Slashdot Mirror


Apple Quietly Recommends Antivirus Software For Macs

Barence writes "After years of boasting about the Mac's near invincibility, Apple is now advising its customers to install security software on their computers. Apple — which has continually played on Windows' vulnerability to viruses in its advertising campaigns — issued the advice in a low-key message on its support forums. 'Apple encourages the widespread use of multiple antivirus utilities so that virus programmers have more than one application to circumvent, thus making the whole virus writing process more difficult.' It goes on to recommend a handful of products." Reader wild_berry points out the BBC's story on the unexpected recommendation.

23 of 484 comments

  1. a way to make money by Bizzeh · · Score: 4, Interesting

    Is this a scare tactic for Apple to push some pay-for software and get people to buy it? Or have Apple started to lose confidence in their operating system? Or even worse, do they know something we don't? Are they expecting an attack?

    1. Re:a way to make money by bytethese · · Score: 4, Interesting

      It does sound like a possible "setup". Macworld 2009 debuts new AV software? Who knows. Maybe the Mac has started to reach that point where virus writers and security aficionados have enough of a base to target their efforts? After all, Mac does seem to be gaining market share year by year.

    2. Re:a way to make money by YttriumOxide · · Score: 5, Interesting

      Maybe the Mac has started to reach that point where virus writers and security aficionados have enough of a base to target their efforts?

      Perhaps, but I am still waiting to see a real "virus" that hits MacOS. There's been a few trojans (such as the one mentioned in TFA), but nothing that qualifies as a virus yet as far as I know. It is likely much harder to write a real virus (rather than a trojan) for MacOS than Windows as you'll need to find a privilege escalation exploit (need I say, without local access) in one of the standard services first, all of which tend to be pretty robust and having a core that comes from the open source and Unix worlds... as far as I know, there aren't any such exploits known right now.

      Trojans can of course still be fairly nasty, as there's a lot of stupid users in the world (of any OS).

      Disclosure: I do use MacOS X as my primary OS at home, but I'm definitely not a "fanboy" (I also have Linux systems at home and use primarily Windows at work - I consider myself "OS agnostic").

      --
      My book about LSD and Self-Discovery
      Also on facebook as: DroppingAcidDaleBewan
    3. Re:a way to make money by CFTM · · Score: 3, Interesting

      I don't know why you want to wait, it will happen in time. This is not meant as a critique of Apple in any way, I am of the belief that over a long enough time frame, with enough market penetration, Mac viruses will become more common. It's not that Macs are inherently that much more stable, rather the market penetration is such that it makes more sense for people creating malicious viruses to focus on the PC instead. Why create a virus that only hits 7% of computers when you can hit one that hits 85% of computers?

      I also would wager that the Mac OS is probably a bit more secure than Windows, because well, it's Windows... that being said, if there's enough code there will be mistakes that can be exploited; that's the nature of the human element.

    4. Re:a way to make money by squiggleslash · · Score: 5, Interesting

      I wish people would stop parroting this fallacy all the time. Market share has nothing to do with how easy it is to break into a system.

      Look at AROS! It has no security whatsoever, not even memory management between processes, so despite only having a hundred or so users, it must have zillions of viruses. But, of course, it DOESN'T. So far as I'm aware, nobody's bothered to write one, and it's unlikely any AROS virus would actually be effective.

      All viruses require a reasonable level of market share to operate, because one of the principles they rely upon is a network effect, and you just plain cannot get a network effect without a decent market share. So marketshare is, very much, a pre-requisite for a successful virus. It's not the only one, but when people say "Mac OS X hasn't been attacked yet because it doesn't have enough marketshare", they're right. That's one fundamental reason. And unless you can show that any other reasons apply, it's likely to be the only reason.

      If you have something like Windows where security is bolted on after the fact, an OS that was never meant to be a multi-user OS connected to the internet (all these were added as features later on and done poorly) then you will have a system that is much harder to keep secure.

      UNIX on the other hand was designed from day one to be a networked multi-user OS, and security and separation of concerns was there from the beginning.

