Mac OS X Lion: Losing its security pride

The past couple of weeks have not been the best for Mac OS X's security reputation.

Recently, anti-virus firm F-Secure detailed a Trojan dropper that will insert a backdoor onto targeted systems. During the attack, a PDF is forcibly opened, designed to distract the end user from the shenanigans going on in the background.

According to F-Secure, the PDF file is written in Chinese and is politically inflammatory. While the PDF launches, the malware is downloaded from a remote server located in Russia and then dropped onto the system.

This week, Mac security software maker Intego said it discovered a new, albeit low-risk, Trojan that pretends to be an Adobe Flash Player installer. According to Intego, users visiting certain malicious websites may see a link or an icon to download and install Flash Player. Since Mac OS X Lion does not include Flash Player, some users may be fooled and think this is a real installation link, Intego said in an advisory.

It's those users who keep their standard system settings that are at the greatest risk, Intego says. Because the Safari browser is set by default to consider installer packages (files with a .pkg or .mpkg extension) as safe, the installer will launch automatically after download unless users change that default. Intego advises users to remove those settings.

If the Trojan and malware are installed, according to the vendor's analysis, it will then attempt to shut down certain network security software and delete its own installation package. It will then install attack code that enables it to inject code into the applications the user launches. Intego says it will release more information about the code the Trojan inserts after it has completed its analysis.

In another recent scratch on OS X Lion's security luster, security researcher Patrick Dunstan posted on the Defense in Depth site about how OS X Lion's passwords can be maliciously changed. This is made possible, according to Dunstan, because Lion enables non-root users to view password hashes by extracting the data directly from Directory Services. That could be scary enough, but unfortunately, according to Dunstan's research, Directory Services in Lion doesn't require user authentication when performing a password change, which makes it easier for attackers to change passwords for you.

Do such security design missteps and a recent bump in OS X attack software mean OS X users need to brace for a wave of fresh attacks and exploit code?

Mac security firm Intego believes so. "The past year has seen a huge increase in Mac malware. Not only are malware creators targeting Macs more, but they are also improving their techniques. The code in this new Trojan horse is very sophisticated and shows a good knowledge of Macs," said Peter James, global spokesperson for Intego.

When asked to provide figures to substantiate that malware authors were targeting Macs in much greater numbers, Intego did not do so.

Rich Mogull, analyst and founding CEO at the IT security research firm Securosis, says that while there may be an uptick in Mac malware -- and there have been some security design mistakes -- the threat landscape for Mac users hasn't changed very much.

"The default trusting of installer packages is something Apple should change, but it's a setting users can correct themselves," Mogull says. "As for the risk of increased malware, that's not something I'd be concerned about. It's not as if OS X is going to experience the type of malware problem we all saw with Windows XP," says Mogull.

George V. Hulme writes about security and technology from his home in Minneapolis. You can also find him tweeting about those topics on Twitter at @georgevhulme.


George V. Hulme

CSO (US)