Posted by: oldmacbloggit | June 26, 2011

Apple Safe or Sorry?

Yesterday, I came across a lengthy but interesting critique of Apple security – OS X – Safe, yet horribly insecure –  by the anonymous author of the All That Is Wrong With The World blog (well, that’s an ambitious project, even if the blog had been restricted to security, which it isn’t…)

I’ve been irritated by the “Apple is immune” argument since the 90s (long before OS X hit the streets, in fact), so I have some sympathy with the post’s irritability, and not just because he cites as a reference a book to which my colleague Mr Harley contributed.

Nonetheless, my first thought was “yes, but surely we’ve moved on from there” – in fact, that book came out three years ago, and both the threats and the countermeasures have changed since then, as David would be the first to agree. So I was inclined to agree with those commentators whose view was “some good points, but rather a glass-half-empty view.”

But then I read the 67 comments currently attached to a Telegraph article that is also cited in the post. And all the usual stuff is there:

  • There is only one Mac Trojan. Wrong on two counts: first, there is quite a bit of Mac malware these days, though the quantity is ridiculously small compared to all the malware that targets Windows; second, the fake AV that’s upset so many fanboiz recently is not a single Trojan, but a family (and the nature of the attack is a bit too complex to describe purely in terms of the binaries).
  • Windows is “insecure by design”. Come on, chaps: you can’t talk about Windows as if Windows 95 is king, unless you think that most Mac users are still on OS 9.
  • (In)security is all about OS vulnerabilities. And its companion piece “only viruses matter and social engineering attacks don’t count.”
  • The world is divided into intelligent Mac users and dumb, Mac-hating Windoze users. Well, no-one whose worldview is that stereotyped is going to pay any attention to me, so I won’t waste time on that one. Well, except to point out that I’m actually one of those intelligent Mac users. 🙂

I’m not enthusiastic about Apple’s security strategy of denial, but when I read some of this stuff, I have to think that the security problem here is not primarily Apple and its somewhat misleading advertising, nor even the (still relatively few) criminals specifically targeting Mac users, but a certain quirk of psychology among some Mac users (an aggravated Halo Effect, if you like) that couples a certain aggressive snobbishness about their chosen platform with an escalating fear of being proved wrong.

Or to put it another way: loving Macs does not mean that I always love Mac users. On the other hand, I’m guessing that cybercrims are getting increasingly fond of them and relishing their naivete.

Old Mac



  1. I’m glad to see someone else mention the insistence of some Mac users keep pitting MacOS X against pre-2000 versions of Windows. I suppose they believe they can emphasize how much they prefer a Mac by pretending that Windows 7, or even Windows XP, did never happen, when these days the difference through all the rings of security is much smaller.

    Windows Vista, you say? No, that one *did* in fact never happen.

  2. Below is a link to a post on macrumors that provides counterarguments to “OS X – safe, yet horribly insecure.”

  3. Regardless but especially if OS vulnerabilities are included in such a comparison, the complimentary title for a similar article about Windows would have to be “Windows – not safe, yet even more horribly insecure.”

    • @Really? – I’m not interested in fanboi zealotry from either side of the Mac/Windows divide. If you have a useful or even interesting point to make, like the comment pointing to the MacRumours counter-arguments , go ahead and I’ll approve it. Mac Good PC Bad (or vice versa) is neither true nor interesting.

      • To me it seems “Really’s” post is not fanboi zealotry, given the content of that macrumors counterarguments post.

        Windows is less safe than OS X due to its malware issues including recent malware that was able to bypass UAC and install into the master boot record.

        Windows appears to be more horribly insecure than OS X once presented an unbiased analysis of the actual implementation of security mitigations within each OS.

        Both OSs have security mitigations that are implemented at the discretion of the software developer that are often not used. This negates any inclusion of these mitigations in a comparison leaving only the variable that these mitigations are implemented to provide protection against as valid.

        That variable is vulnerabilities. With DAC implemented, incidence rates of privilege escalation vulnerabilities are the strongest determining factor in terms of security.

        Specifically, elevation privilege escalation vulnerabilities are important because provide system level access to install more covert and malicious malware, such as rootkits; lateral privilege escalation vulnerabilities are not so important because do not provide system level access from unprivileged accounts.

        Mac OS X Snow Leopard has only had 2 elevation privilege escalation vulnerabilities since it was released. That macrumors link shows that Windows 7 has a lot more elevation privilege escalation vulnerabilities just in relation to win32k; other classes of privilege escalation vulnerabilities exist in Windows 7 as well, such as those related ancillary function drivers (AFD.sys).

        A link from that macrumors post shows a public and unpatched win32k privilege escalation zero day that has been known for nearly a year. The Windows registry somewhat makes Windows 7 insecure by design given the number of vulnerabilities hat are leveraged via the registry.

        The lack of access controls on items in protected storage in Windows 7 is a major security issue because it provides an easy vector to gather sensitive data.

        Any argument concerning the user is mutually negated because the OS vendor can not do anything about users lack of knowledge concerning safe computing practices.

        Honestly, the inclusion of an article discussing “Mac – safe, yet horribly insecure” on a webpage that seems to want to avoid fanboi zealotry seems a little insincere.

      • The MacRumours article seems better-founded to me than the allthatiswrong blog, but there are points on which I’d disagree. I may come back to that at some point, if Mac doesn’t cover it first, but this blog isn’t one of my priorities right now. It seems to me that Mac’s blog is not particularly in favour of that blog: it’s a comment on some of the same old fanboi arguments that the article attracted.

        Of course OS X is safer than Windows due to malware issues. There’s hardly any OS X malware. But there is no evidence that this is due to the superiority of OS X or privilege escalation, and you don’t get to decide on behalf of the rest of us that attacks on users rather than on the OS don’t count.

        I am not really interested in arguments about the superiority of one operating system over another, being neither a marketroid nor a fanboi. I’m happy for you to comment here on specific security issues, even if I don’t agree with you. I don’t particularly care if you switch pseudonyms to support your own comments. I do object to your accusing me of being “insincere” or not “objective” because I haven’t censored or withdrawn a post commenting on an article you don’t like. If you only want pro-Mac or anti-Windows commentary, you’re on the wrong web site. (And that goes for anti-Mac and pro-Windows commentary.)

        As it happens, there’s one thing Mac and I definitely agree on, though I’m not sure that I “love” any computer: “loving Macs does not mean that I always love Mac users.” (No, I don’t love all Windows users, either…) If you can’t comment without personal attacks, I’d rather you didn’t comment, and I certainly don’t promise to approve such comments.

      • It seems interesting to me how for the topic of security and vulnerabilities, every user seems to take on the perspective of a systems administrator.

        The bulk of machines running either Windows or MacOS X are personal computers or personal workstations, not servers in a business backend environment. This makes many issues, in particular in relation to privilege escalation, a lot less important than commonly assumed. Malware that can take control of a system is devastating in business backend and server environments. For a personal user, unwanted advertisement or being assimilated into a botnet are certainly concerned, but I think what personal end-users worry most about is loss of their data, and maybe to some degree the trouble required to restore. Worst-case scenario, they have to initialise their system. But personal data can be irrevocably lost, no privileges involved.

        The point being that malware does not need more than user privileges to cause the kind of destruction that matters to personal users. An exploit for any of the hundreds of security issues in any of the hundreds of applications installed on a personal computer is enough to destroy a user’s personal files. This is true for all operating systems, including *X variants, and cannot be prevented without seriously restricting the user’s own access to the system.

      • @Daniel, interesting point. I generally say that Mac AV is more important in a corporate environment because the risks are complex and go beyond the tiny volume of Mac-specific malware. But it’s worth pointing out that home users are less likely to have their data backed up properly than corporate users (in a well-run corporate, at any rate), and I certainly wouldn’t want to rely on privilege levels as a defence. Apart from the fact that privilege escalation isn’t, as you say, necessary to cause damage or even to install (vide some versions of Mac Defender), social engineering is a more effective vector. Though in a corporate environment, the end user may not have administrator access, so an escalation may be more successful. However, it’s not that common in a malware attack. It doesn’t need to be, where users have admin privileges or ready access to an admin account.

  4. Again, any comparison of OS security in relation to malware that relies on social engineering is mutually negated across all OSs. Nothing can be done to mitigate a user’s lack of knowledge about safe computing practices.

    If you are going to use malware that relies on social engineering in any OS security comparison, then the most important factor is the volume of such malware per OS. Obviously, Windows has far more example of this type of malware.

    The personal data that malware typically attempts to collect is credit card data. Revenue from credit card data comes from selling the data on credit card dump websites. On average, that data related to one individuals credit card is only worth 50 cents to the seller as the data is typically sold in sets of 50 for $25. This means that the value of this data to the malware developer is dependent on gathering it in high volumes. Two common ways to gather that data in high volumes include keyloggers and abusing protected storage.

    Using these vectors to collect valuable personal data is protected by DAC by default is OS X.

    User space security mechanisms protect keystrokes related to sensitive data entry from being collected by keyloggers that do not have system level access so privilege escalation is required to covertly install keyloggers that can collect this data.

    Access controls applied to keychain items prevent the abuse of protected storage in OS X. Elevated privileges are required to modify the access controls for keychain items so privilege escalation is required to covertly install malware that can collect this data.

