Mac OS X Lion: Losing its security pride

The past couple of weeks have not been the best for Mac OS X's security reputation.

Recently, anti-virus firm F-Secure detailed a Trojan dropper that will insert a backdoor onto targeted systems. During the attack, a PDF is forcibly opened, designed to distract the end user from the shenanigans going on in the background.

According to F-Secure, the PDF file is written in Chinese, and is politically inflammatory. While the PDF launches, malware is dropped after it downloaded from a remote server located in Russia.

This week, Mac security software maker Intego said it discovered a new, albeit low risk, Trojan that pretends to be an Adobe Flash player installer. According to Intego, users visiting certain malicious websites may see a link or an icon to download and install Flash Player. Since Mac OS X Lion does not include Flash Player, some users may be fooled and think this is a real installation link, Intego said in an advisory.

It's those users that keep their standard system settings that are at the greatest risk, Intego says. Because the Safari browser is set to consider installer packages as safe (those files with a .phg or .mpky extension) it will automatically launch after download if their settings aren't changed from the default. Intego advises users remove those settings.

If the Trojan and malware are installed, according to the vendor's analysis, it will then attempt to shut down certain network security software and delete its own installation package. It will then install attack code that enables it to inject code into the applications the user launches. Intego says it will release more information about the code the Trojan inserts after it has completed its analysis.

In another recent scratch on OS X Lion's security luster, security researcher Patrick Dunstan posted on the Defense in Depth site about how OS X Lion's passwords can be maliciously changed. This is made possible, according to Dunstan, because Lion enables non-root users to view password hashes by extracting the data directly from Directory Services. That could be scary enough, but unfortunately, according to Dunstan's research, Directory Services in Lion doesn't require user authentication when performing a password change: which makes it easier for attackers to change passwords for you.

Does such security design missteps and a recent bump in OS X attack software mean OS X users need brace for a wave of fresh attacks and exploit code?

Mac security firm Intego believes so. "The past year has seen a huge increase in Mac malware. Not only are malware creators targeting Macs more, but they are also improving their techniques. The code in this new Trojan horse is very sophisticated and shows a good knowledge of Macs," said Peter James, global spokesperson for Intego.

When asked to provide figures to substantiate that malware authors were targeting Macs in much greater numbers, Intego did not do so.

Rich Mogull, analyst and founding CEO at the IT security research firm Securosis, says that while there may be an uptick in Mac malware -- and there have been some security design mistakes -- the threat landscape for Mac users hasn't changed very much.

"The default trusting of installer packages is something Apple should change, but it's a setting users can correct themselves," Mogull says. "As for the risk of increased malware, that's not something I'd be concerned about. It's not as if OS X is going to experience the type of malware problem we all saw with Windows XP," says Mogull.

George V. Hulme writes about security and technology from his home in Minneapolis. You can also find him tweeting about those topics on Twitter at @georgevhulme.

Read more about network security in CSOonline's Network Security section.

Join the CSO newsletter!

Error: Please check your email address.

Tags VulnerabilitiesfirewallsapplicationsMac OS XExploits / vulnerabilitiesLionsecurity flawsPDF flawsecurityMac securityf-secureIntegosoftwareData Protection | Network Securitydata protection

More about Adobe SystemsAppleetworkF-SecureIntegoMacs

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by George V. Hulme

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts