The Minority Report: The state of Mac OS X security

It's pretty healthy, by all accounts...

COMMENT As Apple attempts to lure Windows users away from their PCs, the promise of a virus- and spyware-free operating system could be pretty enticing. So does Mac OS X really trump Windows on security issues? Seb Janacek investigates.

The April launch of Mac OS X 10.4, aka Tiger, lost a little of its sheen following news that the Dashboard - one of the key features of the operating system - was a potential security hazard.

The Dashboard is a layer of 'widgets', cute mini-applications such as calculators, calendars and weather reports, which drop down over the desktop with the touch of a button. Apple has encouraged developers to create additional widgets and around 250 are available for download from the company's website, with others available from third-party sites.

The problem stems from the fact that widgets are automatically installed after downloading. According to an alert posted on the Full Disclosure mailing lists, an attacker could write a malicious widget that would run invisibly in the background and hijack a user's sudo (or admin) privileges. With administrative privileges, the attacker would have full control over the Mac.

One developer called Stephan claimed in his blog to have created two mini-apps which he described as "slightly evil". One of the widgets, he said, will automatically install itself on users' desktops when his 'Zaptastic' website is visited using the Mac's default browser, Safari. Stephan claimed this could allow porn scammers to hijack browsers.

Apple moved swiftly to deal with the problem and an upgrade (10.4.1) arrived just a couple of weeks after the launch of Tiger. The OS now prompts the user to confirm the download of a new widget, though not the installation.

Security is a big deal for Apple in its ongoing drive to garner potential switchers who have grown weary of constantly patching Windows machines and updating virus definitions.

Recent sales of Mac units have surged, helped in part by the iPod effect but also, at least according to research from Piper Jaffray, due to the promise of a virus-free computing utopia.

The unwelcome news about the widget vulnerability served to raise the profile of OS X's security. It followed reports earlier this year from analyst house Gartner and security company Symantec, which warned about the potential security risks faced by Apple users from spyware and malware, as well as a spectacularly ill-advised 'OS X virus writing competition', which was shut down almost as soon as it was launched. Judging by the warnings you'd think the Mac was under threat from all sides.

In truth, the real state of OS X's security is rather healthy. At the heart of the operating system is a Unix core that has been lovingly audited by the devoted open source community for years. By default, OS X users do not log on to a Mac as the root user - with access to the directory that includes all other directories. This effectively limits the amount of damage that could potentially be done to a machine. So while a user could switch to root, it is only through a fairly obscure path and certainly not something that could be enabled accidentally. In addition, the majority of applications - widgets aside - do not auto-install and require an administrator password to proceed.

Furthermore, current figures indicate there is little to no risk to the Mac from spyware and malware. Fewer than 100 viruses are known to exist for the Mac - many of which date back to System 7 and 8. In addition, no true virus exists for Mac OS X - putting aside the highly contentious 'Opener' program. This compares to around 100,000 viruses for the Windows operating system, of which around 470 are currently in the wild.

The security experts tend to agree that Mac security is solid. Phil Wood, product manager at security firm Sophos, believes the current threat to OS X users from malware is "slim".

He tells the Minority Report: "There are no viruses written specifically for OS X. There are one or two older macro viruses for Word for Windows that could modify a user's documents. However, there's only a slim, theoretical risk of that and practically speaking I don't think it will happen."

He also commends Apple's swift response to the widget problem and thinks the Mac maker is doing a good job keeping the system's security up-to-date. "Kudos to them," he adds.

Meanwhile, the reports by Gartner and Symantec predicted that the increasing popularity of the Mac will inevitably make it a more attractive target to spyware and malware writers - a theory that has long been debated (and debunked) on many Mac community forums.

Security experts believe this is a pretty good assumption. After all, you do need to have a certain critical mass of boxes to make the propagation of malware a viable proposition. Or, in the skewed value set of your average virus writer, worthwhile.