      It's frankly hilarious that Unix, on which the first worms operated, can be held up as some system that had security built-in from the start. It's also untrue that Windows, that is, the operating system known as Windows today, was "never meant to be a multi-user OS connected to the internet". Unless you're talking about Windows Me and its predecessors (98, 95, 3.1, et al), then that's completely false. Current versions of Windows (XP, Vista, 2003, et al) are derived from Windows NT, which was designed, from the beginning, to be "a multi-user OS connected to the internet".

      In fact, Windows NT and its successors have a more advanced security model than Unix, allowing more than a separation of users and groups.

      The issue with Windows is twofold. First, marketshare. And second, an over complex user-environment where too much functionality is available on the "user" side of the security wall. Both of these issues affected Unix up until the mid nineties, where its disproportionate share of Internet nodes and the amount of stuff running as the default user (which in Unix was root, which also happened to be the account with the most rights.)

      There's little reason to believe that Mac OS X is protected from viruses by anything other than its low market share at this point. There's not a large enough group of users for network effects to take over. It is not an inherently secure operating system. The default user is generally set up with administration privileges, and it just takes a buffer overflow or other ordinary vulnerability in a client application like a web browser plug-in for a virus or worm to have complete access to the user's files, and enough access to be able to modify many of the applications the user is likely to run.

      Fundamentally, Mac OS X has the same problem as Windows, and the same problem the "run-everything-as-root" Unixes did in the eighties and early nineties: too much functionality available to the default user. To fix this, you need to change the model somewhat. The very least Apple could do is set Mac OS X up so that the installer actively discourages setting up the default user as an administrator.

      --
      You are not alone. This is not normal. None of this is normal.
    5. Re:a way to make money by chaim79 · · Score: 2, Interesting

      Mid 90's? So Win 95? How did the security of Unix compare to the security of Windows 95?

      Maybe they stopped laughing at Unix security because they found something else that truly showed how bad security could be. :)

      --
      DEMETRIUS: Villain, what hast thou done?
      AARON: Villain, I have done thy mother.
      Shakespeare invents 'your mom'
    6. Re:a way to make money by LO0G · · Score: 5, Interesting

      Good points all, but I think you forgot one major aspect of the "market share" argument.

      There hasn't been a true "virus" out there in the wild for years (to me, a true virus means self propagating malware - malware that modifies existing binaries and relies on those modified binaries being distributed). Instead there's a TON of malware intended on converting machines into botnet clients.

      The vast majority of malware (maybe as much as 95% or higher) these days is really "crimeware" - software intended to aid in criminal activity (identity theft, click fraud, etc.).

      As a criminal, let's say that it's going to cost me $10,000 to hire some Eastern European hacker to develop malware for my criminal enterprise (number totally made up). I get to choose which platform I have the hacker target - I can target Windows with 90% of the market, I can target OSX with 8% of the market or I can target Linux with 2% of the market (market share numbers also made up, but probably in the right ballpark).

      That means that if I'm interested in profit (and this IS a criminal enterprise, so profit is the primary motive), I want to have my hacker target the platform with the highest ROI. That means that the hacker's going to go after Windows and ignore OSX and Linux.

      As the Mac's market share increases, it is going to be an increasingly more attractive target for hackers, because the ROI is higher.

    7. Re:a way to make money by Anonymous Coward · · Score: 1, Interesting

      Agreed. Even with 5-10% of the market share, cybercrime is worth billions upon billions of dollars annually.

      You can't tell me the reason the Russian Mafia isn't exploiting Macs is because they turn their nose up at anything less than a few billion a year.

      Just think. A whole OS to yourself, full of people with more disposable income than PC owners and an attitude that their Macs are untouchable. The only positivist reason the Macs haven't been hacked is because they're designed to be more secure out of the box. You can't install a program without the password, ports are stealthed as standard. It's not because Mac exploiters won't get out of bed for less than ten billion a year... it's because there aren't any Mac exploits of this nature to be had, even for that amount of money.

