Why You Shouldn't Panic Over Mac Malware

Earlier this week, we discussed reports that Mac malware was finally becoming a significant problem. Now, reader wiredmikey points out an editorial arguing that everyone should slow down and analyze the situation more calmly so the threat can be accurately assessed. Quoting: "According to Apple, the Mac installed base is approximately 50 million users. But according to Gartner, the number of Android handsets sold in 2010 alone exceeded 67 million units, giving it an installed base that is larger, and growing much faster, than the Mac base. If a large numbers of eyeballs is indeed the lure that causes criminals to write malware for a given operating system, surely Android is a more tempting target than Mac OS. ... I predict that the increase in perceived risks to Mac customers will give Apple the excuse it needs to increase its control over the Mac software ecosystem, by moving ISVs to the Mac App Store. It is no accident that the theme of the upcoming Lion desktop operating system is 'Back to the Mac': taking concepts that Apple employed successfully with the mobile version of OS X (iOS) and back-porting them to the desktop OS. One of those features is the introduction of the Mac App Store, an Apple-controlled storefront for selling and distributing applications. ... This provides buyers some assurance that their apps are from known points of origin and that they don’t contain malware, such as the Mac Defender Trojan horse.

Safari browser exploits

[Robadob]

Safari browser exploits and other app exploits can still lead to installing malware on a machine.

Re:Safari browser exploits

[brusk]

Easier just to disconnect the power. Pro tip: nearly 100% of malware infections occur in machines that are powered up.

Why You Shouldn't Panic Over Mac Malware

[AliasMarlowe]

...because you don't have a Mac?
That covers most people - many of whom actually should panic over Windows malware. But nobody should be too smug, not even Linux-only or BSD-only users, since every compromised machine (Windows or Mac or whatever) pollutes the internet commons.

Re:Now I am _really_ panicked

It's probably not a popular opinion here, but my experience with the Mac App store is very positive. It works well, no installation hassles, automatic upgrades,... and I have the impression that it drives the price down.

Astroturf.

Nice bit of Astroturf there.

So, we shouldn't worry about malware on the Mac because Oh LOOK here's some speculation about a completely different OS so don't pay attention to this story anymore!!!

And then the inevitable push from Apple to have total control over you system by the eventual restriction of apps to Apple market-approved programs only. Well that's sure a nice idea, too bad some of the Official apps like Safari also contain security weaknesses. So much for the safety of the walled garden approach. But it's not stopping them from trying, apparently.

No, I don't panic over Malware on my Mac. It has nothing to do with Android, or any other OS, or the App Market, or anything else this shit-for-an-article is talking about.

No need to panic, merely be more careful.

[MROD]

The story has the correct title but rather misses the point. Yes, it's not time to panic. There is a set of malicious tojan horse programs out there for MacOS. The current crop require the user to authorise their installation. i.e. the security weakest link (at the moment) being exploited is the one behind the keyboard. Very often this is the places where security is the weakest, just watch WarGames if you doubt this. MacOS is by design, with a greater degree of privilege and OS/Application separation, more resistant to attack than Microsoft Windows has been. However, this is not to say that it is not vulnerable. All systems are, be it design flaws or merely implementation flaws. Yes, I'm looking at you Linux, FreeBSD, OpenBSD, Solaris, HP/UX and AIX. No-one can rest on their laurels.

Re:No need to panic, merely be more careful.

[benjymouse]

Yes I have, and it's an attempt to retro-fit a useful security model to a system not designed to have such security from the beginning.

No, UAC uses the already user and process tokens which were in Windows NT from the get-go to strip any token of certain rights. Compared to OS X and unix whic were borne with 12 bits of security, the Windows model is much more granular. The fact that Windows model is built to secure any OS object - not just filesystem objects - makes it more suitable in this exact scenario. The *nix idea of allowing setuid or setgid "servers" to "drop from root" is thoroughly broken and has been the source of numerous vulnerabilities and exploits. Setuid is necessary because *nix does not have sufficiently granular privileges.

UAC is using capabilities which were already there, thanks to the initial design using tokens and handles.

Re:What a load of crap

[Gaygirlie]

Mac users less computer savvy? Not really I've seen a lot of IT- and multimedia-pros using them.

Yes, and I've seen plenty of IT- and multimedia-pros using Windows PCs, yet majority of Windows users are still not too computer savvy. Similarly, from what I've seen the majority of Mac users are equally non-computer-savvy.

And that's the whole issue. These scams and such aren't targeting the pros, they are targeting the people who don't really understand what they're doing. Macs are also more costly than the average Windows PCs and thus it's likely that a person owning a Mac is wealthy enough to make an excellent target for these things.

Re:What a load of crap

[boristhespider]

Wait, you mean.... the majority of people aren't computer savvy????? STOP THE PRESSES!

I'm not sure why people find this so hard to understand. Most people in this world
a) Don't understand computers
b) Don't really give a shit about understanding computers
c) Simply just don't care

That goes whether they're running Windows or Mac -- and for those who use a Linux their more computer-savvy relatives installed on their computer. And these days I strongly expect more and more Linux users to be computer un-savvy. That's the whole point behind Canonical's ethos is to grow beyond people who enjoy recompiling kernels, after all.

