Macs May No Longer Be Immune to Viruses

Bill writes "MSNBC reports that the combination of Apple's growing market share and their recent switch to x86 processors has made Mac OS X a new target for viruses. Unfortunately, it seems that many Mac users are in denial. '[Computer security expert Tom] Ferris said he warned Apple of the vulnerabilities in January and February and that the company has yet to patch the holes, prompting him to compare the Cupertino-based computer maker to Microsoft three years ago, when the world's largest software company was criticized for being slow to respond to weaknesses in its products.'"

Immune?

[Red Samurai]

They never were immune. It's just that most virus writers don't give a crap about Macs.

Again, a total non-story

[mstroeck]

Why does Slashdot continue to post Apple-related non-stories? Every time Steve Jobs farts or some idiot proclaims the coming Mac-Virus-Mayhem (tm), Slashdot takes the bait.

This MSNBC(!) story contains no facts whatsoever. No piece of significant OS X malware has been discovered so far, and I believe it's highly likely that there won't be any in the immediate future. WTF does the Intel switch have to do with that?

Re:Switch to Intel

[Anonymous Coward]

The nastiest viruses are written in assembly language, and there are a heck of a lot more coders familiar with the x86 line.

Re:Article is a troll

[Whiney Mac Fanboy]

What a load of rubbish - viruses infect via operating system and application vulnerabilities, the chipset those are running on has very little relevance.

I don't think you've thought this through.

1) Consider how long it took for the hacking community to make OS X to run in a virtual machine on an Intel Box.

2) Now consider how long it took for the hacking community to make windows run on a macbook.

Which one of these tasks was harder (I would say the first, as Apple was actively hindering this activity, but 'not precluding' the second).

In spite of this (and inspite of the second task having a $13000 prize), the first hack was done in a much (much) faster time. Why do you think this is? The answer of course is barrier to entry. The $2000 barrier to entry you used to have to pay to use OS X (and test exploits against it) no longer exists, if you don't think that makes a difference to hackers (many of whom are in far less afluent countries then you), then quite frankly, you're insane.

Forbidden Fruit

[LiquidCoooled]

Anyone knows you don't get something for nothing.

Viruses for all different operating systems exist.
There are holes and exploits for practically everything known to man.

Now, if I walk into the dodgiest parts of town (with my turtle neck sweater on) and ask the shady guy at the street corner for a forbidden secret preview of the next big thing do you really think I will survive with the same number (and size) orifices as I started with?

Once you leave the beaten track, you cannot be sure what lurks in the shadows.

Re:Macs have never been "immune" to viruses

[Scudsucker]

Nor even markedly more resistant. They have just been less targeted.

Nonsense. Microsoft is the target of viruses and spyware because of Microsofts moronic design decisions and security policies, not because of marketshare.

mixed article

[gmccloskey]

No-one can deny that with growing popularity of OS X that it becomes an increasingly attractive target. Malware writing works on similar economics to regular software: this implies that malware will exist but be a niche deployment. So it is a concern, but not the end of the world, or of Apple, as the world likes to regularly predict.

The article was mixed in accuracy. Many Mac users believe themselves to be invulnerable - the truth is they are currently /less/ vulnerable than the mainstream desktop OS. The thesis that using an intel processor increases security risks is not true - OSen don't allow direct hardware access as such, and how many script kiddies write x86 microcode?. Running Windows on a IntelMac may potentially increase security probems, and reduce the Macintosh (not OS X) brand reputation for security. It depends on how the 'wall' between x86 file access and OSX file access is implemented.

Nothing in IT or anywhere else is 100%. Currently OS X is more secure in many areas than its competitors. To maintain or improve on this, constant vigilence and innovation are required by Apple, ISVs and most importantly users.

cha-ching

[St. Arbirix]

I wonder what percentage of some anti-virus software company's profits are a direct result of this article.

I'm in denial about invisible pink unicorns too. Put up or shut-up.

Re:Immune?

[stefaanh]

Otherwise said:
Burglars break in houses with the most vulnerable alarm system, not because of the popularity of the alarm system.

Re:Macs have never been "immune" to viruses

[strider44]

I'm calling bullshit on that. True, Macs haven't been tested with a huge market share like Windows has, but you seem to be using that as proof that Macs have as bad-a security model as Windows. My favourite analogy to this is asking which one is more bulletproof, an apple or a kevlar vest. You'd shoot the apple into smitherines then say "Obviously the kevlar vest would crumble similarly if I shot it therefore neither are bulletproof".

