Malware Evolution: Mac OS X Vulnerabilities 2005 - 2006
by Claudiu Dumitru - Kaspersky Lab/ - Tuesday, 25 July 2006.
This article looks at vulnerabilities detected in MacOS X in the first half of 2006. It compares these vulnerabilities to those detected in the first half of 2005, providing an overview of the evolution of threats targeting this increasingly popular platform.

The Apple Macintosh is becoming more and more popular. However, recent reports on Mac security have caused extensive discussion among security professionals. Those who have expressed concern about the increasing number of vulnerabilities detected in Mac OS X have been accused of overreacting. The other side of the coin is that those who do not take this viewpoint are accused of being lacking in common sense. This article examines several aspects of the recent evolution of threats for Max OS X in order to help readers understand the ongoing debate, how secure Macs really are and how secure they will remain.

I believe that out-of-the box machines running under Mac OS X are more secure than those running under other platforms. The Mac OS X *nix-like security model is, by default, configured to protect the system against threats common to other platforms where this kind of security and configuration is not standard. It could well be said that from the start, Mac OS X was designed with security in mind. However, although this approach seems to leave far less security flaws that can be exploited, assuming that there are no security issues at all is quite dangerous. Like any other platform, Mac OS X has software flaws. Such flaws inevitably draw the attention of malicious users, especially if users don’t think they need to take action to protect against possible threats.

One interesting aspect of the vulnerabilities identified is the components in which they are present. The number of vulnerabilities identified in components where remote attacks are possible increased in comparison to the same period last year. This clearly demonstrates that possible attack vectors are receiving more and more attention.


Figure 1: A comparison for the number of vulnerabilities in MacOS X and related products for the first half (January – May) of 2005, first half of 2006

For instance, the number of vulnerabilities identified in the operating system kernel and related components is less than in 2005. However, the number of vulnerabilities affecting Safari and the Mail application - which can be used to conduct an attack via the Internet - has increased. The same is true for QuickTime, which was a popular subject for security researchers during the first half of 2006.

The graph above also includes a series of vulnerabilities found in third party products which run on MacOS X. This category includes applications which are installed by default on the operating system but which are not MacOS X-specific. For instance, several vulnerabilities were identified in Sun's Java VM during this period, and these affect all operating systems capable of running Sun Java – not just MacOS X.

Interestingly, the number of core vulnerabilities in the MacOS X kernel (Mach) and related components / libraries has decreased compared to 2005. Still, a number of critical vulnerabilities have been found. The most popular was probably the local 'passwd' exploit (a zero day based exploit) reported on 03.02.06, which was used to hack the system of Dave Schroeder during the “rm-my-mac” competition.

Mac Malware

Malicious programs targeting Mac OS X are relatively uncommon. The Mac community was surprised when on February 13, 2006, the first worm for Mac OS X appeared. The worm was named OSX/Leap.A. Leap is an Instant Messaging (IM) worm which is also capable of infecting MacOS X applications. However, due to a bug in the virus code, infected programs will no longer run.


Critical bug found in Cisco ASA products, attackers are scanning for affected devices

Several Cisco ASA products - appliances, firewalls, switches, routers, and security modules - have been found sporting a flaw that can ultimately lead to remote code execution by attackers.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Feb 12th