
Microsoft: Macs 'Not Safe From Malware, Attacks Will Increase'

Posted by timothy
from the what-a-huge-surprise dept.
An anonymous reader writes "Microsoft researchers have analyzed a new piece of Mac malware that uses a multi-stage attack similar to typical Windows malware infection routines. In a post titled 'An interesting case of Mac OSX malware' the Microsoft Malware Protection Center closed with this statement: 'In conclusion, we can see that Mac OSX is not safe from malware. Statistically speaking, as this operating system gains in consumer usage, attacks on the platform will increase. Exploiting Mac OSX is not much different from other operating systems. Even though Mac OSX has introduced many mitigation technologies to reduce risk, your protection against security vulnerabilities has a direct correlation with updating installed applications.'"
  • by TheRaven64 (641858) on Saturday May 05, 2012 @08:35AM (#39900871) Journal
    Possibly a biased source, but not exactly a shocking conclusion. The OS X kernel is a massive amount of C and embedded C++ code. On top of that is a huge pile more code. It's not going to be bug free, and at least some of those bugs will be exploitable. It does about the same set of things as other modern operating systems to reduce the damage that a compromised application can do (e.g. making it easy to run apps in sandboxes), but any network-exposed system running arbitrary code is vulnerable, the only question is whether the effort involved in finding and exploiting a vulnerability is greater than the reward.
    • Possibly a biased source, but not exactly a shocking conclusion.

      That's the problem. While the conclusion is hardly surprising, and is in fact what many people have been predicting for years, a lot of people are going to say "oh, it's Microsoft, FUD!" and ignore it. Interestingly, using many of the same vectors a virus for Linux is equally possible, it's just that most virus writing these days is done for profit, and it's not a big enough target to make it worth their time.

      • by drerwk (695572) on Saturday May 05, 2012 @08:57AM (#39900967) Homepage
        Until MS ports Office to Linux, Linux is safe from this particular vulnerability.
      • Re: (Score:2, Funny)

        by Anonymous Coward

        Virus? Seriously, you can craft some damned document in PostScript that can thrash any system that has the PS interpreter.
        PS is a Turing-complete language. You can pull some crazy stuff with this shit.

        • by Entropius (188861)

          Will it actually thrash it so that it requires a reboot, or just soak up all the CPU cycles on one core until the user gets around to running top and killall -9? (I guess this basically boils down to: does postscript have a fork call?)

      • by Dunbal (464142) *

        a lot of people are going to say "oh, it's Microsoft, FUD!" and ignore it.

        Nah that's the thing about having 90% market share - you don't get ignored even when it _is_ FUD.

      • by martin-boundary (547041) on Saturday May 05, 2012 @09:42AM (#39901147)
        Nope, and yes, it's Microsoft FUD to some extent.

        It's true that *abstractly*, any computer system has bugs and vulnerabilities, and if you attach it to an untrusted network and if this network has a lot of malware that targets the system then compromises will happen, in direct proportion to the quantity of malware in circulation and the number of bugs and vulnerabilities in said system, which itself is proportional to the amount of code etc.

        But having said that, malware is not very smart or adaptable and this has nothing to do with the profit motive: every tiny change in a target system requires a rewrite or an addition to the malware code, and the more additions there are the bigger and more conspicuous the malware becomes, which makes it easier to recognize.

        That's why patching systems is effective, the malware is too dumb to smoothly react to the unexpected. It's also why predominantly Microsoft and to some extent Apple systems are more vulnerable than Linux systems. Microsoft OSes are hyper identical (available APIs, installed software, etc), so malware can be quite dumb and still be successful. Apple systems are a monoculture too. But OSes that come in kits and have lots of alternative subsystems that must be configured by users/owners, like Linux, are inherently safer. The malware just has too many variations to consider when it tries to invade. Note that systems like Android are also more vulnerable, like Apple systems, because the needs of user friendliness and unified user experience result in monoculture again.

