Security firm Intego has added to the bevy of year-in-review pieces for 2009 with a comprehensive report on Mac and iPhone security of the past year. While this may seem more than a little self-serving for the authors of VirusBarrier, the report is fair, comprehensive and hyperbole-free.
When it comes to Mac malware, there are only two known Trojan horses in the wild, which were respectively found via pornographic video websites and pirated software shared on BitTorrent. There was also one non-functional proof-of-concept malware that only targeted the RealBasic runtime and a game that deletes files randomly, entirely with the user’s consent.
OS X itself fared pretty well when it came to operating system level exploits, with the report outright stating that “Mac OS X, while more secure than Windows, contains its share of flaws, and Apple has to constantly keep on its toes to issue several dozen security updates each year.”
For most security holes, Apple issued a patch within a month of the vulnerability being brought to public attention, with the one exception being OS X’s Java runtime. A security researcher brought up how one Java vulnerability remained unpatched for more than six months, but Apple released a patch only a month after his concerns were made public. One kernel-level vulnerability in April allowed hackers to potentially break into OS X without a user’s consent, but that was patched in May.
Non-jailbroken iPhones fared even better. The sole major security flaw was the iPhone’s SMS vulnerability, which Apple quickly released a patch for.
For jailbreakers, though, it was another story entirely. Jailbroken iPhones turned out to be at significant risk for malware. Security researcher Charlie Miller claims the jailbreaking process “removes about 80 percent of the security protections built into the iPhone software.”
The biggest target on the iPhone was the ssh remote login protocol, which allowed hackers and worms to get into the iPhone by correctly guessing the default password—a password which was not changed by most jailbreaking software. The first worm to exploit this ssh flaw actually “fixed” it by turning off ssh, but subsequently a worm and a hacking tool were each able to successfully download and upload software as well as other information to and from users’ iPhones without their consent, paving the way for phishing attacks and the creation of a botnet.
Intego’s report only goes to prove Macworld contributor Rich Mogull’s advice, that the greatest risk to a computer’s security is the user itself. That means you. But as long as you keep up to date with patches, abide by good security practices and common sense, and avoid shady websites, OS X and the iPhone are really quite secure, and at virtually no risk for malware. However, users of jailbroken iPhones should take the past year’s worth of malware as a good sign that they need to change their ssh password, now.