Are Macs susceptible to malware from merely visiting a website?

Can a Mac get infected by merely going to a website, or is this a problem exclusive to some versions of IE?

Thanks,
Rob

That kind of exploit can occur on any platform. In practice it’s relatively rare. But yes, it can happen.

All of the Mac malware I’m aware of has to be explicitly installed by the user. They usually masquerade as security or maintenance programs (“speed up your computer” and the like).

In other words, no.

In theory, yes. Such attacks have been demonstrated multiple times at the Pwn2Own competition. More practically jailbreakme.com has used PDF exploits to jailbreak iOS.

In practice, no.

Do you work for Apple? The answer to the question, as asked, is “yes.”

The unfortunate truth is that Apple’s Safari has, all-told, as many or more exploits as any other company’s browser, and Apple is particularly lackadaisical about patching them, which is why they usually lose Pwn2Own, and usually have more open exploits at any given time. (They’re also pretty bad about patching exploits in related technology-- their version of the Java runtime, for example.)

The reason these holes aren’t being exploited is because the economic incentive to do so isn’t there-- building a botnet of a few million Macs isn’t worth it when it’s far more profitable to spend the same amount of time on your exploit and get a botnet of a few billion Windows PCs.

No, I don’t work for Apple.
But, I hear the same, tired arguments all the time from Windows fanboys about how the Mac is “just as vulnerable” to malware as Windows.
And, it just isn’t true.
As far as I know, there are zero (none, nada, zilch) drive-by attacks that are capable of infecting an OS X system running the current version of system software (10.7.2).
This number may possibly increase to single digits if third-party software (Flash/Acrobat) is installed, but I believe that running the current versions of that software brings the number back to zero.

If you can show me a drive-by attack that exists *in the wild*, I will post a retraction.

Safari loses Pwn2Own first every single year. There are tons of exploits out there. Apple invariably takes *months* to patch those exploits, even after they are documented and demonstrated.

As I said above the reason (the ONLY reason) they aren’t exploited is because the financial incentive isn’t there. You don’t see them “in the wild” not because the guys writing exploits for botnets are incompetent (on the contrary-- they’re bypassing far more secure browsers), but because they haven’t bothered.

But that could change at any moment. Telling people they’re completely safe because they use Apple products is dangerous and irresponsible.

To get back to the OP’s question, it definitely is not restricted to a single browser (the OP asks about Internet Explorer). In theory, it can happen with any operating system and any browser. In practice, some pieces of software and some operating systems have more vulnerabilities or are the subject of more attacks (depending on who you speak to.)

For these types of debates (viruses on Mac vs. Windows), I like to use this metric to gauge the real-world probabilities: do a search on the threads in GQ discussing viruses, and count how many of the people who have a virus infect their machine have Windows vs. how many people are running Macintosh OS X. From my reading, all the questions I’ve seen on the board asking to get rid of a virus were from people who used the Windows operating system.

Many many many more people *use* Windows than Macs, so of course you’re going to see more questions relating to Windows machines.

If you are asking if, theoretically, a Mac can get malware under certain circumstances, the answer is yes.

If you are asking if, practically speaking, you need to install antivirus software on your Mac, the answer is no.

I can’t remember a single question on the boards from someone who had a virus on a Macintosh. Have you ever seen one?

I think I can remember at least one. But yes, reports of Mac malware are certainly disproportionately low compared to Windows.

I think it’s mainly because so many Windows users still run with administrator privileges (equivalent to root in Unix-like systems). Even with protective privilege-reducing mechanisms Microsoft has added to recent versions of Windows, I still don’t think it’s a good idea to do that. If Windows users all used non-privileged accounts that would dramatically reduce the effectiveness of malware.

Plus, there are many browsers other than Safari that run on Macs.

I still haven’t seen anyone present evidence that a Mac can be infected by the conditions stated in the OP:

This means: no explicit downloading of files.

Jailbreakme.com definitely showed that this could be done. The authors designed the page to execute the attack only after user confirmation, but this is for user convenience only (so already-jailbroken devices don’t get re-jailbroken, so users can read about it first, etc). There is no technical impediment to executing the attack as soon as the page loads. It just loaded a PDF in a hidden IFRAME.

I’ve never heard of a jailbroken Mac.

A little under 10% of Web surfers in 2011 were Mac users, so in my reading forums it’s vastly disproportionately low. Although that’s just based on my anecdotal observations reading forums.

In my experience, virtually all Mac users run as administrators. I ran a consumer networking company for 7 years, including our customer service operations, and with one of our products the default software we shipped with didn’t work on limited accounts. Maybe 10 in 50,000 customers called up with a problem and we’d send them an alternative version that would work on non-admin accounts.

Frankly it was an embarrassing bug that we should have fixed but so few Mac users run non-admin accounts I never invested the development time.

Mac admin accounts don’t actually run as administrators all the time, they work principally like UAC does on Vista, 2008 and 7.

That surprises me. According to Apple themselves, root is disabled in OSX by default (http://support.apple.com/kb/HT1528). Certainly, in other Unix-like OSes it is not usual to run as root all the time.
I’m not an OSX guy, but I see that there is an intermediate sort of account called an administrator user, not as powerful as its Windows namesake.

It’d be more accurate to say that the OS X Admin account is equivalent in virtually every meaningful way to the Windows Admin account. In all my years of using OS X I’ve needed to use the actual root account twice. Once last year to fix a bug Apple introduced in SMB sharing and one other time I don’t recall the details of.

And as I alluded to, we develop hardware drivers (kernel extensions in OS X terms) so if the Admin account were particularly limited I’d have noticed. You’re right though it is not the same as root.