You're right that they have never been "immune" to viruses. I don't expect you to say something stupid like that *nothing* is immune to viruses unless you can successfully hack my hello world program, but macs definitely aren't. That doesn't mean they're as bad as Windows though, so if you say something like "Nor even markedly more resistant" how about you back up that comment...

Re:Switch to Intel

[rolfwind]

security at apple is like microsoft 3 years ago in the sense that they are still burying there haed in the sand.in the last 3 years microsoft has coome a long way in security eventhough there still not at the high standard that some people desire its alot better than 3 years ago

How does everybody figure this? As a results-oriented person, I have to say Apple's track record is better than Microsoft's at the moment.

Re:Gosh, it does sounds like MS.

[Anonymous Coward]

I'd take an Apple spokeswoman's word over Tom Ferris's word. He's fairly good at finding crash bugs, but he frequently reports zero dereferences as "buffer overflows", etc. See his record in bugzilla.mozilla.org, for example, starting with bug 303433. I have no idea why the media keeps calling him a security expert.

Re:Immune?

[Gobelet]

But that is the modern propagation of viruses. How did people infect computers before that? By infecting medias. Dammit, you don't need a security flaw to embed viral code in a software that you have to install with root.

Countdown ...

[Aceticon]

... until somebody starts a flamewar by saying that Macs are not immune to viruses after all and they've only managed to stay relativelly safe because there are so few of them, to which a horde of Mac religious fanatics angrily reply that Windows is much worse at which point the flames start flying back and forth all the while drowning the only 2 posts that make sense, one saying that the only mainstream OS purposelly made with security in mind was OpenBSD and the other that says that stupid users running with admin rights that open executable attachments in mails from unknown sources are, independently of the OS, the biguest cause of virus infections.

3, 2, .... nevermind, already started.

Re:Article is a troll

[kryten_nl]

I totally agree, now to te rest of you: Since the trojan writer / spammer alliance, writing viruses has become a business worth millions of dollars. If you still think that a virus writer won't buy a couple of powerbooks, if he thinks he can make a profit, you're dead wrong.

Re:Switch to Intel

[Anonymous Coward]

It isn't easier to do buffer overflows on x86 processors than it is on others, except for the fact that until recently it was difficult to disable execution on the stack. However most systems haven't done that until recently anyhow, because there has been software that needs to allow execution on the stack (so called "trampolines" are sometimes useful).

Your comparison of Apple with Microsoft 3 years ago lacks any kind of substance; please provide examples if you wish to be taken seriously. Apple has been doing security updates for OS X since it was released, and they never had Microsoft's earlier issues with enabling all sorts of dangerous remote services by default. The closest to such a problem was the problem where a spoofed local DHCP server could be used at boot-time to gain access, but that still required access to the LAN the computer was on.

I would trust neither system to prevent local privilege escalation (i.e. trojans can and will be a problem for some time to come).

I'd say Apple and Microsoft are currently close to the same level of security in terms of potential for exploitation, but MSWin is still targeted considerably more.

Re:Switch to Intel

[/ASCII]

This is nonsense. x86 is in no way more sensitive to buffer overflow bugs than other popular architectures. It is probably possible to implement hardware acceleration of guard pages and some form of privilige separation, making such protection mechanisms slightly faster, but I know of no hardware that does so, so this is in no way x86-specific. Also, on a 64-bit platform, you have more address space, meaning that if you randomize the memory space layout on each invocation, an attacker will have a pretty hard time figuring out what to do with an overflow error, but again this is not x86-specific. I think you're thinking about the C computer language, which is designed with fixed-sized memory buffers in mind, making it much more work to avoid buffer overflows in C than in e.g. Java or C#.

Re:Article is a troll

[Whiney Mac Fanboy]

I suppose you haven't actually checked the Apple Store the last few years. The barrier of entry has been around $500-600 the last few years. Unless haxors absolutely need l33t 15" Powerbooks instead of a mac mini.

Good point - you're quite right. But, while virus writing has become a multi-million dollar industry recently, many of the people writing exploits are not the ones directly making money off them.

To these people, lowering the barrier to entry from $500 to $0 will make a tremendous difference.

And on that point, wouldn't some haxors love to also be one of the few to make a sucessful virus/trojan/etc OS X or Linux (where's the barrier of entry here?) instead of one of the few thousand for Windows? I thought prestige was some sort of motivation. Pff.

