When it first came out in July, Symantecs report “The Mac OS X Threat Landscape: An Overview” revealed a collection of vulnerabilities and potential attacks that rivaled any major operating system (at least in their shipping versions).
The updated version, released earlier this week, reinforces these conclusions, and in fact things are getting worse.
And yet Macs are not widely attacked, as are Windows systems. In fact, from what I can tell from the monitoring I do of discussions on the matter, Linux boxes are more likely to be attacked, successfully or otherwise, than the average Mac, and there are a lot more Macs out there than Linux boxes.
The Symantec report does no original research; its all based on publicly available research and vulnerability disclosures from Apple. On the disclosure issue, the report shows graphically that the frequency of vulnerability disclosures for Apple software has been on the increase in recent years. Just recently the Month of Kernel Bugs project revealed a bug in the OS X kernels fpathconf() system call that could allow a DOS and that was fixed in FreeBSD, the antecedent of OS X, back in June 2000.
The report also discusses more general points that are key to assessing the security state of OS X. One is that the OS has been out for some time now and key components of it, such as the heap manager, are better understood. As Microsofts Robert Hensing says, “Understanding how something works is the first step in breaking it. :)).”
The other general point I didnt appreciate before is the implications of the two-layer kernel. To quote the report:
“Well-designed” as it may be, this two-layer kernel has an abnormally large attack surface because there are two kernels.
This is not just a theoretical argument. The report goes on to cite research by Nemo on uninformed.org showing how BSD security can be bypassed because of flaws in the integration between Mach and BSD in the OS X kernel.
The Symantec researcher argues that they are seeing more activity in the Mac arena, including exploit development, all the time. They argue that the move to x86 architecture will assist this, although Ive been skeptical of this argument in the past. They point out a great deal of work done in rootkits for OS X. They point out that OS X has not employed advanced defensive techniques like address space layout randomization or even simpler ones like stack canaries.
OK! Im sold! Mac OS X has myriad opportunity for attack. So where are all the attacks? How come there arent armies of Mac botnets? Why arent there scores of new malware samples for the Mac every day?
The report focuses its attention on the obvious answer, the standard one for this question: The Mac is less popular, so theres less incentive to write exploits and malware for it. Theres as much reason to believe this as ever, since overall Mac market share hasnt moved much in the last few years, in spite of stories about its tremendous growth. Nor would I assume its share of the installed base of systems, a more important number, has grown much over the last few years.
There are even fewer Linux or Solaris systems out there, and they get attacked all the time, both through kernel vulnerabilities and application bugs. What explains this difference? Perhaps those who research and write attacks are more familiar with Linux and Solaris. Perhaps these systems are more likely to be servers and therefore more easily targeted for attack. Perhaps these systems are more likely to be business systems and are therefore a better target. Perhaps this is why Apple is not showing an interest in the enterprise.
Im still stumped. All of these explanations make sense, and somehow theyre all unsatisfying. One thing is clear: Mac users are really lucky so far.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Ryan Naraines eWEEK Security Watch blog.
More from Larry Seltzer