
Any Day Now…

March 30th, 2008

The On This Day… widget in this blog’s sidebar is showing its worth; in addition to acting as a record of what I was thinking, doing, or seeing at this time in years past (not bad for birdwatching, for example), it reminds me of a lot of stuff I have written on but forgotten about, stuff that is worth commenting on. For example, there was a story three years ago about a “fast-charging battery” that would almost fully recharge in one minute. They said it would be available in 2006. Well, here it is, 2008, and I don’t see the battery around. Maybe it was released but is too expensive, or has limitations which keep it from being widely used, I don’t know. But it is worth noticing that so many of the stories of new, revolutionary technology that we see eventually come to nothing. Good reason to take such stories with a grain of salt, or at least a wait-and-see attitude.

Another story from the same day highlights the worthlessness of all the stories about how vulnerable the Mac is to attacks. Here’s a report released by an antivirus software company three years ago:

Security vendor Symantec is warning that Apple’s OS X operating system is increasingly becoming a target for hackers and malware authors. …

“Symantec believes that as the popularity of Apple’s new platform continues to grow, so too will the number of attacks directed at it,” the report said.

Symantec’s concerns were echoed by James Turner, security analyst at Frost & Sullivan Australia, who said many of the people who bought Apple products were not concerned about security, which left them wide open to attack. … “As soon as you start seeing mass deployment of any technology you are going to see exploits.”

According to Biviano, while there have not been any mass outbreaks of viruses targeting the Mac, the potential does exist. …

“Look at where mobile viruses are going and they are not targeting Microsoft – they are targeting the market leader, which is Symbian,” he said.

That was three years ago. The Mac market share has more than doubled since then, and now the iPhone is a major player in the mobile market. We have trumped-up publicity stunts like this one (thoroughly debunked here and here) still trying to tell us how vulnerable Macs are and how secure Windows is, but the fact remains that Vista is far from secure, and about 80% of Windows users are still vulnerable to more than 100,000 real-world malware packages… while the Mac has suffered from only two real-world attacks, both trojans (the easiest type of attack to carry out because it bypasses OS security instead of defeating it), and neither of those trojans is known to have done much if any damage at all. The first affected a total of one person. The second has been reported as existing in the wild, but I have heard no reports of anyone actually falling prey to it. Both require several steps to be taken by a naive Mac user to allow the trojan to attack their system, including typing in administrator passwords for no good reason whatsoever.

In short, the Mac has remained virus-free and virtually malware-free, despite increasing its market share far beyond what the naysayers guessed at three years ago. The promised wave of malware attacks has completely failed to materialize. And yet we still get regular reports from the same people saying the same thing–the Mac has all these vulnerabilities (which somehow never actually get turned into real-world exploits), it’s going to get creamed any day now! Look!

Apple Macs running the Mac OS X operating system are just as vulnerable to viruses and other threats as Windows PCs are. That’s according to Symantec software architect Ollie Whitehouse who made the claims in an interview with Tech.co.uk.

“Apple has been demonstrated to suffer a number of vulnerabilities over the years,” he said. “Suffice to say that Symantec and other software security vendors do produce anti-virus software for the Mac because we believe there is the potential of a problem.”

That was last August, two and a half years after the first Symantec warning that I posted about–and I am certain there were scare stories from Symantec and others well before three years ago.

We’re still waiting for the massive onslaught of viruses on the Mac.

  1. Pensive Koala
    April 1st, 2008 at 11:22 | #1

    Actually, there was a recent competition in which OS X (on a Macbook Air, to be precise) was hacked via a Safari exploit – which the contestant discovered and wrote code to take advantage of himself. (In the same competition, Vista was only cracked when third party apps were installed on the machine, and Ubuntu was uncracked). So yes, it is relatively easy for vulnerabilities in OS X to be found.

    This isn’t a testament to OS X’s security or lack thereof. It’s the case with any modern operating system, particularly the sort that can connect to the jungle that is the internet. However, don’t fool yourself into thinking that this means that OS X shouldn’t be worried about their security. The original estimates of when Mac exploits would emerge definitely jumped the gun. Think about how long it took for Firefox exploits to get developed after they started eating IE’s marketshare (of course, most of those were redeemed for prizes instead of actually used).

    If Apple is lucky, their security holes will come out gradually, be fixed quickly, and generally get ignored. God knows they can’t outdo Microsoft in terms of failure there, especially since they’re Unix-based. If they’re SMART, they’ll offer a bounty in the hopes that crackers will tell Apple when something goes wrong instead of actually exploiting it.

    However, what’s more likely is that when their user share hits 50% or more (no right-minded black hat will bother targeting them before then, Microsoft is still easier to hit than a beached sperm whale), they’ll see a few viruses spring up, at least one or two of which approach the impact level of the fabled “I love you” virus. Apple isn’t going to get totally creamed by viruses as many predicted, and certainly not any time soon, but neither is it going to go totally unscathed. Same applies to Linux if it ever gets its market share up (though having a user base composed mostly of nerds in the meantime ought to help it weather that storm), and the same would apply to BSD if it ever got popular (yeah, right).

