August 27, 2009
Is Mac's New OS Something To Brag About?
Snow Leopard Could Level The Computing Security Playing Field
Contrary to popular Mac fanboy belief, Macintosh is not more secure from a software standpoint than modern Windows; it's merely safer to use because malware writers prefer to target the platform with the biggest install base, according to Charlie Miller and Dino Dai Zovi, co-authors of The Mac Hacker's Handbook, which came out this spring.
"Apple hasn't implemented all the security features that Vista has," Miller said. "They made some improvements in Leopard, but they are still behind."
If there is any truth to rumors circulating about Snow Leopard, the operating system security playing field could become more level as of this weekend and Mac users will really have something to brag about.
First off, a screen shot published on the Mac Security Blog of Intego on Tuesday appears to show a security feature supposedly in Snow Leopard that looks like it is detecting a Trojan in a disk image being downloaded via Safari. The post cites unnamed reports about an anti-malware feature being added.
"If it's true, it will mark a fundamental change in that Apple will be admitting that their operating system is as susceptible to malware as other operating systems," Miller said.
CNET's review of Snow Leopard, posted late on Wednesday, says that File Quarantine, first introduced in Mac OS X 10.4 Tiger, has been refined in Snow Leopard. File Quarantine checks for known malware signatures and displays an alert dialog if it finds a known offender, and it will be automatically updated via Mac OS X's software update as new malware signatures are found in the wild, the review says.
CNET Review: Apple Mac OS X Snow Leopard
It's unclear whether rumors are true that Snow Leopard includes several internal attack-prevention features that Vista and Windows 7 have, known on that platform as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP).
By randomizing the location of key pieces of data, ASLR makes it much more difficult for attackers to predict where data will be located, which they need to know in order to execute their own code or code already resident in the process. For exploit code that gets past the ASLR barrier, DEP will try to block it from running, recognizing that it is data and not legitimate code.
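Whether a particular Mac binary opts in to these two mitigations can be checked from the flags word of its Mach-O header. The Python below is an added example, not part of the article or Apple's own code: the constants are those defined in Apple's `<mach-o/loader.h>`, while the helper names and the two sample headers are constructed for illustration.

```python
import struct

# Constants as defined in Apple's <mach-o/loader.h>
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
MH_EXECUTE = 0x2                       # filetype: main executable
MH_ALLOW_STACK_EXECUTION = 0x00020000  # all stacks get execute permission
MH_PIE = 0x00200000                    # load main executable at a random address
MH_NO_HEAP_EXECUTION = 0x01000000      # run with a non-executable heap

def mitigation_flags(header: bytes) -> dict:
    """Decode the ASLR/DEP bits of a thin Mach-O header (filetype at 12, flags at 24)."""
    if len(header) < 28:
        raise ValueError("truncated Mach-O header")
    for endian in ("<", ">"):          # header is stored in the target's byte order
        if struct.unpack_from(endian + "I", header)[0] in (MH_MAGIC, MH_MAGIC_64):
            break
    else:
        raise ValueError("not a thin Mach-O image (universal files hold one header per slice)")
    filetype, _ncmds, _sizeofcmds, flags = struct.unpack_from(endian + "4I", header, 12)
    return {
        "executable": filetype == MH_EXECUTE,
        "pie": bool(flags & MH_PIE),
        "stack_exec": bool(flags & MH_ALLOW_STACK_EXECUTION),
        "heap_noexec": bool(flags & MH_NO_HEAP_EXECUTION),
    }

def findings(header: bytes) -> list:
    """List weak settings; all three bits are only honoured for MH_EXECUTE files."""
    f = mitigation_flags(header)
    if not f["executable"]:
        return []
    out = []
    if not f["pie"]:
        out.append("no MH_PIE: main executable loads at a fixed address")
    if f["stack_exec"]:
        out.append("MH_ALLOW_STACK_EXECUTION: stack is executable")
    if not f["heap_noexec"]:
        out.append("no MH_NO_HEAP_EXECUTION: non-executable heap not requested")
    return out

def sample_header(flags: int, endian: str = "<") -> bytes:
    """Constructed 64-bit x86_64 MH_EXECUTE header (sample data, not a real binary)."""
    return struct.pack(endian + "8I", MH_MAGIC_64, 0x01000007, 3, MH_EXECUTE, 0, 0, flags, 0)

HARDENED = sample_header(0x85 | MH_PIE | MH_NO_HEAP_EXECUTION)
LEGACY = sample_header(0x85 | MH_ALLOW_STACK_EXECUTION, endian=">")
if __name__ == "__main__":
    for name, hdr in (("hardened", HARDENED), ("legacy", LEGACY)):
        print(name, findings(hdr) or "no findings")
```

On a real file, pass the first 32 bytes of a thin binary; a universal binary has to be split into its per-architecture slices first.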
"If you have both, it's hard for an exploit to get around it. Leopard has some ASLR but everything is not randomized and Leopard has no DEP," Miller said. "Things could change significantly for the Mac if they do a good job...That was my main gripe with it."
In June, Dai Zovi reported on a new local privilege escalation vulnerability researchers had discovered that gives local root access on Mac OS X Tiger and Leopard. He offered up a wish list for Snow Leopard that included: "real" ASLR; "full use of hardware-enforced Non-eXecutable memory (NX);" default 64-bit native execution for security-sensitive processes; sandbox policies for Safari, Mail.app, and third-party applications (akin to what Chrome has); and mandatory code signing for kernel extensions.
Apple's Mac OS X security page makes reference to offering sandboxing, Library Randomization, and Execute Disable, but there are no details.
An Apple spokeswoman did not follow up on an e-mail request seeking an interview for this story.
The Snow Leopard Web site says it will offer protection against some common types of heap buffer overflow exploits but not new types of such memory overflow exploits, according to Dai Zovi.
The security level in Leopard falls in between Windows XP Service Pack 2 and Vista, he said. If Snow Leopard has full ASLR and DEP, it would bring its security close to the level of Vista, he added.
While adding full ASLR and DEP to Snow Leopard will boost the operating system's defenses against targeted attacks, the Mac OS software arguably has more holes that malware can slip through, Miller said. "It would be fair to say that Mac has more bugs, but it's impossible to measure," he said.
Market pressure has been missing
In this sense, Microsoft has benefited greatly from the plague of security holes in early Windows versions. Those problems led the company to embark on a quasi-religious conversion in 2002 with Bill Gates launching the Trustworthy Computing initiative and setting security as a top priority for the company. Its Software Development Lifecycle (SDL) program--designed to build security into the software--has become the model for the industry.
Microsoft puts "much more effort into auditing their code, the entire SDL process, developer training, automated source code scanners, and hiring external penetration testers," Dai Zovi said.
So far, Apple hasn't felt that kind of market pressure to improve Mac security, largely because malware writers have ignored it, so its secure software development process isn't nearly as developed or mature as Microsoft's, the security researchers said.
"Microsoft has had a head start. That's why they had ASLR and DEP first," Miller said. "It's not because they're geniuses. They just started caring about it sooner."
"These things go lock in step and it doesn't make sense for businesses to expend a ton of resources when the threat is not there," said Dai Zovi. "So far, Apple has been keeping up pretty well with the level of threats in the wild."
As far as security goes, market share is a double-edged sword. As the Mac operating system gets more popular, the amount of malware targeting it is growing.
The Mac has only about 5 percent market share worldwide (nearly half is in the U.S. alone), compared with nearly 95 percent for Windows, according to market statistics provider Net Applications. But the Mac share is rising, from 3.73 percent to 4.86 percent in less than a year, the firm says.
In the meantime, more and more Mac malware is appearing. Earlier this week, TrendMicro reported that it found a new variant of the JAHLAV family of Trojans that pose as pirated versions of legitimate applications, modify a computer's domain name system (DNS) settings, and enable successful phishing attacks and redirects to sites hosting malware. Earlier versions of the Trojan masqueraded as versions of QuickTime, but this one passes as Foxit Reader or an antivirus program.
Some malware is written for both Windows and Mac platforms and downloads the correct version depending on the browser. Last week, Symantec reported that sites purporting to show streams of new movies were actually feeding up a DNS-changing Trojan instead, called OSX.RSPlug.A for Mac and Trojan.Fakeavalert for Windows. Last month, a McAfee blog post described the OSX/Puper.a Trojan that is downloaded onto Mac systems when users download what they think is a video player.
ZDNet's Zero Day blog has covered a number of Mac malware threats this year alone. In January, Intego, which has been tracking Mac malware for several years, discovered a Mac OS X Trojan circulating in pirated copies of Apple's iWork '09 software found on BitTorrent trackers and other sites. Symantec researchers in April linked malware found in bogus copies of iWork '09 and Adobe Photoshop CS4 to what they said could be the first Mac OS X botnet launching denial-of-service attacks. And in May, a new e-mail worm dubbed OSX/Tored-A targeting the Mac was uncovered, although it was not found to be spreading in the wild.
"The frequency is increasing" for Mac threats in the wild, said Dai Zovi. "Still, there are only a handful of threats; nowhere near what Windows users face."
In addition to considering how buggy the software is, how secure the operating system code is, and whether malware writers are creating viruses and Trojans for the platform, another factor in play is how likely Mac users are to be duped into visiting a malicious site, opening a malicious e-mail attachment, and downloading a fake file.
Most Mac users seem to take pride in their supposed invulnerability, so one would think that they are less cautious in their surfing activities. But it's hard to tell.
"No computer or operating system is more or less secure when it comes to users being tricked into downloading something," Miller said.
By Elinor Mills
© MMIX, CBS Interactive Inc. All Rights Reserved. This material may not be published, broadcast, rewritten, or redistributed.
- I am legally blind and that is why the Mac does not work for me. It is not fear. He let me sit at his Mac. We are talking about their OS. I was given a machine running Home XP. I put together a library to teach to use the platforms I use. Fear.. Ye could not handle a world with little sight. I want the bloody thing to work and run the apps I use. Apple stuff is costly. It has nothing to do with fear. My friend prides himself with the Mac but I told him they are no better than Windows. I have noticed the air of Mac users. I thought I would never move to Vista. It is visual reasons. My peers told me to hold off on Vista. I am running an old notebook that I had upgraded. I told him that the reason I won't move to Apple and it has nothing to do with fear. I was a diehard XP user. The only reason I went to Vista is MS Anna. I use the talking clock. The reason I hated Vista from a cold boot it loads slow. I put it to sleep. I use Windows-based apps. I have bad-mouthed Vista. Who has not. I have been using it since 08. When he put his Mac on the network he could not get on the net. I told what he needed to do and when he did he is on the network. He hates Windows. There are things on the Mac I would never use. My friend is a musician. So he likes that. MS has their hang ups. What turns me off from Mac is that bloody white everything. The walls are white. I sat at his computer to see how it is laid out. I told him the mouse be odd. I right click more. I use Word to write my sighted mother. Make a greeting card for friend. I use Intel computers. His Mac can't do what my Windows machine can. I don't live in sear...
- Where to start?
First off, barbaram99... thank you for your pointless comments. They have absolutely nothing to do with the topic at hand. You don't think Macs can do what you need. Um... well since you have strayed, I would just note that Apple has a long (and well documented) history of providing open access capabilities for people with disabilities, and if Macs don't actually run the apps you use it probably only tangentially relates to the main topic (security) in that hackers (like developers) tend to aim first at the big juicy targets (ie PC).
Secondly, the notion that acknowledging security improvements is somehow a backhanded way of admitting earlier unacknowledged vulnerabilities is well, pretty convoluted, and not super useful. All systems have vulnerabilities. (Period for emphasis) It's just truth. Implying a cover-up is kind of silly, was there some massive exploit? No? OK, then... what was your point? Apple improved security on a platform remarkably free of exploit? No? Urm. Apple improved security even though hackers hadn't made them? Apple is self motivated to improve their product absent media firestorm? Reporter creates headline around cherry picked comments to satisfy self selected preferences? Rest of world fine with tools and hackers duking it out over PC universe?
Lastly, shoot, I don't even care enough about this post to write anything else, suffice it to say: To each his or her own.
- I don't know about anyone else here, but I hope Mac OS X never reaches the levels of security of Windows.
I don't ever want the Mac to have hundreds of thousands of viruses.
- My friend has a Mac. I hate it. I use Windows as they work for me. There should be McAfee or something like that for the Mac. I use McAfee and have since 06. Everything I do is Windows based. I don't understand their UNIX-based Mac OS. I used to hate Vista til I sat down at my friend's Mac. He hates Windows. True Vista loads slow. I am not a Mac person. He says Macs are easier to use. Sorry, for me they don't work.
- Sure - use what you want, but don't you ever get tired of being motivated by fear?
Because that's all that is happening - you're ignoring tested, proven environments that are Unix-based and choosing to keep a virus-riddled system just because you have developed a possibly false-impression, based on spending an evening watching someone work their computer.
Fear is what keeps us from changing, from growing, from further development.
Fear only feeds the Status Quo.
Again - if you're truly happy with Vista, go for it. But I read your response as someone who hates Vista and possibly hates the Mac more without understanding it. You have to really try something to understand how it works best for YOU, and that will take more than a quick look-see over a friend's shoulder.
But don't spread misinformation based on fear or false hatred. Because it is false - can you truly hate what you don't know or haven't really experienced?
If the answer is yes, then you must be surrounded by hate.
- Hulk use Mac. No bugs. Never crash. Very powerful. Like Hulk. Mac is GOOD!
- "Most Mac users seem to take pride in their supposed invulnerability." Good lord. Does the editor over at CNET know what's wrong with this statement? Here's a hint: it supposes to know who has pride about what.
No, Macs are not invulnerable, but Mac OS X is not just the obscure twin of Windows, ready to be exploited in exactly the same ways. A critical point for people to understand is that the Mac has a different operating system with a different security legacy. That, in turn, affects how matters of security are approached on a Mac, and what constitutes good vs. misleading advice for a computer user...
I find that articles like this one simply re-hash misleading banners like: "Macs are just as insecure as Windows!"
Finally, the record of Windows security is the record of Windows security, and, let me tell you, it ain't so good. For the article to imply that Microsoft cares so much more than Apple about this issue is a little ridiculous, given that security has been a Windows liability for over 10 years.
- What a moronic article! Apple adds even more security to an already secure OS, and people use this to convince the clueless that Mac OS X is now MORE vulnerable to malware (instead of the opposite).
If you are really interested in finding out why Mac OS X is so resistant to malware, and why Windows is so open to malware attacks, read this article:
http://rixstep.com/2/20090826,00.shtml
- This is an honest article. It is true the reason why it is so secure is because there are 5 Macs to every 100,000 Windows and if I am going to attack and get drones I could care less about the 5.
Sorry to burst your bubble.
While it is not an exact number it illustrates the point.
- re: antoniof123
let's use your 5-to-100,000 number to illustrate the myth of market share: by your estimation, a .005% market share. (not correct, btw, but this is just an illustration.) There are 97,000 Windows viruses. If market share in any way equates to viruses, there would be at least 4.85 viruses that affect Mac OS X. Instead, there are none. 0. Not one.
The truth is far more complex, like "Mac OS X does not execute arbitrary code without direct user approval" and other, actually-based-in-the-OS measures. Market share is meaningless, and this article is click-bait.
Sorry to burst your bubble.
- I didn't know about all these security weaknesses in Macs. Guess this article really b!tchslaps that smug little Mac dweeb on those Mac/PC guys commercials.