How safe can you be if you leave your house unlocked; even if there are no known thieves in the area? This may be a rude-awakening for many Mac users… A few weeks ago I saw an article concerning a clients personal Mac with 1500 infected files, she was very surprised and said “but Macs don’t have viruses” A very expensive mistake…
I still despair at the number of people who ignore simple security basics, regardless of the OS you use, you should have a decent AV system.
Are Macs safer than PCs?
It’s a fact that Apple enjoyed a no-virus reputation for years. But a host of new attacks have threatened the Mac community head on. In the past four months, more than 70 variants of Mac malware have been detected. Most recently, the Flashback Trojan, considered to be the largest Mac Malware threat to date, infected more than 600,000 Macs. Exploiting a security flaw in Java, Flashback doesn’t need the user to interact or download anything to install itself on the system.
Mikko Hypponen, Chief Research Officer at F-Secure, put it very well when he said that, proportionally, the Flashback Trojan was as widespread amongst Macs as the notorious Conficker worm had been amongst Windows-based PCs.
The attack has left a lingering question: how secure are Apple Macs?
Apple has traditionally marketed its systems as being more secure than those running Microsoft Windows, but how true is that?
Mac OS, the Apple Mac operating system, is based upon the Berkley Software Distribution (BSD) of Unix, surrounded by a nice graphical user interface.
If you began your career using Unix, one of the things you come to value is that Unix (and hence Mac OS) has always had a security model built into the operating system.
That was not always the case for Windows as it was originally based upon MS-DOS. The concept of Read, Write and Execute for various executables and data, as implemented in Unix, is simple to understand and has stood Unix systems in good stead for many years.
Unix has other simple features, such as storing executable code and data in separate folders. When you install a program in Unix, you typically predict which folders the executables and data will reside. The corollary of this is that it is easy to completely remove an installation.
Anyone who has installed software onto a Windows platform knows that the installed components can be placed in a wide variety of folders, the obscurity of which mean that if you were ever to attempt to unpick the installation manually you’d inevitably end up with some unwanted pieces of code on your machine.
For Windows, this has spawned a whole host of tools for the uninstall and clean-up process.
So, Mac OS “feels” like it should be more secure. But is it in fact just tidier?
Fundamentally, there is no reason why Macs should not be targeted using malware in the same way that viruses, Trojans and worms are built to target Windows systems.
Ten years ago, when Windows gained a bad reputation for security, Microsoft responded by introducing its Trustworthy Computing Intiative. A security model had previously existed but it wasn’t until XP, where objects were given Security Id’s and allowed actions were enabled in a way similar to Unix, that a model existed that had the same value as that in Unix. However, Microsoft took a long look at the threat and made a conscious effort to evolve their operating systems to counter it.
Initially, one of the biggest threats was considered by Microsoft to be buffer overflow. This is where regions of computer memory that should not be used for executing code are misused by rogue software.
As well as preventing developers inadvertently building this into their applications by adding safeguards to the compilers, Microsoft also introduced memory protection mechanisms within their operating systems.
For example, since Vista was introduced in 2007, Windows has had address space layout randomisation (ASLR) which is implemented so as to obscure most of what an attacker needs to conduct, for example, shell code injection attacks.
Mac OS acquired ASLR in late 2007 (Mac OS X v10.5, aka “Leopard”). Unfortunately, Apple’s implementation is not as advanced as that in Windows, and hence it does not provide the same degree of protection.
Apple said it planned to improve items such as ASLR in its next release of Mac OS, but some five years later we are still waiting.
What all of this exemplifies is two populations of users (Mac OS and Windows) that have developed very different attitudes to security.
Those using Windows have been aware for a long time that their systems have vulnerabilities, and so they are much more likely to use some form of protection such as anti-virus software. Windows users also typically update their software when an update is released by Microsoft; they know updates mean that vulnerabilities may have been found, and it is safer to update than be exposed.
Those using Mac OS have, perhaps, been lulled into a false sense of security. Mac OS users think their systems are somehow inherently “secure” and hence they are less likely to update as frequently as Windows users, or to use tools such as anti-virus software.
A Mac OS user is less likely to be attacked than a Windows user, but that is nothing to do with the level of vulnerability in the operating system. It has everything to do with the fact that over 80% of the personal computers in use run the Microsoft Windows operating system.
Those building malware would rather attack the vast majority of the users. They get a bigger bang for their buck, to borrow a phrase from the military.
What is now catching up with Mac OS users is that their platform of choice is now becoming popular enough to be considered worthy of hackers’ efforts. With the last three years seeing a growth in Mac OS malware in excess of 200%, Mac OS users need to start adopting a different mindset or they will be caught out.
Mac OS users may be “safer” than Windows users, simply because they have fewer attacks focused on their systems, but they are not more “secure”.
Apple has its part to play by releasing updates rapidly in response to known vulnerabilities, and users need to make sure they implement those updates as well as installing security software to protect against the coming threat.
Now is the time to prepare, rather than try to react, when the inevitable onslaught begins. Don’t get caught flat-footed.