The release of Apple's latest security patches proves conclusively that there's no such thing as an operating system impervious to security risks, especially when it comes to malware.
Released late last month, Apple's Security Update 2007-004 for the Tiger and Panther versions of the OS X operating system included patches for some 25 exploits.
Some of the patches addressed issues whereby attackers could, for example, escalate their privileges during login, if not bypass a network login altogether.
If patches are not applied, users would be unprotected should they click on a malware-laced link on a website or open a maliciously crafted disk image file or installer file.
Sean Richmond, senior technology consultant at security software vendor Sophos, said the vulnerabilities were a worry for Mac shops.
"Of the 25 vulnerabilities, 14 included the possibility of executing arbitrary code, and a handful also involved privilege escalation," Richmond said. "The combination of the two can give an attacker system or root access."
Adriel Desautels, chief technology officer for security company Netragard and founder of the SNOsoft Research Team, said that he has seen multiple instances of OS X being compromised — resulting from either insecure services, poor configuration or the use of insecure web applications.
"The most common attack vector is the web application, at least based on what I've seen first hand," he said. "The attack was specifically used to install a bot on the system that was used for the distribution of credit card information."
Desautels said Apple’s latest range of patches would not have helped fix the issue. "Patches only fix what people know," he said. "Most hackers do not use known attacks, they use the unknown."
Apple no safer than other OSs?
Desautels acknowledges that by design, OS X could be seen to be safer than Windows, as services are run in isolation, rather than on a system-based level.
"If an attacker hacks the web service on a Windows system, then the attacker immediately has full system access with system privileges," he said.
But due to its higher market penetration, Desautels said Windows has been "beaten to death by the hacker community".
"If OS X had the same install base as Windows, Linux and other systems, it would be less secure or, at the very most, as secure as the other systems," he said. "It's just a matter of what [attackers] focus on."
Richmond warns Mac users not to be complacent. "A lot of people who use Macs tend to think that it is a more secure machine that is invulnerable to malware," he said.
Desautels said that Apples are no more secure than other computer systems. "In fact, it is this misconception that might make them more insecure."
Two recent experiments prove the point.
In January, a group of IT security researchers conducted a "month of Apple bugs" project — each day listing a vulnerability applicable to Apple's OS and many of the popular third-party applications deployed on it. This initiative first made public three of the exploits in Apple's new security update.
In the days immediately after Apple released the security update, security experts put Apple's defences to the test again.
At the CanSecWest security conference in Vancouver, Canada, software engineer Shane Macaulay hacked into a MacBook through a zero-day security hole in Apple's Safari browser, winning a free laptop in the process.
Organiser Dragos Ruiu offered two new MacBooks to any attendee who could exploit the machines via remote access. After the first day, the computers' defences remained uncompromised.
The rules were changed — allowing contestants to use web exploits in an attempt to compromise the system. The notebooks were compromised — via a weblink in an email which sent the user to a website laced with malicious code.
Under attack from the web
"Web threats are where things are happening," says Richmond. "In our experience, we are seeing a lot more attacks coming from the web than from email. The threats are coming from compromised websites hosting various forms of malware."
Sophos reports that, during the first three months of 2007, incidences of malware had doubled on the prior three months.
The security vendor identified 23,864 new threats — more than double the 9,450 discovered in the same period last year.
Email threats, on the other hand, dropped from 1.3 percent of emails (one in 77) to 0.4 percent in 2007 (one in 256).
Sophos identified around 5,000 new malware-infected web pages over the same period.
Up to 70 percent of these sites were not created by hackers; they were simply the result of an unpatched or poorly coded site.
"If a machine is left open to a threat, it becomes another robot in the botnet used to attack other machines," Richmond said. "Even if you are not concerned about your own machine being compromised, not patching to block these threats makes you a bad internet citizen. Other people will suffer because of your complacency."