Cracking the Mac security myth


“I have that virus that’s going around, you better stay back.”

“No, I’ll be fine.” 

It was May 2006 and Apple, in the latest instalment of its PC vs Mac role-playing ads, was busy tearing strips off its rival. Cupertino was bragging about its security chops, citing how the hundreds of thousands of malware variants found that year affected its competitor’s customers, but not users of its iconic white computers. 

Apple could not play that same ad today. Over the past few years, major vulnerabilities and exploits in Mac systems have been revealed, many making headlines in some of the world’s biggest mastheads. 

There were some 1,800 Mac malware samples found in 2014, with the Flashback trojan the most likely to achieve nods of recognition from the man on the street. The 2012 menace infected some 600,000 Macs, including some 36,000 in Australia, and around 300 thought to be on Apple’s campus. It targeted a Java vulnerability on OS X, enslaving machines into its botnet, which limped along a year after a fix was released, with some 22,000 infected machines still clocked early last year.

Apple’s security skin was further peeled in September 2014 when California-based security firm FireEye discovered attackers had written malware to exploit a previously unknown feature that lets attackers gain root privileges on all OS X machines. The highly dangerous vulnerability, considered a backdoor, was revealed in November, but it would be well into 2015 before Cupertino’s failed patch was finally addressed.

Even then, an estimated 60 million Macs running versions older than Yosemite were deemed unworthy of a patch, leaving those systems exposed to Apple’s poor segregation choice.

Last November also saw the release of WireLurker, the biggest distribution of Mac malware yet seen. The attack used USB ports to smash non-jailbroken OS X and iOS devices in a similar way to Windows malware. The Palo Alto security researchers who discovered WireLurker suspect hundreds of thousands of users downloaded the malicious applications.

The Mac flak has continued in 2015. The second iteration of the ThunderStrike attack, brewed and thought to be confined to a New York lab, was detailed in August showing how Macs could be completely and permanently compromised without users knowing a thing. The jaw-dropping remote attack could infect any Apple accessory, turning the devices into portable vectors to infect more Macs. The most concerned owners were advised to throw out their computers until one could be acquired with disabled option ROMs.

This debrief of pain is vastly incomplete. It fails to account for the scores of dangerous vulnerabilities emerging for OS X, including two zero days found in August by a teenager that can completely compromise Mac computers. But it need not be complete; experts agree that these malware attacks are just the beginning of a monstrous malware machine slowly moving crosshairs to Cupertino.

Dash for cash

“At this point, and as a Mac user it pains me to acknowledge this, but I think Windows clearly has the upper hand in terms of security,” says Patrick Wardle, director of research at Hawaii-based security penetration testing firm Synack.

“I think the reason this [secure Mac] fallacy has perpetuated is that back in the day, Windows had a horrible track record in terms of security.” 

In August, the former NSA security man gave a talk entitled ‘Writing Bad @$$ Malware for OS X’, at the hugely popular Black Hat conference in Las Vegas. The talk aimed to bust the Mac security bubble. He agrees that it is a matter of time – or specifically, profit – before the epic attacks of Windows fame hit Mac. 

Although, as Wardle says, “lower Mac market share [means] indiscriminate hackers are going to go after Windows”, this is changing as Macs get ever more popular.

Apple now makes regular appearances among the world’s top five PC makers, still behind Lenovo, HP and Dell, but ahead of ASUS and Acer in IDC figures for the second quarter of 2015.

Apple’s smaller user base has been a perennial theme in any debate over Mac versus Windows security, and for good reason – attackers know there is a much better chance to catch a fish when you throw a line into a well-stocked pool. 

The fallacy is long dead. For FireEye malware-reverse engineer James T. Bennett, the security claims are based on the volume of malware families or the numbers of infected Macs, both metrics that lose wind when the dominance of Windows is considered. “If you are spending time developing malware in order to make a profit, where are you going to focus your efforts?” 

Apple’s 2006 ad may be defunct in 2015, but it still seems to represent the Mac user mentality. That bravado is dangerous, experts agree. San Francisco-based software company OPSWAT said in June that only half of Mac users have an antivirus program installed and only a third of those bother to turn it on. 

Couple that bravado with the typical higher roles that Mac users tend to hold in organisations and it makes a fertile fishing pool indeed. “Those users are possibly more valuable targets given that Mac use in the enterprise is generally top end,” says Neal Wise, director of Melbourne security consultancy Assurance.com.au. “It’s often mainly technical people and managers who use Macs, meaning targets could be more interesting.”

Large organisations like Facebook, Google, and IBM are moving to Mac in full and hybrid Windows environments. This means more intellectual property will be kept on Macs by users with fatter bank accounts and platinum credit cards. “The bad guys go where the money is,” says Wade Alcorn, managing director of Sydney-based Alcorn Group. “When we see a critical mass of wealth accessible via Mac malware there will be more bad guys targeting those servers and applications.”

Meanwhile, IBM last year inked a deal with Apple to sell its iOS devices to customers, with IBM’s cloud management services sold on top. Michael Sikorski, founder of the FireEye Labs Advanced Reverse Engineering team and former NSA staffer, says money-mad attackers are seeing more appeal in OS X.

“I do believe OS X is becoming a much more relevant target,” Sikorski says. “If we look at places money-driven attacks have taken place, these are mostly Windows based point-of-sale systems. We could see [Mac] becoming a more rich target for attackers in the future.”

Experts agree that the malware attacks reported so far do not reflect the likely real landscape. They say existing attacks indicate that hackers could probably hit most Mac targets they wanted to. Moreover, the statistics on malware instances come from what is often immature and scarcely adopted Mac security software, which means many attacks go undetected.

“I’m very concerned that we wouldn’t know if a big attack was happening, that if there was some kind of attack vector we would miss it,” Assurance’s Wise says. “Maybe it is already happening, maybe it’s already happened. Criminals follow the money, or follow the resources, and there is an opportunity here.”


Bulletproof Windows?

There was a time when Windows was brittle and Apple seemed hardened by comparison, but those days are past. Self-replicating worms and blundering vulnerabilities had angered Microsoft’s customers, prompting then-PC chieftain Bill Gates to launch the Trustworthy Computing initiative in 2002.

Synack’s Wardle says that “back in the day, Windows had a horrible track record in terms of security. I think Apple rested on its laurels, while Windows did almost a full 180 and started to take security incredibly seriously.”

In the intervening years, Microsoft has adopted a Security Development Lifecycle, implemented a bug bounty program, gone on a Windows hacker hiring binge, and woven exploitation mitigations into its core. When Apple does the equivalent, it is often insufficient or trivial to bypass, Wardle says, noting the caveat that many of Cupertino’s security team are “incredibly bright” and making “great strides to secure the OS”, notably with the upcoming El Capitan OS release, which he advises all to adopt.

“Microsoft has gone through its hamster wheel of pain,” says Wise. “Microsoft has taken a whole lot of abuse and is now a very securable environment.” 

It only takes one bad Apple

Macs in the enterprise are often unmanaged. They are the abnormalities in an otherwise homogeneous fleet of Windows machines, often forgotten by system administrators whose skill sets are strongest with Microsoft, says Neal Wise of Assurance.com.au, a Melbourne-based security consultancy.

Management of Apple devices is often more piecemeal and less uniform than Active Directory management of Windows, a practice that Wise is most concerned about because it creates a weak link in the enterprise security chain.

The immaturity of Apple security tools plays a role, too. High-value users become high-value targets and attacks against them will go unnoticed in many organisations thanks to a lack of development, adoption and proper configuration of defences. 

Wise, a Mac and Unix aficionado, is a big believer in “control parity” because this helps eliminate the entry vector caused by the lack of management of a small number of Macs in Windows fleets.

Wade Alcorn of Alcorn Group says the same. He and all experts in this story reckon no system administrator should buy Windows or Mac based on the inherent security chops of those systems. Rather it should come down to, at least in part, the skills of the tech team.

In terms of security, the Mac vs PC security debate is drowned out by the timeless basic security tenets captured by the Australian Signals Directorate’s Top 35 controls. “Patching, full disk encryption and verification wins hands down in this situation,” Alcorn says. “They need to get the basics right, regardless of whether it’s a Mac or a garden variety Dell.”
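The basics Alcorn names (patching, full disk encryption and verification of what is allowed to run) can be checked on a Mac with Apple’s own command-line tools, which is one concrete way to give the handful of Macs in a Windows fleet the “control parity” Wise calls for. The script below is an added example, not code from the article or from any of the firms quoted. It assumes the textual output formats of `fdesetup status`, `spctl --status`, `csrutil status` and `softwareupdate -l`; the parse functions take that text as an argument so they can be exercised on any POSIX shell, and the audit reports UNKNOWN wherever a tool is absent or its output is not recognised rather than guessing.

```shell
#!/bin/sh
# Added example (not from the article): a minimal macOS baseline check for
# full disk encryption (FileVault), code-signing verification (Gatekeeper),
# System Integrity Protection and pending software updates.
# Each parse_* function takes the text printed by the matching Apple tool and
# returns 0 (control enabled), 1 (not enabled) or 2 (output not recognised).
# Output formats below are assumptions about those tools' wording.

parse_filevault() {           # text from: fdesetup status
    case "$1" in
        *"FileVault is On"*)  return 0 ;;
        *"FileVault is Off"*) return 1 ;;
        *)                    return 2 ;;
    esac
}

parse_gatekeeper() {          # text from: spctl --status
    case "$1" in
        *"assessments enabled"*)  return 0 ;;
        *"assessments disabled"*) return 1 ;;
        *)                        return 2 ;;
    esac
}

parse_sip() {                 # text from: csrutil status
    case "$1" in
        *"status: enabled"*)  return 0 ;;
        *"status: disabled"*) return 1 ;;
        *)                    return 2 ;;
    esac
}

parse_updates() {             # text from: softwareupdate -l
    case "$1" in
        *"No new software available"*) return 0 ;;
        *"Software Update found"*)     return 1 ;;   # patches are pending
        *)                             return 2 ;;
    esac
}

status_word() {               # map a parse_* exit code to a report label
    case "$1" in
        0) echo PASS ;;
        1) echo FAIL ;;
        *) echo UNKNOWN ;;
    esac
}

# audit_one <name> <parser> <command> [args...]
# Runs the tool only if it exists on this host, so the script is harmless
# (all UNKNOWN) on a non-Mac machine.
audit_one() {
    name=$1; parser=$2; shift 2
    if command -v "$1" >/dev/null 2>&1; then
        out=$("$@" 2>&1)
        "$parser" "$out" && rc=0 || rc=$?
    else
        rc=2
    fi
    printf '%-12s %s\n' "$name" "$(status_word "$rc")"
    return "$rc"
}

# Runs all checks and returns the number of controls found disabled.
run_audit() {
    fails=0
    for spec in "FileVault:parse_filevault:fdesetup status" \
                "Gatekeeper:parse_gatekeeper:spctl --status" \
                "SIP:parse_sip:csrutil status" \
                "Updates:parse_updates:softwareupdate -l"; do
        name=${spec%%:*}; rest=${spec#*:}
        parser=${rest%%:*}; cmd=${rest#*:}
        # $cmd is deliberately unquoted so the tool and its flag split apart
        audit_one "$name" "$parser" $cmd && rc=0 || rc=$?
        [ "$rc" -eq 1 ] && fails=$((fails + 1))
    done
    return "$fails"
}

# Usage: sh mac_baseline.sh audit   (exit status = number of failed controls)
if [ "${1:-}" = audit ]; then
    run_audit
fi
```

Run with the `audit` argument on the Mac being checked; a non-zero exit status means at least one of the four controls is off, which makes the script easy to drop into whatever scheduler or fleet tool already reports on the Windows side.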

Copyright © nextmedia Pty Ltd. All rights reserved.