How Long Can You Fly Under the Malware Radar?

Opinion: It's a form of "security through obscurity"-avoiding security problems by using an obscure platform. How long can it work?

The last few days have been embarrassing ones for Windows alternatives. Apple released a series of vulnerability disclosures and updates rivaling any put out by Microsoft and the Mozilla Group had to contend with a leaked "highly critical" vulnerability disclosure.

The mainstream press, not just the trade press, has been advising users to move to Firefox and the Mac in order to avoid the security problems that plague Windows users, and that may be good advice—for now. But a careful look at the last six months or so indicates that in terms of actual security problems theres not much of a difference between the platforms. Windows is a bigger target primarily because of its installed base.

So, the question becomes: How long can you get away with it? How long can you run on a Mac, or use Firefox on Windows, and expect to avoid security problems? Put another way, when will the authors of malware decide its time to start targeting Mac and Firefox users?

Even the short answers are complicated: I think it will be a long time before we start seeing Mac viruses in any meaningful numbers. The Mac would have to be far, far more popular than it is now for malware authors to have sufficient confidence that they could get attacks to spread and achieve the endemic status of Bagle, Netsky and the other luminaries of the Windows malware world.

No matter how bad a vulnerability gets on the Mac, its still an unsatisfying target for a malware author.

/zimages/3/28571.gifRead more here about security issues in Apples new operating system, Tiger.

With Firefox I can imagine attacks being attempted, such as Firefox-specific spyware and adware. There is no shortage of critical vulnerabilities affecting earlier versions of the browser, and undoubtedly many users have not kept up with the latest version.

With version 1.0.4 just around the corner its easy to imagine some users getting tired of all the updates, especially if they installed it after reading advice in the local newspaper, as opposed to getting help from their techie nephews.

Its also easy to imagine many people using both Internet Explorer and Firefox, as I do, since its free and easy to get. Finally, its also easy to imagine many Firefox users being careless about things like virus protection and casual surfing and link clicking.

So I do expect some kind of security problem to hit Firefox users, not just a vulnerability disclosure like we have now, but an actual exploit being used for malicious purposes. The early ones will attract attention and probably not cause much damage, but why, for example, should adware vendors who utilize IE vulnerabilities not add "support" for Firefox vulnerabilities?

/zimages/3/28571.gifClick here to read about how Firefox handles pop-ups.

The barriers to entry for Mac malware are much higher, both in terms of writing it and getting it to spread. This isnt because the Mac operating system is more secure, but because there are so many fewer Macs, and fewer qualified developers.

Let us presume that malware writers are, like most PC programmers, familiar with Windows programming but unfamiliar with Mac programming. They would need to acquire Macs to develop on, and then they would need Mac development tools, expertise in writing for the platform, and time to write the malware. Very little, if any, of the code they wrote for Windows attacks will be portable to the Mac.

Spreading a Mac attack is even harder. Few enough of the thousands of Windows attacks every year spread, and they have no trouble finding large numbers of compatible systems. The only hope Mac attacks have going for them is that many Mac users run without security software because its "unnecessary."

Adware for Firefox or a similar problem seems inevitable to me, and it will help, in a way, to put browser security in perspective.

It will be a shame when Firefox users have to suffer the same fears as IE users (those who arent blissfully ignorant of the problems), but maybe it will lead to solutions that address the problem, rather than just avoiding it.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

/zimages/3/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.