Schadenfreude, Malware, and Hubris

Schadenfreude perhaps best describes the attitude of most Windows security experts to the OSX Flashback botnet. For a long time security experts have argued that it was a matter of when, not if, we'd see a widespread infection on the Mac OSX platform. If the estimate of 600,000 infected hosts is correct, that suggests that somewhere between 3% and 5% of all computers running Mac OSX have been infected by a single piece of malware.

The popular and very dangerous perception that "Macs never get viruses" is being proven to be a marketing message rather than a security reality. Apple might not have made the claim of invulnerability explicitly, but that's the understanding that many people have been left with. In the last few days a thousand forums rang with statements such as "Macs don't get viruses because they are UNIX based", as though being UNIX based was some sort of magical charm against the possibility of exploitable code.

Given enough time and effort, all operating systems can be exploited. There is no deep philosophy within the structure of UNIX that makes UNIX-like operating systems immune to compromise. UNIX was one of the first operating systems, and it's unlikely that through random chance the OS is inherently secure, especially given that it wasn't designed from the very beginning with security in mind (security has certainly been added, but there is no magical component within UNIX that makes it unexploitable).

If there was a way to make an operating system unexploitable, Microsoft would have included it when they went back to the drawing board after Windows XP. You can certainly make it more complicated to exploit something, but just as any safe can be broken into given enough time, any operating system can be exploited given enough talent. The difference between safes and operating systems is that once one person figures out how to successfully exploit a system, they can share those tools so that less talented people can also leverage the exploit.

Are UNIX-based operating systems inherently more secure than Windows-based ones? Or is it just that Windows-based OSes have had a broader install base, and malware authors have got more result for their effort by targeting that platform?

There isn't any proof either way (though lots of opinion), but it's interesting to note that the Linux-based Android mobile operating system seems to be both the most widely deployed and the most widely exploited mobile OS.

In all likelihood, Mac OSX users will go on believing that they are immune from malware. Popular perceptions are almost impossible to eradicate, and it will be a long time before the idea that "you don't have to run anti-malware software on a Mac" goes the way of phlogiston.

The most likely remedy to this situation is for Apple to include stronger anti-malware protection in the OS itself. That neatly avoids the problem Microsoft has had with users who have protection when they first get a computer but don't maintain it over the lifespan of that computer. Unfortunately, as Apple is finding, just because you release a new version of an OS doesn't mean that everyone jumps on it. Just as more than a third of Windows users are running XP, around a third of OSX users are still running Leopard, Tiger, or earlier versions of the OS, even though Snow Leopard and Lion have been available for some time and Mountain Lion is due for release. Just as people don't buy new cars when the next model comes out, they don't upgrade to new operating systems on any schedule other than their own.

The best step you can take at this point, if you run Mac OSX or manage a fleet of computers running OSX, is to do the same things that you do with your Windows machines: ensure that you keep current with software updates, and investigate and deploy anti-malware utilities.

Follow me on twitter: @orinthomas
