"Windows 7 is actually more secure than OS X, but the gap narrows every year. And there simply isn’t the same attack ecosystem for Macs, nor are we likely to see one develop.
So while Mac users will likely see more malware, it’s highly improbable we (or Windows 7 users) will ever experience what those who are still running Windows XP battle today.
But two other factors are changing the Mac security landscape. First, Apple products are growing rapidly in popularity. At the same time, the overall Internet security environment is more hostile than a cantina on Tatooine."
How is windows 7 more secure? I can install a malicious app if I want to on any system.
The only "problem" here is that safari automatically opens safe files. They should also get a smartscreen filter like IE9 has. Safari has something like this already (google safefilter) but it doesn't seem to be as effective.
Mac OS X as a whole has xprotect, but that is a very simplistic defense to look for some known malware signatures.
One question that is worth asking is how many of these exploits can be done remotely, and how many of these exploits require physical permission to a system?
It is worth noting that there is a difference between exploits that require physical access and those that can be conducted remotely.
Speaking just for myself, I am not certain which operating system is more or less secure, but I do not think that operating system security matters as much as user habits. I have ran Windows XP since 2001 and I have never once suffered from malware or a virus (except when I transferred a USB-stick virus onto one of my computers just to see what would happen). I know that the plural of anecdote is not data, but it is worth noting that it can and has been done.
Many of them can be done remotely, as has been done at Pwn20wn for several years on OSX.
But to actually create a weaponized attack that can get on a lot of machines requires a fair bit of work. If you're going to do that, it's probably worth going the extra mile and attacking a much larger installed user base.
But, what's even easier is just doing malware that the user installs. You can write it in a fraction of the time, and you probably get similar infection rates.
I'm no security expert, but I do try to keep up. Someone please correct me if my facts are off. Ahem:
Windows 7 does a lot more randomization of memory layout than Mac OS X does, making it more difficult to exploit executables and libraries shipped with the system. It's actually easier to exploit a Mac OS X machine than it is a Windows 7 machine -- see the results of pretty much every Pwn2Own [1] contest.
That said, the vast majority of spyware is targeted at Windows and doesn't need low-level exploits to do its job. It's the difference between safety and security; you're probably more safe on a Mac, even though they're technically less secure.
There are only two long term solutions:
- an anti-vir scanner which constantly monitors all your files, hogs resources and plays the game of cat & mouse
- Prevent users from installing software that wasn’t from the Mac App Store, just like on iOS.
The last is a nuclear option and not practicable for a professional desktop system. But I would like this as a configurable option for my parents. (Withholding the admin password from them is another possibility, but, well, see the article)
Don't the parental controls in mac os x allow this? Haven't tried, but you can limit the apps that the user can run to your own selection. Or even limit to just app store apps.
As I understand it, this relies on the admin account's ability to write to the /Applications folder without a password. So, if you just run in a non-admin account, you should be fine.
Right, but the point of this article is that it no longer needs the admin password. If you're running in a non-admin account (like I am), it'll still need the password, and thus user interaction, so it'll be trivial to stop.
True. Somewhere I thought I read that the installer ran without user interaction in this variant, but thinking about it, that doesn't make much sense.
Though, if you're concerned about having to give an admin password (as evidently some people are), running in a non-admin account would solve that. (Also, if you have write privileges to /Applications, it's possible to write a script overwriting the contents of a trusted executable with malicious code, but that isn't how this works so it's slightly irrelevant.)
In other words: it still falls into the "you have to be stupid enough to allow total strangers behind the wheel of your car" category, they just don't need you to hand over the keys anymore. Got it.
Stupidity is not a problem that can be solved through technology.
At least Apple now has a service to protect stupid people against themselves, it's called the "App Store". You know, with the kind of approval system we've all been bitching about.
As far as I'm concerned, self-inflicted malware is about as big a security issue as running with scissors. To treat it as some external force that needs to be dealt with by manufacturers, OS-makers, anti-virus producers or even legislators just perpetuates the real problem, turning it into a perpetual arms race that can not possibly be won, but at some point may cost us the freedom to install anything we want on our computers.
Exactly, Mac users have so far been very safe from actual virusses and worms, and other malicious stuff sneaking onto your computer through security holes, however, this type is something you can't do anything against. It's the user consciously downloading and running a program.
For this type of inexperienced users Symantec and McAfee make Mac products.
Just as a thought: if there was an "Only run Mac App Store-distributed applications" switch somewhere in OSX's System Preferences, off by default, I know several people for whom I (as their tech-guy-cum-sysadmin) would flip it on in a heartbeat, and then never likely hear about this particular flavor of PEBKAC again.
Stupidity is not a problem that can be solved through technology.
My reaction is: Never say Never.
However, if you are going to try and solve stupidity through technological or scientific means, beware. A half-baked understanding of science can be a dangerous thing.
Example: At Enron, the policy was to fire those who evaluated in the bottom 10% of the company. Jeffrey Skilling thought he was using the miraculous power of evolution to create a company of super-employees. What he actually did was to create a company of those skilled at gaming the system.
