Mac malware Crisis as Apple lets slip its Mountain Lion

Miscreants have developed a sophisticated multi-platform attack dog designed to maul Windows and Mac OS X computers. The malware comes bundled in a Java Archive file which pretends to be Adobe Flash Player, named AdobeFlashPlayer.jar. Inside the malicious archive is a .class file named WebEnhancer, and two files named win and …

COMMENTS

  1. jai

    AV for Mac

    And while you're at the Sophos site reading their blog post on the issue, worth noting that they offer a free virus checker that, so far, seems to work great at picking up Windows viruses attached to emails, and it should check for any of the known Mac viruses.

  2. Callam McMillan

    A worrying development

    It would now appear that the Apple user community has reached a critical mass that it is worth the malware writers actively targeting OSX users. This means that security flaws which may have previously been ignored as "not worth it" are now valuable exploits, yet at the same time there is going to be resistance from the user community towards installing AV products meaning we may be in for a period of more announcements like this?

    1. Anonymous Coward

      Re: A worrying development

      The "critical mass" myth again.

      It's not about volume of sales, it's about security.

      1. Marty
        Facepalm

        Re: A worrying development

        "It's not about volume of sales, it's about security."

        Don't talk out of your ass.....

        A company can produce the most insecure OS on the planet and if there is only a very few installations available, then they may indeed compromise that machine, but until enough units are in production and in use in ways that those exploits can become useful to hackers then they may keep an eye on it, but won't bother taking the time to produce malware or virus packages.... not sophisticated ones anyway...

        Apple machines for years have never really had a major role in businesses and homes. But since the rise of the iPod/iPhone/iPad people have taken a keener look on the Macs, particularly because of the lack of virus and malware threats....

        Now that they are being used for more than design work and multimedia editing, it's now getting to the point where it is worth the coders' time to code malware and viruses for the Mac and will gain results from the effort.

        Because of the attitude Apple have had towards security and their alleged secure OS, it is widely acknowledged that the actual security is on par with what Microsoft were at at the turn of the century.

        The critical mass theory IS NOT a myth, and saying it is over and over does not make it a myth... no matter what Apple's marketing department says.....

        1. eulampios
          Stop

          critical mass hypothesis

          critical mass theory IS NOT a myth

          It is not a myth, it is a hypothesis. It however becomes a myth when thought to be the main theory. Although there might be a correlation between the popularity of a platform and the number of successful infections, the correlation coefficient is very close to zero when applied to OSes other than MS Windows, though.

          Take GNU/Linux. Look at the figures of the web servers. According to netcraft.net the (overwhelming) majority of the OSes there are Linux (and BSD). The critical mass theory doesn't seem to work here, since despite the possibility of compromising these machines on an individual basis, there is no known malware to have been able to infect the said systems on a massive scale.

          The difference between Windows and Mac OSX is that they stand upon very different ideas (Apple has nothing to do with that rather than just once having chosen NextStep). This difference is essential, since unlike MS Windows (or MS DOS) UNIX was thought a secure OS very early on. This distinction can also be explained, that UNIX was designed openly by many IT professionals and scholars primarily for themselves. It adhered to many IT principles, like KISS and modularity. These IT principles used to be UNIX principles originally. As for MS Windows, most decisions on the design and security were made by merchants to better sell to a larger number of people. The quality questions got out of fashion as soon as competition died out. The closeness, lack of developers and constant desire to lock in customers has played its role to foster malware production as well.

          The recent Flashback accident proves this, as a very moronic decision of those who run Apple Co. to "save" on Java vulnerability fixes would be a no go in a more competent IT environment. (How many times did we hear about poor and understaffed MS to save on software developers and coders?) Since then we now know that the Apple managers are not only fucking bastards, they are one moronic crowd of incompetent idiots, just like that from one company in Redmond, WA.

          1. Anonymous Coward

            Re: critical mass hypothesis

            Take GNU/Linux. Look at the figures of the web servers. [...] The critical mass theory doesn't seem to work here

            You never managed a server and seen it scanned for every remote vulnerability the attacker can think of, did you?

            1. RICHTO
              Mushroom

              Re: critical mass hypothesis

              Sorry, but critical mass theory certainly DOES work here. Linux is used most as web servers and is many times more likely to be hacked than say a Windows server: http://www.zone-h.org/news/id/4737

              1. Anonymous Coward

                @RICHTO

                OS-X is nearly as insecure as Linux.

                You better be kidding. OSX has an awful record concerning timely upgrades (some exploits are years old, Apple can't even be arsed to upgrade basic things like libc), whereas every decent Linux distro publishes the upgrades ASAP.

                1. RICHTO
                  Mushroom

                  Re: @RICHTO

                  But Linux has lots more vulnerabilities than OS-X.....Even if they are fixed faster than by Apple.

                  (But not as fast as by Microsoft: http://www.computerworlduk.com/news/security/3629/microsoft-we-patch-faster-than-apple-novell-and-red-hat/ )

          2. toadwarrior

            Re: critical mass hypothesis

            My server wasn't even up for half a day and it already had people hitting the IP looking for various web applications (mainly PHP of course) to take advantage of, attempts to log in as root and numerous other attacks.

            Linux servers are considered worthy of their time and it happens more than you think. No one is going to admit their server was compromised unless they really have to and Anonymous' script kiddies aren't getting all this information they share because they're elite hackers. It's due to well known security flaws on servers (both Windows and Linux) that no one can be bothered to fix until it's too late.

            Admittedly it's mainly software on Linux rather than Linux itself that's the problem but likewise applications that people click and run on OS X (or Windows) are more a user weakness than an OS weakness.

            1. Anonymous Coward

              @toadwarrior

              Spot on.

              The reason why Mac viruses/trojans are on the rise is because there are dumb users who run the exploits locally. Linux machines only have to bother about remote exploits (which are a PITA to leverage) because there are few desktop users.

              QED re. critical mass.

      2. Callam McMillan

        Re: A worrying development

        You're half right, the security of the platform plays an important role in how quickly exploits can be, er, exploited. However all of these Malware vectors aren't just sat there with a neon light blinking away saying "HEY. THERE'S AN EXPLOIT HERE!" Somebody has to sit down and find them, then derive a practical attack using it. That takes time and effort, which isn't going to be much good if they're only going to infect a couple of hundred machines and make a few hundred quid.

        As an alternative example: Take my Cisco 1921 router I have at home, the mechanics of it are unimportant here, but it has a cryptographically based licensing system. Now I am sure this could be overridden if somebody who knew what they were doing was to sit down with a copy of IDA and decompile the binary image and reverse engineer the software. However, what would be the point? There aren't that many people who use these routers that would want to enable all the features, so there isn't much reward for anyone to do it*.

        *That's not to say there wouldn't be a lot of happy Cisco people if somebody was to manage it!

      3. RICHTO
        Mushroom

        Re: A worrying development

        Mac OS-X has an order of magnitude worse security than Windows (See Secunia.org). So why hasn't it been targeted before then?

      4. Mectron

        Re: A worrying development

        In Apple's case it's more like: What Security? CrapOS is as insecure as any version of Windows....... why go for 0.0000000000000000000000000000000000000000001% of users?

    2. RICHTO
      Mushroom

      Re: A worrying development

      Considering Mac OS-X has over 1600 known security vulnerabilities I would say more malware is a certainty. To put that in perspective, Windows XP has about 450.....Apple are about 10 years behind Microsoft in Security and OS-X is nearly as insecure as Linux.

      1. Anonymous Coward

        Re: A worrying development

        Interesting figure - source?

        I find it VERY interesting that the Anti Virus companies (all of them) suddenly stopped listing which platform a virus was for - I can only assume this was after pressure from Microsoft (their main source of revenue).

