How Apple lulls Mac owners into a false sense of security

3 Feb 2012
iMac

Davey Winder says Apple's claims that Mac owners need not worry about security are dangerous

Is it any wonder that many Mac owners think they are immune from the security problems faced by PC owners? Right there on the Apple website it states that "with virtually no effort on your part, OS X defends against viruses and other malicious applications, or malware".

When security vendor ESET surveyed computer users about their perception of computer security, more than half thought PCs were either very or extremely vulnerable, whereas the figure was only 20% when it came to the Mac.

The same survey revealed that when it comes to phishing attacks, Mac users lost more money on average than PC owners did. Is Apple guilty of lulling its users into a false sense of security?

Macs not susceptible?

David Emm, the senior security researcher at Kaspersky Lab, told PC Pro that the inclusion of a signature-based scanner in OS X "represents an acknowledgement by Apple itself that the Mac is not immune to malware". Yet if you head over to Apple.com and read the Why You'll Love a Mac section it may surprise, or even sadden you, to discover some of the claims being made about how secure a Mac is.

Mac malware

Dan Clark works for security vendor ESET, and told PC Pro about a number of significant Mac malware incidents uncovered in its Labs in 2011:

"The first was the MacDefender fake antivirus product. Users would typically encounter the virus when opening an infected image found on a search engine. When the infected file was loaded, an alert would be presented warning the user that viruses were detected. If the user clicked on the alert box, the actual MacDefender malware would be downloaded. The software would then run a phony "scan" and then ask the user for money when it pretended to detect malware running on the machine.

Later in the year, ESET saw several other exploits, including Revir.A, a Chinese language PDF that attempted to drop a Trojan into a user's system; Flashback, a more serious attack that came out in September of 2011, which if installed, would disable the update features of the OS X malware defence system; and at the end of the year, DevilRobber was deployed through pirated software, which "minted" BitCoin currency, and also installed a backdoor for remote access, a screen grabber and other functions."

Take, for example, the headline which claims you can "Safeguard your data - by doing nothing" which is naïve at best, and arguably both misleading and dangerous. The reader is informed that "a Mac isn't susceptible to the thousands of viruses plaguing Windows-based computers" and goes on to suggest that this is "thanks to built-in defences in Mac OS X that keep you safe, without any work on your part". Erm, no it isn't. It's actually because Windows viruses are, obviously, coded to run on Windows and not OS X.

Another somewhat dubious claim is the one that states that "when a potential security threat arises, Apple responds quickly by providing software updates and security enhancements". Taking three years to fix a known vulnerability concerning the FinFisher remote spying Trojan, or the average of 91 days one prominent security expert discovered Apple took from first being notified of a serious security vulnerability to issuing a fix, wouldn't be what most people would regard as "quickly".

And at the end of last year when Google, Mozilla and Microsoft responded swiftly to blacklist hundreds of fraudulent SSL certificates following the DigiNotar hack, Apple lagged behind in issuing a security update to provide Safari users with the same protection, casting doubt over the Apple.com claim that "if you visit a suspicious site, Safari disables the page and displays an alert warning you about its suspect nature".

"False illusion"

Dr Wieland Alge, the general manager at security vendor Barracuda Networks warns that users are "under a false illusion if they think they are safe because it is an Apple product" adding that "the threat is very real and no longer restricted to PC users".

Indeed, as Dr Alge pointed out, the first OS X virus was discovered in 2006, and during 2011 a number of incidents were reported including a malware attack disguised as antivirus software that duped Mac users into handing over credit card details. Yes, the MacDefender scareware did require the user to be conned into installing the rogue application and Apple did, eventually, respond with a security update to warn against doing just that. However, it does rather blow apart the myth that Mac users are somehow immune from malware; especially when it adopts the social engineering route that Windows users are so often exposed to.

Read more

In-depth