Charlie Miller to reveal 20 zero day security holes in Mac OS X

@ColinScatt

For a company touted for it's foresight, I'm really surprised Apple doesn't invest more into it's security. They tout it like it's the best saying "we don't get viruses" but, half the reason is because the hacker community hasn't reared their heads toward it or they already have and just hasn't been known up to now because there's no mass worm/virus knocking out Macs...

@PlatinumSkeet On top of that, you would think they'd kind of see the end coming as their market share grows, and they'd try to stay ahead of security issues as much as possible to hold the big problems off for as long as possible. Eventually there are going to be problems, but you would think they would try to fix things while they have a smaller user base so that when the user base is larger, it gives them an easier time.

@ColinScatt get antivirus if your so worried theres loads of it out there for macs, another 50 quid on top for your two grand machine aint gona hurt ya.

@andy6 Actually, iAntiVirus and Clamxav are free.

@Greg7388 I actually have iAntiVirus, it's mostly just principle that gets me lol. I'm big on business, so it's just so perplexing to me when companies have such glaring problems coming at them and don't (seemingly anyway) do anything about it.

@Mack Stone

Nothing has happened because Mac OSX marketshare has not risen significantly.

Lets go with a few more lies to balance your books.

"Tiger will be a 64 bit OS"
"Leopard will be a fully realised 64 bit OS"
"Now with Snow Leopard we have a fully native 64bit OS"

The point about most of these security holes is if someone uses them chances are you will never notice.

@ColinScatt

it is IMPOSSIBLE !!!

@Mack Stone
Except that ONE zero-day for Windows is a big deal, three simultaneous ones is unheard of since XP SP2 (that I can think of), and I don't think they've had more than three per year on NT6/6.1

@Mack Stone

It's humorous that most of those quotes came from companies who only make money because of the existence of viruses. FUD if you ask me.

@Mack Stone
They used to care about bragging rights. That's why viruses used to do annoying crap like get rid of your start menu or format your hard drive. Now they steal your money/information and care about money.

As for 8.5%: HA! Mac marketshare in the USA may be 8.5% it's below 4% in the world. So if I can spend a bit of time making a flash ad that looks like a Windows security prompt to coax some moron into installing my crap, I'll do that instead of exploiting a security hole.

@Mack Stone

Charlie Miller uses a Mac. How do you explain his comments given that he isn't an Apple hater?

Macs are safer. More secure? Nope, not really.

@Fatherfork Exactly. It's a shame it took up to your post for someone to say something. The post from Mack Stone had quotes from each year, and what are the odds that two main manufacturers of anti-virus software are ""telling you"" that attacks are on the rise. Seriously? I was one of the idiots who started using Norton on my iMac. What did it do for me? It did nothing but ***k up my entire system while it was installed. Random lock-ups and all. Since the uninstall, I haven't had a problem. So who is attacking what here? It's amazing that these companies even bother trying. Many are becoming more aware or know someone savvy enough. I'll watch the market share go up or down, and while I'm doing it I'll enjoy the serenity of being "attack" free for 2.5 years now. Can't say I've enjoyed that leisure w/ my Windows counterpart. I use both so don't bother whining to me.

@ColinScatt

With the ridiculous prices Apple charges, you don't have to worry about it getting popular. It wont. Its perpetually destined to stay under 10% market share.

@ColinScatt so is that the only reason they are better,is that no one cares to hackem,well as the saying goes its a toyota,oh sorry its a MAC

@Mack Stone

How is this troll getting up-ranked? Get off your high horse, security through obscurity is NOT entirely bullshit.

@Mack Stone Dude, you need to stop calling everyone who disagrees with you "Apple Haters".

@N900 You're just a Mack Stone hater. /s

@PlatinumSkeet

We've been hearing the old line that Macs don't get viruses because there are less than Windows PCs for a very long time.

It's been 10 years since Mac OS X has been in existence... and not a single virus attack to date.

Yes there are less Macs than Windows computers. Macs make up more than 10% of all personal computers (Mac users hold onto and use their Macs much longer than the average Windows PC user keeps their computers on average).

There are over 100 Million Mac users... that is not a tiny number, and it is well worth a hacker's time to attack Macs. You would think logically that there would be about 20,000 viruses and malware for Macs (10% of the number existing for Windows for PCs...

But there has not been any virus outbreaks for Mac users in 10 years!

The line about Macs being safe because there aren't many of then is pure FUD.

Most Macs are home computers (although many businesses are entirely or almost entirely Macs). It is mostly home users who get attacked and lose data, since businesses and governments have extensive firewalled servers, and they don't let their users install anything on their PCs.

When looking at just home users, about 1 in 5 are Mac users. If you are a Windows user, think of how many people you know who has a Mac. If you know anyone, you can probably name a few.

Mac OS X is a UNIX based system, and unlike Windows it is built for networked and Internet use. It is inherently much more securely coded than Windows (which has its origins in DOS).

Whenever you hear about hackers who find "security holes" it is because they bend the rules and give themselves permissions that a hacker would not have in the real world.

Just be aware, with all of the so-called "security holes" found and publicised over the past 10 years... and with over 100 Million Mac users... there have never been any virus attacks on Macs.

@Mack Stone
you may be overfocusing on the MAC, but the predictions you cite are pretty much the same going for Linux, as Ubuntu and other debian flavors have grown in popularity massively.

As it was said, the real malware threat are not hackers (remember the MacBook Air was hacked in 2 minutes...http://www.engadget.com/2008/03/27/pwn-2-own-over-macbook-air-gets-seized-in-2-minutes-flat/) but Botnet operators. And a guy who wants to get as many Zombies as he can will not spend a minute finding one of the hundred holes that may be in Safari. Because maybe there are 10 Million Safari installs (non-educated blind guess) on the net and 500 Mio. Internet explorers which may take a day or two or more to find a nice cozy hole to exploit. But the zombie yield for offering his botnet for a competetively priced DDoS attack is just so much higher.

And you probably need more zombies than there are MACs out there for a successful DDoS attack. So why bother about Macs?
It may be harder to get into the barred houses, but you dont have to go all the way to the countryside.

Plus, if a system is compromised well, a normal user on it will never notice.

@N900 I'm a stairs hater because I prefer to take the elevator.

@ElCid
"It may be harder to get into the barred houses, but you dont have to go all the way to the countryside."

Quote of the year ^_^

@ColinScatt

Apple supplies 91% of all computer purchases over $1000.

If I was exploiting computers for monetary gain (identity theft presumably), why would I completely ignore the 8.5% with clearly the most disposable income?

@ColinScatt

Selling music, films and books is more important to Apple nowadays.
I never thought I would say that ten years ago.

@Mack Stone
The only thing your quotes prove is that Mac simply isn't growing fast enough. (insert evil laugh here). Thanks for playing.

p.s. They couldn't even stop us from cracking the IPhone (insert second evil laugh here).

@Mack Stone

I am so sick of the misuse of the term security by obscurity. Security by obscurity has NOTHING to do with marketshare. Security through obscurity has to do with being CLOSED SOURCE as opposed to OPEN SOURCE. Fewer exploits due to small marketshare is security by minority or a host of other terms.

@ViewRoyal

OK, let's clear up a few misconceptions.

"It's been 10 years since Mac OS X has been in existence... and not a single virus attack to date."

Indeed - at least as far as anyone is aware. However since the introduction of Vista virus attacks on Windows machines have also decreased. If you're going to talk about 'OS X' and 'Windows' please ensure you're talking about current versions.

"Macs make up more than 10% of all personal computers."

Where's your source for this? I think the figure is approaching 10% of consumers but not there yet.

"There are over 100 Million Mac users... that is not a tiny number, and it is well worth a hacker's time to attack Macs. You would think logically that there would be about 20,000 viruses and malware for Macs (10% of the number existing for Windows for PCs..."

Well no, you wouldn't. First of all I doubt there are 100 million Mac users in the world - it's probably closer to 50-60 million. Secondly that figure has only been achieved relatively recently and thirdly malware isn't written on a proportionate basis, it's written to maximise impact. Malware for Macs is increasing for the the same reason that Macs are now only just getting the newer games and software as opposed to 10 years ago - it's only recently become worth doing.

