Mac bomb ticks for security smug users
- 01 May, 2009 15:37
- Comments 26
The idée fixe that Macintosh is impervious to attack could be shattered if cyber-criminals act on their arsenal of 0-day exploits, security experts say.
Hackers need only a few critical vulnerabilities, common to all operating systems including the security-focused OpenBSD, to craft a successful attack.
Pure Hacking senior security consultant Chris Gatford said hackers may retain 0-day Macintosh vulnerabilities unknown to the industry and exploit them at an opportune time.
“It's only a matter of a time before Macs get more market share and become a more viable target,” Gatford said.
“Mac users now are exposed to less risk because bad guys see the money in compromising Windows machines as they have a better chance of a hit with malware.
“Most Mac users don't run anti-virus and those that do rarely update. Apple are a lot slower to patch holes for the Unix/BSD back-end than the other Unix variants,” he said.
Only last year, a MacBookAir was hacked in less than two minutes using the Safari browser. The hacker, a US security analyst who scored US$10,000 at the pwn to own competition, said the fully updated and patched OSX 10.5.2 was easier to hack than the updated Vista and Unbuntu systems.
Securus Global CEO Drazen Drazic said it is well reported that Macs are not invulnerable and said it is doubtless that hackers are hiding unreleased exploits.
“Very surprised if there is not exploits that guys are sitting on as 0-days for their own private use,” Drazic said. “It's far more beneficial to keep private a vulnerability for an iPhone.”
Hackers that keep vulnerabilities on the down-low have more time to write and perfect exploits. “It could take say three months to write an exploit for a standard memory-corrupting vulnerability for OpenBSD,” Drazic said, adding that it may take a few days or hours to exploit address space randomisation and memory protection which are new to Apple systems.
Still, industry figures say the security of an operating system cannot be rated by its exploit count — an approached favoured by many vendors — because more vulnerabilities will be discovered in popular operating systems than obscure alternatives.
Moreover, the most prevalent Mac infection techniques require reckless users as it is arguably more difficult to hack the latest OS X and Windows Vista systems - if only because they do not allow root access by default and contain better application installation controls than their predecessors. The iServices Trojan Horse, discovered in January which triggered a Mac botnet scare, typified the use of pirate software as a vector of attack.
Researchers are not suggesting that Mac exploits will be launched in a collective Armageddon, rather they may be quietly in use now, and taking advantage of Mac users smug on security, or vendors that are ignorant to the holes.
“You can't be certain that their not using exploits just because you're not hearing about it. Many organisations don't have decent logging or monitoring and don't run penetration tests, so they can't tell if they are compromised,” Drazic said.
- Bookmark this page
- Share this article
- Got more on this story? Email Computerworld
- Follow Computerworld on twitter
- HP ePrint Enterprise mobile printing solution
- Lost USB keys have 66% chance of malware
- IDC Insight: V-Ray Gives Symantec NetBackup a Competitive Advantage Today and into the Future
- Virtualisation and Cloud Computing: Optimised Power, Cooling, and Management Maximises Benefits
- Magic Quadrant for Enterprise Disk-Based Backup/Recovery
-
The NBN, service providers and you... what could go wrong?
-
NBN build gaining momentum daily: Quigley
-
FTC chairman: Do-not-track law may not be needed
-
Kindle sales soar but Amazon mum on actual numbers
-
Wall Street Beat: IPOs, M&A, chip news stir tech optimism
-
Windows 7 for Dummies®
-
Computers for Seniors for Dummies, 2nd Edition
-
Excel 2007 All-In-One Desk Reference for Dummies
-
Microsoft Office
-
Windows 7 for Dummies® Dvd+book Bundle
-
Office 2007 for Dummies
-
Office 2007 All-In-One Desk Reference for Dummies
-
Windows 7 for Seniors for Dummies®
-
Teach Yourself Visually Windows 7
Comments
Anonymous
0day-no way
Of course that is the case. The guy did not hack the Mac in 2 minutes from scratch. He has had the vuln and 0day for who knows how long. The stuff is out there as Drazic mentioned. It is not worth giving this stuff away for free to Apple or whoever.
Anonymous
FEAR PANIC RUN FOR THE SECURITY COMPANIES
Yes ALL computer users need to be aware of security issues. Phishing and scams are a bigger security threat than EVIL hackers and there bots, worms, and trojans.
Anonymous
Tick Tock
The clock has been ticking for a while and we have fewer problems than Windows. Anyone with an ounce of sense realises that OS X is not impervious to attack. Only gullible journalists and fanbois caught up in an OS war are stupid enough to fall for the hype.
When push comes to the shove Windows is more likely to be exploited than OS X.
Anonymous
Mac OS vulnerability
When it comes to vulnerability the bomb is ticking for all Operating Systems. Just one jackass that uses their skill for distruction rather than benefit can burn most any system. I have never understood why our wonderful Homeland Insecurity could allow such exploits. There must be a way to track the creator of such distruction and bring them down. Just don't get it!
