
Comments on: Yet another reason why Macs need security software

Analyst Jon Oltsik says data shows why Apple users shouldn't consider themselves immune.

Showing 2 of 3 pages (136 Comments)
by nathan_grier May 8, 2009 2:03 PM PDT
I'm not sure about Linux or Windows machines, but I know if you have physical access to any Mac, you can simply change the root user's password without even having fully booted to the login screen. You don't need any special software, or an OS DVD or anything, just simply turn on the computer and type in a few commands and voila, Mac is owned. Might be the same for Windows and Linux, but I'm not as aware of the process for those as I am for Macs.
by samalander May 12, 2009 2:50 PM PDT
Are you sure? It is true that you can access root user from a regular account, without actually being logged in as the root user; BUT you MUST ENTER AN ADMIN USERNAME AND PASSWORD in order to make changes or own it -- same with installing any software that affects the system.

EVEN IF I am an admin user, I MUST STILL ENTER MY PASSWORD to make any system changes.

Most Mac users run their own user space as a non-admin user. In any case, unless the person who physically accesses your Mac knows your user password, even if your account is live when they sit down, they cannot do anything.

If your Mac is in a public space, like an office or a coffeeshop, then most Mac users will have the screen lock on, so that even if they leave their Mac unattended, when the Mac goes to screensaver, it needs a password to wake it again. So, we are talking about two passwords and an admin username to do anything; and at worst, one password.
by santuccie May 23, 2009 2:20 AM PDT
@samalander:

It may seem that way on the surface, but no. Authentication is easy to circumvent, like a chastity belt made of paper. Wanna see a program launch without your permission? PoC right here: http://landonf.bikemonkey.org/code/macosx/CVE-2008-5353.20090519.html

"CVE-2008-5353 allows malicious code to escape the Java sandbox and run arbitrary commands with the permissions of the executing user. This may result in untrusted Java applets executing arbitrary code merely by visiting a web page hosting the applet. The issue is trivially exploitable."

Again, "...merely by visiting a web page hosting the applet." Read it and weep.

And then, show us a drive-by download that actually works on Vista. You'll have your work cut out for ya'. It's official; the most vulnerable OS on store shelves today is... wait for it............. OS X.
by compbry15 May 8, 2009 2:09 PM PDT
I have always used Windows for all my computing needs since I first encountered a PC. There have been times where I took the paranoid stance and went with full throttle top-of-the-line security suites, but for the majority of the time I never use any sort of security software. I have a router firewall, and Windows Defender is enabled and I use Firefox, but that's about it. I never have issues with viruses or being hacked.

I think the problem is definitely the stupid consumer. The ones who click random "Click Me" popups, or don't check disguised URLs, or don't recognize a bad URL when they see one are the ones that really cause 90% of the virus issues.

If it weren't for the price I would already have a Mac now, due to my line of work, and I am saving for one ... but when I do I won't be spending the extra money on security software, because my smart browsing habits make me largely not need it.

Articles like this aren't really that helpful, because I'd wager that the majority of its readers are the ones who don't fit into the category described above.
by NotForNuthin May 8, 2009 2:18 PM PDT
I think the poop smell might be coming from the "Safari hole"
by Thad Boyd May 8, 2009 2:59 PM PDT
"Disclosed vulnerabilities" is a rather misleading statistic, no? I remember a statistic from a few years back saying that Firefox disclosed more critical vulnerabilities than IE -- which sounds damning out of context, but rather less so if you know that most of them were patched within two weeks of discovery while IE's holes stayed open for months at a time.

Is there really any doubt at this point that the "security through obscurity" argument is a crock? Just because Apple reports more vulnerabilities doesn't mean it HAS more.

None of which, of course, is to say that Mac users should go around blindly typing their password any time a program prompts for it or, say, downloading iLife from The Pirate Bay. Best security practices should be followed no matter the platform. It's just that the data you're citing don't say what you seem to be implying they are.
by sting7k May 8, 2009 3:31 PM PDT
I don't just get why the Mac community is so against any suggestion that they might need security software. Why wouldn't you want to protect yourself at all costs? You never know what will happen tomorrow. It's not a slam or anything like that, it's just advice to keep you safe.

The way people talk about it and go off the handle I'm inclined to say I can't wait until the first real virus/trojan/worm/etc. hits for OS X and just ravages all these people who think they are invincible. Sooner or later it's almost sure to happen. Why not be ready?
by akastevo May 8, 2009 4:42 PM PDT
It's not that Mac users are anti security software, it's just that Windows users think Mac users don't know anything about computers. Windows XP was not designed for the internet or an open network. On a closed controlled network it's a great OS, but in the wild it is easily attacked. Vista tried to correct that but made the user experience annoying. Security or safety comes from the user not the OS...don't do stupid stuff on the internet and you won't get a virus. I bet if you surfed CNET all day for the next 20 years you wouldn't contract a virus from their site...however you play with fire and you will get burned.
by baconstang May 9, 2009 1:59 AM PDT
It's like telling a monogamous couple they need to start using condoms.
by monkeyfun14 May 8, 2009 3:49 PM PDT
No point even trying to explain to Linux and Mac users when someone buys a boat on their platinum card they'll learn.
by akastevo May 8, 2009 4:30 PM PDT
Well as you know the 2 happiest days of a boat owner are the day they buy it and the day they sell it...I can see how you can relate as a PC owner.
by kcotham May 8, 2009 6:38 PM PDT
What the hell is that supposed to mean monkeyfun14? This idea that all Macintosh users are rich is pure crap, and you know it. Walk around a college campus and talk to some of the students using Macintoshes. Go hang out at a retailer that sells Macintoshes. You'll see that your stupid idea that all Mac owners are rich is nothing more than a half-baked marketing ploy by Microsoft and builders of third-rate computers.
by monkeyfun14 May 8, 2009 11:29 PM PDT
@kco

Never assumed they were rich it could happen to anyone. That wasn't my intention to call out all Mac users as rich.
by kcotham May 10, 2009 8:21 PM PDT
@monkeyfun14
Then, as usual, your comment made no sense whatsoever. Be more clear next time. (And is it against your religion to type more than the first three letters of a user name?)
by Draxon May 8, 2009 4:17 PM PDT
Please provide one example of OS X Server being breached in the wild? Or one virus that is currently infecting OSX in the wild (not in a lab or as a proof of concept).

I work in a Windows world, and even on Windows machines I have had more issues with McAfee messing up machines than viruses. Anti-virus software is a scam, proper training and firewall protection on the network level are way more important.
by akastevo May 8, 2009 4:26 PM PDT
You know this is like any other security issue. Those who follow the standards and abide by the rules do not get in trouble. We are in a malware "dilemma" because of the noobs that jump onto every clickable downloadable widget that's out there. Just because stupid people do stupid things does not make me responsible for their actions. I choose how I spend my money and what computer to buy so why would I spend my money on a PC that is going to get malware because some noob sends me the "funniest email ever". If you enjoy running Anti-Virus every time you start up then great for you, if you don't mind entering your password every time you install something then so that you don't have to run Anti Virus crapware then you've spent your money well. The internet has made anti virus companies billions of dollars...but not one penny from this Mac owner of 15 years. Money well spent I would say...Thanks Apple.
by mackenzie2881 May 8, 2009 6:41 PM PDT
I have been running Windows for years and have never had a single virus. Thank you Norton. Apple will eventually need anti virus as it becomes more popular. It's not that hard to figure out. Why do Apple users kid themselves into thinking they are forever immune to attacks.
by montex66 May 9, 2009 3:02 PM PDT
Why do Windows users KID themselves into thinking Mac OS is as vulnerable as Windows?
by hoocares May 8, 2009 8:18 PM PDT
LOL - Another warning from this clown who didn't know the difference between a Trojan and a virus. No it wasn't a typo. If it was you should have fixed it, you haven't. If this guy is a senior analyst I'm the King of Siam.
by May 8, 2009 8:46 PM PDT
Did you read the whole report or just focus on the table on p 44?

The numbers for OS X and OS X Server most likely report the same vulnerabilities. However Windows vulnerabilities are broken down into separate numbers for XP, 2000, Vista, etc. Do the arithmetic and Windows counts for over 24%.

Then there is the interpretation of 'disclosed' vulnerabilities. I suspect a more active research community around OS X and more openness because of Darwin and Unix. Microsoft's code is not so open to researchers. Thus, what is the ratio of disclosed vulnerabilities to actual vulnerabilities? That is the more interesting statistic. Also what is the severity of the vulnerabilities vs. the ease of exploit?

The table on p44 can't be used to prove anything.
by May 8, 2009 9:04 PM PDT
I meant to add that those who know anything about OS design know that OS X is inherently more secure than both Windows and Linux because of the way the lower levels are engineered. Of course it's a shame OSes are written in C at all, but given that Windows, Linux and Mac all are, OS X is inherently more secure.

That does not mean mac users are careless - they are very well aware of the issues. Hence a more sensible decision of machine purchase in the first place.
by marcobat May 8, 2009 9:52 PM PDT
I think most articles about security like this one and most responses miss a very important aspect. The trend has changed in the malware industry.
First it was the kid having fun, then it was criminals penetrating your computer without you even doing anything and now it is mostly social engineering.
Years ago Windows was hit by many and many viruses, zero day attacks etc... that was the time when you could not connect a Windows machine to the internet without patches or protection for more than a day before getting all sorts of malware in it - I'm talking about from the late '90s to the time SP2 came.
In those years Windows was the target and the reason it was the target was because there were people putting money and/or energy toward it and because it was relatively easy.
I'm not going to get into the discussion of whether it was easier to hack Windows or the Mac or Linux or whatever else, that is not the point, it was done because the industry was not ready for it and Windows was a big easy target. With fault or without fault Windows took the hit for the entire industry and the other OS's learned and started protecting themselves from the kind of attacks Windows users were experiencing before their user base got much of a problem.
Now, generally speaking, you can pretty safely connect a computer with a current OS to the internet and it will not get hacked just for being there.
There are still zero day security issues and bugs discovered but most of them are dealt with before a worm or something takes advantage of them. The trend has shifted, now you don't get a worm, virus or whatever just because your computer is on and connected to the net, now you get it by visiting malicious websites, by installing a trojan or similar means. The situation has changed, now it is really mostly about the user not falling for the scam. This new method of "getting undesirable software in your computer" is mostly already, and it's going to be even more, OS independent.
It is not about which OS you use (I think you should use the one you are most comfortable with, period) it's about educating the users so that they don't fall for social engineering tactics.
In spite of what security vendors would like you to believe they are all pretty much obsolete, you don't need an antivirus (which is nothing more than an authorized virus taking resources away from you on your computer) you need to become more aware of the threats and how to safeguard yourself ... how that will work will be a very interesting thing to observe...
by thomcarl May 9, 2009 6:24 AM PDT
People who use windows are stupid by definition.
by monkeyfun14 May 9, 2009 5:49 PM PDT
So 90% of the world is stupid?

All those doctors and lawyers saving your ass are stupid?

What about the millions of firefighters and police officers.

College professors and teachers.

These people must be idiots right?
by kcotham May 10, 2009 8:22 PM PDT
Dumb, lazy, ignorant, or just plain scared of anything different. Is that better?
by sargess25 May 9, 2009 12:35 PM PDT
Yet another trollish blog from a Windows apologist, trying to drag down other OSs in the mud. His/Their reasoning is if Windows is susceptible to virus and various hacks then all other OSs must be too.

I wouldn't lose any sleep over viruses in my precious Mac. I just let Windows users wallow in their deep sense of insecurity and inbred inferiority complex. Folks, have you reinstalled Windows today?
by MaLvaDo39 May 9, 2009 3:07 PM PDT
Jon Oltsik, you refer to an old article by Apple. The article where they recommend anti-virus software was taken down. You can tell because the old article refers to Mac OS, not OS X.

You, as well as Cnet, should retract the article saying Apple recommends anti-virus software.
It's simply not needed on OS X.
by zato_3 May 9, 2009 7:00 PM PDT
Jon Oltsik wrote: "Again, I am not trying to pick a fight with Mac users or cast aspersions on Apple"

Yes you are, you POS.
by supercomputerstar May 9, 2009 8:53 PM PDT
whats a virus trojan. and whats a mac is that a program that runs on my pc. i don't think i've ever used it whats the big fuss guys
by schmidty313 May 9, 2009 9:29 PM PDT
Oh no! Does this mean the fanboy's dream world is finally over?!

Good, now maybe people will finally see Macs aren't that great...