The Mac has no Weapons of Mass Destruction but we should invade anyway!

So I was reading this post last night about switching from XP to Mac which covers this entire blog in one post! (well, kinda :)

It is a really good overview post of almost every commonly encountered piece of Mac OS X and has some nice recommendations in it but he makes a bold claim which I have heard many times both before and after switching and I have been meaning to cover on this blog.

If you never want to worry about viruses infecting your computer again to delete all your vital information, then perhaps the switch to a Mac is more worth your time than you think!

Surely it is naive of us all to simply assume that because there hasn’t been a virus that has been successfully distributed on Mac OS yet, that there never will be and it is only something that Windows users have to worry about! Ok so the competition to write a virus for the Mac was cancelled, but that doesn’t mean that there are not people actively writing malicious code for this platform.

Security updates are posted all the time for Mac OS (there have been several even in the few weeks since I have had my Mac) so it certainly isn’t that the operating system is invulnerable to exploits. More importantly, as the usage of Mac OS increases (via Intel Macs, Boot Camp, etc) so the surface area of the platform also increases as does the number of people working on developing successful malicious code. It is a ticking bomb.

I know there are virus checkers available (ClamXav, Norton Anti-Virus, etc, etc, etc) that currently scan for known (Windows) viruses so that Macs don’t act as a conduit for those viruses even though they can’t run them themselves, but wouldn’t it be better for the Mac community to spread a different message than “You don’t need a virus checker!” because on Windows, it took years of education and even direct operating system changes to condition users into recognising the need for a virus checker and making sure it was updated regularly. When it happens for Mac OS, we will have this fight to win from square one.

I will end this with my own bold claim (why not!). There are at this very moment people working on malicious code for Mac OS X (no, it’s not me!) and I believe that it is inevitable that Mac OS will be hit by a successful malicious attack in the next couple of years and I believe we should be preparing for it.

Discuss :)


29 responses to “The Mac has no Weapons of Mass Destruction but we should invade anyway!”

  1. Bold statement indeed. I think codepoet has put it nicely yesterday: There Will Be No Mac BotNet.

  2. Users should be educated about the dangers of the Internet, regardless of what platform they are using. Phishing is growing massively and this affects all platforms. People focusing on the existence of a Mac virus are all the while missing the successful phishing attempts made on Mac or Windows users.

  3. We always advise on buying anti-virus when customers are buying new Macs from the Apple Store and most take the advice. Get them prepared and make sure customers are not, and hopefully never will be, complacent about their Mac and security.

  4. @Nick
    Is this a standard Apple policy or just something that you and your store do? There was no mention of it when I bought mine (San Diego Apple store) and the guy had plenty of chance because we chatted for about 30 minutes while my credit card made me jump through hoops for making a large purchase in a foreign country.

  5. The primary reason there is no fear of an outbreak of viruses/trojans/spyware on OS X is that it’s really hard to spread them. OS X has a relatively sane security policy with regards to: open ports, user privileges, remote application scriptability, and active services. Windows, currently and for the foreseeable future even through Vista, fails miserably on all four counts. This isn’t meant to bash Windows because it’s cool to, but to point out the facts–facts that are borne out by the evidence. It would actually be easier to infect Macs via Boot Camp (an HFS+ aware worm) than it would be to go through native means.

    OS X is halfway through its sixth year as OS X, and still no viruses/trojans/adware to speak of. OS X hasn’t become less secure in that time, so while someone may certainly be working on malware of some sort, they’re not going to have an easy means of deployment.

    As for the security updates, they are by far mostly updates to bundled Unix software, like ssh and apache (services which are off by default), and Unix utilities and libraries, like libtiff. These things are fixed quickly so an exploit (which in virtually all cases would require local access to the machine to begin with) would have only a short window to succeed. OS X benefits from the security-mindedness of the Open Source software it depends upon. For the most part, OS X is as secure as a well-adminned Linux machine. I’d even say more secure, since the default state of OS X is more locked down than most Linux distros, with regards to remote access.

    Allow me a bold statement of my own: OS X will *never* be as virus/trojan/adware-ridden as Windows is now. The reason is that Windows is very much sub-par. There may come a day (and it won’t be soon) when such malware becomes a concern on OS X, but it cannot become as bad as Windows is now until Apple worsens the innate security of OS X to Windows’ level. When that day comes, it will make the news in a very big and very loud way, and we’ll all adjust. Until that day comes, there’s nothing productive to do about it. Worry just causes needless anxiety, and any antivirus software will be wasted effort, since it won’t stop the first attack. By the time it does know what to do, all 10 billion Mac blogs will have linked to the proper software.

    I hate to sound smug, because that’s not my intent, but really, why worry about something that doesn’t exist, and can be simply dealt with whenever it finally does? The fact is that Macs are currently immune to all extant viruses, trojans and worms, and will be tomorrow and for many tomorrows to come. I say, don’t squander your innocence while you have it.

  6. @node3:

    “Allow me a bold statement of my own: OS X will *never* be as virus/trojan/adware-ridden as Windows is now. The reason is that Windows is very much sub-par.”

    I agree with your first statement here, but not your 2nd. I agree that no modern O/S will ever be in the situation that Windows is and has been in for the last few years but much of the reason for that is that the lessons learned regarding this stuff have been learned on Windows but all operating systems have benefited. However, it is hard to say just how much of an impact this has had because Windows has been the target for so long mainly because of its surface area.

    “… and can be simply dealt with whenever it finally does?”

    That’s my point, much of what has happened to Windows is because it was left too late to do anything about it. Education needs to happen now, not when the threat strikes.

  7. That’s the kind of thing we can’t actually know about for sure until it actually happens. And we don’t want it to happen. Therefore, the best approach is to assume it is happening, and defend against it.

    My 2c: I’d rather not run active antiviral software on my system. It hurts performance, and I don’t think it’s the best approach for OS X. The OS is very secure from outside infection. Rather, I think that user behavior is the weak chink in OS X security. And that’s where the biggest challenge lies. We need Apple to make default users non-admins. We need software designers to design defensively, to think “how could my software be taken advantage of by malicious hackers?”

    Still, I’m dubious that this is something that will happen naturally. Rather, I think we will need some kind of a wake-up call to stop people’s naive statements about OS X security, and get Apple and software developers to be proactive about user-behaviour-oriented security. I just hope that that wake-up call isn’t too disastrous.

  8. Will there be a real/dangerous exploit on the Mac platform some day?

    Only a fool would say it’s impossible.

    On the other hand, I’ve been using Macs since 1984.

    And I’ve NEVER experienced a virus or a worm.

    What’s 22 years of computing malware-free worth?

  9. So do any of you actually use a virus checker?

  10. Education is lovely, and yes, in the world of possibility we do have to allow that a Mac virus is at least *possible*, but…

    What are the options if we *do* want to run antivirus software? Nothing available for OS X checks for OS X virii, since there don’t seem to *be* any of those in the wild, and while you can still get software for ancient Classic Mac OS viruses (usually ancient versions of nVir), what’s the point these days? Do any of the known System 6-era viruses still propagate? They were all written eons ago in the pre-Internet days, so I really doubt it.

    Ultimately, while I don’t think any sane person would argue *against* educating the wider Mac community, I don’t know how much practical good it does, until Mac viruses actually become a problem. They aren’t yet.

  11. I suppose it will just be a matter of time before the first *real* mac virus gets out there.

    As the Mac security is so sensible, it will probably rely on stupid users to download or execute some code or application without understanding the implications of what they are doing.

    And now that Boot Camp is available and people might start to use products like MacDrive to get to both partitions – who knows what the possibilities are!

  12. I have also never used a virus checker, I have been using Macs since my Macintosh SE in the mid 80’s. No problems, I think if I was in a situation where I received a lot of MS Word files from random sources would be the only time I would bother. Those macro thingies I keep hearing about…

  13. OS X is based off of UNIX, which has been around for 30something years without any really huge, epic, Windows-style virus outbreak. Since like half the internet runs UNIX I’m gonna go out on a limb and say there will NEVER be a Mac equivalent of Blaster. Because of the way user permissions work, it’ll have to be something that relies on social engineering.

