The Mac Landscape: Full of Empty Threats?

Opinion: The verdict is in: OS X is as insecure as anything out there, but somehow nobody-including attackers-cares.

When it first came out in July, Symantecs report "The Mac OS X Threat Landscape: An Overview" revealed a collection of vulnerabilities and potential attacks that rivaled any major operating system (at least in their shipping versions).

The updated version, released earlier this week, reinforces these conclusions, and in fact things are getting worse.

And yet Macs are not widely attacked, as are Windows systems. In fact, from what I can tell from the monitoring I do of discussions on the matter, Linux boxes are more likely to be attacked, successfully or otherwise, than the average Mac, and there are a lot more Macs out there than Linux boxes.

The Symantec report does no original research; its all based on publicly available research and vulnerability disclosures from Apple. On the disclosure issue, the report shows graphically that the frequency of vulnerability disclosures for Apple software has been on the increase in recent years. Just recently the Month of Kernel Bugs project revealed a bug in the OS X kernels fpathconf() system call that could allow a DOS and that was fixed in FreeBSD, the antecedent of OS X, back in June 2000.

The report also discusses more general points that are key to assessing the security state of OS X. One is that the OS has been out for some time now and key components of it, such as the heap manager, are better understood. As Microsofts Robert Hensing says, "Understanding how something works is the first step in breaking it. :))."

The other general point I didnt appreciate before is the implications of the two-layer kernel. To quote the report:

The OS X operating system is based on FreeBSD, with a set of additional tools and frameworks (such as Core Foundation) built on top. The underlying kernel used by OS X is Darwin, a Mach-based kernel. Because Mac OS X is a UNIX-based operating system, it inherits all its built-in security features, such as a well-designed multiuser infrastructure as well as process and file attributes. It integrates functionality from BSD and Mach kernels, allowing both to interoperate independently. "Well-designed" as it may be, this two-layer kernel has an abnormally large attack surface because there are two kernels.

/zimages/5/28571.gifApple has encrypted critical parts of its operating system to protect it from software pirates, according to a researcher. Click here to read more.

This is not just a theoretical argument. The report goes on to cite research by Nemo on showing how BSD security can be bypassed because of flaws in the integration between Mach and BSD in the OS X kernel.

The Symantec researcher argues that they are seeing more activity in the Mac arena, including exploit development, all the time. They argue that the move to x86 architecture will assist this, although Ive been skeptical of this argument in the past. They point out a great deal of work done in rootkits for OS X. They point out that OS X has not employed advanced defensive techniques like address space layout randomization or even simpler ones like stack canaries.

OK! Im sold! Mac OS X has myriad opportunity for attack. So where are all the attacks? How come there arent armies of Mac botnets? Why arent there scores of new malware samples for the Mac every day?

The report focuses its attention on the obvious answer, the standard one for this question: The Mac is less popular, so theres less incentive to write exploits and malware for it. Theres as much reason to believe this as ever, since overall Mac market share hasnt moved much in the last few years, in spite of stories about its tremendous growth. Nor would I assume its share of the installed base of systems, a more important number, has grown much over the last few years.

There are even fewer Linux or Solaris systems out there, and they get attacked all the time, both through kernel vulnerabilities and application bugs. What explains this difference? Perhaps those who research and write attacks are more familiar with Linux and Solaris. Perhaps these systems are more likely to be servers and therefore more easily targeted for attack. Perhaps these systems are more likely to be business systems and are therefore a better target. Perhaps this is why Apple is not showing an interest in the enterprise.

Im still stumped. All of these explanations make sense, and somehow theyre all unsatisfying. One thing is clear: Mac users are really lucky so far.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Ryan Naraines eWEEK Security Watch blog.

More from Larry Seltzer