It’s sad to see that even after all these years, we still have to write articles like this one. It’s all over the web right now: a new backdoor Mac OS X trojan discovered! Code execution! Indicative of rise in Mac malware! Until, of course, you actually take a look at what’s going on, and see that not only is it not in the wild, it can’t really do anything because it’s a beta.
The malware in question is a port from Windows, and its functionality on the Mac is extremely limited. It can’t, for instance, gain root privileges, so all it can do is work within the confines of the user who installed it. This can certainly be bad, but it’s still a vital detail to mention. It can, for instance, open a fake administrator password dialog. For the rest, the tool is apparently in beta, coded by someone with a very insecure grasp of English.
As is always the case, the story comes from an antivirus company, Sophos, which happens to also sell a Mac version of their software (how entirely unrelated and not at all convenient). Sophos also stirs up the usual drama about how this is indicative of the rising popularity of the Mac and that more malware is sure to follow soon – something we’ve been hearing for years now, but never actually materialises.
Is the Mac a secure platform? Well, if you look at it from a practical standpoint – the standpoint that matters to most users – it is a very secure platform, with no widespread and/or destructive infections. From a theoretical standpoint – well, that’s for experts to decide. The story is the same for Windows Vista and up; these platforms, when kept properly up to date, are, like the Mac, incredibly secure in practice.
All in all, these stories are linkbait – plain and simple. Security companies are a lot like politicians – they spread fear (terrorism, computer viruses) because they’ve got something to sell (laws that further impede your rights so they can maintain their own power, security software). Like politicians, security companies are not tobe trusted, and are probably the worst scum in the software industry.
But I don’t give a damn if a piece of malware can gain root privileges on my desktop when measured against the greater harm that results from it getting and sending my personal information. This old mentality of “oh, well, it can’t gain root so it’s no big deal” needs to stop dead. Which is worse, my system being brought down or otherwise affected… or my personal data being snagged? This isn’t a trick question, especially in today’s environment. I’d argue that gaining user’s data is worse than gaining root privileges when you’re referring to desktop machines. On servers, of course, the situation is completely different and root access is much worse than a single user being compromised. We’re not talking about servers this time around, however.
Yeah, or using my box as a spambot or to set up a P2P hot spot for warez and/or child porn, neither of which require root access, AFAIK. Honestly, I’d rather them just gain root access and wreck my machine, as opposed to doing something that might lead to being sued by the entertainment industry and/or having cops knocking at my front door, wanting to ask me a few questions.
Edited 2011-03-01 03:46 UTC
This old mentality of “oh, well, it can’t gain root so it’s no big deal” needs to stop dead.
But I don’t give a damn if a piece of malware can gain root privileges on my desktop
While I agree with the first quote, I disagree with the second: if malware gains root privileges then that malware does indeed have access to all of your personal information AND it has much better chances of being able to hide its existence from you and your antivirus applications.
Malware with root access == malware with access to absolutely anything you do on your machine, including anything personal.
Basically I’m saying malware is bad, with OR without root access.
“Malware with root access == malware with access to absolutely anything you do on your machine, including anything personal. ”
I am not sure why this is even debated.
Root access is a superset of user level access.
User level access is sufficient to steal user files and to turn a machine into a zombie.
Couldn’t agree more. And this is something that many Linux/Mac die-hard fans fail to see.
Unless you use a specific guest account for Internet access, how inconvenient it might be, there is always the possibility to own an application and via it access your data.
All under a normal user account.
Depends on the use of that desktop, really.
If it’s a personal computer with only one user set up and one person ever using it, then sure, there’s not much of a difference with root access or not. Whatever infects it has access to everything on that user account. Similarly, multiple people using one account can be just as bad–if not worse, because one person could get the infection and everyone suffers, and it only takes one person to start it all. And there’s far more people who have no clue what they’re doing than there are people who know computer security basics.
If it’s a family computer with multiple user accounts set up and decent security, if one user’s account gets infected all of the other users are generally safe, at least from the effects of a spreading infection. Depending on how groups are set up, reading other users’ data can be possible, but Debian for example sets up each user with their own group to prevent this kind of thing. If it gains root though, not only is that a sure-fire way for it to be able to spread and infect other users’ accounts, it has no restrictions on file access whatsoever.
So root access, IMO, *can* be much worse. It just depends on the situation and how the machine is set up.
