As Apple continues to grow its worldwide market share and the company’s products find their way into more business environments, attackers are certain to follow and create greater volumes of exploits aimed at vulnerabilities in the company’s software, security experts contend.
According to industry analyst firm Gartner, Apple shipped just over 1 million Mac OS X-based computers during the fourth quarter of 2007, a gain of 227,000 over the fourth quarter of 2006. The analyst firm reported that Apple’s U.S. market share for 2007 jumped by 28 percent compared to 2006, rising to just over 6 percent.
And with Apple CEO Steve Jobs stating at last week’s Macworld Expo and Conference that the company has already sold 4 million iPhones and 5 million copies of Leopard (Mac OS X 10.5), its latest OS, since launching the products last year, the company’s prospects look stronger than ever. However, malware researchers and industry analysts warn that as the sheer number of Apple end-point devices in use worldwide rise, so will the security concerns tied to the company’s products.
“It’s hard to get around market share. At the end of the day, malware writers don’t care what operating system you are using; it’s about whether or not you have valuable information on your machine and whether there is an opportunity to take advantage of it,” said David Marcus, security research manager for McAfee’s Avert Labs group.
“Microsoft Windows has been targeted so aggressively because it has a much broader deployment than the Mac OS,” he said. “But the malware authors watch trends just like everyone else, and they know more people are considering a move to Apple, including government institutions and businesses; if it makes financial sense to go after that opportunity at some point, they will move in that direction.”
The Mac’s vulnerabilitiesIn some cases, attackers will seek to exploit vulnerabilities such as currently unpatched flaws in Apple’s QuickTime multimedia player application. In other cases, malware writers will use threats based more on social engineering, such as with the MacSweeper rogue cleanup tool that appeared during Macworld Expo, the researcher said. MacSweeper serves as evidence that developers — both credible and not — have already begin to turn more of their attention to Apple platforms, anticipating Mac users’ security fears, Marcus said. Although MacSweeper is pitched by its creators as a utility for cleaning malware programs and other unwanted software off of Mac OS computers, it has proven to do almost nothing of the sort, despite its $40 asking price. David Maynor, chief technology officer of research and consulting firm Errata Security, said that one area where attackers may seek to assail the Mac OS is via flaws found in some of the older open source libraries of software code used in the platform.
Apple also typically lags in patching issues found in those code libraries, such as with the Samba networking protocol used in the company’s Mac OS X.
Even when the Samba open source community has created a fix for a known security issue, it often takes Apple three to four months to introduce a related patch for its products, giving any attackers looking to subvert Mac systems a lengthy window of opportunity to do so, Maynor maintained.
“If someone has a list of these open source security issues in the projects included in Mac OS, they could use that against OS X users,” said Maynor. “Samba is a perfect example, as there is generally a large window there.”
A rise in underground malware activityMaynor said that he observed an increase in Apple-related activity in the underground malware research community last year around several previous QuickTime vulnerabilities.
“It’s not that the number of Mac vulnerabilities is rising. If you look at their own security archives, you’ll see that there were always a lot that were reported, but no one cared in the past,” Maynor said. “One of the problems is that a lot of users buy into the misconception that Mac OS is more secure because of Apple’s development process, but that’s not really the case. Some people also feel that they are protected by Apple’s smaller market share, but with more of these computers out there, more attention is being paid to it.”
According to officials with Lumension, a software vendor that specializes in vulnerability scanning and patching, Mac OS has actually had far more security flaws reported in the last year than Microsoft Windows. Don Leatham, director of solutions and strategy at Lumension, formerly known as PatchLink, said that Mac OS X had nearly five times as many vulnerabilities reported than Windows during 2007. He noted, however, that many of those issues were considered minor, and that the Microsoft Windows security problems were notably more critical.
But Leatham agreed that publicly reported holes in Mac OS products tend to stay unaddressed longer than their Windows counterparts. “It’s not always about the sheer number of exploits anyways; it’s more about the speed at which real exploits are being created. That’s what people will need to be worried about going forward,” Leatham said. “If you get to the point where you have professional malware development kits being sold on the underground, as we have today for Windows, that’s when there could be real problems for Mac. But we haven’t seen any of those just yet.”
Leatham added that, as with other mobile devices, Apple’s iPhone has yet to see any truly dangerous malware attacks. However, when Apple releases its mobile applications development toolkit for the handhelds in February, he said it will be interesting to see if anyone tries to take advantage of the package to aim new threats at the phones.
“It would obviously still be a bigger deal if someone created a successful attack that targeted the Research in Motion BlackBerry platform, because those are the devices of choice in most businesses, but with 4 million devices sold by Apple, some of these handhelds are already finding their way into the enterprise,” said Leatham. “iPhone has been considered very safe thus far because of Apple’s rigorous applications white-listing approach, but we’ll be curious to see the security features open to developers in the new toolkit and whether it will attract the interest of any malware writers.”
Short-term safety, longer-term concernFor now, Apple users likely have little to worry about, the industry watchers agreed. Even with Apple’s dramatic market share gains, the majority of its computers are being purchased by consumers, and malware professionals are more concerned with trying to exploit Windows vulnerabilities to steal valuable data from business users, experts contend.
“We’re nowhere near a tipping point where, from an economic standpoint, it will be a better strategy for attackers to target Macs vs. PCs,” said Andrew Jaquith, an analyst with the Yankee Group. “People who write malware for a living are professionals, they want to get the best return on investment from their work, and there are still much higher returns to be found in the Windows space.
“We will probably see some opportunistic things being developed on the Mac side as the market share numbers increase, but it’s still nowhere near the epidemic we’ve experienced with Windows,” Jaquith said. “Mac is still a safer platform, although not necessarily a more secure one.”