Hey, Mac. Is that a worm in your Apple?

In this week's Security Blog Log, Bill Brenner looks at the furor over new threats targeting Mac OS X -- long considered a more secure alternative to Windows.


Security Blog Log
For those who use non-Microsoft products that they believe to be more secure than those from the software giant, it's unsettling when the alternative suddenly becomes a target.

It's happened many times. The Linux crowd cried foul when Mi2g Ltd., a UK-based security and risk management firm, claimed in a 2004 report that Linux was the "most breached" operating system.

Firefox enthusiasts have stood by their browser as a more secure alternative to Internet Explorer, even as the list of vulnerabilities and exploits against it piles up.

And now Mac OS X faithful have rallied around their operating system amid reports that it has become the target of malicious code for the first time and that a critical security hole has been uncovered.

About Security Blog Log

Senior News Writer Bill Brenner peruses security blogs each day to see what's got the information security community buzzing. In this column he lists the weekly highlights. If you'd like to comment on the column or bring new security blogs to his attention, contact him at

While officials at Apple Computer Inc. have kept silent in recent days [as of Thursday, the company hadn't responded to requests for comment made by phone and e-mail], others have come to Apple's defense in the blogosphere.

An information security investigator who goes by the online name SecurityMonkey used his A Day in the Life of an IT Pro blog to defend Apple and heap scorn on AV vendors for fanning the flames of fear over the latest threats.

He singled out UK-based AV firm Sophos Plc. for issuing hyped-up statements, "hoping to sell even more Mac antivirus software," which he compared to "selling combs to bald men." He noted how Sophos then issued an AV signature file update "that rendered some Mac OS X systems useless."

SecurityMonkey ended with a vigorous defense of Apple's OS. "Let me be perfectly clear here. Mac OS X is a very secure operating system," he said. "It's much more secure out of the box than just about any other consumer operating system on the market. However, flaws will be found over time and you can bet your sweet RAM upgrade that Apple will fix them in record time."

He added, "The weakest link in the security chain is the person sitting between the keyboard and the chair. Spewing FUD and scare-selling security software to users is not the answer."

It should be noted that Sophos Senior Technology Consultant Graham Cluley warned against blowing the Mac threats out of proportion in an e-mail exchange with earlier this week.

Asked if the latest malcode could be tweaked to exploit the latest vulnerability, he said, "I don't think yet that we're seeing the intensity of hacker activity on the Mac platform that would suggest that this is likely. My feeling at the moment is that the Mac OS X malware we are seeing is being coded by a small number of individuals who are doing it as a proof-of-concept, an intellectual exercise if you like."

Security expert Eric Rescorla wasn't as frustrated with the media publicity as SecurityMonkey was. But in his Educated Guesswork blog, he said Apple doesn't deserve a black eye over recent events. After describing the flaw, he said, "I'm not ragging on Apple here. This is just the kind of error you get when you have a big software package written by actual humans. Still, it's a good reminder that just because it's not written by Microsoft doesn't mean it's safe."

Worm expert Jose Nazario, author of Defense and Detection Strategies against Internet Worms, stuck with a more objective analysis of the Mac OS X malcode -- known as Leap and Inqtana -- in his Worm Blog.

"Leap is important for a few reasons," he said. "Firstly, it's the first time we have seen an IM worm not use a central distribution site to propagate the malware. Instead, the malicious file is transferred from one user to another via iChat instant messages. This makes eradication harder (i.e. you can't just shut down one site; you would have to stop all messages between users with the malicious content)."

Secondly, he said, "Leap-A shows a classic virus trick, namely modifying other applications using the InputManager on OS X ..." Thirdly, he said, this was the first OS X-specific malware.

Next, he focused on Inqtana-A, a Bluetooth worm for Mac OS X. "Because many Macs have Bluetooth installed, they're vulnerable to these sorts of attacks," he said. "Inqtana uses a specific vulnerability to issue commands to a vulnerable machine. Bluetooth worms have been all the rage in some circles for cell phones and PDAs, and this extends it to general purpose computers."

Nazario said both are proofs of concept, and they show what people can expect this year in terms of malware.

The Networks & Security blog dedicated space to a series of steps users can take to protect their Mac boxes.

In the end, the blog said, "The best advice we can give anyone is not to open applications sent to you via e-mail, and to not download from sites you do not know about or do not trust. Simple, yes. Sadly, a lot of people don't follow simple advice."
