The Unavoidable Malware Myth: Why Apple Won’t Inherit Microsoft’s Malware Crown
April 1st, 2008
Daniel Eran Dilger
According to the Unavoidable Malware Myth, Microsoft’s Windows security epidemic of viruses, spyware, and adware will be passed on to the next major computing platforms as an inevitable symptom of platform popularity. Were this true, it would be bad news for both Apple’s Mac platform, which is growing several times faster than the PC average, and for the iPhone and iPod Touch, which appear to have an early lead as one of the most promising mobile platforms of the future. But malware isn’t unavoidable. The myth is wrong; here’s why.
A Sign of Weakness.
The idea most frequently thrown out by detractors of the previous articles involving the CanSecWest contest was that Macs lack the security epidemic plaguing Windows only because Apple has held a marginal percentage of the market share of all PC desktops and servers sold worldwide over the last decade. Were that to change, they say, Macs would become an equal target for malware authors and fall into the same mess bogging down Windows.
Although difficult to prove unequivocally, it is likely true that the limited exposure of Mac OS X to attacks, based on its historically small market share, has helped to prevent any Mac malware industry from developing. However, that’s not the only factor in play, nor even the most significant.
Thanks to its extensive use of battle-hardened Unix and open source software, Mac OS X also has always had security precautions in place that Windows lacked. It has also not shared the architectural weaknesses of Windows that have made that platform so easy to exploit and so difficult to clean up afterward, including:
- the Windows Registry and the convoluted software installation mess related to it,
- the Windows NT/2000/XP Interactive Services flaw opening up shatter attacks,
- a wide open, legacy network architecture that left unnecessary, unsecured ports exposed by default,
- poorly designed network sharing protocols that failed to account for adequate security measures,
- poorly designed administrative messaging protocols that failed to account for adequate security,
- poorly designed email clients that gave untrusted scripts access to spam one’s own contacts unwittingly,
- an integrated web browser architecture that opened untrusted executables by design, and many others.
The Past is Not the Future.
If we could travel back to 2001 and somehow alter history to give Windows a 5% share of the PC market, and grant Mac OS X a 95% share of the market, that reversal of fortune would result in spammers finding that their existing malware exploits were nearly worthless. It could also induce them to write or obtain attacks exploiting Mac OS X. Third party developers would also have to make a huge shift in their allocation of software development resources, as Windows software would have much less value, while demand for Mac software would explode.
We can’t actually go back in time to do that. We can, however, watch in real time as history moves forward over the next eight years. As Apple’s Mac market share has ratcheted up dramatically over the last two years in particular, there has been no change at all in Mac malware: there are still no viruses, and no real malware threat dogging Mac users. Pundits’ predictions from as early as 2003 that Mac OS X would fall into the same malware void as Windows have failed to come to pass.
It would seem reasonable that malware authors would gradually move from being Windows-only to also target Macs, just as other software developers have increasingly shifted their resources to develop new Mac versions of their software over the last several years. However, while the percentage of major developers who offer Mac versions of their software is much greater than the Mac’s overall worldwide market share, the Mac’s share of the malware market is at zero, and shows no signs of growth.
As the future unfolds, external factors, including learning from the past, will prevent the past from playing out again exactly as it did. Before detailing how these factors will change the malware industry, consider the core fallacy of the idea that malware is inextricably tied to market share and popularity.
The Malware Market Share Myth.
Does malware development require some threshold of market share before it can exist? Is the malware ecosystem “irreducibly complex” in a way that prevents small pockets of malware from spontaneously developing to exploit smaller markets? If so, this would explain why Apple now has 20% or more of certain markets, but does not have even 1% of the malware market.
Alas, this theory is easy to crush. There have been many examples of thriving malware “serving” minor markets. Back when all computers used floppy disks, and floppies were easy to infect with boot sector viruses, Macintoshes of the Classic Mac OS era carried and transmitted viruses on floppies despite never having more than 8 to 11% of the market. Viruses were around because of a weakness, not because of the Mac reaching a certain market share threshold in popularity.
Even platform targets that are tiny to the point of insignificance are attacked by malware. Specific versions of a small minority of Symbian phones were attacked by a Bluetooth virus, not because those models made up 95% of the phone market, but because there was an open flaw in their software that left them vulnerable to attack.
