As a Mac owner, I've always been pleased by the relative stability of the Apple operating system and comforted by Mac's relative freedom from malware. Not too long ago, one security expert told me that while he'd seen Mac malware, he could count the number of serious incidents on a couple of hands.
A couple of recent events have made me wonder. First, there was a report from Ed Bott at ZDNet on What a Mac Malware Attempt Looks Like. Then there was my own momentary exposure to what Bott described: an attempted "drive-by download" on my MacBook Pro by something known as the "Mac Defender Trojan." So could Bott - who earlier this month warned ominously that Malware for Macs Is on Its Way - possibly be right?
The response has been heated, to say the least.
Bott recently tried to answer concerns that he was just "crying wolf," with a follow-up piece here that includes informal - and anonymous - confirmation from inside Appledom, where he says a call-center employee told him:
I can tell you for a fact, many, many people are falling for this attack. Our call volume here at AppleCare is 4-5x higher than normal and [the overwhelming majority] of our calls are about this Mac Defender and its aliases. Many frustrated Mac users think their Mac is impervious to viruses and think this is a real warning from Apple. I really wish I could say not many people will fall for this, but in this last week, we have had nothing but Mac Defender and similar calls.
Bott, who usually writes about the Microsoft universe, says the attack strategy is one familiar to those who have encountered Windows malware. It relies on code that makes a Mac user believe that his or her machine is already infected, and urges the user to install a "solution":
This campaign is obviously preying on the fears of recent Mac converts and technical unsophisticates, who might believe that their Mac really is infected. After that, it tried to convince me to install the program using the same set of social engineering tricks that this sort of attack employs on a Windows PC.
That seems to match what I witnessed, and dodged. But what about the significance of the underlying threat to my computer?
Andrew Jaquith at securityweek.com says Don't Panic Over the Latest Mac Malware Story.
Jaquith asks the "who benefits?" question - aside from Bott, whom he defends as a "fellow writer and geek" - and concludes that the answer is security-software companies and a certain kind of IT professional "who seems to derive a perverse pleasure from the prospect of seeing Mac customers deal with the same daily security annoyances they have been putting up with for years."
What does Jaquith recommend?
As with malware on Windows, remedies include both technical fixes and policy recommendations. If you are a home or small business Mac customer, you should take sensible technical precautions. For example, you should reduce the likelihood that the most popular target for attackers — the browser — will be compromised, by turning off default settings that OS X foolishly ships with. Switch off the Java plugin and turn off the setting that causes Safari to open "safe" files after downloading, such as less-safe-than-they-used-to-be PDF files. Use a Flash blocker such as ClickToFlash to prevent another potential point of compromise. Turn on your Mac's application firewall. If you are highly security-conscious, you may also want to encrypt your home directory using FileVault, protect access to your computer's firmware with a password, use a password wallet such as 1Password, or consider using an outbound firewall such as Little Snitch. Whether you feel you need a Mac anti-virus program is a judgment call; personally, I feel that it is still overkill. If you work in a large enterprise that uses Apple Remote Desktop or a cross-platform desktop management tool, your admins can implement these technical precautions in an automated way.
From the policy perspective, this current round of Mac malware predictions gives employers a good excuse to reinforce existing policies about social engineering and fake-antivirus scams. Bott's recent posts describe how many Mac customers apparently fell for the fake anti-virus scam that led them to unwittingly download the Mac Defender Trojan horse. Fake AV is not a uniquely Mac problem; just the other day, for example, a family member using a Windows laptop nearly fell for a similar scam. And in 2006, a Harvard study called "Why Phishing Works" showed that the best phishing websites fooled 90% of participants. Both of these examples show that susceptibility to trickery is a platform-independent problem.
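As an added example (not from Jaquith's article or from this post), here is one way an admin could check three of the technical precautions listed above from a script. It assumes a current macOS where Safari's setting is the `AutoOpenSafeDownloads` preference key, the application firewall is queried with `socketfilterfw`, and FileVault is reported by `fdesetup status`; the function names are made up for this sketch.

```shell
#!/bin/sh
# Added example: audit three of the settings named above on a Mac.
# Each classify_* function takes command output as its argument, so the
# parsing can be exercised with constructed strings on any system.

# Safari "Open 'safe' files after downloading" (key AutoOpenSafeDownloads).
# An unreadable or missing key is reported as "unknown" for a manual check.
classify_autoopen() {
    case "$1" in
        0|false|NO) echo ok ;;
        1|true|YES) echo risky ;;
        *) echo unknown ;;
    esac
}

# socketfilterfw --getglobalstate prints "... (State = N)"; 0 means off.
classify_firewall() {
    case "$1" in
        *"State = 0"*) echo risky ;;
        *"State = 1"*|*"State = 2"*) echo ok ;;
        *) echo unknown ;;
    esac
}

# fdesetup status prints "FileVault is On." or "FileVault is Off."
classify_filevault() {
    case "$1" in
        *"FileVault is On"*) echo ok ;;
        *"FileVault is Off"*) echo risky ;;
        *) echo unknown ;;
    esac
}

# Query the live system and print one key=verdict line per setting.
audit_mac() {
    fw=/usr/libexec/ApplicationFirewall/socketfilterfw
    echo "safari_autoopen=$(classify_autoopen "$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null)")"
    echo "app_firewall=$(classify_firewall "$("$fw" --getglobalstate 2>/dev/null)")"
    echo "filevault=$(classify_filevault "$(fdesetup status 2>/dev/null)")"
}

# Run the live audit only on macOS; elsewhere the functions are just defined.
if [ "$(uname -s)" = "Darwin" ]; then audit_mac; fi
```

Any line ending in `risky` or `unknown` is a machine to look at by hand; the output is one `key=value` pair per line so a desktop management tool can collect it.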
Jaquith concedes that there's no "magic unicorn Unix-y pixie powder that makes [Mac's OS] less vulnerable to security flaws than Windows. But it is equally true that the Mac remains a less risky platform than Windows because of the fewer strains of malware written for OS X. By 'fewer' I mean 99% fewer: a hundred malware samples versus 50 million. The Mac also has a much less evolved malware supply chain. By 'less evolved' I mean 'nonexistent,' this one example notwithstanding."