I have personally tried to pretty much let the whole MAC Defender trojan thing pass by, since we’re not a security website. However, we have an interesting turn of events this week. An article over at Ars Technica quotes several anonymous Apple Store employees as saying that the infection rate of Macs brought into the Apple store has gone up considerably. More interestingly though, Apple’s official policy states that Apple Store employees are not allowed to talk about infections to anyone – they’re not even allowed to inform Mac owners if they find the infection without the customer’s knowledge. Another interesting tidbit: Apple mandates the use of Norton Antivirus on company Macs, according to one Apple Store genius.
Security on the Mac is always a touchy subject. Since widespread infections have never occurred – until now, perhaps – the real-world security track record of the Mac is pretty much spotless. However, for years now, we’ve had article after article stating that once the Mac became really popular, malware infections would follow as a natural consequence. While the Mac isn’t much more popular if you take the entire world into consideration (and hence, why Steve Jobs tends to use US figures only during his keynotes), here in the western world it has been doing pretty darn good. So, are we seeing a rise in infections?
Ars Technica decided to investigate, and contacted 14 Mac support specialists, including several Apple Store geniuses. Their tales are basically all over the place – while independent Mac support specialists saw no spike in malware infections since the arrival of MAC Defender and its many variants, the Apple Store geniuses did reveal there has been a notable spike in malware infections among machines brought into the Apple stores – so much so in fact that Apple has found it necessary to instate a ‘don’t ask, don’t tell’-policy.
“In the last 6 months, only one of my clients reported a possible malware [scenario]. I have consulted with other Apple services and the rate is basically the same: one or two people out of 750-1000 in six months,” a Chile-based Apple Certified Help Desk Specialist named Pablo Toledo told Ars Technica, “Mac users here tend to be alert and informed, and only very basic users fall into the trap.”
This low infection rate was confirmed by the other independent support specialists, but when Ars spoke with several Apple Store geniuses, who understandably want to remain anonymous, the picture is entirely different. “MAC Defender has changed everything,” one Apple Store genius told Ars Technica, “We probably get 3 or 4 people with this per day. Most of them only got as far as installing the program and haven’t entered their credit card details.” MAC Defender is what is called scareware; it claims your computer is infected with malware, and will then give you the option of cleaning it for you – for a fee. It can has credit card number plez?
“This always sparks a debate at the bar on whether antivirus software is necessary on the Mac,” the genius continues, “This is difficult, as the store sells several antivirus products implying that Apple supports the idea, but as many customers point out, the sales guys aren’t shy in making the claims for Mac OS X’s security. Internally, Apple’s [IT] department mandates the use of Norton Antivirus on company machines.”
This is an interesting little tidbit. Of course, it’s only common sense to have antivirus installed on corporate machines – if only to pick out malware attached to emails sent to colleagues using Windows – but it’s still somewhat embarrassing that the company who continuously bangs on about how secure the Mac is actually mandates the use of antivirus software itself.
A genius from a larger Apple Store (I’m calling him genius II), which services a few thousands Macs per week, gives more specific numbers. Up until three weeks ago, about 0.2 percent of Macs brought into this store were infected with some form of malware. Since about three weeks, however, this percentage has risen to 5.8 percent, consisting almost exclusively of MAC Defender infections and its many variants.
What is more shocking, perhaps, is how Apple deals with it. Ars Technica managed to get its hands on internal Apple documents which impose a ‘don’t ask, don’t tell’-policy when it comes to MAC Defender infections. Apple Store geniuses are prohibited from talking about MAC Defender; they’re not allowed to remove it if found on a machine, and in fact, they’re not even allowed to inform the customer if the malware is found without the user knowing.
Part of Apple’s internal memo. Courtesy of Ars Technica.
“With regard to how the company is dealing with it, the answer is not very well,” genius II told Ars Technica, “As you know, OS X requires an admin user to authenticate and OK the install for pretty much anything that’s not drag and drop. The response has been a case of ‘they installed it, so it’s not our problem.’ Until something that makes use of a zero-day exploit hits, I really doubt that we’re going to do anything, technology wise, to address this.”
Genius II praises Mac OS X’s security model, and laments the fact that users seem to ignore it anyway. “I can’t help but be frustrated that people inherently trust everything they’re prompted to do on their machines. The beauty of Mac OS X is its security model. That people blindly enter a password is going to be the undoing of it,” he told Ars Technica.
Yeah well, welcome to the real world.
All in all, the rise in malware infections on Mac OS X is definitely real, all thanks to the first truly sophisticated trojan to hit the platform. However, the number of infected machines is still low. What’s far more troubling, however, is Apple’s official stance – a ‘don’t ask, don’t tell’-policy doesn’t sound like a company that has any experience with handling these kinds of situations. It would seem that Apple cares a whole lot more about its image than about its customers.
That policy makes zero sense and I’m glad it’s been outed. If anything it’s a great opportunity for Apple to educate its user base on trojans and promote their shiny, new app store.
It would appear that apple needs some education of its own.
It makes perfect sense to a company fastidious about its public image.
yea but that very policy is bad for their public image, besides, uneducated users are the root of this kind of malware spread in the first place.
Right, so they should advise _everybody_ to run Norton just because some people download an install a shady app? We’re not talking about viruses here, we’re talking about user responsibility. No software can protect against users making poor judgements, and even when it tries they can often ignore it. I’ve seen people switch the AV off because it was preventing them from downloading something.
Apple’s policy here might be akin to sticking its head in the sand, but it’s still saner than stating that all Mac users should buy Norton.
Who’s talking about advising Norton?
Apple should be responsible. They should’ve released an official MAC Defender-removal tool within days of its arrival. They should’ve updated applications like Safari, the unzipper, Mail.app, and so on right away to recognise and block the trojan.
We know Apple’s security process is slow on the uptake—that’s the real issue—but we can’t jump to the conclusion that Apple won’t ever do those things.
Hows that a defence?
The simple fact here is not that they’re “slow on the uptake” but that they’re proactively doing nothing.
Yes the problem here is stupid users, but its a perfect opportunity to educate them
A lot of the MAC newbies surely bought their MAC after seing TV-ADs like this one:
http://www.youtube.com/watch?v=CHFy6egYcUg
This kind of advertising might give the impression that you are safe as a MAC user. So clicking on anything on Internet surely is no problem eh..?
sorry I wasn’t talking about the Norton part, although its good to mandate an AV solution on corporate computers.
This is social resposability:
http://www.microsoft.com/security/pc-security/antivirus-rogue.aspx
Microsoft cares about user security more than any other company. Microsoft Security Center offers info about different kinds of malware and social enginering scams. Also, Microsoft gives an Antivirus for free.
They do care about security more than any other company, but they we’re dragged there with a gun to their heads, it wasn’t always (or mostly) like this.
Not more than any other company, maybe more than Apple. MS provides an AV because due to the legacy of its terrible security in the recent past, there are many orders of magnitude more Windows viruses, than viruses for any other OS.
To give Microsoft atleast some credit Microsoft Security Essentials (MSE) is an exceedingly good AV; it’s a whole lot less resource-hungry than the others and is very good at doing its job without getting on the nerves of its users. Not to mention it’s free.
So while Windows still has a security-hole here or there and Microsoft can’t really stop people from being stupid and installing malicious things atleast they are trying to.
MSE is certainly OK, on Virus Bulletin its been tested 4 times and missed a in the wild virus once http://www.virusbtn.com/vb100/archive/vendor?id=70 I use ESET NOD (tested 67 times tailed 3.) So I think time will tell if MSE is good.
As for resource efficient where would you get a reasonable impartial review of AVs? The popular press would have us using McAfee (failed the 4 of the last 5 tests) or Norton. – Well Mac Defender or Norton that would be a tough call
That I don’t know, I would provide one if I could. My opinion is based on my personal experience; I for example just switched a friend’s daughter’s laptop to MSE from F-Secure and the speedup was quite noticeable. But I understand that just some random person on the Internets isn’t the most reliable source — it’s just anecdotal evidence — and an impartial review on performance of even 5 of the most used AVs would indeed be nice, even just for the sake of curiosity.
I’ll try to remember to PM if I come across one, but all the ones I’ve seen have been paid for behind-the-scenes.. :/
Define “recent”.
There hasn’t been an outbreak (i.e., like in the XP days) of anything since the release of Vista.
Vista comes out in 2006 – much improved in security appalling in most other respects, XP service pack 3 in 2008.
Mid last decade, probably the worst years for out of control virus problems, most viruses in the wild date from 2007.
So lets say recent past is about then.
and even then the 2 major outbreaks came from people not updating their systems
how long was iloveyou patched before the actual virus came around? 3 month?
oh damn that’s funny. Where you making a joke or did you actually type that with a strait face?
