Byron Acohido
USA Today
SEATTLE — In a widely aired TV commercial, a hip-looking dude personifying Apple products wipes the nose of a sickly businessman representing Windows PCs, and smugly declares Apple’s immunity to computer viruses.
But the ad belies an alarming shift in cyberattacks. Cyberintruders once bent on breaking into the Windows operating system are increasingly probing for vulnerabilities in popular software applications — and not just Microsoft’s.
Critical security holes have been turning up in Web browsers, anti-virus programs, word processors, spreadsheets and digital media players. “As we start to see the operating system become more secure, the criminals are moving up the application layer trying to attack Office or iTunes or RealPlayer,” says Stephen Toulouse, Microsoft security response center program manager.
The profit motive has never been greater for cybercrooks to take control of a PC to hijack online accounts and commit identity theft. Yet most people don’t realize the degree to which their favorite software applications have come under assault, say security experts. Popular routes include:
• Tainted spreadsheets. Microsoft on Tuesday issued patches for 17 security holes — a dozen for its ubiquitous Office programs. One flaw was discovered in mid-June by a corporation. An employee had opened a tainted Excel spreadsheet attachment, which then took control of the PC, says David Cole, director of Symantec’s security response center.
• Web-browser bugs. A Russian-built program called WebAttacker is being planted on websites across the Internet, says Roger Thompson, chief researcher for Exploit Prevention Labs. It checks each website visitor’s browser for vulnerabilities, then uses one to take control of the PC. Cybercrooks have discovered “a rich pool of vulnerabilities” in browsers, says Thompson.
• Apple security holes. Apple has issued patches for vulnerabilities 35 times since January 2005, including 12 this year. Seven have been to fix flaws in its popular iTunes and QuickTime digital media software. The most recent iTunes patch, issued June 29, plugs a security hole that could allow an intruder to execute malicious code. Apple turned down interview requests for this story.
Apple and other software vendors are just starting to come to grips with security patches, says Scott Carpenter, director of security labs at Secure Elements. Unlike Microsoft, which has emphasized security since early 2002, Apple lacks a “well-developed process of notification and remedies,” he says. “Apple’s message is, ‘You don’t have to worry about security with a Mac,’ but that’s just not true.”