Apple pie order?


David Harley

Editor: Helen Martin


‘Over 40% [of computer users] think [that Macs are] only “somewhat” vulnerable.’ David Harley, ESET

Back in the 1990s, when I was working for a medical research organization, I wrote a report on the virus landscape. For completeness, I included a section on Mac issues. A Mac specialist whom I was working with at the time remarked that he was quite impressed with the report generally, but he confidently informed me that there weren’t any Mac viruses (there were, of course). Have things changed since then?

Last year, a survey carried out on behalf of ESET’s ‘Securing our eCity’ initiative found that many Mac (and PC) users in the US still assume that the Mac – or at any rate OS X – is a safe haven. More people own PCs than Macs, more people own both types of computer than own Macs alone, and 2.1% of users in the survey didn’t know what kind of computer they own (perhaps they’re the same 2.1% who think there are no PC vulnerabilities). Of all these groups, nearly 10% think that Macs aren’t vulnerable at all, and over 40% think they’re only ‘somewhat vulnerable’ – although it’s not obvious what the survey respondents understood by the term ‘vulnerable’.

According to the survey, no Mac user believes that PCs are safe from malware attacks, and only 1% of PC users do. (Perhaps that 1% accounts for the millions of machines that are still infected with Conficker, or are patiently broadcasting ancient mass‑mailers.)

I’d contend that while ‘somewhat vulnerable’ might be about right for systems/application vulnerabilities and exposure to current malware, the figures would be more alarming if the survey were more focused on the vulnerability of users rather than systems. Any computer user who believes his system is so safe that he doesn’t have to care about security (i.e. not vulnerable at all) is prime material for exploitation by social engineering.

In fact, while the general decline of old-school viral malware is reflected in the Macintosh statistics, there’s no shortage of other malicious code targeting OS X, including rootkits, fake codec trojans, DNS changers, fake AV, keyloggers and adware. Numerically, this is a fleabite compared to the many tens of thousands of unique malicious Windows binaries AV labs see on a daily basis, but ‘safe haven’ doesn’t seem quite the right description.

The last time I pointed to user complacency as a risk here (see VB, August 2004, p.2) it was condescendingly explained to me that Apple’s security model saves their customers from themselves (see VB, October 2004, p.16). At one time, Apple’s security model led the way on patching, and it still includes many potentially useful defensive techniques, but they’re generally more limited in implementation than is often assumed. This is certainly a far cry from the picture Apple has painted for so long where PC viruses are no threat at all (tell that one to the multi-platform enterprise administrator!) and your Mac is ‘safe out of the box’. In fact, looking at Apple’s notorious security page while writing this piece, I see some small but significant changes from previous versions. The ‘safe out of the box’ claim has gone, and security is now achievable ‘with virtually no effort on your part…’ The disparity between protection on 32-bit and 64-bit apps is addressed, with some positive spin. There’s even an admission that ‘since no system can be 100 per cent immune from every threat, anti-virus software may offer additional protection.’

Indeed, there’s probably no absolute need for anti‑malware on many Macs at the moment (as if most Mac users are going to be persuaded otherwise, short of an Autostart-sized panic!). Mac users are similarly placed to Windows users in the late 1990s: if you’re impervious to social engineering and can accept the risk from zero-day, self-launching exploits and cross‑platform malware, fine – only don’t assume that there is no Mac malware or that only viruses matter.

Of course, I haven’t even mentioned iGadgets and the limitations of security based on whitelisting and restricted privilege. But you may not want to get me started on that...



Latest articles:

VB2019 paper: Static analysis methods for detection of Microsoft Office exploits

This paper presents an exploit detection tool built for the purpose of detecting malicious lure documents. This detection engine employs multiple binary stream analysis techniques for flagging malicious Office documents, supporting static analysis of…

LokiBot: dissecting the C&C panel deployments

First advertised as an information stealer and keylogger when it appeared in underground forums in 2015, LokiBot has added various capabilities over the years and has affected many users worldwide. This paper analyses the URL structure of the LokiBot…

VB2019 paper: The cake is a lie! Uncovering the secret world of malware-like cheats in video games

With more than 2.5 billion gamers from all over the world, it’s no wonder that at least a fraction of them would bring into action additional tools to gain an unfair advantage over their opponents in the virtual world. This is one of the many reasons…

VB2019 paper: Rich Headers: leveraging this mysterious artifact of the PE format

Ever since the release of Visual Studio 97 SP3, Microsoft has placed an undocumented chunk of data between the DOS and PE headers of every native Portable Executable (PE) binary produced by its linker without any possibility to opt out. The data…

VB2019 paper: Medical IoT for diabetes and cybercrime

This paper evaluates the threats diabetic patients face when they use smart glucose monitoring devices.

Bulletin Archive

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.