# OS X and security



## Andrew Adamson (May 17, 2005)

Lately, I've been getting into a bit of a shoving match with a few of the members here over the issue of security in the Mac. Every few days, someone posts a question, "Should I use Company X's Anti-Virus Miracle Cleanser?" The immediate reply is, "You don't need anti-virus protection because OS X has no viruses."

I am willing to admit that at the moment there is not a lot to gain from installing anti-virus software, since the number of KNOWN malware threats is so tiny. You can't really expect an anti-virus program to protect you against unknown threats, right? Okay. But as long as the number of known threats isn't zero, there might be _some_ value in having an anti-virus program running.

Another common thread to pop up from time to time is the message, "Something strange is up on my computer. Do I have a virus?" Or, "My anti-virus program FOUND a virus. Should I be worried?" Immediately, the same reply is given. It's this one that kills me.

The assertion that there is no malware for the Mac or that Macs are somehow immune to hacks is beginning to seriously get on my nerves. There IS malware available for the Mac. While rare, it exists. And while OS X is inherently _safer_ than Windows (true), that does not mean it is inherently _safe_ (absolutely stupefyingly false).

Whoever the posters are and whatever the question is, most of the time there is no indication what sort of environment they are in. The assumption is that they are on a single-user machine on a trusted network with no other cracked boxes and that their Mac is properly patched and has their firewall turned on and unneeded ports turned off and the passwords are strong and that they haven't installed warezed software, and so on, and so on, and so on.... These are pretty big assumptions to make, especially when a user is concerned about an actual infection. 

Probably the best thing I've read on the issue was Jason Miller's column on the subject in SecurityFocus. If you intend on flaming me, please read it before you do. It's a pretty easy read and though he doesn't go into specific threats against the Mac, he does link throughout the article to very real examples. Already, there are some parts of the article that are out of date, but since writing it, plenty more vulnerabilities have been discovered. 

What are the odds that YOU've been rooted? Pretty remote, I agree. But there are 30,000 registered users on this board. More register every day. Most join because they have a serious problem they can't fix on their own. What are the odds that NO ONE on this board has been rooted? Pretty darned low. What are the chances the next person who posts a message about viruses has been rooted? Do you really want to gamble? Do you really want to gamble with strangers who are asking for your help?

I know I am a newcomer here and all, but.... By telling people who have legitimate security concerns that Macs are bulletproof, you may be screwing them. Please stop it.


----------



## elander (May 17, 2005)

Are we virus free on OS X? Yes. Will we always be? Probably not, but we can't know for sure.

Currently, there are no virii, trojans or worms in the wild that attack Mac OS X. As we have seen, there have been a number of "proof of concept" that potentially could've been used as starting points for such malware, but so far that hasn't happened.

Crying wolf repeatedly is actually as destructive as the virii themselves as the situation stands now. By warning of impending danger at an uncertain point in the future, you make people worry about something that may or may not happen. Installing anti-virus software on OS X today is counterproductive. The scanning process will tie up resources and force you to wait while you open files, and generally hinder you. All for what? A possible future threat? You'll be losing time, which makes your company / employer lose money, and on top of that you actually pay for the software that makes you lose money. Double whammy.

Is it safe to sit in your garden in the shade under an apple tree? No! You never know when a meteor falls on your head. Better keep a sharp look out.


----------



## HomunQlus (May 17, 2005)

Guys, there are hundreds of millions of threads regarding the security of Mac OS X. And everywhere there's the same answer.

There are *no viruses* for Mac OS X. The chance for that to happen is very very remote.

Why? First, it's a UNIX system. Unix was written by hackers, and so was the Internet. Also: the Darwin kernel (on which OS X is based) is freely available in source form to everybody, so critical holes can be patched quickly.

Further: the security model of a Unix system is written in such a way that all operations that require administrative privileges cannot go unnoticed.

But: Yes, there still is a chance for a virus or trojan to be run on OS X. But it takes a lot of programming effort, and a lot of knowledge to make it work.

So you see, the chances for a virus on OS X are very small.


----------



## Viro (May 17, 2005)

HomunQlus said:

> Why? First it's a UNIX system. Unix was written by hackers, so was the Internet. Also: the Darwin Kernel (on which OS X is based on) is freely available in its source for everybody, so critical holes can be patched quickly.



Sorry but I disagree. Not many people read source code, even in the open source community. There seems to be a prevalent assumption that there are coders out there who read source code like one would read a novel. Doesn't happen. People only read the source code if they want to make changes or find vulnerabilities to exploit.

Apple doesn't always patch their products in time either. Take for instance the "mrouter" vulnerability. It took them 3 months to fix. That certainly doesn't really qualify as quickly. 



			
HomunQlus said:

> Further: The security model of an Unix system is written in a way that all operations that require administrative priviliges can not go unnoticed.
> 
> But: Yes, there still is a chance for a virus or trojan to be run on OS X. But it takes a lot of programming effort, and a lot of knowledge to make it work.



The UNIX way doesn't guarantee that trojans will be prevented. If I made a malicious app that pretended to give you "XXX passwords" or "SeXy gURls" or whatever the rage is today, would you think twice about entering your password in order to install it? Or how about masquerading as legitimate applications? All this is very simple to do and will require less than 10 lines of C code.

OS X is currently quite secure. The administrative privileges coupled with file permissions (not all files are readable/executable/writable) are a good thing and cut down the chances of viruses very significantly. But they do not cut down on other forms of malware like trojans.


----------



## Tommo (May 17, 2005)

I have to agree with Andrew here; to keep repeating that there are no virii that attack OS X does not help people who are sometimes novice computer users trying to act responsibly and make sure their systems and their data are safe and secure. The more truthful statement would be that there are no known virii that attack OS X.

I also agree that the chances of an OS X virus are small, but if people are not aware that there might be one, then the results could be catastrophic. If, as suggested, the amount of programming knowledge needed is great, there is a higher chance that the virus will be more destructive than most that are currently being written for the PC.

Should you run anti-virus software on a Mac? Yes, for two reasons. Firstly, it is no good installing it once it is too late; wait for the virus and you may not get time to install it. Secondly, Macs can in some instances distribute virii that may affect other systems.

This debate should be put to bed, and risks, however slight, should be accepted and informed information put forward when it is asked for. The Viruses on the Mac FAQ on this forum is a very good document, and perhaps all future posts regarding this subject should be directed there.


----------



## Lt Major Burns (May 17, 2005)

http://www.macosxhints.com/article.php?story=20040512085517829

I don't know if you've read this already, but this IS a trojan that could be released quite easily (say, as a file on a bogus mirror site when you are trying to update PithHelmet, e.g.; that would be ironic. As soon as you've finished downloading it, of course you are going to click it; did you download it for nothing?)

As soon as you do, it starts silently deleting the home folder, because you "told" it not to tell you.

Absolute genius, and all it is is a modified version of riccbhard's empty trash script...


EDIT: I'm not saying lock your systems down and wait for impending doom, just don't be so sure of macOS's perfection; it was written by a human, and humans fall to error. Equally, any piece of software can be hacked, eventually. There is always a way. I still find it slightly hard to believe that macOS is "unhackable", because it's not. That someone hasn't got round to doing it properly yet is luck, not just good coding.


----------



## HomunQlus (May 17, 2005)

Well

*rm -rf ~*

is pretty obvious to the experienced Linux/Unix user. I don't think you can really call it a trojan, but then on the other hand, it is. Some sort, anyway.

But you're advised not to run this command under any account!! Unless you really want to wipe the data in your user directory. If not, you'd better not execute/run this. EVER!!!

Back to the security thing:
I didn't say that there's no chance for a virus. I only said that the chance is very remote. That's a huge difference.

Well, unfortunately Darwin IS a UNIX, and can be run on any computer. There's Darwin for the i386 architecture too; look it up on Google. Darwin, however, is again based on BSD, which is UNIX as well. All Apple did was take the Darwin base and Mach kernel and put their Aqua on it, with some modifications in the kernel to display the nice gray Apple when the computer starts up. That's it. Nothing more, nothing less. Of course, Apple also made modifications in the code itself. However, when you open a Terminal, I think it even says "Welcome to Darwin".



> The most widely-sold *UNIX-based* operating system, Mac OS X offers a unique combination of technical elements to the discerning geek, such as fine-grained multithreading, *Mach 3.0 microkernel, FreeBSD* services, [...]





> UNIX users will feel at home in *Darwin, the robust BSD environment* that *underlies Mac OS X.*



I'll give you the source code for Darwin, for Mac AND PC. Here it is:

Darwin Source
http://www.opensource.apple.com/darwinsource/

Source for 10.4
http://www.opensource.apple.com/darwinsource/10.4/

Binaries from 10.4 for x86
http://www.opensource.apple.com/darwinsource/images/darwinx86-801.iso.gz

Binaries from 10.4 for PPC
http://www.opensource.apple.com/darwinsource/images/darwinppc-801.cdr.gz

FreeBSD
http://www.freebsd.org/


----------



## Satcomer (May 17, 2005)

You are only as secure as you make yourself. Security is an ongoing process! OS X out of the gate is way more secure! Those reasons have already been given. Is it perfect? No. There is no system today that is perfectly secure. You have to keep up on the security news front and make adjustments accordingly.

Is OS X more secure than XP? You bet!


----------



## Miss_Lateralus (May 17, 2005)

Yeah, but the article also touched on trojans being hidden in what look like package installer files. On the outside they look like .pkg files, but on the inside they have the rm -rf ~ command embedded in them.

I can see both points of view here; some may think there is no harm in keeping an anti-virus app on a Mac, and even if it's pointless to some, it's just a safety precaution to others. However, I do agree with the following quote...



			
Tommo said:

> I have to agree with Andrew here; to keep repeating that there are no virii that attack OS X does not help people who are sometimes novice computer users trying to act responsibly and make sure their systems and their data are safe and secure. The more truthful statement would be that there are no known virii that attack OS X.


----------



## Viro (May 17, 2005)

HomunQlus said:

> *rm -rf ~*



Or with a bit more finesse, converting that concept to C code:


```
#include <stdio.h>    /* snprintf */
#include <stdlib.h>   /* getenv */
/* Goes inside any function of the host program. Fixed from the post as written: "$s" -> "%s", bounded snprintf. */
char buff[4096];
char *home = getenv("HOME");                       /* NULL if HOME is unset; a real trojan would check */
snprintf(buff, sizeof buff, "rm -rf %s", home);    /* only builds the command string; the post stops short of running it */
```

3 lines of C code, that you can embed in any application. You could embed it in a game so that it deletes the user's home directory while they're playing it. It can happen, and there is practically no way to prevent that apart from not running applications from various sources you do not trust. 

Even better, the trojan can be made to look up all the addresses in your address book (easy, thanks to the excellent Cocoa API) and then email that same program to all your friends and colleagues.

Security is in the attitude. While OS X is more secure than XP out of the box, and it is easier to remain secure, it isn't invulnerable. The point that this thread has been trying to make is to not _act_ as if OS X is this wonderful security panacea. It's safer, but common sense is still necessary. Simply running attachments, automatically launching downloaded executables, etc. should be disabled. On the other hand, I still think running virus scanners is pointless, as they are more trouble than they're worth _at the moment_. Hopefully the time will never come when we need to run such programs.
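Miss_Lateralus's point about .pkg files with `rm -rf ~` inside, and Viro's point that the only real defence is not running (and not authenticating) untrusted installers, can be turned into one cheap check before you type your password. The script below is an added example written for this page, not code from the thread or from Apple: it walks an unpacked bundle-style .pkg, reads the pre/postflight and pre/postinstall scripts Installer would run, and flags lines that wipe the home directory, the root, or a raw disk. The package it scans is constructed inside the script. The patterns catch the naive `rm -rf ~` case only; an attacker who builds the command from pieces at run time will get past them, which is exactly why the check supplements, rather than replaces, the "don't authenticate what you don't trust" rule.

```python
import os
import re
import tempfile

# Install-script names a bundle-style .pkg may carry under Contents/Resources.
# Flat packages (10.5 and later) must be expanded first with `pkgutil --expand`.
SCRIPT_NAMES = {"preflight", "postflight", "preinstall", "postinstall",
                "preupgrade", "postupgrade"}

# Destructive shell that has no business in an installer. These patterns are this
# example's own; they catch the plain "rm -rf ~" case, not an obfuscated one.
HOME = r'(?:~|\$HOME|"\$HOME"|\$\{HOME\})'
RULES = [
    # rm with any flags whose target is the bare home directory ("~", "$HOME", "~/")
    ("wipe_home", re.compile(r"\brm\s+(?:-\S+\s+)+" + HOME + r"/?(?:\s|$)")),
    # rm with any flags whose target is "/" or "/*"
    ("wipe_root", re.compile(r"\brm\s+(?:-\S+\s+)+/\*?(?:\s|$)")),
    # dd writing to a device node other than /dev/null
    ("raw_disk_write", re.compile(r"\bdd\b.*\bof=/dev/(?!null\b)")),
]


def scan_script(text):
    """Return (lineno, rule, line) for every non-comment line of a shell script that matches a rule."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for name, rx in RULES:
            if rx.search(line):
                findings.append((lineno, name, line))
    return findings


def scan_package(pkg_dir):
    """Walk an unpacked bundle-style .pkg and scan every install script it carries."""
    findings = []
    for root, _dirs, files in os.walk(pkg_dir):
        for fname in files:
            if fname not in SCRIPT_NAMES:
                continue
            path = os.path.join(root, fname)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, rule, line in scan_script(fh.read()):
                    findings.append((os.path.relpath(path, pkg_dir), lineno, rule, line))
    return findings


def build_sample_package():
    """Write a constructed, deliberately malicious package to a temp dir and return its path."""
    pkg = os.path.join(tempfile.mkdtemp(), "Totally Legit.pkg")
    res = os.path.join(pkg, "Contents", "Resources")
    os.makedirs(res)
    with open(os.path.join(res, "preflight"), "w") as fh:
        fh.write("#!/bin/sh\nexit 0\n")
    with open(os.path.join(res, "postflight"), "w") as fh:
        fh.write("#!/bin/sh\n"
                 "# tidy up an old cache (legitimate, must not be flagged)\n"
                 "rm -rf ~/Library/Caches/MyApp\n"
                 "rm -rf ~\n"
                 "exit 0\n")
    return pkg


if __name__ == "__main__":
    pkg = build_sample_package()
    for script, lineno, rule, line in scan_package(pkg):
        print(f"{script}:{lineno} [{rule}] {line}")
```

Run it on a real download by expanding the package and pointing `scan_package` at the resulting directory; an empty result means only that nothing matched these three patterns, not that the package is clean.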


----------



## Andrew Adamson (May 17, 2005)

Well, this thread has reassured me a bit that there are a few people out there who have a sensible attitude about security.

I posted a link in one of my other postings a while back to a thread on MacOSXHints. The parent poster there is posting the output of ~/.bash_history, which is a listing of all commands typed into a terminal window under bash (one of the shell environments). It shows the user (NOT the owner, but rather a remote script kiddie) connecting to a Romanian ftp site, unpacking downloaded files, executing commands from those files, checking to see who else was logged on, and so on. It's a cracked Mac. Go have a read. Then tell me again how Macs don't have malware.

Elander, no malware? Go take a look for "macintosh underground" and "opener" on Google (please never link directly to hacking groups). If you explore their newsgroups, you will be interested to see how the group there managed to get their rootkit patched for Tiger in only a few days. 

HomunQlus, being open source does not mean security holes will always be found in time. In fact, it doesn't mean they will be found AT ALL. You can have perfectly secure code and have it ruined by a buffer-overflow vulnerability in a trusted application (like, I don't know, say, iTunes, or iTunes, or even iTunes). MS Windows had a buffer overflow vulnerability in GDIPlus.dll that would allow an attacker to screw you when you, ahem, looked at a pretty picture. But it only worked in Windows ME and Windows 2000, not in Windows XP. Why? They used a different compiler. Same code. Different compiler. Opening the source code there would have made no difference at all. None.
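The ~/.bash_history pattern Andrew describes (fetch a toolkit from a remote host, unpack it, make it executable, run it, look around, clean up) is exactly what a first-pass triage script can pull out of a history file. The script below is an added example for this page, not the MacOSXHints output or anything from the thread; the history it reads is constructed here, and the rule set is this example's own starting point, not a complete signature list. It tags each line with the stage of the intrusion it resembles and calls for a closer look when several distinct stages show up in one session.

```python
import re
from collections import namedtuple

# Constructed sample of a ~/.bash_history, made up for this example to mirror the
# sequence described in the post; it is not the real history from that thread.
SAMPLE_HISTORY = """\
ls
cd /tmp
ftp 192.0.2.10
tar xzf tools.tgz
cd tools
chmod +x install.sh
./install.sh
w
cat /etc/passwd
history -c
exit
"""

Indicator = namedtuple("Indicator", "lineno command rule")

# One rule per stage: (name, regex anchored at the start of the command line).
RULES = [
    ("remote_fetch", re.compile(r"^(ftp|curl|wget|nc|ncat|scp|sftp)\b")),
    ("unpack_archive", re.compile(r"^(tar|gunzip|unzip|bunzip2)\b")),
    ("make_executable", re.compile(r"^chmod\s+(\+x|[0-7]*[1357][0-7]*)\b")),
    ("run_local_script", re.compile(r"^\./\S+")),
    ("recon", re.compile(r"^(w|who|last|id|uname|ifconfig|netstat|cat\s+/etc/passwd)\b")),
    ("anti_forensics", re.compile(r"^(history\s+-c|unset\s+HISTFILE|rm\b.*\.bash_history)")),
]


def triage_history(text):
    """Return an Indicator for every history line that matches a rule, in file order."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        cmd = raw.strip()
        for name, rx in RULES:
            if rx.search(cmd):
                hits.append(Indicator(lineno, cmd, name))
    return hits


def looks_compromised(hits, min_distinct_rules=4):
    """Crude verdict: one session that fetches, unpacks, runs and covers its tracks deserves a look.

    A lone wget or tar is normal admin work; the threshold is on distinct stages, not raw hits.
    """
    return len({h.rule for h in hits}) >= min_distinct_rules


if __name__ == "__main__":
    found = triage_history(SAMPLE_HISTORY)
    for h in found:
        print(f"line {h.lineno:3d} [{h.rule}] {h.command}")
    print("review recommended" if looks_compromised(found) else "nothing stands out")
```

Two caveats a practitioner would add: `history -c` or an unset HISTFILE means the file you are reading may be the part the intruder did not bother to erase, so an empty or short history on a busy account is itself a signal; and the shell history only records interactive sessions, so a scripted break-in over ssh may leave nothing here at all.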


----------



## Captain Code (May 17, 2005)

I don't think anyone is denying that there are ways into an OS X machine. However, so far there's no automatic way like there is in Windows. Those links are interesting reads, but none of them show any automatic infection, even by a downloaded program.

They are all by dictionary attacks or packet sniffing, which is not really the fault of the OS but of the user.

Notice how the one Mac got infected through a PC on the same network because that PC was infected and someone was sniffing the network and port scanning for open services.  

The person probably had FTP turned on and had a trivial password.


----------



## scruffy (May 17, 2005)

Totally fair comments: there are vulnerabilities in OS X; it's a young OS, so it's getting more than its share just at the moment. And Apple has not been great (not terrible, but not great) at getting the patches out in a timely manner.

It's not the case that there's no malicious software for OS X; however, there have not yet been any automatically self-propagating worms. It wouldn't be hard to write one; for heaven's sake, the average Windows mass-mailer worm doesn't take advantage of any major security flaws, it's just a small program sent as an attachment, with a message to entice the user to click it.

No AV will protect you from such attacks as effectively as not being an idiot.  Maybe if people weren't such idiots about security, virus writers would have to try a little...

I haven't actually checked this with an executable email attachment, but OS X does do one thing right - it asks before first running any program.

Still, I'm not sure there's a lot of benefit to antivirus software, given a sensible user.


----------



## elander (May 18, 2005)

...unless you install them. It is hard to acknowledge a shell script that requires administrator privileges to install as "malware".



			
Andrew Adamson said:

> Elander, no malware? Go take a look for "macintosh underground" and "opener" on Google (please never link directly to hacking groups). If you explore their newsgroups, you will be interested to see how the group there managed to get their rootkit patched for Tiger in only a few days.



Not impressed. As I wrote earlier, there is no known malware IN THE WILD, and neither is this. It is a root kit, and as far as I know, they are available for every known OS. The trick is not to create a root kit and patch it for a new version of an OS. Anyone can do that for any OS. The trick is to make it install itself on other users' computers. No one has done that for Mac OS X yet. This doesn't either. It takes administrator privileges to install, so you have to authenticate before it can be installed.

Have a look here:
http://www.lindqvist.com/index.php?ID=1735

As I wrote earlier: crying wolf when there are none only makes it worse when they really do come. Stop scaremongering and settle down folks.


----------



## cfleck (May 18, 2005)

I think some people are still missing the point. Yes, OS X is probably safer than what most people are running, but the fact is that it can still be compromised. Quite frankly, I don't care if I get a worm on my Mac that is self-propagating, or if it is a root kit or whatever. I only care that it is on my computer.

Some people that come here are in exactly that position. They come here with claims that they may have a virus and they are all shown the same door: "No virus on Mac. Go away." When in reality they may have a compromised system, and no one here seems to think it is possible.


----------



## Andrew Adamson (May 18, 2005)

Thank you cfleck. Nicely said.

To quote myself, Elander,

> Go have a read. Then tell me again how Macs don't have malware.


Look, the reason I posted this thread is because on this board I came across one poster who did a virus scan with Virex and it reported back that there were four 'possible infections' -- but didn't tell him the location or the nature of the infections. As well, he couldn't get the program to update. That was on May 16. Three pages later, he still hasn't got an answer to his questions, but he got an earful on how Macs are malware free. If anyone here can help him, please be my guest.

Some day soon (and perhaps this has happened already) someone will come to this group looking for help because they have recently downloaded a trojan from bittorrent (wrapped in Photoshop CS or Metal Gear Solid or The Sims or whatever), dutifully entered their password and now their computer 'seems slow' or 'sometimes the Internet doesn't work'. Perhaps they see the connection and are too embarrassed to say or perhaps they don't see it at all. Or perhaps their 14-year-old son downloaded the thing and they don't know about it. And not understanding the difference between 'virus' and 'rootkit' or 'trojan', they will ask, "I think I have a virus. What should I do?" If the ONLY answer they get is, "Macs are virus free," congratulations, we have helped no one.

MacOSX.com has a high Google ranking and a great reputation. People come here, like I did, because they needed help with something they couldn't do by themselves. If all you're going to do is be fanboys and ignore the basics of computer security, blame the user, support the brand and ignore the threat, you're just screwing people you could be helping.

That's all I have to say.


----------



## elander (May 18, 2005)

Andrew Adamson said:

> To quote myself, Elander,
>
> ...



Well, go read it yourself, and figure it out. There's a clue as to what probably went on with that user's computer. The original poster writes "I believe this attack was initiated from within the LAN from the PC".

More likely than an "attack", the "hacker" simply walked over to the Mac, and enabled remote login. Wanna bet $20 that's not what happened? 



			
Andrew Adamson said:

> Look, the reason I posted this thread is because on this board I came across one poster who did a virus scan with Virex and it reported back that there were four 'possible infections' -- but didn't tell him the location or the nature of the infections. As well, he couldn't get the program to update. That was on May 16. Three pages later, he still hasn't got an answer to his questions, but he got an earful on how Macs are malware free. If anyone here can help him, please be my guest.



Well, that isn't true. He actually figured it out (see bottom of page two in that thread), it turned out to be stuff that couldn't affect Macintoshes.

The stuff to remember, to keep your computer clean and running is to apply common sense. Don't run applications from sources you don't trust, and specifically don't authenticate those applications. And if you deal with pirated software, well, don't come crying on my doorstep pal.

As I agree with you that knee-jerk responses are a bad thing, I really think scare tactics are even worse.

The facts remain: no reports as of today of malware in the wild. Check out the virii pages, nothing reported. I actually checked just after I wrote that sentence, to be sure...

Will we get virii, trojans, worms etc on OS X? Probably. Have we? No. When they do come, I'll holler from the hills like crazy. Until then, I'll hammer on everyone who tries to scare ordinary users into buying AV software they don't need. AV software that at the moment causes more problems than the non-existing ones they are supposed to "solve".

And for the love of God, someone with moderator status: please close this thread now... ::sleepy::


----------

