Detailed Information
What about Apple’s Macintosh. Is it more secure?
Out-of-the-box, Mac OS X has been reasonably secure. Apple installs a fairly secure default configuration, and provides regular Security Updates. The Unix foundation of Mac OS X, Darwin, has provided powerful tools that we can leverage to help our computers remain secure in an otherwise dangerous world.
But Apple is not immune from vulnerabilities and is starting to see security threats like those facing Windows computers and applications. Here are some relevant quotes from recent discussions about security vulnerabilities in the Mac OS X operating system:
"The hacker behind the MoKB (Month of Kernel Bugs) plans to take a big bite out of Apple Computer's insecurities. As first reported by Brian Krebs, LMH is teaming up with Kevin Finisterre of Digital Munition on a month-long "Month of Apple Bugs" project that will expose unpatched Mac OS X and Apple application vulnerabilities."
Source
Reader Feedback #1:
"OS X has a far better security record than Windows for two fairly simple reasons: (1) it is not the operating system of choice for the majority of computer users, and so has not been a major target for hackers and (2) its UNIX core is inherently more secure (not the same as unhackable)."
Reader Feedback #2:
"Macs are currently more secure ..."? Really? This is like saying my house is more secure by virtue of it not been burglarized. If the windows and doors are open, guess what? It's not secure. Should OSX suddenly dominate the OS market, OSX becomes the next target."
Reader Feedback #3:
"I WAS a long time Macintosh user and after spending many thousands of dollars, many times the cost of the equivalent WinTel box I got fed up especially considering the horrendous quality of Apple software in the early to mid 1990's. Apple had to copy BSD UNIX to finally get a viable OS."
Even though the Mac faces fewer threats today, you must still be diligent about configuring your Mac with strong security practices, as tomorrow may be different.
Mac OS X vulnerabilities:
- From 2003 to 2005, the annual rate of vulnerability discovery on Apple's Mac OS platform has increased by 228 percent, compared to Microsoft's products which saw a 73 percent increase.
- As demonstrated by its March 2006 patch, which corrected 20 vulnerabilities, Apple's Mac OS platform is just as vulnerable to targeted attacks as other operating systems.
- Security researchers and hackers will increasingly target the Mac OS and other Apple products, such as iTunes and iPods.
The above quote and the 3 charts below come from an excellent White Paper by McAfee on Mac OS vulnerabilities:



Basic Security for the Mac means:
• Set Secure Passwords
• Keep your OS patched
• Use a Firewall
• Use AntiVirus Software
• Be vigilant about scams on web sites that seek to get you to divulge personal and financial information.
• Spyware is third-party software installed without your permission that transmits information you assume is private. Windows PC users are all too familiar with the problems presented by spyware applications that display browser ads, or that reset the browser to a different home page. While these issues do not affect Mac users, you may find that some Web browser cookies fall under this broad definition of spyware. You can maintain your privacy on a shared Mac by clearing the browser history, removing all cookies, clearing downloads, and emptying the cache.
Additional security strength for user and administrator accounts and passwords requires:
• Controlling physical access to the Mac and using an Open Firmware password.
• Keep all applications up to date and patched.
• Use only secure, encrypted network tools (SSH, SFTP, SCP).
• Configure Personal File Sharing securely, without guest access.
AntiVirus:
There is still, at this writing, no virus that infects OS X. A few Mac users unfortunately sometimes think that they do not need to worry about viruses. But virus-infected documents and e-mail attachments can be transmitted through OS X to Windows computers. Prevent that by using anti-virus software on your Mac.
Some macro viruses can travel cross-platform and you should still scan your computer regularly. That way, you will not only be able to stop PC viruses before you forward them to your PC friends inadvertently but also will be able to react very quickly in the event of a massive Mac compatible infection.
Sharing and networking:
There are several options that can improve your Macintosh security by reconfiguring network services.
• Guest Access is not recommended
• Personal File Sharing (AKA AppleShare) is insecure, SMB is better, and SFTP is recommended for file transfers with Unix boxes. Do not enable Personal File Sharing unless you need to, because it doesn't allow you to require an account and password. It's a bad idea to allow guest or anonymous access to any service, folder, or file unless you understand what you're doing.
• For best security, do not enable any of the incoming services listed under the Sharing System Preference Pane. (In 10.3, the services are Personal File Sharing, Windows File Sharing, Personal Web Sharing, Remote Login, FTP Access, Apple Remote Desktop, Remote Apple Events, and Printer Sharing). Note that this only affects incoming connections to your computer; you can still make outbound connections to servers, printers, and so on.
Patches and Updates:
Set the Software Update preference (in System Preferences) to automatically check Apple's upgrade service frequently. When purchasing a new Mac, or performing a system installation, manually trigger the Software Upgrade tool to check for any software updates that haven't been installed yet. Apply all Apple security updates and System Updates that appear, as soon as possible.
Risky Shareware:
Do not install shareware or downloads from unknown vendors or web sites, unless you use good virus-checking and backup practices and are willing to take risks.
Physical Security:
Physical Access - Anyone can change your Administrator password if they start your Mac up with an OS X Installation CD. If your Mac is started up from an OS 9 (Classic) System Folder, there is no protection or security at all for the OS X files in the same disk partition. If your Macintosh is not locked in a closet, you probably want to prevent the possibility of someone booting it from an external hard drive, DVD, or CD, and then changing your administrator password, erasing your disk, or accessing your private documents.
Recommendations:
• To prevent booting from external drives, use the Open Firmware Password utility to set a firmware password. See http://docs.info.apple.com/article.html?artnum=120095 for complete instructions and a copy of the utility.
• Upgrade to OS X. Remove any OS 9 system folders and the "Classic" System Preference panel from your Macintosh.
Strong Passwords:
The first line of defense for your system is the password. Choose a good one, and change it regularly.
Recommendations:
• Set the "Security" preferences in System Preferences so a password is required to wake from sleep or from the screen saver; this will keep others from using an unattended Mac.
• Never create a guest account, anonymous login, or an account with blank or obvious password.
• Select strong passwords which are not easily guessed. Keep them secret; don't send them in e-mail or write them down. Change them regularly.
Accounts:
• Have several accounts for special purposes on your Mac OS X system.
• Be in control of all access to your system by other users, and don't use Guest access without a good reason.
• By default, the account created when installing OS X is an Administrator account which has the equivalent of "root" access. It's not secure or necessary to use that account for routine work. While logged in as the administrator, use the "Accounts" System Preference tool to create a non-administrator user account and give it a different password. Then, use the user account for daily tasks.
By default, OS X logs in automatically after a restart, using the first account created during installation and this account's saved password. We've already seen that this is an administrator account, so if the Mac isn't in a perfectly secure location, any passer-by can start it up and make changes to it. To fix this, go to the "Security" System Preference, and click "Disable automatic login." Also go to the "Accounts" System Preference, click Login Options, and select "name and password" instead of "list of users". After making this change, log out. To log in, you will now need your user name and password.
Firewall:
Mac OS X includes firewall software you can use to block unwanted network communication with your computer. You can use a firewall to protect all of the services available in Mac OS X, such as Personal File Sharing, Windows Sharing, and Remote Login. Using a firewall protects the services on your computer from users on other networks or the Internet.
When you select a service in the Services pane of Sharing preferences, it is automatically selected in the Firewall pane. To block that service while the firewall is on, turn off the service in the Services pane.
Hardware Firewall:
As silly as it may seem, a software firewall is no stronger than the operating system it runs on--as the ever increasing Windows security issues show. Therefore, it is important to get a hardware firewall that will provide a first layer of security for your network by making it "stealth"-- i.e. not responding to various probes--and warning you in case someone really tries to break in. No hardware firewall is 100% secure but, by applying the security updates provided by your vendor, you should be able to keep most wannabe evildoers out of your LAN.
Also, using a hardware firewall to protect your network will allow you to worry less about the security mistakes that some users may commit on their Macs--although this should not give a false sense of security either.
There are many, many types of firewalls and all of them have their strengths and weaknesses. However, you may want to make sure that you follow these rules :
• Your external firewall should not require that you install any software of any kind on your Mac. Most of them now use a web-based interface, solving most compatibility issues. However, not all web-based interfaces are created equal and you should try to avoid the ones that have been "optimized for Internet Explorer 6 or better"--this usually indicates a PC-centric vendor and is in no way a warranty that the interface is better, even if you plan to set it up from a Windows computer.
• Your firewall should provide you with detailed logs and should be able to warn you in case it detects something abnormal--by sending a mail, a page or a phone call. Even entry-level firewalls do that now (to some extent, of course) and it can be a valuable help.
• Your firewall should use a stateful packet inspection system or better--in other words, it only allows remote packets that come as a reply to a request you sent. NAT is a first step towards security but does not a firewall make--although it is essential if you need to connect multiple computers on your LAN with one ISP-provided IP address.
• Your firewall should come with default settings that provide maximum security and not require you to be an iptables expert!
• Ideally, your firewall should have DMZ capabilities. A DMZ or de-militarized zone is an area of your network that is isolated from the firewalled computers and that can be connected directly to the internet. This is the place where you will place all your public servers and computers : it is not protected but, in case something goes wrong, the computers that contain your sensitive data are safe.
Software Firewall:
Surprisingly, few Mac OS X users know that their operating system of choice comes with a built-in, time-tested, industrial strength firewall that they can turn on by simply using the "Sharing" preferences pane.
Here are the detailed steps to follow.
• Open the "System Preferences" application--you can do so quickly by using the Apple menu
• Click on "Sharing" to open the "Sharing" preferences pane and select the "Firewall" tab.
• Make sure that no box is checked in the "Allow" list
• Click on "start" to start the firewall
The firewall used by Mac OS X is called "ipfw" which stands for "ipfirewall". Its job is fairly simple--close ports and prevent remote hosts and applications from connecting to them. Some users may argue that the interface provided by Apple does not allow a lot of fine-tuning : this is true, but is done on purpose to allow even newcomers to benefit from reliable security settings, without having to worry too much about settings.
Of course, by turning your firewall on, you are preventing some applications from establishing a connection with your computer. This is not likely to interfere with most of your workflow but can, under some circumstances, prevent a few network-aware applications from working, especially Rendezvous enabled ones--iChat over Rendezvous, for example. To avoid this, you can open the necessary ports by checking the corresponding box in the "Allow" list. Just keep in mind that, the more ports you open, the less effective your firewall will be--but it sure is far better than disabling the firewall altogether.
Unfortunately, ipfw does not feature instant warning and will only write its warning messages to a log, accessible through the Console utility. This has the advantage of not disrupting your workflow but, unfortunately, does not allow you to react in a timely manner to some attacks since you are probably not constantly monitoring the logs.
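Because the ipfw log is only useful if someone reads it, a periodic summary can stand in for the missing instant warning. The following is an added example, not part of the original page: the log line layout, the sample lines (constructed, using documentation address ranges), the function names and the thresholds are all assumptions, so adjust the pattern to what your own Console log shows.

```python
import re
from collections import defaultdict

# Assumed layout of an ipfw log entry: rule number, action, protocol,
# source, destination, direction and interface.
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>Deny|Accept|Unreach|Reset)\s+(?P<proto>\S+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

PREFIX = "Feb 21 09:%02d:00 powerbook ipfw: 12190 Deny "

# Constructed sample log: one source touching five ports, one source
# hammering port 22, one stray packet, and an unrelated kernel message.
SAMPLE_LOG = "\n".join(
    [PREFIX % 14 + "TCP 203.0.113.7:%d 192.168.1.20:%d in via en0" % (40000 + p, p)
     for p in (21, 22, 23, 139, 548)]
    + [PREFIX % (20 + i) + "TCP 198.51.100.23:%d 192.168.1.20:22 in via en0" % (51000 + i)
       for i in range(6)]
    + [PREFIX % 31 + "UDP 192.0.2.44:137 192.168.1.20:137 in via en0",
       "Feb 21 09:32:00 powerbook kernel: AirPort: Link Up on en1",
       PREFIX % 33 + "ICMP:8.0 192.0.2.44 192.168.1.20 in via en0"]
)


def parse_line(line):
    """Return a dict describing one ipfw entry, or None for other log lines."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    event = m.groupdict()
    for field in ("sport", "dport"):
        # ICMP entries carry no ports; keep those as None.
        event[field] = int(event[field]) if event[field] else None
    return event


def find_suspicious_sources(log_text, min_ports=4, min_hits=5):
    """List sources whose denied inbound traffic looks like a sweep or a retry loop."""
    per_src = defaultdict(lambda: defaultdict(int))  # src -> dest port -> count
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or event["action"] != "Deny" or event["dir"] != "in":
            continue
        per_src[event["src"]][event["dport"]] += 1

    alerts = []
    for src in sorted(per_src):
        ports = per_src[src]
        numbered = sorted(p for p in ports if p is not None)
        reasons = []
        if len(numbered) >= min_ports:
            reasons.append("sweep of %d ports" % len(numbered))
        for port in numbered:
            if ports[port] >= min_hits:
                reasons.append("%d denied attempts on port %d" % (ports[port], port))
        if reasons:
            alerts.append({"src": src, "hits": sum(ports.values()), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_sources(SAMPLE_LOG):
        print("%(src)s: %(hits)d denied packets, %(reasons)s" % alert)
```

Run on a schedule against the real log, a summary like this turns the passive log into something you will actually see.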
Many companies now sell third-party firewalling solutions that do not rely on ipfw in any way... These firewalls provide you with instant notification systems and are generally more "friendly" for a new user. However, they need to add "kernel extensions" to your installations --files that act at a very low level in your operating system to add features. While a very well written kernel extension can work perfectly, be aware that you will need to update them frequently and to pay attention to potential compatibility and stability issues.
Reverse Firewall:
While you are using your Mac, many, many applications constantly try to access the internet, to either get information or send some. The problem is that some of them may, along the way, send some details that you deem confidential--or be simple Trojan Horses.
To avoid this, you can install "reverse firewalls" that monitor outgoing connections and provide you with live alerts, allowing you to accept or deny attempts. Of course, such third-party products are not perfect since you have to trust the authors and since they, too, install kernel extensions to provide you with alerts. However, the best of them can be a real help--give it a try and you will be surprised to see how many applications try to establish connections without your permission!
Use a Tripwire-Like System:
Let's say that someone has broken into your computer and has begun to alter various configuration files to use your computer as a base for his unlawful activities.
Luckily, there are some applications out there that can regularly calculate the checksum of your files (see the md5 information above) and compare it with a list of known-good files. Such a system can certainly be defeated by altering the reference database but it will provide you with an extra layer of security--and can be a real life saver under certain circumstances.
Brian Hill, author of the world famous Brickhouse has released an application called "CheckMate" that acts the same way and that can check on a regular basis if any of your system files--or data files of your choice-- were altered without your consent.
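The checksum-and-compare idea described above, as an added example that is not part of the original page and is not CheckMate's code. It uses SHA-256 rather than the md5 the page mentions, and it seals the reference database with a keyed HMAC so that an altered database is detected; the function names, file names and key are hypothetical, and the seal only helps if the key is kept off the monitored machine.

```python
import hashlib
import hmac
import json
import os
import tempfile


def file_digest(path, chunk_size=65536):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every regular file under root (by relative path) to its digest."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = file_digest(full)
    return result


def _seal(entries, key):
    """Keyed MAC over the canonical JSON form of the database entries."""
    body = json.dumps(entries, sort_keys=True).encode("utf-8")
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def write_baseline(root, baseline_path, key):
    """Record the known-good state. Store the baseline outside root."""
    entries = snapshot(root)
    with open(baseline_path, "w") as f:
        json.dump({"files": entries, "mac": _seal(entries, key)}, f, indent=2)
    return entries


def verify(root, baseline_path, key):
    """Compare the current files with the baseline; reject a tampered baseline."""
    with open(baseline_path) as f:
        doc = json.load(f)
    if not hmac.compare_digest(str(doc.get("mac", "")), _seal(doc.get("files", {}), key)):
        raise ValueError("baseline failed its integrity check; do not trust it")
    old, new = doc["files"], snapshot(root)
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "missing": sorted(p for p in old if p not in new),
        "added": sorted(p for p in new if p not in old),
    }


def demo():
    """Constructed scenario: baseline, altered files, then an altered database."""
    key = b"constructed-demo-key"  # assumption: real key lives on another machine
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        os.mkdir(os.path.join(root, "ssh"))
        for rel, text in (("hosts", "127.0.0.1 localhost\n"),
                          ("ssh/sshd_config", "PermitRootLogin no\n"),
                          ("crontab", "# empty\n")):
            with open(os.path.join(root, rel), "w") as f:
                f.write(text)
        baseline = os.path.join(store, "baseline.json")
        write_baseline(root, baseline, key)

        # Simulated unauthorized changes: one edit, one deletion, one new file.
        with open(os.path.join(root, "ssh/sshd_config"), "w") as f:
            f.write("PermitRootLogin yes\n")
        os.remove(os.path.join(root, "crontab"))
        with open(os.path.join(root, "rc.local"), "w") as f:
            f.write("# unexpected startup item\n")
        report = verify(root, baseline, key)

        # The reference database is rewritten to match the altered files.
        with open(baseline) as f:
            doc = json.load(f)
        doc["files"] = snapshot(root)
        with open(baseline, "w") as f:
            json.dump(doc, f)
        try:
            verify(root, baseline, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return report, tamper_detected


if __name__ == "__main__":
    print(demo())
```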
Encryption of Data:
If your laptop is stolen, it's easy for a malicious user to peek inside of your hard drive. Even with extra firmware passwords, they can crack open the case, extract the hard drive, copy it to another computer on which they have administrative access, and scan its contents.
Once your hard drive has been copied to another computer, it's less able to defend itself. In more technical terms, the UNIX permissions scheme that was set up on your Mac does not apply anymore.
This is where FileVault enters the scene. Even though it doesn't prevent hackers from accessing the hard drive and reaching the Home folder, it does make the contents of Home a pile of nonsense, unless they can crack the encryption or guess your password -- more on that later. Of course, the rest of your hard drive is not encrypted, and malicious users will be able to access it easily. However, no personal information should be stored outside of your Home folder unless 1) you use some strangely written applications that do not respect the Mac OS X architecture or 2) you chose to save sensitive data in a non-protected area manually.
In a nutshell, FileVault prevents others from accessing the data stored in your Home folder while you are not logged in.
FileVault was not designed to protect you against hackers and viruses should they create one for the Mac someday. It is important to keep in mind that, as soon as you log in, Mac OS X decrypts the data so that you and your applications can access it. Therefore, once you are logged in, a hacker or a virus can steal information as easily as when it is not encrypted.
To protect yourself against these threats, you should use an updated anti-virus application, a good firewall, and secure passwords. FileVault is in fact a very secure system, designed for professional users who use their computers for a specific purpose -- and not for everyday general entertainment. The encrypted disk image it relies on uses the Advanced Encryption Standard (or AES), widely considered to be fast, strong, and secure.
Services:
Mac OS X ships with all services and potentially dangerous daemons turned off by default. Most of them can be turned on by using the "Sharing" preferences pane, available through the "System Preferences" application. As soon as you turn a "service" on, you start a daemon that will continuously listen for connections on a given port and reply to them. For example, turning "Remote login" on will launch the sshd daemon that will allow anyone to establish a connection to your Mac through port 22. Should a malicious user know your password, he will be in, and legally!
Some of these services turn your Mac into a server, raising a new class of potentially important security issues. Therefore, you should not turn these services on unless you really need them.
Of course, most of these daemons run as nonhuman users on Mac OS X. In other words, they run as if they were a separate user on your machine with very limited privileges. This makes using them to break into your computer more difficult, especially if you make sure that you always use the latest versions of them. However, such daemons can always be used to gain some interesting information about your computer and to launch DoS ( Denial of Service ) attacks quite easily--for example, repeatedly request SSH logins or file sharing to slow your computer down.
Should you need to run a "dangerous" service--i.e. a widely known, insecure one, like FTP or Windows File Sharing --, you may want to dedicate a specific machine on your network and to use it as a file server. On properly firewalled networks, place this machine outside of the firewalled zone--provided that its contents are to be known by the whole world, of course : this will make connecting it to the Internet and serving data much easier while protecting the rest of your network. For the same reason, avoid sharing your internet connection through the "Internet" tab since this grants legitimate access to other computers on your network and launches server daemons on your Mac too. Of course, this is not an issue when working with trusted computers and individuals but should not become a common practice in public places.
NEWS ITEMS:
Apple no longer immune from security threats
New Safari Flaw, Worms Turn Spotlight on Apple Security
February 21, 2006 By Paul F. Roberts http://www.eweek.com/print_article2/0,1217,a=171931,00.asp
A serious new vulnerability in Apple Computer Inc.'s Safari Web browser and new worms that target Apple's OS X operating system have raised awareness of the growing number of threats to computers that do not run the Windows operating system.
Security and anti-virus companies issued advisories Feb. 21 about a dangerous new hole in the Safari browser that could enable attackers to install malicious code on Apple OS X systems without any user interaction.
The warnings follow news of a slew of malicious code for OS X in the last week, including new worms known as "Leap" and "Ingtana."
The new threats may change the way that some Internet users, especially those on the Mac platform, view security, said Graham Cluley, senior technology consultant at anti-virus company Sophos PLC in the United Kingdom.
The Safari Web browser flaw is in a feature called Open Safe Files that is enabled by default.
That feature allows files such as ZIP archives and movie files to be opened and viewed automatically.
Attackers could use a security hole in the feature to run malicious programs on OS X systems without any input from the computer user, according to Johannes Ullrich, CTO of The SANS Internet Storm Center.
"It's pretty serious. It's extremely trivial to exploit," he said.
No attacks that target the hole had been identified as of Tuesday, but malicious hackers could easily use it to place malicious programs on Mac systems, or take information from those systems, Ullrich said.
"Apple takes security very seriously," a spokesperson told eWEEK. "We're working on a fix so that this doesn't become something that could affect customers."
The company advises Mac users to only accept files from vendors and Web sites that they know and trust, the spokesperson said.
News of the Safari hole follows a parade of new, non-Windows attacks that began on Feb. 16, when security experts identified Leap.A, the first virus for Apple's OS X operating system.
Leap spread over Apple's iChat instant message and prevented some Mac applications from loading.
A new OS X worm, named Ingtana, appeared Feb. 17, with two more variants cropping up on Feb. 21.
Ingtana is a proof of concept worm that spreads between Macs running OS X Version 10.4 over Bluetooth wireless connections.
The worm uses a known and patched Bluetooth hole called the OBEX Push vulnerability, according to anti-virus firm F-Secure Corp. in Helsinki, Finland.
The new threats are sowing confusion among Mac users unaccustomed to the drum beat of security warnings that Windows users have long since grown familiar with.
For example, Mac users were confused about the ISC's definition of "user interaction," in regard to the Safari hole, Ullrich said.
ISC defines "no user interaction" as an exploit that doesn't require the computer user take a specific action to get infected—like opening a file attachment or clicking a Web link.
However, Apple, like Microsoft, considers the phrase "no user interaction" to mean an exploit that can work even on a computer that is idle and unattended by a human, Ullrich said.
"It's an old issue on the Windows user side. They think [a threat] is not serious if it requires user interaction, like going to a malicious Web site," he said.
Apple Mac users have raised similar objections to Sophos over the company's descriptions of the Leap worm, Cluley said.
OS X users are a passionate—at times evangelical—group who sometimes construe security warnings about their operating system as dark plots from Windows-backers to discredit the platform, Cluley said.
"I think the problem is that people love Apple Macs. And they consider them superior to Windows. It's a minority choice, but one [Mac users] want to defend," he said.
Apple OS X has considerable security features built in, including a firewall and automatic update features that only recently became standard on the Windows platform, Ullrich said.
OS X also segregates user roles better than Windows, so that a user is less likely to be logged on as an administrator who can take any action on the operating system, he said.
Still, the string of security warnings will prompt some to reevaluate the security posture of Macs, Ullrich said.
"I think Mac users are having growing pains. They're realizing that they're vulnerable, too," he said.
Anti-virus vendors cautioned that the new threats were of little concern to most Internet users.
"This is really a warning shot across the bow. It's not something that's going to cause serious problems to anyone," said Cluley.
Mac OS X users should start doing things that have been advised for Windows users for years: download and install regular security updates, use a desktop firewall and install anti-virus software, Cluley said.
"The chance of encountering any of these [OS X] threats is low. But that doesn't mean you don't have to take security seriously," he said.
Apple's Switch to Intel Could Allow OS X Exploits
January 26, 2006 By Paul F. Roberts
http://www.eweek.com/print_article2/0,1217,a=170118,00.asp
The recent move by Apple Computer to begin shipping Macintosh computers that use microprocessors from Intel could open the door to more attacks against computers running the company's OS X operating system, security experts warn.
The shift to Intel processors from the Motorola Power PC processors will make it easier to create software exploits for Macintosh systems, and could result in a steady stream of Mac exploits in years to come.
The change could put more pressure on Apple to build security features into OS X, according to interviews conducted by eWEEK.
Apple declined requests for interviews. In an e-mail statement, the company said that the security technologies and processes that have made Mac OS X secure for PowerPC remain the same for Intel-based Macs.
Apple first announced its intention to deliver Macs that use Intel processors in June and said it plans to transition all of its Macs to Intel by the end of 2007.
The company's CEO, Steve Jobs, unveiled the first Intel-based systems using Intel's dual-core Duo chip earlier this month at the MacWorld Expo in San Francisco.
The move to Intel will end a 10-year relationship with Motorola, which produced the PowerPC microprocessors used in Macs, and is expected to bring immediate improvements in both processing power and efficiency to Apple.
However, experts cite a number of ways in which the shift to Intel will spell trouble for engineers at Apple and for Mac users:
History:
Using the Intel x86 platform pulls Macintosh systems onto the same platform used by Microsoft's Windows computers, a prime target of the hacking community for years.
"Attackers have been focused on the [Intel] x86 for over a decade. Macintosh will have a lot more exposure than when it was on PowerPC," said Oliver Friedrichs, a senior manager at Symantec Corp. Security Response.
There are many more malicious hackers who understand the x86 architecture in-depth than understand the PowerPC. And attackers have access to hundreds of documents and examples of how to exploit common vulnerabilities on x86, whereas exploits for PowerPC are far fewer, Friedrichs said.
"[Intel x86] lowers the bar dramatically for someone trying to exploit a vulnerability," he said.
Architecture:
Though its name suggests otherwise, Intel's CISC (Complex Instruction Set Computer) architecture is easier to audit for security holes than the RISC (Reduced Instruction Set Computer)–based chips from Motorola, said Lurene Grenier, a software vulnerability researcher and Mac PowerBook user in Columbia, Md.
"With Complex Instruction Set instructions, there are more of them, and they do more for you. It's just simpler to read and write to CISC systems and get them to do something," she said.
Those differences make it easier for vulnerability experts and exploit writers to understand and write exploit code for systems that use the Intel architecture, and removes a big barrier to writing exploits for Mac systems, analysts agree.
"OS X will become more popular as prices drop. I think you have a variety of malicious folks who know the Intel chip set and instruction set. Now that Mac OS X runs on that, people can port their malware and other things over to OS X quickly and easily," said David Mackey, director of security intelligence at IBM.
"If I want to pop some box, Mac on a Motorola chip is a barrier," says Josh Pennell, president and CEO of IOActive Inc. in Seattle.
The population of individuals who can reverse-engineer code and read and write Assembly language is small, anyway.
Within that tiny population, there are far more who can do it for CISC as compared to RISC-based systems, Grenier said.
"There are payloads and shell code written for PowerPC, but there are far fewer people who can or care to write it," Grenier said.
Tools:
Hackers need tools to help them in their work, and more of them exist for machines using Intel's x86 than Motorola's PowerPC, experts agree.
Popular code disassembly tools like IDA Pro work for programs that run on both Intel and PowerPC, but there's a richer variety of tools such as shell code encoders and tools for scouring code that work with the Intel platform than for PowerPC, Grenier said.
"There are tools that are not written for PowerPC because there's not the user base or the interest," she said.
Windows, Linux and Unix all use the x86 architecture, and exploit writers interested in those platforms have developed more tools to help them over the years.
Those tools, in turn, speed development of exploit code for buffer overflows and other kinds of vulnerabilities that require knowledge of the underlying architecture, Grenier said.
"I don't think [Intel] will make Mac more or less secure. But there will be a ton more exploits coming out for Mac," Grenier said.
Other factors:
However, there are many other factors that will determine whether Mac systems will be targets of future attacks, experts say.
"[Software] vulnerabilities still depend on the OS, not the underlying architecture," said Erik Tayler, a security consultant at IOActive. "It will still come down to writing good code."
OS X is generally a stable operating system that is built on top of BSD (Berkeley Software Distribution) Unix, and already has features such as automatic software updates, said Mark Grimes, an OS X security expert who runs Stateful Labs in San Diego, Calif.
Apple is also investing in security talent, and also pushing for stringent Common Criteria certification of OS X so that the operating system can be adopted by government agencies, Grimes said.
However, OS X is still a very "open" operating system compared to Windows, Grimes said.
"There are things you can do with OS X that are kind of scary," he said.
The emergence of "haxies"—hacks for OS X that are used to make small adjustments to the user interface or applications are evidence that OS X could be used to spread malicious code, though maybe not self propagating viruses and worms, he said.
Security companies from IBM to Symantec Corp. have warned that attacks against OS X are on the rise, though they are still a small fraction compared to attacks on Windows systems.
A rich selection of OS X exploits can be found at online hacking sites like the Metasploit Project.
Despite that, OS X lacks many of the security enhancements, such as stack protection, that companies like Microsoft have added in recent years to blunt the impact of malicious code attacks, analysts say.
"Every part of memory is executable by default," Grenier said. "Just about every place you can stick data into memory, you can get it to execute."
That makes it easier to compromise OS X systems for hackers who get access to them, she said.
While Mac is immune to much of the Windows-focused malicious code that circulates on the Internet, that doesn't mean the operating system is without holes, as the frequent operating system patches from Apple indicate, she said.
With a relatively tiny user population and little presence on corporate networks, however, those patches usually don't make news.
"Every time you get an update for OS X, there are a slew of under-publicized vulnerabilities. You might have five, 10 or 15 security flaws, but nobody murmurs," Grenier said.
In the end, the interest in Mac as a target may simply be a factor of its popularity. And switching to Intel could make the systems much more popular, analysts say.
Still, Apple should invest in technologies that make it harder for malicious code to run on their machines now, rather than waiting to see what happens. Protections against memory and stack overflows are a good place to start, analysts agree.
"Technologies that protect against stack based overflows are readily available, and it's not difficult to leverage those and incorporate them into the OS," Friedrichs said.
Apple should consider putting a large, public effort into security, much as its bitter rival Microsoft did with Trustworthy Computing, or the open-source GrSecurity effort to improve Linux security, Grenier said.
OS X exploits aren't uncommon. The shift to Intel could be just the change that makes it worthwhile to write exploits for them, she said.
Mac Could Get Infected at Boot Camp
By Larry Seltzer April 6, 2006 http://www.eweek.com/article2/0,1895,1947242,00.asp
Opinion: Is it possible for a Mac to catch a Windows disease? Yes, though it's not likely.
I'm quoted in April 6's USA Today in its story about Boot Camp, Apple's new software support for running Windows on Intel-based Macs. The reporter's question to me was whether Windows malware could attack the Macs running Windows.
Of course, the answer is, "Of course." Unless Apple has pulled off some secret miracle, any malware targeted at Windows will run on an Apple computer running Windows.
The more interesting question is whether it could affect the Mac parts of the system.
At first it seemed to me that this was theoretically possible, but highly unlikely, both for technical and practical reasons.
My understanding from talking to people who (unlike me) have actually used Boot Camp is that it is a simple boot loader. The Windows and Mac file systems exist on the system in separate hard disk partitions. From what I've read, they don't see each other, at least not by default.
There is no software currently included to make Windows see the Mac partition. Perhaps this will be addressed by third parties.
But it is also my understanding that nothing in Boot Camp prevents Windows from reading the portions of the disk that contain the Mac file system, and this is where the Mac becomes vulnerable.
It should be possible for a malware writer to write a Mac OS X infection program inside a Windows program that will a) determine that it is running on a Mac, b) find the partition with the Mac file system, c) include code for basic file I/O on it and d) infect it.
In fact, once a, b, and c are done, d is really tempting, because infecting a Mac system under OS X is not easy. This scenario proves the old truism that without physical security there is no security at all. However, it also largely proves the old and much-maligned adage of "security through obscurity," as it's hard to see any malware writer actually going through the trouble of doing this.
It would involve a great deal of work. But maybe not as much as you might think. The source code for Darwin, which is the basis of the Mac OS X, is available out in the open, and my understanding is that the basic file system code is in there. A malware writer could include the code, or a derivative thereof, in the program.
This type of Windows malware would be able to read and write the offline OS X partition completely bypassing all the OS X security, because OS X would not be running at the time.
If it were sophisticated enough about using the file system, it could write malware into the OS X installation fully installed. Getting theoretical here, it might even be possible to replace parts of the Mac operating system with malicious versions.
So, is this going to happen? For all the same reasons that little or no malware exists for the Mac, there is even less reason to write this program. If you're a malware writer you want your program to spread. The odds of a Windows system running this program are high, but the odds that the Windows system will be an Intel-based Mac running Boot Camp are very low.
There are things that could be done, like disguising it as a special Windows-based Boot Camp utility, perhaps one that gives file system access to the Mac partition. When these utilities come out, make sure to get them only from trustworthy sources.
------------------------------------------------
Reader Feedback: The new Intel Mac is secure until you install Windows on it. This is what Apple says on the Boot Camp page:
"Word to the Wise - Windows running on a Mac is like Windows running on a PC. That means it’ll be subject to the same attacks that plague the Windows world. So be sure to keep it updated with the latest Microsoft Windows security fixes."