
February 22, 2006

So the Mac is invulnerable? Try this.

It looks like the blind fanaticism that hordes of Mac users display whenever someone - us for instance - dares to suggest that anything to do with Apple could possibly be less than perfect might be starting to backfire on them. The other night in Germany, for instance, Michael Lehn, a PhD student at the Department of Numerical Analysis at the University of Ulm, got tired of Mac zealots calling in to an Internet television discussion on two new pieces of malware which target the Mac. Predictably, they were declaring that it wasn't possible to infect an OS X system simply by clicking on a link or visiting a doctored Web page.

Not so, thought Lehn. He started exploring, and in 15 minutes discovered an extremely critical security flaw (harmless demo over here) that could be used to infiltrate OS X systems through Safari, the operating system's default Web browser. Indeed, says the German technology publisher, Heise Online, users of other Mac browsers could have the scripts downloaded and execute them by foolishly double-clicking on them. Safari merely saves them the effort, by executing them automatically. [Nice work, Apple!]

It's a useful read, because it tells Mac users what to do to safeguard against the exploit ... deactivate the option "Open 'safe' files after downloading" in the "General" section of Safari's preferences. And if you want to be really safe, you could move the Terminal application from /Applications/Utilities into a different folder. [But then you'd have to move it back to the original location before doing any updates]. Oh, and users shouldn't use their administrator accounts. [Does this sound just a bit tedious?]

Michael Lehn is wisely assuring the Mac community's lunatic fringe that he's an enthusiastic Mac user himself. And we're going to do the same, because we don't [sigh] want to have yet another barrage of the usual zealotry. We're merely suggesting that all this recent publicity about malware that targets the Mac could well make 2006 the year of the Mac exploit. So take care. As Heise Online concludes, "At this point, no web pages are known to misuse this vulnerability. However, this could change quickly."

Posted by cw at February 22, 2006 07:55 AM

Comments

well I'm gonna ignore most of this, as I'm not (read: can't afford to be) a mac zealot... and frankly, I find them annoying too. but i'd like a little honest reporting

the key is in the sentence: "users shouldn't use their administrator accounts". Following up with your 'tedious' claim is a little dishonest -- fact is, Mac is more secure _because_ users don't need to run as administrator all the time. Windows is weakened by the fact that one invariably has to run as administrator, (MS tried to remedy this with their 'power user' setting but I've yet to see it work sufficiently).

-p

CW: May I suggest that you might be a little less eager to sling around these accusations of "dishonest journalism"? What's "dishonest" about pointing out suggestions for precautions? For that matter, why is it tedious to point out the fact that Mac users need to be a little more careful these days?

Posted by: peter at February 22, 2006 11:02 AM

When Tiger was first released, Symantec AV was incompatible; I blame Apple as they failed to check backward compatibility. We licence Symantec at work, so this was a problem. This was a conversation I had at the time:

Concerned new Mac user: "Has this got Anti-Virus on it?"
Me: "No. I can’t install our AV at the moment, Tiger’s incompatible"
Nearby Mac salesmen: "It doesn’t matter, there are no viruses for Macs"
Me: "That’s not quite true, they’re rare but they exist"
Mac Guy (arrogantly): "NAME ONE!"

Of course I couldn’t name one, I'm not a walking virus definition file after all. Point being that with Apple constantly saying their computers are risk free, they are part of the cause of the typical Mac user’s attitude.

Posted by: wilbert at February 22, 2006 11:44 AM

This whole Mac virus thing is very important. It does a couple of things. Firstly, it highlights that there is no such thing as a 100% secured computer. As I've said in many corporate presentations, if you really want to secure your data disconnect the network cable, bury the computer in concrete and drop it to the bottom of the ocean. Short of that you need to take a pragmatic approach.

Use antivirus software (Mac users note - even if you can't be infected you can still be a carrier), treat all unexpected attachments as suspicious and never open any joke email attachments.

This latest exploit though is quite nasty. It's worth looking at

http://forums.appletalk.com.au/index.php?showtopic=16903&st=0&

for some further information on this nasty. It highlights that automatically opening any file is just dumb.

Respected journalist and writer Jerry Pournelle recommends that you turn any email preview pane to plain text only so that malicious HTML won't execute when you preview an email.

Posted by: Anthony Caruana at February 22, 2006 02:00 PM
