Kaspersky: Apple security is like Microsoft's in 2002
Apple customers are more at risk from malware now because of their misconception that their iDevices and Macs are secure and because of Apple's poor attitude to security, according to experts. David Emm, senior security researcher at Kaspersky Lab told The Reg that Apple had cultivated the image of the Mac as intrinsically safer …
This topic is closed for new posts.
Re: WHAT!
fruity frim, foxconn rebrander etc.... Reg, that become old now... get a new line. Same as when everyone started taking the piss on AppleInsider comments because every article they wrote included the line "as first reported last XX by us"
Mabybe we will start calling Reg as the Nominet or RackSpace Rebrander, seeing as they are suppliers, or the overdrawn firm ?
as for the article :
"now that Macs were under attack from bot armies like the Flashback Trojan"
What other bot armies "like" flashback? are there? answers greater than 1 only and preferably showing a significant threat.
So effectively he things that BSD is comparable MS XP? Good to know.
I happen to agree that Apple need to up the game slightly, but his comments are waayyyyy out there.
Funny though.
Re: WHAT!
>Exactly my point, also for Mac users. I don't buy myths, I need facts so my Mac has anti-virus installed. Simply to provide proof.
You are assuming that the AV is telling you the truth. How do you know? Are the resources chewed up by the AV more or less than the resources chewed up by being a botnet node? Is the prevention worse than the disease? You might be better just running your banking from a livecd inside a (free) virtualbox. It will probably cost you less than AV and is probably more secure.
Re: WHAT!
...and exactly how do you _know_ the machines are un-infected? I had a friend a number of years ago who wasn't running updated av software or anti-spyware on his Windows machine (w2k to be exact) who thought he was doing fine. When he complained to me how his machine didn't seem to be as fast as it used to be, I recommended he run some particular av & anti-spyware programs on it and he found that he was infested with spyware & virii out the wazoo! He thought his machine was clean, until he actually checked it. So how 'bout you run some anti-spyware/av software checks on your "clean" machines and get back to us with the results. The only way they could be truly clean, without protection, is if they were never connected to the internet.
Re: WHAT!
That patterns made me a fair bit of cash in the past - "My machine's running slowly, but I'm running AV so it can't be a virus". Check the AV and it was last updated {insert long time} ago.
The thing is, security is more than action. It's a fucking mindset, you need to understand that there are risks, and make decisions in light of that. Even if there were 0 strains of malware for your OS, you have to accept that one day there might be, so you take steps to protect yourself in advance.
Half the mac-boys in this comments thread fail outright because they can't even get into the mindset of checking, even occasionally to ensure they aren't infected.
@AC 04:57 - If your machine is part of a botnet, who gives a fuck if the resources required to run the AV are 10x that to run the malware? There's this thing called responsibility, use some and clean your machine! Given that we've seen (admittedly, Windows) malware that set itself up as a CP server, do you really want to risk having uninformed plod kicking your door in because you couldn't be arsed to run AV? It's extreme, granted, but there's nothing to say it couldn't happen.
Re: WHAT!
"You might be better just running your banking from a livecd inside a (free) virtualbox"
Since when have malicious screen or key stroke grabbers not been able to grab the info that they need? I don't buy the notion that using linux or whatever in a VB is better security for banking. The better security would be to have a dual boot PC or live CD and do it that way directly well away from the host Win or OSX.
Re: WHAT!
Indeed, the arrogance of some users, especially partially IT literate ones is astounding.
Re: WHAT!
I don't allow Adobe Anything anywhere near my computers, I don't download random executables off the internet and run them, I don't allow plugins in my browser, I only open known media types with trusted programs and the box is firewalled to buggery both ingress and egress.
I've been doing this for 15 years with no virus, trojan or malware. Kaspersky runs at £60/year, so that's a £900 saving. It's a bet, with myself. I bet that I won't fuck up my machine, and so far, I'm winning.
Very telling...
What is worrying is not someone saying that even MacOS users need to be careful with what they do with their machines.
It's not even that someone feels it is even necessary to say it (it should be pretty obvious to anyone with half a functionning brain cell).
No, what is worrying and very telling is that event though it's extremely obvious, and even though people "in the know" actually take time to explain it slowly and with simple words, a lot of fanbuoys are still in denial, "lalala I can't hear you "-style (as seen in this very comment section for example).
Which kind of proves the point the guys at Kaspersky were making: some Apple customers need to change their attitude towards security, and yes, the impulsion should probably come from Apple (as some Apple customers won't believe anything that anyone else says).
Oh well.
Re: Very telling...
Actually - if you read through this comments section you'll find no (currently) fanbois suggesting that "that even MacOS users need to be careful with what they do with their machines". None. Find me one.
You may find people questioning the "10 years behind" statement. You may find people suggesting that actually this article is very light on facts and reads like a puff for Kasperky. But the the rabidly blythe fanboy is difficult to find. They may be out there, but they are fairly rare.
Re: Very telling...
> find me one
One dismissing the obvious truth because the article mentions the name of a commercial entity, for example?
> rabidly blythe fanboy
That's the sad part. Even the non-rabidly blythe fanbois are contaminated. Look at the comment section: Kaspersky have no interest in bashing Macs whatsoever. They might have an interest in scaring people a little bit, but any sysadmin could tell you that it's rather a good thing. A scared luser is a careful luser. Why would they lie about the state of MacOS security compared to Windows security? Yet you have a thread full of Apple users snickering about how their OS of choice must necessarily be safer than Windows, and the security experts are just peddling bullcrap. Spoiler alert: there is no anti-Apple conspiracy. You guys need to stop thinking that everyone unapologetic of Apple is an evil MS drone out to get you.
I don't think Apple will do anything...
Personally, I think Apple's answer to this will be the Gatekeeper feature in Mountain Lion. It basically lets the user select between running anything or only apps signed for the App Store.
I strongly suspect that "App Store-only" will be Apple's "default" mode and if a user chooses to leave the walled garden then Apple will take no responsibility for anything that forces its way onto users' system.
Assuming it actually does block all malware when switched on it's a clever way to side-step the problem without actually dealing with it...
Re: I don't think Apple will do anything...
Hmmm. Official releases from a software repository, where have I heard this before? We don't think that's a bad idea now do we?
Re: I don't think Apple will do anything...
You have NOT heard that before. Apple invented it. It did NOT exist before Apple invented it. If anyone claims otherwise, they will be sued into oblivion.
1: Macs are flawless, I am constantly told.
2: "XProtect"? Isn't that a bit close at the front to "XP"? I'm surprised that "Ice Cream" isn't at risk for a similar sounding name to iScream, which looks like an apple product.
3: I'm pretty sure this'll get thumbbed down by many fanbois
There is a big difference between Windows and OS X
Windows is a much bigger target because it has been traditionally insecure by design and by user habits (e.g. running as admin or power user) and it therefore it receives the brunt of attacks.
But I think as Windows has hardened up, especially with Windows 7 that attackers might perceive the benefit in attacking OS X more. While OS X has had a pretty sound sudo-like security model since it launched it certainly isn't secure by any stretch. And once they're in they get to enjoy a fairly conventional Unix like environment to work in.
The weakness of the Mac can be seen every time a pwn2own competition comes around and it's the first to fall. Clearly it has vulnerabilities that can be exploited, especially in the usual suspects such as the browser, flash player, PDF viewer and so on. It's just a matter of there being a financial / malicious incentive to do it.
Re: There is a big difference between Windows and OS X
I agree.
Mac OSX is more secure by the design inherited from Unix, it is insecure because of the design of Apple inc. Important decisions, including those on security, seem to be made by sickos like the late Jobs. Apple's careless Java patching was not the first priority, a megalomaniac-type idea that everyone is a thief of "their" product - it was instead.
GNU/Linux and *BSD have secure repositories, central packagers, AppArmor, SELinux or TrustedBSD and no AV bloat. Android has a more sophisticated permission system.
Re: There is a big difference between Windows and OS X
Quote: The weakness of the Mac can be seen every time a pwn2own competition comes around and it's the first to fall. Clearly it has vulnerabilities that can be exploited, especially in the usual suspects such as the browser, flash player, PDF viewer and so on. It's just a matter of there being a financial / malicious incentive to do it.