If Microsoft cared more than any other company we would have a modular Windows install. Everything including a web browser and basic image rendering libraries wouldn’t be deeply embedded into the kernel. Privileged separation would be implemented in a strong manner instead of the wet cleanex separation between regular users and administrators. We’d never have had regular programs needing administrator rights to run. They would deliver anything but “good enough” quality product. We wouldn’t have the immense “antivirus echosystem” that’s remained so well supported by every Windows version so far. In all likelihood, Microsoft would be producing Windows under an open source license to take advantage of the expert peer review available; it seems to work for Cryptology and they tell me that relates closely to security.
I mean; keep some perspective. Microsoft cares more about user security than Apple. Sure. But “more than any other company”?
Lolwut? Where do you people come up with this stuff?
You realise that when it comes to access control, Windows NT is miles ahead of vanilla UNIX and Linux, right? You need SELinux to come even somewhat close to the kind of fine-grained control NT allows, and then SELinux is a complicated mess.
Yep. But its so stupidly complex that people just stick with the tried and true regular and superuser. The issue with Windows is the culture. This is MS’s fault for not designing their 9x system with security in mind. They basically trained users for more than two decades to run as administrator on their machine, and by extension developers were trained to write their software needing admin rights for no apparent reason.
Apple’s OS is not inherently more secure than something like Windows 7 or even XP for that matter, but the culture is the main differentiator. Apple has trained their users and developers to at least heed an application that needs super user rights. Nothing installs on your system without your knowledge, nothing touches system wide files without you knowing, downloaded applications don’t run without telling you that they are from the web.
As of late I have had to deal with the stupid Windows Defender trojan on Windows 7 machine’s at the company I work for, it basically borks your whole system to try to get you to buy the application. By comparison the Mac Defender trojan is relatively harmless as it can’t really do anything without your consent, a simple delete will get rid of it. A simple delete can’t rid of Windows Defender, its a multi step process that may not get your machine to the way it was before the trojan did its damage.
I do think Apple should stop reinforcing naive users belief that nothing dangerous can happen to their machine “because its a Mac”. I also think that they should take at least some minimal precautionary steps to mitigate this issue now before it gets worse. The first one being not having Safari open downloaded files by default. I always turn that off as I don’t like not knowing whats on my system without my consent. I think the Downloads folder bounce in the Dock is enough to let users know that there is something there and let them make the choice of opening the file or not.
Well, the primary point was questioning the claim that Microsoft takes the security of it’s end users more seriously than any other comapny. (it was stated definitively too, as in “no other company never ever”)
Can you honestly say that with a strait face Thom? Are you suggesting that Microsoft does infact put more effort into delivering a secure OS than any other “company”. Default windows puts default OpenBSD to shame maybe?
But, to respond to your question; “where do you people get this stuff” and recognizing that this is not a security website and your not a security expert as you’ve mentioned in the past.
http://www.esecurityplanet.com/trends/article.php/3933491/Is-Linux-…
Filtering out obscurity attributes like popularity and non-tech attributes like user skill level..
Windows7 is an improvement over past Windows distributions, however;
This is worth considering also:
And, the mechanisms to update Windows and Windows based software are still a mess. I have one central mechanism to update my Debian install and third party repositories are easily plugged into that same mechansims. It does not just check for updates from Debian. With Windows, I’m still visiting Microsoft Update, then Lenovo Updates, then any other hardware manufacturers driver updates, then Flash update utility, then Adobe Reader update utility, and so on.. and so on..
On the Linux based OS side;
– peer review is the norm due to the open source nature of development
– as mentioned above, security by design inherited from it’s roots as a networked multi-user OS
It’s not all roses and sunshine for Linux based distributions as the article does point towards weak configurations as something to watch for.
Now, outside of the article; if a graphic library has a vulnerability it’s going to still be running at the user’s privileged level on a Linux based system. I’ve also not seen a graphics library provide a remote code execution vuln. On Windows systems, I believe jpg rendering has delivered remote code execution as has the library that renders animaged mouse pointers because these both get to run in kernel space rather than being seporated from the kernel.
Right now, we can also point to DLL relative vulnerabilities in Windows including Win7. Microsoft can’t fix it without breaking backward compatibility. The official stance is that third party program developers must go back over all there code and re-write it to use full path DLL calls; to fix something that is a flaw in the OS itself.
http://www.informationweek.com/news/security/vulnerabilities/228000…
If you prefer Security Now:
http://www.grc.com/sn/sn-263.htm
in short:
and
But if you want the details, here’s the first block of text, you can read on from there:
Sadly, this. In all my years as a Linux Sysadmin, I’ve only ever been able to figure out one command for SELinux: setenforce permissive. Bah.
Supposing that you really need ACL (I’ve never needed them), you can see:
http://www.tuxradar.com/answers/644
NortoN? You’re kidding right? Just use the OS X port of ClamAV http://www.clamxav.com/ OSS to the rescue again…
Nah, you get whats coming to you if you blindly follow every advertisement and install random sketch files because the flashy thing says to.
Take it the same way as the “Nigerian”, everyone has revived some variant of this, it’s been floating around for DECADES, and yet every few months we hear yet another story of some moron that tossed their life’s savings into the abyss.
Exactly. I’ve been around Windows machines for ages and have seen dozens of scams like this where a real-looking window pops up that says you have a virus and would you like us to scan/clean for you? HELL NO! I realize not all users are educated enough to realize this UNSOLICITED offer is not legitimate, but the whole process does require you to enter your administrator password, and then later enter your credit card number, which one would think would look awfully suspicious, but I guess it doesn’t to the “average” user. To me this is even stretching the definition of a virus, which to me is something that takes over your computer completely without your knowledge or authorization having simply gone to an evil web page or opened a legit-looking jpeg file from someone you know in an email from them.
I do think Apple should inform customers if something is found on their computer and cleaned up, such as this problem is, it is a very easily remedied problem, only taking 5 minutes to get rid of. Then the customer would be educated next time they see something like this pop up on their machine.
In old lingo, it would be classified as a Trojan; a program which apears desirable while hiding an undesirable function.
In the newer lingo, it would be classified as “computer based social engineering; exploits a social situation or emotion with something delivered by computer versus delivered by more direct human interaction.
– fake AV (exploits fear of malware while actually delivering a malware payload)
– addware (exploits desire for a program while secretly stealing information)
– email spam (often exploits greed or fear to elicit a response)
All computer based social engineering. Human based social engineering would be the more traditional:
– phone calls
– impersonation
I wonder if you are missing the point. If there is a real security threat, Mac Users should be informed, especially since it is their heedlessness (those that are affected, not all Mac users) which contributes to the problem. There is NO need to recommend that users use Norton. There IS a need to reinforce the notion that no unsolicited software should ever be allowed to install by typing in your password. By not admitting the problem, Apple ignores a great opportunity to use this as a teaching point in the One-on-one program, which many of the unsophisticated users purchase. The same goes for Genius appointments. Both of these programs provide exceptional value for Mac users. Why undermine them?
They should educate users to either buy through the App Store or to NOT just type in their password and hit ‘OK’ when they’re web surfing and happen to get a sudden prompt. But God no, don’t push Norton or crap like that – not to mention, exploits routinely get past those until they have them in their profile, which means… yeah, you better just not blindly type in your password when the prompt shows up.
But then, somehow that escapes large numbers of computer users.
Maybe Lion will have a ‘lock-down’ by default to red-flag any software not signed / delivered through a secure channel. That’s not to say it shouldn’t allow it (I know I’m personally not interested in having a full-fledged machine that I can’t even do my own development anymore!), just that many non-tech users would be safer if it had more warnings about the software being unsafe – or even making users go to Preferences to specifically authenticate and click on ‘Allow Unsafe Programs’. Maybe people would thing a second time?
It has nothing to do with image and everything to do with have a single company wide policy and training for people who are the public face of Apple. I worked at an ISP and we were told the operating systems, browsers and mail applications that we supported – we were told in no uncertain terms that we aren’t to provide support for anything else even if we knew how to.
I wouldn’t be surprised if this was the same situation at Apple where they don’t want some ‘know it all’ employee claiming to be able to fix something, the computer gets sent off home with the customer thinking that it has been fixed only to find that the Apple employee hadn’t completely fixed it. 6 months later Apple being sued by said Joe or Jane Sixpack for several million (as what always happens in the US – the law suit capital of the world) because some trojan was sitting in the background collecting credit card information.
I find it funny the number of people here who have never worked for customer service sector getting up bloviating crap about stuff they have no idea about. 99% of problems I’ve found in the variety of industries I’ve worked in all comes down to the end user doing something wrong. I worked in the supermarket and we’d get people complain that the ice cream they left in the car on a hot day melted, people who purchase a pizza and take 40 minutes to drive home only to find that their pizza is cold, or they buy a pirated copy of Windows XP as they travel through Indonesia then they ring up the ISP complaining that their computer is unreliable. I’ve seen it all before so I suggest some of the arm chair experts here get off their backside and work on a ‘hell desk’ for several years or some other customer service role.
And yet, the way it is now, that trojan will *still* be sitting in the background collecting credit card information. There’s a difference between providing product support for something you aren’t supposed to, and blatantly leaving an issue unsolved *without* even notifying the customer that there’s a possible problem there. You claim to have worked in customer service and, maybe things are different in NZ than they are here in the US (in fact I’m sure they are) but, let me tell you, if someone were to take their product to me and something like this results, I’d get sued anyway. I’ve worked in cs too (though I don’t anymore) and There’s only one real way to prevent getting sued in this situation, and that is to put the decision in the hands of the customer. You tell them clearly what the issue is, in easy-to-understand terms, and you let them decide if they want you to fix it or not. Either extreme (ignoring it or fixing it without asking) is a fast track to the court room, and I’m not just talking about technical support and service. Apple are not obligated to provide support for Mac Defender and its offspring, but they *are* obligated to provide support for OS X especially if you’ve paid for Apple Care. There is, after this trojan has its way, an issue with your OS X installation. They should at least have the decency to grow up and admit the problem. Then again, this is Apple we’re talking about.
This is not going to prevent them from getting sued, especially now that it’s out there. What this will do is drop the confidence level of Apple’s tech support ever so slightly. Give it a few months, and we’ll be seeing customers calling Apple and demanding an answer as to why their machine is still acting up after Apple’s “geniuses” got through with it.
And as for the rest, tone down the vitriol a little. It doesn’t help you make your points.
Please don’t get me started on the Mac app store. They’re having similar sorts of issues with security there, since they’re keeping important updates to apps in the store back [1].
Adrian
[1] http://www.h-online.com/security/news/item/Mac-App-Store-delays-cri…
This just goes to prove that the biggest security risk is still the user. Same goes for your house, give a disreputable character the house keys, don’t be surprised when your TV is gone. On the one hand, Apple are right that they don’t HAVE to do anything, but it really harms their image and their security track record. I don’t expect them to fix it on every computer, but some user education wouldn’t go astray. They’re so fond of forcing things on people, so why can’t they force a slideshow on people the next time they turn on their mac?
A side anecdote about users. Apple are right not to remove this for them because of user objections. I’ve mentioned a thousand times here I work in a phone shop, and worked in an internet cafe / repair place, so this makes for a modest pile of user anecdotes. At the internet cafe, I found more than enough computers brought to us with exactly this kind of scareware installed on them. I removed it, and the idiot users, even after I explained what it was, wanted it back. I was more than happy to oblige after their rather friendly advice. Flash forward a couple of years, and a customer came into the phone shop with one of those “you’ve just won a MILLION POUNDS in the MEXICAN LOTTERY!” messages, asking HOW TO CLAIM IT! As if the helpful URL in the message weren’t enough. A co-worker deleted the message for them, and they threatened to sue. They in fact DID go to their lawyer, we found out, when the lawyer called us up just to laugh about the customer. Seems there are some lawyers out there who won’t take just any case.
So, my point is, the users are dullards, and likely to get angry that someone has arbitrarily removed their paid software, whatever the intent.
Their security track record is based on a market share that, up until recently, hasn’t made their OS worth targeting.
Security really can’t be compared to market share.
Security relates to how well a thing resists attack not how many attack attempts it receives. A thing that resists five out of ten attacks (50%) is more secure than a thing that resists two out of six attacks (33%) even though six attacks is less “market share” than ten attacks.
In terms of market share (popularity), a thing that becomes more popular still had all those un-found vulnerabilities before gaining popularity.
OSX may be getting more attempts against it now due to popularity but exploitable vulnerabilities discovered still existed before now. It was still just as insecure against attempts before as it is now.
Small market share is actually obscurity not security.
Obscurity; I hide behind a corner and you can’t see me until you walk around the corner. I’m obscured only until you know where to look.
Security; I hide behind a corner but you can’t walk around it and see me because you’d have to get through the locked gate between us.
The first provides no real resistance to finding me where the second does provides some form of resistance to your attempts at walking around the corner.
I really wasn’t equating their security with obscurity, although that’s what all the CLI-kiddies tout as their number one reason why command line is better. My argument is that everyone knew you were around that corner, but it’s only been recently that anyone cared about the gate you’re sitting behind.
Well yes, but that gate is not magically more effective now that people take interest in seeing me. The wall and gate is not suddenly more or less secure than it was before. It may attract more attempts now with it’s recent popularity but any successful attempts would have been just as successful before.
Quite right, you should never remove something without asking no matter what it is. But to not even be allowed to mention that they found it and actually ask that question is inexcusable. If you tell the user what it is and they throw a fit, then by all means let them lie in their own soiled bed. However, on the flip side, if you *do* find something like this and do not tell a user and they find out later, you could be in for just as much of a trouble spot as if you removed something without their consent. You see, when someone doesn’t fix something even though they’re being paid to do so… that means they aren’t doing their job, at least in my mind. Essentially what Apple has done is protected the geniuses (most of whom are anything but, by the way) from reprisal by people who might actually have a clue. Then again, I suppose the people who actually understand this stuff don’t take their machines into the geniuses in the first place, and probably didn’t even fall for this trojan to begin with.
It’s a Unix system, if you willingly elevated the permissions of a 3rd party executable, well then you’re an idiot.
I’m all for blaming the vendor for attracting stupid uninformed users though, there was an opportunity to teach them how not to blindly trust.. wait a minute, wasn’t there an article about that the other day? something about the mind of a Mac user is similar to that of a religulous loser?
Edited 2011-05-20 22:38 UTC
Sure, because you can fix your pipe system, you know exactly how your car work, you can pilot the airplane you are taking and you don’t need to go to the doctor because you have a medical degree.
And yet for most of those (assuming code enforcement for plumbers and inspection permissions for mechanics) you need a piece of paper that says you know what your doing. Being a stupid user is bad enough, but insisting that your user base stays stupid to sell more product is pretty much crap. People and their false idols indeed…
Sorry, but your analogy doesn’t fit.. but if you’re comfortable hiding behind them, you don’t need to be a locksmith to lock your doors, but you need to be smart enough to use the keys.
And not give the key away
> there was an opportunity to teach them how not to
> blindly trust
So do you want them to trust you, specially when you tell them not to trust the others.
No, not even me.
If you provide even a Unix based system and all your marketing relies on “we’re invulnerable to everything bad”, I can’t really hold average user’s fully responsible.
One’s user manual says the microwave oven makes food hot, they believe it and treat it as such. One’s user manual says the computer can’t be affected by malware, they believe it and treat it as such.
The problem is that they’re treating a computer like an appliance.
Well….I can’t imagine that it would be anymore that a “hiccup” in Apple’s opinion…..
And yet when Apple tries to get users to use its Mac App store, it’s all “Apple teh(sic) evil”.
Let’s face it, many users would be better off being unable to install software from arbitrary locations on their computers. The internet is the wild west, and it’s not safe for uninformed users.
Curated app store may at least allow a single company to provide a reasonably safe conduit through which users can install and maintain apps on their computers. Maybe even third party app store (which should be possible on the Mac).
I would agree with this, as long as there is an option for users to ‘take off the training wheels’. And I’m not talking about a jailbreak method that voids the warranty, but rather a ‘safety switch’ built into the OS that can only be turned off manually, and make the process hard enough to do so that nobody would ever do it accidentally.
For example, ‘hold down these 3 keys on the splash screen logo, and then type in this passcode when prompted’. Then, you present a huge warning message to the user, so that they understand the dangers when flipping the switch.
That way, everybody is happy. Those who want absolute control can have it, while everybody else remains blissfully ignorant in the walled garden.
Not as long as Apple delays important security updates for the apps offered in the app store [1].
Apple’s problem is not their software or technology but their generic attitude towards software security.
Adrian
[1] http://www.h-online.com/security/news/item/Mac-App-Store-delays-cri…
Except as we have seen Apple IS evil, as they have thrown out apps that would compete with apple apps or would allow freedoms like the GPL even if they are free. Would you like to have a computer that only MSFT approved software is allowed to install and run? How about a server where nothing runs without Oracle’s blessings? Does not sound to appealing to me.
