Kaspersky claims Apple is '10 years behind Microsoft' on security


The Flashback trojan, which infected more than 600,000 OS X users earlier this month, has industry experts discussing Apple's response to Mac malware and its prospects on security. Eugene Kaspersky, CEO and co-founder of security company Kaspersky Lab, believes Apple is "10 years behind Microsoft in terms of security." Citing the relative success of the Flashback infections in an interview with CBR, Kaspersky predicts that cyber criminals will create "more and more" Mac malware in the future.

Given Kaspersky's background, his claims could easily be dismissed as fear mongering to push anti-virus sales, but he also predicts that Apple will face the "same problems Microsoft had ten or 12 years ago." Microsoft's Windows XP suffered high-profile security incidents, including the MSBlast worm, which forced the company to ship Service Pack 2 with significant security improvements; many believe that engineering effort slowed the development of later operating systems such as Windows Vista. "They [Apple] will have to make changes in terms of the cycle of updates and so on and will be forced to invest more into their security audits for the software," says Kaspersky.

Apple appears to be heading in the right direction, though. Mountain Lion, the company's upcoming OS X release due this summer, introduces Gatekeeper, which by default blocks applications from launching unless they came from the Mac App Store or were signed by an identified developer with an Apple-issued Developer ID certificate. Users can still switch the setting to allow apps from anywhere, but the feature is clearly aimed at stopping downloaded malware from executing. Two caveats matter in practice: Gatekeeper only evaluates files that carry the quarantine attribute set by quarantine-aware downloaders such as Safari and Mail, so a payload dropped by an exploit in a browser plugin is never assessed, and a valid signature proves only who signed the code, not that the code is free of exploitable bugs. Sophos says nearly three percent of 100,000 people using its Mac anti-virus software were recently found to be infected with some type of OS X malware. If malware authors exploit holes in Mac App Store or Developer ID-signed applications, Gatekeeper may not be enough to stem future outbreaks, and Kaspersky's 10-year prediction might just come true.
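The quarantine attribute is the hinge on which the Gatekeeper policy turns, so the first check a practitioner makes on a suspicious download is whether the attribute is there at all. The script below is an added example written for this article, not code from Apple or from the article's author; it parses the com.apple.quarantine value (a semicolon-separated record of hex flags, hex download timestamp, downloading agent and an optional UUID) and reports whether Gatekeeper would ever be consulted for the file. The sample attribute value is constructed for the example, and the read_quarantine helper shells out to the macOS xattr tool, which is assumed to be present only on macOS.

```python
"""Added example: inspect the quarantine metadata Gatekeeper relies on.

Gatekeeper only assesses a file when it carries the com.apple.quarantine
extended attribute, which quarantine-aware apps (Safari, Mail, ...) set on
downloads. The value is a ';'-separated record:
    flags (hex bitfield);download time (hex Unix seconds);agent name;UUID
"""
import subprocess
import sys
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

QUARANTINE_XATTR = "com.apple.quarantine"

# Constructed sample value, modelled on what Safari writes: flags 0x0081,
# timestamp 0x4f8c1a2b (16 April 2012 UTC), the agent name and a record UUID.
SAMPLE_SAFARI_VALUE = "0081;4f8c1a2b;Safari;A1B2C3D4-0000-4000-8000-000000000000"


@dataclass
class QuarantineInfo:
    flags: int
    downloaded_at: datetime
    agent: str
    uuid: Optional[str]


def parse_quarantine(value: str) -> QuarantineInfo:
    """Split a raw attribute value into its fields; reject anything malformed."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"malformed quarantine attribute: {value!r}")
    try:
        flags = int(parts[0], 16)
        seconds = int(parts[1], 16)
    except ValueError as exc:
        raise ValueError(f"malformed quarantine attribute: {value!r}") from exc
    uuid = parts[3] if len(parts) > 3 and parts[3] else None
    downloaded_at = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return QuarantineInfo(flags, downloaded_at, parts[2], uuid)


def read_quarantine(path: str) -> Optional[str]:
    """Return the raw attribute for `path`, or None when the file has none.

    Uses the macOS `xattr` tool; on other platforms it raises rather than
    silently reporting 'not quarantined', which would be a false negative.
    """
    if sys.platform != "darwin":
        raise RuntimeError("com.apple.quarantine only exists on macOS")
    result = subprocess.run(
        ["xattr", "-p", QUARANTINE_XATTR, path], capture_output=True, text=True
    )
    if result.returncode != 0:
        return None  # xattr exits non-zero when the attribute is absent
    return result.stdout.strip()


def gatekeeper_verdict(raw_value: Optional[str]) -> str:
    """Describe what Gatekeeper does with a file given its raw quarantine
    attribute (None means the attribute is absent)."""
    if raw_value is None:
        return ("not assessed: no quarantine attribute, so Gatekeeper's "
                "App Store / identified developer policy is never consulted")
    info = parse_quarantine(raw_value)
    return (f"assessed: downloaded by {info.agent} at "
            f"{info.downloaded_at:%Y-%m-%d %H:%M:%S} UTC "
            f"(flags 0x{info.flags:04x}); launch requires an App Store "
            "receipt or a valid Developer ID signature")


if __name__ == "__main__":
    # With a path argument on macOS, inspect that file; otherwise use the sample.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    raw = read_quarantine(target) if target else SAMPLE_SAFARI_VALUE
    print(gatekeeper_verdict(raw))
```

The design point is the None branch: a file written directly by an exploited plugin or a shell script carries no attribute, so the script reports that the policy never runs. Treating "no attribute" as "passed Gatekeeper" is the mistake the caveat above warns against.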


Comments

I know, you are right
I realised the very moment I posted.
Well it will be interesting to see how Apple will fight against those attacks.
Windows has proven, after all these years, very good at the moment. I haven’t had any problem on my Windows 7 since December 2009. Very stable and robust.

Apple is about to get its cherry popped, or apple, I should say.

I must admit it was extremely unpleasant waking up the morning of the Flashback trojan news… I felt extremely concerned. Took me back to the days of PC anti-virus hell.

I mean even if you have that stuff installed, a lot of the time you can still be infected as their definition files (or whatever, I’m no expert) only get updated in response to some of the creative malware actually hitting users.

Worrying. I tried out Avast! for Mac’s beta but it was horrible. Lag city.

I must admit it was extremely unpleasant waking up the morning of the Flashback trojan news

Even though Flashback and a handful of Mac trojans exist… there are a million pieces of Windows malware, viruses and trojans out there.

I still think your chances of getting infected with some nastiness will be on a Windows machine.

But I’m a Windows user who doesn’t use an anti-virus package… I like to live on the edge.

I’m a Windows user, I use a combination of Avast and Common Sense, and have yet to have any problem since the days of XP. Anyone who still manages to suffer from malware on Windows is either a complete idiot or is doing some very dodgy stuff.

My complete family and I are Windows users and I can’t even remember the last time any one of us had a virus. We all have security essentials installed and that does the job without irritating the user at all.

I must agree with you, anyone who manages to get a virus these days is most probably an idiot and should learn to use a computer.

I can tell you from all the free technical support I give to family and friends that it’s the less sophisticated users who are most at risk. Invariably they accidentally download some trojan that is not yet in the AV software’s malware definition file. Invariably they click that silly flashing button on some page because they think they are supposed to do that rather than just close the darn window and get out.

Incidentally, Apple’s new Gatekeeper would not have prevented the Flashback outbreak. Flashback works on files downloaded from mail attachments or where Safari is aware of the download (e.g.: it is showing up in the “downloads” pane on Safari). Flashback worked its way in via a hole in Java. Safari would have been completely unaware of it and thus would never have set the bit in the file that says “don’t execute this download unless the user confirms it”. Instead, Flashback would have executed itself by tricking Java into doing that.

There is no such thing as a fully secure operating system. The best you can do is use a decent dose of counter measures, buy an OS that is constantly adding new walls to would-be malware, keep yourself up-to-date on that OS, be vigilant when using the Web, and most of all be lucky. Everything has been or will be hacked, that’s a given. All Apple and Microsoft and Google can do is raise the price of admission for those capable of hacking it, but somebody will always be willing to pay that price.

The real trick is to never assume you are completely safe from malware. That’s exactly what the hackers want you to think. They want a complacent user who believes he can surf the Web without caution. Unfortunately, that describes a significant group in the Mac community and hence the vocal nature of the “I’m safe because I use a Mac” group is going to draw the hackers’ attention and there will always be some who rise to the challenge.

With Microsoft integrating Security Essentials into Defender in Windows 8, Windows is getting very close to fully secure, excluding 0-day exploits. I would not be surprised if many of the virus creators start to migrate to OSX as there is a potential to infect more users with greater ease at this point.

The biggest problem is always going to be third party software. Every single third-party software you run is essentially a “trusted” executable. That trusted executable can have security holes and those security holes can be exploited.

The only defense against this is sandboxing to limit your exposure. But if a piece of third-party software is running with high-level privileges and it has security holes then you are essentially exposed even if the OS is doing fun things like ASLR and code-signing checks.

Apple is pushing for all Mac AppStore apps to use the sandboxing API and defer to Apple’s API’s for many common tasks — this way Apple can ensure those things are handled securely and are monitored, but there will always be a hole. The “App Store Review Process” may eventually need to include a serious automated security audit of the software, unfortunately a manual audit by a creative and sophisticated white-hat hacker would be too expensive for every piece of third-party software.

I agree with you that Microsoft is doing a good job of making the walls around Windows even taller, but I really only worry about the holes in those walls, because there is always a hole. The hackers typically don’t scale the wall, they find the loose bricks and punch a hole through.

Apple’s sandbox has the problem of being too restricted.

And not all executables are trusted. Developers can have signed certificates to prove it’s safe or authentic.

The certs are free and trivial to obtain. Their only purpose is so Apple can remove malware from the system. Devs applying for them are basically just pinky swearing that they are not making malicious apps and permitting Apple to remove them if they are malicious. Apple has had this ability since the beginning of iOS and has never taken advantage of it so they have earned some trust in that regard. As a reference, other companies with the same ability have used it within that timeframe.

Trivially easy.

I’m sorry, but making new accounts costs time and $99 and a CC or bank account ID. And if you get caught, you’re screwed. And you have to make a new one. And your code has to be different.

And since malware targets n00bs that don’t typically install anything outside of the safe and easy appstore, I think that the risk/reward for malware devs is safely on the side of risky. (Add to that the fact that unsigned code simply won’t run on said n00bs’ machines.)

We mustn’t forget that Apple screwed up royally by not fixing a known hole in Java. This never would have happened.

The $99 is only for devs who want to post in the Mac App Store, signing certs are 100% free and easy to get.

The known hole in Java was fixed by Oracle 6 weeks prior. However, Apple doesn’t release daily updates, they roll everything into larger point updates that come out once a quarter or so (no set release, but that’s a good approximation). You know that Apple had this fix ready to go because they released it the day the infection became public. Their approach is that people get annoyed at continuous updates so they release less often so people are more inclined to update. How often do you click the postpone button when Windows prompts you to install updates?

Updates are my life.

False. Here’s what you can do for free as a dev. You can check out the benefits of being a paying Mac dev here.

And yes, Apple had no sense of urgency over pushing out the Java patch. They screwed up.

I wish there was a button for “factual inaccuracy.” You don’t need a dev account to get a cert, but that confidence you exude is convincing.

You have to pay $99 to get a certification. Unless Ars and nearly everything else I’ve read is wrong. But regardless, you have to have a dev account.

And I think you’ve just proven why there is no “factual inaccuracy” button.

That’s not how it works, you get a certificate from a CA (Go Daddy’s is $199, but there are considerably cheaper ones) and you submit it to Apple.

You can use that certificate to sign as much software as you want as long as the certificate is valid. Apple just needs to ensure that the certificate is valid and that it identifies you.

Sorry, I meant Microsoft certificates.

That “sandbox” is in no way a replacement for security. Especially looking at how long it actually takes Apple to respond with pushing updates. What was it with the Flashback exploit? Two months after it was made public? And still several older OSX versions are still at potential risk. I think Kaspersky are right about Apple’s view on security, they don’t really have a working procedure to fix issues like Microsoft.

6 weeks, and it was ready to go for the next point release. They did release it the day the infection became known. Also, this was a Java vulnerability and starting with Lion Java is no longer installed by default.

Yes, but Mac OS X does indeed prompt you to install Java the first time you use it. I discovered that none of my Lion Macs had ever installed Java when Flashback became widely known (not even my kid’s mac mini). This tells me that Java is not used on websites nearly as often as it used to be since Java used to install on every machine I had because it was required for so many things.

But my original point still stands: there will always be some piece of third-party software out there even if you have an otherwise bullet proof operating system. In this case it was Java, next time it will be something else. The six-week lag time in the Java update from Oracle’s update is what gave Flashback a large window to spread.

Apple really should set up a website where white-hat hackers can register themselves to find unique exploits in Mac OS X using a lab of remotely accessed Macs and then give reward money for each unique exploit found. They also need to provide security updates more frequently to close the window of opportunity for hackers.

I agree 100% with everything you said

It’s an extra layer. You can’t make a totally secure system unless you remove the human element from the mix. The point is to make it more and more difficult to get in and do bad things.

I concur, I am also my friends’/family’s tech support and it’s people who miscellaneously download crap that get viruses. To sum it up in a sentence:

People get viruses, not computers.