====================================================
From: http://pwn2own.zerodayinitiative.com/index.html
March 3rd, 2012: Pwn2Own has concluded!
Congratulations to VUPEN for placing first and netting $60,000 for demonstrating 2 0day vulnerabilities; one for Internet Explorer and one for Chrome.
Congratulations to Vincenzo Iozzo and Willem Pinckaers for demonstrating a Firefox 0day and winning $30,000 for placing 2nd.
I believe it
Ever since the Flashback thingy and the 'lock down' of Java in the latest security update, my one and only use of Java (VPN to my work) is a flaky piece of shit - has extreme difficulty recognizing Java is 'enabled'. Now takes me at least 30min of jiggery pokery to get a connection, where as before it was near instant. Bastards.
I'm now going to force a survey of Mac users at work to get their experiences on record, all with a eye towards forcing work to provide a non-Java solution.
And yes, I'm getting increasingly pissed off with Apple. Stuff just keeps crashing - don't get me started on iPhoto 11! Fuckers. Almost makes me want to go Win7.
Antivirus companies are the ones that create viruses in the first place...
It's just as simple as that.
And it's just plain crazy that the majority of the population worldwide hasn't figured it out anyway.
It's so obvious. But nowadays very few people think with their own brain to understand even simple things.
Re: Antivirus companies are the ones that create viruses in the first place...
You should of use'd the "sarcasm" tag. Now youre headed for 259 downvotes. Never assume its too obvious, theirs always someone who will take its eriously.
arrogance and ignorance
don't ignore this apple, it will bite hard otherwise.
To paraphrase Christine Keeler
Well, they would say that, wouldn't they?
Re: To paraphrase Christine Keeler
Pedant alert: That was Mandy Rice-Davies.
Re: To paraphrase Christine Keeler
B'derp! Ah well not a bad try; I wasn't even born. Must go off and check my facts!
Re: To paraphrase Christine Keeler
Oh, and I even managed to misquote it. Taxi!
What a pile of BS
>> "Even when Apple added signature detection to Mac OS, in the form of it's 'XProtect' module, it was done quietly, without any sort of fanfare," says Emm.
Oh, you mean EXACTLY like the Windows Malicious Software Removal Tool that runs during a software update and there's no evidence that it has run unless you catch the tiny status message it displays as it's running...?
>> "I think Mac customers are more at risk because of the historical mis-perception about Mac security. ...
Well, whenever I download a program and try to run it, OS X warns me that it could be dangerous and I'm running it at my own risk, again, EXACTLY like Windows.
This article is basically just a bunch of worthless handwaving about a 2006 Mac TV commercial.
By the way, not sure why iDevices were thrown into the mix since they really are virtually immune to malware thanks to the sandboxing security model for apps. Which Microsoft copied for Windows Phone, a product released 4 years later. Apple is also now doing some sandboxing for apps that you download from its App Store for the Mac. Microsoft still isn't doing anything of the sort (yet).
Re: What a pile of BS
"This article is basically just a bunch of worthless handwaving"
no, it is not.
1. Apple rides on advertising that its invulnerable to PC viruses (http://www.apple.com/why-mac/) . While technically true, it hides the fact that its vulnerable to Mac or cross-platform viruses (e.g. Java ones, like Flashback) , thus not helping the users to understand there are certain risks that still have to be managed .
2. Apple claims to deliver security updates fast (same link as above), which is demonstrably untrue. The fact is that Apple is very slow to deliver security updates to vulnerabilities which are actively exploited in the wild. Flashback update again - Apple released update 7 weeks after Oracle fixed Java runtime for everybody else. Since Apple does not want 3rd party runtime on its platform, users had to wait for Apple. And once update was published, Apple did not make it obvious that update fixes critical security issue and - it would have been too embarrassing.
3. There is no automatic update on Macs. If you don't install update, you will not have it. This leads to many users (who happen to believe in false claims 1. and 2.) simply skipping updates and the result of that is that 23.6% of users running Snow Leopard are out-of-date.
4. Apple is only publishing security updates for current and last version of OS X, meaning older versions do not get updates. This means no security updates for OS X 10.5 or older versions , which is more than 15% user base. This also means that, for 27 millions Macs sold in years 2009-2010, all of those will stop receiving security updates in September 2012 as sold, and will only receive updates for new version of OS X (if user decided to spend money and time on upgrade). For comparison, Microsoft abandons its users after 10 years.
You want figures? Here http://www.zdnet.com/blog/bott/flashback-malware-exposes-big-gaps-in-apple-security-response/4904
Re: What a pile of BS
"not sure why iDevices were thrown into the mix since they really are virtually immune to malware thanks to the sandboxing security model for apps".
Your ignorance is startling and completely typical of Apple users. You will get what you deserve.
@Bronek Kozicki
Re: Point 3
Default behavior for OSX is to download updates automatically & then ask the user if they're ready to install, it *is* possible to make the update happen automatically, but not straightforward. However, the dramatic reduction in Flashback infections from 600,000 to 30,000 within 10 days of the patch (finally) being released, suggests that your assertions are incorrect.
Re: Point 4
Snow Leopard sold ~4 million copies in its first week on sale, so it seems unlikely that anything other than a small proportion of those 27 million Macs are still running Leopard. For anyone with a MobileMe account who is still running Leopard, Apple are now offering a free copy of SL; that should bring even more of those machines back into the patch fold.
Microsoft tried to kill off XP support when it launched Vista, but were faced with a massive backlash from business customers who not only did not want to downgrade to it, but actively began looking for alternatives, by comparison their previous *desktop* OS (Windows ME) went on sale in September 2000 and went out of support in June 2006, which is not entirely dissimilar to the ~5 years Apple supported Leopard (early 2007->end of 2011).
Microsoft supports its *server* operating systems for 10 years, but that's no different from any other server OS vendor.
I wouldn't trust any of Ed Bott's articles about the Mac, he's proved himself to be anti-Apple on more than one occasion and regularly falsifies or mis-represents information in them. Apple themselves only claim 58 million Macs worldwide (and this is more than likely an inflated figure), so it would be difficult for them to let down 70 million of them.
(Not that this excuses their tardyness in getting the update out in any way.)
Re: What a pile of BS
>>"not sure why iDevices were thrown into the mix since they really are virtually immune to malware thanks to the sandboxing security model for apps".
Your ignorance is startling and completely typical of Apple users. You will get what you deserve.<<
Really? As an app developer I don't see how you could write malware for iDevices. All of the file system, process, and IPC APIs are completely locked down. Please help cure my startling ignorance and let me know how someone can write malware for iOS.
Re: What a pile of BS
Really? As an app developer I don't see how you could write malware for iDevices. All of the file system, process, and IPC APIs are completely locked down. Please help cure my startling ignorance and let me know how someone can write malware for iOS.
How about this for comparison: "As a web developer I don't see how you could create malware for Windows distributed via web. Javascript is sandboxed etc etc"...
You are making a dangerous assumption that malware developers are dumb enough to download Apple's SDK, look at all the restrictions and give up because "it's so secure must be impossible".
Besides there are plenty of nasty things you can do within the sandbox given sufficiently stupid wetware.
Have they fixed the XP printer bug yet?
This would be the same Kaspersky that can't be bothered to explain or fix the problem of printing on XP with their last release? The one that means that in order to print, one has to disable the anti-virus first, print and then enable it again?
XP?
Pah! As any full nose, the only version of Windows worth having was Windows2000. Anyone running any other version (especially that bloated pile of crap that XP is) desserves everything they get.
Well, duh.
I bought a Mac because it works better for me than Windows. Despite the fact that the number of virus infections of OSX is several factors less than those for Windows, I never bought that as fact - I like proof, so I have always had a virus checker on the machine. And I'm familiar enough with operating systems not to do something stupid and to avoid running the machine on an admin account (although that is sometimes a pain).
Anti-virus companies have a bit of a problem. They should stick to facts, otherwise they will be accused of scaremongering to sell product, on the other hand, dry numbers don't wake people up. Not an easy balance to achieve..
Wait...
So, this walled garden that Macs and iProducts in general inhabit? Is it aiming to corner the market in trojans and malware now?
Oh waily waily, how will us non fanbois manage?
bwahahahahahahaha
And?
As others have pointed out: this has been a known quantity for years.
Apple, like all corporations, will wait until its actually a problem then address it.
Not a fanboi, wouldn't even want to own a Mac. However the truth is that the Mac platform is currently relatively safe for consumers. I won't bother comparing it to MS other than to say MS has made extraordinary strides in security.
When this changes, and it will at some point, then apple will address it. I'm sure they'll call it iSecure or something similarly idiotic.
Regarding the walled garden. I suspect that they will run afoul of the Government when major competitors start complaining. Which, is not currently in anyone's interest to bother with as they are still very small potatoes in the pc/laptop market and have other problems.
When this changes, and it will at some point, then apple will address it.
You may be right, but if a company as big as Apple think it's OK to just relax about security and try to fix things retrospectively, it does make you wonder what other important areas get skimped on. Their strength, historically, has always been in design and marketing so it's not impossible they are ignoring some other elements
Would Kaspersky software have protected me from the Java exploit?
I realise all computers can get malware, it's just down to the available attack vectors a malware writer can exploit. WIth Java now being managed directly by Oracle. Let's hope Apple responds better to any remaining Mac OS specific exploits in the future.
But do we really need third party anti-virus solutions to protect us from Mac malware or are they little or no better than own Apple attempts?
Some questions I'd like Kaspersky to answer:
1. How did third party anti virus application/vendors protect a Mac from the Java runtime flaw
a. Before it came common knowledge of the breach.
b. Before Apple released a patch?
c. After Apple released a patch and their own code removing any malware.
2. Did any of the Anti virus vendors release 'temporary' cleanup applications which made matters worse? Hmmm?
3. I understand Apple 'quietly release' malware clean up fixes as and when they are identified. Including ones which are installed via user assistance i.e. trojans. How do third party anti virus software do a better job cleaning up other Mac specific malware when compared to Apples own efforts?
Re: Would Kaspersky software have protected me from the Java exploit?
Answering your question: no idea. It would be possible assuming that Apple allowed for 3rd party firewalls with deep packet inspection (as Microsoft does on Windows) but whether this is actually the case, I do not know. 3rd party firewalls on Windows do protect against these kinds of attacks.
However, somehow quite a few readers assumed that security engineer employed by Kaspersky is only trying to advertise their product, instead of looking into the claims he made. The thing is, all of these claims are very sensible to me, but somehow this was lost.
Perhaps security is not that important, as long as customers believe that they are secure?
Re: Would Kaspersky software have protected me from the Java exploit?(@ Looking for answers )
"1. How did third party anti virus application/vendors protect a Mac from the Java runtime flaw
a. Before it came common knowledge of the breach.
b. Before Apple released a patch?
c. After Apple released a patch and their own code removing any malware."
Point 1a: behavioral antiviruses -though they're a pain in the ass in terms of computational resources used- could help here. Also, many AVs send suspicious 'samples' to their creators to be analyzed. Having lots of Mac owners using an antivirus would probably speed up the process a lot. In the PC world most viruses remain hidden only for a few days.
Point 1b: The antivirus blocks the viruses before they infect the machines, so even if Apple takes its time in publishing a patch -as they usually do- the computer remains safe. Also, for some kinds of viruses, preventing infections also protects machines that don't have AV software installed. There is a similar effect with epidemics/vaccination.
Point 1c: If the only thing the patch does is to remove the vulnerability, the files you receive may still be infected, even when they can't affect your machine. Having some AV informing you of this would prevent you from i.e. mailing infected files to your friends.
Point 2: If you expect software makers to make big complex apps without any errors, you're in for a long long wait. :-)
The problem will be Apples reaction
Instead of, for example adding community based repositories to encourage secure software distribution, Apple will simply have an "AppStore", locking out all other forms of software distribution. This of course doesn't bring any actual security.
mac antivirus
I'm sure I have a copy of Disinfectant around here with my old Quadra if anyone wants it?
Protect you from CDEF A it will!
i - diots. And I don't mean it in a derogatory sense.
People buy in to macs because:
The hardware looks better. (oh yes, it does)
The thing works almost as well as advertised (and yes, it does)
The advertisement promises a "no cares" attitude (oh oh - this can be a spot of bother)
The thing is in OSX land there be a few snakes. These are dangerous you see, because the snakes are transparent.
Because the system is not transparent.
The mindset is: "it just works"
Yes it does, it is quite nicely engineered (and it doesn't have to cope with an almost infinite number of uncontrollable configuration permutations, 20 years of backlog/legacy software).
And it did not have to deal with being popular, in the numbers kind of way.
Until now.
So, the malware (scare or the real thing) was something the "lowly PC people" had to deal with, and not the apple crowd - they thought they were too exclusive, too untouchable, an idea they readily bought into.
in the end an OS is just an OS. Anything can be hacked, if it's worth the effort.
Through the many advances and the subsequent layers in UI/UX majickery the computer may _feel_ like an appliance, but it is not an appliance. It can still bite you.
Learn about the dipstick in your car. Learn about malware in the wild outback that is the interwebs.
The moral of my story is: Don't be a blithering idiot.
Re: i - diots. And I don't mean it in a derogatory sense.
Careful there. You will end up making powerful ennemies. That PowerMouse can click fast!
And I don't mean it in any derogatory way.
Re: i - diots. And I don't mean it in a derogatory sense.
Which comes back to a comment I've made a few times and been downvoted for, if you treat your users like idiots then pretty soon all your users are idiots.
Painfully steep learning curve ahead I think.
Fanbois sex
If you presented a fanboy with a willing mate, I can assure you that the FB would ensure that both they and the willing mate would be scrubbed, shaved,, showered, condomed etc etc up to their jacksies, because your average fanboy must be clean and fresh and fragant and presentable to the world of fashion.
Yet, they'll let their Macs connect to any dirty old port without a second thought and get uppity if anyone even suggests that their machines might be suseptable to a dose of iClap.
Very odd.
Never claim your invulnerable
Apple created the image of the invulnerable mac years ago to shift boxes, what they didn't realise was that they simply were not targeted as heavily because of smaller market share.
To use an analogy its like claiming your invulnerable to bullets just because nobody has bothered to aim a gun and shoot at you yet.
With the rapid proliferation of idevices in the last few years Apple's market share has grown, and now they are starting to be targeted by malware because of the wide usage. The myth of the invulnerable mac is out of date and if perceptions are not changed Apple could be hit hard with a new generation of malware just like microsoft were back in the bad old days.
Educating the masses
One issue that would be concerning in terms of security is that someone who has a Apple machine doesn't see any difference between a virus and basic internet security. For example they hear that Macs don't get viruses and so click on any dodgy link they get emailed, open any attachment without thinking and click through on phishing links without worry as they believe they are protected.
The message that people should be wary of all the basic internet traps even with a Mac should be made, it is a shame that the only people who get this message pushed out are the security vendors as it lessens the message.
From what I can see Apple caused this by delaying the distribution of Java 6 update 31 and the fact that I imagine a majority of Mac owners do not use AV.
There were numerous stories about the Java exploit in March and no doubt it was known before http://krebsonsecurity.com/2012/03/new-java-attack-rolled-into-exploit-packs/ Somebody at Apple obviously thought it wasn't important as Windows is always the target.
The "beauty" of Java exploits is that are reliable, cross platform, allow the installation of OS specific malware without user intervention. All it takes is a visit a compromised site or even compromised OpenX http://krebsonsecurity.com/2012/05/openx-promises-fix-for-rogue-ads-bug/ I believe the O2 arena site's OpenX ads were tainted around 4th April.
The other thing is that all major operating systems have areas that users can write to and although I've never used OS X I expect the user can add applications to run at start-up too in a user specific file. No admin privileges required so no Admin password.
The Apple response is shockingly bad, from what I can gather Lion users get a Java update and "common variants" removal tool, Snow Leopard users get only a Java update and if you're on Leopard or before - disable Java is the only viable solution, for many this is OK as Java use seems to be vastly over estimated but as mentioned previously, but many Mac users are not IT literate? so something like removing Java could be rather taxing and I don't mean that in a bad way.
As the old Apple slogan went "It just works" and now it's changed to "It just installs Malware" unless you keep updating your OS X up to date.
This topic is closed for new posts.
