Cloud of Smug Centered over Apple HQ

Posted by in Analysis on Aug 28, 2006

Did you ever see that South Park episode where everyone was so self-satisfied from driving hybrid cars that a gigantic cloud of Smug formed over South Park and threatened to cause the end of the world? People were going around saying things like “I prefer to be part of the solution rather than part of the problem” and holding themselves up on a pedestal because they’re so great. Something about that scenario reminds me of Apple’s recent marketing. Here’s what I mean.

Back in the day, when Apple went live with their new message about how they’re better than everybody else because they don’t have the same quantity of malware, I thought it was only a matter of time before they got slammed. However, they didn’t get slammed. In fact, I don’t know what the bad guys are doing, but not only has this message not caused Apple any pain, it has actually been so successful that they have expanded it to further emphasize their contention that there is no malware for the Mac. This time, the PC dude is wearing a trench coat and trying not to be recognized because of all the spyware while the Mac guy is just relaxed and at peace. Apparently, Macs don’t get malware, and they don’t get spyware. Behold the power of marketing.

Not only do they not get malware now, but Infoworld has taken it a step further in their recent long-winded diatribe about why the Mac has superior security and can’t get spyware/worms (apparently, the architecture of the Mac is so superior that malware just “can’t happen under OS X”). Not that these arguments have any technical merit: I won’t go into all the reasons why this kind of thing is specious again, since I’ve done it so many times in the past… but, trust me, there is absolutely no technical reason why malware won’t run on a Mac. It will, I guarantee it. No matter what the bloggers over at Infoworld tell you, all general-purpose PCs can get malware. It’s just plain logic.

Look, computing platforms are built to allow the user to manipulate the environment, right? And if a user can do it, a user’s agent can do it. And since there is no way to know user intent programmatically, if a user’s software agent can do it, malware can do it. For example, if a user can install software that gets launched at boot and uses system resources, then spyware can install software that gets launched at boot and uses system resources. If a user can reformat the disk, malware can reformat the disk. But buy in to Apple’s message, and it seems like there’s something magical about the Mac that defies this – somehow once software is undesirable to the user, it can no longer be installed on the system. Bull. Sooner or later, people buying Macs based on these flawed assumptions marketed by Apple will get a wake-up call, and I think it sucks that Apple’s capitalizing on these false claims in the meantime.

  • http://anti-virus-rants.blogspot.com kurt wismer

    i completely agree with you except on one point… it doesn’t just suck that apple is doing this, it’s unethical for apple to do this… they’re peddling snake oil…

  • http://infosecplace.com/blog Michael R. Farnum

    Thank you for saying that, and saying it in such a matter-of-fact way. There was a time when I felt sorry for all the Mac people because they were going to get hit hard one day. Now, I am starting to lose that feeling and am almost hoping for the day. I know that is wrong, but these guys and gals obviously are not going to learn except by the hard way.

    Michael

  • mcloki

    WOW. While you guys sit here waiting for your day of “Apple Schadenfreude ” PC’s are getting hit with viruses, malware, spyware left right and centre. A few in the community are smart and protect themselves, Many don’t. Most Macs run with no protection at all. Essentially not locking their doors. And yet all that can be done against them is to fake up a wireless hack and sensationalize the problem.
    Your argument about if a user then can, then spyware can, is a logic error. If the authorized user has given permission for the spyware to install something then you wanted that. No OS can prevent user error. By leaving out an important detail to make your argument work, you do everyone a disservice.
    So keep thinking about that day of viral reckoning that all Apple users will face while you patch your system weekly, Buy and Install new virus protection, Deal with zombie PC’s, or Reinstall your or a friends OS. It will make all the work and headaches you’ve had to do keeping your PC running worth it for that one day in the future, when you will finally be able to say “I told you so”

  • Marcos

    Well, there is something magical about the Mac that defies that. You can’t reformat the drive or install many things without authenticating. So, the Mac would theoretically say “spyware wants permission to install whatever in whatever.” Windows runs pretty much everything as root, as it were. Sometimes with privileges that exceed root. Tom Yager explains it all very well, though it’s technical:

    http://weblog.infoworld.com/enterprisemac/archives/2006/08/is_windows_inhe.html

    Your “plain logic” ignores the fundamental differences between Windows and OS X (and other unix-based OSes for that matter.) Linux doesn’t have much spyware either, as far as I know.

    Is a malware/virus possible on a Mac? Of course. Does the architecture of Windows make it far more likely to happen on Windows? Absolutely. Are there any viruses or malware in the wild on the Mac? Not a single one.

  • daddydoodaa

    You’re positively absolutely right – someday Mac Users may get hit hard by a virus, spyware, or malware.

  • http://www.securitycurve.com Ed

    @mcloki

    Alright, just for the record, my non-work computer (the one I bought myself with my own money) is a Mac. But it’s funny, I’ve had to do all the same things you mention on my Mac, too – patches, updates, reinstalls. Plus, when you say “If the authorized user has given permission for the spyware to install something then you wanted that.”, are you saying that because a user has to agree to installing software that they won’t get spyware? Or is the argument that it’s their own fault when they get it? I think the first interpretation is false, since most spyware (for example, those bundled with freeware programs) requires the user to agree and the second isn’t very sporting.

    @Marcos

    See, that’s exactly what I’m talking about. People say “Are there… viruses…? Not a single one” and mean it (like Apple’s marketing does) as rhetorical hyperbole. However, what concerns me is that people hear this and take it literally.

    Look, there’s malware for the Mac. Really. For example, for Macs prior to OS X, there were 40 Mac-specific threats prior to February 2000. From the Mac Virus Faq (http://www.faqs.org/faqs/computer-virus/macintosh-faq/) a few were:

    AIDS… Aladin… Anti… CDEF… CLAP… Code 1… Code 252… Code 9811… Code 32767… Flag… Frankie… Fuck… Init 17… Init 29… etc.

    For OS X, there is of course “leapA” (http://www.sophos.com/virusinfo/analyses/osxleapa.html) and there’s enough spyware to warrant a number of products dedicated to removing it (http://www.unwantedlinks.com/macsupport.htm).

  • http://mart.ozmac.com Martin Hill

    Guys, I agree with you that it is indeed possible for malware to be written for Mac OS X although the BSD unix underpinnings and other “security-by-design” features make it a lot harder than the bolted-on security of Windows. I do also believe it is irresponsible for anyone to state that OS X can’t have malware written for it.

    However, the fact remains that for going on for 6 years now commentators have again and again promised that “anytime now” the sky would fall and all those smug Mac users would be rue-ing the day. However, this has still not happened. With 116,000 viruses and worms, 68,000 bits of spyware and adware, countless trojans, keyloggers etc, Windows remains infinitely more malware-ridden.

    Mac OS X still boasts 0 bits of spyware or adware, a couple of ineffectual trojans and 0 viruses or worms (one ineffective bit of code arguably displayed some virus-like features but was unable to effectively propagate). This is a far cry from Nimda or Code Red or any of the thousands of extremely virulent bits of malware that continue to plague the Windows platform.

    Don’t you reckon Mac users have a right to be a little bit smug about this fact? If and when the day finally arrives that some effective Mac OS X malware surfaces sure, we’ll have to be more careful, but can you seriously believe that it will ever get as bad as the Windows platform? For those who want to push the security by obscurity myth, do you really think Mac OS X will ever approach the same market share as Windows and become as big a target? I think we’re pretty safe assuming the Mac world will always be a lot safer. Even Bootcamp and the virtualisation options for Mac OS X keep Windows nicely sandboxed away from harming the Mac side.

    On Apple’s part they are only telling a fact: “all that malware out there does not affect the Mac”. What is so unethical about that?

    -Mart

  • http://mart.ozmac.com Martin Hill

    I’m sorry Ed, all of those 40 bits of Malware you mentioned were for the old Classic Mac OS. They do not affect Mac OS X.

    Leap A is one of those ineffective trojans I mentioned.

    And that *single* Mac OS X spyware removal program you linked to? Have a look at the list of “spyware” it supposedly protects you against and you will see not spyware, but reputable commercial and shareware/freeware programs like OSX VNC and Type Recorder etc. No malware here – just a company wanting to make a buck on FUD.

    -Mart

  • newenglander

    I read the article you linked to on Infoworld. It was kind of long winded, but in the end the writer never says that “Macs can’t get spyware/worms”, as you claimed he did. At the end of the article the point the writer was making is that Windows is more vulnerable than OS X, not that OS X “can’t get spyware”.

    You may not agree with that assessment, but that was just one man’s opinion based on his own personal experience.

  • cake

    People can be duped and they will install bad stuff no matter what the system. The Mac OS offers one clear level of warning before installing something, and I disagree with the poster that claims Windows has the same thing. I know plenty of people that have/had spyware on their computers and didn’t purposefully ask that it be installed…duh, that’s why it is called spyware. But the original blog is correct, something will eventually come along for OS X, but to sit around and think all Mac users are deserving of being hacked is pathetic. Consider the number of Windows viri and spyware and you can’t deny Mac users have a reason to be pleased, but to wish them harm is, again, pathetic.

  • max

    I dunno about you, but I’ve felt pretty smug for about five years now, especially watching all my PC friends agonise over their computers going up in smoke. I guess I might not be so smug in the future, but five years of smugness feels like a lifetime, eh? AHHAHAH I’m happy – AND SMUG!!!

  • JH

    Ed’s comments are a bit misleading. While there are in the neighborhood of 40 pre-OSX Mac malware examples, some of these are not/were never in circulation, some affected only one or a few versions of the Mac OS, and some relate to older technology (i.e., infections of floppy disks, etc.). There never was a time when a particular Mac was vulnerable to 40 pieces of malware. The large preponderance of users of Mac OS 8 and 9 in the late ’90s ran completely without virus protection and never saw any malware. Furthermore, the relevance of this to the current OSX, which has an entirely different structure and security model, isn’t clear.

    LeapA isn’t a good example of malware of legitimate concern because it doesn’t have a viable way to spread between networks in the real world (it is confined to LANs running Bonjour). Currently there are no examples of malware for OSX that are any sort of threat for network spread.

    Any computer system including OSX is susceptible to a well-crafted Trojan. So far, all attempts at OSX malware have had Trojan elements in an attempt to trick users into running them or entering admin passwords. What hasn’t been accomplished yet for OSX is a mechanism for replication and large-scale spread without requiring user intervention or alerting users to abnormal activity.

  • j

    “So far, this is the only program that we have found geared for MacIntosh computers that claims to be able to find spyware.

    We are still trying to find out more information on any programs that are targeting Mac users. Since we are limited in true documentation regarding what programs might be affecting Mac users we recommend that Mac users invest in a solid personal firewall program as a precaution to protect their on line privacy.”

  • Dan

    Someday somebody will be successful in circulating a piece of malware that targets Mac OS X.

    But that day has not yet arrived, which is the point made in the ads–you’ll note that Apple’s ads always talk about the past or present tense, never the future.

    Of course, there are bounties out on the Mac’s operating system, and have been for years. As someone who has provided computer security consulting services to Fortune 1000 companies and Universities for more than 15 years, I am amazed and impressed that no one has yet been able to put a piece of Mac targeted malware.

    Given that Mac users tend to spend almost twice as much time connected to the internet and have been demonstrated to have higher incomes than most Windows users, you would think that the “bad guys” would have great incentive and opportunity to attack Mac users, but they haven’t figured out how–despite the resources available to groups like the Russian mob and the smart people they employ. I know people who have been offered as much as $500,000 to develop Mac OS X malware, none were successful.

    Also, given that any “just for the accolades, just to prove I can do it” hacker would gain tremendous street cred and megabucks as a “security expert” if they got some Mac OS X malware in the wild, you would think that someone, somewhere, would have done it. But they haven’t.

    Macs are not invulnerable, no computer connected to the internet is. But with each day that passes, one really has to wonder if maybe there isn’t something truly superior about the way Macs are secured.

  • http://www.securitycurve.com/ Ed

    Wow, contentious topic.

    @Mart, @JH,

    You’re right, the 40 from the Mac FAQ were before OS X (actually that reference was written before there was an OS X). However, the point isn’t whether they run on OS X or not – the point is that there’s malware for the Mac. Apple isn’t saying “no malware for OS X” or “no malware in the wild for Mac”; they’re making an unqualified statement “no viruses or spyware.” Is that an accurate statement? I would say that it isn’t…

    Look, as a longtime Mac user, I’m willing to give them the benefit of the doubt on small things. Like when they take longer than any other Linux or BSD distribution to patch vulnerabilities in common packages (http://blog.washingtonpost.com/securityfix/2006/05/a_time_to_patch_iii_apple_2.html) or when they make me pay retail to upgrade a dot release. But when they start knowingly making inaccurate statements to try to boost sales at the long-term expense of their users? That, I have an issue with.

    @Dan,

    Are you saying that given 15 years and/or a budget of 500k that it’s impossible to write malware/exploits for OS X? What about these?

    http://blog.washingtonpost.com/securityfix/2006/02/exploit_published_for_unpatche_1.html
    http://www.techweb.com/wire/security/180206995
    http://www.milw0rm.com/exploits/1519
    http://www.zdnet.com.au/news/security/0,2000061744,39164062,00.htm
    http://freaky.staticusers.net/ugboard/viewtopic.php?p=53864

  • jbelkin

    OSX has been out for 5 YEARS – after all this time and 25 million users, here’s a recap of ACTUAL exploits:

    VIRUS – ZERO
    MALWARE – ZERO
    TROJAN – ZERO
    SPYWARE – ZERO

    When you build a better system and maintain it better, it is simply better. You can call it SMUG (but then you seem to do most of your research on a cartoon show) or call it what you will – the truth is the truth.

  • http://www.securitycurve.com/ Ed

    @jbelkin

    Why is leapA not malware?

  • http://nonsuchworks.com Dan

    >However, the point isn’t whether they run on OS X or not – the point is that there’s malware for the Mac. Apple isn’t saying “no malware for OS X” or “no malware in the wild for Mac”; they’re making an unqualified statement “no viruses or spyware.” Is that an accurate statement? I would say that it isn’t…

    Given that it’s literally impossible to buy a Mac that will even boot a pre-X Mac OS without buying secondhand, the statement is perfectly accurate in the context of Apple’s intended audience. No one making a decision to buy a Mac today needs to worry about pre-OS X viruses; therefore making the distinction is not only unnecessary, it’s potentially confusing and thus better avoided.

  • http://anti-virus-rants.blogspot.com kurt wismer

    jeez… i get tired of all the misinformation about osx/leap.a

    -leap was captured in the wild, therefore it is not completely ineffective
    -leap is an overwriting file infector… that means it’s a virus for those unfamiliar with the various virus types
    -leap is also an instant messaging worm, which means that yes it does indeed have multiple ways of spreading…

    therefore there is at least one virus for osx, and though it has not reached epidemic proportions (and probably never will) that is not the measure of what is a real virus or even what is effective…

  • Peter

    Okay, boys and girls. Time for a reality check.

    Ed, if you want to include viruses from Mac OS versions, fine by me. After all, you can run Classic apps in Mac OS X–at least on PowerPC-based Macs. Of course, if you’re going to do that, we should also include the DOS based viruses, right? Also, we should include the ones that only affect Windows 95, 98, and ME. I’ll still hold those 40 viruses for the Mac up against the hundred thousand Windows viruses.

    Also, Ed, the viruses you mention will ONLY infect applications compiled for the Motorola 68000. So, in other words, it will only infect applications written before 1993 or so. If you’re running a so-called “Fat” application (ie, with both PowerPC and 68K code) on a PowerPC processor, the virus code will not run because the operating system will use the PowerPC code.

    The new Macs from Apple will not run Classic applications at all. So they’re safe from those viruses. Those people with PowerPC Macs running Mac OS 9 in Classic are safe because there’s no way to tell Classic to run a “Fat” application as 68K. So you need a Mac which will boot into Mac OS 9, a four year old Mac. You need to boot into Mac OS 9. And you need an infected application which is either 68K-only or the user has explicitly told Mac OS 9 to emulate the 68K code.

    Next, let’s talk about the difference between an exploit and malware. An exploit is a piece of code that has the potential to do something. Yes, there are bugs in Mac OS X. Yes, there has been exploit code written to demonstrate that these bugs could allow someone to run code. Malware is then written to take advantage of these bugs to run code which does antisocial and nasty things.

    The thing with Mac OS X is that the malware doesn’t ever seem to be written. Sure, there are exploits–my favorite was the one in embedded ICC profiles. Since Safari loves embedded ICC Profiles (as does a lot of Mac OS X), that one had all sorts of attack avenues. E-mail some pictures and whammo–you’ve got running code. So why didn’t we see malware written to take advantage of it?

    There are a few reasons.

    One reason is perceived marketshare. “No one uses Macs, so why bother writing malware for them?” As long as malware writers think that way, we’re safe.

    Second, there’s the architecture issue. Since Apple has switched architectures, you now have PowerPC machines and Intel machines. Code written for one won’t run on the other. So you need to have two different hacks–one for PowerPC and one for Intel. Double the work. And it will be this way for awhile. Heck, it took Apple about 5 or 6 years to get rid of all the 68K machines. So you’ll have that issue to contend with, too.

    Third is the biggest one, though: What can you do? The answer is, not much. Without elevating permissions, you can’t change the system. If your victim is running as administrator, you might be able to infect some applications. But when they run, they’ll have the user’s permissions, so that’s a dead end.

    Elevating permissions is the key, but it’s tricky. In order to elevate permissions, the user must enter an administrator password. Unlike Windows, there’s no “silent” way to do this. Personally, I’m going to be a little bit questioning when Safari or Mail suddenly says, “I need elevated permissions.”

    To use the dreaded car analogy, Windows is like a car with door locks and the key in the ignition. Once you get through the door lock, you own the car. Mac OS X is more like the car with door locks, encrypted ignition locks, and the owner having the key. Can you steal the car? Sure. But, you have to defeat two sets of locks. It’s difficult enough that it just isn’t worth the time and effort. The easiest method to steal that car is to convince the owner to give you the key.

    About the only way to get spyware onto a Mac is a Trojan Horse–namely, you have to convince the user to let you through the gates. Can this happen? Sure, if the user allows it. But Trojan Horses are pretty easy to catch with conventional methods (like an antivirus program).

    I somewhat agree with the proposition that Apple shouldn’t be telling Mac users that they are “safe” from malware on a Mac. The user can be tricked into installing something they shouldn’t and Mac OS X isn’t going to stop them. Vigilance is always a good idea. If you install a screensaver that needs root permission, this is not smart. Just buying a Mac will not protect you from Trojan Horses. The user must be wary of websites bearing gifts.

    But this is in sharp contrast to the world of Windows, where you shouldn’t even look at an e-mail unless you know who sent it. You shouldn’t even think of connecting your computer to the Internet without running a firewall program, two antivirus programs, and reconfiguring Windows from the default install.

  • http://www.securitycurve.com/ Ed

    @Peter,

    You’ve got my agreement 100% on this, and I am in complete agreement with you on the reasons you outline why there is less malware for Mac than PC. 100% agreement.

    I think you’re right on the money when you point out both architectural changes and user base. I would add to that also operating system changes, and I think it’s a pretty complete list.

  • mcloki

    It’s the fact that you as a user have to authorize the spyware on a Mac that’s the important point. Most hacks on Windows happen by just going to a web page and IE does the rest automatically. It may not be sporting but it is just good social engineering. Hey who isn’t going to download nude photos of today’s “insert hot star here”? That’s just trickery. Social engineering is different than a virus. What we’re talking about is viruses. Software that acts alone. No user interaction. Leave a Mac on the net unsupervised out of the box and even though it is getting attacked on the web by the same amount of viruses as a PC nothing will happen to the Mac. Do that with a PC and it will last 20 minutes if I remember the Reg article correctly. If competency and skill of defending your machine from viruses depended on how long you were able to keep your machine from a successful attack or exploit. My mom, grandmother of two, high school education beats every PC user out there and she doesn’t even know she’s doing it. Sidenote: She can e-mail and surf the web, download photos and she’s happy. Though she wonders why no one is trying to sell her anything anymore because she doesn’t get pop ups anymore.
    I will stay vigilant and am interested when a real virus shows up. But all this crying wolf has to stop.

  • Dan

    First, the “Dan” who said “Given that it’s literally impossible to buy a Mac that will even boot a pre-X Mac OS…” is a different Dan than I am.

    I’m the one who said “Someday somebody will be successful in circulating a piece of malware that targets Mac OS X…”

    Ed, regarding your response… I didn’t say it couldn’t be done, I said it had not yet been done. Big difference, which was my entire point. Someday someone will figure out how to infect a Mac with malware in a way that–like Windows malware–doesn’t require the user to agree to install it and take active steps to propagate it. No computer’s security system is immune to the user who does something stupid. But, effectively money making malware requires infection to occur unknown to the user.

    That hasn’t happened yet. Will it happen in the future? Unquestionably. Do Mac users and Apple need to be vigilant regarding security? Most Assuredly. Are Mac users in a more secure position today because security concerns have been addressed by Apple at the foundational level of the operating system from the first day of development? You Betcha. Are they in a better position to keep that security going in the future than Microsoft users and their grafted on security? Without a doubt.

  • http://anti-virus-rants.blogspot.com kurt wismer

    @dan
    “Someday someone will figure out how to infect a Mac with malware in a way that–like Windows malware–doesn’t require the user to agree to install it and take active steps to propagate it.”

    believe it or not, most windows malware actually requires the user to do something to install it… the notion that most windows malware installs itself just by visiting a website is a misconception – those kinds of events grab the most attention because they are so troublesome to teach people how to avoid, but that doesn’t mean that’s the only way windows malware gets installed or even the most common way…

    “But, effectively money making malware requires infection to occur unknown to the user.”

    all effective malware requires this, but it doesn’t change the fact that most of it also requires user interaction… what that really means is that effective malware requires deception in the form of social engineering in order to get the user to think their interaction is doing one thing when in fact it’s allowing the malware to install on their system… that’s why osx/leap.a is able to spread in the wild…

  • Peter Urb

    This blog and all the PC users posting — obsessed with everything Apple does — is all the proof I need that Darwin’s principles of natural selection still apply to operating systems and the sub-species that use them. Go ahead, keep using Windows. And yeah, keep on dreaming that us Mac users will be hit by something and it will not be you PC users that are already being buried by the evident obsolescence of your computing systems. Good luck, and keep drinking the redmond cool aid. Enjoy your bug infested digital environments.

  • http://anti-virus-rants.blogspot.com kurt wismer

    @peter urb

    the point in drawing attention to the fact that macs are also susceptible to malware (and malware susceptibility is not an indicator of obsolescence, by the way) is so that the mac population can learn to better protect themselves by example rather than learning the hard way that simply using a mac is not going to be enough in the long run… denial, such as that which you are demonstrating, will not keep the malware at bay…

  • John L

    As I read all these “but if OS-X was vulnerable, why haven’t we seen malware for it by now?” arguments, I can’t help but think of the world of 1997-1999, when I was told by all the Windows admins at my University that Windows NT wasn’t a security problem, since it was only Linux boxes and SGIs that got hacked.

    The analogy is shallow, but still.

    OS-X has places it could be tightened up. The default behavior of users running in the admin group is one. The old NT-style of leaving a world-writable \WINDOWS\WINNT (or similar, I disremember now) and the 0775 perms on /Applications, group admin… well…

    And I know it’s not /usr/bin 0775 group admin, but there’s still plenty of rope for a user to hang himself with, in pursuit of the dancing pig/hamster/naked person of interesting gender/etc.
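
Added example (not part of John L's comment or of the original post): a small audit for the exposure he describes, a directory such as /Applications that a member of its owning group can modify with no password prompt. The function names are hypothetical, and the check reads classic mode bits only, so ACLs and root's override are out of scope.

```shell
#!/bin/sh
# Added example, not from the original page. Classifies how the invoking
# user gets write access to a directory WITHOUT elevation, using the
# standard Unix rule: owner bits apply if you own it, else group bits if
# you are in its group, else the "other" bits.
# Assumption: plain mode bits only; ACLs and root's override are ignored.

# write_class MODE OWNER_UID GROUP_GID USER_UID "USER_GIDS"
# MODE is the ls-style string, e.g. drwxrwxr-x.
# Prints one of: owner | group | other | none
write_class() {
    mode=$1 owner=$2 group=$3 uid=$4 gids=$5
    if [ "$uid" = "$owner" ]; then
        # Owner write bit is the 3rd character of the mode string.
        case $mode in ??w*) echo owner ;; *) echo none ;; esac
        return 0
    fi
    for g in $gids; do
        if [ "$g" = "$group" ]; then
            # Group write bit is the 6th character.
            case $mode in ?????w*) echo group ;; *) echo none ;; esac
            return 0
        fi
    done
    # Neither owner nor group member: the 9th character decides.
    case $mode in ????????w*) echo other ;; *) echo none ;; esac
}

# audit_dir DIR
# Reads mode, uid and gid from `ls -ldn` (numeric ids, so names containing
# spaces cannot shift the fields) and classifies the current user.
audit_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo missing
        return 0
    fi
    info=$(ls -ldn "$dir" | awk '{print $1, $3, $4}')
    set -- $info
    write_class "$1" "$2" "$3" "$(id -u)" "$(id -G)"
}

# Usage: sh audit.sh /Applications /usr/bin
# "group" means any process running as this user can change the directory's
# contents through group membership alone, with no authentication dialog.
for d in "$@"; do
    printf '%s\t%s\n' "$(audit_dir "$d")" "$d"
done
```

A result of `group` or `other` on a directory that holds executables is the case worth tightening; `owner` is expected for a user's own files.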

  • OS11

    Some of the main reasons OSX cannot be hacked is the “CULTURE” of Apple and its users. If you remember, The Apple // had the first PC Virus, then later the Mac had the first widespread viruses in 1989 or so… The culture of Apple and its users killed those quickly since they tend to be more organized and much more computer savvy than Windows users.

    OSX is a “network” OS… it is also based on Unix, which means a virus has to pass through
    “Launchd”, which is impossible unless an Admin user “agrees” / types Admin password to allow the infection. There is no other way in PERIOD.

    Bottom line… the WHOLE virus, spyware problem is because Windows is poorly written and maintained, PLUS the culture of Windows users just aren’t computer people like Mac users are.

    There will “NEVER” be an OSX virus… for the simple reason it cannot “spread” beyond “1″ machine. Yes, we could see very limited spyware that lasts a few days and then killed, and a piece of malware here and there. But OSX is not built anything like Windows, thus no problems with security.

    OS11

    -

  • Anonymous

    It is nice security people have their crystal ball to predict the future, but for us, the simple consumer, we have to do with today

  • http://www.trustedlearning.com Winn Schwartau

    The FUD and F&L from the faltering Win community gets amusing. I made the switch 4-29-05 (GOOGLE: Winn Mad As Hell Mac) and documented why a security company had had it with the smugness of Redmond.

    We also wrote a complete TCO analysis that has come to pass. Prescient or bound to happen? Maybe a bit of both.

    But here is THE thing. The test.

    Write a piece of code that will cross the native security barriers in OS X (think BSD guys…) in a default out of the box Mac, and I will pay a lot of attention to the current Win hubris. (Jobs is arrogant. Yes. So is Apple. It’s only hubris if you can’t back it up.)

    NOW, if you can demonstrate the same attack with NO PHYSICAL ACCESS to the Mac, you will become part of computer history as THE GUY WHO….

    I have no doubt there will be some problems. I have no doubt that when people pay attention to OS X with the same microscope they do Win-stuff, holes will be found. And they will be fixed Quick Like Bunny… instead of Patch Tuesday when Hell Freezes Over.

    ERGO: If you can’t demo how to cross the native security boundary, stop misleading the Mas and Pas of the World with FUD.

    Winn

  • http://mogcow.blogspot.com Mogcow

    At the moment I have some sort of popup problem (see my blog for details). Tried Googling the offending words (mediaplex, casino, ringtones) plus “OS X”, but have so far not found any references to non-Windows boxen getting caught out with any of these things.

    Am quite interested that this thread flatly states that the Mac doesn’t have an adware problem (I have also been told that Firefox’s settings catch 99% of all popups).

    I’d quite like to know what this is, how it got there (without my navigating to the offending pages), and how to eradicate this entirely.

  • http://www.securitycurve.com/blog/archives/000481.html Security Curve Weblog

    Turns out Allchin’s OK. Can we pig-pile on Oracle instead?

    Have you seen the ads for the "Truth in Software Commission" hearings over at BigFix.  If you haven’t seen it, I highly recommend checking it out.  Their satirical content is absolutely hilarious and it’s very much worth the trip (t…
