Leander Kahney has written a column on the latest spate of Mac malware scares, and generally – correctly – sums them up as “a load of crap”. People like me are interested in them because they’re novel, and because they (correctly) put to bed the idea that the Mac is somehow completely immune from malware (and yes, I have seen this argued).
However, I’m going to take Leander to task over one thing: his apparent lack of belief in the power of social engineering.
The Leap-A malware was a poorly-programmed Trojan horse that relied on “social engineering,” or trickery to perform its nasty function. There’s a simple way to protect against this kind of threat — common sense — and in testament to this, a lot of people didn’t fall for it.
I’m not going to catch a virus this way any more than I’m going to send money to the honorable Dr. Mobuntu, head of the Central Bank of Nigeria.
Perhaps Leander ought to go read this page of stories about people who have been caught out by the “419 Nigeria” scam. Or perhaps he ought to look at the list of the most commonly reported Windows infections, all of which rely on fooling people into opening attachments. Malware writers use social engineering because social engineering works. With probably around 900 million PCs in use in the world, the majority of which run Windows, all you need is one in 10,000 people to be suckers to make an awful lot of money – or, if you’re seeding malware, infect an awful lot of machines.
A couple of places on the net have linked to a claim by the makers of Podner, a product for converting video into a format ready for the iPod, that Apple has asked them to change the name as it violates their trademark.
Reading the actual emails Apple has sent, it seems like this isn’t quite true. In fact, Splasm asked for a license to use the Apple logo, which the company normally permits to third parties who make Mac software, and for the product to be listed on the Mac OS X Downloads site. Apple declined these requests, claiming that the “Podner” name wasn’t consistent with its guidelines for use of its trademarks. What Apple didn’t do was send any kind of legal letter requesting a name change – it basically just said “It’s too close to our trademarks – change it and we’ll be happy to list you and license our logo.”
But there’s a catch. Looking through Apple’s list of trademarks, I don’t see any mention of “pod”. iPod, sure. But not Pod, which is – of course – so generic that Apple would be nuts to trademark it. Also, I note that Apple is perfectly happy with other portions of trademarks being used – Logitech, for example, don’t seem to have a problem with “QuickCam”, despite “QuickTime” being an Apple trademark.
I’m kind of hoping that this is all the result of an over-zealous Steveoid thinking he’s “protecting Apple trademarks” rather than a serious attempt to extend Apple’s intellectual property to cover the word “Pod”. But, these days, when corporations seem intent on destroying the whole system of intellectual property by making it look ridiculous, you never know.
Heise Online has a further report on the Mac OS X/Safari vulnerability, claiming that it also affects Mail.
One user on the MacRumors forums notes that this makes it easy to write a worm that spreads via email. This would exploit the security hole (AKA “user friendly feature”) that Apple introduced to Address Book a while ago, where an application can quickly and easily read all your contacts’ details without any user notification – something that I’ve been complaining is a potential security hole for some time.
George Ou at ZDNet has a round up about the critical flaw found in Safari yesterday that potentially allows a malicious web page to execute a shell script on your Mac. Thanks to JDB for the heads-up on this one.
What does it do? To quote George:
Heise online is reporting that a new critical vulnerability for Mac OS X has been discovered and it appears to have ramifications beyond the Safari browser (thanks to SANS and SunbeltBLOG for the link). The problem is severe because a user simply needs to visit a malicious website and shell scripts will launch with zero user interaction!
Given that security holes in Mac OS X are nothing new, what really interests me is the reaction of Mac users in the comments. Most are, of course, concerned, sensible responses that either ask for details on how to fix it or ask how much of a problem it really is.
But there’s also the handful – and they ARE a handful – who either deny that it’s a “real” problem, point fingers at Windows users in a “you’re still worse, buddy!” way, or blame the messenger – whether the messenger is a security company, journalist or a user who’s published the details.
These modes of thinking leave me shaking my head. Why are people so reluctant to admit that an OS isn’t completely secure? Why are they reluctant to take additional security steps, like running in non-admin user mode, using additional security measures like Paranoid Android or – blasphemy! – using anti-virus software?