point of Sale systems, ATMs, routers, servers, network appliances, etc.
The 20% you're referring to is the household PC vs the household Mac, not including PoS systems, ATMs, et al.
computer purchases world wide. You also have to be careful to differentiate between market share and installed base. Conventional wisdom is that Apple's share of the installed base is larger than its market share due to the average longer life of Macs. I don't know if this is still true.
In any event, when you consider all routes to market, Apple's market share is somewhere in the mid single digits (5-7% US and 3-5% worldwide) right now. That puts them at something like #4 or #5 of all computer vendors.
Nice to see Apple growing well - little wonder that MSFT is suddenly under (what I suspect to be) a TON of internal pressure to shove Windows 7 out the door ahead of schedule.
The 10% global figure has been expected by some of us for quite awhile, and the beginning of Q2 sounds about right for it.
Of course, neither commenters nor security analysts have ever bothered to answer one simple question whenever the argument of "marketshare = malware" comes up:
With Apple at a 10% global reach (and 20% of US consumer reach), why aren't 10%/20% of the bugs out there targeting Macs? Instead we have... well, 0%.
Seriously - it's a whole different bucket of everything when you're talking about security on other OSes (which is why I always find it humorous when someone tries counting patches and reported vulns like they were some sort of reliable indicator).
/P
And total market share is still very small...
stand. No security researcher I spoke with could think of an instance of a Mac running Mac OS X that had been exploited in the wild.") and then lost your way.
If you want to reduce your risk of harm to your computer, use a Mac. It's that simple. You can discuss until you're blue in the face whether that's because of low market share or inherent security. It really doesn't matter. Macs have not been hacked in the wild. OTOH, there are tens of millions of Windows zombies.
It's like this. You're going to build a nice, new home and have to decide where to build it. Do you build it in Macville where there are no known criminals running around or in Windowstown where the streets are loaded with thugs- and millions of homes have been broken into.
Now, even if you're in Macville, it may be prudent to install appropriate security and to behave in a way that you reduce your risks (locking your doors at night, not clicking on links in emails, etc). But for any given level of security, your risk is much, much, much lower in Macville.
So why would you choose to live anywhere else?
On that same vein, even in Macville, thugs exist, and Macs do get broken into. Apple, the local sheriff, still needs to be on the prowl.
Operating system is becoming more and more irrelevant these days with regards to security, so realistically, it doesn't matter so much where you live as it does that you have a good, strong deadbolt and know how to use it.
Well therein lies the problem. People are so used to believing the Macintosh platform is secure that they simply don't take even those simple steps. We have Macintosh enthusiasts here even in the forums who are actively telling people to not run any sort of security applications or take any steps towards securing their system- and they claim to be IT security specialists. So... what does that really say?
To me, it says that you have a whole town of suckers waiting to be scammed- and the people responsible for it are those same 'security experts' who keep sticking their heads in the sand.
It doesn't matter what OS you run. If you ignore the risks then don't be surprised when you get burned.
X. If you're wanting a reason to choose Windowsville over Macville, it's pretty simple:
Despite the thugs, prostitutes, and crime, Windowsville is Vegas. You have all the entertainment and games you can possibly think of. Macville is Podunk, Arkansas. Sure, they have Bowling (WoW), but they also don't have all the other great games only offered in Windowsville, like Half-Life/Counterstrike, Half-Life 2, etc.
Why? Because we love you Mac fans. As you guys repeatedly tout how great the Mac is, you are going to increase the market share of the Mac and deep inside your heart, you all wish the Mac beats the PC on the platform war (that's why the marketshare news of the Mac keeps coming up -- people are interested.) So, at some points, the Mac will overtake the PC as the most used platform. At that point, the hacker will shift to hack the Mac because the economy is on your side. Then we poor PC souls can secretly hide from the dangers -- this is the ultimate secret weapon from Microsoft to win the security battle ... by sacrificing their marketshare! Thanks, Mac. PC loves you.
"So, at some points, the Mac will overtake the PC as the most used platform. At that point, the hacker will shift to hack the Mac because the economy is on your side."
Right. Wanna buy a bridge in Brooklyn?
Face the facts. OSX is based on Darwin (with closed source candy thrown on top of course), an open source version of BSD Unix. Unix has been working on security issues since its invention back in the 70's. Does that make it bullet-proof secure? No, not by a long shot. But it does make it more challenging to hack to say the least.
Winblows "answer" to security? Annoy the user with half a dozen UAC prompts for every single installation. Convince me people will pay attention to each and every one of them. Convince me people will UNDERSTAND any one of them. No, people will just click "OK" until it goes away, then will likely turn it off later when they're just sick and tired of the annoyance.
If *nix based OS's need "root" access to install something, they will prompt you once. Sometimes that's expected, like when you're purposefully installing something. Sometimes it's not, like when something's trying to install itself without your knowledge. Is this the perfect scenario? No, but it's better than nothing.
UAC is worse than nothing because it gives you this false sense of security. You have no idea what you're approving with those multiple prompts, you just approve them so you can get on with your life. How many people will bother to search M$'s website to understand what this third UAC prompt is for? The fourth? All the subsequent ones?
used platform. At that point, the hacker will shift to hack the Mac because the economy is on your side. "
That might or might not be true. First, I doubt if the Mac will ever overtake the PC. Even if they did, there's no way of knowing if they will have as many viruses.
But WHO CARES? I happen to be living today not in some fantasy future. I care about my computer's security TODAY, not in some fantasy future. And today, it's infinitely safer using a Mac. That is completely unquestionable.
But, just as with any other endeavor; biggest fish, my kid's an honor student at xxx, my car/computer/boat is faster, fastest gun in the West, and
so forth ... one of the "bad guys" would have done it just for reputation !
Chew on that thought.
don't. The *serious* hacking world isn't a bunch of kids living in mom's basement. The crew system that was big in the 90's is pretty much dead and replaced by very serious people interested in making a lot of money.
Bottom line - name ANOTHER OS with 35 million users with ZERO spyware, ZERO trojans, ZERO viruses, ZERO zombie, etc, etc ... ... that's the bottom line - you can say a lot.
At ANY point for DOS, Win, ME, 2000, NT, XP before they crossed 35 million users, can they also claim the following?
ZERO spyware, ZERO trojans, ZERO viruses, ZERO zombie, etc, etc
The FACTS are in. It's not the number. It's the OS - plain & simple.
You can ignore the facts by trying to keep your cushy consulting gig but the real facts are plain.
ZERO = infinity = ZERO
Tom, you're turning into Joris Evers, and that doesn't bode well.
There's nothing I can do about the fact that these topics generate a lot of debate. Should I avoid ever bringing them up, simply to avoid the perception that I'm trolling for hits? Or should I try to deal with them in as forthright a manner as possible?
Sorry if it offends you, but we plan on discussing Apple, Microsoft, and security on this Web site.
Even then, when referring to hacks, it refers to standard web based attacks that are not based on what operating system the user has, but what browser they use. The writer only makes a reference to the whole "marketshare" theory, because he has no other explanations why cyber-criminals have not targeted the increasing amount of Mac users.
See I can live with some incorrect information, but when everyone who posts a response is only looking for a reason to push their own opinions on everyone who isn't a conformist (i.e. clones and/or robots), that is when everyone loses.
Last point, the only reason that there is even any market for exploits is because crooks are smart enough to realize that 95% of all computer users are about as dumb as bricks when it comes to common sense (i.e. clicking on that suspicious red/green flashing banner that says you won 1,000,000 dollars).
over the fact that MS made a multitude of bad engineering decisions from the start. With the system being closed...how exactly can anyone say that Windows is more secure. No one can examine the code as they can with the open source software that Apple utilizes & contributes to. Yet even with a closed system MS manages to have created an industry for spyware, malware & viruses. I have no problem with the author taking Apple to task. I do have an issue with the amount of whitewashing that is going on here. Everything old is new again. Marketshare had nothing to do with these issues:
The Windows Registry and the convoluted software installation mess related to it,
The Windows NT/2000/XP Interactive Services flaw opening up shatter attacks,
A wide open, legacy network architecture that left unnecessary, unsecured ports exposed by default,
Poorly designed network sharing protocols that failed to account for adequate security measures,
Poorly designed administrative messaging protocols that failed to account for adequate security,
Poorly designed email clients that gave untrusted scripts access to spam one's own contacts unwittingly,
An integrated web browser architecture that opened untrusted executables by design, and many others.
above list attributed to. read on for another point of view:
http://www.roughlydrafted.com/2008/04/01/the-unavoidable-malware-myth-why-apple-wont-inherit-microsofts-malware-crown/
Future reality:
http://rixstep.com/2/20080314,00.shtml
http://arstechnica.com/news.ars/post/20080408-new-kraken-worm-evading-harpoons-of-antivirus-programs.html
That is the biggest thing that could be done to prevent most of these phishing attacks and virus attacks as well.
The last bit that needs to be done is to STRICTLY MONITOR THE AD COMPANIES! Most malware today that gets on a person's system can be DIRECTLY traced back to ads that download malware on your system, whether you click on them or not.
backbone should have auto-self cleansing of restricting ips of the phishing/malware sites. There is some work going on concerning the botnets and zombies, but it isn't enough. The internet is still the "wild west" and users should be cautious in their use of it.
Obligatory Vista slam:
Yes, Vista is truly more secured than its older brethren, however the fact that their implementation of it is so bad, users end up turning it off because of its intrusive nature. Another demonstration of MS poor design.
You give me an OS that comes with Firefox, Transmission, Brasero, Blender, Inkscape, and the GIMP, and I'm feeling pretty self sufficient. Don't have it? Check the repos.
I think mac is fairly good with this too...
Great piece.
by Macalope April 11, 2008 3:01 PM PDT
Very good wrap-up of the situation, Tom, and evenly handled in the Macalope's view. My antlers bob in your general direction.
Amen.
by Fil0403 April 13, 2008 7:51 AM PDT
Evenly handled indeed. Surely not evenly handled to Mac users (whose biased notion of "even" in this case would be to forget facts, numbers and statistics and just blindly and ignorantly claim that every Microsoft product sucks, has 200.000 viruses and Apple products are perfect and Steve Jobs is a god and everything he says is true), but surely evenly handled to any unbiased person, yes.