    This blog post pretty much sums it up: http://hohle.net/scrap_post.php?post=189

  14. I could start a company making Mac Virus Protection. Sell software, make lots of money. Then when a virus ‘eventually’ does come out that attacks OSX I could just fold. Don’t waste your money on software that does something that isn’t there. Even when a virus does come the people with virus software will have to wait for a fix, and while that is happening the ever dedicated Mac community will soon sort it out. Only THEN is it time to start with virus tools.

  15. > More importantly, as the usage of Mac OS increases
    > (via Intel Macs, Boot Camp, etc) so the surface area of
    > the platform also increases as does the number of people
    > working on developing successful malicious code. It is a
    > ticking bomb.

    This is a myth. Safety of Mac OS X is largely based on BSD. BSD is widely used – for many years – on the internet. Mainly for large servers that must be secure. For an attacker large servers are like Fort Knox, so they attract a lot of attention of the best of them.
    So, Mac OS X is already widely exposed, for a long time.
    Adding more users won’t make much of a difference.

    Also, because the Mac is based on open-source code (like BSD), it isn’t up to Apple alone to fix security problems. This is a huge benefit and this makes sure that problems are fixed fast and detected early.

  16. macnewbie:

    “I agree with your first statement here, but not your 2nd [That the reason is that Windows is very much sub-par.].”

    What I mean by Windows being sub-par is that it has so many easily exploited vectors. In Windows, there are, many times throughout the year, exploits discovered (in the wild) that can infect you *without your knowledge or interaction*. That’s the key point. In OS X, virtually every potential exploit requires the user to deliberately install and/or run a piece of malware (and to infect the system, requires an admin password).

    Another exploit vector on Windows is “bundled spyware”. That is also hard to spread on OS X because most software is installed via drag-and-drop, so you don’t get some spyware along for the ride.

    “That’s my point, much of what has happened to Windows is because it was left too late to do anything about it. Education needs to happen now, not when the threat strikes.”

    What sort of education are you talking about? There are no Mac viruses, worms, or spyware, so what would be the point in running a program whose entire logic is to show a dialog saying, “Your system is clean”? The only education I can think of that would be useful is to say, “You are safe now, so rest assured. But one day you may not be safe, so keep an eye out for any news of a Mac exploit, and when you do see it, *act on it immediately*.”

    While one could write some form of malware for OS X, it’s just really, really hard to get it to spread without user intervention. Only Windows has, built-in and enabled by default, features that make spreading malware so easy.

    The only thing one is really left with are trojans. Any app can “rm -rf” your home directory. But those apps don’t spread. As far as I know, trojans aren’t a big problem in the Windows world either, since they don’t spread. Like I said at the top of this message, automatic spreading really is the key to the issue.

  17. You really should read Broken Windows, by John Gruber, a great resource for Mac news, including viruses on OS X, so make sure to add his feed to your feedreader.

    That post was written in June 2004, but it’s still true this very day, and describes very well what other aspects there are to the virus issue between OS X and Windows, and why OS X has many benefits in this regard.

    To answer your question on anti-virus software: I don’t run any anti-virus or anti-spyware software on my Mac. Never have. I didn’t even know there was any — I looked online once and found one major anti-virus software company saying “We currently don’t offer a Mac version of our products. If there ever is a malicious virus on Mac that will warrant a Mac version, we will offer it.” Made me smile and then I went on with my work again, feeling happily secure ;)

    Node3:
    “That’s the key point. In OS X, virtually every potential exploit requires the user to deliberately install and/or run a piece of malware (and to infect the system, requires an admin password).”

    Unless you’re running as an Admin account, which OS X _does_ do by default. There has been a proven exploit in that area, but it was a proof-of-concept and wasn’t malicious in any way.

    The biggest tip for keeping your OS X secure, right now, is two-fold:
    1: don’t run as an Admin account;
    2: disable Safari’s option “Open “Safe” files after downloading” — safe files aren’t necessarily safe, so disable this option because execution bindings can be changed to make safe files open in unsafe applications and OS X currently doesn’t prevent this (for relatively good reasons: there is no great solution for it, because the execution bindings need certain freedom of movement to offer the user control over file execution defaults).

  18. First of all, I had an OS X box hooked directly to the Internet for three years without any third-party add-ons for security and it stood up fine (just the regular, prudent stuff bundled with OS X and reasonably good passwords on SSH accounts). The logs would be full of attempts, but none got through (which is more a testament to Apache than the OS).

