Mac OS X: a security recap

This post isn’t about smearing the good, evolving system that is Apple’s Mac OS X. The goal was to bring perception and reality together: just like the other operating systems, Mac OS X has its fair share of bugs, and while the historically smaller Mac user base has resulted in less cyber criminal targeting, it doesn’t make Mac OS X impervious. Macs’ user base has been growing steadily over the last few years, and criminal interest is following the same pattern.

For years, Mac OS X has had a great reputation as a secure system, almost completely unaffected by the cyber threats plaguing other operating systems (mostly Windows, of course). But is it really as impervious as people think? Putting aside the question of price, can one say that replacing a business’s Windows-based PCs with Macs is a total solution to the cyber threat issue? Well, let’s take a closer look.

Less interesting, but not ignored

Launching early in 2001, Mac OS X has been highly regarded as a system unaffected by the multiple problems afflicting the Windows family in the late 1990s and early 2000s. At the time, Windows (95, 98, 2000, NT, then Windows XP) had been taking over the world with authority, becoming the most popular/widely used OS around the globe. Most of the PC manufacturers produced Intel-based machines capable of running the existing versions of this OS.

Apple adopted a different policy: for a long time Mac OS X could only be launched on Macs- personal computers produced exclusively by Apple. Mac OS X was not supposed to be licensed to a third party.

Macs were, and continue to be, much less popular among the end-users than Windows-based machines for several reasons, starting with their pretty high price tag. However, Macs are a great tool for working with multimedia, and, as Mac-lovers would say, are very superior to Windows in many ways, making Mac OS X less interesting to black hats (i.e., cyber criminals). Mac OS X was never targeted when cyber vandalism was common, and even now, Macs are secondary targets to cybercriminals looking to profit.

But “secondary” doesn’t mean ignored. Especially because Mac OS X’s “secure” reputation leaves the end-user less likely to implement extra defenses.

Security features

Late last year we posted about the security features in the then-new Mac OS X Yosemite (version 10.10). Apple stated that security was, “The first thought. Not an afterthought.” A motto to be lauded these days.

But five and a half months later, a security researcher (Patrick Wardle from Synack) claimed that all of the Mac OS X protections are quite simple to bypass, and that gaining access to a Mac as an attacker isn’t much of a challenge at all. Actually it is trivial: for instance, Gatekeeper doesn’t verify any extra content in Apple apps, so by tricking an Apple-approved app into loading external content, one can smuggle potentially harmful content past Gatekeeper.

wide

Again, the researcher said by simply recompiling a known piece of OS X malware, which changes the hash, he could get the malware past XProtect and unleash it onto the machine. Even easier, he could simply change the name of the malware, which also allows it to sneak in under the fence. Sounds bad.

More data on this is available at Threatpost. In a nutshell, it looks like Mac OS X security features are poorly implemented.

How exploitable the above flaws are is a different question, however, but regardless, these mistakes are serious and hopefully they will be fixed ASAP.

Real-world issues

While Mac OS X is considered to be much more secure than Windows, it is NOT impenetrable, and IS affected by malware, even though this problem has never been as massive as with Microsoft’s OS.

Still, for instance, in 2012 more than 700k Macs were reported as infected by a Flashfake Trojan – at the time it was the largest Mac OS X malware outbreak ever.

Late last year researchers nailed down a WireLurker malware family that was attacking and infecting both Mac OS X and iOS devices. In early November 2014, C&C infrastructure of the WireLurker was blasted, while Apple revoked a legitimate digital certificate used to sign WireLurker code and allow it to infect non-jailbroken iOS devices. Details on the operation are available via this link.

In early January this year yet another security researcher came out with the first public concept for a Mac OS X Firmware bootkit codenamed Thunderstrike. By exploiting a Mac OS X vulnerability, once successfully implemented and installed, it would resist cleanup and give hackers persistent, stealthy control over a compromised Mac. An APT guys dream. Apple responded with a 10.10.2 combo update fixing this bug along with several others.

In March, Patrick Wardle talked to Threatpost about DLL hijacking, an attack that had plagued Windows machines as far back as 2000; now it works with Mac OS X as well.

Wardle said, among other things, that this style of attack is also perfect for prolonging hackers’ persistence in infected machines.

On April 8th, Apple delivered yet another monster batch of security patches for OS X (and iOS) eliminating 80 bugs in Yosemite. Among them – a Rootpipe backdoor bug in OS X Admin framework (still affecting Mac OS X 10.9 and below – Apple decided not to backport the fix), a Darwin Nuke bug that allows attackers to remotely crash Apple devices, which was discovered and reported to Apple by Kaspersky Lab researchers, kernel bugs, code execution, privilege escalation, denial of service vulnerabilities, etc.

A relatively healthy number of bugs, introduced by the inevitable mistakes of human code writers, were fixed. Errare humanum est (to err is human).

Good, improving, non-impervious

Overall, there is a lot going on with Mac OS X. This post isn’t about smearing the good, evolving system that is Apple’s Mac OS X. The goal was to bring perception and reality together: just like the other operating systems, Mac OS X has its fair share of bugs, and while the historically smaller Mac user base has resulted in less cyber criminal targeting, it doesn’t make Mac OS X impervious. Macs’ user base has been growing steadily over the last few years, and criminal interest is following the same pattern.

At least five known APT campaigns targeting Mac OS X, along with other platforms, have been discovered so far, with two of them still active. Perhaps more will arrive with time.

So, in fact, Mac OS X-based machines do require extra protection, despite their “secure” reputation.

Kaspersky Lab’s business products – both Kaspersky Endpoint Security and Kaspersky Small Office Security – protect Mac OS X from every kind of modern and future IT security threat for long-term reassurance. Both current and legacy versions of the operating system are supported.

Tips

How to travel safely

Going on vacation? We’ve compiled a traveler’s guide to help you have an enjoyable safe time and completely get away from the routine.