Mac users shouldn’t let a false sense of security contribute to their computers being compromised by malware or viruses. As Macs continue to grow in popularity, they’ll increasingly become the target of malware. Macs can no longer stand alone; recruit your Macs into an integrated and comprehensive ‘defense in depth’ information security strategy.

The recent compromise of over 600,000 Apple Mac computers by the malicious software “Flashback” illustrates the weakness of the “security through obscurity” approach to information security. Security through obscurity is a passive, arrogant approach that assumes that one can predict an attacker’s lack of interest in one’s computer systems. But any reliance on Apple OS X’s minority operating system status as compared to the much more widely deployed Microsoft Windows is misplaced. Macs are being deployed into the corporate world at an increasing rate. Apple Mac premium pricing indicates that Mac users are more affluent, or more willing to spend, than Windows users. Combine these demographics with a trend indicating that malware is no longer just a playground for “script kiddies” out for after-school fun. Malware is increasingly used by organized criminal elements to target vulnerable computers, infect them, and monetize their infected state. With illicit revenue generation in play, cyber-criminals are likely to target easily compromised computers, not necessarily only those based on Windows. Welcome, Mac users, to the sordid world of malware.

For comparison, the best-practice approach to computer systems defense requires a combination of prescriptive and proscriptive elements (Intivix blog post forthcoming!) to thwart external malicious parties and their software. This layered model of information security, “defense in depth”, is built upon the expectation that no single layer of defense against malicious software (collectively termed “malware”) can succeed against all attacks. This is analogous to bulletproof vests: a single sheet of Kevlar fabric will not stop a handgun bullet fired into it, but layered Kevlar can. To mitigate a single defense’s weakness, a proactive IT department will stack multiple defense layers in the hope of thwarting a majority of potential attack vectors that might target an organization’s systems and data.

But how do we apply a defense in depth strategy, so common in the Windows world, to Macs? Aren’t Apple Macs inherently less susceptible to malware than Windows PCs? Some Mac proponents might look to Mac OS X’s foundation on the long-lived and open sourced Mach kernel and FreeBSD/NetBSD as a testament to its inherent protection from malware. Are Macs invulnerable to malware? No. All but the most trivial software suffers from bugs: programming defects that might expose vulnerabilities or exploitable behaviors in a system. Because open sourced Mach and FreeBSD/NetBSD have allowed the technical community at large to review their code over decades, however, the operating system’s internals have likely been scoured for subtle security vulnerabilities and cleansed of exploitable holes. This makes it harder for a vulnerability to result in a zero-day exploit such as Flashback, but not impossible. (A zero-day exploit is generally one for which no vulnerability mitigations exist, which makes such exploits among the most dangerous attacks.)

As of April 11, 2012, the US-CERT National Vulnerability Database (NVD) lists 92 known FreeBSD and NetBSD high-severity network-based vulnerabilities. For comparison, NVD lists 316 Windows 7 vulnerabilities and 9 for Mac OS X. The low Mac OS X vulnerability count looks attractive until third-party software is included in a composite assessment. Malware authors may not necessarily need to break OS X; they may only need to compromise an application that runs atop OS X. For example, Apple has not been as aggressive as Microsoft and Linux distributions in patching Java Runtime Environment (JRE) releases. There are 162 high-severity network-based JRE vulnerabilities currently listed in NVD, the worst of which were exploited in the Mac’s recent Flashback compromises. Interestingly, Windows computers were less susceptible than Macs to Flashback because the relevant JRE patches for Windows have been available for months.

Last week’s object lesson in the weakness of a security through obscurity approach to Mac malware defense should encourage business users with Macs to join their Windows-using colleagues in the layered defenses that likely already exist in their business environment, or encourage business executive management to mandate information security best practices top-down throughout their respective organizations. We encourage our clients to engage us to assess the current state of the organization’s information security defenses and practices, and to identify any necessary changes or improvements. You certainly can’t rely on obscurity to save you, so if you’re using a Mac you shouldn’t automatically assume that you’re safe.