

Apple hopes that if it pretends that malware doesn't exist its customers will believe so too. Apple techs are under strict orders not to help customers who are suffering from malware infe

Employees claim ~6 percent of Macs are now infected by malware, though many Mac owners are convinced their computers are "immune" to such problems.  (Source: Cult of Mac)

Microsoft actually helps protect its customers from malware programs and acknowledges they exist. It even offers its customers free protection.  (Source: iTech News Net)
Jobs and company hope to keep customers ignorant of the truth

Apple, Inc. (AAPL) long had the good fortune (from a certain perspective) of not being very popular with consumers and thus gaining security through obscurity.  With millions of Macs in the wild and Apple sitting pretty in fourth place in PC sales, though, the company is seeing an increasing number of malware attacks.

I. The Customers Want the Truth?  They Can't HANDLE the Truth!

In response to these attacks, Apple has reportedly implemented a policy which is in equal measure bizarre and baffling -- it's telling technicians to adopt a "don't ask, don't tell" policy with regard to customers' complaints about malware, feigning ignorance on the topic.

An Apple Store Genius (store technician) leaked internal documents to ArsTechnica.  One memo reads:

Apple Internal Use Only - Issue/Investigation in Progress - Confidential Information - Do Not Disclose Externally

Symptoms

Customers may call AppleCare to report an issue with malware (trojan) software known as Mac Defender or Mac Security, or because they are concerned that their Mac could become infected.  The name may vary as new variants are released onto the internet.  This malware is installed from malicious websites.

Products Affected

Mac OS X 10.6, Mac OS X 10.5, Mac OS X 10.4

A second memo adds:

Important

    • Do not confirm or deny that any such software has been installed.
    • Do not attempt to remove or uninstall any malware software.
    • Do not send escalations or contact Tier 2 for support about removing the software or provide impact data.
    • Do not refer customers to the Apple Retail Store.  The ARS does not provide any additional support for malware.

The disgusted Apple employee is quoted as stating, "Frankly, it's Social Engineering at its finest.  In some respects, I feel a little bad for the people hit by this, but at the same time, I can't help but be frustrated that people inherently trust everything they're prompted to do on their machines. The beauty of Mac OS X is its security model. That people blindly enter a password is going to be the undoing of it."

(The employee's comments allude to the fact that Apple's OS requires users to verify installations using a feature similar to the UAC found in Windows 7.)

II. How Widespread is the Problem?

Andy says that in the past about 0.2 percent of service Macs were suffering from some kind of malware -- "most always DNS trojans."  Now that number has soared to around 5.8 percent, mostly thanks to MacDefender -- a trojan that DailyTech previously reported on.

The employee states, "There's been a very real uptick in the number of malware instances we've seen."

"With regard to how the company is dealing with it, the answer is not very well," he adds. "As you know, OS X requires an admin user to authenticate and OK the install for pretty much anything that's not drag and drop. The response has been a case of 'they installed it, so it's not our problem.' Until something that makes use of a zero-day exploit hits, I really doubt that we're going to do anything, technology wise, to address this."

But is the OS X security model really superior to Windows 7?

Famed Mac security expert Charlie Miller, who won in multiple years for the fastest Mac hack at Pwn2Own, comments, "Mac OS X is no more secure than any other operating system. It has vulnerabilities, and it will let you download and run malware. The difference is that there simply isn't that much malware written for it. The bad guys have focused all their energies at Windows, which makes up the vast majority of the computers out there. However, as market share for Macs continues to inch up, that equation is going to change and bad guys will begin to focus in on Macs, if that hasn't already started to happen. And as I mentioned above, Macs are no more inherently secure than Windows, so when the bad guys decide to go after them with gusto, it'll get ugly fast."

Other hackers have also commented that OS X 10.6 ("Snow Leopard") has inferior security to Windows 7.  To boot, Apple doesn't provide users with free antimalware software like Microsoft Corp. (MSFT) does.

III. How Long Can Apple Keep up the Charade?

In recent months botnet-forming worms and trojans have targeted OS X.  Most of these pieces of malware have been amateurish efforts, though, or works in progress.  Nonetheless it remains a very real possibility that Apple could one day see a serious attack.

The question remains how long Apple can continue to manage to deceive its customers and obfuscate the fact that its platform has malware on it, and that the threat is growing.