        And that's where the commercial/consumer world is shooting itself in the foot. As the installed base grows, the cluster of identical machines grows at the same rate. Whereas in the more chaotic world of Linux/*BSD, the total installed base can grow but it's ok to fracture into alternative distros and flavours, and it suffices for the number of incompatible alternative clusters to grow at the same rate as the total installed OS base, so you can have more and more clusters which are all of a limited size and any malware can only affect one or two clusters at a time.

        • by andydread (758754)
          Yes but unfortunately [slashdot.org]
        • by Shavano (2541114)

          But the monoculture of Apple and to a lesser extent Windows is also what makes those systems so useful to so many people. You don't have to understand every intricacy of software systems that branch like a wild vine to get something done on a stock Windows or Apple system.

          The same thing that makes the Apple and Windows system so vulnerable to malware is what makes it so easy for a user or an administrator to comprehend how to use and configure it. And this is for the same reason. It's inefficient for h

      • While kind of true, Linux is so widely used on public networks that it's easily the most secure out of Mac OSX, Windows and Linux.

        That's not to say it's impervious but no one got fired for running Linux. ;)

        • by dynamo52 (890601) on Saturday May 05, 2012 @12:15PM (#39901933)

          ... no one got fired for running Linux

          That's because by the time they had a fully functional system, there were so many obscure configurations, custom scripts, and dirty hacks required that they are the only one who knows how to administer it.

        • by Shavano (2541114)

          It's not widely used because it's secure. It's widely used because it's cheap, and it's easily capable of doing the job in back-end environments where it can be locked down and prevented from running arbitrary code at the user's whim.

    • Re: (Score:3, Informative)

      by Megane (129182)

      The OS X kernel is a massive amount of C and embedded C++ code.

      Except the kernel isn't the problem. I haven't heard a single word about this recent malware crap that indicates it exploits the kernel or somehow achieves supervisor mode. Nor have I heard a single word about user-less exploits, as opposed to how you could simply install Windows, connect to the network, and have it owned within an hour, if not minutes.

      All this has been user land exploits, which require a user to do something. Some of them haven't even required the user to do something stupid, other than t

    • by Zemran (3101)

      It was also found that the Titanic was not unsinkable... Shock Horror !!!

      I do not think that any intelligent person thought that Macs are unsinkable/invulnerable, just that they are much harder to attack than a Windows box. Same with Linux, of it can be, it is just much more safe than Windows.

    • by MtViewGuy (197597)

      Leo Laporte on the "This WEEK in Tech" and "MacBreak Weekly" podcasts has said several times over the last 5-6 years that the reason why Macs running OS X haven't been hit with malware was that until very recently, there weren't enough Macs out there to justify the effort to write malware that can infect these machines.

      But now, with the terrifying success of the "Flashback" malware, it's now open season on Mac users. As such, Apple may have to develop a true Internet security suite with automatic virus/malw

    • Apple is doing something to mitigate malware problems, though.

      What's the biggest attack vector for malware? Users installing it themselves. What is Apple doing to stop it? Making their App store the primary source for all software installs.
  • by Anonymous Coward on Saturday May 05, 2012 @08:41AM (#39900889)

    Maybe we need a new motto? You can have it easy to use, affordable or secure. Choose two.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      The thing is OSX doesn't really fit into ANY of those categories =P

    • by Entropius (188861)

      I dunno, Linux seems to be all three to me. It's braindead-easy to install these days -- hell, my mom can do it by herself, which is definitely not true for Windows.

      It's free, and it's pretty secure, only sacrificing security for usability in intentional, configurable ways (i.e. "should I require a password on console login?")

      • Interesting that the GP said "easy to use" and you changed that to "easy to install". Which of course isn't the same thing at all. For sure, Linux is not easy to use. But let's quantify that - it's less easy to use than the other 2 mainstream desktop OSs.

        • by Entropius (188861)

          I mentioned the installation thing because that's traditionally been one of the confusing bits about Linux.

          Use is pretty simple -- you have a menu, it has stuff in it, you click on it. When you want something you don't have you fire up Ubuntu Software Center and go get it.

        • by bmo (77928)

          Interesting that the GP said "easy to use" and you changed that to "easy to install"

          But it is easy to use. You can use it all day and never touch a command line ever, just like Windows and OSX.

          It's just advantageous to use a command line for things that would drive you batty in any GUI. This is why OSX has bash and Windows has PowerShell.

          Oh, right, Microsoft thought so little of the command line they went and wrote a whole new one that even aliases the unix commands like cp, mv, and rm.

          Twit.

          --
          BMO

    • by Shavano (2541114)

      Affordable has nothing to do with it. Convenience and security are the pair that can't come together.

  • If anyone has a lot of viruses to examine, it's Microsoft!

    • by arbiter1 (1204146) on Saturday May 05, 2012 @08:55AM (#39900955)
      Accepting the fact your OS has flaw's is first stepping to make a secure OS, Apple for years claimed their OS didn't have any. Now all Mac fan boys are finding out the hard way and its only gonna get worse.
      • by Joce640k (829181) on Saturday May 05, 2012 @09:15AM (#39901043) Homepage

        How to use an apostrophe [theoatmeal.com]

      • Accepting the fact your OS has flaw's is first stepping to make a secure OS, Apple for years claimed their OS didn't have any.

        Uh, no. They didn't. The fact that they've regularly and consistently provided security updates shows that they recognize that they have flaws in their OS that need patching. What they have claimed is that they don't have a lot of viruses, which is absolutely true. Due to Macs not being worth targeting because of a smaller user base, malicious attacks against Macs were very rare compared to PCs (which is always the benchmark they compared themselves to). So their claim was true.

        They have never, however, cla

      • by burne (686114) on Saturday May 05, 2012 @10:13AM (#39901261)

        Do I need to point out that the recent incident with FlashBack would have been impossible without gaping holes in Adobe's Flash, Oracle's Java and Microsoft Office?

        Microsoft makes an office suite with no easy way to notify users of available updates and blames Apple for the gaping holes in Office?

        • by Nerdfest (867930)

          Well, there is a mechanism available to notify users of these updates, but I'm guessing MS is not that interested in handing over 30% of their price. I think Apple's exclusion of 3rd party repositories from their marketplace is pure greed. The Linux model they borrowed from should have been more blatantly copied. I think Windows should do the same, but I think they're following the iOS approach for Metro that locks users to a single market.

          One of the best features of Ubuntu, etc, is the single channel for s

        • by makomk (752139)

          Oracle had closed that "gaping hole" several months earlier, it's just that Apple are really slow at releasing security fixes for serious vulnerabilities in third-party software they bundle with their OSes.

        • by breser (16790)
          Microsoft has included AutoUpdate in Office for years. Every few months when they put out an update it pops up and downloads it for me. You can get to it by going to the Help menu and choosing Check for Updates in any Office Application if for some reason you want to run it manually. Maybe they could do a better job, but I think your statement that there is no easy way to notify users is fundamentally false.
      • by sootman (158191)

        When did MS first accept that their OS had flaws? Because securing Windows was about a 12-year journey.

      • by PNutts (199112)

        Apple for years claimed their OS didn't have any.

        Citation needed. From the Apple Support Communities site (non-authoritative): To deal with the malware, Apple recommends disabling Java for anyone with 10.6.7 or less who can't upgrade. [apple.com]

        Here's a link from Apple's support site [apple.com] posted in 1998 describing how to protect yourself against viruses in Mac OS 8.1.

        I'm too lazy to look for older links.

      • by jbolden (176878)

        Mac fanboys aren't finding out much of anything the hard way. Most of them have spent years in a relatively virus and spyware free world without having to worry too much. Not perfect but rather good, while Windows users live in a constant state of war.

        And it may or may not get worse. Apple has a lot of potential security in place that can be implemented almost instantly if security becomes a top priority; Microsoft was introducing new security features as the virus and spyware wars started. Apple's othe

  • by nurb432 (527695) on Saturday May 05, 2012 @08:49AM (#39900919) Homepage Journal

    No matter how 'secure' a system is, as long as end users have the ability to install software, systems will still be at risk. It's just part of the deal.

