“As part of its current ad campaign, Apple suggests that Macs aren’t vulnerable to the same Internet security problems PCs are,” Todd Spangler writes for Baseline Magazine.
“But according to a new study by security vendor Symantec, the number of vulnerabilities identified in Apple’s Safari browser in the first half of 2006 doubled over the prior six months—and it increased its window of exposure to Net-based exploits from zero days to five,” Spangler writes.
Spangler writes, “Microsoft’s Internet Explorer browser still has a longer window of exposure—the time between when code exploiting a vulnerability appears and when a fix is available—and a greater total number of security holes. But Apple ‘is headed in the opposite direction’ with respect to its browser’s vulnerability to Internet-based threats, says Dave Cole, director of Symantec’s Security Response team.”
Spangler writes, “Apple’s marketing campaign implies Macs are not vulnerable to the same kinds of Internet security threats that Windows PCs are. In a recent Apple TV ad, an actor playing the Mac character says to the PC character: ‘I run Mac OS X, so I don’t have to worry about your spyware and viruses.’
Spangler writes, “Symantec’s Cole says it’s a fallacy to claim that any Web browser is inherently safer than another. ‘The reality is, Apple has lower market share’ than Windows PC makers, he says. ‘Attackers are driven by money, so they go after the bigger market. If you have lower market share, you’re not more secure—you’re just less interesting [to a hacker].'”
Full article here.
[Thanks to MacDailyNews Reader “Stormy” for the heads up.]
MacDailyNews Take: Ooh, we’re shaking with fear. Let us know when Macs are hit with spyware or viruses in the wild, okay? Until then, we’re not buying what Symantec et al are peddling. While smaller market share is no doubt yet another advantage for Mac security, Mac OS X is inherently more secure than Windows. With 20+ million Macs in the world, why has there been no single successful Mac OS X virus in 5+ years? Shouldn’t there be a few or at least one?
Remember, do not download, authorize, and install things on your Mac from untrusted websites.
By design, Mac OS X is simply more secure than Windows. Period. For reference and reasons why Mac OS X is more secure than Windows, read The New York Times’ David Pogue’s mea culpa on the subject of the “Mac Security Via Obscurity” myth here.
Macs account for roughly 10% of the world’s personal computer users — (some say as much as 16%) — so the first half of the myth doesn’t even stand up to scrutiny. Macs aren’t “obscure” at all. Therefore, the Apple Mac platform’s ironclad security simply cannot logically be attributed to obscurity.
There are zero-percent (0%) of viruses for the Mac OS X platform that should, logically, have some 10-16% of the world’s viruses if platforms’ install bases dictate the numbers of viruses. The fact that Mac OS X has zero (0) viruses totally discounts “security via obscurity.” There should be at least some Mac OS X viruses. There are none. The reason for this fact is not attributable solely to “obscurity,” it’s attributable to superior security design.
Still not convinced? Try this one on for size: according to Apple CEO Steve Jobs at WWDC, there are “19 million Mac OS X users” in the world and there are still zero (0) viruses. According to CNET, the Windows Vista Beta was released “to about 10,000 testers” at the time the first Windows Vista virus arrived. So much for the security via obscurity myth.
Related articles:
Chicago Tribune falls for the ‘Security Via Obscurity’ myth – August 14, 2006
Oxymoron: Microsoft security – August 12, 2006
With exploits in wild, Microsoft Windows braces for yet another critical worm attack – August 11, 2006
Microsoft’s oft-delayed, much-pared-down Windows Vista hacked at Black Hat – August 07, 2006
Ballmer analyzes Microsoft’s One Big Mistake, Vista… er, ‘One Big’ Vista Mistake – August 02, 2006
Symantec details more security holes in Microsoft’s Windows Vista – July 26, 2006
Symantec researcher: At this time, there are no file-infecting viruses that can infect Mac OS X – July 13, 2006
Sophos: Apple Mac OS X’s security record unscathed; Windows Vista malware just a matter of time – July 07, 2006
Sophos Security: Dump Windows, Get a Mac – July 05, 2006
What Microsoft has chopped from Windows Vista, and when – June 27, 2006
Security company Sophos: Apple Mac the best route for security for the masses – December 06, 2005
Apple: ‘Get a Mac. Say ‘Buh-Bye’ to viruses’ – June 01, 2006
Apple Macs and viruses: Fact vs. FUD – May 26, 2006
‘Mac security’ garbage reports continue to proliferate – May 10, 2006
ZDNet: Reduce OS X security threats – ignore security software – May 05, 2006
Unix expert: Mac OS X much more secure than Windows; recent Mac OS X security stories are media hype – May 03, 2006
Macs and viruses: the true story – May 02, 2006
Anti-Mac FUD machine shifts into overdrive – May 01, 2006
FUD Alert: Viruses don’t catch up to the Mac – May 01, 2006
BusinessWeek: Apple should hire security czar to combat uninformed media FUD – March 09, 2006
Spate of recent Mac security stories signal that Microsoft, others getting nervous – March 06, 2006
Mafiasoft: Microsoft to charge $50 per year for security service to protect Windows – February 07, 2006
Computer columnist: anti-virus software purely optional for Apple Macs, not so for Windows – November 01, 2005
Hackers already targeting viruses for Microsoft’s Windows Vista – August 04, 2005
16-percent of computer users are unaffected by viruses, malware because they use Apple Macs – June 15, 2005
What about the argument that OS9 and earlier had viruses but Mac OSX has none. Doesn’t that basically defeat this obsurity crap as well?
to fandango:
My comments were in reply to questions of how money could motivate hackers – it does, and this is considered the “business model” for applying many exploits that exist for Windows and IE (primarily). Many of these exploits require little or no involvement of the user, just poor security management. Unfortunately, on the Windows platform, being safe requires being a security expert – hence the large numbers of compromised systems.
I got rid of Windows PCs at home and use only Macs for this reason.
“Ultimately, it doesn’t matter WHY Macs are more secure.”
—> One word: UNIX
“Even Mac OS users would be well advised to not routinely run as administrator (or as root in a Unix/Linux box). There is a known weakness in the Mac OS where a user running with aministrator privilages can install a package that requires root privilages without getting the authentication dialog box – run as a normal user and this weakness is not an issue, you will always get an authentication request.”
—> Link concerning this can be found here: http://www.macgeekery.com/tips/security/how_a_malformed_installer_package_can_crack_mac_os_x
This would definitely fall under safe computing practices, as in – Do not download, authorize, and install things on your Mac from untrusted websites., but it still needs to be fixed. Another one that concerns me, but falls under the same category, is the authentication dialog spoof that MDN reported on here:
http://www.macdailynews.com/index.php/weblog/comments/security_alert_mac_os_x_authentication_dialogs_can_lie/
And the metadata vulnerability (where, say, a file with a jpeg icon can actually be a Unix executable) is one that should have been fixed by now – it’s been a looooooong time coming.
Of the three, the metadata vulnerability concerns me the most. I don’t want to have to use “get-info” on a jpeg file to make sure it is not an executable. I am not losing any sleep over it, but, all things considered, it should have been patched by now.
No, the sky is not falling, but Apple please fix that damn metadata vulnerability!
Just came across this one a minute ago, and thought I’d come back. New QuickTime vulnerability (no known exploits) found:
http://www.securityfocus.com/bid/20138/exploit
PLEASE NOTE: The above link takes you to a page with two “proof-of-concept” links. They are “mp3” files that show how the exploit can be used. They are also harmless. DO NOT CLICK ON THEM IF YOU ARE WORRIED ABOUT IT.
Click tabs above links for further info on it. Again, no known exploits and the sky is not falling, but it’s good to be informed of such things.
Sorry to eat up all this space, but a very good explanation of “Back-dooring” .mp3, .mp4, .mov etc. files in QT can be found here:
http://www.gnucitizen.org/blog/backdooring-mp3-files/
I’m sure this affects Windows versions of QT as well……………
Stop beating me.
Just once, I’d love to read an explanation by one of the ‘computer security’ vendors of why the Mac OS prior to OS X had viruses, but OS X has none. If OS X isn’t a big enough target, how is it that OS 9 and previous versions were big enough? Security by obscurity either works or it doesn’t, and if it works for OS X, then it should have worked for previous versions too.
“Just once, I’d love to read an explanation by one of the ‘computer security’ vendors of why the Mac OS prior to OS X had viruses, but OS X has none”
—> OS X’s foundation is BSD Unix, which has been security pounded for years. Previous iterations of the Mac OS foundation were proprietary (not released to the public for scrutiny) and becoming “spaghetti-code”.
Symantec should be run out of town. What the hell good do they do, anyway? Nothing worthwhile….
You can only go up to a certain point in order to protect users:
http://secunia.com/mac_os_x_command_execution_vulnerability_test/
The above shows that the metadata fix is actually is place. Previously if you were to download the file in the link above, Safari was duped into believing it was a movie (as from the metadata content) while instead a terminal script (the file above is supposed to start ‘Calculator’) hence the hack.
Now not only in does not happen but the icon is no more that of a movie: it appears clearly as a terminal application. In finder I use the columns view, moreover selecting the Secunia.mov (that previously in the unpatched metadata flaw had a movie icon) the Finder clearly states it is a Terminal.Application.
Having different custom icon for a terminal application is not illegal, actually it is a requirement that cannot be broken: developers distributing software would get mad and they would be right. Better to make one angry idiot user (who would double-click that file even in it SCREAMS it is not a movie) than the hundred thousands developers that need to have a custom icon for their legit programs.
@Metadata – That is the ZIP archive shell script execution vulnerability:
http://secunia.com/advisories/18963/
<u>Solution Status:</u> Partial Fix
“NOTE: The update does not completely fix the vulnerability as it is still possible to trick users into opening malicious shell scripts (masqueraded as a safe file type) in ZIP archives. Do not open files in untrusted archives.”
Apple did a partial fix for this in Security Update 2006-002. Now it will show the actual file type in the finder (in column view) and using get-info regardless of the file extension.
In icon view however, – say you just downloaded a .mov file to your desktop but it is actually a Unix executable, it will NOT show as such. The icon will look to be a QT movie. So you could inadvertently have your system comprimised by downloading what you think to be a podcast, but in reality is an executable. Plain and simple – this needs to be fixed. PERIOD. It’s critical IMO. Apple needs to change the way OS X deals with custom icons so users are protected AND developers are also happy. Yes, you can only go so far to protect users from malware (like email attachments), but this is in another category altogether.