I caved in. I had all intentions of pre-emptively spending my $900 government handout on a $700 HP netbook this weekend. But I was pwned by a shiny little MacBook in about the time it took white hat Charlie Miller to hack its upscale brother, the MacBook Air.
So am I more secure now that I use a Mac without antivirus software than in my former life under a Windows machine with it?
The debate over Mac security compared with Windows is a long-running one. Apple considers Mac OS X so safe that late last year it removed a page on its site which Washington Post security blogger Brian Krebs had found.
Apple encouraged the "widespread use of multiple antivirus utilities" back then. Click it today, and you get the message as seen in the image below.
(Screenshot by Liam Tung/ZDNet.com.au)
Apple's reason for taking down the old message?
"It was old and inaccurate," Apple told Krebs. "The Mac is designed with built-in technologies that provide protection against malicious software and security threats right out of the box." It did concede that OS X wasn't bulletproof; antivirus (AV) "may offer additional protection," it said.
But how is that different to Windows Vista?
Since removing the article, Apple hasn't published a position on the issue, but Mac users on its support forum have closed the case on the matter: AV is unnecessary.
It's not surprising Apple would focus on its built-in technologies, especially when security researchers have begun paying more attention to them. Apple's growing user-base is still seen as a likely trigger for malware writers to start devising nasty payloads. Dino A. Dai Zovi, a buddy of Charlie Miller — the "prize" hacker who recently pwned a MacBook in 10 seconds — recently released his research on the subject.
Zovi's assessment was that while threats and the likelihood of attack are currently low for OS X, vulnerability is high. The chink in Leopard's armour is how it handles memory corruptions, such as a buffer overrun — a flaw that can be triggered by an attacker, which causes data to be stored beyond the boundaries of a "buffer". When that extra data is overwritten to a nearby memory location the process could crash, or allow malicious code to run.
One solution to this problem is known as address space layout randomisation (ASLR), which, according to Wikipedia, involves randomly re-arranging the positions of key data areas.
You might be interested in:
Microsoft took the lead, at least on ASLR, from the OS X cousin OpenBSD in this respect, announcing its use in the beta version of Vista in 2006.
Since then IBM security researcher Mark Dowd has tested Microsoft's implementation of defences against this type of attack in Windows Vista, looking at how Adobe Flash bugs could be used to beat them.
So am I more secure now that I use a Mac without antivirus software than in my former life under a Windows machine with it?
These defences don't stop, but reduce the likelihood of an exploit working. Dowd's work attempted to increase the likelihood of them working.
Today, OS X has fallen behind on several fronts, compared to Linux and Vista, says Zovi, whose research paper can be found here. His conclusion: "Mac OS X is significantly lacking in memory corruption defence features compared to other current operating systems like Windows Vista and Linux: ASLR, Non-eXecutable memory, stack and heap memory protections."
His proof? The CanSecWest hacking competition. Charlie Miller pointed out last week to Zero Day's Ryan Narraine about his latest exploit: "With my Safari exploit, I put the code into a process and I know exactly where it's going to be. There's no randomisation. I know when I jump there, the code is there and I can execute it there. On Windows, the code might show up but I don't know where it is. Even if I get to the code, it's not executable. Those are two hurdles that Macs don't have."
It's interesting to see Microsoft has leapfrogged Apple on some very important counts (probably out of necessity), and that OS X could be hacked so quickly. But does any of this really matter to the user? Well, I think I'll just relish in my AV-less state for now, and enjoy the fact there aren't an army of Charlie Millers across the globe each with a $10,000 incentive to find more holes and devise payloads.
Linkedin 
RSS Feeds 
Newsletters 
Alerts