Well. it can make a real difference if you are taking advantage of the Unix security model. For instance, if you create a different user to own your backups, then a user-level malware can’t nuke them. If you run a rootkit detector on boot, if you have a low privilege user for dangerous activities, and so on, same thing. One caveat, though, the X server has a lousy security, so I would recommend to run diffent users in different virtual consoles. I used to run two X sessions at once, one for graphical admin tools like Synaptic and one for user stuff. You can also do without graphical admin tools and use command-line ones. Now I got tired of it and I just stick to frequent updates, NoScript and common sense, waiting for an object-capability OS.
For instance, if you create a different user to own your backups, then a user-level malware can’t nuke them.
The problem isn’t so much the malware that just deletes files, the problem is the malware that reads them! It’s quite common for people to keep important job-related files on their computers, or they write down their passwords in some text file and so on, and as such those personal files are very lucrative for malware writers to read over.
It’s only script-kiddies who want to destroy files, the real threat are those people who write malware that hides itself from the user and doesn’t do anything that would attract attention.
Good point, but then again, you can have a dedicated user for your important documents, a user who never visits suspicious websites. Cumbersome but effective, except if the malware has root access. I do agree that, in practice, a user-level malware is almost as bad, because people don’t take full advantage of user-based security because it’s such a chore and such a resource hog for graphical environments.
root gives you EVERY users data. If you (as in this case) install a Trojan, there’s nothing that will protect you. though you still have to give it root access yourself.
It’s like the one that was bundled in a pirated version of iWork – if you decide to trust stuff that may have been modified and run it, it has access to your files. Worry more if it has root access though, since that’s the point where you’ve really lost control of the machine.
If you think the linkbait is bad, then check out this:
http://img600.imageshack.us/i/screenshot20110302at125.png/
That is an advertisement by Google (on Macrumors) linking to two known scam websites, bidfun and bidhere, both of which are owned by the same company and both are known to be fraudsters and yet we have Google quite happy to take money from con-artists. At least in the case of linkbait all you need to be is a little savvy about the internet but if something is being advertised on a platform run by Google wouldn’t it be correct that Google wouldn’t allow con-artists and fraudsters to use their services to commit criminal acts? I mean, if I was an average end user I’d assume that Google checked out the company before allowing them to advertise with Google.
Agreed; with so much personal data on ones computer either explicitly in files or saved in cache or even virtual memory that hasn’t been flushed yet (Mac OS X has ‘secure’ virtual memory) will cause more damage than some mischievously socially engineered application.
I personally think the whole thing is way over blown because at the end of the day there is nothing you can do as so far as ‘security’ and ‘linkbait’ unless one were to go to the logical extreme and lock down the whole system with the only avenue of purchase being through some sort of ‘AppStore’. I would sooner give up some security if it means I have more liberty in the process – freedom is never neat and tidy, and quite frankly I don’t think the hysterics of halfwitts getting hacked because of their own stupidity is really helping the situation either.
“there is nothing you can do as so far as ‘security’ and ‘linkbait’ unless one were to go to the logical extreme and lock down the whole system with the only avenue of purchase being through some sort of ‘AppStore’.”
I hope I am misunderstanding you, because the app stores of the “walled garden” variety are not about security so much as they are about control.
Even devices in walled gardens can have vulnerabilities exploitable through the app store or directly. The iphone rootkit (which is generally used intentionally by end users to break apple’s chain of control) is technically proof of a vulnerability in the device.
While it represents a win for end users due to the freedom it gives them, it represents a failure by apple to protect it’s platform. It’s just so contorted that we live in a world where we have to break into our own devices.
“I would sooner give up some security if it means I have more liberty in the process – freedom is never neat and tidy…”
Thankfully we agree, but I don’t think security implies lack of freedom in the first place. However, security just happens to be an excellent excuse for vendors to take freedoms away from the ignorant, and by extension (through market pressure) the rest of us too.
True, but a walled garden makes the likelihood a whole lot lower but event then I think it gives a false sense of security to end users – I think there has already been an example recently with Android where an application was a approved but then remotely removed because it turned out not to be so kosher after all. There is only so many things that the app reviewers can check for and it wouldn’t surprise me if sometime in the future there is an embarrassing situation. Although I love the AppStore on Mac OS X I never use it as my ‘line of defence’ against trojans etc.
Yes, I understand it is about control but a side effect of control is greater security in much the same way that a police state can result in a lower crime rate – is it really worth the price for less freedom? I certainly don’t think so. Is Singapore clean and pretty much crime free? sure but I sure as hell don’t want to be arrested because the morality police catch my boyfriend and I having some undercover fun.
When I mean security I am talking about the fact that when you add more security to a system things either become more laborious to do, require you to work around it or worse ends up curbing your freedom in some way. If you have a fixed purpose device like an iPod Touch, there is security because there are limited things you can actually do with the device – you actually have to really go out of your way to accomplish the end goal of making it less secure. The net result is you’ve got a secure market place that has fixed set of rules but is it worth the price of not being able to tinker, source applications from other locations, being able to maybe loading on another operating system to the device itself etc?
How about not giving average applications access to so much user data (which they really don’t need) as a default setting, but giving the user the option to choose to do so for software which requires it, with an UAC/gksudo-like window ?
Apple already provide sandboxing API’s but unless Apple enables a way where applications refuse to run unless they’re sandboxed I simply don’t see things changing. The solution is there, it has been there for quite some time but are you willing to be told that 99% of your applications will fail to run because they’re not using sandboxing by default?
There is security on one side of the coin and on the other side the practical considerations.
OSX provides the feature, sure, but is it really pushed forward ?
Do the Apple guys put agressive sandboxing in Xcode’s basic application, as a default Xcode setting ? Do they mention sandboxing in their tutorials and doc ? Sure, if it’s just some random feature lying around along with the thousand of others, things are certainly not likely to change… Until the day where security issues will become critical, that is, and that day Apple will have no choice but to *brutally* sandbox everything, the UAC way (and we both know how effective this is, as you mention it in your comment).
Edited 2011-03-02 10:40 UTC
Yes, Microsoft has pushed it as soon as it appeared in Windows and same with Apple when it first appeared in Mac OS X. Developers don’t add it because they’re lazy but I do think there is one way they can get people to do it – by making it a requirement for applications submitted to the AppStore. If they make it a requirement for the AppStore then you might find vendors.
Btw, UAC doesn’t sandbox a thing – UAC is temporary privilege escalation and nothing to do with sandboxing. All UAC tells you is that an application is requesting privilege escalation but but it doesn’t actually sandbox the application in anyway when running as a normal user. Windows has sandboxing and Adobe is finally using it for Acrobat X (but not comprehensively) in much the same way that Google has taken advantage of sandboxing in Windows and Mac OS X.
Edited 2011-03-02 12:55 UTC
Not sure I worded my post properly, because it seems you didn’t understand what I was trying to say. Here’s another try…
With Windows NT, Microsoft have introduced some true multi-user mechanism, and the root/user security model based on that. Normally, Windows applications should now use HKEY_CURRENT_USER and the Users/Document&Settings folders to store their data, and nothing else. Sadly, some developers kept their old coding practices from the Win9x era, since “it worked”.
As a result, Microsoft have forced them to change, by making sure that all applications requiring root access display an annoying UAC popup on startup. Net result : terrible user experience, and users end up ignoring the popups because they are encountered too frequently. But Microsoft didn’t really have a choice.
Apple, to the contrary, do have a way to update their security model more cleanly, because they control Xcode, an IDE which AFAIK nearly everyone developing for Apple OSs use.
So they can modify Xcode’s default settings so that by default, it sets up highly aggressive sandboxing for all applications. This way, developers won’t be able to code the old way (writing config files randomly in the user’s home folder, etc…). Developers trying to use old development practices will see that they fail, try to understand why, and discover that it’s because of sandboxing. At this point, I bet many will think “hey, great idea, didn’t know about that !” and try to learn more. Of course, there will still be others who alter Xcode’s settings so that it works the old way, or keep the old release of Xcode. For those, making sandboxing mandatory on the App Store would indeed be a good option.
Edited 2011-03-02 15:44 UTC
Neolander,
“How about not giving average applications access to so much user data (which they really don’t need) as a default setting, but giving the user the option to choose to do so for software which requires it, with an UAC/gksudo-like window ?”
This is exactly what we *needed* for security, but the walled garden is what mobile users are *getting* instead.
The local application sandbox is not only valid in theory, but we already have several viable implementations. The benefits to end users is exactly the reason they’re losing traction in the mobile sector – they permit the secure execution of arbitrary applications without relegating control to a single vendor.
Most apps we might want to run from the internet don’t need (and should not have access to) other apps or local files. The sandbox model addresses all technical security concerns, yet mobile manufacturers are opting for a walled garden instead in the interests of market control.
Not quite right. They need some access to local files. However, it could be much more limited than it is right now.
Take a word processor or an image editor, as an example. It should have the right to play with its own config files and files explicitly designated by the user through an “open file” dialog or a command line parameter. But anything else ? Not so much.
Edited 2011-03-02 18:41 UTC
“Not quite right. They need some access to local files. However, it could be much more limited than it is right now.”
I didn’t bother mentioning it, but I was thinking apps could immediately access files in their own repository. Like flash or java web start do now.
I think the JWS model is a bit more powerful than flash since JWS apps are explicitly installed and can run offline. On windows (never tried it on linux) JWS apps would install into the start menu and look and feel just like native apps.
It’s disappointing that JWS never took off, but it’d be the perfect mechanism for installing apps on mobile devices.
“Take a word processor or an image editor, as an example. It should have the right to play with its own config files and files explicitly designated by the user through an ‘open file’ dialog or a command line parameter. But anything else ? Not so much.”
Yes, the scope for damage would be very limited.
Ultimately, no matter what you or I come up with as the ideal app security/distribution model, the fact is the corporate decision makers prefer solutions which give them control over end users.
Code execution! Indicative of rise in Mac malware!
Typical sensationalist OSNews article summary. Neither of those things is mentioned in the SophosLabs article at all. It’s basically malware that uses the same type of stupidity that the dumbest of Windows users fall for. The worst part is that such a thing will be likely to work Mac OSX, because Apple has lulled users into a false belief that it is more secure and users will be dumb enough to happily type in their Administrator password.
The ONLY reason why there is no Mac OSX malware is because its market share is too small for anyone to give a crap. IF it ever gets above 10% in the US, Canada and EU, look out. It will be found to be just as susceptible to the same problems Windows has.
Edited 2011-03-01 01:17 UTC
LOL, as suggested by the writer, it never materialize.
All it appears to be is a leaked proof of concept. Mac fanboys can mod down my original post all they like, but the points are still valid. Nobody really cares to write malware for OSX because less than 10% of people actually use it.
If that less than 10% computers have enough value of information or business secret or something, I doubt why not ?? Though I am not saying they really got such valuable things to be targets rather the f***ing crackers would choose targets by value not by mere market share if I was one of them
And that “less that 10%” accounts for how many million users?
Point, meet moot…
That doesn’t render his point invalid at all. If you’re a virus writer and you can target hundreds of millions (maybe billions?) of users with Windows, or tens of millions with Mac, which will you choose?
Of course, you’re going to choose Windows. If you stop and think about why malware writers actually write destructive software it makes perfect sense.
They are typically young and intelligent. However they are also insecure social outcasts, desperately seeking attention and validation.
That’s what drives them. They want their software to make the news with maximum destruction/chaos. They get that with Windows, not Mac.
<quote>That doesn’t render his point invalid at all. If you’re a virus writer and you can target hundreds of millions (maybe billions?) of users with Windows, or tens of millions with Mac, which will you choose?
Of course, you’re going to choose Windows. If you stop and think about why malware writers actually write destructive software it makes perfect sense.</quote>
There is actually a business-case for Mac malware too: Mac users are typically lulled into the belief that there are no viruses or malware for Macs and thus they are much easier to fool in that regards than Windows users. Also, Mac users are likely to have more cash than Windows users simply because Macs themselves are so expensive. And yet again, if you can choose to compete against a million other virus/malware writers or 5 others, it might actually make more sense to aim for the platform with only 5 other competing developers even if the market-share of that platform isn’t as big as the other platforms.
Atleast for someone interested in banking details Mac does indeed seem quite lucrative.
I think what you’re describing is only one kind of malware writer. Nowadays, there’s more.
Writing malware has become a lucrative business for some. Stuxnet is a good example of that : this is not some funny code from a student feeling insecure and looking for worldwide recognition, this is some fine-tuned electronic strike on a limited amount of places in the world, which noticeably required much more information about Iran than what the average Joe knows.
Apart from that, I think AV companies have also been caught spreading malwares around to make their products sell one time or two.
Edited 2011-03-01 16:42 UTC
Quote… They are typically young and intelligent. However they are also insecure social outcasts, desperately seeking attention and validation …end
If your reasoning is correct, (I can’t judge that), then what would give better attention and validation than creating the first successful and truly destructive software (malware, trojan, virus, etc.) for the Mac? First milestones usually get you at least a blue ribbon. if not a gold star.
It’s my guess that the sparsity of destructive software for the Mac is a function of many reasons, including one not often mentioned: these typically young and intelligent programmers keen grasp of windows and an almost lack of interest in OSX. like the Jabberwocky: “He took his vorpal sword in hand: Long time the manxome foe he sought — So rested he by the Tumtum tree, And stood awhile in thought.” And what was he thinking about: Windows, not OSX.
So this is what Caroll’s weird poem was all about ?
Edited 2011-03-01 19:35 UTC
That argument is really getting old now. The mac market share has been steadily growing for years, yet we haven’t seen a surge in mac malware.
And I think people modded you down because you’re just repeating that old questionable argument, not because they’re “Mac fanboys”.
“Nobody really cares to write malware for OSX because less than 10% of people actually use it.”
“That argument is really getting old now. The mac market share has been steadily growing for years, yet we haven’t seen a surge in mac malware.”
Doesn’t matter if it’s old or not, it is still true.
Also, I’m surprised nobody here has mentioned/remembers that in last year’s pwn2own contest apple’s mac was not only the first to fail, but the only one to fail on day 2 in which attackers were allowed to open malicious emails/web addresses on the machine.
http://www.infoworld.com/d/mobilize/gone-in-2-minutes-mac-gets-hack…
Clearly this hacker wasn’t out to exploit apple users in the wild, but he had an original zero day exploit, so he could have.
It’s only a part of the truth so it’s incorrect to present it as the reason why macs aren’t targeted by malware.
That argument is really getting old now. The mac market share has been steadily growing for years, yet we haven’t seen a surge in mac malware.
And I think people modded you down because you’re just repeating that old questionable argument, not because they’re “Mac fanboys”. [/q]
The Mac marketshare has been steadily growing by less than one percent each year. That hardly deserves a surge of interest. The largest figure I have seen for Mac marketshare worldwide is 7%. More often it is quoted as being around 5%. The fanboys always quote the American marketshare where I believe they just reached 11%. No Mac fanboy ever thinks to question it and thinks that it reflects the wider picture too.
The argument that Mac owners are richer and therefore deserve the attentions of malware writers is extremely poor mathematics. Mac owners would have to be on average 19 times richer than the average PC owner to make the effort worthwhile. As affluent as Mac owners tend to be, I doubt the gap is that wide.
That’s still millions of computers. And if they’re that easy to exploit it would make perfect sense to write malware for them.
The reason why hackers target windows is not only because it’s larger market share but also because of bad design decisions up until Vista:
* Automatically executing whatever that’s on an inserted CD or USB-stick.
* OS-integrated web browser
* ActiveX and its various security problems.
* Lots of services running and listening on ports by default.
* Users gets admin accounts by default.
XP still has a majority market share.
And when trying to fix these problems MS made a new misstake: UAC. It’s too easy to grant applications elevated privileges and it shows up too often so users learn to click ok by routine.
So the reason why hackers dont’t focus more on the mac is not only due to it’s market share.
Some people said the same thing about firefox btw when IE had something like 80-90%, but firefox never became a big target for malware as IE was despite its large market share today.
Thank you for showing the typical fanboy lack of mathematical prowess and reading comprehension.
Firstly you seem to have ignored the second part of my comment and I never said OSX was easy to exploit, just that it hasn’t really been tested yet.
Secondly, the flat numbers of computers don’t really matter as we are discussing the fact that a malware writer can write one program and has a huge target, whereas if he aims at Macs he has a much smaller target. He has to learn a new set of programming skills and a new platform architecture for a much smaller chance of success and a much smaller payoff. Like aiming at an elephant instead of a bee. So which is he going to choose?
XP hasn’t autoexecuted CDs in years, it gives you a dialogue box asking what you want to do. Any antivirus worth its salt has blocked autoruns on USB too. I’ve seen this argument now several times because it pops up as one of the top search results for Windows security flaws. Pity that the article linked dates back to 2002.
Macs don’t have ActiveX but they still have Java and Flash, which aren’t exactly saintly. Apple used to maintain updates of these for the user, and weren’t averse to installing their own version even if it was less up-to-date (and therefore less secure) than the user installed version. Any extension to a web browser is almost certain to have security flaws, there is always some tradeoff between ease of use or functionality for the user and security. Again it comes down to the fact that Internet Explorer was on more machines.
