Ok, I wasn’t going to post on the whole virus/security thing again for a while but I just had to this morning when I saw Apple’s new adverts.
The advert is at the bottom of the post, but just read the links below before you watch it.
Case for the Prosecution, M’lud
A sample of recent incident links from the last month, not something that existed in System 7 and certainly not theoretical:
- Multiple overflow exploits in OS X, with proof of concept
- iChat worm
- Mac OS “virus” (via Slashdot)
- Local privilege escalation
The most worrying of these from my perspective is the first link, not so much for the exploit itself because I think over the course of previous threads we have agreed that they can and will happen. No, the thing that worries me is the fact that security fixes are not being disclosed by Apple in their release notes.
This issue was silently fixed by Apple in update 10.4.6.
Feel free to check the release notes for Mac OS 10.4.6 yourself, and raise your hand if it seems immediately obvious why a vendor fixing a security issue known internally in a point release without informing their users that it even exists in the previous version is a really bad idea both in the short term for users and in the long term for Apple as a company. I mean, bajesus.
Quoted from DrunkenBlog
Haven’t we learned that full disclosure regarding security is a good thing!
Case for the Defense, M’lud
(Direct link in case the embedded player messes up again)
Talk about your wrong message, man alive. Apple, pull this advert now.
Update: Updated the link for the iChat worm from the technical description to a more descriptive article.
Update 2: From ArsTechnica
The “Viruses” ad, which touts the Mac’s immunity to Windows viruses, is extremely ill-considered. The ad is technically accurate. Macs running Mac OS X can’t catch “Windows viruses,” by definition. It’s also true that there have been many harmful Windows viruses loose on the net over the past few years, but no significant Mac OS X viruses. Relief from viruses is a legitimate benefit of the Mac, but Apple shouldn’t make it an explicit selling point.
It’s like an airline advertising that it has fewer fatal crashes than its competitors. This just isn’t done—and for good reasons. Putting aside the moral and ethical aspects, which arguably don’t apply to Apple, there are important practical considerations as well. The new “Viruses” TV ad pulls back a slingshot and holds it to Apple’s face. The backlash is inevitable.
Technorati Tags: mac, os x, apple, security, virus, malicious code
Related Posts:
My Journey to Macintosh 
I read your blog and i like it alot, but sometimes, naturally, i disagree with your angle. If you look away from the part when Apple shakes its numbers in front of the virus-makers and dares them to write malicious code for Mac Os: 114 000 viruses in a year for Windows and only four hardly known incidents ever on Mac Os X are pretty selling numbers. Sure we will se viruses for Mac, but the SELLING point (as this is an advert) is that Mac is a better choice than PC, which i personally can agree on, being a PC user at home and a Mac user at work. Apple directs this at home users who will not argue that there ARE exploits for Mac and only see the huge benefit of a virus free computer, while the more technological crowd will of course react like us, pointing out the exceptions to the claim, small as they may be at the time.
You are right in that Apple should be more open about its bug fixes though, i definitely agree on that.
“Last year there were 114,000 known viruses for PCs…
“PCs…not Macs….”
I fail to see the problem. Apple arent saying there isnt any viruses, or there wont be. Just that the problem is miniscule compared to the situation on Windows, and I for one believe it is a gamble worth paying considering…
There have been a few updates recently where it’s unclear what they are fixing. I agree that’s, overall, a bad thing, but it’s definitely the lesser of two goods (fix with disclosure vs fix without disclosure).
The Defense notes that all of these exploits require local access to the machine and the user must run them. They are essentially trojans, requiring some level of social engineering (tricking the user into running them).
The Defense maintains that OS X is still at DEFCON 5. Windows is perpetually at DEFCON 2, with periodic episodes of DEFCON 1. If the Prosecution wishes to educate users about DEFCONs 5-1, the Defense has no objection. But if the Prosecution wishes to force Mac users into any DEFCON higher than 4, the Defense objects emphatically. The Defense maintains that the Prosecution has been inured to the highly elevated DEFCON states having using Windows for so long, and is having trouble acclimating to the lower DEFCON levels in the Prosecution’s new OS.
