Backlash

Writing a column containing debatable comments from security experts is nearly as good at filling up your e-mail inbox as the SoBig virus.

Last week, I concluded that Apple Computer Inc.'s Macintosh OS X provided safer computing than Microsoft Corp.'s Windows operating systems -- in part because its small market share offers Internet villains too little opportunity to spread mayhem and partly because OS X ships with all of its vulnerable services turned off. This blocks potential attackers from gaining access to the system's software in the first place.

The disputed quote arose in the effort to ascertain whether OS X is inherently more secure than Windows -- that is, harder to crack -- or whether the dearth of viruses and worms for the Mac is a result of "crackers" considering it not worth the time.

Incidentally, several e-mail writers objected to the use of the blanket term "hackers," which more accurately describes people adept at crunching code, and not necessarily for malicious purposes. "Crackers" is the term preferred for virus and worm writers. A larger group -- the "script kiddies" -- simply download other people's malware and tweak it.

The remark that many readers found objectionable came from Graham Cluley, senior technology consultant of British anti-virus software firm Sophos PLC.

"It's perfectly possible to write viruses for Apple Macs," Cluley said. "Indeed, a Mac has no more inherent security than a PC, but virus writers appear motivated by a desire to cause widespread havoc and so have concentrated on the market leader."

Many readers, most of them computer programmers, vehemently disagreed.

"Your article, and Mr. Cluley's statements in particular, perpetrate a myth regarding the fallibility of *NIX [Unix-based operating systems] when compared to Microsoft Windows," said Burt Janz, a senior software engineer who is president and owner of CCS New England, a computer-services provider in Nashua, N.H.

Janz has developed in all the major operating systems -- Windows, Unix, IBM Corp.'s OS/2, as well as OS X.

While creating a Mac OS X virus is not impossible, Janz said, "the degree of difficulty here is at least 9.5 on a scale of 1 to 10."

Even harder is creating a virus or worm that could access the OS X system. The reason, Janz and several others pointed out, is in part explained by how Unix-based systems handle multiple users on the same machine.

For instance, Mom, Dad and Sis all can have separate user accounts. This also is true of Windows. But in OS X, only an account with administrator privileges can install software -- and even those accounts cannot access or change applications or data in other accounts, especially not the core of the system software.

Furthermore, only a user with "root"-level permissions has full access to the system, but Apple has this access disabled by default. Most users never will go to the trouble of figuring out how to enable the root user, and don't need to -- as nothing a regular user would want to do requires root-level authority.

Denied such access, the damage that any OS X malware could do becomes limited to the account of the user who runs it.

In other words, even if Dad got hit with an OS X virus that wiped out all his data -- and, remember, no OS X viruses presently exist -- the Mac still would operate, and Mom's and Sis's stuff on it would be untouched.

Also, because OS X always asks the user to type an administrator password before modifying anything in the system, attempts to install malware or alter system files immediately would be flagged.

"The virus would have to be an application," said Alan Dail, an independent senior software engineer in Wooster, Ohio. "You'd have to see that it's an application and make a conscious decision to run it for it to actually do anything."

Windows, the programmers said, has no such protections.

The software allows many tasks to execute themselves in the background without the users' permission or knowledge. This maximizes malware's ability to do harm. And, unlike the Mac OS, a user account with administrative privileges on a Windows machine can wreak catastrophic damage to data, programs -- or the system itself.

"Any misbehaving task under Windows is capable of modifying any [non-running program] anywhere on the system," Janz said. "And, when that [executable] file is run, bad things will absolutely happen."

This is how the two most recent malware incidents, the Blaster worm and the SoBig virus, became huge headaches. Each could exploit weaknesses in the Windows code that allowed them to hijack the system and propagate themselves.

Several correspondents also pinned a lot of blame on the Windows e-mail program.

"Microsoft made a decision 10 years ago that their e-mail client, Outlook, should be allowed to run any script that it finds as an attachment to incoming mail," said Darrin Cardani, president of Buena Software Inc., a Chicago-based company specializing in audio-, video- and image-editing tools.

"Since the average user has no idea this feature exists, or even what a script is, they don't know to turn it off -- let alone know how to turn it off," Cardani said.

So a virus like SoBig can infect a Windows machine and e-mail itself out, to everyone in the user's address book, without the user realizing it.

No Mac e-mail program allows this, so Mac users would have to spread a virus like SoBig manually by intentionally mailing it to other users -- not a likely scenario.

In response, Sophos' Cluley said his comments reflected the danger of something like an AppleScript e-mail attachment. AppleScript is OS X's built-in scripting language, and scripts can be launched like programs.

A foolish user could click on such an attachment and cause some damage, Cluley said.

He blamed the success of many Windows viruses on the human element: people clicking on attachments in e-mail despite being told of the dangers.

Still, even Cluley had to admit that Microsoft bore some of the guilt because of its "sloppy coding" -- a sentiment expressed by several readers of last week's column -- and that the open-source Unix core of OS X was, indeed, more secure.

Despite the "trustworthy computing" initiative ordered by Microsoft Chairman Bill Gates in January 2002, most of the millions of lines of code in Windows were written before that. Even if Microsoft is succeeding in writing more secure code, old vulnerabilities will continue to lurk in Windows for years, gradually being found and patched.

A Microsoft spokesperson said the company, based in Redmond, Wash., is "committed to making Windows the most reliable operating system available" and noted that Windows XP's Online Crash Analysis feature allows users experiencing a Blaster-related crash, for example, to upload a report that will redirect them to a page to download the patch.

Another issue raised by readers concerned Cluley's statement regarding the Mac's "security through obscurity" -- arguing the reverse. The real reason no viruses exist for Mac OS X has little to do with its low market share, they say, but rather its near-impenetrability.

Though many amateurs may be looking for, and finding, holes in Windows, the FreeBSD Unix code that forms the foundation of OS X has been prodded by legions of expert programmers for 30 years.

Though a few hardy souls use the Unix offshoot Linux on PCs built for Windows -- they usually wipe Windows off the hard drive -- Unix typically is used in mission-critical roles, powering high-end work stations and file servers.

And, as mentioned earlier, crackers prefer hitting targets that will cause maximum disruption.

"Many orders of magnitude more people look over the source code for OS X and the related BSDs than have access to Windows source code," said John Klos, a developer of NetBSD, a flavor of Unix closely related to OS X.

Thus, many of the obvious holes in OS X were closed years ago. That, some suggested, actually makes OS X a more attractive target.

"If I were a fame-driven cracker with solid technical skills, cracking a BSD-based system would be the fastest way to show off my capabilities," said Rich Morin, a programmer and consultant based in San Bruno, Calif.

"My suspicion, therefore, is that many crackers have tried this challenge and failed," Morin added. Still, he cautioned "nobody has any way to know for sure."

Copyright © 2015, Los Angeles Times