Its good that you mention linux - A few years ago, linux users were complacent [theregister.co.uk] the way mac users are now. A few worms, a few defacements, a few embarressed, burnt users & now the linux community is more proactive about threats. That has yet to happen in OS X land.

And yes, prestige as you say is going to be a big motivator to uncover OS X holes.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Macs have never been "immune" to viruses

[nathanh]

Nonsense. Microsoft is the target of viruses and spyware because of Microsofts moronic design decisions and security policies, not because of marketshare.

Nonsense. Microsoft is the target of viruses and spyware because of Microsoft's moronic design decisions and security policies AND because of marketshare.

Virus writers are writing viruses to make profit; either by stealing information, creating botnets, or proliferation of unwanted advertising. They make more profit by exploiting more machines, so it's no wonder that the most common OS is also the most targetted.

The fact that it's so trivial to exploit Microsoft software is purely because of the moronic design decisions and security policies, not because of marketshare. But the fact that Microsoft is so frequently the target of virus writers is a function of marketshare as well.

Re:Article is a troll

[Deorus]

> What a load of rubbish - viruses infect via operating system and application vulnerabilities, the chipset those are running on has very little relevance.

No, the article points out what I thought was obvious.

To write a worm/virus you actually need to know how to assemble on the target architecture for at least two reasons:
  1 - The first thing you do before attempting to exploit a crash is to debug it, now how do you debug on an architecture which you don't know? Trying to debug low level code (remember it's precompiled binaries we're talking about here, not scripts) without knowing how to assemble on the target architecture is like running the marathon without a leg.
  2 - If you find a way to inject code you'll need, well... code to inject..., and this code has to be written in the lowest possible level so that you can interrupt to system calls without depending on operating system libraries and avoid specific opcode patterns that would have a meaning to the high level application and prevent your injected code from running as expected.

Taking in account that every geek in the universe knows x86 assembly, if you think for a while you'll realize that the architecture switch makes OSX much easier to debug for the majority of people, and inherently much easier to exploit.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Car thieves steal Accords because they are common

[rufusdufus]

Thieves steal honda accords more than any other car. Not because Accords are better, but because they are more common.
You don't see a lot of mac viruses because virus writers are looking for a large population to spread their malware, and macs are few and far between.

Re:Switch to Intel

[MyNameIsEarl]

Windows can't write to an HFS partition, so no matter what is installed under Windows I don't believe it can touch the OSX part of that hard drive.

Re:Immune?

[norman619]

Poor analogy. Mac's poor market share is the main reason they haven't been targeted by the virus writers. You are just fooling yourself if you think it has anything to do witht he architecture of the OS. It's simple logic. You don't go after the minority systems you go after the majority. But Apple is changing and joining the rest of the world and as such they will prob come under fire. The irritating and misguided boasting of the Mac fanboys may be taken as a challenge by the kids that write the viruses. Oh well move along nothing interesting to see.....

So "security" doesn't exist?

[khasim]

Thieves steal honda accords more than any other car. Not because Accords are better, but because they are more common.

So ... if I drive a Honda Accord, then there is nothing I can do to prevent it from being stolen by any kid who wants to take it?

Fascinating.

You don't see a lot of mac viruses because virus writers are looking for a large population to spread their malware, and macs are few and far between.

So ... if there were more Macs than Windows boxes ... the Macs would have a higher percentage of infections due to worms that somehow manage to spread to machines that ship with no open ports by default?

Machines can only be infected by:
Worms
Viruses
Trojans

Worms spread via open ports. If Macs have no open ports by default, then the worm threat should be near zero for Macs.

But you say that it is just because there aren't a lot of Macs out there. So ... the worms would somehow manage to infect a machine with no open ports ... if that machine were more commonly found.

Fascinating.

What's the Difference Between Me and You?

[Greyfox]

The difference between OSX and Windows is that on OSX you have to download the "virus", run it and supply it with your root password. In Windows, you pretty much have to connect an unpatched install to the Internet without a firewall and wait 20 minutes.

Still, I WOULD like to see Apple try to do more to keep OSX secure. The system should only allow its system directories to be modified in single user mode -- I'm pretty sure BSD has a flag for that. I'd also like to see downloaded applications run as some other user that isn't allowed administrative access to the system at all, password or no. They'd probably have to make some changes so that the user could be restricted from changing its user ID to minimize the damage of people providing their passwords blindly when the dialog comes up. Allow the user to take explicit action if they want the application to be able to run as the regular user.

It still wouldn't be a perfect defense, but nothing can help you if the user's going to bend over backwards to give an application access to the system. Operating system companies really should err on the side of paranoia whenever possible.

"No Longer" Immune?

[Anonymous Coward]

Macs May No Longer Be Immune to Viruses

Nobody with a functioning brain thought that Macs were ever immune to viruses.

Re:Immune?

[Anonymous Coward]

I still think that most crackers are lazy, and take the road of the least resistance, just as burglars do. (To answer another post here: The Honda Accords with a poor alarm system will get stolen first.)

Not entirely, you have to consider the market for stolen cars and stolen car parts for anyone other than your joyriding car thief (the thieves that steal cars for the money). Car thieves typically take what they can sell or chop up to sell, easily (as in there is a market for them). In this regards, they are like computer viruses. The brands/makes of cars that are most popularly stolen are also the ones that have large market share, thus the widely available market for spare parts and the sale of used models of that car. So, when faced with wanting to get some money and you are a car thief in the USA, are you going to steal the (alarm or not) Accord, which is widely popular in the USA, or are you going to steal the Pinto or the Gremlin, which you may drive every day for two hours for a month and not see a single one on the road? If you chopped it up for parts, which parts or "resale" would have the largest market, and therefore the most money into your pocket with the least effort?

Virus writers are the same. In order for a virus to spread, you have to have a "critical mass" of machines or the virus will simply stop spreading. For example, you'd have to have at least a single "link" between two machines that are of the same type of OS so the virus could spread. If the ratio were 1:more-than-one, for every machine infected, there would be a high chance of finding another uninfected machine to infect. If the ratio were 1:1, for every machine infected, there would be one more infected by that machine, if it weren't already infected, so even this is a very low rate of spread. If the ratio were 1:less-than-one, then the virus will most likely not have many options even if it did happen to infect a machine that could contact another machine and the new contact wasn't already infected.

In Mac-centric communities, this ratio may be fairly high (a Mac user may have a number of Mac user friends) even though the total number would be small. So, you could write a virus that would, in the best case a few years ago, infect at most two million machines.

Just like a biological virus and viral biological warfare. There may be reason to design a very targeted virus to infect only one targeted segment of the population (precision viral assassination) but if you want to take out a large number of individuals and cause the most devastation, you're going to design something that will spread rapidly among a very broad target host and that won't happen if you design the virus to target some weakness that only 1% of the target population exhibits.

User-base fallacy

[Dr. Brad]

If the installed base size is the critical factor for exploit success, then why are there more successful exploits for Microsoft IIS than there are for Apache?

Take care,
brad

Re:Car thieves steal Accords because they are comm

[feijai]

In 2004 (the most recent year of record) the #1 most stolen car was the 1995 Honda Civic. The #2 most stolen car was the 1989 Toyota Camry. The 1991 Honda Accord came in at #3. #4 was the 1994 Dodge Caravan.

So. Not Accords. But get the picture? Nine year old Civics? The most common cars stolen are those which are owned by people living in the neighborhoods where thieves operate.

What really matters is no the most common car stolen but the car with the highest rate of theft. And for that, the top ten are: 1999 Acura Integra, 2002 BMW M Roadster, 1998 Acura Integra, 1991 GMC V2500, 2002 Audi S4, 1996 Acura Integra, 1995 Acura Integra, 2004 Mercury Marauder, 1997 Acura Integra, 1992 Mercedes-Benz 600. Someone likes those Integras.

Thing is, theft rate doesn't help your dorky argument. Because not only are there few Macs being broken into or zombied or attacked by virii, but Apple's *rate* is nearly zero as well.

Re:well duh!

[99BottlesOfBeerInMyF]

people supporting alternative systems such as linux and unix (including mac os), etc. should avoid claiming they are not able to be infected with virus and worms. such false advertising may cause people to abandon the adoption at the end because they will just think "hey, why spend all the fuss when you get the same problems.) ignorance is the problem. education is the solution.

I agree with you, but I think most of the ignorance is in the other direction. Talking to the average Windows user, most assume Mac users do have to deal with the same level of spyware, worms, and other malware that they do. When told, "No I've never been infected with any of them and in fact no mac worm has ever spread to OS X machines on the internet," many simply don't believe it. Those that do, sometimes inaccurately claim when speaking to others that mac can't get viruses, when in fact they just don't get viruses (or haven't yet).

