Mac security not so much about the Mac

The scalp of Mac OS X has been waved trophy-like after being hacked in controlled environments, yet security researchers are hard pressed remembering the last time a Mac was compromised in the wild.

Macs, according to most security experts and analysts, remain a safe computing option, however safe does not mean secure--its software, like software for PCs, is written by humans and contain flaws, which are technically exploitable.

But market share still provides some shelter to Mac users. Even though Apple's market share continues to grow quarter by quarter, the company's products account for just 5.8 percent of the total U.S. market for PCs, according to IDC.

"Market share equals money" to the hacker criminals of the world, according to Charlie Miller, a researcher at Independent Security Evaluators.

Miller made headlines last month by taking control of a MacBook Air as part of the CanSecWest conference's "Pwn to Own" contest. He used a previously unadvertised flaw in Apple's Safari browser to gain control of a system that was directed to a malicious Web site, earning himself and his team US$10,000 and a new MacBook Air.

"Even if Apple moved to 10 percent market share, why spend the time on the 10 percent when you can just nail 90 percent with one bug?" Miller said. It's far easier, and far more lucrative, for hackers to spend their time going after the other 90-plus percent of computers in the world than it is to try to exploit flaws in the Mac.

Changing of the threat
Taking control of a computer through flaws in the operating system is a thing of the past, according to Mike Romo, product manager for Symantec's Mac product line. "Trojan horses and viruses are yesterday's news," he said. Today it's about using the browser as the entry point into the system or hacking Web sites.

At the CanSecWest conference, no one was able to take control of three laptops in play (the MacBook Air, a Fujitsu running Windows Vista Ultimate, and a Sony Vaio running Ubuntu) when attacks were confined just to the operating system. But Miller's Safari exploit, and the Flash flaw later exploited by Shane Macaulay, Derek Callaway, and Alexander Sotirov on the Vista laptop, show how security threats now focus on the browser, rather than the operating system.

Phishing and social engineering is the easiest path to someone's wallet versus trying to take over their system, Romo said. "The OS is not really the target anymore for these next generations of threats; it's taking advantage of the fact that people are spending more time online. People are much more comfortable with entering a credit card number than they ever have before," he said.

The debate about Windows versus Mac OS--at least in terms of security--is passé. More important today are the differences between Internet Explorer, Firefox, Safari and Opera. It's also about things like QuickTime, which Apple has patched extensively since the "Month of Apple Bugs" project last year.

Symantec distributed some research this week showing that 22 vulnerabilities were reported for Safari in 2007, compared with 88 in Mozilla browsers like Firefox, 18 in Internet Explorer, and 12 in Opera. It should be noted that counting the vulnerabilities is not the best way to measure the security of a piece of software, and can be explained in part by increased interest on the part of security researchers in investigating Firefox and Safari, as they become more widely used.

And, as the Symantec research highlights: "as security researchers have focused more efforts in discovering vulnerabilities in these browsers, the theory that this would result in much greater levels of malicious activity targeting these browsers in the wild has not yet been borne out."

Regardless how secure vendors make browsers, phishing scams like the Nigerian 419 e-mail messages, are almost impossible to track and protect against before people are affected. Social engineering is far more effective over time than trying to exploit a flaw in Vista or Mac OS X, Symantec's Romo said.

It is indeed a social problem, said Romo. People who are nervous around computers often just do whatever the computer tells them to do, Romo said. Apple's decision to ship a new of Safari to Windows users is a case in point--many people didn't realize that they didn't have to do what the computer was telling them to do.

Miller and Romo--both Mac users--worry that the need for greater security to protect people from themselves will force Apple to change the way the Mac handles certain tasks, potentially taking away some of the Mac's ease of use. Leopard already takes a step in this direction, Miller noted, though not nearly as far as the User Account Control feature introduced in Vista, to much derision. But Apple's not going to adopt Microsoft's security strategies for Mac OS X, until users demand it or hackers force its hand. They simply don't have to. Until then, quick, diligent patching and a wider embrace of the security community will more than do its part in keeping the Mac secure.

Education and "safe surfing" practices are as important to this era of security as anything having to do with counting flaws or patching practices. Maybe that's the third rail of technology writing: it's not always the mean evil corporation's fault; sometimes, it's yours.

This article was first published as a blog on CNET News.com.