[LINK] Musings on Mac Malware
Kim Holburn
kim at holburn.net
Sat May 5 12:42:20 AEST 2012
http://blogs.oucs.ox.ac.uk/oxcert/2012/04/25/musings-on-mac-malware/
> Over the past couple of weeks, OxCERT have been somewhat overwhelmed by Mac malware. This isn’t quite the first time we’ve dealt with problems on Macs – we’ve seen several compromised over the years through weak or exposed ssh credentials, and others infected as a result of installing pirated software. But with Flashback, the game has changed forever. We are seeing huge numbers of attacks of the sort that Windows users have had to contend with for years. Apple users, and indeed Apple themselves, just have not been ready. We are dealing with what is probably the biggest outbreak since Blaster struck the Windows world all the way back in the summer of 2003. That time OxCERT dealt with around 1000 incidents; we have seen several hundred Flashback incidents and they keep on coming.
>
> What is Flashback?
>
> Flashback is not in fact that new, it has been around in various forms since September 2011. Like much malware, multiple variants exist, as the attacks evolve to exploit new vulnerabilities, avoid detection and adapt to new purposes. Early versions required user interaction in order to execute, but in recent weeks the malware has been exploiting a vulnerability in Java, allowing for “drive-by” exploits where all a user has to do is to visit a webpage hosting malicious content (perhaps via a third-party advertisement).
This article is interesting but somewhat over the top, given that the "Blaster" they talk about was at the time one in tens of thousands of exploits and Microsoft did nothing serious for years about malware.
The next article is a cause for concern though:
http://blogs.oucs.ox.ac.uk/oxcert/2012/04/25/apple-security-support/
> Apple and security support
>
> Posted on April 25, 2012 by Robin Stevens
> In a companion article I discuss Mac malware, and how this has recently become much more of a problem than has previously been the case. As well as Apple’s apparently slow response to a recent vulnerability, and general air of secrecy, one of the problems that the attacks have highlighted is Apple’s product support lifecycles, which are much shorter than in the Windows world. Many users are unaware of the issues and will not realise that their systems may be insecure as a result.
> Let’s look first at software. To the best of our knowledge, Apple do not officially state their software support policy anywhere, but from what we can gather, only support the two most recent versions of OS X. Currently that is 10.6 (Snow Leopard) and 10.7 (Lion). 10.6 released in August 2009, which means that any Mac purchased prior to that date and not subsequently upgraded will be running a version which receives no security support. That’s for a system purchased under three years ago. Granted, users can upgrade – but at a cost. Users don’t like being told that they have to spend money. Moreover, 10.8 is due out sometime this summer – based on past experience, we can expect 10.6 systems to lose security support once that happens.
> Compare that to the situation in the Windows world. Windows XP was released in summer 2001, and will receive security support until April 2014 – twelve and a half years since it released, over seven since it ceased to be the “current” Windows version, and even for those who refused to touch Vista, nearly five years after the release of Windows 7. During that time functionality has been improved considerably by the release of three service packs, available at no charge. Windows Vista and 7 are both scheduled to get over ten years of security support. With around two years between OS X releases, Apple have been struggling to reach four years, and unless their support policy changes as they move to an iOS-style annual release cycle, that could come down to two years.
> Now, granted, users can upgrade to a newer OS X release than their system came with. Plenty of users are unlikely to bother unless forced – their system seems perfectly adequate, why spend money and risk breaking it? One college has reported almost 50 systems known to their student registration system running OS X 10.5 or earlier.
>
> Hardware support
>
> But there comes a point at which a system can be upgraded no further. With Apple hardware, that can happen surprisingly rapidly. 10.6 does not support PowerPC-based hardware (last sold new during 2006); 10.7 does not support 32-bit Intel systems – most were superseded in late 2006, but in the case of the Mac Mini, not until August 2007. 10.8 is expected to release this summer and will drop support for even more recent systems, including any MacBook made before late 2008, although 10.7 should continue to be supported.
>
> Thus in little over five years, it’s not just that the latest version of OS X may not run on your hardware, but that no currently-supported version of OS X will. If you want security support, buy a new system. Or change operating system. For old PowerPC systems, that limits you to certain distributions of open-source operating systems (e.g. OpenBSD or Debian GNU/Linux) – in all reality probably not something the average user is willing to consider. If 10.6 loses security support this summer, the best option for owners of early Intel Macs will most likely be to install Windows, heretical as it may sound to many Mac users. Vista’s probably good until 2017, and if the hardware’s up to Windows 7, they’ve got until 2020.
>
> Five years is not a long time to retain a computer, especially in these cash-strapped times. In many departments, it will be their typical hardware replacement cycle, while others don’t even have one. Privately-owned systems may well remain in use until the hardware gives up. For the environmentally-conscious, throwing away perfectly functional machines is hugely wasteful (Apple have made considerable efforts to improve their green credentials in recent years), and the secondhand market relies on people not knowing or caring about the lack of security support, or being willing to run alternate operating systems.
>
> In the PC world, many machines made last century can still make a decent stab at running Windows XP. It would be good to see Apple commit to their hardware being able to run a supported operating system for longer, with a minimum perhaps in the range seven to ten years. The supported operating system needn’t be what the machine shipped with for all that time, nor the current version, nor need all the whizzy new features of newer versions be available (just as Windows Vista would run better on old machines with Aero disabled). The important thing is that the hardware is still fit for use rather than the scrapheap.
>
> The cost
>
> Now, improving support lifetimes is going to cost money, and may deter a few customers from upgrading to newer Apple systems. But equally, customers are going to be less keen to stick with Apple if they learn that Apple are not looking after them. Apple may not have much of a place in the enterprise market, but they do in the educational market, and people like us exist to ensure that people do care about security. And let’s face it, these days Apple are most definitely not short of cash.
>
> Now, please don’t get me wrong: there is much about Apple that I like, and I use Apple products daily. I appreciate that Apple are also out there to make money. But they have been complacent in terms of their attitude to security and support, especially when compared to their chief competitor. Microsoft have learned a huge amount from past mistakes, support their products for many years, and these days I feel do an excellent job. By comparison, Apple appear to be making minimal effort, and are putting their customers at risk as a result.
>
> So in summary, I’d like to see from Apple the following:
>
> • Timely security updates
> • Greater openness regarding security issues
> • Minimum hardware and software support lifetimes stated clearly up-front
> • Longer operating system security support lifetimes: at least five years
> • Hardware that runs a supported operating system version for longer: minimum of seven years perhaps?
> Whether anything will change any time soon remains to be seen, but as the threats towards Macs increase, surely Apple cannot afford to stand still.
--
Kim Holburn
IT Network & Security Consultant
T: +61 2 61402408 M: +61 404072753
mailto:kim at holburn.net aim://kimholburn
skype://kholburn - PGP Public Key on request