"But there has not been any virus outbreaks for Mac users in 10 years!"

Nor any meaningful virus attacks for Vista and W7 for three. Please note - we're being very specific about viruses here. There is and has been malware for both OS S and Vista/W7 for some time.

"The line about Macs being safe because there aren't many of then is pure FUD."

No, it isn't. When you have someone who has very publicly demonstrated that Macs can be broken into through browser vulnerabilities or other methods telling you that this is the case and the entire security community agrees then it is indeed true.

"When looking at just home users, about 1 in 5 are Mac users."

Again you need stats to back this up - this may be true for local regions like the US (although I don't think it is) but certainly not globally.

"If you are a Windows user, think of how many people you know who has a Mac. If you know anyone, you can probably name a few."

Sure. I know eight including myself and all but two of them also run Windows either on their Mac or on another PC.

"Mac OS X is a UNIX based system, and unlike Windows it is built for networked and Internet use. It is inherently much more securely coded than Windows (which has its origins in DOS)."

No. I'm sorry but this is complete nonsense. That's not how it works and unless you can demonstrate why this is the case you should really just quit spouting that sort of crap. Again, when the security community is telling you it isn't any more secure than Windows you should pay attention.

"Whenever you hear about hackers who find "security holes" it is because they bend the rules and give themselves permissions that a hacker would not have in the real world."

Yes. That's how it happens for pretty much any of the current generation operating systems.

@fourthletter
Actually, OS X share has risen dramatically since 2003. Not only that, but it has gotten a shitton of publicity (think about the whining every time an Apple article is posted on Engadget).

Any time you call something secure and virus-proof you put a HUGE bullseye on it.

You're LYING TO YOURSELF if you don't think OS X is a massively bigger target today than it was 7 years ago.

It's not much of a target for the typical russian crime syndicates that just want to make money via massive botnets, but it's a huge target for the underground.

@msgyrd

Even if that were true. MS makes the same ammount on Windows whether the computer is over $1000 or under $400 so what do they care?

That Windows 7 has now sold over twice as many copies as every copy of Mac OX combined is what matters to them.

@UnixSystemsEngineer

I don't know if I would call going from 3.5% to 5.02% all that dramatic.

And Apple market share has been steadily declining since Windows 7 was released, going down about 0.1% every month.

@Mack Stone

In all honesty in order for the hacker community that matters, which is the money grubbing behind the scenes one...not to be confused with the jackass' that want to get their names on a tech site, will probably never bother with the Mac OS.

Until Mac OS makes some kind of dent in the corporate market(10-15%) I dont think anyone that actually matters is going to care or attempt much on the Mac.

At the same time I dont see Mac OS corporate adoption rates rising...ever. So my prediction is that the data on my mom and sister's computer will stay safe and sound.

If facebook hacking becomes ultra lucrative maybe this could all change but I doubt it.

@Mack Stone

If you want to guesstimate the marketshare mac needs to get for it being viable ecosystem for hackers, image that you are a burgler.

Then image you are in a city where 95% of locks are type M, and 5% type A. You wont know which type it is until you try to break in. To which lock would you make a lockpick? Theres no difference in the loot so that doent factor in.

Even if the 5% lock is easy there isn't a point to make a lockpick for it as you can enter into only one house of 20 with it. With the lock M lockpick you have robbed 19 houses compared to the 1 house with lockpick A.

No profit going robber is even going to consider making a lockpick A until there are about 30% of doors with that lock. Some may start to appear at 20%-25% marketshare when it isn't such a waste of time, but still no big profits. At 20% the robber could have robbed 4 houses with lockpick M in same time that robber with lockpick A robbs one house.

@msgyrd
That is what I've long thought myself. Why bother trolling for info on the PC of some dumb redneck (PC) when you're likely to get a more affluent person if you choose a ranmdom Mac? They're smart enough to do the kinds of hacking they do, yet they don't adopt this strategy. It makes me wonder about the reasons why (they can't crack it/bad business plan).

