Windows vulnerabilities on Macs in Qualys scans

Alien vulnerabilities are the kiss of death for any vulnerability scanner. There’s no faster way to lose credibility with a sysadmin than to show them a scan of Linux or Mac hosts with Windows vulnerabilities in it. Recently I had to troubleshoot one such issue. Here’s how you can end up with Windows vulnerabilities on Macs in Qualys scans.

Vulnerabilities that shouldn’t be there

Windows vulnerabilities on Macs in Qualys scans
When I found Windows vulnerabilities on a Mac, the culprit turned out to be Boot Camp, a utility that lets you dual boot Mac OS X with Windows on Intel-based Macs.

If an organization doesn’t believe its vulnerability scanner, it won’t have a successful vulnerability management program. Period. At my first sysadmin gig that actually used a vulnerability scanner to verify the results of its patching efforts, I found one of my coworkers spent more time arguing about false positives than we spent actually fixing vulnerabilities. And the security analysts didn’t have the background to challenge him on it.

Understanding Qualys findings is the key to a successful vulnerability management career.

Of course, there’s no obvious reason why you should find Windows vulnerabilities on a Mac or Linux host. This was a complaint I heard when I worked at Qualys, but nobody ever showed me the data so I could troubleshoot it. This week I finally had a chance to dig into the situation. What I found surprised me. Qualys wasn’t making stuff up.

Troubleshooting Windows vulnerabilities on Macs

First I downloaded the offending report in CSV format. CSV is most useful for this because you can sort and filter the results and rearrange columns or even delete the columns you don’t need. First I just filtered the Results column on the word “Windows” to isolate the offending vulnerabilities. There weren’t a lot of them, but it only takes one. Then I scrolled to the left to check the operating system on the asset. My first thought was some Windows machines had been tagged incorrectly. But not in this case. Qualys detected it was running a recent version of Mac OS X. And since it had specific version information, I knew the scan authenticated.

So then I unfiltered the report and looked at all the other vulnerabilities on the same host. The host only had a few findings, but most of the findings were indeed Mac software and looked legit. When troubleshooting, I like to use raw scan results or a report that shows informational findings, as that can also be helpful to determine whether all the findings went together. It’s very unusual for Qualys to mix two hosts together, but if it does, you’ll find informational findings that contradict each other.

In this case, I didn’t find any funny business. So I logged into Qualys to check one more thing. Of course there was one more thing. It’s part of the brand. I pulled up the host in Assetview and looked at the installed software. On page 2, I found the culprit: Boot Camp.

Why Boot Camp makes Windows vulnerabilities show up on Macs

Boot Camp is a utility that allows Intel-based Macs to dual boot into Windows. When you install it, the Windows installation isn’t completely isolated from the Mac side. That means Qualys can see the Windows files even when you’re running Mac OS on it.

When you boot the Mac into Windows and update it, then the findings will clear. In this instance, from looking at some of these Macs, it looked like some of these machines hadn’t been booted into Windows in a very long time.

How vulnerable is a dormant Windows installation on a Mac?

Of course the next argument is how big of a problem this is. You can’t use the Windows vulnerabilities to exploit a Mac while it’s booted into Mac OS. The system is just a carrier in this instance.

But when you boot the system into Windows, it will be vulnerable until it pulls down updates.

So the key, if your company dual boots Mac with Boot Camp, is to make sure your Boot Camp users are actually using it often enough to pull down updates. That means once a month, at the very least.

As security professionals, part of our job is to raise awareness to things like this.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: