Digg this story   Add to del.icio.us  
Absolute Security is a Myth
Jason Miller, 2005-04-08

No operating system is completely immune to security threats, and that includes Apple's OS X.

Giving people the impression that their choice in operating systems makes them invulnerable to security threats is a very, very bad idea.

Sometime last week, a co-worker of mine forwarded a news article to me, which discussed the withdrawal of a $25,000 reward that was being offered for the successful creation of a "self-replicating virus that is effective against the modern Mac OS X operating system." I always get a kick out of contests like these, not only because they don't really prove anything, but mostly because they tend to stir up a lot of commotion. Once I started looking into the contest, I knew that I had something important to talk about with the educated readers on SecurityFocus. I'll first mention here that Apple did not endorse this contest in any way; it was sponsored by DVForge, a company that builds hardware accessories for Apple computers.

Let's be very clear on one thing: I write about Unix security for SecurityFocus out of my own volition, and my opinions have nothing to do with those of SecurityFocus or Symantec as an organization (SecurityFocus is owned by Symantec). When writing about Unix security, I am happy to say that there's not often much to talk about. Yet after delving into this contest a little bit, I wanted to do my best to separate fact from fiction, and prevent anyone from getting the wrong impression about the security of their operating system.

Some concerning statements

When reading some of the statements being made by the author of this contest, I was very concerned that people uneducated in information security would read these claims and buy into the suggestion that, simply by using Mac OS X or any operating system for that matter, one could be immune from computer viruses and other security threats. This paradigm is not only wrong, it's also very dangerous. It looks as though many of OS X users are under the impression that malicious code isn't something they will ever have to worry about -- though I hope this is just a vocal minority, and not a general consensus.

The thought that viruses and security threats are something of no concern to people running OS X might just be a popular belief among the OS X users who read about the contest. However, this is a frightening precedent, as good security starts with people, and convincing a group of people that any technology can be a panacea for security threats will do nothing more than set them up for failure. It's okay to be passionate about an operating system, but it's not okay to blindly believe that your operating system is somehow immune to security threats. This is something that no operating system on the planet can boast.

The fallacy of feeling immune

I don't want to get into a semantics argument, but we first need to make some clarification of the security threats that have been denounced by the author of this contest. First, a virus is a simply a computer program that replicates itself. A "plain virus" for a given operating system could be written by any solid programmer familiar with development in that environment, and OS X is certainly no exception. Regardless of whether or not the environment in question is a mobile phone, a PC, a Mac, or a calculator, is itself irrelevant. However, judging by some of the comments associated with this contest, it appears as though the claim is intended to cover the more broad concept of a network-based security threat similar to the plethora of those that have affected Microsoft Windows. Basically, it would make sense to talk about a threat that could significantly affect the average Mac OS X user without the user first doing something really silly.

The obvious misuse of the term "virus" in this contest should provide testament to the fact that people making these sorts of claims are sorely lacking in security knowledge in the first place.

When dealing with Unix, and by association Mac OS X, there are strong security policies in place to restrict a compromise to certain levels. There are both non-privileged and semi-privileged user-land accounts, and sitting atop the throne of user-land security is the almighty root account (which in OS X is disabled by default). Past user-land, you've got the kernel. But to the user of a desktop system, what sorts of comforts do these layers provide? Certainly, if a malicious program is running with the same privileges as the user of the computer, it can still do enough damage to ruin more than just their day. No one will take solace in the fact that it was, "only a user-level compromise" when all of their work, music, and other files are deleted, or when the credentials to their on-line banking account are compromised. Local privilege escalation vulnerabilities have probably been found in every operating system under the sun. And there are plenty more of them, for Mac OS X, or any other operating system, just waiting to be discovered. No one is immune.

So, what kinds of opportunities are present for new security-related threats that will target Mac OS X? First I must say that the default installation doesn't do a bad job of maintaining security, by having the firewall available (though it is disabled by default), only starting a small set of services, and encouraging the operator to run as a user and not as an administrator. However, there are other security threats that will be perhaps more common for a typical desktop OS X user. For starters, anyone using Mac OS X probably spends some significant time on the Web with Safari, and he likely sends and receives e-mail messages with the included Apple Mail e-mail client. The Web and e-mail clients for OS X, as well as the associated applications that integrate with them, have plenty of undiscovered vulnerabilities in them. So does Internet Explorer, Mozilla, Firefox, Opera, and whatever other browser or application you want to throw into the fray.

Suggesting that any software application is vulnerability-free is not only naive, it defies history. Some vulnerabilities have already been found in Safari, and for one to suggest that no others will be found in the future is senseless, unprovable, and naive. There have been vulnerabilities which are fantastic candidates for remote exploitation on "real world" OS X computers. While malicous code hasn't been written to exploit these vulnerabilities, it would not be hard to do so and thus Apple users should simply consider themselves lucky. It should be no surprise that these sorts of attacks will continue to be discovered in the future. Don't get me wrong, it's great that the AppleFileServer isn't enabled by default -- but don't tell me that a large percentage of the OS X population doesn't activate it for convenience. And if they have the attitude that their operating system is immune to attack by viruses, then what's going to prevent them from enabling insecure services?

If the contest was simply to suggest that an up-to-date OS X machine with the firewall enabled and no applications running would be very hard to penetrate remotely, then I'm not aware of many operating systems that wouldn't fall into this category. And if so, this is hardly a valuable or realistic simulation of the real world.

Once more

While a full discussion of how users on an OS X-based computer can be exposed to security-related threats is out of the scope of this article, suffice it to say that the threat of attacks targeting Mac OS X, or any other operating system for that matter, is very real. I don't care if you run OpenVMS, Plan9, OpenBSD, Linux, Solaris, Windows, or any other operating system under the sun. Nothing is infallibly secure. I'm not picking on OS X, either, I'm simply trying to enforce the fact that considering yourself immune to security threats is probably one of the biggest mistakes you can make in the security game. [Editor's note: many SecurityFocus staff are loyal users of OS X.]

Ultimately, we can't depend on technology to eliminate security vulnerabilities. Mac OS X has had security vulnerabilities in the past, and more will be discovered in the future. If you don't believe this is the case, you're living in a fantasy world.

Lets be very clear. Am I suggesting that Mac OS X users should be busy preparing for some sort of massive attack from some new malicious virus? Of course not. Although OS X users shouldn't live in fear of attack due to new security threats, unlike their Windows counterparts, they also shouldn't make the mistake of believing that they're immune to them either. What I'm saying is this: vulnerabilities are everywhere, and good security practice means that you should never consider your software to be 100% vulnerability free. Security threats of all types feed on vulnerabilities; no operating system is immune to vulnerabilities, and users of any operating system need to understand that.

Don't get me wrong, OS X has a lot going for it. It's Unix-based and it includes plenty of mature code from open source projects. It's been built on a solid foundation, and it has a very passionate user-base. But running OS X, or any operating system for that matter, doesn't make anyone immune to security threats.

The more popular something becomes, the more scrutiny it will face by security researchers. The more scrutiny directed at any piece of software, the more vulnerabilities will surface. It's simply a game of numbers. Absolute security is a myth, and a dangerous one at that.

Jason Miller manages the Focus IDS area for SecurityFocus.
    Digg this story   Add to del.icio.us  
Comments Mode:
How about OpenBSD and Zos? 2005-04-09
Janice (4 replies)
How about OpenBSD and Zos? 2005-04-10
Darwin Lopez (1 replies)
How about OpenBSD and Zos? 2005-04-12
Janice (2 replies)
How about OpenBSD and Zos? 2005-04-12
How about OpenBSD and Zos? 2005-04-14
How about OpenBSD and Zos? 2005-04-11
How about OpenBSD and Zos? 2005-04-11
Absolute Security is a Myth 2005-04-10
Anonymous (1 replies)
Absolute Security is a Myth 2005-04-11
Absolute Security is a Myth 2005-04-12
Saar Drimer
Absolute Security is a Myth 2005-04-13
Absolute Security is a Myth 2005-04-14
Reinholt56@gmail.com (1 replies)
Absolute Security is a Myth 2005-04-15
Mail and Web Surfing? 2005-04-19
Absolute Security is a Myth 2005-04-20
hans.y.blom@telia.com (1 replies)
Absolute Security is a Myth 2005-04-22
Anonymous (1 replies)
Re: Absolute Security is a Myth 2005-11-15
Ian Miller


Privacy Statement
Copyright 2010, SecurityFocus