    That said, of course there could be a security hole that gets exploited. It could happen any day. The problem is that generic security software probably won’t catch it, since it will be something new.

    The main reason that Macs have not attracted a lot of virus writers is that a lot of the viruses that are written are easy-to-code scripting viruses. It has been a number of years since I worked in the security industry, but back when I did at least 95% of all new viruses were scripting viruses for Windows. They were easy to write and it was easy to adapt other people’s scripts and make them your own. Mostly, they were created by a lot of childish malcontents who wanted to think they were great Hax0rs.

    It’s a hell of a lot harder to write a true, binary virus that exploits a security flaw in the OS. It’s even harder when you’re dealing with an OS like MacOS X that doesn’t let the average user run with permission to screw up the OS or the kernel. It’s really complicated to write a binary virus that targets a platform that runs on multiple CPUs!

    My guess is that, when an exploit does come to MacOS X, it will be something that includes a significant element of social engineering. Something not preventable by security software.

    Sure, we might have an exploit some day. But as long as Windows has a crappy security model and as long as it has made-for-exploitation scripting languages, it’s going to be the honey-pot attracting all of the attention.

    I’m certainly not going to start bothering with security software until a real problem starts to present itself.

    In the end, the only real solution to malicious software is the solution we learn from nature: diversity. If everyone is running different OSes and CPUs and so on, then it’s really hard for a virus to take hold. Windows is dangerous more because it happens to be a monoculture than because it has some security holes. More diversity in the OS market would be better for all of us.

  19. If Macs get really popular, i.e. have a significant increase in the sector, then I GUARANTEE, Macs will have more viruses.

    However, let’s say that Mac (and the Apple thing) and Windows (and the whole Microsoft thing) had just been released, I would lean towards Macs.

    I would switch to Mac if I had some money, and also the Windows sector is so big there is much variety of software.

    Die-hard Mac fans say it’s not the quantity but the quality i.e. it does not matter if there is a big variety, as long as the limited set of choices are quality software.

    However, in the real world a big variety DOES breed quality – it opens up competition and comparisons, which helps improve software efficiently at lower costs (for example the amount of quality freeware available to Windows compared to Mac).

    This brings me to another point, no matter which way you look at it, there IS a premium that you have to pay for a Mac. I reckon for Macs to really get more converts they will have to change their business model and allow MUCH more freedom of licences for their software. That’s my 2 cents.

  20. > If Macs get really popular, i.e. have a significant increase in the
    > sector, then I GUARANTEE, Macs will have more viruses.

    Bob, did you read any of the previous comments? For example my comment?
    You know, you must have arguments when you make a statement.

    As for the other points you make:

    – The amount of freeware for the Mac is a lot more than you seem to think, did you take most Linux/Unix freeware into account?

    – The cost of a Mac is now $599. That’s a lot less than most PCs.

  21. Bob:

    “However, in the real world a big variety DOES breed quality – it opens up competition and comparisons, which helps improve software efficiently at lower costs (for example the amount of quality freeware available to Windows compared to Mac).”

    Just because big variety breeds quality, does not mean that the quality supersedes the case of no variety. From having extensively used Windows apps all my life, I can honestly say that almost every single app I’m using on OS X is better than anything I’ve ever encountered in my 13 years of Windows-life.

    Best browser? Tie between Safari and Camino — both OS X only.
    Best music app? OS X’s iTunes (the Windows version is crap).
    Best photo management tool? iPhoto, hands down.
    Best feedreader? NetNewsWire, OS X only.
    Best IM software? Adium. OS X only.

    I can go on for hours here. I’ve tried the diversity of Windows’ apps, I’ve tried a lot of programs for each specific goal (i.e. “photo management”, “music”, etc.) and on OS X, I’ve come to not look for the diversity as much because usually, my first try-out of an app is already that much better than all my Windows experience that I don’t even bother looking further (unless people recommend me software, of course).

    So yes, diversity breeds quality — I completely agree — but that doesn’t mean Windows’ apps are better than OS X’s. My experiences say otherwise on pretty much every single account. Games are really the only exception to this, but that may be a different issue (my hardware being lesser than my PC was, when it comes to games).