    If your particular systems are attacked or not, depends on your market share.

    • by jbolden (176878)

      We've just seen a multi-billion-dollar virus written for the embedded systems in nuclear reactors and power regulators. It ain't just market share.

  • While I will agree with lack of surprise from /.ers, most of my colleagues that enjoy their Macs like to tout "invulnerability" to malware. Mac-pride makes them brave/foolish to the point they will not bother with anti-virus. I think they are more the norm than exception for Mac users. Once the Mac OS reaches a high enough number of users, there will be a significant surprise for most users.
    • by jbolden (176878)

      I've been on /. and using a Mac for about a dozen years with no anti-virus and no adware protection. No hint of problems.

      There is nothing foolish about it. There just isn't much incidence of infection. Once there is a high incidence then I'll start running security junk.

  • It's about marketshare. It has only ever been worthwhile for virus writers to target a platform that is popular enough to warrant a return on investment, whether that be fame or clandestine botnet software.

    People always used to use half-baked arguments trying to claim that OS X was more secure because it was "unix" or some crap, despite OS X being very insecure [osnews.com] for most of its run.

    Aside from being common sense this is supported with some pretty solid mathematics, not least an article in an IEEE journal sho

    • by flyingfsck (986395) on Saturday May 05, 2012 @08:59AM (#39900981)
      Hmm, since Linux has by far the largest market share, then by your logic, it must have the most viruses. Yes, Windows probably has the largest market share on desktop machines (a dying breed), but Linux leads on computers overall, by a wide margin. Samsung alone sells hundreds of millions of Linux machines each quarter. So where are the Linux viruses? The difference is in the design, which is not dependent on market share.
    • It's about marketshare.

      No it is not. It is about yield.

      Two things have been happening over the past years
      * OS X has increased in market share
      * Windows and apps running on Windows have grown

  • Funny (Score:4, Insightful)

    by iMouse (963104) on Saturday May 05, 2012 @08:53AM (#39900943)

    ...a poorly written Microsoft product leaves a vulnerability open for exploitation, yet it is Microsoft who provides an internal assessment and statement that Macs are "not safe from malware".

    • I believe the term "takes one to know one" has never been more fitting.

      But it's true, Macs are now plentiful enough to attract the attention of malware purveyors, and the fact that the target market is so unsuspecting must be making them salivate. It's certainly in M$'s best interests to make this known, and they're doing the Mac fanboi's a favor by putting them on alert.

      And before someone sharp-shoots me on the apostrophe, it's acceptable to use one when otherwise the plural forms a misleading word. "Fan

  • Anyone who is interested can look up security vulnerabilities by vendor. [securitytracker.com]
  • by voss (52565) on Saturday May 05, 2012 @08:59AM (#39900979)

    Not only was it opportunistic but the vulnerability comes from A MICROSOFT PRODUCT (it was an Office for Mac issue)!

    If I were Apple and feeling particularly snarky I would send out an email to my users warning about Microsoft software including the Microsoft post and recommend that they not use Office for Mac and switch over to LibreOffice for a more secure computing experience.

    • by Amarantine (1100187) on Saturday May 05, 2012 @09:17AM (#39901055)
      Not only that: this particular exploit doesn't even work any more in Lion. Only Snow Leopard and earlier.
    • by gstrickler (920733) on Saturday May 05, 2012 @09:59AM (#39901209)

      And, it doesn't work if you've applied any of the Office patches in the past 3 years. Patches that Office (by default) notifies you about weekly.

      Very opportunistic.

      Still, they are correct that attacks will increase, and anyone who has refused to install security patches in a needs to change their habits, or they will eventually be infected.

      • Not that "OMG Apple is evil," but that "Mac users need to wake the fuck up and think about security."

        I've met more than a few Mac users who really believe that "Macs can't get viruses," and such things. They don't patch their shit, have weak passwords, etc, etc. They think the magic Apple fairy will protect them from all harm.

        I argued they were like someone living in a rich gated community that left their door open all the time. Nobody had broken in because nobody had really tried, but they weren't really s

        • by jbolden (176878)

          Well, that's over now

          We'll see if it is over now. Sorry if I'm not too concerned. I've been hearing how the virus apocalypse would happen any day now for a dozen years. Meanwhile Apple has been slowly turning up the security and laying the ground work for a rapid shift if they ever need to.

  • Am I the only one who thinks the headline sounds kind of like a threat?

  • Old news (Score:4, Insightful)

    by Anonymous Coward on Saturday May 05, 2012 @09:11AM (#39901025)

    I'm gonna go ahead and cite the Ken Thompson hack here:

    "It's been more than twenty years since I read Thompson's marvelous paper, but I believe I correctly recall his fundamental point: UNIX, and every system like it, can NEVER be "secure". It doesn't matter how many layers of anti-virus software, "internet worm protection", "firewall" or any other buzzword -- systems like UNIX (including all versions of Linux, Macintosh OSX, and all versions of WinXP) will NEVER be secure. Thompson published his paper and revealed his hack in order to demonstrate this point. "

    Closed source, open source, free, paid, whatever it is it will never be fully secure and people are foolish to believe anything to the contrary.

  • First of all, it must be said that the word "mac fan boy" is one of the most ingenious PR actions against Apple. The statement of Microsoft that "macs are not safe" is a too obvious PR spin along the same lines. Any operating system is vulnerable as long as users can modify operating systems. This is not for discussion. What matters is how fast these vulnerabilities are handled and communicated and corrected. Apple as well as Linux distributions have handled vulnerabilities in the past pretty well and I f
  • by erroneus (253617) on Saturday May 05, 2012 @10:00AM (#39901217) Homepage

    When Microsoft puts out updates, they just put out the updates.... most of the time in single-fixes which are individually selectable and uninstallable. (Doesn't always work but they try) They do it like this because business depends on compatibility and continued operations of their apps. So if a particular update or patch breaks an important app, it can be rolled removed or at least identified and skipped.

    Apple doesn't care about that. Apple will push updates and bundle them with anything they like including feature removal and things users don't want.

    So what I foresee happening is that Apple will bundle a critical security fix with something else which the users don't want and they will refuse to update their machines.

    Some people here are "fans" of a particular brand or whatever. I'm none of those. I just call them as I see them. But if someone must insist I'm a hater of this or a shill for that, I run Fedora Linux on most of my stuff but I hate Gnome3 so I'm going to CentOS until the people out there get their heads on straight and listen to the users.

    • I think there are two kinds of fans: fans and zealots.

      I'm a fan of Apple, but I have no problem criticizing their OS, apps, or philosophy. I want Apple to improve, and grumble when they drag their feet, or, start to follow trends in app/gui design (e.g., I've noticed the menubars of their apps aren't consistent, or that some apps are just fucking retarded: preview and iphoto... wtf?).

      Zealots see their choice as infallible. Period.

      We both have brand loyalty, but I think the former is more reasoned in their

    • by jbolden (176878) on Saturday May 05, 2012 @03:03PM (#39903187) Homepage

      So what I foresee happening is that Apple will bundle a critical security fix with something else which the users don't want and they will refuse to update their machines.

      They have already bundled security fixes with feature removals and the users update. You don't buy Apple if you aren't willing to understand that ultimately Tim is in charge.

  • by RogueWarrior65 (678876) on Saturday May 05, 2012 @10:26AM (#39901303)

    Sour grapes, much? Jeez. The only malware A) is a Java problem and B) uses Office as the transmission medium.

  • Microsoft exec: "More people are going to be trying to attack Macs... and we've got the receipts to prove it!"
  • The vulnerability is in MS Office for Mac. Don't run MS Office, and you're safe from this particular malware.

    This is on MS to fix, not Apple.

    Please RTFA before saying this is a "MacOS vulnerability"
