Free Republic

To: Swordmaker

Swordmaker,

Simply put you are wrong about the security flaws. A simple search on CERT, SANS or any other popular security website will yield a TON of OS-X advisories, not just trojans but buffer overflows too.... including Zero Day Exploits.... it’s just the way it is...

And any serious security professional with their eyes open knows it.

Furthermore, if you know much about the motivation of malware writers/blackhats, it really is largely about numbers. The more zombies you get the bigger the DDoS attack you can stage. The more computers you compromise...the more SS numbers, credit card numbers, etc you have a chance to snag and sell. The more sites you deface.... the bigger the street cred you get. That’s just the way it is with these guys.

They can choose to put out a hack that only has the potential to hit 10% of the possible target pool....or they can choose to put out a hack that has the potential to hit 90% of the potential target pool. It’s a no brainer which they are going to choose... it’s as simple as that.

Not real familiar with Leopard... I’ve already granted that. However POSIX compliance isn’t that big of a deal.... Windows is mostly POSIX compliant.... you just have to enable the shell/services for it. MS needed to do that in order to meet Fed purchasing requirements. Heck many flavours of Unix (including most Linux distros and FreeBSD) don’t really do any better than that.

The thing about most of the Unix distros I’ve seen is not that they are bullet proof or anything like that.... it’s that they tend to let you dig down to a lot more granular level of how the OS functions than MS... and they often tend to install with only minimal functionality/services enabled. That is good from a security standpoint but comes with a real trade off from the administrative overhead aspect....especially for home users. Admittedly the last time I worked with Mac was only very early OS X... but it certainly didn’t seem to follow that design philosophy....and I can’t imagine later versions would have changed that radically.

Frankly a good Windows admin can achieve much the same results as you would see on a Unix box....although it sometimes takes outside tools/kits to achieve. (The Windows Servers I administer... which are commercial servers hosted on the internet for Fortune 1000 companies haven’t had one successful penetration in over 7 years of operation.... and we get dozens of attempts every hour.)

Plus, it’s REALLY, REALLY dumb advice for anyone to run naked on the internet without some sort of FW (hardware or software) on the point of entry to their home network....regardless of the OS they run on their machines. Especially a home user. There are a lot of even HW level vulnerabilities out there. Plug a printer or multi-function machine into your home network and it may well try to grab a publicly exposed IP from your internet point of access and if it’s set up with SNMP functionality.... as many of those are these days... you’ve got a built in vulnerability without even having to turn your computer on.

Look, I’m not trying to argue that MS is God and Mac crap.... just that for most home users it ends up being a choice between Coke and Pepsi.


131 posted on 01/30/2008 12:20:09 PM PST by Grumpy_Mel (Humans are resources - Soilent Green is People!)


To: Grumpy_Mel
Simply put you are wrong about the security flaws. A simple search on CERT, SANS or any other popular security website will yield a TON of OS-X advisories

This security estimation by counting advisories was well debunked a while ago.

However POSIX compliance isn’t that big of a deal.... Windows is mostly POSIX compliant

Windows is partially POSIX compliant through a compatibility layer, as you said, just enough to make the feds happy. In any case, POSIX compatibility is not UNIX certification.

Heck many flavours of Unix (including most Linux distros and FreeBSD) don’t really do any better than that.

Linux and FreeBSD are pretty much UNIX compliant in fact, but two things keep them from getting official certification: 1) You need a company with the cash and control over the source to push compliance, 2) they change so fast they'd be out of compliance by the time they were in. Apple basically forked BSD in order to have the control necessary to get it certified compliant.

That is good from a security standpoint but comes with a real trade off from the administrative overhead aspect....especially for home users. Admittedly the last time I worked with Mac was only very early OS X.

It works pretty well. You can still call up Terminal and sudo to your heart's delight, but the average user never needs to do that. Some things are actually hidden too well IMHO. For example, you can check a box to enable power management on your hard drives and it works well, but to get the fine-grained control a geek would want you have to go to Terminal. If I turn on Windows file sharing, OS X starts the service and opens the port, pretty simple.