This was like another attempt to evolve chickens to be super egg-layers. Instead of increasing the egg-laying of the whole population, only the egg laying of the dominant females was increased and overall productivity was decreased.
It's not. For whatever reason, OS X installer pkg files are deemed 'safe files' by safari, which has an option to open such "safe" files automatically. So the thing that actually launches is a standard Installer.app from apple, but running a pkg script provided by the 'bad guys'. Fortunately Installer.app requires user interaction before it does anything, but it's still disconcerting.
I like how they make it look like a passive process, except for the fact that at every screen shot you would have to run the application or click "next". This is social engineering. You were tricked into installing it. There's not way to stop that if it's an open system.
>If I tell my machine to do something, I want it to carry my orders.
I downloaded this 'Free Screensaver Pack' and I want to run it! Who does this virus scanner think it is? Quit telling me that its a bad idea and just goddamn do what I want you to.
If bad software exists I don't want my computer to warn me that it might be a bad idea to run it, I'd rather apple just creates a walled garden so I can don't even have the option to command my computer to do something bad.
The problem is, people confuse prevention and warning. They complain about the exception, rather than the rule. Oddly, I see few complaints about browsing implementing phishing site protection and warnings about bad SSL certs, etc. After all, the browser should just take me to where I want to go and shouldn't get in the way. Right? =)
These are the same arguments Windows users used for years, and Linux and Mac users mocked them for it.
Regardless, you've presented a false dichotomy. That the only way to combat the risk is to prevent users from using their operating system as they see fit. That's not what I suggested, at all, and trying to frame an argument around it is dishonest.
Nothing will protect a computer from a determined user. The OS may even warn the user the action he is about to take can harm the computer, but the decision rests with the user.
What you can do is to keep ZFS-like file snapshots and allow the user to return to a moment in time previous to the infection.
Education is great. However, no amount of education will remove the need for real protections. This doesn't mean you disobey a you keep trying to suggest.
Look to the real world of examples. Education doesn't trump protection. Take anything you need to pass a test for or need a license for. Their are still protections put into place to prevent abuse. Hunting license, gun license, driver's license. All have protections on top of education because people make mistakes.
Finally, quit trying to suggest that protection means it prevents a user from doing what they want. Again, it's a false dichotomy and continuously trying to argue it devalues any point you are trying to make.
In the final screenshot, I wonder how Sophos think that the unsophisticated user is supposed to figure out which of the two scare boxes claiming to have detected malware is lying, and which is telling the truth?
Does anyone know how this malware gets past the com.apple.quarantine attribute? That is a little concerning, though in general this is just your standard trojan attack.
Are you talking about the dialog warning you about opening software from the web?
Might it be because the zip file is extracted automatically? (open safe files in safari)
Or is an installer not considered an application is apple's eyes?
Edit: well, i just checked without open safe files (I just found it today on a google image search, google plays a big part in the distribution of this). And there still is no warning when opening the zip. I assume once extracted it doesn't know it was downloaded from the web. Is it that easy to circumvent?
I believe only a recent Windows emigrant would fall for the "your computer is infected" trick.
Oh, and wow! It evolved and now installs in a part of the system that makes the malware easily detectable and removable.
I wonder what Sophos is trying to sell... Oh yes! Anti-malware for a platform that really doesn't need it nearly as badly as that other competing platform.
Just to be clear, the article is written by someone associated with Sophos, a commercial anti-malware firm. ClamXav for Mac OS X is free, the engine is open source, it has regular malware definition updates, and monitors any directory or directories the user specifies. Well written, powerful, open source, free software. www.clamxav.com
Without wanting to sound condescending, I'm not sure that the average Mac user is sophisticated enough (in terms of technical expertise) to detect interaction that has been initiated by malware.
So many years of being told that there's no such thing as malware for OSX (and so no need for anti-malware) may have produced fertile ground for it. Of all the people with Macs I know, just one has an anti-virus installed.
48 comments
[ 3.3 ms ] story [ 113 ms ] thread"Windows 7 is actually more secure than OS X, but the gap narrows every year. And there simply isn’t the same attack ecosystem for Macs, nor are we likely to see one develop.
So while Mac users will likely see more malware, it’s highly improbable we (or Windows 7 users) will ever experience what those who are still running Windows XP battle today.
But two other factors are changing the Mac security landscape. First, Apple products are growing rapidly in popularity. At the same time, the overall Internet security environment is more hostile than a cantina on Tatooine."
The only "problem" here is that safari automatically opens safe files. They should also get a smartscreen filter like IE9 has. Safari has something like this already (google safefilter) but it doesn't seem to be as effective.
Mac OS X as a whole has xprotect, but that is a very simplistic defense to look for some known malware signatures.
The only thing is, nobody has bothered to write that code yet.
It is worth noting that there is a difference between exploits that require physical access and those that can be conducted remotely.
Speaking just for myself, I am not certain which operating system is more or less secure, but I do not think that operating system security matters as much as user habits. I have ran Windows XP since 2001 and I have never once suffered from malware or a virus (except when I transferred a USB-stick virus onto one of my computers just to see what would happen). I know that the plural of anecdote is not data, but it is worth noting that it can and has been done.
