[LINK] Musings on Mac Malware

Roger Clarke Roger.Clarke at xamax.com.au
Sat May 5 13:51:53 AEST 2012


I'm on OSX 10.4.11 - the terminal PowerPC version, on a Power Mac G5, 
CPU PowerPC 970  (2.2), 1.6 GHz.  (Yes, the device has been scheduled 
for retirement to the second office for a couple of years now).

I'll be moving to a dual-OS environment, details yet to be decided, 
but basically as much Linux as I can manage, using OSX as little as 
practicable but having it there in case some transitions to Linux are 
tough work.

The reasons I'll be leaving Apple after almost 30 years are partly 
the low priority given to Mac customers generally, of which the 
security concerns in those posts are a good example, and partly the 
rapid migration away from Unix-with-a-better-skin, in the direction 
of customer-owning iOS.

(Unfortunately, Open Office appears not to support the 
straightforward web-publishing method I've used for many years - 
which depends on a template with styles and hidden php header and 
footer calls.  Apart from that, I'm hoping the transition away from 
OSX will be swift).

________________________________________________________________________


At 12:42 +1000 5/5/12, Kim Holburn wrote:
>http://blogs.oucs.ox.ac.uk/oxcert/2012/04/25/musings-on-mac-malware/
>
>>  Over the past couple of weeks, OxCERT have been somewhat 
>>overwhelmed by Mac malware. This isn't quite the first time we've 
>>dealt with problems on Macs - we've seen several compromised over 
>>the years through weak or exposed ssh credentials, and others 
>>infected as a result of installing pirated software. But with 
>>Flashback, the game has changed forever. We are seeing huge numbers 
>>of attacks of the sort that Windows users have had to contend with 
>>for years. Apple users, and indeed Apple themselves, just have not 
>>been ready. We are dealing with what is probably the biggest 
>>outbreak since Blaster struck the Windows world all the way back in 
>>the summer of 2003. That time OxCERT dealt with around 1000 
>>incidents; we have seen several hundred Flashback incidents and 
>>they keep on coming.
>>  What is Flashback?
>>
>>  Flashback is not in fact that new, it has been around in various 
>>forms since September 2011. Like much malware, multiple variants 
>>exist, as the attacks evolve to exploit new vulnerabilities, avoid 
>>detection and adapt to new purposes. Early versions required user 
>>interaction in order to execute, but in recent weeks the malware 
>>has been exploiting a vulnerability in Java, allowing for 
>>"drive-by" exploits where all a user has to do is to visit a 
>>webpage hosting malicious content (perhaps via a third-party 
>>advertisement).
>
>
>This article is interesting but somewhat over the top, given that the 
>"Blaster" they talk about was at the time one in tens of thousands 
>of exploits and Microsoft did nothing serious for years about 
>malware.
>
>The next article is a cause for concern though:
>
>http://blogs.oucs.ox.ac.uk/oxcert/2012/04/25/apple-security-support/
>
>>  Apple and security support
>>
>>  Posted on April 25, 2012 by Robin Stevens
>>  In a companion article I discuss Mac malware, and how this has 
>>recently become much more of a problem than has previously been the 
>>case. As well as Apple's apparently slow response to a recent 
>>vulnerability, and general air of secrecy, one of the problems that 
>>the attacks have highlighted is Apple's product support lifecycles, 
>>which are much shorter than in the Windows world. Many users are 
>>unaware of the issues and will not realise that their systems may 
>>be insecure as a result.
>
>>  Let's look first at software. To the best of our knowledge, Apple 
>>do not officially state their software support policy anywhere, but 
>>from what we can gather, only support the two most recent versions 
>>of OS X. Currently that is 10.6 (Snow Leopard) and 10.7 (Lion). 
>>10.6 released in August 2009, which means that any Mac purchased 
>>prior to that date and not subsequently upgraded will be running a 
>>version which receives no security support. That's for a system 
>>purchased under three years ago. Granted, users can upgrade - but 
>>at a cost. Users don't like being told that they have to spend 
>>money. Moreover, 10.8 is due out sometime this summer - based on 
>>past experience, we can expect 10.6 systems to lose security 
>>support once that happens.
>
>>  Compare that to the situation in the Windows world. Windows XP was 
>>released in summer 2001, and will receive security support until 
>>April 2014 - twelve and a half years since it released, over seven 
>>since it ceased to be the "current" Windows version, and even for 
>>those who refused to touch Vista, nearly five years after the 
>>release of Windows 7. During that time functionality has been 
>>improved considerably by the release of three service packs, 
>>available at no charge. Windows Vista and 7 are both scheduled to 
>>get over ten years of security support. With around two years 
>>between OS X releases, Apple have been struggling to reach four 
>>years, and unless their support policy changes as they move to an 
>>iOS-style annual release cycle, that could come down to two years.
>
>>  Now, granted, users can upgrade to a newer OS X release than their 
>>system came with. Plenty of users are unlikely to bother unless 
>>forced - their system seems perfectly adequate, why spend money and 
>>risk breaking it? One college has reported almost 50 systems known 
>>to their student registration system running OS X 10.5 or earlier.
>>
>>  Hardware support
>>
>>  But there comes a point at which a system can be upgraded no 
>>further. With Apple hardware, that can happen surprisingly rapidly. 
>>10.6 does not support PowerPC-based hardware (last sold new during 
>>2006); 10.7 does not support 32-bit Intel systems - most were 
>>superseded in late 2006, but in the case of the Mac Mini, not until 
>>August 2007. 10.8 is expected to release this summer and will drop 
>>support for even more recent systems, including any MacBook made 
>>before late 2008, although 10.7 should continue to be supported.
>>
>>  Thus in little over five years, it's not just that the latest 
>>version of OS X may not run on your hardware, but that no 
>>currently-supported version of OS X will. If you want security 
>>support, buy a new system. Or change operating system. For old 
>>PowerPC systems, that limits you to certain distributions of 
>>open-source operating systems (e.g. OpenBSD or Debian GNU/Linux) - 
>>in all reality probably not something the average user is willing 
>>to consider. If 10.6 loses security support this summer, the best 
>>option for owners of early Intel Macs will most likely be to 
>>install Windows, heretical as it may sound to many Mac users. 
>>Vista's probably good until 2017, and if the hardware's up to 
>>Windows 7, they've got until 2020.
>>
>>  Five years is not a long time to retain a computer, especially in 
>>these cash-strapped times. In many departments, it will be their 
>>typical hardware replacement cycle, while others don't even have 
>>one. Privately-owned systems may well remain in use until the 
>>hardware gives up. For the environmentally-conscious, throwing away 
>>perfectly functional machines is hugely wasteful (Apple have made 
>>considerable efforts to improve their green credentials in recent 
>>years), and the secondhand market relies on people not knowing or 
>>caring about the lack of security support, or being willing to run 
>>alternate operating systems.
>>
>>  In the PC world, many machines made last century can still make a 
>>decent stab at running Windows XP. It would be good to see Apple 
>>commit to their hardware being able to run a supported operating 
>>system for longer, with a minimum perhaps in the range seven to ten 
>>years. The supported operating system needn't be what the machine 
>>shipped with for all that time, nor the current version, nor need 
>>all the whizzy new features of newer versions be available (just as 
>>Windows Vista would run better on old machines with Aero disabled). 
>>The important thing is that the hardware is still fit for use 
>>rather than the scrapheap.
>
>>  The cost
>>
>>  Now, improving support lifetimes is going to cost money, and may 
>>deter a few customers from upgrading to newer Apple systems. But 
>>equally, customers are going to be less keen to stick with Apple if 
>>they learn that Apple are not looking after them. Apple may not 
>>have much of a place in the enterprise market, but they do in the 
>>educational market, and people like us exist to ensure that people 
>>do care about security. And let's face it, these days Apple are 
>>most definitely not short of cash.
>>
>>  Now, please don't get me wrong: there is much about Apple that I 
>>like, and I use Apple products daily. I appreciate that Apple are 
>>also out there to make money. But they have been complacent in 
>>terms of their attitude to security and support, especially when 
>>compared to their chief competitor. Microsoft have learned a huge 
>>amount from past mistakes, support their products for many years, 
>>and these days I feel do an excellent job. By comparison, Apple 
>>appear to be making minimal effort, and are putting their customers 
>>at risk as a result.
>>
>>  So in summary, I'd like to see from Apple the following:
>>
>>	* Timely security updates
>>	* Greater openness regarding security issues
>>	* Minimum hardware and software support lifetimes stated 
>>clearly up-front
>>	* Longer operating system security support lifetimes: at 
>>least five years
>>	* Hardware that runs a supported operating system version for 
>>longer: minimum of seven years perhaps?
>>  Whether anything will change any time soon remains to be seen, but 
>>as the threats towards Macs increase, surely Apple cannot afford to 
>>stand still.
>
>
>
>
>
>--
>Kim Holburn
>IT Network & Security Consultant
>T: +61 2 61402408  M: +61 404072753
>mailto:kim at holburn.net  aim://kimholburn
>skype://kholburn - PGP Public Key on request
>
>
>
>
>_______________________________________________
>Link mailing list
>Link at mailman.anu.edu.au
>http://mailman.anu.edu.au/mailman/listinfo/link

-- 
Roger Clarke                                 http://www.rogerclarke.com/
			            
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in the Faculty of Law               University of NSW
Visiting Professor in Computer Science    Australian National University
