Why You Shouldn't Panic Over Mac Malware 370
Earlier this week, we discussed reports that Mac malware was finally becoming a significant problem. Now, reader wiredmikey points out an editorial arguing that everyone should slow down and analyze the situation more calmly so the threat can be accurately assessed. Quoting:
"According to Apple, the Mac installed base is approximately 50 million users. But according to Gartner, the number of Android handsets sold in 2010 alone exceeded 67 million units, giving it an installed base that is larger, and growing much faster, than the Mac base. If a large numbers of eyeballs is indeed the lure that causes criminals to write malware for a given operating system, surely Android is a more tempting target than Mac OS. ... I predict that the increase in perceived risks to Mac customers will give Apple the excuse it needs to increase its control over the Mac software ecosystem, by moving ISVs to the Mac App Store. It is no accident that the theme of the upcoming Lion desktop operating system is 'Back to the Mac': taking concepts that Apple employed successfully with the mobile version of OS X (iOS) and back-porting them to the desktop OS. One of those features is the introduction of the Mac App Store, an Apple-controlled storefront for selling and distributing applications. ... This provides buyers some assurance that their apps are from known points of origin and that they don’t contain malware, such as the Mac Defender Trojan horse.
Safari browser exploits (Score:5, Informative)
Re:Now I am _really_ panicked (Score:4, Informative)
It's probably not a popular opinion here, but my experience with the Mac App store is very positive. It works well, no installation hassles, automatic upgrades,... and I have the impression that it drives the price down.
Re:What a load of crap (Score:5, Informative)
Mac users less computer savvy? Not really I've seen a lot of IT- and multimedia-pros using them.
Yes, and I've seen plenty of IT- and multimedia-pros using Windows PCs, yet majority of Windows users are still not too computer savvy. Similarly, from what I've seen the majority of Mac users are equally non-computer-savvy.
And that's the whole issue. These scams and such aren't targeting the pros, they are targeting the people who don't really understand what they're doing. Macs are also more costly than the average Windows PCs and thus it's likely that a person owning a Mac is wealthy enough to make an excellent target for these things.
Re:What a load of crap (Score:2, Informative)
You have pretty much that, if you want your GUI application to run under X11 (well, some things are a bit different, but not that much).
But if you want native OS X applications, then the free alternatives are usually outnumbered by the shareware ones. Shareware has been strong in the Mac ecosystem since before OS X whereas it has been mostly non-existent in the Linux ecosystem.
Re:No need to panic, merely be more careful. (Score:5, Informative)
Yes I have, and it's an attempt to retro-fit a useful security model to a system not designed to have such security from the beginning.
No, UAC uses the already user and process tokens which were in Windows NT from the get-go to strip any token of certain rights. Compared to OS X and unix whic were borne with 12 bits of security, the Windows model is much more granular. The fact that Windows model is built to secure any OS object - not just filesystem objects - makes it more suitable in this exact scenario. The *nix idea of allowing setuid or setgid "servers" to "drop from root" is thoroughly broken and has been the source of numerous vulnerabilities and exploits. Setuid is necessary because *nix does not have sufficiently granular privileges.
UAC is using capabilities which were already there, thanks to the initial design using tokens and handles.
OS X App Store a disappointment so far (Score:5, Informative)
So far, the OS X AppStore couldn't be called 'wildly popular' since its inception on January this year. Regularly, I checked my installed apps for availability in the App Store, because it allows for such easy updating. Lo and behold, only fairly trivial apps are there, the following list is not available in the App Store:
Now I agree that stuff like a bittorrent client (Vuze) and a network sniffing tool (KisMAC) would probably be refused in the App Store. But all in all, the OS X App Store could be called a disappointment so far.
Note that the Opera browser (which contains a bittorrent client) is in the App Store.
It's s smaller pond (Score:5, Informative)
For OSX its the opposite. For every small task that i want to accomplish, i seem to need to pony up. Every small time programmer tries to make a buck with his little program. Nothing wrong with that, but where are the Free/Libre alternatives?
Well, OS X is still a vastly smaller community than Windows, and I suspect that although Linux (desktop) users outnumber OSX users a disproportionate number of Linux users are also programmers. So its not surprising there's less choice. That also means that the money to be made from true "honesty box" shareware is probably smaller, so developers are more likely to require payment. Also, historically, Mac OS "Classic" developer tools and documentation cost an arm and a leg - of course, since OS X they've been free (or very cheap, for iOS), but the early days may have set community expectation. Finally - I don't think OS X is the easiest platform to develop for (however elegant) and OS X users tend to demand nice GUIs on everything.
However - its not all bad: First, OS X is Unix: Install "fink" or "macports" and you'll get access to a huge number of Free/Libre packages from the Linux/Unix world - albeit most of these are command-line or X11. If you don't want to roll your own, lots of major "free" projects offer OSX versions: (off the top of my head and at random: LibreOffice, Eclipse, InkScape, VirtualBox, PostgreSQL, MySQL, Mozilla) not to mention the stuff that is already present in OS X (Apache, PHP, Ruby, Python, Samba, CUPS...) I hope the latter list doesn't diminish too much as projects move to GPLv3.
Re:Safari browser exploits (Score:3, Informative)
Safari browser exploits and other app exploits can still lead to installing malware on a machine.
The point is that
this is not true. Use of a Safari feature that is very useful for anyone downloading legitimate software allows malware to be downloaded and Apple's installer to be started. But "Installer started" != "malware installed". There is this tiny, tiny little gap that the malware cannot cross if the user has a brain: To install the malware, the user has to willingly enter their administrator password. No administrator password, no malware.
Re:What a load of crap (Score:3, Informative)
I always tell them I boycott apple and refuse to even try to learn, which I'm sure I could.
Re:Safari browser exploits (Score:4, Informative)
You're silly, and you've obviously never worked in tech support.
Here's the thing: even in the dreadful, woefully unsafe world of Windows '98 and ME, over 80% of malware infections could've been avoided by having the user learn some simple, seemingly obvious security tips such as do not install fucking Bonzi Buddy EVER AGAIN, you piece of useless, ignorant trash!!!, *ehem*. Yeah, like that.
Social Engineering is still the surest method to gain control of another machine, and the user is still in nearly all cases the most vulnerable part of a given system's security. So far, the only thing that has kept Mac users relatively safe so far has been their relative insignificance in the world of computing as a whole, but if black hats start targeting them seriously they'll buckle just as fast as their Windows brethren.