Why don’t Mac sites take security seriously?

Posted on January 27, 2006 by Ian Betteridge

The Mac is a safer computing platform than Windows. It has had no serious malware problems. By design, it’s more secure than Windows thanks to its smart use of user and administrator privileges. Mac users are right to be happy about the choice they made for security reasons.

Yet sometimes pieces appear in the appear in the Mac press that just make me want to weep. For the fact is that the Mac, like every operating system, isn’t perfect. There are security holes in it, some known, some as-yet undiscovered, that could be exploited to give root privileges and thus control over a machine.

At ZDNet Austrialia, they’ve done a piece pointing this out. The piece is based on an interview with Neil Archibald, a security specialist with SureSec. Archibald points out that there are plenty of security holes in OS X, and that – because Apple does not use software auditing tools to spot bugs before releases – there will undoubtedly be plenty more.

Archibald isn’t speaking without experience. Last year, he discovered the dsidentify bug, which affected 10.4, and that allows a non-admin user to gain admin rights – potentially allowing them to create and remove root accounts and gain control over the machine.

OS X riddled with “ancient” security flaws – The Unofficial Apple Weblog (TUAW). This track record suggests that he should be someone worth listening to. In fact, he says, the main reason that the Mac hasn’t been a target is simply that it’s not worth developing malware for – the user base isn’t wide enough to make it worth it.

However, some parts of the Mac web clearly think that clapping your hands over your ears and shouting “la la la” is the right response. Take, for example, TUAW:

Of course, his opinion is
wrong. Small market share is obviously a contributing factor in OS X’s rock-solid security track record, but there are also other components, like the fact that root is disabled by default, anything that makes any global changes to your
machine requires a password, etc. Besides, even if the market share thing is monumentally important, it’s not like OS X is going to be the most-used platform overnight. So we’re still safe (for now).

Sorry, but “has security holes in it that can be exploited to gain root” does NOT equal “safe (for now)”. It means both users AND Apple have to take security way more seriously than they do at the moment.

It’s simply irresponsible for a serious publication (and TUAW is serious, most of the time) to keep parroting the “it’s safe” line. There are plenty of users out there who believe that there’s simply no way that anyone could ever make a virus, malware or exploit for the Mac. I know, because I’ve had to argue with them. These are the people who, when they get an email attachment from one of their friends won’t think twice about double clicking on it and letting it install something – because “Macs don’t get viruses”.

The main part of the problem, I think, is that so few Mac users know anything about the way viruses work in the Windows world. Take a look at the top ten list of viruses reported to Sophos in December. All are email worms. They rely on someone opening an attachment and running the contents in order to install themselves. All, therefore, rely on “social engineering” – fooling the user into thinking that an action that’s isn’t safe is perfectly OK. None – not a single one – relies on a security hole in Windows. None of them will work if you have up to date anti-virus software (and given that decent virus software can be had for nothing, there’s no reason why any user shouldn’t). And, if you’re running up to date email software, you’ll be warned about downloading and running an executable file, too.

Mac users are equally susceptable to social engineering. In fact, because there’s a rump of Mac users who believe that the Mac has no security problems, they’re arguably more susceptable. The only difference between the platforms is that the Mac requires you to input your password before running an installer, or anything that places files where they’ll run every time you run your Mac. How many Mac users would happily install something if it came (apparently) from a friend, and was called something like “cool screen saver for you to install”? Far, far too many – all because “the Mac doesn’t have security problems”.

There is, of course, a counter argument. Why, if all this is true, are there no viruses for Macs? Surely the kudos of writing the first Mac virus would be enough to tempt virus writers to do it? This answer again exposes a lack of knowledge of what virus writing is all about. Spreading an infection is more about two things: gaining control over a machine for profit; and disabling the viruses of other virus writers, in a kind of virtual war. It’s about harvesting email addresses that can be sold to spammers; creating botnets for spamming; keylogging to get credit card details; or hijacking machines via Spyware trojans. All these require hitting as many machines as possible, and that means hitting Windows, not the Mac. There is no profit in making a Mac virus, and so it doesn’t happen.

This entry was posted in Macs. Bookmark the permalink.
  • http://tapeitofftheinternet.com paulpod

    Mind you, the credit card numbers of mac users sounds like a good prize to me. They do spend a lot… ;-)

  • http://www.jonathanbaldwin.co.uk Jonathan

    I read that TUAW article this morning and have been thinking about it.

    I don’t think market share is an issue as for a virus writer wanting to make an impact, the prize of exploiting any security hole is a big one, and the idea of potentially taking down the design and AV industry in one fell swoop sounds like a scalp worth pursuing.

