
Symantec: Mac OS X Becoming a Malware Target

tb3 writes "According to ZDNet 'Security vendor Symantec is warning that Apple's OS X operating system is increasingly becoming a target for hackers and malware authors.' They go on to warn that the only thing that's protected Apple users from exploits so far has been the small number of Macs on the net. Now that people are buying Apple products for 'style over function,' according to one analyst, Apple computer has become a target for new attacks. More coverage on Australian IT and Silicon.com. I guess sales of Norton Anti-Virus for Mac needed a boost." Symantec may well be right about this, but note that they also have the world's biggest vested interest in making Mac owners nervous enough to buy their anti-virus products.
This discussion has been archived. No new comments can be posted.

  • by LukaFox ( 765323 ) on Monday March 21, 2005 @09:02PM (#12006658)
    Is it really true that the only thing protecting Macs thus far has been their smaller by comparison presence on the Internet? Is there nothing to be said for the inherent security or insecurity of a particular platform? This is the kind of argument that free operating systems get against their security all the time. It'll be interesting to see whether the Mac platform can stand up to increased attacks. If it does, this might help convince people that some platforms really are more secure than others.
  • by iowannaski ( 766150 ) on Monday March 21, 2005 @09:02PM (#12006667)
    Safari has run like crap on my wife's iBook since about a week after she got it (Christmas). It runs like a spyware-infected Windows machine, and her desktop is constantly littered with popunders.

    Of course, figuring out how to fix it is no fun, because macs "just work" and suggesting otherwise makes one a troll.

    I suspect the problems stem from installing Konfabulator and a bunch of widgets (one of which would cause the computer to hang whenever it was started), but I haven't had the time or motivation to figure it out. I don't know shit about administering Mac OS X - I only bought it because I was sick of playing sysadmin for every Windows box in my extended family.

  • by trainwrek ( 567874 ) on Monday March 21, 2005 @09:03PM (#12006681)
    "style over function" Yeah, like the "style" of increased security. In some sick way I hope that OSX becomes a target so we can finally know the answer to whether OS X has limited security issues due to its user base or design.
  • Virex, not Norton (Score:2, Interesting)

    by Grayden ( 137336 ) on Monday March 21, 2005 @09:05PM (#12006693) Homepage
    I think that if anything, this would boost sales of Apple's .Mac Service [mac.com] which includes a copy of Virex.
  • by JackAxe ( 689361 ) on Monday March 21, 2005 @09:07PM (#12006716)
    No. It is only for removing "PC viruses."

    If Apple does its part, which it has, any critical holes found are patched within a week. This is the benefit of using a system that has a very tight software to hardware integration. I've read on Maccentral that some companies are now using OSX machines as the front for their PC networks, since it creates a truly secure front line.
  • by Anonymous Coward on Monday March 21, 2005 @09:12PM (#12006770)
    That is correct, but you have to admit that the data a user has (work, music, etc.) is likely to be far more important than the OS. I can reinstall my OS X and apps and recompile my OSS software in a day, but if I lose my source files, I'm in a world of hurt.
  • Re:Infidel! (Score:2, Interesting)

    by BandwidthHog ( 257320 ) <inactive.slashdo ... icallyenough.com> on Monday March 21, 2005 @09:13PM (#12006787) Homepage Journal
    Luna doesn't glisten.

    Ever see how Stephen King uses that word in his stories? Luna does too glisten!
  • Re:Infidel! (Score:3, Interesting)

    by jericho4.0 ( 565125 ) on Monday March 21, 2005 @09:15PM (#12006810)
    I don't own a Mac, but I do notice that;

    The default shell is Bash

    The terminal app's fonts and antialiasing are really nice.

  • by gnasher719 ( 869701 ) on Monday March 21, 2005 @09:18PM (#12006842)
    You definitely need anti-virus software on the Macintosh. That way you can download stuff on a Macintosh that you want to use on a PC; you do the virus check on the Macintosh without the slightest chance of catching anything. Then pass the checked stuff on to the PC. On a PC, there is always the risk that some virus is more clever than the antivirus software and you catch something. Seriously, the viruses that Symantec has found are so absolutely lame that you have to be completely braindamaged to catch anything. Like download the virus, then enter your admin password to allow it to infect your machine. At the moment there is nothing on MacOS X that would require a virus checker.
  • My girlfriend bought a Powerbook G4, so I've played around with it a little bit. The root account seems disabled by default. Well...I'm damn sure that a lot of processes run root level (so compromising a process and obtaining a root shell should still be ideally possible if there is a hole right?), but the actual logging into root seems to be disabled by default; which, at least locally, is a good idea for your average computer user.

    Also, /etc/sudoers seems to allow a user to "sudo passwd root" upon default install...I'm not sure if this is limited to administrators, but uh, that's not very cool. Easy to fix, but I wonder why they even included that?

  • Counter PR (Score:2, Interesting)

    by Paladin144 ( 676391 ) on Monday March 21, 2005 @09:21PM (#12006892) Homepage
    I think that Symantec is merely responding to this little bit that slipped out (grabbed it from Macintouch [macintouch.com]):

    David Coursey writes for eWeek about the lack of Mac OS X malware:
    How do I know there are no Mac OS X viruses and malware out there? Because the Mac product manager of one of the major security software companies told me so. And when people tell me I don't need their product, I usually take them at their word. I won't identify the person since he thought he was talking to me for a book project, but people at Apple were happy to confirm this to me. They don't put it in their advertising for obvious reasons.

    Um...yeah. Can you say "Oops"? Now they've responded with some vague fears, but that's just to stir up some sales, as everyone has already guessed.

    Next anti-virus companies will start writing their own viruses in order to drive up sales. Sheesh.

  • by CaymanIslandCarpedie ( 868408 ) on Monday March 21, 2005 @09:27PM (#12006939) Journal
    As an IT person, you should already know the answer to this ;-)

    Yes, Mac OSX has historically had very few problems with viruses or exploits. However it only takes one ;-) And in my experience when that one hits users/bosses aren't very understanding to "I didn't even realize there was anything to worry about." as an answer from IT about why they weren't protected. If there is a SUPER tight budget, yes you can probably get away without it, but I NEVER would. If for no other reason than to CYA. We only have a few OSX computers in the network, but they are all protected. The price of the Macs VS price of some basic anti-virus it's really not much of an issue better to spend the extra few bucks than be sorry ;-)

    Here is a decent summary of OSX historical vulnerabilities (there are still a couple unfixed ones out there).

    http://secunia.com/product/96/
  • by Anonymous Coward on Monday March 21, 2005 @09:28PM (#12006946)
    Despite many high profile web sites and servers using OS9 for many years, not one database entry in the large BugTraq database documents a remote exploit for Mac OS in the history of the internet.

    Even the US Army used macs exclusively (mostly MacOS 9 until recently) after being rooted routinely using unix and MS Windows NT. For many many years www.army.mil has been run on macintoshes exclusively.

    The same is true of many colleges that were rooted and defaced too often on Linux. They installed WebStar and OS 9 and never had to worry again.

    http://uptime.netcraft.com/up/graph/?host=www.army.mil

    http://www.google.com/search?q=army+webstar+"os-9"

    Check it out yourself. This entire post is full of factual citations and 100% facts.

    No mac in the history of the internet hosting a web server has ever been rooted or defaced remotely.

    Why?

    Because not one version of Mac OS has ever had a single exploitable hole ever discovered. (classic mac os now up to version 9.2.2 on currently sold g4 towers). OpenBSD has had no less than 5 holes (not one) in the default install in the last two years. Mac OS has had ZERO in over 8 years, even when paired up with its preferred web server app.

    In fact in the entire SecurityFocus (BugTraq) database history there has never been a Mac exploited over the internet remotely. Scan it yourself.

    That is why the US Army gave up on MS IIS and got a Mac for a web server. Currently it is a honeypot for OSX testing, and US Army use regular Mac OS on other internal servers

    This post is not talking about FreeBSD derived MacOS X (which already had more than 50 exploits and potential exploits in BugTraq database, and in the news yesterday with Symantec claiming in March 2005 of OSX having remote exploits) I am talking about current Mac OS 9.x and earlier which are highly sophisticated abstract-OS models.

    Why is it hack proof? These reasons :

    1> No command shell. No shell means no way to hook or intercept the flow of control with many various shell oriented tricks found in Unix or NT. Apple uses an object model for process to process communication that is heavily typed and "pipe-less"

    2> No Root user. All mac developers know their code is always running at root. Nothing is higher (except undocumented microkernel stuff where you pass Gary Davidian's birthday into certain registers and make a special call). By always being root there is no false sense of security, and programming is done carefully.

    3> Pascal strings. ANSI C Strings are the number one way people exploit Linux and Wintel boxes. The mac avoids C strings historically in most of all of its OS. In fact even its roms originally used Pascal strings. As you know pascal strings are faster than C (because they have the length delimiter in the front and do not have to endlessly hunt for NULL), but the side effect is less buffer exploits. Individual 3rd party products may use C strings and bind to ANSI libraries, but many do not. In case you are not aware of what a "pascal string" is, it usually has no null byte terminator. Additionally certain types of compilers can check range on assignments to prevent out of bounds. Furthermore many good programmers ensure that the bounds are not overwritten.

    4> Macs running Webstar have ability to only run CGI placed in correct directory location and correctly file "typed" (not mere file name extension). File types on Macs are not easily settable by users, especially remotely. Apache as you know has had many problems in earlier years preventing wayward execution.

    5> Macs never run code ever merely based on how a file is named. ".exe" suffixes mean nothing, nor are there lame single 'x' executable bits! For example the file type is 4 characters of user-invisible attributes, along with many other invisible attributes, but these 4 bytes cannot be set by most tool oriented utilities that work with dat
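Added example, not part of the comment above and not Apple or WebSTAR code: the length-prefixed and NUL-terminated string layouts from point 3, in C, with the two bounds checks a length prefix does not perform by itself (copying into a smaller buffer, and accepting a length byte that arrives with the input). All function names are hypothetical and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length-prefixed ("Pascal") string: byte 0 holds the length (0..255),
 * the characters follow, and there is no NUL terminator.
 * All names below are hypothetical, chosen for this example. */

/* Length of a C string found by scanning for NUL, never reading past cap.
 * Returns cap when no terminator exists inside the buffer. */
size_t cstr_bounded_len(const char *buf, size_t cap)
{
    size_t n = 0;
    while (n < cap && buf[n] != '\0')
        n++;
    return n;
}

/* Check a length-prefixed string received in buf_len bytes: the length
 * byte must not claim more data than is actually present. */
int pstr_valid(const unsigned char *buf, size_t buf_len)
{
    return buf_len >= 1 && (size_t)buf[0] <= buf_len - 1;
}

/* Copy src into dst (capacity dst_cap bytes, length byte included).
 * Returns 0 on success; -1 if it does not fit, leaving dst empty. */
int pstr_copy(unsigned char *dst, size_t dst_cap, const unsigned char *src)
{
    if (dst_cap == 0)
        return -1;
    if ((size_t)src[0] + 1 > dst_cap) {
        dst[0] = 0;
        return -1;
    }
    memcpy(dst, src, (size_t)src[0] + 1);
    return 0;
}

/* Convert a C string to length-prefixed form, truncating to what fits.
 * Returns the number of characters stored. */
size_t pstr_from_c(unsigned char *dst, size_t dst_cap, const char *src)
{
    size_t room, n;
    if (dst_cap == 0)
        return 0;
    room = dst_cap - 1;
    if (room > 255)
        room = 255;               /* one length byte cannot express more */
    n = cstr_bounded_len(src, room);
    dst[0] = (unsigned char)n;
    memcpy(dst + 1, src, n);
    return n;
}

int main(void)
{
    unsigned char small[8], big[256];
    /* Constructed sample: length byte claims 200 bytes, only 3 follow. */
    const unsigned char lying[] = { 200, 'a', 'b', 'c' };

    printf("stored %zu chars\n", pstr_from_c(big, sizeof big, "index.html"));
    printf("copy into 8-byte buffer: %d\n", pstr_copy(small, sizeof small, big));
    printf("truncating convert kept %zu chars\n",
           pstr_from_c(small, sizeof small, "index.html"));
    printf("length byte consistent with input: %d\n",
           pstr_valid(lying, sizeof lying));
    return 0;
}
```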
  • "But it's a Mac..." (Score:2, Interesting)

    by Punk Walrus ( 582794 ) on Monday March 21, 2005 @09:30PM (#12006965) Journal
    The Mac mentality can be harmful. I had to go onsite to one place where a guy had managed to get the entire office hacked because of his "invulnerable Mac."

    What did he do?

    He hooked up an Airport wireless station to the network so he could use his "invulnerable Mac" from anywhere in his roomy office. But didn't encrypt anything. So he opened up the whole office network to a wireless node that anyone could log into.

    In a shipyard.

    Near a military base.

    Surrounded by vacant lots in a bad part of town.

    So... when we got to the office, every Windows machine was compromised, the DSL router had been reconfigured to DNS in Taiwan (because it had the default password), servers had all their root passwords changed, and there was steady traffic from who knows what back and forth. It was a mess. We ended up having to do a full DnR on all the servers and workstations (luckily, it was a small office, so it was only 6 machines).

    Yes, his iBook was FINE. His "invulnerable Mac" was just GREAT! I doubt there was a single compromised thing on his creamy white laptop.

    And he kept saying, "My Mac can't be hacked into, you Windows folks don't know a damn thing about how great the Mac is."

    "Good thing I use Linux, then," I said, trying to capture and trace packets from my Knoppix-STD Live CD. "Care to tell me how to explain to your boss why you exposed the corporate network to an unsecured wireless connection?"

    "But... you don't understand, it's a Mac! It doesn't do those things..."

    When I finally sat him down and explained what the Airport does, he turned real pale. And quit a week later. He assumed because it was "an invulnerable Mac," that meant he didn't have to understand security.

    Man, what a mess that was.

  • by codegen ( 103601 ) on Monday March 21, 2005 @09:39PM (#12007026) Journal
    I had a similar experience. A long time mac user, I used to use some of the virus products in the old days (System 6 days) such as gatekeeper. I recently bought a computer at the university that I am at which has a site license for Norton. I installed Norton for MAC and constantly got warnings about the PC email viruses. I leave my email client on in the background and it was constantly interrupting me with warnings. I ended up turning the thing off. If they were able to be a bit more subtle with their messages I might consider it again.
  • by mekkab ( 133181 ) on Monday March 21, 2005 @09:43PM (#12007071) Homepage Journal
    Totally! Log all inbound packets (to see what's out there) and have your firewall act in 'mysterious mode' (doesn't answer pings, etc.)
  • by notasheep ( 220779 ) on Monday March 21, 2005 @09:46PM (#12007094)
    Do the Mac anti-virus progs use the same virus lists as their Windows counterparts? If not, then you can't really claim a download to be clean just because you check it out on a Mac.

  • by wealthychef ( 584778 ) on Monday March 21, 2005 @09:46PM (#12007096)
    I didn't say there were no _potential_ bugs or vulnerabilities in the system. I just think (and this is not a contradiction) that the system is very secure out of the box.

    Try this experiment: install OS X and connect to the Internet. Leave it connected for a week. Now install Windows and connect to the Internet. Leave it connected for 30 minutes. Which one will be hacked? My point is that Windows needs special steps to be _protected_; Mac OS X requires special hacking and other circumstances to become _vulnerable_. The QuickTime ruse you refer to no doubt requires some social engineering to make work... that's just a guess on my part. Am I right?

    Furthermore, the buffer overflows in quicktime do not afford an attacker root privileges, do they? And when vulnerabilities are found, Apple, unlike Microsoft, so far anyway, has a great record of fixing them immediately. Apple has a great record on security in OS X. You are not going to see a flood of crippling, disabling OS X attacks like you see every couple of months with Windows viruses that take out our whole email system at work from time to time. Hacking an OS X box is HARD.

  • by wealthychef ( 584778 ) on Monday March 21, 2005 @09:54PM (#12007164)
    I don't see how the fact that the OS is designed to be easy to use has anything to do with its security. Your logic is wanting.

    I do agree that its growing popularity will encourage virus and malware authors to find exploits in the OS. But Mac OS X is pretty analogous to Linux, security-wise. I'm sure occasional exploits will be found, and some have already been discovered. But they are rare, and relatively hard to use. I haven't seen any that enable a script kiddy with a shell script to hack into 50 OS X machines and turn them into zombies like you can with Windows.

    The fact is that OS X is, inherently and by design, more secure than Windows. Even if it had 90% user base and was made for use by monkeys, I daresay there would be more Windows viruses going around than OS X viruses (of which I have yet to hear even of the possibility, much less any real attacks).

    Jesus Fucking Christ to you, too. :-)

  • The only thing????? (Score:2, Interesting)

    by wickedsteve ( 729684 ) on Monday March 21, 2005 @10:21PM (#12007437) Homepage
    "the only thing that's protected Apple users from exploits so far has been the small number of Macs on the net." The only thing? What, the only thing besides the more secure default settings out of the box and authorization for every installation?
  • Actually, there was an exploit, once.

    It was some time ago, and I believe it was the result of a "hack the server, get a prize" type contest.

    I'm too lazy to Google it right now but IIRC, the server that was hacked was running the classic Mac OS, WebSTAR, and Lasso, a tool that lets you webify FileMaker databases. There was a vulnerability in Lasso that was used to, per the contest rules, successfully alter the contents of a certain page on the WebSTAR-hosted site.

    The prize was awarded, the vulnerability was quickly fixed, and that's the first, last and only time I have ever heard of any server on a classic Mac OS based machine getting hacked.

    ~Philly
  • .mac bundles Virex. (Score:1, Interesting)

    by Anonymous Coward on Monday March 21, 2005 @11:12PM (#12007864)
    There are at least two anti-virus options: Norton (Symantec) Anti-Virus and .mac's Virex (McAfee). Except with .mac there's a bunch of other services (iDisk, HomePage, Email, Learning Center) bundled as well.
  • by Nate4D ( 813246 ) on Tuesday March 22, 2005 @01:20AM (#12008844) Homepage Journal
    Well, I've never heard of anything like this, but a few comments:

    The current version of Mail is 1.3.9. I don't know offhand if it runs with 10.2.8, since I'm running 10.3.8.

    I wouldn't be completely surprised if there was a vulnerability in the older versions of Mail that allowed this to happen. I'm not aware of any such vulnerability, I'm just saying that it could possibly exist.

    Camino's fairly beta software - I guess it's theoretically possible that there's a hole in it somewhere that allowed the attacker (who one has to presume got remote access) to find his eBay account name and password.

    But, honestly, I'm much more inclined to guess user incompetence and/or deceit. Did anyone actually witness these events besides him, or is it all just on his word? I've known people to do stupider things than bid on expensive items while they're drunk, and this seems as likely an excuse as any to get back out of it.

    Most likely scenario might be something like:

    He accidentally did click on a link inside the email, and didn't realize it. Once activated, the link did its job, and his account info was snagged in some nefarious way involving autofill, if Camino even supports that (I don't know, I use Safari, and cannot for the life of me fathom why a Mac user runs anything else, unless they're doing Web development).

    I still bet he was drunk... ;)
  • by laird ( 2705 ) <lairdp@gmail.TWAINcom minus author> on Tuesday March 22, 2005 @02:04AM (#12009098) Journal
    I started a company a few months ago that's building consumer software that runs on MacOS X and Windows (and Linux, etc., eventually). Our strategy is to build the core in tight C code, and then build platform-specific applications in the appropriate language, so the result is a great ObjC Mac app, a great C++ Windows app, etc. While I like Java, Ruby, etc., our goal is to make the app small and efficient, so asking people to install 30 MB runtimes is out. Interestingly, it was easy to recruit first-class Mac and Java (server) developers, and nearly impossible to recruit a really great Windows developer. It turns out that the best CS students are _all_ working in modern cross-platform environments (e.g. Java, Python, Ruby), most use Macs, almost none are using C++, and nobody even _considers_ writing Windows applications any more. While this is kinda neat in one respect, it's a bit surreal that the vast majority of great developers won't write software that runs natively for the platform on 95% of desktops. Weird.
  • If you were going to control someone's box, and you wanted to make sure that they have valuable information to steal. Would you target the PC user who bought the cheap PC, or the Mac User who paid more for his/her Mac? Chances are the Mac User has a much higher income, being in a creative content or some other wealthier profession. The Mac User would typically own more credit cards with larger credit limits, and have more money in their bank accounts. Sure, anyone could write a Windows virus, even 13 year-old kids do it. The Switchback virus showed that OSX is vulnerable, and also that OSX virus writers have little to no competition.

    Also chances are the PC User already has a virus scanner, and knows enough about his/her PC to protect it. The Mac User, on the other hand, thinks he/she is safe from viruses and does not even have a virus scanner installed. Usually the typical OSX user uses default OSX settings, thinking that they are good enough. The OSX user is also more likely to click on attachments than the Windows user in email, thinking that no file infection exploits exist for OSX. The OSX user is also more likely to use the default email and web programs that come with OSX, and the Windows user is switching to Opera, Firefox, Thunderbird, Eudora, after the ton of exploits that exist for IE and Outlook and Outlook Express.

    Best tactic of a cracker/hacker is to hit someone who does not expect to be hit.

    Infect the typical PC, and you are more likely to discover someone's porn collection. Infect the typical OSX and you are more likely to find Intellectual Property and other goodies. Therefore, should you go for the swampland (PC) or the gold mine (MAC)?
  • by Anonymous Coward on Tuesday March 22, 2005 @06:02AM (#12010079)
    In my 20 years of using and later supporting the mac, I have found far more crashes, bugs and system disasters caused by Symantec products than any other problems.

    The autostart 9805 worm and homer on OS X combined don't even touch the amount of problems Norton causes. Hell, the Homer Simpson virus installed fewer kernel extensions, and it was easier to remove.

    Practice safe computing: turn on the firewall, only install software you trust (and keep it up to date), use network client apps that don't suck, don't open any email attachments you weren't expecting. Do these things and you will have very few problems. And the ones you do get will be tiny compared to what Norton will do to your mac.
  • by Gilmoure ( 18428 ) on Tuesday March 22, 2005 @07:22AM (#12010357) Journal
    Apple fans are the perfect audience. Most are technically non-savvy arty types who are easier to FUD.


    My Mac users are mostly faculty at a small college. They range all the way from the CompSci prof who just started installing Macs in his lab (wife got a Mac for Xmas and he liked it) to a fine art professor who has difficulty sending .jpgs in email and didn't know what an iPod was but she bought it with her laptop 'cus the guy at the Apple store said there would be a discount buying them together (really, she's that clueless).

    The biggest problem I see is that a lot of people have been switching to Macs, believing that they are totally secure. They don't follow basic secure practices, clicking on anything they receive in email. I've seen proof of concept Applescript apps that, while asking for a user's password, go and wipe out their user directory and a html link that would fire up the terminal app and then list the user's directory (could have done much worse in user land, of course).

    Until people stop walking around thinking they have a titanium dick and sticking it into every hole they see, there will be vulnerabilities.

    I hate my users. Won't someone give me a job for surfing the web, watching movies and drinking beer?
