Microsoft: Macs 'Not Safe From Malware, Attacks Will Increase'

An anonymous reader writes "Microsoft researchers have analyzed a new piece of Mac malware that uses a multi-stage attack similar to typical Windows malware infection routines. In a post titled 'An interesting case of Mac OSX malware' the Microsoft Malware Protection Center closed with this statement: 'In conclusion, we can see that Mac OSX is not safe from malware. Statistically speaking, as this operating system gains in consumer usage, attacks on the platform will increase. Exploiting Mac OSX is not much different from other operating systems. Even though Mac OSX has introduced many mitigation technologies to reduce risk, your protection against security vulnerabilities has a direct correlation with updating installed applications.'"

Not really surprising

[TheRaven64]

Possibly a biased source, but not exactly a shocking conclusion. The OS X kernel is a massive amount of C and embedded C++ code. On top of that is a huge pile more code. It's not going to be bug free, and at least some of those bugs will be exploitable. It does about the same set of things as other modern operating systems to reduce the damage that a compromised application can do (e.g. making it easy to run apps in sandboxes), but any network-exposed system running arbitrary code is vulnerable, the only question is whether the effort involved in finding and exploiting a vulnerability is greater than the reward.

Re:

[realityimpaired]

Possibly a biased source, but not exactly a shocking conclusion.

That's the problem. While the conclusion is hardly surprising, and is in fact what many people have been predicting for years, a lot of people are going to say "oh, it's Microsoft, FUD!" and ignore it. Interestingly, using many of the same vectors a virus for Linux is equally possible, it's just that most virus writing these days is done for profit, and it's not a big enough target to make it worth their time.

Re:Not really surprising

[drerwk]

Until MS ports Office to Linux, Linux is safe from this particular vulnerability.

Re:

[cyber-vandal]

Bullshit. Office 2007 doesn't even work flawlessly under Windows.

Re:

[Anonymous Coward]

Virus ? Seriously you can craft some damned document in postscript that can thrash any system that has the ps interpreter.
PS is a turing complete language. You can pull some crazy stuff with this shit.

Re:

[Entropius]

Will it actually thrash it so that it requires a reboot, or just soak up all the CPU cycles on one core until the user gets around to running top and killall -9? (I guess this basically boils down to: does postscript have a fork call?)

Re:

[Dunbal]

a lot of people are going to say "oh, it's Microsoft, FUD!" and ignore it.

Nah that's the thing about having 90% market share - you don't get ignored even when it _is_ FUD.

Re:Not really surprising

[martin-boundary]

Nope, and yes, it's Microsoft FUD to some extent.

It's true that *abstractly*, any computer system has bugs and vulnerabilities, and if you attach it to an untrusted network and if this network has a lot of malware that targets the system then compromises will happen, in direct proportion to the quantity of malware in circulation and the number of bugs and vulnerabilities in said system, which itself is proportional to the amount of code etc.

But having said that, malware is not very smart or adaptable and this has nothing to do with the profit motive: every tiny change in a target system requires a rewrite or an addition to the malware code, and the more additions there are the bigger and more conspicuous the malware becomes, which makes it easier to recognize.

That's why patching systems is effective, the malware is too dumb to smoothly react to the unexpected. It's also why predominantly Microsoft and to some extent Apple systems are more vulnerable than Linux systems. Microsoft OSes are hyper identical (available APIs, installed software, etc), so malware can be quite dumb and still be successful. Apple systems are a monoculture too. But OSes that come in kits and have lots of alternative subsystems that must be configured by users/owners, like Linux, are inherently safer. The malware just has too many variations to consider when it tries to invade. Note that systems like Android are also more vulnerable, like Apple systems, because the needs of user friendliness and unified user experience result in monoculture again.

