Cutting Through the OS X Security Rhetoric

Much has been written about future, potential problems with OS X security, but so far no widespread documented issues have occurred. On the heels of Monday's report from The SANS Institute that Mac OS X vulnerabilities are on the rise, The Mac Observer took a look at some of the recent rhetoric surrounding the operating system's security.

With Apple launching a new series of TV ads, one of which touts the fact that Mac OS X is virus-free, it seems that the company will also need to combat some of the misinformation being spread by the media, as well as deal with accusations that it's not responding fast enough to vulnerabilities when they're reported.

For example, an Associated Press story that ran on CNN's Web site on Monday described a computer user named Benjamin Daines who had "clicked on a series of links that promised pictures of an unreleased update to his computer's operating system." According to the article, "a window opened on the screen and strange commands ran as if the machine was under the control of someone -- or something -- else."

The promised pictures of an unreleased OS X update sounded like the OSX/Leap-A Trojan horse that hit the Internet in February. While it affected very few users, it did prompt media reports that OS X was on the verge of suffering the same problems that have been plaguing the Windows world for the past several years.

When contacted for comment, Johannes B. Ullrich of The SANS Institute took exception to the attack being characterized as a virus, but he did say that it "sounds very much like the 0-day from earlier this year. The exploit would wrap a shell script inside an archive file, which would auto-execute as the user accesses it via Safari. The user would typically see a command shell pop up."

He added: "We did see a number of uses of this exploit. I wouldn't characterize them as a virus, as they didn't self-replicate. They fall more in the category of 'bots' as they will then connect back to some kind of command and control server to allow the attacker to execute additional commands.

"Such a bot would be able to perform any action the user would be permitted to perform. For example, the bot would be able to connect to network services, send e-mail or modify/delete files owned by the user."
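The mechanism Mr. Ullrich describes, a shell script packed into an archive under a name that promises a picture, is the kind of content/name mismatch a defender can check for before anything is opened. The following is an added example, not code from The Mac Observer or from any of the people quoted: it builds a constructed sample zip archive (one genuine JPEG header, one shell script renamed to look like a picture with its executable bit set), then flags any member whose name says "document" but whose content or Unix permission bits say "executable". The file names, the magic-byte table and the sample contents are all assumptions made for the demonstration.

```python
import io
import stat
import zipfile

# Extensions a user would expect to be harmless images or documents, paired
# with the magic bytes a genuine file of that type starts with (assumed table).
EXPECTED_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}

# A shell script begins with a shebang line.
SCRIPT_MARKERS = (b"#!",)

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def inspect_archive(zip_bytes: bytes) -> list[dict]:
    """Return one finding per archive member that looks like a document by
    name but like an executable by content or by permission bits."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            head = zf.open(info).read(16)
            # Unix permission bits live in the high 16 bits of external_attr.
            mode = (info.external_attr >> 16) & 0xFFFF
            reasons = []
            if head.startswith(SCRIPT_MARKERS):
                reasons.append("content begins with a shebang (shell script)")
            if ext in EXPECTED_MAGIC and not head.startswith(EXPECTED_MAGIC[ext]):
                reasons.append(f"content does not match the {ext} magic bytes")
            if ext in EXPECTED_MAGIC and mode & EXEC_BITS:
                reasons.append("executable permission bit set on a document-type name")
            if reasons:
                findings.append({"name": name, "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive (assumed names and contents): preview1.jpg is
    a real JPEG header; preview2.jpg is a harmless shell script wearing a
    picture's name, stored with mode 0755."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("preview1.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)
        disguised = zipfile.ZipInfo("preview2.jpg")
        disguised.external_attr = (stat.S_IFREG | 0o755) << 16
        zf.writestr(disguised, b"#!/bin/sh\necho 'constructed harmless demo'\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_archive(build_sample_archive()):
        print(finding["name"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Run as a script it reports only preview2.jpg, with all three reasons. The check is deliberately conservative: a shebang or an executable bit on something named like an image is unusual enough to quarantine the archive for a closer look, while a magic-byte mismatch alone may just be a misnamed file and is reported as a separate reason so a reviewer can weigh it.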

Apple Responding in a Microsoft-Like Manner?

Tom Ferris, a security researcher whose uncovering of five OS X vulnerabilities was publicized by Secunia last week, agreed with Mr. Ullrich's assessment when contacted via e-mail. He was also featured in that Associated Press story, warning that Apple's slowness to respond to security issues reminded him of Microsoft's attitude three years ago. "They didn't know how to deal with security, and I think Apple is in the same situation now," he was quoted as saying.

An Apple spokeswoman told the AP reporter that Apple will fix the vulnerabilities reported by Mr. Ferris in its next OS X update. She also said that the issues wouldn't enable someone to execute code on a Mac and in fact haven't been exploited in any real world situations that the company is aware of.

Mr. Ferris, however, told The Mac Observer that it took Apple three attempts to fix a core vulnerability in Safari, and it's possible that that flaw is what was exploited in Mr. Daines' situation. He did add, though, that he would expect a malware author to "code the exploit in a way where you would not see anything pop up on your screen. It would just install his malware in the background, under the context of the logged in user."

Give and Take

Elsewhere on the Web, the recent flurry of OS X security talk prompted tech-oriented editorials on both sides of the issue. In a Washington Post blog, for example, Brian Krebs assembled an exhaustive list of the security patches issued by Apple over the past two years and found that the company averaged 91 days to fix each one. He wasn't able to determine the length of time for a fix for all of them, however, because in some cases either Apple or the researcher who found it wouldn't divulge a date.

Mr. Krebs started the project in January and was initially rebuffed by Apple when he asked to speak to someone there about it. Eventually, though, the company allowed him to talk to Bud Tribble, its vice-president of software technology, who said that the lag time between a vulnerability's discovery and a patch has a lot to do with the QA process. "[A Mac user] simply expects things to work with a single button click, and that means we have to take time to do that correctly," he said.

Mr. Tribble also pointed out that Apple averaged around 50 days to patch the most critical bugs, although Mr. Krebs noted that the company wouldn't give discovery dates for about a third of them, so it wasn't possible to obtain independent confirmation of that figure. The Apple executive did say, however, that the company wants to improve its turnaround time for security fixes.

While it's obvious that Mac OS X is currently a more secure and stable operating system than Windows XP, several of the security experts contacted by Mr. Krebs felt that hackers are starting to pay more attention to it by virtue of Apple's higher profile, which could lead to an onslaught of malware that users aren't ready to counter. One also noted that with cracked copies of OS X running on cheap PCs, malware authors also now have an inexpensive way to develop their exploits.

Not everyone is crying fire at the first sign of smoke, however. Scott Bradner on Monday published a column at Network World in which he noted: "There have been a few actual OS X attacks found in the wild (that is, the software is being used, not just a security-expert exercise) but not many. Last I read, there were fewer than five, compared with many thousands for Windows (even if many were exploiting the same underlying vulnerabilities)."

"OS X is not going to be vulnerability-free," he concluded, "but I do expect it to show significantly fewer vulnerabilities than Windows has. That does not mean OS X users can ignore security -- at the very least, enable the built-in personal firewall -- but it does mean you should not stay with Windows because you think it will be safer."