    8. Re:a way to make money by nsayer · · Score: 2, Interesting

      Windows NT, which was designed, from the beginning, to be "a multi-user OS connected to the internet".

      [citation needed]

      I will grant you that NT was designed to be connected to a network, but I find it incredulous that the designers had in mind a publicly accessible one, much less the Internet as we know today. Even Billy got it wrong in the first edition of The Road Ahead and had to revise his pontifications.

    9. Re:a way to make money by Penguinisto · · Score: 2, Interesting

      Depends - those "billions" of zombies have to be defended against other bot herders, are likely to have already been strip-mined of any useful identity information (e.g. the data has already been stolen and sold) and are highly liable to simply bog down and/or die, causing the owner(s) to get a clue and fix the thing(s).

      Meanwhile, you still have all those Macs sitting there, with 99.9% (or so) of their owners perfectly oblivious to anyone putting it towards nefarious use.

      Sure, you have to put more work in up-front, but once you get in, you get a much greater and more long-term return, and/or get some very quality information. Why? Well... one: the owner obviously has some ducats in his wallet - he bought a Mac. two: odds are very good that nobody else has pilfered the data. three: there's almost always enough resource horsepower to go around on a Mac, so you can get a lot done on one without alerting anyone --especially the owner/user-- that you're doing it.

      No matter how you slice it, you simply get a better return on busting into OSX machines... but then, crims are usually too lazy to think such things through, no?

      /P

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    10. Re:a way to make money by _Sprocket_ · · Score: 2, Interesting

      As a criminal, let's say that it's going to cost me $10,000 to hire some Eastern European hacker to develop malware for my criminal enterprise (number totally made up). I get to choose which platform I have the hacker target - I can target Windows with 90% of the market, I can target OSX with 8% of the market or I can target Linux with 2% of the market (market share numbers also made up, but probably in the right ballpark).

      That means that if I'm interested in profit (and this IS a criminal enterprise, so profit is the primary motive), I want to have my hacker target the platform with the highest ROI. That means that the hacker's going to go after Windows and ignore OSX and Linux.

      As the Mac's market share increases, it is going to be an increasingly more attractive target for hackers, because the ROI is higher.

      Sure - market share is one factor on ROI. But it's not the only factor. Another big part of ROI is how long you get to keep control of your target. If the target doesn't remain compromised very long, then you've wasted your resources (unless of course you only needed a short window - but that's implying a targeted attack and is beyond the scope of this conversation). The thing is, if you look at malware in the wild, you'll find that there are plenty of examples for Unix malware but they just don't survive long (with one exception - more on that shortly). This makes Unix platforms poor ROI performers for bot herders to target.

      Yet that 8% of the market issue still persists. Is that a significant enough number to warrant interest from malware producers? I don't see why not. An 8% market is still a sizable number of potential hosts - far larger than most botnets. The Witty worm demonstrated that not only will small numbers be targeted, but doing so can be very successful. If the Mac's 8% were fertile territory, it would be very much in a botnet herder's interests to target it.

      We know 8% market share is suitable because botnet herders are going after smaller targets; namely the 2% Linux market. But there's some caveats to this. First - we're dealing with a very different mode of attack. Researchers at Sophos believe that the attack involves a 6yr-old piece of malware - a virus called Linux/Rst-B. But the interesting thing is that if the virus is being used, it's as something of a simplified rootkit. Hosts are either being intentionally infected by this virus to provide a quick root shell or the attackers are moving around tools that are unintentionally infected. In either case, the existence of this malware is due to an already bad situation. Secondly, we're probably not really dealing with 2% - it's more like ~12% of the server market. So we're dealing with a larger market share but hardly the largest (still a strike against marketshare driving attacks).

      So what is making Linux worth the ROI? Smaller numbers. Compromised Linux hosts are providing stable controllers for botnets. As one needs fewer controllers than zombies in a botnet, Linux fits the bill nicely. All one needs is a mismanaged server on a stable link and a controller is gained.

