MSNBC reports (via the AP) “Macs no longer immune to viruses, experts say”. This title, as striking as it is, has no thought put behind it. Say what you will, but I’m positive Macs have never been ‘immune’ to viral attacks. Let’s be fair here, too: the general category should include cyber attacks as a whole – exploit code (theoretical or not), viruses, Trojans, worms, etc. In fact, Apple has NEVER in 30 years made the claim that their software was immune from attack. It gets even better as you read the article. It is obvious Tom Ferris has taken an interest in Mac OS X, probably because the media and the community tout OS X as virtually bulletproof. I have no doubt there are a lot of problems with OS X, but just like with a presidential candidate, you either pick the best of the lot or don’t vote at all.
Apple’s most recent wake-up call came last week, as a Southern California researcher reported seven new vulnerabilities.
This bothers me because it makes it seem that Apple has turned a blind eye to security, suggesting Apple is following the path Microsoft took. Then the alarm clock went off. These things happen all the time, and at least once a year multiple attack avenues are published.
Ferris said he warned Apple of the vulnerabilities in January and February and that the company has yet to patch the holes, prompting him to compare the Cupertino-based computer maker to Microsoft three years ago, when the world’s largest software company was criticized for being slow to respond to weaknesses in its products.
Here we see the reinforcing statement that Apple isn’t doing anything about Ferris’ findings. While I am not disputing whether his findings are valid, I did a little digging. Ferris, in his own words, stated: “As I previously wrote, I have been fuzzing Mac OS X applications, and have found quite a few flaws. Below are links to some of the flaws, which I have found. All of these were reported to firstname.lastname@example.org the beginning of the year. From what I have been told, they ‘will be fixed in the next security release’.” Considering this is several different flaws, I would expect some time to pass before a patch became available. If his findings were one-offs, then I would expect a faster response. I wondered then, how many vulnerabilities has Apple handled since OS X’s release in 2001? Here are Apple’s statistics from NVD. Note the criteria I used, and you can decide if that is a fair assessment to use or not. Here are Microsoft’s statistics based on the same criteria. Interestingly, both companies have vulnerabilities in their software. It seems Microsoft has consistently had more, but nevertheless, Apple has added to the pool. Just for comparison, here is the entire industry so far, based on the data available from the NVD site. I chose remotely exploitable because the reality of the world is 98% of attacks come from remote machines, not local access.
The article continues…
In Daines’ infection, a bug in the virus’ code prevented it from doing much damage. Still, several of his operating system files were deleted, several new files were created and several applications, including a program for recording audio, were crippled.
Behind the scenes, the virus also managed to hijack his instant messaging program so the rogue file was blasted to 10 people on his buddy list.
The AP must be referring to OSX.Leap.A (shock! a worm!), but obfuscates when it describes the exact results of Daines’ computer infection. Leap.A did not modify any system files, but did modify/create some home folder files.
I will blast Apple for not having the Mac OS X firewall on by default. That is something that we should all start email-bombing Apple about changing soon. (I use that term figuratively – don’t really email bomb anyone. That is uncool.)
Then the statistics to back up that OS X is under fire:
Among the other signs Macs are a growing target:
The SANS Institute, a computer-security organization in Bethesda, Md., added Mac OS X to its 2005 list of the top-20 Internet vulnerabilities. It was the first time the Mac has been included since the experts started compiling the list in 2000.
They are referring to this. Of course, OS X would make the top 20 in Unix vulnerabilities because Apple is the largest distributor of UNIX operating system software. With Apple’s growth of OS X installations, this would have happened no matter what stance Apple had on security.
This week, SANS updated the list to warn against flaws in Safari, the Mac Web browser, which the group said criminals were able to attack before Apple could fix it.
The top 20 doesn’t mention any browsers.
The number of discovered Mac vulnerabilities has soared in recent years, with 81 found last year, up from 46 in 2004 and 27 in 2003, according to the Open Source Vulnerability Database, which is maintained by a nonprofit group that tracks security vulnerabilities on many different hardware and software platforms.
This suggests, then, that there is a trend toward decreased OS X security. There is no mention, again, that in the same time period Microsoft experienced a similar surge. In comparison, it would appear that Apple’s number of discovered flaws was in fact below the industry norm.
Less than a week after Daines was attacked in mid-February, a 25-year-old computer security researcher released three benign Mac-based worms to prove a serious vulnerability in Mac OS X could be exploited. Apple asked the man, Kevin Finisterre, to hold off publishing the code until it could patch the flaw.
Microsoft asks the same, so how is this important? In fact, I think that is just common courtesy. Publishing security research findings is great, but you have to give the vendor a fair chance to correct the problem and not alert the dogs to fresh meat.
The article attempts to make everything happy again by coming to the conclusion that no computer is safe, especially now that Apple chose to use Intel chips. It’s just a chip, and the fact that its popularity means more information appears about it doesn’t mean that the software flowing through it is more or less secure. Macs are vulnerable; to what degree can be argued until one is blue in the face. Just be careful, especially when the AP and MSNBC try to spread FUD like this.