Oh and for the one that said “If you give out your unix password you deserve what you get” you DO realize that is currently the way the vast majority of Windows machines are infected, right? Social engineering getting the user to approve an elevation to UAC, no different than getting an Ubuntu user to run Sudo or this bug here for Macs. i guess you can’t complain about Windows security if it is all the users fault huh?
In the end it isn’t about the bug, it is about the p#ss poor way Apple is dealing with it. Instead of basically giving the finger to those that shelled out the “Apple tax” for their illusions that Macs were somehow better or immune to malware they should have done like MSFT and released something like Malicious Software Removal Tool to get rid of it. Instead they are just leaving their users hanging in the breeze. Considering how much more you have to pay for Apple PLUS how much you have to pay for Applecare if I was a Mac user that got burned I’d be looking at a Windows 7 machine right now. After all, if you are gonna pay all that money and get NO help at all, why not buy a more powerful Windows machine for less?
Well, I can tell you first hand that being a Windows user is a lot like living in south central Los Angeles… you have to learn how to survive in ‘da hood
It looks like Mac users are going to have to learn the same lessons we did, so let me give you 5 quick pointers that will take you a long way down the road of safe computing:
– The most important lesson of all is to PAY ATTENTION to what you install on your computer. You should take as much care when installing an app as you would letting a stranger in your home while you are out of town. This is especially true for any app that requests admin permissions.
– Grab a firewall if you don’t have one, either one that runs on your computer or a router that has one built-in. This will protect against most/all drive-by malware looking for vulnerabilities from open ports. I think a combination of both of these is best; a firewall on the router to keep out the bad stuff, and one running on your machine to let you know when a new app is requesting to connect to the Internet. (And firewall programs that have a ‘host intrusion protection system’ (HIPS) have many other abilities as well.
– If OSX has the equivalent of a hosts file, grab something like this:
http://winhelp2002.mvps.org/hosts.htm
– Use a browser that has a flashblock extension, and only ‘whitelist’ trusted sites that you visit often, with a lot of Flash content (such as Youtube), and only allow Flash on a per-site basis otherwise. Take extreme care when visiting porn sites as well. I would also seriously recommend using an adblock extension.
– Be careful who you let use your computer. Even if you take all the security precautions in the world, all it takes is one dumbass and about 5 minutes to wreak havoc on your machine.
Telling your users that you can buy a Mac and completely forget about malware helps Apple sell Macs. I doubt Apple is going to acknowledge anything that implies otherwise unless they really don’t have any other choice.
Am I reading this correctly? It shouldn’t be up to Apple to be protecting people from malicious apps on iDevices (App Store vetting) but it should be up to Apple to be protecting people from malicious software on the Mac?
Hmmmm
So in short, damned if you do, damned if you don’t.
For the nth time, App store vetting does not remove malware, only thing malware has to do is to hide a bit better.
The only true way to stop malware is to introduce a security infrastructure that’s worth something. Everything else is deceptive.
Edited 2011-05-21 10:16 UTC
True enough, but even lessening the amount of malware is better than nothing, you have to admit that. And app store or similar is good for that; there simply aren’t as many malware-/virus-infected applications there that get through.
So, as a temporary solution it would still be worthwhile.
Sure, if you see it as a temporary solution, it’s worthwhile.
I’m just against people who advocate (or at least seem to advocate) it as some kind of silver bullet that will magically solve computer security problems.
It’s like antiviruses : if your OS’ users need a third-party program or company to tell them that some piece of software is dangerous, you’re doing it wrong
This is the very irony of OS insecurity. You have this battle hardened OS’s but with you the user the keys to the castle. Microsoft and Apple argues we can only sell you the castle we cant help you choose your friends also.
Please stop, this is worse than all the MS pejoratives combined.
Mac Defender is NOT a virus (and there never has been even a single Mac OS X virus!). It’s a “scareware” scam, in which a naive user blindly uses their own password to purposely install a bad application.
Is Apple responsible if you fall for a scam?
What if a naive user fell for another scam, like giving all their money to a “Nigerian prince”? Would Apple also be responsible because the request came through email on Mac OS X?
The answer of course is “No”.
But Windows users (thanks to abysmal reporting by bloggers on the Web) seem to think that Mac Defender is a “virus”, and so are comparing the security of Mac OS X to the “Swiss Cheese” non-security of Windows OS.
