Minority Report: Mac OS X virus scares

'For real' or 'get real'?

COMMENT

The debate over Apple-related security rages on. But, says Seb Janacek, let's not be blinded by extremists on either side of the debate.

The good news for Apple fans is that the Mac appears to have gained mainstream acceptance in the technology world.

The bad news is that this news comes in the form of what many have claimed is the first true Mac OS X virus. No doubt some corners of the long-suffering Windows community would issue a warm welcome: come on in, the water's lovely.

The 'virus', called Leap.A or Oompa Loompa, was first discovered in mid-February by UK antivirus firm Sophos. The malware spreads via Apple's iChat instant messaging system and forwards itself as a file called latestpics.tgz to contacts on the infected users' buddy lists.

The news of the virus was heralded by some security experts as the shape of things to come.

Graham Cluley, senior technology consultant for Sophos, claims Leap.A represents the first "real virus" for the Mac OS X platform.

In a statement he warns: "Some owners of Mac computers have held the belief that Mac OS X is incapable of harbouring computer viruses but Leap.A will leave them shell-shocked, as it shows that the malware threat on Mac OS X is real."

More predictions of doom followed a few days later with news of another piece of OS X malware called Inqtana.A, which spreads via a vulnerability in Bluetooth. This time the malware was a proof-of-concept, never appeared in the wild and was set to expire on 24 February.

Meanwhile, a third Mac security scare hit the "shell-shocked" Mac community last week with news of an "extremely critical" vulnerability in OS X.

According to security firm Secunia, the vulnerability is due to an error in the processing of file association metadata in ZIP archives and mail messages. Secunia claims the vulnerability can also be exploited automatically via the Mac's default Safari browser when visiting a malicious website.

The metadata threat is currently a vulnerability, not an exploit: no working exploit had been reported at the time of writing. Meanwhile, both worms are graded as 'low risk' by security companies. And for good reason, as they pose little to no threat whatsoever to the average Mac user running the Tiger operating system.

Leap.A, the more 'virulent' of the two 'worms', actually sounds more like a Trojan, and requires a user to perform a series of steps before the payload (in this case, next to nothing) is delivered.

Firstly, the malware must be accepted via iChat, then the user must double-click on the file to decompress it, then double-click the 'jpeg' to view it. If all this is done, the user is then asked to provide his/her administrator account and password for the image to be opened.

If the admin password is provided, the Leap.A code then attempts to install itself into an application.

It's at the point that an admin password is requested that alarm bells should be ringing for the majority of users - any responsible user should be asking him or herself what is going on. (In OS X, images open by default in an application called Preview and don't require admin privileges to open.)
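A defender-side check for the archive step described above, as an added example that is not part of the original column: it opens a constructed latestpics.tgz and flags any member whose image-style name disagrees with its contents (executable bit set, Mach-O header, or no image magic bytes). The magic-byte tables, member names and sample payloads are assumptions made for illustration.

```python
import io
import os
import tarfile

# Magic bytes for common image types (illustrative, not exhaustive).
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Mach-O signatures: 32/64-bit thin binaries in both byte orders, plus fat binaries.
MACHO_MAGIC = (b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
               b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
               b"\xca\xfe\xba\xbe")


def inspect_archive(data: bytes) -> list:
    """Return one finding per regular file whose name, mode or header disagree."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            head = tf.extractfile(member).read(16)
            ext = os.path.splitext(member.name)[1].lower()
            reasons = []
            if member.mode & 0o111:
                reasons.append("executable bit set")
            if head.startswith(MACHO_MAGIC):
                reasons.append("Mach-O header")
            if ext in IMAGE_MAGIC and not head.startswith(IMAGE_MAGIC[ext]):
                reasons.append("image extension but non-image content")
            if reasons:
                findings.append({"name": member.name, "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed 'latestpics.tgz': one genuine JPEG header, one Mach-O named as a JPEG."""
    members = [
        ("latestpics/photo1.jpg", 0o644, b"\xff\xd8\xff\xe0" + b"\x00" * 60),
        ("latestpics/latestpics.jpg", 0o755, b"\xce\xfa\xed\xfe" + b"\x00" * 60),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, mode, payload in members:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            info.mode = mode
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_archive(build_sample_archive()):
        print(finding["name"], "->", ", ".join(finding["reasons"]))
```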

The majority of OS X users are not logged in as 'true' administrators by default and fewer still run as the root or 'super' user in the operating system's underlying Unix core. To do so requires a significant amount of command line work - beyond the ken of most users.

Apple this week issued a security update for OS X which addresses some of the concerns raised by the recent threats (available via Software Update or the Apple website).

In reality, all this represents very low risk for most Mac users.

Indeed, the most interesting aspect of the virus is the social engineering hook that the malware author uses to tempt the average Mac user.

Windows users have long fallen prey to email enticements promising images of scantily clad pop nymphets and rubbish Russian tennis stars.

The inducement to lure Mac users into double clicking on a file containing malicious code? Screenshots of Leopard, the next generation of Mac OS X (10.5) due out sometime in 2007. Same idea, different delivery, not quite so saucy.

Still, you've got to admire a malware author prepared to do his research - the prospect of a view of the much-hyped new Finder that represents one of the major developments in Leopard is pretty exciting for any OS X fan - but now I digress.

The Mac platform has been famously untroubled by malware for years.

Some attribute this to the theory that malware writers are interested solely in the mass propagation of their work and the small market share of the Mac (anything between three and five per cent depending on whose statistics you believe) is of very marginal interest.

In addition, since the arrival of OS X many have pointed to the underlying robustness of the Mac's Unix core, with its root access disabled by default, as a formidable obstacle to malware authors.

The indications are that if the Mac continues its recent increase of market share its attraction as a target to malware authors will increase. However, the indisputable fact that Mac OS X's Unix core is fundamentally more secure than Windows means that the challenge is considerably greater for potential malware 'switchers'.

In a Minority Report column on OS X security published in June 2005, Sophos product manager Phil Wood commented: "The technical challenges of producing malware for the OS X operating system are more difficult than for Windows. Both Mac OS X and Linux are much more secure than Windows. You would have to be genuinely clever to write an OS X virus and most virus writers are not."

Reactions to the recent spate of security stories have varied. Some rather smug Windows users (and perhaps security consultants with products to sell) have predicted that the sky has begun to fall in on Mac users.

Meanwhile, some equally smug sections of the Mac community have predicted that OS X is an impenetrable fortress with nothing to fear from the collected hordes of malware authors who have managed to make the majority of people in the Windows world miserable and paranoid about email-borne viruses and worms.

The potential threat to OS X from viruses and other forms of malware remains extremely small for the time being. However, this looks to be changing as these worms - and other proof-of-concept programs - spring up online.

In June's column, I suggested that as market share increases the "genetic make-up" of the Mac community is changing as more first-time Apple buyers make the switch.

It's from here - a segment less interested in the technology and possibly less savvy than the traditional Mac user base - that a possible risk emerges. Users may not think twice about entering passwords to view unknown files because as the salesman said: "Macs don't get viruses."

Social engineering will inevitably play its role.

Another risk is that malware authors will pick up the gauntlet thrown down by those who claim that OS X is impregnable - laying down a challenge to that minority of 'skilled' malware authors bored with shooting fish in the Windows barrel and turning their focus on big-game targets.

Further headlines announcing further Mac security "risks" are inevitable. Stories about vulnerabilities in the Mac and Linux platforms are items of curiosity in the mainstream technology media. But compared to the constant threat posed to users of the Windows platform from tens of thousands of existing and new malware threats, the danger is minuscule and in some respects still theoretical.

A few low-grade worms or vulnerabilities are incomparable to the avalanche of new malware threats faced by users of the Windows platform.

Last June, Sophos' Phil Wood said that while no true OS X virus existed it could only be a matter of time before one appears.

What he advised then seems even more pertinent now: "A bit of vigilance is required - Mac users don't live in an unassailable tower."

Every defence has a weak spot. It's just a question of finding it. A little more balance from certain security outfits wouldn't go amiss, though. Neither would a little less complacency from certain sections of the Mac community.

Comments

There are 14 comments.

  1. Daniel Carter

    Thank you for writing a balanced article on the recent news of security threats and malware for OS X. Most articles I've seen jump far to one side or the other.

    • 3 March 2006 14:07
  2. anonymous

    Personally, I'm jaded with the suggestion that Mac OSX is virus-proof. There is no such thing, and it's absurd to believe anybody could think such. In some ways, I'll be glad when a good virus will flow through MacLand so the pundits will finally be able to say "I told you so" and will -- hopefully -- finally shut up about it. Problem is, most in MacLand will probably not realize the import of the virus since they will be tired of hearing how the sky is falling; and that, of course, will contribute to its spread. Ironic, isn't it.

    • 3 March 2006 15:51
  3. Macs Rule

    Damn Already!!!

    LEAP A IS NOT A F*CKING VIRUS!!!

    • 3 March 2006 16:08
  4. EricYoung

    I don't really understand how many media reporters have taken up the stance that a virus is finally on the Mac. First it is not a virus, and if you really want to log on to an administrator account on your machine, and do some damage, then you don't need malware! Seriously, the reason that mac fanboys say that macs don't have to worry about viruses, is well, because they don't. There has never been one, so why wouldn't a mac fan say they are not worried. I have never all of the sudden just left the surface of the earth and started flying like a bird, and as a result, I am not too worried about this happening. I would look pretty stupid trying to tie myself to park benches, while proclaiming "it's only a matter of time until gravity will give up, then I will shoot into the air!!" A lot of people have also stated that the reason for there not being any mac viruses is because they have such a small market share. Well, there were several viruses for OS 9, and OS X is much more popular than OS 9. So the system became more popular and well known, and the hackers decided to stop writing viruses?? This is not logical! If the number of viruses was indeed related to popularity, then the number should have increased proportionally, not drop to zero!

    • 3 March 2006 16:29
  5. anonymous

    That's why the article says 'virus' and "real virus", notice the quotation marks.

    • 3 March 2006 17:31
  6. anonymous

    This article, like so many others, fails to comment on the perverse symbiosis that exists between viruses and the enormous industry that exists to "protect" computer users from these same viruses.

    I, for one, am VERY cynical about the motives of a company like Sophos, which "uncovers" the first Mac OSX virus, then broadcasts this to the world & watches as "tech" reporters go gaga over the news, and THEN releases new Anti-virus software for sale two weeks later. This, in fact, is precisely what happened here. Are we gullible or what? I would love to see some real investigative reporting done on this lucrative world of hi-tech security, where "proof-of-concept" viruses etc are actually being developed by the very same companies that provide the "solutions"!!

    • 3 March 2006 17:57
  7. Squigee

    I knew that as soon as something like this happened Windows centric sites (Cnet) would be trying to tell everyone there is no difference between OSX & Windows XP. Nothing is perfect, that's a given but to leap to that comparison immediately was totally over the top & misleading. Seems like these "tech writers" were trying to tell me that a grain of sand is the same thing as a desert. Nonsense.

    • 4 March 2006 02:36
  8. carl co

    yawnnnnnnnnnnn......... register slashdot cnet to name a few love it when a virus scare threatens the ivory mac users universe, i say to all you xp users keep defraggin refraggin scanning and washing your machine, me and a million other mac users will spend that wasted time doin something we want to do on our computer :)

    • 4 March 2006 15:24
  9. anonymous

    First off, stop wearing out Cluley. His real name is Clueless anyway. He has a product to sell. So do your readers a favour and ignore him.

    Second, in the midst of this debate, it's important to remember that no one is going to be correct if they don't get down into the details of the system itself and analyse and compare it with others from the point of view of present and future attacks. You need a system programmer for that - someone with a lot of chops. Like Eric Raymond.

    Apple have weakened both themselves and 'their' Unix by doing some incredibly dumb things with it and by pulling off from the rest of the community. When they screw up as they have, they have to go it alone, and their track record for patching things isn't exactly the best in the industry.

    The present panic blew over and for now is forgotten, but the security pro remembers this very same issue came up a year or two ago and blew over in much the same way.

    The only issues Apple have had in all these years are issues they themselves have created. These issues have nothing to do with Unix in general - nothing to do with Linux or FreeBSD. These issues happen to Apple because Apple have done some incredibly dumb things with 'their' Unix, to the point OS experts are hesitant to even call it Unix anymore. Anandtech, for example, called it a 'hodgepodge'.

    Beyond that, Oompa shattered a strong belief in the security community, namely that any intrusion must inexorably proceed to an attack to 'get root'. It was always there for the taking, but only with Oompa do these self-same security pros realise root is irrelevant and unnecessary to do a lot of damage.

    Apple had their users wait two weeks for this lame fix? Oh no. Apple are in denial - and that ain't just a river in Egypt.

    Apple need to get back in the good graces of the Unix community. They need to have a common code base and to refrain from putting all their cute 'doodad' features all over the place.

    • 4 March 2006 23:33
  10. OS11

    I agree it's one of the better articles on the subject, although there are 2 rather major errors in the headline, and those are: "Virus Scares", first of all there are ZERO viruses on OSX, so how can there be a "scare" when there hasn't been any viruses?, second the use of the plural of "scare" is wrong since that implies more than "1" when there are "O" current viruses on OSX. Technically, it's impossible for a Virus to spread on OSX, it's built totally differently than Windows and no matter how popular it becomes in the years to come, it "technically" cannot spread beyond "1" machine, thus, no Viruses on OSX. Now you know the rest of the story.

    • 6 March 2006 02:18
  11. Tim Coughlin

    The most important point is no one was ever infected.

    There has not been a single user report of being affected by any of these greatly overblown so called exploits. This is because they were proof of concepts, the bluetooth one having been patched 6 months ago, and the iChat one only being able to spread over an intranet NOT the INTERnet.

    • 6 March 2006 09:43
  12. Andy Gower

    Good article, well balanced and nicely written. Nice one Silicon.

    Amazing how many people get their knickers in a twist. Even more amazing that many people get so upset without actually bothering to read what they're posting about :-p

    • 6 March 2006 13:58
  13. Adrian Asher

    System security is clearly important, but what about your data?

    Something that concerns me with the whole *nix/MacOS security debate is that everyone seems to be overlooking user data. OK so it may be argued that *nix/OS X may be inherently more secure from a system perspective, but user data is still vulnerable, unless you are going to supply credentials every time you want to touch any of the files you own. The pain of having to carry out an OS reinstall may smart at the time but it's a small loss compared to all that data, including those irreplaceable holiday snaps, all that expensive downloaded music, home finance spreadsheets etc.

    Let's face it, how many people who believe their computer to be 'invulnerable' are likely to be backing up their user data on a regular basis?

    • 7 March 2006 12:06
  14. DH

    Excellent review of the issues.

    • 9 March 2006 10:43
