Minority Report: Mac OS X virus scares

'For real' or 'get real'?
Written by Seb Janacek, Contributor


The debate over Apple-related security rages on. But, says Seb Janacek, let's not be blinded by extremists on either side of the debate.

The good news for Apple fans is that the Mac appears to have gained mainstream acceptance in the technology world.

The bad news is that this news comes in the form of what many have claimed is the first true Mac OS X virus. No doubt some corners of the long-suffering Windows community would issue a warm welcome: come on in, the water's lovely.

The 'virus', called Leap.A or Oompa Loompa, was first discovered in mid-February by UK antivirus firm Sophos. The malware spreads via Apple's iChat instant messaging system and forwards itself as a file called latestpics.tgz to contacts on the infected users' buddy lists.

The news of the virus was heralded by some security experts as the shape of things to come.

Graham Cluley, senior technology consultant for Sophos, claims Leap.A represents the first "real virus" for the Mac OS X platform.

In a statement he warns: "Some owners of Mac computers have held the belief that Mac OS X is incapable of harbouring computer viruses but Leap.A will leave them shell-shocked, as it shows that the malware threat on Mac OS X is real."

More predictions of doom followed a few days later with news of another piece of OS X malware called Inqtana.A, which spreads via a vulnerability in Bluetooth. This time the malware was a proof-of-concept, never appeared in the wild and was set to expire on 24 February.

Meanwhile, a third Mac security scare hit the "shell-shocked" Mac community last week with news of an "extremely critical" vulnerability in OS X.

According to security firm Secunia, the vulnerability is due to an error in the processing of file association metadata in ZIP archives and mail messages. Secunia claims the vulnerability can also be exploited automatically via the Mac's default Safari browser when visiting a malicious website.

The metadata threat is currently a vulnerability not an exploit - and no known exploits had been reported at the time of writing. Meanwhile, both worms are graded as 'low risk' by security companies. And for good reason, as they pose little to no threat whatsoever to the average Mac user running the Tiger operating system.

Leap.A, the more 'virulent' of the two 'worms', actually sounds more like a Trojan, and requires a user to perform a series of steps before the payload (in this case, next to nothing) is delivered.

Firstly, the malware must be accepted via iChat, then the user must double-click on the file to decompress it, then double-click the 'jpeg' to view it. If all this is done, the user is then asked to provide his/her administrator account and password for the image to be opened.

If the admin password is provided, the Leap.A code then attempts to install itself into an application.

It's at the point that an admin password is requested that alarm bells should be ringing for the majority of users - any responsible user should be asking him or herself what is going on. (In OS X, images open by default in an application called Preview and don't require admin privileges to open.)
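The chain described above (a compressed 'pictures' archive, a 'jpeg' that behaves like a program, and an unexpected password prompt) and the Secunia metadata issue mentioned earlier both come down to the same question: does a file's content match what its name claims? The following Python script is an added example, not code from the article, from Sophos or from Apple; it audits the members of a .tgz by comparing the content family implied by each file's extension with the family identified by its leading magic bytes, and also flags members that carry an executable permission bit. The archive, file names and byte contents in build_sample_archive are constructed for the example; nothing here reproduces Leap.A itself.

```python
"""Sanity-check an archive of 'pictures' before anything in it is opened.

Added example: flags archive members whose declared extension (e.g. .jpg)
does not match the file's real content, as identified by leading magic
bytes, or which carry an executable permission bit. Names, sample bytes
and the archive itself are constructed for this example.
"""
import io
import tarfile

# Leading bytes that identify common content families. The Mach-O entries
# cover the 32-bit and 64-bit headers in both byte orders plus the
# universal ("fat") header; 0xcafebabe is also the Java class-file magic,
# so it is treated as executable-like rather than as a definite Mach-O.
MAGIC = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"#!", "script"),
    (b"\xfe\xed\xfa\xce", "mach-o"),
    (b"\xce\xfa\xed\xfe", "mach-o"),
    (b"\xfe\xed\xfa\xcf", "mach-o"),
    (b"\xcf\xfa\xed\xfe", "mach-o"),
    (b"\xca\xfe\xba\xbe", "mach-o"),
]

# What a given extension claims the file to be.
EXTENSION_CLAIMS = {
    ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif",
}


def content_type(data: bytes) -> str:
    """Classify bytes by their magic prefix; 'unknown' if nothing matches."""
    for prefix, family in MAGIC:
        if data.startswith(prefix):
            return family
    return "unknown"


def claimed_type(name: str) -> str:
    """Family the file name claims via its extension; 'unknown' if none."""
    lower = name.lower()
    for ext, family in EXTENSION_CLAIMS.items():
        if lower.endswith(ext):
            return family
    return "unknown"


def audit_archive(tgz_bytes: bytes) -> list:
    """Return one finding per regular file: (name, claimed, actual, reasons).

    An empty 'reasons' list means the member looked consistent.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for member in tar:
            if not member.isfile():
                continue
            head = tar.extractfile(member).read(16)
            claimed = claimed_type(member.name)
            actual = content_type(head)
            reasons = []
            if claimed != "unknown" and actual != claimed:
                reasons.append(f"extension says {claimed}, content looks like {actual}")
            if member.mode & 0o111:
                reasons.append("executable permission bit set")
            findings.append((member.name, claimed, actual, reasons))
    return findings


def suspicious(findings: list) -> list:
    """Only the findings that have at least one reason attached."""
    return [f for f in findings if f[3]]


def build_sample_archive() -> bytes:
    """Constructed sample: one genuine JPEG stub and one 'jpeg' that is
    really a Mach-O header with its execute bit set (hypothetical content)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add(name, data, mode):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = mode
            tar.addfile(info, io.BytesIO(data))
        add("pics/real.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 12, 0o644)
        add("pics/latestpics.jpg", b"\xce\xfa\xed\xfe" + b"\x00" * 12, 0o755)
    return buf.getvalue()


if __name__ == "__main__":
    for name, claimed, actual, reasons in audit_archive(build_sample_archive()):
        print(name, claimed, actual, "; ".join(reasons) or "ok")
```

Run it directly to audit the constructed archive; to check a real download, pass the file's bytes to audit_archive and treat any non-empty reasons list as grounds not to double-click the member. The check is deliberately conservative: a member with an unrecognised extension is never flagged on type alone, only on its permission bits.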

The majority of OS X users are not logged in as 'true' administrators by default and fewer still run as the root or 'super' user in the operating system's underlying Unix core. To do so requires a significant amount of command line work - beyond the ken of most users.

Apple this week issued a security update for OS X which addresses some of the concerns raised by the recent threats (available via Software Update or the Apple website).

In reality, all this represents very low risk for most Mac users.

Indeed, the most interesting aspect of the virus is the social engineering hook that the malware author uses to tempt the average Mac user.

Windows users have long fallen prey to email enticements promising images of scantily clad pop nymphets and rubbish Russian tennis stars.

The inducement to lure Mac users into double clicking on a file containing malicious code? Screenshots of Leopard, the next generation of Mac OS X (10.5) due out sometime in 2007. Same idea, different delivery, not quite so saucy.

Still, you've got to admire a malware author prepared to do his research - the prospect of a view of the much-hyped new Finder that represents one of the major developments in Leopard is pretty exciting for any OS X fan - but now I digress.

The Mac platform has been famously untroubled by malware for years.

Some attribute this to the theory that malware writers are interested solely in the mass propagation of their work and the small market share of the Mac (anything between three and five per cent depending on whose statistics you believe) is of very marginal interest.

In addition, since the arrival of OS X many have pointed to the underlying robustness of the Mac's Unix core, with its root access disabled by default, as a formidable obstacle to malware authors.

The indications are that if the Mac continues its recent increase of market share its attraction as a target to malware authors will increase. However, the indisputable fact that Mac OS X's Unix core is fundamentally more secure than Windows means that the challenge is considerably greater for potential malware 'switchers'.

In a Minority Report column on OS X security published in June 2005, Sophos product manager Phil Wood commented: "The technical challenges of producing malware for the OS X operating system are more difficult than for Windows. Both Mac OS X and Linux are much more secure than Windows. You would have to be genuinely clever to write an OS X virus and most virus writers are not."

Reactions to the recent spate of security stories have varied. Some rather smug Windows users (and perhaps security consultants with products to sell) have predicted that the sky has begun to fall in on Mac users.

Meanwhile, some equally smug sections of the Mac community have predicted that OS X is an impenetrable fortress with nothing to fear from the collected hordes of malware authors who have managed to make the majority of people in the Windows world miserable and paranoid about email-borne viruses and worms.

The potential threat to OS X from viruses and other forms of malware remains extremely small for the time being. However, this looks to be changing as these worms - and other proof-of-concept programs - spring up online.

In June's column, I suggested that as market share increases the "genetic make-up" of the Mac community is changing as more first-time Apple buyers make the switch.

It's from here - a segment less interested in the technology and possibly less savvy than the traditional Mac user base - that a possible risk emerges. Users may not think twice about entering passwords to view unknown files because as the salesman said: "Macs don't get viruses."

Social engineering will inevitably play its role.

Another risk is that malware authors will pick up the gauntlet thrown down by those who claim that OS X is impregnable - laying down a challenge to that minority of 'skilled' malware authors bored with shooting fish in the Windows barrel and turning their focus on big-game targets.

Further headlines announcing further Mac security "risks" are inevitable. Stories about vulnerabilities in the Mac and Linux platforms are items of curiosity in the mainstream technology media. But compared to the constant threat posed to users of the Windows platform from tens of thousands of existing and new malware threats, the danger is minuscule and in some respects still theoretical.

A few low-grade worms or vulnerabilities are incomparable to the avalanche of new malware threats faced by users of the Windows platform.

Last June, Sophos' Phil Wood said that while no true OS X virus existed it could only be a matter of time before one appears.

What he advised then seems even more pertinent now: "A bit of vigilance is required - Mac users don't live in an unassailable tower."

Every defence has a weak spot. It's just a question of finding it. A little more balance from certain security outfits wouldn't go amiss, though. Neither would a little less complacency from certain sections of the Mac community.
