Slashdot Mirror
Microsoft: Macs 'Not Safe From Malware, Attacks Will Increase'
An anonymous reader writes "Microsoft researchers have analyzed a new piece of Mac malware that uses a multi-stage attack similar to typical Windows malware infection routines. In a post titled 'An interesting case of Mac OSX malware' the Microsoft Malware Protection Center closed with this statement: 'In conclusion, we can see that Mac OSX is not safe from malware. Statistically speaking, as this operating system gains in consumer usage, attacks on the platform will increase. Exploiting Mac OSX is not much different from other operating systems. Even though Mac OSX has introduced many mitigation technologies to reduce risk, your protection against security vulnerabilities has a direct correlation with updating installed applications.'"
Possibly a biased source, but not exactly a shocking conclusion. The OS X kernel is a massive amount of C and embedded C++ code. On top of that is a huge pile more code. It's not going to be bug free, and at least some of those bugs will be exploitable. It does about the same set of things as other modern operating systems to reduce the damage that a compromised application can do (e.g. making it easy to run apps in sandboxes), but any network-exposed system running arbitrary code is vulnerable, the only question is whether the effort involved in finding and exploiting a vulnerability is greater than the reward.
I am TheRaven on Soylent News
Maybe we need a new motto? You can have it easy to use, affordable or secure. Choose two.
No.
http://en.wikipedia.org/wiki/Irony
Beware of the Leopard.
I’m most concerned that this malware uses a three-year-old flaw in Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, and Open XML File Format Converter for Mac. Here’s the corresponding security bulletin: MS09-027 - Critical.
If anyone has a lot of viruses to examine, it's Microsoft!
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
No matter how 'secure' a system is, as long as end users have the ability to install software, systems will still be at risk. Its just part of the deal.
If your particular systems are attacked or not, depends on your market share.
---- Booth was a patriot ----
While I will agree with lack of surprise from /.ers, most of my colleagues that enjoy their Macs like to tout "invulnerability" to malware. Mac-pride makes them brave/foolish to the point they will not bother with anti-virus. I think they are more the norm than exception for Mac users. Once the Mac OS reaches a high enough number of users, there will be a significant surprise for most users.
The thing is OSX doesn't really fit into ANY of those categories =P
It's about marketshare. IT has only ever been worthwhile for virus writers to target a platform that is popular enough to warrant a return on investment, whether that be fame or clandestine botnet software.
People always used to use half baked arguments trying to claim that OS X was mroe secure because it was "unix" or some crap, despite OS X being very insecure for most of it's run.
Aside from being common sense this is supported with some pretty solid mathematics, not least an article in an IEEE journal showing there is a certain percentage of marketshare that would attract malware. We are now seeing this with OS X and we have seen it previously with Android.
What will be interesting is how Apple react. Will they tighten the grip they have on their users and restrict them even more, or actually get off their buts and increase their security and respond to problems in a mature and timely manner.
If you ignore ACs because they are anonymous - you're an idiot.
...a poorly written Microsoft product leaves a vulnerability open for exploitation, yet it is Microsoft who provides an internal assessment and statement that Macs are "not safe from malware".
anyone who is interested can look up security vulnerabilities by vendor.
Not only was it opportunistic but the vulnerability comes from A MICROSOFT PRODUCT(It was an office for mac issue)!
If I were apple and feeling particulary snarky I would send out an email to my users warning about microsoft software including the microsoft
post and recommend that they not use Office for Mac and switch over to Libreoffice for a more secure computing experience.
I suppose there could be some people stupid enough to say that, but I haven't seen much of it (unless you count obvious troll posts). In fact, a misconfigured linux system is one of the easiest to hack -- but we're discussing malware, not hacking. Since most linux distros are using repositories for all the third-party software (vs non-tech users zooming around the web downloading "10,000 similies!") malware for linux is pretty darned rare -- much more so than windows or os x. Unless, of course, one counts all the android trojans -- I don't because to me android is a completely unique OS that happens to use some linux code.
Caveat Utilitor
I'm gonna go ahead and cite the Ken Thompson hack here:
"It's been more than twenty years since I read Thompson's marvelous paper, but I believe I correctly recall his fundamental point: UNIX, and every system like it, can NEVER be "secure". It doesn't matter how many layers of anti-virus software, "internet worm protection", "firewall" or any other buzzword -- systems like UNIX (including all versions of Linux, Macintosh OSX, and all versions of WinXP) will NEVER be secure. Thompson published his paper and revealed his hack in order to demonstrate this point. "
Closed sourced, open source, free, paid, whatever it is it will never be fully secure and people are foolish to believe anything to the contrary.
Most of this has been known by, well, knowledgeable users by a long time. Most of the malware now comes via third party software or stupid users. It really doesn't matter what platform you use, as hackers will find a way around to get the best bang.
As one of my great compatriots once said: Artificial intelligence will soon best the natural one, but there's no adequate substitute for natural stupidity.
Ezekiel 23:20
In before all the stupid replies that Linux cannot be hacked. :)
I assume you mean cannot get drive-byes. Linux is hacked in broad scene rather often. Linux does not get viruses in the sense that its never happened.
I assume you mean there is likely to be similar security holes in a bleeding edge easy to use distro as windows which may be true.
Linux is extremely hard to compare security on as you can everything from a full on SElinux setup to whatever ASUS use to distribute.
I think rapid updates all security wholes are fixed within a week (worse case) and a low user base make Linux so unattractive for virus spreading that no one needs to worry. When there a successful virus for Linux, then Linux security becomes non-hypothetical and decisions can be made on the security convince trade-off (as of now its just all inconvenience for malware threats).
Fact of the matter is, basically all computing requires more trust than should really be granted. We trust Microsoft to patch their vulnerabilities now that malware manages to find ways in through ever more creative means. We trust Apple to have an OS that was never really vulnerable to start with, and we trust GNU/Linux distributions and other free operating systems to have clean repositories and to be free of backdoors. We rely on non-OS, internet-connected software companies to produce software that isn't vulnerable to bringing problems in from the Internet.
All of these are essentially untrue, or are relying on means of security that can't be verified or well tested until something comes out in the wild. We instead rely on updates after the fact, and on feeble attempts by some to make programs to remove malware.
Even in the privileged/unprivileged user landscape that modern OSes are capable of using, too many users desire more credentials on their local computers than they need in order to perform the very basic tasks that a computer user does on a daily basis. In the early days I too was guilty of this, but learned. Unfortunately when there are combinations of vectors to infect the local user and then local root exploits even a good privileges model won't work.
We should demand more out of our browser developers and more out of our plugin developers. That is the single biggest category of infection route, and I'm sorry, but software that voluntarily brings in and deploys the exploit simply by visiting a markup-language page is completely unacceptable. Fix the bugs before worrying about new features.
Do not look into laser with remaining eye.
It comes down to the more popular your OS is, the more problems you will get with security.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
When Microsoft puts out updates, they just put out the updates.... most of the time in single-fixes which are individually selectable and uninstallable. (Doesn't always work but they try) They do it like this because business depends on compatibility and continued operations of their apps. So if a particular update or patch breaks an important app, it can be rolled removed or at least identified and skipped.
Apple doesn't care about that. Apple will push updates and bundle them with anything they like including feature removal and things users don't want.
So what I foresee happening is that Apple will bundle a critical security fix with something else which the users don't want and they will refuse to update their machines.
Some people here are "fans" of a particular brand or whatever. I'm none of those. I just call them as I see them. But if someone must insist I'm a hater of this or a shill for that, I run Fedora Linux on most of my stuff but I hate Gnome3 so I'm going to CentOS until the people out there get their heads on straight and listen to the users.
Android is a great example how malware just gets there, around the obstacles when the market share is right. It's even on their official store.
No. There is virtually no malware for the iOS, which is in the same ball park as far as market share is concerned. So it's not just market-share. Security, including walled gardens, make a huge difference.
Sour grapes, much? Jeez. The only malware A) is a Java problem and B) uses Office as the transmission medium.
Even now, I notice that Apple still doesn't automatically update software by default, so, the only people who tend to install the update are those who are security-minded anyway.
False. By default OSX automatically checks for updates on a weekly basis.
Additionally, your claims as to what sales staff say is hearsay. And given you're an AC and your one checkable claim was wrong, it's not worth much.
Achievement unlocked:
Falling for the Alanis Morisette troll.
Support the EFF and Creative Commons. The war is coming, and they're supporting you...
If you donâ(TM)t know they are there, who were you replying to?
Interesting that the GP said "easy to use" and you changed that to "easy to install"
But it is easy to use. You can use it all day and never touch a command line ever, just like Windows and OSX.
It's just advantageous to use a command line for things that would drive you batty in any GUI. This is why OSX has bash and Windows has PowerShell.
Oh, right, Microsoft thought so little of the command line they went and wrote a whole new one that even aliases the unix commands like cp, mv, and rm.
Twit.
--
BMO
yes, until mom needs word processor (cloud services like google doc don't count), and the ability to watch movies their kids email her of a newborn. The point is, while you could help your mom install linux or whatever other app she needs initially, she can't go out and download or buy additional software on her own, and then install it on her own.
I enjoy linux as any other, but I don't think it passes the grandma test yet.
It's hard to say if grandma is really in a worse position here with Linux. As we know, usually you have all the programs (browser, word processor, movie player...) already installed, while in Windows you have to install all kinds of stuff separately.
That being said, Linux is indeed having bad problems supporting third party stuff. There is currently no easy and unified ways of installing apps or drivers if they come outside of the distribution. :(
There is virtually no malware for the iOS
"virtually no malware" != "no malware"
In the context of this discussion he was correct. The real world is not binary.
What I mean by long gone is that it last worked on 4.3.3, which was superseded in July 2011. (We're on 5.1 now, and there has been several point releases in between). And it's never worked in any way, on any version, on latest hardware (iPhone 4S or new iPad).
Un-thethered exploits reportedly still exist
The use of the term "Untethered" is unintuitive and not quite what you think it is. "Tethered" means you need to connect to a computer every time the phone is rebooted. Untethered means it will reboot with the jailbreak still operative even if you're not connected to a computer.
Either way, you still need to be connected with a cable to a computer to do the actual jailbreaking. The jailbreaking software runs on the computer.
The reason why you don't see Linux desktops getting targeted is for multiple reasons, 1.-interoperability is shit, the lack of a unified platform that keeps third parties from touching Linux with a 50 foot pole also keeps away malware writers because the best they could score is say...40% of UBUNTU users, but that same attack probably wouldn't work on RHEL without serious tweaking, or on PCLOS, or on Mepis, you get the picture, 2.- Malware writers want powerful machines because the more powerful the machine the more they can remain hidden while cranking out the spam or spreading the bug. Not to slam Linux users but you DO have a shitload of "How to save that PC from the dump" articles which would give an outsider the impression they are more likely to find a P4 than an i7, and 3.-Malware writers are criminals and criminals are notorious for being lazy. they don't want to have to constantly rewrite their bug because something got fiddled with between Ubuntu maniac monkey and nutty narwhal and their shit got broke. With both Windows and Apple having quite clearly labeled life cycles this makes it easy to know how long a bug could be good for.
If you want to see how badly Linux would get pwned if it was on the radar simply look at android. it has tons of ordinary users, is using the Linux kernel, and has been royally assraped by the malware guys. in the end you simply cannot defeat reality which is thus: ALL Operating Systems are EXTREMELY complex, with literally millions of lines of code all having to interact perfectly and this isn't even counting the third party stuff. hell I doubt even Linus can tell you with 100% certainty when you launch say network manager every single call it will make and what every interaction is, its simply too complex. More than 90% of the planet are NOT geeks, hell they don't even come up to the level of a power user of any system, they know just enough to get it to function and that is it, and finally the malware guys figured out long ago its the USER that is the juiciest target, after all it is they that have the keys to the kingdom so by using social engineering they have become quite adept at getting past the defenses by having their "man/woman on the inside" aka the user, help them achieve their goals.
So it doesn't matter what OS you use, you practice safe computing you'll be fine, practice stupid computing you'll be pwned. For those that think the repos are safe might want to look at how long the repos were handing out an infected Quake 3, try a year and a half. If a malware writer truly wants to target Linux there are ways, target some of the software that isn't as heavily monitored or like I said simply target the users and you're in like flynn.
Now you watch as I get modded down for pointing out reality, to be followed by those that treat Linux as a religion (Some call them Freetards, I call them FOSSies because they remind me of Moonies) scream that it just isn't possible, that linux's magical goodness could never be tainted by malware crap...hmmm...where did I hear that before? Oh yeah those that bowed at the altar of Jobs, aka "The Cult of Mac". Wouldn't it be smarter to simply use the best tool for the job and be on your guard? But those that treat tech like ballclubs won't quit rooting for the home team, even when they strike out.
ACs don't waste your time replying, your posts are never seen by me.
Apple now requires all new MacOS X applications to create a proper sandboxing profile,
Apple now requires all new Mac App Store applications to create a proper sandboxing profile. Non-App Store apps need not do so.
I'm sorry friend but you are mistaken, unless you call sliding a single slider in UAC as some complex action. Win 7 can autosandbox the browser (your choice of IE or any Chromium based) and run it in low rights mode which is actually SAFER than surfing in Linux where running a single program in a much lower set of permissions is far from simple, and then simply add one of several free AVs that also sandbox (My two favorites are Avast and Comodo Internet Security, both work well) and frankly the user need not know anything. The OS will autoupdate, autosandbox, scan ALL pages before load, hell my 71 year old dad is as clueless about tech as they come and his PC has been on the net 24/7/365 running Win 7 since Oct 09 and hasn't has a single problem or bug, the worst problem he has had is he didn't know how to update his browser (it kept telling him there was an update but he kept pushing the X instead of the update button) and that was it.
If you want to know the REAL reason why you see much more infected Windows? let me tell you a true story about the only person i ever threw out of my shop. He comes in, buys a PC from me, and wants me to install limewire. I tell him "I'm sorry but Limewire doesn't exist anymore, they got shutdown by the feds and anything calling itself Limewire now is just a virus pretending to be the real deal. There are several alternative such as Emule and BT if you wish me to install one of those" so what does he do? He promptly goes home with his new PC, Googles "New limewire" and when the AV naturally wouldn't let him install it first he tried to disable and then he removed the AV altogether! Why did he do that? Because the program told him to! When I finally threw him out of my shop (demanding I fix it for free after he broke it by refusing to listen to my instructions or call) he was yelling "It says right there that it IS Limewire so you make it work dammit!
So if you want to know why there are plenty of infected Windows machines its because of the dancing bunnies problem. It doesn't matter how simple or secure you make the OS if the user has install rights because all you have to do is wave the right cookie, be it porn, piracy, hell I've seen users infect their PCs for a CHANCE of winning some iShiny, then all can be bypassed. MSFT thinks they are gonna fix this by going the Apple way with an appstore but it won't work, as porn and piracy won't be offered in the appstore and that will be enough of a cookie to lure victims. Whether you choose to admit it or not to run Linux you HAVE TO have more than moderate PC skills or have a full time admin (such as yourself) willing to work for free simply because you have to know how to deal with updates breaking drivers and other Linux "quirks" one simply doesn't run into on OSX or Windows. Hell simply the fact you have to install it, know what partitions are and what sizes to make them, Google for drivers that aren't included and understand how to find out the exact make/model of said hardware to properly install Linux already puts you above a good 80% of the population. if you wish to argue that let me take away install rights for all my customers who would only be allowed to let me remote in and install approved software? Windows would never get bugs either.
But that argument simply doesn't hold water when the vast majority are on their own, without so much as a geek in the family to guide them. In fact I would argue that them getting Linux installed correctly and having it fully functional for even a year would probably be impossible, since they simply wouldn't have the skills required. Linux is only friendly IF everything works OOTB AND it works after every upgrade, two situations which at least in my experience are about as likely as Santa dropping me off a dozen porn stars for Xmas.
ACs don't waste your time replying, your posts are never seen by me.