My take on Macintosh security


Ah, a new release.... must be time for another slew of articles aimed at getting press and money for the "security" folks out there. For those of us with Macintoshes, here is my take on the whole Macintosh virus situation.

Every time a new OS release comes out, a whole mess of security "professionals", especially those with recent books (such as Miller's The Mac Hacker's Handbook), are being interviewed by every Tom, Dick, and Harry, and repeat the same drivel that we've been hearing about Macintosh security for years, which basically amounts to:

Oh yeah? Well, if more Macintoshes were sold, then there'd be a lot more viruses for the Mac, I tell you.... just you wait!

Now, it may well be true that if there were more Macs out there, there would be more reason to go after the Macintosh and it would tend to lead people to write more viruses for them. It may also not be true, and I've never seen any indications that there is a statistical basis for this complaint.

However, let's take for the moment that it's a possibility and start looking at the kinds of exploits that tend to show up for the Macintosh in these articles. Generally speaking, and I'm not going to cite individual articles here because I haven't done a complete statistical analysis of them, the kinds of exploits that show up for the Macintosh are trojan horses, a class of malicious software that the user downloads and runs or installs. Once you've done that, you're open to a number of potential problems, including the stealing of data and the deletion of files that are not protected.

There are 2 key take-aways about trojan horses on the Mac: first, they are not the same as viruses; and second, they are limited in what they can do to your system unless you give them power. Now, this part in bold is important. If you download a questionable piece of software from the Internet (or any software for that matter, since most really don't need this facility) and the software prompts you for a password to your system during the installation process, you should be seriously considering saying "no". If you say yes, you do not have any granular control of what it might do to your system, as you have provided it with escalated privileges to access all data and services on your Macintosh.

Here are a few other things that make a big difference to Macintosh users: no in-the-wild viruses. There are basically no programs that exist today that can infect Macintoshes without the user taking specific action (opening a program in particular). Through the use of Quarantine, which has been around since Leopard, Apple tries to warn you the first time you open a piece of software, telling you where it was downloaded from asking you if you're sure you want to run it. It only happens the first time you run each program, so it doesn't provide an overwhelming number of "are you sure" dialogs.

Once you install a program on one Macintosh, the likelihood of it spreading virally (without you or the user of the computer specifically starting the program in question) is really, really low. I say really, really low, because there were some programs that managed this feat before Leopard due to hiding executables in what looked like data files. However, quarantine makes that virtually impossible these days.

Most importantly, the kinds of worms that have infected Windows and other systems over the years (a worm being a particularly vicious type of malware that makes its entrance behind the scenes, infects the computer and uses it as a jumping off place to infect more), have been almost absent from the Mac (there was a report of one in 2006/2007 using Bonjour as a vector, but that was patched by Apple on all affected systems and the worm appeared to only show up after that problem was disclosed).

People can argue until their blue in the face about why Macs tend to have a lot less trouble than PCs. Frankly, the amount of open administrative software that lies on (especially older) Windows machines is a good portion of the problem here. For years, Windows 2000 and other versions had the ability for network administrators to broadcast a message to every user on a network that was then displayed on their screens. This was a horrible idea, since it had absolutely no security whatsoever involved in it and basically allowed anyone with knowledge of your network address to send a message to your screen that popped up as if it were from the OS. To make matters worse, there were security problems with the program that put up the window and they were exploited to deliver worms and other viruses on the Windows platform. This is not an isolated case, either.

Architecturally, there's definitely more that Apple can do about security on the Macintosh and I hope that we continue to see the kind of sandboxing that is being used by Apple on the iPhone slowly creep its way into the Mac. By using this judiciously, they could keep only authorized programs from doing things on the system and they could make a much better permissions model for the otherwise-dangerously all or nothing approach that the installers tend to take these days. I'd love to see something along the lines of an installation dialog for VMWare (as an example) that requests permission to "add kernel extensions and startup items" and then have the OS grant just permissions to install items in those places. More importantly, for programs that use the installer just to put things into special locations, such a scheme could prevent them from doing other things behind the scenes (like installing kernel extensions) without your knowledge. I know I'd think twice if a graphics program requested permission to install a kernel extension.

But, for the time being, the Macintosh is a pretty safe platform, as long as users are vigilant. Keep up to date on your software updates and don't run programs with questionable pedigrees.

NOTE: Today's Wired article pretty much caused this article to be written. I have to say that you must admire a magazine that continues such superlative reporting as telling us that "In Snow Leopard, Apple has added security enhancements including Executive Disable"... executive disable? Sounds like something you'd use in a bad movie to remove your competition, did you mean Execute Disable (XD), a technology that's been around for years and was one of the most touted security features of the last 3 generations of processors? Oh, you know, that whole accuracy thing isn't important. Wonder how well you did on the other facts? Probably about the same, interview a couple of guys who are shilling a book and reprint their stuff as well as whatever you can find in a quick Google search. No offense to Google. For more humor, the next line: "Apple also added hardware-enforced Data Execution Prevention" is basically a reference to the Exact Same Technology. Curiously, Apple's only technology mention is of "hardware-based execute disable for heap memory", which I'll note doesn't mention disabling executives at all!