And thats where the commercial/consumer world is shooting itself in the foot. As the installed base grows, the cluster of identical machines grows at the same rate. Whereas in the more chaotic world of Linux/*BSD, the total installed base can grow but it's ok to fracture into alternative distros and flavours, and it suffices for the number of incompatible alternative clusters to grow at the same rate as the total installed OS base, so you can have more and more clusters which are all of a limited size and any malware can only affect one or two clusters at a time.

Re:

[andydread]

Yes but unfortunately [slashdot.org]

Re:

[__aaltlg1547]

But the monoculture of Apple and to a lesser extent Windows is also what makes those systems so useful to so many people. You don't have to understand every intricacy of software systems that branch like a wild vine to get something done on a stock Windows or Apple system.

The same thing that makes the Apple and Windows system so vulnerable to malwares is what make it so easy for a user or an administrator to comprehend how to use and configure it. And this is for the same reason. It's inefficient for h

Re:

[binarylarry]

While kind of true, Linux is so widely used on public networks that it's easily the most secure out of Mac OSX, Windows and Linux.

That's not to say it's impervious but no one got fired for running Linux. ;)

Re:Not really surprising

[dynamo52]

... no one got fired for running Linux

That's because by the time they had a fully functional system, there were so many obscure configurations, custom scripts, and dirty hacks required that they are the only one who knows how to administer it.

Re:

[__aaltlg1547]

It's not widely used because it's secure. It's widely used because it's cheap, and it's easily capable of doing the job in back-end environments where it can be locked down and prevented from running arbitrary code at the user's whim.

Re:

[Megane]

The OS X kernel is a massive amount of C and embedded C++ code.

Except the kernel isn't the problem. I haven't heard a single word about this recent malware crap that indicates it exploits the kernel or somehow achieves supervisor mode. Nor have I heard a single word about user-less exploits, as opposed to how you could simply install Windows, connect to the network, and have it owned within an hour, if not minutes.

All this has been user land exploits, which require a user to do something. Some of them haven't even required the user to do something stupid, other than t

Re:

[jones_supa]

Does someone know what's the case with Windows 7? Let's say I install the original gold master of Win7 and apply no patches, leave it with a public IP address but don't otherwise do anything. Is the box vulnerable?

Re:

[PNutts]

Does someone know what's the case with Windows 7? Let's say I install the original gold master of Win7 and apply no patches, leave it with a public IP address but don't otherwise do anything. Is the box vulnerable?

The Microsoft Exec that claimed early in Windows 7 lifecycle backtracked from those comments. Combined with the security patches released since it's release the answer is Yes.

Anyone who thinks otherwise hasn't connected to a network yet.

Re:

[Zemran]

It was also found that the Titanic was not unsinkable... Shock Horror !!!

I do not think that any intelligent person thought that Macs are unsinkable/invulnerable, just that they are much harder to attack than a Windows box. Same with Linux, of it can be, it is just much more safe than Windows.

Re:

[MtViewGuy]

Leo Laporte on the "This WEEK in Tech" and "MacBreak Weekly" podcasts have said several times over the last 5-6 years that the reason why Macs running OS X haven't been hit with malware was that until very recently, there wasn't enough Macs out there to justify the effort to write malware that can infect these machines.

But now, with the terrifying success of the "Flashback" malware, it's now open season on Mac users. As such, Apple may have to develop a true Internet security suite with automatic virus/malw

Re:

[phantomfive]

Apple is doing something to mitigate malware problems, though.

What's the biggest attack vector for malware? Users installing it themselves. What is Apple doing to stop it? Making their App store the primary source for all software installs.

user-friendly software deemed insecure, news at 11

[Anonymous Coward]

Maybe we need a new motto? You can have it easy to use, affordable or secure. Choose two.

Re:

[Anonymous Coward]

The thing is OSX doesn't really fit into ANY of those categories =P

Re:

[Entropius]

I dunno, Linux seems to be all three to me. It's braindead-easy to install these days -- hell, my mom can do it by herself, which is definitely not true for Windows.

