Firefox's track record is a lot better w/ regards to patch speed.

Also, Safari has a couple of nasty habits that can reduce security: things like automatically opening downloaded files, allowing Javascript to manipulate window attributes, etc.

I've never had a security issue with Safari either, but that doesn't mean that it's secure. I've never had a security issue with any software I've used (and that includes Windows) -- but a large part of that is because I am extraordinarily cautious...
Safari doesn't need to be patched as often as Firefox. Safari doesn't automatically open downloaded files, unless you select that option. Like Firefox, Safari has add-ons to customize and add features. Javascript cannot manipulate any of my Safari window attributes.

Again, Firefox has no advantage over Safari in terms of security.
 
Safari doesn't need to be patched as often as Firefox.

Yes, it does. Did you take a look at the link that I posted? There's at least one open vulnerability that Apple's ignored for over a year.

Safari doesn't automatically open downloaded files, unless you select that option.

Yes it does. The default is to automatically open "safe" files after downloading.

Like Firefox, Safari has add-ons to customize and add features. Javascript cannot manipulate any of my Safari window attributes.

IIRC out of the box, Safari has no way to prevent Javascript from tampering with your window attributes. Yes, you can extend its features and combat said Javascript abuse, but if we're talking out-of-the-box config, Safari has no controls over that.

Again, Firefox has no advantage over Safari in terms of security.

Except it does. See above: Mozilla patches holes quickly, and currently the only one of the two that has outstanding vulnerabilities is Safari.

It's not a matter of opinion: check the US-CERT notes if you don't believe me.
 
Yes, it does. Did you take a look at the link that I posted? There's at least one open vulnerability that Apple's ignored for over a year.
If you're referring to the spoofing of the URL in the address bar, that poses absolutely zero security threat, which is probably why it's low priority. A spoofed address (although I've never encountered it) cannot harm your system at all.
Yes it does. The default is to automatically open "safe" files after downloading.
The default is to only open safe files... so it's safe. It only takes a mouse-click to turn that off, which anyone should do before using their browser. Still, it's not a threat.
IIRC out of the box, Safari has no way to prevent Javascript from tampering with your window attributes. Yes, you can extend its features and combat said Javascript abuse, but if we're talking out-of-the-box config, Safari has no controls over that.
Firefox lacks a LOT of features that are only provided via add-ons. There are elegant and simple methods for limiting Javascript on both browsers.
Except it does. See above: Mozilla patches holes quickly....
Because they have more holes to patch.

The point is, the OP does not need to dump Safari for Firefox in order to have a safe browsing experience. Both are good browsers. Both have vulnerabilities. Both have add-ons to provide features that aren't in the basic version. Both are safe to use on a day-to-day basis, if the user exercises some basic common sense.
 
Mozilla patch bugs far faster than Apple do in Safari. Mozilla's code has more people looking over it. Firefox's NoScript addon makes it far more secure.

There are trojans for OS X, but that's not because of a security flaw in OS X. A trojan is no more than an application.

There is a newly discovered exploit for disk images which can allow root access if a malicious disk image is opened. Think about it. Some poor person goes to a site with Safari, which is actually a download link, downloads a nasty disk image, and then opens it automatically. System gets compromised.
 
...
There is a newly discovered exploit for disk images which can allow root access if a malicious disk image is opened. Think about it. Some poor person goes to a site with Safari, which is actually a download link, downloads a nasty disk image, and then opens it automatically. System gets compromised.
Simple solution:

Picture 2.jpg

The all-bold font is unnecessary.
 
I download some files from the internet. A lot of good utilities out there. Sometimes, I am not sure if the site I download is from a legit site or not since there are so many sites out there.

How do I know some of those files are not trojans?
How can I check my computer?
 
...

How do I know some of those files are not trojans?
How can I check my computer?
You know because any site distributing Mac malware would be instantly outed by the Mac community, the Windows fanboys who look for chinks in the Mac's armor, and by the security utility developers.
 
Simple solution:


The all-bold font is unnecessary.

Yes, the bold was probably overdone a little. :rolleyes:

The users most at risk of getting a trojan are the same users who won't think to deselect that box. Either way, it doesn't really matter, since Apple is likely to fix this flaw soon, and it's unlikely that the flaw will actually be exploited in the wild. Apple shouldn't have that box checked by default.

Without going into a lot of detail, Firefox has got NoScript, which adds a strong layer of security, and security flaws are patched faster. Safari isn't too bad, but Firefox is better.
 
Yes, the bold was probably overdone a little. :rolleyes:

The users most at risk of getting a trojan are the same users who won't think to deselect that box. Either way, it doesn't really matter, since Apple is likely to fix this flaw soon, and it's unlikely that the flaw will actually be exploited in the wild. Apple shouldn't have that box checked by default.

Without going into a lot of detail, Firefox has got NoScript, which adds a strong layer of security, and security flaws are patched faster. Safari isn't too bad, but Firefox is better.

If Apple fixes these flaws does that mean I'll be safe? I know not safe "safe" but from the past porn stuff?
I can give one example... crocostars....if anyone knows that site... don't type it in unless u want to test it.
I would like to not feel dirty but now that I do I won't buy anything off iTunes or do anything with money online with banks. :(
 
If Apple fixes these flaws does that mean I'll be safe? I know not safe "safe" but from the past porn stuff?
I can give one example... crocostars....if anyone knows that site... don't type it in unless u want to test it.
I would like to not feel dirty but now that I do I won't buy anything off iTunes or do anything with money online with banks. :(

Don't be too paranoid.

The threats on porn sites were trojans, pretending to be video format codecs. Download Flip4Mac WMV Player and Perian for Quicktime, and you'll never ever need another "codec".

The flaw in Safari I mentioned was used in a hacking competition called Pwn2Own. Safari was directed to a website, and the Javascript on the site was malicious and used a memory overflow to take control of the computer. Firefox with the NoScript addon protects against these types of attacks.
 
just make sure to wipe down that unibody after, and i don't think anyone will be getting any viruses on or from that computer

^I "lol"d at this.

And I wouldn't worry, any Mac virus that is a real threat will be widely publicized by the media claiming that Macintosh is not as secure as previously thought, scaring users to buy useless anti-virus software, and Apple will release an update to patch the hole and all will be well.
 
If you're referring to the spoofing of the URL in the address bar, that poses absolutely zero security threat, which is probably why it's low priority. A spoofed address (although I've never encountered it) cannot harm your system at all.

Wait... so the ability to display false information in the address bar is not a security risk?

Really?

You do realize that this hole poses a tremendous risk to users' privacy? Most people have trouble determining whether or not a site uses SSL -- do you honestly think they're gonna go about verifying that the address in the browser bar is the actual address of the page they're viewing? 'course not. To these folks, a spoofed address bar can well mean the difference between logging into PayPal and logging in to a phisher's site.

The default is to only open safe files... so it's safe.

You're joking, right? It's safe because the label says "safe files"?

Keep in mind, as far as Safari is concerned, a DMG is "safe". Unfortunately, exploits in the disk image framework mean that just mounting a DMG can compromise your system. Oops. Looks like disk images aren't so "safe" after all.

It only takes a mouse-click to turn that off, which anyone should do before using their browser. Still, it's not a threat.

I thought we were discussing default configs? If you're willing to account for post-install tweaking there shouldn't be any debate at all -- Firefox wins, hands down.

Firefox lacks a LOT of features that are only provided via add-ons.

Such as?

There are elegant and simple methods for limiting Javascript on both browsers.

AFAIK Safari has nothing like NoScript available from Apple or from any third-party dev.

Because they have more holes to patch.

So Apple is slower at patching holes because Safari has fewer holes? Assuming I go with that conclusion (which I don't, given that you've provided no evidence supporting it), I still fail to see how this justifies taking longer to patch holes. An exploit is an exploit; it doesn't matter if it's a rare occurrence -- if your users can be harmed by it you need to fix it.

The point is, the OP does not need to dump Safari for Firefox in order to have a safe browsing experience. Both are good browsers. Both have vulnerabilities. Both have add-ons to provide features that aren't in the basic version. Both are safe to use on a day-to-day basis, if the user exercises some basic common sense.

Both are better than Internet Explorer. Firefox has no unpatched holes. Safari does.

Firefox allows users a simple way to control what Javascript executes and what does not. Safari does not.

Firefox (again, via NoScript) provides protection from XSS attacks. Safari does not.

Yes, both are (probably) safe for normal use, but Firefox is a slightly safer alternative.
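An added example, not part of the thread or any poster's words: a triage helper for a downloads folder that identifies each file from its bytes instead of its name, which is the gap behind both the "safe files" dispute and the fake-codec trojans mentioned earlier. The function names, verdict labels and sample files are assumptions made for this illustration, and the verdicts are hints for review, not malware detection.

```python
from pathlib import Path

# Well-known leading signatures mapped to a content kind.
HEAD_MAGIC = [
    (b"%PDF", "pdf"), (b"\xff\xd8\xff", "jpeg"), (b"\x89PNG", "png"),
    (b"PK\x03\x04", "zip"), (b"MZ", "windows-exe"),
    (b"\xcf\xfa\xed\xfe", "mach-o"), (b"\xce\xfa\xed\xfe", "mach-o"),
]
EXT_KIND = {".pdf": "pdf", ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png",
            ".zip": "zip", ".dmg": "disk-image", ".exe": "windows-exe"}
# Containers, executables and unidentified content wait for a deliberate open.
HOLD = {"disk-image", "zip", "mach-o", "windows-exe", "unknown"}

def sniff(head: bytes, tail: bytes) -> str:
    """Identify content from its bytes, ignoring the file name."""
    # UDIF disk images end in a 512-byte trailer starting with "koly";
    # raw images without that trailer are not recognised here.
    if len(tail) >= 512 and tail[-512:-508] == b"koly":
        return "disk-image"
    for magic, kind in HEAD_MAGIC:
        if head.startswith(magic):
            return kind
    return "unknown"

def triage(name: str, head: bytes, tail: bytes):
    """Return (kind, verdict) for one file; verdict is a review hint."""
    kind = sniff(head, tail)
    expected = EXT_KIND.get(Path(name).suffix.lower())
    if expected is not None and expected != kind:
        return kind, "mismatch"  # the name claims one type, the bytes another
    return kind, "hold" if kind in HOLD else "document"

def scan(folder):
    """Triage every regular file in folder, reading only its head and tail."""
    results = {}
    for path in sorted(Path(folder).iterdir()):
        if path.is_file():
            with path.open("rb") as fh:
                head = fh.read(8)
                fh.seek(max(0, path.stat().st_size - 512))
                tail = fh.read(512)
            results[path.name] = triage(path.name, head, tail)
    return results

# Constructed sample inputs (not real files): bare headers and a fake trailer.
DMG = b"\x00" * 64 + b"koly" + b"\x00" * 508
SAMPLES = {"holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
           "codec.dmg": DMG, "player_codec.jpg": DMG, "notes.txt": b"hello"}

def demo():
    return {n: triage(n, d[:8], d[-512:]) for n, d in SAMPLES.items()}
```

Calling `scan()` on a real downloads directory returns the same `(kind, verdict)` pairs per file name; a "document" verdict only means the bytes match a document type, not that the file is harmless.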
 
Wait... so the ability to display false information in the address bar is not a security risk?
No. The security risk is someone going to a site like PayPal or their banking site via a link in a spam email or from another site, rather than going directly to the site. There's just as much danger from people not even paying attention to the address bar when they're visiting sites. The point is, if you're foolish enough to visit such sites (PayPal, banks, etc.) via any other method than going directly to the site, you're asking for trouble, whether you have Firefox, Safari, IE, or another browser.
It's safe because the label says "safe files"?
No, there are limited files that Safari would open upon download, if someone was foolish enough to leave that option enabled. It wouldn't automatically launch a program, for example. A document opening, such as a picture or PDF, is no threat to Mac OS X. As I've said before, a single mouse-click turns that option off completely.
Keep in mind, as far as Safari is concerned, a DMG is "safe". Unfortunately, exploits in the disk image framework mean that just mounting a DMG can compromise your system.
Not true. Just opening a DMG does nothing but allow you to see what's on the volume. It can't do anything harmful to your system unless you install something, entering your admin password. By your own admission, the "flaw" you keep harping on is not in the wild, but something used in a hacking competition. You only bring it up so you can have something to complain about regarding Safari. Millions of Safari users will never encounter that situation.
I thought we were discussing default configs?
No, that's an argument you keep trying to introduce. The OP's question wasn't "which browser is better out of the box, with no add-ons and with default settings", but you seem determined to hijack the thread for that argument. If you want to discuss that, start a separate thread. The OP asked how to determine if his system had been compromised. He didn't ask for you to launch into a sales pitch for Firefox. Your bias for Firefox and against Safari is duly noted, but it is inappropriate to recommend that the OP dump Safari, just because YOU prefer Firefox.
AFAIK Safari has nothing like NoScript available from Apple or from any third-party dev.
Key word: "AFAIK". SafariStand and SafariBlock both have script limiting capabilities.
 
Just last week I visited a website that said I had 3,423 virus on my computer and I should download the advertised anti virus software. When I tried to download it, it was called Norton.exe and I could open it on my Mac so I think this was another virus!

I think the best solution for this is to turn off all our Macs now, unplug them from the wall and spray them all with disinfectant.

Then pour petrol over them and set fire to them as there are just soooooo many viruses out there that you need to worry about. :rolleyes:

Then again if my Mac is destroyed how will I check the internet to find out about the impending meteor about to impact Earth and kill us all! :eek:
 
Not true. Just opening a DMG does nothing but allow you to see what's on the volume. It can't do anything harmful to your system unless you install something, entering your admin password.

Unless, of course, the image was created using code similar to this, in which case it can run anything as root.

By your own admission, the "flaw" you keep harping on is not in the wild, but something used in a hacking competition. You only bring it up so you can have something to complain about regarding Safari. Millions of Safari users will never encounter that situation.

What? Nowhere did I state that this flaw was something used only in a hacking competition.

I honestly don't know if it's used in the wild. I can't say that I've read anything about it being deployed in the real world, but that doesn't mean that someone hasn't tried it.

He didn't ask for you to launch into a sales pitch for Firefox. Your bias for Firefox and against Safari is duly noted, but it is inappropriate to recommend that the OP dump Safari, just because YOU prefer Firefox.

I apologize. In the future I shall vet all my comments with you first so as to ensure that I don't post something that you don't approve of.


If the OP were concerned about what browser handled Javascript the fastest, I'd recommend Safari 4. If the OP were concerned about what rendering engine supported the latest and greatest CSS 3/HTML 5 tricks, I'd recommend a trunk build of WebKit. If the OP were concerned about memory usage, I'd recommend Opera. The OP was concerned about security, thus I recommended Firefox.

I recommended Firefox because it's easier to secure (i.e. there are extensions that offer lots of control over the browser's operation) and because Mozilla's track record indicates that they patch bugs faster than Apple does. I'm no more biased towards Firefox than I am towards Chrome. Every browser has its areas of excellence; Firefox is unique in that it can be customized to offer far more control over what webpages can and cannot do to your machine or with your data.

Key word: "AFAIK". SafariStand and SafariBlock both have script limiting capabilities.

Do they provide any clickjacking protection? XSS protection? What do they offer in terms of HTTPS cookie enforcement? How about embedded content whitelisting? Script surrogates? Web bug filtering?

Yes, both of those feature some script whitelisting support, but they have nowhere near the features that NoScript offers.
 