        From the data I had (which was from informal discussions with people I know at two Anti Virus vendors) the actual numbers were more like 25 M different bits of malware for Windows, about 40k OSX and about 15k for Linux - and that's not where the story ends.

        I should have taken notes - the next remark was that a substantial amount of Microsoft infections were drive-by, i.e. did not need much activity from the user to install (Win 7 was in that respect at least a massive improvement), compared to a rather small percentage of Linux and OSX infections, where the majority was taken up by trojans - code that had to coax the user into installing it before it could do its evil thing. The Java exposure is an example of drive-by risk, but they are rare because of the different security model (personally I think Apple could have used more of BSD's security layer, but I guess their line between security and usability is drawn closer to usability than my personal preference).

        I think I'm going to fill up those guys again with beer - I need more accurate data. Maybe even do a project. I personally think we have Microsoft users/victims to thank for over 90% of spam and DDoS risks, but it is indeed worth putting hard figures behind it - otherwise the only thing that Microsoft ever did right will try to bury this again: marketing and BS.

        Heck, even the MS consultants are a fraud: in reality, they are hired contractors who basically get paid peanuts to be hired out as MS suits (at least judging by the recruitment attempts where I live), so please don't try to give me BS based on figures. I sat through 20+ years of Microsoft sales presentations as part of my work and right up to this day they share one feature: figures that are either unattributed or were more creatively manipulated than the numbers in the UK speed camera effectiveness report. Been there, took it apart and will sure as hell not wear their T shirt.

  3. Dan 55 Silver badge
    Thumb Down

    You've never needed a password to install malware on a Mac

    There's no need to. Find a drive-by exploit via Java, Flash or social engineer one with Safari (which insists on running 'safe' files), install in the current user's homedir, and run it. It's got access to all your juicy documents.

    1. xyz Silver badge
      Devil

      Re: You've never needed a password to install malware on a Mac

      No Mac user would ever concern herself with things like "homedir." That's stuff that's uncool and not shiny. Give it 6 months and there will be queues of fanbois clutching their melted Macs, wailing outside Apple stores and chanting in the name of Jobs that they be saved from this plague that's destroying their righteous lifestyles.

      1. Anonymous Coward

        Re: You've never needed a password to install malware on a Mac

        Oh boy oh boy. Jealous?

        FYI, not everyone buys a Mac to be cool (I couldn't care one way or the other), some use it because you can actually get work done instead of either waiting for gigabytes of patches and updates, or endless fiddling with config files or finding a machine losing USB support through a simple kernel update.

        I haven't quite decided what is more irritating: fanboys or anti-fanbois, but I'm getting to the point where I hate both equally.

        1. Peter Storm

          Re: You've never needed a password to install malware on a Mac

          "some use it because you can actually get work done"

          Like having to use Final Cut Pro as part of your job, or even just using Photoshop on big files without continually having to restart it.

          1. Fibbles

            Re: You've never needed a password to install malware on a Mac

            "or even just using Photoshop on big files without continually having to restart it."

            When was the last time you ran Photoshop on Windows? In my experience every version since about 6.0 has run faster on Windows. If you're buying similarly priced hardware it should be significantly faster considering the premium Apple put on its machines.

        2. Marty
          Flame

          Re: You've never needed a password to install malware on a Mac

          oh grow up......

          Gigabytes of patches? You mean a few tens of megabytes every second Tuesday of the month or whenever it is, that will patch known exploits, it may even create a few more UNKNOWN exploits, but hey, it's still more secure than sticking your fingers in your ears going " LA LA LA LA ",

          Endless fiddling with config files? Yet another fail..... maybe when installing a new bit of software on a Linux box, but once it's done, it's done.....

          As for losing USB support from a simple kernel update, I suppose you are talking about a Linux distro? But is that any worse than an OS upgrade breaking a bucket load of software and when you call support they tell you to buy new software because the software you have been using for ages, and has no problems is not compatible with the new OS?