Safari (or more accurately Webkit) is integrated into OSX hence the need to reboot whenever it is updated.
This whole Admin by default thing is not a useful argument until you can demonstrate that the average user won’t give his password to any little box that pops on his screen. Trust me, the average user either doesn’t know or care enough about security to stop himself. Do you think that Steve Jobs had security foremost in his mind when he based NextStep on BSD or did he just use it because it was freely available? Do you think he predicted the virus and malware threat early? OSX security is a pleasant side effect, and as we have stated, will hardly be tested so long as there are so few machines to attack. It’s easy with hindsight to blame the default admin account but at the time it was seen as making things easier for users.
Likewise, Microsoft can’t be blamed for the number of pirated copies that serve to host malware, or the user who doesn’t patch his system. Did you know there was a patch for Conficker a month before it became widespread?
The majority of exploits now don’t attack the browser they attack a plugin e.g. Java since even Internet Explorer has got itself up to scratch with security. This is probably the reason malware attacks against Firefox have not proliferated in proportion to its popularity.
Fanboys quote outdated facts, poor statistics and just good old fashioned prejudice.
Woah, you should really do something about that temper. Getting angry at random people on the internet that you disagree with is pointless.
Really, so what kind of fanboy am I? Apple fanboy? I don’t own anything produced by apple.
You made a few comments about fanboys in your last post as well. I don’t think categorizing people as fanboys when they disagree with you will help you prove your point.
Why would I have commented on that part? It was something about whether mac owners are richer than PC owners, I don’t know where you got that from.
And there are trojans and viruses for macs, nothing that widespread though. But the OP said that the only reason why there are “no Mac OSX malware†is due to the market share, and I think that’s incorrect hance my comment on windows security.
Sure, but that doesn’t mean it wont happen. The reason why there are less malware for OSX is not only due to the market share.
Good thing they finally took care of that problem then.
Well, neither java nor flash has been as widely exploited as ActiveX used to be, despite the fact that they are widespread technologies.
I guess it’s because some applications embed safari, it’s not like the tight integration of IE.
If you’re logged in as an admin then the applications you run will also have admin rights. There are reasons why you are discuraged from logging in as root on unix-boxes.
At least apple got a lot of thing right from the beginning, probably due to OSX:s Unix heritage.
Of course not. And Microsoft have been getting better at delivering patches now.
Again, Microsoft have improved.
“Everyone who doesn’t agree with me is a fanboy!â€
Besides, my comment was mainly about XP which is an outdated OS.
“It was something about whether mac owners are richer than PC owners”
I was curious about this, but first let me point out that macs are PCs. The correct comparison would have been between mac PCs and windows PCs. Of course apple makes this mistake all the time.
Anyways, I was trying to find a value for median income between the users. This is the closest I was able to find:
“Mac owners are richer. 36% have household incomes greater than $100,000, compared with 21% of all U.S. consumers.”
(Note that it’s not clear whether the 21% is US consumers in general, or windows owners as implied in context of the survey.)
But wait, it turns out that 85% of mac owners also own windows, so, if mac market share is 5.1%, then 85% of that should really be classifies as dual OS customers.
Mac only = 5.1% * 15% = 0.8%
Mac + Windows = 5.1% * 85% = 4.3%
Windows only = 92.2% – 4.3% = 87.9%
The dual OS owners are surely richer than the mac only or windows only owners. It raises the question, are mac only owners richer than windows only owners? We can’t really answer that definitively with the data available.
http://arstechnica.com/microsoft/news/2010/01/windows-7-growing-fas…
http://tech.fortune.cnn.com/2009/10/05/85-of-mac-owners-have-window…
Are you sure? There’s so much (somehow justified) hate towards Apple these days, I’m surprised there are almost no malware pranks out there..
Well, or maybe Windows isn’t as secure as it’s fanboys want it to be…
That title was sarcastic you twit. In case you didn’t know, code execution is quite important to classical computer operation.
If you were smarter, you would see that I was commenting on the tone of the summary, which was quite sensationalist, and not whether code execution is possible. Obviously code execution is important to the operation of a computer. Any programmer or tech worth his/her salt knows that.
It’s typical around here to downplay any faults in Apple products, and this is just another lame attempt to lull people into believe their products are secure.