The Defense ends by pointing out that there are *many more* worms, viruses and rootkits which affect Linux, but Linux users rarely run antivirus, antispyware, or other similar applications, and like their Mac counterparts, haven’t really found this to be a problem.
In your opinion, macnewbie, which DEFCON levels would you put OS X and Windows at respectively?
@iLEZ
“four hardly known incidents ever on Mac Os X”
Thats not ever, thats this month… last 30 days… and thats only from my newbie research (I admit I am not familiar with every nook and cranny of mac security bulletins yet).
What the advert says to me is that if you are on a mac, you dont need to worry about viruses when that is simply not true. Yes if you analyse the words, they don’t actually say that the Mac has no viruses, only that the PC has more but who analyses adverts (apart fron saddo’s on the internet :)
@node3
“In your opinion, macnewbie, which DEFCON levels would you put OS X and Windows at respectively?”
This is not about Mac vs Windows. It is about Mac OS being more vulnerable than people make out, including Apple themselves. Windows out of the box is less secure than Mac, I agree but just because it is more secure does not mean it is not vulnerable.
I dont know how many times i need to make that point before it sinks in.
@macnewbie
Yes, I know it’s not about saying Macs are better than Windows, but what I’m trying to point out is that you are trying to treat security on the Mac the same as you do on Windows.
If you want to advocate Mac users act like Windows users, then you must think the threat level is similar. If it’s *not* similar, then why tell Mac users to act in a way that the threat level does not suggest?
*That’s* the reason I asked that question.
@macnewbie
“Windows out of the box is less secure than Mac, I agree but just because it is more secure does not mean it is not vulnerable.”
This is the essence of the whole discussion, and i agree. But my point is: Who can blame Apple for plugging such an obvious advantage in an ad-campaign? Marketing is separate from the technological world in many areas and the results are not always pleasing for us tech-heads.
Guilty as charged.
OS X’s comparatively better security above Windows’ is technical, not human. Proper management and maintenance of that is most certainly human: Apple needs to stay on the ball if they don’t want to turn into the next Microsoft.
At least MS is being fairly proactive about security, even if it takes them just as long to release patches as it does Apple, and they’ve got a horrible insecure mess of legacy applications as a starting point.
Non-disclosure is BAD. There’s no legitimate counter-argument, especially after the event. I’ve not looked at the report, but does the silently-fixed issue affect Panther users? If so, where’s their fix? (There are an awful lot of them out there, after all). If not, there really isn’t a reason not to disclose it.
In the security team versus marketing, when it comes to accounts of events (and vulnerabilities), the security team should always win, even if it’s quietly in the background. Apple’s claims about there being truckloads of viruses for Windows is still perfectly true, even if the security team were to talk openly (as Microsoft’s does now) about issues, so it’s not like they’d be lying in their shiny new campaigns (though admittedly it’d dilute the message, but the only way to fix that is to fix the problems).
Thankfully, none of the vulnerabilities really compares to the likes of Sasser (remotely infected within 60 seconds of connecting to the Internet, logged in or otherwise), but if Apple’s response is as bad NOW, what will it be like if a vulnerability of that scale is discovered?
I love OS X, and I love the fact it’s got a sane security model. I really, really, hate Apple’s mis-management of security, though.
Mo: there are still thousands of gaping security holes in Windows 98 that Microsoft isn’t going to fix. There’s still more people using Win98 than there are Mac users in total.
Point being, both MS and Apple focus their efforts to the users that keep up with the OS. They know that not everyone can switch, or switch right away, so they still support legacy OS versions to an extent, but the focus will always be on the latest release.
I know that some issues that were fixed in Tiger updates simply didn’t exist in Panther, but I don’t know if that also applies to this case (or maybe there was an update for Panther to address this issue; Panther updates aren’t usually announced for being legacy).
On the discussion itself:
I agree that Apple should be more pro-active and open about security updates, but I agree with node3 in saying that it is not necessary to warn OS X users for threats in the same way you’d warn them for Windows XP. The threat level is significantly smaller, so not only is it a great selling point, it’s a very real difference. No computer will ever be 100% safe from viruses, but Mac users are ridiculously safer when browsing the web, e-mailing and more.
Telling them the threat is similarly severe as it is on Windows is just too much. The whole idea behind Macs is a worry- and stressfree digital life (and so allowing you to do incredibly cool things with minimal effort). So far, Apple have done a great job in making that come true. Yes, there are reported security issues, but they don’t quite take away from the worry- and stressfree environment that is your average Mac of today.
@Faruk:
“Telling them the threat is similarly severe as it is on Windows is just too much. The whole idea behind Macs is a worry- and stressfree digital life (and so allowing you to do incredibly cool things with minimal effort). So far, Apple have done a great job in making that come true. Yes, there are reported security issues, but they don’t quite take away from the worry- and stressfree environment that is your average Mac of today.”
Unless they click on that pretty JPG that someone just sent them on iChat.. What could possibly go wrong… Oops! you just propagated a virus and dont even know about it!
Sure, you are still stress free because you dont know about the virus but is that really a good situation?
@Mo:
Amen, Mo!!! Great comment
http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2006/05/01/BUGK7IHGOC1.DTL&type=printable
@macnewbie
What are the odds they are going to ever see that jpg to click on it?
A year ago, the odds of encountering malware on the Mac was 00.0%. Today it is *still* 00.0%. The difference is somewhere in the digits to the right.
Re: the sfgate article (OS/X? And this is coming from “experts”?). You’ve already shown there are actual exploits. But there are two important points: 1. *all* of them require the user to run them. 2. The odds of even *encountering* these exploits is exceptionally low.
And finally, *you still haven’t made any actual suggestions*. For all I know, the suggestions you have in mind are reasonable and might fully, or at least mostly, agree with them. Again, that’s why I asked the DEFCON question, so that I could compare your suggested actions with your perceived threat level. Do they match? I have no clue because you won’t commit to anything specific.
I’ll remain at DEFCON 5, and act accordingly, until conditions change and warrant an elevation in DEFCON.
@node3
“A year ago, the odds of encountering malware on the Mac was 00.0%. Today it is *still* 00.0%. The difference is somewhere in the digits to the right.”
I disagree, but I am also tired of arguing this point with you so lets agree to disagree that the level of threat is more than 0.0%
I have made suggestions but they have been spread across several posts. I am sure you will agree with some of them but the main one simply comes down to what I was saying in the first post.
Install a virus checker and turn on automatic updates at the highest frequency, this is for two reasons:
– You will then have a mechanism to protect against clicking that infected file, even if you click it by accident
– You will also have a mechanism to get new threat signatures and definitions down to your machine within hours of them being released.
Also, get a virus checker installed and configured on every other Mac you know of. If you know someone who isn’t particularly interested their machine and just uses it for checking e-mail and surfing and would see that bouncing icon purely as an annoyance then go install it on their machine first. This is actually more important than getting it installed on your own machine because it is these people (through no fault of their own) who would more likely provide the propagation without realising it
Then the stuff that I am sure you will agree with, like I would advocate switching off the safari option to execute files, any other application specific options that will make an app more secure and also that people should be doing good backups and all of the other things that are good practice in running a computer.
I am actually setting up something to be proactive about this but its not quite done yet, bear with me.
@macnewbie:
There’s two important things you’re not taking into the equation:
1) all exploits for OS X so far have been completely benign. If ever a malicious exploit surfaces, you can rest assured that it will be all over the news. Apple and OS X are all over the news with insignificant things. The first serious virus threat will be a monumental tremor across the Internet.
2) Windows makes it a lot easier for a virus to execute itself and spread itself to other computers. The nature of OS X is still solid in that, if infected, it won’t (easily) allow the virus to propagate itself to others. This is where the BSD base makes a difference.
