The Mac OS X Malware Myth Continues
Continuing a non-story that will never die, Wired Magazine has an article about the threat of Mac OS X malware, in which I was quoted. I spoke with the author, Ryan Singel, by phone yesterday, and disputed the premise that as Apple's (AAPL) market share grows, it will be subject to the same degree of malware that Windows is. Unfortunately, something got lost in the translation. Here's the quote:
But Carl Howe, an Apple analyst at Blackfriars Communications, disputes the security researchers' theories. He thinks that OS X's Linux heritage makes Apple systems less vulnerable to attack than Windows-based platforms. He argues that even if hacking Macs hasn't been profitable in the past, attackers would have done it anyway if they'd been able -- just for the attention.
"I think the market-share thing has always been a myth," Howe said. "It's a good story to talk about."
What I actually said was Mac OS X's Unix heritage, not Linux. I wrote Ryan about the mistake, and he corrected it. But I just wanted my readers to know I don't have my *nixes mixed up if they saw the earlier version.
But overall, I do stand by my statement that the whole Mac OS X malware story is one of those urban myths that just won't die, just like Craig Shergold, the child with cancer who wanted to get into the Guinness Book of World Records for the most business cards (which, by the way, was true in 1989, but he survived and no longer needs cards). For an ordinary consumer, it's easy to think that since Mac OS X and Microsoft (MSFT) Windows both look somewhat similar, they must be similar underneath and exhibit similar vulnerabilities. Therefore, the reasoning goes, the difference in malware must just be due to market share differences.
The only problem is that it isn't true. The two platforms have completely different business philosophies, architectures, and decisions behind them. And those differences matter when it comes to security.
Microsoft Windows evolved from a hardware platform philosophy
See, it's important to remember who Microsoft's biggest customers are. Those big customers aren't consumers; they're hardware vendors. That's why it's nearly impossible to buy an HP or Dell computer without Windows -- HP and Dell are Microsoft's customers, not you. And these hardware vendors are the people who drove Microsoft's growth.
When Microsoft designed Windows for the ability to run on as many hardware platforms as possible, it had to make its system easily extensible. Therefore, Windows needed ways for anyone to plug their software in, be they a motherboard maker, a peripheral manufacturer, or a software designer. That meant easy ways for outside companies to modify Windows to their needs. This doesn't just apply to device drivers, but to other OS components like dynamically loadable libraries, graphics drivers, and the like. And with thousands of Windows vendors involved, developers became very creative at adding their software into Windows. And Microsoft, responding to Steve Ballmer's chant of "Developers, developers, developers....", provided application programming interfaces (APIs) -- some of them public, some of them not -- so developers could install these add-ons.
And this extensibility didn't stop at hardware devices. When Microsoft found itself falling behind Netscape and its use of Java in Web browsers, it felt it had to allow Web designers to extend its OS as well. So it added a Windows-only extensibility feature called ActiveX, which allowed Web designers to add code to the browser and to the user's desktop environment. I noted publicly that this was a mistake in Web security in 1997. But in its quest for market share and Internet dominance, Microsoft didn't really care about security.
Now in 2004, Microsoft recanted on that view, and Bill Gates declared security its top priority with its Trustworthy Computing initiative. But by that point, Microsoft had millions of pieces of driver code and software add-ons that had to be allowed to insert themselves into Windows for its ecosystem to continue functioning. The company was left with two choices: be compatible or be secure. Guess which choice worked best with Microsoft's business model?
Apple chose a secure software foundation and rigid platform control
Mac OS X, on the other hand, never went through this same "we must be all things to all developers" evolution. It based its OS on a tried-and-true platform, the Berkeley Source Distribution [BSD] version of Unix. The APIs into this system are few and well-publicized. BSD's security model is also both open source and well tested, having been used by educational, government, and commercial researchers for about 30 years. Yes, Apple made changes and extensions to the system, but they were done to make Mac OS X run well on Mac hardware, not a million different Frankensteinian combinations of hardware from thousands of different vendors. And in fact, Apple still exercises very tight control of its platform and operating system software by building in security features that prohibit Mac OS X from running on other Intel hardware, even though it quite easily could allow it.
