The team from iSEC revealed the results of the study this week at the Black Hat conference in Las Vegas. The impetus for the research was that many of iSEC’s clients began asking whether a move to a Mac environment would help mitigate against APTs, explained Alex Stamos, co-founder and CTO of iSEC Partners.
He and his team then began comparing the latest version of the Mac OS X 10.7 – Lion – versus its primary competitor, Windows 7, in several key security areas. What the group found was that, contrary to popular belief, the Mac operating system is not necessarily more secure than Windows for enterprise deployment and is likely more susceptible to network attacks.
The fact that Macs may be more vulnerable to network attacks is significant, Infosecurity notes, because a key component of APTs involves attackers gaining undetected access to an enterprise network to access information.
“Mac users may be safer, but that doesn’t mean that the operating system is more secure”, said Paul Youn, a member of the research team. “In 2008, 14.3% of all operating system vulnerabilities were reported against OS X 10, which is more than any other operating system.”
“Targeted attackers don’t care what operating system you are running; they are after your resources”, he added. “The fact that, typically, your personal Mac user is not being targeted too often does not have any bearing on APT.”
Apple has implemented several mitigations against automated exploits in the latest releases of the Mac operating system, said BJ Orvis, a fellow member of the iSEC research team, but it still lags behind Windows in this area.
The Mac OS X operating system has made strides to harden itself against local privilege escalation, noted Stamos, citing specifically its application sandboxing feature. “This is where it will show a lot of benefits over Windows in the long term”, he added. Regardless, Stamos admitted, local privilege escalation issues are still possible on both Windows and Mac.
“Network privilege escalation is where it gets really bad for Apple”, he said, “and this is really at the heart of an APT”. Stamos noted that at organizations with thousands of users – typically the primary targets of APT attackers – at least one employee will be susceptible to a social engineering exploit and download malware to a machine connected to an enterprise network.
“Unfortunately [network privilege escalation] is a step that is pretty much trivial for attackers. Every password-based authentication mechanism in [Mac] OS 10 has problems”, Stamos said. This is because, based on his team’s assessment, almost every OS X server service offers weak or flawed authentication methods. He called it “game over” with respect to enterprise network defense.
Taking all of the comparisons between Windows and Mac OS X security into account, Stamos’ final recommendation for organizations contemplating a move toward Macs to defend against APTs was simple: “Treat them as little islands on a hostile network. They are good against remote exploitation; that is where Apple has put all of its research and development. But once you turn on anything administrative, once you install OS X 10 Server, you are toast. There is pretty much nothing you can use OS X 10 Server for securely.”