Technology Review - Published By MIT

Is OS X Truly Vulnerable?

Only one of three recent concerns about the security of Apple's operating system is worth worrying about.

By Daniel Turner

Wednesday, March 1, 2006


February wasn't a good month for Apple Computer, as lots of people wondered whether the company's once-impregnable operating system was vulnerable. But cries of doom in the popular press are premature. In reality, two of the three security issues concerning Apple's OS X operating system that arose last month triggered very low-level security alerts. In fact, they would probably not have garnered attention had they not come on top of each other -- and had there not also been the discovery of a security hole in Apple's Web browser, Safari -- a hole that is a potentially serious problem.

The first security issue, called Inqtana, was a "proof of concept": that is, it did not exist outside the world of programmers checking for potential problems in software. It was first reported by numerous people to the IT security firm Secunia, which classified it as a worm. (A worm is a self-replicating virus that enters a computer or network and can cause disruptions.)

Inqtana exploited a problem with the Bluetooth wireless communications protocol in order to send copies of itself to other computers. It was designed simply to illustrate this weakness, and didn't do anything else. In fact, it was never reported outside of testing conditions, and was even coded with an "internal counter" that rendered it dead after February 24.

Still, it inspired swift action. Apple quickly released a system patch that proofed Mac OS X 10.4.5 against it. Ironically, some other proposed solutions were more problematic than the worm itself. For instance, the U.K.-based company Sophos Plc issued an Inqtana update to its anti-virus software, which recommended that users delete certain files and applications -- many of which were critical (and uninfected). According to the company, the flawed version of its product was available for less than two hours before it was patched.

The other "non-issue" was called Leap by security companies, and originally dubbed Oompa-Loompa (later amended to Oomp-A). That exploit shares characteristics of both a worm and Trojan horse -- a seemingly innocuous program or file that, after getting itself installed, can compromise a user's online privacy.

Oomp-A masqueraded as a desirable image, running a program called a shell script, which directly interfaces with the operating system. It tried to copy and send itself through iChat, Mac OS X's instant-messaging application, to other computers on a local wireless network. Security companies deemed Oomp-A a low risk, with little chance of doing damage. When several Apple experts dissected it, they found Oomp-A to be not only fairly harmless, but also poorly written. As Apple expert Andrew Welch says, "You cannot simply 'catch' the virus [Oomp-A]...you cannot be infected unless you unarchive [decompress] the file, and then open it."

Comments

  • thomas_e_barta@yahoo.com
    I think it is unlikely that many hackers will have the skill to infect OSX; it's not full of holes like Windows. But I agree the Safari bug is worrisome. I warned my relatives about that one.
    Guest (tom barta)
    03/01/2006
    Posts:1
    • Don't be so sure..
      The OSX hackers will! As this article points out, one of the biggest vulnerabilities in OSX is the complacency of its users (myself being one of them). Because of the perception of OSX being 'impenetrable' users are more likely to execute malicious software than perhaps Windows users, who through past experience, have become more cautious of such things.

      Keep an open mind and you'll likely stay safer, even if malware targeting OSX becomes more rampant.
      Guest (Dave)
      03/14/2006
      Posts:1
  • Of course it's vulnerable...
    the anti-virus vendors are all hard at work turning the proof of concepts into exploits. are they going to stand by and watch the size of their addressable market shrink? if not the vendors themselves, then at least some shareholder has an interest in this.

    if apple users want to continue to keep their head in the sand then so be it, but i think apple users are actually more at risk than windows users in ONE respect. A huge % of windows users have some AV running while almost no apple users do. if someone really wanted to do something mean, like manipulate APPLs stock price, then they could easily, given the "head in the sand" mentality of apple and so many users.
    Guest (NetGuru)
    03/01/2006
    Posts:1
    • Patches were released today
      Apple released security patches today that fixed all the aforementioned security holes.
      Guest (DWalla)
      03/01/2006
      Posts:1
      • ..and your point is???
        patches were released today.  Yippeeee!  And does that mean that every vulnerability has been fixed? There are none out there that are not public? 

        Let's talk about an even worse thought...what if professional software developers are working on machines with malware infected compilers. The compilers are quietly adding hooks and backdoors for later exploit.

        Here is the complete list of 100% trusted computing platforms:
        Guest (NetGuru)
        03/02/2006
        Posts:1
        • The point was..
          My impression of this article, and what I think is general knowledge is that yes, there are vulnerabilities in OSX, it's practically impossible to have a totally secure OS that's flexible enough for the consumer market. With security comes sacrifice, usually in functionality.

          What people usually mean when they say OSX is more secure than, say, Windows is that to exploit security holes in OSX there needs to be much more user interaction in the process.

          BTW - With regard to the malware compiler theory, while it could be possible, the people with the skills to build such a virus generally tend to have landed themselves pretty well paid jobs that don't leave them as much time to take over the world as they may have liked =P
          Guest (Dave)
          03/14/2006
          Posts:1
  • Several errors in the piece
    Daniel,

    you got yourself several errors in your piece:

    1. The Bluetooth hole "Inqtana" is exploiting was fixed last year already, not with some swift release of Mac OS 10.4.5. I.e., only people who hadn't upgraded last year were even theoretically vulnerable.

    2. "Eric Bangerman" is really Eric Bangemann

    Cheers,
    Noki
    Guest (Noki)
    03/02/2006
    Posts:1
    • To Noki
      Noki,

      Thanks for the notes. First, Inqtana was fixed with 10.3.9 and 10.4.1, but then needed to be fixed again with 10.4.5. For the sake of not making the timeline too confusing, I did leave that info out.

      As for Eric's name, actually it's Eric Bangeman. I apologize to Eric for my initial typo, which I then propagated.
      Guest (Dan Turner)
      03/02/2006
      Posts:1
      • You made that up?
        >First, Inqtana was fixed with 10.3.9 and
        >10.4.1, but then needed to be fixed again with
        >10.4.5. For the sake of not making the
        >timeline too confusing...

        You made that part up didn't you? If not, where did you learn about this? Not from Apple. Apple has this to say about security in 10.4.5

        "CVE-ID: CVE-2006-0382

        Available for: Mac OS X 10.4.5, Mac OS X Server 10.4.5

        Impact: A malicious local user can cause a system crash

        Description: A malicious local user may trigger a system crash by invoking an undocumented system call. This update addresses the issue by removing the system call from the kernel. Credit to David Goldsmith of Matasano for reporting this issue."
        Guest (James Bailey)
        03/02/2006
        Posts:1
        • To James Bailey
          James, what you describe doesn't seem related to Inqtana, which has had no reports of being able to do anything like causing a system crash. Are you sure you're looking at the correct issue?
          Guest (Dan Turner)
          03/02/2006
          Posts:1