    But you’re right in that it needs to be taken more seriously.

    What’s actually got me more thoughful is the idea that TUAW is a ‘serious’ publication. I enjoy reading it, but I treat it like a blog, nothing more, assuming that articles are not cleared in advance by an editor. Perhaps they should make certain topics more ‘controlled’ to stop what you’re complaining about?

    That being said, perhaps your own article could do with a heading change: ‘why don’t SOME Mac sites take security seriously?’ It’s bad enough combatting the myth of impregnable security on Macs (which is swimming in the pacific covered in blood) without combatting the myth that all Mac users are idiots ;-)

  • Hamster

    Good article. I don’t necessarily agree with all your points but I appreciate your take.

    My only gripe is jumping all over TUAW. For the most part they run a pretty responsible site, and even in the post you highlighted they didn’t resort to calling Archibald’s claims FUD and calling OSX exploits impossible. Spend a little more time on the “Mac Web” and you will find a number of sites which are much more flippant regarding articles like the one written on Archibald.

    I’ll give you a hint – MacDailyNews

    http://macdailynews.com/index.php/weblog/comments/8357/

  • sui

    Yes, you’re right, absolutely. I agree with you 100%. I use Mac, because of its OS design better than Windows/Linux in terms of security and user interface. However I am not believe 100% that Mac is 100% safe. Of course, there is no machine like that, because man made machine is always not perfect. There is no 100% bug free software.

    I also agree about Mac sites. TUAW is really crap and so bias when they talk about Mac.

  • http://cg5addictmacpage.blogspot.com/ CG5Addict

    while your article has some points, the last one has a big flaw.

    “Why, if all this is true, are there no viruses for Macs?[....]. It’s about harvesting email addresses that can be sold to spammers; creating botnets for spamming; keylogging to get credit card details; or hijacking machines via Spyware trojans. All these require hitting as many machines as possible, and that means hitting Windows, not the Mac. ”

    It’s a fact that Mac users make and spend more money. And to say there are not enough macs & mac users to spam and that’s why there are not any viruses is a false and puts you in the catagory of having “Stockholm Syndrome”. Want more info? go to this URL—> http://macdailynews.com/index.php/weblog/comments_opinion/defending_windows_over_mac_a_sign_of_mental_illness/

  • http://blog.blankbaby.com Scott

    Sui, I don’t think that TUAW is crap, but then again I am a little biased on that subject. :)

    I’d like to think that TUAW takes a fairly balanced look at Apple (as balanced as you can get from a site that is run by a bunch of Mac lovin’ fools), but I’m sure there are times in which we haven’t been as ‘balanced’ as we might like.

    It is also worth mentioning that TUAW is a group blog, and we don’t always agree with each other on many topics (most of the other bloggers think I’m a bit looney about security).

    Oh, and Ian, I posted about this on TUAW… you might want to check out the comments to see why I tend to avoid posting about Mac security. There are only so many times I can explain that just because a major outbreak hasn’t happened doesn’t rule it out for the future.

    Anywho, thanks for the though provoking post.

  • http://blog.blankbaby.com Scott

    Of course that should be ‘thought provoking post.’

  • http://www.chriscurtis.org/ djones

    Sorry, mate, but you played the marketshare card, and officially lose the argument.

    http://www.chriscurtis.org/comments/1261_0_1_0_C/

  • http://www.ambivi.com Wes McGee

    “It’s a fact that Mac users make and spend more money. And to say there are not enough macs & mac users to spam and that’s why there are not any viruses is a false and puts you in the catagory of having “Stockholm Syndrome”. Want more info? go to this URL—>”

    Sorry CGA5Addict, but even if we grant your assertion as true, would this income differencial be enough to have virus writers invest in purchasing a Mac. For you who don’t understand, there marketshare argument cuts two ways. If a virus maker wants to make a Mac virus, they would have to buy a Macintosh computer, and learn how to program for the Mac. You can’t very well whip up a good Mac program on a Windows PC, and you’d still need a Mac to test it on. Now would the time and money investment in doing all of this now be worth hitting say the 5% of a computer brand with a 2% worldwide marketshare (or 5% of US marketshare, to give you a higher, happier number to use)? — And remember, those huge viral events rarely ever infect more than 5% of vulnerable machines.

  • http://www.alexhutton.com Alex Hutton

    One thing to mention, is that Pre OS X, Mac’s were a relatively safe platform because the TCP/IP stack was SO screwed up. If it weren’t for stability, OS 9 would make a great server platform!

    At some point, I would guess that the general Threat Community will be able to increase their capabilities as the Intel version of OS X becomes more popular. Therefore, Threat Event Frequencies will increase, and which point any deficiencies in the Control Strength of OS X will become very apparent.

  • http://technovia.typepad.com Ian Betteridge

    djones: Sorry, but there’s nothing in your argument which contradicts anything I said. There’s precisely *zero* social impact in being the first to write a Mac virus: no money, no kudos in the virus writing community.

    Scott: I read TUAW every day, so I guess I must like it :)

  • http://www.chriscurtis.org/ djones

    “There’s precisely *zero* social impact in being the first to write a Mac virus: no money, no kudos in the virus writing community.”

    You’re fooling yourself. Hiding strictly behind an online alias, a person successful for such a thing would dominate Slashdot and online news outlets for days; weeks if it’s a serious threat that Apple couldn’t cap very quickly. And plenty (most) Windows viruses have no hope ever making money for the author. It’s ego stroking.

    For one reason or another, Windows kiddies on the internet *hate* Macs and Mac users. Just go to the forums for any software or game that is multiplatform and use the word “Mac” in the topic. There are plenty of angst-ridden Mac haters with limitless expendable income to not give a crap about the marketshare. If they can get *that one person* they’d be happy.

    You may have legimate concerns about Mac security, but you sour your arguments with the Hitler Card. For the record, no OS could be functional or productive if it had 100% effective protection against malware, as it would also break or cripple the majority of legitimate applications just trying to do what they’re supposed to do.

    This is NOT a Mac specific issue. The problem of malware is platform and hardware independant, and has more to do with trust, and user education. Organizations like http://stopbadware.org/ have a greater chance of success and quelling the threat of malware on any platform than any OS security model would ever have. And that’s still a slim to none chance.

  • http://www.caimito.net:80/pebble/2006/01/27/1138398512612.html Stephan Schwab

    You can’t protect people from themselves

    Operating systems that ask for authorization before making global changes, such as installing software or modifying the startup configuration, do exactly the right thing. The number one reason Windows has so many problems with malware is just the lack …

  • Aron T

    In regards to this: “Sorry, but ‘has security holes in it that can be exploited to gain root’ does NOT equal ‘safe (for now)’.” I could not find where any article on TUAW said this… so that whole paragraph kind of confuses me.

    In reality, if you actually read the whole post, you would see that the writer actually mentioned that he had read/wrote so many times about the lack of impenetrability in OSX that it was becoming rather mundane.

    As a reader the TUAW article communicates to me that the writer (and I would bet other TUAW writers as well) are not only well-educated about but also frequently practice adequate security tactics!

    The subject and seriousness of Mac security and its relation to the Mac web is very important and your post definitely had merit. To be frank, I think you failed as a writer to properly research your topic. This is evident in the bold-faced trashing of TUAW and its stance on security.

    =aron=

  • ash

    you kids are lame. take your arguments to seattle or vancouver where people make boring rock n’ roll based on meaningless ad naseum argument about things that don’t really matter.

    what this dude did is exactly what i’m doing: he made a good and useful point while randomly inserting his own unrelated opinion whether valid or not because ITS A FUCKING BLOG and he can do that if he wants to just like everyone else who ever writes anything (you other ho-humming bloggers or CNN, both of which i’ll avoid subjecting myself to).

    macs sell to a reasonable amount of people based on the fact that they’re “uh, good for, like, creative stuff” and they “don’t crash much or get viruses.” that’s sure as hell why i bought one. especially after having plenty of experience on the other leading platform.

    here, the writer made a point that i’m sure has been made elsewhere: dear ‘like, creative dude,’ macs can be vulnerable too so don’t be an idiot and use protection. and precaution.

    this way, the illegitimate but more life-like cousin of the blogger, the virus writer, can’t wreck yo’ stuff.

    and this time, i, as a non-techie whatever-let’s-do-creative-stuff-on-this-dohicky dude, happened to catch the message and i appreciate the time he took to write the article.

  • http://cg5addictmacpage.blogspot.com/ CG5Addict

    Sorry Wes McGee , but your answer of “If a virus maker wants to make a Mac virus, they would have to buy a Macintosh computer, and learn how to program for the Mac. You can’t very well whip up a good Mac program on a Windows PC, and you’d still need a Mac to test it on. Now would the time and money investment in doing all of this now be worth hitting say the 5% of a computer brand with a 2% worldwide marketshare (or 5% of US marketshare, to give you a higher, happier number to use)? ”

    Is B.S.

