
Microsoft: Macs 'Not Safe From Malware, Attacks Will Increase'

Posted by timothy
from the what-a-huge-surprise dept.
An anonymous reader writes "Microsoft researchers have analyzed a new piece of Mac malware that uses a multi-stage attack similar to typical Windows malware infection routines. In a post titled 'An interesting case of Mac OSX malware' the Microsoft Malware Protection Center closed with this statement: 'In conclusion, we can see that Mac OSX is not safe from malware. Statistically speaking, as this operating system gains in consumer usage, attacks on the platform will increase. Exploiting Mac OSX is not much different from other operating systems. Even though Mac OSX has introduced many mitigation technologies to reduce risk, your protection against security vulnerabilities has a direct correlation with updating installed applications.'"

  • by TheRaven64 (641858) on Saturday May 05, 2012 @07:35AM (#39900871) Journal
    Possibly a biased source, but not exactly a shocking conclusion. The OS X kernel is a massive amount of C and embedded C++ code. On top of that is a huge pile more code. It's not going to be bug free, and at least some of those bugs will be exploitable. It does about the same set of things as other modern operating systems to reduce the damage that a compromised application can do (e.g. making it easy to run apps in sandboxes), but any network-exposed system running arbitrary code is vulnerable, the only question is whether the effort involved in finding and exploiting a vulnerability is greater than the reward.
  • by Anonymous Coward on Saturday May 05, 2012 @07:41AM (#39900889)

    Maybe we need a new motto? You can have it easy to use, affordable or secure. Choose two.

  • by Anonymous Coward on Saturday May 05, 2012 @07:51AM (#39900929)

    The thing is OSX doesn't really fit into ANY of those categories =P

  • Funny (Score:4, Insightful)

    by iMouse (963104) on Saturday May 05, 2012 @07:53AM (#39900943)

    ...a poorly written Microsoft product leaves a vulnerability open for exploitation, yet it is Microsoft who provides an internal assessment and statement that Macs are "not safe from malware".

  • by arbiter1 (1204146) on Saturday May 05, 2012 @07:55AM (#39900955)
    Accepting the fact your OS has flaws is the first step to making a secure OS; Apple for years claimed their OS didn't have any. Now all Mac fanboys are finding out the hard way and it's only gonna get worse.
  • by voss (52565) on Saturday May 05, 2012 @07:59AM (#39900979)

    Not only was it opportunistic but the vulnerability comes from A MICROSOFT PRODUCT (It was an Office for Mac issue)!

    If I were Apple and feeling particularly snarky I would send out an email to my users warning about Microsoft software including the Microsoft post and recommend that they not use Office for Mac and switch over to LibreOffice for a more secure computing experience.

  • by flyingfsck (986395) on Saturday May 05, 2012 @07:59AM (#39900981)
    Hmm, since Linux has by far the largest market share, then by your logic, it must have the most viruses. Yes, Windows probably has the largest market share on desktop machines (a dying breed), but Linux leads on computers overall, by a wide margin. Samsung alone sells hundreds of millions of Linux machines each quarter. So where are the Linux viruses? The difference is in the design, which is not dependent on market share.
  • Re:"Get the Facts" (Score:5, Insightful)

    by clang_jangle (975789) on Saturday May 05, 2012 @07:59AM (#39900983) Journal

    In before all the stupid replies that Linux cannot be hacked. :)

    I suppose there could be some people stupid enough to say that, but I haven't seen much of it (unless you count obvious troll posts). In fact, a misconfigured Linux system is one of the easiest to hack -- but we're discussing malware, not hacking. Since most Linux distros are using repositories for all the third-party software (vs non-tech users zooming around the web downloading "10,000 smilies!") malware for Linux is pretty darned rare -- much more so than Windows or OS X. Unless, of course, one counts all the Android trojans -- I don't because to me Android is a completely unique OS that happens to use some Linux code.

  • Re:"Get the Facts" (Score:1, Insightful)

    by Kotakee (2632245) on Saturday May 05, 2012 @08:04AM (#39900995)
    Android is a great example of how malware just gets there, around the obstacles when the market share is right. It's even on their official store.

    Repositories also wouldn't work if Linux had the same market share as Windows, or hell, even OS X. You just cannot do everything via such a system, and there needs to be a way to install software off from the "official" platforms. Hell, most of Slashdot constantly argues against this too (DRM).
  • Old news (Score:4, Insightful)

    by Anonymous Coward on Saturday May 05, 2012 @08:11AM (#39901025)

    I'm gonna go ahead and cite the Ken Thompson hack here:

    "It's been more than twenty years since I read Thompson's marvelous paper, but I believe I correctly recall his fundamental point: UNIX, and every system like it, can NEVER be "secure". It doesn't matter how many layers of anti-virus software, "internet worm protection", "firewall" or any other buzzword -- systems like UNIX (including all versions of Linux, Macintosh OSX, and all versions of WinXP) will NEVER be secure. Thompson published his paper and revealed his hack in order to demonstrate this point."

