
Macs May No Longer Be Immune to Viruses

Bill writes "MSNBC reports that the combination of Apple's growing market share and their recent switch to x86 processors has made Mac OS X a new target for viruses. Unfortunately, it seems that many Mac users are in denial. '[Computer security expert Tom] Ferris said he warned Apple of the vulnerabilities in January and February and that the company has yet to patch the holes, prompting him to compare the Cupertino-based computer maker to Microsoft three years ago, when the world's largest software company was criticized for being slow to respond to weaknesses in its products.'"
This discussion has been archived. No new comments can be posted.

  • Article is a troll (Score:4, Informative)

    by bobintetley ( 643462 ) on Monday May 01, 2006 @05:34AM (#15235659)
    What a load of rubbish - viruses infect via operating system and application vulnerabilities, the chipset those are running on has very little relevance.
  • Leap of Faith (Score:5, Informative)

    by ozmanjusri ( 601766 ) <aussie_bob@hotmail . c om> on Monday May 01, 2006 @05:35AM (#15235660) Journal
    I'm not even a Mac user and I still call FUD on this one. TFA was so slim on detail it was impossible to work out what had actually happened, and after searching for real info it turns out the virus, Leap.A, needs a root password to do any damage. Better article here: http://edition.cnn.com/2006/TECH/04/30/apple.security.ap/index.html [cnn.com]
  • by marcovje ( 205102 ) on Monday May 01, 2006 @05:38AM (#15235670)

    The funny part is what x86 would have to do with it? The x86 ABI of Mac OS X (which is SYSV like) precludes the usage of ordinary Windows tools, and getting an OSX/x86 targeting toolchain based on GCC is (slightly) harder than getting a PPC one has been.

    Sensationalist piece. Hanging is too good for them :-)
  • by lostngone ( 855272 ) on Monday May 01, 2006 @05:42AM (#15235685)
    CNN is carrying this article and so is msnbc, however no one mentioned the virus's name. I swear this is old, it sounds like the OSX/Leap-A incident that occurred back in early February. It wasn't even a virus, it was a trojan horse. Apple will patch for this like they did the others and life will go on. At least Apple patches for these unlike Microsoft that just recommends installing its "beta" program to "fix" the problem or some other 3rd-party software that may or may not cost even more money.
  • Re:Switch to Intel (Score:1, Informative)

    by bigalsenior ( 869954 ) on Monday May 01, 2006 @05:45AM (#15235696)
    If a writer is targeting a x86 Mac, how does the CPU matter

    The x86 architecture has one major security weakness that will never go away. On an x86 machine it is easy to perform a buffer overflow. This was fixed in windows with eXecute disable in windows and is available on all x86-64 machines. It is also I believe in linux as well but as far as I know osx does not have this feature and is still vulnerable to buffer overflows.

    Security at apple is like microsoft 3 years ago in the sense that they are still burying their head in the sand. In the last 3 years microsoft has come a long way in security even though they're still not at the high standard that some people desire it's a lot better than 3 years ago

  • Re:But...but..but.. (Score:2, Informative)

    by kneeslasher ( 878676 ) on Monday May 01, 2006 @06:06AM (#15235740) Homepage
    This is completely off-topic so will doubtless be modded as such. You will actually find that the lines: "And magnify Mohammed and his followers as thou didst magnify Abraham and his followers..." "And bless Mohammed and his followers as thou didst bless Abraham and his followers..." are recited (at least) thirteen times _per day_ in the compulsory Muslim five daily prayers. Now what use would these lines be if you didn't know whom Abraham or his followers were? The key is context, in order to find out what those lines are teaching, you have to go and do a little bit of historical homework on Abraham and why he was such a good pal of God's, to the extent that people living thousands of years after Abraham are still being taught to behave like him and his congregation. Similarly, for the verses mentioned above, context is needed otherwise the lines can easily appear to be contradictory. The verse about not taking Jews and Christians as friends is very often misused by Muslims and non-Muslims alike. But the actual historical reference (remember, that history homework again is needed), actually refers to when the northern Arabian tribes were becoming politically unified through their common adherence to Islam. Just as the Vatican or Israel would hardly trust its affairs to, eg, Iran or Saudi Arabia, and not necessarily because of antagonism but merely due to sensible political considerations, the same was true at the time for the fledgling Arab-Muslim state. Political Islam, or indeed Christianity or Judaism, is somewhat divorced from how you should treat your neighbour: it is how one nation should treat another. The verse about taking Christians as friends is the non-political way in which Man should deal with his brethren in the world, holding up the pious Christians of the time as an example to be followed. One can therefore easily ascertain how consistency is not lacking between the two verses, merely that people do not do their homework.
  • by moosesocks ( 264553 ) on Monday May 01, 2006 @06:24AM (#15235780) Homepage
    I call bullshit.

    By your logic, because Apple now has a much higher visibility, it is a more likely target for viruses.

    This is true, and I'm not going to argue with it. However, your reasoning behind it is faulty. Just because it is now being targeted more, does not mean that we are going to see huge numbers of viruses cropping up for OS X.

    Heck, the "virus" described in the article isn't a virus at all. It's a trojan, and a shitty one at that. The guy downloaded an executable from an unknown source, and willingly ran it. "strange commands ran as if the machine was under the control of someone -- or something -- else."

    Not only did the guy make a boneheaded move that would affect even the most secure operating system in the world, it was obviously apparent that the file being run was a virus the second he opened it. I don't think this is any cause for concern.

    What's more, in order to inflict any serious damage on an OS X machine, you've got to provide the Administrator password. It is impossible to run OS X as root. If a program's trying to screw with your settings and files, you're going to know about it! Likewise, unlike Windows, file permissions are properly implemented (it's Unix after all...).

    By your logic, because approximately 70% of the internet's web servers run Apache, we should be seeing tons of apache exploits, hacks, and viruses cropping up. The reason we don't is because Apache is a well-written and secure program, and because administrators are generally not stupid enough to run unmarked executables.

    OS X and unix are inherently more secure by design than Windows is. This is a known fact that has been proven by time. I'll go a step further and say that because OS X is only 5 years old, and NT has had 10+ years to mature, that Windows should be more secure than OS X is. We all know this isn't the case. 95% of Windows viruses, trojans, and spyware would not be possible on OS X or unix simply due to the design of the OS.

    Likewise, the article points out seven new vulnerabilities that were discovered two months ago that have yet to be patched, and draws the conclusion that "They didn't know how to deal with security", but later admits that the vulnerabilities wouldn't actually allow someone to execute malicious code on your machine, and that they're being rolled up into the next OS X security update. (Coincidentally, I've got to praise apple for their cumulative and bundled security updates. It makes it TONS easier for end users and administrators to install the updates, avoids confusion, and makes it significantly more likely for these people to install the updates to begin with, compared to the many cryptically-titled windows security fixes and the ActiveX horror that is Windows Update)

    In short, the entire article is a piece of crap. Sure, OS X isn't perfectly safe, and it's a given that any system is vulnerable to a stupid user. However, it's damn better than anything else out there. Shame on slashdot for posting such a poorly-researched piece like this.

    PS. Do not blame MSNBC for the content of the article. The article came through via the Associated Press, and appears on Cnn.com in addition to a plethora of other sites.
  • Re:Heh. (Score:5, Informative)

    by Rosyna ( 80334 ) on Monday May 01, 2006 @06:28AM (#15235786) Homepage
    It's just sad really. This Tom guy can't read crash reports. He reports the same TIFF crash as two different crashes, and then says there is a parsing error in CFAllocatorAllocate(), which doesn't parse anything, it just allocates memory. In CF, most functions will call abort() and force an application crash if given bad parameters. Such as a 0 size for memory.

