Ready For the Big Mac Virus? 560
An anonymous reader writes "The IT security manager of the University of Otago, New Zealand, has been educating his OS X users in security best-practices. According to Mark Borrie, many Mac users believe they were immune to security problems -- a trap many Mac fans seem to have fallen into. He said around 40 percent of the computers at the uni are Macs. "On the security side of things I reckon the Mac community has yet to wake up to security. They think they are immune and typically have this idea that they can do whatever they want on their Macintosh and run what they like," said Borrie. "If I can get our Mac users up to speed and say 'you are not immune' -- so when [the malware] hits, hopefully we will be pretty safe," he said. "We want to be ready for the first big Macintosh virus -- because it will come. Some day, somebody will say 'I am going to create a headline and write a virus for Mac'," said Borrie."
Are you ready? (Score:5, Insightful)
I'm sure the question on everyone's mind is, "Does it come with two all beef patties, special sauce, lettuce, cheese, pickles, onions, all on a sesame seed bun?" If so, BRING IT ON! I'm hungry! =)
(And in case anyone is wondering why I'm making a joke out of this, it's because it *is* a joke. While Macs can and have had security issues, the system is nowhere near as vulnerable as your average Windows box. The design of the system guarantees that most of the problems we see on Windows can't happen on a Mac. No default open ports to send overflows through, no default root access to the system, no easy way to send executable email attachments, etc., etc., etc. We'll need a completely new class of highly sophisticated attacks to make a dent in the stronghold that is OS X. Nothing like this skript-kittee crap we've seen.)
Mac OS X is more secure, period. (Score:5, Insightful)
But this doesn't mean that Mac users shouldn't have current AV/malware protection and use standard computer security best practices.
What follows below is an answer to a query raised during a Chronicle of Higher Education colloquy. Yes, I have posted this [slashdot.org] to slashdot before, but it is still very much relevant, and I believe it touches on the major issues here.
Question from Lisa L. Spangenberg, UCLA:
Given that there are no viruses or Trojan horses for the current Macintosh system, OS X 10.3, and given that it is essentially UNIX, and given that the most common applications (Microsoft Office Suite, Adobe applications) work very well on OS X, why don't more institutions adopt Macs and encourage faculty to use them?
Gregory A. Jackson:
Well, first of all, there are viruses and Trojans that afflict MacOS, witness Apple's periodic release of security fixes to counteract them.
First, that isn't true, regarding viruses. To date, there are no known viruses that specifically target Mac OS X. Last week's "trojan" was nothing more than an application with a different icon and misleading name that displayed a dialog box (which was an example posted to a USENET Mac programming group to illustrate this fact that has been known and possible on Mac OS for over twenty years; an antivirus vendor apparently thought this an appropriate time to dress it up, incorrectly, as some new, terrible exploit easily adapted for malicious means, when in reality it's nothing more than an application).
If you're referring more broadly to security issues in general, almost all of the security and security-related updates for Mac OS X to date have been updates for primarily server-type services that ship with the OS, all of which are disabled by default, and the lion's share of which are never even enabled, much less touched, on the vast majority of systems. I'm not saying that they should be ignored, but Apple's comprehensive and swift response to the most minor security issues does not rise to the level of the staggeringly numerous, sometimes completely automated, remote exploits, worms, and so on for Windows. It is no longer possible to even get through a full installation Windows XP on a machine connected to a public network without it being exploited before you even have a chance to patch it.
It's definitely possible for Mac OS X to have viruses, worms, trojans, and other malware - Mac OS X is not invulnerable, and no sensible person would claim it to be. But the underlying philosophical design principles are fundamentally more secure than Windows, period. Since the major ingredient for the success of a worm or virus is some ability to spread, witness the fact that there is no way with anything built into Mac OS X to perform automated propagation of a virus, and no current known ways to exploit a machine remotely, not to mention that potentially exploitable network services are disabled to begin with anyway (and remain that way unless explicitly enabled), a stark contrast to Windows. Any hope for automatic propagation would require a comparatively high level of sophistication, and perhaps even its own mail server - not to mention some intrinsic vulnerability to exploit. On the other hand, there are still, to this moment [at the time of this writing], unfixed vulnerabilities in certain versions of Outlook that will spread certain virus variants simply by previewing a message, and nothing more. There is simply no equivalent to this on any other platform. Microsoft's track record and attitude
In the meantime... (Score:1, Insightful)
Bring It On (Score:5, Insightful)
> and write a virus for Mac'," said Borrie."
I've been hearing this for years. I'm still waiting.
Re:Where's that power button again? (Score:5, Insightful)
Have you gone into a CompUSA and seen the populace that buys those computers? I'm not going to say *all* of them are novices...
If Apple has a reputation for making a computer that's easier to use than a PC, more power to them. I use my PowerBook constantly at home, and find that for ease-of-use and productivity it compares favorably to every other computer I've ever used.
(For the record, I'm a system adminstrator who manages Linux and Windows 2k3, and came out of a position where I did desktop support for Windows 95, 98, and XP.)
Re:Where's that power button again? (Score:4, Insightful)
A: We don't. That's why the Macintosh comes in a secure configuration. No open ports, no root access without password verification, no root password at all, no way to send executable attachments (short of putting an entire
Re:Where's that power button again? (Score:5, Insightful)
You don't need to train them, that's the point. The firewall is on and tight by default. Automatic updates are on by default. The ports that don't need to be on, are off, by default. You have to _know something_ to make the system unsafe, in sharp contrast to Windows.
I'm curious. How much do you actually know about OSX? It's interesting how often Windows people who bash Macs, don't actually have hands on experience with them, when it's almost inevitable that Mac users who badmouth windows are doing so due to years of direct experience with it.
So, did I guess right? You're making assumptions that people have to be trained to secure OSX, when in fact it's secure out of the box, so I'm guessing I'm at least somewhat right.
Part of the problem is no consequences yet (Score:5, Insightful)
Same problem with Windows. It's not like Windows admins haven't been telling users for YEARS "Don't download and install random shit off the net". However in the past, a virus scanner kept you pretty safe and viruses infecting downloads were fairly rare. Then along came malaware and a whole host of trouble. Finally people are slowly starting to learn, but only because it's caused them problems.
I imagine the Mac community will be similar. Some will listen, but the majority will continue to believe their Macs are invincible since at this point there aren't any consequeces to not listening. Only when it finally bites them in the ass will they wake up.
Re:Where's that power button again? (Score:3, Insightful)
Nature has it right. Biology is perfectly user-friendly. Built in virus protection, even. You don't need to know how your immune system works to fight off a cold. If you catch something that is too much for your immune system, you go to an expert.
Sure, you need to apply a little common sense, but why should checking e-mail require special knowledge?
Re:Question about old Mac Viruses (Score:5, Insightful)
Presumably, an old Mac virus could infect other files on a new Mac system, but they'd probably not be able to infect PowerPC code.
Re:Are you ready? (Score:2, Insightful)
They finally became a convicted monopolist, and they bought off the Bush DoJ to get a slap on the wrist.
Re:Are you ready? (Score:1, Insightful)
As it stands, you're just confusing the mods. Poor slashdot semantics. Go do your homework.
Re:Are you ready? (Score:1, Insightful)
Just because the majority of today's miscreants are attacking Windows does not mean the truly experienced weasels aren't still out there. There's thousands of Mitnicks and the people who inspired him and from which his generation learned still out there. People with a true aptitude for finding minor overlooked weaknesses which will in concert open a system wide. Sooner or later, between them and the present day Linux kiddies looking to prove their 37337 status, someone will take a serious look at the Mach/BSD ancestry and the current OSX code and look hard to find something that Apple overlooked.
As the subject of the article said, it will happen and in the end in retrospect it will seem in its own way as easy as the Windows crackers' work.
Re:Are you ready? (Score:5, Insightful)
Re:Question about old Mac Viruses (Score:3, Insightful)
Re:Where's that power button again? (Score:3, Insightful)
Why should they learn computer security?
Shouldn't that be handled by professionals? Shouldn't their ISP be employing security, scanning their mails for viruses, blocking spyware hosts?
Do you know everything about all your appliances? Are you an expert in camcorder repair? Can you rewire your bathroom to code?
Why precisely should anyone using a computer be forced to learn about firewalls, security levels or any of that? Because you claim to know about it?
A computer is a tool. The sooner it is like a refrigerator the better.
Re:Are you ready? (Score:2, Insightful)
The reason windows is the dominant OS is because they had 100x the marketing. Once they got windows installed on most x86 PC's around the world, complete with their office apps and such, it was easy to remain dominant. Companies would rather patch crappy windows installs than completely overhaul to a knew system like linux or OSX.
Re:Bring It On (Score:3, Insightful)
Re:Are you ready? (Score:5, Insightful)
This POV is betrayed by the fact that parent doesn't know what the hell he's talking about.
You've posited a great deal of hyperbole, but you haven't actually backed up any of it. Yes, viruses were a problem on early networked Unix machines. Then again, network security (and security in general) was not taken as seriously back then. Since the early days of the Morris Worm, there have been very few viruses and worms directed at Unix systems. The majority has actually targetted Linux, a heritage that OS X does not share.
Yet even the oldest Linux box could be made secure if you turned off every network service on the machine. How can you remotely attack a machine that has no ports open? Answer: You can't. You have to find another vector.
Which means that you need to use social engineering to trick the user. On a wide scale that has meant email attachments and browser flaws. Email attachments simply can't cause the problems on Macs that they do on Windows. The Mac interface *will not* execute even files that are marked as executable! It will only execute
So that leaves the web browser. Putting aside the difficulty of convincing tons of people to visit your site that will hack their computer, yes this is a problem even on Macs. However, any sort of damage is mitigated by the fact that root access cannot be obtained without a password. Which means that access and/or damage would be limited at best. More likely you'd just crash the browser in your attempts due to the more complicated Macintosh memory model.
The end result is that Macs simply aren't vulnerable in the same ways that Windows machines are. They aren't even as vulnerable are other Unix machines! And spouting tons of hyperbole isn't going to change that fact.
Re:Are you ready? (Score:0, Insightful)
Lies, damn lies and statistics.
30% growth means absolutely nothing when it is 30% of basically nothing.
Whoever cited Mac market share at 16% is a fucking liar.
4'th largest?
When you only have 4 major players, suddenly coming in 4'th doesn't sound so great.
Re:Question about old Mac Viruses (Score:1, Insightful)
For the most part, they went extinct. The System 7 update killed a number of viruses that depended on some of the features of System 6 and earlier. The ones that weren't killed were eventually killed by Mac OS X, since the viruses can't spread outside of the Classic environment.
No. Systems 7 through 9 had passive 68k emulation so that they could run older software that wasn't rebuilt for the PowerPC. That was removed from Mac OS X, although the Classic environment can still run some 68k software, because the environment actually "boots" OS 9 into a virtual machine.
Unless the Classic environment is running, nothing.
bull. (Score:5, Insightful)
In order to work, someone must either run the Opener script with Administrator privileges, or the attacker must have physical access to the machine to use an alternate boot device and select "ignore permissions" on the internal drive. Sure, it will do bad things to a Mac. I'm unaware of any system in common use on which running untrusted programs with administrator privileges is a Bad Idea.
One version of the Opener script can be found here [staticusers.net].
Comment removed (Score:5, Insightful)
A refinement on Mac browser security (Score:5, Insightful)
So what does the browser do to help prevent attacks? Currently it automatically issues a warning when any downloaded file contains an executable (or things lim img files which mount like discs). Also note that WebKit, the underlying Safari engine, is actually open source and thus gains the same kinds of "many eyes" security benefits that something like FireFox does (to perhaps a lesser degree since fewer people are looking at it).
As a last line of defense, OS X comes set to automatically check for updates once a week. As these are generally very unobtrusive people do not generally turn off this updating mechanism. Thus if an exploit is discovered that starts delivering malware to OS X users it only has about a week to try and draw people in before Apple can issue a fix that will protect 95%+ of the userbase.
Between the combination of no services to attack by default, and constant security updates that actually get applied to most people, you have a very small window to attack. I personally think that's why we have yet to see any real OS X malware attack as there are enough Macs around to make it worthwhile.
Re:Are you ready? (Score:4, Insightful)
Re:Not BSE at McD's (Score:5, Insightful)
The article also tries to rank order the "security awareness" of various Operating Systems: Unix > Windows > MacOS. But MacOS is Unix...
I rate the article as Marketing Materials.
Re:Are you ready? (Score:3, Insightful)
See Raskin's works for more on this.
Re:Bring It On (Score:3, Insightful)
And before you say: GLORY - ask yourself: How much glory one would have if one would finally write the first virus for Mac OS X?
Conspiracy theory: MS is stopping all Mac viruses so people will think it has a low market-share.
Re:Where's that power button again? (Score:5, Insightful)
You are criticizing Apple for marketing its computers as "easy to use"? Is "easy to use" bad? Don't numerous Microsoft cheerleaders on Slashdot drone on and on about how superior Windows is to Linux because it is easier to use? Don't they say Linux won't make it on the desktop until Grandma can install an application? Let me tell you something. Grandma can't install applications with Windows now. People like me do it for her. Also, doesn't Microsoft take the same "easy to use" marketing approach as Apple, although Windows is not nearly as easy to use as OS X?
You are criticizing Apple users as being novices? The vast majority of Windows users are completely incompetent. Many IT professionals supporting Windows are not much better. Why am I reinstalling Windows systems for two friends who contracted viruses recently? How difficult is it to pop in a CD and install Windows. (The answer is, "More difficult than many Linux distros I have used." Windows drivers/hardware support has been giving me fits on one of these systems.) Why am I doing the most fundamental Windows system configuration for another friend (a dentist, not a dumb guy)? I thought Windows was supposed to be easy. Regardless, Windows has been getting eaten alive by security problems in contrast to the "easy" OS (OS X) and the "hard" OS (Linux).
In the article, some clown made the statement that Linux has been secure by accident instead of design, as if it was one or the other. The "more popular target" argument is only part of the equation. Linux and Mac benefit from better designs. That does not make them invulnerable, but it makes them less vulnerable. Think Pinto (Microsoft) versus Volvo (Linux & OS X).
Microsoft once made the choice to auto-execute or allow the execution of email attachments. By default, Linux and included email apps did not set the execute bit for attachments. Those are design choices affecting a system's vulnerability to attacks. Linux and OS X have benefitted from their Unix-like heritage. Microsoft did their own, ill informed thing. Linux and OS X are not perfect, but they are better secured and more securable. Windows-heads like to believe their system is most attacked purely based upon its market share, attempting to shirk all responsibility for inherent design flaws and user incompetence. Until they stop deluding themselves, they will continue to have problems.
Re:Are you ready? (Score:3, Insightful)
The crucial hard part is getting the receiver to extract & install your code. Automation isn't possible, only social engineering will work.
Institutional security practices (Score:3, Insightful)
It's interesting that, because of the equal application of rules like this, and the media's insistence that things like Renepo pose a security risk, when in fact it doesn't, people think there are real threats to security on a Mac when there isn't. I have had many calls where a user thinks there is a virus on their Mac when it is really just a basic troubleshooting issue or user error. What I am saying is that I have observed the opposite to what the author says. It amounts to a false sense of insecurity.
In other words, security really could be improved if we moved more users to Macintosh but the prevailing opinion is that, once you do that, Macs will be just as vulnerable as Windows. It isn't true for two reasons. First, Mac OS does have features and development practices which make it inherently more secure than Windows. Second, the point is not to move 100% of users to Macintosh. The point is to move the industry to where there is some healthy competition between OS developers and where there is no longer a monoculture of computers which all have the same vulnerabilities.
Re:Are you ready? (Score:5, Insightful)
We're still waiting for the first Mac OSX virus. This silly malware mentioned in article is shell script only a moron would run with elevated privileges.
Re:Are you ready? (Score:3, Insightful)
Wrong. You could still exploit security problems in the TCP/IP implementation, for example - assuming that there are any, of course (but if you assume that there are none, then you also wouldn't need to disable unused services).
The only way to completely secure a machine against remote attacks is to remove it from any and all networks it is on.
Re:Are you ready? (Score:4, Insightful)
I think that OSX will be more of a threat to Linux in a few years then Linux a threat to OSX. OSX has a muscular open-source bottom with a shapely Apple designed top. Linux on the other hand kicks ass only on the bottom. Its great for servers, but I doubt it will compete on the desktop.
Re:The notorious Frankie X Virus (Score:1, Insightful)
Shame, that.
You would have been better off with this: All that matters is user-level stuff anyway.
I don't care if you mess up Safari or other programs... they can be reinstalled. What I care about is my data... and that's vulnerable no matter what. Any program I run has full access to all of my important data... encryption doesn't help, since encrypted data can still be deleted by a malicious program.
But even if you do sneak the few lines of code I provided above into a program, the only way I can be impacted is by running that program. There's no way that I will become 'infected' by browing to some website or by connecting my system to a network. Those are the situations that truly matter.
I have a slightly different take on that (Score:2, Insightful)
Now, Judge Bork backed Netscape. I think Microsoft intruded on the free market and at the very least acted unethically. But many conservatives, as well as the public at large, don't read slashdot and don't get this story.