But to actually create a weaponized attack that can get on a lot of machines requires a fair bit of work. If you're going to do that, it's probably worth going the extra mile and attacking a much larger installed user base.
But, what's even easier is just doing malware that the user installs. You can write it in a fraction of the time, and you probably get similar infection rates.
Windows 7 does a lot more randomization of memory layout than Mac OS X does, making it more difficult to exploit executables and libraries shipped with the system. It's actually easier to exploit a Mac OS X machine than it is a Windows 7 machine -- see the results of pretty much every Pwn2Own [1] contest.
That said, the vast majority of spyware is targeted at Windows and doesn't need low-level exploits to do its job. It's the difference between safety and security; you're probably more safe on a Mac, even though they're technically less secure.
[1]: http://en.wikipedia.org/wiki/Pwn2Own
http://www.appleinsider.com/articles/11/02/25/apple_exposing...
The last is a nuclear option and not practicable for a professional desktop system. But I would like this as a configurable option for my parents. (Withholding the admin password from them is another possibility, but, well, see the article)
If people are willing to click through several steps of an installer app, they'll also type in the admin password if requested.
This is only useful for other family members that you do not trust for safety reasons.
Though, if you're concerned about having to give an admin password (as evidently some people are), running in a non-admin account would solve that. (Also, if you have write privileges to /Applications, it's possible to write a script overwriting the contents of a trusted executable with malicious code, but that isn't how this works so it's slightly irrelevant.)
Stupidity is not a problem that can be solved through technology.
At least Apple now has a service to protect stupid people against themselves, it's called the "App Store". You know, with the kind of approval system we've all been bitching about.
As far as I'm concerned, self-inflicted malware is about as big a security issue as running with scissors. To treat it as some external force that needs to be dealt with by manufacturers, OS-makers, anti-virus producers or even legislators just perpetuates the real problem, turning it into a perpetual arms race that can not possibly be won, but at some point may cost us the freedom to install anything we want on our computers.
For this type of inexperienced users Symantec and McAfee make Mac products.
Deny all the rest.
Wait a couple decades. Kurzweil may be on to something ;-)
My reaction is: Never say Never.
However, if you are going to try and solve stupidity through technological or scientific means, beware. A half-baked understanding of science can be a dangerous thing.
Example: At Enron, the policy was to fire those who evaluated in the bottom 10% of the company. Jeffrey Skilling thought he was using the miraculous power of evolution to create a company of super-employees. What he actually did was to create a company of those skilled at gaming the system.
This was like another attempt to evolve chickens to be super egg-layers. Instead of increasing the egg-laying of the whole population, only the egg laying of the dominant females was increased and overall productivity was decreased.
http://lesswrong.com/lw/l8/conjuring_an_evolution_to_serve_y...
* Doesn't work if you aren't an admin.
* The OS is just installing what the user agreed to install.
Seems like Mac users are regurgitating Windows users' excuses from years ago.
It's a problem. Rather than make excuses, we should be expecting Apple and others to be actively working toward a solution.
If I tell my machine to do something, I want it to carry my orders.
I downloaded this 'Free Screensaver Pack' and I want to run it! Who does this virus scanner think it is? Quit telling me that its a bad idea and just goddamn do what I want you to.
If bad software exists I don't want my computer to warn me that it might be a bad idea to run it, I'd rather apple just creates a walled garden so I can don't even have the option to command my computer to do something bad.
Regardless, you've presented a false dichotomy. That the only way to combat the risk is to prevent users from using their operating system as they see fit. That's not what I suggested, at all, and trying to frame an argument around it is dishonest.
What you can do is to keep ZFS-like file snapshots and allow the user to return to a moment in time previous to the infection.
But their are numerous things you can do to protect a computer from your average user. Not doing these things because of exceptions is wrong.
And may render a lot of protective measures unnecessary.
It didn't sound like it.
Education is great. However, no amount of education will remove the need for real protections. This doesn't mean you disobey a you keep trying to suggest.
Look to the real world of examples. Education doesn't trump protection. Take anything you need to pass a test for or need a license for. Their are still protections put into place to prevent abuse. Hunting license, gun license, driver's license. All have protections on top of education because people make mistakes.
Finally, quit trying to suggest that protection means it prevents a user from doing what they want. Again, it's a false dichotomy and continuously trying to argue it devalues any point you are trying to make.
Have you ever seen a false positive report from an anti-malware application? I have.
Might it be because the zip file is extracted automatically? (open safe files in safari)
Or is an installer not considered an application is apple's eyes?
Edit: well, i just checked without open safe files (I just found it today on a google image search, google plays a big part in the distribution of this). And there still is no warning when opening the zip. I assume once extracted it doesn't know it was downloaded from the web. Is it that easy to circumvent?
Oh, and wow! It evolved and now installs in a part of the system that makes the malware easily detectable and removable.
I wonder what Sophos is trying to sell... Oh yes! Anti-malware for a platform that really doesn't need it nearly as badly as that other competing platform.
Flagged because it's actually an ad.
So many years of being told that there's no such thing as malware for OSX (and so no need for anti-malware) may have produced fertile ground for it. Of all the people with Macs I know, just one has an anti-virus installed.