    Most, if not all, of these just amount to DoS attacks and it's not actually possible to get them to run arbitrary executable code. But nowadays any kind of reproducible crash is incorrectly regarded as a massively massive security issue. It's people like Tom Ferris that make real computer security jobs into a joke.
  • Re:Leap of Faith (Score:3, Informative)

    by NitsujTPU ( 19263 ) on Monday May 01, 2006 @06:34AM (#15235803)
    Just wait.

    Something will rip through OSX. It may not harm much, but the news to a lot of users is that it could happen at all.

    The real shocker will be when most Linux users get some nasty virus. It won't have to damage much.

    Simply put, viruses happen. That's life. Don't protect yourself, it's like sex without a condom. It's not that it's usually unsafe, it's just that the one time it gets you, you end up with some terrible disease (and, if any future girlfriends read this, I'd just like to note that this hasn't happened to me).

    At any rate. Saying that you're immune to viruses because you run OSX or Linux is fanboyism. You're immune because the OS is obscure, not because it's super-impossible for a virus to attack it. Linux may be better on this front (one can't really say it has a better track record, because it has a smaller user base. If you want to hear about damage done in *ix, ask someone about sendmail or NFS exploits, or httpd, or telnet, or xdmcp.)

    I used to fix problems with files on my old company's fileserver (with permissions that I didn't have) through NFS via Linux.
  • by AC-x ( 735297 ) on Monday May 01, 2006 @06:37AM (#15235812)
    Well I wouldn't say it was a complete troll.

    After all, if you've been writing windows exploits for x number of years in x86 assembly, which will be easier:

    a) Writing OSX exploits in x86 assembly
    b) Writing OSX exploits in PPC assembly

    Of course I'd still be surprised if OSX had anywhere near as many security flaws as Windows, but it only takes one...
  • Re:Leap of Faith (Score:5, Informative)

    by ozmanjusri ( 601766 ) <aussie_bob@hotmail . c om> on Monday May 01, 2006 @07:07AM (#15235884) Journal
    Just wait.
    Something will rip through OSX.

    Something may well do so one day. This wasn't it though. This article was nothing more than hype about a three month old worm that failed to infect more than a few machines and did little damage once it did. The worm used as an example had nothing to do with the architecture change purported to be the reason for the exploit. The whole thing was a puff-piece of self promotion by Tom Ferris, nothing more.

    If you want to hear about damage done in *ix, ask someone about sendmail or NFS exploits, or httpd, or telnet, or xdmcp.)

    I'm old enough to remember them. I'll start to be concerned about my Linux installs when there's an actual exploit that's happened less than a decade ago.

  • Re:Switch to Intel (Score:4, Informative)

    by m50d ( 797211 ) on Monday May 01, 2006 @07:15AM (#15235902) Homepage Journal
    Well-written viruses (which, yes, the vast majority aren't) are usually done in hand-coded assembler. For many buffer overflows, that's all you have space for. Sure, you need to know the API as well, but I think that's easier to learn than another assembly language.
  • by Anonymous Coward on Monday May 01, 2006 @07:18AM (#15235906)
    "... users were complacent [theregister.co.uk] the way mac users are now..."

    Mac users are not complacent. Never have been.

    Choosing to use a Mac is a conscious decision. One of the main reasons people use Macs is because the trojan/virus threat is significantly lower.

    All Mac users know the threat exists. We are aware and alert. However, there are currently 0 (zero) viruses in the wild for Mac OS X. Reports such as TFA are generally FUD spread by people that want to sell you their solution to the problem that isn't there yet. What surprises and annoys me is that sites such as this and TheRegister propagate this without doing some research to find out if there is an actual threat or not.

