Just as Apple Computer launched a new ad touting OSX’s resilience against viruses, the Macintosh operating system and applications have come
under fire for harboring serious security flaws.
Security software vendor McAfee, The SANS Institute and independent
researchers have all recently published reports slamming Mac security.
It’s a big switch for the computer company that has long enjoyed a
reputation for creating software that’s immune to the nastier aspects of
“iLife.”
Security vendor McAfee released a whitepaper on Friday on the state of
Mac security.
According to McAfee, from 2003 to 2005 the annual rate
of vulnerability discovery on Apple’s Mac OS platform has increased by 228
percent, compared to Microsoft’s products, which only saw a 73 percent
increase.
That may be comparing Apples to oranges, but McAfee also noted that, “as
demonstrated by its March 2006 patch, which corrected 20 vulnerabilities,
Apple’s Mac OS platform is just as vulnerable to targeted malware attacks as
other operating systems.”
On May 1 the SANS Institute, a computer-security organization, listed
“rapid growth in critical vulnerabilities being discovered in Mac OS X” as
the No. 1 concern on its list of the 20 most important threats in
computer security.
The report went on to say “OS X still remains safer than Windows, but its
reputation for offering a bulletproof alternative to Windows is in tatters.”
A lot of people have been thinking of Apple as not having any
vulnerabilities, said Rohit Dhamankar, editor of @RISK and the SANS Top 20,
and manager of security research at 3Com.
“People generally think that if
you don’t see viruses or widespread malware that a computing platform is
safe. However, you can still have vulnerabilities that people can exploit.”
Apple was unavailable for comment on the McAfee and SANS
reports.
In February, three exploits surfaced targeting Macs.
“Leap-A” was buried
in jpeg images purporting to be screenshots of the next version of Mac OS X.
Once active on a machine, the worm replicated by sending itself to names in
the infected computer’s iChat buddy list.
“OSX.Inqtana.A” was programmed to
spread through a vulnerability in Bluetooth wireless technology.
Like many PC threats, both of those exploits turned out to be duds. But a
third vulnerability reported in late February is potentially serious.
Apple’s Safari Web browser allowed downloaded files to open as soon as the
download is complete. If a file contained malicious programming commands,
Macs could be tricked into running those commands.
In March, security researcher Tom Ferris blogged about a slew of
“zero-day” vulnerabilities that he believes hackers are using to target OS X.
A zero-day vulnerability is a new security flaw that a software vendor is
either unaware of or attempting to fix. An attacker who manages to develop a
method to exploit such a flaw has a potent covert weapon, one that networks
and IT staff cannot easily defend against.
Ferris told Apple about the flaws, some of which involve iTunes and
QuickTime software, in early January.
Ferris thinks that the recent defacement of Apple’s Korean online store
was carried out by a hacker using a zero-day exploit that gave him
administrator access to the server housing the Web site.
“Apple’s products are now becoming more of a target of hackers because
more people use OS X now,” said Ferris. “Also the fact that Apple now has a
commercial saying that OS X is virus-free is just asking for it.
“It kind of
reminds me of when Oracle said their database was ‘Unbreakable,’ and within
a week a researcher had released multiple flaws within their products.”
Ferris said that many security researchers he knows have recently
shifted gears and are now spending a significant amount of time looking for
OS X flaws.
Increased scrutiny and a small spike in market share may dissolve the
“security by obscurity” that some experts believe helped to shield Macs from
hack attacks.
Apple is still generally regarded as more secure than PCs running Windows
operating systems because OS X, like other Unix-based systems, will not
usually run programs that will alter the operating system without explicit
permission from the machine’s system administrator.
Windows users typically operate their machines under the administrator
account by default.
“Yes, the more OS X is discussed, the more likely there will be viruses,
worms and so on. But the frequency and the damage from these will be, in my
opinion, much less than on a comparable Windows platform,” said Mike
Sweeney, owner of Packet Attack, a security services company.
“OS X is more secure out of the box than Windows. OS X and Windows were
designed in different ways,” Sweeney said.
“Windows was designed for
personal computers, before the broad public adoption of the Internet. OS X is
based in part of BSD, which is one of the most secure Unix types of operating
systems, and designed for use in a networked environment.”
But Sweeney and others believe that Mac security could be compromised by
users who are blissfully unaware of the threats that lurk online.
Apple
users tend not to worry about whether they should or shouldn’t open e-mail
attachments or if they should click “OK” on dubious pop-ups. They trust
their Macs.
“A prudent man always locks his doors no matter where he lives,” said
Sweeney. “Any operating system can be hacked. OS X is no different, so it is
always better to take precautions.”
Experts encourage Mac users to ensure they are up to date with Apple’s
security patches and to practice basic safe computing by following Apple’s
security tips.