Mac OS X Lion: Losing its security pride

The past couple of weeks have not been the best for Mac OS X's security reputation.

Recently, anti-virus firm F-Secure detailed a Trojan dropper that will insert a backdoor onto targeted systems. During the attack, a PDF is forcibly opened, designed to distract the end user from the shenanigans going on in the background.

According to F-Secure, the PDF file is written in Chinese, and is politically inflammatory. While the PDF launches, malware is dropped after it downloaded from a remote server located in Russia.

This week, Mac security software maker Intego said it discovered a new, albeit low risk, Trojan that pretends to be an Adobe Flash player installer. According to Intego, users visiting certain malicious websites may see a link or an icon to download and install Flash Player. Since Mac OS X Lion does not include Flash Player, some users may be fooled and think this is a real installation link, Intego said in an advisory.

It's those users that keep their standard system settings that are at the greatest risk, Intego says. Because the Safari browser is set to consider installer packages as safe (those files with a .phg or .mpky extension) it will automatically launch after download if their settings aren't changed from the default. Intego advises users remove those settings.

If the Trojan and malware are installed, according to the vendor's analysis, it will then attempt to shut down certain network security software and delete its own installation package. It will then install attack code that enables it to inject code into the applications the user launches. Intego says it will release more information about the code the Trojan inserts after it has completed its analysis.

In another recent scratch on OS X Lion's security luster, security researcher Patrick Dunstan posted on the Defense in Depth site about how OS X Lion's passwords can be maliciously changed. This is made possible, according to Dunstan, because Lion enables non-root users to view password hashes by extracting the data directly from Directory Services. That could be scary enough, but unfortunately, according to Dunstan's research, Directory Services in Lion doesn't require user authentication when performing a password change: which makes it easier for attackers to change passwords for you.

Does such security design missteps and a recent bump in OS X attack software mean OS X users need brace for a wave of fresh attacks and exploit code?

Mac security firm Intego believes so. "The past year has seen a huge increase in Mac malware. Not only are malware creators targeting Macs more, but they are also improving their techniques. The code in this new Trojan horse is very sophisticated and shows a good knowledge of Macs," said Peter James, global spokesperson for Intego.

When asked to provide figures to substantiate that malware authors were targeting Macs in much greater numbers, Intego did not do so.

Rich Mogull, analyst and founding CEO at the IT security research firm Securosis, says that while there may be an uptick in Mac malware -- and there have been some security design mistakes -- the threat landscape for Mac users hasn't changed very much.

"The default trusting of installer packages is something Apple should change, but it's a setting users can correct themselves," Mogull says. "As for the risk of increased malware, that's not something I'd be concerned about. It's not as if OS X is going to experience the type of malware problem we all saw with Windows XP," says Mogull.

George V. Hulme writes about security and technology from his home in Minneapolis. You can also find him tweeting about those topics on Twitter at @georgevhulme.

Read more about network security in CSOonline's Network Security section.

This story, "Mac OS X Lion: Losing its security pride" was originally published by CSO.

From CIO: 8 Free Online Courses to Grow Your Tech Skills
Join the discussion
Be the first to comment on this article. Our Commenting Policies