Macs' Virus Profile Rising
Benjamin Daines was browsing the Web when he clicked on a series of links that
promised pictures of an unreleased update to his computer's operating system.
Instead, a window opened on the screen and strange commands ran as if the machine
was under the control of someone -- or something -- else.
Daines was the victim of a computer virus.
Such headaches are hardly unusual on PCs running Microsoft Corp.'s Windows
operating system. Daines, however, was using a Mac -- an Apple Computer Inc.
machine often thought of as being immune to such risks.
He and at least one other person who clicked on the links were infected by
what security experts call the first-ever virus for Mac OS X, the operating
system that has shipped with every Mac sold since 2001 and has survived virtually
unscathed from the onslaught of malware unleashed on the Internet in recent
years.
"It just shows people that no matter what kind of computer you use you
are still open to some level of attack," said Daines, a 29-year-old British
chemical engineer who once considered Macs invulnerable to such attacks.
Apple's iconic status, growing market share and adoption of the same microprocessors
used in machines running Windows are making Macs a bigger target, some experts
warn.
Apple's most recent wake-up call came last week, as a Southern California researcher
reported seven new vulnerabilities. Tom Ferris said malicious Web sites can
exploit the holes without a user's knowledge, potentially allowing a criminal
to execute code remotely and gain access to passwords and other sensitive information.
Ferris said he warned Apple of the vulnerabilities in January and February
and that the company has yet to patch the holes, prompting him to compare the
Cupertino-based computer maker to Microsoft three years ago, when the world's
largest software company was criticized for being slow to respond to weaknesses
in its products.
"They didn't know how to deal with security, and I think Apple is in the
same situation now," said Ferris, himself a Mac user.
Apple officials point to the company's virtually untarnished security track
record and dispute claims that Mac OS X is more susceptible to attack now than
in the past.
Apple plans to patch the holes reported by Ferris in the next automatic update
of Mac OS X, and there have been no reports of them being exploited, spokeswoman
Natalie Kerris said. She disagreed that the vulnerabilities make it possible
for a criminal to run code on a targeted machine.
In Daines' infection, a bug in the virus' code prevented it from doing much
damage. Still, several of his operating system files were deleted, several new
files were created and several applications, including a program for recording
audio, were crippled.
Behind the scenes, the virus also managed to hijack his instant messaging program
so the rogue file was blasted to 10 people on his buddy list.
"A lot of Mac users are in denial and have blinders on that say, 'Nothing
is ever going to get to us,'" said Neil Fryer, a computer security consultant
who works for an international financial institution in Britain. "I can't
say I agree with them."
Fryer, also a Mac user, said he has begun taking additional precautions over
the past year to make sure he doesn't fall victim to an attack. He spends more
time than in the past scrutinizing his security logs for signs of intruders,
and he uses a firewall and additional security applications, just as he would
with a Windows-based machine.
Among the other signs Macs are a growing target:
- The SANS Institute, a computer-security organization in Bethesda, Md.,
added Mac OS X to its 2005 list of the top-20 Internet vulnerabilities. It
was the first time the Mac has been included since the experts started compiling
the list in 2000.
- This week, SANS updated the list to warn against flaws in Safari, the Mac
Web browser, which the group said criminals were able to attack before Apple
could fix it.
- The number of discovered Mac vulnerabilities has soared in recent years,
with 81 found last year, up from 46 in 2004 and 27 in 2003, according to the
Open Source Vulnerability Database, which is maintained by a nonprofit group
that tracks security vulnerabilities on many different hardware and software
platforms.
- Less than a week after Daines was attacked in mid-February, a 25-year-old
computer security researcher released three benign Mac-based worms to prove
a serious vulnerability in Mac OS X could be exploited. Apple asked the man,
Kevin Finisterre, to hold off publishing the code until it could patch the
flaw.
The Mac's vulnerability could also increase as Apple transitions to a product
line that uses microprocessors made by Intel Corp., security experts said.
With new Macs running the same processor that powers Windows-based machines,
far more people will know how to exploit weaknesses in Apple machines than in
the past, when they ran on the PowerPC chips made by IBM Corp. and Motorola
Corp. spinoff Freescale Semiconductor Inc.
"They have eliminated their genetic diversity," said independent
security consultant Rodney Thayer. "The fear is that we're going to run
into a new class of attacks."
Bud Tribble, Apple's senior vice president of software technology, disagreed.
"All the things we've been doing to make Mac OS X secure continue to be
relevant on Intel," he said.
Mac OS X, he said, is designed to be Internet safe out of the box, without
the need for firewalls or additional security software. He praised Mac OS X
for making it easy for users to automatically install security patches.
He noted that the operating system was derived from FreeBSD, open source software
that was built from the ground up to provide security for computers networked
together. Since its origins in the early 1990s, the Unix-based FreeBSD has continually
been battle-tested by college students and computer security specialists.
"The bottom line is we still feel more comfortable using a Mac than a
(Windows) PC," said Alan Paller, director of research for SANS.
But as Daines can attest, there are no guarantees.
"We're all sort of waiting with bated breath to see if any problem will
happen and the jury is still out," said Thayer, the independent security
consultant. "I don't think you'll find a consensus."