Apple Security Isn’t a Sure Bet

Apple Macs are secure because they don’t get computer viruses, and because OS X, the operating system they run, is based on the rock-solid and highly secure BSD UNIX.

These are two popular misconceptions which make many Mac users underestimate the security risk of allowing their computers onto a corporate network. In a presentation at the EICAR conference in Paris this month David Harley, Research Fellow & Director of Malware Intelligence at anti-virus company ESET, his colleague Pierre-Marc Bureau and Andrew Lee of security outfit K7 Computing pointed out that underestimating the risks presented by Macs can make them less secure than Windows machines. “While Mac users – with the exception of those making significant use of Windows on Macs – operate in an environment prowled by infinitely fewer predators, Microsoft and its more savvy customers are to some extent shielded by a more accurate assessment of the risks to which Windows users are exposed.”

Even if Apple’s computers really were completely secure from viruses and all other threats, they would still represent a risk, Harley points out. “Any computer user who believes a system is so safe that they don’t have to care about security is prime material for exploitation by social engineering,” he says. But in fact there is no “Mac magic” which makes machines running Apple’s OS X immune to viruses. “It is not impossible to write an OS X virus. I wouldn’t say it was even conceptually more difficult than writing one for Windows,” says Harley. Right now there are “quite a few hundred” malicious Mac binaries in circulation, he adds.

What about the perception that Macs are secure because parts of OS X are based on BSD? The key word here is “based.” The reason the perception is false is because the two operating systems are not the same. “Apple has gone its own way as to how to interpret the BSD approach – in other words, you’re not in Kansas anymore,” says Harley.” You simply can’t assume that things considered safe in BSD are safe in OS X, because OS X simply isn’t the same as BSD.

For example, OS X uses a single program, launchd, that combines the functionality of a number of standard UNIX utilities including System V init, cron, xinetd and mach init. But Harley points out that there have been several vulnerabilities reported in launchd, and because it runs as root, the implications can be serious. Since it deals with setting up and managing networked services, it’s also likely that vulnerabilities in launchd will be remotely exploitable. By combining standard UNIX utilities in the way that OS X does, Apple has magnified complexity and increased the attack surface of its operating system.

Apple aficionados point out that the vast majority of Mac users don’t use anti-virus software and have never been infected by a virus, and while this is certainly the case it rather misses the point. That’s because while traditional viruses are in decline across all platforms, they are far from being the only threat that Macs face. Other OS-specific threats include:

  • rootkits such as WeaponX
  • fake codec Trojans
  • malicious code with Mac-specific DNS changing functionality
  • fake or rogue anti-malware
  • keyloggers
  • disruptive adware

But there are other threats to Macs as well: multi-platform threats that include phishing attacks (and social engineering) as well as attacks using non-Mach-O binaries, including bash, Perl, and other scripts, and Java bytecode. And JavaScript in particular can wreak havoc in many browsers, regardless of the operating system they are running on. “JavaScript is a now infamous tool for exploiting vulnerabilities in browsers, and there is no reason to suspect that Safari suffers any less vulnerability in this respect than any of the other popular browsers,” Harley concludes in his EICAR presentation.

Some of the blame for the inaccurate perception that Macs are “secure” must be laid at the feet of Apple. The company’s current security line is that “Mac OS X doesn’t get PC viruses,” which is disingenuous at the very least: PCs get PC viruses, and Macs get Mac viruses. Besides, as noted earlier in this article, viruses are only a part of the threatscape.

Harley says that while Apple has implemented some good security measures – such as the way it offers firewalling, updates and patches – others offer less security than they appear to. For example, Apple says that OS X “prevents hackers from harming your programs through a technique called ‘sandboxing’ — restricting what actions programs can perform on your Mac, what files they can access, and what other programs they can launch.” But Apple doesn’t using sandboxing with all its applications, notably Safari, so hackers are still able to exploit other applications that Safari can open.

The company also touts its “Library Randomization, which prevents malicious commands from finding their targets.” But library randomization is only a subset of the far more comprehensive Address Space Layout Randomization found in Windows Vista and 7 which includes code, stack and heap location randomization as well as library location randomization. “Apple’s security is not nearly as good or comprehensive as they’d like you to think” Harley says.

So what implications does all this have for network administrators tasked with protecting their infrastructure in enterprises with a growing proportion of Macs? Certainly they should be aware that Apple computers present a real security risk, and that this risk is likely to increase if Macs become more popular in enterprise. “If your security infrastructure is geared towards Windows desktops, then it’s probable that your perimeter defenses are geared to Windows, says Harley.” That means Mac threats are unlikely to be detected as they enter your network.” Running security software on each Mac as an extra layer of defense would therefore be a sensible precaution, he believes. Ensuring Mac users are aware of the possibility of social engineering attacks, such as being asked for their password by someone posing as a member of the IT department, is also a good idea.

While Macs may pose a less obvious security risk than PCs, the risks that they pose should not be ignored, Harley concludes. “I would be treating Macs with caution. Not panic, but caution.”

Paul Rubens
Paul Rubens
Paul Rubens is a technology journalist specializing in enterprise networking, security, storage, and virtualization. He has worked for international publications including The Financial Times, BBC, and The Economist, and is now based near Oxford, U.K. When not writing about technology Paul can usually be found playing or restoring pinball machines.

Latest Articles

Follow Us On Social Media

Explore More