The idea that Apple will inherit Microsoft’s problems rests on the mistaken belief that Windows’ security problems are rooted in its popularity, rather than its poor architectural design. That is not true, as countless examples of viruses attacking minor platforms attest. Malware targets weakness, not popularity. Windows is plagued with malware, not because it is ubiquitous, but because it is riddled with weaknesses.
The Malware Economy.
Today, and over the last two decades, Windows has been plagued with malware because it is easy to infect. That ease results in a low cost for creating Windows malware, as the supply of potential exploits is high. Even when adding in the small risk of being prosecuted, the development cost for Windows malware is still much less than the significant, if relatively shallow, payback spammers earn on spyware, adware, and the spam and viruses that deliver and install it.
Windows’ historical weaknesses have made the creation and maintenance of malware exploits cost effective. Complicating that problem, the platform’s popularity has made payback greater. Spammers earn returns on a very small number of duped victims out of the huge volume of messages sent out. Adware earns tiny profits on a huge volume of banner popups. As the cost of creating the malware to support those businesses is ratcheted up, the profits from high volume, low margin malware businesses quickly wither. The problem that makes malware work isn’t the popularity of the platform, but rather the platform weakness that drives down the cost of creating widespread, virulent attacks.
Creating Mac malware costs more because it is harder to write (fewer weaknesses to target), harder to keep working (exploits are patched), and too easy to clean away. There’s no Windows Registry that can be subverted to reinstall the malware the user is trying to eradicate, and no clumsy web-based Windows Software Update or Windows Genuine Advantage mess that prevents users from running updates; Macs are easy to keep up to date. There is simply no workable business model for Mac malware writers, not because the Mac market isn’t big enough, but because creating and maintaining a virulent botnet of Macs would be too expensive and difficult, given the lack of weaknesses to exploit.
Adding more Macs to the population does not change that. If exploited nodes on a network are too expensive to maintain, adding more nodes does not solve the problem. Mac malware is not sustainable as a business model, not because of limited market share, but because Mac malware costs too much to develop and maintain due to Mac OS X’s architectural strengths.
Planting Malware For a Harvest Payout.
Security researchers like Charlie Miller, who correctly point out that there are Mac exploits to patch, fail to also recognize that exploits are only part of the malware problem. An exploit can plant a malware seed, but without a Windows Registry to nurture it and wide open ports and poorly implemented network protocols to spread it, any potential Mac malware can be easily uprooted before it ever matures. That serves to make planting Mac malware an unworkable business: there’s never a harvest.
Windows has a thriving market of spammers, not because of platform popularity, but because there were and continue to be weaknesses in the design of Windows that made it easy and cheap to exploit, along with the fact that there are millions of PCs connected to the Internet but not maintained or updated. This provides fertile ground for a bountiful harvest of Windows malware. It’s not the popularity of Windows PCs that’s causing the problem, but the fetid pools of infected PC botnets.
That problem is not the product of popularity, but simply another example of an architectural weakness in Windows. Microsoft sold those millions of users defective systems that were ill equipped to be connected to a public network, yet it advertised them as being the ideal way to use the web and get email. Why haven’t those users filed a class action suit over being sold a harmful, defective product that was unfit for the purpose for which it was sold?
Hardware vs Software.
It’s because users see hardware as a product, but fail to grasp that software is one too. That’s why they like to pay for hardware but not software, and also why Apple and other manufacturers are regularly sued over minutiae such as the advertised size of a display and the color depth of an LCD screen, while Microsoft is not sued for defective software that causes billions of dollars of real problems. Microsoft has only been sued for cheating customers by charging too much for its software.
If the world ever figures out that software doesn’t have to be horrible just because Microsoft’s has been for decades, real solutions could happen. Until then, the primary hope for better consumer electronics software is Apple’s push to incorporate such software into its hardware products. The public doesn’t marvel that the iPhone has great software; they simply think of it as an impressive hardware device.
That reality plays into five factors affecting the computing platforms of the future that will prevent Apple from inheriting Microsoft’s malware legacy. The next article will present why those factors will have such a significant impact on the future of malware, and why the world’s greatest malware threat will continue to be firmly attached to Microsoft, the company that introduced the epidemic to the world in the first place.