Doubtless there will be snide remarks back and forth about how OS X was supposed to be the most secure OS, and there were no viruses for it.

What I'm worried about most is that the majority of people that run OS X don't have any form of antivirus software, and still think that there are no viruses for mac, so won't be looking to install any. That's what worries me most :S

If the user finally downloads illegal content which might have a trojan embedded, then it's the users fault. Other users shouldn't be punished because of them.

"At least ****ONE**** documented case"


OOoOoooohhhhhh scary.

You are wrong. All major Windows virus and worms get in without the need for the user downloading and executing them.

This is just a case for user stupidity.

People like analogies, so here goes one:
A guy is worried about his house safety. So he buys the best door and a good security system. It works fine. Only he is able to get in and out. One day he meets another guy in a party, they talk and seem to become good friends. He invites his new friend home and lets him in. He got robbed.

Edit: after re reading that "vista is more secure in design", come on. What design?

The funny bit is, though, that a trojan like this would NEVER get through Windows Vista/7. Malware protection is built-in now, so I'd get a nice little dialog on my Windows boxes telling me this file is dangerous, we've blocked it for you. You want us to delete it?
...

@lqsh: In majority of those "windows...." cases it's through cracked software; and not updating their OSes...

The problem is not that they are punished because the pirate software (most of them probably won't notice). The problem is that we that do not pirate are punished. A friend of mine says his mailserver receives 17 times more spam than "real mail". The botnets are to blame.

There's no perfect solution for Trojans.

Quit saying virii. The english plural is viruses. And the latin plural is not -ii.

find this doubtful. Practically all Windows games and most applications requires administrator rights to install (mainly because of arcane copy protection mechanisms), how would the OS distinguish between DRM functionality included in a game (like protections which install services) and a trojan if baked into the installation procedure? These DRM schemes, just like trojans and rootkits vary greatly and are constantly changed so there is no way the OS can be updated to keep track and identify them, not even dedicated virus software can keep up.

It has an impeccable record for those who stick to the policy.

It’s really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don’t do. Hacking into Macs is so much easier. You don’t have to jump through hoops and deal with all the anti-exploit mitigations you’d find in Windows.

It’s more about the operating system than the (target) program. Firefox on Mac is pretty easy too. The underlying OS doesn’t have anti-exploit stuff built into it.

[ SEE: 10 questions for MacBook hacker Dino Dai Zovi ]

With my Safari exploit, I put the code into a process and I know exactly where it’s going to be. There’s no randomization. I know when I jump there, the code is there and I can execute it there. On Windows, the code might show up but I don’t know where it is. Even if I get to the code, it’s not executable. Those are two hurdles that Macs don’t have.

It’s clear that all three browsers (Safari, IE and Firefox) have bugs. Code execution holes everywhere. But that’s only half the equation. The other half is exploiting it. There’s almost no hurdle to jump through on Mac OS X.

"If the user finally downloads illegal content which might have a trojan embedded, then it's the users fault. Other users shouldn't be punished because of them.

" find this doubtful. Practically all Windows games and most applications requires administrator rights to install (mainly because of arcane copy protection mechanisms), how would the OS distinguish between DRM functionality included in a game (like protections which install services) and a trojan if baked into the installation procedure? These DRM schemes, just like trojans and rootkits vary greatly and are constantly changed so there is no way the OS can be updated to keep track and identify them, not even dedicated virus software can keep up.

No offense, but what you said seems like a fanboy remark. If you look at the security model of Leopard vs Vista; Vista is a lot more secure in design. The reason mac didn't have till date is the same as before -- it wasn't a lucrative target for virus-makers till now. Not cuz "apple is ahead of the curve". If that were the case they could have done some justice by including atleast a simple paint-software (iPhoto is *NOT* what I want).
As for being "cheap", even World of Goo at $20 is pirated at 90% --- it's about getting things for free; and those two are *quite* different. IMHO.

However; I don't think antivirus softwares are as needed as customer awareness and education . There was this incident where my friend complained that his (pirated) copy of Symantec was outdated. When I gave him Avira; he COMPLAINED that it showed a lot of virus warnings; so removed it...

How about not borking the system with useless computations? The system should be safe by design. If the user finally downloads illegal content which might have a trojan embedded, then it's the users fault. Other users shouldn't be punished because of them.

He missed a grandparent-friendly case:

"Please click on this link to view an animated ecard program sent by your grandson!" *trojaned*

Except you're wrong in that iWork '09 does NOT require a serial number like iWork '08 did.

What I'm worried about most is that the majority of people that run OS X don't have any form of antivirus software, and still think that there are no viruses for mac, so won't be looking to install any. That's what worries me most :S

About the only thing that Microsoft actually provides is Defender which protects one against spyware/adware/etc.

What I don't understand is why it is the operating systems responsibility to protect people from installing things they downloaded off the internet.

Bleh. Enumerating badness is always a bad idea but OSX only has rudimentary anti-exploit measures compared to Vista and Linux even when you ignore blacklisting applications like Defender. Only in Leopard did Apple introduce Mandatory Access Controls and limited ASLR, which is similar to what Windows offered with XP SP2.

Despite whose fault it is these issues can be mitigated to some extent through proper access controls.

And even when the controls are in place the system is just as vulnerable as Mac OS X with less of those proper access controls. As I said the end user is the weakest link - and the only way to get around this is through automatic updates (which Apple and Microsoft have on by default) - but even then there is a window of opportunity. As I said, it comes down to personal responsibility - a virtue that many people in today's society try to evade.

or open source ones and don't read the source code.

