A Rocky Road Ahead for Apple On Security

Computer security experts have been forecasting the arrival of malicious programs that target Apple’s products for so long that they had begun to sound like the kind of Rapturistas and Mayan Calendar sleuths that we all (smartly) ignore. But if May didn’t bring Harold Camping’s Judgement Day, as predicted
(Update: its now October 21st, y’all!), it did prove those Apple
doomsayers correct as real Mac-focused crimeware and rogue antivirus
appeared in the wild.

Apple securityComputer security experts have been forecasting the arrival of malicious programs that target Apple’s products for so long that they had begun to sound like the kind of Rapturistas and Mayan Calendar sleuths that we all (smartly) ignore. But if May didn’t bring Harold Camping’s Judgement Day, as predicted
(Update: its now October 21st, y’all!), it did prove those Apple
doomsayers correct as real Mac-focused crimeware and rogue antivirus
appeared in the wild.

The latest Mac malware outbreaks, though miniscule when measured against the volume of Windows malware, may prove to be portentous for the Cupertino based Apple – now the world’s most valuable technology firm. And, if Apple’s response is any guide, the company has a long and rocky road ahead of it as it struggles to deal with an increasing number of malicious threats targeting its products.

The evidence that Mac malware is coming of age was everywhere this month. In early May, my colleague Dennis Fisher reported on a crimeware kit targeting systems running Apple’s Mac OS X had been found in the wild by the Danish security firm CSIS Security Group. That kit, sold under the name Weyland-Yutani BOT, appeared to be similar to the Zeus crimeware kit and could be used to carry out drive by download attacks against Mac OSX users surfing with the Firefox, Chrome and Safari Web browsers.

At about the same time, MAC enthusiast sites like MacRumors and organizations like the SANS Internet Storm Center began reporting on a new strain of malware dubbed “MACDefender” that was making the rounds. The malware, an example of fake antivirus software, was being pushed through Google Image Search and compromised Web sites. Users with Mac features like “Open Safe Files After Download” enabled found themselves infected. Soon, that malware was linked to search engine optimized Web pages with hot terms like “Osama bin Laden’s death.” and there was evidence that its creators were refining the malware to make it possible to compromise Mac systems without user interaction.

By mid month, word began filtering in that users were feeling the pain. Specifically, ZDNet writer Ed Bott scored an exclusive interview with an (anonymous) Apple Support engineer who claimed that the malware problem was escalating, but that Mac was discouraging support representatives from offering assistance to customers. By the end of the month, Apple promised an update to OS X that would automatically find and remove the MacDefender malware, only to find that the malware authors were updating their creation in ways that would sidestep detection.

This kind of Spy vs. Spy game play has been common in the Windows world for almost a decade. But its a new phenomenon for Apple and a new reality for legions of MAC acolytes whose allegiance to the company and its products has been likened more to a religion than a market-based consumer preference.

Unfortunately, Apple’s response to the MacDefender outbreak, as well as its response to other security issues with its products suggests the company is ill-prepared to deal with an onslaught of malicious programs targeting Mac and iOS devices. Secretive, suspicious and used to getting its way with the public and business partners, Apple has shown itself to be slow to address security issues with its products, dismissive when confronted with questions about the security or integrity of its products and loath to take responsibility for flaws and mistakes when they are identified. 

For those readers who have hung around the security and vulnerability research fields for a while, all that sounds strangely familiar: it’s Microsoft circa 2000, just as worms like Code Red, Nimda and Slammer would knock the company off its perch and force it to address security head on and wipe away the opaque and inwardly-focused engineering culture that often left customers and the public fuming over the poor handling of security incidents and malware outbreaks.

However, as both platform and software vendor, Apple is doubly exposed to security issues, with few partners to take the fall. The company has enjoyed more than a decade of peace as it watched its chief rival Microsoft buffeted by software flaws and malware outbreaks. The relative lack of threats that affected Macs even became part of the company’s advertising pitch to disgruntled Windows users. But it was clear to most security experts who cared to look under the covers that Apple’s MAC and iOS had little to offer over Windows when it came to security. In fact, experts like Charlie Miller used contests like the annual Pwn2Own hacker challenge to lay the insecurity of Apple products in plain sight. Miller has been saying for a while now that Windows and Apple’s OS X are, more or less, comparable in terms of their security features and that, in fact, Windows may even be superior to OS X in some respects.

Where does that leave Apple and Apple customers, then? Not in a good place. After claiming, for years, that its products did not require antivirus software, Apple finally bowed to reality and baked a basic virus scanning and removal engine, dubbed XProtect, in 2009.  As Kaspersky Lab researcher Aleks Gostev pointed out at the time: XProtect was a fairly simple engine that scanned files downloaded via the Web as well as Mail and iChat. Apple started with a list of five signatures for two Mac-focused Trojan programs. That list has since been updated, including new signatures for variants of the Mac Defender rogue AV. But the company has found itself on the wrong side of the speed and agility equation – essentially needing to push out daily dictionary updates to account for new malware variants. A recent analysis of the latest MacDefender variant update by Johannes Ullrich at the SANS Internet Storm Center supports this.  

At the time that XProtect was first released, Gostev suggested that it fell well short of a security product and was more akin to Microsoft’s Removal Tool for Windows. Almost two years later, not much has changed, said Gostev. And, while Apple is showing signs of a cultural thawing on the issue of security – inviting security experts to vet the OS X 10.7 (Lion) release, for example, Cupertino has a long way to go before it can claim to have the pieces in place to deal with security head on – a fully staffed virus research lab and customer support for malware and security experts, as well as global monitoring capability to detect new outbreaks.

Looking back, of course, Apple’s claims to superior security were always more marketing hype than reality. The company did, of course, build security features into its operating system, but they were never the reason that attackers avoided Mac. The only real security the company had was the security of obscurity. With just a sliver of the desktop operating system market, criminals found it more profitable to fish where the fish were – on Windows. That’s rapidly changing. No, we won’t see a tidal wave of Mac malware. OS X still enjoys just a 7% to 9% market share in the PC space – but that share is growing, even as the overall PC market shrinks. Add the lure of millions of iPads, iPhones and future devices running the company’s iOS, and the number of bad guys looking under the covers at Apple’s applications and operating systems is sure to grow in the coming years. Time will tell if Apple, like Microsoft, finally faces up to reality and begins to make the investments and undertake the cultural and organizational changes it will need to in order to build a security function. Or, like the PC Guy in its commercials, cling doggedly to an image and story line that ring false.

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.