Mac Attack a Load of Crap


MacBytes
Feb 22, 2006, 12:03 PM

Category: Opinion/Interviews
Link: Mac Attack a Load of Crap (http://www.macbytes.com/link.php?sid=20060222130349)
Description: On Tuesday, there was news of a security hole in Apple's Safari web browser that allows a system to be compromised by merely visiting a website.

Posted on MacBytes.com (http://www.macbytes.com)
Approved by Mudbug

DUCKofD3ATH
Feb 22, 2006, 01:23 PM
This article hits exactly the right tone: Yes OS X can be compromised by stupid user behavior and there are known vulnerabilities that, in theory, might damage user accounts, but the Unix-based OS X is far more secure than MS Windows and there's no reason to modify your habits if you're a Mac user with common sense.

Really, if there were exploitable hacks or viruses that could damage Mac systems, you just know some l33t hacker would have already created them by now for bragging rights. Yet five years into OS X and we're still waiting for the first virus or serious trojan horse.

Happy to be a smug Mac user (I'm not even keeping my fingers crossed),
DoD

P.S. One more thing, ArsTechnica (http://arstechnica.com/news.ars/post/20060220-6221.html) was also unimpressed by the hoopla over the latest trojan horse news. The article links to a pretty good tutorial on safe computing. Of course it's intended for Windows users, but Mac people can find a few interesting tips -- while giving thanks that they don't have to deal with any of the main problems the article discusses.

weblog: http://www.toptechwriter.us/weblog/

p0intblank
Feb 22, 2006, 02:20 PM
That was an amusing article. :) You have to love his comment at the end about his IP address. :p

XNine
Feb 22, 2006, 02:27 PM
Anyone who uses "marketshare" as an excuse should be shot. It's FUD. The reason OS X hasn't had a virus yet? Because no one's been able to do it. Plain and simple.

Mr. Kahney is becoming a senile fool. His two latest articles have proven that.

VanNess
Feb 22, 2006, 02:31 PM
I agree that there was a certain amount of opportunism taken by security software vendors (who have long crowed about potential Mac "vulnerabilities," or more often, the theoretical case for them) and the expected media sensationalism surrounding "Leap-A." Nevertheless, pointing fingers at less-than-savvy users and "social engineering" isn't exactly reassuring as a care-free antidote in the long run either.

I think I might have posted this here before, but it bears repeating: any serious discussion of software security must involve the software vendor itself, insofar as their critical role in designing software that is secure out of the box. Here is where Microsoft fails miserably, and Apple shines in comparison. A good example of this was the "evil widget" non-event, where it was theorized that someone, in the early days of OS X Tiger, could write an "evil widget" that could automatically install itself on a user's system without the user's knowledge. Just visiting the worldwide wicked website would be all that was needed to do the deed.

Although no "evil widget" ever materialized, Apple's response was quick and exhaustive in changing OS X's widget installation procedure so that an evil widget event could never occur, regardless of "social engineering" tactics or simply relying on a presumed technical expertise of the user.

I suspect Apple will respond similarly here. In Safari, the contents of user downloads (such as zip and dmg files) are already sniffed for the presence of an application and the user is warned via dialog. I don't know to what method or extent Safari is using to accomplish this (file/creator vs extension or some other method) but it seems reasonable that whatever method it's using could be extended to include discovering unix shell scripts and/or executables of which potential trojans such as Leap-A are apparently dependent.

So, all in all, the media can say what it wants about Mac OS vulnerabilities, but the inescapable fact is that Apple isn't Microsoft and OS X isn't Windows. You can't just blur malware into a lump category as if there was no distinction between the two.
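The download sniffing the post above speculates about, as an added example rather than Safari's own mechanism (how Safari actually inspects downloads is not described on this page): a small Python script that opens a zip archive and flags members that would execute rather than open as documents, using the Unix mode bits, a `#!` shebang, a Mach-O magic number, an `.app` bundle path or a script extension. The archive contents, the heuristics and the `classify_entry`/`inspect_zip` names are this example's own assumptions.

```python
"""Inspect a zip archive for members that would execute rather than open as documents.

Added example (not Safari's or Apple's code): a stand-in for the kind of download
sniffing discussed in the thread, extended to shell scripts and Mach-O binaries.
"""
import io
import zipfile

# Mach-O magic numbers (32/64-bit, both byte orders) plus the fat/universal header.
# 0xCAFEBABE is also the Java class-file magic, so treat it as a hint, not proof.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
    b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe",
}
SCRIPT_EXTENSIONS = (".sh", ".command", ".pl", ".py")


def classify_entry(info, head):
    """Return the reasons an archive member looks executable (empty list = plain data)."""
    reasons = []
    if info.filename.endswith("/"):          # directory entry, nothing to run
        return reasons
    # Unix mode bits live in the high 16 bits of external_attr when the archive
    # was created on a Unix-like system (create_system == 3).
    mode = (info.external_attr >> 16) & 0o7777
    if info.create_system == 3 and mode & 0o111:
        reasons.append("exec-bit")
    if head.startswith(b"#!"):               # interpreter script
        reasons.append("shebang")
    if head[:4] in MACHO_MAGICS:             # native Mac OS X binary
        reasons.append("mach-o")
    parts = info.filename.lower().split("/")
    if any(p.endswith(".app") for p in parts[:-1]):
        reasons.append("app-bundle")         # file lives inside an application bundle
    if parts[-1].endswith(SCRIPT_EXTENSIONS):
        reasons.append("script-extension")
    return reasons


def inspect_zip(data):
    """Map each suspicious member name to its list of reasons; clean members are omitted."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:
                head = fh.read(8)            # only the first bytes are needed for magic checks
            reasons = classify_entry(info, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive():
    """Constructed sample data: a text file, a shell script and a bundle stub (not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, mode, payload in [
            ("Photos/readme.txt", 0o644, b"Holiday pictures, 2006\n"),
            ("Photos/install.sh", 0o755, b"#!/bin/sh\necho hello\n"),
            ("Photos/Viewer.app/Contents/MacOS/Viewer", 0o755,
             b"\xcf\xfa\xed\xfe" + b"\x00" * 28),   # 64-bit little-endian Mach-O magic only
        ]:
            zi = zipfile.ZipInfo(name)
            zi.create_system = 3                     # mark as Unix-created so mode bits apply
            zi.external_attr = ((0o100000 | mode) & 0xFFFF) << 16
            zf.writestr(zi, payload)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in inspect_zip(build_sample_archive()).items():
        print(f"warn: {name}: {', '.join(reasons)}")
```

A real download check would also look inside nested archives and disk images, and would treat any single hit as enough to show the warning dialog; the point here is that the decision rests on the member's contents and mode, not on the name the sender chose for it.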

nagromme
Feb 22, 2006, 03:34 PM
I was all ready to remind my Windows-bound friends that neither of these two recent "viruses" can transmit over the Internet, only between local machines (and only in rare circumstances--neither can infect a Mac in its default configuration).

But amazingly, they were already all quite aware that this was smoke without fire. The attitude was "You call that a virus? THAT'S what you spoiled Mac people worry about?!"

So at least SOME people get the truth behind the misleading headlines :)

Successful real world OS X viruses: still zero.

(And yes, the Safari thing--and more importantly Mail as well--should be patched promptly. Meanwhile I've dragged Terminal into Applications instead of Utilities, having heard that it blocks that potential hole.)

pth-webdev
Feb 22, 2006, 03:37 PM
I was writing a text about viruses some time ago, but never posted it anywhere. It needs more examples, but it is a long text already. I hope it adds something to this discussion.

Viruses for Macintoshes, are they here yet?

Goal: There seems to be an ongoing shouting-match about viruses for Macintoshes and whether they exist or not. However, the arguments that are used aren't always correct. This text tries to explain the arguments of both sides. It is a journey through cyberspace.

Before we step beside the discussion: I am not a native English speaker, so there will be both spelling and grammatical errors.

The argument seems to be whether there are or are not viruses for MacOSX. On one side there is a loud claim "there aren't" and on the other side there is a claim that abuse of your computer is something to be aware of. These, however, are not opposite sides, so we need to understand what both parties are saying. So a bit of explanation first.

Every virus is malicious software (or malware for short): software created for the sole purpose of doing harm. Some viruses were created for fun, e.g. to see how far they could spread, but turned out to have a malfunction that caused a lot of trouble. Some viruses were created by someone holding a grudge, but the virus spread beyond what was intended. With increasing experience in how viruses could spread, even complete virus construction sets were offered: applications that would let anyone create a virus by only making a few selections from radio buttons or checkboxes.

However, not every piece of malicious software is a virus. For a program to be a virus, it needs to have several properties:
- it should be able to move a copy of itself to another computer
- it should be able to hide itself from view (a casual computer user might not see it or might see it but take it for something else). This is not necessary, per se, but in order for it to copy itself, the virus must stay hidden long enough or it would be detected and deleted before it could copy itself.

It is important to understand what the malicious things are that software could do. The most basic level is making alterations to the computer: change settings (e.g. move the sound level way up or show things on screen to annoy a user), move or remove important files or change the OS, so the computer would run not as well or not at all. These annoying things are easily detected and once detected a user might look for a cause and might find a fix. To be effective, many viruses would only do these kinds of things on a very irregular interval or only at a given date (say the birthday of a celebrity or in memory of an important event).
More subtle malicious action would be to look for some important information (say the file where all passwords are stored or a file where information about your bank account is stored or files with other private or business information) and send this information someplace. Instead of looking for existing information, malware might collect information, such as registering each keystroke. Since this kind of malware is spying on you, it is called spyware. Kind of obvious, not?
Another type of malware would be something that is sending spam. So a spammer abuses your computer and your internet bandwidth to send email messages that nobody wants to read.

With the changing infrastructure of the internet (more and more dial-in connections become permanent connections through cable or DSL), other possibilities for viruses are created and viruses are becoming less obvious while becoming more effective.

Again, not all malware is a virus. This is an important fact to keep in mind.

Viruses have been able to copy themselves through email scripts, Office macros or by simply being an application that was received as an attachment that a user mistakenly thought was a document. As a result, in the mind of many computer users, viruses are related to email.
However, a virus might also be something that you downloaded, thinking it was a picture of your favorite celebrity, a rare piece of music, the latest gossip about your favorite computer company, or a cracked version of a well known program. Again, although you might actually be downloading malware, it doesn't mean you are downloading a virus.

I remember all kinds of email messages that warned about a virus: "look at a specific location on your hard disk and you will find a file with a given name and a certain icon. This is a virus that you should remove immediately." Each and every message of this kind that I looked into turned out to be a hoax. The file mentioned was perfectly legitimate and by removing this file a user would do damage to his/her own computer. This user would then send the warning to as many people as possible. This also fits the definition of a virus: it's malicious, it causes damage to the computer and it induces fear that causes it to be copied to other computers. All this without writing a single line of code. Ingenious.

It used to be the case that a virus needed to be an application. Many files were downloaded or received as an attachment that, for an unaware user, turned out to be an application. Users with more experience would be able to recognize the download or attachment for what it was or change settings in the OS to make it easier to detect the trickery. Although viruses might still be around that need to be applications, most virus detectors will help users.

To recap: a virus is malware, but there are other kinds of malware, too. You might receive a virus through email, but essentially everything that you put onto your hard disk might be malware in disguise.

So before delving into the aspects that differentiate MacOSX from Windows and even Linux, there is another important technical issue: the security hole. As I put earlier, it used to be the case that a virus needed to be an application. So, you only needed to see if a file was a program. However, someone came up with the idea that while a file is being transferred, the application processing it makes assumptions about what is in the file. Now, if the file did not follow the specifications, then a program could crash or act unpredictably. However, in carefully crafted erroneous files, the program processing this file would misbehave precisely enough to use part of the file as program code. Applications that are widely used to process files from the internet would be the target for abusers looking for opportunities. Examples would be applications like web browsers, image viewers and audio players. Under certain circumstances it could be possible to create a file that contained malicious code. (Again, this is not necessarily a virus but spyware or spamware.) Much attention goes into identifying the applications and how they would react to a file that doesn't follow specifications. In some cases actual abuse was found, but in most cases the security holes are closed before they can be exploited and often exploitation was just hypothetical. The most important factor is the time between when they are published and when a patch is available.

I don't want to downplay the significance of a security hole at all, but we need to understand if our counter-measures (anti-virus, anti-spyware and anti-spamware software) could indeed help. Or how the OS itself could limit the damage that malware can do. It is here where many claims are made that a MacOSX user in general is too care-free.

It is hard to believe that any kind of anti-malware package might recognize doctored files successfully enough to warrant any kind of security against undetected holes, although it might effectively recognize when malware tries to take action. But isn't this such an important issue that the OS itself should offer ways to minimize risk? I think that here is where the discussion should be focused.

So, why do people claim that MacOSX is inherently more secure than Windows? Here are some reasons that I can come up with.
- MacOSX users work in a different way (e.g. many things don't happen automatically)
- MacOSX users aren't as easily fooled (Finder offers a clearer look at files, Safari warns when downloading), although enough will just give their password without asking themselves why it is needed and many will happily just click "OK" without reading the message in a message dialog.
- it isn't easy for a program that needs to be downloaded to disguise itself as a regular file (in fact, we needed StuffIt and now use disk images)
- MacOSX has more reputable sources for freeware and shareware (at least, the author is often known and traceable)
- open-source (e.g. Safari)
- less need to install third-party system additions (e.g. drivers)
- MacOSX hardly ever allows anything to run with unix super-user rights and day to day use doesn't require it
- built-in firewall
- notification if an app runs for the first time
- MacOSX differentiates between installing for a particular user or the system as a whole
- Keychain

There is malware. That much is certain, or at least there are some prototypes to prove a point. But a virus? I don't think so.
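The "carefully crafted erroneous file" problem from the post above, seen from the side of the program doing the processing: an added example, not code from the post, of a parser for a constructed chunked format (`IMG0` magic followed by `<type:4><length:4 big-endian><payload>` chunks) that checks every length field against the bytes actually present instead of trusting it, caps what the file may ask it to allocate, and reports why a file was refused. The format, the limits and the `parse`/`check`/`build` names are this example's own assumptions.

```python
"""Parse a simple chunked file format without trusting its length fields.

Added example, not code from the post: the format ("IMG0" magic, then
<type:4><length:4 big-endian><payload> chunks ending with an "END " chunk)
is constructed for illustration only.
"""
import struct

MAGIC = b"IMG0"
HEADER = struct.Struct(">4sI")      # chunk type + payload length
MAX_CHUNKS = 64
MAX_CHUNK_LEN = 1 << 20             # 1 MiB: cap allocations driven by the file
KNOWN_TYPES = {b"HEAD", b"DATA", b"END "}


class MalformedFile(ValueError):
    """Raised for any input that does not follow the specification."""


def parse(data):
    """Return a list of (type, payload) chunks, or raise MalformedFile."""
    if data[:4] != MAGIC:
        raise MalformedFile("bad magic")
    pos, chunks = 4, []
    while pos < len(data):
        if len(data) - pos < HEADER.size:
            raise MalformedFile(f"truncated chunk header at offset {pos}")
        ctype, length = HEADER.unpack_from(data, pos)
        if ctype not in KNOWN_TYPES:
            raise MalformedFile(f"unknown chunk type {ctype!r} at offset {pos}")
        pos += HEADER.size
        if length > MAX_CHUNK_LEN:
            raise MalformedFile(f"chunk length {length} exceeds cap")
        # The declared length is under the sender's control: compare it with what
        # is actually present rather than reading past the end of the buffer.
        if length > len(data) - pos:
            raise MalformedFile(f"chunk claims {length} bytes, only {len(data) - pos} remain")
        chunks.append((ctype, data[pos:pos + length]))
        pos += length
        if len(chunks) > MAX_CHUNKS:
            raise MalformedFile("too many chunks")
    if not chunks or chunks[-1][0] != b"END ":
        raise MalformedFile("missing END chunk")
    return chunks


def build(chunks):
    """Serialize (type, payload) pairs into the format; used to construct samples."""
    out = bytearray(MAGIC)
    for ctype, payload in chunks:
        out += HEADER.pack(ctype, len(payload)) + payload
    return bytes(out)


def check(data):
    """Return 'ok' or the rejection reason, so a caller can log why a file was refused."""
    try:
        parse(data)
        return "ok"
    except MalformedFile as exc:
        return str(exc)


# Constructed samples: one well-formed file and three that break the specification.
GOOD = build([(b"HEAD", b"\x00\x10\x00\x10"), (b"DATA", b"\xff" * 16), (b"END ", b"")])
OVERLONG = MAGIC + HEADER.pack(b"DATA", 64) + b"\xff" * 16        # claims more than is present
HUGE = MAGIC + HEADER.pack(b"DATA", 0xFFFFFFFF)                   # asks for a 4 GiB buffer
TRUNCATED = GOOD[:-3]                                             # header cut off mid-way

if __name__ == "__main__":
    for label, sample in [("good", GOOD), ("overlong", OVERLONG),
                          ("huge", HUGE), ("truncated", TRUNCATED)]:
        print(f"{label}: {check(sample)}")
```

The three rejected samples are the shapes of input the post describes: a parser that took the declared length at face value would read beyond the buffer, try to allocate whatever size the file names, or run off the end of a cut-off header. Rejecting them up front is what keeps "doesn't follow the specification" from turning into "does something the specification never allowed".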

mvelinder
Feb 22, 2006, 04:40 PM
Smart guy... smart read.

AlmostThere
Feb 22, 2006, 06:37 PM
it should be able to move a copy of itself to another computer
That is a worm.

mduser63
Feb 22, 2006, 10:37 PM
Anyone who uses "marketshare" as an excuse should be shot. It's FUD. The reason OS X hasn't had a virus yet? Because no one's been able to do it. Plain and simple.

Mr. Kahney is becoming a senile fool. His two latest articles have proven that.

It seemed to me that Leander Kahney was complaining that his friend used the marketshare excuse. He himself was arguing that that was not so much the reason for Macs' lack of viruses as OS X's security is.

pth-webdev
Feb 23, 2006, 04:51 AM
That is a worm.

From Wikipedia:

A computer worm is a self-replicating computer program, similar to a computer virus. A virus attaches itself to, and becomes part of, another executable program; however, a worm is self-contained and does not need to be part of another program to propagate itself.

I didn't think that this distinction would be important in explaining the current situation. But you are right, I just refer to both variants as virus. However, the important issue in my text is that there are ways that malicious code can get onto a computer other than software replicating itself. This distinction is what made me write the text.