    Other abuses to personal data, such as being deleted, that target personal users are not occurring in the wild against any OS. Why? Because, why use your malware for pranks when it can be used for profit. It is difficult to find examples of this type of malware attack targeting personal users of any OS.

    Collecting that data without elevated privileges relies on phishing users for that data. This is the method used by Mac Defender. Some variants of Mac Defender did not require password authentication to install but it still required the user to actively click through an installer and still required actively phishing the user to enter a credit card number into the Mac Defender GUI.

    Many rogue AVs that have targeted Windows have installed without as much user interaction as required by Mac Defender. Also, those rogue AVs caused much more permanent damage to the Windows install, including standard accounts, via corrupting registry entries than Mac Defender causes to OS X. In comparison, Mac Defender is easy to uninstall in comparison to many rogue AVs that target Windows.

    The actual number of users that provide credit card data to rogue AV software is relatively low across all OSs and in comparison to the infection rates of rogue AV software. So, infection does not guarantee success in relation to rogue AV software as it does for other malware, such as TDL-4.

    Also, do you think TDL-4 infected 4.5 million Windows systems only via social engineering? I think the duration where TDL-4 included an unpatched privilege escalation exploit contributed to that high of an infection rate.

    • Nothing can be done to mitigate the user’s lack of knowledge? Wow. I’ve wasted 25 years of my life… Yes, of course Windows has more social engineering malware. And more of all kinds of malware. Who said it didn’t?

      And I’m afraid that telling a security professional that social engineering doesn’t count is like telling a pianist that he’s not allowed to play anything that uses white keys. And that’s why I usually stay out of this particular cesspool: I don’t care which OS is “the most secure” technically, because that’s a much more complex issue than counting priv escalation vulns. And I’m not wasting time on which is “the safest” (quite a different issue). I do care about making people safer, whatever platform they use, and I dislike the fanboi habit of misleading people into unrealistic expectations of invulnerability.

      You’re right in that deliberate direct damage by malware – even targeted malware – is comparatively rare, though that was the case even before malware was monetized. Accidental/collateral damage is quite another matter.

      If you must base a straw man argument (where did I say that malware spreads only by social engineering?) on a single malware family, Stuxnet might be a better example of escalation, if numerically less dramatic. But privilege escalation and infection rates are quite different issues. You’d be better arguing from autorun infection, which is a huge black mark against Microsoft.

  5. The variant of TDL-4 that includes priv esc used the same task scheduler bug as the payload in Stuxnet that targeted Windows 7. So, it is an equally as relevant exemplar of the potential of malware that targets Windows.

    TDL-4 targets personal users so it is more relevant to a broader user base. Also, TDL-4 was fairly successful in that it produced a good sized botnet.

    I avoided discussion related to autorun given that vector being used for malware propagation has been largely negated via improvements in the default configuration of DAC in Windows admin accounts starting with Vista and other various patches released by MS.

    • The situation re MS10-092 is not the same at all. When Stuxnet used it, it was a 0-day. (Check the acknowledgements in the MS bulletin, and see if there are any names you recognize…) TDL4 started using it much later. Furthermore, TDSS did not suddenly go out and find 4.5 million new zombies. The switch to P2P with recent evolutions simply made it easier to quantify.

      • It was a 0-day for TDL-4 as well. Or, at least, it was still unpatched while in use in TDL-4.

        The article below was published on Dec. 7, 2010 refers to TDL-4 using the stuxnet bug.

        The task scheduler patch from Microsoft was released on Dec. 14, 2010.

        Also, factor in the latency between the TDL-4 article being published and discovery of the exploits use in malware.

        The task scheduler exploit code was public on Nov. 23, 2010 to give a rough time frame of exposure.

      • Unpatched != 0-day. The bug did take a long time to patch – it was known many months before – but it was well-known (to researchers), and detectable generically and malware-specific. The availability of decompiled code to “the public” is irrelevant: anyone can decompile code, given a sample and a little knowledge. The point is that you don’t have anything solid to back up your assertion that the exploit accelerated the infection rate of the botnet, and it would just be one botnet even if it turned out that you were correct on this one unprovable point. The fact is, we are not going to agree that only system vulnerabilities count, and frankly, I don’t think I’m going to flog this deceased equine any more.

  6. So, if the malware developers of TDL-4 had a sample of Stuxnet, the time frame of exposure would have been even longer than from the public release of the exploit code.

    It is unfortunate that MS took so long to patch a bug being used in the wild.

    • Correct. But exposure in that sense isn’t a measure of efficacy. I have to say, I was surprised at the time it took, and don’t know what the hold-up was.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: