Apple Mac OS’s reputation for being more secure than Windows, however false, has taken a battering recently after a series of damaging incidents raised questions about the way the technology giant approaches security. Steve Evans reports.
Apple has long had the reputation that its desktop operating system, Mac OS, is more secure than Microsoft’s Windows. It isn’t true.
The myth is, or perhaps was, based on the lack of malware aimed at the system compared with Windows threats, but that was just a reflection of their respective market shares. Why target an operating system used by significantly less than 5% of the world’s computers? It made much more sense to target Windows, which regularly pulled in 90% of the world’s PC OS market share.
The lack of security threats on the Mac system perpetuated the myth that it is more secure than Windows, and this in turn meant the vast majority of users felt there was no need to install any kind of security software and that simply by using a Mac they were safer than their Windows-using counterparts.
Recent events have shattered that illusion and led many in the IT security industry to question Apple’s approach to keeping its users safe from cyber threats.
In September 2011 security company Intego detected a new Trojan horse, which it dubbed Flashback, masquerading as an Adobe Flash Player installer. Once downloaded, the malware would disable some of the security features the user had previously installed on their computer.
The infection then attempted to inject code into applications launched by the user, to connect to the host server and send back unique information that could identify the user.
Intego initially described this as a low-risk infection, but what happened a few months later would cause much more damage.
In April 2012 Russian antivirus firm Dr. Web reported that a variant of the Flashback Trojan had infected 600,000 Macs around the world. This version exploited a vulnerability in the Java programming language and meant users could be infected simply by visiting a compromised website.
This quickly became the largest Mac-based infection to date, with infections spread across the world. The US had the most infected computers (300,000), followed by Canada (95,000), the UK (47,000) and Australia (42,000). Other infected countries included France (8,000), Italy (7,000), Mexico (6,000) and Spain, Japan and Germany all hovering around 4,000 each.
Another security company took a deeper look at the malware, and found that writing and releasing malware aimed at the Mac platform was a lucrative business. Symantec said its investigations revealed that the purpose of the Trojan was "revenue generation".
Looking at OSX.Flashback.K, Symantec determined that it included an ad-clicking component that installs itself in Chrome, Firefox and Safari and intercepts all GET and POST requests from the browser, as well as certain search queries. When one of those search terms is entered, the unsuspecting user is redirected to a website that pays the cyber crooks ad revenue.
This ad-hijacking is nothing new, Symantec says, and similar cases have proved very profitable. "In an analysis of W32.Xpaj.B last August a botnet measuring in the region of 25,000 infections could generate the author up to $450 per day," the company says on its blog. "Considering the Flashback Trojan measures in the hundreds of thousands, this figure could sharply rise to the order of $10,000 per day."
However, following subsequent analysis Symantec revised that figure significantly downwards.
Apple’s response to the issue has drawn criticism from a number of quarters, and for understandable reasons. Oracle plugged the Java vulnerability in February 2012, soon after it was made aware of the flaw. However, Apple does not allow Oracle to patch Java for Mac on its own; instead it takes an active role in the process. This meant the vulnerability was not patched on Mac computers until early April.
"This window of opportunity helped the Flashback Trojan to infect Macs on a large scale. The Flashback authors took advantage of the gap between Oracle and Apple’s patches by exploiting vulnerable websites," Symantec says.
Russian security firm Kaspersky Lab went even further. The company’s chief security expert, Alexander Gostev, raged: "The three-month delay in sending a security update was a bad decision on Apple’s part. Apple knew about this Java vulnerability for three months and yet neglected to push through an update in all that time.
"The problem is exacerbated because – up to now – Apple has enjoyed a mythical reputation for being ‘malware-free’. Too many users are unaware that their computers have been infected, or that there is a real threat to Mac security," says Gostev.
This delay undoubtedly made the infection much worse. Apple’s proclamations on the outbreak were also baffling. A short note on its website simply said: "A recent version of malicious software called Flashback exploits a security flaw in Java in order to install itself on Macs. Apple has released software updates for systems running OS X Lion and Mac OS X v10.6 that will update Java to fix the security flaw, and remove the Flashback malware if it is present."
The bulletin went on to say that the malware will be removed from infected Macs and that Apple was working with ISPs to disable the host servers. And that was it. Nothing else. Certainly nothing anywhere near the level of detail that Microsoft goes into during its monthly Patch Tuesday cycle. Microsoft’s bulletins include what the vulnerability is, what the impact of it could be, how urgent it is and how much effort is required by IT staff to roll out the update.
Apple’s aloofness is legendary, to the extent that any public announcement by the company is greeted with near-hysterical levels of fawning coverage and analysis by many members of the tech press.
But to leave users in the dark over matters of security, when sensitive, personal information is potentially compromised is dangerous. Microsoft is certainly not perfect, but it is thorough when it comes to keeping its users up to date on security issues.
That, of course, is because Microsoft has plenty of experience in battling malware and is well-versed in the patching cycle. Apple is not and it has a long way to go to offer its users the same level of protection its Redmond rival does.
In comments that were always likely to provoke a strong reaction, Eugene Kaspersky, founder and CEO of Kaspersky Lab, believes Apple is a decade behind.
"I think they are 10 years behind Microsoft in terms of security," Kaspersky tells CBR. "Apple is now entering the same world Microsoft has been in for more than a decade: updates, security patches and so on. They will have to make changes in terms of the cycle of updates and so on and will be forced to invest more into their security audits for the software.
"That’s what Microsoft did in the past after so many incidents like Blaster and the more complicated worms that infected millions of computers in a short time. They had to do a lot of work to check the code to find mistakes and vulnerabilities. Now it’s time for Apple [to do that]," he adds.
A recent Mac OS X update claimed to fix more than 50 vulnerabilities, but users who installed the update unwittingly introduced another huge flaw to their computers. This new flaw resulted in all usernames and passwords for user accounts on the Mac being stored in clear text, freely available to anyone who could read the file, including someone who had gained access to the system.
This clearly raises questions about how thorough Apple’s testing was before the update was pushed out. Apple released a fix for it in early May, just days after the issue was reported in the press but a full three months after the company was first notified (the original report was posted in the Apple Support forum).
Graham Cluley, senior technology consultant at Sophos, tells CBR that claiming Apple is a decade behind Microsoft is probably doing the Cupertino-based firm a disservice. "It blotted its copybook with Flashback and maybe they have been slow to inform the market and its users about vulnerabilities," he says.
"But Mountain Lion [Apple’s next major OS, scheduled for release in summer 2012] will have improved security. However, it could be that Apple users are 10 years behind," he adds.
Cluley says that research from Sophos backs up his suggestion that it is the users that are perhaps leaving themselves open. Analysis of 100,000 users of its antivirus for Mac software revealed that 20% have Windows malware on their Mac.
That on its own is not particularly dangerous, but there is a real possibility the malware could spread to Windows machines, where it could do real damage.
Despite this, Apple’s website proudly claims that Macs do not "get PC viruses. A Mac isn’t susceptible to the thousands of viruses plaguing Windows-based computers." This may be technically true, but it is a dangerous claim to make and is surely part of the reason Mac users have such a laissez-faire attitude to security.
Some of the malware discovered by Sophos dates back to 2007, which shows many Mac users simply do not scan their devices regularly. The Sophos research also discovered that 2.7%, or roughly one in 36 tested, were also carrying Mac OS X malware. The Flashback Trojan and fake antivirus software, which tricks users into paying for antivirus they don’t need, made up almost all the malware sampled.
But is this an isolated incident or is the trend of Mac malware here to stay? Cluley says that while it is difficult to exactly pinpoint malware numbers, Sophos is definitely seeing an increase.
Kaspersky, too, is seeing it. He says an increase in Mac malware was "just a question of time and market share. Cyber criminals have now recognised that Mac is an interesting area. Now we have more, it’s not just Flashback or Flashfake. Welcome to Microsoft’s world, Mac – it’s full of malware."
Furthermore, with Mac OS’s market share creeping up – it is now hovering between 5.5% and 6.5% according to NetMarketShare.com – the upward trend will surely continue.
But it is not just the market share that is driving cyber criminals towards Macs. Users are a "soft target", as Cluley calls them, because of the lack of security software installed on their devices. He says Sophos expects to see "huge" growth in Mac malware over the next few years.
One of the many victims of the Flashback outbreak was Oxford University. Robin Stevens, part of the network security team there, echoes Cluley’s claims that it is Mac users that are failing to adequately protect their machines.
The university had been "somewhat overwhelmed" by the Trojan, Stevens writes on the team’s blog. "This isn’t quite the first time we’ve dealt with problems on Macs, but with Flashback the game has changed forever. We are seeing huge numbers of attacks of the sort that Windows users have had to contend with for years. Apple users, and indeed Apple themselves, have just not been ready.
"Sadly, far too many users still appear to be under the misapprehension that ‘Macs don’t get viruses’ in spite of decades of evidence to the contrary. There was perhaps a time when the threat of viruses was sufficiently low that Mac users didn’t have to worry too much about having antivirus software installed, but that time is long gone. Apple’s ‘built-in defences’ weren’t saving users from Flashback infections."
There is a threat to businesses, particularly with the Bring Your Own Device (BYOD) craze, which is not limited to iPhones and iPads. Macs in the enterprise are at risk from Flashback and any other malware that may follow. As the Sophos research shows, they are also at risk of passing Windows malware on to other devices.
To help keep an enterprise secure, the advice is simple: keep antivirus up to date and run it regularly, roll out updates and patches from Apple as soon as they are available, and ensure third-party software such as Adobe Flash Player and Java is also updated as soon as possible.
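One way an enterprise can turn that advice into a routine check is to audit its Mac inventory against a written policy: pending Apple updates, a minimum patched Java build, antivirus presence, signature age and time since the last scan. The script below is an added example written for this article, not code from CBR, Apple, Sophos or any other vendor. The inventory records, the policy thresholds and the "minimum Java build" value are constructed placeholders for illustration; the field names on the `Endpoint` record are hypothetical and would be populated from whatever management tool the organisation actually uses.

```python
"""Patch and antivirus compliance audit over a constructed Mac inventory.

Added example, not taken from the article or from any vendor product.
All records, dates and thresholds below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Endpoint:
    host: str
    os_version: str                 # e.g. "10.7.3" (hypothetical field)
    java_version: Optional[str]     # e.g. "1.6.0_29"; None if Java is absent
    av_installed: bool
    av_sig_date: Optional[date]     # date of the last signature update
    last_scan: Optional[date]       # date of the last full scan
    pending_updates: int            # Apple updates not yet installed


# Policy values are placeholders; "min_java" is NOT the real fixed build.
POLICY = {
    "min_java": "1.6.0_31",
    "max_sig_age_days": 3,
    "max_scan_age_days": 7,
}


def version_key(version: str):
    """Turn "1.6.0_31" or "10.7.4" into a tuple of ints for comparison."""
    return tuple(int(part) for part in version.replace("_", ".").split("."))


def audit(ep: Endpoint, today: date, policy=POLICY) -> List[str]:
    """Return the list of policy violations for one endpoint (empty = compliant)."""
    findings = []
    if ep.pending_updates > 0:
        findings.append(f"{ep.pending_updates} Apple update(s) pending")
    # A host without Java is not exposed to a Java flaw; only flag old builds.
    if ep.java_version is not None and \
            version_key(ep.java_version) < version_key(policy["min_java"]):
        findings.append(f"Java {ep.java_version} below {policy['min_java']}")
    if not ep.av_installed:
        findings.append("no antivirus installed")
    else:
        if ep.av_sig_date is None or \
                (today - ep.av_sig_date).days > policy["max_sig_age_days"]:
            findings.append("antivirus signatures stale")
        if ep.last_scan is None or \
                (today - ep.last_scan).days > policy["max_scan_age_days"]:
            findings.append("no recent antivirus scan")
    return findings


def audit_fleet(endpoints: List[Endpoint], today: date, policy=POLICY) -> Dict[str, List[str]]:
    """Audit every endpoint and map host name to its findings."""
    return {ep.host: audit(ep, today, policy) for ep in endpoints}


def noncompliant_hosts(results: Dict[str, List[str]]) -> List[str]:
    """Sorted list of hosts that have at least one finding."""
    return sorted(host for host, findings in results.items() if findings)


# Constructed inventory: four hypothetical machines as of 12 April 2012.
INVENTORY = [
    Endpoint("mac-01", "10.7.3", "1.6.0_29", True, date(2012, 4, 11), date(2012, 4, 10), 1),
    Endpoint("mac-02", "10.7.3", None, False, None, None, 0),
    Endpoint("mac-03", "10.7.3", "1.6.0_31", True, date(2012, 4, 12), date(2012, 4, 12), 0),
    Endpoint("mac-04", "10.6.8", "1.6.0_31", True, date(2012, 3, 1), date(2012, 4, 1), 0),
]
AUDIT_DATE = date(2012, 4, 12)


if __name__ == "__main__":
    for host, findings in audit_fleet(INVENTORY, AUDIT_DATE).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{host}: {status}")
```

Running the script prints one line per host. Only the Java build and the antivirus state are checked here; an organisation would extend `audit` with whatever other third-party components (Flash Player, browsers) its policy names, keeping each check in one place so the threshold is changed once rather than per host.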
What’s also vitally important is education. Mac users can no longer sit back and smugly watch PC users fiddle around with security software, so making them aware of their responsibilities is key.
CBR repeatedly asked for Apple’s input into this article, but all requests went unanswered.