Mac desktop security: The landscape is changing

Only about 20 percent of Americans think Macs are vulnerable to viruses, compared to more than half who describe PCs as "vulnerable" or "very vulnerable" to attack by viruses, according to Alex Stamos, a security analyst at iSec Partners.

That doesn't mean Macs are safe, only that Mac users have a "go ahead, run this unsigned binary, who needs anti-virus" attitude about potential threats, Stamos told an audience at this year's Black Hat security conference in Las Vegas.

The truth about Macs and malware, according to Stamos, McAfee Labs and other vendors is:

  • Any computer is vulnerable to malware
  • Apple has ridden the popularity of the iPhone and iPad to a comeback in the enterprise, making its operating systems a more attractive target for malware writers
  • The high level of cluelessness about security makes Mac users of all stripes far more vulnerable to infection or phishing attacks than PC users who have learned caution by experience, according to Stamos.

Now in Hacker Sights: Adobe

Threats to Windows machines are actually going down, at least proportionately, as Microsoft's security improves and the popularity of Adobe products draws more malware writers to focus on it rather than Windows, McAfee's report showed.

The issue is not that Adobe code is insecure, just that it is growing in popularity more quickly than the stable user base of Windows, the report said. Since January, malware threats collected by McAfee that were aimed at Adobe products have increased from a little over 4,000 per month to just over 14,000 in June -- growth of 330 percent in six months.

Mac OS X -- Keep It Out of Your Enterprise

The increase in threats to Mac OS X machines is as dramatic as the effect is on Mac users, the report found.

"There are more Mac users than ever before as well as steady business adoption," the McAfee report found. "This puts the Apple platforms squarely in the crosshairs of malware authors. It will be interesting to see if this type of malware makes its way to the iPhone and iPad as well. It is probably a case of 'when' rather than 'if.'"

So far, most of the threats have been socially engineered approaches such as MacDefender -- a fake antivirus program that preyed on the budding awareness among Mac OS X users that their platform may be vulnerable.

MacDefender showed up in April and May; by May 31 Apple had shipped a patch that plugged the vulnerability it exploited and cleared it from infected machines.

It is not known how many Macs were infected.

As a networked enterprise platform, however, Stamos says Macs are not safe.

Apple's new server operating system -- OS X Lion -- is so inherently insecure that Stamos recommends keeping it off the network altogether and using Macs only as standalone machines connected to IP or Windows networks, not those designed for Macs.

The Mac Server's networking protocols -- especially DHX User Authentication -- are designed for ease of use, not security. It is trivial, Stamos said, for hackers to set up a Mac user to download a file that will overflow the buffer protecting the heap segment of the server's memory, allowing the file's malicious payload to run uncontrolled in the server's memory and give itself whatever access rights it wants.

The Login Keychain with the Mac OS X server is also vulnerable to brute-force cracking of the user's password, and, although there is a sandbox in which misbehaving code should be contained, Mac OS X Lion Server doesn't put a tight enough lid on it to protect against new malware threats. The list of vulnerabilities goes on, Stamos says.

Apple's ad hoc DNS service also requires no encryption, so malware listening to chatter on the network can identify machines and ID codes to replicate

VPN credentials remain within memory after the connection has been broken, which makes them vulnerable

Mac servers accept a range of authentication protocols but don't prevent malware from downgrading to the least secure of these and trying to get illegal access via the weakest link.

There is also no central, required cryptography or memory forensics to help identify malware already running on the server, Stamos said. The desktop version of Mac OS X is more secure than ever, so there is no excuse for such weakness in the server; the only solution, he said, is to leave the server alone.

"Run your Macs as little islands on a hostile network," Stamos told attendees at his Black Hat presentation. "Once you turn on the administrator stuff, once you install OS X Server, you are toast."

Join the CSO newsletter!

Error: Please check your email address.

Tags Applesecurityhardware systemsdesktop pcsMac desktops

More about Adobe SystemsAppleMacsMcAfee AustraliaMicrosoft

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Kevin Fogarty

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place