Apple's growing popularity is promising to cyber attackers. Once upon a time, Apple users could smugly (and dare I say condescendingly) claim that Mac users were safer than PC users because Macs didn't have nearly the same number of software vulnerabilities as PCs. This may still be the case to some extent, but that era is drawing to a close.
To quote a recent article from Computerworld:
Researchers spot Mac Trojan in the wild
Security researchers reported last week that they have spotted a Mac Trojan horse in the wild...
The malware exploits a recently publicized vulnerability in the Apple Remote Desktop Agent (ARDAgent), part of Tiger's and Leopard's Remote Management component. Composed as a compiled AppleScript, or in another variant, script bundled into an application, the Trojan leverages the ARDAgent bug to gain full control of the victimized Mac.
"[It] allows a malicious user complete remote access to the system, can transmit system and user passwords, and can avoid detection by opening ports in the firewall and turning off system logging," claimed SecureMac. "Additionally, the Trojan can log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing."
To be sure, this is not the first vulnerability of its kind in Apple products, and it will not be the last. When Apple languished at 3 percent market share, it simply was not a lucrative target for cyber attackers. At roughly 6 percent market share, Apple is more promising (Ubuntu, at less than 1 percent market share, has a long way to go).
In the software market, security is not part of the beauty contest until it is too late; that is, in the race for market dominance security is not a competitive differentiator for software manufacturers. As such, software manufacturers have no incentive to make security a priority. Features rule the race for market dominance; not security, not secure software, and certainly not software assurance.
When a software product finally becomes popular, the lack of attention the manufacturer gave to secure software and software assurance becomes much clearer. In fact, as one of my colleagues so eloquently remarked, "It becomes fucking obvious."
The problem, of course, is that latent defects lose their latency in proportion to a product's popularity. As a result, the patching race becomes more frenetic: the vendor must issue a patch, and consumers must apply the patch (or undertake other system changes) as quickly as possible, before attackers exploit the defect. Consumers rarely win this race. If attackers keep knowledge of the vulnerability to themselves, consumers are completely out of luck: attackers can exploit the vulnerability at will with no fear of the manufacturer producing a patch to thwart their activities. Consumers lose either way.
The fruits of popularity are clear: the manufacturer potentially makes a tremendous amount of money, shareholders are happy, and consumers pay for this success twice: first by purchasing the product, and second by being exploited.
Something is rotten here.