Is the Mac impervious? Invulnerable? Hells no. The threat is above 0.0% but the threat is still too insignificant to worry about, and by the time something malicious does come by, it’s very hard to imagine that it’ll come by unnoticed. Every tech site will write about it, every community that has at least one Mac user will know of it, and even the regular news will most likely mention it. Mac users will tell each other as they’ll be shocked to find out they’ve now entered “Windows land” — which probably means both malware as well as significant market share.
vote 1 point for your post
My Signature {Blog@More}
please visit my blog http://fun-download.blogspot.com
@macnewbie
The problem with recommending installing anti-virus on the mac is that there isn’t any good anti-virus software for the mac, and such software as there is doesn’t have any mac virus signatures to look for. Norton on the mac is so infamous for causing problems that it has been withdrawn. If there is a mac virus created that actually carries a payload you will hear about it probably before your anti-virus is updated.
As others have mentioned, all the malware that has been talked about are actually trojans requiring user interaction – there are levels at which no operating system can prevent users doing silly things. If I can persuade you to rm -rf your system is that a virus? Is this: “this virus works on the honor system. Please forward this message to everyone you know, then delete all the files on your hard disk. Thank you for your cooperation?”
I do agree we should all be alert and monitor the situation, but presently anti-virus software for the mac is the disease not the cure, and truthfully I would never recommend it on the mac at this time. In the future this may change. Great blog by the way.
Nick
@macnewbie
The logic behind the “less than 0.0%” is that there are tens of millions of Macs in use today. And while I obviously don’t have the numbers, I do not believe there have been tens of thousands of OS X attacks.
“Install a virus checker”
Which virus checker did you have in mind? I’m looking for your specific suggestions, because until you make one, it’s going to be hard to evaluate.
If you want people to buy a program that, currently, does *absolutely nothing*, you’ve got a really hard sell on your hands.
John Gruber says it very nicely again, this time in his newest post, Good Journalism, wherein he completely leaves the AP story in the dust, reducing its factual value and concerns to almost absolutely nothing.
Which are three words that also accurately describe the level of the virus-threat on Macs today: almost absolutely nothing.
@macnewbie
“This is not about Mac vs Windows.”
Ah, but that is what the advertisement is about.
Yeah i disagree, i tend to take the daring fireball point of view on this. and that would be that these ads do waht they are supposed to do. be funny and give exposure. the virus part is funny and should be kept on the air.
I fail to see how the new “Viruses” commercial is any different than the message of the many AOL Broadband commercial have flooded the airwaves for the past year.
In the many versions of the AOL commercials, users are told that it’s a very dangerous world out there, with spam, spyware, viruses ready to invade your PC at every turn. In one commercial, a guy showing what a PC is like with AOL glops goo over his friend’s food tray, stating “This is your PC without AOL with Spam Blocker.”
Other commercials show large groups of users on the verge of panic about what to do with the “virus situation,” with the AOL spokesman saying something along the lines of, “Just click on AOL. That’s it. You’re protected.”
I think it’s quite clear that very few PC users are being insulted when such ads showing how dangerous and almost useless using a PC is without 3rd party security software have been all over the airwaves for more than a year. Not just AOL, but I can recall ads from Earthlink and SBC Yahoo that basically say the same thing.
The “Virus” ad may have been insulting 3 or 4 years ago, but the world’s changed a lot since then. The fact of the matter is, the vast vast majority of ordinary people are frustrated out of their minds with viruses and spyware, and the Apple ad is a simple acknowledgement of that new, harsh reality.
Seems like the scare tactic is working for AOL – why not Apple?
@Paul
Good point. This is the same message that all other PC companies are spamming users with. So, in a way, its one of the only ways that Apple can get attention.
@ Doughboy
I think you hit it on the nail. PC companies are spamming users with fear tactics because (surprise, surprise), it’s working.
And why is it working? Because the “all natural” Windows experience for the average Joe or Jane is pretty horrible. Apple is no different than AOL or Symantec by saying “it’s way better with our product.” Except that Apple has the gall to say you don’t need Windows at all, and is thus subject to the double-standard criticism.
Pingback: Anonymous