Apple's Virus Immunity. How?



iapplepie
15th October 2007, 04:20 PM
I've been wondering how Apple manages to keep all their systems virtually 'virus free'. How do they do that, and why doesn't Dell or Microsoft in general use this and make theirs virtually virus free?

Cheers

decryption
15th October 2007, 04:24 PM
It's called security flaws, and not having them (or as many).

Some people think it's purely obscurity that Macs have avoided security issues ala Windows.

iapplepie
15th October 2007, 04:27 PM
Thanks decryption, would it be possible for Windows in the future to gain a reasonable virus free status?

morgan
15th October 2007, 04:28 PM
Apple is virus free due to the small numbers of users, why bother spending time writing a virus for an operating system that is used by 5% (is that correct) of computers?

That being said it is more difficult to surreptitiously install software (i.e. viruses et al.) without activating the root user which brings up that dialogue box where you have to type your administrator's password. If you weren't in the process of installing something you'd get suspicious and cancel the operation.

jerrah
15th October 2007, 04:29 PM
Technically yes.

iapplepie
15th October 2007, 04:31 PM
Are we more likely to see more frequent malicious viruses emerging as Macs gain popularity?

jerrah
15th October 2007, 04:31 PM
Apple is virus free due to the small numbers of users

I don't entirely buy this. Despite the smaller installation base Apple makes a pretty big target by claiming to be 100% virus free.

It is theoretically possible to write bug free, reliable, virus proof software.

tcn33
15th October 2007, 04:31 PM
Apple is virus free due to the small numbers of users, why bother spending time writing a virus for an operating system that is used by 5% (is that correct) of computers?
Security through obscurity is a myth. If that were the case then 5% of viruses would be written for OS X. If anything OS X is a bigger target because we Mac users are smug bastards :p

jerrah
15th October 2007, 04:32 PM
Are we more likely to see more frequent malicious viruses emerging as Macs gain popularity?

AFAIK there hasn't been a virus for OS X since release that didn't require the root account or installation by the user.

iapplepie
15th October 2007, 04:33 PM
AFAIK there hasn't been a virus for OS X since release that didn't require the root account or installation by the user.

Are we likely to see one in the near future?

jerrah
15th October 2007, 04:39 PM
Are we likely to see one in the near future?

How long is a piece of string? Given the past history I think it's unlikely but you can never be 100% sure.

I'm not losing sleep over it.

step_andy
15th October 2007, 04:41 PM
Are we likely to see one in the near future?
First Mac OS X virus (trojan) called "Oompa-Loompa" was unleashed on 13 Feb 2006
http://www.macrumors.com/2006/02/16/the-first-mac-os-x-virus-a-new-os-x-trojan/

http://www.ambrosiasw.com/forums/index.php?showtopic=102379

Technical info here http://www.symantec.com/security_response/writeup.jsp?docid=2006-021614-4006-99

jerrah
15th October 2007, 04:47 PM
First Mac OS X virus (trojan) called "Oompa-Loompa" was unleashed on 13 Feb 2006

This bait-and-switch (executable pretending to be an image) doesn't exploit any particular MacOS vulnerability.

I don't think there is an operating system out there that protects privileged users from running damaging executables.

When something can infect my machine merely by connecting to the internet I think we should worry.

Hamsmyth
15th October 2007, 04:52 PM
AFAIK there hasn't been a virus for OS X since release that didn't require the root account or installation by the user.

OFF TOPIC:

What exactly does AFAIK mean?

Aa
15th October 2007, 04:55 PM
Unleashed?

I think by memory only about 2 or 3 macrumors users downloaded it and bothered running it...

AFAIK: as far as I know, it means ummm...

decryption
15th October 2007, 04:56 PM
OFF TOPIC:

What exactly does AFAIK mean?

As far as I know ;)

jerrah
15th October 2007, 04:57 PM
What exactly does AFAIK mean?

As Far As I Know.
http://en.wikipedia.org/wiki/AFAIK#A

iapplepie
15th October 2007, 05:03 PM
I am right in saying that if the Windows on your Mac via Fusion, Boot Camp etc. gets a virus, the Mac part is still fine, and if you use Boot Camp, does the partition you create become 'infected'?

chrome
15th October 2007, 05:05 PM
Had this discussion in #apple a while back.

Basically, it boils down to this;

1) Viruses that rely on network vulnerabilities to infect and propagate are rare on OSX because of its compartmentalised design and Unix underpinnings, and the choice of stable and secure open source software, such as Apache 1.3 and OpenSSH, that has had thousands of eyes looking for, finding, and fixing vulnerabilities.

2) Viruses that rely only on end user stupidity to infect and propagate are possible on OSX but are rare because either Mac users are smarter (ha ha ha! not likely) or virus writers can't be arsed trying to write viruses for the mac platform (more likely). Without an automated method of infection, propagation would be very slow and it's just not fast enough for today's virus writers.

That said, it would be very easy to write a virus for OSX. You'd need to rely on distributing it via nefarious means, such as uploading infected versions of iWork to bittorrent trackers and friends copying software around. But such a virus would be an academic exercise; how many people these days give each other Application bundles? Nobody, really. Most people download the latest versions of things off the official websites.

Back in the old days, propagation via traded programs was a sufficient method for virus propagation but with the internet, faster vectors are available, and with OSX coming out of the box in a "pretty damn secure" state, even when bare to the wire, it's easier to go for the easier target, Windows.

So yes, in answer to your question, Viruses are possible on OSX. But I think that Apple's choice of Open Source software for certain key network daemons is instrumental in providing us with an operating system that is secure when connected to the internet, and has made it not worth the effort to try and develop a virus that could propagate via the network, and of course propagating via stupid users file sharing is also not worth it, as not many people do that these days, as discussed.

chrome
15th October 2007, 05:08 PM
I am right in saying that if the Windows on your Mac via Fusion, Boot Camp etc. gets a virus, the Mac part is still fine, and if you use Boot Camp, does the partition you create become 'infected'?

MS Office macro viruses can infect mac documents, so if you have your home directory shared in vmware then you could end up infecting your .doc and .xls files there. But in general, viruses are for specific platforms and Windows viruses won't work on the Mac and vice versa.

Mind you, it is possible to write a program that runs on Windows or the Mac, from the same binary. I think. It'd be tricky, but I've read of such a thing being possible.

It's not something to worry about right now, though.

Linux_insidev2
15th October 2007, 05:23 PM
This bait-and-switch (executable pretending to be an image) doesn't exploit any particular MacOS vulnerability.

I don't think there is an operating system out there that protects privileged users from running damaging executables.

When something can infect my machine merely by connecting to the internet I think we should worry.

What about a libtiff exploit that would cause the same effect as the libtiff exploit on the iPhone and iPod touch?
Mac OS X uses plenty of open source libraries that have known flaws - it's just that nobody bothers.

On PPC Macs it was even harder though, due to it being a different animal to the mainstream X86 Machines everyone was running - now things are different.

Hell, you could even hack into earlier versions of 10.4 with old versions of Apache - you could use mod_rewrite exploits that were available at the time.

Currawong
15th October 2007, 06:15 PM
What's usually missed in the understanding of this situation is the change in the purpose of viruses over the last decade. They were originally written as malicious software and often used to cause serious damage to people's computers. Nowadays, they are written for profit by spammers, often to either harvest email addresses to spam, or hijack computers to send spam. Obviously, for this, the best targets are servers on high speed lines, or now that many millions of people around the world have broadband, insecure PCs.

Overall, I'd say that both the prevalence of Windows along with its insecurity has made it a huge target. Much alone could be solved if the major ISPs in the USA and other countries blocked port 25 (used for sending mail) as an outgoing transport across all their users. As it would devastate spammers and remove a means for them to make profit, you'd also see a huge drop in virus manufacture.

That being said, any computer running a web browser has some degree of insecurity. A web site tailored to do something malicious to a person who views it could easily be made to target end users depending on which OS they were running. How much damage could be potentially done would then be very dependent on the security of the browser and OS.

bullrout
15th October 2007, 06:40 PM
Security through obscurity is a myth. If that were the case then 5% of viruses would be written for OS X. If anything OS X is a bigger target because we Mac users are smug bastards :p

That's exactly what I have always thought.

feeze
15th October 2007, 06:44 PM
Apple is virus free due to the small numbers of users, why bother spending time writing a virus for an operating system that is used by 5% (is that correct) of computers?

There have been examples in the past of systems with a smaller install base than Mac OS X being infected with great efficiency; http://en.wikipedia.org/wiki/Witty_worm


Are we more likely to see more frequent malicious viruses emerging as Macs gain popularity?

No doubt the Mac will gain more attention as it becomes more popular, but it's impossible to predict whether more attention = increase of successful attacks.

Software companies and users are now starting to become a lot more savvy when it comes to security. I don't think we'll ever see another blaster style worm as default installations are becoming very secure and users are starting to use firewalls.

What we will no doubt see (and already are) is an increase in malicious software that uses very complex social engineering to fool the user. Unfortunately there isn't too much that can be done to protect the computer from the user's mistakes.

EDIT: I personally would be more worried about a person being fooled by Nigerian style scams than malicious software.

rtc
15th October 2007, 06:59 PM
MS Office macro viruses can infect mac documents, so if you have your home directory shared in vmware then you could end up infecting your .doc and .xls files there.

Maybe if the microsoft:mac team shunned its "disbanding" and "lowered funding" rumours, and got off its rump and fixed VBA for mac properly so that Office macros actually run on Macs too (instead of just the crippled, limited, poxy excuse for the mac equivalent of VBA that ships with office:mac2004), then office:mac would be much more useful to power users (and, unfortunately, VBA viruses) alike.

iPirate
15th October 2007, 07:04 PM
Apple is virus free due to the small numbers of users, why bother spending time writing a virus for an operating system that is used by 5% (is that correct) of computers?

http://www.macvspc.info/

Download the PDF

my version, page 67: "Apple's overall market share is small" (Misc Mac Complaints section)



There are at least three reasons why the reported numbers for Apple are in error:

1 - There is no 100% accurate data! What you see is full of BIG (and often questionable) assumptions, as well as LARGE approximations.

...rather convincing explanation... (including table below)

2 - Statistics can lie.

...rather convincing explanation... (including how a 10% market share of mac users making 2/3 the purchases due to longer computer life makes for 6.9% statistical reading)

3 - The influence of businesses using Wintel machines effectively as terminals, significantly skews the numbers.

...rather convincing explanation... (including how gas stations, bars, retail outlets, airports [don't forget Cityrail... might explain a few things too] buy masses of computers according to the following criteria: the cheapest)

And taken from part one above;

And here is a September 2002 report of research that says that the market shares are quite different from what you hear reported:
11.6% Apple
10.4% Compaq
9.8% Dell
9.1% IBM
7.3% Hewlett-Packard
5.1% Sony
All the rest are under 5%.



Yes, I sometimes come across as a pro-Mac evangelist. But I don't have faith without evidence. 115 pages of well-written and well-researched evidence is good enough for me.

Edit: And the stuff about viruses is there too, just I figured if you really wanted to know, you could find it yourself. I didn't want to go on and on unless people insist that I summarise that too.

morn
16th October 2007, 02:27 PM
Apple is virus free due to the small numbers of users, why bother spending time writing a virus for an operating system that is used by 5% (is that correct) of computers?

That being said it is more difficult to surreptitiously install software (i.e. viruses et al.) without activating the root user which brings up that dialogue box where you have to type your administrator's password. If you weren't in the process of installing something you'd get suspicious and cancel the operation.

It may not actually be necessary to do that, if you have apps in Application that you have read/write access for, a virus would be able to modify its executable without you knowing. And you will have read/write access for apps if you are an admin account.
So it should be quite possible to develop an OS X trojan that's able to overwrite other apps... But this won't work on a normal user account.
I wonder what else that trojan would be able to do. You usually need root access on OS X to run a server program.... although I'm not sure if that is a must.
Key logger, spyware? I wonder how easy these would be to implement on OS X in an invisible way.
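
The exposure described in the post above (application executables that an account can modify without any password prompt) can be measured on a given machine. The following is an added example, not part of the original thread: a Python audit that lists bundle executables an account could alter, judged from classic Unix mode bits only (ACLs are ignored). The function names and the sample bundles built in a temporary directory are constructed for illustration.

```python
import os
import stat
import tempfile


def can_write(st, uid, gids):
    """Classic Unix write check from mode bits: owner, then group, then other."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_app_bundles(apps_dir, uid, gids):
    """Return (path, reason) for every bundle executable the account could alter.

    An executable is exposed if the file itself is writable, or if its
    Contents/MacOS directory is writable (the file can then be replaced).
    """
    findings = []
    for name in sorted(os.listdir(apps_dir)):
        macos_dir = os.path.join(apps_dir, name, "Contents", "MacOS")
        if not name.endswith(".app") or not os.path.isdir(macos_dir):
            continue
        dir_writable = can_write(os.stat(macos_dir), uid, gids)
        for exe in sorted(os.listdir(macos_dir)):
            path = os.path.join(macos_dir, exe)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks and subdirectories
            if can_write(st, uid, gids):
                findings.append((path, "file writable"))
            elif dir_writable:
                findings.append((path, "directory writable (file replaceable)"))
    return findings


def build_sample(root):
    """Constructed sample: three fake bundles with different permissions."""
    layout = {
        # bundle name: (Contents/MacOS directory mode, executable mode)
        "Locked.app": (0o755, 0o755),
        "GroupWritable.app": (0o755, 0o775),
        "DirWritable.app": (0o775, 0o755),
    }
    for bundle, (dir_mode, file_mode) in layout.items():
        macos_dir = os.path.join(root, bundle, "Contents", "MacOS")
        os.makedirs(macos_dir)
        exe = os.path.join(macos_dir, bundle[:-4])
        with open(exe, "wb") as handle:
            handle.write(b"placeholder executable")
        os.chmod(exe, file_mode)
        os.chmod(macos_dir, dir_mode)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        owner = os.stat(tmp)
        # Simulate an account that does not own the apps but belongs to the
        # owning group, as an admin-group member would for group-writable apps.
        for path, reason in audit_app_bundles(tmp, owner.st_uid + 1, {owner.st_gid}):
            print(f"{reason}: {path}")
```

On a real system, pass the applications directory with `os.getuid()` and `set(os.getgroups())` to audit the current account.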

The Fluffy Duck
16th October 2007, 02:33 PM
Apple is virus free due to the small numbers of users

Look, the old classic operating systems had something like 80 viruses (or less); the Mac user base has grown many times since then. So the total of viruses should increase by that passage of thought, right?
Then why do we have zero? The answer is a properly made OS.

morn
17th October 2007, 04:53 AM
OS X is not virus proof, but it is more secure than windows at least.
For a long time Microsoft didn't even care about security in the least; this is what has caused the problem.
An example, the autoplay feature for removable drives in XP. You plug in a flash disk to a Windows box, and a virus can be immediately executed by Windows via autoplay without the user being able to do anything. This is just retarded by design.
This is also the method Sony's infamous rootkit used.
For Sony to port that to OS X, they'd need the user to manually browse the drive, double click a file and enter a user name and password. On Windows the rootkit installs as soon as the disk is put in.

Rasta
17th October 2007, 07:14 AM
I don't entirely buy this. Despite the smaller installation base Apple makes a pretty big target by claiming to be 100% virus free.

It is theoretically possible to write bug free, reliable, virus proof software.

I agree... 100% spot on jerrah....

morn
17th October 2007, 09:57 AM
It is theoretically possible to write bug free, reliable, virus proof software.

If you have magical powers, maybe.

Linux_insidev2
17th October 2007, 10:09 AM
I agree... 100% spot on jerrah....

Then it's obvious that both of you have NO idea what you're talking about!

Apple doesn't code everything in OSX, they use LOADS of open source libraries, that have plenty of flaws.

It's extremely difficult to write 100% bug-free software, and that's why they've been releasing security updates and also seeding new releases of Leopard to devs every time some of their bugs are fixed.

I seriously think some of you clueless mac users have to pull your head out of your asses...

Face it, they don't care enough to write mac viruses, because what the hell is the point of causing such small scale destruction when you have an easier and much more prominent target?

Of course, OSX is very secure - and I don't doubt that, but anything made by man can be broken by man.

iSlayer
17th October 2007, 10:15 AM
Apple doesn't code everything in OSX, they use LOADS of open source libraries, that have plenty of flaws.

Indeed but actually using them to do anything dangerous is a whole other story

Linux_insidev2
17th October 2007, 10:21 AM
Indeed but actually using them to do anything dangerous is a whole other story

Well look how easy it was to exploit LibTIFF on the iPhone/iPod touch to launch arbitrary code.

How many other open source libraries have buffer overflow exploits?

Leopard has better protection by randomizing memory locations, but I'll never believe that anything is 100% secure.

iSlayer
17th October 2007, 10:32 AM
Well look how easy it was to exploit LibTIFF on the iPhone/iPod touch to launch arbitrary code.

Easy yes. Dangerous no.


How many other open source libraries have buffer overflow exploits?

Lots but again actually exploiting them to do something dangerous is a whole other story

Linux_insidev2
17th October 2007, 10:36 AM
Easy yes. Dangerous no.

It is when you get sufficient privileges to cause some damage, MacOSX when it had the Apache Mod_rewrite that allowed overruns also can lead to root access, allowing you complete control over the system.

The fact that you don't take this into consideration makes me question if you've become complacent with your own code.


Lots but again actually exploiting them to do something dangerous is a whole other story

My point is that it's possible to do.

marc
17th October 2007, 11:36 AM
My point is that it's possible to do.
...but no one has successfully, even though crap, try-hard non-trojan horses (http://en.wikipedia.org/wiki/Leap_virus) get worldwide coverage (http://www.google.com/search?client=safari&rls=en-us&q=leap-a&ie=UTF-8&oe=UTF-8).

Given the notoriety the virus and its authors would get, we can clearly disregard any security through obscurity arguments.

I don't think any of us are stupid enough to suggest that OS X is impenetrable. A virus *could* be written for OS X. The exploit *could* come from the open source Apple use, or from their own code.

It just seems like it must be much harder, due to the fact that OS X requires admin password for most dangerous things (btw, the iPhone hacks require knowledge of the admin password, so that's not a case against OS X security). Having all potentially dangerous sharing services and PHP etc turned off is a good start. Most users don't use them anyway. Apple seem very proactive in patching as well.

Linux_insidev2
17th October 2007, 12:07 PM
It just seems like it must be much harder, due to the fact that OS X requires admin password for most dangerous things (btw, the iPhone hacks require knowledge of the admin password, so that's not a case against OS X security).

Programs being run by the user will pop that window up, exploited daemons will not, and as far as I was aware the libtiff exploit method just involved loading an image in Safari, and it then executed its own code - due to all the apps on the iPhone/iPod touch being run as root it has full access, at no point do you enter a password.

This method was superseded by the jailbreak method utilizing iPHUC which does indeed require the root password when you get to the ssh stage of installation.

Regardless of the fact that a desktop os doesn't run apps as root, even admin user privileges are good enough to wipe out something like an iTunes library or some apps in the Applications folder.

:edit: and there have been past viruses, like this trojan: http://www.macrumors.com/2006/02/16/the-first-mac-os-x-virus-a-new-os-x-trojan/

:edit2: a great site that outlines mac exploits and what they do: http://www.securemac.com/

WonderBoy
17th October 2007, 12:26 PM
I've been wondering how Apple manages to keep all their systems virtually 'virus free'. How do they do that, and why doesn't Dell or Microsoft in general use this and make theirs virtually virus free?

Cheers

There's really only two consumer / small business OS vendors and Dell is not one of them. Unless you're Apple you have to bundle someone else's operating system on your hardware - and if that means Microsoft Windows, well, you're going to get viruses.

marc
17th October 2007, 12:39 PM
and there have been past viruses, like this trojan: http://www.macrumors.com/2006/02/16/the-first-mac-os-x-virus-a-new-os-x-trojan/
=

crap, try-hard non-trojan horses (http://en.wikipedia.org/wiki/Leap_virus) get worldwide coverage (http://www.google.com/search?client=safari&rls=en-us&q=leap-a&ie=UTF-8&oe=UTF-8).


:edit2: a great site that outlines mac exploits and what they do: http://www.securemac.com/
Read the news... there's not much to report. Also... "MacScan (a SecureMac product) 2.3 has been released with key new features". That site is going to be as tainted as reading a Symantec website (ie. they have a massive conflict of interest and will use it just to flog you an application that you don't really need).


due to all the apps on the iPhone/iPod touch being run as root it has full access, at no point do you enter a password
Maybe that is something Apple need to fix.

Linux_insidev2
17th October 2007, 01:05 PM
=
Read the news... there's not much to report.

Regardless of how much news there is to report, there are still articles to report on, and while the Trojan I linked to doesn't do much, it shows that it CAN do something and it IS possible to do some damage.

Apple recognize the need to keep up-to-date to make sure their product is 100% secure, and the fact that they are releasing security updates to patch exploits proves this.

If they didn't think (like you) that they were a non-issue they'd likely not fix them would they?

marc
17th October 2007, 02:07 PM
Regardless of how much news there is to report, there are still articles to report on, and while the Trojan I linked to doesn't do much, it shows that it CAN do something and it IS possible to do some damage.
Umm... you can never stop people from tricking users into running a dodgy app. There's no way to protect against that. It's not even worth really discussing here. It's very similar to telling a n00b "Run rm -r from terminal for a cool game! OMG! So cool!".


Apple recognize the need to keep up-to-date to make sure their product is 100% secure, and the fact that they are releasing security updates to patch exploits proves this.

If they didn't think (like you) that they were a non-issue they'd likely not fix them would they?
Please read my post more carefully. I don't think OS X is impenetrable and I agree that Apple will have to keep on patching indefinitely.

No OS is secure, but the reason why OS X has a good track record is because it's using a well tested open source core (which Apple can't take any credit for), doesn't install with users as root for default and because Apple do patch exploits before they get out and do damage.

Wally
17th October 2007, 02:09 PM
Seriously though,

Why would Mac users write viruses? We are a different breed of people. Those who use Macs tend to be more of the friendly type AND don't want to break anyone's computers. Windows users don't try Mac OS X just to write a virus, they'd have no clue.

Ask a Windows user about their computer? They'd probably tell you the specs and show you the internals when most people aren't interested, then get a spyware message pop up on the screen and they'd probably get a panic attack and start backing up all their data, then maybe reformat once a month as they have nothing better to do :P. Some people reckon they have no spyware / viruses on their machine yet they don't run virus scanners and spyware checks...

If you ask me, we mac users have more time to spare!!

marc
17th October 2007, 03:38 PM
If you ask me, we mac users have more time to spare!!
More time to write viruses? ;)

iapplepie
17th October 2007, 04:48 PM
Damn, what I thought was a simple question from me has built up to be quite technical and hard to understand... at least for me

Currawong
17th October 2007, 07:51 PM
iapplepie:

Mac OS X isn't immune to someone writing malicious software, it's simply that viruses nowadays are created to help spread spam, so there's no point in writing a Mac virus as it wouldn't spread far enough to be of any use. The single known Mac OS X trojan written and initially spread via a forum infected at most a few hundred people.

There's quite a bit of "proof of concept" stuff out there that could break into (mostly older) versions of Mac OS X mind you.

morn
18th October 2007, 03:24 AM
My guess is virus writers are simply lazy and can't be bothered to get around OS X's extra security when XP is so insecure by design. It's all about a quick buck these days.
I think if someone is motivated enough you'd see an OS X virus, it should be quite possible at least to make a trojan that infects other apps.

chrism238
18th October 2007, 06:51 AM
I don't think there is an operating system out there that protects privileged users from running damaging executables.

Far from true; if this is a serious requirement for you, you should investigate SE Linux and its use of security capabilities.

Currawong
18th October 2007, 10:05 AM
FreeBSD has "Jails" in which you can put apps so that even if someone manages to find a security flaw in an application, they can't do any damage to anything outside of that application's files. I think Safari and other web browsers should be in a "jail" since they are the first targets for exploits.

morn
18th October 2007, 02:45 PM
What disadvantages do these jails have?

feeze
18th October 2007, 04:34 PM
From Apple's website; http://www.apple.com/macosx/features/300.html#security


Sandboxing
Enjoy a higher level of protection. Sandboxing prevents hackers from hijacking applications to run their own code by making sure applications only do what they’re intended to do. It restricts an application’s file access, network access, and ability to launch other applications. Many Leopard applications — such as Bonjour, Quick Look, and the Spotlight indexer — are sandboxed so hackers can’t exploit them.

I'm assuming that this is similar to 'jails'

kim jong il
18th October 2007, 07:38 PM
Damn, what I thought was a simple question from me has built up to be quite technical and hard to understand... at least for me

But it's a great way to learn and you will not be the only person to have gained some insight or been given food for thought from your OP. :)

chrome
20th October 2007, 08:21 AM
because it's using a well tested open source core (which Apple can't take any credit for)

I've noticed that Apple tend to be much better of late contributing fixes to the OSS that they use in the OS now.

geektechnu
20th October 2007, 09:22 AM
Re. the size of the Mac userbase as a virus target, also consider that a lot of malware is written to target computers in the business market. This is where a can spread faster, and cause more damage.

The Mac home userbase may be in the area of 5-10%, but in a corporate setting this figure is much much smaller.

Also, market share stats (mentioned by iPirate) mean nothing. These figures do not account for the white box PC market. Globally, this would bring Apple's home market share well below 10%.

Now include the huge number of business PCs on corporate networks powered by Windows-based servers...

All said, (combined with the fact that OS X is better designed than Windows) we should just consider ourselves extremely lucky. Let the good times roll :D

The_Hawk
20th October 2007, 09:57 AM
The virus-less-ness of OS X is due to a range of things as I see it.

Yes, the smaller user base makes it less worthwhile for people to write viruses for it, but then even if they do, propagation is harder if the virus needs to be passed from Mac to Mac, again due to [relatively] low numbers of users.

Also the OS itself is more secure, but much of that comes from the control Apple has over the hardware. Windows needs to support an infinite number of possible configurations. OS X is very much limited to what Apple allows. In doing that you can lock down a system pretty tightly. Also controlling a majority of the software that can run on OS X helps a lot.

*When I say OS X I mean Apple OSes

That's the simple summary of how I see things.