
March 08, 2006

The State of Macintosh Security

Before last month, Macs were indisputably the safest computers to own and use. Note that I am not arguing that they were inherently the most secure; I am saying they were the safest to use: there were no known Mac viruses. Before last month, the last Mac virus was written sometime in the early nineties. The only things Macs could be infected with were M$ Office macro bugs. Mac infections were so rare that it was the official policy of Chesapeake Systems, Inc., the Apple reseller I work for in Baltimore, to disable or remove any antivirus software installed on a Mac a client brought in for repair. The "protection" these programs provided was simply not worth the ridiculous slowdowns they caused. The antivirus makers like Symantec and Virex extorted money from Mac users who naively believed that viruses were as much of a problem on Macs as on PCs.

And then, on February 15, 2006, an anonymous poster uploaded a file called "latestpics.tgz" to the MacRumors.com forums...

...and all hell broke loose. The poster claimed that the file contained top-secret screenshots of Leopard (aka Mac OS X 10.5), Apple's next operating system. This was not the case. Other forum readers had downloaded the file and decompressed it, and were experiencing strange behavior.

Within hours the file was sent by arn, the guy who runs MacRumors, to Andrew Welch, the founder and president of Ambrosia Software (an awesome Mac software company whose games I've written editors for). Andrew immediately began disassembling the file, and passed it along to two of his employees for more in-depth analysis. By that night, Andrew had posted a highly detailed analysis of the file's exact behavior and effects. They had completed their disassembly and knew the function calls it made so well that they pinpointed a fatal bug in the code that effectively prevented it from accomplishing its intended actions. The "virus" (actually a non-virulent trojan) was named Oompa-Loompa (or OSX/Oomp-A) because of weird character strings present in its hex dump. And the entire thing was declared a non-event. You simply could not be infected by this file without manually decompressing and executing it. It exploited zero flaws in Mac OS X. It spread only through social engineering.
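The trojan above depended entirely on someone decompressing an archive that claimed to hold screenshots and then running what was inside. A defender-side triage step that catches that pattern before extraction is shown below. This is an added example, not code from the post or from Ambrosia's analysis: it lists the entries of a gzipped tarball and flags any regular file that either starts with a Mach-O magic number or has an executable bit set under an image-looking name. The archive contents, file names and magic bytes it builds are constructed for illustration and are not taken from the real latestpics.tgz.

```python
import io
import tarfile

# Mach-O magic numbers (native Mac OS X executables), both byte orders:
# 0xFEEDFACE / 0xFEEDFACF for thin 32/64-bit binaries, 0xCAFEBABE for
# fat/universal binaries (0xCAFEBABE is also the Java class-file magic,
# which is an acceptable false positive for a "pictures" archive).
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe",
}
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".tif", ".tiff")


def inspect_archive(data: bytes) -> list[str]:
    """Return one warning string per suspicious entry in a gzipped tarball.

    Nothing is extracted to disk; only the first four bytes of each regular
    file are read so the archive can be judged before anyone runs it.
    """
    warnings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar:
            if not member.isfile():
                continue
            handle = tar.extractfile(member)
            head = handle.read(4) if handle else b""
            has_exec_bit = bool(member.mode & 0o111)
            looks_like_image = member.name.lower().endswith(IMAGE_EXTS)
            if head in MACHO_MAGICS:
                # A native executable, whatever it is called.
                warnings.append(f"{member.name}: Mach-O executable")
            elif has_exec_bit and looks_like_image:
                # Real pictures do not need +x; this is a classic disguise.
                warnings.append(f"{member.name}: image name but executable bit set")
    return warnings


def _add_entry(tar: tarfile.TarFile, name: str, content: bytes, mode: int) -> None:
    """Add an in-memory file to the tarball with an explicit permission mode."""
    info = tarfile.TarInfo(name)
    info.size = len(content)
    info.mode = mode
    tar.addfile(info, io.BytesIO(content))


def build_sample_archive() -> bytes:
    """Constructed sample archive (not the real file): one genuine-looking
    JPEG, one Mach-O binary, and one PNG carrying a needless executable bit."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        _add_entry(tar, "latestpics/desktop.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32, 0o644)
        _add_entry(tar, "latestpics/latestpics", b"\xfe\xed\xfa\xce" + b"\x00" * 32, 0o755)
        _add_entry(tar, "latestpics/shot2.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16, 0o755)
    return buf.getvalue()


if __name__ == "__main__":
    for line in inspect_archive(build_sample_archive()):
        print("WARNING:", line)
```

Run against a real download, read the file's bytes and pass them to `inspect_archive`; an empty list means nothing in the archive is executable or disguised as a picture, which is the only condition under which a "screenshots" tarball should be opened at all.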

By the next day, however, news of the "virus" had saturated the Internet. Sensationalized reports began appearing on tech news sites and articles ran in many of the nation's print newspapers. And what they all conveniently failed to mention was that this was not really a virus. And that you could not really be infected by it.

The story blew over in about a week, but not without inciting completely unnecessary fear in the minds of tech neophytes and casual users. The antivirus companies, sensing a unique opportunity to exploit for market-share gain, issued updated definitions (and press releases to this effect!) to "block" the "virus".

The media made it seem that this was the beginning of the end for Mac security, when in fact *nothing had changed*.

And then, the next week, a security company posted a proof of concept virus that it claimed exploited a hole in Mac OS X. Once again, the media worked itself into a frenzy, pointing out that this was the second virus in as many weeks to affect the Mac platform. But they didn't mention that more than two PC viruses come out every day. What they also didn't make clear: this was a *proof of concept*. Nobody was actually infected! The security hole they made public was closed by Apple within days. Nothing actually happened!

And then this past week, just when we thought everything had calmed down, a quintessentially moronic user revealed that he ran a "hack my Mac" competition and that his machine had been compromised in less than 30 minutes. And to the average computer user, this sounds terrifying...

But what the average user does not understand is that he contacted the hackers, told them about the competition, and provided them LOCAL SSH ACCOUNTS ON THE MACHINE. In other words, he explicitly provided them with (yes, unprivileged) command-line access to the computer.

Yes, the winning hacker is highly skilled and exploited an unknown (and still extant) hole in Mac OS X 10.4.4/5. So yes, there is something to worry about. BUT IT FIRST REQUIRES LOCAL COMMAND LINE ACCESS. In other words, the attack depends on a feature that is turned off by default: it is only possible if you turn remote login on explicitly and then provide the hacker with a working username and password on your computer. In other words, there is nothing to worry about.

So, in summary, in the last month, the Mac platform has been compromised by:
1. An amateur attempt at a virus that exploits no vulnerabilities and has fatal flaws in its code. (People infected: < 50)
2. A security company that needlessly posted a proof of concept virus that did nothing but inspire fear. (People infected: 0)
3. And an idiot who let his computer be hacked. (People infected: 1, him)

In other words, nothing has changed in the state of Mac security. Yes, as we move forward and the platform gains in popularity, we will have to be vigilant, but as of right now, nothing has changed.

And when something does change, we have Mac users, one of the greatest, most supportive communities there is, and people like arn and Andrew, to discover the truth.

And reassure us that the light is still there.

:: Jeff

Posted by JeffSeibert at March 8, 2006 11:06 PM