    So basically, don’t worry too much, but don’t assume everything will be fine either. As always, proficient, careful users will be largely unaffected, particularly if they back up.

  2. Luis
    April 1st, 2008 at 11:34 | #2

    Koala: I referenced the CanSecWest competition in the third paragraph of this post (see the links on “debunking”). I don’t know all the details myself, but I do know that the contest is not exactly consistent. As the debunker points out, the results of this event vary largely on the time they are held and what vulnerabilities are open. If this contest had been held a month ago–before Vista SP1 and before Safari 3.1–then the results would probably have been reversed.

    In a past event, a Mac was only cracked after major artificial vulnerabilities were opened up, and that happened only after no one was able to crack the machine. Now, Ubuntu went uncracked, and no one tried to open up artificial holes in its security like they did with the Mac last time–nor did anyone use vulnerabilities that could have cracked the Ubuntu–that being the same one that cracked Vista. The debunking posts I linked to give a long list of details why the hacking contest is not a reliable indicator of real security. Not to mention, we still don’t know the details of the Mac hack, and since these events tend to be rather significantly biased against Macs, I am going to reserve judgment until we know exactly how the Mac was cracked.

    Anyway, read the debunking and come back–I’d like to hear your thoughts after reading them.

  3. Pensive Koala
    April 1st, 2008 at 14:44 | #3

    That’ll teach me not to follow your links, sorry Luis. Response is below.

    The flame war over the CanSecWest competition is, as you might imagine, incredibly heated. The first debunking you posted seems like it’s a direct response to someone saying “this means the mac sucks”. Of course it doesn’t mean the Mac sucks, especially since it was a bug in Safari, not the operating system itself, that allowed the exploit. However, some of that article’s points (and nearly all of the latter article’s points) are flawed.

    Both articles spend lots of time explaining that Apple was being specifically targeted in this competition. However, they both miss a few key facts. First of all, there was a cash prize involved in the contest, and the winner was allowed to keep the laptop he or she cracked. Not only that, but the cash prize diminished from a cool 20K the first day to 10K the second day (when the MacBook Air was cracked) and only 5K the third day. This alone would be reason enough for most to focus on the laptop they were relatively sure they could crack.

    Second, both articles assume in their argument that Apple was being specifically targeted that a majority (or at least a plurality) of the teams entered were working on the Air, as opposed to other laptops. I have seen no evidence that this is the case.

    Finally, the first article in particular repeatedly claims that there are no “real world” viruses or other security problems for Macintosh users. Has the author never heard of Leap.A? It was a worm back in ’06 that propagated through instant message (though it had to be executed with root access at the beginning of the chain, there will always be one user stupid enough). Admittedly, this was OS 9 as opposed to OS X. However, at the time, Mac’s market share was something like 8%, I believe…maybe lower? In contrast, the first serious self-propagating viruses for Windows occurred in 1999. In 1999, Windows’ market share was 89%.

    Now that there’s a much larger cracking community (trust me) than there was in 1999, Mac may become widely exploited at a much lower market share than Windows first was. However, since Mac’s software is much more mature than Windows 98 was, I’m guessing the impact will be much less. At this point, the main threat to the users of ANY computer exists between keyboard and chair.

  4. Luis
    April 1st, 2008 at 15:44 | #4

    Koala: as for your first point, I would come back to (a) the timing issue, that had this been four weeks ago the Mac probably would not have been cracked and Vista would have, (b) the fact that we still don’t know what exactly the vulnerability is and how realistic it is (reports are that one would have to travel to a specific type of web site first, and I’d like to see how the Apple’s settings were arranged), and (c) the question of zero-day exploits and their relevance to the Mac. Also, how much of a threat is each exploit, how much are they actually exploited in real life, and how quick is the maker to patch said exploits? The author of the debunking refers to an XP security hole which has been around for years and still to this day lays a majority of Windows users open to attack. If Apple has 20 vulnerabilities and Windows 10, it doesn’t mean that Apple is less safe if the Windows exploits are more damaging and easier to fall into.

    Which brings me to your final point, about Leap.A. I’m not sure what you mean by OS9, as that was phased out some time ago, and Leap.A (also referred to as Oompa) was an OS X malware. While called a “worm,” it really was a trojan as it could only be spread via iChat and by tricking the user into activating it; it would disguise itself as an archived image, and many users would have to type in an administrator password. Only then would it affect apps on your computer, and only specific ones, and even then it would not do anything except try to spread to other users via iChat–more than anything else, it was a proof-of-concept malware.

    Read this article on the subject. The writer actually worked hard to try to find Leap.A, and after finally getting his hands on it, it didn’t even work! According to this article, it “has a bug in the code that prevents it from working as intended.”

    As a piece of malicious software, it was an incredibly lame example–kind of like the Inqtana Bluetooth exploit, which needed to have two non-updated, Bluetooth-active and -discoverable Mac laptops in the same room, one infected and the other run by someone who would have to accept a Bluetooth device that could not be seen… you get the idea. The only malware that has come out has been trojan-based, requiring user intervention to get past the OS security. Both that I know of were proof-of-concept, did not work well (or not at all), and were incredibly unlikely to affect anyone–and indeed, there have been no reports that more than just a few people (and I mean few enough to be counted on the fingers of one hand) have ever encountered these in the wild.

