All successful, and most plausible, malware attacks on Mac OS X have occurred in the last 2 years with the last quarter of 2007 being particularly prolific. Market penetration and overall sales of the Mac OS X system have directly mirrored development of malware, a phenomenon also demonstrated with other operating systems such as Microsoft Windows. Based on this data there is no reason to believe the trend will not continue as Apple continues to increase their market share.
http://www.macforensicslab.com/Prod...in_page=document_general_info&products_id=174
Much of the information in the
PDF associated with
this article is incorrect. For example:
Page 26
It refers to the bundle architecture as insecure. The argument presented would be true if security sensitive apps were not owned by system. Given that they are owned by system, malware cannot modify the bundle of an app owned by system without authentication when the app is run with user privileges in an admin or standard account.
For example, show package contents of iTunes, Safari, or Mail and try to create a folder in the bundle. In relation to the example in the article, try renaming iTunes.
Apps not owned by system are vulnerable but without privilege escalation can not install rootkits or keyloggers. Even apps owned by system run with user privileges and require privilege escalation to install dangerous payloads.
Mac OS X does not prompt for authentication if you install apps in the proper location for that user account type. When installed in the proper location, apps are sandboxed from the system level of Mac OS X by the Unix DAC model used within Mac OS X.
Windows is less secure because most apps (Chrome only exception I can recall) install their associated files in levels of the system that require authentication regardless of user account type (unless Admin in Windows XP because running as superuser - no authentication required to install with elevated privileges - very dangerous). It is easier to trick Windows users to install a trojan with elevated privileges given that almost all apps ask for authentication to install and the user can not distinguish the intent of that authentication.
Page 30
The claim that the Application folder is unprotected is false. Security sensitive apps within the Application folder are owned by system.
Also, security sensitive system binaries are still stored in /bin and /sbin in Mac OS X.
Page 31
The ability to read the contacts stored in Address Book could be used by a worm to propagate. But, malware that uses this to spread is not likely to appear in the wild if the malware is not profitable. It is unlikely that malware will be profitable without being able to hook (this is a specific function) into apps owned by system.
Page 33
Starts off talking about trojans, trojans are easily avoided with user knowledge in Mac OS X because most apps do not require authentication to install if installed in the appropriate location where the Unix DAC model protects the system.
Viruses using the model shown in the article will not be successful without privilege escalation. This is the reason why Mac OS X malware is not successful in the wild.
By default, very few server side services are exposed in Mac OS X and those that are exposed are sandboxed. Vectors for worm propagation are limited to client side. Client side worms require authentication to install and spread if do not include privilege escalation via exploitation because of the Unix DAC model used in Mac OS X. Trojans used to trick users to authenticate are less likely to be successful in Mac OS X as stated above.