@msgyrd
Yes, because all those liberal arts students with macbooks who hang out in coffee shops are just overflowing with money...

@Funke Tobias Dr
I'd argue that most machines are taken over to be used in botnets, and most personal information thefts happen via phishing and social engineering.

@UnixSystemsEngineer Most attacks consist of turning your computer into a mindless drone on a botnet as well as stealing your personal information and passwords in the process. The largest private networks of computers tend to be corporate networks with the vast vast majority of them Windows based PCs. So it would seem targeting those would be much juicier targets than one offing personal computers of consumers regardless of what OS they use. Its all about getting the most bang for your buck, even with hackers.

@Solipsism

Don't lie to yourself. Software developers and creative professionals love Macs, and neither are low-wage career paths. The rest are people willing to shell out a premium for some reason...so they can either afford it, or think it's worth the [marginal] cost difference, or they're stupid, but still making them good targets. Unfortunately for your irrelevant counterpoint, there's no published data about what a Mac ends up being used for.

Also, your over-exaggerated population of liberal arts students (did you stop and ask them or are you just making stuff up?) sitting in Starbucks own an expensive computer and are drinking $5 coffees. Some are possibly even making money while sitting there(paid writers don't go to an office, freelancers can work anywhere). You just sound jealous really.

@Mack Stone its not convenient nonsense...its true. it is really security through obscurity. i'm a mac user and a windows user...i haven't gotten any malware on either. I know for a fact that windows is more secure not only because i've been a long time user, but i've actually researched on both systems. wait 'til hackers stop believing that macs are a waste of time for them. every stupid mac fanboy will be crying...

@MarkAnderson
Thank god someone here has a brain


Apples market share is just too low, im sure that when it gets to about 20% of all computers in use, someone will be interested in creating a virus.

Now, im no computer expert, but i assume that viruses (effective ones anyway) are VERY hard work to make, why would you bother if you can only effect about 10 people if you COULD infect about 10000? (not exact figures, just an example)

other than that, apple users really should look into security, usually im an apple hater, but in this situation (concerning security of personal information) i pity the apple users, theyre often led to believe that their system is unhackable, and it really isnt, Mac users really should be informed on security (although, i understand security for macs is hard to come by)

Also, im sure in the past 3 months ive seen about 5 instances about mac vulnerabilities, one was this guy using an MP3 that he put up on limewire to spread something that stole peoples passwords

@Ioncloud9: Corporate networks have network administrators, who operate firewalls. You can't send public email from a machine inside a corporate network (except via the corporate mail server which will not forward large volumes of spam), and your botnet client can't connect to the IRC server that sends it its orders. If this trojan actually uses outgoing http on port 80 to get its commands, and honours the Windows proxy settings, then that part will work, so you could make a DoS attack... except that your DoS attack is going to go through the corporate proxy, which will spot large volumes, trigger warnings, and quickly get it stopped.

On a home PC, whether Windows or Mac, there is usually no administrator to speak of and no firewall (well, there is a firewall, but not the type of firewall that really stops trojans doing things).

A long time ago, the place I work didn't have a firewall. We also had a print server in the office opposite that, until network administrators did eventually spot it just from traffic information, was serving a large portion of the EU's pirated movie needs. :) But that sort of thing is rarely going to happen these days. People who write trojans are better off targetting home computers.

If you want to attack corporate systems it's better to go for web servers which are usually so full of holes (or 'PHP' as we call it in the trade) that anybody and their dog can get in there. Most of these holes are cross-platform anyway, but nobody ever runs web servers on a Mac - they're mostly Linux, or Windows. (I'm not quite sure why anyone would run web servers on Windows either - hello, it's a web server, you don't need the machine to run Office or Photoshop or whatever reasons there are to use Windows. But some people do.)

Back to home computers, as for the security through obscurity thing HELL YES. (And yes I'm a Mac user.) Most computers have security holes, and Apple take a long time to patch theirs. Although Apple historically had a major, genuine security advantage - no Internet Explorer - that's less significant these days.

