The platform has exploded though with Macs being the weapon of choice for all the hipsters and yuppies out there, we wrote about Apple Struggling With Security & Malware back in 2009.

In 2010 we saw Sophos Launch a FREE Anti-Virus Software For Mac and in 2011 we saw a JAVA based cross platform trojan that also effected Mac machines.

Apple — and many Mac users — argue that Mac OS X has a special recipe for security that makes it less likely to be infected with malware. Many security researchers counter that the Mac’s seeming immunity stems not from its security, but from its lack of market share.

The debate may finally be settled. The emergence of a serious malware construction kit for the Mac OS X seems to mimic a 2008 prediction by a security researcher. The prediction comes from a paper written in IEEE Security & Privacy, which used game theory to predict that Macs would become a focus for attackers as soon as Apple hit 16 percent market share.

Last week, security researchers pointed to a construction kit for creating Trojans for the Mac OS X as a major issue for Mac users. Currently, three countries — Switzerland, Luxembourg and the United States — have Mac market share around that level.

“The kit is being sold under the name Weyland-Yutani Bot and it is the first of its kind to hit the Mac OS platform,” Peter Kruse, partner and security specialist at security firm CSIS, writes in a blog post. “CSIS finds this crimekit to be quite disturbing news since Mac OS previously to some degree has been spared from the increasing amount of malware which has haunted Windows-based systems for years.”

The prediction in the paper was that Mac would start being targeted when they reached a 16% market share, which has happened recently in 3 countries. There is not a trojan creation kit targeting Mac OSX – this makes threats on the platform a reality.

The original paper can be found here – j3attAO.pdf

The fact is that Mac users probably still don’t run anti-virus software because they don’t believe they need to, these threats could spread fast.

Weyland-Yutani Bot, named for the corporation in the 1979 movie Alien, is currently being sold by its developers. While it is not the first attack on the Mac OS X, crimeware has enabled criminals in the past to scale up attacks quickly.

“What is happening is that people are testing the waters,” says Adam O’Donnell, chief architect of the cloud technology group at SourceFire and the author of the 2008 paper. “It just becomes economically viable to do it, so you start seeing these attacks becoming more common.”

The 2008 paper used game theory to calculate when attackers would start seeing a payoff in focusing on the Mac OS X over Windows. It simplified the problem by assuming that all PC users ran antivirus software and that no Mac users did. The assumptions helped reduce the problem down to two factors: the effectiveness of the defenses and the marketshare of the dominant platform.

With detection rates for antivirus in the 80 percent range, the Mac OS X becomes an attractive target around 16 percent marketshare. If PC defenses are better than 80 percent, then the Mac market share at which attackers become interested drops. For example, if antivirus programs detect attack 90 percent of the time, then attackers will focus on the Mac OS X at approximately 6 percent marketshare, says O’Donnell.

“It is much more of an argument that at the low rates of penetration of the Mac in the market is why there is no malware,” he says. “You get a few points up, and like we are seeing now, you will start seeing malware.”

But even still, with AV software installed doesn’t make your computer the bastion of security. AV software still works on a reactive basis, there still is no real proactive security. AV heuristics are crap, they don’t detect anything.

Signatures still need to be updated and pushed out, and can be avoided. Especially by morphing software, the new generations of trojan and bot software are much more advanced than any AV system.

Source: Network World

And let’s face it, even if you run Windows you don’t really need to run anti-virus either if you practice good web-habits. But with the amount of idiots running OSX on their shiny Macbooks – malware may well become a problem for the platform.

It’s not a problem right now, the stats for malicious software on Apple platforms are still minuscule compared to the threats on Windows and even on Linux.

Sophos released a free of charge Mac anti-virus product for consumers on Tuesday in a bid to highlight the growing security risk against the platform and to shake fanbois out of their complacency.

The business-focused internet security firm is making Sophos Anti-Virus Home Edition for Mac available for download at no charge – with no time limit, and requiring no registration. The technology is a cut-down version of Sophos’s pre-existing anti-virus software for Macs and will ship with detection of thousands of malware strains including Trojans and rootkits. Sophos has no plans to release an equivalent free of charge Windows anti-malware scanner.

Three well-established freebie security scanners (AVG, Avast, Avira) already exist even without considering Microsoft’s own Security Essentials software. Although commercial anti-virus packages for Macs have been sold for some time by the likes of Intego and Symantec – and more recently by Kaspersky and Panda – Sophos’s software one of very few freebie scanners for Macs available to date.

It’s a pretty interesting move from Sophos tho, business wise, as they have no plans into strong-arming users into paying for a commercial version by releasing a crappy crippled version under the guise of ‘free’ software.

Sophos has always been a company with strong technology, so even as freeware I’d expect this to be fairly capable software. There are other commercial AV systems out their for Mac – but this is the first one from a reputable vendor that is free. I mean there’s ClamAV – but in all honestly who would want to rely on that?

It’s not the first freebie scanner for Macs currently available, contrary to claims in the first version of this article. Others including, most notable, ClamAV exist.

Past threats to Mac users have included malware disguised as pirated software and uploaded onto P2P file-sharing networks, supposed video codecs that actually contain a Mac-specific Trojan horse and strains of Windows malware capable of infecting virtual installations of Windows running on a Mac.

Apple acknowledged the malware problem by integrating rudimentary protection against a handful of Mac Trojans in Snow Leopard, Sophos notes, arguing that users running its software are provided with more comprehensive protection against potential threats.

Carole Theriault, senior security consultant at Sophos, explained that while the picture is different in enterprise environments, “home Mac users aren’t protecting themselves from malware”.

Theriault admitted that Windows threats counted in their millions dwarf the number of strains of Mac malware, which can be counted in their thousands, but maintained there was a need for protection, whatever sales people in Apple Stores might say to the contrary. “We want to raise awareness,” she explained.

Either way it’s an interesting move from Sophos and we’ll have to see where it goes from here. They claim they won’t charge for it, but who knows? And will this pressure other AV vendors that have paid versions for Mac to release free versions for Home users. Much like the Windows vendors do (Avira, Avast!, AVG etc).

More on the software, together with hardware compatibility information, can be found out from a download micro-site here:

Sophos Anti-Virus for Mac Home Edition

Source: The Register

It’s inevitable as Apple products become more and more popular they will get targeted by the bad guys. Count on more viruses, malware, exploits and rootkits for Apple Operating Systems.

They are a bit behind in the curve as they don’t have a formal security program and it’s unknown if they use secure development practices (they seem to focus more on interface design than anything else).

Something has to be done though or the next big botnet could be running on Apple machines.

A well-known security consultant says Apple is struggling to effectively protect its users against malware and other online threats and suggests executives improve by adopting a secure development lifecycle to design its growing roster of products.

“Based on a variety of sources, we know that Apple does not have a formal security program, and as such fails to catch vulnerabilities that would otherwise be prevented before product releases,” writes Rich Mogull, founder of security firm Securosis and a self-described owner of seven Macs. “To address this lack, Apple should integrate secure software development into all internal development efforts.”

Microsoft was among the first companies to integrate an SDL into its internal development routine. Under the program, products are built from the ground up with security in mind, so that poorly written sections of older code are replaced with code that can better withstand attack. It also subjects programs to a variety of simulated attacks. Adobe Systems recently beefed up the SDL program for Reader and Acrobat following criticism about the security of those two programs.

With their fairly rapid development and pumping out of new product lines (Apple TV, Mac Mini etc) they are going to face security problems at some point.

That’s without considering the Internet connected mobile devices (iPhone, iPod touch).

Adobe has taken notice too with it’s recent spate of exploits and improved its Secure Development Lifecycle to ensure future problems are minimized.

Mogull’s suggestion was one of five he made recently to ensure company is doing everything it should to safeguard its customers.

“It’s clear that that Apple considers security important, but that the company also struggles to execute effectively when faced with security challenges,” he writes in a recent article on Mac news website Tidbits. He goes on to fault the company for its ongoing failure to patch a gaping security hole in Mac versions of Java.

The suggestions came as Apple on Monday announced Safari 4.0, a release that fixes more than 50 vulnerabilities in the browser. Protection against clickjacking attacks, denial-of-service flaws and bugs that allow for remote code execution were among the fare.

Another suggestion from Mogull is that Apple appoint and empower a high-ranking executive to oversee security in all Apple products. The CSO, or chief security officer, would serve as the public face for Apple security as well as the internal boss who coordinates the company’s response to security incidents and development of new products that are safe.

I believe Apple is indeed need of a solid CSO, one that can implement more proactive measures against security flaws such as secure development, a dedicated response and research team for vulnerabilities and spearhead a generally more responsible organisation when it comes to security concerns.

Obviously to fit into Apple it has to be someone charismatic that can ‘sell’ the benefits of Apples ‘iSecurity’ system or whatever they are gonna call it.

I’m sure they’ll find some way to spin whatever security measures they take into a marketing exercise.

Source: The Register

You right remember in March last year we posted about Charlie Miller at the PWN2OWN contest owning the MacBook Air in under 2 minutes.

Guess what? He’s done it again! This time though he’s even faster clocking in at under 10 seconds. No one else stood a chance. He walked off with the prize again, $5000 and the MacBook that he hacked.

Of course he wrote the exploit before hand, but still impressive!

Charlie Miller, a security researcher who hacked a Macintosh in two minutes last year at CanSecWest’s PWN2OWN contest, improved his time today by breaking into another Macintosh in under 10 seconds.

Miller, an analyst at Independent Security Evaluators in Baltimore, walked off with a $5,000 cash prize and the MacBook he hacked.

“I can’t talk about the details of the vulnerability, but it was a Mac, fully patched, with Safari, fully patched,” said Miller on Wednesday, not long after he had won the prize. “It probably took five or 10 seconds.” He confirmed that he had researched and written the exploit before he arrived at the challenge.

It guess it might be a Safari exploit, but I guess if you keep your ears open you’ll hear about it soon enough.

I wonder if he’ll be able to pull the same trick again next year, with his record so far I’d say it wouldn’t be a large stretch of imagination.

The PWN2OWN rules stated that the researcher could provide a URL that hosted his exploit, replicating the common hacker tactic of enticing users to malicious sites where they are infected with malware. “I gave them the link, they clicked on it, and that was it,” said Miller. “I did a few things to show that I had full control of the Mac.”

Two weeks ago, Miller predicted that Safari running on the Macintosh would be the first to fall.

PWN2OWN’s sponsor, 3Com Corp.’s TippingPoint unit, paid Miller $5,000 for the rights to the vulnerability he exploited and the exploit code he used. As it has at past challenges, it reported the vulnerability to on-site Apple representatives. “Apple has it, and they’re working on it,” added Miller.

Interestingly another researcher later broke into a Sony laptop that was running Windows 7 by exploiting a vulnerability in Internet Explorer 8. So Safari and IE8 both fell!

What with all the claims from Microsoft that IE8 is so secure…I guess that pissed on their bonfire didn’t it?

This year’s PWN2OWN also has a section for mobile operating systems, the prize is larger too at $10,000. If you want to join you can have a crack at Windows Mobile, Google’s Android, Symbian, and the operating systems used by the iPhone and BlackBerry.

Source: Computer World (Thanks Navin)

Judging by figures alone, Vista is more secure than Mac OSX and Linux? I somehow find this a rather strange claim, I guess these things are always subjective.

Most numbers can be moulded into any shape you want, and can show any result you like.

According to the numbers given in a new report from Microsoft, Windows Vista has blown away all the major enterprise Linux distributions and Mac OS X as far as having the smallest amount of serious security vulnerabilities in the six months since its release. The numbers were compiled by Jeff Jones, the security strategy director in Microsoft’s Trustworthy Computing Group.

“The results of the analysis show that Windows Vista continues to show a trend of fewer total and fewer High severity vulnerabilities at the 6-month mark compared to its predecessor product Windows XP (which did not benefit from the SDL [Secure Development Lifecycle] and compared to other modern competitive workstation OSes (which also did not benefit from an SDL-like process),” Jones wrote in a blog posting about the report on June 21.

