Antivirus on OS X: The risk equation
Peter Tippett, December 22nd, 2008
by Peter Tippett and Kevin Long
This is Part II of a three-part series on OS X security. Please read Part I if you haven’t already.
Before we go further, a review of the Verizon Business RISK Team’s risk equation is in order. Risk is traditionally thought of as the product of Likelihood * Impact (Cost). In the world of computers, the Likelihood is itself the product of Threat, which is the frequency of attempts of an attack, and Vulnerability, which is the likelihood of success of an attempted attack considering all countermeasures that are already in place. Thus, Risk = Threat * Vulnerability * Impact.
For the purposes of this discussion, Impact is consistent across platforms, so Threat and Vulnerability are the factors that will be addressed.
The threat of attacks against OS X systems has traditionally been significantly lower than that against Windows systems. When OS X was introduced in 2001, reasons cited for that could have included the following:
- Malcode writers were unfamiliar with the operating system.
- Malcode writers were less familiar with the PowerPC (as opposed to x86) architecture.
- Malcode writers were unlikely to own a Mac on which they could experiment.
- Malcode writers wanted their code to infect the greatest number of systems possible; notoriety was a primary motivation.
It’s almost 2009, so we have to update that list:
- Apple migrated to the Intel processor architecture; you can no longer buy a PowerPC Mac.
- Macs can no longer be considered rare or exotic; a new system can be purchased for under $600.
- Profit is the primary motivator for most attackers.
Despite those significant changes, the threat to OS X systems remains minimal. January 2007 saw an entire month devoted to the publishing of Apple bugs, but February 2007 did not bring a noticeable bump in pwned OS X systems. Criminals are still concentrating their efforts on compromising Windows systems because that is what brings them the greatest profit. So the Threat in our equation is low enough that it renders the overall Risk of using OS X relatively small. Others have come to the same conclusion, sometimes using interesting methods of analysis.
This brings us to the Vulnerability portion of our equation. Lest we sound like Apple apologists, note that we have reminded our customers on numerous occasions that Mac users can hurt themselves just as effectively as can Windows users. This situation is not improved by some of Apple’s default configurations, such as leaving the firewall off and having the Safari browser “open ‘safe’ files after downloading.” That last item removes a hurdle for an attacker attempting to social engineer a potential victim.
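A quick way to check the two defaults named above on a Mac, as an added example that is not from the original post. It assumes the firewall state is stored in `globalstate` under `/Library/Preferences/com.apple.alf` and Safari's option in `AutoOpenSafeDownloads` under `com.apple.Safari`; newer releases may keep Safari's preferences elsewhere.

```shell
#!/bin/sh
# Added example: audit the two OS X defaults discussed above.
# Assumed preference keys (not given in the post):
#   /Library/Preferences/com.apple.alf  globalstate
#       0 = firewall off, 1 = on, 2 = on and blocking all incoming
#   com.apple.Safari  AutoOpenSafeDownloads
#       1 = open "safe" files after downloading, 0 = do not

# Map the raw firewall value to a verdict.
# An unreadable or missing key is treated as FAIL.
firewall_verdict() {
    case "$1" in
        1|2) echo "PASS" ;;
        *)   echo "FAIL" ;;
    esac
}

# Safari opens "safe" files unless the key is explicitly turned off,
# so a missing key (empty string) means the default is still in effect.
safari_verdict() {
    case "$1" in
        0) echo "PASS" ;;
        *) echo "FAIL" ;;
    esac
}

# Read both settings and report; returns non-zero if either check fails.
audit() {
    fw=$(defaults read /Library/Preferences/com.apple.alf globalstate 2>/dev/null)
    dl=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null)
    fw_result=$(firewall_verdict "$fw")
    dl_result=$(safari_verdict "$dl")
    echo "Firewall enabled:          $fw_result (globalstate='$fw')"
    echo "Safari auto-open disabled: $dl_result (AutoOpenSafeDownloads='$dl')"
    [ "$fw_result" = "PASS" ] && [ "$dl_result" = "PASS" ]
}

# Run the audit only where the `defaults` tool exists (i.e. on a Mac).
if command -v defaults >/dev/null 2>&1; then
    audit || echo "One or more defaults still need changing."
fi
```

Under the same assumption, `defaults write com.apple.Safari AutoOpenSafeDownloads -bool false` turns the Safari option off; the firewall is enabled from the Security pane of System Preferences.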
Increasingly, criminals are focusing their attacks on the application layer. OS X can run many of the same web applications that are attacked on other platforms, so it can be made vulnerable to the plethora of PHP, WordPress, and Apache exploits that populate hacking tool repositories. And while Mac users don’t have to worry about Internet Explorer vulnerabilities, they can fall victim to attacks against their default browser, be it Firefox or Safari.
OS X currently enjoys a low level of Threat, which results in a low level of Risk. Clearly, though, the potential for attack exists. Given that fact, should OS X users install an antivirus application at their earliest convenience? Stay tuned for the conclusion to our series on OS X antivirus.
Tags: anti-virus, antivirus, Apple, Apple security, AV, Inqtana, Leap, Leopard, Mac, Mac AV, Mac security, OS X, risk, RSPlug, Safari, security, Threat, Tiger, Vulnerability




