Symantec: Mac OS X Becoming a Malware Target
tb3 writes "According to ZDNet 'Security vendor Symantec is warning that Apple's OS X operating system is increasingly becoming a target for hackers and malware authors.' They go on to warn that the only thing that's protected Apple users from exploits so far has been the small number of Macs on the net. Now that people are buying Apple products for 'style over function,' according to one analyst, Apple computer has become a target for new attacks. More coverage on Australian IT and Silicon.com. I guess sales of Norton Anti-Virus for Mac needed a boost." Symantec may well be right about this, but note that they also have the world's biggest vested interest in making Mac owners nervous enough to buy their anti-virus products.
Call me anal.. (Score:3, Informative)
And no, I use McAfee. And it's not too bad, but then again I am biased as we bundle McAfee with systems.
long time listener... first time caller (Score:4, Informative)
Just like Linux? (Score:2, Informative)
Vested Interest up the Wazoo (Score:3, Informative)
Maybe Symantec is trying to draw attention to generate more business for themselves because there certainly haven't been any viruses released yet on OS X that Symantec provides any real protection for - so I wonder, what information could they be basing their statement on? Secret contacts with the hacker community? Certainly nothing public...
The protection will come from such sexily named files as Security Update 2005-002 and Security Update 2005-003 distributed courtesy of Apple Inc.
Re:As an IT person who is deploying OS X (Score:5, Informative)
Re:As an IT person who is deploying OS X (Score:5, Informative)
As for patching, I patch manually, because of quirks in all the audio software we run, but OS X will patch automatically if you set it up to. You will be manually installing patches for any apps not distributed by Apple, but all of Apple's stuff will update automatically.
Norton AV is worse than malware (Score:2, Informative)
Re:Safari runs like crap (Score:1, Informative)
Also, check dns for whatever that konfabulator widget is accessing... if your server is slow, add it to hosts... if it's just the target that is slow.. try changing targets... just a guess...
FUD. (Score:5, Informative)
At the current time, there are NO known exploits for MacOS X. NONE.
What a crock of Shit! (Score:5, Informative)
This is NOT A TROLL.
I have seen (and experienced myself) Symantec products CAUSE more problems than they fix (if they are even successful at fixing any) on the Mac platform.
I pity the poor soul who has no experience with Symantec on the Mac and falls for this pathetic ad piece.
Re:Safari runs like crap (Score:4, Informative)
First off, check and make sure popup blocking is enabled. I only see MAYBE one popunder a week, if that (and add the offending site to my mental blacklist, never to be visited again.) Go to the Safari menu and make sure there's a check next to the "Block Pop-Up Windows" item.
Secondly, yes, Konfabulator can really bog down a system if you have too many widgets running. They eat up memory and CPU power, even sitting idle. I have seven I keep open with little performance impact, but that's on a Dual 2GHz G5. If you haven't discovered it yet, Activity Monitor (in Applications/Utilities/) can be very useful in tracking down where your CPU cycles and memory are going. It even lists all the Konfab widgets separately, though it doesn't tell you which one is which. So if there's a widget that's being a hog, it'll let you know!
I'd bet that it's a low memory issue; Apple has a tendency to shortchange the memory in their systems, especially consumer level stuff like the iBook & iMac. Running OS X on less than 512MB will bring things to a snail's pace frequently, so a simple memory upgrade might help greatly.
Re:As an IT person who is deploying OS X (Score:2, Informative)
The only virus definitions I have ever seen in Symantec products for Mac OS X are Word macro viruses and the like. That would suggest that there are no viruses in the wild that can cause any damage that Symantec will protect you against. There have been a few proof of concept stories going around which are usually fixed by Apple at the next security update. Sometimes they relate to open source software (I think Apache had one a while ago) and some relate to Apple software. As far as I know they have all been patched. And, as I said, I'm still not infected.
Re:Just like Linux? (Score:2, Informative)
For example, up until at least 10.2, the admin user could write files to
I always recommend that people set up a non-admin user as their normal account. But of course, few people are going to go to the trouble of going beyond the default settings.
That said, even if security on that front were perfect, all it would do is keep malware from gaining root access. For the average user, malware that only has write access to their own files is going to be just as catastrophic.
The system does now warn you if this is the first time you've run an app.
Jerry
Re:As an IT person who is deploying OS X (Score:5, Informative)
Update regularly/automatically, and keep an eye on an OS X site or two to stay abreast of things, and you'll be fine.
The real statistics for Symantec (Score:5, Informative)
I do install one copy every few years to verify this personal protest against virus company scare tactics
Re:Style over function? (Score:5, Informative)
Macs are secure but not invulnerable (Score:5, Informative)
If someone can get root on a Mac you can install a root kit. But you have to get root first. It's not good enough just to get user level or even admin user level. You have to get the admin user to enter their password to elevate to root.
The PPC played a role too, as I have read that until last year there was no widely known compact way to exploit a buffer overflow to execute arbitrary code. I believe that is now solved and published so one might see these cropping up. :-(
Since the security model is better you don't have problems like ActiveX waiting to ruin your day, or auto execute on mouse-over e-mail subject lines, or registry changes needed to install applications. Or other bonkers stuff.
But despite all the default security, nothing will stop a determined user from trojaning themselves good and hard. And if they are admin and enter their password you're rooted. Nothing will withstand unrestricted physical access either. You can at least ward off limited physical access by using the firmware password but this can be overridden by a determined user.
And of course there have been security holes and always will be. SSH, QuickTime, and even Java have had security holes. Fortunately no one has managed to exploit these before Apple fixed them, and given Apple's default services-off settings and lack of root access, it's going to be harder for these things to spread like wildfire.
On the other hand Macs are very homogeneous, so once a virus does finally break loose, if it can get in without requiring any services it's going to spread quickly.
Re:Security through obscurity? (Score:2, Informative)
No, it isn't true.
It may be true that obscurity helps, but (for instance) you can't infect a Macintosh by sending the right kind of packet to it, surfing the wrong web site, opening the wrong email, or clicking Yes at the wrong moment to some confusingly worried alert.
The blame for earlier versions of Windows being completely insecure lies firmly on Microsoft, just as the blame for System 6.0.5 being easily infected fell on Apple.
Decent security is neither hard nor complicated, it's just fusswork. But you need to plan for it right from the start.
use ClamXav (free virii scanner for OSX) (Score:3, Informative)
http://mac.softpedia.com/get/Antivirus/ClamXav.shtml [softpedia.com]
bo
it's not market share! (Score:3, Informative)
How can you say 10 million is too small? The population of Canada (where I live) is about 33 million. The installed OS X base is then (about) 1/3 the population of Canada. That's not far from the population of New York City (~15M).
If a worm [caida.org] can hit only 12,000 hosts like Witty did and be called "successful" (it was basically a 100% infection rate), then surely the OS X population is vulnerable.
John Gruber has some [daringfireball.net] articles [daringfireball.net] on this.
Re:As an IT person ... www.ARMY.mil uses mac (Score:1, Informative)
The reason? The US Army was embarrassed by being routinely defaced using Unix and Windows NT.
http://uptime.netcraft.com/up/graph?site=www.army.mil
Why is Mac OS9 hack proof?
Why is is hack proof? These reasons
1> No command shell. No shell means no way to hook or intercept the flow of control with many various shell oriented tricks found in Unix or NT. Apple uses an object model for process to process communication that is heavily typed and "pipe-less".
2> No Root user. All Mac developers know their code is always running at root. Nothing is higher (except undocumented microkernel stuff where you pass Gary Davidian's birthday into certain registers and make a special call). By always being root there is no false sense of security, and programming is done carefully.
3> Pascal strings. ANSI C strings are the number one way people exploit Linux and Wintel boxes. The Mac avoids C strings historically in most of all of its OS. In fact even its ROMs originally used Pascal strings. As you know Pascal strings are faster than C (because they have the length delimiter in the front and do not have to endlessly hunt for NULL), but the side effect is less buffer exploits. Individual 3rd party products may use C strings and bind to ANSI libraries, but many do not. In case you are not aware of what a "Pascal string" is, it usually has no null byte terminator.
4> Macs running WebStar have the ability to only run CGI placed in the correct directory location and correctly file "typed" (not mere file name extension). File types on Macs are not easily settable by users, especially remotely. Apache as you know has had many problems in earlier years preventing wayward execution.
5> Macs never run code ever merely based on how a file is named. ".exe" suffixes mean nothing! For example the file type is 4 characters of user-invisible attributes, along with many other invisible attributes, but these 4 bytes cannot be set by most tool oriented utilities that work with data files. For example file copy utilities preserve launchable file-types, but JPEG MPEG HTML TXT etc oriented tools are physically incapable by design of creating an executable file. The file type is not set to executable for the hacker's needs. In fact it's even more secure than that. A Mac cannot run a program unless it has TWO files. The second file is an invisible file associated with the data fork file and is called a resource fork. EVERY Mac program has a resource fork file containing launch information. It needs to be present. Typically JPEG, HTML, MPEG, TXT, ZIP, C, etc are merely data files and lack resource fork files, and even if they had them they would lack launch information. But the best part is that Mac web programs and server tools do not create files with resource forks usually. TOTAL security.
4> Stack return address positioned in a safer location than some Intel OSes. Buffer exploits take advantage of loser programmers' lack of string length checking and clobber the return address to run their exploit code instead. The Mac compilers usually place the return address in front or out of context of where the buffer would overrun. Much safer.
7> There are less Macs, though there are huge cash prizes for cracking into a MacOS based WebStar server (typically over $10,000 US). Less Macs means less hacker interest, but there are MILLIONS of Macs sold, and some of the most skilled programmers are well versed in systems level Mac engineering and know of the cash prizes, so it's a moot point, but perhaps Macs are never kracked because there appear to be less of them. (Many Macs pretend they are Unix and give false headers to requests to keep up the illusion, ftp, http, finger, etc.) But some huge high performance sites use load-balancing WebStar. Regardless, no mac
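To make the Pascal-string point in item 3 concrete, here is an added C example (not from the post, and not Apple's toolbox code): a copy routine for a length-prefixed Str255-style string, where the bound check happens before any text byte is read, beside a C-string copy that must first hunt for the NUL. The buffer layout and function names are assumed for illustration; the length byte only helps when the callee still compares it against the destination capacity.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed Str255-style layout: byte 0 holds the length, bytes 1..255
 * the text, no NUL terminator. */
typedef unsigned char Str255[256];

/* Copy a Pascal string into a fixed-capacity Pascal buffer.
 * The source length is the first byte, so the bound check runs before a
 * single text byte is touched; an oversize source is truncated, never
 * written past dst. Returns true if the copy was complete. */
bool pstr_copy(unsigned char *dst, size_t dst_cap, const unsigned char *src) {
    size_t n = src[0];                  /* length known up front, no scanning */
    bool complete = true;
    if (dst_cap == 0) return false;
    if (n > dst_cap - 1) {              /* dst_cap includes the length byte */
        n = dst_cap - 1;
        complete = false;
    }
    memcpy(dst + 1, src + 1, n);
    dst[0] = (unsigned char)n;
    return complete;
}

/* Build a Pascal string from a C literal (test helper, clamps at 255). */
void pstr_from_cstr(unsigned char *dst, const char *s) {
    size_t n = strlen(s);
    if (n > 255) n = 255;
    dst[0] = (unsigned char)n;
    memcpy(dst + 1, s, n);
}

/* Length byte of a Pascal string (test helper). */
size_t pstr_len(const unsigned char *p) { return p[0]; }

/* The C-string equivalent has to find the NUL to learn the length; an
 * unterminated buffer or an unchecked strcpy() is exactly the overflow
 * the post refers to. This bounded version never reads past src_cap,
 * refuses unterminated input, and truncates to fit dst.
 * Returns true if the copy was complete. */
bool cstr_copy_bounded(char *dst, size_t dst_cap, const char *src, size_t src_cap) {
    const char *nul = memchr(src, '\0', src_cap);   /* bounded, unlike strlen() */
    bool complete = true;
    size_t n;
    if (dst_cap == 0) return false;
    if (nul == NULL) {                  /* no terminator within src_cap: refuse */
        dst[0] = '\0';
        return false;
    }
    n = (size_t)(nul - src);
    if (n > dst_cap - 1) {
        n = dst_cap - 1;
        complete = false;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return complete;
}
```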
Re:What a crock of Shit! (Score:2, Informative)
I used to use Norton products before I knew better. Now, I have to talk people out of installing anti-virus, FileSaver and all that other crud. I have spent a lot of time on problems caused by these programs, but no time on viruses.
I say run a hardware firewall if you can, software firewall if you can't, choose a good password, don't turn shit on for no reason, apply Apple and 3rd party security updates, and read the Mac news regularly for anything that comes up like the Quicktime Autoplay vulnerability.
I have had zero problems with viruses and the like on the Mac, but I feel like I need a shower after surfing the Net on Windows.
Re:Style over function? (Score:5, Informative)
Re:As an IT person who is deploying OS X (Score:3, Informative)
Re:Macs are secure but not invulnerable (Score:5, Informative)
Not true. In the olden days, there were a handful of Mac (Classic Mac OS) viruses. Some of them were even malicious, though those were extremely rare. The only ones I ever personally saw were benign, and easily eradicated by simply rebuilding the desktop file on the infected floppy.
From 1989 and well into the 90s (possibly even until 1998 when it was discontinued), the most popular Mac antivirus software was Disinfectant, [icsalabs.com] a free utility written and maintained by one guy-- so that should tell you the non-severity of the Mac virus problem even then. The developer threw in the towel when cross-platform Word macro viruses hit the scene and quickly became too numerous to keep up with.
Since the time of Mac OS 8 or 9 until the present, however, I would agree with your sentiment that the only reason to use Mac antivirus software is as a courtesy to Windows users with whom you exchange files.
~Philly
Re:What a crock of Shit! (Score:3, Informative)
As for viruses, I got by using the freeware software "Disinfectant" ever since system 7... arguably one of the best virus blocking/removal solutions ever made.
Re:Style over function? (Score:5, Informative)
Neither [techweb.com] (except if you're dumb enough to not have installed Windows XP SP2)
My point is that Windows needs special steps to be _protected_;
Actually, in SP2 it doesn't. The XP firewall is turned on by default in SP2. In SP1, all you needed to do was turn on the firewall for a connection in the Network Connections control panel.
Now as far as local security goes, I agree with you; there are some nasty local security exploits. Microsoft is to blame for much of the security issues, but also a major part of the problem is third-party developers! It would help if application developers would realize that Windows is a multi-user system and actually follow Microsoft's reference guides for how to program in this environment instead of forcing the user to be an Administrator to actually use their program. Windows has been multi-user for years, and application developers still haven't caught up. Why do I have to be an Administrator to run a game? Bad programming, that's why! Not even Norton AV gets this right (scheduled scans do not run for non-administrators, and non-administrators are told that Live Update is off even if it is actually turned on). The only program that I've seen actually try to do something about this is Nero, which has a program to set up a group to enable burning by non-administrator accounts, but even this is a special download that is not part of the regular install. This needs to change; developers need to start using the Windows multi-user environment correctly.
In summary, Microsoft provided the ability to make the system more secure using non-privileged accounts and groups like every other major OS, but application developers are not taking advantage of it. I always run as a non-privileged user, and I am getting sick of applications that have no reason to need administrator privileges not running correctly.
Re:uh oh (Score:2, Informative)
Well that's cool if you've installed SP2 already (Score:4, Informative)
Re:Malware Schmalware (Score:4, Informative)
Really?
I just installed XP Pro and ActiveX was off by default and the firewall was turned on by default. And it yelled at me for not having AV software installed. (F-prot all the way!)
Which virus in the last five years targets data (Score:3, Informative)
Re:Style over function? (Score:3, Informative)
Re:Style over function? (Score:2, Informative)
Nope, it comes pre-installed. Owners of older machines can get it automatically through Windows Update or download it from Windows Update.
And who wants to use Symantec anyway (Score:2, Informative)
I picked up about 12 PC viruses that I had, and could have sent to a PC user, though they don't affect me at all.
Re:As an IT person who is deploying OS X (Score:1, Informative)
Re:Malware Schmalware (Score:5, Informative)
Re:In teh case of malware? (Score:3, Informative)
I don't believe that even for one CPU cycle time. There are millions of Macs and hackers love challenges. A hacker who could penetrate a Mac would and could feel very proud, but aside from some clever social engineering, tricking the user into giving some sort of OK, it is not likely to happen. If a user downloads some file onto a Mac, and if that file is a program that has never run before on that system, a dialog comes up warning the user not to click OK unless he/she KNOWS that it is a safe program. If there is any doubt, the user is advised to click cancel.
Re:Style over function? (Score:2, Informative)
New installations have SP2 by default.
Re:Infidel! (Score:3, Informative)
Re:As an IT person who is deploying OS X (Score:3, Informative)
Re:As an IT person who is deploying OS X (Score:5, Informative)
Last I checked, out of the box machines come with SP2, which fixes most such vulnerabilities, and have a firewall enabled by default. In addition, the latest desktop and server versions of Windows come with very few services enabled by default. It's also been a LONG time since any Microsoft email program ran worms without user interaction. And finally, if you take security so seriously, why don't you filter viruses in messages on your mail server, patch your mail clients, install client-side virus scanners, or TRAIN your users?
IE sucks for security, but that doesn't seem to be part of your argument. Please play again later.
Re:Infidel! (Score:5, Informative)
Re:As an IT person ... www.ARMY.mil uses mac (Score:5, Informative)
http://books.slashdot.org/comments.pl?sid=75257&c
http://slashdot.org/comments.pl?sid=67477&cid=618
http://groups-beta.google.com/group/comp.sys.mac.
http://slashdot.org/comments.pl?sid=45793&cid=476
http://slashdot.org/comments.pl?sid=37389&cid=400
And I seem to recall seeing it floating around long before then. If anyone knows of the original, please respond. Also, if the original troll could please fix the numbering? 4 isn't supposed to repeat again after 5 and before 7, I'd greatly appreciate it.
Re:Style over function? (Score:3, Informative)
Not that complex actually. And it's been in since at least XP's release (maybe 2000, but I haven't used that much).
Ugh. I've defended Microsoft. I feel dirty now.
Re:Style over function? (Score:4, Informative)
If it's possible, then it is *very* fucking new.
It's been there since Windows NT, although the configuration was different in NT.
Re:Style over function? (Score:2, Informative)
In Windows, you have to either log in as an administrator, or use "Run as..." that 95% of the world doesn't know about but wouldn't use anyway because it's easier to just run an admin account. If already on an admin account, it just installs.
In Mac OS X, the installer simply asks you for the administrator user name and password. If on an admin account, it still asks for the password. They even ask for the password while root. If root is even enabled, which is superfluous with sudo.
Per-user preferences for all user apps
This isn't the case with Windows. Certain apps write to the global registry and save preferences in system folders. Bad coders, bad. This probably has something to do with the fact that there's no one single spot for preferences to go in Windows. It could be %HOMEPATH%\Local Settings, it could be in the app's folder, it could be %HOMEPATH%\Application Data. It could even be stored in the fucking Windows system folder. You just never know. The problem with the Windows model is that you never really know if you have to be an administrator to even run certain apps. Example: Until recently, the minimum group to run Yahoo! Messenger was Power User. Running an IM client as an administrator? Baaad. It's also just a general pain to run as a non-admin in Windows.
In OSX, it's ~/Library/Preferences.
And now a message for those of you that had the mental, ocular, and intestinal fortitude to read this entire comment, "What is wrong with you?"
Re:Style over function? (Score:3, Informative)
Actually it's not, unless you count malware as an extra "user", and neither is OSX. Unlike UNIX, they don't allow multiple concurrent users connecting via network or terminals and using the system's standard UI. As such, local file security is less important, because the machine will likely be only used by people with physical access. VMWare and other solutions that actually allow concurrent access have decent security (not sure about terminal server).
On the other hand, Win and OSX should have serious sandboxes for browsers and email to avoid becoming multi-user systems!
Re:Infidel! (Score:3, Informative)
Anti-virus software harmful to Macs (Score:3, Informative)
Re:Style over function? (Score:3, Informative)
Give me a proof of concept virus that actually spreads via email, instant messenger or something similar, and I'll start worrying.
The problem is that the email client in MacOS X isn't scriptable, and so you can't use it to read the address book and automatically send out messages.
If malware comes for the Mac, it will probably come through something like Kazaa. The simple fix, of course, is not to install whatever program introduces the spyware.
D
hogwash (Score:2, Informative)
Imagine that Windows is a house with the roof shingles installed upside down creating pockets for rain, and UN*X including OSX has a properly-installed roof. NAV is a subscription service for a new bucket of Henry's roof patch every week. (SP2 is a nice tarp in this analogy, but it's still just a mask for terrible security architecture.) On Windows, the "roof patching" quickly becomes the main activity of the system. On OSX, not so much. The threats/vulns just aren't there (yet), and the underlying architecture is basically sound. NAV-OSX just wastes cycles IMHO. Shit, a tripwire-for-dummies install would be a lot more useful.
Personal note: I'm provided a fully-Symanticised WinXP system to use for corporate email etc. And when I'm out of the office, I have to use Symantec's own amateurish VPN to connect to Notes (of all godforsaken things...). Sorry guys, four passwords to get into the main information repository of the company is four iterations of a single factor... This really shows how little Symantec collectively understands information security (as opposed to system security).
Yeah, I use a mac for personal stuff, and run my production (non-day-job) systems on Linux. Working for Symantec has taught me that the solution to endless repairs on a broken system is to get another system.
Re:In teh case of malware? (Score:2, Informative)
True. I know at least three persons that like to have smilies in their emails and just reinstall the spywares I removed about a day ago. I explain what the bad and evil spywares do, but hey, it's got smilies.
Re:Malware Schmalware (Score:3, Informative)
I just checked the box I'm on (a generic WinXP Pro install) and found that c:\windows is writable by "administrators" and "power users". The former is appropriate, the latter isn't, but the whole thing is rendered moot by the fact that the accounts are, by default, created with administrator privileges.
That's largely of necessity, I realize. On one of my home XP boxes I decided that my 2 year old daughter's account really shouldn't be privileged, so I didn't make it so. The result? Nearly all of her children's games failed to operate. When I called vendors about that, I was told that I'd just have to give the account the necessary privileges. (Can't return the software, of course, nobody allows software returns.)
So: We have a system that, if configured securely, doesn't work very well -- and if configured so it works, is so wide open that any little application error can lead to a compromised system.
It's a disaster and the only solution to it is going to be to have Microsoft turn the security way up by default so the software vendors are forced to write their code accordingly. Like, say, every other major OS out there.
The transition is going to suck, but until it's made Windows is going to remain a really easy target.
Re:Infidel! (Score:3, Informative)
It is a simple change in the NetInfo Manager to go from tcsh to bash.
Yes, and you'll have to change it yourself if you've upgraded to Panther from a previous version of OS X. (Unless you prefer tcsh, of course.)
You can also change it via the terminal, as someone else has pointed out.
"Your computer may already be infected." (Score:1, Informative)
So now they're trying to scare mac users into buying their garbage? "Is your computer running too fast? Try our new and improved NAV for the mac."
Re:Style over function? (Score:3, Informative)
Of course, forward-thinking OS developers make sure that in order to write files into a preferences location (for example) you have to call "GetPreferencesFolder" and you are discouraged from using absolute paths, assuming there is such a thing as "C:" and so forth. So when the OS gets revised you don't have to rewrite anything at all. Your code does the right thing.
This is the marvelous thing about Mac OS X and its legacy Carbon APIs. I have a fairly large shareware music program that I originally wrote for Mac OS classic, and it took me about two days to get it running on Mac OS X. And I didn't have to do anything specifically for the multi-user elements of the new OS because the system environment is so well abstracted. (And it was very helpful that Apple provided the "Carbon Dater" utility which told me all the changes I needed to make, and where.)
Of course, just getting it running wasn't enough. I felt the need to redesign the appearance and to take advantage of the modernized music and sound technologies that Mac OS X provides. Now I have a program with an entirely new codebase, but one which I can now use to build future music applications. And I wrote it entirely in C++ with strong separation between TheirAPIs and MyData so I can consider faster cross-platform migration in the future.
I think if you install the developer tools and study the Apple headers you'll be pretty impressed with their forward vision and the intelligent choices their technology developers have made. (There are also very few LONG_UNWIELDY_UPPERCASE_LABELS to deal with, so code tends to be more readable.) Who knows, you might even decide to field some Mac projects in the future...?