The part where the Debian maintainer accidentally introduces a vulnerability in security-critical network facing software.

Or where the fedora repositories get owned remotely. This stuff can happen to the repository system (not saying that someone can't attack Microsoft's software distribution systems... I'm sure people have tried).

He said houses are often burgled a few weeks after a visit by the locksmith. In particular expect your house to be burgled if you buy a safe from a locksmith.

@sbenitezb: about virus...es, it was something of a fetish
@Kroc: MD5!?! Why would a general user go through something as geeky as checking the MD5 hash?

@werpu: No -- an anti-malware is NOT an anti-virus. Also; wha!? Did you even use vista?!?

I second darknexus, all it takes is a serial-key..

In the same way that all locksmiths are behind burglaries?

The fact that the OpenSSL "fix" in Debian wasn't Malware would be irrelevant to anyone who's system had been compromised and had their identity and other crucial information stolen, wouldn't it? The fortunate thing about the idiotic mistake by the Debian maintainer was that it was fixed very quickly, and that's the only fortunate thing about it.

This was an example of someone who did not know how OpenSSL worked mucking about in the code in an effort to improve it, and releasing that patched package into the community without proper testing.

This means, by the way, that repositories are only as fool-proof as those who run them and maintain them... and there's not one human being in the world today that hasn't made mistakes. I'll certainly grant that repositories are, by design, a much more secure way of handling things than Windows or OS X have by default.

But open your eyes, they aren't fool-proof and do not have a perfect record. You can bury your head in the sand all you want, the real world is still around you whether you choose to look it in the face or not.

But I am completely at their mercy should someone have the means to introduce a root kit into a package with or without the maintainers knowledge.

The official repositories work great, but quite often we do have to use the community repositories simply because a lot of packages just do not get included.

I think the point is in regards to this topic of OSX is not as much as OSX is more vulnerable, because ANY OS has its holes, that is a fact of life.

a "Virus Scanner" would be near useless in detecting this installation anyway.

"a "Virus Scanner" would be near useless in detecting this installation anyway.

"With the sophistication of most malware these days, regardless of the method they use to infect the user's (normally Windows) system, they have become very adaept at avoiding detection after they have been installed.

Some real-world examples of this wouldn't hurt either. There are no non-repository packages installed on my current Arch Linux KDE 4.2 system, for example, and indeed it works great.

"Some real-world examples of this wouldn't hurt either. There are no non-repository packages installed on my current Arch Linux KDE 4.2 system, for example, and indeed it works great.

A few points to make here:
(1) AUR is an open source repository. It is, AFAIK, a community source packages repository, it is not signed binary pre-compiled executables. One needs a client program other than pacman to install AUR packages, I believe yaourt is popular for this purpose. AUR is still, however, an open source repository.

http://wiki.archlinux.org/index.php/Yaourt

(2) Community open source repositories, AFAIK, enjoy the same impeccable record that official distribution repositories do ... it is just that they are often far less well known. I certainly am not aware of any end user's system ever getting malware via installing a program from a community open source repository.

(3) My KDE 4.2 Arch system, which works very well and which is very functional, does not include any packages from AUR. It does, however, use the KDEmod community repositories, which are, in turn, derived from the KDE project itself (all that the KDEmod repository does is compile and package the KDE desktop for Arch). It is not a case of repository maintainers going out and re-writing their own code, after all.

"A few points to make here: (1) AUR is an open source repository. It is, AFAIK, a community source packages repository, it is not signed binary pre-compiled executables. One needs a client program other than pacman to install AUR packages, I believe yaourt is popular for this purpose. AUR is still, however, an open source repository. http://wiki.archlinux.org/index.php/Yaourt

The distribution maintainers necessarily MUST read the code in order to be able to put it into repositories.

[q]or open source ones and don't read the source code.

That's reminds me of my university examinations go (i'm still studying btw) -- there are about 300 affiliated colleges; so the examiners seem to correct solely on basis of how neat the examination paper looks -- to the point that a friend who attempts 1.5 questions in the entire paper gets complete marks for both the questions and passes the examination.
Even in this case; repo's tend to carry proprietary software and I'm not sure if they get into look into the code..

Proprietary software in repos => Malware chances
Package Downloads => Malware chances
Custom Repos => strange issues + "theoretical" chances of malware

"theoretically" macs were malware-proof too..

Repeat after me ... "impeccable record". "No malware in open source repositories".

It gets easier if you practice it a bit.

"There is a point where an individual has to start taking responsibility for the choices they make;..."

You just hit the nail on the head. Sadly in todays society, people are taught from a young age that everything is always someone else fault. That is why there are so many lawsuits and idiotic defenses these days. That carries over into computer usage and everything else people do. People don't have a clue what it means to be held accountable for actions these days, as if they do something wrong and don't die, they can always sue someone for their own stupidity.

iWork doesn't have privileges which allow it to connect to a botnet. This trojan simply piggy-backed on the iWork installer, and it took advantage of the elevated privileges the installer temporarily acquired to insert itself into the startup routines of the computer. The trojan isn't in iWork itself at all, it just on the installer pkg... and if anyone has ever looked at an OS X pkg file, you know this is distressingly easy to accomplish. It's also easy to remove the trojan from the pkg, but you'd have to know to look for it.
I'm not sure how we'd avoid things like this. We can insert all the security we want, but if the user grants the required privileges to something malicious, and ignores all common sense... well, we can't save the idiots from themselves.