Apple Inc (AAPL)

[Altaire4_2dot0]

Apple's Big Virus

by Kelly Martin, SecurityFocus

Alternative environments like Apple and Linux are finally catching on. Unit sales of Apple Computer's OS X based computers grew by 43% in the past quarter, over the same time last year -- in business terms, that's incredible growth. Revenue grew by 70%, and profit grew by an unbelievable 530%, thanks to the little music revolution they call the iPod and the iTunes Music Store.

What's fueling Apple's growth, besides the infamous iPod halo effect? Security. Either it's the perceived security that is thought to be better in OS X, or it's the documented lack of security in the Windows world. By that, I mean that you can't assume everyone who owns Genuine Windows is running XP with Service Pack 2, which has some improved security features -- because there are a few hundred million people out there still running Windows 2000, 98, or something else. No, they don't have automatic updates, and no, they may never understand what a firewall is. Anyone who works hands-on in the security field has his own experience spending countless hours removing viruses and spyware, or becoming adept at formatting and reinstalling (or laying down a new image), patching, immunizing, and so on. Whether it's in your large corporate environment or your Uncle Bob's computer at home, it all takes time.

Viruses don't have to be a fact of life. There are no viruses on OS X -- not a single one. The reason most often touted is Apple's lack of critical mass, but that argument has been beaten to death. There are millions of OS X computers out there. It's not that a virus couldn't be written for it either. Far from it. The soft underbelly of Unix (or Darwin, an open-source Unix like OS similar to FreeBSD) is just as vulnerable as the eye-candy applications that run on top of it. Step back from Apple's three-tiered user privilege system (user, GUI superuser, and root, which is disabled by default) and understand that users can still be tricked into clicking on anything -- social engineering will always work, and there will always be people who click.

Why, then, are there no viruses for OS X?

Just as Windows users have become accustomed to 140,000 viruses, Apple users have become accustomed to none. It's a major cultural difference that admittedly, sometimes causes Apple users to do stupid things -- and get away with them. It's hard to describe the freedom of using a system with no malware known to have spread. It's liberating.

Beyond critical mass, I would like to believe there's a better reason for the lack of viruses on OS X, and it's based on the culture of the Mac -- which is distinctly different from other platforms. Is it wrong to try a new computer system and actually enjoy the user experience, for a change? Can you imagine a world where (today) you can click on anything and never worry about malicious intent? Can we not continue this unwritten rule that there can be a platform out there that is simple, easy-to-use, with Unix (and a cool ports tree) underneath that has no threat at all from viruses?

Perhaps I'm living in a pipe dream, but that reality is here today. Linux is also close, but OS X is already there. Perhaps Apple's big virus is really just the market enthusiasm that translate to new unit sales, spread like a contagion, that fuels their 70% year-over-year revenue growth.

I held off writing this column for the better part of a year, because many SecurityFocus readers have the intellect, talent and ability to write a virus that could be quite nasty on OS X. There's the general notion that (shh!), any added exposure to the platform might bring it out of the limelight. But if a Windows programmer or security researcher can try a new operating system and enjoy it just enough to not want to destroy it, then there's hope for us all.

I should have also prefaced this column with the disclaimer that most SecurityFocus staff use OS X in some way or another, if not at work then at home, so we're somewhat biased. After covering multi-platform security news all day long, from WiFi penetration testing to intrusion detection and honeypots, at the end of the day it's nice to use a system that's not on everyone's radar for a change. Let's keep it that way.

Full story is here:

http://www.securityfocus.com/columnists/319?ref=rss