The Apple Security Report: Repeating the Big Lie!
August 4th, 2006It appears that Apple can’t do anything these days without confronting the “Big Spin!” from certain journalists who seem to type faster than they can think. Take the most recent Security Update for Panther and Tiger users. It contained loads of fixes for security-related issues; over two dozen, in fact, for 10.4 users.
While I don’t want to minimize the importance of security leaks that cover networking, Internet access, image files and so on, there’s one compelling fact about all this: There is no published report, anywhere, indicating that anyone has been harmed by any of these issues! Not one!
That takes me to a certain misleading article entitled “Cybercrooks constantly find new ways into PCs” from USA Today’s Byron Acohido. On the surface, you’d think it covers the newest techniques used by these Internet criminals to hack into personal computers, but a lot of it spreads more unvarnished fear-infested nonsense about the vulnerability of Macs to malware.
The spin starts with two quotes from Marc Maiffret, who is identified as “lead researcher at security firm eEye.” The first is that “it’s more than a Microsoft world,” which sounds innocuous enough on the surface.
Then Acohido uses the next sentence to frame his argument: “People are starting to realize it’s a lot easier to find vulnerabilities in third-party software that doesn’t have the level of scrutiny of Microsoft’s products.”
The implication here is that hitting targets that are not normally on the radar may be a better way for criminals to succeed at their dirty work. This seems true, so far as it goes, and it doesn’t seem to be an effort to trash Apple. But it comes soon enough.
First there is the report that “since January 2005, Apple has had to fix 65% more security holes than Microsoft,” listing 262 vulnerabilities for the former, compared with 157 for the latter. Mozilla had 150 and Adobe had 45.
Aside from Microsoft, how many users were actually infected by these security holes? Acohido quotes Apple’s Lynn Fox as saying that “There has never been a widespread attack on any software Apple has produced.”
Is this being disputed? Well, Acohido points claims that “At least two Apple attacks have been detected this year,” and mentions the infamous iChat virus, Oompa-Loompa, as one of them. He doesn’t include the known fact that the worm, which masqueraded as an alleged set of photos of the next version of the Mac OS, maybe impacted a few hundred people at the most, and then only on local or Bonjour networks, not on standard iChat connections, which use AOL’s AIM network.
Throughout the article, you’ll find claims about potential infections, not reality, and, when you ignore the spin, you come away with the same conclusion: Malware still affects Microsoft’s operating system and applications. While there are security leaks elsewhere too, the Cyberbrooks aren’t necessarily using them as alternatives to gaining control of PCs.
In other words, the title and the implication in the article that Macs are in immediate danger are basically false!
Update: The September 2006 issue of Consumer Reports continues the FUD. In an article on “Cyber Insecurity,” it is estimated that the total damage caused to personal computer users in the U.S. in the past two years is $7.8 billion. Fair enough, but the anonymous authors don’t make any effort to break down the damage so the reader knows which computing platforms are affected, and to what degree. To muddy the waters still further, the article spreads the illusion that Mac users are impacted, stating that “far fewer Macintosh users reported such infections” and goes on to list alleged vulnerabilities with Mac OS X and Safari.
Sorry, Consumer Reports, but that won’t cut it. That horrendous damage figure is all Windows, despite your implications to the contrary.
However, this isn’t to say that a Mac security leak can’t or won’t be exploited. It would be irresponsible to suggest that it can never happen. But as long as you and I remain vigilant, and Apple continues to plug holes whenever they are found, the dangers will be reduced.
At the same time, I would recommend that, if you share files or mail with Windows users, do everyone a favor and install some Mac virus protection software. Even if there’s no immediate threat to Mac OS X, there will be, and the companies that develop this software will protect you as soon as they learn about it. In the meantime, you’ll be protecting the people you know who use Windows, because these same programs also block infections that impact that platform too.
When it comes to virus protection, my favorite right now is Intego’s VirusBarrier X4. It seems to have little or no impact on system performance, and doesn’t add lots of junk to your operating system.
Print This Post
Great article!
Talk about securty holes! I’m sure you have already heard about the ‘Apple MacBook that got hacked in under a minute (via airport)? It fits right into the ‘misleading’ Apple-bashing news.
Sorce: http://daringfireball.net/2006/08/krebs_followup
regarding the Hack a Macbook in a minute, please refer to http://www.daringfireball.net. John Gruber has some interesting questions regarding why the “hackers” did not use an Apple Airport card in their tests, instead relying on a third party card and implicating the Apple wireless drivers without any proof. I’m not saying that Apple’s driver offers enhanced security, but their demo did nothing to promote this.
If Macs arent in immediate danger, why make the security updates available?
Reason: If Apple (or any other OS developer) does not provide security patches, the journalists will continue to bash them and broadcast the exploit until hackers really start to do damage. Years ago, Apple and Microsoft would just ignore discoveries of security holes. But not anymore. The media (tech journalists) keep them on thier toes.
Although dangers exist, you’ll find only the crack hacker has the skills to actually do something. The average Joe wouldnt know where to begin. Unfortunately we have this thing called the internet. All it takes is one bad guy to distribute the details of how to use the exploit and then suddenly many bad guys attempt to hack into systems.
Challenge to readers: go and google some PC exploit and then intentially try to hack into some system. Bet you (the average user) cant do it. Go ahead and prove it to yourself.
The famous (or infamous) Mackbook hacking in under a minute thing is something that affects ALL the computers that use the same wireless driver (yes, the Wintel machines too. It was suggested Apple was using third party wireless drivers). But hey, it sells better if you say that is a problem that affects to Apple machines. Ok, this can be serious, but theres no reason to not it make very clear, so PC users are not victim of something like that.
Eva said: “If Macs arent in immediate danger, why make the security updates available?”
Well, I agree with you. And I must say that I prefer to have a system patched (wether or not there are threats in the wild). I don’t like potential threats, so keep’em coming Apple. You know, the “security through obscurity” doesn’t do for me, because the bad guys work “in total obscurity”. You made a very good point about the ones who have a ‘know how’ and the ones with ‘skills to harm’ your computer. But still, there are virus, spyware….(not in the Macintosh world, at least that i’m aware)
About security, I think is dumb enough to think an operative system or any kind of software (whatever its manufacture would be) is perfect and 100% bulletproof. Vulnerabilities and flaws (which the bad guys will take advantage of) will ever exist. Macs have revealed themselves as more secure than PCs (which does not mean that are invulnerable. Look how many problems with escalation of privilege, or writing arbitrary code problems have been). I guess marketshare also helpes (and no, I’m not telling that this is only the reason of the lack of great incidents with Macs).
Indeed. What about this new Intel ‘Flip 4 Mac’ installer? This is a major security issue and if I can believe the author, Apple is ignorant to the problem.
Sorce: http://www.bynkii.com/archives/2006/08/fixing_the_stupidity_of_the_fl.html