Comments on: Prediction: Apple will recommend security software

Analyst Jon Oltsik believes in the next 18 months Apple will back using security software. Given the state of cybersecurity today, pragmatism should trump romanticism, he says.

[r_roborovsky]

Mac viruses and malware are inevitable, don't put your head in a hole in the sand, someone will come along and do something not very nice to your back door. :)

[mlcgruhlke]

Hmmmmm...if you're running a TRUE Linux platform, you wouldn't have to use a separate security program to protect your computer. While it doesn't hurt to install one, Linux doesn't actually require them since virus codes are extremely unlikely from "hitting" a Linux machine like it would to a Mac or Windows. Linux is a true secure platform...take that Jobs!

[ewelch]

Wrong, your comparing Windows and Macs on this subject proves you don't know what you're talking about. There are zero virii for Macs. NONE. You can't even say that about Linux.

[kcotham]

@mlcgruhlke
OpenBSD is extremely good for security too. Perhaps Apple will take a cue from that project in "locking down" the Mac OS better?

@ewelch
Thank you, exactly.

[santuccie]

@ewelch:

Unlike profit-driven malware, 70% of which is Trojans, viruses are destructive, and targeted at specific people (usually a politician or high-profile clergyman). They are usually delivered through e-mail, as attachments to chain letters. It's infinitely easier to trick a novice into opening an attachment, than to attack them remotely.

Think about this for a second: the Mac is the only platform on the market today that has been successfully infiltrated with a drive-by download (at least four times, three times at CanSecWest, and once in a PoC, which is available here: http://landonf.bikemonkey.org/code/macosx/CVE-2008-5353.20090519.html), while we're still waiting to see this on Vista or Linux. If the Mac can be completely pwned WITHOUT user intervention, do you really think it's any harder to make a virus work WITH user intervention?

Status quo does not equate to inherent security. Say a woman lives out her entire life without ever getting laid, and she never gets AIDS. Do you think this means she is immune to the HIV virus? You are naive.

[michael_j_x]

My prediction is that these virus will be sponsored by anti-virus companies, who already have a software for OS X ready to sell i.e. Karpersky

[themrwhite]

The attack on Safari you pointed out in the article, was hacked prior to him coming to the event. He had the exploit ready to go when they started the timer. The exploit was found last year and used in this event. So I agree, that all systems are hackable, the facts about the hack are wrong, it didn't take 10 seconds, it took a few weeks, which then he used at the event.

[monkeyfun14]

Well do you think any exploit is discovered in only a few hours?

[barcelonafan]

I think the 18 month window is kind of pushing it - since even if vulnerabilities do surface in the next 18 months, the no security software is such a big selling point for Apple that it wont recommend security software even if it's needed.

Definitely not until the needs get dire anyway...

[amkalis49]

There are some mis-truths in your story. The "ibotnet virus" is not a Mac virus, it is a trojan. It does not replicate, you cannot catch it by visiting a website or clicking on an ad or opening an email. You have to be duped into downloading fake software from an unknown site (fake malware remover, fake poker game, fake porn viewer, fake HD viewer, & a fake anti-virus). The other ways are in illegal downloads of iWorks 09 or Photoshop CS 4. I have 4 Macs, until someone writes a couple thousand "real" Mac viruses to start catching up with the over 1,500,000 Windows viruses, I'll abstain from unneeded anti-virus software.
And the "hacking", the guy set up a website in advance, he knew of a vulnerability in Safari and had planned for the hacking. He didn't just take 10 seconds.

[kcotham]

Thank you for clarifying that for people.

[super__mario]

Am I shocked that a senior analyst would make a beginners mistake and not know a difference between a trojan and a virus.

A virus is something that propagates without user interaction infecting machines on its own. Mac OS X does not have a single virus as of yet.

Trojan is something that requires users to download it and run it in order for them to get infected. And in order to get the users to do that it needs to use some social engineering. And offering Photoshop crack or iWork crack is a good way to do it.

Please note that there is no software out there that can guard against user doing something like this, not if you care about usability to any degree. You could lock the machine down completely and "forbid the user to use their computer" but that would be unacceptable computing experience.

So, all in all, this is poorly researched FUD, by someone who does not even know industry terms well.

[monkeyfun14]

Joe Six Pack doesn't care what makes a trojan a trojan and a virus a virus.

The thing is Apple advertises these machines as invulnerable when its hardly the case and when they get sued for misadvertising because someone gets there identity stolen they are just going to screw the customers that bought the machine for the purpose of being freed from malware by pulling up that same technicality.

Then all the little Apple apologists will go and defend them.

[kcotham]

@monkey

Apple doesn't say they are "invulnerable". They say they don't get viruses, which is true. There is not one single Mac OS X virus out there. And if the situation you describe of someone suing Apple on the off chance their identity is stolen due to some flaw in Mac OS X, is pure dreck. If that situation were plausible, then Microsoft would have been bankrupted about 20 years ago.

Your post above is a prime example of how you are incapable of being subjective or factual. Please refrain from using the keyboard for anything other than playing your games.

[geognett]

@kcotham and group

Not to defend monkey again, but first off your not being factual either by saying mac says they don't get viruses because they only miss lead on their commercial but on there website they say they are "not as susceptible". Check Number Six or this article - http://support.apple.com/kb/HT1147

And as to your general "there is no viruses" statement you are also incapable of being factual, because there is, and theirs worms, trojans and exploits, described in the article below, which might I add is an old article, by security analyst of Symantec in 2006, Aaron Adams.
http://downloads.securityfocus.com/downloads/MacOSX_DeepSight_Report.pdf

All that being said, I do agree that most people need a security analyst sitting over their shoulder as they surf the web to protect them and slap their hand before they click on the mywebsearch toolbar installer, or the smiley central emoticon installer and any other non sense people get into. So I don't disagree with everything, because I'm not a hater I am a realist, and if it makes sense then you cant deny, well at least if your rational.

[kcotham]

@geognett
First off, "your" does not equal "you're". "There" does not equal "their" or "they're". These mistakes make reading your posts a chore. And it is "Mac" or "Macintosh", not "mac".

I said that there were no viruses (self-installing, self-replicating) for Mac OS X in the wild, in real life. There have been some proof of concept trojans and worms created, and there are some exploits. I never said that it was completely 100% immune. What I have been saying is, that at present, there are no viruses on the Mac OS X platform and precious few exploits and malware. Now, in comparison, Windows is rife with them: exploits, viruses, trojans, worms, adware, spyware, malware in general.

Cheers

[geognett]

Well, thanks for the grammar lesson, didn't realize we were in high school English class. I'll make sure to get your mom to spell check for me this time... =P

The whole fact of the matter is, yes all of that is apparent that windows has more viruses than mac, the point is, every time some ego "Mac user" like you has a debate about something like this, it turns into my computer is better than yours, in stead of actually reviewing possible scenarios and or trends that are happening. But if you read any of my other posts you would have got that impression. I'm not a basher either way, just don't like when people try and make other people feel stupid for having an opinion on something. Just because someone is educated doesn't mean they are smart, and vice versa.

And furthermore I get tired of people saying in the wild, that's the dumbest thing I ever heard, if they have been made, I guarantee there in the "wild", just not as prevalent, as on windows. And just because it doesn't make headlines doesn't mean it doesn't happen.

[kcotham]

@geognett
How could anyone take you seriously if you can't even write properly? No matter how smart or knowledgeable you are, you will sound stupid and ignorant. Opinions are fine. I personally hate it when people try to pass off those opinions as fact. That's why I have been "policing" these posts for inaccuracies and fallacies.

Having a big "ego" is something of which I've never been accused. Don't pretend to know me or understand me, you do not.

Replace "in the wild" with the phrase, "in practice" then. The truth is, Mac OS X and various UNIX and LInux operating systems are virtually immune to malware of all sorts when compared to Windows.

[geognett]

Most reasonable people over 18, and that doesn't live with their mommies, would take me seriously especially in this type of setting, its not like we are having a formal academic debate here. And I never pretended to know you or understand you, so I don't know where that came from, but whatever makes you feel good. And there is always a first for everything. Oops, I started a sentence with AND, twice.

