Mac Punditry and The Office Paradox

Dave G. | April 21st, 2007 | Filed Under: Apple, Industry Punditry

Mac Punditry

I don’t know why I have to respond everytime I see someone trying to debunk myths about Mac OS X security, but apparently I lack free will. Over at Roughly Drafted, there is a long response on what he believes to be Mac OS X security fallacies. Let’s begin:

Opening an email URL that exposes a security flaw in Safari is both news to report and a problem for Apple to tackle, but reporting it as a remote exploit is inaccurate, irresponsible, and sloppy journalism, particularly for IDG’s InfoWorld, which purports to be an authority on computing.

Your definition is behind the times. A browser based vulnerability is considered to be a remote one by just about any person that is in the security industry. I understand what you meant, in that you think of a remote vulnerability being one where a client attacks a server. But, a Safari exploit is a remote.

For example, many schools are full of Macs; if they were easy targets because of wide open security flaws, school populations would see problems with Mac viruses. They do not. There are no real Mac viruses.

Mac OS 9 was no more secure from viruses than DOS was. There were close to 100-200 Mac OS 9 viruses compared to 50,000+ PC viruses. Explain to me how the security architecture of Mac OS 9 protected users from viruses.

Any security expert who is confused on that subject really needs to inform themselves better. IDG’s InfoWorld is doing the world a disservice to offer up such rubbish information on the subject. Perhaps it should be rebranded as ConjectureWorld.

Corvettes aren’t popular targets for theft because they are ubiquitous but rather because they are valuable. Similarly, if it were easy to remotely exploit Macs, they would offer hackers valuable targets both in environments where Macs are plentiful such as education, as well as sites where Macs are high profile goldmines, such as the iTunes Store servers.

How are educational environments high value targets? What other sites besides the iTunes Music Store servers? Because touting one site is not the best argument against the “its a marketshare/installedbase issue” claim. Especially if an exploit against Windows via a Malformed Word document sent as a resume to the HR department (*) has a high probability of compromising a large swath of the Global 2000.

(*) Example ripped from Marc Maiffret’s talk at OWASP.

Finally, even your analogy is wrong. Corvettes are not popular targets for theft. When you do the research on this, you are going to find the sad truth is that most of the commonly stolen vehicles are actually average cars like the Honda Accord’s and Toyota Camry’s. If a Corvette and a Honda were to be characters in an Apple commercial, which one would be played by Justin Long?

Listen up security pundits: hackers aren’t after fame, they’re exploiting security systems for money. As with any business, the easiest route is always to target the low hanging fruit first. In the computing world, that means exploiting PCs running Windows, not because they are common but because they offer an easy exploit for something of value: a way to send spam.

Ok. So, in the business of spam, I think we would all agree that the limiting factor in your ability to grow revenue is based on the amount of spam that you can send. If both Mac OS X and Windows were equally easy to compromise, would you target the smaller or the larger market?

In conclusion, I don’t think you in anyway disproved the notion that marketsize is related to number of exploits. Most of your arguments actually did not contradict the market share argument in any way.

The Office Paradox

Almost every pro Mac OS X security pundit will highlight the scores of zeroday vulnerabilities that affect Windows, and attack the code quality of Windows as being a primary factor.

In recent months/years, many of these have been vulnerabilities in Word, Excel and Powerpoint vulnerabilities. There is a version of Office for the Mac. Why do we not see rampant exploitation of Office/Mac vulnerabilities? Why haven’t we seen one case of it?

Viewing 31 Comments

    • ^
    • v
    Clearly, because those Microsoft Mac guys have figured out how to write vulnerability-free code.
    • ^
    • v
    What does Mac OS9 have to do with what Roughly Drafting is asserting?
    • ^
    • v
    The assertion is number of viruses in education environments has something to do with the security of Mac OS X. Mac OS 9 had no security and still had less that 1% the number of PC viruses. Mac OS 9 had no security that would prevent the spread of viruses, and yet there were a disproportionate number of Mac viruses compared to PC viruses. How is this not a datapoint that strongly suggests that there are other things that factor into virus related attacks other than the defenses offered by the OS?
    • ^
    • v
    I've heard of that 100-200 Mac virus number mentioned before, but do you have a cite for it? Mikko Hyppönen says 50. Wikipedia says 4-63.

    I realize alot of it depends on what counts as a variant and stuff, but I'd be interested in seeing a list, even one which isn't comprehensive.
    • ^
    • v
    If you want to get technical....

    "There were close to 100-200 Mac OS 9 viruses compared to 50,000+ PC viruses. "

    It's actually close to ~60 System 6/System 7 viruses. The far majority of them wouldn't run on Mac OS 9 at all due to the changes to the structures in the system software.

    I don't understand your Office for the Mac comment. One of the reason for not seeing the issues is the hardcode paths used in some exploits and the relatively piss poor support of VBA in Mac Office (which is completely going away in Mac Office 12)
    • ^
    • v
    @Rosyna:

    Thanks for the correction.

    VBA related problems are so 1990's :) Most of the current problems with Office/Win32 are related to file format exploits (think buffer overflows in document parsers) that can be delivered via Mail that users double click on.

    I know you think this doesn't happen often, but if you think about how many people get conned into sending money orders to Nigeria via email, imagine how many people can be tricked into double clicking on a Word document.
    • ^
    • v
    huxley: why o why o why do you care? If there are 2 pre-OSX viruses, there could be 100, 1000, or 10,000. The notion that it matters how you count viruses, or that you think about them individually, is a toxic $3.5bn drag on the security industry.
    • ^
    • v
    huxley:

    I'd be interested in that as well. I dont remember where my numbers came from originally, but I snipped that number from a previous post, where I believe I did a high estimation based on a number of google searches. Either way, I was schooled and the lower number only supports my argument :-)
    • ^
    • v
    "A browser based vulnerability is considered to be a remote one by just about any person that is in the security industry."

    Though I am not sure I agree that this is true, doesn't it create a problem in classification regardless? It seems strange to use the delivery mechanism (Web) as a distinguishing characteristic, but then the indirect delivery of any communication channel makes every vulnerability potentially a remote one, right?
    • ^
    • v
    It's remote because a remote resource initiated the exploit.
    • ^
    • v
    Perhaps a better taxonomy would be local/network/remote, where local required existing access to the machine, remote was attacker-initialted via the network, and network was target-initiated over the network. The distinction between remote and network is less significant than the distinction between remote or network and local, but it's still a useful distinction.
    • ^
    • v
    I agree with Pete that clientside remotes create a taxonomic problem. Nobody knows what you mean when you say "remote" anymore. However, times have changed: you can make an argument that clientsides in major applications are more valuable than "classic remotes", which don't make it through NAT.
    • ^
    • v
    Hi I wrote the article you are criticizing.

    A remote vulnerabilty is one where attackers are able to access a machine remotely. There doesn't seem to be much real confusion on that point.

    In the case of the CanSecWest Macs, an automated "user" had to click on a URL causing a local Java exploit, which opened up the potential for a remote user to gain access to a user level file.

    I took issue with calling it a remote exploit because it wasn't a remote exploit. It was an exploit of user behavior which opened up the potential for a remote exploit.

    If a user turns on file sharing with a blank password, it is not a "remote exploit" if someone reads their files. It is a locally opened security hole.

    If the CanSecWest Macs had been directed to a malformed graphic that caused Safari to arbitrarilly execute code (like the flaw discovered in Vista), then yes, that would be a remote exploit via the browser.

    That didn't happen.

    --

    Regarding your other comments, I referenced school populations full of Macs as a high density installation of Mac systems, in an environment where script kiddies could run wild.

    But that isn't happening. Clearly, the arguement that Macs are too uncommon to warrant interest by attackers is a spurious one.

    During the decade of System 7 and Mac OS 9, there were a few Mac viruses, but they were really only a problem when working with shared files. Networked Macs didn't have significant security problems because they didn't allow remote access by default. That's why the Army moved its webservers from NT to Classic Macs running WebStar. The only port open was 80.

    While the Classic Mac OS "didn't have security" in the sense of system enforced file or user permissions, it also didn't have open ports listening for LANMan chat, nor did it ship with insecure protocols like SMB running.

    Your description of the classic Mac OS isn't really accurate; the old Mac OS was more secure than DOS+Windows, and even NT in practical applications such as serving web pages without being taken over and vandalized.

    No amount of artificial C2 Security badges made NT secure in the real world.

    Your tangent about Corvettes is odd; I dont know where you were going with that. The point I made seems pretty clear: people don't steal the most common cars because they are there, they steal things that offer them some sort of value with minimal effort.

    That's why car "security systems" work. They aren't impossible to get around, but they make attacking the car more dangerous and slower, making other, easier targets appear more attractive.

    Similarly, if Macs were easy to target, they would be used to propagate viruses and spam too, just as they can be used to transmit Word macroviruses today.

    You blow off the example of Apple's iTunes Store servers, which we know are under regular attack but have not been compromised. Why?

    How many massive examples of secure installations are needed to support the fact that Macs are in fact regular subjects of attacks, they just hold up better?

    That's not to say Macs can't be compromised, only that it's a myth to say that Macs aren't under attack because their numbers don't compare to PCs. We know that there are significant installations of Macs that are attacked but not owned, and that they are regularly holding up in high volume Enterprise environments.

    If you're not aware of the scale of the iTunes Store servers, I'd suggest examining how it is that Macintosh servers are running the largest media download servers in the world, with hundreds of thousands of thin clients running concurrent sessions buying songs, previewing content, and managing accounts.

    As for vulnerabilities in Word for Mac, there are known problems with macros and VB for Office that translated to the Mac because it is the same platform. If Microsoft ported Windows to PowerMacs, it would bring all the Win32 problems with it.

    Surely you realize that Office for Mac is written to Mac APIs, not Win32?

    Windows code quality most certainly is part of the problem behind Microsoft's security nightmare, but so is Microsoft's reliance on proprietary development. There are also factors Microsoft can't control: bad third party software, for example.
    • ^
    • v
    I don't get it. There's a "Fortune 500", consisting of banks, oil companies, phamaceutical giants, telecommunications service providers, and arms manufacturers. You're going to have to explain to me again why the iTunes Music Store is the premier target for attackers. Is it that you think hackers really hate Limewire and BitTorrent?
    • ^
    • v
    Daniel, you just wrote a whole roundup article:

    http://roughlydrafted.com/RD/RDM.Tech.Q2.07/FDA...

    Rather than go over it point by point, I'm going to direct you here:

    http://www.matasano.com/log/809/a-little-challe...

    Then I'm going to point out that Rosyna Keller and Drew Thaler, both of whom seem to have considerably more Mac internals info than you do, haven't refuted the challenge.

    You seem convinced that browser findings are unimportant. I expect that our challenge will be easily surpassed by one such as you. So, visit the comment thread and then tell us, on your boxes, right now, what can't we get from your primary user account?
    • ^
    • v
    Daniel:

    I am confident that the exploit conditions are analagous to a malformed image file, in that, you go to a web page where the exploit is located and arbitrary code of Dino Dai Zovi's choosing is running. So confident, that I am willing to bet you a six pack of whatever your favorite type of beer is.

    My point around System7/OS9 is really simple. The level of security an OS provides is not necessarily directly related to the number of viruses that exist for it. There were gobs of viruses (file/boot sector) for DOS and there weren't gobs of viruses for the Mac. Tell me what about System 7's security architecture prevented file infectors?

    By WebStar, I assume you mean this WebStar? (I am showing you that link not to point out that there were vulnerabilities in Webstar, but to point out that I found them. I am sure its going to come across as arrogance, but I mean it to say that I actually do OS X security research).

    You said: "Corvettes aren’t popular targets for theft because they are ubiquitous but rather because they are valuable." I dont understand how you think that means "people don’t steal the most common cars because they are there, they steal things that offer them some sort of value with minimal effort."

    And even if that is what you meant, it is still wrong. Corvettes are not popularly stolen cars. Popularly stolen cars happen to be cars more popularly driven. This is in line with arguments around marketshare.

    I didn't blow off your ITMS example. I simply say that you are not refuting the global marketshare argument by listing one-two examples (even one large example).

    Talking about VBA and Macros is again talking about a problem that peaked years ago. The biggest problems that Office faces today are buffer overflows and other memory corruption attacks that involve malformed file formats. Today, PCs are regularly compromised via these vulnerabilities and the Mac isn't. This should affect Mac and Windows equally, as the Mac API's do not protect against buffer overflows any better than Win32. If attackers were actively targeting OSX users, AND Mac OS X is as secure as the Macnorati say it is, then wouldnt attackers simply start exploiting Office/Mac?

    I think where you and I differ are around what "attack" means. To me, attack means what Dino did. He found a vulnerability that affected OSX and then used it. In order for someone to monetize that for spam, they have to take an exploit and run it against many machines. It is a numbers game. Now, if you are an attacker, are you going to go after the 80% part of the Internet?

    I feel very strongly that it is currently easier to find vulnerabilities in OSX than it is to find vulnerabilities in Windows. Of course, all I have going into this conversation is 11 years of security vulnerability research and a proven track record with Apple for finding vulnerabilities (If you check Apple Security Updates you will see my name mentioned from OSX 10.2 through 10.4).

    FWIW, I agree with you around some of the good decisions Apple has made around security, and would encourage you to read some of my other posts on the subject:

    My Myth Busting
    Safety Vs. Security
    • ^
    • v
    Now, if you are an attacker, are you going to go after the 80% part of the Internet?

    Nope, I am going after the platform that will allow me to have an automatic installation, replication, distribution of my malware with little to no user interaction after first infection. If I need to have a simpleton at the keyboard having to always authenticate and authorize activities that supposedly should happen without requiring attention of the user then I am not interested. I do not care whether there are 2 million, 20 or 200 if that is a constrain. I'll go with the platform where I only need the user just once at most. And I'll go toward the platform where I could gather zombies that I can sell more profitably. For that again, I do not care to look at your files, photos, documents etc in the user space. I need full control of your machine quickly, automatically and unnoticed. When that will happen on Mac OS X it will become instantly very interesting a target.
    • ^
    • v
    Another comment would be on Leopard: Apple is nicely tightening Mac OS X.
    Even fewer things to attack than in Tiger.

    Number of platforms is only a factor, not the only one in deciding where an effort will have a better ROI.
    When a platform has tens of million users it is already sizeable enough. Even with same numbers, Windows gives a larger ROI for less effort than Mac OS X.
    80% ? who cares, it could be 50-50 the split. Easier to go after Windows and with easier return. One goes after the low hanging fruits, period.
    • ^
    • v
    @Max:

    Why do you need full control of the machine? What activity does a botnet zombie perform that requires an end user to authenticate each and every time? Are you really going to tell me that the average OSX user is going to notice an extra process running?
    • ^
    • v
    @Dave,

    maybe to have PHP up and running first?
    • ^
    • v
    @ Thomas

    If you read my article and came away with the idea that "I'm convinced that browser findings are unimportant," I have a hard time having a dialog with you.

    Also, I never suggested that "iTunes Music Store is the premier target for attackers," only that it is a known, high profile target running Mac servers. I also included Apple's other web stores. I believe Apple's site is in the top ten most heavily trafficked sites, and the iTS is certainly a target hackers are motivated to exploit. Why would hackers target Limewire? That's absurd. What is there to get that isn't already available? Are you intending to have a meaningful discussion or just throwing mud furiously?

    iTS demonstrates the fallicy of saying that Macs aren't under attack and that nobody has ever tried. It's not true, so stop repeating it.

    Recall that a worm specifically targeted the BlackIce Defender firewall. Market share has little to do with incentive. It's all about reward vs risk.

    @ Dave

    You can quibble about Corvettes and what car gets stolen most, but you're missing the point. I wasn't proving a point about GM, I was making an analogy between cars that get stolen and computers than are broken into. Again, its reward vs risk. It is not about quantity.

    I already pointed out the difference between System 7 and DOS: One was designed for an appliance computer, the other for PCs chatting amongst themselves on a wide open LANManager office. Apple could bolt on network funtions onto the Mac, but Microsoft has had major problems trying to wrap Windows in diapers to slow the amount of crap flying in and out of its open pores.

    Dino's attack compromized the security of the Mac, but he only gained user level access. I don't want people being able to read my files, but that's a far cry from being able to install malware or turn the machine into a spam relay. That didn't happen.

    Also, I don't think it's even controversial to say "it is currently easier to find vulnerabilities in OSX than it is to find vulnerabilities in Windows." Mac OS X contains a lot of open source, Windows is a proprietary black hole.

    Dino didn't compromise Mac OS X, he apparently compromised the Java plugin, something that is common to many platforms. It was not easy or quick to discover, and required user interaction to set in motion.

    Saying that staged event is somehow in the same league as Microsoft's Windows crisis is just plain credulity.

    The "Macnorati" are not saying Macs are impossible to crack, only that Mac security is better IN THE REAL WORLD compared to Windows. Even Windows cheerleader Paul Thurrott admitted that. There are ZERO MAC VIRUSES.

    At some point, you have to compare the theories you want to believe in with the truth: THERE ARE NO MAC VIRUSES. Change your tune appropriately.

    Since I haven't noticed a single criticism from anyone on your site that seems geniune and straighforward, I'll leave you at it to publish whatever information you like. I don't understand the interest and point in refuting the truth and insisting white is black, and I'm tired of seeing you stuff words in my mouth. Either your operation is very disingenuous, or your group collectively has poor reading comprehension.
    • ^
    • v
    Yeah. I think we are just going to continue to talk past each other. I am sorry you feel that I put words in your mouth. I think you are mistaken on whether or not a user level account is enough to install malware and start sending out spam, but we aren't going to see eye to eye on this.

    DOS did not have LanManager. I did not say Windows. I specifically talk about DOS vs. Mac file infector viruses to prove the point that there are other factors besides security that play a role in whether or not systems are attacked. I have tried to be explicit on this, but you instead attack me on poor reading comprehension.

    I agree with you that there are ZERO MAC VIRUSES (well technically there are some proof of concept ones, but neither here nor there). We just disagree with the why.

    I am comfortable disagreeing. Dino's vulnerability was found and exploited inside of 9 hours. Even he said “I think I may have set the land-speed record”, so I am not sure why you are now saying that it wasn't quick to discover.

    My contention has been straightforward and genuine from the beginning. I do not believe that the inherent security strengths of Mac are the primary factor in why they are not suffering from the same problems as Windows machines. Furthermore, up until the Witty worm comment, none of your arguments seem to disprove the myth you set out to disprove, and in fact, some even appear to support it. I am going to think about the Witty worm for a bit. Thank you for providing a good counter-example.

    I don't understand why in this specific instance, you just can't say, this is a serious security problem in Mac OS X. It is a remote vulnerability where an attacker can execute code on your machine just by having you visit a website they control. This is the exact type of problem that impacts Windows users. Instead, you constantly qualify it. If Windows had a problem in it's 'Java Plugin', and Mac OS X was not vulnerable, would you really be splicing hairs saying "Well it wasn't Windows, it was it's Java plugin, something that is common to many platforms". What if it was in image parsing code, would you stand up and say, "Well, it was in the JPEG parsing code, which is common to many platforms".

    Again, I am still willing to bet you a six-pack (or even just a letter signed by the person that is wrong) that Dino's exploit has the same attack pattern as a corrupt image vulnerability on Windows.
    • ^
    • v
    (Psst: Don't bet against Dino's boss when it comes to knowing what Dino's exploit was.)
    • ^
    • v
    If Windows had a problem in it’s ‘Java Plugin’, and Mac OS X was not vulnerable, would you really be splicing hairs saying “Well it wasn’t Windows, it was it’s Java plugin, something that is common to many platforms”. What if it was in image parsing code, would you stand up and say, “Well, it was in the JPEG parsing code, which is common to many platforms”.

    Well, for what concerns me, I do say the above. If it is Java, it is Java, not Windows and it worries me because it means it *could* affect Mac OS X unless Apple had put in some watchdog around.

    The Witty worm and the Linux iPod installation virus frankly both tell that the theory that ZERO virus on Mac OS X is due to its small user base is simply severely flawed.

    PS
    9 hours for Dino's exploit is to me like speed of light. If it was easy to remotely compromize Mac OS X and achieve an exponential infection (the more Mac you compromize the easier it is to infect the next one) it would have happened years ago.
    • ^
    • v
    @Ryan:

    Dino doesn't work here anymore, but the point is still a good one...

    @Max:

    Not sure I would go as far as to say severely flawed. The Linux iPod installation virus is analagous to InqTana (a Mac OS X Proof Of Concept worm).
    • ^
    • v
    @Dave

    Ok, not severely. Just flawed? ;-)
    • ^
    • v
    If market share isn't correlated to malware share, SunOS 4.1.3 is the most secure operating system deployed today.
    • ^
    • v
    Thomas, there are virus for SunOS. So it is not the most secure operating system deployed today.

