Posted by: David Harley | June 19, 2010

Apple, AV and Good Manners

Someone posted a very rude comment to my last post here. I originally approved it, despite the ugliness of the way it was expressed, because it made some points worth addressing. However, as I composed my reply, I got increasingly irritated with the allusions to pimps and touting and fabricated statistics, so I made up a policy for this web site on the spot.

I don’t have a problem with dissent and debate, even heated debate. I don’t mind if you have a poor opinion of the AV industry in general, though I’d point out that we are individuals, not “types”. But I will not approve any comment that isn’t reasonably polite, or that badmouths individuals gratuitously.

Bill, if you want to resubmit your comment in a way that doesn’t suggest that I, or respected colleagues in the security industry, are crooks, charlatans and liars, I’ll be happy to approve it. In the meantime, I’ll attempt to deal with the points you made: briefly, since I have a plane to catch.

You don’t see the information about Mac threats because you’re not looking for it. Some of the threat types that concern us are actually described (not in detail) in the 2010 EICAR paper available from the resources page. I’m also building a Mac-specific information resource here, but because I’m not being paid for maintaining this site, it has to be done when I have time, and that doesn’t happen very often. It is time-consuming because, whatever you may think to the contrary, I intend it to be accurate.

The list in that paper is not a complete description of every threat type, let alone every variant, just a rough indicator. The point is that vendors have many hundreds of unique binary samples of OS X malware. That’s a fleabite compared to the 40 million or so Windows-targeting malicious programs we see right now, and it’s not necessarily the best way to measure, but it’s certainly more than three.

The number of Apple machines or users affected is indeterminable. ESET does gather some statistics (not at all surreptitiously) from users who choose to allow the anonymised and automated reporting mechanism in the product to operate, but it only gives a snapshot view of a subset of the computer-using population, which is why we never publish data based on those figures. To do so would certainly be more misleading than helpful.

I know for a fact that it’s very small compared to the number of people affected by Windows malware. So? No-one is saying Mac users have to take precautions against OS X-targeting malware. If you want to gamble, be my guest: at the moment, the odds are on your side, if you don’t fall for social engineering trickery.

AV products are silently updated several times a day. But that’s what people expect from them. Apple, however, has added detection for just one item of malware since Snow Leopard was introduced. As a countermeasure against malcode, that’s pathetic, but what’s iniquitous about it is that the company is doing it silently because it’s still pushing the “there is no Mac malware” line even while trying, however ineffectively, to counter Mac malware. That’s obviously for marketing reasons. I don’t expect any business not to do any marketing, but that is edging towards deception. What, you don’t think Apple is in the marketing business? Hmm…

I know where most malware comes from. And I was an advocate of on-access scanning long before I was assimilated by the security industry. The point about Apple’s flawed implementation is that it looks for specific malware in a context in which it won’t find it. Intego’s report is quite comprehensive and detailed on that point: I suggest that you read it before you denounce it (or me) as wrong.

David Harley CITP FBCS CISSP
Mac Virus Administrator
Small Blue-Green World
AVIEN Chief Operations Officer

Also blogging at:
http://avien.net/blog/
http://smallbluegreenblog.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/
http://dharley.wordpress.com
http://chainmailcheck.wordpress.com
http://amtso.wordpress.com


Responses

  1. Hi David!

    First, the second hyperlink saying (on this site) shows a 404 error.

    Second, I agree with you on this matter!

    • Thanks (for the heads-up _and_ the support!) I can’t seem to get a reliable direct link to that file, but going from the resources/papers page seems to work, so I’ve changed the text slightly to reflect that. I’ll have to look at it again when I’m not travelling.

  2. Thanks for the paper link. I’ll check it out.

    I suppose what I was trying to say was that it’s in the interest of the AV companies and their employees to make consumers as aware as possible of the existence of malware, and it’s in Apple’s interest to provide an environment where the consumer does not need to be aware of the existence of malware.

    It would be nice if there were some unbiased 3rd party that could provide some perspective on the debate, potentially using statistics provided by AV companies. Until then, consumers can only make poorly-educated guesses about which vested interest they should trust more.

    • Bill, that’s a fair summary. I try to keep this site and comment independent, but I do have a security company hat too, and I don’t claim to be totally impartial. Statistics… well, that’s a difficult area. Let me think about that.

  3. I presume every time I do a Security Update on Mac OS X, it is because some new vulnerability has been discovered, and Apple is on top of it. It seems like guarding against a couple hundred malware programs is much easier to stay on top of than several million. And of course, Unix has plenty of security vulnerabilities: it is written in C, after all…

    • Jeremy, that sounds as if you’re equating vulnerabilities with malware. Unfortunately, Apple is unable to update the vulnerability in the human/computer interface that most current threats exploit.

      Incidentally, I spent last week at ESET’s virus lab, discussing, among other things, Mac malware detection. From that discussion, it seems that your estimate of “a couple hundred malware programs” is way, way too low.