I’ve heard some things about this report though, for example flaws in Firefox WERE counted under Linux, but flaws in IE were NOT counted under Vista.

In the report, available as a PDF download on Jones’ blog, Jones compares the number of vulnerabilities of critical, medium and low severity that have been discovered in Vista with those found in Windows XP, Red Hat Enterprise Linux 4 Workstation, Ubuntu 6.06 LTS, Ubuntu 6.06 LTS—Reduced Component Set, Novell SUSE Linux Enterprise Desktop 10.8, Novell SLED 10—Reduced Component Set and Apple Mac OS X v10.4.

The score, according to Jones: In the first six months of the Vista life cycle, Microsoft has released four major security bulletins that address 12 total vulnerabilities affecting Windows Vista.

Plus the amount of software packages included in these linux distributions are 100x times more than those in Vista, so it’s not really a fair comparison is it? I’m sure you if you counted core services and OS system files, the figures would look a lot different.

It’s a pretty comprehensive article, so do check it out and let us know what you think.

Source: Eweek

The fact is Windows is getting ripped apart with viruses, spamware, spyware, zombie clients, trojans worms and whatever else you can think of.

Mac and Linux aren’t (at the moment), there are already Bluetooth viruses, so why not Linux and Mac..

Some may say it’s because they are inherently more secure, the architecture and user privelege seperationg means it’s hard for any kind of malware to infect the system…plus they don’t come with crap like Internet Exploder that’s tied into the operating system.

There have been a couple of worms for Linux, mostly praying on Apache, and then the OpenSSL bug that allowed you to get access (combined with the kernel flaw in 2.4 you could easily get root access).

eWeek asks, What will Apple do when the malware comes? Which inevitably it will..

The release in the last few days of malware for the Mac and Linux underscore some old issues about how it is possible to have malware on those platforms. I have some new thoughts though. I’ve begun to wonder what Apple would do if a real problem developed.

To be very clear, a real problem has not yet developed, and Inqtana.A and Leap.A are not a real problem, except to the extent that they may be bellwethers. They are more interesting for what they suggest than what they actually do.

As with Windows, a lot of it is a consumer issue, and down to education.

With Mac, the user does run as a non-priveleged user by default, but when installing any software they can just pop in the Admin password and it’ll install.

It’s all about social engineering, making the user believe they want it, it’s something ‘cool’ or useful.

When good social engineering attacks are developed for the Mac, the same thing will happen. It’s not hard to imagine Web sites and e-mails offering programs for the Mac that do more than they claim to do.

Just in terms of adware, there may be some benefit to being able to deliver known Mac users to advertisers, but for the most part the “value” of infecting the user is the same: to spread itself, and perhaps to create a Mac botnet.

Few have tried to write Malware for OSX yet, but I guess it will happen, the question is are Apple prepared?

As the German IT portal heise online conveys, a new security hole in the Safari webbrowser for Apple’s Mac OS X has been discovered. This security hole is rather severe, as it invokes the execution of shell scripts under certain circumstances.

Once again the Safari option “open safe” files automatically after download bears the blame. If this facility runs across a shell script that is missing the so-called Shebang-row, the system won’t ask the user whether to execute the file automatically anymore – it’ll just execute it anyways. Unfortunately you can simply rename a shellscript without a Shebang-row to known-good filetype extensions like JPG or PNG and put that renamed script into a ZIP file – zipping as well an administrative file that’ll connect that file with the shell. A target Mac then “knows” automatically how to open that file if it receives that ZIP – it’ll take it as totally normal to execute the “jpg file” with the shell.

To circumvent this issue immediately, you can exercise two countermeasures – the first one is to disable that unsafe option in Safari, the second one is to move the terminal to another place, as the connection between shellscript and terminal has a hardcoded file path to the terminal. Additionally, you should never ever work with administrator privileges – as one should be used to with windoze, this rule of thumb has the same virtues on a Mac as well

Source: 4null4.de

A rare exploit for Mac eh, it is possible to exploit, it’s not just a theory, you can find a proof of concept here:

http://www.mathematik.uni-ulm.de/numerik/staff/lehn/macosx.html

With a Babelfish Translation.