          The thing that irritates me more than fanbois, or anti fanbois is people talking utter bollocks !!

        3. 404

          Re: You've never needed a password to install malware on a Mac

          Thinking about it, you spend more time and space 'consuming' your average movie download - less than the accumulative patches since XP first reared its head on PCs - so where is the problem? At least Microsoft tries to correct issues and has never claimed (AFAIK) you're holding your PC wrong.

          Your 'gigabytes of patches and updates' statement is null.

          1. Wensleydale Cheese

            Re: Your 'gigabytes of patches and updates' statement is null.

            @404

            "Your 'gigabytes of patches and updates' statement is null."

            I have got to slap your wrists on that one.

            1. Install Windows Server 2008

            2. Enable a few things like Active Directory, Backup and so on

            Total disk usage at this point: less than 10 GB

            3. Now run Windows Update

            4. Rinse and repeat until no more updates are available.

            5. Notice that total disk space consumed is close to 20 GB. If you did this inside a Virtual Machine for training purposes, an initial allocation of 20 GB might not be enough.

            1. Arctic fox
              Windows

              @Wensleydale Cheese. RE "I have got to slap your wrists on that one."

              You are using the install/update process when installing a new OS (when you of course get all accumulated updates/patches) as an argument? You are suggesting that on "Patch Tuesday" it is a Windows user's regular experience to get several gigs coming down the pipe rather than (order of magnitude) megs? Well, far be it from me to hinder you in making an ass of yourself but I would suggest that you re-think that line of argument.

              1. Anonymous Coward

                Re: "Gigabytes of updates"

                I am currently trying to get started with iOS development. To do this, I need to buy a Mac... check.

                In order to download Xcode, I was first told by the website that I needed OS X 10.6.6 or later. I ran software update.

                Now I am sent to the Mac App Store, which helpfully informs me that I need OS X 10.7 (Lion) or later. Luckily, my office already purchased it so I am currently downloading the 4.2GB install file.

                After this is finished it looks like the download for Xcode is 1.7GB as well, which will be the very least that I need. That is before I can even write a line of Objective-C.

                What was that you were saying about large updates? I hate Apple more than ever today and I haven't even opened the IDE yet.

                1. Anonymous Coward

                  Re: "Gigabytes of updates"

                  You bought a Mac with an OS prior to 10.6.6 - that's equivalent to buying hardware old enough to come with Windows 98 and you're whinging? Sjeez..

            2. RICHTO
              Mushroom

              Re: Your 'gigabytes of patches and updates' statement is null.

              Utter crap. Windows 2008 is about 2.5GB for a full install or 1.5 GB for a core install. I got growth of about 400MB of disk space by fully patching it - and most of that is temp files and backups of previous file versions and can be deleted if required...

              See http://support.microsoft.com/kb/2592038 for how to clear it.

    2. Peter Gathercole Silver badge

      Re: You've never needed a password to install malware on a Mac

      Apart from those rare systems that really do run Java in a sand-box, user files on *ANY* platform will be vulnerable to this type of attack. The OS, however, shouldn't.

      What is worrying in this article is the issue of it installing a rootkit on MacOS. I'm not sure whether I am talking about the same thing, but I define a rootkit as something that gains privileged access, and then alters the OS start-up process so that it will have running privileged components that will monitor whether the rootkit is removed from the system disk, at which point it will re-infect it.

      The operative word here is "privileged". It implies that there is something that will cross the privilege barrier, which requires an OS security weakness or vulnerability. Of course, I could have the MacOS security model all wrong, but I thought MacOS was relatively robust. If it is a user-mode rootkit (is there such a thing - a process kicked off in user-land during the user's start-up, but not running as a privileged user) then I might be able to understand it.

      1. Dan 55 Silver badge

        Re: You've never needed a password to install malware on a Mac

        In this case it's userland malware which opens a backdoor and, if authenticated with a password, installs a rootkit.

    3. Mike Moyle

      Re: You've never needed a password to install malware on a Mac

      "...Safari (which insists on running 'safe' files)"

      By "insists on running 'safe' files", I assume you meant to say "gives you the option in the Preferences panel to open 'safe' files or not", since that check-box has been there since Hector was a pup.

      OS X has flaws, but (worst case) lying about non-existent ones or (best case) repeating something that you heard once online and know nothing about doesn't really help anyone.

      1. Dan 55 Silver badge
        FAIL

        Re: You've never needed a password to install malware on a Mac

        @Mike:

        1. I've got an iMac.

        2. The box came checked by default.

        3. See icon, fanboi.

  4. Anonymous Coward

    I wonder how many people will install an "improve your browsing app". Oh, who am I kidding, there is one born every minute, right?

    1. Silverburn

      Unfortunately yes.

      And the more we make security and PCs idiot proof, the better the idiots become at compromising their machines through stupidity.

  5. John A Blackley

    "The threat has not appeared in the wild"

    Only in Sophos' lab, right?

  6. Anonymous Coward

    Mac malware?

    In this article you managed to not once mention the underlying platform :)

    http://www.theregister.co.uk/2012/07/25/japan_finance_ministry_trojan_attack/

    1. Fred Flintstone Gold badge
      Facepalm

      Well, duh

      .. it's Facebook, obviously. Now known as lost-face book given the local culture..

  7. Anonymous Coward

    Something doesn't add up in this article

    Maybe I get overly critical when a vendor happens to observe something that helps their market penetrations (but then again, they actually have the talent to spot this) - I read on the one side that it's all sophisticated and scary ("see how we protect you"), but I also read that it hasn't been spotted in the wild.

    WTF? How did they get hold of it then? Homebrew? Explain to me why this is a worry yet for end users?

    1. Anonymous Coward

      Re: Something doesn't add up in this article

      Sorry to be a bit slow today - this is probably Sophos trying to ride the Mountain Lion publicity wave. This article will conveniently show up in any search for Mountain Lion now..

    2. DJ Smiley

      Re: Something doesn't add up in this article

      Some clever hacker writes an exploit to show what can be done.

      Sophos and any good security companies are watching these underground places for this activity. The hackers mostly don't mind either; it's not about being good or bad.

      Then some kiddie gets the exploit and manages to package it into some form which CAN be used in the wild.

  8. Bored Stupid

    Yet not a single quote...

    ... from Graham Cluley - is he on holiday or something? He must be gutted.

    1. Anonymous Coward

      Re: Yet not a single quote from Graham Cluley

      Yep.

      This is purely personal opinion, but the man appears to me to be a media whore and for those who disagree with that, look up his Wiki entry.

      Intego have also been guilty of crying wolf about Mac viruses which have never been seen in the wild.

      1. Anonymous Coward

        Re: Graham Cluley

        I agree. Some of the things he has come out with in public statements demonstrate a generous level of stupidity, and I have had to argue with Sophos on previous occasions about downright misinformation in their "white papers".

        Which is why I can't help subconsciously morphing his surname by changing the 'y' on the end for a double 's'.

  9. Nanners
    Devil

    I'm convinced

    That half the malware out in the wild was concocted in some IT security firm's computers and released intentionally for the sake of job security. Crazy? Like a fox.

  10. Dave Oldham
    Mushroom

    Don't be silly, everyone 'knows' that OSX is immune to malware. AV is not needed!

    1. Thomas 18
      Thumb Up

      I hear you can catch a virus if you hold it wrong.

    2. Miek
      Linux

      Antivirus protection is needed about as much as a spell-checker.

      1. Rick Giles
        Linux

        And neither are used that much from what I've seen.

    3. Sean Timarco Baggaley
      FAIL

      @Dave Oldham:

      Ah, another child who fails at Internet 101: "How To Search The Internet And Not Look Like An Idiot."

      The popular myth is that Macs (since OS X became the standard OS for them) don't get viruses. To be fair, this is technically correct: there are indeed no known viruses on OS X.

      Older, pre-OS X versions of the Mac OS did occasionally suffer from the occasional virus as that older OS had a much more basic security model and barely supported multitasking properly. (It shared a lot in common with pre-NT versions of Windows in that area.)

      OS X was derived from NeXTSTEP, which was in turn built on a BSD UNIX variant. UNIX was designed from the outset as a multi-user operating system and has a very strong security model.

      The article is not talking about a virus however. It is talking about a trojan. A trojan requires user interaction to install itself, usually by pretending to be something the user might want to install—hence the name, "trojan". It relies on the weakest link in any OS' security chain: the users themselves. By default, OS X 10.8 ("Mountain Lion", the version that was released today) prevents any unsigned application from installing. You have to go into the Preferences panels and explicitly tell OS X to allow unsigned applications to install too.

      A good IT Admin will set that same Preference panel to its most paranoid setting: "Only allow Mac App Store apps to install." This adds an additional layer of security.

      Furthermore, the trojan in question is actually a vulnerability in Oracle's Java VMs, not OS X itself. Note that it attacks Windows as well, and requires the user's password to actually install its nasty bits.

      Apple haven't been responsible for the OS X version of Java since the release of OS X Lion. Neither are Microsoft responsible for bugs in Oracle's Java VM for Windows.

      The security failure lies with Oracle.

      Granted, it'd be nice if the OSes were 100% bulletproof and perfect, but the OS that can unerringly spot a user doing something seriously bloody stupid has yet to be developed. Not even GNU / Linux is impervious to such social engineering vectors.

      And yes, GNU / Linux-based web-servers are hacked on a frequent basis. What do you think many of those hacked databases full of emails, passwords, and other user details we keep hearing about were running on? BeOS? Why do you think there are companies out there offering specialised "security hardened" Linux distros? If GNU / Linux were that secure out of the box, such distros wouldn't be necessary, would they?

      There is, in fact, only one way to ensure you never get hit by a trojan: never install any software you don't trust. On Macs, that means sticking with the curated App Stores for the most part, and only venturing outside the gated community when you really need to. Apple won't stop you if you're determined to go on such an adventure. That's Apple's fundamental design philosophy: you can't assume your users are trained in IT administration, so you simplify things for them and reduce the need for such training in the first place.

      The best anti-malware solution is to not install malware in the first place.

      1. RICHTO
        Mushroom

        Re: @Dave Oldham:

        WRONG. Mac OS-X DOES have known viruses:

        http://www.sophos.com/en-us/press-office/press-releases/2006/02/macosxleap.aspx

  11. Anonymous Coward

    Misleading Title

    As my post history would show, no fan of Apple, but the title of this piece is more misleading than most!

    Is a Java based nasty, not yet seen in the wild, really worthy of the word Crisis (Yes I know it's supposed to be a play on words).

    I only ask, because it's the first time I've felt the need to change the text to something less click-baity when using the 'Tweet' button.

    Of course, you can't view my post history as an admission of being a Twitter user demands that I post AC! Those bothered enough could quite quickly suss out who I am by checking Twitter though (if you want to waste your time, go ahead!)

    1. Fred Flintstone Gold badge

      Re: Misleading Title

      Actually, El Reg is only repeating the offense - the real nasty is the Sophos blog which strikes me as trolling for hits (I don't think it's a coincidence that it contains the words "Mountain Lion" on the day that is launched - to me that says "search engine bait")..

  12. Buzzword

    Lions don't drink coffee

    Java isn't included by default in OS X Lion or Mountain Lion. This considerably reduces the number of potential victims: from all users to just those who have gone to the trouble of downloading Java. I can't remember the last time I needed to use Java on my home computer.

    1. Anonymous Coward

      Re: Lions don't drink coffee

      Is there a way to restrict Java to only work with some programs? I have Java loaded for LibreOffice and FreeMind, as far as I know there is nothing else that needs it (and I am seriously *NOT* OK with having it anywhere near Safari and Firefox)..

      1. Kwac
        Happy

        Re: Lions don't drink coffee

        Firefox with "Quick Java" extension?

      2. darkdog

        Re: Lions don't drink coffee

        You can disable Java in the Safari preferences, which makes it a lot safer in this regard. Still won't protect you if you open .jar files you downloaded, though.

    2. x4zYYvb3
      Facepalm

      Re: Lions don't drink coffee

      You obviously don't have a Norwegian bank account. Java is required to log into internet banking websites in Norway. This means that a ten-year-old PC running XP is more secure than a five-year-old MacBook running Leopard.

  13. Miek
    Linux

    Wow, cross platform compatibility and no Linux variant! Shame on you malware coders.

    1. This post has been deleted by its author

    2. Anonymous Coward

      As if no games or decent apps wasn't bad enough, now even the malware coders don't want it.

    3. RICHTO
      Mushroom

      But why bother with ~0% market share. At least OS-X has a couple of percent....

  14. Kevin McMurtrie Silver badge
    FAIL

    Playing in the shadows

    Apple assumes their users are dumb so they have come up with various ways to hide and disguise important files from casual access. Bundles make directories sometimes appear to be files. A shocking amount of critical data is placed into hidden directories starting with a period. 10.7+ even goes ludicrously far by hiding your personal "Library" folder from normal view. These areas are normal user directories so any application written in any language has permission to alter them. Essentially, Apple has gifted malware with big play areas without the assumedly dumb users being able to easily spot them.

  15. Anonymous Coward

    Just for technically illiterate sheep

    Stupidity, lack of technical savvy and sheep mentality will get 'em.

    In 5, 4, 3, . . .

    Have fun Mac sheeples.

    1. Sean Timarco Baggaley
      FAIL

      Re: Just for technically illiterate sheep

      (sigh)

      "Sheep mentality"? Really? You're accusing Steve Jobs, the late Douglas Adams and even Richard Dawkins of having placid, ovine natures?

      Yes, Apple have deliberately gone for a "gated community" approach. They've made no secret of this. Anyone who thinks otherwise clearly hasn't been paying attention.

      Of course, if you're going to rip the piss out of a group of people on the grounds that they don't know much about your pet obsession, I assume you don't mind if those same people take the piss out of you for knowing sod all about police work, military tactics, education, writing, management, golf, 3D modelling, graphic design, rocket science, or neurosurgery.

  16. asdf
    FAIL

    Java VM = malware portal

    This has less to do with Mac vs Windows security than it has to do with Oracle continuing Sun's tradition of a bloated insecure slow memory hungry crap VM implementation. Really the only bigger unintentional malware portal you can install on your computer is Adobe Flash and Reader.

    1. Kevin McMurtrie Silver badge
      Facepalm

      Re: Java VM = malware portal

      Applications have no security except for those placed on the current user. That goes for Java, Scala, Applescript, C, C++, Objective-C, PHP, Ruby, Bash, and everything else. Be happy that the viruses aren't being hand-coded in lean and mean x86-64 yet.

      As for Java's speed - it depends on the quality of the code. Anti-aliased image rendering runs in Java just as well as C if given the same level of optimizations.

      1. asdf
        FAIL

        Re: Java VM = malware portal

        >Applications have no security except for those placed on the current user.

        Funny that isn't the line Sun used to push Java. Something about being able to fine tune permissions on the vm. But then again when your vm sandbox can easily be breached you are correct that your app then has no security (http://blogs.technet.com/b/mmpc/archive/2012/03/20/an-interesting-case-of-jre-sandbox-breach-cve-2012-0507.aspx). My point is the JRE is starting to accumulate CVE criticals as fast as Adobe's crap ware.

        1. asdf
          FAIL

          Re: Java VM = malware portal

          You can also include Oracle is bragging how secure java is also. Right on the download page it tells people "Java technology allows you to work and play in a secure computing environment.".

      2. asdf

        Re: Java VM = malware portal

        >Applications have no security except for those placed on the current user.

        Actually especially in windows this is not always true as well. A lot of malware takes advantage also of exploits in the OS to give itself root privileges instead of just the current user privileges.

    2. RICHTO
      Mushroom

      Re: Java VM = malware portal

      Or you could install Linux. That has more security holes than even OS-X.

  17. Anonymous Coward
    Alert

    No.....no that's not possible remember, macs are immune to viruses. You must be mistaken.

  18. Dana W
    Happy

    Don't need Java, and don't care.

    Well then it's a good thing I refuse to run Java then isn't it?

  19. DJ Particle
    Facepalm

    Another "stupidity test" trojan....

    So, for Macs, first you need to actually HAVE Java in the first place. Macs do not have this by default, so most end users likely won't have it, and they are weeded out.

    Say you *do* have it installed: Then when it tries to run, you get a "bad certificate" warning regarding a program called "WebEnhancer". That's another red flag.

    Only when you click through THAT, are you infected.

    You need to be REALLY stupid to go THAT far....

  20. Anonymous Coward
    FAIL

    How Much Redmond Money Did Flow For This Crap News ??

    Once again "malware" which must be installed by entering a root password. One more lame attempt to make everybody look as shitty as windows.

    The M$ faction also deploys their shitty memes like "it all depends on critical mass" and "all computers are equally shitty".

    This is a FAAAIIIILLLL.

    1. Invidious Aardvark

      Re: How Much Redmond Money Did Flow For This Crap News ??

      From where did you get the requirement to enter any password? All I see in the article relating to passwords is: "The threat can install itself on Mac systems without requiring a password.". The linked article also makes no mention of requiring passwords.

  21. Anonymous Coward
    Anonymous Coward

    "10.7+ even goes ludicrously far by hiding your personal "Library" folder from normal view"

    Much like Windows 7 hides the "AppData" folder, or $linux_desktop hides config folders - all have the same issue.

  22. Anonymous Coward
    Anonymous Coward

    bahh, icebergs, nonsense... full steam ahead

  23. Flashy Red
    Black Helicopters

    I'm wondering if the time has come to disable Java on my machines. Can't really see the point of it anyway.

  24. spegru
    Linux

    App Stores & Repositories

    Desktop Linux Distros normally use Software repositories. They're a lot like an App Store but without the corporate arrogance. So although in principle Linux may not be much different to Mac (although it IS vs Windose 'cos of the default Admin level Users), Mac users install from anywhere! Surely this is quite a bit safer (and therefore the Critical Mass argument is wrong).

    PS I like the Gated Community Analogy

    1. RICHTO
      Mushroom

      Re: App Stores & Repositories

      Yes - and it means that Linux servers need internet access to update or install anything new - a big security no no. Servers should never have internet access unless it is part of their function.

      1. Anonymous Coward
        Anonymous Coward

        Re: Linux servers need internet access

        You're being a little misleading there though aren't you?

        To make it simple, they need access to a package repository to update, granted, but that repository can be anywhere you like. You're free to put an up-to-date copy of a repository (preferably just the packages you're interested in) on some trusted storage and use that instead.

        If you're going to do it properly you should have your own vetting procedure for what does and does not make the cut for your internal repository, and vet updates against your own security standards.

        1. RICHTO
          Mushroom

          Re: Linux servers need internet access

          Yes, done that. Circa 200 vulnerabilities to review for Windows 2008 R2, and 3500 for SUSE 10...

          1. Anonymous Coward
            Anonymous Coward

            Re: Linux servers need internet access

            If you've done that, then why are you claiming that Linux servers need internet access and are therefore insecure?

            We aren't talking about vulnerability counts here, because then someone will point out that comparing discovered bugs in closed- vs open-source software is apples/oranges at best and you'll get upset.

  25. RICHTO
    Mushroom

    Both are round fruit that grow on trees - not that far apart....
