First, Apple releases a support note admitting that Mac Defender is indeed a problem, providing instructions on how to clean it, and announcing an upcoming patch to prevent it. Then a new version of the malware appears almost immediately, one that automatically runs its installer (if you haven’t already disabled Safari’s Open “Safe” Files After Downloading setting), without requiring your administrative password.
Apple’s response and the bad guys’ response to that are both firsts. But before we start wallpapering our desktops with eight different antivirus tools, it’s important to take a step back and try to understand what Mac Defender really means. Because, as momentous as this event is, it doesn’t mean we face an upcoming Mac Malware Apocalypse.
People get emotional about security. Safety is hard-wired into our brains. People also get emotional about their Macs—or any Apple products, for that matter. Apple makes a killing by connecting with its customers on an emotional level.
So I understand that some of you worry that Mac Defender is a scary sign of things to come. But while the Mac security situation really is changing, those changes are due almost entirely to attackers’ changing tactics and have little to do with the inherent strength or weakness of Mac security. The bottom line: You should pay attention to Mac security. But you don’t need to freak out about it.
The real danger
Online crime falls mostly into four categories: self-spreading malware (like viruses); malware that attacks vulnerable Web browsers when you visit a site (drive-by attacks); malware that tricks you into installing it (like Mac Defender); and online scams and Web attacks that don’t hack your computer (eBay scams, phishing, search-result poisoning, and so on). Macs are still unlikely to see the first or fully-automated versions of the second. Mac users have always faced the fourth. But as our numbers grow, it’s only natural we will see more of the third.
For years, Macs have been free of the soul-crushing malware problems that have plagued Windows PCs. Despite the Mac Defender incident, I don’t expect that to change anytime soon.
Some attacks still take advantage of security holes in the computer—especially in Windows XP and in Flash or Java plugins. But we see far fewer successful attacks on modern operating systems like Windows 7 and OS X. Microsoft recently reported that only 4 out of 1000 32-bit PCs are infected by malware—and only 2.5 out every 1000 for 64-bit. Windows 7 is actually more secure than OS X, but the gap narrows every year. And there simply isn’t the same attack ecosystem for Macs, nor are we likely to see one develop.
So while Mac users will likely see more malware, it’s highly improbable we (or Windows 7 users) will ever experience what those who are still running Windows XP battle today.
But two other factors are changing the Mac security landscape. First, Apple products are growing rapidly in popularity. At the same time, the overall Internet security environment is more hostile than a cantina on Tatooine. For years now, cyber-attacks have been more about hacking your brain than your computer. We all face a massive, daily onslaught of Internet-based scams. The technical security of your computer isn’t the most important factor—but your Mac is still the target.
Lack of immunity
The bad guys are good. They spend all day, every day, trying to figure out ways to get a few of you to install a piece of software, enter a credit card number, or buy a fake purse off Amazon. Probably every one of you out there has fallen for some sort of scam, big or small, physical or virtual, at some point in your life. We’re human, after all.
And the scams are getting better. For example, recently a company called Epsilon was breached. Epsilon is one of the largest commercial e-mail marketing firms, managing lists for companies like TiVo. The bad guys obtained the names and e-mails for everyone who had opted into or out of any of Epsilon’s lists. Imagine getting a perfectly normal looking e-mail from a company you do business with that is addressed to you by name, and includes some links for new features. Ask yourself: Are you really immune to this kind of phishing attack?
There also really aren’t safe online neighborhoods anymore. Many Mac Defender victims searched for innocuous items like images of children’s birthday cakes. “Trusted” Websites, including many with well-known brand names, are breached and used to attack visitors on a daily basis. Who needs to break into your online bank account when he can get you to click on a poisoned link on Google or Facebook?
It’s time for those of us in the Mac community to start paying more attention to security issues—not because Apple is issuing a patch, but because, even if our Macs aren’t the target, we are. We’re going to see more attacks—some technical, some not—and we need to realize that we can all be fooled at least once. As Windows gets more secure, and Macs more popular, it only makes good business sense for criminals to start moving in our direction.
We are most likely transitioning to a state of constant, low-level crime and harassment that relies as much on fooling us as cracking our Macs—and probably some combination of the two. Bad guys will always go after the easiest, most cost-effective target. As operating system vendors continue to tighten the screws, the targets will likely shift to Web services, getting us to install the software ourselves, and traditional scams.
Actually, we’re already there.
While I’m sometimes foolish, I’m not a fool. Like the rest of you I plan on staying educated, paying attention, and adjusting my habits as the criminals change their attacks. We can patch our Macs, but we can’t patch our brains. They’re the ultimate soft targets.
[Rich Mogull has worked in the security world for 17 years. He writes for TidBits and works as a security analyst through Securosis.com.]