Security through obscurity only doesn't work when you're an individual, specifically chosen target - e.g. corporate espionage, things like that. For general mass attacks that are the vast majority, it's great.

@(Unverified)

There are several reasons to run IIS, .NET being the biggest.

@(Unverified) Do you have any idea what these guys are even talking about. Do you really think a corporate firewall, like there is only one firewall, is going to stop a sophisticated botnet. The whole idea of a botnet is not to flood any network with tons of traffic to one location but to spread the load over huge amount of nondescript locations. Conficker for example was running undetected until 2008 on an estimated 6,000,000 to 15,000,000 PC's. These were not just "home" users they found these guys in every major network in the world, tens of thousands of those being US Gov systems alone, not to mention the French Navy, UK defense, russian FSB... They also found infected computers inside more than half of the Fortune 1,000 companies and more than 40 major banks. Do you think the feds and wall street guys take security as lightly as Apple? I think not. Conficker has updated itself 4 time, it uses over 50,000 domains to do so. Its not as easy a setting up firewall rule to block these kind of things. Hell the thing can install it self on a USB and travel around for workstation to workstation, work to home, home to work.

Apple is building a new 500,000 square feet of data center, to me that is looking more and more like a big juicy bulls eye. You guys had better decide to START taking malicious software seriously. I can see it now you guys are going to move all you data to the cloud with a smile talking about how grand it is that your baby pictures sung and secure your with S Jobs but you'll forget that there are people looking to mess with your shit. They just need some incentive. Just because apple systems don't contain data with any real value to hackers.I would guess it's of value to you, what would happen to AAPL ( that's apples ticker symbol for those of you who are still living of mom and dads dime) if someone wrote some code to that brought that data center down for a day or two or god forbid wiped out you data.

Can you say SHORT in Russian? how about the Chinese?

@MarkAnderson

"OK, let's clear up a few misconceptions."

Sure - why don't we actually do some research and clear up some misconceptions... instead of just guessing and spouting out stuff that we actually don't know anything about...
------------------------------

"...If you're going to talk about 'OS X' and 'Windows' please ensure you're talking about current versions."

Actually, windows 7 is susceptible many of the vista/xp viruses.
http://rixstep.com/1/1/20091103,00.shtml

OS X has had ZERO viruses in ten years. (Any version of OS X. Of course, OS 9 (pre-unix kernel) had plenty of viruses. Because OS 9 was less secure - not because of the size of OS 9 market share.)
------------------------------
"...Where's your source for this? I think the figure is approaching 10% of consumers but not there yet."

There aren't very many good ways to measure this, other than comprehensive door to door surveys around the world. Pretty unrealistic. What you can do is monitor the operating systems used by people hitting websites. Several companies have been doing this for years. In a study released last month (Feb 2010) and published a couple of weeks ago, 10.9% of web visitors were using OS X and 86.8% were using Windows.

http://osxdaily.com/2010/03/02/mac-os-x-market-share-up-29-last-year-now-10-9-of-web-consumption/
------------------------------
"...First of all I doubt there are 100 million Mac users in the world - it's probably closer to 50-60 million."

As of June 2009, there were 75 million "active" users. Looking at sales figures for the last few quarters, that number is likely now well above 100 million.

http://www.cultofmac.com/wwdc-mac-users-triple-in-last-2-years-to-75-mill/11492

"Secondly that figure has only been achieved relatively recently"

Yep.

"and thirdly malware isn't written on a proportionate basis, it's written to maximise impact."

Really? Ok, if you say so; I'm no expert in the psychology of malware writers. Perhaps to "maximise" impact, you should write for every platform, not just one. Perhaps you should write for the platform that has nearly zero anti-malware software installed; you know - to get a bigger impact.

"Malware for Macs is increasing for the the same reason that Macs are now only just getting the newer games and software as opposed to 10 years ago - it's only recently become worth doing."

Right... as opposed to the pre-OS X days when there was more mac malware than there is now. I think I'm starting to see some holes in your arguments...

