McAfee Stabs At Mac Security

Arik Hesseldahl

Hot on the heels of today’s column on the ever-controversial state of Mac security comes a report from McAfee, the title of which pointedly asks the question “Is Mac OS X the Next Windows?”

Among its key findings, which McAfee clearly hopes will scare you enough to consider buying its anti-virus software for the Mac:

  • From 2003 to 2005, the annual rate of vulnerability discovery on Apple’s Mac OS platform increased by 228%, compared with a 73% increase for Microsoft’s products.
  • As demonstrated by its March 2006 patch, which corrected 20 vulnerabilities, Apple’s Mac OS platform is just as vulnerable to targeted malware attacks as other operating systems.
  • Security researchers and hackers will increasingly target the Mac OS and other Apple products, such as iTunes and iPods.

I have a lot to say about this white paper after the jump.

Well, first off, let’s cover the obvious. As the CEO of any startup whose sales have gone from $1 million to $3.3 million will tell you, it’s pretty easy to post a 228% increase off a low base.

But there are other deceptive points in the numbers behind that claim. In McAfee’s entire history of tracking and documenting Mac-targeted malware – viruses, Trojans and the like – which it began in 1987, it found only 76 occurrences in 19 years.

Even more strangely, the study fails to differentiate between malware that appeared on pre-OS X versions of the Mac OS and malware written for OS X. The worst year in the survey period was 1998, three years before OS X shipped, when 18 different viruses appeared – a year when I remember catching something from an infected Zip disk at the office.

Now here’s the forward-looking paragraph meant to make you worry:

“Apple appears to be in the earlier stages of malware evolution where exploits are written and spread as proof-of-concept to demonstrate technical prowess and garner notoriety. While these elements remain in the Windows malware community, they are being overshadowed today by the more professional, profit-seeking malefactors. Apple’s customer base does not yet provide an attractive enough target to warrant interest from this for-profit contingent. However, as Apple’s continued market success places its products in the hands of more and more consumers that status will inevitably change.”

There are two problems with that statement. First, Mac users on average pay more for their computers, are self-selected because they tend to know more about technology than the average PC buyer, and are by and large a bit more affluent than those who buy cheap commodity Windows PCs. The volume that makes Windows attractive to virus writers and hackers comes from businesses with huge Internet pipes that buy Windows machines in large numbers and often don’t protect them very well.

The second problem has to do with Apple’s potential for success and for capturing more market share. Once you account for the ongoing growth in overall PC ownership, even if Apple pushes its annual unit sales to 12 million or more by 2010, its share of the overall market will still be only about 4%, leaving Windows the far tastier target.

The study does draw an interesting parallel between Apple’s recent experience with the Leap Trojan and Microsoft’s after the 1995 WM/Concept macro virus hit Windows. Microsoft at the time dismissed Concept as a prank macro. In the case of Leap, Apple made a point of distinguishing it from a virus, saying that to get infected a user first has to actively decide to download and execute the program. The study counters: “In fact, many Windows viruses also require the user voluntarily decompress an attachment and double-click to start an executable. Thus by this standard, OSX/Leap is a virus.”

Still, the authors of the study admit that none of the recently released Mac malware has propagated widely, suggesting either bugs in the malware’s code or, again, Apple’s small market share as the reason. Macintosh users, they say, will have to rethink their “safe harbor” logic.

Then they jump into the whole ridiculous “Intel chip brings potential security trouble for the Mac” argument, and debunk it in the very next sentence: “Apple’s recent shift to using Intel microprocessors in all new Macintoshes could usher a whole new era for Macintosh malware. Chip-level threats have not yet been seen, however the common architecture will not go unnoticed by the malware community.”

Let me get this straight: a chip-level threat has never been seen even on Windows, but somehow it’s a threat to the Mac? Logic: I’ve heard of it. If chip-level attacks don’t exist, why are they a potential threat to any computer, Mac or Windows? If anyone reading this is aware of chip-level security threats, please leave a note in the reader comments. I’m sure there has been some academic research on the topic, but there’s academic research and then there are real-world threats. What is theoretically possible is not always practical or easy to execute.

It gets worse. This study has forced me to roll out another quote, one I didn’t use, from my chat yesterday with Apple’s Phil Schiller and Bud Tribble. McAfee suggests that the arrival of dual-booting via Boot Camp, and of virtualization products like those from Parallels, opens the Mac up to more danger from Windows-based attacks.

I can see why a layperson might come to this conclusion, but a security software company? I expect a little better.

Remember that software written for Windows – even viruses – is built against Windows’s own executable format and system APIs, which is why it can’t run in the Mac environment without emulation or virtualization. On top of that, stock Windows has no driver for Apple’s HFS+ file system, so a Windows program can’t even read the Mac partition. Apparently ignorant of these facts, McAfee says that the dual-boot and virtualization options will open Macs up to threats from the Windows side.

Having heard a lot of statements like this in recent weeks, I asked Schiller and Tribble whether there was any truth to the idea that running Mac OS X on an Intel chip opens up any new security threats. “We do not believe there is any truth to that statement,” Schiller said. “All you have to do is look at real world threats that Windows users suffer from, and you see that those have all to do with software features in Windows. They have to do with things in Internet Explorer or things in Outlook, and not things that have to do with the processor or the boot ROM.”

No one has yet blamed Intel, nor for that matter AMD, for any of the security troubles that have befallen Windows PCs. Microsoft, however, gets blamed quite often.

Boot Camp installs Windows on its own disk partition, and Windows software is utterly ignorant of and blind to the existence of the Mac partition. I asked them to envision any scenario whatsoever under which Windows-based malware could attack, infect or otherwise damage Mac software using Boot Camp as an attack vector. The only thing they could imagine – an unlikely worst-case scenario – was a Windows virus that erases the entire disk.

“If the Mac partition is on the same physical disk you could imagine a scenario in which a Windows virus erases the entire disk, but that is a pretty far-fetched example,” Tribble said.

Remember that the nastiest malware these days is created with a financial motive, and erasing the hard drive is a poor way to make money: the target computer has to keep working in order to keep yielding a payoff. A virus that wipes the whole disk is a pretty dumb idea, unless someone wants to hold the data on a particular machine hostage.

Second, creating a Windows virus that attacks the Mac via Boot Camp would take an awful lot of effort, Schiller said. You’d first have to write the malware to attack Windows, then include HFS+ drivers in the payload so the Windows side could see the Mac partition, and then formulate an attack on the Mac side. “Well then you have to ask, why not try to just write something to try and attack the Mac side? It doesn’t pass a logic test,” he said.

The best and most relevant section of the white paper comes at the end, and it covers vulnerabilities – not viruses or malware, but weak points in the Mac OS armor. It says that when Apple issued a patch for the Inqtana virus in March, it also corrected 20 vulnerabilities in OS X, any of which could have been used by digital troublemakers to take over a machine, either in person or remotely over a network, to launch a denial-of-service attack against other machines, and so on. “Clearly Mac OS X is far from invulnerable, and Mac users, like their Windows counterparts, must remain vigilant against new and evolving threats,” it says. Well, duh.
