Safe haven for Mac OS users? Unmasking the Security Myth

“I do not need antivirus software because I am using an Apple Mac!” This unsuspecting view was widespread until very recently. In contrast, we hear in the news every day how many threats are looming over Windows to steal, modify or simply destroy our data (for example here, in German). Is it really that easy: can you simply avoid any malware by switching to Mac OS and live an easy life? Now, IBM plans to switch from Windows to Apple Mac (in German) on the devices of its own employees to reduce support and other costs. In addition, IBM has begun to offer the integration of Mac OS into the business environments of its customers as part of its product portfolio. This development pushes Apple to offer OS solutions that fulfill the needs of business environments. But once Apple Mac OS is increasingly used in enterprise environments, it will become a much more interesting and attractive target for cyber criminals.

This article assesses whether Mac OS is really safe or whether this is a myth based on the fact that far less malware seems to exist for Mac OS than for Windows. The article also outlines the past development of the market share of Mac OS and presents vulnerabilities illustrating how prone Mac OS is to malicious attacks.

The small market share is seen as the main cause for the scarcity of malware attacks on Mac OS in the past. The market share of the Mac operating system climbed from 1.8 percent in March 2003 to slightly more than 10 percent in September 2016. By comparison, the market share of Windows operating systems, including Windows 10, 7, XP and Vista, went from 93.2 percent in March 2003 to 77.9 percent. Due to the perceived high reliability, employees in 45 percent of companies can now choose Mac OS on their computers. Thus, attacks will increase further in the future, as Macs have become very attractive for attackers due to the increasing amount of sensitive enterprise data that may be stored on them. Generally, there seems to be a connection between the popularity of an OS, expressed by its market share, and its attractiveness to malware attacks. In the case of Mac OS, this connection is best illustrated in a diagram:


As can easily be seen in the diagram, the market share of OS X has gradually increased, continuing the trend of the years before 2010. Until 2010, the number of newly detected malware files was far below 100 in most years. In the years after 2010, the number of detected malware files literally skyrocketed, with more than 30 times as many files detected by September 2014. This leads to the assumption that there may be a threshold in the general number of installations of an OS. Once this threshold is surpassed, an OS may become interesting to malware authors.

In 2015, there was another big jump: the Bit9 + Carbon Black report should be a wake-up call for anyone still believing in the myth of the safe Apple cocoon. According to this study, which is based on more than 1400 malware samples, five times more OS X malware appeared in 2015 than in the years 2010 to 2014 combined! Here, another threshold may have been passed. This time, it could be the number of Mac OS installations in enterprise environments, making the platform even more interesting to malware authors. In 2014, more than 70 percent of enterprises supported Macs according to a VMware survey of nearly 400 IT professionals. In September 2015, 94 percent of a sample of 500 IT professionals indicated that their company supported Macs. In comparison, only 92 percent supported Windows PCs. Thus, Mac OS endpoints may become very important in a business context in the near future, making them attractive targets for malware authors.

In the past few years, a variety of different threats have targeted Macs, covering practically every kind of malware. Examples include the Flashfake botnet, the Koobface worm, the Mac Defender malware and cryptolockers, as well as phishing and spam.

It is true: there are fewer distinct malware programs that affect Macs. On the other hand, however, the Flashback Trojan alone affected 700 000 Mac users in 2011 and 2012. So there may be fewer types of malware, but they compensate for this in a nasty way by spreading widely.

At the beginning of March 2016, Macs were hit by a fully functional crypto-trojan for the first time. The ransomware, called KeRanger, reached the computers via an infected installer of the Transmission BitTorrent client. It only started to encrypt files three days after infection, so that users may have had difficulty identifying the source of the infection. Apple reacted quickly to the threat, so the crypto-trojan did not infect more than about 6500 users. But alternative ways may be used to infect Macs with this trojan.

There is no denying it: the safety myth was true in the past, but it is not any more. The threats have long been ignored by organizations. This is also shown by the situation at the manufacturers: in the case of the Flashback virus on Apple Macs, a patch took 50 days to be ready and then only worked on some OS X versions. Has this lethargy regarding security also befallen the manufacturers? The manufacturers definitely do not seem to react quickly to a new threat.

In general, there is less incentive for suppliers of endpoint protection, such as antivirus software, to target Apple Macs, as their users demand less endpoint protection than Windows PC users. This leads to fewer and less sophisticated endpoint protection offerings for Mac OS X.

As with malware, vulnerabilities in Mac OS have also experienced an overall increase from 1999 to 2016. So far, vulnerabilities peaked in 2015, when 430 alone were found. In 2016, 216 have been found so far. Between 2010 and 2015, the growth rate of vulnerabilities averaged 63.12 percent. This growth rate is comparable to the vulnerability growth rates of Windows 7 and Windows Vista, which were also supported during the complete time span from 2010 to 2015: 74.82 and 63.73 percent, respectively. These developments may not coincide with the development of the malware file numbers stated earlier in this article, showing, in the case of Mac OS, that market share and the increasing use of Mac OS in enterprise environments are the main factors driving malware creation for Mac OS.

The malware affecting Mac OS exploits different vulnerabilities of the Mac:

  • Malware can insert undesired components into Xcode, the official tool for developing Mac OS software. A well-known example of this is XcodeGhost. In 2015, hundreds of apps from China were built with compromised Xcode versions, enabling attackers to integrate malicious code into the apps.
  • The Gatekeeper and keychain features of the new OS El Capitan, released in autumn 2015, contain vulnerabilities. Gatekeeper checks a new app only once: once the checked program has been opened, Gatekeeper does not scan it again and may overlook malware. The keychain, which manages passwords and other sensitive data, may be manipulated via an infected app, allowing attackers to steal sensitive data.
  • More than 90 percent of malware uses old load commands as its entry point. So Mach-O files with old load commands are much more prone to attack than files with new load commands.
  • Another vulnerability, detected in mid-2015, enables hackers to attack Apple Macs once they are in sleep mode, because the UEFI interface is unlocked while the device is in that mode.
  • Further, an Apple Mac device can help to spread malware even though it is not affected itself. For example, a virus may sit in a file on Mac OS without harming it, but could be passed on to other users.
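The "old versus new load commands" point above refers to how a Mach-O executable declares its entry point: the legacy LC_UNIXTHREAD command (initial thread register state) versus the newer LC_MAIN command. The following triage script, added here as an example and not part of the original article, parses a thin little-endian Mach-O header, walks the load command table with bounds checks, and reports which entry-point style an image uses, so an analyst can flag binaries that still rely on the legacy form. The load command constants are the ones from Apple's mach-o/loader.h; the two sample images are constructed inline (headers and load commands only, no code) so the script runs without a real Mac binary.

```python
import struct
import sys

# Constants from <mach-o/loader.h>; the sample images further down are constructed for this example.
MH_MAGIC = 0xFEEDFACE        # 32-bit thin Mach-O image
MH_MAGIC_64 = 0xFEEDFACF     # 64-bit thin Mach-O image
LC_REQ_DYLD = 0x80000000
LC_UNIXTHREAD = 0x05                 # legacy entry point: initial thread register state
LC_MAIN = 0x28 | LC_REQ_DYLD         # modern entry point: offset of main() within __TEXT
LC_SEGMENT_64 = 0x19
LC_LOAD_DYLIB = 0x0C
LC_NAMES = {LC_UNIXTHREAD: "LC_UNIXTHREAD", LC_MAIN: "LC_MAIN",
            LC_SEGMENT_64: "LC_SEGMENT_64", LC_LOAD_DYLIB: "LC_LOAD_DYLIB"}


def parse_load_commands(data):
    """Return [(cmd, cmdsize), ...] of a thin little-endian Mach-O image.
    Every command must lie inside the sizeofcmds window, so a truncated or
    deliberately malformed table raises ValueError instead of being misread."""
    if len(data) < 28:
        raise ValueError("too short for a Mach-O header")
    magic, = struct.unpack_from("<I", data, 0)
    if magic == MH_MAGIC_64:
        header_size = 32             # mach_header_64 carries an extra 'reserved' field
    elif magic == MH_MAGIC:
        header_size = 28
    else:
        raise ValueError("not a little-endian thin Mach-O image (magic 0x%08x)" % magic)
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    end = header_size + sizeofcmds
    if end > len(data):
        raise ValueError("sizeofcmds points past the end of the file")
    commands, offset = [], header_size
    for _ in range(ncmds):
        if offset + 8 > end:
            raise ValueError("load command table truncated")
        cmd, cmdsize = struct.unpack_from("<II", data, offset)
        if cmdsize < 8 or offset + cmdsize > end:
            raise ValueError("bad cmdsize %d at offset %d" % (cmdsize, offset))
        commands.append((cmd, cmdsize))
        offset += cmdsize
    return commands


def entry_point_style(data):
    """Classify how the image declares its entry point: 'legacy' (LC_UNIXTHREAD),
    'modern' (LC_MAIN), 'both', or 'none' (typical for a dylib)."""
    cmds = {cmd for cmd, _ in parse_load_commands(data)}
    has_main, has_thread = LC_MAIN in cmds, LC_UNIXTHREAD in cmds
    if has_main and has_thread:
        return "both"
    if has_main:
        return "modern"
    if has_thread:
        return "legacy"
    return "none"


# --- Constructed sample images (header plus load commands only, no machine code) ---
def _header64(ncmds, sizeofcmds):
    # cputype CPU_TYPE_X86_64, subtype ALL, filetype MH_EXECUTE, flags 0, reserved 0
    return struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, 2, ncmds, sizeofcmds, 0, 0)

_TEXT_SEG = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72, b"__TEXT",
                        0x100000000, 0x1000, 0, 0x1000, 7, 5, 0, 0)
_MAIN = struct.pack("<IIQQ", LC_MAIN, 24, 0xF80, 0)                         # entryoff, stacksize
_UNIXTHREAD = struct.pack("<IIII", LC_UNIXTHREAD, 184, 4, 42) + bytes(168)  # x86_THREAD_STATE64, zeroed
_LIBSYSTEM = struct.pack("<IIIIII", LC_LOAD_DYLIB, 56, 24, 2, 0x10000, 0x10000) \
    + b"/usr/lib/libSystem.B.dylib".ljust(32, b"\0")

MODERN_SAMPLE = _header64(3, 72 + 24 + 56) + _TEXT_SEG + _MAIN + _LIBSYSTEM
LEGACY_SAMPLE = _header64(3, 72 + 184 + 56) + _TEXT_SEG + _UNIXTHREAD + _LIBSYSTEM


if __name__ == "__main__":
    # Usage: python macho_entry.py [file ...]; without arguments the constructed samples are shown.
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or \
              [("modern-sample", MODERN_SAMPLE), ("legacy-sample", LEGACY_SAMPLE)]
    for name, blob in targets:
        try:
            names = [LC_NAMES.get(c, "0x%08x" % c) for c, _ in parse_load_commands(blob)]
            print("%s: %s entry point; load commands: %s" % (name, entry_point_style(blob), ", ".join(names)))
        except ValueError as exc:
            print("%s: rejected (%s)" % (name, exc))
```

Fat (multi-architecture) binaries and big-endian images are deliberately rejected rather than guessed at; a real triage pipeline would first split a fat file into its thin slices and run the same check on each.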

Generally, malware uses OS X-specific mechanisms like LaunchDaemons or browser plugins.
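Because launchd items (LaunchDaemons and LaunchAgents) are the usual way malware survives a reboot on OS X, auditing them is a cheap first check. The script below is an added example and not from the original article or from Apple: it parses launchd property lists and reports items whose program lives in a world-writable or hidden directory, whose label imitates Apple's com.apple.* naming outside /System/Library, or which run an inline shell script, and notes when such an item is auto-started via RunAtLoad or KeepAlive. The directory and path heuristics are this example's own assumptions, not an official list, and the four sample plists are constructed inline so the script can run offline; on a real Mac it can be pointed at the live launchd directories.

```python
import os
import plistlib
import sys

# Heuristic path lists: assumptions made for this example, tune them to your fleet.
SYSTEM_ITEM_DIRS = ("/System/Library/LaunchDaemons/", "/System/Library/LaunchAgents/")
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/", "/Applications/")
WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
INTERPRETERS = ("/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript", "/usr/bin/perl")


def program_of(item):
    """argv that launchd would execute: 'Program' overrides ProgramArguments[0]."""
    args = [str(a) for a in item.get("ProgramArguments") or []]
    if "Program" in item:
        return [str(item["Program"])] + args[1:]
    return args


def audit_launch_item(plist_path, plist_bytes):
    """Return a list of human-readable findings for one launchd plist (empty list = nothing odd)."""
    try:
        item = plistlib.loads(plist_bytes)
    except Exception as exc:            # plistlib raises several exception types for bad input
        return ["unparseable plist: %s" % exc]
    if not isinstance(item, dict):
        return ["top-level object is not a dictionary"]
    argv = program_of(item)
    if not argv:
        return ["no Program or ProgramArguments"]
    findings = []
    label = str(item.get("Label", ""))
    prog = argv[0]
    if label.startswith("com.apple.") and not plist_path.startswith(SYSTEM_ITEM_DIRS):
        findings.append("Apple-style label %r outside /System/Library" % label)
    if not prog.startswith("/"):
        findings.append("relative program path %r" % prog)
    elif prog.startswith(WRITABLE_PREFIXES):
        findings.append("program in a world-writable location: %s" % prog)
    elif "/." in prog:
        findings.append("program inside a hidden directory: %s" % prog)
    elif not prog.startswith(TRUSTED_PREFIXES):
        findings.append("program outside trusted locations: %s" % prog)
    if prog in INTERPRETERS and "-c" in argv[1:]:
        findings.append("interpreter runs an inline script: %s" % " ".join(argv))
    if findings and (item.get("RunAtLoad") or item.get("KeepAlive")):
        findings.append("item is auto-started (RunAtLoad/KeepAlive)")
    return findings


def audit_all(items):
    """items: {plist_path: plist_bytes} -> {plist_path: findings}"""
    return {path: audit_launch_item(path, data) for path, data in items.items()}


def scan_directory(directory):
    """Collect every .plist in one launchd directory of a live system."""
    found = {}
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist"):
            path = os.path.join(directory, name)
            with open(path, "rb") as fh:
                found[path] = fh.read()
    return found


# Constructed sample plists (invented for this example, not taken from any real system).
SAMPLES = {
    "/Library/LaunchDaemons/com.apple.softwareupdate.helper.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.apple.softwareupdate.helper</string>
<key>ProgramArguments</key><array><string>/Users/Shared/.cache/helper</string><string>--daemon</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
</dict></plist>""",
    "/Users/alice/Library/LaunchAgents/com.example.backup.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.backup</string>
<key>Program</key><string>/Applications/Backup.app/Contents/MacOS/backup-agent</string>
<key>RunAtLoad</key><true/>
</dict></plist>""",
    "/Library/LaunchAgents/com.vendor.updater.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.vendor.updater</string>
<key>ProgramArguments</key><array><string>/bin/sh</string><string>-c</string><string>/usr/local/bin/updater --check</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>""",
    "/Library/LaunchDaemons/broken.plist": b"<plist><dict><key>Label</key>",
}


if __name__ == "__main__":
    # Usage: python launchd_audit.py [dir ...]; with no arguments the constructed samples are audited.
    items = {}
    for directory in sys.argv[1:]:
        items.update(scan_directory(directory))
    for path, findings in audit_all(items or SAMPLES).items():
        print(path, "->", "; ".join(findings) if findings else "ok")
```

The findings are deliberately advisory: a vendor agent living under /usr/local will be reported as "outside trusted locations" until that prefix is added to TRUSTED_PREFIXES, which is the intended way to tune the script to a given fleet.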

Both Windows and Apple are now taking steps to fight malware and protect the users of their respective operating systems. For Windows 10 as well as for Mac OS, these measures include the following steps, even though they are implemented in technologically different ways on the two operating systems:

  • Ensuring that software running on the system has been created by identifiable parties.
  • Auditing software before making it available, for example in an app store.
  • Sandboxing applications, meaning that their actions and access rights are limited to what is needed for their intended functioning. For example, Windows uses a sandboxing approach for enterprise environments called Device Guard that blocks any untrusted applications.

Still, one major vulnerability remains that can easily be bypassed even if the security measures mentioned above are in place: the user. If an untrusted application is downloaded or an infected email attachment is opened, malware attacks may still occur. Windows as well as Mac OS are prone to this vulnerability. Thus, one can say that Windows, even Windows 10, is not perfect regarding its protection against malware. But in the case of Mac OS, we are now learning that it is not perfect either and never has been.

In a nutshell, protecting the operating system is as crucial for Mac users as it is for Windows users. Mac OS has not been and will not be a perfect OS without any vulnerabilities. Thus, the use of endpoint protection such as anti-malware software is essential. Many Mac users may believe that they do not need protection against malware just because they are Mac users. This may create an incentive for criminals to target Macs more than ever. Thus, Apple Mac users need to be made aware of cyber threats. Hopefully, we have contributed to this with this article.

Constanze Lissner

Constanze Lissner is an Information Security Specialist at CSC’s Cybersecurity Consulting. In line with her educational and professional background, she combines consulting and project management excellence with in-depth knowledge of sophisticated and complex security and IT topics.
Some of her fields of interest include IT security of public critical infrastructure and control systems.


Copyright 2017 21st CENTURY IT