48 comments

[ 3.3 ms ] story [ 113 ms ] thread
from http://www.macworld.com/article/160098/2011/05/macdefender.h...

"Windows 7 is actually more secure than OS X, but the gap narrows every year. And there simply isn’t the same attack ecosystem for Macs, nor are we likely to see one develop.

So while Mac users will likely see more malware, it’s highly improbable we (or Windows 7 users) will ever experience what those who are still running Windows XP battle today.

But two other factors are changing the Mac security landscape. First, Apple products are growing rapidly in popularity. At the same time, the overall Internet security environment is more hostile than a cantina on Tatooine."

How is windows 7 more secure? I can install a malicious app if I want to on any system.

The only "problem" here is that safari automatically opens safe files. They should also get a smartscreen filter like IE9 has. Safari has something like this already (google safefilter) but it doesn't seem to be as effective.

Mac OS X as a whole has xprotect, but that is a very simplistic defense to look for some known malware signatures.

Security experts generally agree that there are more exploits on Mac. It's easier to run arbitrary code without permission.

The only thing is, nobody has bothered to write that code yet.

One question that is worth asking is how many of these exploits can be done remotely, and how many of these exploits require physical permission to a system?

It is worth noting that there is a difference between exploits that require physical access and those that can be conducted remotely.

Speaking just for myself, I am not certain which operating system is more or less secure, but I do not think that operating system security matters as much as user habits. I have ran Windows XP since 2001 and I have never once suffered from malware or a virus (except when I transferred a USB-stick virus onto one of my computers just to see what would happen). I know that the plural of anecdote is not data, but it is worth noting that it can and has been done.

Many of them can be done remotely, as has been done at Pwn20wn for several years on OSX.

But to actually create a weaponized attack that can get on a lot of machines requires a fair bit of work. If you're going to do that, it's probably worth going the extra mile and attacking a much larger installed user base.

But, what's even easier is just doing malware that the user installs. You can write it in a fraction of the time, and you probably get similar infection rates.

I'm no security expert, but I do try to keep up. Someone please correct me if my facts are off. Ahem:

Windows 7 does a lot more randomization of memory layout than Mac OS X does, making it more difficult to exploit executables and libraries shipped with the system. It's actually easier to exploit a Mac OS X machine than it is a Windows 7 machine -- see the results of pretty much every Pwn2Own [1] contest.

That said, the vast majority of spyware is targeted at Windows and doesn't need low-level exploits to do its job. It's the difference between safety and security; you're probably more safe on a Mac, even though they're technically less secure.

[1]: http://en.wikipedia.org/wiki/Pwn2Own

There are only two long term solutions: - an anti-vir scanner which constantly monitors all your files, hogs resources and plays the game of cat & mouse - Prevent users from installing software that wasn’t from the Mac App Store, just like on iOS.

The last is a nuclear option and not practicable for a professional desktop system. But I would like this as a configurable option for my parents. (Withholding the admin password from them is another possibility, but, well, see the article)

Don't the parental controls in mac os x allow this? Haven't tried, but you can limit the apps that the user can run to your own selection. Or even limit to just app store apps.
As I understand it, this relies on the admin account's ability to write to the /Applications folder without a password. So, if you just run in a non-admin account, you should be fine.
Won't the non-admin account just ask for the admin password? Since people are used to doing this when installing apps, it comes second nature..

If people are willing to click through several steps of an installer app, they'll also type in the admin password if requested.

This is only useful for other family members that you do not trust for safety reasons.

Right, but the point of this article is that it no longer needs the admin password. If you're running in a non-admin account (like I am), it'll still need the password, and thus user interaction, so it'll be trivial to stop.
Even without the password you still need user interaction, the user has to click next multiple times during install.
True. Somewhere I thought I read that the installer ran without user interaction in this variant, but thinking about it, that doesn't make much sense.

Though, if you're concerned about having to give an admin password (as evidently some people are), running in a non-admin account would solve that. (Also, if you have write privileges to /Applications, it's possible to write a script overwriting the contents of a trusted executable with malicious code, but that isn't how this works so it's slightly irrelevant.)

In other words: it still falls into the "you have to be stupid enough to allow total strangers behind the wheel of your car" category, they just don't need you to hand over the keys anymore. Got it.

Stupidity is not a problem that can be solved through technology.

At least Apple now has a service to protect stupid people against themselves, it's called the "App Store". You know, with the kind of approval system we've all been bitching about.

As far as I'm concerned, self-inflicted malware is about as big a security issue as running with scissors. To treat it as some external force that needs to be dealt with by manufacturers, OS-makers, anti-virus producers or even legislators just perpetuates the real problem, turning it into a perpetual arms race that can not possibly be won, but at some point may cost us the freedom to install anything we want on our computers.

Exactly, Mac users have so far been very safe from actual virusses and worms, and other malicious stuff sneaking onto your computer through security holes, however, this type is something you can't do anything against. It's the user consciously downloading and running a program.

For this type of inexperienced users Symantec and McAfee make Mac products.

Just as a thought: if there was an "Only run Mac App Store-distributed applications" switch somewhere in OSX's System Preferences, off by default, I know several people for whom I (as their tech-guy-cum-sysadmin) would flip it on in a heartbeat, and then never likely hear about this particular flavor of PEBKAC again.
System preferences > accounts > parental controls > limit programs > allow app-store programs > all

Deny all the rest.

(comment deleted)
> Stupidity is not a problem that can be solved through technology.

Wait a couple decades. Kurzweil may be on to something ;-)

Stupidity is not a problem that can be solved through technology.

My reaction is: Never say Never.

However, if you are going to try and solve stupidity through technological or scientific means, beware. A half-baked understanding of science can be a dangerous thing.