The result: Mac OS X remains a much tougher nut to crack for malware developers. Why? There are actually a lot of reasons, but I'll stick with just my top three. Unlike Windows,
- Mac OS X users don't run with administrator privileges. Until Windows Vista, almost every Windows user had all privileges to install and modify their OS at all times. Mac OS X, on the other hand, always has users run without such privileges. That means you have to type a password to install or change any critical system software. That minimizes the damage that Web- or email-based malware can do. And unlike Windows, there is no compatibility requirement for ActiveX binary code insertion into the user or kernel environment via the Web in Mac OS X.
- Mac OS X has less spaghetti code. Ask any security guru and he or she will tell you: a simpler software model is easier to secure than a complex one. Any Unix has only about 200 entry points into the secure kernel environment. And while there are many libraries in the Mac OS X system, most of those don't have enough privileges to do anything really bad (see the bullet point above). For a nice graphical comparison of the relatively low complexity of Linux (not the same as Unix, but similar in security philosophy) compared with the high complexity and threat profile of Windows, see these lovely charts.
- Mac OS X mail doesn't automatically run attachments. One of the poorest security decisions that Microsoft made was that, back in 2000 or so, it configured its Outlook and Outlook Express mail systems to automatically execute script code in incoming HTML email without any user action required. This was one of the big vectors for virus proliferation earlier this decade. Microsoft has since patched that problem, but it remains a headache for the entire Microsoft ecosystem because unpatched systems still exist. Meanwhile, Apple mail systems have never run attachments or HTML code automatically, so this very common vector for virus transmission just doesn't exist in the Apple world.
- Apple can actively manage and verify its hardware. Apple doesn't need to sacrifice security for compatibility with a million different hardware configurations. In fact, as we've seen in its latest Leopard launch, Apple actively prunes the number of hardware configurations it supports. And Apple has demonstrated with its iPhone that it is no stranger to locking down its hardware/software products to guarantee a good user experience. As a result, Apple doesn't have to provide insecure compatibility interfaces for old hardware or software systems -- and therefore can minimize its threat exposure.
Now I'm not saying that Apple has an invulnerable or even a "requires-an-MIT-Ph.D.-to-crack" security system. It doesn't, and smart security guys like Thomas Ptacek have written about Leopard's latest vulnerabilities. There will be security problems, both now and in the future. But I think it's important to distinguish between having two exploits on the roughly 50 million Mac OS X computers (the latest of which is actually a Trojan Horse, and not a virus) and the roughly 140,000 viruses extant for the hundreds of millions of Microsoft Windows computers worldwide. Two vulnerabilities don't make an epidemic. And given that Mac OS X is a harder target to penetrate, I don't expect those ratios to change dramatically any time soon.
One final note: I noted above that the vulnerability that is being publicized this week is actually a Trojan Horse, not a virus. What that means is that the user actually has to 1) explicitly download a piece of software, which the author advertises as a QuickTime codec, 2) choose to install that software, and 3) type in their administrator password before the code becomes active. The fact that this threat requires three explicit user actions to activate and has no other way of spreading itself means it will never infect millions of computers the way worms like Storm or MyDoom do. All that said, if you want information on what it is and how it works, you can see a pretty good presentation here at the SANS Institute.
This article has 6 comments:
- beech_35, Nov 05 10:52 AM:
OS X is the only OS with origins in a multiuser, multitasking, secure OS, while Windows in all its incarnations has been an attempt to retrofit security to an aging interface.
With OS X, Apple completely scrapped its legacy OS and started over with a clean sheet using a BSD Unix core. Windows has no analogous core other than MS-DOS. Without scrapping Windows and starting from scratch, nothing from MSFT will ever be as secure as OS X.
- Tedious, Nov 05 02:39 PM:
I think that MS should take THAT page from Apple's book and start deprecating API sets (like any DirectX before 7 and the entire Win16 API) and port their new APIs to a BSD-based filesystem running on their 64-bit NT kernel.
Backward compatibility all the way back to PC-DOS 1.0 may be what MADE Microsoft, but it will be what kills it if it doesn't start pruning their code base (regardless of how many lazy grey-beard developers it will piss off).
- the deebs, Nov 05 02:19 PM:
Windows experience suggests that wherever there is a hole it will be exploited (or already has been).
www.pixentral.com/show...
(OS X 10.5 with block all incoming selected through preferences)