      So what do we get with all this? Marketshare isn't the driver that people make it out to be. Numbers are important. But there are additional factors that add weight to that importance. In the end, it's all about ROI. And that determines whether a platform makes a good target.

  2. Sophos by gammygator · · Score: 5, Interesting

    I've been running Sophos on both my Macs for a year or so... Not so much because I felt I needed them... but because I come from the PC world and felt nekked without an AV program... and my work covers the license costs which made the decision a no brainer.

    Interestingly enough... to date, they have only detected MS based viruses.

    --

    No Nyarlathotep, No Chaos
    Know Nyarlathotep, Know Chaos
    1. Re:Sophos by gEvil+(beta) · · Score: 4, Interesting

      Interestingly enough... to date, they have only detected MS based viruses.

      When I ran a lab of Macs several years ago, we ran AV software on all the machines. It was mostly there to strip out the Word macro viruses that students would bring in from their home computers. I'm not aware of the software catching any viruses that could actually have done anything to the machines themselves.

      --
      This guy's the limit!
    2. Re:Sophos by SaDan · · Score: 3, Interesting

      The only Trojan I've ever seen for Mac was in a Word document macro years ago. The payload was empty if you opened the file on a Windows system, but on a Mac system it would try to wipe the drive.

  3. My campus requires it by tecker · · Score: 2, Interesting

    The college I attend actually requires all Mac users to install Symantec Corporate to be allowed on the network. Their justification is that this will prevent WINDOWS viruses from passing through Macs and then hitting the Windows boxes as the Mac users send them on. We have a good security team and I can understand why they would want to do this.

    As Macs are being used in Enterprise environments they can harbor virus infected files silently before going back into the network. One computer that missed new definitions can be taken down when that file gets passed to it. It's up to you but if you are in Enterprise situations you better comply.

    As for multiple AV systems, that is retarded. They will fight for resources and cause performance to be brought down. Just pick one and run with it. If you want.

    --
    Procrastinating life a way at a rapid rate of speed.
  4. Re:Herd Immunity by maztuhblastah · · Score: 5, Interesting

    The only reason macs have been able to get away with claiming such great security records (statistically) is herd immunity.

    Indeed. Just look at Linux. It had a great security record up until the start of this decade. Then, once it gained a lot of popularity on servers, we started to see millions of infected Linux servers, linked together in botn...

    Oh. Well damn. It seems that despite being the near ideal target for virus-writers (always on, very fast links, powerful hardware), the most popular server platform on earth doesn't have a major virus problem. Huh. Maybe an OS's security record isn't directly linked to its popularity...

  5. It's in the Details by jDeepbeep · · Score: 3, Interesting

    If you follow the Apple store link in TFA, it's interesting to note the description for the first product (Intego VirusBarrier X5) says this:

    Now that you've installed Windows on your Intel-based Mac, you're vulnerable to a whole new range of security threats: Viruses, spyware, adware, and hackers are all waiting to compromise your Windows setup. No matter if you're running Windows in Boot Camp, Parallels Desktop, or VMWare's Fusion, it requires Windows-specific protection. VirusBarrier Dual Protection is the answer. It provides security for both Mac OS X and Windows, ensuring that you'll have total protection for both operating systems.

    --
    Reply to That ||
  6. Re:Herd Immunity by TheRaven64 · · Score: 2, Interesting

    Yup, no Linux viruses in the wild. I take it you missed the articles that periodically appear about Windows worms being spread via compromised Linux servers starting around 2001?

    --
    I am TheRaven on Soylent News
  7. security was bolted on to UNIX too by Anonymous Coward · · Score: 1, Interesting

    In the apt words of Dennis Ritchie, "One of the comforting things about old memories is their tendency to take on a rosy glow."

