The State of Mac Malware

There has recently been a shitstorm between Gruber and a bunch of other bloggers over the fact that a fairly widespread piece of Mac malware is now making the rounds on the Web (it goes by the name Mac Defender). Given past comments I’ve made about how OS X is never going to have the security debacles Windows has had because it’s better designed, I’d like to take a calmer approach and actually discuss the issue.

First off, I have still yet to see an OS X virus, and I doubt I ever will (a trojan horse != a virus). This piece of malware still asks for permission to do what it does, and it can’t get installed on your Mac without explicit user intervention: you have to run the installer and, for it to do anything that needs administrator rights, type your password. I’m also still convinced that blanket requirements for all computers (Macs included) to run antivirus software are ill-advised. Trying to secure a Mac by installing antivirus software is like trying to protect yourself from a swarm of bees by wearing a helmet. The legitimate attacks OS X is prone to don’t take the form of viruses as the Windows world has known them (executables that are “infected” or carry a virus). Sure, you could write an OS X app that wreaks havoc on your Mac, but it’s going to ask for your password first. Virus-ridden executables are simply not how security problems reach the Mac. Rather, vulnerabilities in specific apps (the browser, its plug-ins, document viewers) are where your Mac is most likely to get hammered, and so you should keep your copy of OS X and all of the software on it up to date.

But even in the Windows world, classic viruses are kind of passé nowadays. As more and more of what we do moves onto the Web, the infections are happening there too (Facebook is becoming a home for all sorts of stupid virus-y things). And to Microsoft’s credit, Windows has been made quite a bit more secure over the past few years.

Interestingly, though, this recent outbreak of Mac malware bucks that trend with a good old-fashioned trojan horse. It adds a nice ironic twist by posing as anti-malware software: a web page “scans” your Mac, tells you it’s infected, and offers you Mac Defender as the cure. The only malware you’re likely to end up with is Mac Defender itself.

What I have been most interested in, though, is Apple’s response. As with everything else that lands on Apple’s plate, Apple appears to be approaching this issue the way it always does: stay silent until it completely understands the problem, then issue a well-thought-out response. That is what happened when a bunch of tech journalists decided the iPhone 4 had a flaw so bad Apple would have to recall it, it’s more or less what happened with the iPhone getting a native SDK, it’s what happened with the accusations of poor working conditions in Apple’s factories, and it’s what happened most recently when those douche bags at Lodsys started sending nasty letters to iOS developers. Despite the fact that Apple’s approach to these things has been entirely consistent, the media never fail to go into hysterics when Apple is silent about the topic du jour. It’s one of tech journalism’s biggest turn-offs for me (my turn-ons include that dapper and brilliant John Siracusa of Ars Technica).

So far Apple has responded in its normal way (which is to say it hasn’t yet). But I have been getting reports that Apple has actually instructed AppleCare employees not to try to remove this piece of malware. On the surface that looks like exactly the opposite of what Apple should do (I can already see friends coming to me saying “Aaron, you’re not going to believe this virus I got on my Mac that not even Apple could get rid of. {pause} …do you think you could get rid of it for me?” yeah, thanks, Apple). Even so, it’s not bad advice. The best course of action is for Apple employees to collect as much information about the malware as possible and work out the right fix. Granted, it wouldn’t kill Apple to be a little more forthcoming with customers about what it’s doing, but I can hardly fault them for not making a promise they don’t yet know they can keep, and that is exactly the promise that would be implied if AppleCare employees were allowed to remove Mac Defender on their own: if traces of it were left behind or it wasn’t removed properly, that reflects very poorly on Apple.

Bottom line: was there an outbreak, and is one still going on? Yes. Is it cause for concern for Mac users? Not really. A lot of headway would have to be made before OS X reached anything like the figure quoted for Windows, where reportedly 1 in 14 downloads is malware.

Should Mac users look at installing third-party security software? Probably not. OS X has rudimentary malware protection built in (though it doesn’t yet appear to detect Mac Defender). Your biggest security dangers right now aren’t on your Mac but on the Web: these days your browser probably plays a bigger role in a Mac user’s safety than anything else. You should, of course, never believe anything inside an HTML web page that tells you your computer is at risk; a web page cannot scan your Mac, no matter what its fake progress bar says. Trust only what your Mac itself is telling you, like this warning dialog:

A malware warning in Snow Leopard
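That dialog is driven by File Quarantine: Safari and other quarantine-aware apps tag every download with a com.apple.quarantine extended attribute, and OS X checks the file (and shows the warning) the first time you open it. The script below is an added example written for this post, not Apple’s code or the post’s own; it lets you see which downloads carry the tag. It assumes the attribute’s layout is flags;hex-timestamp;downloading-agent;uuid, and the fourth field is an assumption that older releases may omit. The live check only runs on OS X with the xattr tool present; the parser works anywhere.

```shell
#!/bin/sh
# quarantine_check.sh (added example, not from the original post).
# Assumed attribute layout: "flags;hex_timestamp;agent;uuid"; the uuid
# field is an assumption and may be absent on older releases.

# Parse one com.apple.quarantine value and print "flags agent epoch_seconds".
parse_quarantine() {
    attr=$1
    flags=${attr%%;*}
    rest=${attr#*;}
    ts_hex=${rest%%;*}
    rest=${rest#*;}
    agent=${rest%%;*}
    # The timestamp is hex seconds since the epoch; POSIX arithmetic
    # expansion accepts C-style 0x constants.
    epoch=$((0x$ts_hex))
    printf '%s %s %s\n' "$flags" "$agent" "$epoch"
}

# Exit 0 if the file carries the quarantine attribute (OS X will warn on
# first open), 1 if it does not, 2 if we are not on OS X or xattr is missing.
is_quarantined() {
    file=$1
    command -v xattr >/dev/null 2>&1 || return 2
    [ "$(uname -s)" = Darwin ] || return 2
    xattr -p com.apple.quarantine "$file" >/dev/null 2>&1
}

# Report every file in a directory (default ~/Downloads) with its status.
# Files reported as "NOT quarantined" will open with no warning at all, so
# they deserve a second look if you do not remember where they came from.
report_downloads() {
    dir=${1:-"$HOME/Downloads"}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if is_quarantined "$f"; then
            printf 'quarantined:     %s (%s)\n' "$f" \
                "$(parse_quarantine "$(xattr -p com.apple.quarantine "$f")")"
        else
            case $? in
                1) printf 'NOT quarantined: %s\n' "$f" ;;
                *) printf 'cannot check:    %s (not OS X or no xattr)\n' "$f"; return 2 ;;
            esac
        fi
    done
}

# Usage: sh quarantine_check.sh            # scans ~/Downloads
#        sh quarantine_check.sh /some/dir  # scans another directory
```

Run it against your Downloads folder after a scare page has tried its luck: a freshly downloaded Mac Defender installer will show up as quarantined with Safari as the agent, which is exactly why the system dialog appears when it is opened. Remove the attribute only for files you trust (xattr -d com.apple.quarantine file).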

And most importantly, please let us not discuss making the Mac App Store the only way to get apps onto your machine as a viable option for addressing security issues. Not only would it ultimately be ineffective, it’s unlikely to happen in OS X (maybe in OS XI or something like that), and taking that approach would probably harm the Mac platform more than anything. That isn’t to say that allowing non-App Store installs on iOS would help iOS (though it very well could), but the Mac App Store was built to simplify software distribution for people and to bring a great iOS feature back to the Mac, not to usurp users’ freedom.
