Mac under attack: how secure is Apple's OS?
Posted on 15 Aug 2011 at 14:49
As reports emerge of further malware attacks aimed at Mac users, Davey Winder questions how secure the platform really is
For as long as I can remember, security researchers have been warning that the Mac will soon become a major target for the criminal fraternity as it looks for new soft targets at which to aim its malware.
The popularity of Apple hardware within the broader “personal computer” market – as an alternative to Windows PCs – continues to climb, and as it does so security warning bells ring louder and louder.
But is this just another case of FUD (fear, uncertainty, doubt) being spread by Windows security vendors hoping to branch out into a new and relatively untapped market: the Mac user?
You might expect that if Apple devices were such easy pickings, the bad guys would have spotted the gap and attacked it before now. After all, malware is almost exclusively profit driven these days, and even allowing for the fact that the Mac market is far smaller than the Windows one, there’s more than enough money to be made nonetheless.
However – and please do correct me if you happen to know differently – I don’t know of anyone who has suffered a data loss as a direct result of a malware infection on their Mac, nor for that matter anyone who has had their bank account compromised in this way.
That isn’t to say that I line up with the “Mac users needn’t worry about security” brigade, which would be a massive folly. Everyone, including Mac users, should be wary of the kind of social-engineering pressure used to con people into installing malware. It’s been said so many times, including by myself in these pages, that the user is the weakest link in the security chain, and that’s certainly the case when it comes to Macs.
False sense of security
Unfortunately, the ordinary man-on-the-street Mac user (as opposed to the clued-up fanboy) is likely to be lulled into a very false sense of security by the very fact that Macs are inherently more secure than Windows machines.
Having this “no security worries” message reinforced over and over by large swathes of the media, by Apple itself, and of course by experienced and often slightly over-enthusiastic users, causes the real security message to be lost. People start to believe the hype – especially people moving to Mac from Windows – and let down their guard.
If you believe that the Mac is impregnable (the only computer that can make this claim with any veracity is one that’s still in its shipping box and has never been switched on) then you’re more likely to run executables and visit sites that you’d otherwise think twice about, either of which increases the potential for successful attacks. Attacks such as those we’ve seen over recent weeks in the guise of Mac Defender and related malware.
Die-hard Mac evangelists have concocted an argument that for such attacks to be successful, not only does the Mac user have to be persuaded to download a dodgy bit of software in the first place, but they must actually enter their admin password to allow it to install itself.
“The Mac itself remains perfectly secure; it is the user that is insecure,” as I’m often reminded in less-than-polite emails. There’s a lot wrong with that statement, from the irrational belief in “perfectly secure”, to the thinking that malware operates differently on any platform.
Goes off and gets popcorn...
and awaits the barrage of denial from the technically inept.
By PaleRider on 16 Aug 2011
Macs became more vulnerable when Apple started fitting Intel processors. It is far easier for the malware creators to code attacks on common hardware to both platforms so they are trying more. They share the same instruction set after all.
Additionally, admin passwords only help if the users aren't fooled into entering them by the malware attempting to infect their PC.
By mr_chips on 16 Aug 2011
They are only human
... the users, that is.
They will have used the web and will see a tool that apparently scans your computer for free - without downloading - the program will 'apparently perform a system scan' and say all is fine and then offer you some free membership that really doesn't cost.
And then at some point later - once it's gained your trust will offer services like anti-virus/spyware scanners - because they must have thought you have/had a virus to have performed a free scan - so you go ahead and give them access by downloading their free product - which sits around perfectly happy - scanning and checking and finding nothing - but always advertising that for other services like spyware or extra security like firewall, defender etc - you should pay and after a few months or so - more than likely you'll pay - because after all - you installed it - believing you would get a virus and hey, let's be safe - you are only human and you want to have that necessary protection - so you will do what the security firms tell you.
I have AV on one computer but not on the other - as the AV would slow it down - but sometimes I get virus alerts - rare - I admit. The other one I use daily and though I scan it independently once a month - I never get viruses :)
But you never know what the future will hold for Linux users or Apple fans as they basically run the same OS underneath.
By nicomo on 16 Aug 2011
Novice user? Get an iPad
Maybe we should push novice users away from Windows/OSX completely and on to the iPad, TouchPad, etc.
Whilst not a fully-blown machine, get a keyboard and they will probably be able to do as much (if not more) using this than on a PC which could get hacked.
What do you think?
By Chatan on 16 Aug 2011
There was malware for Motorola 68000 and PowerPC in the past. The instruction set of the processor doesn't have much to do with it - look at the malware appearing for smartphones, none of them use Intel processors.
And for many attacks, especially the latest MacDefender attack, the admin password isn't even necessary.
There are enough escalation privilege bugs in UNIX, Linux and Windows, that if you can execute the malware in a local context, you will probably be able to escalate your privileges to administrator / root and infect the whole system.
Getting trojans and scareware onto computers is a lot easier than writing viruses.
Over on another forum, 18 months ago, Mac users were complacent about an attack that had just taken place.
Using a couple of lines of AppleScript, a fellow forum member demonstrated just how easy it was to implement a trojan on the Mac.
By big_D on 17 Aug 2011
Haha, I clearly remember back in the days being able to laugh off Mac-fanboys (who would annoy me about me using Windows) with comments like:
(first, pre '95) "wot? you got your mac working on a network have you? oh, you haven't. Yeah, you're safe all right.."
(next, '95 till 2000) "oh please, why should these scriptkiddies pay attention to you and those other five mac users? Not cost efficient, yeah you're still safe.."
(now) "look, it seems everybody and his little sister is now stylish and unique and buys a mac, wave goodbye to your security, I'll count the days.."
Being right never felt so good...
@mr_chips: you're trolling right? you cannot be serious with that statement, really.
@Chatan: if you had read the article then you should have come to the conclusion that there is NO safe environment. Not when that environment is open to the web. As soon as there are connections to the outside and ways for outside to interact with inside, then safety becomes a PEBKAC* issue.
Also, no amount of "administrator password" will save you from hell when you're clueless.
Look, we have this administrator password stuff in Windows too. It's interesting to see how many (really serious) sites advise you to turn that UAC off because it's "annoying". Try a search on "turn off u" to see what I mean (yeah, the U is enough, there's apparently enough of these pages for Google to know what you're looking for).
So, as with houses, cars and airports: humans are the weakest link when it comes down to security. Regardless of what form the doors and locks have.
(*Problem Exists Between Keyboard And Chair)
By Multifarious on 26 Aug 2011
Just for the record: I've been using Windows since 3.1 and I have NEVER lost data due to malware and the virii I contracted I can count on one hand. I DO get into fights with people I tell off for sending me crappy ppt or xls files or for not opening chain-letters or pleas for help. That I find a small price to pay for security...
By Multifarious on 26 Aug 2011