Apple has been very careful on this issue, to never claim their machines are immune to viruses. I think the fact that most users don't know Macs are more secure than Windows machines and are unlikely to have malware problems greatly overshadows the problem of Mac's security being overstated by some individuals.

Re:Immune?

[Catbeller]

So. Where are the viruses, then? It's been at least five years.

There aren't any. That fact alone would be a challenge to a malicious hacker. The first successful writer of Mac viruses would earn enormous respect.

And it hasn't happened. Either the virus writers are idiots, or it can't be done.

This story is FUD based on the evidence. The article is spreading -- the article is the true virus. Microsoft and its little family of corps are at it again.

Re:Immune?

[99BottlesOfBeerInMyF]

A 'commercial' worm author doesn't give a shit about what you have on your PC, how much money the PC's owners have. Generally, all it cares about is that your PC is connected to the internet and that it can use the connection to send spam. That's it. They aren't trying to steal your secret family recipes or wedding photos.

I'm afraid you're woefully out of date. Worms can and do harvest CC numbers and other personal info and that trend is increasing. You can buy "identities" right now on underground Web sites where the higher the credit rating the higher the cost. A lot of those identities come from compromised databases, but more and more are garnered from worms reporting via the control channel. Further, the relative wealth of PC owner often correlates significantly with the bandwidth available to that computer.

Nice try on the whole "Mac users spend big bucks, so they're more valuable targets!" argument though. I wonder if you made any other irrelevant, probably incorrect generalizations in your post.

I don't know, why don't you actually read the post rather than complaining about the supposed inaccuracy of what you haven't bothered to read?

Re:Switch to Intel

[lostchicken]

Well, in terms of cache, the CPU (just like x86) uses separate instruction and data caches, at least at some level, making it a Harvard machine in that sense, but they have to support cache flushing operations to support self-modifying code. So there's really no security advantage gained through this bit of Harvardness. And it's certainly not unique to the PPC.

Re:Immune?

[PhatBhuda]

So Apple's marketshare was never very large pre-osx and there were a few viruses available for the Apple Macintosh platform. The marketshare still isn't very large, but not a great deal smaller. Still, post mac osx, no real virus threats.

According to this posting at macobserver:
http://www.macobserver.com/editorial/2003/08/29.1. shtml [macobserver.com]
He found 26 viruses that targetted Mac OS Classic, 553 Microsoft Macro viruses, and 0 Mac OS X viruses. This was in October of 2003.

So if you give Mac OS X a single virus to make the math work, there are 96% more viruses for Macintosh pre Mac OS X. There was not a 96% drop in market share for Apple from Classic to Mac OS X periods of time.

Re:Apple == MS

[Keen Anthony]

The only difference between Apple and MS/Bill Gates and Steve Jobs is cash. If history had run differently and it had been Apple that gotten to be the giant then there really wouldn't be that much change.

I think they are really two very different personalities. Bill Gates is competitive to the point of being a bit mental. He's still fairly pragmatic, but he has a win-at-all costs attitude. Steve Jobs is idealistic and dismissive. Had Apple won the war - even with Steve Jobs at the helm rather than Apple's other captains, I think the personal computer market would be far more balanced. We'd still have Amiga, C64, Atari, and TI in addition to the PC with all its OSen. Steve did hate the clones though, and he did put an end to them. Apple is very litigious, true. A lot of it has to do with animosity Apple has had with Microsoft and the anger the company has with PC vendors that have copied Apple's innovations while simultaneously trashing Apple. Yeah, at some point it gets childish. I think Apple was an angry, misdirected, company for a while, but it wasn't like SCO or Microsoft - companies that sue in order to gain strategic ground.

How many of you believe that is the media part of Sony that has been crippling the company by insisting on DRM that hardware consumers don't want?

I wanted to buy miniDisc but was overwhelmed with all that ATRAC mess. Grrrrr. I think even here though you've got a company that has more in common with Apple than it does with Microsoft. Sony does wierd things sometimes just cause it's Sony. Like Apple, Sony certainly doesn't care whether everyone uses their products, but they're so obsessed with their brand, the loyalist customers often get bit in the ass.

Harvard Architecture?

[compact_support]

PowerPC is not Harvard architecture. It has seperate L1 instruction and data cache, but that's it. Harvard implies that the instruction memory is in a distinct address space from the data address space, and that no instructions exist to allow one to write to the program memory.