If you’ve ever consulted with a computer security expert and they seemed a little paranoid, consider it a good thing – paranoia is an essential component to effective security. Conversely, lack of paranoia is a risk factor, which is a key weakness in security for Mac computers --particularly in the enterprise.
Mac OS X has developed a reputation for being especially secure, and more secure than Windows, primarily because of the dearth of viruses and malware that target the Mac platform. The often-repeated assertions that Macs are not vulnerable to compromise is the riskiest kind of overconfidence.
Changing Security Landscape
It is no myth that Macs are less prone to viruses and malware. There are several good reasons for this. Part of the explanation lies in the OS design. OS X requires an administrator password to install privileged code, thereby defending against the kinds of rampant “drive-by” installs of malware that plagued Windows XP and to a lesser degree Windows Vista, despite Microsoft’s efforts to implement similar controls.
Moreover, Macs have been a statistically weak target for malware authors. With over 85 percent of the OS market running Windows, malware authors naturally invest their resources where they stand to benefit the most.
The network security landscape has become considerably more complex in the decade-plus since OS X was released, however. Viruses are old news, and even most modern Windows machines are well defended against them. "Bad guys” are exploiting numerous new attack vectors from which the Mac is not necessarily immune.
Going Beyond OS-centric Security
Highlighting that Macs are still vulnerable to security compromises is not a slam against OS X. But regardless of how secure the underlying OS, increasingly attackers are exploiting common third-party channels.
Exhibit A: Java. In January of this year, major vulnerabilities were discovered in a release of Java 7 which could allow attackers to execute arbitrary code and defeat software sandboxes. Java is developed by Oracle and is not bundled with OS X. But its use is widespread, since many websites and standalone applications are written in Java. In the wake of the Java 7 exploit, Apple blocked the Java 7 browser plug-in, but this is only a half-measure – users could still install Java 7 on Macs, and in doing so, potentially leave them open to outside attack.
Java can’t take all the heat. There’s also Flash, an even more popular runtime widely installed on Mac (and Windows) machines. The latest in a long line of security exploits hit Flash last month, which attackers could leverage to install unauthorized software on victims’ machines – including Macs. Because both Flash and Java are third-party platforms, updating them must be done outside the OS X system update, meaning both extra work for IT administrators and more opportunity for falling behind update patches.
Java and Flash are just two examples that illustrate a key point in modern Mac security. Either these third-party runtimes need to be kept off the machine or else a policy for keeping them up to date must be rolled into any security maintenance plan.
Phishing and Social Engineering
The philosophy behind security defenses built into OS X is to prevent software from taking privileged actions without explicit authorization. But what if attackers can trick users into authorizing malicious actions? This is exactly the idea behind many attempts at phishing and other forms of social engineering.
Many Mac users either administrate their own machine or know the password for an administrator account, because this allows them to install software. Bad actors can take advantage of this. An attacker might wish to install any of several kinds of malware onto a victim’s machine, including remote desktop control or a keylogger to capture logins and account numbers. To lure someone into authorizing these installs, an attacker could:
- Send the victim a scam email masquerading as an official security update and directing them to a download link.
- Send the victim an email with malware attached to a file that might look like a photo or funny video.
- Hide the malware inside another piece of software that the victim has downloaded. Often this is done by packaging the malware with pirated software but sometimes malware can even be sneaked into legitimate software.
The fact is, when the operating system prompts a user to allow a certain action, many people unquestionably accept it. This is partly due to the habituation that sets in when computers prompt us all day about so many things. Attackers who exploit this don’t care whether the victim is on a Windows or Mac machine, and there is little that the security design of OS X or any OS can do to prevent victims from falling prey to social attacks. For the enterprise there are two lines of defense.
One is user education. It might be obvious to the security-minded to be suspicious of email links and system prompts, but the evidence suggests that many people are not so cautious. Ongoing education is necessary to keep the message in the forefront of people’s minds.
The second defense is scanning tools that can catch phishing and malware before it reaches the user authorization stage. This is where many people think that Macs don’t need anti-virus software. Strictly speaking these attacks aren’t viruses, but the industry has come to embrace the term as marketing speak for myriad attack vectors. Major vendors like McAfee, Kaspersky, and Symantec all make scanners for Macs which – viruses aside – can help backstop machines whose users fall prey to social engineering attacks.
Speaking of the OS itself, note that the firewall built into OS X is inbound only. To run an especially locked down machine, administrators should consider adding an outbound firewall product like Little Snitch or TCPBlock. These applications can be used to whitelist which applications can send data out to the network, or to help find unwanted applications which are already doing so.
Aaron Weiss is a technology writer and frequent contributor to eSecurity Planet and Wi-Fi Planet.