What Will Apple Do When the Malware Comes?

By Larry Seltzer  |  Posted 2006-02-20

What Will Apple Do When the Malware Comes?

The release in the last few days of malware for the Mac and Linux underscore some old issues about how it is possible to have malware on those platforms. I have some new thoughts though. Ive begun to wonder what Apple would do if a real problem developed.

To be very clear, a real problem has not yet developed, and Inqtana.A and Leap.A are not a real problem, except to the extent that they may be bellwethers. They are more interesting for what they suggest than what they actually do.

Its true that the Mac OS has had, for many years, an important level of protection that will only emerge in Windows with Vista: By default, Mac users run at a restricted privilege level, and any malware they run will be similarly restricted.

The user may be presented, as with any legitimate software install, with a request for the Admin password, and at that point they may exercise discretion.

Apple updates Mac OS X. Click here to read more.

This is almost entirely a consumer issue I believe; in managed business networks it has been well understood for a very long time how to create Windows clients with restricted privileges, and any administrator who doesnt do it is to blame for problems that result.

This process protects against silent installations of malware, but it doesnt protect against all fraudulent installations.

Much of the garden-variety malware on Windows pretends to be a data file of some sort (as if data files were inherently safe, but thats another story). Double-click the icon and it turns out that youve actually run a program.

But much malware, especially of the adware variety, doesnt hide the fact that its a program. The user is told that they are installing some slick browser toolbar or perhaps a special viewing program for some porn, but in fact they could be installing anything at all.

And even if they were on Windows Vista and not initially allowed to install the program they would provide the Administrator password to install it because they know they intend to install a program.

When good social engineering attacks are developed for the Mac, the same thing will happen. Its not hard to imagine Web sites and e-mails offering programs for the Mac that do more than they claim to do.

Just in terms of adware, there may be some benefit to being able to deliver known Mac users to advertisers, but for the most part the "value" of infecting the user is the same: to spread itself, and perhaps to create a Mac botnet.

The small size of the Mac community has protected it so far even more effectively than the security features of the software. Few have even tried to write malware for OS X, although in earlier days of Mac OS, back when we still passed floppy disks around, it was a frequent virus target.

I still think this has to be an important limiting factor on malware for the Mac. Since Im talking about attack methods that are universal, most attackers will want to go after the larger audience.

Next page: What would Apple do?

What Would Apple Do


Weve also had a release of malware for Linux over the weekend. Researchers are still arguing over exactly what it is and how significant it is, and in fact it appears that this one attacks PHP vulnerabilities, a problem more likely to be found on servers.

More important is that—technically—the same social engineering approaches that work elsewhere work on Linux.

But realistically, the situation on Linux is not the same. Sure, you hear stories all the time about guys who set up grandma on a Linux system, but these are curiosities at best (and most of them are probably lies too).

I have no doubt that the overwhelming majority of Linux desktop users are either on managed, locked-down networks or technically sophisticated users who recognize a technical scam when they see it.

On the other hand, the Mac community is filled with novices, at least as naive about these things as the average Windows user.

And then theres the "old version" problem. Mac OS X has a history of serious vulnerabilities, many exploitable remotely without user intervention. I dont know of any in the current version, but do all Mac users apply updates when Apple releases them? We know that Windows users dont. Why should Mac users be any different?

Some experts say that Apples switch to Intel chips may allow OS X exploits. Click here to read more.

Larry Seltzer disagrees—Click here for his take on the matter.

In fact, with respect to malware, Windows has an ironic and unhappy security advantage over the Mac: Anti-virus software is common on Windows. I bet few Mac users use it. And since there is no OEM market for Macs, there is no serious chance for anti-virus software to get preloaded on Macs.

Actually, Mac users have been treated to a steady stream of security hubris for years, being told that they are immune to the problems that afflict Windows users, and they have basically been right. But that could change.

And if it did change, things could get really bad, really fast. You may be familiar with the idea of a computer "monoculture"—the idea that when so much of the market is Windows-based a single attack against it can thereby damage a huge percentage of the overall community.

The counterargument is one for diversity in operating systems as a sort of "public health" measure for the Internet.

But the monoculture also creates an environment where the large majority identifies itself as subject to those same attacks, and the security industry identifies them as well.

The Mac culture, the counter-monoculture, is unprepared for a major attack just as Native Americans were unprepared for the germs Europeans brought with them to the new world.

So what if there were an attack? What if a series of clever attacks based on well-designed social engineering and maybe even OS vulnerabilities were launched against the Mac community? What would Apple do?

I must admit I was surprised, upon Googling "virus site:apple.com," to see three links related to actual OS X anti-virus programs: The free (as in speech and beer) ClamAV, Norton AntiVirus 10.0 for Macintosh and Intego VirusBarrier X4.

It looks like you can buy anti-virus software with a Mac from Apple, but they offer just the Norton and Intego programs from among hundreds of programs they offer with your Mac and its not preinstalled. Go to the Apple Store at your local upscale mall and theyll tell you that you dont need anti-virus software.

In fact, Apple used to offer McAfees Virex as part of their .Mac service, but there were so many support problems that they withdrew it as an option, although they do still provide .DAT files.

So in an outbreak anti-virus software probably wouldnt be an easy answer for Apple, although they could raise its profile by making it more prominent on the site and offering it as a preload. That doesnt solve the problem for existing users, but perhaps ClamAV could rush in and fill the gap.

I think Apple would more likely resort to a campaign of education, and thats a frightening prospect unless Mac users turn out to have vast reserves of common sense unavailable to Windows users.

Maybe theyre still basically safe, but I would advise Mac users to get some sort of protection now before the unthinkable happens.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

More from Larry Seltzer

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

Rocket Fuel