It's free, and it's pretty secure, only sacrificing security for usability in intentional, configurable ways (i.e. "should I require a password on console login?")

Re:

[BasilBrush]

Interesting that the GP said "easy to use" and you changed that to "easy to install". Which of corse isn't the same thing at all. For sure, Linux is not easy to use. But lets quantify that - it's less easy to use than the other 2 mainstream desktop OSs.

Re:

[Entropius]

I mentioned the installation thing because that's traditionally been one of the confusing bits about Linux.

Use is pretty simple -- you have a menu, it has stuff in it, you click on it. When you want something you don't have you fire up Ubuntu Software Center and go get it.

Re:

[Entropius]

Installing Linux *has* been an issue -- perhaps I'm just older, but it was a serious pain in the ass back in the day.

What distribution(s) have you tried, and what have you been trying to do on them?

Re:

[PNutts]

Are they using more than the browser? "Using Linux" implies the OS, not apps. But if this their first PC experience they don't have years of behavior to undo.

Re:

[bmo]

Interesting that the GP said "easy to use" and you changed that to "easy to install"

But it is easy to use. You can use it all day and never touch a command line ever, just like Windows and OSX.

It's just advantageous to use a command line for things that would drive you batty in any GUI. This is why OSX has bash and Windows has PowerShell.

Oh, right, Microsoft thought so little of the command line they went and wrote a whole new one that even aliases the unix commands like cp, mv, and rm.

Twit.

--
BMO

Re:

[BasilBrush]

The existence and completeness of a GUI does not make it easy to use.

Re:user-friendly software deemed insecure, news at

[jones_supa]

yes, until mom needs word processor (cloud services like google doc don't count), and the ability to watch movies their kids email her of a newborn. The point is, while you could help your mom install linux or whatever other app she needs initially, she can't go out and download or buy additional software on her own, and then install it on her own.

I enjoy linux as any other, but I don't think it passes the grandma test yet.

It's hard to say if grandma is really in a worse position here with Linux. As we know, usually you have all the programs (browser, word processor, movie player...) already installed, while in Windows you have to install all kinds of stuff separately.

That being said, Linux is indeed having bad problems supporting third party stuff. There is currently no easy and unified ways of installing apps or drivers if they come outside of the distribution. :(

Re:

[Teckla]

I've been a professional software developer for a few decades now, and done my fair share of running Linux, including Ubuntu. And, Ubuntu sucks.

Last year, I installed Ubuntu via wubi. It worked great, for a while. At some point, an update caused some kind of grub/kernel incompatibility. Ubuntu never managed to boot again.

So then I decided to install Ubuntu in its own partition and dual boot instead. Surely that would work. And it did, for a while. I foolishly allowed Ubuntu to try to update itself to the la

Re:

[jones_supa]

Unfortunately there's lots of brokenness like that in Linux distros. Things work generally nicely, but when you even slightly fall off the beaten path, there is not enough robustness to handle the condition. You might get some completely wrong error message and somewhere deep is just a script failing with an obscure "Invalid argument".

There should be more attention for things like this than the hipster desktop environment of the month...

Re:

[__aaltlg1547]

Affordable has nothing to do with it. Convenience and security are the pair that can't come together.

The voice of experience

[sootman]

If anyone has a lot of viruses to examine, it's Microsoft!

Re:The voice of experience

[arbiter1]

Accepting the fact your OS has flaw's is first stepping to make a secure OS, Apple for years claimed their OS didn't have any. Know all mac fan boys are finding out the hard way and its only gonna get worse.

Re:The voice of experience

[Joce640k]

How to use an apostrophe [theoatmeal.com]

Re:

[whisper_jeff]

Accepting the fact your OS has flaw's is first stepping to make a secure OS, Apple for years claimed their OS didn't have any.

Uh, no. They didn't. The fact that they've regularly and consistently provided security updates shows that they recognize that they have flaws in their OS that need patching. What they have claimed is that they don't have a lot of viruses, which is absolutely true. Due to Macs not being worth targeting because of a smaller user base, malicious attacks against Macs were very rare compared to PCs (which is always the benchmark they compared themselves to). So their claim was true.

They have never, however, cla

Re:The voice of experience

[burne]

Do I need to point out that the recent incident with FlashBack would have been impossible without gaping holes in Adobe's Flash, Oracle's Java and Microsoft Office?

Microsoft makes a office-suite with no easy way to notify users of available updates and blames Apple for the gaping holes in Office?

Re:

[Nerdfest]

Well, there is a mechanism available to notify users of these updates, but I'm guessing MS is not that interested in handing over 30% of their price. I think Apple's exclusion of 3rd party repositories from their marketplace is pure greed. The Linux model they borrowed from should have been more blatantly copied. I think Windows should do the same, but I think they're following the iOS approach for Metro that locks users to a single market.

One of the best features of Ubuntu, etc, is the single channel for s

Re:

[makomk]

Oracle had closed that "gaping hole" several months earlier, it's just that Apple are really slow at releasing security fixes for serious vulnerabilities in third-party software they bundle with their OSes.

Re:

[breser]

Microsoft has included AutoUpdate in Office for years. Every few months when they put out an update it pops up and downloads it for me. You can get to it by going to the Help menu and choosing Check for Updates in any Office Application if for some reason you want to run it manually. Maybe they could do a better job, but I think your statement that there is no easy way to notify users is fundamentally false.

Re:

[sootman]

When did MS first accept that their OS had flaws? Because securing Windows was about a 12-year journey.

Re:

[PNutts]

Apple for years claimed their OS didn't have any.

Citation needed. From the Apple Support Communities site (non-authoritative): To deal with the Malware, Apple recommends disable Java for anyone with 10.6.7 or less who can't upgrade. [apple.com]

Here's a link from Apple's support site [apple.com] posted in 1998 describing how to protect yourself against viruses in Mac OS 8.1.

I'm too lazy to look for older links.

Re:

[jbolden]

Mac fanboys aren't finding out much of anything the hard way. Most of them have spent years in a relatively virus and spyware free world without having to worry too much. Not perfect but rather good, while Windows users live in a constant state of war.

And it may or may not get worse. Apple has a lot of potential security in place that can be implemented almost instantly if security becomes a top priority; Microsoft was introducing new security features as the virus and spyware wars started. Apple's othe

Re:

[BasilBrush]

Even now, I notice that Apple still doesn't automatically update software by default, so, the only people who tend to install the update are those who are security-minded anyway.

False. By default OSX automatically checks for updates on a weekly basis.

Additionally, your claims as to what sales staff say is hearsay. And given you're an AC and your one checkable claim was wrong, it's not worth much.

ACs donâ(TM)t bother...

[mevets]

If you donâ(TM)t know they are there, who were you replying to?

Re:

[BronsCon]

As for "mac fan boys", if you mean "someone who stupidly claims that Mac OS is completely impervious to malware" I challenge you to name an actual person who fits this mythological description

My boss, even after I told him I had found FlashBack on our PM's Mac and removed it.

No one is safe

[nurb432]

No matter how 'secure' a system is, as long as end users have the ability to install software, systems will still be at risk. Its just part of the deal.

If your particular systems are attacked or not, depends on your market share.

Re:

[jbolden]

We've just seen multi billion dollar virus written for the embedded systems in nuclear reactors and power regulators. It ain't just market share.

Will be a surprise to most OS X users

[Stem_Cell_Brad]

While I will agree with lack of surprise from /.ers, most of my colleagues that enjoy their Macs like to tout "invulnerability" to malware. Mac-pride makes them brave/foolish to the point they will not bother with anti-virus. I think they are more the norm than exception for Mac users. Once the Mac OS reaches a high enough number of users, there will be a significant surprise for most users.

Re:

[jbolden]

I've been on /. and using a Mac for about a dozen years with no anti-virus and no adware protection. No hint of problems.

There is nothing foolish about it. There just isn't much incidence of infection. Once there is a high incidence then I'll start running security junk.

People have been saying this for a long time.

[metrix007]

It's about marketshare. IT has only ever been worthwhile for virus writers to target a platform that is popular enough to warrant a return on investment, whether that be fame or clandestine botnet software.

People always used to use half baked arguments trying to claim that OS X was mroe secure because it was "unix" or some crap, despite OS X being very insecure [osnews.com] for most of it's run.

Aside from being common sense this is supported with some pretty solid mathematics, not least an article in an IEEE journal sho

Re:People have been saying this for a long time.

[flyingfsck]

Hmm, since Linux has by far the largest market share, then by your logic, it must have the most viruses. Yes, Windows probably has the largest market share on desktop machines (a dying breed), but Linux leads on computers overall, by a wide margin. Samsung alone sells hundreds of millions of Linux machines each quarter. So where are the Linux viruses? The difference is in the design, which is not dependent on market share.

Re:

[flyingfsck]

OK, so compare viruses on servers then. Linux clearly runs the vast majority of servers compared to Microsoft. So how does Windows Server stack up security wise? The difference is in the design.

Re:

[spire3661]

The standard 'big box' desktop is on its way out. Pocket computers and docking stations are the future, bank on it.

Re:

[BronsCon]

I was not aware that there was a docking station that provided peripheral (including USB, printing, and mass storage) support, an extended displa, and a full hardware keyboard and trackpad (or mouse/trackball.whatever via USB) for an existing iDevice. In fact, I'm still not aware that there is, even after reading your link.

My Motorola Atrix 4G has this and I am typing this reply from it right now. I think spire3661 might be banking on WebTop, an Android extenstion (by Motorola Mobility, now owned by Google,

Re:

[benjymouse]

It's about marketshare.

No it is not. It is about yield.

Two things have been happening over the past years
* OS X has increased in market share
* Windows and apps running on Windows have grown

Funny

[iMouse]

...a poorly written Microsoft product leaves a vulnerability open for exploitation, yet it is Microsoft who provides an internal assessment and statement that Macs are "not safe from malware".

Re:

[dontmakemethink]

I believe the term "takes one to know one" has never been more fitting.

But it's true, Macs are now plentiful enough to attract the attention of malware purveyors, and the fact that the target market is so unsuspecting must be making them salivate. It's certainly in M$'s best interests to make this known, and they're doing the Mac fanboi's a favor by putting them on alert.

And before someone sharp-shoots me on the apostrophe, it's acceptable to use one when otherwise the plural forms a misleading word. "Fan

Security vulnerabilities by vendor

[Presto Vivace]

anyone who is interested can look up security vulnerabilities by vendor. [securitytracker.com]

Did anyone else notice...

[voss]

Not only was it opportunistic but the vulnerability comes from A MICROSOFT PRODUCT(It was an office for mac issue)!

If I were apple and feeling particulary snarky I would send out an email to my users warning about microsoft software including the microsoft
post and recommend that they not use Office for Mac and switch over to Libreoffice for a more secure computing experience.

Re:Did anyone else notice...

[Amarantine]

Not only that: this particular exploit doesn't even work any more in Lion. Only Snow Leopard and earlier.

Re:Did anyone else notice...

[gstrickler]

And, it doesn't work if you've applied any of the Office patches in the past 3 years. Patches that Office (by default) notifies you about weekly.

Very opportunistic.

Still, they are correct that attacks will increase, and anyone who has refused to install security patches in a needs to change their habits, or they will eventually be infected.

And I think that's their point

[Sycraft-fu]

Not that "OMG Apple is evil," but that "Mac users need to wake the fuck up and think about security."

I've met more than a few Mac users who really believe that "Macs can't get viruses," and such things. They don't patch their shit, have weak passwords, etc, etc. They think the magic Apple fairy will protect them from all harm.

I argued they were like someone living in a rich gated community that left their door open all the time. Nobody had broken in because nobody had really tried, but they weren't really s

Re:

[jbolden]

Well, that's over now

We'll see if it is over now. Sorry if I'm not too concerned. I've been hearing how the virus apocalypse would happen any day now for a dozen years. Meanwhile Apple has been slowly turning up the security and laying the ground work for a rapid shift if they ever need to.

"...Attacks will increase"

[BoogeyOfTheMan]

Am I the only one who thinks the headline sounds kind of like a threat?

Old news

[Anonymous Coward]

I'm gonna go ahead and cite the Ken Thompson hack here:

"It's been more than twenty years since I read Thompson's marvelous paper, but I believe I correctly recall his fundamental point: UNIX, and every system like it, can NEVER be "secure". It doesn't matter how many layers of anti-virus software, "internet worm protection", "firewall" or any other buzzword -- systems like UNIX (including all versions of Linux, Macintosh OSX, and all versions of WinXP) will NEVER be secure. Thompson published his paper and revealed his hack in order to demonstrate this point. "

Closed sourced, open source, free, paid, whatever it is it will never be fully secure and people are foolish to believe anything to the contrary.

what matters is how vulnerabilities are handled

[e**(i pi)-1]

First of all, it must be said that the word "mac fan boy" is one of the most ingenious PR actions against apple. The statement of Microsoft that "macs are not safe" is a too obvious PR spin along the same lines. Any operating system is vulnerable as long as users can modify operating systems. This is not for discussion. What matters is how fast these vulnerabilities are handled and communicated and corrected. Apple as well as Linux distributions have handled vulnerabilities in the past pretty well and I f

A foreseeable difference between MS and Apple

[erroneus]

When Microsoft puts out updates, they just put out the updates.... most of the time in single-fixes which are individually selectable and uninstallable. (Doesn't always work but they try) They do it like this because business depends on compatibility and continued operations of their apps. So if a particular update or patch breaks an important app, it can be rolled removed or at least identified and skipped.

Apple doesn't care about that. Apple will push updates and bundle them with anything they like including feature removal and things users don't want.

So what I foresee happening is that Apple will bundle a critical security fix with something else which the users don't want and they will refuse to update their machines.

Some people here are "fans" of a particular brand or whatever. I'm none of those. I just call them as I see them. But if someone must insist I'm a hater of this or a shill for that, I run Fedora Linux on most of my stuff but I hate Gnome3 so I'm going to CentOS until the people out there get their heads on straight and listen to the users.

Re:

[Sebastopol]

I think there are two kinds of fans: fans and zealots.

I'm a fan of Apple, but I have no problem criticizing their OS, apps, or philosophy. I want Apple to improve, and grumble when they drag their feet, or, start to follow trends in app/gui design (e.g., i've noticed the menubars of their apps aren't consistent, or that some apps are just fucking retarded: preview and iphoto... wtf?).

Zealots see their choice as infallible. Period.

We both have brand loyalty, but I think the former is more reasoned in their

Re:A foreseeable difference between MS and Apple

[jbolden]

So what I foresee happening is that Apple will bundle a critical security fix with something else which the users don't want and they will refuse to update their machines.

They have already bundled security fixes with feature removals and the users update. You don't buy Apple if you aren't willing to understand that ultimately Tim is in charge.

Want some cheese with your whine?

[RogueWarrior65]

Sour grapes, much? Jeez. The only malware A) is a Java problem and B) uses Office as the transmission medium.

Microsoft says Macs no safe

[Gumbercules!!]

Microsoft exec: "More people are going to be trying to attack Macs... and we've got the receipts to prove it!"

Not mentioned in Article Summary...