  22. “Best browser? Tie between Safari and Camino — both OS X only.
    Best music app? OS X’s iTunes (the Windows version is crap).
    Best photo management tool? iPhoto, hands down.
    Best feedreader? NetNewsWire, OS X only.
    Best IM software? Adium. OS X only.”

    These are all so much opinion. The only one I will give you for sure is NetNewsWire. iTunes is identical IMO. I have used both. Adium is pretty good. It uses libgaim for its actual protocol work. Gaim is just as good IMO and has a plugin system. iPhoto is ok. I still manage my photos on a PC in Explorer. If I need heavy editing (other than resizing, rotating, etc.) I use Fireworks.

    Camino would be nowhere without Mozilla/Firefox. The extensions system makes FF the winner hands down regardless of platform. Safari is ok. Their ignorance of CSS styled buttons and widgets is quite annoying and makes some pages look funny IMO.

  23. I don’t believe you can approach security on the Mac like you do on Windows. And I am glad people have not. The security world for Windows has mostly created a revenue stream for lots of AV companies and small time malware detection apps. There are so many, you have a hard time telling the real companies from some place trying to get you to install more malware.

    With the use of so much open source in OS X, the patches and fixes will come from the vendors of the software that is broken. We will not find ourselves waiting years for a fix to real problems that were created as features. That is the biggest problem on Windows. So many MS features that can be abused to install malware. OS X saw an early problem with that (something about auto-installing widgets) and it was fixed. Not brushed aside.

  24. Safari is ok. Their ignorance of CSS styled buttons and widgets is quite annoying and makes some pages look funny IMO.

    Ignorance? I can assure you, it has nothing to do with ignorance on their part. Keep in mind that Safari currently has the best and most complete CSS support of all browsers available today.

    iTunes the same on both? Please, it’s worlds apart! It simply will never be equal because the interface of Windows apps can never match up to their OS X counterparts, simply because the Windows OS is not built to support it (stuff like the menu bar being at the very top). Thanks to such details, there will always be a major difference between them. Just read X vs. XP if you want more information on why OS X’s interface approach is the better one.

  25. Pingback: My Journey to Macintosh » Weapons of Mass Destruction Part Two - You didn’t convince me!

  26. “…I am saying it is foolish to just assume that it is because a version of it was, once upon a time because every change made since that fork has the possibility of introducing a new security issue.”

    I must disagree, it is a fact that ‘Safety of Mac OS X is largely based on BSD’ and not a misconception.

    The modifications of BSD for Darwin are not in this (safety) area. Even so, Darwin is also open source and has the same benefits as BSD in that respect.
    (It is funny you don’t consider that Darwin could even be safer than BSD. I think this could be the case because of the Mach kernel…)

    But I’m glad we agree on something, namely that BSD is secure.
    This is important because Apple will drop Darwin and switch to BSD in the near future.

    “What I am saying is that this idea that it is either secure by default or somehow not at risk from attack is wrong wrong wrong…”

    I disagree, Mac OS X is secure by default. If I would prepare a Linux system I would install the firewall and set it to close ‘all’ incoming ports. Mac OS X is set by default in this way. (It is also very easy to set the firewall to stealth mode, and this is the most secure mode.)

    With this fact, combined with warnings when you download and install files with executable content, the file system properties, automatic security updates and the proven security of BSD, it is a logical conclusion that Mac OS X is ‘not’ at risk from attack.

    As a side note: I didn’t see ‘negative comments and reactions’ to your posting. Most of the reactions are constructive and informative in my opinion.

  27. Well, I’m amazed at some of the comments here, the only way some of you will learn is by having your entire computer destroyed through some sort of virus outbreak.

    I’ve blogged about this on a mainly Microsoft Development web site – I’ll be very interested to see what kind of responses I get to the comments I’ve lifted from this post.

    http://weblogs.asp.net/plip/archive/2006/05/01/444698.aspx

  28. Pingback: My Journey to Macintosh » Welcome to the International War Crimes Tribunal Apple

  29. UNIX has never had any epic outbreaks?

    What about the morris worm? http://en.wikipedia.org/wiki/Morris_worm

    That’s arguably the most epic outbreak ever. Brought the internet to its knees for days.