Domain: f-secure.com
Stories and comments across the archive that link to f-secure.com.
Comments · 409
-
Free F-Secure FOR LINUX Antivirus!
Current version as of July 16, 2012:
(visit site below for newer versions!)
- Linux Security 9.14
Download: http://download.f-secure.com/webclub/f-secure-linux-security-9.14.1942.tar.gz
Release Notes: http://download.f-secure.com/webclub/f-secure-linux-security-9.14.1942-release-notes.txt
- More Linux Downloads:
https://www.f-secure.com/en/web/business_global/support/downloads
- F-Secure Linux weblog:
https://www.f-secure.com/linux-weblog/
-
Are you sure SHA-1+salt is enough for passwords?
Good info about storing passwords properly: http://www.f-secure.com/weblog/archives/00002095.html
-
Re:It's worldwide
Yes, and in Finnish among other languages; F-Secure has identified a lot of localized versions. Although that malware is not as sophisticated as Zeus (instructions to get away from it are quite simple and included in the blog article), the method is the same - display the logo of a local law enforcement agency (police, internal police...) and demand (an anonymous) payment because they have found cp on your machine.
Easy money because it is a big accusation (even stronger than copyright infringement - with cp you are totally destroyed instantly by the community, copyright infringement at least gets you some good-will) and just paying a relatively small sum may seem like an easy way out of the trouble. Of course education will help, but there are those who are so freaked out by the accusation that they will not even think of seeking help, and those who feel guilty because they have surfed "free porn" and are not really sure if that is all ok (no intentional cp, but you can never be sure with those shady things, can you, maybe those girls were 17 and not 18 after all...) and are afraid that anyone else finds that out.
-
Re:Hey Apple Users...
At the same time, having basic security practices still thwarted it from being installed on your system. From F-Secure:
On execution, the malware checks if the following paths exist in the system:
/Library/Little Snitch
/Developer/Applications/Xcode.app/Contents/MacOS/Xcode
/Applications/VirusBarrier X6.app
/Applications/iAntiVirus/iAntiVirus.app
/Applications/avast!.app
/Applications/ClamXav.app
/Applications/HTTPScoop.app
/Applications/Packet Peeper.app
If any of these are found, the malware will skip the rest of its routine and proceed to delete itself.
So doing something basic and sensible, such as having a common (and free) antivirus program, or having a popular (but non-free) firewall meant that you wouldn't get the trojan. This particular piece of malware was specifically targeted at people who don't follow common security practices. (And before anyone says that Mac users haven't needed AV software in the past: It has always been recommended, if only because you don't want to risk passing a virus on to a friend's PC if you email him a file.)
-
Re:No user interaction
The definition of worm is not "malware that copies itself from system to system automatically without user interaction". A worm is self-replicating code that uses a network, by some definitions, and, by others, a worm is any malware that spreads by itself but does not parasitize legitimate software (thus why "USB worms").
Although the Morris worm did not require user interaction, this is not true of all future malware that would be considered a worm. Malware that copies itself to network drives, P2P software shared folders, or attaches itself to or sends e-mail, IM or IRC messages are all worms.
As for trojans, any malware that does not replicate is a trojan. Back in the day, and even today, the only way to convince a user to run such software is by advertising it as another piece of software - thus why the trojan horse definition. Exploit code changed that, but they're all still trojans, and most still fallback to advertising themselves as a Flash player plugin or video codec when the exploit doesn't work. In any case, this new malware doesn't replicate, so it is a trojan.
There is no malware category to describe code that requires no user interaction to run. Exploits, worms and viruses and trojans all can do it, but that's not required by their definitions.
Reference: http://www.f-secure.com/en/web/labs_global/threat-types
-
No need to wait, F-Secure has a free tool ready
They now have a automated tool available at http://www.f-secure.com/weblog/archives/00002346.html
-
Re:Slow is good
Yeah, and how hard is that? Is this about malware that magically attaches itself to existing executables, or does it just drop itself into a system directory and run itself?
"As with previous variants of the malware, the latest variant of the Flashback malware, called OSX/Flashback.I, works by modifying code within Web browsers that causes it to launch when the browsers are opened and result in modified Web pages being displayed."
Removal instructions
Both are pretty bloody old problems and easily mitigated. How is it that OSX can be owned by a driveby exploit trojan that adds it to a botnet? I thought its underlying guts were Unix. How is it that Windows can't notice that something new has been installed and executed without the user's instigation?
What have Apple and Microsoft OS developers been spending their time on for the last decade? Surfing pr0n? Posting "you guys suck" on web forums? Making Clicky spin more gracefully?
Meanwhile, their users are unwittingly added to botnets and their machines run keyloggers that phone home to crackers. And they get to pay for these "privileges"?!? Gee, what a great deal.
$DEITY help them if their shareholders ever wise up.
Actually the problems ARE all solved in the latest versions of OSX. The attack vector is a Java applet displayed in the browser, Lion no longer includes Java by default, malware detection was added in Snow Leopard and starting in Lion processes are sandboxed. From what I've read the malware seems to target older computers and versions of OSX. As always the best protection is remaining up to date.
-
Manually Detect & Remove
Running Software Update today to update Java will prevent you from getting flashback going forward, but that's not going to do anything if you already have it.
Here's how to figure out if you have it (from Gizmodo):
1. Run the following command in Terminal:
defaults read /Applications/Safari.app/Contents/Info LSEnvironment
2. Take note of the value, DYLD_INSERT_LIBRARIES
3. Proceed to step 8 if you got the following error message:
"The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist"
If you don't get that error message, well, time to head to F-Secure for your fix. If you're clean so far, you can move on to step eight:
8. Run the following command in Terminal:
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
9. Take note of the result. Your system is already clean of this variant if you got an error message similar to the following:
"The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist"
In other words: "does not exist" means you've got a healthy rig. Anything else, just keep following F-Secure's instructions to vanquish the intruder.
-
Re:No overwhelmingly surprising
When the computer needs to do something at the privileged level, it asks for a password.
Interestingly enough, when it comes to Flashback, it will prompt you for the admin password when it attempts to infect your system. If you give it, it will attempt to infect Safari (but only if you don't have certain applications installed -- if you have Xcode installed for example, it will delete itself immediately), but if you don't provide an Administrative password, it will attempt to infect you via the user's local ~/Library directory and /Users/Shared (although again, there is a list of app paths which, if present, will cause it to delete itself). Thus, this one can infect even without admin access, although it can only infect a single user in this manner. Other users of the system won't see anything, and it won't propagate to them in any automated manner.
Lots of interesting details here. I'm glad to see that Apple has patched the Java flaw that permitted drive-by installation of this trojan, however the ability to dump libraries into folders and update property files to load native code that replaces common system-wide functions seems troubling, and is something Apple should address.
Yaz
-
Re:How to tell whether you are infected
Don't forget to replace Safari with "Google Chrome" or Firefox or Camino or Opera if you use one of these.
Anyway, the machines I checked were all clean. It seems installing MS Office 2008 or 2011 (and a bunch of other software) is enough to stop the thing from installing itself: http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml
-
Re:now
Can we please end the madness where people claim that since an OS is a variant of unix it can't get a virus?
Funny, because in this thread I currently see zero (0) fanbois desperately trying to defend Apple wailing "....but its not a virus, its a trojan, and its all Oracle's fault anyhow!" c.f. any number of haters saying "Ha Ha! Macs can so get viruses!!!". Methinks some people are just a bit too desperate to knock Apple.
Actually, although this one is technically a trojan, it sounds quite nasty in that it can apparently infect your mac even if you don't fall for the "enter administrator password" dialog. Presumably it still needs some sort of user interaction to work.
However, I do like the irony that having MS Office installed "inoculates" you against this trojan
:-)
-
Re:How to check
Yes.
From instructions here: http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml
It basically boils down to running two commands in Terminal:
defaults read /Applications/Safari.app/Contents/Info LSEnvironment
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
If both of those come back as "The domain/default pair ... does not exist" then you are ok.
Although even easier, if you have MS Office 2008, MS Office 2011 or Skype installed you are not infected - the Trojan checks for these (for some reason) and deletes itself if it finds them.
Similarly, it will check for the following directories, and if it finds them it stops installing and self-deletes:
/Library/Little Snitch
/Developer/Applications/Xcode.app/Contents/MacOS/Xcode
/Applications/VirusBarrier X6.app
/Applications/iAntiVirus/iAntiVirus.app
/Applications/avast!.app
/Applications/ClamXav.app
/Applications/HTTPScoop.app
/Applications/Packet Peeper.app
A threat, certainly (and Apple closed the Java hole just this week), but it's trying to fly under the radar as much as possible at the moment for whatever reason.
-
How to tell whether you are infected
See here: http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml
Summary:
If you open Terminal and run
defaults read /Applications/Safari.app/Contents/Info LSEnvironment
and
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
and see:
The domain/default pair of [...] does not exist
for each, you are not infected. Also, if you run nearly any AV software or other tools like Little Snitch, you are not infected as it checks for these and deletes itself if found.
Also, no sensible person ever said "Macs don't get [infected/hacked/whatever]." It's just a lot less likely, and has historically been, even accounting for differences in marketshare. As Mac share increases, it only makes sense they'll be targeted more with malware. But Macs, as a whole, are indeed "more secure", in that still, to this day, you are far less likely — even with the complacency or, if you prefer, ignorance, of Mac users — to be impacted by any malware than with Windows. Maybe someday this will change. But it's never been true to date, and isn't true now. The fact that single instances of Mac malware get so blown out of proportion, STILL, is ridiculous. (Though, Apple could do better with patching known vulnerabilities in Java on Mac OS X...)
The same advice and best practices for avoiding malware apply to Macs as well as any other desktop platform, and Mac users would do well to run current AV software. The Sophos free edition is nice.
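The two `defaults read` commands in this post (and in the "How to check" and "Manually Detect & Remove" comments earlier) are asking whether a DYLD_INSERT_LIBRARIES entry has been planted in Safari's Info.plist or in the per-user environment.plist. As an added example that is not F-Secure's, Gizmodo's or any commenter's code, the script below performs the same check by parsing those plists directly; the plists and the injected library path in them are constructed samples, and `assess_live_system` assumes the real file locations named in the thread.

```python
"""Detect a DYLD_INSERT_LIBRARIES injection in the two places the Flashback.I
removal notes tell you to look: Safari's Info.plist (LSEnvironment) and
~/.MacOSX/environment.plist. Added example; sample plists are constructed and
the library path in them is a PLACEHOLDER, not a real indicator.
"""
import plistlib
from pathlib import Path
from typing import Dict, List, Optional

# Constructed sample: Safari Info.plist with no LSEnvironment key at all.
# This is the case `defaults read ... LSEnvironment` reports as
# "The domain/default pair ... does not exist".
CLEAN_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.apple.Safari</string>
</dict>
</plist>
"""

# Constructed sample: the same bundle with an LSEnvironment block that makes
# dyld load an extra library into every Safari process (placeholder path).
INFECTED_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.apple.Safari</string>
    <key>LSEnvironment</key>
    <dict>
        <key>DYLD_INSERT_LIBRARIES</key>
        <string>/Users/Shared/PLACEHOLDER_injected.dylib</string>
    </dict>
</dict>
</plist>
"""

# Constructed sample: per-user ~/.MacOSX/environment.plist, the no-admin-
# password variant the thread describes. The key sits at the top level here.
INFECTED_USER_ENV_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/Users/Shared/PLACEHOLDER_injected.dylib</string>
</dict>
</plist>
"""


def _split_dyld_value(value: object) -> List[str]:
    """DYLD_INSERT_LIBRARIES is a colon-separated list of library paths."""
    return [p for p in str(value).split(":") if p]


def libraries_in_info_plist(data: bytes) -> List[str]:
    """Libraries injected through LSEnvironment in an app's Info.plist.
    Returns [] when LSEnvironment or the key is absent (the healthy case)."""
    env = plistlib.loads(data).get("LSEnvironment")
    if not isinstance(env, dict) or "DYLD_INSERT_LIBRARIES" not in env:
        return []
    return _split_dyld_value(env["DYLD_INSERT_LIBRARIES"])


def libraries_in_user_env_plist(data: Optional[bytes]) -> List[str]:
    """Same check for ~/.MacOSX/environment.plist. None means the file does
    not exist, which `defaults read` also reports as 'does not exist'."""
    if data is None:
        return []
    plist = plistlib.loads(data)
    if "DYLD_INSERT_LIBRARIES" not in plist:
        return []
    return _split_dyld_value(plist["DYLD_INSERT_LIBRARIES"])


def assess(info_plist: bytes, user_env_plist: Optional[bytes]) -> Dict[str, object]:
    """Run both checks; 'clean' is True only if neither location injects a library."""
    safari = libraries_in_info_plist(info_plist)
    user = libraries_in_user_env_plist(user_env_plist)
    return {"safari_lsenvironment": safari, "user_environment": user,
            "clean": not (safari or user)}


def assess_live_system() -> Dict[str, object]:
    """Read the real files on a Mac (assumed paths from the thread); not run by default."""
    info = Path("/Applications/Safari.app/Contents/Info.plist").read_bytes()
    env_path = Path.home() / ".MacOSX" / "environment.plist"
    return assess(info, env_path.read_bytes() if env_path.exists() else None)


if __name__ == "__main__":
    print("clean:", assess(CLEAN_INFO_PLIST, None))
    print("safari hooked:", assess(INFECTED_INFO_PLIST, None))
    print("user env hooked:", assess(CLEAN_INFO_PLIST, INFECTED_USER_ENV_PLIST))
```

Any non-empty list is a finding to investigate; legitimate software rarely sets DYLD_INSERT_LIBRARIES for Safari, so the thread's "does not exist" outcome corresponds to `clean` being True.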
-
Re:What OS are we talking about?
Lazy, aren't you? Google the Trojan name, and the very first result tells you.
Trojan:W32/DNSChanger
That's if the context didn't tell you... Hmm, a Trojan infecting millions of machines to the level of getting courts involved. You really expect that to be Mac or Linux?
-
Re:Really Has Nothing to Do with Development
Yeah, repackaging with malware or scamming users seems to be a major problem with Android. There are trojans and all kinds of nasty stuff, like this trojan that repackages popular games and apps, says it's a free version, and scams the user by sending premium rate SMS to the malware author. Google isn't even really trying to do anything about it; they remove them afterwards when the news gets out, and by then thousands of users have been scammed already. Stuff like that isn't happening on either Apple's or Microsoft's store.
-
Re:Time to replace DNS
Yep: DNSChanger. Even works on Macs too!
Disclaimer: please do not blame me if you are actually stupid enough to try installing DNS Changer.
-
Re:Original Authors?
"Stuxnet source code is not out there. Only the original authors have it. So, this new backdoor was created by the same party that created Stuxnet." - F-Secure.
-
RSA got 0wn3d by a spreadsheet.
This wasn't stuxnet. It was Excel.
-
F-Secure has the installer
F-Secure has the installer: http://www.f-secure.com/weblog/archives/00002250.html
-
Re:C3PO-r2d2-POE
This string has nothing to do with the disassembly. It's a part of the program you can see with any hex editor.
The name R2D2 comes from a string inside the trojan: "C3PO-r2d2-POE". This string is used internally by the trojan to initiate data transmission.
-
Re:So will AntiVirus software find it?
f-secure at least will.
You're probably referring to their stated policy. However, according to CCC
All examined variants of the trojan were not recognized by any antivirus program at the time of creation of this report. ("Alle untersuchten Varianten des Trojaners wurden zum Zeitpunkt der Berichterstellung von keinem Antivirus-Programm als Schadsoftware erkannt.") -- report page 3
Also, f-secure have not promised to detect all government malware they are aware of:
We have to draw a line with every sample we get regarding whether to detect it or not. This decision-making is influenced only by technical factors, and nothing else, but within the applicable laws and regulations, in our case meaning EU laws.
So if there is an EU law or regulation (such as an international treaty) that forbids interfering with an EU government's attempt at spying on their citizens, they will honor it. Not all regulations are public, so there is no way to tell if there is such a regulation or not.
-
Re:I am waiting for an AV signatur update
-
Re:again PDF?
Actually, as near as I can tell it is an executable with no extension at all, but with a PDF icon of some sort and MIME type included in the resource fork.
Actually, if you skip all the journalism and follow links all the way to the F-Secure blog posting about the trojan, it's a file "where the icon is stored in a separate fork that is not readily visible in the OS", which presumably means "in the resource fork". The F-Secure item for the trojan says "Trojan-Dropper:OSX/Revir.A drops a downloader component that downloads a backdoor program onto the system, while camouflaging its activity by opening a PDF file to distract the user.", which seems to indicate that both a PDF that "[distracts] the user" and other stuff including "a backdoor program" are involved. It sounds a bit more complex than what the articles about the trojan say it is and the /. discussion of the trojan seem to imply it is, but they don't indicate what "a downloader component" is. I guess I've spent too much time dealing with Mac OS X at the UN*X level to know what "a downloader component" is....
-
Re:REALLY, notary systems ARE NOT hard to understa
The worst thing they can do is to use their CA to emit a valid cert for gmail.com and spy on me that way. That is a big problem, but I can remove the chinese CA from my system. Certainly this isn't perfect at all, but workable to some extent.
Remove the Chinese CA? That idea is "trust agility". You're suggesting you have some ability to change who you trust with modifying browser CA lists. It's quite minimal, really:
Did you remove the Diginotar cert? Or did you wait for your browser or OS to get an update? Eventually we discovered there were more than one cert:
- DigiNotar Root CA
- DigiNotar Root CA G2
- DigiNotar PKIoverheid CA Overheid
- DigiNotar PKIoverheid CA Organisatie - G2
- DigiNotar PKIoverheid CA Overheid en Bedrijven
- DigiNotar Root CA Issued by Entrust (2 certificates)*
- DigiNotar Services 1024 CA Issued by Entrust*
- Diginotar Cyber CA Issued by GTE CyberTrust (3 certificates)*
Handling that is not very workable.
And what if the CA is someone like Verisign? Do you remove Verisign? And make a quarter of HTTPS connections show up as invalid? Too big to fail is another failure of trust agility.
And did you know that Diginotar's website had been hacked as far back as 2 years ago? And they never noticed or fixed it until now. Could their CA cert have been compromised then? 2 years of exposure, without a hint so we couldn't have removed the certs even if we knew which ones were relevant.
And there are over 500 organizations your browser trusted in addition to Diginotar. What are the chances that any one of them is being run badly? Or, the better question, how many other Diginotar-alikes are sitting in your browser at this very moment? The logical OR of the current browser CA system is a failure.
And, anyway, this scenario assumes you can block the notaries. Anyone can run a notary. Not everyone has to publicize their notary.
And if they firewall it off country-wide I have no way to reach it at all.
I assume "it" refers to notary access. I pointed out earlier that firewalling by protocol or port would be problematic because Convergence notaries use HTTPS.
And if they managed somehow to block all notaries by identifying some quality of the requests, you might still be able to access them via web proxy or SSH.
And if they managed somehow to block all notaries by identifying some quality of the requests, and they could block all web proxy and SSH connections, you would still likely have a cache of important sites' certs.
And if they managed somehow to block all notaries by identifying some quality of the requests, and they could block all web proxy and SSH connections, and you didn't have a cache of important certs, the Convergence protocol is extensible such that a local notary could return its "OK" or "NOK" based on results from any method it chooses, not only "whether seen". Notaries could use DNSSEC, or "whether seen" via Tor, or a PGP Web of Trust, or even the existing CA system. You could have such a notary running locally as a fallback.
Where the CA system requires only one -- just one CA -- out of half a thousand organizations to vouch for a cert -- and you have no choice about it using that method -- notaries-based systems can be configured to require some number/percentage of notaries to agree, out of a quorum. Who you trust and how you trust them is your decision. And you can change your mind.
First, if the notaries aren't published anywhere, how do people find about them? Very very few people are going to run their own notary. Few people understand all this stuff, and even fewer have the means to run a notary that has a different perspective than their own.
The system is in the process of be
-
F-secure has a partial list
It may not be complete, but, F-secure has a list of the ones created, including *.*.com, *.*.org, www.cia.gov, addons.mozilla.org, *.torproject.org, etc...
-
F-Secure article on this
-
Re:In Firefox 6
-
A non-issue for people who use strong passwords
From what I've read, the worm isn't using an exploit. It's simply trying to log in using a set of common and easy to guess passwords. If you use strong passwords, then your machine won't be compromised. Though a flood of RDP access requests could amount to a denial of service attack.
-
Not a new attack vector
Bluetooth has always been a known attack vector. I remember one that affected symbian phones for example. I used to get the odd file transfer request on my phone from other people who were infected. I think this might have been it.. http://www.f-secure.com/v-descs/cabir.shtml
-
Eyeroll
MBR rootkit malware is among the most advanced of all threats.
So advanced, it's been around for 25 years. Boot sector manipulation is like the flint arrowhead of virus tech.
-
malware infiltrated computer systems?
"The malware at issue, known as "agent.btz," infiltrated the computer systems of the U.S. Central Command in 2008"
Don't you mean someone opened an attachment in Microsoft Exchange or clicked on a URL in Microsoft Internet Explorer, or plugged a USB device into a computer running Microsoft Windows.
Name : Worm:W32/Agent.BTZ
Category: Malware
Type: Worm
Platform: W32
-
Evidences of malware on MacOS X & sec. vulns
See subject-line, & this quote from yourself:
"I would not call the malware situation on OS X anywhere near rampant. Rampantly reported, maybe." - by Stupendoussteve (891822) on Wednesday June 01, @10:49PM (#36315642)
OK Then - Refer to this list of malware related incidents, + security flaws on MacOS X then (over 50++ of them easily & I have more than this IF you would like them as well):
---
MacOS X - Techworld.com - Third worm hits Mac OS X:
http://www.techworld.com/security/news/index.cfm?NewsID=5429
MacOS X - Slashdot Apple Story | Apple Quietly Goes After Mac Trojan With Update:
http://apple.slashdot.org/story/10/06/19/1811203/Apple-Quietly-Goes-After-Mac-Trojan-With-Update
MacOS X - Slashdot | Worm Threat Forces Apple to Disable Software?:
http://it.slashdot.org/it/07/08/03/1451217.shtml
MacOS X - Slashdot | Two Trojans For Mac OS X:
http://it.slashdot.org/it/08/06/25/0032226.shtml
MacOS X - Slashdot | Mac OS X Root Escalation Through AppleScript:
http://it.slashdot.org/article.pl?sid=08/06/18/1919224
MacOS X - First Rogue Cleaning Tool for Mac - F-Secure Weblog : News from the Lab:
http://www.f-secure.com/weblog/archives/00001362.html
MacOS X - Mac malware authors release a new, more dangerous version | ZDNet:
http://www.zdnet.com/blog/bott/mac-malware-authors-release-a-new-more-dangerous-version/3385
MacOS X - Mac OS X backdoor Trojan, now in beta? | Naked Security:
http://nakedsecurity.sophos.com/2011/02/26/mac-os-x-backdoor-trojan-now-in-beta/
MacOS X - Mac Malware Evolves - No Install Password Required - Slashdot:
http://it.slashdot.org/story/11/05/26/1355243/Mac-Malware-Evolves---No-Install-Password-Required
MacOS X - New 'MACDefender' Malware Threat for Mac OS X - Mac Rumors:
http://www.macrumors.com/2011/05/02/new-macdefender-malware-threat-for-mac-os-x/
MacOS X - New Backdoor Mac OS X Trojan Surfaces - Slashdot:
http://slashdot.org/submission/1485038/New-Backdoor-Mac-OS-X-Trojan-Surfaces
MacOS X - New Mac fake-defenders similar to Windows scareware - The Register:
http://www.theregister.co.uk/2011/05/20/mac_scareware_win_rogue_similarities/
MacOS X - OS X Crimeware Kit Emerges MacDEFENDER- Slashdot:
http://apple.slashdot.org/story/11/05/02/2120203/OS-X-Crimeware-Kit-Emerges
MacOS X - OSX/Pinhead-B Trojan (OSX_HELLRTS.A, OSX/HellRTS.D) - Sophos security analysis:
http://www.sophos.com/security/analyses/viruses-and-spyware/osxpinheadb.html
MacOS X - Fake security software catches out Apple owners:
-
Re:How are apps "infected"?
This application was originally harmless. However, a malicious developer called "Magic Photo Studio" downloaded the original application, modified it and re-uploaded it to Android Market.
In other words, the malware perps grab legit apps from the market, trojanize them, and re-upload to the market under their own throwaway "legitimate" developer identity. So (A) if you search for a particular kind of app, you will see the original clean app alongside the trojanized one, and perhaps choose the latter; and (B) even worse, the malware authors ARE COMMITTING COPYRIGHT VIOLATIONS!!!
-
Re:You can't
Which is why you don't run AV on a compromised machine. You boot from a rescue CD such as that provided by Avira or F-Secure.
Even that's not a perfect solution, of course, because it assumes your scanner can detect secondary vulnerabilities injected by the infection itself - or that no such vulnerability exists. Both of which seem rather optimistic assumptions. Ideally you'd have some sort of boot CD that can run checksums against every file on the system - but by the time you get to this point, it's probably several times quicker to rebuild the system.
-
Re:Why collect WiFi hotspot data?
http://www.f-secure.com/weblog/archives/00002145.html has some insight into what Apple was after re WiFi hotspots. Skyhook and Goole had to seek them, Apple had iPhone owners.
-
Re:Final Abend
Move over Richard Keil - this is a true memorial abend!
(for those too young: http://www.f-secure.com/v-descs/memorial.shtml)
-
Re:OMG big brother...
Do you have any reliable sources for your claim? F-secure says using the default settings your data is sent to Apple twice a day.
-
Knee-jerk response is awesome
John Graham-Cumming has an excellent, level-headed response to Mohamed Assan's entire "research."
Also confirmed at F-Secure.
-
False Alarm
Initial reports due to incompetence - there never was a rootkit: http://www.f-secure.com/weblog/archives/00002133.html
-
Utter bullshit
False positive from a rarely used AV package - detects the same thing in an empty folder on a clean machine.
http://www.f-secure.com/weblog/archives/00002133.html -
Odd... I just watched a similar article...
And it had the dates right. http://www.f-secure.com/weblog/archives/00002094.html Cascade.... now a PE infector! Or not...
-
Re:It's an OS, not a hot dog.
> Microsoft's decisions have placed "user friendly" above "security" for years.
Exactly. Case in point: Even Win7 still hides known file extensions by default. Users can be easily manipulated into clicking on something they think is legit.
http://www.google.com/search?q=Win+7+still+hides+known+file+extension+type
e.g.
http://www.f-secure.com/weblog/archives/00001678.html
Granted, you can't protect ignorance from stupid, but c'mon, why make it harder than it needs to be.
-
Re:Easy to stop, & how to do so... apk
Unless, of course, you jailbreak your iOS device. Or someone gets a virus inside the walled garden and you install it as an app. Or a vulnerability in its web browser allows a properly-crafted website to execute code.
iOS is not invulnerable. It just doesn't allow you, by default, to be stupid enough to load cracked warez from Chinese websites. So it does offer you a level of protection against this specific vulnerability, that's very true. But that doesn't even come close to making you immune.
But it's not exactly invulnerable to attack: http://www.f-secure.com/weblog/archives/iOS_Security_Updates_20100908.htm
Note that, although many of the vulnerabilities listed above are pretty innocuous, some of them are pretty severe, and not a single one of them had anything to do with loading a specific application from an external site. These are all vulnerabilities in actual Apple-provided apps or the core iOS itself.
The only device that is immune to viruses is called a rock. And even it can get moss and lichen and dirt and stuff on it.
-
On Symbian malware/exploits
I've used Nokias exclusively for the last 6 years. S60 2nd edition allowed you to install any apps from anywhere, and there were quite a few trojans and other apps written for it, around 2004-05.
S60 3rd edition made it harder to do so by requiring all apps to be signed by Symbian, and earlier they only gave out certificates to companies rather than individuals. Nevertheless, there were (are) ways to self sign an install package (a .SIS file) and then install it.
Even then - the phone warns you that the application is not signed, so there's no way anything can silently install itself without user intervention.
The second most common vector for exploits is the browser. No matter what short sighted US tech blogs may say - Symbian is the world's most widely used OS, with over 2 billion devices sold to date. How come we haven't yet seen a browser based exploit for the internal Webkit browser?
A google search for 'Symbian 3rd edition malware' shows up hardly one or two examples - and reading the descriptions, they rely on social engineering to fool the user into getting installed. The same rules apply as on desktop OSes - namely not to open/install unknown applications etc. What would be worrisome would be a browser exploit, where just visiting a link can compromise your phone, or some sort of silently installed malware. The former has yet to be proved and the latter can only happen through (all too common) user stupidity, so this leads me to conclude that Symbian at least is safe for the present.
Also bear in mind that Nokia pushes out firmware updates much more regularly than other phone manufacturers; even up to 2 years after launch (the 5800 Xpressmusic is a case in point), so you can expect security fixes, if found, to be available faster. Sucks to be in the US with a carrier subsidized handset though.
-
Re:None have come to fruition?
What we don't have is people focused on finding, removing, and spouting a product yet like Norton/McAffee/AVG/whatever.
If Viruses did not exist, it would be necessary for AV companies to create them.
The Joker exists because of Bat Man. Bat Man exists because of the crime in Gotham. Both Bat Man and The Joker can use their resources to fight or cause crime.
Darth Vader exists because of the Jedi, the Jedi Order exists because of crime in the Universe. The Force can be used for good and evil. It's a Yin & Yang sort of thing. Good and Evil are relative terms, subject to interpretation.
Crackers exist because of Hackers. AV exists because of malware in CyberSpace. The Source can be used for good or evil.
Hackers hack on the hardware / environments that they have available. Hackers can turn bad, and become Crackers, and use their but first they must have a genuine interest and exposure to a platform in order to exploit it.
Some platforms cater more to the Hackers, and they are less frustrated with the platform; Thus, less become Crackers for such platforms. Other platforms shun the Hacker, frustration fuels the desire to become a Cracker, and more malware is released which exploits such platforms...
-
Re:None have come to fruition?
-
Meanwhile in Finland
http://www.f-secure.com/weblog/archives/00002054.html
Matthew ANDERSON between the 1st day of September 2005 and the 27th day of June 2006, together with Artturi Alm and other persons, caused unauthorised modifications to the contents of computers, with intent to cause such modifications, and by so doing to impair their operation and/or to impair the operation of any computer programs or the reliability of computer data.
+ Counts of acquiring criminal property and money laundering were left to lie on file.
He will be sentenced on 22 November.
Two other men were previously arrested as part of the investigation. One was released with no further action. The other, Artturi Alm, pleaded guilty in Finland in 2008 and received a custodial sentence (18 days) and a community service order.
-
Also by network shares
It also spreads through network shares, so once inside it can quickly get around. Still, F-Secure has a nice Q&A bit up on StuxNet + demo vid.