
Computer 'Worms' Turn on Macs 450

Carl Bialik from WSJ writes "Macs have been largely immune to the viruses, worms and malware that have plagued PCs, but the Mac's recent popularity uptick has meant that 'bad guys appear to be casing the joint,' the Wall Street Journal reports. Among the signs: two recently discovered worms and the discovery of a vulnerability in Mac OS X that leaves Safari open to a hack. A Symantec engineer predicts a 'gradual erosion' of the idea that Macs are a safer operating system than Windows. 'Some security experts believe hackers are becoming more interested in writing nasty code for Macs precisely because of reports of its relative immunity to security woes,' the WSJ reports. 'Apple itself has gone out of its way not to promote the Mac's relative safety, lest it tempt hackers to prove the company wrong. Apple declined to discuss the topic of security in depth for this article.'"
This discussion has been archived. No new comments can be posted.

  • by minus_273 ( 174041 ) <{aaaaa} {at} {SPAM.yahoo.com}> on Monday February 27, 2006 @11:12AM (#14808263) Journal
    Seriously, if you have to manually download the program and enter your admin password, it is not a virus or a worm. I don't know why people keep calling it that. It is a Trojan and those have existed since the first rm -rf / script.
  • by webjedi ( 106085 ) on Monday February 27, 2006 @11:30AM (#14808454) Homepage
    Folks,

    The key thing to eyeball here, with all the FUD that has been stirred up, is there are OS vulnerabilities and application vulnerabilities. Much like the annual brouhaha when we compare Linux versus Windows, you must make a clear differentiation.

    Like Linux, I would never count, say an Apache hole against Mac nor Linux, since it's an application that is added after a base install. However, unlike Mac or Linux, Windows flaws are very much a hybrid. Windows really doesn't function much as Windows without IE (try reviewing a browser hijack, and see that the file explorer uses the IE render engine to see that an IE flaw is an OS flaw), and subsequent issues with IE are counted against the OS.

    The issues found recently with Bluetooth OBEX and the Safari "open anything" flaw are two examples of differentiators. The OBEX flaw, is yes, a core OS issue, however, it was identified and patched two patches ago (10.4.3), Apple is no longer shipping the OS in that rev anymore. Minus one to OS security for Apple. However, Safari, an application above the core OS, had a "bad settings default" besides the overall flaw in the app. In short, both are avoidable through an alteration in settings or application of an old patch. To be surprised that the Mac is "insecure" by the press FUD is ridiculous.

    Windows, as I sit on Microsoft briefings to my company each month, have not only application security issues on a predictable and regular basis (slow months in the summer and December are due to staff vacations), but because many of those apps are so tied into the core workings of the Operating System, that each new flaw opens a bigger hole that build upon each other. A standard install of XP out of the box takes 38 patches plus the two required to just upgrade to the latest version of Windows Update. WTF?! And that does even cover the OS settings needed to make it "generally" safe to put on the Internet.

    I feel safe putting ANY Mac, BSD or Linux box on the net for a half hour while I patch, because, in general are most of the distributions have reasonable defaults set, but, as they stay current, it makes it much less appetizing for the latest virus, worm, or hax0r than your default XP install. As it is with big business security, you don't necessarily have to be the most secure, you just have to be less appetizing than the next guy down the row.

    I'm truly sick of the news media (print, on-line, and TV) spreading unknowledgeable FUD to the masses, just because it's "something different" without recognizing why it may be different, let alone the overall truths. Remember kids, duck and cover!
  • by plopez ( 54068 ) on Monday February 27, 2006 @11:49AM (#14808632) Journal
    Typical 'man bites dog' approach. If it is unusual, it is news. Microsoft Windows is a bug ridden unsecure OS, but since everyone (or at least 90% of users) use it it is not news. No one questions why a defective product exists or what it is actually costing in lost productivity. It is normal in most users' worlds, those users who never have experienced anything else.

    OS X exploits are news only because they are unusual (though it does serve as an early warning, I sincerely hope Apple is busy auditing their code base). The fact that they are not as severe as Windows exploits, requires more user intervention and are often limited in scope are not discussed or probably understood by most people.
  • Re:Symantec? (Score:3, Informative)

    by Angostura ( 703910 ) on Monday February 27, 2006 @12:06PM (#14808806)
    FYI the worm in question only spreads via Bonjour (nee Rendezvous) connections, not via standard AIM chats.
  • Re:Symantec? (Score:2, Informative)

    by flappinbooger ( 574405 ) on Monday February 27, 2006 @01:39PM (#14809761) Homepage
    "Honestly, the worst Mac malware I've seen so far had a Symantec sticker on the box."

    McAfee is just as bad. Norton products move in and provide lots of bloat, slowdowns and the random, annoying crash. McAfee products, from my experience, grind the system to a halt.
  • Re:Symantec? (Score:2, Informative)

    by shambalagoon ( 714768 ) on Monday February 27, 2006 @02:06PM (#14810009) Homepage
    The worst computer disaster in all my years of computer use was thanks to Symantec. Apparently I had installed a slightly older version of Norton on my Mac. I think this was when they changed OS 9 to the extended file system. Norton had no problem running on an OS version that it wasn't built for. I ran the check on the system, and it found what it thought were errors, which it promptly "fixed". What it actually did was scramble almost all the data on my hard drive. My computer was inoperable. I got on the Mac forums along with droves of other people freaking out about the loss of all their data, and it took several weeks for Symantec to come up with a fix that undid the damage it did to all those Macs.

    Obviously, that was the last time I ever used their products.
  • Re:Symantec? (Score:5, Informative)

    by John Newman ( 444192 ) on Monday February 27, 2006 @02:34PM (#14810307)
    Unlike Windows, it's perfectly safe to run full-time as the "Administrator" user, and nearly every OS X user does.
    It's mostly safe, not perfectly safe. The iChat virus/trojan suggests one reason why. Since an admin has free access to /Applications, a bug running under that user's permissions can modify apps in that folder, helping the bug to spread itself either locally (next time another user on the machine opens an infected app) or remotely (e.g. via a modified iChat). A second reason is that admin users can sudo with their own password. If the admin account's password is compromised by a bug or hacker, root control of the machine goes with it. This is not the same as running as root, like Windows admins do, and viruses running under the admin user's permissions do not have root access. A regular user must enter an admin's username/password to sudo, making the virus/hacker's job more complicated.

    Nearly every OS X user on a single-person machine runs as admin, and that's what Apple sets up by default. But it's not a bad idea to reconsider.
  • Re:Symantec? (Score:3, Informative)

    by John Newman ( 444192 ) on Monday February 27, 2006 @07:51PM (#14813036)
    It would, if Admin users didn't still need to enter their password and authorize the iChat trojan.
    Actually, the reports [ambrosiasw.com] were clear that it doesn't require a password. The reason is that it only modifies iChat.app, not any system files. An admin user has read/write access to /Applications, no authentication necessary. Try it yourself (modifying /Applications, that is, not running the worm).

    You're absolutely right that admin != root; but nor is it quite as blind, deaf and dumb as an unprivileged user.
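
The permission point made in the two comments above (an admin user can modify bundles in /Applications with no authentication prompt) can be checked on a given machine. This is an added audit example, not part of the original thread; the function names, the default path and the `admin` group name are assumptions.

```shell
#!/bin/sh
# Added example: find application bundles that group members can modify
# without authenticating. Default path and group name are assumptions.

# Print each *.app bundle directly under $1 whose top-level directory
# has the group-write bit set.
group_writable_bundles() {
    for bundle in "$1"/*.app; do
        [ -d "$bundle" ] || continue
        if [ -n "$(find "$bundle" -prune -perm -020)" ]; then
            printf '%s\n' "$bundle"
        fi
    done
}

# Count regular files inside bundle $1 that are group- or world-writable.
writable_files_in() {
    find "$1" -type f \( -perm -020 -o -perm -002 \) | wc -l | tr -d ' '
}

# Succeed if the current user is a member of group $1.
current_user_in_group() {
    id -Gn | tr ' ' '\n' | grep -qx "$1"
}

# Report: group membership, then each group-writable bundle with its
# owning group and the number of writable files it contains.
audit() {
    dir=${1:-/Applications}
    group=${2:-admin}
    if current_user_in_group "$group"; then
        echo "current user is in group '$group'"
    else
        echo "current user is not in group '$group'"
    fi
    group_writable_bundles "$dir" | while IFS= read -r b; do
        owner_group=$(ls -ld "$b" | awk '{print $4}')
        printf '%s\tgroup=%s\twritable_files=%s\n' \
            "$b" "$owner_group" "$(writable_files_in "$b")"
    done
}

# Run only when arguments are given, e.g.: sh audit.sh /Applications admin
if [ $# -gt 0 ]; then
    audit "$@"
fi
```

A bundle listed with `group=admin` can be rewritten by any process running as an admin user; running day to day as a non-admin account removes that write access.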