Anonymous
Only half the story as usual
While it is true that Mac's are less popular and as such less a target that is only a very small part of the Mac vs Windows security issue.
Windows is more targetable because MS's code is sloppy at many more levels than just the OS and the browser. Their legacy of single user un-documented code for integrated inter-application communication (that they used to make office integrated and keep Lotus and Wordperfect out of the windows market) is what makes it so easy to break into and do bad things.
As long as they try to keep backwards compatibility in Windows there will be easy access to their systems by script monkeys.
This has nothing to do with buffer overflows and deep exploits it is that they never fully eliminated historical ties to the single user environmental assumption legacy code. OSX was a full re-write to multi-user environment and it broke everything before it to fix that. Windows never truly did that.
OSX has been that way since day one. Windows is still making the progression and each release moves it closer but it is still not where OSX (and Unix) was 8 plus years ago. Again this about the whole code set (inlcuding MS applications) not just the operating system.
Anonymous
Bomb ticks on Mac, Explodes every day on Windows
"could be shattered if" is the key phrase right in the first sentence.
It is a possible scenario for Macs; It is an everyday scenario for Windows.
Lawrence
Still Waiting
Anybody know how many years the security experts have been repeating this mantra? Ten years now? Meanwhile OS X's market share has been steadily rising. Still nothing in the way of self-propagating worms or viruses, just trojans and phishing so far. The experts have been saying "any day now" for a long time. How long before we start ignoring them?
I'm not saying that OS X is any more or less secure than any other OS. What I do know is that, when running a standard user account, I have to type in my password to do just about anything in terms of installing software or making changes to permissions, preferences and the like. I do not run AV software at this time but I do keep track of what is, or is not out there. IF the day ever comes that I really need protection I will act accordingly.
Everybody should know by now that the absolute weakest link in the security chain is the one between the ears of the user. The January '09 trojan introduced into pirated copies of the iWork suite of applications proves that in spades. If you regularly pirate software off the torrents then I suppose you should do yourself a favor and install AV software on your Mac.
Anonymous
You are grasping at straws, Windows users
Sure, you like to call it 'smug' but the FACT is that Mac users are FAR MORE SECURE.
There are still ZERO VIRUSES. A trojan can find it's way onto ANY computer.
Windows is a TOTAL MESS, and you all KNOW IT. And CW knows it's readership is still majority windoze users. Don't want to offend the readership, best toss them something that will make them feel good, right?
What's the freqeuency, Kenneth?
FUD
Clickbait FUD...I think I'll wait until the FIRST exploit (other than a Trojan Horse, from which no one protects you well or quickly) shows up in the wild, thanks! Until then, I'll laugh at Windows and it's thousands of exploits.
fabrice002
Pride goeth....
It’s a shame that a publication with your history and reputation has fallen so far.
It's not that Mac users aren't smug - probably some are, although that may be more in the eye of the beholder than in reality.
It's that the taunt contained in the headline disqualifies the remainder of the article as intrinsically biased, no matter how accurate it may be.
Your attitude is malevolent; beyond predicting, but hoping and wishing that someone will suffer. Why? Do you or your readers need to gloat? Beyond sad, that's childish.
Send an e-mail when you return to get serious journalism.
Anonymous
I have been hearing this for
I have been hearing this for a long long time. I have seen one trojan horse in something like 13 years of using mac. It was supposed to be a video codec for quicktime. It was not me who downloaded it but a novice user . No worms or other viruses.
I have seen hijackers, viruses, trojans and worms for windows. Just finished fixing one. She was about to buy a new computer!! Thought it was dead! I will install a virus checker when there is a real threat!
Anonymous
13 years of Virus free Mac use
What is it with windows users? You just can't stand it that the Mac OS is easier to use, and much more secure can you.
What does it take to make you wake up and see why users love the Mac?
How many billions are wasted on windows steaming
pile of crap?
How much data is lost?
What is the "real cost" of owning a PC after you add up what it cost to "marry" an IT guy to keep it running?
Talk about being in denial!
auramac
Smug?
Mac users are not smug. We're just grateful and perplexed that Windows defenders resent us because of our apparently wiser choice of OS.
When you believe strongly in something, it is both annoying and surprising to find yourself in the minority and on the defensive.
Computerworld is to Mac-bashing what the Pakistan-Afghanistan border is to terrorism.
Anonymous
XP can be made bullet proof
Or so says Steve (Monkey Boy) Balmer. He claims that Microsoft has made a bullet proof version of XP. The only catch, it's only available to the military. Why, if XP can be hardened so as to be bullet proof, can't it be made available to the public. My guess, Anti-Virus and Anti Spyware vendors would go ballistic.
Mickey
So What....
If and when a mac virus comes out it'll take 1 day to develop an anti-virus for it, just like it's done on Windows everyday. Really, the media including CW are hyping this stuff because it buys clicks, but it's not like it's going to be this huge deal. Remember that trojan back in January? Despite the fact that it was one of the first trojans, it wasn't a big deal because of the following:
The next virus isn't going to spread like wildfire like they do in the Windows world because of several factor, including the fact that proportionally more Mac users are on the internet, and are more likely to get the heads up sooner, rather than most windows users that are unaware a virus is even out (despite news reports) until they get it.
Also, more mac users are familiar with the fact that they should run update weekly, since it's on by default vs. the average windows user that runs a system update after someone tells them to which is usually after their first virus encounter. I can't tell you how many times I've walked into a business or home to find the users I'm helping haven't even applied the latest service pack, nor run any updates since they bought the computer. (It probably numbers in the hundreds.)
That's pretty sad. Really viruses could be stopped cold if there were more user education and less hyping of non-events. Next CW headline: "The internet could come to a grinding halt!..."
(if everyone turned off all the servers in the world. ;)
Mickey
BTW: look at that graphic
It's a screen shot from Mac OS 10.2 (or 10.3). it even shows IE which was discontinued at least 4 years ago. Really CW the fact that you recycled this graphic from ages gone by shows that this warning has been run once every few years, but has never come to light.
Simon
Pure F-U-D
The media keeps harping on the claims of Mac "insecurity" -- dredging up so-called "security experts" from the distant corners of the earth to bang the gong of fear-uncertainty-doubt (aka FUD).
The two supposed experts quoted here, Drazen Drazic and Chris Gatford have little-to-none Mac experience. Here, for example, is all that Drazic's written on Macs: <a href="http://beastorbuddha.com/category/mac-security/">http://beastorbuddha.com/category/mac-security/</a>
And Gatford's Mac knowledge is shown by <a href="http://www.penetrationtester.com/blog/2006/12/6/working-on-a-mac-in-a-windows-shop.html">this posting on his blog.</a>
In other words, their knowledge of Mac security is about the same as any other computer nerd with a blog: pretty minimal.
Anonymous
So shameless hits are more important than integrity for Computerworld. Sigh.
Anonymous
I agree. Having used Macs for the last 25 years, I've only once had a virus. That was in the eighties. Try that with a pc.
Anonymous
Smug? Yea ... When did I first read this story? Oh yea, 2000 ... and 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008 and 2009 and yet no alien probe ...
So, basically the streak is about 10 years or about 3,600 days ... what's the longest WINDOWS has gone without the spyware/malware/virus/trjan alert status been updated?
Sometimes, it's hours, isn't it?
And no, it's not the obscurity thing - after all, there are 50 million OSx users and sometimes as few as an install of WIN of 200,000 can be hit so clearly it's not that.
Look, some people are like those NOT in Mexico running around with a mask on - they just prefer to think it's all collapsing around them ...
Buy a Mac, use a mac chuckle at the chuckleheads ... got better things to do on a computer than worry about an astroid hitting us.
Anonymous
Weak article
This article is sloppy and weak starting with the title: comparing a browser (Safari) to an operating system (Windows).
The fact is, no one has seen a "REAL" exploit for the Mac in the wild this century. By real, I mean I wouldn't count nonsense like having to supply your admin password to activate pirated software; thus activating a "Trojan". In contrast, Conficker, for Windows, has already cost 9 billion real US dollars this year. What is the cost to society of Eneterprise's self-serving, cult-ish devotion to Windows? Windows strongest virtue, by a wide margin, has always been providing jobs for tech support people.
Gonads
(No subject)
a perfect example of smug right there.
“It's only a matter of a time before Macs get more market share and become a more viable target”
buddy, you're just not worth the trouble yet.
Anonymous
Heh
As a Ubuntu user I find these articles pretty funny, there are SO many blinders on Windows users and yet they pick on the MAC guys. I think I've read for several years going that the MAC and Linux are the next great targets and yet it doesn't seem to ever come to pass. One might cynically theorise that these articles are mere click bait - Whatyuh think Computer World? Personally I'd have zero fear of setting up my Linux box or a MAC directly to the net. A Windows machine on the other hand . . . .
Pure F-U-D Numb Nuts
Going the 'experts'
Wondering what you are defending. The first link had some good info in there. He seems like he likes the Mac and is not saying anything that really isn't true. Doesn't seem to me that either 'expert' was saying something wrong. I think the Securus Global guys know a bit about Apple security. Sounds like you don't.
Pure F-U-D Numb Nuts
Last post directed at Pure F-U-D Numb Nuts.
Steve J
Bill and Balmer
Windows users when will you realize the Billions of dollars in MicroSoft profits have come from you fixing Windows on your own time. How much is your time worth? Has MicroSoft EVER paid you once for fixing their piece of OS?
What fools, slaves to cr*p.
There are no viruses for Macs. Live without it, your choice.
When you want your life back look at a Mac.
Post new comment