By Will Sturgeon, 1 August 2006 16:20
NEWS
A recent upturn in Apple's sales of its Mac computers has added fuel to concerns the Mac community's days of claiming a secure upper-hand may be numbered.
Last week it was revealed that Apple's shipments of its Mac machines had shown double digit growth, year-on-year, with analysts suggesting the growth is set to continue with more PC switchers in the pipeline.
And while that is great news for Apple and its marketing prowess, it has coincided with the question of Mac security rearing its head once more, with three large security vendors issuing words of warning for the Mac faithful while Apple remains tight-lipped about the security of its machines.
Mark Sunner, CTO of MessageLabs, said: "Now, as Macs become more popular, we're seeing an increase in attacks targeting OS X."
Greg Day, senior antivirus researcher at McAfee, said his company's recent Global Threat Report found evidence to support that claim.
Day told silicon.com: "Microsoft has the biggest bull's-eye on it but there's a lot of interest in Apple right now. There have been more vulnerabilities discovered in OS X than in XP over the past two years."
Day said 95 vulnerabilities have been discovered in XP during that time compared to 238 in OS X.
Jay Heiser, research VP at Gartner, said he would expect to see the risks from owning a Mac increase with popularity and a greater market share. "The relative 'safety' of the Mac environment is not so much an issue of obscurity, as it is a lack of hack-leverage and perhaps biological diversity," said Heiser. "From the attacker's point of view, the bigger the set of logically identical targets, the bigger the payoff in creating 'crimeware'.
"Clearly, as the number of Macs increase, it becomes more appealing to target them."
Heiser added: "The most important consideration is the amount of code. The level of vulnerability is a function of the size of the code-base and it is inevitable that the Mac OS contains a significant number of unrecognised vulnerabilities."
Last week Russian antivirus vendor Kaspersky Labs also waded in to the Mac security debate, with its own findings reporting a similar hike in the number of vulnerabilities found in OS X.
And while vulnerabilities and actual proven exploits are very different things, Kaspersky Labs echoed the concerns of others, saying 60 vulnerabilities discovered in the first half of 2006 suggests if growing popularity were to invite more attacks this could soon become a problem.
McAfee's Day also criticised Apple for being slow to address these vulnerabilities - adding that Microsoft, albeit due to an unflattering history of vulnerabilities, is at least largely on top of the situation.
He said: "I think Apple has not been as organised as Microsoft has had to be through necessity at dealing with vulnerabilities."
At the time of writing Apple had failed to comment.
Comments
There are 11 comments. Join the discussion
1. Garry Sidaway
People are now becoming aware of security flaws exploited on the MAC operating system but the difference here though is that the business community using the MAC OS is still relatively small and limited to graphics and media industries and therefore although they're still targets the community itself remains of limited value to hackers who want the recognition through notoriety and fame of global scale attacks - achieved by targeting the business community, which predominantly leans on Microsoft.
The iPod and multimedia may change this, but for now, like mobile phone viruses, MAC security issues will have little impact on the business world.
MAC Users should always be aware of security issues but I would say that risks themselves are quite often over-hyped.
2. MaXtel
No true real working viruses, spyware or malware on Mac. None. full stop. FOR SIX YEARS NOW!
More than 72,000 viruses on Windows, besides thousands of spyware and other malware.
Those are the fact. The rest is fantasy.
Gimme a break!
3. anonymous
I do not find it surprising that an operating system that is only a few years old and that is being updated almost yearly would have more issues. What I think is a shame is that an operating system that is complete would have so many problems that have to be fixed. How will the mac os be when it is as old as xp.
4. anonymous
I agree that no OS Is totally immune to problems, but, so far there have been no real attack on Mac OS, at least the ones I have read so far.
As a use of several Apple Macs, I can honestly say that to date - no attacks have been made. I have been using Macs since 1997, that's over 9 years, not a single attack. All my Macs I'm currently using are now at Mac OS X Tiger. In fact I've been using Mac OS X since 10.2 and no attacks so far.
Also I think Apple is doing a great job in releasing timely security updates, in fact , the security update I just downloaded is proof of that.