Microsoft also didn't give political donations, which got them in trouble. You see, campaign contributions aren't bribes. Best case, they give you access. Worst case, they are extortion payments.
Also, some donations are to people who already agree with you. So if the Sierra Club giving money to Robert Kennedy Jr., if he decides to run for some office, is no big deal.
Re:OS switch because of viruses???!!! (Score:3, Insightful)
There are zero viruses for OS X. People are switching to OS X because they are tired of the crap with windows. Viruses are part of the crap but not all of the crap. Windows itself is crap.
Having to run a virus scanner, adware scanner, etc. is just more of the crap you have to put up with on a windows machine. I switched my household over to OS X years ago because I was tired of ALL of the crap windows expects you to put up with. Net result? More work done, less maintenance and I don't need to worry about ad junk, viruses or any of the other windows crap.
One of my current contracts forces me to use a windows machine for some development work. 3+ ghz machine with all of the niceties. But with all of the scanners and other corporate protection crap on it, it runs slower than my 2 year old powerbook. The vulnerabilties in windows not only require you to do more maintenace but they mean you have to run with 3x the hardware just to get half of the performance.
Re:Not BSE at McD's (Score:3, Insightful)
But requiring a user with admin privileges to actively run a program is *not* a virus. A virus is an executable that propagates (i.e., copies) itself and executes itself *without* user knowledge or explicit user permission.
What you are talking about is a trojan horse program and there is really no way to prevent the user from shooting himself in the foot if he actively chooses to run some random executable with admin privileges. At least Mac OS X throws up an alert notifying the user when opening a document will cause an executable to run for the first time.
Re:Only thing is Apple isnt Microsoft. (Score:3, Insightful)
I don't know if I agree so much with the clue'd in part as much as I would say the reason for greater patch diligence by Mac users is that the Apple software update works so much better than Windows Update (not just from an interface point of view, but also from a regular patching point of view.)
Re:But are users sufficiently secure? (Score:4, Insightful)
OK, when you start out with your initial 1 infected machine, you have a malicious app in total control of the computer. That is a given. OK, it emails a copy of itself to another user. OK, that's also a given.
Now what?
If it goes to a mac user, it sits in the user's in-box, then the user previews or reads it, it does nothing besides sit there, and maybe try to social engineer the user into saving to desktop and double clicking it. Assuming the user is stupid enough to fall for it and runs it, it can't do jack squat to the system because the OS will require the user to type their password to do anything major like modify system files, which is what all virii and trojans do. Again if the user is profoundly stupid they may actually do this, but look, this has required three steps for the user to take to spread one iteration. There are no known network exploits for OS X that allow a remote connection, drop of code, and forced execute, so mail is probably the only way to get your code into a macintosh.
Now if this were a windows PC, as soon as the email arrived, or as soon as the user previewed it, BAM! it exploits one of dozens of back doors to cause the program to execute, usually in the background, completely without the user's permission. Due to windows' total lack of internal security, the malware runs at root privledges immediately. System files are modified, the malware hides itself deep in the system where you will be extremely lucky to ever get rid of it. Now the mailer goes to work, scanning the entire HD for email addresses (ENTIRE hard drive, it can easily scan into other users' accounts and private files, unlike in OS X) and mailing out more copies of itself. Now note, this is the mail vector, one of many. Some are direct attacks that simply hack into a hole in the windows network, drop off their payload, and tell windows to run it. The horror of this is, windows actually runs it when its told to. This means we get an iteration of the spread with ZERO user interaction, and it may happen at a rate of several iterations per second. It took Code Red what, 8 minutes to infect 75% of the vulnerable machines in the WORLD.
Comparing dangers of a (theoretical) mac virus to a (commonplace) pc virus is like comparing a rubber band gun to an atomic bomb.
Re:Are you ready? (Score:1, Insightful)
Crack open the case on an Apple computer, and you'll find the same video cards, harddrives, memory, optical drives, etc. that you can buy on Newegg for your generic PC. I don't understand how they magically become more reliable when they are in an Apple branded box.
And don't forget all the problems that plague the iBook line and the cheap ass hinges on the Powerbooks either.
Re:Are you ready? (Score:3, Insightful)
Re:Trojan executables on OS X (Score:3, Insightful)
Even that's too much trouble. Just create a old-style Carbon binary (CFM?), set the file type to APPL, and the file extention will be ignored. (MacOS didn't have the concept of extentions until OS X) Give it the stock JPEG icon and your application will be virtually indistigishable from a regular JPEG.