Edited 2011-03-01 17:13 UTC
Wait – I’m pro-Apple now?
http://www.myfacewhen.com/i/453.jpg
Not saying you are, but most of the articles that are not complaining about their DRM or iTunes app seem to regard them as the best thing since sliced bread, when in reality they are worse than MS.
My problem with this item is that the title and summary come across as very sensationalist and glosses over the truth. Which is that this malware reported by SophosLabs is a very real, but incomplete, proof of concept.
The title of their article doesn’t suggest it’s malware in the wild, but rather something being worked on
“Mac OS X backdoor Trojan, now in beta?”.
The article does not misrepresent it as a malware to be currently worried about at all. Just basically a heads up that something is coming.
The other problem is the several inaccuracies in your own writeup. The Mac version of their software is actually free for anyone to use, Mac’s have been the first to fail in pwn2own competitions (so much for being “incredibly secure”), and Windows Vista/7 are vast improvements over XP, but can be easily infected as well (I’ve seen it first hand).
Edited 2011-03-01 17:28 UTC
No, Thom, I think everyone knows you use QNX as a desktop
Oh, well, you did for a very long time, anyway.
Funny, I thought the article cleary was a put-down of the sensationalists, which I thought was pretty reasonable considering the lack of real danger (yet again). (Note that the headline now is:”Supposed Mac OS X Trojan Another Piece of Linkbait”, not sure if it was different earlier.)
Not saying it won’t ever happen, but looking at the number of comments from Windows fanboys on sites like DailyTech – where the author actually was defending calling this thing a ‘virus’ – you know, because even if you have to install it yourself, the virus term is so broad now (uh, I’m thinking virus / trojan / worm, but apparently that’s now too ‘technical’), clearly there are people who really desperately want OSX to get a real virus, and it just hasn’t happened. Maybe they can get on the 12/21/12 doomsday thing instead?
I guess you have forgot that there are at least half a dozen very real trojans infecting OSX installations since 2008?
OSX/Jahlav aka “MacAccess” is a prime example of one. It’s a typical “missing codec” trojan that used itself to download and install more crap.
Edited 2011-03-02 04:18 UTC
Wow, a full half-dozen? Should I be concerned when this random software asks for the admin password?
There was the one embedded in the iWork bittorrent downloads as well – I can come up with a real example off the top of my head, so I’m not saying there aren’t any trojans. If you’re an idiot, sure, install the Russian iWork variant or some unknown codec. I don’t blame Microsoft for Windows users installing trojans either – it’s social engineering, not an OS issue – and every OS has users who will click the OK button and type in a password.
My point was that there hasn’t been an actual virus or worm. And I’m still not saying it won’t ever happen, but I haven’t had to deal with/worry about AV crap, rootkits, keyloggers, etc. since 2003 myself when I ditched the lovely Windows world. I’ll be very sad if that security does fall at some point, but 8 years for me of not wondering if a random jpeg in an ad on CNN has taken over the computer is certainly nice.
Interestingly, Apple may just end up protecting the Mac more with the App Store there too now if you’re willing to purchase through that channel. (Ignoring arguments for/against curated apps, etc., just saying for a lot of users that may make life easier/safer too…)
Edited 2011-03-03 22:17 UTC
“My point was that there hasn’t been an actual virus or worm.”
There is so much contradictory information it’s hard to tell what’s true, I actually do hear about mac viruses, look them up and they even have names like “OSX/Leap-A” which was propagated through vulnerabilities in jpeg decoders.
Saying that macs have no viruses is kinda wishful thinking IMHO.
“I haven’t had to deal with/worry about AV crap, rootkits, keyloggers, etc. since 2003 myself when I ditched the lovely Windows world.”
Most of us (edit: technically knowledgeable) on windows didn’t have to deal with malware on our own systems, but rather we had to clean out the systems of friends who were careless.
The vast majority of windows malware is caused by unsafe user practices such as downloading and running software from untrusted sources such as emails or web pages. Is this a hit against the windows experience? It sure is.
However, to make a fair comparison, what does apple do to protect the same careless users on a mac? If they were equally targeted on macs, aren’t they potentially even more vulnerable there without A/V?
If we eliminate malware which is the “user’s fault”, then windows is actually fairly safe these days.
Remember, it was mac-os and not windows which was exploited with a zero day email exploit in the pwn2own contest last year.
Granted, I’m taking the position of devil’s advocate here. I’m not a fan of MS products, they’ve dragged their users through hell over and over again with shoddy software and IE/activex/WGA crap. But all of that is no excuse not to evaluate apple objectively, they need to clean up their backyard too.
