March 25, 2005 10:00 AM PST

This week in security

Apple Computer has traditionally been regarded as partially immune to the exploits of hackers and virus writers, thanks to its low market share--but those days may be over.

This week Apple closed a security hole that had allowed an underground program to tap into its iTunes Music Store and purchase songs stripped of antipiracy protections. The PyMusique software, created by a trio of independent programmers online, emerged last week. One of its creators was Jon Johansen, the Norwegian programmer responsible for releasing DVD-copying software in 1999.

But after Apple closed the hole on Monday, the group posted new code that it said will reopen the backdoor to Linux users.

The programmers' work has been one of the most persistent projects targeting Apple, whose iTunes store and iPod have drawn consistent attacks and experiments by people eager to extend the capability of the products or simply disarm copy protection.

Meanwhile, Apple's Mac OS X operating system is increasingly becoming a target for hackers and authors of malicious software, a security software company warns. In a new report, Symantec said that in the past year, security researchers had discovered at least 37 serious vulnerabilities in Mac OS X. The company also said that as Apple increases its market share with new low-cost products such as the Mac Mini, its user base is likely to come under increasing attack.

The Symantec report also said there's been evidence of growth in vulnerability research on the OS X platform.

That report came as Apple released nearly a dozen fixes for flaws in the Mac OS, including a script for preventing phishers from fooling users of its Safari browser. The loophole could allow an attacker to use certain characters from different languages to create legitimate-looking Web addresses that actually send victims to malicious Web sites.

The newly released patches take care of flaws in the Apple Filing Protocol server and the Samba file-sharing server, as well as multiple issues with the Cyrus authentication software, the Cyrus mail software, Mailman and SquirrelMail.

2 comments

Let's look at the Statistics
I'm afraid the section of Symantec's widely reported document
that deals with Mac OS X is misleading and somewhat self-
serving marketing fodder. One could almost theorise Symantec
is campaigning to develop new revenue streams (from Mac
users) in light of Microsoft's competitive entry into the Windows
AV market.

However the chorus of inflammatory headlines based on this
report inflate the issues to panicky extremes:
"Hackers Unleash Worms on Apple",
"Mac Attack/Attention: smug Mac users. You're not safe
anymore."
"Mac OS X a hacker target"

Let's look at the statistics:

Microsoft Windows:
Viruses and Worms = 17,500 (symantec.com)
Spyware and Adware programs = 78,000 (www.pestpatrol.com)
Burrowers = 40 (www.pestpatrol.com)
80% of PCs infected with spyware (webroot.com)
Last year (2004) alone:
500 new Trojans (www.pestpatrol.com)
500 new keyloggers (www.pestpatrol.com)
1,287 new adware apps (www.pestpatrol.com)
7,360 new viruses and worms (symantec.com)
1,403 new vulnerabilities (symantec.com)

Mac OS X:
Viruses and Worms = 0
Spyware programs = 0
Adware = 0
Keyloggers = 0
Burrowers = 0
Trojans = 3
Last year (2004):
1 Rootkit (symantec.com)
37 new vulnerabilities (symantec.com)

When the evidence is considered, there are still actually no
worms, viruses, spyware or adware recorded targeting Mac OS X.
It becomes readily apparent that Mac OS X remains the safest,
pest-free OS by a more than considerable margin.
http://www.mi2g.com/cgi/mi2g/frameset.php?pageid=http%3A//www.mi2g.com/cgi/mi2g/press/190204_2.php

Note that Trojans can't spread by themselves - they are bits of
code that pretend to be something innocuous and need to be
downloaded and opened by an authorised user. In the case of
the three targeting Mac OS X, two are harmless while the third
deletes a user's home directory if run by that user.

Note also the Rootkit discovered on a couple of OS X machines is
a set of scripts that requires root access to be turned on (turned
off by default on all Macs). The hacker also needs to know the
root password and the malware has no mechanism of spreading
and infecting other computers by itself.

Symantec's espousal of the theory of "Security through
Obscurity" fails to explain the fact that the number 1 web server,
Apache with around 69% marketshare has far fewer attacks
(including viruses and worms) than Microsoft's IIS which has
captured only 21% of the market (Netcraft.com). This theory also
does not explain why the many flavours of Linux suffer from so
many instances of malware themselves despite having as small a
marketshare as OS X.

37 vulnerabilities (mostly in open source components of Mac OS
X) which were promptly patched by Apple does not constitute
"increased attacks on OS X" as no attacks using any of these now
closed vulnerabilities have been recorded.

John Gruber has a useful article on why Windows suffers so
much malware:
http://daringfireball.net/2004/06/broken_windows

However, no software can be perfect and it would be foolish to
say there won't eventually appear some malware targeting the
10 million+ OS X users out there - however, today is not that
day. Mac OS X has been sitting untouched for 4 years now
pretty much without blemish which speaks to a very impressive
security story even if/when some effective malware appears.
This is the quite amazing and constructive issue everyone
should be writing about.

-Mart
Posted by (2 comments )
Orchestrated campaign?
The previous reply does a nice job of recalling the facts of the situation. What has me puzzled is why so many alarmist articles seem to be appearing. It is almost as if these poor writers are being instructed to throw together another article making the questionable claim that everyone is in the same situation no matter what OS they use. If you repeat a lie often enough it somehow gains legitimacy.

Obviously this article just recycles the self-serving claims of Symantec but it also contains a brief account about the iTunes Music Store. This has NOTHING to do with security for the user of his OS X system. First, the program PyMusique only runs on Windows and Linux. Second, it doesn't compromise either of those systems. Third, it doesn't do anything malicious to Apple's music selling service. The user still has to pay for any tracks that he downloads using PyMusique. The only difference is that it doesn't cripple the downloaded file with the DRM that is customarily wrapped around the file. You still have to pay for the tracks that you download. The main difference is that iTunes does not exist for Linux. This program allows people who only use Linux to still pay Apple for music that they download.

Somehow this is presented as a security risk for people who run Mac OS X? Complete rubbish. If the reporters want to provide news coverage about security risks it would be nice if they stuck closer to just reporting. For example it is worth noting when Apple issues security updates. It is nothing new but it would provide a service to people who could benefit from applying these patches in a timely manner. However, articles like this slip over into a category that is best described as more FUD in defence of Windows. I won't even try to speculate about motivations, but it has that unmistakable odor.
Posted by Steve Bryan (92 comments)