    Considering that the Mac now has a minimum of 8% market share and the first real viral threat would gain major props for the hacker who cracked it, I find it rather revealing that malware has been virtually nonexistent for the Mac.

    Also, for Windows, one must remember that the vast majority, maybe 75% or more, of Windows users are using XP, not Vista, and that many using Vista in real life have actually switched off the system security because it is so damned annoying. In this way, Windows had a very unnatural advantage over the Mac, whose users update their OS far more often. If the machines used were more representative of real-world setups, then Windows would have been the first one targeted and the first one to fail.

  5. Pensive Koala
    April 3rd, 2008 at 07:48 | #5

    Thanks for the information, and I’m sorry about the OS X/OS 9 slip-up; I’m not very familiar with the Mac OS between the original version and Leopard, and mistook a previous version of OS X for OS 9.

    It sounds like we’re pretty much in agreement: It’s promising that there aren’t any serious security threats to the Mac at this point, but there’s still plenty of time for threats to develop. Windows security still blows (though much less than it used to) and has become horribly annoying.

    You mentioned that you’d like to see how the Apple’s settings were arranged; according to CanSecWest, the computers were in “typical user configurations”. This usually means “we patched them and didn’t change a damn thing other than that”. In addition, the Safari exploit in the competition did indeed require a web page with the code on it to be visited. That’s a pretty powerful exploit; nothing had to be downloaded, executed, installed, just viewed.

    We haven’t really discussed Linux (which also took part in the CanSecWest competition). Since Linux is generally acknowledged within the tech community as more secure than either Mac or Windows (though perhaps not quite as secure as BSD, depending upon whom you ask), finding an exploit in Ubuntu would perhaps be even better for a security expert’s publicity than finding one within OS X. The fact that no exploit arose (whether that’s based on the “real” experts focusing on easier systems or a simple inability to find an exploit) is quite promising, and while it doesn’t exactly give bragging rights to Linux users, it is worth mentioning. In fact, the only recent security exploit for Linux (which was patched within 24 hours) required physical access to the computer in question. When compared to the team that developed the OS X/Safari exploit having 100% working code within a week (they developed the exploit ahead of time) and the host of security issues that have already arisen with Vista, that’s a pretty nice statistic.

  6. Pensive Koala
    April 3rd, 2008 at 08:03 | #6

    Update: I just read a more complete version of the CanSecWest pwn2own contest rules, which makes it look like the computers were possibly even more secure than is average:

    13. Each machine will be secured to common industry best practices:

    We’ll get Andrea Barisani from our Hardening Linux Dojo (which still
    has seats available :) to look over the Ubuntu machine, and the
    Microsoft/iSec/Core DTF folks to secure the Windows box, and Josh
    Ryder our local Mac zealot to look at the OSX wafer.

  7. Luis
    April 3rd, 2008 at 09:22 | #7

    Koala: On your first message, I totally agree that OS X is not impenetrable, and as market share increases, we’ll no doubt see more malware come our way–but not as much as Windows or even Linux. The reason being that market share does not explain everything. Windows has about 90% market share and more than 100,000 pieces of malware. OS X has about 8% market share and has only recently acquired two trojans, maybe three. Linux has maybe 2% market share… and has about 100 pieces of malware that can affect it (some sources say less than 15, some say more than 500–many say around a hundred so I am going with that). If market share is the major variable, those numbers should be quite different–OS X should have a thousand pieces of malware, or Linux none. While the Mac can be pwned and potentially hit by a virus (I am assuming) or any malware without a trojan delivery, my understanding is that the security is simply better at all levels, and it is harder to put something together that will have any impact. Maybe I’m wrong, but the numbers we see would seem to support that.

    As for the “common industry best practices,” I’d be interested to see if that involves any 3rd-party software. Probably not, but the devil is in the details. There was once a similar competition where the hackers were given local access to the Mac–a highly unrealistic security breach–and that went unreported in the flurry of press about how Macs are hackable within thirty minutes (a subsequent competition where such access was denied proved the same hack wouldn’t work). There was another famous case where some guy hacked into a MacBook and so claimed it was vulnerable, leading to similar “Macs are unsecure” press–but it was later revealed that in order to do the hack, they had to plug in a third-party wireless receiver, a complete impossibility in real life as the Mac ships with WiFi built in and no one would ever use such a third-party device.

    So, having seen Macs intentionally burned at events like this before, I am quite leery about such media reports until I know that the Mac crowd has had a chance to look at all the details and find out whether–yet again–the Mac was made unrealistically hackable in a non-real-world fashion.

  8. Pensive Koala
    April 3rd, 2008 at 11:44 | #8

    No third-party software (other than stuff that’s integrated into Safari like Adobe Flash, for example) was installed until the third day of the competition, after the Mac had already been “pwned” in the contest’s vernacular.

    I see your point about being leery about anything that brings bad news about the Mac…but I think you should be careful to note the difference between an individual reporting a security flaw in the Mac and the Mac being cracked in an impartial competition.
