As the latest Microsoft Windows infection spread across the Internet last week, knocking out thousands of PCs in homes and businesses, Macintosh users did what they usually do during a computer virus outbreak -- they continued working.

That's because the "Blaster" worm, also known as LovSan and MSBlast, cannot harm a Mac. The worm exploits a vulnerability present only in certain versions of Windows. So a computer running a non-Windows operating system, such as Linux or the Mac OS, is immune.

Nevertheless, this is not an occasion for gloating, as the attack caused widespread inconvenience -- ask anyone who visited any of Maryland's Motor Vehicle Administration offices last Tuesday -- and surely cost the nation's businesses millions of dollars in lost productivity.

Mac users rarely have concerned themselves with worms and viruses because very few "malware" -- malicious software -- programs have been written for the Mac.

In a report released last month, Sophos PLC, a British company that sells anti-virus software, noted that through the first six months of 2003, the most commonly reported virus that could affect Mac computers was one designed for the "classic" Mac OS -- not OS X. It placed 78th on the company's list.

Sophos compared that to the top 10 most-reported viruses, all targeted at Microsoft Corp.'s Windows, which accounted for more than half of all the attacks over the period.

Not that it was a fair competition. According to Security Focus, a computer security information Web site owned by Symantec Corp., the Cupertino, Calif.-based maker of the Norton brand of anti-virus products, the number of viruses written for the classic Mac OS is about 50.

By comparison, security experts estimate the number of Windows-specific viruses at about 70,000, though the exact count depends upon how you classify all the variations of a single virus or worm.

Graham Cluley, Sophos's senior technology consultant, attributed the lack of Mac viruses to a failure "to capture interest amongst the counter-culture that writes viruses."

"It's perfectly possible to write viruses for Apple Macs," Cluley said. "Indeed, a Mac has no more inherent security than a PC, but virus writers appear motivated by a desire to cause widespread havoc and so have concentrated on the market leader."

By "market leader," he means, of course, Microsoft Windows.

Sophos, nevertheless, advises Mac users to have anti-virus software and to keep it updated, if for no other reason that to prevent a Mac from spreading Windows viruses. Last month, the company released a version of its antivirus software for Mac OS X, which joins Norton AntiVirus and McAfee's Virex as OS X weapons to fight malware.

However, because a Mac can pass a virus to a Windows PC by forwarding an infected e-mail or document, Mac users always have been cautioned to run anti-virus software and to employ safe-computing practices, such as deleting e-mail messages from unknown sources without opening them.

And Windows malware can irritate Mac users despite its inability to infect their Macs; this week's outbreak of the SoBig worm, for instance, has choked my .mac e-mail box with dozens of useless messages.

Ensuring that Macs don't perpetuate the misery of Windows users by hosting Windows viruses is indeed desirable, but one question still begs an answer: Is Mac OS X just as vulnerable as Windows, spared by hackers only because of its relatively small footprint in the computer world?

It's a tough question to answer precisely because Mac OS X isn't being probed for weaknesses by thousands of mischief-minded hackers every day as is Windows. In other words, even if OS X has more security holes than Windows, with far fewer people looking for them, far fewer will be found and exploited.

Some clues to the relative vulnerability of Mac OS X can be gleaned from its heritage. OS X is based on FreeBSD, an established, well-known version of Unix.

"Unix architecture is a fairly known quantity," said Jeff Thompson, who worked with many commonly used operating systems -- Linux, Solaris, Windows NT -- as vice president and master technologist at the security software firm Argus Systems Group Inc.

Thompson now is chief technology officer of CodeTek Studios Inc. in Champaign, Ill., which is an OS X software developer.

"Unix kernels have had their security vulnerabilities over time, but they are fairly rare," Thompson said, noting that most Unix vulnerabilities reside in support services used more by businesses than homes, such as Web servers and e-mail servers.

"Chances are there are a fairly large assortment of Mac OS X bugs to be found," he said.

But more than two years after its introduction, not a single Mac OS X-specific virus has yet appeared.

Robert Richardson, the editorial director of the Computer Security Institute, an organization of computer security professionals, confessed he wasn't aware of many published OS X security holes, though he agrees that Mac OS X inevitably must share some vulnerabilities with its Unix cousins.

"My suspicion is that Apple did a fairly good job at closing up any known and obvious Linux vulnerabilities," Richardson said.

In fact, after taking some criticism early in the life of OS X, Apple Computer Inc. took a number of steps to improve its security. Besides issuing timely patches to security holes -- usually within about a week of a reported vulnerability -- Apple ships OS X with most of the services hackers typically use to invade a system, such as Web hosting, blocked by a built-in firewall.

Although experienced users who need these services can easily turn them on, this Apple policy protects the average Mac user from exposure to the most common attacks.

While Windows also has a built-in firewall, by default it has been turned off. In the wake of the Blaster worm, Microsoft said last week that new versions of Windows XP will ship with the firewall active by default.

Other steps that Apple has taken to thwart breaches of OS X include a Product Security Web page with advice on how to keep your Mac secure, as well as contact information for reporting security incidents. In addition, Apple collaborates with several computer security organizations, most notably the CERT Coordination Center.

Still, a successful Mac OS virus attack could occur; total prevention is impossible, for a number of reasons.

  • First, if a hacker discovers a vulnerability before Apple does, it would only take a couple of weeks -- perhaps just days -- to write and distribute a virus or worm before a patch could be made available.

  • Second, despite the constant admonition to users at all levels to use anti-virus software and apply patches, many people just don't bother.

    Take the Blaster worm, for example. Microsoft, based in Redmond, Wash., learned of the hole on June 27 and issued a patch to fix it on July 17. Millions of Windows systems were vulnerable on Aug. 12 only because their owners failed to download and install the patch.

    Though Microsoft frequently is berated for releasing vulnerable software, the reality is that 95 percent of malware attacks take place after a corrective patch becomes available.

    Faced with dozens of patches annually, both home users and technology administrators have a hard time keeping up. Worse, some Microsoft patches themselves cause problems, the most notorious being the one for Windows NT last January that crashed entire systems.

    Many home users turn off the Windows Auto Update feature because they find it annoying, but Microsoft is considering making it mandatory in future home editions of Windows.

    Apple sets Mac OS X's comparable Software Update feature to automatically check for updates once a week. Users who turn it off will often find it switched back on following a user-initiated update.

    In short, Apple can't do much more to enhance the security of Mac OS X. Any OS vendor, be it Apple or Microsoft, can only do so much. The rest is up to the user's common sense -- avoiding installing questionable software and treating e-mail attachments with extreme caution.

    Still, Mac users clearly have it much easier than their Windows counterparts when it comes to security. The profound lack of Mac viruses and weak nature of the few existing threats means that even neglectful Mac users who ignore all computing safety advice probably will never experience a security problem.
  • Advertisement