Re:What a load of crap

[Tom]

However, during my linux period i grew accustomed to finding great software doing almost everything i could wish for within a few clicks/google searches.

For OSX its the opposite. For every small task that i want to accomplish, i seem to need to pony up. Every small time programmer tries to make a buck with his little program. Nothing wrong with that, but where are the Free/Libre alternatives?

Not learnt anything during your Linux period? Ok, I'll help out. The answer to your question is: Are you writing them? No? See, that's why they're not there.

Re:Qubes OS

I don't know whether your post is serious or a reference to some meme I am unfamiliar with, but anyway.

Everything is in a VM instance

If this is the (only) reason why it is "secure", and the official website seems to say so, you may want to go with OpenBSD anyway. To quote Theo de Raadt:

You are absolutely deluded, if not stupid, if you think that a
worldwide collection of software engineers who can't write operating
systems or applications without security holes, can then turn around
and suddenly write virtualization layers without security holes.

Rutkowska definitely has an impressive resume, but I don't think that even someone like her can make a system secure just by using virtualization. However, I will make sure to keep an eye on that project, it looks quite interesting even though it won't replace my current setup.

OS X App Store a disappointment so far

[cerberusss]

So far, the OS X AppStore couldn't be called 'wildly popular' since its inception on January this year. Regularly, I checked my installed apps for availability in the App Store, because it allows for such easy updating. Lo and behold, only fairly trivial apps are there, the following list is not available in the App Store:

• Google software (Chrome, Sketchup)
• Mozilla software (Firefox, Thunderbird)
• Adobe software (Flash, Flash Builder CS5, Photoshop etc)
• Microsoft software (Office, Messenger, Silverlight etc.)
• OpenOffice
• Seashore (painting program)
• Parallels
• VLC
• Skype
• Calibre (an eBook converter)
• XBench (a benchmark for OS X)
• Vuze
• KisMAC

Now I agree that stuff like a bittorrent client (Vuze) and a network sniffing tool (KisMAC) would probably be refused in the App Store. But all in all, the OS X App Store could be called a disappointment so far.

Note that the Opera browser (which contains a bittorrent client) is in the App Store.

Re:Now I am _really_ panicked

[stewbacca]

And, yes, they will certainly lock down OSX.

Ahh, the inevitably incorrect Apple prediction. The most valuable tech company in the world that was predicted dead in 1997...the company that killed the floppy drive prematurely...the company that adopted USB too early...the company with the lame mp3 player.

You may still be able to buy a Mac Pro with an unlocked OS, but I'm willing to bet that soon all iMacs and MacBooks will be 100% walled garden.

That is possibly the most stupid prediction I've seen. Why would the company who is getting ready to consolidate OSX Server and OSX Home into ONE edition --OSX Lion-- start making different versions of the OS based on the user's hardware?

Keep predicting slashdotters, because my livelihood benefits from your terrible predictions.

Re:What a load of crap

[stewbacca]

Unpossible. Haven't you read the comments? Only people who are STUPID and have DEEP POCKETS use Macs. Neither of these describes college students.

It's s smaller pond

[itsdapead]

For OSX its the opposite. For every small task that i want to accomplish, i seem to need to pony up. Every small time programmer tries to make a buck with his little program. Nothing wrong with that, but where are the Free/Libre alternatives?

Well, OS X is still a vastly smaller community than Windows, and I suspect that although Linux (desktop) users outnumber OSX users a disproportionate number of Linux users are also programmers. So its not surprising there's less choice. That also means that the money to be made from true "honesty box" shareware is probably smaller, so developers are more likely to require payment. Also, historically, Mac OS "Classic" developer tools and documentation cost an arm and a leg - of course, since OS X they've been free (or very cheap, for iOS), but the early days may have set community expectation. Finally - I don't think OS X is the easiest platform to develop for (however elegant) and OS X users tend to demand nice GUIs on everything.

However - its not all bad: First, OS X is Unix: Install "fink" or "macports" and you'll get access to a huge number of Free/Libre packages from the Linux/Unix world - albeit most of these are command-line or X11. If you don't want to roll your own, lots of major "free" projects offer OSX versions: (off the top of my head and at random: LibreOffice, Eclipse, InkScape, VirtualBox, PostgreSQL, MySQL, Mozilla) not to mention the stuff that is already present in OS X (Apache, PHP, Ruby, Python, Samba, CUPS...) I hope the latter list doesn't diminish too much as projects move to GPLv3.

Re:Now I am _really_ panicked

[XManticore]

This is something Apple took the piss out of a couple years back, why would they start doing it with their own products?

To paraphrase SJ when he was introducing Mac OS 10.whateveritwas: "We have a Basic Edition that retails at $99. Moving up from that, you can purchase the Home Edition, also for $99, or the Business Edition for $99. And if you want the luxury of having all the features that we've built into Mac OS X, you can go all out and purchase the Ultimate Edition –at just $99".

They're not going to feature lock. This would just be daft.