

MSNBC reports (via the AP) “Macs no longer immune to viruses, experts say”. This title, as striking as it is, has no thought put behind it. Say what you will, but I’m positive Macs have never been ‘immune’ to viral attacks. And to be fair, the general category should include cyber attacks as a whole – exploit code (theoretical or not), viruses, Trojans, worms, etc. In fact, Apple has NEVER in 30 years made the claim that their software was immune from attack. It gets even better when you read the article. It is obvious Tom Ferris has taken an interest in Mac OS X, probably because the media and the community tout OS X as virtually bulletproof. I have no doubt there are a lot of problems with OS X, but just as with presidential candidates, you either pick the best of the lot or don’t vote at all.

Some highlights:
“Apple’s most recent wake-up call came last week, as a Southern California researcher reported seven new vulnerabilities.”
This bothers me because it makes it seem that Apple had turned a blind eye to security, suggesting Apple is following the path Microsoft took, and then the alarm clock went off. These things happen all the time, and at least once a year multiple attack avenues are published.

“Ferris said he warned Apple of the vulnerabilities in January and February and that the company has yet to patch the holes, prompting him to compare the Cupertino-based computer maker to Microsoft three years ago, when the world’s largest software company was criticized for being slow to respond to weaknesses in its products.”

Here we see the reinforcing statement that Apple isn’t doing anything about Ferris’ findings. While I am not disputing whether his findings are valid, I did a little digging. Ferris, in his own words, stated “As I previously wrote, I have been fuzzing Mac OS X applications, and have found quite a few flaws. Below are links to some of the flaws, which I have found. All of these were reported to [email protected] the beginning of the year. From what I have been told, they “will be fixed in the next security release”.” Considering this is several different flaws, I would expect some time to pass before a patch became available. If his findings were one-offs, then I would expect a faster response.

I wondered then, how many vulnerabilities has Apple dealt with since OS X’s release in 2001? Here are Apple’s statistics from NVD. Note the criteria I used, and you can decide if that is a fair assessment to use or not. Here are Microsoft’s statistics based on the same criteria. Interestingly, both companies have vulnerabilities in their software. It seems Microsoft consistently has more, but nevertheless, Apple has added to the pool. Just for comparison, here is the entire industry, as far as the data is available from the NVD site. I chose remotely exploitable because the reality of the world is 98% of attacks come from remote machines, not local access.

The article continues…
“In Daines’ infection, a bug in the virus’ code prevented it from doing much damage. Still, several of his operating system files were deleted, several new files were created and several applications, including a program for recording audio, were crippled.
“Behind the scenes, the virus also managed to hijack his instant messaging program so the rogue file was blasted to 10 people on his buddy list.”

The AP must be referring to OSX.Leap.A (shock! a worm!), but it obfuscates when it describes the exact results of Daines’ computer infection. Leap.A did not modify any system files, but did modify/create some home folder files.

I will blast Apple for not having the Mac OS X firewall on by default. That is something that we should all start email-bombing Apple about changing soon. (I use that term figuratively – don’t really email bomb anyone. That is uncool.)

Then the statistics to back up that OS X is under fire:
“Among the other signs Macs are a growing target:
“The SANS Institute, a computer-security organization in Bethesda, Md., added Mac OS X to its 2005 list of the top-20 Internet vulnerabilities. It was the first time the Mac has been included since the experts started compiling the list in 2000.”

They are referring to this. Of course, OS X would make the top 20 in Unix vulnerabilities because Apple is the largest distributor of UNIX operating system software. With Apple’s growth of OS X installations, this would have happened no matter what stance Apple had on security.
“This week, SANS updated the list to warn against flaws in Safari, the Mac Web browser, which the group said criminals were able to attack before Apple could fix it.”
The top 20 doesn’t mention any browsers.
“The number of discovered Mac vulnerabilities has soared in recent years, with 81 found last year, up from 46 in 2004 and 27 in 2003, according to the Open Source Vulnerability Database, which is maintained by a nonprofit group that tracks security vulnerabilities on many different hardware and software platforms.”
This suggests that there is a trend toward decreased OS X security. There is no mention, again, that in the same time period Microsoft experienced a similar surge. In comparison, it would appear that Apple’s stats on the number of discovered flaws were in fact below the industry norm.

“Less than a week after Daines was attacked in mid-February, a 25-year-old computer security researcher released three benign Mac-based worms to prove a serious vulnerability in Mac OS X could be exploited. Apple asked the man, Kevin Finisterre, to hold off publishing the code until it could patch the flaw.”
Microsoft asks the same, so how is this important? In fact, I think that is just common courtesy. Publishing security research findings is great, but you have to give the vendor a fair chance to correct the problem and not alert the dogs to fresh meat.

The article attempts to make everything happy again by coming to the conclusion that no computer is safe, especially now that Apple chose to use Intel chips. It’s just a chip, and the fact that its popularity makes more information appear about it doesn’t mean that the software flowing through it is more or less secure. Macs are vulnerable; to what degree can be argued until one is blue in the face. Just be careful, especially when the AP and MSNBC try to spread FUD like this.

8 Responses to “Immunity”

  1. Mantiz

    I must say I have to agree with both views here. Worlebird has a point, Apple has a very small market share compared to Windows, so the logical idea for a hacker/coder/as*ole is to attack Windows. There are a lot more viruses for Windows than Mac.
    That is also helpful for Apple to repair possible flaws in the programming that make Macs vulnerable.

    Less viruses -> less flaws being misused -> less time repairing them -> more security.
    So I get where the article is coming from, yes there are holes in OSX but there are even less viruses (mis)using them.

    Ryan on -THE APPLE BLOG-:
    “[ MSNBC reports… ]
    That’s enough information to discredit the news for me”
    Yes and your comment isn’t biased?

  2. Funny to compare this post to the one just after it…

    From this post:
    “Say what you will, but I’m positive Macs have never been ‘immune’ to viral attacks.”

    From “New Mac Ads”, immediately following:
    “Stating the obvious, Long informs Hodgman that Macs can’t catch viruses.”

    If Apple ever gets a big enough market share to even warrant writing viruses against Macs, they’ll be singing a different tune. Apple is protected by its tiny market share.

  3. Peter OD

    It seems obvious to me that this was arranged by MS’s external PR folks to counter the new Apple ad campaign that launched this week.

  4. Why must the firewall be on by default? There are no services running, so there is nothing to be blocked. I must say, outside of the corporate/university/government/etc. environment, where a complex firewall configuration is often a matter of necessity, I can never understand the raison d’être for the firewall. Firewalls (in the conventional port-blocking sense, like the one Apple ships) wouldn’t have prevented the spread of this worm anyway – it needs you to be running iChat, and if you were and had a firewall, you’d have the ports for that opened anyway.

    All firewalls do is create additional undesirable complexity. Most users will never need to go near the Shared panel anyway, so they won’t have any services running in the first place. That way they can remain blissfully ignorant. Talk of ports and firewalls is only going to confuse.

    Incidentally, Slashdot has had some interesting commentary on this, including some who’ve noted that this Tom Ferris is the typical unknowledgeable type that MSNBC et al roll out for an anti-Apple troll. This is the sort of stuff that Symantec and McAfee love. I mean, we’re taking the word of someone who describes Apple’s security track record as “unvarnished”. (Clue: the bloke’s a fucking idiot).

    I’m not too worried yet. There are real issues with Mac OS X, as Drunken Blog has been cataloguing for a little while now. But even that is just about crashing, rather than remote code execution.

    It’s a non-story.