Monday, May 23, 2011

Mac Malware Scare: 7 Questions

It was only a matter of time. Numerous reports from the field leave little doubt that Apple OS X has become the target of its first widespread malware campaign -- in the form of MacDefender (aka, MacSecurity or MacProtector). Mac Defender is classic scareware: You're prompted to download and install an antivirus program to protect your system, when in fact the program itself is malicious.

Because the OS X malware campaign is the first of its kind, both Apple and Apple customers seem confused, with flames flying back and forth in various forums -- aggravated by a recent report that Apple support is refusing to help users remove the malware.

[ Master your security with InfoWorld's interactive Security iGuide. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. | Discover the key Mac, iOS, and Apple tech trends for business users with InfoWorld's Technology: Apple newsletter. ]

To clear the air, we offer some basic questions and answers about the ongoing MacDefender travails:

This isn't a virus or vulnerability within OS X, so how is it Apple's problem?Anytime a company's customers are being exploited, it's the company's problem, especially when that company has made a point of saying these sorts of things hardly ever happen on its platform. Even in the Microsoft Windows world, most successful malicious exploits don't depend on a vulnerability within the Windows operating system.

Microsoft doesn't help customers deal with malware, so why should Apple?The premise is dead wrong. After fighting cyber criminals for over two decades, Microsoft's support staff is fully trained at malware detection and removal. Microsoft has multiple commercial and free antimalware products, and large portions of its security websites are dedicated to malware detection and removal. Check the default Microsoft security page for yourself.

What's the best way to stop scareware scams?Education is the best defense. If you know what real antimalware software looks like, you're less likely to fall for the fake kind. Many companies say they do a good job at computer security education, but fail to include a single screenshot of the legitimate antimalware software they've installed on employee machines. Of course, if you're a Mac user, it's likely you don't have an antimalware program at all, other than the extremely limited one provided in OS X by default. Thus, any antimalware warning is fake.

But isn't that already readily apparent to anyone who isn't running an antimalware program?If that was the case, MacDefender wouldn't be making headlines and ruining the week for many OS X users. Never underestimate users' need to believe everything they read and click on anything they've been told to run.

So installing a real antitmalware program like Norton AntiVirus for the Mac would eliminate the risk, right?Unfortunately not. Antimalware scanning programs can't stop a large percentage of malware, simply because they can't keep up with the volume of new exploits. There are thousands of new scare programs created every day, and before they are released, most get scanned by dozens of popular antivirus scanner engines to prove they don't generate an alert. By the time an antivirus vendor includes a new scareware program in its antimalware definitions, it's often too late.

That said, it's probably time to consider antimalware for the Mac. Keep your antimalware definition files up to date, make sure your operating system has the latest patches, and don't download or install any program unless you know where it came from. Common sense measures cut your risk by a magnitude.

Is Apple's sudo approach better or worse than Microsoft's UAC (User Account Control)?Mac and Windows fans have long argued over whether Apple's sudo approach is better than Windows UAC. Most malware requires elevated privileges and permissions to infect and exploit a system. With both sudo and UAC, the operating system vendors disable the super user account by default and force users to do something extra to gain elevated access to the operating system.

I like sudo because it's been around for decades; it's very simple and hasn't changed much over time. With sudo, there is very little configuration, and when you need it, you're pretty sure how it's going to work and what it's going to do.

UAC actually has a lot more functionality and is far more predictive (in most cases) about when it will be needed. My problem with UAC is its complexity. Because it is more intelligent than sudo, there's more for end-users to learn. For example, UAC doesn't just apply to members of the Administrators group, but also to members of 17 other elevated groups: Power Users, Enterprise Admins, Scheme Admins, Network Configuration Operators, Print Operators, and so on. Microsoft provides literally dozens of ways to customize UAC, when it appears, and when it applies. As a result, few users truly understand UAC.

Both sudo and UAC do their jobs well. But in the long-term security scheme of things, neither will significantly decrease malicious hacking when end-users can simply be tricked into running whatever Trojan executable they are presented.

Is Apple going to leave its users twisting in the wind?Apple will change its support policies in the future and respond better. It has to. When Apple had only a few points of global marketshare, it didn't need to worry about malware or strategize about malware response. Now that the company has grown up, it will need new ways of handling customer issues in order to succeed.

7 comments:

  1. I sense a great disturbance in the force.. it is as is a great volume of smug has been eliminated all at once.

    ReplyDelete
  2. And with great pow..(number of users), comes great responsibility..

    ReplyDelete
  3. yeah mac users will get under fire if the claim to get higher and will be more in the future!

    ReplyDelete