“I have that virus that’s going around, you better stay back.”
“No, I’ll be fine.”
It was May 2006 and Apple, in the latest instalment of its PC vs Mac role-playing ads, was busy tearing strips off its rival. Cupertino was bragging about its security chops, citing how the hundreds of thousands of malware variants found that year affected its competitor’s customers, but not users of its iconic white computers.
Apple could not play that same ad today. Over the past few years, major vulnerabilities and exploits in Mac systems have been revealed, many making headlines in some of the world’s biggest mastheads.
There were some 1,800 Mac malware samples found in 2014, with the Flashback trojan the most likely to achieve nods of recognition from the man on the street. The 2012 menace infected some 600,000 Macs, including some 36,000 in Australia, and around 300 thought to be on Apple’s campus. It targeted a Java vulnerability on OS X, enslaving machines into its botnet, which limped along a year after a fix was released, with some 22,000 infected machines clocked early last year.
Apple’s security skin was further peeled in September 2014 when California-based security firm FireEye discovered attackers had written malware to exploit a previously unknown feature that helps hackers gain root privileges on all OS X machines. The highly dangerous vulnerability, considered a backdoor, was revealed in November, but it would be well into 2015 before Cupertino’s failed patch would finally be addressed.
Even then, an estimated 60 million Macs running versions older than Yosemite were deemed unworthy of a patch, leaving those systems exposed to Apple’s poor segregation choice.
Last November also saw the release of WireLurker, the biggest distribution of Mac malware yet seen. The attack used USB ports to smash non-jailbroken OS X and iOS devices in a similar way to Windows malware. The Palo Alto security researchers who discovered WireLurker suspect hundreds of thousands of users downloaded the malicious applications.
The Mac flak has continued in 2015. The second iteration of the ThunderStrike attack, brewed and thought to be confined to a New York lab, was detailed in August showing how Macs could be completely and permanently compromised without users knowing a thing. The jaw-dropping remote attack could infect any Apple accessory, turning the devices into portable vectors to infect more Macs. The most concerned owners were advised to throw out their computers until one could be acquired with disabled option ROMs.
This debrief of pain is vastly incomplete. It fails to account for the scores of dangerous vulnerabilities emerging for OS X, including two zero days found in August by a teenager that can completely compromise Mac computers. But it need not be complete; experts agree that these malware attacks are just the beginning of a monstrous malware machine slowly moving its crosshairs toward Cupertino.
Dash for cash
“At this point, and as a Mac user it pains me to acknowledge this, but I think Windows clearly has the upper hand in terms of security,” says Patrick Wardle, director of research at Hawaii-based security penetration testing firm Synack.
“I think the reason this [secure Mac] fallacy has perpetuated is that back in the day, Windows had a horrible track record in terms of security.”
In August, the former NSA security man gave a talk entitled ‘Writing Bad @$$ Malware for OS X’, at the hugely popular Black Hat conference in Las Vegas. The talk aimed to bust the Mac security bubble. He agrees that it is a matter of time – or specifically, profit – before the epic attacks of Windows fame hit Mac.
Lower Mac market share, as Wardle says, “[means] indiscriminate hackers are going to go after Windows”, but this is changing as Macs get ever more popular.
Apple now makes regular appearances among the world’s top five PC makers, still behind Lenovo, HP and Dell, but ahead of ASUS and Acer in IDC figures for the second quarter of 2015.
Apple’s smaller user base has been a perennial theme in any debate over Mac versus Windows security, and for good reason – attackers know there is a much better chance to catch a fish when you throw a line into a well-stocked pool.
The fallacy is long dead. For FireEye malware-reverse engineer James T. Bennett, the security claims are based on the volume of malware families or the numbers of infected Macs, both metrics that lose wind when the dominance of Windows is considered. “If you are spending time developing malware in order to make a profit, where are you going to focus your efforts?”
Apple’s 2006 ad may be defunct in 2015, but it still seems to represent the Mac user mentality. That bravado is dangerous, experts agree. San Francisco-based software company OPSWAT said in June that only half of Mac users have an antivirus program installed and only a third of those bother to turn it on.
Couple that bravado with the typical higher roles that Mac users tend to hold in organisations and it makes a fertile fishing pool indeed. “Those users are possibly more valuable targets given that Mac use in the enterprise is generally top end,” says Neal Wise, director of Melbourne security consultancy Assurance.com.au. “It’s often mainly technical people and managers who use Macs, meaning targets could be more interesting.”
Large organisations like Facebook, Google, and IBM are moving to Mac in full and hybrid Windows environments. This means more intellectual property will be kept on Macs by users with fatter bank accounts and platinum credit cards. “The bad guys go where the money is,” says Wade Alcorn, managing director of Sydney-based Alcorn Group. “When we see a critical mass of wealth accessible via Mac malware there will be more bad guys targeting those servers and applications.”
Meanwhile, IBM last year inked a deal with Apple to sell its iOS devices to customers, with IBM’s cloud management services sold over the top. Michael Sikorski, founder of the FireEye Labs Advanced Reverse Engineering team and former NSA staffer, says money-mad attackers are seeing more appeal in OS X.
“I do believe OS X is becoming a much more relevant target,” Sikorski says. “If we look at places money-driven attacks have taken place, these are mostly Windows based point-of-sale systems. We could see [Mac] becoming a more rich target for attackers in the future.”
Experts agree that the malware attacks reported so far do not reflect the likely real landscape. They say existing attacks indicate that hackers could probably hit most Mac targets they wanted to. Moreover, the statistics on malware instances come from what is often immature and scarcely adopted Mac security software, which means many attacks go undetected.
“I’m very concerned that we wouldn’t know if a big attack was happening, that if there was some kind of attack vector we would miss it,” Assurance’s Wise says. “Maybe it is already happening, maybe it’s already happened. Criminals follow the money, or follow the resources, and there is an opportunity here.”