Let’s repeat the fact again, for those Windows users who mistakenly believe that Mac OS X has viruses just like Windows:
During the 10 years that Mac OS X has been in existence, there has NEVER been a virus for the Mac.
Or to put it into numbers:
Windows OS = hundreds of thousands of viruses
Mac OS X = zero (0) viruses
😉
Let’s put it this way: if you knew all sorts of details about certain criminals, and you did not give this information to the police, then you’re still breaking the law.
You’re missing the whole point: Apple specifically tells AppleCare NOT to tell customers if their Macs are infected by it. That’s not just negligence, that’s downright malicious.
No one is saying Apple should be held responsible if people fall for scams. But people ARE saying Apple is responsible if they tell their employees not to inform people of such even if the employees know about it.
Many Windows viruses are the same thing. Do they not count, either?
HasBean, is that you?
To look at this from Apple’s perspective, we must consider the various costs associated with any direct assistance given to users regarding this new trojan. Every infection is going to result in a support call or a visit to the Apple store. Each support incident costs money, and since support is in high demand for other things, customers who have other more pressing problems (e.g. faulty hardware or whatever) will have to complete with those who did something stupid.
It would be one thing if AppleCare techs and Geniuses spent a lot of time sitting on their hands. But they’re not. They’re BUSY, helping people with a variety of other problems and questions. Some of that goes to selling more Macs, and some goes to helping people who have already bought Macs and are not going to by another one for 3 years.
In fact, malware removal is something that can be automated, for the most part. If you want a _clean_ example of this, consider Microsoft Security Essentials. It’s the least intrusive anti-malware tool ever for Windows, and it does the job nicely. Now, Windows is a big target, so even power users need AV software.
Apple does not want their support staff helping users poke around under the hood, manually removing malware. If they have to do anything, they’d much rather assist customers with the use of an automated tool.
Is Apple abandoning users who have this infection? This is a trojan, remember. Infected users took conscious action that resulted in this malware being installed. This is not Apple’s fault. Only if this were a worm would we be able to blame Apple. We also don’t blame Apple for physical damage resulting from computers being dropped. We don’t fault Apple if someone drags the System folder to the trash. And, more apropos, we don’t blame Apple for bugs in 3rd party apps. This trojan is definitely a 3rd party app.
This is why the non-technical users should stick to boxed software from an Apple Store and downloads the App Store. Apple makes it damn easy to keep your computer clean, and they really push hard the App Store and their boxed software. So anyone stupid enough to install this trojan probably did so directly contrary to advice they were given by someone at an Apple Store when they bought the machine!
The reasons are obvious: Apple wants people to think there are NO such things for Macs, and they don’t want to waste their time on those who have.
It still doesn’t make it any more right, you know, no matter how you spin it.
Seems as though they are trying to dodge the issue.
That’s because they’re intelligent enough to know what to get involved in, and what they shouldn’t get involved in because it will backfire spectacularly.
No-one can really expect a computer warranty to cover removing this sort of crap.
Who has suggested otherwise?
The actual issue here is that Apple has told their staff to not even inform customers of malware on their computers. So customers with infected computers don’t even get the *opportunity* to pay for malware removal – a far cry from Apple simply refusing to do the removal for free/under warranty.
INTERNAL APPLE BULLETIN……..
MAC APPSTORE UPTAKE NOT FAST ENOUGH!
5 STEP PLAN FOR CORRECTION…
1)Release trojan into wild
2)Pretend it doesnt exist
3)panic ensues
4)Push end users to app store because its “safer”
5) $$ PROFIT $$
“Apple also added: ‘Remember, we know where your family lives'”.
This MAC Defender is simple perfect !
…for promoting Mac App Store
!!!
“do not buy untested and unproved software, come to App Store for quality software!”
😉 just PERFECT ! BULLS EYE!
this will bring order to chaos – one click software install. Just like Larry Ellison told 10 years ago !!
http://www.youtube.com/watch?v=8g_tcdR_pQU
More data has been lost _because of_ AV on Mac OS X than because of malware. For 10 years, my recommendation has been to not install AV. This strategy has served me an my users very well.
Do you MAC guys have this service running in background???
For professional hacker, MAC is easy cake to hack. Search internet about hackers compitition.
MS have DEP and ASLR, Do apple have anything close to this type on MAC?
Pay $1000 for MAC and get false sense of security OR pay $500 for PC+ $50 for good AV. It is your money, your choice.
Edited 2011-05-24 14:41 UTC