    Closed source, open source, free, paid, whatever it is, it will never be fully secure and people are foolish to believe anything to the contrary.

  • Re:"Get the Facts" (Score:4, Insightful)

    by nzac (1822298) on Saturday May 05, 2012 @08:19AM (#39901065)

    In before all the stupid replies that Linux cannot be hacked. :)

    I assume you mean cannot get drive-bys. Linux is hacked in the broad sense rather often. Linux does not get viruses in the sense that it's never happened.

    I assume you mean there are likely to be similar security holes in a bleeding edge easy to use distro as Windows, which may be true.
    Linux is extremely hard to compare security on as you can have everything from a full on SELinux setup to whatever ASUS use to distribute.

    I think rapid updates (all security holes are fixed within a week, worst case) and a low user base make Linux so unattractive for virus spreading that no one needs to worry. When there is a successful virus for Linux, then Linux security becomes non-hypothetical and decisions can be made on the security/convenience trade-off (as of now it's just all inconvenience for malware threats).

  • Re:"Get the Facts" (Score:5, Insightful)

    by TWX (665546) on Saturday May 05, 2012 @08:26AM (#39901087)
    Fact of the matter is, basically all computing requires more trust than should really be granted. We trust Microsoft to patch their vulnerabilities now that malware manages to find ways in through ever more creative means. We trust Apple to have an OS that was never really vulnerable to start with, and we trust GNU/Linux distributions and other free operating systems to have clean repositories and to be free of backdoors. We rely on non-OS, internet-connected software companies to produce software that isn't vulnerable to bringing problems in from the Internet.

    All of these are essentially untrue, or are relying on means of security that can't be verified or well tested until something comes out in the wild. We instead rely on updates after the fact, and on feeble attempts by some to make programs to remove malware.

    Even in the privileged/unprivileged user landscape that modern OSes are capable of using, too many users desire more credentials on their local computers than they need in order to perform the very basic tasks that a computer user does on a daily basis. In the early days I too was guilty of this, but learned. Unfortunately when there are combinations of vectors to infect the local user and then local root exploits even a good privileges model won't work.

    We should demand more out of our browser developers and more out of our plugin developers. That is the single biggest category of infection route, and I'm sorry, but software that voluntarily brings in and deploys the exploit simply by visiting a markup-language page is completely unacceptable. Fix the bugs before worrying about new features.
  • by martin-boundary (547041) on Saturday May 05, 2012 @08:42AM (#39901147)
    Nope, and yes, it's Microsoft FUD to some extent.

    It's true that *abstractly*, any computer system has bugs and vulnerabilities, and if you attach it to an untrusted network and if this network has a lot of malware that targets the system then compromises will happen, in direct proportion to the quantity of malware in circulation and the number of bugs and vulnerabilities in said system, which itself is proportional to the amount of code etc.

    But having said that, malware is not very smart or adaptable and this has nothing to do with the profit motive: every tiny change in a target system requires a rewrite or an addition to the malware code, and the more additions there are the bigger and more conspicuous the malware becomes, which makes it easier to recognize.

    That's why patching systems is effective, the malware is too dumb to smoothly react to the unexpected. It's also why predominantly Microsoft and to some extent Apple systems are more vulnerable than Linux systems. Microsoft OSes are hyper identical (available APIs, installed software, etc), so malware can be quite dumb and still be successful. Apple systems are a monoculture too. But OSes that come in kits and have lots of alternative subsystems that must be configured by users/owners, like Linux, are inherently safer. The malware just has too many variations to consider when it tries to invade. Note that systems like Android are also more vulnerable, like Apple systems, because the needs of user friendliness and unified user experience result in monoculture again.

    And that's where the commercial/consumer world is shooting itself in the foot. As the installed base grows, the cluster of identical machines grows at the same rate. Whereas in the more chaotic world of Linux/*BSD, the total installed base can grow but it's ok to fracture into alternative distros and flavours, and it suffices for the number of incompatible alternative clusters to grow at the same rate as the total installed OS base, so you can have more and more clusters which are all of a limited size and any malware can only affect one or two clusters at a time.

  • by erroneus (253617) on Saturday May 05, 2012 @09:00AM (#39901217) Homepage

    When Microsoft puts out updates, they just put out the updates... most of the time in single-fixes which are individually selectable and uninstallable. (Doesn't always work but they try.) They do it like this because business depends on compatibility and continued operations of their apps. So if a particular update or patch breaks an important app, it can be rolled back, removed or at least identified and skipped.

    Apple doesn't care about that. Apple will push updates and bundle them with anything they like including feature removal and things users don't want.

    So what I foresee happening is that Apple will bundle a critical security fix with something else which the users don't want and they will refuse to update their machines.

    Some people here are "fans" of a particular brand or whatever. I'm none of those. I just call them as I see them. But if someone must insist I'm a hater of this or a shill for that, I run Fedora Linux on most of my stuff but I hate Gnome3 so I'm going to CentOS until the people out there get their heads on straight and listen to the users.

  • by burne (686114) on Saturday May 05, 2012 @09:13AM (#39901261)

    Do I need to point out that the recent incident with FlashBack would have been impossible without gaping holes in Adobe's Flash, Oracle's Java and Microsoft Office?

    Microsoft makes an office suite with no easy way to notify users of available updates and blames Apple for the gaping holes in Office?

  • Re:"Get the Facts" (Score:5, Insightful)

    by BasilBrush (643681) on Saturday May 05, 2012 @09:14AM (#39901265)

    Android is a great example how malware just gets there, around the obstacles when the market share is right. It's even on their official store.

    No. There is virtually no malware for iOS, which is in the same ballpark as far as market share is concerned. So it's not just market share. Security, including walled gardens, makes a huge difference.

  • by jones_supa (887896) on Saturday May 05, 2012 @11:41AM (#39902137)

    yes, until mom needs word processor (cloud services like google doc don't count), and the ability to watch movies their kids email her of a newborn. The point is, while you could help your mom install linux or whatever other app she needs initially, she can't go out and download or buy additional software on her own, and then install it on her own.

    I enjoy linux as any other, but I don't think it passes the grandma test yet.

    It's hard to say if grandma is really in a worse position here with Linux. As we know, usually you have all the programs (browser, word processor, movie player...) already installed, while in Windows you have to install all kinds of stuff separately.

    That being said, Linux is indeed having bad problems supporting third party stuff. There are currently no easy and unified ways of installing apps or drivers if they come from outside of the distribution. :(

  • by jbolden (176878) on Saturday May 05, 2012 @02:03PM (#39903187) Homepage

    So what I foresee happening is that Apple will bundle a critical security fix with something else which the users don't want and they will refuse to update their machines.

    They have already bundled security fixes with feature removals and the users update. You don't buy Apple if you aren't willing to understand that ultimately Tim is in charge.

  • Re:"Get the Facts" (Score:5, Insightful)

    by hairyfeet (841228) <.bassbeast1968. .at. .gmail.com.> on Saturday May 05, 2012 @07:27PM (#39905167) Journal

    I'm sorry friend but you are mistaken, unless you call sliding a single slider in UAC some complex action. Win 7 can autosandbox the browser (your choice of IE or any Chromium based) and run it in low rights mode which is actually SAFER than surfing in Linux where running a single program in a much lower set of permissions is far from simple, and then simply add one of several free AVs that also sandbox (My two favorites are Avast and Comodo Internet Security, both work well) and frankly the user need not know anything. The OS will autoupdate, autosandbox, scan ALL pages before load, hell my 71 year old dad is as clueless about tech as they come and his PC has been on the net 24/7/365 running Win 7 since Oct 09 and hasn't had a single problem or bug, the worst problem he has had is he didn't know how to update his browser (it kept telling him there was an update but he kept pushing the X instead of the update button) and that was it.

    If you want to know the REAL reason why you see much more infected Windows? Let me tell you a true story about the only person I ever threw out of my shop. He comes in, buys a PC from me, and wants me to install Limewire. I tell him "I'm sorry but Limewire doesn't exist anymore, they got shut down by the feds and anything calling itself Limewire now is just a virus pretending to be the real deal. There are several alternatives such as Emule and BT if you wish me to install one of those" so what does he do? He promptly goes home with his new PC, Googles "New limewire" and when the AV naturally wouldn't let him install it first he tried to disable and then he removed the AV altogether! Why did he do that? Because the program told him to! When I finally threw him out of my shop (demanding I fix it for free after he broke it by refusing to listen to my instructions or call) he was yelling "It says right there that it IS Limewire so you make it work dammit!"

    So if you want to know why there are plenty of infected Windows machines it's because of the dancing bunnies problem. [codinghorror.com] It doesn't matter how simple or secure you make the OS if the user has install rights because all you have to do is wave the right cookie, be it porn, piracy, hell I've seen users infect their PCs for a CHANCE of winning some iShiny, then all can be bypassed. MSFT thinks they are gonna fix this by going the Apple way with an appstore but it won't work, as porn and piracy won't be offered in the appstore and that will be enough of a cookie to lure victims. Whether you choose to admit it or not to run Linux you HAVE TO have more than moderate PC skills or have a full time admin (such as yourself) willing to work for free simply because you have to know how to deal with updates breaking drivers and other Linux "quirks" one simply doesn't run into on OSX or Windows. Hell simply the fact you have to install it, know what partitions are and what sizes to make them, Google for drivers that aren't included and understand how to find out the exact make/model of said hardware to properly install Linux already puts you above a good 80% of the population. If you wish to argue that let me take away install rights for all my customers who would only be allowed to let me remote in and install approved software? Windows would never get bugs either.

    But that argument simply doesn't hold water when the vast majority are on their own, without so much as a geek in the family to guide them. In fact I would argue that them getting Linux installed correctly and having it fully functional for even a year would probably be impossible, since they simply wouldn't have the skills required. Linux is only friendly IF everything works OOTB AND it works after every upgrade, two situations which at least in my experience are about as likely as Santa dropping me off a dozen porn stars for Xmas.