------------------------------
"Nor any meaningful virus attacks for Vista and W7 for three. Please note - we're being very specific about viruses here. There is and has been malware for both OS S and Vista/W7 for some time."

Wow - this time you totally missed the mark. Let's use your word and talk about "meaningful" malware attacks on Vista and Windows 7 vs. OS X. Maybe I should ask YOU to provide your sources on this one. I can't find ANY evidence of a "meaningful" malware attack on Mac OS X ever. There have been several for both Vista and Windows 7.

I assume that by "meaningful", you mean either significant numbers or significant damage. Please let me know if there have ever ever ever been any "meaningful" malware attacks on OS X. Thanks.

------------------------------
"No, [the idea that Macs are only safe because of their small market share] isn't [an attempt to spread FUD]. When you have someone who has very publicly demonstrated that Macs can be broken into through browser vulnerabilities or other methods telling you that this is the case and the entire security community agrees then it is indeed true."

I think you need to look a little more closely at what you can actually do with the bugs that Charlie finds.

------------------------------
" 'When looking at just home users, about 1 in 5 are Mac users.'

Again you need stats to back this up - this may be true for local regions like the US (although I don't think it is) but certainly not globally."

Yeah - that 20% (1 in 5) number seems a little high to me too. Regarding stats though, I'd like to see some from you on the other topics covered here.

------------------------------
" 'Mac OS X is a UNIX based system, and unlike Windows it is built for networked and Internet use. It is inherently much more securely coded than Windows (which has its origins in DOS).'

No. I'm sorry but this is complete nonsense. That's not how it works and unless you can demonstrate why this is the case you should really just quit spouting that sort of crap. Again, when the security community is telling you it isn't any more secure than Windows you should pay attention."

You're right and wrong. Unix has a much stronger legacy of stability and security vs. Windows; however, things have changed and this is pretty much nonsense now. That being said - it's important to understand that the "security community" is not an unbiased party in all this. There is a vested interest in convincing people that OS X is insecure whether or not it's true. (Back to that FUD thing again.)
------------------------------

" 'Whenever you hear about hackers who find "security holes" it is because they bend the rules and give themselves permissions that a hacker would not have in the real world.'

Yes. That's how it happens for pretty much any of the current generation operating systems."

Pay attention to the results of the Pwn2Own contest this year. The contest starts with pretty rigid rules and then they relax those rules until someone wins.

@ColinScatt Contrary to the article, he's not releasing details of the exploits, merely how he found them by injecting code into closed source apps to see how they reacted.

Wonder how many came from the Flash plugin this time.

@bifikus
You wrote: "..not to be confused with the jackass' that want to get their names on a tech site, will probably never bother with the Mac OS."

That statement is complete NONSENSE! A "jackass" that wants to get their name in lights would FOR SURE want to be the FIRST virus on the Mac where their name will even make the front page of CNN, and not lost in the thousands of Windows based virus where they get barely a mention unless they are massively destructive and wide spread. A simple, small footprint virus, one that even just puts up a "Hello World" dialog will be the talk of the Tech world!

This "security by obscurity" crap for this reason, and the fact that Mac users have more $$$$, hence buying more expensive hardware, and in shear numbers when compared to the number of non-protected Windows boxes anymore, and the entire market-share argument falls apart!

The fact is I have been reading these SAME articles, just search and replace author and quoted security experts, for ten years, and I still do not run anti-virus software.

THAT IS A FACT AND NOT AN OPINION!

@MarkAnderson "Indeed - at least as far as anyone is aware. However since the introduction of Vista virus attacks on Windows machines have also decreased. If you're going to talk about 'OS X' and 'Windows' please ensure you're talking about current versions.since windows"

By current you mean release or system that is being used? vista? what? wasn't that installed on about 100 machines? Why not add in windows ME and really get crazy? That whole operating system was a virus.

@vandrook Nice exaggeration, but not quite. I'm not sure of the validity of these statistics but they show usage statistics of web browsing and what OS were being used. Appears to be correct to a degree, but the traffic on the logged sites effect things

http://www.w3schools.com/browsers/browsers_os.asp

@Ebonwumon open source barns?