Linked by Thom Holwerda on Fri 20th May 2011 20:37 UTC
Apple I have personally tried to pretty much let the whole MAC Defender trojan thing pass by, since we're not a security website. However, we have an interesting turn of events this week. An article over at Ars Technica quotes several anonymous Apple Store employees as saying that the infection rate of Macs brought into the Apple store has gone up considerably. More interestingly though, Apple's official policy states that Apple Store employees are not allowed to talk about infections to anyone - they're not even allowed to inform Mac owners if they find the infection without the customer's knowledge. Another interesting tidbit: Apple mandates the use of Norton Antivirus on company Macs, according to one Apple Store genius.
???
by macUser on Fri 20th May 2011 20:46 UTC
macUser
Member since:
2006-12-15

That policy makes zero sense and I'm glad it's been outed. If anything it's a great opportunity for Apple to educate its user base on trojans and promote their shiny, new app store.

Reply Score: 11

RE: ???
by _txf_ on Fri 20th May 2011 20:51 UTC in reply to "???"
_txf_ Member since:
2008-03-17

If anything it's a great opportunity for Apple to educate its user base on trojans and promote their shiny, new app store.


It would appear that apple needs some education of its own.

Reply Score: 7

RE: ???
by Kroc on Fri 20th May 2011 21:04 UTC in reply to "???"
Kroc Member since:
2005-11-10

It makes perfect sense to a company fastidious about its public image.

Reply Score: 5

RE[2]: ???
by ecpeachy on Fri 20th May 2011 21:13 UTC in reply to "RE: ???"
ecpeachy Member since:
2010-06-07

yea but that very policy is bad for their public image, besides, uneducated users are the root of this kind of malware spread in the first place.

Reply Score: 1

RE[3]: ???
by Kroc on Fri 20th May 2011 21:25 UTC in reply to "RE[2]: ???"
Kroc Member since:
2005-11-10

Right, so they should advise _everybody_ to run Norton just because some people download and install a shady app? We’re not talking about viruses here, we’re talking about user responsibility. No software can protect against users making poor judgements, and even when it tries they can often ignore it. I’ve seen people switch the AV off because it was preventing them from downloading something.

Apple’s policy here might be akin to sticking its head in the sand, but it’s still saner than stating that all Mac users should buy Norton.

Reply Score: 1

RE[4]: ???
by Thom_Holwerda on Fri 20th May 2011 21:29 UTC in reply to "RE[3]: ???"
Thom_Holwerda Member since:
2005-06-29

Who's talking about advising Norton?

Apple should be responsible. They should've released an official MAC Defender-removal tool within days of its arrival. They should've updated applications like Safari, the unzipper, Mail.app, and so on right away to recognise and block the trojan.

Reply Score: 8

RE[5]: ???
by Kroc on Fri 20th May 2011 21:34 UTC in reply to "RE[4]: ???"
Kroc Member since:
2005-11-10

We know Apple’s security process is slow on the uptake—that’s the real issue—but we can’t jump to the conclusion that Apple won’t ever do those things.

Reply Score: 1

RE[6]: ???
by Laurence on Sat 21st May 2011 11:39 UTC in reply to "RE[5]: ???"
Laurence Member since:
2007-03-26

We know Apple’s security process is slow on the uptake—that’s the real issue—but we can’t jump to the conclusion that Apple won’t ever do those things.

How's that a defence?

The simple fact here is not that they're "slow on the uptake" but that they're proactively doing nothing.

Yes the problem here is stupid users, but it's a perfect opportunity to educate them

Reply Score: 7

There is this other little problem with MAC users
by BrunoH on Mon 23rd May 2011 09:03 UTC in reply to "RE[6]: ???"
BrunoH Member since:
2011-05-23

A lot of the MAC newbies surely bought their MAC after seeing TV-ADs like this one:

http://www.youtube.com/watch?v=CHFy6egYcUg

This kind of advertising might give the impression that you are safe as a MAC user. So clicking on anything on Internet surely is no problem eh..?

Reply Score: 1

RE[4]: ???
by ecpeachy on Fri 20th May 2011 21:47 UTC in reply to "RE[3]: ???"
ecpeachy Member since:
2010-06-07

Apple's official policy states that Apple Store employees are not allowed to talk about infections to anyone - they're not even allowed to inform Mac owners if they find the infection without the customer's knowledge


sorry I wasn't talking about the Norton part, although it's good to mandate an AV solution on corporate computers.

Reply Score: 2

RE[4]: ???
by JairJy on Sat 21st May 2011 02:56 UTC in reply to "RE[3]: ???"
JairJy Member since:
2011-05-21

This is social responsibility:
http://www.microsoft.com/security/pc-security/antivirus-rogue.aspx

Microsoft cares about user security more than any other company. Microsoft Security Center offers info about different kinds of malware and social engineering scams. Also, Microsoft gives an Antivirus for free.

Reply Score: 2

RE[5]: ???
by BluenoseJake on Sat 21st May 2011 07:21 UTC in reply to "RE[4]: ???"
BluenoseJake Member since:
2005-08-11

They do care about security more than any other company, but they were dragged there with a gun to their heads, it wasn't always (or mostly) like this.

Reply Score: 4

RE[5]: ???
by Gone fishing on Sat 21st May 2011 11:31 UTC in reply to "RE[4]: ???"
Gone fishing Member since:
2006-02-22

Microsoft cares about user security more than any other company.


Not more than any other company, maybe more than Apple. MS provides an AV because due to the legacy of its terrible security in the recent past, there are many orders of magnitude more Windows viruses, than viruses for any other OS.

Reply Score: 3

RE[6]: ???
by WereCatf on Sat 21st May 2011 11:54 UTC in reply to "RE[5]: ???"
WereCatf Member since:
2006-02-15

"Microsoft cares about user security more than any other company.


Not more than any other company, maybe more than Apple. MS provides an AV because due to the legacy of its terrible security in the recent past, there are many orders of magnitude more Windows viruses, than viruses for any other OS.
"

To give Microsoft at least some credit Microsoft Security Essentials (MSE) is an exceedingly good AV; it's a whole lot less resource-hungry than the others and is very good at doing its job without getting on the nerves of its users. Not to mention it's free.

So while Windows still has a security-hole here or there and Microsoft can't really stop people from being stupid and installing malicious things at least they are trying to.

Reply Score: 4

RE[7]: ???
by Gone fishing on Sat 21st May 2011 15:23 UTC in reply to "RE[6]: ???"
Gone fishing Member since:
2006-02-22

Security Essentials (MSE) is an exceedingly good AV; it's a whole lot less resource-hungry than the others


MSE is certainly OK, on Virus Bulletin it's been tested 4 times and missed an in-the-wild virus once http://www.virusbtn.com/vb100/archive/vendor?id=70 I use ESET NOD (tested 67 times, failed 3.) So I think time will tell if MSE is good.

As for resource efficient where would you get a reasonable impartial review of AVs? The popular press would have us using McAfee (failed 4 of the last 5 tests) or Norton. - Well Mac Defender or Norton that would be a tough call

Reply Score: 2

RE[6]: ???
by Thom_Holwerda on Sat 21st May 2011 12:12 UTC in reply to "RE[5]: ???"
Thom_Holwerda Member since:
2005-06-29

MS provides an AV because due to the legacy of its terrible security in the recent past


Define "recent".

There hasn't been an outbreak (i.e., like in the XP days) of anything since the release of Vista.

Reply Score: 1

RE[7]: ???
by Gone fishing on Sat 21st May 2011 13:51 UTC in reply to "RE[6]: ???"
Gone fishing Member since:
2006-02-22

Vista comes out in 2006 - much improved in security appalling in most other respects, XP service pack 3 in 2008.

Mid last decade, probably the worst years for out of control virus problems, most viruses in the wild date from 2007.

So let's say recent past is about then.

Reply Score: 2

RE[7]: ???
by smashIt on Sat 21st May 2011 20:00 UTC in reply to "RE[6]: ???"
smashIt Member since:
2005-07-06

There hasn't been an outbreak (i.e., like in the XP days) of anything since the release of Vista.


and even then the 2 major outbreaks came from people not updating their systems

how long was iloveyou patched before the actual virus came around? 3 months?

Reply Score: 2

RE[5]: ??? - ahahahaa.. hehe.. sorry, what?
by jabbotts on Sat 21st May 2011 14:15 UTC in reply to "RE[4]: ???"
jabbotts Member since:
2007-09-06


Microsoft cares about user security more than any other company.


oh damn that's funny. Were you making a joke or did you actually type that with a straight face?

If Microsoft cared more than any other company we would have a modular Windows install. Everything including a web browser and basic image rendering libraries wouldn't be deeply embedded into the kernel. Privileged separation would be implemented in a strong manner instead of the wet Kleenex separation between regular users and administrators. We'd never have had regular programs needing administrator rights to run. They would deliver anything but "good enough" quality product. We wouldn't have the immense "antivirus ecosystem" that's remained so well supported by every Windows version so far. In all likelihood, Microsoft would be producing Windows under an open source license to take advantage of the expert peer review available; it seems to work for Cryptology and they tell me that relates closely to security.

I mean; keep some perspective. Microsoft cares more about user security than Apple. Sure. But "more than any other company"?

Reply Score: 1

Thom_Holwerda Member since:
2005-06-29

Everything including a web browser and basic image rendering libraries wouldn't be deeply embedded into the kernel.


Lolwut? Where do you people come up with this stuff?

Privileged separation would be implemented in a strong manner instead of the wet Kleenex separation between regular users and administrators.


You realise that when it comes to access control, Windows NT is miles ahead of vanilla UNIX and Linux, right? You need SELinux to come even somewhat close to the kind of fine-grained control NT allows, and then SELinux is a complicated mess.

Reply Score: 5

apoclypse Member since:
2007-02-17

" Everything including a web browser and basic image rendering libraries wouldn't be deeply embedded into the kernel.


Lolwut? Where do you people come up with this stuff?

Privileged separation would be implemented in a strong manner instead of the wet Kleenex separation between regular users and administrators.


You realise that when it comes to access control, Windows NT is miles ahead of vanilla UNIX and Linux, right? You need SELinux to come even somewhat close to the kind of fine-grained control NT allows, and then SELinux is a complicated mess.
"

Yep. But it's so stupidly complex that people just stick with the tried and true regular and superuser. The issue with Windows is the culture. This is MS's fault for not designing their 9x system with security in mind. They basically trained users for more than two decades to run as administrator on their machine, and by extension developers were trained to write their software needing admin rights for no apparent reason.

Apple's OS is not inherently more secure than something like Windows 7 or even XP for that matter, but the culture is the main differentiator. Apple has trained their users and developers to at least heed an application that needs super user rights. Nothing installs on your system without your knowledge, nothing touches system wide files without you knowing, downloaded applications don't run without telling you that they are from the web.

As of late I have had to deal with the stupid Windows Defender trojan on Windows 7 machines at the company I work for, it basically borks your whole system to try to get you to buy the application. By comparison the Mac Defender trojan is relatively harmless as it can't really do anything without your consent, a simple delete will get rid of it. A simple delete can't get rid of Windows Defender, it's a multi-step process that may not get your machine to the way it was before the trojan did its damage.

I do think Apple should stop reinforcing naive users' belief that nothing dangerous can happen to their machine "because it's a Mac". I also think that they should take at least some minimal precautionary steps to mitigate this issue now before it gets worse. The first one being not having Safari open downloaded files by default. I always turn that off as I don't like not knowing what's on my system without my consent. I think the Downloads folder bounce in the Dock is enough to let users know that there is something there and let them make the choice of opening the file or not.

Reply Score: 3

jabbotts Member since:
2007-09-06

Well, the primary point was questioning the claim that Microsoft takes the security of its end users more seriously than any other company. (it was stated definitively too, as in "no other company never ever")

Can you honestly say that with a straight face Thom? Are you suggesting that Microsoft does in fact put more effort into delivering a secure OS than any other "company"? Default windows puts default OpenBSD to shame maybe?


But, to respond to your question; "where do you people get this stuff" and recognizing that this is not a security website and you're not a security expert as you've mentioned in the past.

http://www.esecurityplanet.com/trends/article.php/3933491/Is-Linux-...

Filtering out obscurity attributes like popularity and non-tech attributes like user skill level..


Windows7 is an improvement over past Windows distributions, however;


"From day one, the development of the Unix operating system (upon which Linux is based) was premised on the idea that the user should have minimal interaction with the operating system kernel," explained Bob Williams, a security consultant at The Binary Guys. "That is to say that the operating system does not regard the user as a god."

The OS regards every interaction of the user with suspicion. Any flavor of Linux is basically operating on the same idea.

"The development of the Microsoft OS from the earliest DOS system to the present Windows 7 is just the opposite," said Williams. "Even a guest account in Windows is tightly connected to kernel at a very fundamental level. If the guest account is given access to a printer function, for example, the account is given escalated privileges to the kernel."


This is worth considering also:


The biggest security problem with Windows, however, still lies in too few eyes watching for threats -- and way too long a lag in fixing the issues. It can literally take months for Microsoft to address a security issue adequately.

"It cannot be said any more that Windows is a closed source system. It seems as if the folks that investigate and exploit Windows know more about how the code works than Microsoft does," said Williams.


And, the mechanisms to update Windows and Windows based software are still a mess. I have one central mechanism to update my Debian install and third party repositories are easily plugged into that same mechanism. It does not just check for updates from Debian. With Windows, I'm still visiting Microsoft Update, then Lenovo Updates, then any other hardware manufacturers' driver updates, then Flash update utility, then Adobe Reader update utility, and so on.. and so on..

On the Linux based OS side;

- peer review is the norm due to the open source nature of development

- as mentioned above, security by design inherited from its roots as a networked multi-user OS

It's not all roses and sunshine for Linux based distributions as the article does point towards weak configurations as something to watch for.

Now, outside of the article; if a graphic library has a vulnerability it's going to still be running at the user's privileged level on a Linux based system. I've also not seen a graphics library provide a remote code execution vuln. On Windows systems, I believe jpg rendering has delivered remote code execution as has the library that renders animated mouse pointers because these both get to run in kernel space rather than being separated from the kernel.

Right now, we can also point to DLL relative vulnerabilities in Windows including Win7. Microsoft can't fix it without breaking backward compatibility. The official stance is that third party program developers must go back over all their code and re-write it to use full path DLL calls; to fix something that is a flaw in the OS itself.

http://www.informationweek.com/news/security/vulnerabilities/228000...

If you prefer Security Now:
http://www.grc.com/sn/sn-263.htm

in short:


So get this. What has been discovered, and a security firm called Acros, it's a Slovenian firm, they disclosed last Thursday that what they call "binary planting," other people call "application DLL load hijacking," they disclosed that this was a flaw in iTunes which Apple had fixed, but that another 40 applications that they had discovered were doing the same thing.


and


Steve: Yes. How friendly. Now, Microsoft has responded. There's a knowledge base article 2264107. So that's support.microsoft.com/kb/2264107. This is one of a number, I mean, Microsoft's scurrying around now. What's interesting is that they have told people they're not going to fix this. They've said something about maybe in a future service pack, but that they're not going to fix this. Now, the problem is they kind of can't because fixing it would mean changing the order in which DLLs are found, which everything is dependent upon.


But if you want the details, here's the first block of text, you can read on from there:


Steve: So, yeah. Once again we're with Microsoft and Windows, not surprisingly. A big new problem that's got the security community buzzing because it's not directly Microsoft's problem, although it relates to the way Windows works. Apple knew about this four months ago, in March. And one of the fixes they made to iTunes fixed it. The problem is that as many as more than 200 Windows apps are implicated in this problem.

So here's the story. In the past there's been various ways of malware exploiting the order in which Windows searches the hard drive for pieces of applications that are loading. For example, certainly, probably all Windows users have seen these DLL files, Dynamic Link Libraries. The idea is that many applications have an executable portion, the so-called EXE, the E-X-E; and then also may have more code that's not in that EXE, but are in DLLs. And when the application runs, Windows looks to see what other DLLs are necessary. Some applications load the DLLs that they need dynamically, thus the word "dynamic link loading." They load them, like, explicitly. If they know they're going to need it, then they'll say, hey, I need the following DLL.

Well, Windows has a sequence that it goes through for searching for the DLL that an application has asked for, when the application uses something called LoadLibrary, which is the function in Windows that applications use, asking Windows to please load this library for them into their application space. Windows looks at the directory from which the application was loaded first. If it's not there, then it looks in the system directory. If not there, it looks in the 16-bit system directory. If not there, in the Windows directory. If not there, in what's called the Current Working Directory, which is sort of like the current path that you're logged into, for example, if you're using a DOS box. And then if still not found, it looks through the path environment variable, which typically has tons of different directories that are enumerated.

So what malware guys have exploited in the past is the idea that, if there was some way for them to get a malicious DLL named the same as a good DLL, and somehow get it in one of those places upstream in that sequence that Windows uses for searching, then they could get their DLL to load first.

Reply Score: 2
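
The search order described in the transcript quoted in the comment above, as an added example (not part of the original thread or any participant's code): a small Python model that resolves a bare DLL name through the six locations in that order and flags names that would be satisfied from the current working directory or PATH rather than from an installer-controlled directory. The directory names, DLL names and the choice of which locations count as "trusted" are assumptions, and the file layout is constructed.

```python
import os
import tempfile

# Search slots in the order the quoted transcript gives for LoadLibrary.
SEARCH_ORDER = ("app_dir", "system_dir", "system16_dir",
                "windows_dir", "cwd", "path")
# Assumption: these slots are writable only by an installer or administrator.
TRUSTED_SLOTS = {"app_dir", "system_dir", "system16_dir", "windows_dir"}


def resolve(dll_name, locations):
    """Return (slot, full_path) of the first directory holding dll_name."""
    for slot in SEARCH_ORDER:
        for directory in locations.get(slot, []):
            candidate = os.path.join(directory, dll_name)
            if os.path.isfile(candidate):
                return slot, candidate
    return None, None


def audit(requested, locations):
    """Classify each requested library name.

    full-path      : caller named an absolute path, so no search happens
    trusted:<slot> : found in an installer-controlled directory
    untrusted:<slot>: found only in the working directory or on PATH
    unresolved     : found nowhere, so the first copy to appear in any
                     searched directory (including cwd) would be loaded
    """
    report = {}
    for name in requested:
        if os.path.isabs(name):
            report[name] = "full-path" if os.path.isfile(name) else "unresolved"
            continue
        slot, _ = resolve(name, locations)
        if slot is None:
            report[name] = "unresolved"
        elif slot in TRUSTED_SLOTS:
            report[name] = "trusted:" + slot
        else:
            report[name] = "untrusted:" + slot
    return report


def risky(report):
    """Names an administrator should review: not trusted and not full-path."""
    return sorted(n for n, v in report.items()
                  if not (v.startswith("trusted:") or v == "full-path"))


def build_sample_layout(root):
    """Create a constructed directory tree and return the search locations."""
    names = ("app", "system32", "system", "windows", "docs", "tools")
    d = {n: os.path.join(root, n) for n in names}
    for path in d.values():
        os.makedirs(path, exist_ok=True)
    files = [("system32", "core.dll"),   # normal system library
             ("app", "helper.dll"),      # shipped with the application
             ("docs", "helper.dll"),     # same name next to a document
             ("docs", "plugin.dll"),     # exists only in the working dir
             ("tools", "codec.dll")]     # exists only on PATH
    for folder, fname in files:
        with open(os.path.join(d[folder], fname), "wb") as fh:
            fh.write(b"constructed placeholder, not a real library")
    return {"app_dir": [d["app"]], "system_dir": [d["system32"]],
            "system16_dir": [d["system"]], "windows_dir": [d["windows"]],
            "cwd": [d["docs"]], "path": [d["tools"]]}


if __name__ == "__main__":
    root = tempfile.mkdtemp()
    locations = build_sample_layout(root)
    wanted = ["core.dll", "helper.dll", "plugin.dll", "codec.dll",
              "absent.dll", os.path.join(root, "system32", "core.dll")]
    result = audit(wanted, locations)
    for name, verdict in result.items():
        print(f"{verdict:22} {name}")
    print("review:", risky(result))
```

The `full-path` verdict corresponds to the fix mentioned in the comment, where the program names the library by full path so no directory search takes place.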

Vanders Member since:
2005-07-06

You need SELinux to come even somewhat close to the kind of fine-grained control NT allows, and then SELinux is a complicated mess.


Sadly, this. In all my years as a Linux Sysadmin, I've only ever been able to figure out one command for SELinux: setenforce permissive. Bah.

Reply Score: 4

Nth_Man Member since:
2010-05-16

Supposing that you really need ACL (I've never needed them), you can see:
http://www.tuxradar.com/answers/644

Reply Score: 2

RE[4]: ???
by Kivada on Sat 21st May 2011 07:24 UTC in reply to "RE[3]: ???"
Kivada Member since:
2010-07-07

Norton? You're kidding right? Just use the OS X port of ClamAV http://www.clamxav.com/ OSS to the rescue again...

Nah, you get what's coming to you if you blindly follow every advertisement and install random sketch files because the flashy thing says to.

Take it the same way as the "Nigerian", everyone has received some variant of this, it's been floating around for DECADES, and yet every few months we hear yet another story of some moron that tossed their life's savings into the abyss.

Reply Score: 2

RE[4]: ???
by wocowboy on Sat 21st May 2011 11:35 UTC in reply to "RE[3]: ???"
wocowboy Member since:
2006-06-01

Exactly. I've been around Windows machines for ages and have seen dozens of scams like this where a real-looking window pops up that says you have a virus and would you like us to scan/clean for you? HELL NO! I realize not all users are educated enough to realize this UNSOLICITED offer is not legitimate, but the whole process does require you to enter your administrator password, and then later enter your credit card number, which one would think would look awfully suspicious, but I guess it doesn't to the "average" user. To me this is even stretching the definition of a virus, which to me is something that takes over your computer completely without your knowledge or authorization having simply gone to an evil web page or opened a legit-looking jpeg file from someone you know in an email from them.

I do think Apple should inform customers if something is found on their computer and cleaned up, such as this problem is, it is a very easily remedied problem, only taking 5 minutes to get rid of. Then the customer would be educated next time they see something like this pop up on their machine.

Reply Score: 1

RE[5]: ??? - computer based social engineering
by jabbotts on Sat 21st May 2011 14:36 UTC in reply to "RE[4]: ???"
jabbotts Member since:
2007-09-06


To me this is even stretching the definition of a virus,


In old lingo, it would be classified as a Trojan; a program which appears desirable while hiding an undesirable function.

In the newer lingo, it would be classified as "computer based social engineering"; exploits a social situation or emotion with something delivered by computer versus delivered by more direct human interaction.

- fake AV (exploits fear of malware while actually delivering a malware payload)
- adware (exploits desire for a program while secretly stealing information)
- email spam (often exploits greed or fear to elicit a response)

All computer based social engineering. Human based social engineering would be the more traditional:

- phone calls
- impersonation

Reply Score: 4

RE[4]: ???
by imaginant on Sat 21st May 2011 18:43 UTC in reply to "RE[3]: ???"
imaginant Member since:
2010-02-26

I wonder if you are missing the point. If there is a real security threat, Mac Users should be informed, especially since it is their heedlessness (those that are affected, not all Mac users) which contributes to the problem. There is NO need to recommend that users use Norton. There IS a need to reinforce the notion that no unsolicited software should ever be allowed to install by typing in your password. By not admitting the problem, Apple ignores a great opportunity to use this as a teaching point in the One-on-one program, which many of the unsophisticated users purchase. The same goes for Genius appointments. Both of these programs provide exceptional value for Mac users. Why undermine them?

Reply Score: 1

RE[4]: ???
by mrstep on Sat 21st May 2011 21:22 UTC in reply to "RE[3]: ???"
mrstep Member since:
2009-07-18

They should educate users to either buy through the App Store or to NOT just type in their password and hit 'OK' when they're web surfing and happen to get a sudden prompt. But God no, don't push Norton or crap like that - not to mention, exploits routinely get past those until they have them in their profile, which means... yeah, you better just not blindly type in your password when the prompt shows up.

But then, somehow that escapes large numbers of computer users.

Maybe Lion will have a 'lock-down' by default to red-flag any software not signed / delivered through a secure channel. That's not to say it shouldn't allow it (I know I'm personally not interested in having a full-fledged machine that I can't even do my own development anymore!), just that many non-tech users would be safer if it had more warnings about the software being unsafe - or even making users go to Preferences to specifically authenticate and click on 'Allow Unsafe Programs'. Maybe people would think a second time?

Reply Score: 1

RE[2]: ???
by kaiwai on Sat 21st May 2011 03:11 UTC in reply to "RE: ???"
kaiwai Member since:
2005-07-06

It makes perfect sense to a company fastidious about its public image.


It has nothing to do with image and everything to do with having a single company-wide policy and training for people who are the public face of Apple. I worked at an ISP and we were told the operating systems, browsers and mail applications that we supported - we were told in no uncertain terms that we aren't to provide support for anything else even if we knew how to.

I wouldn't be surprised if this was the same situation at Apple where they don't want some 'know it all' employee claiming to be able to fix something, the computer gets sent off home with the customer thinking that it has been fixed only to find that the Apple employee hadn't completely fixed it. 6 months later Apple being sued by said Joe or Jane Sixpack for several million (as what always happens in the US - the law suit capital of the world) because some trojan was sitting in the background collecting credit card information.

I find it funny the number of people here who have never worked for customer service sector getting up bloviating crap about stuff they have no idea about. 99% of problems I've found in the variety of industries I've worked in all comes down to the end user doing something wrong. I worked in the supermarket and we'd get people complain that the ice cream they left in the car on a hot day melted, people who purchase a pizza and take 40 minutes to drive home only to find that their pizza is cold, or they buy a pirated copy of Windows XP as they travel through Indonesia then they ring up the ISP complaining that their computer is unreliable. I've seen it all before so I suggest some of the arm chair experts here get off their backside and work on a 'hell desk' for several years or some other customer service role.

Reply Score: 5

RE[3]: ???
by darknexus on Sat 21st May 2011 03:28 UTC in reply to "RE[2]: ???"
darknexus Member since:
2008-07-15

I wouldn't be surprised if this was the same situation at Apple where they don't want some 'know it all' employee claiming to be able to fix something, the computer gets sent off home with the customer thinking that it has been fixed only to find that the Apple employee hadn't completely fixed it. 6 months later Apple being sued by said Joe or Jane Sixpack for several million (as what always happens in the US - the law suit capital of the world) because some trojan was sitting in the background collecting credit card information.


And yet, the way it is now, that trojan will *still* be sitting in the background collecting credit card information. There's a difference between providing product support for something you aren't supposed to, and blatantly leaving an issue unsolved *without* even notifying the customer that there's a possible problem there. You claim to have worked in customer service and, maybe things are different in NZ than they are here in the US (in fact I'm sure they are) but, let me tell you, if someone were to take their product to me and something like this results, I'd get sued anyway. I've worked in cs too (though I don't anymore) and there's only one real way to prevent getting sued in this situation, and that is to put the decision in the hands of the customer. You tell them clearly what the issue is, in easy-to-understand terms, and you let them decide if they want you to fix it or not. Either extreme (ignoring it or fixing it without asking) is a fast track to the court room, and I'm not just talking about technical support and service. Apple are not obligated to provide support for Mac Defender and its offspring, but they *are* obligated to provide support for OS X especially if you've paid for Apple Care. There is, after this trojan has its way, an issue with your OS X installation. They should at least have the decency to grow up and admit the problem. Then again, this is Apple we're talking about.
This is not going to prevent them from getting sued, especially now that it's out there. What this will do is drop the confidence level of Apple's tech support ever so slightly. Give it a few months, and we'll be seeing customers calling Apple and demanding an answer as to why their machine is still acting up after Apple's "geniuses" got through with it.
And as for the rest, tone down the vitriol a little. It doesn't help you make your points.

Reply Score: 7

RE: ???
by toast88 on Sat 21st May 2011 06:31 UTC in reply to "???"
toast88 Member since:
2009-09-23

That policy makes zero sense and I'm glad it's been outed. If anything it's a great opportunity for Apple to educate its user base on trojans and promote their shiny, new app store.


Please don't get me started on the Mac app store. They're having similar sorts of issues with security there, since they're keeping important updates to apps in the store back [1].

Adrian

[1] http://www.h-online.com/security/news/item/Mac-App-Store-delays-cri...

Reply Score: 1

Patch the User
by Moredhas on Fri 20th May 2011 21:39 UTC
Moredhas
Member since:
2008-04-10

This just goes to prove that the biggest security risk is still the user. Same goes for your house, give a disreputable character the house keys, don't be surprised when your TV is gone. On the one hand, Apple are right that they don't HAVE to do anything, but it really harms their image and their security track record. I don't expect them to fix it on every computer, but some user education wouldn't go astray. They're so fond of forcing things on people, so why can't they force a slideshow on people the next time they turn on their mac?

A side anecdote about users. Apple are right not to remove this for them because of user objections. I've mentioned a thousand times here I work in a phone shop, and worked in an internet cafe / repair place, so this makes for a modest pile of user anecdotes. At the internet cafe, I found more than enough computers brought to us with exactly this kind of scareware installed on them. I removed it, and the idiot users, even after I explained what it was, wanted it back. I was more than happy to oblige after their rather friendly advice. Flash forward a couple of years, and a customer came into the phone shop with one of those "you've just won a MILLION POUNDS in the MEXICAN LOTTERY!" messages, asking HOW TO CLAIM IT! As if the helpful URL in the message weren't enough. A co-worker deleted the message for them, and they threatened to sue. They in fact DID go to their lawyer, we found out, when the lawyer called us up just to laugh about the customer. Seems there are some lawyers out there who won't take just any case.

So, my point is, the users are dullards, and likely to get angry that someone has arbitrarily removed their paid software, whatever the intent.

Reply Score: 8

RE: Patch the User
by Phloptical on Fri 20th May 2011 22:35 UTC in reply to "Patch the User"
Phloptical Member since:
2006-10-10

Their security track record is based on a market share that, up until recently, hasn't made their OS worth targeting.

Reply Score: 3

jabbotts Member since:
2007-09-06

Security really can't be compared to market share.

Security relates to how well a thing resists attack not how many attack attempts it receives. A thing that resists five out of ten attacks (50%) is more secure than a thing that resists two out of six attacks (33%) even though six attacks is less "market share" than ten attacks.

In terms of market share (popularity), a thing that becomes more popular still had all those un-found vulnerabilities before gaining popularity.

OSX may be getting more attempts against it now due to popularity but exploitable vulnerabilities discovered still existed before now. It was still just as insecure against attempts before as it is now.

Small market share is actually obscurity not security.

Obscurity; I hide behind a corner and you can't see me until you walk around the corner. I'm obscured only until you know where to look.

Security; I hide behind a corner but you can't walk around it and see me because you'd have to get through the locked gate between us.

The first provides no real resistance to finding me where the second does provide some form of resistance to your attempts at walking around the corner.

Reply Score: 2

Phloptical Member since:
2006-10-10


Small market share is actually obscurity not security.

Obscurity; I hide behind a corner and you can't see me until you walk around the corner. I'm obscured only until you know where to look.

Security; I hide behind a corner but you can't walk around it and see me because you'd have to get through the locked gate between us.

The first provides no real resistance to finding me where the second does provide some form of resistance to your attempts at walking around the corner.


I really wasn't equating their security with obscurity, although that's what all the CLI-kiddies tout as their number one reason why command line is better. My argument is that everyone knew you were around that corner, but it's only been recently that anyone cared about the gate you're sitting behind.

Reply Score: 2

jabbotts Member since:
2007-09-06


but it's only been recently that anyone cared about the gate you're sitting behind


Well yes, but that gate is not magically more effective now that people take interest in seeing me. The wall and gate is not suddenly more or less secure than it was before. It may attract more attempts now with its recent popularity but any successful attempts would have been just as successful before.

Reply Score: 2

RE: Patch the User
by darknexus on Fri 20th May 2011 22:51 UTC in reply to "Patch the User"
darknexus Member since:
2008-07-15

Apple are right not to remove this for them because of user objections.


Quite right, you should never remove something without asking no matter what it is. But to not even be allowed to mention that they found it and actually ask that question is inexcusable. If you tell the user what it is and they throw a fit, then by all means let them lie in their own soiled bed. However, on the flip side, if you *do* find something like this and do not tell a user and they find out later, you could be in for just as much of a trouble spot as if you removed something without their consent. You see, when someone doesn't fix something even though they're being paid to do so... that means they aren't doing their job, at least in my mind. Essentially what Apple has done is protected the geniuses (most of whom are anything but, by the way) from reprisal by people who might actually have a clue. Then again, I suppose the people who actually understand this stuff don't take their machines into the geniuses in the first place, and probably didn't even fall for this trojan to begin with.

Reply Score: 4

Comment by Brynet
by brynet on Fri 20th May 2011 22:33 UTC
brynet
Member since:
2010-03-02

It's a Unix system, if you willingly elevated the permissions of a 3rd party executable, well then you're an idiot.

I'm all for blaming the vendor for attracting stupid uninformed users though, there was an opportunity to teach them how not to blindly trust.. wait a minute, wasn't there an article about that the other day? something about the mind of a Mac user is similar to that of a religulous loser?

Edited 2011-05-20 22:38 UTC

Reply Score: 3

RE: Comment by Brynet
by bouhko on Sat 21st May 2011 01:23 UTC in reply to "Comment by Brynet"
bouhko Member since:
2010-06-24

Sure, because you can fix your pipe system, you know exactly how your car works, you can pilot the airplane you are taking and you don't need to go to the doctor because you have a medical degree.

Reply Score: 1

RE[2]: Comment by Brynet
by TechGeek on Sat 21st May 2011 01:46 UTC in reply to "RE: Comment by Brynet"
TechGeek Member since:
2006-01-14

And yet for most of those (assuming code enforcement for plumbers and inspection permissions for mechanics) you need a piece of paper that says you know what you're doing. Being a stupid user is bad enough, but insisting that your user base stays stupid to sell more product is pretty much crap. People and their false idols indeed...

Reply Score: 3

RE[2]: Comment by Brynet
by brynet on Sat 21st May 2011 02:01 UTC in reply to "RE: Comment by Brynet"
brynet Member since:
2010-03-02

Sorry, but your analogy doesn't fit.. but if you're comfortable hiding behind them, you don't need to be a locksmith to lock your doors, but you need to be smart enough to use the keys.

Reply Score: 2

RE[3]: Comment by Brynet
by basic on Sun 22nd May 2011 03:57 UTC in reply to "RE[2]: Comment by Brynet"
basic Member since:
2010-08-25

And not give the key away

Reply Score: 1

RE: Comment by Brynet
by Nth_Man on Sat 21st May 2011 07:06 UTC in reply to "Comment by Brynet"
Nth_Man Member since:
2010-05-16

> there was an opportunity to teach them how not to
> blindly trust
So do you want them to trust you, especially when you tell them not to trust the others.

Reply Score: 2

RE[2]: Comment by Brynet
by brynet on Sat 21st May 2011 18:33 UTC in reply to "RE: Comment by Brynet"
brynet Member since:
2010-03-02

No, not even me.

Reply Score: 2

RE: Comment by Brynet - marketing
by jabbotts on Sat 21st May 2011 15:10 UTC in reply to "Comment by Brynet"
jabbotts Member since:
2007-09-06

If you provide even a Unix based system and all your marketing relies on "we're invulnerable to everything bad", I can't really hold average users fully responsible.

One's user manual says the microwave oven makes food hot, they believe it and treat it as such. One's user manual says the computer can't be affected by malware, they believe it and treat it as such.

Reply Score: 2

brynet Member since:
2010-03-02

The problem is that they're treating a computer like an appliance.

Reply Score: 3

Malware on a Mac?
by ballmerlikesgoogle on Fri 20th May 2011 22:37 UTC
ballmerlikesgoogle
Member since:
2009-10-23

Well....I can't imagine that it would be any more than a "hiccup" in Apple's opinion.....

Reply Score: 2

This free for all can't continue
by mkone on Fri 20th May 2011 22:45 UTC
mkone
Member since:
2006-03-14

And yet when Apple tries to get users to use its Mac App store, it's all "Apple teh(sic) evil".

Let's face it, many users would be better off being unable to install software from arbitrary locations on their computers. The internet is the wild west, and it's not safe for uninformed users.

Curated app store may at least allow a single company to provide a reasonably safe conduit through which users can install and maintain apps on their computers. Maybe even third party app store (which should be possible on the Mac).

Reply Score: 2

WorknMan Member since:
2005-11-13

Let's face it, many users would be better off being unable to install software from arbitrary locations on their computers. The internet is the wild west, and it's not safe for uninformed users.


I would agree with this, as long as there is an option for users to 'take off the training wheels'. And I'm not talking about a jailbreak method that voids the warranty, but rather a 'safety switch' built into the OS that can only be turned off manually, and make the process hard enough to do so that nobody would ever do it accidentally.

For example, 'hold down these 3 keys on the splash screen logo, and then type in this passcode when prompted'. Then, you present a huge warning message to the user, so that they understand the dangers when flipping the switch.

That way, everybody is happy. Those who want absolute control can have it, while everybody else remains blissfully ignorant in the walled garden.

Reply Score: 2

toast88 Member since:
2009-09-23

Let's face it, many users would be better off being unable to install software from arbitrary locations on their computers. The internet is the wild west, and it's not safe for uninformed users.


Not as long as Apple delays important security updates for the apps offered in the app store [1].

Apple's problem is not their software or technology but their generic attitude towards software security.

Adrian

[1] http://www.h-online.com/security/news/item/Mac-App-Store-delays-cri...

Reply Score: 2

bassbeast Member since:
2007-11-11

Except as we have seen Apple IS evil, as they have thrown out apps that would compete with apple apps or would allow freedoms like the GPL even if they are free. Would you like to have a computer that only MSFT approved software is allowed to install and run? How about a server where nothing runs without Oracle's blessings? Does not sound too appealing to me.

Oh and for the one that said "If you give out your unix password you deserve what you get" you DO realize that is currently the way the vast majority of Windows machines are infected, right? Social engineering getting the user to approve an elevation to UAC, no different than getting an Ubuntu user to run Sudo or this bug here for Macs. I guess you can't complain about Windows security if it is all the user's fault huh?

In the end it isn't about the bug, it is about the p#ss poor way Apple is dealing with it. Instead of basically giving the finger to those that shelled out the "Apple tax" for their illusions that Macs were somehow better or immune to malware they should have done like MSFT and released something like Malicious Software Removal Tool to get rid of it. Instead they are just leaving their users hanging in the breeze. Considering how much more you have to pay for Apple PLUS how much you have to pay for Applecare if I was a Mac user that got burned I'd be looking at a Windows 7 machine right now. After all, if you are gonna pay all that money and get NO help at all, why not buy a more powerful Windows machine for less?

Reply Score: 1

Advice from a Windows user ...
by WorknMan on Fri 20th May 2011 22:47 UTC
WorknMan
Member since:
2005-11-13

Well, I can tell you first hand that being a Windows user is a lot like living in south central Los Angeles... you have to learn how to survive in 'da hood ;) It looks like Mac users are going to have to learn the same lessons we did, so let me give you 5 quick pointers that will take you a long way down the road of safe computing:

- The most important lesson of all is to PAY ATTENTION to what you install on your computer. You should take as much care when installing an app as you would letting a stranger in your home while you are out of town. This is especially true for any app that requests admin permissions.

- Grab a firewall if you don't have one, either one that runs on your computer or a router that has one built-in. This will protect against most/all drive-by malware looking for vulnerabilities from open ports. I think a combination of both of these is best; a firewall on the router to keep out the bad stuff, and one running on your machine to let you know when a new app is requesting to connect to the Internet. (And firewall programs that have a 'host intrusion protection system' (HIPS) have many other abilities as well.)

- If OSX has the equivalent of a hosts file, grab something like this:
http://winhelp2002.mvps.org/hosts.htm

- Use a browser that has a flashblock extension, and only 'whitelist' trusted sites that you visit often, with a lot of Flash content (such as Youtube), and only allow Flash on a per-site basis otherwise. Take extreme care when visiting porn sites as well. I would also seriously recommend using an adblock extension.

- Be careful who you let use your computer. Even if you take all the security precautions in the world, all it takes is one dumbass and about 5 minutes to wreak havoc on your machine.

Reply Score: 5

Is it surprising?
by jbauer on Fri 20th May 2011 23:16 UTC
jbauer
Member since:
2005-07-06

Telling your users that you can buy a Mac and completely forget about malware helps Apple sell Macs. I doubt Apple is going to acknowledge anything that implies otherwise unless they really don't have any other choice.

Reply Score: 6

Deliciously ironic...
by ourcomputerbloke on Sat 21st May 2011 02:12 UTC
ourcomputerbloke
Member since:
2011-05-12

Am I reading this correctly? It shouldn't be up to Apple to be protecting people from malicious apps on iDevices (App Store vetting) but it should be up to Apple to be protecting people from malicious software on the Mac?

Hmmmm

So in short, damned if you do, damned if you don't.

Reply Score: 2

RE: Deliciously ironic...
by Neolander on Sat 21st May 2011 10:15 UTC in reply to "Deliciously ironic..."
Neolander Member since:
2010-03-08

For the nth time, App store vetting does not remove malware, only thing malware has to do is to hide a bit better.

The only true way to stop malware is to introduce a security infrastructure that's worth something. Everything else is deceptive.

Edited 2011-05-21 10:16 UTC

Reply Score: 1

RE[2]: Deliciously ironic...
by WereCatf on Sat 21st May 2011 10:21 UTC in reply to "RE: Deliciously ironic..."
WereCatf Member since:
2006-02-15

For the nth time, App store vetting does not remove malware, only thing malware has to do is to hide a bit better.

The only true way to stop malware is to introduce a security infrastructure that's worth something. Everything else is deceptive.


True enough, but even lessening the amount of malware is better than nothing, you have to admit that. And app store or similar is good for that; there simply aren't as many malware-/virus-infected applications there that get through.

So, as a temporary solution it would still be worthwhile.

Reply Score: 2

RE[3]: Deliciously ironic...
by Neolander on Sat 21st May 2011 10:34 UTC in reply to "RE[2]: Deliciously ironic..."
Neolander Member since:
2010-03-08

Sure, if you see it as a temporary solution, it's worthwhile.

I'm just against people who advocate (or at least seem to advocate) it as some kind of silver bullet that will magically solve computer security problems.

It's like antiviruses : if your OS' users need a third-party program or company to tell them that some piece of software is dangerous, you're doing it wrong ;)

Reply Score: 2

RE[4]: Deliciously ironic...
by fran on Sat 21st May 2011 14:04 UTC in reply to "RE[3]: Deliciously ironic..."
fran Member since:
2010-08-06

This is the very irony of OS insecurity. You have these battle hardened OS's but with you the user the keys to the castle. Microsoft and Apple argue we can only sell you the castle, we can't help you choose your friends also.

Reply Score: 2

Comment by Icaria
by Icaria on Sat 21st May 2011 05:57 UTC
Icaria
Member since:
2010-06-19

Apple Store geniuses


Please stop, this is worse than all the MS pejoratives combined.

Reply Score: 3

Apple is not responsible
by ViewRoyal on Sat 21st May 2011 17:42 UTC
ViewRoyal
Member since:
2011-05-21

Mac Defender is NOT a virus (and there never has been even a single Mac OS X virus!). It's a "scareware" scam, in which a naive user blindly uses their own password to purposely install a bad application.

Is Apple responsible if you fall for a scam?

What if a naive user fell for another scam, like giving all their money to a "Nigerian prince"? Would Apple also be responsible because the request came through email on Mac OS X?

The answer of course is "No".

But Windows users (thanks to abysmal reporting by bloggers on the Web) seem to think that Mac Defender is a "virus", and so are comparing the security of Mac OS X to the "Swiss Cheese" non-security of Windows OS.

Let's repeat the fact again, for those Windows users who mistakenly believe that Mac OS X has viruses just like Windows:

During the 10 years that Mac OS X has been in existence, there has NEVER been a virus for the Mac.

Or to put it into numbers:

Windows OS = hundreds of thousands of viruses
Mac OS X = zero (0) viruses

;-)

Reply Score: 0

RE: Apple is not responsible
by Thom_Holwerda on Sat 21st May 2011 18:00 UTC in reply to "Apple is not responsible"
Thom_Holwerda Member since:
2005-06-29

Is Apple responsible if you fall for a scam?


Let's put it this way: if you knew all sorts of details about certain criminals, and you did not give this information to the police, then you're still breaking the law.

Reply Score: 1

RE: Apple is not responsible
by WereCatf on Sat 21st May 2011 18:35 UTC in reply to "Apple is not responsible"
WereCatf Member since:
2006-02-15

Is Apple responsible if you fall for a scam?


You're missing the whole point: Apple specifically tells AppleCare NOT to tell customers if their Macs are infected by it. That's not just negligence, that's downright malicious.

No one is saying Apple should be held responsible if people fall for scams. But people ARE saying Apple is responsible if they tell their employees not to inform people of such even if the employees know about it.

Reply Score: 3

RE: Apple is not responsible
by danbuter on Sat 21st May 2011 20:56 UTC in reply to "Apple is not responsible"
danbuter Member since:
2011-03-17

Mac Defender is NOT a virus (and there never has been even a single Mac OS X virus!). It's a "scareware" scam, in which a naive user blindly uses their own password to purposely install a bad application.


Many Windows viruses are the same thing. Do they not count, either?

Reply Score: 2

RE: Apple is not responsible
by StephenBeDoper on Mon 23rd May 2011 01:56 UTC in reply to "Apple is not responsible"
StephenBeDoper Member since:
2005-07-06

Mac Defender is NOT a virus (and there never has been even a single Mac OS X virus!). It's a "scareware" scam, in which a naive user blindly uses their own password to purposely install a bad application.

Is Apple responsible if you fall for a scam?


HasBean, is that you?

Reply Score: 2

Questionable policy, but understandable
by theosib on Sun 22nd May 2011 17:52 UTC
theosib
Member since:
2006-03-02

To look at this from Apple's perspective, we must consider the various costs associated with any direct assistance given to users regarding this new trojan. Every infection is going to result in a support call or a visit to the Apple store. Each support incident costs money, and since support is in high demand for other things, customers who have other more pressing problems (e.g. faulty hardware or whatever) will have to compete with those who did something stupid.

It would be one thing if AppleCare techs and Geniuses spent a lot of time sitting on their hands. But they're not. They're BUSY, helping people with a variety of other problems and questions. Some of that goes to selling more Macs, and some goes to helping people who have already bought Macs and are not going to buy another one for 3 years.

In fact, malware removal is something that can be automated, for the most part. If you want a _clean_ example of this, consider Microsoft Security Essentials. It's the least intrusive anti-malware tool ever for Windows, and it does the job nicely. Now, Windows is a big target, so even power users need AV software.

Apple does not want their support staff helping users poke around under the hood, manually removing malware. If they have to do anything, they'd much rather assist customers with the use of an automated tool.

Is Apple abandoning users who have this infection? This is a trojan, remember. Infected users took conscious action that resulted in this malware being installed. This is not Apple's fault. Only if this were a worm would we be able to blame Apple. We also don't blame Apple for physical damage resulting from computers being dropped. We don't fault Apple if someone drags the System folder to the trash. And, more apropos, we don't blame Apple for bugs in 3rd party apps. This trojan is definitely a 3rd party app.

This is why the non-technical users should stick to boxed software from an Apple Store and downloads from the App Store. Apple makes it damn easy to keep your computer clean, and they really push hard the App Store and their boxed software. So anyone stupid enough to install this trojan probably did so directly contrary to advice they were given by someone at an Apple Store when they bought the machine!

Reply Score: 2

WereCatf Member since:
2006-02-15

To look at this from Apple's perspective, we must consider the various costs associated with any direct assistance given to users regarding this new trojan.


The reasons are obvious: Apple wants people to think there are NO such things for Macs, and they don't want to waste their time on those who have.

It still doesn't make it any more right, you know, no matter how you spin it.

Reply Score: 3

Comment by motang
by motang on Mon 23rd May 2011 02:19 UTC
motang
Member since:
2008-03-27

Seems as though they are trying to dodge the issue.

Reply Score: 1

RE: Comment by motang
by Paradroid on Mon 23rd May 2011 15:20 UTC in reply to "Comment by motang"
Paradroid Member since:
2010-01-05

Seems as though they are trying to dodge the issue.


That's because they're intelligent enough to know what to get involved in, and what they shouldn't get involved in because it will backfire spectacularly.

No-one can really expect a computer warranty to cover removing this sort of crap.

Reply Score: 1

RE[2]: Comment by motang
by StephenBeDoper on Tue 24th May 2011 00:37 UTC in reply to "RE: Comment by motang"
StephenBeDoper Member since:
2005-07-06

"Seems as though they are trying to dodge the issue.


That's because they're intelligent enough to know what to get involved in, and what they shouldn't get involved in because it will backfire spectacularly.

No-one can really expect a computer warranty to cover removing this sort of crap.
"

Who has suggested otherwise?

The actual issue here is that Apple has told their staff to not even inform customers of malware on their computers. So customers with infected computers don't even get the *opportunity* to pay for malware removal - a far cry from Apple simply refusing to do the removal for free/under warranty.

Reply Score: 2

What's the uptake for the app store?
by viator on Mon 23rd May 2011 10:41 UTC
viator
Member since:
2005-10-11

INTERNAL APPLE BULLETIN........

MAC APPSTORE UPTAKE NOT FAST ENOUGH!

5 STEP PLAN FOR CORRECTION...

1)Release trojan into wild

2)Pretend it doesn't exist

3)panic ensues

4)Push end users to app store because it's "safer"

5) $$ PROFIT $$

Reply Score: 2

Update
by computrius on Tue 24th May 2011 01:43 UTC
computrius
Member since:
2006-03-26

"Apple also added: 'Remember, we know where your family lives'".

Reply Score: 2

perfect!
by kovacm on Tue 24th May 2011 08:08 UTC
kovacm
Member since:
2010-12-16

This MAC Defender is simply perfect !

...for promoting Mac App Store ;) !!!

"do not buy untested and unproved software, come to App Store for quality software!"

;) just PERFECT ! BULLS EYE! ;) this will bring order to chaos - one click software install. Just like Larry Ellison told 10 years ago !!

http://www.youtube.com/watch?v=8g_tcdR_pQU

Reply Score: 1

Cost/Benefit analysis
by ezylstra on Tue 24th May 2011 14:31 UTC
ezylstra
Member since:
2010-07-16

More data has been lost _because of_ AV on Mac OS X than because of malware. For 10 years, my recommendation has been to not install AV. This strategy has served me and my users very well.

Reply Score: 1

Bonjour
by rakamaka on Tue 24th May 2011 14:41 UTC
rakamaka
Member since:
2005-08-12

Do you MAC guys have this service running in background???

For a professional hacker, a MAC is an easy cake to hack. Search the internet about the hackers' competition.

MS have DEP and ASLR. Does Apple have anything close to this type on MAC?

Pay $1000 for MAC and get false sense of security OR pay $500 for PC+ $50 for good AV. It is your money, your choice.

Edited 2011-05-24 14:41 UTC

Reply Score: 2