Mac Coming into Focus As Attack Target

By Lisa Vaas Print this article Print

News Analysis: There haven't been mass Mac exploits to date, but interest is growing, as evidenced by the quick turnout of exploit code for a recently disclosed vulnerability.

Compared with Windows, the Macintosh platform is still largely untouched by vulnerability exploits. But the prompt release of exploit code for a vulnerability detailed in a May 24 set of updates shows that it's catching up fast when it comes to grabbing the attention of exploit writers.

"It is very Microsoft. It's something we've grown to expect in Microsoft: The descriptions of patches lead people to write exploits for something that's been patched," said Rob Enderle, principal analyst for the Enderle Group. "It was only a matter of time before that kind of behavior hit [the Mac] platform. People are going after consumers, and they're going after consumers broadly."

Security research company Immunity released the exploit code—which leveraged a buffer overflow vulnerability in the UPnP Internet Gateway Device Standardized Device Control code that's used to create port mappings on home NAT (Network Address Translation) gateways in the OS X mDNSResponder implementation—less than 24 hours after Apple had released a patch for it. Apple implements the protocol in its Bonjour technology to enable devices to automatically discover each other without users having to enter IP addresses or configure DNS servers.

The release of the exploit code for this flaw shows that interest in Mac vulnerabilities is high, analysts say. That's not surprising; even though Macs aren't used as broadly in businesses as Windows machines, plenty of consumers use them, Enderle said. Another factor that may be causing attackers to focus more on Macs is that Windows operating systems are getting "much [harder] to penetrate," he said. And to top it all off, Mac users constitute a "relatively lucrative demographic."

"These aren't bottom-feeding notebook buyers," he said. "In overall terms, their number is small. But it's always been an attractive target, increasingly so since [Macs] lack secondary protections that Windows [users] enjoy [such as a rich selection of third-party security software], though the primary platform itself [has been] in many cases and still is more secure."

At any rate, as pointed out by Ray Wagner, an analyst at Gartner, nobody ever said OS X was impregnable. "Any large code base has vulnerabilities," he said.

So no, security analysts aren't heading for the hills over the specter of attackers paying more attention to the Mac platform. Rich Mogull, another Gartner analyst, said that the buzz in the hacker underground is that "the bad guys are targeting Macs a little more [but] not enough to be worried about yet."

Besides, one has to question the motivations behind the release of Mac exploit code, Wagner said.

"Often the motivation is some kind of publicity," he said. "Recognizing vulnerabilities in OS X does have some cachet these days."

Still, many analysts would like Apple to get more serious about security.

"Apple is as much out of touch as Microsoft was half a decade ago," Enderle said, pointing to the fact that Apple has no chief security officer. "Everybody has to take security seriously. There's no Switzerland when it comes to attacks. If you have something somebody wants they're going to find a way to get it."

Why is the Mac platform more secure than Windows? Click here for David Morgenstern's view.

Read the full story on eWEEK.com: Oracle Settles Lawsuit with Federal Government.

This article was originally published on 2007-06-01
Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
eWeek eWeek

Have the latest technology news and resources emailed to you everyday.