[DJ Particle]

The vulnerability is in MS Office for Mac. Don't run MS Office, and you're safe from this particular malware.

This is on MS to fix, not Apple.

Please RTFA before saying this is a "MacOS vulnerability"

Re:Oh well.

[Known Nutter]

No.

http://en.wikipedia.org/wiki/Irony [wikipedia.org]

Re:

[smallfries]

Have you read your own link?

Microsoft claims that malware infections will rise on OSX in the future, and as evidence they dissect an exploit that only works on an obsolete version because it is fixed in the lastest version. Your signature is oddly appropriate.

Re:

[hendridm]

More like the pot calling the kettle black...

Re:

[martinX]

http://www.youtube.com/watch?v=L_mrNQBLSMU [youtube.com]

Re:

[dyingtolive]

Achievement unlocked:
Falling for the Alanis Morisette troll.

Re:

[MightyYar]

Words change. Go to a Renaissance fair if you don't believe me.

MS is the vector apparently

[drerwk]

I’m most concerned that this malware uses a three-year-old flaw in Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, and Open XML File Format Converter for Mac. Here’s the corresponding security bulletin: MS09-027 - Critical.

Re:

[drerwk]

And I suppose to be fair in attentive os x users.

Re:"Get the Facts"

[jellomizer]

It comes down to the more popular your OS is, the more problems you will get with security.

Re:"Get the Facts"

[clang_jangle]

In before all the stupid replies that Linux cannot be hacked. :)

I suppose there could be some people stupid enough to say that, but I haven't seen much of it (unless you count obvious troll posts). In fact, a misconfigured linux system is one of the easiest to hack -- but we're discussing malware, not hacking. Since most linux distros are using repositories for all the third-party software (vs non-tech users zooming around the web downloading "10,000 similies!") malware for linux is pretty darned rare -- much more so than windows or os x. Unless, of course, one counts all the android trojans -- I don't because to me android is a completely unique OS that happens to use some linux code.

Re:

[BasilBrush]

Since most linux distros are using repositories for all the third-party software (vs non-tech users zooming around the web downloading "10,000 similies!") malware for linux is pretty darned rare -- much more so than windows or os x.

Of course most OSX third party software is coming from the Mac App Store these days, so the same applies.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:"Get the Facts"

[TWX]

Fact of the matter is, basically all computing requires more trust than should really be granted. We trust Microsoft to patch their vulnerabilities now that malware manages to find ways in through ever more creative means. We trust Apple to have an OS that was never really vulnerable to start with, and we trust GNU/Linux distributions and other free operating systems to have clean repositories and to be free of backdoors. We rely on non-OS, internet-connected software companies to produce software that isn't vulnerable to bringing problems in from the Internet.

All of these are essentially untrue, or are relying on means of security that can't be verified or well tested until something comes out in the wild. We instead rely on updates after the fact, and on feeble attempts by some to make programs to remove malware.

Even in the privileged/unprivileged user landscape that modern OSes are capable of using, too many users desire more credentials on their local computers than they need in order to perform the very basic tasks that a computer user does on a daily basis. In the early days I too was guilty of this, but learned. Unfortunately when there are combinations of vectors to infect the local user and then local root exploits even a good privileges model won't work.

We should demand more out of our browser developers and more out of our plugin developers. That is the single biggest category of infection route, and I'm sorry, but software that voluntarily brings in and deploys the exploit simply by visiting a markup-language page is completely unacceptable. Fix the bugs before worrying about new features.

Re:"Get the Facts"

[BasilBrush]

Android is a great example how malware just gets there, around the obstacles when the market share is right. It's even on their official store.

No. There is virtually no malware for the iOS, which is in the same ball park as far as market share is concerned. So it's not just market-share. Security, including walled gardens, make a huge difference.

Re:

[wavedeform]

I basically agree, but the fact that there continue to be jailbreaks for iOS means that there are serious security holes. Luckily, people seem to be more interested in jail breaking than other exploits.