Example: At Enron, the policy was to fire those who evaluated in the bottom 10% of the company. Jeffrey Skilling thought he was using the miraculous power of evolution to create a company of super-employees. What he actually did was to create a company of those skilled at gaming the system.

This was like another attempt to evolve chickens to be super egg-layers. Instead of increasing the egg-laying of the whole population, only the egg laying of the dominant females was increased and overall productivity was decreased.

http://lesswrong.com/lw/l8/conjuring_an_evolution_to_serve_y...

Does anyone have information on where this new version actually installs to? Is it the per-user ~/Applications folder?
Someone who knows how OSX works - how is the malware getting execute permissions?
It's not. For whatever reason, OS X installer pkg files are deemed 'safe files' by safari, which has an option to open such "safe" files automatically. So the thing that actually launches is a standard Installer.app from apple, but running a pkg script provided by the 'bad guys'. Fortunately Installer.app requires user interaction before it does anything, but it's still disconcerting.
I like how they make it look like a passive process, except for the fact that at every screen shot you would have to run the application or click "next". This is social engineering. You were tricked into installing it. There's not way to stop that if it's an open system.
* Requires user interaction, so it doesn't count.

* Doesn't work if you aren't an admin.

* The OS is just installing what the user agreed to install.

Seems like Mac users are regurgitating Windows users' excuses from years ago.

It's a problem. Rather than make excuses, we should be expecting Apple and others to be actively working toward a solution.

So, you expect the operating system do disobey the user when it determines the user actions could be harmful?

If I tell my machine to do something, I want it to carry my orders.

>If I tell my machine to do something, I want it to carry my orders.

I downloaded this 'Free Screensaver Pack' and I want to run it! Who does this virus scanner think it is? Quit telling me that its a bad idea and just goddamn do what I want you to.

If bad software exists I don't want my computer to warn me that it might be a bad idea to run it, I'd rather apple just creates a walled garden so I can don't even have the option to command my computer to do something bad.

The problem is, people confuse prevention and warning. They complain about the exception, rather than the rule. Oddly, I see few complaints about browsing implementing phishing site protection and warnings about bad SSL certs, etc. After all, the browser should just take me to where I want to go and shouldn't get in the way. Right? =)
These are the same arguments Windows users used for years, and Linux and Mac users mocked them for it.

Regardless, you've presented a false dichotomy. That the only way to combat the risk is to prevent users from using their operating system as they see fit. That's not what I suggested, at all, and trying to frame an argument around it is dishonest.

Nothing will protect a computer from a determined user. The OS may even warn the user the action he is about to take can harm the computer, but the decision rests with the user.

What you can do is to keep ZFS-like file snapshots and allow the user to return to a moment in time previous to the infection.

> Nothing will protect a computer from a determined user.

But their are numerous things you can do to protect a computer from your average user. Not doing these things because of exceptions is wrong.

I think we would be more productive if we focused our energy on educating the users instead of disobeying them.
Abstinence-only eduction v.s education and protection. Right. Good policy.
I never said protection should be abandoned. I said education is more important because it allows users to use protective measures correctly.

And may render a lot of protective measures unnecessary.

> I never said protection should be abandoned.

It didn't sound like it.

Education is great. However, no amount of education will remove the need for real protections. This doesn't mean you disobey a you keep trying to suggest.

Look to the real world of examples. Education doesn't trump protection. Take anything you need to pass a test for or need a license for. Their are still protections put into place to prevent abuse. Hunting license, gun license, driver's license. All have protections on top of education because people make mistakes.

Finally, quit trying to suggest that protection means it prevents a user from doing what they want. Again, it's a false dichotomy and continuously trying to argue it devalues any point you are trying to make.

> it prevents a user from doing what they want

Have you ever seen a false positive report from an anti-malware application? I have.

If I trick a GNU/Linux or UNIX user into running a "sudo rm -rf /" command and entering a password, did I create malware?
No, you didn't create software, but you effectively distributed a trojan.
No, modern rm implementations disallow that by default. You need to override it with a switch.
In the final screenshot, I wonder how Sophos think that the unsophisticated user is supposed to figure out which of the two scare boxes claiming to have detected malware is lying, and which is telling the truth?
Does anyone know how this malware gets past the com.apple.quarantine attribute? That is a little concerning, though in general this is just your standard trojan attack.
Are you talking about the dialog warning you about opening software from the web?

Might it be because the zip file is extracted automatically? (open safe files in safari)

Or is an installer not considered an application is apple's eyes?

Edit: well, i just checked without open safe files (I just found it today on a google image search, google plays a big part in the distribution of this). And there still is no warning when opening the zip. I assume once extracted it doesn't know it was downloaded from the web. Is it that easy to circumvent?

I believe only a recent Windows emigrant would fall for the "your computer is infected" trick.

Oh, and wow! It evolved and now installs in a part of the system that makes the malware easily detectable and removable.

I wonder what Sophos is trying to sell... Oh yes! Anti-malware for a platform that really doesn't need it nearly as badly as that other competing platform.

Flagged because it's actually an ad.

Just to be clear, the article is written by someone associated with Sophos, a commercial anti-malware firm. ClamXav for Mac OS X is free, the engine is open source, it has regular malware definition updates, and monitors any directory or directories the user specifies. Well written, powerful, open source, free software. www.clamxav.com
Interesting that the author of the fake in-browser Finder apparently uses Dropbox.
Without wanting to sound condescending, I'm not sure that the average Mac user is sophisticated enough (in terms of technical expertise) to detect interaction that has been initiated by malware.

So many years of being told that there's no such thing as malware for OSX (and so no need for anti-malware) may have produced fertile ground for it. Of all the people with Macs I know, just one has an anti-virus installed.

Some nice sensationalism and FUD there by Sophos. Great product marketing, guys.