Are Macs susceptible to malware from merely visiting a website?
sweeteviljesus
01-27-2012, 03:59 PM
Can a Mac get infected by merely going to a website, or is this a problem exclusive to some versions of IE?
Thanks,
Rob
tellyworth
01-27-2012, 04:07 PM
That kind of exploit can occur on any platform. In practice it's relatively rare. But yes, it can happen.
All of the Mac malware I'm aware of has to be explicitly installed by the user (http://reviews.cnet.com/8301-13727_7-20063683-263.html). They usually masquerade as security or maintenance programs ("speed up your computer" and the like).
beowulff
01-27-2012, 04:10 PM
In other words, no.
andrewm
01-27-2012, 04:52 PM
In theory, yes. Such attacks have been demonstrated multiple times at the Pwn2Own competition (http://en.m.wikipedia.org/wiki/Pwn2Own). More practically jailbreakme.com (http://jailbreakme.com) has used PDF exploits to jailbreak iOS.
beowulff
01-27-2012, 05:00 PM
In practice, no.
Blakeyrat
01-27-2012, 05:42 PM
In practice, no.
Do you work for Apple? The answer to the question, as asked, is "yes."
The unfortunate truth is that Apple's Safari has, all-told, as many or more exploits as any other company's browser, and Apple is particularly lackadaisical about patching them, which is why they usually lose Pwn2Own, and usually have more open exploits at any given time. (They're also pretty bad about patching exploits in related technology-- their version of the Java runtime, for example.)
The reason these holes aren't being exploited is because the economic incentive to do so isn't there-- building a botnet of a few million Macs isn't worth it when it's far more profitable to spend the same amount of time on your exploit and getting a botnet of a few billion Windows PCs.
beowulff
01-27-2012, 06:01 PM
Do you work for Apple? The answer to the question, as asked, is "yes."
The unfortunate truth is that Apple's Safari has, all-told, as many or more exploits as any other company's browser, and Apple is particularly lackadaisical about patching them, which is why they usually lose Pwn2Own, and usually have more open exploits at any given time. (They're also pretty bad about patching exploits in related technology-- their version of the Java runtime, for example.)
The reason these holes aren't being exploited is because the economic incentive to do so isn't there-- building a botnet of a few million Macs isn't worth it when it's far more profitable to spend the same amount of time on your exploit and getting a botnet of a few billion Windows PCs.
No, I don’t work for Apple.
But, I hear the same, tired arguments all the time from Windows fanboys about how the Mac is “just as vulnerable” to malware as Windows.
And, it just isn’t true.
As far as I know, there are zero (none, nada, zilch) drive-by attacks that are capable of infecting an OS X system running the current version of system software (10.7.2).
This number may possibly increase to single digits if third-party software (Flash/Acrobat) is installed, but I believe that running the current versions of that software brings the number back to zero.
If you can show me a drive-by attack that exists in the wild, I will post a retraction.
Blakeyrat
01-27-2012, 06:10 PM
Safari loses Pwn2Own first every single year. There are tons of exploits out there. Apple invariably takes months to patch those exploits, even after they are documented and demonstrated.
As I said above the reason (the ONLY reason) they aren't exploited is because the financial incentive isn't there. You don't see them "in the wild" not because the guys writing exploits for botnets are incompetent (on the contrary-- they're bypassing far more secure browsers), but because they haven't bothered.
But that could change at any moment. Telling people they're completely safe because they use Apple products is dangerous and irresponsible.
Arnold Winkelried
01-27-2012, 06:13 PM
To get back to the OP's question, it definitely is not restricted to a single browser (the OP asks about Internet Explorer). In theory, it can happen with any operating system and any browser. In practice, some pieces of software and some operating systems have more vulnerabilities or are the subject of more attacks (depending on who you speak to.)
For these types of debates (viruses on Mac vs. Windows), I like to use this metric to gauge the real-world probabilities: do a search on the threads in GQ discussing viruses, and count how many of the people who have a virus infect their machine have Windows vs. how many people are running Macintosh OS X. From my reading, all the questions I've seen on the board asking to get rid of a virus were from people who used the Windows operating system.
Eyebrows 0f Doom
01-27-2012, 10:52 PM
For these types of debates (viruses on Mac vs. Windows), I like to use this metric to gauge the real-world probabilities: do a search on the threads in GQ discussing viruses, and count how many of the people who have a virus infect their machine have Windows vs. how many people are running Macintosh OS X. From my reading, all the questions I've seen on the board asking to get rid of a virus were from people who used the Windows operating system.
Many many many more people use Windows than Macs, so of course you're going to see more questions relating to Windows machines.
MsWhatsit
01-27-2012, 10:56 PM
If you are asking if, theoretically, a Mac can get malware under certain circumstances, the answer is yes.
If you are asking if, practically speaking, you need to install antivirus software on your Mac, the answer is no.
Arnold Winkelried
01-28-2012, 03:08 AM
Many many many more people use Windows than Macs, so of course you're going to see more questions relating to Windows machines.
I can't remember a single question on the boards from someone who had a virus on a Macintosh. Have you ever seen one?
Ximenean
01-28-2012, 06:36 AM
I can't remember a single question on the boards from someone who had a virus on a Macintosh. Have you ever seen one?
I think I can remember at least one. But yes, reports of Mac malware are certainly disproportionately low compared to Windows.
I think it's mainly because so many Windows users still run with administrator privileges (equivalent to root in Unix-like systems). Even with protective privilege-reducing mechanisms Microsoft has added to recent versions of Windows, I still don't think it's a good idea to do that. If Windows users all used non-privileged accounts that would dramatically reduce the effectiveness of malware.
Turek
01-28-2012, 06:43 AM
Safari loses Pwn2Own first every single year. There are tons of exploits out there. Apple invariably takes months to patch those exploits, even after they are documented and demonstrated.
Plus, there are many browsers other than Safari that run on Macs.
beowulff
01-28-2012, 09:00 AM
I still haven't seen anyone present evidence that a Mac can be infected by the conditions stated in the OP:
Can a Mac get infected by merely going to a website
This means: no explicit downloading of files.
andrewm
01-28-2012, 09:15 AM
I still haven't seen anyone present evidence that a Mac can be infected by the conditions stated in the OP:
This means: no explicit downloading of files.
Jailbreakme.com definitely showed that this could be done. The authors designed the page to execute the attack only after user confirmation, but this is for user convenience only (so already-jail broken devices don't get re-jail broken, so users can read about it first, etc). There is no technical impediment to executing the attack as soon as the page loads. It just loaded a PDF in a hidden IFRAME.
beowulff
01-28-2012, 09:19 AM
Jailbreakme.com definitely showed that this could be done. The authors designed the page to execute the attack only after user confirmation, but this is for user convenience only (so already-jail broken devices don't get re-jail broken, so users can read about it first, etc). There is no technical impediment to executing the attack as soon as the page loads. It just loaded a PDF in a hidden IFRAME.
I've never heard of a jailbroken Mac.
Fuzzy Dunlop
01-28-2012, 09:27 AM
I think I can remember at least one. But yes, reports of Mac malware are certainly disproportionately low compared to Windows.
A little under 10% of Web surfers in 2011 were Mac users, so in my reading forums it's vastly disproportionately low. Although that's just based on my anecdotal observations reading forums.
I think it's mainly because so many Windows users still run with administrator privileges (equivalent to root in Unix-like systems). Even with protective privilege-reducing mechanisms Microsoft has added to recent versions of Windows, I still don't think it's a good idea to do that. If Windows users all used non-privileged accounts that would dramatically reduce the effectiveness of malware.
In my experience, virtually all Mac users run as administrators. I ran a consumer networking company for 7 years, including our customer service operations, and with one of our products the default software we shipped with didn't work on limited accounts. Maybe 10 in 50,000 customers called up with a problem and we'd send them an alternative version that would work on non-admin accounts.
Frankly it was an embarrassing bug that we should have fixed but so few Mac users run non-admin accounts I never invested the development time.
Mac admin accounts don't actually run as administrators all the time, they work principally like UAC does on Vista, 2008 and 7.
Ximenean
01-28-2012, 09:56 AM
In my experience, virtually all Mac users run as administrators.
That surprises me. According to Apple themselves, root is disabled in OSX by default (http://support.apple.com/kb/HT1528). Certainly, in other Unix-like OSes it is not usual to run as root all the time.
I'm not an OSX guy, but I see that there is an intermediate sort of account called an administrator user, not as powerful as its Windows namesake.
Fuzzy Dunlop
01-28-2012, 11:17 AM
That surprises me. According to Apple themselves, root is disabled in OSX by default (http://support.apple.com/kb/HT1528). Certainly, in other Unix-like OSes it is not usual to run as root all the time.
I'm not an OSX guy, but I see that there is an intermediate sort of account called an administrator user, not as powerful as its Windows namesake.
It'd be more accurate to say that the OS X Admin account is equivalent in virtually every meaningful way to the Windows Admin account. In all my years of using OS X I've needed to use the actual root account twice. Once last year to fix a bug Apple introduced in SMB sharing and one other time I don't recall the details of.
And as I alluded to, we develop hardware drivers (kernel extensions in OS X terms) so if the Admin account were particularly limited I'd have noticed. You're right though it is not the same as root.
BrotherCadfael
01-28-2012, 11:27 AM
In my experience, virtually all Mac users run as administrators.
In my experience, any Mac user sophisticated enough to understand what an administrator login is, runs as a normal user.
OSX makes this quite easy - If I ever want to install or update something in the Applications directory, it asks for the admin username and password. Waaay easier than the Windows User access Control.
Fear Itself
01-28-2012, 11:34 AM
I can't remember a single question on the boards from someone who had a virus on a Macintosh. Have you ever seen one?
Remove Mac Defender (Uninstall Guide) (http://www.google.com/url?sa=t&rct=j&q=&esrc=s&frm=1&source=web&cd=1&ved=0CC4QFjAA&url=http%3A%2F%2Fwww.bleepingcomputer.com%2Fvirus-removal%2Fremove-mac-defender&ei=sTAkT8aCKsfl0QGT59C1Dw&usg=AFQjCNFywzBYQFBK55nwm06FZZNSkVt5mw)
Remove Mac Protector (Uninstall Guide) (http://www.google.com/url?sa=t&rct=j&q=&esrc=s&frm=1&source=web&cd=2&ved=0CDUQFjAB&url=http%3A%2F%2Fwww.bleepingcomputer.com%2Fvirus-removal%2Fremove-mac-protector&ei=sTAkT8aCKsfl0QGT59C1Dw&usg=AFQjCNHv3Ai6TGBEN9jxYN466dInsMwoLQ)
Remove Mac Shield (Uninstall Guide) (http://www.google.com/url?sa=t&rct=j&q=&esrc=s&frm=1&source=web&cd=3&ved=0CDwQFjAC&url=http%3A%2F%2Fwww.bleepingcomputer.com%2Fvirus-removal%2Fremove-mac-shield&ei=sTAkT8aCKsfl0QGT59C1Dw&usg=AFQjCNGqquGL8wsAtkW34ANv-jp-3qgemQ)
Remove Mac Guard or MacGuard (Uninstall Guide) (http://www.google.com/url?sa=t&rct=j&q=&esrc=s&frm=1&source=web&cd=1&ved=0CEIQFjAA&url=http%3A%2F%2Fwww.bleepingcomputer.com%2Fvirus-removal%2Fremove-mac-guard&ei=kDEkT_TXHaTi0QHK5-WDCQ&usg=AFQjCNHNIywi977kXOYxGkehuI5ShxF5HQ)
Larry Mudd
01-28-2012, 11:36 AM
No, I don’t work for Apple.
But, I hear the same, tired arguments all the time from Windows fanboys about how the Mac is “just as vulnerable” to malware as Windows.
And, it just isn’t true.
As far as I know, there are zero (none, nada, zilch) drive-by attacks that are capable of infecting an OS X system running the current version of system software (10.7.2).
You misunderstand the underlying cause, though. The main reason that you aren't plagued by malware when you use minority operating systems has nothing to do with possibility, and everything to do with the motivations of malware authors. Macs represent about 6.5% of the global market, in total. If you want to establish a bot-net, or target people's personal information, you're not going to start by identifying an exploit in a particular subset of that group using a particular flavour of OS.
If you focus on Lion, you're now looking at about 5% of that 6.5%, and by the time you get down to the level of 10.7.2, you're looking at 10% of 5% of 6.5%, so you could expect your hack to affect fewer than one in 30,000 visitors to your website.
This is why you don't see malware targeted at Macs in practice - it's not because it's not possible, it's because there's no percentage in it.
Every year, there are examples of how Macs are vulnerable to browser attacks (http://www.appleinsider.com/articles/10/03/25/apples_iphone_safari_on_mac_exploited_at_annual_hacking_contest.html) from merely visiting a webpage, but they remain academic exercises.
If tomorrow the majority of internet users moved over to Mac (or Ubuntu, or whatever) then the day after tomorrow there would be a sizeable market for anti-virus solutions for that platform.
You don't need to be a "Windows fanboy" to point this out, it's just common sense. (As a matter of fact I dual boot Windows/Linux and only use Windows when I'm planning on using specific applications, in part to take advantage of Linux's "security through obscurity" for casual browsing - but I harbour no illusions that this is down to the Mint community being better at security than Microsoft and presenting no vulnerabilities - just no vulnerabilities that it's worth anyone's time to exploit.)
Ximenean
01-28-2012, 11:46 AM
OSX makes this quite easy - If I ever want to install or update something in the Applications directory, it asks for the admin username and password. Waaay easier than the Windows User access Control.
To be fair, that sounds very much like how it is running Windows 7 under a non-privileged account. I only see the admin password prompt when I install things, or do other admin-y things like looking at processes that don't belong to me. That said, there are some aspects of the way Windows raises privileges that are not as good as Unix-like OSes.
pulykamell
01-28-2012, 12:16 PM
Do you work for Apple? The answer to the question, as asked, is "yes."
The unfortunate truth is that Apple's Safari has, all-told, as many or more exploits as any other company's browser, and Apple is particularly lackadaisical about patching them, which is why they usually lose Pwn2Own, and usually have more open exploits at any given time. (They're also pretty bad about patching exploits in related technology-- their version of the Java runtime, for example.)
The reason these holes aren't being exploited is because the economic incentive to do so isn't there-- building a botnet of a few million Macs isn't worth it when it's far more profitable to spend the same amount of time on your exploit and getting a botnet of a few billion Windows PCs.
Which is why I wonder why virus writers don't target Mac more. I don't believe a Mac is invulnerable. But many/most Windows PCs are armed to the gills with anti-virus protection and stuff like that (or perhaps I'm being too optimistic here with what PC users do--I'm just using my experience when I was a Windows user and fellow Windows users I know, although I'm sure it's not a representative sample), while Mac users surf without a condom. Even though Mac has far less market share, wouldn't virus writers love the opportunity to infect pretty much any system that comes in contact with their virus, in addition to the notoriety for being the guys that finally broke the tired boast that Macs don't need virus protection? I mean, wouldn't that stroke your ego as a virus writer more than releasing yet another PC virus? Why isn't someone doing that? I'm not saying that in a snarky manner--I sincerely believe Macs are vulnerable. I just wonder why nobody has come along to claim that notoriety. I admit, I'd be the first to get that virus, as I've never bothered with safe surfing habits on my Mac. Every couple of years, I've run a virus scan, just to see, but nothing has ever come up.
Mister Rik
01-28-2012, 12:22 PM
In my experience, any Mac user sophisticated enough to understand what an administrator login is, runs as a normal user.
OSX makes this quite easy - If I ever want to install or update something in the Applications directory, it asks for the admin username and password. Waaay easier than the Windows User access Control.
I run as Administrator on my Mac, and it still asks me to enter my password (even though I already did that when I logged into the account) every time I try to install something.
Larry Mudd
01-28-2012, 12:53 PM
But many/most Windows PCs are armed to the gills with anti-virus protection and stuff like that [...] Even though Mac has far less market share, wouldn't virus writers love the opportunity to infect pretty much any system that comes in contact with their virus, in addition to the notoriety for being the guys that finally broke the tired boast that Macs don't need virus protection?
Basic OS security will ensure that you're not going to be able to infect "pretty much any system" - a typical exploit will have a much narrower opportunity of infection. (My back-of-the-envelope above didn't even fine it down to "What browser is being used?")
Take away practical motivation ('cuz there's diddly) and assume someone is just after "notoriety" - there's still very little chance of making a splash because you just don't have the density of vulnerable systems required for any sort of dramatic epidemic.
Ximenean
01-28-2012, 12:55 PM
I just wonder why nobody has come along to claim that notoriety. I admit, I'd be the first to get that virus, as I've never bothered with safe surfing habits on my Mac. Every couple of years, I've run a virus scan, just to see, but nothing has ever come up.
Yeah, that aspect of the argument has always seemed suspect to me. If the market is split 95% - 5% between two operating systems that are about equally vulnerable, then yes, hackers will attack the 95% system. But surely, that operating system will respond by becoming steadily more secure, until eventually the 5% system looks like a more lucrative target. Smaller prey, but easier to kill, as it were.
I guess the argument is that we haven't reached that point. Maybe there's an equilibrium where a rump of particularly innocent/complacent Windows users, say 20%, continue to provide paychecks for malware authors, which is still high enough to make OSX not worth bothering with. Meanwhile, the other 80% of Windows users go about their business unmolested. That would mean that Windows users do indeed have to be more careful. But not hugely more careful. They only have to be in the upper 80%. Basic common sense should do it.
Fear Itself
01-28-2012, 01:02 PM
That presumes the major reason for infecting systems is to make money from fraudulent antivirus software, or harvest credit cards. Another motivation for malware writers is creating a botnet to send out spam, or mount denial of service attacks on websites. In that case, sheer numbers of targets determines which OS to attack. The smaller target simply can't produce the critical mass for an effective botnet.
The Niply Elder
01-28-2012, 01:17 PM
To be fair, that sounds very much like how it is running Windows 7 under a non-privileged account. I only see the admin password prompt when I install things, or do other admin-y things like looking at processes that don't belong to me. That said, there are some aspects of the way Windows raises privileges that are not as good as Unix-like OSes.
Honestly the status of UAC on Win7 is a mess. I had a batch script that installs and configures our main CAD/CAE program at work that worked ok in Win XP (using the msiexec command), however in Win7 I have to turn the UAC control lever down to the lowest setting (then I have to restart the system to take effect). Only after this will the script work. Right clicking the batch file and "Run this as Administrator" does not work. It fails with some cryptic error, unless the UAC is turned down.
Long story short, the administrator privilege escalation scheme in Windows is ill-designed and not even the baked-in utilities provided by MS work correctly. Comparing to the baked-in security protocols of Unix and Linux, Windows' seems added on with a thumbtack. Sad.
Larry Mudd
01-28-2012, 01:18 PM
But surely, that operating system will respond by becoming steadily more secure, until eventually the 5% system looks like a more lucrative target.
Keep in mind that malware authors depend on their work being distributed before countermeasures are deployed (whether it's a 3rd party anti-virus or an OS patch.)
You need to spread to systems with the same vulnerability. The "5% system" is never going to be useful for a virus or worm, because by the time you're looking at the statistical significance of the actual, specific vulnerability, it becomes clear that there's no point in investing time hitting up random IP ranges or raiding contact details or whatever in the hopes of spreading the infection, because it's never going to get much past "Hey, I got one!" It's like playing the cellular automata "Game of Life" but limiting yourself to placing cells at least three spaces apart - it's never going to pay off.
Ximenean
01-28-2012, 01:32 PM
That presumes the major reason for infecting systems is to make money from fraudulent antivirus software, or harvest credit cards. Another motivation for malware writers is creating a botnet to send out spam, or mount denial of service attacks on websites. In that case, sheer numbers of targets determines which OS to attack. The smaller target simply can't produce the critical mass for an effective botnet.
I don't buy that the number of Mac users today is too small to achieve the "critical mass" that you speak of. Given the rapid growth in computer usage, that would have meant that ten or so years ago there were too few Windows users for malware to be viable then. But it was. If it was viable on Windows then, it is viable on OSX now.
Ximenean
01-28-2012, 01:51 PM
The "5% system" is never going to be useful for a virus or worm, because by the time you're looking at the statistical significance of the actual, specific vulnerability, it becomes clear that there's no point in investing time hitting up random IP ranges or raiding contact details or whatever in the hopes of spreading the infection, because it's never going to get much past "Hey, I got one!
I'm probably being a bit slow here, but I'm afraid I don't understand your point. Could you maybe rephrase it?
porqui
01-28-2012, 02:05 PM
Would we call it macware??
Larry Mudd
01-28-2012, 02:47 PM
I'm probably being a bit slow here, but I'm afraid I don't understand your point. Could you maybe rephrase it?
Well, start with the vulnerability you intend to exploit. Like, say you observe that you can disguise a .vbs file with a phony .txt extension in certain flavours of Windows, when it's received as an attachment in Outlook, and get code to execute that way. Hurrah! Now to spread your creation, you're going to have the code send an e-mail with such a deceitful attachment (containing a copy of itself) to the first 100 e-mail addresses in the user's Outlook contacts.
The worm will spread exponentially, assuming that a significant number of recipients at each hop is similarly vulnerable - but each attempt at replication is also an advertisement which will make the worm more vulnerable to countermeasures as virus definitions are updated and word of mouth spreads about the symptoms of infection. This is going to pay dividends if your target is "runs Windows XP vx.x AND uses Outlook versions X -through-Y AND gullible enough to open mystery attachment assumed to be from friend." (Assuming that it's still 2000 and XP is still a going concern - this describes the ILOVEYOU virus that enjoyed such wide distribution at that time.)
If you start by targeting an OS used by a 15% subset on a hardware platform that makes up 6% of the total market, and then use an exploit that applies to Entourage, you're not going to get anywhere of it - because an insignificant number of your contacts are going to be similarly vulnerable - statistically, less than one of your contacts is likely to be a match.
If you manage to get something that makes some sort of anemic process, the security community will have ample time to respond before it gets anywhere. This is why people don't bother to try.
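The spread argument in the post above can be put as a simple branching-process model. This is an added illustration, not part of the original thread: the 100 contacts and the 15% and 6% shares come from the post, while the 5% comparison figure and all function names are assumptions made for the example.

```python
"""Branching-process model of the e-mail worm argument (added illustration).

Each infected host mails `contacts` addresses; each recipient is infected
independently with probability `p_match` (runs the targeted OS/client and
opens the attachment). The model ignores overlapping address books.
"""


def match_fraction(*shares):
    """Multiply nested shares, e.g. OS share within a platform share."""
    frac = 1.0
    for share in shares:
        frac *= share
    return frac


def reproduction_number(contacts, p_match):
    """Expected number of new infections caused by one infected host."""
    return contacts * p_match


def extinction_probability(contacts, p_match, iters=10_000, tol=1e-12):
    """Probability that the chain started by one host dies out by itself.

    Offspring per host ~ Binomial(contacts, p_match). The extinction
    probability is the smallest fixed point of
        q = (1 - p_match + p_match * q) ** contacts
    found here by iterating from q = 0.
    """
    q = 0.0
    for _ in range(iters):
        nxt = (1.0 - p_match + p_match * q) ** contacts
        if abs(nxt - q) < tol:
            return nxt
        q = nxt
    return q


def expected_infections(r0, hops):
    """Expected total hosts infected after `hops` rounds of mailing.

    The number of hops stands in for the time defenders need to ship
    signatures or a patch: fewer hops means a faster response.
    """
    total, term = 0.0, 1.0
    for _ in range(hops + 1):
        total += term
        term *= r0
    return total


if __name__ == "__main__":
    # From the post: 15% OS subset on a platform with 6% of the market,
    # worm mails the first 100 contacts.
    minority = match_fraction(0.15, 0.06)
    # Constructed comparison value (assumption): 5% of recipients on the
    # majority platform are vulnerable and open the attachment.
    majority = 0.05

    for label, p in (("minority target", minority), ("majority target", majority)):
        r0 = reproduction_number(100, p)
        print(f"{label}: R0={r0:.2f}, "
              f"dies out with probability {extinction_probability(100, p):.4f}, "
              f"expected hosts after 10 hops {expected_infections(r0, 10):,.0f}")
```

With the post's figures the reproduction number is below one, so the outbreak dies out on its own; above one, the number of hops before countermeasures arrive dominates the outcome.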
tellyworth
01-28-2012, 03:23 PM
None of those are viruses, they're malware masquerading as legit applications. All of them have to be explicitly installed by the user.
Fear Itself
01-28-2012, 03:31 PM
None of those are viruses, they're malware masquerading as legit applications. All of them have to be explicitly installed by the user.
How quaint; the 1985 definition of a virus.
The Niply Elder
01-28-2012, 04:00 PM
[QUOTE=Blakeyrat;14713674]
The reason these holes aren't being exploited is because the economic incentive to do so isn't there-- building a botnet of a few million Macs isn't worth it when it's far more profitable to spend the same amount of time on your exploit and getting a botnet of a few billion Windows PCs.[/QUOTE]
Now what a ridiculous assertion. There has never ever been any bot net numbering in the billions. The biggest ones out there are between 10 to 20 million. The most common ones are way smaller than that.
If you were writing a virus exploiting a particular vulnerability in the system, there is equal opportunity to find similar sized populations of computers meeting the criteria to run your malicious code. Windows PCs also have great diversity in terms of hardware, meaning that certain components like drivers will vary a lot from model to model. That acts as a barrier to the billion sized botnet. Also consider that there are an even higher number of Windows versions out there, and even more troubling, Windows users are known to be reticent of installing updates from Microsoft, so the billions of Windows computers are subdivided into thousands of subvariations with different system software running on them.
The Niply Elder
01-28-2012, 04:07 PM
How quaint; the 1985 definition of a virus.
And still a useful one at that.
Fear Itself
01-28-2012, 04:26 PM
And still a useful one at that.
Only if you are still using floppy drives.
The Niply Elder
01-28-2012, 05:00 PM
Only if you are still using floppy drives.
A computer virus hides itself within an apparently normal file, then exploits a weak vulnerable section of the system. The correlation to real biological viruses is quite good. The susceptibility of a system to viruses gives you an idea of how robust it is. The easier it is to find system vulnerabilities, the more viruses that will exist.
This has nothing to do with floppy drives.
Mister Rik
01-28-2012, 06:07 PM
and even more troubling, Windows users are known to be reticent of installing updates from Microsoft, so the billions of windows computers are subdivided into thousands of subvariations with different system software running on them
I was going to mention this. We Mac users tend to be all, "Hot damn! New version of OS X! Load 'er up!" as soon as Apple releases it. Whereas, from everything I've read, there are tons of Windows users who just continue using whatever version their computer came with and thus they don't benefit from the security improvements contained in subsequent versions.
Somebody else mentioned the "what browser?" (and what e-mail client) issue as well. A malware author can, I think, be fairly confident that the huge majority of Windows users are going to be using IE and OE. I, and many of the Mac users I've talked to, use a huge variety of browsers/clients other than Safari and Apple Mail. So the percentage of (Mac OS X + Safari + Mail) users is even smaller than the percentage of just "Mac users".
drachillix
01-28-2012, 06:23 PM
I was going to mention this. We Mac users tend to be all, "Hot damn! New version of OS X! Load 'er up!" as soon as Apple releases it. Whereas, from everything I've read, there are tons of Windows users who just continue using whatever version their computer came with and thus they don't benefit from the security improvements contained in subsequent versions.
One other thing the Apple side has going for it, it tends to have a fairly computer savvy user base. If you had the kind of installed base Windows does, with a more typical idjits/to users ratio, you would see Macs getting doors kicked in just as often.
drachillix
01-28-2012, 06:29 PM
I still haven't seen anyone present evidence that a Mac can be infected by the conditions stated in the OP:
Read the link to Pwn2own. That is exactly the criteria they are looking for, driveby exploits, click on a link to the site and BAM!
beowulff
01-28-2012, 08:09 PM
Read the link to Pwn2own. That is exactly the criteria they are looking for, driveby exploits, click on a link to the site and BAM!
Proof-of-concept does not a malware make.
Napier
01-29-2012, 10:45 AM
Remove Mac Defender (Uninstall Guide) (http://www.google.com/url?sa=t&rct=j&q=&esrc=s&frm=1&source=web&cd=1&ved=0CC4QFjAA&url=http%3A%2F%2Fwww.bleepingcomputer.com%2Fvirus-removal%2Fremove-mac-defender&ei=sTAkT8aCKsfl0QGT59C1Dw&usg=AFQjCNFywzBYQFBK55nwm06FZZNSkVt5mw)
Remove Mac Protector (Uninstall Guide) (http://www.google.com/url?sa=t&rct=j&q=&esrc=s&frm=1&source=web&cd=2&ved=0CDUQFjAB&url=http%3A%2F%2Fwww.bleepingcomputer.com%2Fvirus-removal%2Fremove-mac-protector&ei=sTAkT8aCKsfl0QGT59C1Dw&usg=AFQjCNHv3Ai6TGBEN9jxYN466dInsMwoLQ)
Remove Mac Shield (Uninstall Guide) (http://www.google.com/url?sa=t&rct=j&q=&esrc=s&frm=1&source=web&cd=3&ved=0CDwQFjAC&url=http%3A%2F%2Fwww.bleepingcomputer.com%2Fvirus-removal%2Fremove-mac-shield&ei=sTAkT8aCKsfl0QGT59C1Dw&usg=AFQjCNGqquGL8wsAtkW34ANv-jp-3qgemQ)
Remove Mac Guard or MacGuard (Uninstall Guide) (http://www.google.com/url?sa=t&rct=j&q=&esrc=s&frm=1&source=web&cd=1&ved=0CEIQFjAA&url=http%3A%2F%2Fwww.bleepingcomputer.com%2Fvirus-removal%2Fremove-mac-guard&ei=kDEkT_TXHaTi0QHK5-WDCQ&usg=AFQjCNHNIywi977kXOYxGkehuI5ShxF5HQ)
These aren't viruses, according to the descriptions at the linked sites. These are programs the user has to install. If the definition of "vulnerability" is that the computer can have software installed on it by the user, then Macs are vulnerable. But I think this is a ridiculously overly broad definition of "virus". Several of us propeller heads played with a floppy disk infected with Michelangelo on a couple of non-networked PCs in the mid 80's and had fun watching it insert itself and watching an antivirus program detect and remove it. Then we scared our pants off by realizing we had infected a machine we did not think we were going to infect. We were NEVER installing software consciously. Even mid-80's viruses were far more insidious than the scam programs above, which are basically just programs that are difficult to uninstall.
When buying my first Mac a couple years ago I researched the virus issue carefully, and have dug back in a couple of times. The closest thing to a virus that I could find was something that could attack a session of Microsoft Windows running in a sandbox (which of course is always possible) and could leak out of the sandbox (which is a true security flaw in the Mac OS). As I understand, it did not act as a virus per se within Mac's OS, so it was not a Mac virus, just a security flaw.
Fear Itself
01-29-2012, 11:50 AM
These aren't viruses, according to the descriptions at the linked sites. These are programs the user has to install.
By that definition, neither are the vast majority of malware infecting PCs today. I don't see how pedantry about the difference between viruses, worms, malware and spyware contributes to the discussion about the relative security of PCs and Macs.
How quaint; the 1985 definition of a virus.
How quaint. Physicians still see differences between food poisoning and viruses.
Fear Itself
01-29-2012, 01:09 PM
How quaint. Physicians still see differences between food poisoning and viruses.
When your computer gets salmonella, I will concede.
When your computer gets salmonella, I will concede.
It can't, any more than it being a Mac, it can be infected by a computer virus.
RaftPeople
01-29-2012, 01:46 PM
By that definition, neither are the vast majority of malware infecting PCs today. I don't see how pedantry about the difference between viruses, worms, malware and spyware contributes to the discussion about the relative security of PCs and Macs.
It's valid to talk about both malware in a general sense and specific capabilities.
If (hypothetically) malware is able to execute arbitrary code on one platform, and not able to on another platform, that's an important distinction that will influence the types of precautions required.
Napier
01-30-2012, 12:12 PM
By that definition, neither are the vast majority of malware infecting PCs today. I don't see how pedantry about the difference between viruses, worms, malware and spyware contributes to the discussion about the relative security of PCs and Macs.
Pedantry? Pedantry??
People who want to be safer with their computers should take one approach to dealing with viruses, and another approach to dealing with malware the user would have to install. A good approach to dealing with viruses would be to buy a Mac, because Macs are relatively more secure against viruses. Very much so, as far as I can tell. A good approach to dealing with malware the user would have to install could include learning more about recognizing malware for what it is.
Does this help explain the contribution to the discussion?
Blakeyrat
01-30-2012, 12:53 PM
Wow this thread is still going.
Two quick comments:
@The Niply Elder: I was using hyperbole; I didn't *literally* mean you could infect billions of PCs.
@everyone: It's obvious that arguing with beowulff is useless, he's not going to change his mind regardless of how much factual information he's presented with.
drachillix
01-30-2012, 01:19 PM
A good approach to dealing with viruses would be to buy a Mac, because Macs are relatively more secure against viruses.
The point many of us are trying to make is it's security through obscurity. Just like a disease, if it can only infect or be transmitted by 10% of the population, it's not going to spread, even if it does, it will be very slow to do so.
Viruses as we see them today are a criminal enterprise. They attack the broadest base to get the greatest possible effect for the least work.
As far as user installed files..... many of my customers get the virus by downloading what they think is a tuneup utility.
Just like we have all seen beautifully done PayPal phishing emails there are some very well done ads/sites handing out malware. I as a computer tech have seen twice now a fake "antivirus app" that the interface was damn near identical to AVG, like took me a few seconds of "something don't quite look right" to know it wasn't. If I had been clicking along like I often do, I would probably have fallen for it too.
Also, trying to split hairs about what is a virus, malware, spyware, rootkit, trojan, is irrelevant to anyone outside the AV software business. It's all bad stuff that does bad things. There are only a handful of people on this board that would know the difference between a rootkit and a rutabaga if it was in their computer.
beowulff
01-30-2012, 01:23 PM
Wow this thread is still going.
Two quick comments:
@The Niply Elder: I was using hyperbole; I didn't *literally* mean you could infect billions of PCs.
@everyone: It's obvious that arguing with beowulff is useless, he's not going to change his mind regardless of how much factual information he's presented with.
No, that’s not true.
But so far, no one has presented any credible evidence.
Believe me, I have worked in this field for a long time. I do embedded controller design, and I’m far from clueless when it comes to computer systems.
I have supported Macs as a side business since 1985, so I dare say that I am much more conversant with the risks than most people.
The problem with all of the arguments presented so far is they conflate theoretical vulnerabilities with real-world risk. That’s like saying that the Pope is just as likely to get AIDS as a male hooker. After all, they both have the same ability to get infected, right?
OS X is far from an impregnable fortress, but right now, the chance of someone getting malware installed by visiting a website is zero. This may change in the future, but currently, I would never recommend my clients install anti-virus software, since that is a cure that is much worse than the disease.
Blakeyrat
01-30-2012, 01:32 PM
I have supported Macs as a side business since 1985, so I dare say that I am much more conversant with the risks than most people.
Then you remember the era when practically EVERY Mac-formatted 3.5" floppy disk had at least one virus on it. (Of course that was back before the mafia took over, so the virus dynamics were different then.)
The problem with all of the arguments presented so far is they conflate theoretical vulnerabilities with real-world risk. That’s like saying that the Pope is just as likely to get AIDS as a male hooker. After all, they both have the same ability to get infected, right?
OS X is far from an impregnable fortress, but right now, the chance of someone getting malware installed by visiting a website is zero. This may change in the future, but currently, I would never recommend my clients install anti-virus software, since that is a cure that is much worse than the disease.
But that's what the original question was. "Is it possible?" The answer is, "yes. Yes it is possible." End of story.
You seem to simultaneously be aware that Macs can get infected by visiting a webpage, yet wanting to answer "no" to the question... which is mind-bending to me, and I honestly don't understand where you're coming from.
beowulff
01-30-2012, 01:37 PM
That's BS.
It’s “possible” that I could become President. Will it ever happen? No.
I find it irresponsible (and disingenuous) to try to put OS X systems into the same risk category as Windows machines. The risk level is simply not comparable.
If you are going to insist on saying that it’s “possible”, at the very least you should add that the current threat level is zero or close to it.
I suspect that the OP was looking for a real-world threat assessment, not some pedantic argument of the security merits of the various OSs.
RaftPeople
01-30-2012, 01:39 PM
The point many of us are trying to make is it's security through obscurity. Just like a disease, if it can only infect or be transmitted by 10% of the population, it's not going to spread, even if it does, it will be very slow to do so.
While security through obscurity is clearly a significant factor, it doesn't eliminate the possibility that one platform can be substantially more secure than another (note I said possibility).
I've worked on software from different companies and different individuals and it's not all the same. Some companies put out well designed and well written software and some companies are the polar opposite, and some companies have both good and bad.
Based on Pwn2Own, it's clear the answer to the OP is: yes, they are susceptible
But the bigger question of whether Mac is overall "more secure" than Windows probably requires some good definitions in advance and more data from the experts.
hax0rcist
01-30-2012, 01:44 PM
I think the only way to get beowulff to post anything other than fanboy nonsense would be to look up some recently published Macsploits, write a virus that takes over his web browser, and use it to post a rational message in his name for him
Same goes for basically all the Mac super-proponents here..
Then again, I guess it's just human nature not to believe that something bad can happen until it does. I used to work at Microsoft, and I was incredulous when my personal computer running Windows 7 in a non-privileged account got infected by horrible malware. (I was trawling the seedy depths of the internet for a DRM-free version of an ebook I purchased). I mentioned it to some of my coworkers (not on the Windows 7 team), and they straight up refused to believe that it was possible, haha.
OP, as someone else stated, the final, most trustworthy word on the subject is:
- Is it POSSIBLE to get infected? Yes
- Is it PROBABLE that your computer will ever get infected? No, not unless MacOS really takes off. So you don't really need to do your piracy through a hole in a sheet (that's what I call my linux virtual machine running a copy of Firefox with NoScript installed)
Arnold Winkelried
01-30-2012, 02:07 PM
I can't remember a single question on the boards from someone who had a virus on a Macintosh. Have you ever seen one?
I think I can remember at least one.
Really? If you could find it, I would love to see it.
Remove Mac Defender (Uninstall Guide) (http://www.google.com/url?sa=t&rct=j&q=&esrc=s&frm=1&source=web&cd=1&ved=0CC4QFjAA&url=http%3A%2F%2Fwww.bleepingcomputer.com%2Fvirus-removal%2Fremove-mac-defender&ei=sTAkT8aCKsfl0QGT59C1Dw&usg=AFQjCNFywzBYQFBK55nwm06FZZNSkVt5mw)
Remove Mac Protector (Uninstall Guide) (http://www.google.com/url?sa=t&rct=j&q=&esrc=s&frm=1&source=web&cd=2&ved=0CDUQFjAB&url=http%3A%2F%2Fwww.bleepingcomputer.com%2Fvirus-removal%2Fremove-mac-protector&ei=sTAkT8aCKsfl0QGT59C1Dw&usg=AFQjCNHv3Ai6TGBEN9jxYN466dInsMwoLQ)
Remove Mac Shield (Uninstall Guide) (http://www.google.com/url?sa=t&rct=j&q=&esrc=s&frm=1&source=web&cd=3&ved=0CDwQFjAC&url=http%3A%2F%2Fwww.bleepingcomputer.com%2Fvirus-removal%2Fremove-mac-shield&ei=sTAkT8aCKsfl0QGT59C1Dw&usg=AFQjCNGqquGL8wsAtkW34ANv-jp-3qgemQ)
Remove Mac Guard or MacGuard (Uninstall Guide) (http://www.google.com/url?sa=t&rct=j&q=&esrc=s&frm=1&source=web&cd=1&ved=0CEIQFjAA&url=http%3A%2F%2Fwww.bleepingcomputer.com%2Fvirus-removal%2Fremove-mac-guard&ei=kDEkT_TXHaTi0QHK5-WDCQ&usg=AFQjCNHNIywi977kXOYxGkehuI5ShxF5HQ)
Those are not people posting on the boards saying they got a virus, those are instructions on how to remove malware if you did get it. I could find thousands of posts like that for a Windows machine.
I've had different Macintoshes for about 25 years now. I used to go to Apple club meetings. There were plenty of clueless users at the Apple club, and never once did I hear anyone ask about help getting rid of a virus. (Some people "thought" they had a virus, but it was always a setting that needed to be changed in the control panel or something like that.) The son of one of my friends has worked at the genius bar at an Apple store for a couple of years now. I asked him this week-end and he said he has never had anyone come in with a virus.
Like I said before, I agree that it's theoretically possible. But in practice, I have never seen it happen. Whereas, at the SDMB (I use this as a reference because we all post here), I have seen many posts asking about how to get rid of a Windows virus, and some of those posts come from people who are pretty knowledgeable about computers.
Chronos
01-30-2012, 02:49 PM
Quoth Larry Mudd:
You misunderstand the underlying cause, though. The main reason that you aren't plagued by malware when you use minority operating systems has nothing to do with possibility, and everything to do with the motivations of malware author. Macs represent about 6.5% of the global market, in total.
Two problems with this. First of all, the market share of Macs compared to PCs is completely irrelevant. Virus writers don't care if you just bought a computer; they care about whether you have a computer. The relevant number here is actually installed base (that is, what proportion of computers in use are of a given type), not market share. And the installed base of Macs is about 10% (it's higher than their market share because Mac users tend to go longer without replacing their computers).
Second, if I told any businessman that he could expand his base by 10% for relatively little effort, any one of them, in any line of business at all, would jump at the chance. Why should the virus-writers be any different? Sure, it makes sense to put more effort into grabbing the 90%, but it doesn't make any sense to not put any effort towards that last 10 at all.
And the answer to the OP's question is that, no, it's not possible for a Mac to contract a virus merely by visiting a webpage, since no such webpage exists. Such a website surely could exist, but it doesn't. And until such time as it does exist, the answer remains the same.
Fear Itself
01-30-2012, 03:10 PM
Those are not people posting on the boards saying they got a virus, those are instructions on how to remove malware if you did get it.
Then I misunderstood you.
RaftPeople
01-30-2012, 03:15 PM
And the answer to the OP's question is that, no, it's not possible for a Mac to contract a virus merely by visiting a webpage, since no such webpage exists. Such a website surely could exist, but it doesn't. And until such time as it does exist, the answer remains the same.
Actually the answer doesn't change at all: yes they are susceptible as proven by Pwn2Own
It could not be anymore black and white than that, they are "susceptible".
Furthermore, stating that such a website doesn't exist is quite a claim given the number of sites and pages on the internet. How would you know for sure?
Finagle
01-30-2012, 03:17 PM
You misunderstand the underlying cause, though. The main reason that you aren't plagued by malware when you use minority operating systems has nothing to do with possibility, and everything to do with the motivations of malware author. Macs represent about 6.5% of the global market, in total. If you want to establish a bot-net, or target people's personal information, you're not going to start by identifying an exploit in a particular subset of that group using a particular flavour of OS.
I don't buy this argument. That's assuming the only reason to write a virus is to make a profit. In fact, many of the first viruses were written for fun, for the challenge of it, or just to be colossal dicks. There are hackers out there for whom creating a Mac virus would be a major ego boost. Just the notion that Macs are hard to write viruses for should have alienated teenagers everywhere rolling up their sleeves and saying "Watch this".
Chronos
01-30-2012, 03:41 PM
Actually the answer doesn't change at all: yes they are susceptible as proven by Pwn2Own
It could not be anymore black and white than that, they are "susceptible".
Can the Empire State Building be moved by a single truck? Certainly, a truck could be built that could do it, so the answer is "yes", right?
drachillix
01-30-2012, 03:46 PM
I don't buy this argument. That's assuming the only reason to write a virus is to make a profit.
The day of random kid writing an effective virus to be a dick is over. Commercial AV apps are far too good to be kicked over by part time script kiddies with any kind of consistency.
RaftPeople
01-30-2012, 04:11 PM
Can the Empire State Building be moved by a single truck? Certainly, a truck could be built that could do it, so the answer is "yes", right?
A couple guys just spent a few weeks to hack a Mac in Pwn2Own.
In this post you are equating that to moving the empire state building with a truck.
Could you please explain why you think something that took a few man weeks to accomplish is as difficult and unlikely as moving the Empire State Building with a truck? Your reasoning is not clear.
hax0rcist
01-30-2012, 04:30 PM
You guys are right. Through this rock-solid logic you have proven beyond a shadow of a doubt that MacOS is COMPLETELY IMPERVIOUS to viruses, and the only way to get a virus is to download an executable, install it, and give it administrative privileges intentionally.
Pwn2own means nothing, if anything Steve Jobs probably put it there just to test our faith
Mister Rik
01-30-2012, 04:41 PM
Second, if I told any businessman that he could expand his base by 10% for relatively little effort, any one of them, in any line of business at all, would jump at the chance.
Well, except for videogame makers that aren't Blizzard.
Then you remember the era when practically EVERY Mac-formatted 3.5" floppy disk had at least one virus on it.
If this isn't a whoosh, please supply a cite.
I've used Macs since 1989, had my own since 1991 and have been on the net since that time.
My machines have never fallen victim to any malware, let alone a virus, from System 6.0.8 to OS 10.7.2 (the most recent at this writing). Over that time, I've run every net connection from ZTerm to Netscape to IE, and Mozilla's first offerings to Safari, Firefox, Thunderbird and Mail, without any useless anti-virus app chewing up the processing cycles.
The biggest pre-internet (hence floppy-distribution) virus threat was thanks to Microsoft Word (surprise, surprise) for Mac. They could screw up Word but they couldn't affect the Mac OS or any other app in the machine, including other applications.
The safety-through-Mac-obscurity argument doesn't hold water. Six hours after the first 10,000 downloads of Vista's beta, warnings of viruses written exclusively for it were all over the web. Millions upon millions of net-connected Macs are too few to be bothered with, but a mere 10,000 Vista boxes aren't?
But whether the safety-through-obscurity myth is believed or not makes no difference to the reality that since OS 10 was released more than a decade ago, there have been no Mac viruses. Trojans, requiring a user's permission to load, are another matter. But on any computer platform, there can be no protection against stupid.
Blakeyrat
01-30-2012, 05:58 PM
If this isn't a whoosh, please supply a cite.
I've used Macs since 1989, had my own since 1991 and have been on the net since that time.
Hard to cite stuff pre-web, but here's a Usenet post that lists a bunch:
http://groups.google.com/group/alt.answers/browse_thread/thread/859a5735b38b5fd1/4fa6382255a4a64a?q=mac+system+6+viruses#4fa6382255a4a64a
My machines have never fallen victim to any malware, let alone a virus, from System 6.0.8 to OS 10.7.2 (the most recent at this writing). Over that time, I've run every net connection from ZTerm to Netscape to IE, and Mozilla's first offerings to Safari, Firefox, Thunderbird and Mail, without any useless anti-virus app chewing up the processing cycles.
You were honestly lucky if you never had System 6 or System 7 get infected via floppy. Either that, or you never exchanged disks with anybody.
The biggest pre-internet (hence floppy-distribution) virus threat was thanks to Microsoft Word (surprise, surprise) for Mac. They could screw up Word but they couldn't affect the Mac OS or any other app in the machine, including other applications.
HyperCard was a big one too, when it shipped by default on Mac systems.
The safety-through-Mac-obscurity argument doesn't hold water. Six hours after the first 10,000 downloads of Vista's beta, warnings of viruses written exclusively for it were all over the web.
Your turn for a cite.
Millions upon millions of net-connected Macs are too few to be bothered with, but a mere 10,000 Vista boxes aren't?
Except that the total of Vista boxes was expected to increase by leaps and bounds, where the total number of Mac boxes (at that time at least) was expected to stay level. As it turns out, Vista wasn't as popular as everybody thought it was going to be, but at the time the beta came out, nobody knew that.
I'm not necessarily saying you're wrong, I'm just saying your example doesn't back-up your argument.
But whether the safety-through-obscurity myth is believed or not makes no difference to the reality that since OS 10 was released more than a decade ago, there have been no Mac viruses. Trojans, requiring a user's permission to load, are another matter. But on any computer platform, there can be no protection against stupid.
And yet, it's possible for an OS X-running computer to get infected by a virus by simply opening a web page.
Chronos
01-30-2012, 06:21 PM
What's the relevance of System 6 or 7 vira, anyway? Those were a completely, utterly, absolutely different operating system, from the ground up, from any modern Mac OS. All they prove is that virus writers will write viruses even for a minority OS, given the opportunity.
Larry Mudd
01-30-2012, 06:24 PM
Two problems with this. [...] installed base of Macs is about 10% (it's higher than their market share because Mac users tend to go longer without replacing their computers).
Unbiased estimates still put the installed base at ~5%, so that's neither here nor there.
Second, if I told any businessman that he could expand his base by 10% for relatively little effort, any one of them, in any line of business at all, would jump at the chance. Why should the virus-writers be any different? Sure, it makes sense to put more effort into grabbing the 90%, but it doesn't make any sense to not put any effort towards that last 10 at all.
Because there is absolutely no analogy between something like app development and the propagation of a worm or virus. A worm or virus requires a relatively high percentage of similarly vulnerable machines per point-of-contact - by its nature it has to target the most common systems, because if it doesn't, it's going to be cleaned up before it manages to infect another system.
And the answer to the OP's question is that, no, it's not possible for a Mac to contract a virus merely by visiting a webpage, since no such webpage exists. Such a website surely could exist, but it doesn't. And until such time as it does exist, the answer remains the same.
But it's repeatedly demonstrated that it is possible.
Nobody is arguing that a current Mac user need worry about such things - this would clearly be contrary to common experience. Nevertheless, that does not change the fact that individual systems running minority operating systems (OSX or a flavour of Linux or whatever) are no less vulnerable than Windows systems. It is useful to understand why these vulnerabilities aren't exploited, though - and that's precisely because there isn't enough density of vulnerable systems to exploit it in any meaningful way.
Yes, you can engineer a page that'll get code to execute on a Mac. (Or Linux, or whatever.) But to what end? If you have a worm that depends on X exploit of the OS for privilege elevation and Y exploit of Z mail client for propagation, it's a complete waste of time unless it can quickly spread to similarly vulnerable systems.
I enjoy the liberty of visiting even the dodgiest corners of the internet with my metaphorical pants down without worrying for a moment about malware - but I don't delude myself that it's because the basement nerds that make up the Ubuntu or Mint communities have produced an invulnerable OS. This confidence and security comes from not being an attractive target for this sort of attack - not that there's anything wrong with that.
But it would be irresponsible to put about the idea that minority operating systems are intrinsically more secure. If they were, everyone could just switch platforms tomorrow and nobody would ever have to spend three frustrating hours disinfecting their mom's or their brother-in-law's poxy, malware-ridden laptop ever again. But the reality is that if everyone switched camps tomorrow, it would take about a month before things were exactly the same again.
Fear Itself
01-30-2012, 06:26 PM
I've used Macs since 1989, had my own since 1991 and have been on the net since that time.
My machines have never fallen victim to any malware, let alone a virus, from System 6.0.8 to OS 10.7.2 (the most recent at this writing).
And what are we to conclude from your experience? That Mac security is superior to PCs? Try again.
The safety-through-Mac-obscurity argument doesn't hold water. Six hours after the first 10,000 downloads of Vista's beta, warnings of viruses written exclusively for it were all over the web. Millions upon millions of net-connected Macs are too few to be bothered with, but a mere 10,000 Vista boxes aren't?
And you don't think the malware writers were anticipating 100 million Vista boxes in the first year (http://news.cnet.com/8301-13860_3-9861391-56.html)?
Having been a hardcore Mac user since '92, in that time I've never encountered any sort of virus, malware, trojan, etc.
I take it for granted actually, at this point; it's something I don't even think about. But I can't believe it's impossible for a virus to proliferate across a slice of the modern MacOSX user base (iOS, even?).
Time will tell, and we may get caught with our pants down someday, but so far, the ride has been sweet.
RaftPeople
01-30-2012, 07:08 PM
A couple guys just spent a few weeks to hack a Mac in Pwn2Own.
In this post you are equating that to moving the empire state building with a truck.
Could you please explain why you think something that took a few man weeks to accomplish is as difficult and unlikely as moving the Empire State Building with a truck? Your reasoning is not clear.
Are you going to explain your comment Chronos?
Finagle
01-30-2012, 08:11 PM
The day of random kid writing an effective virus to be a dick is over. Commercial AV apps are far too good to be kicked over by part time script kiddies with any kind of consistency.
Interesting argument. Not particularly convincing though.
a. Kids don't write viruses any more because AV apps are too good.
b. Practically no one using a Mac uses AV software.
To me, this would imply that Macs would be an even more appealing target. Especially because the kinds of hackers who would revel in this challenge are not "script kiddies" who attempt to hack systems using a cookbook of known exploits, but people who actually are willing to do the heavy lifting of creating new ones.
And yet, it's possible for an OS X-running computer to get infected by a virus by simply opening a web page.
No, it isn't. The contest hacker was given the machine's password.
Your turn for a cite.
I ran a web search for vista beta viruses. Here are four links from the list of hits from that search, here (http://www.cheapest-computer-hardware-software.com/vista-beta-release-update.html), here (http://homepage.mac.com/rmansfield/thislamp/files/dee0be158ad161afef6f7b0d04a1ce88-46.html), here (https://www.pcworld.com/article/122125/first_family_of_windows_vista_viruses_unleashed.html) and here (http://www.v3.co.uk/v3-uk/news/1967136/windows-vista-virus-attack).
And yet, it's possible for an OS X-running computer to get infected by a virus by simply opening a web page.
From 2009, one of many sites (http://www.mac-forums.com/forums/os-x-operating-system/167703-true-mac-os-x-hacked-under-20-seconds.html) with this information:
Yes, Mac OS X was "hacked" during a contest.... but only after the contest organizers removed any security measures and the "hackers" were given direct and local client access to the machine they were "hacking".
In other words, in a real world environment they would not have been successful and the answer would be "No". . . .
As well, the 2008 contest regarding Safari: (http://www.mac-forums.com/forums/apple-rumors-reports/102560-mba-hacked-2-minutes-while-vista-ubuntu-stand-strong.html)
No one was able to execute code on any of the systems on Wednesday, the first day of the contest, when hacks were limited to over-the-network techniques on the operating systems themselves. But on the second day, the rules changed to allow attacks delivered by tricking someone to visit a maliciously crafted Web site, or open an e-mail.
That isn't hacking, that is social engineering. Take note, that no person was able to actually 'hack' into the Mac until the rules were changed. Just like last year. They couldn't touch the Mac until the rules were changed and severely improbable situations were allowed to take place. . . .
I cannot find anything saying a virus entered a Mac simply by opening a web page.
Chronos
01-30-2012, 10:23 PM
Because there is absolutely no analogy between something like app development and the propagation of a worm or virus. A worm or virus requires a relatively high percentage of similarly vulnerable machines per point-of-contact - by its nature it has to target the most common systems, because if it doesn't, it's going to be cleaned up before it manages to infect another system.
We're not talking about things that propagate from infected machines to other machines. We're talking about things that propagate from a website to machines that visit that website. For such a route of infection, what you see is what you get on the userbase.
Are you going to explain your comment Chronos?
Sure. My point is that it's possible to build a truck that could move the Empire State Building, but no such truck actually exists, and thus it's reasonable to say that the Empire State Building can't be moved by truck. By analogy, it's possible to create a webpage that would infect a Mac, but no such webpage actually exists, and thus it's reasonable to say that a Mac can't be infected by a webpage. Where does the analogy break down?
Larry Mudd
01-31-2012, 09:32 AM
From 2009, one of many sites (http://www.mac-forums.com/forums/os-x-operating-system/167703-true-mac-os-x-hacked-under-20-seconds.html) with this information:
Yes, Mac OS X was "hacked" during a contest.... but only after the contest organizers removed any security measures and the "hackers" were given direct and local client access to the machine they were "hacking".
In other words, in a real world environment they would not have been successful and the answer would be "No". . . .
That is just a ludicrous out-of-ass assertion by an Apple fanboy desperately trying to reconcile their universe-shattering cognitive dissonance. It's absurd to suggest that organizers of CanSecWest would disable security measures and then offer cash prizes to hack various platforms. This is a security community initiative with the aim of identifying and rectifying zero day vulnerabilities, and the exploits used are peer-reviewed and published after the vulnerabilities are addressed.
As well, the 2008 contest regarding Safari: (http://www.mac-forums.com/forums/apple-rumors-reports/102560-mba-hacked-2-minutes-while-vista-ubuntu-stand-strong.html)
No one was able to execute code on any of the systems on Wednesday, the first day of the contest, when hacks were limited to over-the-network techniques on the operating systems themselves. But on the second day, the rules changed to allow attacks delivered by tricking someone to visit a maliciously crafted Web site, or open an e-mail.
That isn't hacking, that is social engineering.
I cannot find anything saying a virus entered a Mac simply by opening a web page.
Your link above says exactly that, it's just that the person describing it found it necessary to declare that attacks on mail clients or web browsers aren't really hacking, in order to preserve a belief in the intrinsic invulnerability of their platform which is held as an article of faith, even when it's contrary to common sense. The protest that the "rules were changed" is meaningless, as the contest is traditionally structured to have different targets of attack on each day.
We're not talking about things that propagate from infected machines to other machines. We're talking about things that propagate from a website to machines that visit that website. For such a route of infection, what you see is what you get on the userbase.
Most malware is written with propagation in mind. Even for the small subset of malware which does not (say, exclusively limited to browser hijacking or pop-up display) Macs are not a practical target for much the same reason - rate of potential infection is not attractive enough to make the effort worthwhile, because the exploit will be noticed and patched before an attractive number of systems are affected.
The net result is the same, Apple or Linux users don't have to worry about these sorts of attacks. It's silly to argue that they're impossible, though - minority systems actual security have exactly the same sorts of vulnerabilities - the immunity comes from their relative obscurity.
RaftPeople
01-31-2012, 11:14 AM
Sure. My point is that it's possible to build a truck that could move the Empire State Building, but no such truck actually exists, and thus it's reasonable to say that the Empire State Building can't be moved by truck. By analogy, it's possible to create a webpage that would infect a Mac, but no such webpage actually exists, and thus it's reasonable to say that a Mac can't be infected by a webpage. Where does the analogy break down?
I think it breaks down in the following ways:
1) Someone did build a truck and it only took a few man weeks - it's not as difficult as your analogy tries to imply
2) Just because you personally are unaware of a website with this type of malware doesn't mean there aren't any out there
People that write these things for financial gain typically want them to be undetectable. That very attribute is giving you the sense that they must not exist, I think that is a naive conclusion given that we know people have demonstrated this type of malware.
drachillix
01-31-2012, 11:41 AM
From 2009, one of many sites (http://www.mac-forums.com/forums/os-x-operating-system/167703-true-mac-os-x-hacked-under-20-seconds.html) with this information: As well, the 2008 contest regarding Safari: (http://www.mac-forums.com/forums/apple-rumors-reports/102560-mba-hacked-2-minutes-while-vista-ubuntu-stand-strong.html)
I cannot find anything saying a virus entered a Mac simply by opening a web page.
You will notice win7 also repelled day 1 efforts, they are not even bothering with direct peer to peer exploits for the last few years, the whole contest is attacking a machine by browsing or email.
From the wikipedia page
five seconds after the browser visited its specially crafted malicious web page, it had both launched the platform calculator application (a standard harmless payload to demonstrate that arbitrary code has been executed) and written a file to the hard disk (to demonstrate that the sandbox had been bypassed).
No, they didn't install a virus, they simply proved you can force writing of files to the hard drive and run executable files. However if you can do that, you can do so with any program you might want to, including installation of viruses.
No OS is somehow magically able to repel a virus because it's a virus. A virus is a program; if the program has permission to execute, it does, period.
drachillix
01-31-2012, 11:44 AM
No, it isn't. The contest hacker was given the machine's password.
Uh no, if they did they could have easily defeated it peer to peer.
Blakeyrat
01-31-2012, 12:09 PM
What's the relevance of System 6 or 7 vira, anyway? Those were a completely, utterly, absolutely different operating system, from the ground up, from any modern Mac OS. All they prove is that virus writers will write viruses even for a minority OS, given the opportunity.
I wasn't saying it was relevant to the topic (someone asked for a cite, so I dug one up!)
I was just:
1) Pointing out the absurdity (to me) that the company that made one of the LEAST secure OSes EVER now has a (apparently) unassailable rock-solid reputation for security
2) Reminiscing with a fellow Mac Classic user
OK. Giving the hacker all the information needed to enter the Mac after he failed for a full day without it (these "test rules" repeated each year), he broke in, which proves my Mac is as likely or more likely to load malware than any Windows system the tens or hundreds of thousands viruses and other malware written for that platform.
So a bank manager goes home for the night after turning off all burglar alarms and leaving the bank's doors and vault open, and after pasting to the doorknob a map of the building's layout with a huge "Welcome" in red letters printed at the top. The bank is robbed.
This starts a worldwide debate as to whether locked banks, locked vaults, functioning burglar alarms and no Welcome maps are any safer than a bank with all the security of a wide-open tent.
Got it.
Blakeyrat
01-31-2012, 12:28 PM
I ran a web search for vista beta viruses. Here are four links from the list of hits from that search, here (http://www.cheapest-computer-hardware-software.com/vista-beta-release-update.html), here (http://homepage.mac.com/rmansfield/thislamp/files/dee0be158ad161afef6f7b0d04a1ce88-46.html), here (https://www.pcworld.com/article/122125/first_family_of_windows_vista_viruses_unleashed.html) and here (http://www.v3.co.uk/v3-uk/news/1967136/windows-vista-virus-attack).
From 2009, one of many sites (http://www.mac-forums.com/forums/os-x-operating-system/167703-true-mac-os-x-hacked-under-20-seconds.html) with this information: As well, the 2008 contest regarding Safari: (http://www.mac-forums.com/forums/apple-rumors-reports/102560-mba-hacked-2-minutes-while-vista-ubuntu-stand-strong.html)
I cannot find anything saying a virus entered a Mac simply by opening a web page.
Oh for cripes' sake.
Ok, Pwn2Own is a STAGED contest. During the first stage, only network access to the (default configuration) OS is allowed-- I believe no machines have ever been hacked during the first stage before, but I'm not looking that up and I'm not providing a cite, so take that with a grain of salt.
The second stage, you are given a password and the goal is to prove you can break the "sandbox" the OS/browser creates between the Internet and the local filesystem. This is the stage at which the exact type of malware talked about in the original post of this thread is invariably demonstrated on Safari/OS X. The reason is, if you can defeat the sandbox, you can install executable code on the client's machine. Obviously, you need to be able to log-in to the computer to do this, so obviously the password to the computer is provided.
There are also additional stages which aren't relevant to the discussion.
Let's be 100% clear:
1) Nobody's saying Apple is completely incompetent at basic OS security (i.e. they lose stage 1 of Pwn2Own), that's a ridiculous assertion. Don't get your Apple-loving underpants in a bunch over this. That said, there is a lot of room for improvement from Apple on this front, and I would argue that (measured objectively) fully-updated OS X is not as secure as fully-updated Windows 7.
2) Pwn2Own provides the User password because, for the exact type of attack we're talking about (that is, a user visiting a webpage, not a remote code execution), they need to log into the machine to open the browser and visit the damned webpage. Duh. Of course the password is provided. That is the point.
3) Regardless of the security of OS X, it's secure enough to defeat the casual "write it for a lark" virus writers, and doesn't have the installed base to be desirable to the criminal virus writers. The guys winning Pwn2Own are "white hat" hackers, usually ones who have already reported the security hole to Apple, or who do so immediately after winning the contest. In one case, Pwn2Own was won using an exploit that Apple had already been made aware of weeks before, but at the time of the contest they still hadn't patched it.
But the answer to the question asked in the original post of this thread is still yes. Yes, it's possible. Yes, that exact scenario has been demonstrated-- several years in a row-- at Pwn2Own and elsewhere. Yes, yes, yes.
Blakeyrat
01-31-2012, 12:35 PM
OK. Giving the hacker all the information needed to enter the Mac after he failed for a full day without it (these "test rules" repeated each year), he broke in, which proves my Mac is as likely or more likely to load malware than any Windows system the tens or hundreds of thousands viruses and other malware written for that platform.
We're not talking about "entering" the Mac (whatever that even means), you're moving the goalposts. We're talking about the Mac user visiting a website and, with no additional action on their part, ending up with a malicious program installed.
To demonstrate that exploit, you have to be able to log in to the Mac to visit the website in the first place. So yes, of course they give out the Mac's password. How else could it possibly work?
drachillix
01-31-2012, 12:39 PM
To me, this would imply that Macs would be an even more appealing target. Especially because the kinds of hackers who would revel in this challenge are not "script kiddies" who attempt to hack systems using a cookbook of known exploits, but people who actually are willing to do the heavy lifting of creating new ones.
The next part of the problem is you have to move fast, new exploits are discovered all the time and are usually fairly quickly patched. So you basically have to
Know the OS well enough to find exploits on your own
Find a new exploit.
Find a way to propagate it
Exploit Opal
Benefit from it/seek recognition before it's discovered by others and/or patched.
Therefore you end up needing a team to work quickly, teams usually cost money.
Every time you add another layer of complexity you make it less likely for someone to succeed. Only a small fraction of all users are mac users, a tiny fraction of those can program in mac environments, a tiny fraction of those know OS writing intimately enough to pick apart the OS, and only a small fraction of those are so inclined to do so.
You have a lot of forces working against a virus, and not all viruses work well enough to infect a broad enough base. I have a certain begrudging respect for the people that do this kind of stuff, it is not easy.
drachillix
01-31-2012, 12:41 PM
We're not talking about "entering" the Mac (whatever that even means), you're moving the goalposts. We're talking about the Mac user visiting a website and, with no additional action on their part, ending up with a malicious program installed.
To demonstrate that exploit, you have to be able to log in to the Mac to visit the website in the first place. So yes, of course they give out the Mac's password. How else could it possibly work?
The contestant does not need the password. They can have a judge log into the machine and visit the website without the contestant knowing the password.
Don't get your Apple-loving underpants in a bunch over this.
For the record, I'm not an I love Apple, right or wrong/purple Kool-Aid drinker/Steve-Jobs-is-Christ Mac maniac.
There's plenty about Apple in general and this OS in particular I dislike, and with each update the list grows longer. I'm considering Linux.
Napier
01-31-2012, 02:25 PM
Question about the Mac password comments: Do we mean an admin password? Or just the password of a user, without admin rights?
It would be harder to put malware on a Mac without using a password that had admin rights attached to it. If users can prevent some exploit by not doing everyday work with admin rights, it's worth working this way (I always have).
Roland Orzabal
01-31-2012, 03:04 PM
beowulff, I actually quite like your Pope analogy, because it can be extended to illustrate the problem a lot of people are having with your position.
As you posit, it is extremely unlikely that the Pope is currently infected with AIDS. If you were to have sex with the Pope today, you could be pretty much certain that you'd remain disease-free, far moreso than if you banged your average streetwalker.
Now, imagine that fact is used to successfully convince every potential john in the world to have sex with the Pope instead. How do you think the odds would stack up then?
Same deal with Macs. Yes, if you personally were using a Mac right this moment, you would have a lesser chance of a passive malware infection than someone using an unprotected Windows machine. The problem is, that rationale isn't sustainable. Convince enough people to go over to the Mac side, and the protection you'd gained from security-by-obscurity falls apart as malware authors target that platform instead.
I know your original question dealt only with the practicalities of the current landscape, but I (and, I imagine, others) honestly can't help but read further into it...besides fodder for a "switch to Macs" argument, what use could there be for that information?
beowulff
01-31-2012, 04:59 PM
Sure - at some time in the future it may be possible that the malware situation on OS X is as bad as Windows. I've never stated that OS X is immune to attack.
But today is not that day.
To imply that OS X users need to worry about contracting malware by browsing a website today is FUD of the worst kind. There are threats that Mac users need to be concerned with, and those are IMHO, far more dangerous than any drive-by attack is likely to be. Trojans and other social engineering attacks are much harder to prevent, and are much more likely to seriously compromise a user's security (e.g. - giving away your bank account information).
So, I prefer to rank the threats, and spend 0% of my worry about drive-by attacks (while at the same time, following all of the Mac news sites to see if anything significant develops).
Mangetout
01-31-2012, 06:09 PM
Can it really be the case that two (or three, or any number really) quite different operating systems are, at a technical level, equally vulnerable to attacks? It seems unlikely the chips would just happen to fall that way.
Larry Mudd
01-31-2012, 09:58 PM
To imply that OS X users need to worry about contracting malware by browsing a website today is FUD of the worst kind.
Sure it would be - that's probably why you won't find anything in this thread apart from people factually answering a GQ ("Yes, it is possible,") while taking care to explain that it is not a practical concern and elaborating on the reasons why the current user experience is that you can indeed browse where you like without undue concern about a rogue website installing malware on your Mac.
To modify your Empire State Building analogy so that it is actually isomorphic to the positions taken in this thread:
Question: Is it possible to build a 100-storey building outside city limits, or is this something you only find in certain urban centers?
Answer: Yes, of course it's possible, but for practical reasons developers will never consider it outside of city centers - it's just never going to be profitable to undertake such a project.
Objection: It's impossible, the ground is simply too soft as you approach the suburbs to support such a structure. And never mind about the eccentric Saudi that's built a tower in a remote area every year for the past decade just as an ostentatious display, those aren't really 100 storey buildings - they're uninhabited.
The Niply Elder
02-01-2012, 02:15 AM
Well, start with the vulnerability you intend to exploit. Like, say you observe that you can disguise a .vbs file with a phony .txt extension in certain flavours of Windows, when it's received as an attachment in Outlook, and get code to execute that way. Hurrah! Now to spread your creation, you're going to have the code send an e-mail with such a deceitful attachment (containing a copy of itself) to the first 100 e-mail addresses in the user's Outlook contacts.
Now I know that the thread has advanced a bit since this comment, but this kind of false belief held quoted above really baffles me.
The key in the adobe thread: 100.
Huh? 100? Now why in the world would anybody do that?
Why would any programmer hard code a limit to a code loop?
Hard coding is a no-no in programming standards, period.
Hard coding to fixed numbers in loops always leads to errors, which is why it's never done.
It's much safer to put dynamic limits, such as email.addressbook.length - 1
And fundamentally the ridiculousness of the above assertion hinges on the fact that people with last names starting with ABC are not more likely to be hit with malware than people with last names starting with XYZ.
In the end, the OS with the best engineering comes out on top. Unix and Linux have five decades worth of system engineering and philosophy strengthening every line of code against each other.
Windows is pure utter rotten dilapidated outmoded pathetic laughable ugly shit.
The Niply Elder
02-01-2012, 02:21 AM
.?
Fear Itself
02-01-2012, 07:29 AM
Windows is pure utter rotten dilapidated outmoded pathetic laughable ugly shit.
Now do OS X. Pleaeeese?
Rhythmdvl
02-01-2012, 08:31 AM
Few observations:
I can't tell whether OS or political threads attract more fanboys.
I maintain Macs, Linux and Win boxes in our home office. I'm such a slut.
After X years of seeing the "Hi Opal" reference, I'd never seen it seem so ... tawdry. Not sure why.
Chronos, one of the bastions of rigour, has completely stunned me with such a hastily and sloppily constructed analogy. Rather than dig in your heels, ditch the ESB/truck analogy and think of something more apt. Your point will still stand but you'd be rid of such a bizarre distraction.
%@*#ing articles about technology that have no date information should be pitted. WTF people?
This is interesting. Emphasis in original (http://countermeasures.trendmicro.eu/targetted-attack-designed-to-infect-both-macs-and-pcs/):
In this case, following the link would be a Very Bad Idea, because it will lead you to a malicious website designed to infect both Macs and PCs with a DNS changing Trojan which at the time of writing has low-to non-existent detection rates by security vendors (although Trend Micro customers would already have been protected from visiting the known malicious site using our Smart Protection Network).
Larry Mudd
02-01-2012, 08:47 AM
Huh? 100? Now why in the world would anybody do that?
You'd have to ask "Spyder," the twat that's responsible for the ILOVEYOU (http://en.wikipedia.org/wiki/ILOVEYOU) worm, which was one of the most pervasive worms in history. That's what he did.
Why? Maybe it was a shamefully lazy way of keeping his process from crashing as a result of trying to reference a non-existent address. The point is that if the author had identified parallel vulnerabilities in OS X and had attempted to target them, rather than being one of the most devastating attacks in history, it would have gotten absolutely nowhere. This is a simple exercise in game theory.
Even if the script contains no counter element, the net result is the same. Melissa (http://en.wikipedia.org/wiki/Melissa_(computer_worm))'s spread was virulent although it only affected people running both Outlook 97 and Word 97. A worm that relied on exploiting Apple Mail V1 and Appleworks 5 together would similarly fizzle, even if it had a larger pool of potential addresses. (Though I see Melissa was actually limited to 40.) The density of affected systems is not sufficient for a rapid spread - and the resulting window of vulnerability is necessarily too small to be worthwhile.
Blakeyrat
02-01-2012, 01:37 PM
The contestant does not need the password. They can have a judge log into the machine and visit the website without the contestant knowing the password.
The contest doesn't state *how* the sandbox should be broken-- visiting a website is merely one of many possible methods-- they just judge *if* it was broken.
The reason the website is used every year is simply that it's the easiest way. You can prepare it in advance, and it's a lot more "showy" to hack the machine in 10 seconds than it is to fumble around for an hour. If Apple's security was tighter, of course, this would no longer be an option for OS X and they'd have to move on to more difficult-to-execute attacks.
Blakeyrat
02-01-2012, 01:42 PM
Can it really be the case that two (or three, or any number really) quite different operating systems are, at a technical level, equally vulnerable to attacks? It seems unlikely the chips would just happen to fall that way.
Technically, my personal belief is that Windows 7 is actually less vulnerable to attack for several reasons. Microsoft has definitely (in the last 5 years) been extremely aggressive in adopting security technologies, they respond very, very quickly to reported attacks, they ensure all of their developers are going through the latest and best security training and auditing all code that ends up in their shipping products.
Again, that's not to say Apple is pathetic or hopeless at security, just to say that Microsoft does more, and does it more consistently.
Of course, it's hard to actually *prove* this in a world where Windows is attacked 100 times more than any of the competing OSes, and unfortunately we don't have an alternate universe with equal OS marketshare available to use for an A/B test.
The Niply Elder
02-01-2012, 10:06 PM
Of course, it's hard to actually *prove* this in a world where Windows is attacked 100 times more than any of the competing OSes, and unfortunately we don't have an alternate universe with equal OS marketshare available to use for an A/B test.
how about mobiles?
Ok not the same market share ratios but....
Let me propose an idea to you then, in order to mitigate the effects of malware, we just need to modify the marketshare of computer operating systems. We will have the US Justice Department utterly dismantle Microsoft's virtual monopoly by requiring a significant surcharge attached to every MS Windows computer, then taking those funds to subsidize other operating system companies. We will have a group of let's say 10 subsidized companies: Red Hat, Canonical, Attachmate, Debian Inc, Amiga Inc., Computer System Research Group Inc., Oracle, HP, IBM and Apple. The respective subsidized benefits will be inversely proportional to the marketshare of each company, until roughly speaking they all have roughly the same desktop operating system marketshare of ~9% (including Microsoft). Additionally, the bulk of the surcharge funds (70%) will go to various independent software companies to subsidize the adaptation of cross-platform code, such that their products will run on any computer. Finally, the surcharge on MS products and the subsequent subsidy will be eliminated upon the balance of the above 11 companies marketshare, plus/minus a wiggle factor of 50%. This way, no one company will be significantly bigger than any other, thus all operating systems in use across the world will be "obscure" and we will all benefit from that secure through obscurity theory. All computer viruses, worms, trojans, rootkits, adware, and miscellaneous malware will cease to utterly exist when no one operating system has enough "density" to make any spread vector viable.
Finally, the point of my whole diatribe is that, if in fact Windows OS is targeted exclusively because it is the only vector with enough "density", then every time you choose to purchase a Windows PC, you are complicit in the worldwide cybercrime epidemic. You choose to buy Windows, therefore making the system density higher, thus enabling the criminals. Guilty. Direct cause and effect. If you simply choose to not buy Windows until its density is low enough to make malware epidemics possible then you have a real chance to end the wave of crime that we all ultimately pay for through taxes and insurance fees to fight against. The current situation is utterly distorted, shifting the true economic cost of running a Windows PC over to the general taxpayers. Also, if you oppose any aggressive governmental action to swiftly ending Microsoft's monopoly, then you are also directly complicit in enabling cyber criminals.
So. Check and a-fucking mate, my friend. :D
I've never heard of a jailbroken Mac.
Whoa...seriously?? :eek: Granted, I use jailbreak.com usually for iPad/iPhone/iPod Touch systems, but I know a few folks who have their regular Mac laptops jailbroken (mostly for pirated apps). I don't know of anyone who has a desktop system jailbroken, but I assume it's the same thing.
As for the OP, I've never heard of a Mac IOS getting infected just by opening a website, but Mac viruses in general are sparse compared to Windows OS. As some folks have noted, that's mostly because, relatively speaking, there just aren't as many Macs out there, so hackers, especially the for profit kind, aren't going to spend as much effort developing them.
ETA: And I have no dog in the Mac vs PC fight...most of my systems are Linux, with most of my carry around stuff being Apple (I have an iPad 2, an iPhone 4S and an iPod Touch, though I'm weaning myself off of it, as the phone does everything the Touch does, including playing my Audible.com audio books, music and everything else...and that way I only have to carry the phone and iPad and I'm good to go)
-XT
The Niply Elder
02-01-2012, 11:06 PM
Jailbroken Mac? They run *.dmgs just fine, no matter where you find them. What is there to jailbreak exactly?
drachillix
02-02-2012, 12:06 AM
Additionally, the bulk of the surcharge funds (70%) will go to various independent software companies to subsidize the adaptation of cross-platform code, such that their products will run on any computer.
Amusingly enough, Apple is pretty much the only one on that list who files lawsuits against people running their OS on hardware other than their own.
then every time you choose to purchase a Windows PC, you are complicit in the worldwide cybercrime epidemic. You choose to buy Windows, therefore making the system density higher, thus enabling the criminals. Guilty. Direct cause and effect.
So. Check and a-fucking mate, my friend. :D
I see you talking, but all I hear is the Steve Jobs marketing machine begging desperately for a cookie.
The Niply Elder
02-02-2012, 02:13 AM
Amusingly enough, Apple is pretty much the only one on that list who files lawsuits against people running their OS on hardware other than their own.
And this has nothing to do with anything discussed in this thread.
I see you talking, but all I hear is the Steve Jobs marketing machine begging desperately for a cookie.
If somehow you did then I beg you to reread my hypothetical fix to malware.
You see, the Microsoft apologists insist that Windows is so super duper redonkulous that it's a victim of itself and its popularity.
So then let's fix that.
If you carefully parse my argument it's not an anti Microsoft or pro apple anything. It's anti monopoly. It's a fundamental rule of economics that free markets should not be dominated by any one player.
Instead if we have active government prevention of any one company gaining more than 5 - 9% marketshare, then the density of any one OS will remain below the critical malware vector threshold, and cybercrime will cease to exist altogether.
But until government takes any kind of action resembling my hypothetical proposed scenario (notice how I also included some really small players, and some nonprofits, and some nonexistent companies...), the fact of the matter stands that if you buy Windows, and explain away the systemic malware problem as a simple issue of popularity, then you are complicit in making the problem worse by actively spending your dollars on destabilizing the system.
Ximenean
02-02-2012, 10:21 AM
In the end, the OS with the best engineering comes out on top. Unix and Linux have five decades worth of system engineering and philosophy strengthening every line of code against each other.
Windows is pure utter rotten dilapidated outmoded pathetic laughable ugly shit.
So one really old operating system, Unix (born 1970), benefits from having decades of engineering behind it, but another more recent OS, Windows NT and its descendants (born ca. 1990), is outmoded?
Truth is, they're both old-school designs. As for Linux, it is not the same thing as Unix, but still, it comes from the early 90s and was not exactly cutting edge then.
Malware didn't even exist in 1970, and sure enough Unix was insecure, by today's standards. All of these OSes have had security bolted on retrospectively. If any of them had security "engineered in" from the start, it is more likely the ones that came later.
Larry Mudd
02-02-2012, 03:48 PM
You see, the Microsoft apologists insist that Windows is so super duper redonkulous that it's a victim of itself and its popularity.
So then let's fix that.
If you carefully parse my argument it's not an anti Microsoft or pro apple anything. It's anti monopoly. It's a fundamental rule of economics that free markets should not be dominated by any one player.
I'm going to respond as though this suggestion was made in earnest, although intuitively my guess would be that it's a strict piss-take. (I hope it is, anyway.)
First, far from being apologia for Microsoft, the observation that dominant systems will necessarily be targeted by malware to the near-exclusion of minority systems is commonsensical, and understood by anyone who spends any amount of time concerned with network security. It is very easy to mistake rational comments on this topic as "playing favourites," but it is naive and emotional to automatically do that.
If Apple (or Redhat, or whatever) provided a platform that was significantly and objectively more secure in a way that would scale up, IT professionals would move over en masse.
As for your suggestion of mandated fragmentation of the market as a security measure, you must be aware that an approach like this is a non-starter due to the benefit of the use of common systems outweighing the detriment by such a large degree. People need to work together, and that frequently means that their computers need to, as well. To provide a real benefit, you'd have to go beyond just providing different operating environments, you would have to develop separate applications from the ground up for each platform, or else you're going to end up with the same vulnerabilities in apps compiled to run on multiple systems. This is quite apart from the benefit passed on to the consumer through economies of scale - obviously if we developed 10 comparable systems in parallel with an expected user base of 10%, the cost to the end user would be unsupportable.
You are suggesting that people ought to incur enormous expense and absurd inconvenience in order to mitigate the problem of malware, but do you really think that the trade-off would be worthwhile? I administrate and provide support to a fifty-user Windows network. Since the beginning of 2007, I recall two instances of malware finding its way onto our network. (One of which occurred when a pushed upgrade of our AV client failed for one workstation which was running the 64-bit version of Vista, leaving the user with their pants down for months before anyone noticed.) Both penetrations were easily cleaned up. This frequency of infection is in spite of a wide-open internet policy, with no web reputation filters in place.
During the same time I have helped maybe half-a-dozen employees clean annoying spyware off their from-home laptops. It's not the sort of problem that needs extraordinary solutions. Users need to be minimally vigilant and sensible in their habits. Of course, this is asking a lot of some home users, and caring friends ought to do their best to move those users over to less-targeted systems in order to minimize their risk. (Supporting my elderly mother got a lot easier after I set her up with a nice locked-down linux laptop that did what she needed and not a bit more.)
beowulff
02-02-2012, 03:52 PM
If Apple (or Redhat, or whatever) provided a platform that was significantly and objectively more secure in a way that would scale up, IT professionals would move over en masse.
Ignoring the rest of your post, this is a patently ridiculous statement.
Although security is a concern to IT departments, there are many other considerations that put it pretty far down on the list. For example - does my proposed new OS support the enormous investment in software already purchased?
Chronos
02-02-2012, 04:06 PM
It's my experience that IT professionals already have, long ago, moved over en masse to various Linux distributions.
WarmNPrickly
02-02-2012, 04:09 PM
Our IT department moved to Macs years ago for exactly that reason. As a high tech company, there is a lot of concern about company secrets and IP. Our difficulty is that all of our instruments still run on Windows, and that's not going to change because instrument companies assume their customers are all Windows. The fact is, few companies will switch because nobody else is switching.
Larry Mudd
02-02-2012, 04:16 PM
Although security is a concern to IT departments, there are many other considerations that put it pretty far down on the list.
Obviously, but when I say IT professionals en masse, I mean from the developer on up. If Linux was objectively significantly more secure than Windows (and not merely infrequently targeted,) developers would exploit that for industries where security is paramount.
Arnold Winkelried
02-02-2012, 05:23 PM
If Apple (or Redhat, or whatever) provided a platform that was significantly and objectively more secure in a way that would scale up, IT professionals would move over en masse.
This is clearly wrong. Back in the days of Windows XP, I remember reading many times that OpenBSD Unix was the most secure operating system. That didn't mean that people switched to it for desktop applications.
Larry Mudd
02-02-2012, 07:39 PM
This is clearly wrong. Back in the days of Windows XP, I remember reading many times that OpenBSD Unix was the most secure operating system. That didn't mean that people switched to it for desktop applications.
OpenBSD's touted security is in large part owing to the philosophy of "nothing not necessary". It is a great OS if you want to build a box that's going to quietly do its single purpose.
But that philosophy can't scale up to general purpose. The more services you add, the more risk you have. Linus famously slagged OpenBSD for concentrating on security so single-mindedly that everything else suffered - and having lived with an OpenBSD web server I am not mystified that the entire industry has not arrayed itself around OpenBSD. :D
Fubaya
02-02-2012, 07:39 PM
Obviously, but when I say IT professionals en masse, I mean from the developer on up. If Linux was objectively significantly more secure than Windows (and not merely infrequently targeted,) developers would exploit that for industries where security is paramount.
Is this serious? It's beyond academic at this point that Linux is more secure. You can make the argument that windows is catching up, but Windows is new at being good. Linux has had practice. I'm not saying Linux is immune to anything, but there's a difference between windows and linux, and it isn't just market share. More servers run unix/linux than Windows, and the important internet infrastructure runs unix/linux, so where is all the malware for that?
The DoD uses Linux for their command and control system that runs wars, and they created a high security Linux distribution for use by telecommuters too. There's an example of exploiting Linux for use where security is paramount. But think about that for a second. If you're the DoD and want to create a secure system for telecommuters, you simply can't do it with windows. You can buy windows off the shelf and try to make it more secure but you don't have access to the underlying system. With Linux, you can build from scratch to be more secure and to fit your specific needs.
The Niply Elder
02-02-2012, 10:39 PM
If Apple (or Redhat, or whatever) provided a platform that was significantly and objectively more secure in a way that would scale up, IT professionals would move over en masse.
As for your suggestion of mandated fragmentation of the market as a security measure, you must be aware that an approach like this is a non-starter due to the benefit of the use of common systems outweighing the detriment by such a large degree. People need to work together, and that frequently means that their computers need to, as well. To provide a real benefit, you'd have to go beyond just providing different operating environments, you would have to develop separate applications from the ground up for each platform, or else you're going to end up with the same vulnerabilities in apps compiled to run on multiple systems. This is quite apart from the benefit passed on to the consumer through economies of scale - obviously if we developed 10 comparable systems in parallel with an expected user base of 10%, the cost to the end user would be unsupportable.
Really? But why do you think the cost is unsupportable? Mac's market share is estimated at anywhere from 5 to 10% depending on the location, and the marginal cost is quite minimal. For instance, I priced two decent workstations, one Dell, one Apple. The price range was $5k, the price differential was ~7%. Not exactly the same hardware specs but ran pretty close. This is not anywhere near an unsupportable price difference, with all due respect.
You are suggesting that people ought to incur enormous expense and absurd inconvenience in order to mitigate the problem of malware, but do you really think that the trade-off would be worthwhile? I administrate and provide support to a fifty-user Windows network. Since the beginning of 2007, I recall two instances of malware finding its way onto our network. (One of which occurred when a pushed upgrade of our AV client failed for one workstation which was running the 64-bit version of Vista, leaving the user with their pants down for months before anyone noticed.) Both penetrations were easily cleaned up. This frequency of infection is in spite of a wide-open internet policy, with no web reputation filters in place.
During the same time I have helped maybe half-a-dozen employees clean annoying spyware off their from-home laptops. It's not the sort of problem that needs extraordinary solutions. Users need to be minimally vigilant and sensible in their habits. Of course, this is asking a lot of some home users, and caring friends ought to do their best to move those users over to less-targeted systems in order to minimize their risk. (Supporting my elderly mother got a lot easier after I set her up with a nice locked-down linux laptop that did what she needed and not a bit more.)
I understand what you are saying, however you just have anecdotal evidence in play here nothing more.
From a statistical point it's undisputed that Windows is penetrated more often than anything else out there, for whatever reason that may be.
And as for the supposed IT exodus away from Windows to anything else more secure... Unfortunately in my neck of the woods I can't expect much from my IT guys. Any problem more complicated than double click Setup.exe>Next>Next>Next>Finish is a nonstarter for me. True story: the local building network switch has (had) a backup power supply whose battery took a dump. The little smart battery enclosure was beeping for weeks warning of impending doom, and the IT dept did nothing. Finally starting this year the power supply momentarily cut off, cutting off all computers in the southeast wing of the building from any network connection, causing all engineers running their simulation jobs to lose contact with the license server, thus ending all batched jobs. Every single day. For three weeks. I wouldn't trust these fuckers to even wash my car right. And suffice it to say that these are "Certified" Microsoft professionals. This is just one of a million stories that I could relate around the bonfire...
No my friend, the problem with Windows insecurity is much more insidious, much more pervasive and much more fundamental.
Lousy engineering, terrible managerial decisions, government inaction to protecting the consumer, poor training, lacking education, anticompetitive business decisions are the explanation to the current worldwide cybercrime epidemic.
But I'll play ball. Windows is simply more violated with a ten meter pole than everything else out there simply because it's the most popular.
Then, whenever you support that popularity (actively with your dollars, or passively with your opinions) you are complicit in the wave of cybercrime by enabling an easy environment for criminals to spread their malware.
How do you justify your actions? How do you rationalize your responsibility? How do you see your actions as not also having a moral requirement to contribute to the end of cybercrime?
I see the destruction of the current Microsoft status quo as the solution to cybercrime. You should join me.
Larry Mudd
02-03-2012, 12:05 AM
Is this serious? It's beyond academic at this point that Linux is more secure.
Not in any objective sense, though. (And I say this as a Linux nerd.) Windows compares favorably (http://news.softpedia.com/news/Windows-vs-Apple-Mac-OS-X-vs-Red-Hat-Linux-82966.shtml) when you look at it.
More servers run unix/linux than Windows, and the important internet infrastructure runs unix/linux, so where is all the malware for that?
Again, this is one of those things that everybody knows which isn't actually true. Somewhere around two thirds of servers are running some flavour of Windows these days. I like running Apache under some flavour of Linux for webservers, but it's not because Apache is more secure than IIS, it's because I don't think it begins to make any kind of sense to blow a chunk of your budget on licensing if you don't need to. Neither Apache nor IIS currently has any clear security advantage - although when I set up a new web server for my company in 2007 that would be processing credit card orders and dealing with sensitive information, I opted to go with IIS, because it had only three vulnerabilities identified in the five years before that, compared with more than thirty for Apache. (Which I nevertheless love and still prefer.)
With Linux, you can build from scratch to be more secure and to fit your specific needs.
Yes, and you derive real security from this approach - but that doesn't really get you anywhere when you're talking about rolling out a general-purpose OS.
Lousy engineering, terrible managerial decisions, government inaction to protecting the consumer, poor training, lacking education, anticompetitive business decisions are the explanation to the current worldwide cybercrime epidemic.
In GQ? Really?
The Niply Elder
02-03-2012, 12:15 AM
In GQ? Really?
Oh, I thought we left that territory at post #2.
Rhythmdvl
02-03-2012, 12:52 AM
So what happened to the script kiddies? I get that from a business perspective it makes little sense to go after any OS but Windows. But that has nothing to do with script kiddies; writing viruses to randomly delete files or cause other low- to high-end mischief never had a profit motive. Is breaking windows and petty vandalism no fun anymore? Did Windows and the security industry make it so spreading viruses takes more than what SKs have available to them? Did a lot of the time and interest get bled off to open source projects from Linux to FF extensions so the interest has waned? Have idle malice's targets shifted to DNS and assorted attacks on Web sites and the personal havoc-causing virus is passée?
I guess I understand that in 1994 there were so few Macs online (and aside from differences in security) that exploits and viruses wouldn't have been able to promulgate--though then again I don't understand why PC viruses were common before the Internet when critical mass wasn't an issue. But without understanding where the SKs went, I don't see why there aren't lots of malcontents writing Mac viruses just to piss off Apple fanboys. It's not that it's impossible, I just don't understand where the undercurrent of destruction flowed off to.
Fubaya
02-03-2012, 08:22 AM
Again, this is one of those things that everybody knows which isn't actually true. Somewhere around two thirds of servers are running some flavour of Windows these days.
Cite? I was using Microsoft's own numbers, but I think they were 1-2 years old. Did they overtake the market that rapidly?
Larry Mudd
02-03-2012, 09:05 AM
Cite? I was using Microsoft's own numbers, but I think they were 1-2 years old. Did they overtake the market that rapidly?
Here ya go (http://www.datacenterfix.com/operating-systems-used-data-centers).
* By 2013, Windows will have about 70% of the server operating system installed base (paid and non-paid), Linux over 24%, Unix about 5%, and all other operating systems 0.4%.
* Linux and Windows' server operating system installed bases are growing while the Unix installed base is declining at a rate of more than 10% per year.
This is two years old and data-center centric, of course. It does reflect what you see when you get out there, though - and in general business use Windows servers are favoured more heavily than that.
drachillix
02-03-2012, 10:26 AM
If you carefully parse my argument it's not an anti Microsoft or pro apple anything. It's anti monopoly. It's a fundamental rule of economics that free markets should not be dominated by any one player.
No, it's idiotic and unsupportable unless you force software to all be made in 10 different OS versions or be platform independent which would effectively crush small developers who have excellent single platform applications that lack the resources to build and support other OS versions. What happens when your computer dies and you need another mac because you have $17,000 worth of mac video editing software that you use for your video production business. Sorry sir there is an 8 month waiting list so as not to exceed market share :D
Nobody is forcing anyone to run a certain platform. If you want DOS 6.22 on a PC someone will be willing to load it for you. I would be the first one to admit, if Apple backed off on the lawsuits, MacOS would explode overnight but it would not be on Apple hardware. The reason MacOS is the narrow market it is, is because Apple wants it that way.
Fubaya
02-03-2012, 10:33 AM
Here ya go (http://www.datacenterfix.com/operating-systems-used-data-centers).
This is two years old and data-center centric, of course. It does reflect what you see when you get out there, though - and in general business use Windows servers are favoured more heavily than that.
Linux is still around 60%. http://en.m.wikipedia.org/wiki/Usage_share_of_operating_systems#Servers of all servers, which is also what a head honcho from Microsoft has said publicly. So, windows may be used more in data centers but linux is hardly obscure. Where is the malware?
Larry Mudd
02-03-2012, 12:31 PM
Linux is still around 60%. http://en.m.wikipedia.org/wiki/Usage_share_of_operating_systems#Servers of all servers,...
You will note how that number is arrived at, though:
Notes: W3Techs survey in August 2011 checked the top 1 million Web servers (according to Alexa). Security Space survey in August 2009 checked 38,549,333 publicly accessible Web servers. Netcraft SSL survey[56] in January 2009 also checked 1,014,301 publicly accessible Web servers, but the survey is only valid for SSL Web servers and it is not a good measure for our purpose.
Of course if you limit your scope to web servers, you're going to have a number which is dominated by Linux deployments. This is my preferred platform for rolling out a web server, too - because it gets it done admirably, and is very budget friendly. If you just want a box to sit there and serve up HTTP requests, it makes no sense to splash out for another Server 2008 license.
Note also that the Netcraft survey of web servers referenced in the notes found that Windows had a higher share than any other OS category, with a slight advantage over Linux. Why do you suppose this disparity occurs where the utilization of SSL indicates that this subset of servers is specifically concerned with establishing a secure connection?
...but linux is hardly obscure. Where is the malware?
As you would expect, it presents the most problem on the platform that presents the most attractive target, according to the numbers. Yeah, that's Linux/Apache. Bear with me, here.
Much has been made of a Google security report from 2007 that found that, as a vector for malware distribution, IIS seemed to be the popular choice, as the split of malware between Apache and IIS (worldwide) was virtually equal, in spite of the dominance of Apache as a web-server. This led to a lot of clucking about how IIS was twice as likely to host malware than Apache. ("Aha!" you say, "just as I thought!")
However, if you look at the report itself (http://googleonlinesecurity.blogspot.com/2007/06/web-server-software-and-malware.html), you'll note that the weight on the IIS side is entirely from China and Korea, where it is usual to run unlicensed, unsupported, un-updated and unpatchable copies of Windows Server. All other countries represented show IIS as responsible for a share of malware which is proportionately considerably less than the server distribution, which may suggest that IIS (running on a legit system) is actually in the obscure sense more secure than Apache. (Again, not necessarily because it is more vulnerable, but because there is a greater benefit to the bad guy to work on exploiting its vulnerabilities.)
That said, I still choose to deploy Apache in most cases, because its benefits obviously outweigh this concern if I just want a basic webserver and I don't want to pay through the nose for it.
Arnold Winkelried
02-03-2012, 01:50 PM
OpenBSD's touted security is in large part owing to the philosophy of "nothing not necessary". It is a great OS if you want to build a box that's going to quietly do its single purpose.
But that philosophy can't scale up to general purpose.
Which is why I disagree with your statement "if an operating system were more secure, everyone would be migrating to it en masse." There are a lot more things to consider than just security.
Larry Mudd
02-03-2012, 02:08 PM
I don't understand why PC viruses were common before the Internet when critical mass wasn't an issue.
Sorry, I missed this earlier. A proper virus propagates by appending itself to executable files. Because they were carried from machine to machine on physical media, they had good opportunity to find similarly vulnerable machines. When this was the most common method of distribution, a smaller market share didn't provide the same sort of immunity.
Chronos
02-03-2012, 03:34 PM
* By 2013, Windows will have about 70% of the server operating system installed base (paid and non-paid), Linux over 24%, Unix about 5%, and all other operating systems 0.4%.
A peculiar claim, given that Linux is a subset of Unix.
Larry Mudd
02-03-2012, 04:11 PM
...and, missed that.
Which is why I disagree with your statement "if an operating system were more secure, everyone would be migrating to it en masse." There are a lot more things to consider than just security.
:D That's why my statement was a bit more qualified than that... but to make the same point while avoiding the complication of other necessary considerations about changing platforms, let's just say "If Apple (or Redhat, or whoever) utilized security strategies which could scale up to provide a significantly more secure platform, Microsoft would shamelessly rip them off and implement those strategies for Windows." :p
If you're just looking at actual vulnerabilities, OS X is in the same neighborhood as Windows. If you're looking at the typical window of vulnerability, MS performs better. (Arguably because they have to, while Apple can afford to take their time about releasing patches, because there's not a lot of pressure from people actually exploiting them.)
Topically, Apple released the third update for 10.7 just a couple days ago, (incidentally getting around to patching some cross-platform vulnerabilities which MS patched three months ago) and many users are reporting (https://discussions.apple.com/thread/3703113?start=0&tstart=0) that the update has the unfortunate side-effect of causing every application to crash consistently.
No big deal - but imagine the howls and declarations of shameful incompetence if this happened on an OS that was a bit more prominent.
A peculiar claim, given that Linux is a subset of Unix.
Not really. Linux is "Unix-like." "Linux Is Not UniX." "Gnu is Not Unix."
Arnold Winkelried
02-03-2012, 04:44 PM
"If Apple (or Redhat, or whoever) utilized security strategies which could scale up to provide a significantly more secure platform, Microsoft would shamelessly rip them off and implement those strategies for Windows."
You mean, like the introduction of UAC in Vista? I think they already did.
Topically, Apple released the third update for 10.7 just a couple days ago, (incidentally getting around to patching some cross-platform vulnerabilities which MS patched three months ago) and many users are reporting (https://discussions.apple.com/thread/3703113?start=0&tstart=0) that the update has the unfortunate side-effect of causing every application to crash consistently.
Unrelated to this thread, but just for the record, I doubt it's that frequent of an issue. I know of four people that upgraded (including me, on a desktop and a laptop) and none of us had those problems.
Arnold Winkelried
02-03-2012, 04:56 PM
By the way, something I noticed again yesterday, so I'll just throw it out there: a neat security feature that I think Windows should emulate from Mac OS X. On my Mac at home, if I download a program through my browser and install it, the first time I run the program I see a message saying "this program was downloaded from the Internet, are you sure you want to open it?"
Larry Mudd
02-03-2012, 06:53 PM
By the way, something I noticed again yesterday, so I'll just throw it out there: a neat security feature that I think Windows should emulate from Mac OS X. On my Mac at home, if I download a program through my browser and install it, the first time I run the program I see a message saying "this program was downloaded from the Internet, are you sure you want to open it?"
That's been present since XP - though the wording is more like "While programs downloaded from the internet can be useful, this type of file can harm your computer. Do you want to run this file?"
Unrelated to this thread, but just for the record, I doubt it's that frequent of an issue.
Oh, I would never pretend that it was anything other than what it is - hence the "no big deal." This sort of thing happens, and the bigger the user base, the more people are affected. (Similar problems with the simultaneous rollout of the update for Snow Leopard.)
That distraction aside, I mentioned this update because it patches 19 vulnerabilities which could allow arbitrary code execution, and speaks to the OP's original question.
Arnold Winkelried
02-03-2012, 07:21 PM
That's been present since XP - though the wording is more like "While programs downloaded from the internet can be useful, this type of file can harm your computer. Do you want to run this file?"
You know what, you're right! I don't install software nearly as much on my Windows machines (I only use Windows at work) and it does do that sometimes, though when I tried it on two downloads it did it for one and not the other?!?
I guess I forgot because for Windows, it happens when you run the installer for a program, whereas on the Mac, you run the application itself directly because the installation is typically just a "copy this .exe file to the applications folder".
Larry Mudd
02-03-2012, 07:37 PM
I guess I forgot because for Windows, it happens when you run the installer for a program...
It'll do it with any .exe.
Windows Server 2008 takes this idea far enough to actually be a little annoying. All executable files that are copied from the internet or across a network automatically have an attribute set: "Block execution of this file." No easy-to-accidentally-click-through dialog box for you - it'll just flatly say "You do not have sufficient privileges to open this file." If you don't know that you need to right-click the file, select "properties" and uncheck "Block execution" before you try to run it, you're not trusted to correctly answer a "yes" or "no" question. :D
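The prompts compared in the posts above key off origin metadata that the downloading program attaches to the file: the `Zone.Identifier` alternate data stream on Windows (NTFS) and the `com.apple.quarantine` extended attribute on Mac OS X. The following is an added example, not code from any poster in this thread: a Python parser for both markers, run on constructed sample values; the meaning given to flag bit 0x0040 is an assumption noted in the code.

```python
"""Parse the origin markers behind 'downloaded from the Internet' prompts."""
from datetime import datetime, timezone

# Windows URL security zones; browsers tag Internet downloads with ZoneId=3.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}

# Assumption: bit 0x0040 of the quarantine flags means the user has already
# approved the first launch (as described in forensic write-ups).
QTN_USER_APPROVED = 0x0040

# Constructed sample values (not taken from a real machine).
SAMPLE_ZONE = ("[ZoneTransfer]\r\nZoneId=3\r\n"
               "HostUrl=https://downloads.example.test/installer.exe\r\n")
SAMPLE_QTN_NEW = "0083;4f2c5e10;Safari;6F1B2C3D-0000-4000-8000-000000000001"
SAMPLE_QTN_APPROVED = "00c3;4f2c5e10;Safari;6F1B2C3D-0000-4000-8000-000000000001"


def parse_zone_identifier(text):
    """Parse the INI-style text stored in a file's Zone.Identifier stream."""
    section, fields = None, {}
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    if "ZoneId" not in fields:
        raise ValueError("no ZoneId in [ZoneTransfer] section")
    zone_id = int(fields["ZoneId"])
    return {
        "zone_id": zone_id,
        "zone": ZONES.get(zone_id, "Unknown"),
        "host_url": fields.get("HostUrl"),        # absent on older systems
        "referrer_url": fields.get("ReferrerUrl"),
        "warn": zone_id >= 3,                     # Internet or Restricted
    }


def parse_quarantine(value):
    """Parse a com.apple.quarantine value: flags;hex time;agent;event UUID."""
    parts = value.strip().split(";")
    if len(parts) < 2:
        raise ValueError("expected at least 'flags;timestamp'")
    flags = int(parts[0], 16)
    # The second field is read here as hexadecimal Unix time.
    stamp = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    approved = bool(flags & QTN_USER_APPROVED)
    return {
        "flags": flags,
        "downloaded_utc": stamp.isoformat(),
        "agent": parts[2] if len(parts) > 2 and parts[2] else None,
        "event_id": parts[3] if len(parts) > 3 and parts[3] else None,
        "user_approved": approved,
        "warn": not approved,
    }


def triage(zone_text=None, quarantine_value=None):
    """Return True if a launch prompt is expected for this file.

    A file that carries neither marker gets no prompt at all, which is
    why the marker itself is worth checking during triage.
    """
    if zone_text is not None:
        return parse_zone_identifier(zone_text)["warn"]
    if quarantine_value is not None:
        return parse_quarantine(quarantine_value)["warn"]
    return False


if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_ZONE))
    print(parse_quarantine(SAMPLE_QTN_NEW))
    print("no marker ->", triage())
```

On a real system the raw values can be read with `Get-Content <file> -Stream Zone.Identifier` in PowerShell or `xattr -p com.apple.quarantine <file>` in a Mac terminal and passed to these functions as strings.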
Arnold Winkelried
02-03-2012, 07:44 PM
It'll do it with any .exe.
Yes, what I meant is that the file you download is usually an installer for the program and not the program itself.
Though, like I said, I just tried it with two programs I downloaded, and one of them did not show the message when I double-clicked on the "installer.exe". I wonder why that is?
Larry Mudd
02-03-2012, 07:55 PM
Yes, what I meant is that the file you download is usually an installer for the program and not the program itself.
Ah, gotcha.
Though, like I said, I just tried it with two programs I downloaded, and one of them did not show the message when I double-clicked on the "installer.exe". I wonder why that is?
Dunno - that is odd.
Fubaya
02-03-2012, 09:02 PM
This logic is getting a little too circular for me to care about anymore. But a few points...
Not in any objective sense, though. (And I say this as a Linux nerd.) Windows compares favorably (http://news.softpedia.com/news/Windows-vs-Apple-Mac-OS-X-vs-Red-Hat-Linux-82966.shtml) when you look at it.
I just now got a chance to look at that and I don't know what this is supposed to prove. It is basically a survey showing how long it takes for different operating systems to issue patches. Turns out Microsoft is the quickest and Red Hat was second, but all of Red Hat's patches were for third party applications and all of Microsoft's were their own. Red Hat had no vulnerabilities but issued fixes for third party applications. Windows did have vulnerabilities. This proves... I dunno, doesn't it kind of show windows to be less secure?
Note also that the Netcraft survey of web servers referenced in the notes found that Windows had a higher share than any other OS category, with a slight advantage over Linux. Why do you suppose this disparity occurs where the utilization of SSL indicates that this subset of servers is specifically concerned with establishing a secure connection?
That's from 2009, but they apparently don't have anything newer. The numbers from the survey were:
Windows - 41.59%
Linux - 41.02%
Windows having a higher share than any other OS category may be technically true but it's a rather bold statement given the difference is only half a percent.
But if you click "Analysis by individual operating system" you'll see that out of windows' numbers, all but 4% were running Windows Server 2003. This is 11 months after server 2008 was released.
I think this goes against the idea that if Linux were more secure, everyone would migrate to it. People get the systems that are popular or that management has heard of and they stick with it. When components die, they replace them with the newer version of what died instead of hiring people who know a new system and can integrate it with the systems they've been using for years. That's why the vast majority of windows SSL servers were running Server 2003 a year after Server 2008 had been released. How are they going to migrate to Linux if they can't even migrate to the current Windows?
If you go to the main page (http://news.netcraft.com/ssl-survey/) and look at the graph, you'll see windows making a steady decline and Linux making a steady gain until they practically tied at the time of the survey. If the trend continued, it would be safe to assume Linux has well overtaken Windows by now.
It shows a long term decline in windows usage, a steady rise by linux. Isn't that kinda the opposite of what you're arguing?
My main point is that Linux is not more secure because it's obscure. Half (or more) of the internet runs on Linux, making it a really attractive target.
You've steered the arguments toward IIS being as secure as Linux, but IIS ain't Windows. Granted, it's the closest thing Windows has to compare with linux, but you're comparing the most secure thing microsoft has against the only thing linux has and declaring them equal. Ok, maybe they are, but by definition, that must mean the rest of microsoft products are inferior to linux.
In 2010 there were 4 new Windows viruses per minute and 0 for Linux. No one thought to make a single one that targeted half the servers on the internet?
The Niply Elder
02-03-2012, 09:21 PM
Yes, what I meant is that the file you download is usually an installer for the program and not the program itself.
Though, like I said, I just tried it with two programs I downloaded, and one of them did not show the message when I double-clicked on the "installer.exe". I wonder why that is?
Yes, I encounter this sort of thing very often too. This behavior is precisely the type of thing that supports my earlier argument that Windows does not have "baked-in" security features like Unix and Linux. Yes on the surface of things Windows has some sort of annoying popup that you click through. But very often it does not appear. My hypothesis is that this symptom comes from the same fundamental design rot that allows hackers everywhere to violate Windows at will.
Just this afternoon I was at work installing Ansys Fluent on my Win 7 workstation. If I double click on setup.exe then accept the UAC popup, then follow the typical prompts, I obtain a, get this, partial installation of Fluent (I mean wtf?). But! If I right click on setup.exe then Run as Administrator then accept the UAC popup and follow as normal, I get the proper installation.
How is this kind of shit even possible? But it happens. And a million little variations of this kind of inconsistent behavior pervades Windows. You honestly cannot say with a straight face that Windows was designed with security in mind. Saying that it has security attached like a post it note is being a little too generous, a little too British overstatement ;) .
Larry Mudd
04-04-2012, 07:38 PM
Well, I'll be darned. Someone +does+ think it's worthwhile to target Macs.
http://arstechnica.com/apple/news/2012/04/flashback-trojan-reportedly-controls-half-a-million-macs-and-counting.ars
Yes, infection route was passively visiting a website - make sure your updates are current to this week.
Larry Mudd
04-04-2012, 08:35 PM
Here is the specific update. (http://support.apple.com/kb/HT5228)
Francis Vaughan
04-04-2012, 09:12 PM
Yeah, Apple have not exactly covered themselves in glory with this one. Since they took over responsibility for Java on the Mac they have not kept pace with updates, and this one was fixed by Oracle in January, yet only now do Apple scramble to get a fix out. Being a long time Mac fanboi, I'm not pleased. With luck they will be stung by the adverse publicity this generates and lift their game. Exactly what will be done about sorting out existing infections remains to be seen. Apple need to have a really solid story about this.
RaftPeople
04-04-2012, 11:42 PM
I just now got a chance to look at that and I don't know what this is supposed to prove. It is basically a survey showing how long it takes for different operating systems to issue patches. Turns out microsoft is the quickest and Red Hat was second,...
While it's important to fix things quickly, that metric says nothing about the number of vulnerabilities for a particular OS.
I think it's ok to say MS is good at fixing, but to present that as an argument for Win being more secure than the other OS's being compared is illogical.
drachillix
04-05-2012, 12:09 PM
In 2010 there were 4 new Windows viruses per minute and 0 for Linux. No one thought to make a single one that targeted half the servers on the internet?
Because Servers are not browsing the web
Because Server admin teams don't fall for "For $300 you can get lifetime virus cleanup services."
Because server admin teams often run in isolated test environments before rolling out to the working servers.
It's kinda like asking "Why don't more people rob police stations, there is lots of cash, drugs, and guns there"
and that's just the locker room....:D .....even more in the evidence storage area.
Anaglyph
04-12-2012, 04:18 AM
There's recently been a Trojan reported (http://www.bbc.com/news/technology-17675314) that exploits a Java security flaw in OSX v10.6 and 10.7. The Java update (http://support.apple.com/kb/HT5244) released on April 3rd is supposed to fix the Java vulnerability used by this "Flashback" malware.
AaronX
04-25-2012, 01:51 AM
This article might be relevant.
Apple Macs spreading Windows malware
http://www.todayonline.com/World/EDC120425-0000115/Apple-Macs-spreading-Windows-malware
Fear Itself
04-25-2012, 06:19 AM
550,000 Macs infected with Flashback virus (http://www.h-online.com/security/news/item/Flashback-numbers-not-going-down-still-over-half-a-million-1547542.html)
Initial reports of drops in the number of systems infected with the Flashback Mac malware are being corrected – the adjusted number is now back to around 550,000 systems.
This article might be relevant.
Apple Macs spreading Windows malware
http://www.todayonline.com/World/EDC120425-0000115/Apple-Macs-spreading-Windows-malware
The revelation that Macs can pass on Windows viruses is like blowing the lid off the eons-old conspiracy of silence that water is wet.
An infected Windows machine sends an email to a Mac. The infection can do nothing to the Mac, but if the Mac forwards the infected email to another Windows box, the infection is spread to the second Windows box. This has been the case since Day 1.
"Revealing" this as new, or worse yet, news, is hilarious.
Blakeyrat
04-25-2012, 04:38 PM
Yes, what I meant is that the file you download is usually an installer for the program and not the program itself.
Though, like I said, I just tried it with two programs I downloaded, and one of them did not show the message when I double-clicked on the "installer.exe". I wonder why that is?
This is off-topic, but the answer is code-signing. Microsoft has a mechanism by which installers can "sign" themselves with an SSL certificate (much like an HTTPS website), and it trusts installers that are signed that way and doesn't give you that dialog.
Then the question becomes, "well, owning an SSL cert doesn't really make it secure, right?" which is a valid issue, but since it applies to every single HTTPS site on the web as well, Microsoft's not any worse than anybody else about that.
I'm not sure if Apple has any form of code signing set up. If they do, and if the installer/application is signed, I wager it also would not ask about executing it.
Blakeyrat
04-25-2012, 04:49 PM
Yes, I encounter this sort of thing very often too. This behavior is precisely the type of thing that supports my earlier argument that Windows does not have "baked-in" security features like Unix and Linux. Yes, on the surface of things Windows has some sort of annoying popup that you click through. But very often it does not appear. My hypothesis is that this symptom comes from the same fundamental design rot that allows hackers everywhere to violate Windows at will.
How is this kind of shit even possible? But it happens. And a million little variations of this kind of inconsistent behavior pervade Windows. You honestly cannot say with a straight face that Windows was designed with security in mind. Saying that it has security attached like a Post-it note is being a little too generous, a little too British overstatement ;) .
Seriously?
Look, Windows trusts SSL-signed applications. This is no better or worse (from a security perspective) than Firefox trusting SSL-signed websites or SSL-signed Java applets.
Just because you don't understand why Windows asks you for some applications and not for others doesn't make it evidence of a lack of "baked-in security", or that Microsoft's programmers are bad at their jobs, or some kind of conspiracy on Microsoft's part. It just means you don't understand what's going on.
As for your UAC complaint, it seems your problem in that case is that Windows 7 has too much security, and won't let your application get away with the crap it was getting away with on XP.
Mister Rik
04-25-2012, 09:25 PM
I'm not sure if Apple has any form of code signing set up. If they do, and if the installer/application is signed, I wager it also would not ask about executing it.
My Mac warns me every time I try to install something I've downloaded. However, it doesn't warn about something being installed from a disk. I recently installed Adobe Photoshop CS5, and the installer also secretly installed a little 3rd-party utility called "Growl" that scans my whole Applications folder and looks for updates on the Internet. I didn't know what this thing was that kept popping up alerts telling me about updates to this and that, so I found what it was and went to their web site. It turns out they were aware that it was getting automatically installed along with Photoshop, without user permission, and were kind of annoyed about that (and have told Adobe to desist). They had a handy uninstall utility for those of us who wanted to remove it.
johnpost
06-26-2012, 10:52 PM
they are no longer being called virus free by Apple.
old_joe
06-27-2012, 04:41 PM
Apple itself has changed its tune, as this article says
http://www.telegraph.co.uk/technology/apple/9355995/Apple-drops-virus-immunity-claim-for-Macs.html so Apple no longer claims to be immune to virus's (sp?)
600,000 people got infected so we can now say that yes Macs get infected (big old roll eyes)!
PCmag says "Following April's Flashback Trojan - which hit more than 550,000 Macs - Apple recently removed from its website the claim that its Mac operating system is not susceptible to PC viruses."
So maybe now the fanboys can just stop, IT people have always known it would happen sooner or later. 500,000 to 600,000 infections would qualify for "out in the wild" I would think.