    And it has far smaller market share than...
    • ^
    • v
    I tend to agree more with the Roughly Drafted article than this one.

    At least 60% of the world's internet servers are UNIX based. It would make sense that if you wanted to really exploit the internet with viruses or hacks you would do so on those servers. So why is this not the case? It's because those internet servers are more securely built. They are behind firewalls, MPRs, and have nigh-on bulletproof OSs. It's a 3 pronged attack.

    Windows internet servers on the otherhand are really only a 2 pronged attack as they sit behind firewalls and MPRs but their OS is so insecure, although the security risks are lowered if those Windows servers are running Apache.

    MacOS X is based on BSD Unix. OpenBSD is actually rated as the most secure OS not Sun but then it isn't really deployed widely so Thomas may be right.

    Incidentally there are actually 5 major viruses for BSD OSs. But those were patched 20 years ago.

    With MacOS X making more headway in both the desktop and server market it makes more sense to want to attack those systems if only to get the kudos of being the first to fully hack the system. Guess why the attacks aren't happening? It's because it's not as easy as everyone makes it out to be. If it was, all BSD based OSs would have been exploited over their lifetime but it simply isn't the case.

    I like Max's quote:

    Now, if you are an attacker, are you going to go after the 80% part of the Internet?

    Nope, I am going after the platform that will allow me to have an automatic installation, replication, distribution of my malware with little to no user interaction after first infection. If I need to have a simpleton at the keyboard having to always authenticate and authorize activities that supposedly should happen without requiring attention of the user then I am not interested. I do not care whether there are 2 million, 20 or 200 if that is a constrain. I’ll go with the platform where I only need the user just once at most. And I’ll go toward the platform where I could gather zombies that I can sell more profitably. For that again, I do not care to look at your files, photos, documents etc in the user space. I need full control of your machine quickly, automatically and unnoticed. When that will happen on Mac OS X it will become instantly very interesting a target.

    This is what Daniel was trying to say. The exploits for MacOS X required a user's interaction. Most of the Windows attacks don't. Recall the difference between Windows and Mac for the Sony RootKit debarcle. Windows automatically allowed the software to be installed without users knowing. On the Mac the user had to specifically install the application. Now tell me how MacOS X isn't more secure than Windows in this case?

    But then when MacOS X gets hacked those hacks will also effect BSD unless you hack Aqua, Quartz, or QuickTime. If you can hack QuickTime then this would effectively add another attack on Windows but not so much BSD as QuickTime isn't on UNIX.

    And this is also what Daniel was saying. To hack MacOS X you effectively have to hack OpenSource software which means you're not really hacking the Mac which makes this exploit meaningless.

    Dino's attack was the JAVA plugin so the exploit is effectively on every machine that uses the Java plugin. Therefore once again the exploit isn't Mac specific, unless you're trying to tell me Java isn't available on Windows, *NIX...
    • ^
    • v
    I don't have a good answer for you about why Unix isn't a more attractive target. But by your logic, SunOS 4.1.3u1 is the most secure OS ever --- not one piece of malware ever released for it.

    It's not a Java vuln. It's a Quicktime vuln, exposed through Java. It's a problem in Apple's code, sadly propagated to other platforms.
    • ^
    • v
    I'll admit I don't know much about OSX but what exactly prevents "automatic installation, replication, distribution of my malware"?

    A user visiting a web page seems "automatic" enough for me.

    Malware does not necessarily require elevated privileges (you can get and send spam with user-level privileges - w/o high cpu usage or memory consumption most people won't notice another process running).

    "Replication" & "Distribution"... hmm... with user-level access it would be possible to automatically post links to the page containing exploit on known sites/forums/blogs the browser has access (still has the authentication cookie)... I still don't know how it would be different in OSX/Safari from Win/IE unless Safari has some sort of security feature to prevent this.

    Also is there a security feature that prevents a user-level process from getting contacts from mail.app or iChat (which would later be used to send the URL to the exploit via email)?
    MSN messenger provides an option to encrypt contact files to prevent other apps from getting the contact data. Not sure if iChat does the same.

    If this features aren't there than "distribution" is possible.

Trackbacks

close Reblog this comment
Powered by Disqus · Learn more
blog comments powered by Disqus