As the Linux user base has grown over the last few years, a few viruses for the open source operating system have been spotted in the wild, they assert.

And despite the resounding lack of success for malware authors in the four years and five iterations that OS X has existed, all software can have security vulnerabilities and "OS X is no exception", according to Samantha Gurr, technical manager at Trend Micro. "Technically, Mac viruses are as feasible as Windows viruses," she says.

"The main difference between Microsoft Windows and other platforms is that there are many more Windows users and thus much more pressure to discover new vulnerabilities," Gurr adds.

However, Sophos's Phil Wood isn't so sure. While he admits there could be a risk to Mac users from malicious code, the actual task of writing a virus that would penetrate and damage the operating system is probably beyond the technical abilities of the average malware author.

He says: "The technical challenges of producing malware for the OS X operating system are more difficult than for Windows. Both Mac OS X and Linux are much more secure than Windows.

"You would have to be genuinely clever to write an OS X virus and most virus writers are not," he adds.

Meanwhile, the response to both the Gartner and Symantec warnings from silicon.com's passionate Mac-using readers has been largely critical.

Many have long accused antivirus and security companies - often with considerable justification - of trying to drum up support for their own Mac security products through the classic tech marketing technique of spreading 'fear, uncertainty and doubt' (FUD).

Readers who have taken the time to post on past silicon.com articles on Mac security are generally bullish about the safety of their data and systems given the lack of current threat from malware.

However, others are increasingly cautious. silicon.com reader Kervin Desir says: "I think as the Mac becomes more widely use[d] we will have our share of viruses, that is almost impossible to prevent, but it all depends on [how] quickly and efficiently these vulnerabilities have their relevant patches and fixes."

The security experts concur. They advise that despite the present lack of danger a bit of common sense goes a long way and warn against complacency as that can only help virus writers. Sophos' Wood gives the usual recommendations to Mac users: "Be constantly aware of what you're downloading or double-clicking" and (of course) "keep your antivirus software up-to-date".

Social engineering has a key role in whether OS X remains secure. After all, part of the success of malware authors in general has been their ability to prey on victims' sense of curiosity (or downright stupidity). It's easy to roll our eyes at stories of people infecting their home machines or business networks in an attempt to see a glimpse of Anna Kournikova's bare ankle or read a spontaneous declaration of love but the techniques have proved extremely effective.

Historically speaking at least, Mac users have tended to be tech-savvy, possessing a passion for the technology they use. However, as the number of users switching from Windows to OS X increases, the 'genetic make-up' of the Mac community will be changed irrevocably. This could end up impacting the spread of malware.

In the end the cautious view of the experts seems wise. As Wood says: "A bit of vigilance is required - Mac users don't live in an unassailable tower."

Heck, a little vigilance is a healthy thing. But the enemy certainly isn't at the gates, or even in danger of crossing the moat. In fact, the enemy is likely still at home packing his trebuchet and spare gauntlets - more reason there's no harm in lending some thought to shoring up the defences a little. Just in case.

Comments

There are 2 comments.

  1. Andrew Rice

    MAC's not so secure.

    I've found MAC OSX systems amongst the easiest to hack into, especially if they have OS9 compatibility installed. Whilst Windows is not a secure environment it has been improving. Yes it is more targeted but that doesn't mean it's less secure.

    You have to separate MACs from Linux as if they were pure Linux based and intelligently configured then they would be more secure than a non intelligently built Windows or Linux system.

    One last point, it costs more to keep secure as the updates are hellishly expensive so a lot of people don't bother. Even I'm on a 10.2 version but don't trust anything sensitive to it because of this and won't be upgrading.

    • 7 June 2005 15:28
  2. astonished

    Security consultant my a**e.... A security consultant who won't be upgrading his Mac OS from 10.2 to make it more secure because it costs £50??? I pity the company that picks you as its consultant..

    • 7 June 2005 17:48
