How Long Can You Fly Under the Malware Radar?

By Larry Seltzer  |  Posted 2005-05-09 Print this article Print

Opinion: It's a form of "security through obscurity"—avoiding security problems by using an obscure platform. How long can it work?

The last few days have been embarrassing ones for Windows alternatives. Apple released a series of vulnerability disclosures and updates rivaling any put out by Microsoft and the Mozilla Group had to contend with a leaked "highly critical" vulnerability disclosure. The mainstream press, not just the trade press, has been advising users to move to Firefox and the Mac in order to avoid the security problems that plague Windows users, and that may be good advice—for now. But a careful look at the last six months or so indicates that in terms of actual security problems theres not much of a difference between the platforms. Windows is a bigger target primarily because of its installed base. So, the question becomes: How long can you get away with it? How long can you run on a Mac, or use Firefox on Windows, and expect to avoid security problems? Put another way, when will the authors of malware decide its time to start targeting Mac and Firefox users?
Even the short answers are complicated: I think it will be a long time before we start seeing Mac viruses in any meaningful numbers. The Mac would have to be far, far more popular than it is now for malware authors to have sufficient confidence that they could get attacks to spread and achieve the endemic status of Bagle, Netsky and the other luminaries of the Windows malware world.
No matter how bad a vulnerability gets on the Mac, its still an unsatisfying target for a malware author. Read more here about security issues in Apples new operating system, Tiger. With Firefox I can imagine attacks being attempted, such as Firefox-specific spyware and adware. There is no shortage of critical vulnerabilities affecting earlier versions of the browser, and undoubtedly many users have not kept up with the latest version. With version 1.0.4 just around the corner its easy to imagine some users getting tired of all the updates, especially if they installed it after reading advice in the local newspaper, as opposed to getting help from their techie nephews. Its also easy to imagine many people using both Internet Explorer and Firefox, as I do, since its free and easy to get. Finally, its also easy to imagine many Firefox users being careless about things like virus protection and casual surfing and link clicking. So I do expect some kind of security problem to hit Firefox users, not just a vulnerability disclosure like we have now, but an actual exploit being used for malicious purposes. The early ones will attract attention and probably not cause much damage, but why, for example, should adware vendors who utilize IE vulnerabilities not add "support" for Firefox vulnerabilities? Click here to read about how Firefox handles pop-ups. The barriers to entry for Mac malware are much higher, both in terms of writing it and getting it to spread. This isnt because the Mac operating system is more secure, but because there are so many fewer Macs, and fewer qualified developers. Let us presume that malware writers are, like most PC programmers, familiar with Windows programming but unfamiliar with Mac programming. They would need to acquire Macs to develop on, and then they would need Mac development tools, expertise in writing for the platform, and time to write the malware. Very little, if any, of the code they wrote for Windows attacks will be portable to the Mac. Spreading a Mac attack is even harder. Few enough of the thousands of Windows attacks every year spread, and they have no trouble finding large numbers of compatible systems. The only hope Mac attacks have going for them is that many Mac users run without security software because its "unnecessary." Adware for Firefox or a similar problem seems inevitable to me, and it will help, in a way, to put browser security in perspective. It will be a shame when Firefox users have to suffer the same fears as IE users (those who arent blissfully ignorant of the problems), but maybe it will lead to solutions that address the problem, rather than just avoiding it. Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel