Mac community must wake up to security


ebow

macrumors 6502a
obligatory quote from Holy Grail:
Black Knight: [with various limbs chopped off] "I'm INVINCIBLE!"
King Arthur: [clearly the victor] "You're a loony."

Let's just hope it never gets that bad.
 

lopresmb

macrumors 6502
Apr 29, 2005
289
0
I agree that many mac users feel that they are simply immune to the security threats that are out there today. And to some degree, its true.

but, I have a question, (1) is it even worth purchasing some sort of antivirus software for a Mac (even though there are no current viruses) in the hope that it may help in the future?

(2) what all do current mac users do to ensure that they are secure and not (that is what other precautions do you take?

--thanks...
 

Blue Velvet

Moderator emeritus
Jul 4, 2004
21,652
123
I believe the communities' response is appropriate considering the lack of trouble we generally have with these sorts of things... when and if it happens that a new piece of code is on the loose that can automatically install and eat your Mac, then I'll worry. Not before then...
 

Sun Baked

macrumors G5
May 19, 2002
14,874
57
lopresmb said:
but, I have a question, (1) is it even worth purchasing some sort of antivirus software for a Mac (even though there are no current viruses) in the hope that it may help in the future?
Consider that while you may not see any problems with an infected file you download, it's quite easy for you to send that file to a PC user.

If Norton Anitivirus worked under OS X as well as it did under OS 8-9, it wouldn't be a problem to keep it loaded, up-to-date, and running in the background.

But now it's no longer the best use of CPU cycles, and it is a subscription based product. :(
 

gerardrj

macrumors regular
May 2, 2002
208
0
Arizona
lopresmb said:
I agree that many mac users feel that they are simply immune to the security threats that are out there today. And to some degree, its true.

but, I have a question, (1) is it even worth purchasing some sort of antivirus software for a Mac (even though there are no current viruses) in the hope that it may help in the future?

(2) what all do current mac users do to ensure that they are secure and not (that is what other precautions do you take?

--thanks...
I do nothing, I don't suggest my customers do anything special.

Mac OS X comes out of the box (off the DVD) quite secure. No services are turned on that can be compromised directly by a remote attacker.

If a user were to download, install and run a piece of malware, that software doesn't have access to anything but that user's files. It can't systemically infect/affect the system or other user's files; even if the host account is an administrator. The program could not even last across log-ins or reboots since to add itself to startup items requires authentication.

The most plausible scenario involves a unix program/process that is simply a zombie for trying to infect Windows systems or sends out spam. Still, getting such a program to install and run across logins or reboots would require some participation by the user.

There is no such thing as an impenetrable fortress, I have no delusions that the Mac can't be hacked; I just don't see any fundamental security flaws that would allow something as innocuous as a JPEG image on a web site to take over a system to track your every move, steal your personal information and become a zombie system for spammers.
 

yellow

Moderator emeritus
Oct 21, 2003
15,925
1
Portland, OR
This article is all about someone pointing out the obvious to users. And then someone wrote an article about it. Hurah.
 

ebow

macrumors 6502a
gerardrj said:
I do nothing
Same here. Well, almost. I turn on the built-in firewall, and I have my Mac behind a NAT'd router (more for convenience than security). Also I think before typing my admin password into an authentication box. And that's about all... I'm (nearly) invincible!
 

jim.

macrumors 6502
Dec 22, 2004
308
0
C-ville, VA
gerardrj said:
If a user were to download, install and run a piece of malware, that software doesn't have access to anything but that user's files. It can't systemically infect/affect the system or other user's files; even if the host account is an administrator. The program could not even last across log-ins or reboots since to add itself to startup items requires authentication.

The most plausible scenario involves a unix program/process that is simply a zombie for trying to infect Windows systems or sends out spam. Still, getting such a program to install and run across logins or reboots would require some participation by the user.
Assuming an installer is used, everything you said couldn't happen in that post, actually could. Even if you did a drag and drop install with malware, all it has to do is ask for authentication on first run (like many legit apps do), and then your security situation is bust.

Actually trojans of this type would work just as well under a unix environment as a windows one. The only hoop they have to jump through is granting admin rights. However, once that sudo window pops up, I guarantee that very few people (with the notable exception of ebow above) actually look at the details as to what application they are granting admin rights when they do an install. Plus, once the password is entered, it is trivial to script a chmod 666 during the process (fixing permissions may catch the suid bit though) if there is a server to be run, or if systemwide access is needed.

And yes, the program can add itself to OSX's root (or user, if admin rights aren't requested) cron jobs calling a trivial script every 5 minutes that checks if it is running, and if not then execute. Crontabs last through reboots, just as they are designed.

Trojans suck, because there is no real security from them except for the users themselves. You can use all the ACLs you want, but one well placed social-engineering statement blows it all out of the water. I think trojans are going to be the real vulnerabilities in OSX for a while. Safe computing practice is to know what you are putting on your computer and do not give admin rights out like candy.

Jim
 

ebow

macrumors 6502a
jim. said:
Trojans suck, because there is no real security from them except for the users themselves. You can use all the ACLs you want, but one well placed social-engineering statement blows it all out of the water. I think trojans are going to be the real vulnerabilities in OSX for a while. Safe computing practice is to know what you are putting on your computer and do not give admin rights out like candy.
It would be nice if the OS could force installers to "declare" what they're going to do when they request your password, and then run the installers in an isolated sandbox-type environment until the OS can verify that the software is doing what it said it would do. Once that was (somehow) confirmed the execution or results would be moved from the sandbox and applied to the regular computing environment. I think I've read about something along these lines, but it's been a while, and I am by no means an OS coder, so I couldn't say for certain if it's feasible.
 

jim.

macrumors 6502
Dec 22, 2004
308
0
C-ville, VA
ebow said:
It would be nice if the OS could force installers to "declare" what they're going to do when they request your password, and then run the installers in an isolated sandbox-type environment until the OS can verify that the software is doing what it said it would do. Once that was (somehow) confirmed the execution or results would be moved from the sandbox and applied to the regular computing environment. I think I've read about something along these lines, but it's been a while, and I am by no means an OS coder, so I couldn't say for certain if it's feasible.
I think that parts of Trusted Computing were said to be a hardware solution to this problem, with little overhead. There's just a large potential for abuse by OS vendors. Sandboxing would be interesting, and there are ways to do it on a BSD system (does OSX support jails?), but the overhead would be tremendous to a regular desktop user. Plus integration would pretty much go the way of the dodo if you sandbox every program while it is running.

Yeah, and sandboxing during install isn't necessarily going to help much. A program can install itself anywhere, and would reasonably expect to have access to certain configuration items or schedulers. Malware can act like a regular program on install and get past the sandbox, then it unleashes itself during runtime, and sandboxing every program just isn't sane on a desktop.

Jim
 

nagromme

macrumors G5
May 2, 2002
12,551
1,186
I will get antivirus software when (NOT IF!) there is a Mac virus that isn't blocked by a prompt security update. Even if I HAD virus software I'd need to download the new definitions anyway... may as well wait until then to download the software too.

Meanwhile, my security measures:

1. Non-obvious passwords, and not the same online as for my Mac.

2. Non-admin account for my guests to use.

3. OS X firewall on.

4. Don't download software unless a lot of people have gone first--and only from a trusted central location that tells me so--like versiontracker.com.

5. Software Update.

6. Keep one eye on Mac news so I'll know when the first virus arrives.

7. Never connect my Windows PC to the Internet.

Really, only #6 requires any effort, and only #4 requires any special habits.
 

cwtnospam

macrumors regular
Sep 4, 2004
148
0
Sun Baked said:
Consider that while you may not see any problems with an infected file you download, it's quite easy for you to send that file to a PC user.
I for one have considered this, and I've come to the conclusion that it would be the PC user's problem. Having made a poor choice in their computer purchase, it must be up to the PC user to take the necessary precautions.

Further, Mac users protecting PC users would allow PC users to continue blindly purchasing PCs, therefore allowing more viruses to be developed for that insecure platform. If computers are to continue to evolve, then we should allow natural selection to weed out the PC.
 

iindigo

macrumors 6502a
Jul 22, 2002
719
10
San Francisco, CA
anonymous161 said:
Imagine that, people who work for security companies see security issues coming for the Mac.
In other news, insurance adjusters feel that my house could possibly catch on fire.
Well said, those people are just trying to increase purchases of their software because only the most paranoid (for the most part) Mac users buy it. :rolleyes:

I don't do anything, not even put up a firewall, and my Macs have been perfectly fine from 1996 up till now. I might be pressing my luck, I dunno, but I've never needed a firewall or antivirus software on my Macs. My PCs on the other hand - ugh. Just clean install WinXP and hook it up to the net and spyware/adware/virii has invaded within 20 minutes. It's craziness.
 
gerardrj said:
Still, getting such a program to install and run across logins or reboots would require some participation by the user.
Not necessarily because a malicious attacker can look for undisclosed vulnerabilities (or more easily, disclosed vulnerabilities in un-patched systems) in programmes which allow an escalation of privileges i.e. it offers a way to become a super-user programmatically. Casting a quick eye over any Apple security update reveals these are quite common, especially for local access. Not to mention stuff like brute force password crackers - and how many people do not follow Nagromme's #1 bit of advice?

All you have to do is to get the user to execute something malicious, no password needed.

I just don't see any fundamental security flaws that would allow something as innocuous as a JPEG image on a web site to take over a system.
This was certainly possible up to 10.3.5 (although technically through a PNG image not a JPEG).

"By introducing a malformed PNG image to a vulnerable application (i.e. Safari), a remote attacker could cause the application to crash or potentially execute arbitrary code with the privileges of the current user."

The attacker is now local and has their choice of code to execute without the user clicking a thing. See above.

If the same vulnerability is present in Mail, then you have your transmission vector. If not, no worries, they can just mail a link to dodgy page (or pages) to everyone in your address book - something that can be achieved in two or three lines of most scripting languages.

The only limit is the popularity of the vulnerable applications.
 

cwtnospam

macrumors regular
Sep 4, 2004
148
0
AlmostThere said:
All you have to do is to get the user to execute something malicious, no password needed.

The only limit is the popularity of the vulnerable applications.
In theory this is possible. In reality, the likelyhood of accomplishing this and not getting caught isn't very high. ;)
 

iindigo

macrumors 6502a
Jul 22, 2002
719
10
San Francisco, CA
Applespider said:
Or switchers who are so used to having to have virus software they can't contemplate computer usage without it.
Haha yeah :p It's like the use of antivirus software has been written into their DNA permanently or something...
 

pubwvj

macrumors 68000
Oct 1, 2004
1,891
202
Mountains of Vermont
lopresmb said:
(1) is it even worth purchasing some sort of antivirus software for a Mac
No. I have owned and administered several hundred Macs over the past two decades from before the Mac128K was originally officially released. I have never had a virus, worm, trojan, etc on any of those machines. I do not waste money on "anti-virus" software.

lopresmb said:
(2) what all do current mac users do to ensure that they are secure and not (that is what other precautions do you take?
A little care goes a long ways. Don't download and run software from dubious sources. Don't be the first, the penguin on the edge of the iceberg. Let others test things and then if no problem is found and you find the producer to be trustworthy then use the software.
 

sjk

macrumors 6502a
May 2, 2003
826
0
Eugene
Sun Baked said:
Consider that while you may not see any problems with an infected file you download, it's quite easy for you to send that file to a PC user.
Got any examples of the types of files Mac users might download that could infect PCs that run Windows?
 

sjk

macrumors 6502a
May 2, 2003
826
0
Eugene
gerardrj said:
If a user were to download, install and run a piece of malware, that software doesn't have access to anything but that user's files. It can't systemically infect/affect the system or other user's files; even if the host account is an administrator.
That's simply not true. All any user needs to do is run a one-line command from a Terminal shell (guess which one? ;)) and it'll be partially destructive unless enough file permissions have been secured. To believe and claim otherwise is propagating a myth of a false sense of security when in reality a demonstrable vulnerability does exist (even if it's unexploited).

Too much software is installed with world-writable files/directories by default, which non-admin users can delete. And an admin user can take out a good chunk of /Library (for instance), which would be severely crippling on most systems. The amount of effort it would take to sufficiently protect against that, and sustain that protection (which running Repair Disk Permissions will partly undo), exposes shortcomings in the several-decade-old UNIX security model. For example, it was never designed to scale to filesystems with +100Ks of files on them. While ACLs may help to some extent they're still too high-maintenance, especially for non-technical users.

AlmostThere wrote:

All you have to do is to get the user to execute something malicious, no password needed.

And cwtnospam responded:

In theory this is possible. In reality, the likelyhood of accomplishing this and not getting caught isn't very high.

It's ridiculously easy to deploy a trojan without getting caught, even without enough "social engineering payload" to propagate and wreak havoc. I tend to agree with jim's observation:

I think trojans are going to be the real vulnerabilities in OSX for a while.
 

sjk

macrumors 6502a
May 2, 2003
826
0
Eugene
AlmostThere said:
... and how many people do not follow Nagromme's #1 bit of advice?
The majority of untechnically-inclined mainstream computer users (for lack of a better term)? Generally, if security measures aren't somehow enforced, many people choose to ignore them or simply don't even know about them. And all of us here know how easy it still is for someone to innocently and naively hook a Windows PC to the net with insufficient protection to keep it from being infected and/or hijacked. Etc. etc.