But the line still seems to be working on the most gullible of Mac users.  For example, in our coverage of the MacDefender infection, one pro-Apple commentator and self-proclaimed "expert", "TonySwash", wrote:

In the real world actual and successful malware attacks on Macs are virtually unknown, and if there are any at all the number is vanishingly small.

...

The really embarrassing thing is not that Windows get's (sic) all that malware, that's just the result of piss poor design decisions going back decades, what's really shameful is the way that some Windows fans choose to deal with this reality. They deny it. It's not Microsoft or Windows faults (sic), it's everybody's problem, or if it's not everybody's problem then its (sic) some sort of perverse reflection of Windows strength (sic).

Eventually Apple may have to face the music, though, particularly if customers take legal action against it for feigning ignorance, now that corporate documents have revealed that Apple is well aware of the attacks on its platform.

There are plenty of things you can fault Microsoft and the Windows platform for, but one thing you can say in their favor is that at least when they encounter malware they try to help customers and counter it rather than claiming their products are "magic" and have no problems.



Comments

RE: Relying on users typing in a password?
By tng on 5/20/2011 1:43:23 PM , Rating: 2
quote:
Sorry, that's not a security model.

No, it is an excuse for Apple to pass the buck......

"They had to input a password to install malware, so it is not our fault", security has nothing to do with it.


RE: Relying on users typing in a password?
By cjohnson2136 on 5/20/2011 1:45:21 PM , Rating: 2
Any computer security person is laughing because if a password is their security model, they all know that security needs multiple layers. A password means nothing.


RE: Relying on users typing in a password?
By Solandri on 5/20/2011 2:39:18 PM , Rating: 5
OS X inherits its security model from Unix (it traces its roots back to BSD/Unix and NeXTStep). Unix was designed from the get-go as a shared multi-user system running on a mainframe with users logging in through terminals. Consequently, it has a rather robust security model. Apps run in user-space with only the minimum permissions needed to get the app to run. If you absolutely must have additional permissions, the app must ask for elevation to root privileges, which is when the user has to type in the root password.

Windows comes from the opposite direction. It started off with MS-DOS, which was a single-user OS. The user had full access to the entire system at all times. Consequently, most Windows apps were written assuming they had full access to the entire system - they assume they have root access. A lot of them broke when Vista introduced the Unix-style security model of apps only getting minimum permissions by default, which led to a lot of companies sticking with XP. Even today, 4 years after Vista was introduced, when I'm helping migrate clients' systems to new hardware, I call up the producer of the vertical app the company runs, and get told their solution to getting their software running under Vista or Win7 is to turn off Windows' UAC security.

I agree that Apple's dismissal of these security issues is ludicrous. But OS X's fundamental security model is better than Windows', and probably better than Linux's due to it being single-source (fewer unforeseen interactions to watch out for).


RE: Relying on users typing in a password?
By semicolon on 5/21/2011 10:53:10 AM , Rating: 3
Actually, the current Windows operating systems do not have a lineage that leads back to MS-DOS. Since Windows 2000, all versions of Windows have derived from the Windows NT kernel. Windows NT was a new development, originally from the joint Microsoft-IBM development of OS/2, and doesn't have any relationship with MS-DOS. In fact, the kernel has more in common with DEC VMS or RSX-11.


RE: Relying on users typing in a password?
By KoolAidMan1 on 5/21/2011 1:18:06 PM , Rating: 2
True, but what he is saying regarding the lineage of the Windows security model and where it changed with Vista still stands.


By nycromes on 5/25/2011 8:44:34 AM , Rating: 2
Regardless of the lineage, there will always be a tradeoff between convenience and security. The weakest link will always be the user. This is the case on all OSes and will continue to be until people learn not to trust popups, links, and messages.

You can put in all the security you want into an OS, many users will turn it off. If they can't turn it off and it's too much they will switch to another OS. Not to mention, they will still blindly follow pop up messages directing them to install some app. People want both convenience and security, but we have yet to determine an effective way to accomplish this. The best way to eliminate these threats is to educate users on safe computing. People are going to use computers so let's teach them the safest way to use computers. Force the hackers to find the bugs in software rather than social engineer users into installing their malware.


Copyright 2014 DailyTech LLC.