But their (ahem) enthusiasm doesn't invalidate the actual facts (whatever they are) behind the stories.
For example, I don't think that list of infected websites is complete, or that that is the only mechanism for infection. We still have more to learn about this malware. And it's POSSIBLE that the low number of user reports of infections could just be that (like myself) most Mac users tend to not bother much with anti-virus software and testing.
Now, as you know, I'm skeptical by nature, suspicious of marketers' motives, and cynical as hell about virus writers and the companies that make money "fighting" them.
We'll all know in a few months whether this was real or not. In the meantime, it appears to me that it COULD be real. We won't know for a while how it progresses. Perhaps like the Y2K event, if it is handled sufficiently well, the aftermath will be minimal and most people will say, "What was that all about? Nothing went wrong!". That would be a nice outcome for this malware.
But that requires action. I'm of the opinion that this COULD be the first successful widespread attack, and that it's worth a reasonable effort to pound it back down into oblivion, on the off chance that if we don't take it seriously enough, we'll learn in a few months that it was worse than we thought.
I'd rather be wrong in the safe direction. :)
It could be real... I have always tempered my advice with "yet..." I have never said, as for-q-clinton claims, that it was impossible. The Macs have YET to be breached. This may be the first successful attempt. But I am not seeing the real world evidence that there are THAT MANY infected Macs out there.
EVERY exploit used against the Mac in CANSEC West has been a JAVA exploit through Safari. Every single one an exploit that Sun did not know about as well. That is why Apple dropped Java as a default inclusion of the installation more than two years ago for OSX Snow Leopard and Lion. Even before, it was an optional install, one of the reasons I have my doubts about the large numbers they are claiming for the infected Macs. Now, if you want Java, you have to download it as a free app from the OSX App Store! Javascript is OK and is still included.
The easiest method of protection from this exploit is to go into Safari and FireFox and any other browser you run's preferences and turn off JAVA. Done. Safe. No body needs JAVA to run for surfing the Internet.
Then, the only other vulnerable Mac users are those that have automatic updates turned off. They don't get the pushed security updates when they are ready, or the new Trojan definitions that come out every 24 hours or sooner as necessary. But you can't protect the terminally stupid... they took a deliberate step to TURN OFF the updates. Why? I haven't got a clue.