144 posted on 01/30/2008 12:44:48 PM PST by antiRepublicrat

To: Grumpy_Mel
Plus, it’s REALLY, REALLY dumb advice for anyone to run naked on the internet without some sort of FW (hardware or software) on the point of entry to their home network....regardless of the OS they run on their machines. Especially a home user. There are a lot of even HW level vulnerabilities out there.

I've been a Mac user since 1987, online since then (started with a 300bps Panasonic telephone/modem with a home-made cable!), on the net since '95. I've used Macs from the early "SE" right up to my current Intel iMac and this PowerMac g4.

I use a router to connect everything together (with whatever firewall protection comes from Network Address Translation), but other than that, I use no (let me repeat that for emphasis, NO) virus protection software, nothing at all.

I download freely, open attachments left and right.
Without worrying.

And... in twenty years of Mac usage, I have NEVER had a virus, trojan, adware, spyware, ANY of that stuff.

Perhaps there is always a first time. If there is, so be it.

But Swordmaker's post was appropriate. The "average" Mac end user can connect to the net with nothing more than the default Firewall protection included in OS X, and not worry any more than I do about "protection". BTW, I don't even have OS X's firewall running. I don't need it.

A far, FAR, F-A-R cry from the world of Windows.... :)

- John

184 posted on 01/30/2008 2:20:51 PM PST by Fishrrman

To: Grumpy_Mel
Simply put you are wrong about the security flaws. A simple search on CERT, SANS or any other popular security website will yield a TON of OS-X advisories, not just trojans but buffer overflows too.... including Zero Day Exploits.... it’s just the way it is...

No, I am not. I have been tracking and following the security of Mac OSX for seven years... I am totally aware of the vulnerabilities and the exploits (or lack of exploits) for the Mac OSX platform. I read the advisories when they come out and investigate them. I've even reported a couple of vulnerabilities that I've found to Apple.

But, Mel, vulnerabilities are NOT exploits. There are at present ZERO OSX viruses in the wild and ZERO self spreading OSX spyware in the wild and ZERO self installing OSX Adware in the wild. There are Trojans... that require much more user gullibility than most Trojans to install and run. They cannot install themselves.

There have been a half dozen or so Proof-of-concept worms and/or viruses that have only been seen in security company labs... none of them worked as advertised.

That pretty much exhausts the list of Mac Viruses...

They can choose to put out a hack that only has the potential to hit 10% of the possible target pool....or they can choose to put out a hack that has the potential to hit 90% of the potential target pool. It’s a no brainer which they are going to choose... it’s as simple as that.

No, it is not as simple as that. Most viruses hit less than 2% of the available targets (although some have been 100% virulent)... because the Windows community does hide behind firewalls and multiple levels of anti-this and anti-that. If you were writing a virus that could infect 100% of the totally unprotected Mac users which comprise almost 20% of all US computer users... you would have hit 20% of the available computers... TEN TIMES the number the most successful exploits hit. It hasn't happened. Why?

Mel, crackers have written viruses targeting far smaller installed bases than the 30,000,000 Mac users. Some of these have been as small as the 12,000 unpatched Blackice Routers a YEAR after the company released the patch that fixed the vulnerability that was exploited. Several months ago, someone wrote a virus that infected iPods that had been hacked to run Linux... all 200-300 of them. Just last week someone released a virus that attacks only Jailbroken iPhones that have a specific third party application installed. These are ALL far smaller targets than the 30,000,000 unprotected Macs.

Last quarter Macs were 8.3% of all computers sold in the US... and a little over 4% of all computers sold in the world. If all things were equal, we should see at least 4% of the number of viruses in the Windows world being written for Macs. We don't. We haven't for over seven years.

211 posted on 01/30/2008 8:33:37 PM PST by Swordmaker (We can fix this, but you're gonna need a butter knife, a roll of duct tape, and a car battery.)