[kcotham]

@geog
Your arguments aren't logical and they sound like they were written by an illiterate 15 year old. No one with an ounce of sense would lend any credence to an argument so presented. It was just a helpful hint. If you want to be taken seriously, improve your writing.

[geognett]

@YouKnowWho ={}
Well, this all goes back to my original statement, it's hard to get a point across or have a discussion when someones to busy not listening, and only trying to point out someones grammar flaws and basing their opinion on that rather than on what is being said. Most people that have respect for other people don't do that. Also, when you act like you have, no one will take you serious either, no matter how good your grammar is, just a helpful hint. So I will end by saying thanks for the tips, and good luck with puberty. Because if I go any further it would fall further into the category of arguing on the internet. =S

Ch3ers!!

[kcotham]

@geognett

Insinuating that I'm prepubescent, is in itself immature. So, by all means keep writing like the illiterate 13 year old you probably are.

[simply7]

I did not expect a MacRumor from CNet, bored today, had to make something up? Anyway Safari uses KHTML Core and is not "designed" by Apple so this was prob. a vuln on linux and all mobile devices too. Also, 10 Seconds? That hack was setup for stage and had he attempted to do it with a random Mac system he would have failed and that is what matters in the real world. Also whomever said there is not enough Apples to spread a worm or form a botnet is not thinking clearly because I have built a 100K node p2p system that was Mac only, just because you cannot infect them doesn't mean there aren't enough nodes on the internet. The only reason for security software is when you plugin XP for instance to an open internet connection, it will be compromised or infected within 30 seconds or less. The hack pulled off on Safari would now be detected by anti-phishing technology now built into Safari and every other decent browser. Also when did Safari become the OS? The OS did not get hacked remotely only a single app which would up with a valid memory pointer to a small part of the system. Blah Blah blah

[themrwhite]

Good point about the Safari browser not being the OS, which what the intended article is pointed at. I myself been running Macs for 20 years, not a problem. Can't say that for the pile of XP junk that is sitting on my desk at work. BSOD at least once a week.

[monkeyfun14]

"The only reason for security software is when you plugin XP for instance to an open internet connection, it will be compromised or infected within 30 seconds or less"

Actually thats false..

[geognett]

You see that's what people are not getting. Yes safari was the program exploited but it is apart of the OS. Just the same as IE is apart of Windows to a certain extent, being that it is packaged with the OS. Because what this hole thing is geared towards is security, and to think that every windows box is infected after 30 seconds of being on the internet is as ludicrous as saying I cracked OS X in 10 seconds, because all in all, any good hack takes preparation. People just need to get educated on whats actually out there. Because a car seat is not apart of the actual car but it still needs to be considered in the overall security of the car, otherwise you have a vulnerability, and also most OS vulnerabilities are the direct result of installed programs and not the actual OS itself.

[ewelch]

I think point number three is the most compelling argument I can find in the blogosphere on the topic of Mac security. It's a savvy hacker who can figure that out how to take advantage of the situation. But he's still going to have a hard time breaking into the Macs to get there. But it might be worth the effort to get to this whole crowd of computers than have been unchallenged so far.

But what overshadows that well-taken point on the author's part is the stupendously wrong statement about a Mac being hacked in 10 seconds in March. It was not hacked in 10 seconds. It was hacked with months and months of study and preparation and a relaxing of the rules from the same contest the previous year before. The lack of balance in the reporting that story that continues to this day is proof we still need real journalists at real news agencies, because the blogosphere where a whole lot more noise than light is generated on such subjects.

Be that as it may, and the fact that some dumb Mac users downloade pirated software carrying botnet payloads, the simple fact of the matter is that pundits with half a clue like the author here have been prediction for the past five years or so that "this year, the Mac is going to see a flurry of attacks and compromises."

Yeah, well, when that happens, let's talk. Until then, I'm not wasting processor cycles (even if I do have 8 of them on my Mac Pro going at once) on useless software that's mostly hyped by people who have an economic interest in causing a panic.

[monkeyfun14]

The point is not how fast it was done but that it was done what the hell does it matter how long it takes for a virus to come out does it make it any less dangerous?

[santuccie]

"I think point number three is the most compelling argument I can find in the blogosphere on the topic of Mac security. It's a savvy hacker who can figure that out how to take advantage of the situation. But he's still going to have a hard time breaking into the Macs to get there. But it might be worth the effort to get to this whole crowd of computers than have been unchallenged so far."
>>>>This statement is contrary to that of the hacker himself. When asked last year why he chose to go after OS X, he said, "It was the easiest one of the three. We wanted to spend as little time as possible coming up with an exploit, so we picked OS X."

"But what overshadows that well-taken point on the author's part is the stupendously wrong statement about a Mac being hacked in 10 seconds in March. It was not hacked in 10 seconds. It was hacked with months and months of study and preparation and a relaxing of the rules from the same contest the previous year before. The lack of balance in the reporting that story that continues to this day is proof we still need real journalists at real news agencies, because the blogosphere where a whole lot more noise than light is generated on such subjects."
>>>>Actually, he says it takes about a week. And the point of the 10 seconds (I thought it was 30 seconds) is not that it took 10 seconds to come up with an exploit, but 10 seconds to perform the task.

Also, I don't know where you're getting this "relaxing of the rules" idea. Nobody hacked into any of the three systems on day one. Only one person stepped forward, and that person failed. On the upside, this suggests that none of the three platforms is swiss cheese (XP might have gone down almost immediately). But Miller hacked the Mac on the second day, exploiting Safari with a drive-by download. This is only the third time Apple has been pwned with a drive-by download, while we're still waiting to see one work on Vista (let alone Linux).

Given track records, the notion that Mac OS has finally supplanted Windows as the most vulnerable OS on the market may be a tough one to digest, especially for a Mac romanticist. But that doesn't change the fact that security researchers have agreed on this.

[Angmarr]

bottom line.... it is only a matter of time! so enjoy your "we dont have any viruses" while you can!

[kcotham]

How long ago has Microsoft been able to say that? I'll take the off chance that someone will soon develop a virus over thousands of new ones created every day.

Disable your antivirus and then carry on with downloading software, music, attachments to e-mails, etc. See how long Windows stays clean and stable then.

[Angmarr]

my friend ... yes i did say my friend ... i have been recently fedup with this petty arguments between MAC vs. PC where I have also played my DIRTY part, including attacks @ you!!

So from now on I will DO MY BEST to refrain from attacking any "individuals comments" .... unless someone attacks me personally!!!

All im saying is that if apples numbers increase a significant amount, their safety will be compromised. Yes they are still safer than Windows, but for obvious reasons that everyone knows people like me use them.

[kcotham]

Mr. Oltsik
1. Why would recommending security software be a bad thing as you imply? EVERYONE should be running security software. If they did, we'd put 99% of the lowlife out of business.
2. Macintosh users are no more affluent than anyone else. That is Microsoft rhetoric, not supported by any real data. You should be ashamed of yourself for buying into it. Most of the people I know that have Macintoshes are not by any definition "affluent".
3. The Macintosh hack you refer to was in a specialised setting. And he prepared well in advance to exploit it. It wasn't like he sat down at the computer and did it from scratch in 10 seconds. Windows machines are just as easy to hack into. It all depends on the user at the keyboard to open most doors.

[MikePlacid2]

Well, "top quality reporting" (tm) on security issues that confuses virus with troyan horse. Sigh.

[steve4lee]

The writer indicated that he didn't know what he was talking about when he referred to the "iBotnet virus." If he doesn't understand what a computer virus is (and isn't), then why should I trust that he has some sort of particular insight into malware?

Who knows? Maybe there will be some reason to run security software on Macs in 18 months, but this guy doesn't suggest any real reason for it. Right now the only real reason to do so is if you run Windows on your Mac or if you're afraid that you might download some file that's affected with a Windows virus and that you might pass the file along to a PC. No software can predict what sort of viruses and such might be written in the future, so there's no reason to run security software on Macs to head them off if and when they are created. It won't help.

As security holes are found in Apple software, Apple plugs them up and offers patches. There's not need for third-party solutions to cover those. What is needed now is security hardware to keep idiots who download and install trojans away from your Mac.

[gerrrg]

I think Apple would rather buy a security software company, then integrate it into their OS, and pushing updates without anyone noticing. Forget the warning of a virus; Apple OS will simply eliminate it and you won't even know.

That's the Apple Way.

[kcotham]

And that would be bad, why?

And it isn't "Apple OS", it's "Mac OS X".

[elgarak]

There once has been a virus, spotted in the wild, for Linux running on iPods. An installed user base in the range of thousands.

There is not one, zip, nada, zilch virus for Mac OS X out there in the wild (if you know what a virus is, and how it differs from a trojan that made the "iBotnet"). With an installed user base in dozens of millions, surfing teh webz unprotected.

Why is that?

How big does the user base need to be? The Mac world is been predicted to be "falling soon" for years.

Why is no one attacking the Mac user base? There's already a nice bridge head there, with 5% in enterprises, networked with Wintel boxes, and, again, mostly unprotected, and oh-so-easy to hack.

And yet, it has not happened.

And there's no good explanation on why not.

(Except that at least one of your five premises is utterly wrong.)

[pentest]

Windows is insecure by design, all the security bolt-ons aren't helpful because the core problem exists and the new features are always broken.

AV is always behind the curve, saying it is better than nothing is like saying using WEP instead of no wireless security is better than nothing.

No, it is not. WEP can be passively broken in anywhere from 1 minute to an hour, regardless of the passphrase strength.

I can't tell you how many times AV(especially garbage such as Norton and McCafee) killed legit programs such as Cain but let lots of obvious malware go by unmolested. We are not talking about clever malware, just simple things like keyloggers that make very obvious calls to Windows functions that are well documented. To be fair AVG caught that the function call had the argument in it that told windows to hook into every application running and that will run that request keyboard access.

Of course, the fact that MS created a function that sets up your keylogger for you and is nice enough to do the spying is just more evidence of the seriousness that MS takes security and how competent they are.

[Martin_Turner]

Apple's history suggests that, if it decides security software is necessary, it will buy it and package it either with the OS or as a cheap add-on. Lots of vendors of utility software have had their market eroded when Apple released an update or new OX version which included the functions their software was offering.

www.martinturner.org.uk

[nhm]

This article is flamebait, and people who've never owned a Mac duly repeat the FUD they've been fed. It's worth pointing out that most Mac users have owned PC's in the past and so are likely in a better position to compare the two platforms from actual experience.

I would call the 100,000 viruses on PC's the "Microsoft Tax" -- this is the legacy of years when security was ignored by MS and it costs companies billions a year. Also, I wouldn't be surprised if a lot of the viruses are written by the antivirus companies themselves, which clearly spend a lot of time trying to pump up fear.

As for Trojans, please distinguish between these programs that you get fooled into installing, and viruses that creep in without your help. At the moment there are no viruses "in the wild" for Macs. And the exploit in the contest mentioned in the article was a stunt -- the same known browser exploit existed on the PC but the hacker had prepared a way to use it on the Mac because the prize was a Mac Air, which he wanted.

Finally, I actually agree that Vista has some important anti-virus measures that aren't present in OS X Leopard, but they are in Snow Leopard which will be out soon: Apple is learning from MS's troubles and trying to stay ahead of the problem.

[jamesserver]

I agree with this article. Its naive to think that because you use a particular operating system you are completely secure. The old argument of OSX being more secure was based more on the fact that Mac had a small market share in OSs. Well the market share is growing and Mac users are looking like better and better targets.

[MattDel]

1. Linux Schmucks... your OS is just as bad as everyone else's... Reference: http://lunduke.com/?p=429

2. Mac OS X sucks as much as windows, maybe more since Windows 7 fixes almost everything that's wrong with Vista.

3. OS X is a security nightmare. The OS has virtually no protection aside from it's ambiguity and small customer base. Apple will either publicly recommend security software within the next 18 months or face a massive backlash from it's consumers for the sheer amount of malware that OS X will be bombarded with and the blatant false advertising.