November 2, 2007
Open Season on Macs?
Yesterday’s entry on the new Mac trojan was flip and failed to soberly assess the very real threat posed by a piece of malware that targets very horny, very stupid people. Wired has more serious people saying more serious things, though, including a researcher who says “Apple’s day has finally come, and Apple users are going to get hit hard … OS X is the new Windows 98.”
Fortunately, I have a calendar for predictions so I’m adding this one for 11/2/2009. The next one I get to check on, by the way, is my friend Sven’s prediction that “Spartacus” is due for a lavish remake. He has until January, at which point we can safely conclude that Peter Jackson’s “Lord of the Rings” did not represent a rising tide that lifted all “epic movies that feature swords … lots of swords” boats.
My counter-prediction: We’ll see more of this kind of thing, but I think the pending Mac Ragnarok is still a little bit away.
The “finally” in that leading quote struck me, because … well … I use the word “finally” when discussing things I’ve been waiting for and anticipating. But I let it go because it doesn’t pay to read into these things.
Alex Eckelberry of Sunbelt was a little more transparent in his glee:
“Is this just childlike schadenfreude on my part? You tell me. For years, we’ve heard snorts of derision from Mac users about the poor security of PCs. Yet that supercilious attitude (as we know from our history books) is patently dangerous, because it creates a false sense of security. Now, Mac users will need to be a bit more careful out there (‘cause when Joey wants his pr0n, he wants it now!). On the heels of the poorly-secured release of Leopard, we now find that there is no perfect protection against ~~human stupidity~~ social engineering, even for a Mac user.”
“We now find”?
I had no idea that was in dispute. Actually … it wasn’t, and not long after being posted that entry wasn’t so much qualified as it was deprecated in favor of a more standard security industry truism:
“Let’s not ourselves in the security space get complacent.”
Fine advice. Nobody should be complacent.
But I don’t think this story is “big” so much as it is “interesting.” And it’s the latter primarily because it appears to be the first, as Eckelberry pointed out, “targeted, real attack on Mac users by a professional malware group.”
Some day malware historians will note the date in a timeline, perhaps, but I’ll wager the entry will always be qualified:
“OSX.RSPlug.A was noteworthy for being the first Mac-targeting malware of its sort, but the first widely successful OS X attack didn’t occur until …”
There are two things that do have me concerned, though:
Leopard’s firewall might or might not be very good, but it definitely does not come in a particularly comprehensible interface if you know what you’re doing.
Time Machine runs deleted applications, which means even when users remove an app because they learn it has a vulnerability, their overall security posture is still poor, because the app is still lurking back there in their Time Machine history, easily activated:
“Apparently, some don’t understand why this is a bug. Let me give you a simple example: You find out Adium (for example) has an available exploit that the developers haven’t patched yet. You remove Adium, but it continues to exist in your backup. You visit a web page that activates the Adium bug, and Adium is launched from your backup. That you can launch Adium from your backup is not a bug. That Mac OS X will do so automatically without confirmation is a bug. The backup should be considered a vault for the user, not Launch Services.”
That link also points out that you can remove all the backups of something from your system, but the method it offers (“the context menu”) isn’t exactly right. You have to use the gear menu on a Time Machine window. Hat-tip to Tech-Recipes for the scoop and a screenshot of just what it is you’re looking for.
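To see which removed applications still have copies sitting in a backup, here is an added example (not from the original post, the quoted article, or Apple) that compares bundle identifiers found in a backup tree against those in the live application folders. It assumes the backup is mounted as an ordinary directory tree of snapshots; the function names and the `com.example.*` bundles are constructed for the demo.

```python
import os
import plistlib
import tempfile

def bundle_info(app_path):
    """Return (CFBundleIdentifier, version) for a .app bundle, or None."""
    plist = os.path.join(app_path, "Contents", "Info.plist")
    try:
        with open(plist, "rb") as fh:
            info = plistlib.load(fh)
        return info["CFBundleIdentifier"], info.get("CFBundleShortVersionString", "?")
    except Exception:  # missing, unreadable or malformed Info.plist
        return None

def find_apps(root):
    """Yield (bundle_id, version, path) for every .app bundle under root."""
    for dirpath, dirnames, _ in os.walk(root):
        for name in list(dirnames):
            if name.endswith(".app"):
                dirnames.remove(name)  # do not descend into the bundle itself
                path = os.path.join(dirpath, name)
                info = bundle_info(path)
                if info:
                    yield info[0], info[1], path

def lingering_apps(backup_root, live_roots):
    """Apps present in the backup whose bundle ID is no longer installed."""
    installed = {bid for root in live_roots for bid, _, _ in find_apps(root)}
    return sorted(a for a in find_apps(backup_root) if a[0] not in installed)

def make_bundle(root, rel, ident, version):
    """Build a constructed, minimal .app bundle for the demo (not a real app)."""
    contents = os.path.join(root, rel, "Contents")
    os.makedirs(contents)
    with open(os.path.join(contents, "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleIdentifier": ident,
                       "CFBundleShortVersionString": version}, fh)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = os.path.join(tmp, "Applications"), os.path.join(tmp, "Backups")
        make_bundle(live, "Mail.app", "com.example.mail", "3.0")
        make_bundle(backup, "snap1/Applications/Mail.app", "com.example.mail", "3.0")
        make_bundle(backup, "snap1/Applications/Chat.app", "com.example.chat", "1.1")
        for bid, ver, path in lingering_apps(backup, [live]):
            print(f"{bid} {ver} still in backup: {path}")
```

The script only reports; removing the backed-up copies is still done from the Time Machine window as described above.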
Tags: leopard, mac, malware, security, unseemly gloating
Posted by mhall at 8:10 PM