There is something to be said for all that!
5. anonymous
Pen testing experts at 360is published one of their quarterly reports mentioning the increasing hacker focus on OSX in June.. http://www.360is.com/360is-ei-Q206.htm
6. Graham Coles
Vulnerability is NOT just a function of codebase.
One of the major differences between XP and OS X is the classic issue of Windows being based on a non-networked, single-user trusting architecture (MS-DOS). Everything just got piled on top of that architecture leaving you with a mish-mash of legacy crap like Activex (all or nothing security model!), everything needing to run as Administrator (enabling Sony's rootkit to install easily) and filesystems like FAT originally designed for use on a 360 KB floppy disk with no concept of user permissions!
Unix predates windows, yet was designed for multi-user networked usage and the concept file permissions, many ordinary users and a superuser account for administration.
System design plays a bigger part in vulnerability than just counting lines of code. Open source, for example, improves security by making the code visible allowing it to be vetted more often (e.g. OpenBSD).
Based on Unix, OS X also clearly separates most users as non-admins, leaving a more secure system as shown by the recent attempts to try and produce malware for OS X has shown - trojans and worms that are forced to ask for the user’s permission before they can install! Since when has any malware on windows ever had to ask.
Windows was designed the wrong way up, starting as a very insecure system and just having various security permissions pasted on top of it. As any security expert will tell you, that's no way to design a secure system.
7. anonymous
It may be a growing market and a risk, but McAfee have pulled Virex and none of the companies names provide a consumer / SOHO / small business offering where the bulk of Macs reside.
So they obviously don't think that there is a big enough market opportunity there for them to sell anti-virus and other security software to the Mac community.
Don't watch what security companies spin but look at the areas they are looking to do business in.
8. anonymous
Surprise surprise, there is an advantage in having a large diversity of operating systems after all.
9. anonymous
I think the idea that security is all about patching vulnerabilities is a very narrow view. You can't achieve a good level of security by finding vulnerabilities, patching them and distributing fixes. The code base of any decent OS is too big. You risk introducing another vulnerability every time you patch an existign one and new features in software are being added to fast to keep up. Current patching strategies are just automated forms of shoveling against the tide. You have to rely on other methods to be secure.
Security through obscurity does not work and it's strange that you mention it at all.
It's quite true that security by simplictiy works. The size of the code base, as you mention, is a good part of this but modular design is also important and that's an area where OS X is well ahead of Windows.
Another security concept which works is called Security-in-depth. This is where you design a system so that more than one thing has to go wrong before security is actually broken. Again, Mac OS X is well bit ahead of Windows in this area. Apple has had six years perfecting many of the same security-in-depth features that are just now being incorporated into Windows Vista.
If you're going to compare security on Windows and Mac OS. You have to consider a host of issues like the granularity of the file permissions system and the useability of the system when logged in as a non-administrator. It's really more important to consider how difficult it is to exploit vulnerabilities on an OS than to consider how many vulnerabilities exist.
10. Dave
OK, so you can almost measure the decline in these security companies revenue by the frequency of attacks on Mac OS. They obviously don't view Linux as the same threat, even though the underpinnings of the OS are mostly the same (yes, I know it's based on Mach, but it's still a Unix variant).
As for the report listed from Pen Testers, I had to laugh. Three whole published vulnerabilities. In one quarter. I bet Microsoft would give their left arm for that. And with Vista (eventually!!!) coming out, we are about to open up a whole new can of worms for vulnerabilities. XP wasn't even close to secure for the first 3 years, and even after SP2 still has a pretty long way to go. I will stick with a Mac, and keep myself secure based on my knowledge of what vulnerabilities (theoretical or otherwise) exist. At least I can count them on one hand ;-)
11. Roy Judd
I've a feeling we've all been here before, and I'm beginning to suspect sour grapes. As irritating as it must be for journalists and anti-virus software purveyors, OS X is, to date, virus free. Fact, not fiction; in over six years, not one successful virus! No matter how it galls, do try to come to terms with it, and please don't come back to the issue until there is something worth reporting. "I wish OS X has a virus on the way" is rather crass, no matter how it's dressed up.