Edited 2011-03-04 01:32 UTC
“Like politicians, security companies are not tobe trusted, and are probably the worst scum in the software industry.”
And I thought the worst scum in the software industry are those who erect walled gardens and impose restrictions on digital content so that consumers can’t exercise their legal rights (at least in the US). The era of locked-down/locked-in computing continues to chip away at the pillars of open computing.
it’s the computing version of communism/terrorism.
idiots fear things that sound scary.
I didn’t know the majority of the human race was communist terrorists. It does explain those silly, ineffective pat-downs, body-searches and bag check security though…
…other than steal your admin password, that is.
The next time someone publishes a proof-of-concept for a Windows or Linux vulnerability I’ll make sure to remember that proof-of-concept doesn’t mean anything, it’s not actually vulnerable because it doesnt do anything
.
What about steal all of your personal documents? That’s “nothing”?
I see so many people using the installed user base as the main reason why Macs don’t have a ton of malware, and this does make sense, but also I think that part of it is also the fact that Microsoft has been seen as “the bad guy” for far too long, and apple has largely been seen as potential competition for Microsoft at best.
But this may be changing as the folks in Cupertino continue to look more and more like the folks in Redmond in their business dealings. I can’t help thinking this will cause malware writers to focus extra hard on bringing Apple some much needed humility. And this is coming from a Mac owner BTW.
If this was linux, I bet someone would have written a Archlinux PKGBUILD in AUR for this virus..
Like politicians, security companies are not to be trusted, and are probably the worst scum in the software industry.
Agreed! They are scum. On the same level as dodgey used car salesmen or garages.
It doesn’t matter which OS you use, they will ALWAYS come up with FUD in order to sell their crap.
They rely on people not knowing how to use their systems with security practices in mind.
They don’t sell prevention. They sell cures. Because prevention isn’t a profitable model! Cures are!
They always use their “Boogie Man” or “End of the World” tone!
Back in 2006, Kaspersky tried to FUD Linux folks…
=> http://www.linux.com/archive/feature/53534
=> http://www.linux.com/archive/articles/53727
As well as OpenOffice…
=> http://www.linux.com/archive/feature/54824
Example from 2008: Mac, Linux, BSD open for attack: Kaspersky
=> http://www.computerworld.com.au/article/264352/mac_linux_bsd_open_a…
We can pretty much presume => Eugene Kaspersky = SUPER SCUM
Can the malware industry be trusted?
=> http://www.linux.com/archive/feature/54886
(If they have to, they’ll pull numbers out of the butt to FUD!)
I undermine AV companies by teaching people in my local area of good practices that prevent infection.
For example: I teach Windows users to…
=> Upgrade to Windows XP/7 Professional
=> Apply Software Restriction Policy and set to “disallow” (Whitelist mode)
=> Set Limited/Standard User
=> Password the default Admin-level account.
=> Apply MS’s Enhanced Mitigation Experience Toolkit to browsers, Adobe Reader, and certain Windows services.
=> The usual practices like staying updated, only installing from legit sources, making weekly back-ups, only use Limited/Standard user for daily use, etc.
=> Show people examples of social engineering. (The premise being: The more you know, the less likely you’ll fall for this nonsense.)
For Linux, I usually have two accounts; One has access to sudo or root privileges. The other does not…I also look into what is standard security practice. (Reading books, asking folks who are more experienced than I am, etc.)
If I had a Mac, I would very likely go here…
=> http://www.apple.com/support/security/guides/
…And become familiar the features or tools in OSX.
The only way to destroy lies and fear is with the truth and knowledge. Teaching people prevention will hurt AV companies at the core level of their business.
You’re surprised? before they even made themselves known to the west part of scaring the crap out of people was part of their whole marketing campaign – scare the living crap out of people with an unlikely scenario them ride to the rescue with a product that’ll ‘stop it from happening’. Given the dishonest and underhanded tactics it wouldn’t surprise me if they wrote some malware and virus’s themselves simply to ratchet up the paranoia level – tobacco company owning a large share in a company that makes nicotine patches for those trying to give up smoking. Create a problem and provide a solution.
Edited 2011-03-02 09:43 UTC
and someone wanted to be on the news
Scary headline,
Daily Mail style lede,
and then towards the middle of the article they say you need to enable the 3rd party APK install, cruise to a dodgy chinese market place… you get where this is going.