    If Macs become more popular, the threat will increase, and maybe someday there will actually be some viruses out there. At that time, we'll buy the appropriate protection product. Until such time, having a virus scanner on your Mac that has no viruses to scan is a bit silly, except as a service to Windows users.
  • Re:Heh. (Score:3, Informative)

    by BrynM ( 217883 ) * on Monday May 01, 2006 @07:44AM (#15235965) Homepage Journal
    One might wonder why this (non-)story is featured on the front page of MSNBC... ;-)
    MSNBC is a member of the Associated Press [ap.org]. They're probably hoping that the FUD will spread via other news agencies picking up the story from AP feeds. Since it's Monday morning, I'm sure at least one groggy editor has picked it up. From the looks of a Google News Search [google.com], MSNBC actually picked the story up from April 24 (The San Jose Mercury News and the Daily Breeze).
  • by drsmithy ( 35869 ) <drsmithy@nOSPAm.gmail.com> on Monday May 01, 2006 @08:07AM (#15236035)
    Heck, the "virus" described in the article isn't a virus at all. It's a trojan, and a shitty one at that. The guy downloaded an executable from an unknown source, and willingly ran it. "strange commands ran as if the machine was under the control of someone -- or something -- else."

    That also describes the majority of Windows "viruses".

    Don't bother with silly semantic games that only Slashbots care about. In the media when they say virus, they're talking about malware in general. Most Windows malware falls into the "trojan" category and requires varying levels of user interaction to get started.

    Not only did the guy make a boneheaded move that would affect even the most secure operating system in the world, it was obviously apparent that the file being run was a virus the second he opened it. I don't think this is any cause for concern.

    I do, because it's by far the most common vector for malware and, indeed, all security breaches.

    It's also damn near impossible to defend against programmatically.

    What's more, in order to inflict any serious damage on an OS X machine, you've got to provide the Administrator password.

    Bollocks. For a start, any user can delete files they own - ie: the most important data on the machine.

    Secondly, any user's account can turn the machine into just about anything an attacker might want, including allowing a remote login for further attempts at privilege escalation (because the OS X firewall is disabled by default).

    Finally, any user in the Admin group (the default for most users) can delete (or modify !) not only just about everything in /Applications, but also other "system" files in /Library and /System.

    It is impossible to run OS X as root.

    Actually it's trivial. Running code as root is marginally easier than actually logging in to the GUI as root, but neither are particularly difficult to do.

    If a program's trying to screw with your settings and files, you're going to know about it!

    Highly doubtful. Most users have no idea what processes run on the systems and even fewer actually monitor them.

    Likewise, unlike Windows, file permissions are properly implemented (it's Unix after all...).

    Windows's file permissions - indeed its security capabilities in general - are vastly more capable than OS X's.

    In short the whole "but root is disabled" argument (and variants) is largely irrelevant. Elevated privileges are simply not required for the vast majority of things malware wants to do.

    By your logic, because approximately 70% of the internet's web servers run Apache, [..]

    (Wow, the good old Apache argument, what a surprise.)

    Websites != Servers.

    Also People Running Apache != People Running IIS. The bar for running an Apache server is set higher.

    [...] we should be seeing tons of apache exploits, hacks, and viruses cropping up. The reason we don't is because Apache is a well-written and secure program, [...]

    Actually we do. For the last few years, Apache has had a worse security record than IIS.

    [...] and because administrators are generally not stupid enough to run unmarked executables.

    Users are not administrators. Users have *extreme* difficulty identifying malicious code before running it.

    OS X and unix are inherently more secure by design than Windows is.

    False. There are many aspects of traditional UNIX "design" - including that in OS X - that are inherently less secure than Windows. For example, the concept of 'root'.

    I'll go a step further and say that because OS X is only 5 years old, and NT has had 10+ years to mature, that Windows should be more secure than OS X is. We all know this isn't the case.

    Firstly, the product OS X was is actually a touch older than NT. Secondly, it was basically yet another reimplementation of the flawed unix "design".

  • We never were Immune (Score:3, Informative)

    by nurb432 ( 527695 ) on Monday May 01, 2006 @08:24AM (#15236082) Homepage Journal
    Apple users were just (much) safer than windows. And less of a target. But in no way were we ever immune.
  • Re:Switch to Intel (Score:3, Informative)

    by Peganthyrus ( 713645 ) on Monday May 01, 2006 @08:43AM (#15236158) Homepage
    Yes - but in a different way. Safari renders HTML using a system component called WebKit. A growing number of tools [opendarwin.org] use WebKit to provide rich text display - for instance, Adium, Fire, and Colloquy (two IM clients and an IRC one) use it for their very pretty message displays. Mail uses it for showing HTML email. Most apps use a WebKit-based help viewer.

    So, like an IE hole hitting you no matter if you use IE or not, a WebKit hole can be opened from a lot of places. On the other hand, patches generally get rolled out pretty quickly, and there's nothing quite as system-exposing as ActiveX to worry about!!
  • by cei ( 107343 ) on Monday May 01, 2006 @09:09AM (#15236258) Homepage Journal
    This is the same "virus" that we talked about in February. link 1 [slashdot.org], link 2 [slashdot.org]. The CNN (AP, really) article mentions Benjamin Daines as finding it. MacRumors forum post [macrumors.com] from Benjamin Daines dated Feb 13 whining about how he was duped by someone posting a link to said trojan. We've gone over this before. This is nothing new. Must be a slow news day at AP...
  • Re:Immune? (Score:5, Informative)

    by 99BottlesOfBeerInMyF ( 813746 ) on Monday May 01, 2006 @11:08AM (#15237085)

    You make several good points, and it is clear a lot of people who are not in the security field overestimate the security of an OS X system. It is somewhere on par with the average Linux workstation, which is to say people out there can hack it if they are targeting you specifically. Worms might, but probably won't be an issue for an average user. Notifications and restrictions on users are middle of the road for security versus ease of use. I think, however, you are slightly incorrect on several points and are basing your opinion on several incorrect facts.

    If you write a virus, you most certainly DO aim it at the most popular platform amongst those it has to contact to spread, especially if all the other platforms combined don't even reach 10% of the market, unless there are serious mitigating circumstances.

    This is true in some cases, but not all. A good number of worm authors are for-profit these days; they want to make money. Windows is the biggest market segment and the easiest target. It is not, however, necessarily the most profitable. Half the Windows machines out there are sitting in a business office and have no data easily exploitable for profit. Another 25% or so are home machines owned by people in the third world who have pirated the copy and don't even have credit cards.

    Mac users, on the other hand, are people who shelled out big bucks for a high-end machine. Some Windows users are too, but by no means a large percentage of them. What percentage of Macs do you suppose have valuable, credit card and personal info for someone with a high credit rating?

    Macs are not so rare that dumping one on Comcast's network would not net you a pile of machines. Further a cross-platform virus that hit both macs and Windows machines would solve the propagation issues. No, the reason worms don't hit Macs is not propagation or lack of a target. Nor is it lack of motivation. While many worm authors are working for profit, a large number are also just showing off and being malicious for its own sake. A lot of them would love to take "those mac users" down a peg.

    The reasons we don't have mac worms spreading are:

    • Unfamiliarity - many worm authors use tools and a knowledge base that is very Windows specific. Many just don't know how to write a Mac worm.
    • Difficulty - There is no IE or Outlook and the default, common internet apps avoid many of the security snafus MS has made with them. Ports are closed and services not running by default. Like it or not, the average Mac is harder to attack than the average Windows machine.
    • Community Expertise - you can have a worm propagate on Windows machines for weeks before it hits a honeypot or smart security guy's machine and becomes recognized. There is a higher percentage of security people and clueful professionals on Macs, so worms are/will be detected more quickly. The one attempt I know of to spread one used a Mac forum as the insertion point and was detected by users there and dissected immediately.
    • Zero day to a month - The time between the discovery of a vulnerability that actually presents a real risk of worm propagation and the rollout of the fix is shorter, due to Apple's faster response time. This is partly due to the complexity of the architecture and partly due to policy.
    • Up-to-date security - If you're running Windows 95, 98, ME, or 2000 there are unpatched security holes on your machine. If you're running Windows XP, you may or may not be up to date depending upon your security update policy and what application you need and whether or not they work with specific security patches. If you are running any version of OS X you still get security fixes as they are rolled out. If you are running OS 9, well, there just isn't much out there and isn't likely to ever be for a plethora of reasons.