    According to one of the guys who was there on day zero, UNIX was *not* designed from day one to be a networked multi-user OS and security and separation of concerns were *not* there from the beginning.

    http://cm.bell-labs.com/who/dmr/hist.html/ In the latter half of 1971 (nearly two years after UNIX's "day one"), "with no memory protection ... every test of a new program required care and boldness, because it could easily crash the system". Sounds like somebody describing Windows a decade ago, doesn't it?

    Please stop parroting the fallacy that the reason UNIX is more secure is because it has always been secure. Security, networking ... these were later additions to UNIX too, the real difference is that the additions were better architected.

  8. Windows security model by alexhmit01 · · Score: 4, Interesting

    The issue with Windows is twofold. First, marketshare. And second, an over complex user-environment where too much functionality is available on the "user" side of the security wall. Both of these issues affected Unix up until the mid nineties, where its disproportionate share of Internet nodes and the amount of stuff running as the default user (which in Unix was root, which also happened to be the account with the most rights.)

    No, the Windows problem was that to migrate from DOS + Windows shell to Windows NT, was a slow, painful 10 year process with LOTS of growing pains. Windows 4.x series (Win95, Win98, WinME) were supposed to be a singular OS before the transition to NT, and was created because the uptick to NT 3.51 was low because of the RAM requirements. The original plan was 3.1 for home users, NT 3.1 for "Workstations," and Win32s was released to let people target both OSes.

    As we moved through Win 3.11 w/ Win32s -> Win95 -> Win98 -> WinME, the NT systems grew in popularity. Lack of advanced DirectX support prevented NT 4.0's being the transition, Win2K was close but price kept it out, and WinXP finally merged the OSes. By that point, it'd been 8 years or so since the first 32-bit programs came out. The ones targeted mass market, originally Win32s, and later Win95/NT4 libraries, were generally assuming the consumer version. On the consumer Windows, there WAS NO SECURITY model, so it was common for applications to assume lots of access. This meant that while NT 4.0/Win2K gained market share and had the security model from the NT system, the security wasn't used and users had full access to the drive, because the alternative was broken software.

    To not break applications from 1995 - 1998, in the early 2000s we were still shipping OSes with most of the system being world writable.

    So while Windows possessed a security model that could work, in practice, it was never implemented, because it required locking down the system on each system, so instead of protecting OS directories, we used the "bolt on" security like Group Policies, etc., to prevent users from doing things. I worked with a bunch of Citrix systems in the late 90s, and we were able to lock down those machines, because you were only talking about locking down a single machine or two, and the defaults were more reasonable. There was PLENTY of software that wouldn't run under Winframe 1.x/2.x gold (2.0 never shipped, Microsoft pulled the license, then bought it to ship Terminal Server and Citrix moved the addons into Metaframe), not because it required the NT 4/Win95 libraries (we could always confirm that using 2.0 Gold that was NT 4 based), but because it made assumptions about access that were reasonable for Win 3.11/Win95, but not NT based OSes. Citrix, targeting big budget Enterprises could get away with that, Microsoft reaching the entire market could not.

    I assume that this has been fixed in Vista, but I haven't used it, I switched to Mac OS X in the meantime.

    1. Re:Windows security model by Anonymous Coward · · Score: 2, Interesting

      "I assume that this has been fixed in Vista, but I haven't used it, I switched to Mac OS X in the meantime."

      Isn't it funny how so many people here admit to not having used a Windows operating system since 3 or 4 versions ago, yet they also seem to be "experts" on how Windows security works. That would be akin to a Windows user complaining about how crappy Macs are now because OS 7.5 was so sucky.

  9. Re:Does a Mac AV program really do anything? by kimvette · · Score: 2, Interesting

    It also detects Apache worms. Back in the day SuSE shipped with a vulnerable Apache build and I had to clean a server. ClamAV made it simple to remove the worm, without my having to prune every directory by hand.

    --
    The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
  10. Re:Um huh? Apple has always recommended protection by jeffasselin · · Score: 2, Interesting

    Correct. They've always had a similar article, listing antivirus solutions. This is just an updated version with current products.

    --
    If he explores all forms and substances Straight homeward to their symbol-essences; He shall not die.