Macs no longer immune to viruses

I really couldn’t believe my eyes when I read this one. I saw this article listed on Google News this evening, and couldn’t help but read it. As if any real experts would have ever thought that a Mac was immune to a virus. Perhaps that’s where my intense dislike of self-proclaimed experts comes from. Not this time. After reading the article closely, I came to a different conclusion. I don’t think the ‘security experts’ are to blame. I think this is a case of the media distorting something they know nothing about in an effort to publish something which will attract attention.

It would be too easy to summarily dismiss this article as Microsoft-sponsored rhetoric, given that it was published on MSNBC, so I’ll attack this from a marginally different angle. Indeed, what people should be worried about is the fact that there is what appears to me to be intentionally misleading information contained within. I know that there will be people out there reading this who were considering buying a Mac. These non-geeks will be less inclined to do so after reading that article. Imagine… using a computer and getting a virus. Wait a tic. I’ve been using computers (including Windows) for years, and I honestly don’t remember the last time a virus actually infected my computer.

Newsflash, people. It’s called anti-virus software. That, coupled with anti-spam software, and the self-control to stop forwarding everything I get to my buddies and not clicking on attachments from people I don’t know. Maybe I’m overprotected. Perhaps I need to drink more before reading my email. A lot more.

But back to my point. There are several subtle inaccuracies in the article and I’ll point out a few of them. First, let’s take a look at one of the bullets on the second page which lends credibility to the article.

“The SANS Institute, a computer-security organization in Bethesda, Md., added Mac OS X to its 2005 list of the top-20 Internet vulnerabilities. It was the first time the Mac has been included since the experts started compiling the list in 2000.”

Hmm. Well, I worked at Pedestal Software for two years developing security policy files for Fortune 100 companies starting back in 2003. One of our policy files was based directly off of this very SANS vulnerability list. Even three years ago, there were Mac vulnerabilities listed on the SANS web site in the form of Safari and Unix services.

Upon closer inspection it would appear that they’re saying this is the first time that ‘the Mac’ has been included… as a stand-alone entry, they must mean. Of course. I’m glad to see that was pointed out so the people who don’t know anything about SANS would realize what the article really meant.

The fact is that SANS completely reorganized their vulnerabilities list this past November. The list used to be just a Windows top 10 list and a generic Unix top 10 list, resulting in the top 20 vulnerabilities. From the looks of it, they’ve taken a lot of software that used to be on both lists and combined them into a cross-platform section. Then they made ‘Windows vulnerabilities’ a section (which has five sub-sections) and ‘Unix vulnerabilities’ a section (which has two sub-sections). Seems a bit of a lopsided comparison if you ask me. Better buy your lifetime supply of Twinkies. The world might run out of food sometime soon as well, key word being ‘sometime’.

In addition, the list of vulnerabilities from SANS is a somewhat arbitrary list. It’s made up of what a general consensus of people across the security industry think are a collection of high-risk vulnerabilities mitigated by how widespread they may be. If a vulnerability was discovered for Red Hat 5.0 (and only Red Hat 5.0) that could give anyone root access by browsing to the URL of the machine with Firefox, it would not make the list. It would be considered a medium to low level threat because not many people are running that specific version of the software. The same vulnerability on Windows XP would be critical and would certainly make the list because of the sheer number of computers that could be affected. It should be obvious to the casual observer that as a company achieves market share, even relatively minor problems could appear on the SANS list because of the number of computers with that software installed.

I don’t believe the fact that OSX has made the list is as much an indicator that it’s severely vulnerable as it is an indicator that the Mac is gaining market share. If I were to hazard a guess, I’d be hard pressed to keep OSX out of the top five highest installed bases of Linux or Unix variants, thus making any vulnerabilities discovered in the operating system more widespread.

Here’s another truth-laced comment that lends credibility to the story:

“Less than a week after Daines was attacked in mid-February, a 25-year-old computer security researcher released three benign Mac-based worms to prove a serious vulnerability in Mac OS X could be exploited. Apple asked the man, Kevin Finisterre, to hold off publishing the code until it could patch the flaw.”

Forgive my cynicism, but after a flaw, bug, exploit or virus has been discovered, don’t you think that the chances are pretty high that someone else could do it too, especially after having seen it done and being shown the hole in which to look for the white rabbit? It’s not even clear from reading the passage that the two incidents are related in any way, shape or form. They may not be at all, but they appear to be if you don’t dig down into the sentence, which most people will not do.

Need another example of how slanted this article is towards gaining exposure and credibility?

Point: “The bottom line is we still feel more comfortable using a Mac than a (Windows) PC,” said Alan Paller, director of research for SANS.
Counterpoint: “But as Daines can attest, there are no guarantees.”

Here we have a quote from the Director of Research at SANS resolutely stating that they feel better using a Mac than a PC and the author of the article undercuts it with a statement from a guy named Daines who is a Chemical Engineer. Not a security guy. Not even a computer guy. A Chemical Engineer. For the record, in case someone misunderstands this, I’m not saying Daines is not smart. I’m saying he’s not in his element. There’s a big difference. So, the author combats the opinion of a highly specialized computer person with an incredibly obvious fact that you certainly can’t argue with. That’s pretty gutsy. I’m surprised this article hasn’t been crucified by the geek world. Perhaps it has, and I just haven’t noticed. The same counterpoint could be applied to nearly any argument.

Point: “We need to cut our CO2 emissions to reduce global warming.”
Counterpoint: “But as Daines can attest, there are no guarantees.”

Point: “If you start a company with great people, you’re bound to make great products.”
Counterpoint: “But as Daines can attest, there are no guarantees.”

Point: “If Admiral Kirk had continued firing on Khan’s ship and killed him when he had the chance, Spock would never have died and his son would never have been killed.”
Counterpoint: “But as Daines can attest, there are no guarantees.”

Catch my drift? Your average person will read that statement in the article and instantly agree with it, and how could you not?

There are a few other truth-laced inaccuracies that I could point out, but I think I’d just be wasting my time. I don’t blame this article on the security experts. I blame it on the media, who seem to be acting more and more irresponsibly. They need to do their homework, and when they don’t, I think it’s the duty of the geek world to call them out on it, asking questions like: “What are they not telling me?” or “Is that really true?”

The sad fact of the matter is that people read the news so that they don’t have to do the research themselves to find out the information. The expectation is that the news is relatively accurate and relatively unbiased. In my mind, this article doesn’t qualify as either. I wouldn’t be so annoyed if the article were just inaccurate or just biased. It’s the combination that really bothers me.

The sole saving grace here? This story has been rated a 2 out of 5 by 354 users on MSNBC’s website, so perhaps there is some justice in the world.
