New worms attempt a bite out of the big Apple

Long touted as a superior OS when it comes to security, Apple's OS X has come under fire in the past few weeks with the emergence of a high-risk OS vulnerability as well as two worms that target Macs. Is it the end of an era, or is Apple just finally catching up? John McCormick has the details in this edition of the IT Locksmith.

Is it a Big Mac attack? Two new malware threats and a major security hole have plagued the supposedly secure OS in the past month, which should give Mac advocates pause—or at least send them scurrying to buy antivirus software.


In the past few weeks, Apple's Mac OS X has taken some very serious security hits, leading some of us professionally paranoid security types to wonder if we're finally seeing the long-expected surge of attacks on Apple systems. I never did buy into the theory that Apple's software was immune to malware or significant vulnerabilities—I've always figured that vandals attack the most obvious target, which is why Microsoft vulnerabilities are so often in the security headlines.

Apple's Mac OS X simply hasn't seen enough popularity to tempt cyber-vandals when Microsoft offered such a gigantic—and vulnerable—target. But, as users of Mozilla's Firefox have found, as a niche product gains market share, it simultaneously garners the interest of those who wish to show off or simply cause mischief.

And it looks like the month of February turned out to be very interesting for these people: Two worms that targeted Mac OS X and a serious flaw in Mac OS X itself have made headlines this month.

The first worm, dubbed Leap-A, spreads via Apple's iChat instant-messaging utility, and it only appears to affect Mac OS X 10.4 platform files. (While Apple upgraded OS X 10.4 to OS X 10.5 a few weeks ago, performing the upgrade may not be a particularly good move at this time either.) This malware is spreading in the wild, but initial infection rates appear to be very small.

According to Symantec's report, the name of the iChat IM attachment is latestpics.gz, which has an apparent size of 2314.7 MB. If the attack is successful, the worm installs its components, deletes some files on the vulnerable system, and, unless the system is an Intel-based computer, attempts to spread. Symantec says that Intel-based systems are subject to damage from the worm but won't allow it to spread.

The second malware threat is actually only a test version or proof-of-concept worm known as Inqtana.A on almost all antivirus vendor lists. The worm uses a Bluetooth attack vector (input validation vulnerability) to spread. However, because it lacks an active payload, Inqtana.A is more of a warning shot across the bow of Mac OS X users than a credible threat.

And if the first two worm threats weren't enough for February, a newly reported vulnerability in OS X has also surfaced. While this is probably a more serious blow to those who tout Apple's security superiority to Microsoft, the new remote code execution threat is quite reminiscent of all those Web site-based attacks that plague the Microsoft Windows and Internet Explorer world.

According to Symantec's report, this high-risk OS X archive metadata command execution vulnerability, discovered on February 21, affects those using Safari and Apple Mail. Version 10.4.5 of Mac OS X and Mac OS X Server are definitely vulnerable, and earlier releases may also be susceptible.

Apple is reportedly working on a patch. As of this writing, the latest update posted was an update to the vulnerable Mac OS X 10.4.5, released on February 14. Keep an eye on Apple Security Updates for more information on upcoming patches.

The SANS Internet Storm Center initially warned that this vulnerability could pose a serious threat. It later updated the initial warning to advise users that this vulnerability is a lot more dangerous than originally thought because merely shutting down Safari won't stop the attack. (See the initial Heise Online report for details about how Apple Mail sometimes executes compressed files and metafile scripts without asking.)

As with the many similar Microsoft attacks, Mac users don't have to visit a malicious Web site to be subject to this threat—merely opening an e-mail attachment is enough to trigger the attack. The latest reports say this is true even if you use Firefox to download the ZIP file. While Mozilla's Thunderbird e-mail client does appear to immunize a system somewhat because it avoids the automatic execution of the infected file, that doesn't protect against user stupidity (such as opening attachments from strangers).

Final word

It's true that very few Apple worms are in existence. However, it's also unfortunately true that many Mac users feel such a sense of superiority to Microsoft users and invulnerability to threats that they often fail to take even the most elementary steps to protect their systems. What that means is that while many Windows users can laugh at the latest Microsoft worm announcement because we have solid firewall and antivirus protection, even a weak worm could spread like wildfire through largely unprotected Mac systems.

I have nothing against Apple, other than the old single-sourcing problem (which would bother anyone who used to be a purchasing agent for a computer-based company). But it's only fair to point out that Apple may not be prepared to step up quickly enough if cyber-vandals really turn their attention to Macs.

For years, Apple has gotten away with its stated policy: "Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available." But I wonder just how long it can continue stonewalling as the platform comes under increasing threats. (You might almost call Apple's stand a bit Mickey Mouse—at least if you listen to Wall Street rumors that predict an Apple purchase of Disney.)

John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.
