Is Apple's security honeymoon on OS X ending?

Apple has hardened El Capitan, but OS X is under more scrutiny than ever

Apple scored unforgettable hits against Microsoft with its Mac vs. PC ads, which anthropomorphized Windows as a sneezing, miserable office worker.  

Security experts always knew that the campaign was a clever bit of marketing fluff, one that allowed Apple to capitalize on Microsoft's painful, years-long security revamp.

The landscape is changing, however. Apple's market share of desktop computers is nearing 17 percent. OS X, Apple's operating system, is popular with consumers and enterprises now, making it a more interesting target for hackers.

A report to be released on Thursday by the security company Bit9 + Carbon Black shows that more malware has been found this year for OS X than in the last five years combined.

The company found 948 unique samples of malware this year compared to just 180 between 2010 and last year.

Although the increase is large, the malware isn't very sophisticated and is easy to remove, security experts say.

More than half of the malware found this year was aimed at forcing people to view advertisements, a class of annoyances known as adware. Also, infections were mostly dependent on users making poor decisions, such as downloading what should be recognized as questionable software.

The jump in OS X malware also still pales in comparison to Windows. 

"If you put all of the Mac malware that we've seen, and you combine those numbers for the history of OS X, basically it is less by a significant amount than the amount of Windows malware you will see in an hour," said Rich Mogull, an analyst with Securiosis in Phoenix, Arizona.

Apple, which usually does not comment on security issues, declined to comment.

Over the last several years, including in the latest version of OS X, El Capitan, Apple has been hardening key parts of the operating system to make it much harder for attackers to run rogue code.

Still, software is fallible, and even well-resourced companies such as Apple make coding mistakes that could provide opportunities. Also, OS X is attracting more attention from highly skilled security experts, who have found ways around some of its recent defenses.

Tricking the Gatekeeper  

Patrick Wardle, director of research with the company Synack, has extensively studied Apple's Gatekeeper, a key defense in preventing certain kinds of applications from installing.

Gatekeeper, introduced in 2012, checks if applications have a digital signature and will block those that don't have one approved by Apple.

Wardle found a way around Gatekeeper earlier this year, and Apple patched the issue. But after studying it for a few days, he bypassed Gatekeeper again. 

"Instead of them implementing a more generic patch or generic fix, they kind of did just what was the bare minimum," Wardle said. "That's a little worrisome."

His latest findings were presented two weeks ago at the Virus Bulletin security conference in Prague, and Apple has been notified.

Patrick Wardle of Synack has found two issues in Apple's Gatekeeper, which is designed to stop certain applications from installing.

Credit: Patrick Wardle/Synack

Wardle talks to Apple's security team regularly about bugs he finds in OS X. They are "sharp guys," he says, but they may be fighting a company culture where usability in many cases trumps security.

Locking down OS X's core

Apple introduced a new defense in OS X El Capitan called System Integrity Protection (SIP), which makes it a lot harder for malware writers to touch critical OS files.

SIP blocks the most powerful kind of access to the operating system, known as "root," even for administrators. Before SIP, the only thing standing between an attacker and that access was usually a single password, set by the Mac's user, who has administrative privileges.

If that password is compromised, an attacker with root access can disable other security protections, posing a great risk.

SIP greatly reduces the opportunity for malware writers to put something deeply rooted in OS X,  said Rich Trouton, a Mac systems administrator in Middletown, Maryland, who writes the Der Flounder blog.

"People look at it and go 'Apple's not finding a bunch of malware,'" Trouton said. "And that's true at the moment, but the reason for that is that Apple's put a lot of work into making OS X a less appealing target."

However, "who knows what the future may bring," he said.
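The two El Capitan defenses described above, Gatekeeper's signature check and SIP's lock on root-level access to system files, can both be audited from a Mac administrator's shell. The script below is an added example, not code from the article or from Apple; it assumes a macOS host with the stock `csrutil` and `spctl` tools, and that their output keeps the "System Integrity Protection status: enabled." and "<path>: accepted / source=..." formats. The parsing helpers are pure shell functions so they can be exercised on constructed tool output without a Mac.

```shell
#!/bin/sh
# Added example (not from the article): audit SIP and Gatekeeper status on a Mac.
# Assumes macOS with csrutil and spctl available; the parsers below take the
# tools' text output as an argument so they can also run on constructed samples.

# Reduce the text of `csrutil status` to "enabled", "disabled" or "unknown".
sip_state() {
    case "$1" in
        *"Protection status: enabled"*)  echo enabled ;;
        *"Protection status: disabled"*) echo disabled ;;
        *)                               echo unknown ;;
    esac
}

# Reduce `spctl --assess --type execute -vv <app>` output to a verdict
# ("accepted", "rejected" or "unknown") and Gatekeeper's stated source
# (for example "Developer ID" or "no usable signature"), tab-separated.
gatekeeper_verdict() {
    out="$1"
    verdict=unknown
    case "$out" in
        *": accepted"*) verdict=accepted ;;
        *": rejected"*) verdict=rejected ;;
    esac
    # The "source=..." line carries the reason Gatekeeper gives for its verdict.
    gk_source=$(printf '%s\n' "$out" | awk -F= '/^source=/ {print $2; exit}')
    printf '%s\t%s\n' "$verdict" "${gk_source:-none}"
}

# Live audit: report SIP state, then assess each app bundle path given as an
# argument. On a non-macOS host the tools are absent and this says so.
audit_mac() {
    if command -v csrutil >/dev/null 2>&1; then
        printf 'SIP: %s\n' "$(sip_state "$(csrutil status 2>&1)")"
    else
        echo "SIP: csrutil not found (not running on macOS)"
    fi
    for app in "$@"; do
        if command -v spctl >/dev/null 2>&1; then
            printf '%s\t%s\n' "$app" \
                "$(gatekeeper_verdict "$(spctl --assess --type execute -vv "$app" 2>&1)")"
        else
            printf '%s\tspctl not found\n' "$app"
        fi
    done
}

# Usage: sh audit_mac.sh /Applications/Some.app /Applications/Other.app
audit_mac "$@"
```

A "rejected" verdict with "no usable signature" is exactly the case Gatekeeper exists to catch; "disabled" from `sip_state` on a managed fleet is worth an alert, since SIP can only be turned off from Recovery and an unexpected change points at a hands-on or pre-boot compromise rather than ordinary malware.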

More eyes on the code

Another interesting fact about OS X this year: about four times more software vulnerabilities have been disclosed than in past years.

One tally shows 276 flaws found this year, about four times the average number found annually over the last 15 years, said Claud Xiao, a security researcher with Palo Alto Networks.

"It's a huge increase," Xiao said. "This year, more and more researchers are focused on how to bypass security mechanisms or how to get code to execute remotely."

Malware writers also appear more inclined to use vulnerabilities to infect OS X. Xiao said that in three cases this year, malware or adware used disclosed vulnerabilities to get onto systems.

Mac malware and adware programs have typically relied on tricking users into installing them rather than exploiting vulnerabilities. Apple's built-in AV product, called XProtect, is regularly updated to block nuisances like adware.

But Wardle said Apple has fixed more than 100 security bugs in El Capitan so far, which means there are likely other opportunities to get malware onto a machine.

"I'm sure more advanced adversaries could find remote vulnerabilities if they needed to," he said.

Stories by Jeremy Kirk