Mac Vulnerability Tops List of Security Flaws
Apple (Nasdaq: AAPL) computer users have long been immune from the Internet nasties that infect users of Microsoft (Nasdaq: MSFT) Windows PCs, but that's beginning to change, according to a report released Monday by the SANS Institute.
The institute said in a statement that in light of recent attacks on Apple's Safari browser, SANS experts agree that Apple's operating system, OS X, still remains safer than Windows, but its reputation for offering a bullet-proof alternative to the Microsoft OS is in tatters.
As attackers are increasingly turning their attention to Apple, OS X vulnerabilities are being discovered at a rapid pace, the statement noted.
Hackers Favor Macs
"Users often feel invincible when they have their shiny silver-colored Apple and they're surfing the Net with it," observed Ed Skoudis, a senior security analyst with Intelguardians in Middletown, N.J.
"They think, 'All these vulnerabilities are out there for Windows, and I'm not using Internet Explorer so I must be safe,' and that's not true," he said at a telephone news conference held by SANS on Monday.
He revealed that the Macintosh, especially since it became an Intel-based machine, has become a favorite of hackers. "If you go to a hacker conference, you'll see that when they're doing presentations there, about 70 percent of the time they're presenting off a Macintosh," he said.
Drive-By Infections
He explained that recent flaws discovered in the Apple platform facilitate "drive-by infections."
"If you surf to a given Web site, it will hack your machine, install malicious code on it and let an attacker remotely control it," Skoudis said.
"Given all the research and all the use of this by the computer underground, I expect to see a whole lot more of this," he added.
Slow Patching
Apple's maintenance of the open source components of its code may be contributing to its platform's vulnerabilities, noted Johannes Ullrich, chief technology officer with the SANS Internet Storm Center in Boston.
"Apple uses a lot of open source products, but Apple is late in implementing some of the patches for vulnerabilities in these products," he said.
"What's happening is vulnerabilities are being disclosed and fixed in open source products, but the fix is not being implemented for OS X users. As a result, the window of vulnerability is extended to OS X users," he concluded.
Internet Exploiter
In addition to the increase in OS X attacks, SANS identified seven other major Internet vulnerability trends:
- A substantial decline in the number of critical vulnerabilities in Windows Services and a corresponding increase in attacks through flaws in client-side software.
"In the 90-odd services that are installed on Windows XP in the last six months, only about four critical vulnerabilities have been found," observed Amol Sarwate, manager of the vulnerability management lab at Qualys in Redwood Shores, Calif.
- Continuing multiple zero-day vulnerabilities in Internet Explorer. A zero-day vulnerability is one that can be exploited before it can be fixed.
"I think it's almost time to rename the Internet Explorer to Internet Exploiter, because rather than it exploring the Internet for you, the chances of you being exploited using Internet Explorer are much higher," quipped Rohit Dhamankar, security research manager for the TippingPoint Division of 3Com (Nasdaq: COMS) in Austin, Texas.
- Rapid growth in Firefox and Mozilla vulnerabilities.
"We see as many exploits or vulnerabilities in Firefox as we do see in Internet Explorer," noted Ullrich, of the Internet Storm Center. "So Firefox is a bit safer but it's not the cure-all for safe Net browsing.
"The one advantage you have with Firefox is that it's typically patched much faster," he added. "For critical vulnerabilities, patches arrive for Firefox within a week; with Microsoft, you have to wait for the monthly cycle."
- Surge in the number of zero-day attacks used for monetary gain.
Skoudis of Intelguardians noted that information highwaymen have been busy refining their business models. He cited one technique where malicious code hidden on a machine will scrape the advertising from Web pages and replace it with a spammer's ads.
"When you do a search at your favorite search engine, those ads that come back might not be from Google (Nasdaq: GOOG) itself but edited locally by spyware on your machine," he explained.
- Rapid growth in vulnerabilities that allow unauthorized access to database, data warehouse and data backup information.
"I don't see that trend as having surged, but I do see this one as a trend that's taking shape," observed SANS Director of Research Alan Paller.
- A surge in file-based attacks, especially attacks using media files.
"What hackers are trying to find is, if they can make a bad Excel file or a bad Word file, does the program crash and allow them to compromise the system," explained Ullrich, of the Internet Storm Center.
- Spreading use of "spearphishing" attacks, especially among defense and nuclear energy sites.
"These attacks are much less for money and much more for stealing sensitive information," SANS Research Director Paller said. "There's a massive spreading scourge of spearphishing."