Re:

[BasilBrush]

The days of being able to jailbreak by visiting a website are long gone. You have to physically connect the phone to a computer in order that it can be re-flashed.

It's not relevant to what downloaded software/websites/document malware could do.

Re:

[wavedeform]

If by "long gone" you mean "not currently available," then OK. Un-thethered exploits reportedly still exist, though:
http://www.engadget.com/2012/05/03/iphone-4-receives-untethered-ios-5-1-jailbreak/ [engadget.com]
http://www.jailbreaknation.com/pod2gs-untethered-5.1-jailbreak-to-support-all-devices-including-iphone-4s-ipad-23-atv3-a5a5x [jailbreaknation.com]

Re:

[BasilBrush]

What I mean by long gone is that it last worked on 4.3.3, which was superseded in July 2011. (We're on 5.1 now, and there has been several point releases in between). And it's never worked in any way, on any version, on latest hardware (iPhone 4S or new iPad).

Un-thethered exploits reportedly still exist

The use of the term "Untethered" is unintuitive and not quite what you think it is. "Tethered" means you need to connect to a computer every time the phone is rebooted. Untethered means it will reboot with the jailbreak still operative even if you're n

Re:

[PNutts]

There is virtually no malware for the iOS

"virtually no malware" != "no malware"

In the context of this discussion he was correct. The real world is not binary.

Re:

[PNutts]

[citation needed]. It's 1.65% according to Wikimedia's stats [wikimedia.org] (includes wikipedia.org traffic - a top 6 site), 5.22% if you include Android.

Here's his citation (according to StatOwl). [wikipedia.org] Aren't statistics cool?

Re:"Get the Facts"

[K. S. Kyosuke]

Most of this has been known by, well, knowledgeable users by a long time. Most of the malware now comes via third party software or stupid users. It really doesn't matter what platform you use, as hackers will find a way around to get the best bang.

As one of my great compatriots once said: Artificial intelligence will soon best the natural one, but there's no adequate substitute for natural stupidity.

Re:"Get the Facts"

[nzac]

In before all the stupid replies that Linux cannot be hacked. :)

I assume you mean cannot get drive-byes. Linux is hacked in broad scene rather often. Linux does not get viruses in the sense that its never happened.

I assume you mean there is likely to be similar security holes in a bleeding edge easy to use distro as windows which may be true.
Linux is extremely hard to compare security on as you can everything from a full on SElinux setup to whatever ASUS use to distribute.

I think rapid updates all security wholes are fixed within a week (worse case) and a low user base make Linux so unattractive for virus spreading that no one needs to worry. When there a successful virus for Linux, then Linux security becomes non-hypothetical and decisions can be made on the security convince trade-off (as of now its just all inconvenience for malware threats).

Re:

[MightyYar]

All three largest OS - Windows, OS X and Linux - are pretty much equivalent now.

So this story finally got me motivated to update ClamXAV and scan my drive. It's been running for a couple of hours now, and so far it has found 4 viruses/trojans... Windows viruses :) They are apparently sitting in my Gmail account, which I mirror locally. One of them is a windows screensaver virus of some kind sitting in my Downloads folder.

I'll get back to putting clam on my FreeBSD server as well. My Windows machine is obviously protected (with AVG).

Re:

[spire3661]

You really need to reassess your perception of mac users. Scads of CS/IT people use macs because its so UNIX-like

Re:

[spire3661]

The other day my NAS reported to me that there are some virus files it quarantined in the Mac backup sparsebundle. So of course i run out and install Sophos on the mac and do a full scan. Turns out it was my Win XP VM that got hosed. So in this case, macs DO get PC viruses.

Re:MS Bullshit, Part 3

[Guy Harris]

Apple now requires all new MacOS X applications to create a proper sandboxing profile,

Apple now requires all new Mac App Store applications to create a proper sandboxing profile. Non-App Store apps need not do so.