    And the truth is that Darwin's lack of fine grained security means it has a limit to how secure it'll ever be.

    It is true that OS X has not implemented jails or Man

  • Windows is the only OS with viruses in the wild because it's a poorly designed, bug ridden piece of shit.

    Well, this gets my vote for "Most Uninformed Statement of the Year".

    Every OS is buggy. Every OS is vulnerable. Windows has a dominating market share, so Windows is targeted. UNIX systems, Linux systems, OSX systems, Windows systems - all have been hacked, cracked, broken, virused up, exploited, and brought to its knees.

    I'm a happy OSX home user and Windows programmer (work). I don't like Windows as much as OSX, but I've never seen such uninformed, sheep-like MS hating. It's really a shame.

  • Re:Switch to Intel (Score:2, Informative)

    by deathjestr ( 963870 ) on Monday May 01, 2006 @11:30AM (#15237288)
    The Harvard architecture that the PowerPC uses is inherently more secure than x86. A remote exploit on running code has a very low chance of working on the PPC, but nearly a 100% chance on the x86 (which is why all these IE exploits work all the time).

    The PPC architecture isn't very different, from a security standpoint, than the x86. Both store return addresses on the stack where they can be overwritten to redirect execution to wherever the attacker desires. PPC stores the most recent return address in a register, but all the addresses before the most recent go on the stack as in the x86. This doesn't change things much for an attacker.

    How is anything more or less likely either way? Guessing the stack address to jump to creates the same problems with either architecture, and both x86 and PPC allow the construction of 'nop' sleds which do not contain null bytes* to make guessing the address easier. I can't think of any other place where probability plays much of a role.

    *The PPC nop instruction as written by a compiler contains null bytes, but the three bytes that are null are actually ignored by the processor. This means that the nop instruction can be written without null bytes in it, in a way that the processor will accept.

    Then again, Apple has taken massive steps on the x86 side to prevent these kinds of attacks. Such as enforcing the NX/XD bit and enforcing a non-executable stack.

    The W^X bit changes the playing field, but does not solve the problem. The problem is that execution can be redirected by rewriting return addresses (which are still data, not executable). Sometimes, code is written on the stack and the return address is overwritten to jump to the code on the stack. W^X prevents this particular method, but there are other ways to do it. Performing returns into libc is one well-known way. I know of another which I think is easier.
  • by 99BottlesOfBeerInMyF ( 813746 ) on Monday May 01, 2006 @11:43AM (#15237397)

    This article [slashdot.org] claims 16% according to the SPA. Personally I'd estimate it is somewhat lower, maybe 7%. Sales figures alone place it at about 4% for the year, but the average in use lifespan of a mac tends to be 1-2 years longer than that of the average PC (although close to that of other high-end machines). Also sales of macs were up 32% year over year from 2004 to 2005. The industry as a whole went up 18%. That means 14% of roughly 4% of all computers sold would put Apple ahead by a little more than half a percent of the total PC market, to 4.5%. They've been doing quite a bit better so far in 2006, by all reports. So for a very conservative estimate you could say they have more than 4.5%, possibly considerably more than that. Anecdotally, here at work they have grown from 5-10% of the machines to about 50% or more in just a few years (mostly professional coders and security experts).

  • Re:Switch to Intel (Score:3, Informative)

    by nickos ( 91443 ) on Monday May 01, 2006 @01:05PM (#15238211)
    From the same Wikipedia page you linked to:

    "The term Harvard architecture originally referred to computer architectures that used physically separate storage and signal pathways for their instructions and data (in contrast to the von Neumann architecture)."

    "Modern high performance CPU chip designs incorporate aspects of both Harvard and von Neumann architecture."

    (my emphasis added)

    Googling for "Harvard architecture" PowerPC [google.com] also seems to suggest that PowerPC chips may use some aspect of the Harvard architecture...