    1) you can get a used low end mac that can run OSX on e-bay

    2) it’s more closer to 3% of the computer marketshare and 3% is a lot of people

    3)djones gives you a reason why they would spend the money when he says ” a person successful for such a thing would dominate Slashdot and online news outlets for days; weeks if it’s a serious threat that Apple couldn’t cap very quickly. And plenty (most) Windows viruses have no hope ever making money for the author. It’s ego stroking.

    For one reason or another, Windows kiddies on the internet *hate* Macs and Mac users. Just go to the forums for any software or game that is multiplatform and use the word “Mac” in the topic. There are plenty of angst-ridden Mac haters with limitless expendable income to not give a crap about the marketshare. If they can get *that one person* they’d be happy.”

    To spend a small amount of money and see their virus make news around the world and also get paid for interviews, let me tell you a virus writer would be on top of it.

  • James Bailey

    “Spreading an infection is more about two things: gaining control over a machine for profit; and disabling the viruses of other virus writers, in a kind of virtual war. It’s about harvesting email addresses that can be sold to spammers; creating botnets for spamming; keylogging to get credit card details; or hijacking machines via Spyware trojans.”

    The big news of the week is the upcoming Kama Sutra virus which has nothing to do with profit. It is a purely destructive virus. It is estimated that as many as 500,000 computers will be affected. I agree that this is rarer than the for profit motive viruses recently, but there are still malware writers working purely on malice.

    Ian, we’ve had this argument before and you obviously don’t agree, but writing viruses for the Mac is difficult for a whole bunch of reasons that have nothing to do with market share.

    http://technovia.typepad.com/technovia/2005/04/the_reg_on_appl.html

    The odds of a successful virus on OS X are so much smaller than on Windows that it isn’t worth the effort whether the malware writer is doing it from malice or for profit. It isn’t only about market share–not even primarily about market share. It is about the expectation for success.

  • http://technovia.typepad.com Ian Betteridge

    In fact, James, Kama Sutra kind of proves the point I’m making.

    Kama Sutra (AKA Nyxem.E) is simply a destructive virus – the equivalent of graffiti over a newly-painted wall. It could also be easily written for Mac OS X. Like the vast majority of Windows malware, it requires that the user run an executable file in order to work. These kinds of viruses don’t depend on a security hole in Windows, they depend on fooling the user into doing something insecure.

    The situation, as I explained above, is little different on the Mac. Yes, you would need the user to input their password to install it – but it’s easy to social engineer that, given that many Mac users don’t believe Mac malware is even possible.

    And once installed, Mac OS X would offer no protection from the payload of Kama Sutra, which deletes documents from any mounted volume. There is nothing in OS X that prevents any process run by a user from deleting their entire /home/Documents folder.

    Writing Mac viruses is trivial. Writing Windows malware is even more trivial, but only because there are already so many viruses around to use as templates. Getting viruses on the Mac to spread depends on social engineering – just as it does on Windows.

  • James Bailey

    While the initial infection is due to mail users opening a file, what happens later is not something that can happen easily on OS X. You either need a root exploit or an administrator password.

    Now, if you are a user and get an email with the following subject:

    “School girl fantasies gone bad” or “Fuckin Kama Sutra pics” and your system asks you for a password, you will pretty much guess it is a virus. You would have to be living in a cave not to understand it. The ask for a password in this case is a very good deterrent.

    Even the masking on opening a file is more difficult in OS X too. Try and run an AppleScript from Mail.app. (Applescript being the VB equivalent here.) Mail.app will ask politely “Are you sure you want to open the application Kama Sutra”.

    Again, a user has to be really out of touch not to realize the problem here. You can discount the differences between Windows and OS X all you want but they make a difference.

  • http://technovia.typepad.com Ian Betteridge

    James,

    “Now, if you are a user and get an email with the following subject:

    “School girl fantasies gone bad” or “Fuckin Kama Sutra pics” and your system asks you for a password, you will pretty much guess it is a virus. You would have to be living in a cave not to understand it.”

    You would also have to be “living in a cave” not to have up to date anti-virus software, which protects you more effectively than a simple password. Yet, Windows machines still get infected (although less than is often made out – what happened on Kama Sutra day? Precisely nothing).

    “Try and run an AppleScript from Mail.app. (Applescript being the VB equivalent here.) Mail.app will ask politely “Are you sure you want to open the application Kama Sutra”.”

    As does Outlook, or any mail application on Windows that I know of made in the last few years. In fact, of course, Mail is a less secure application than Outlook, thanks to its open address API – something that Microsoft learned long ago was an open gateway for virus makers.