by philaquilina 5192 days ago
As someone who used to sell Mac computers, I used to get asked the question "Is it true Macs never get viruses?", to which I replied "No, that's not true." (It was just an Apple reseller store after all, so I was never compelled to bend the facts.) I'd try to explain the caveats a bit: a smaller market share and the Unix-based operating system requiring more permissions, yada yada, being "prohibitive" to an attack but still vulnerable. Still, for 3 years that question came up a few times a week, even as Apple started taking off (2006-2009 ish) and grabbing more and more of the market.

I guess it was just amazing to me how disinformation like that flows so freely. It probably started out with the caveats but eventually got boiled down to "Macs never get viruses". And what computer company is going to publicly correct that statement?

5 comments

Yes, it is correct that Macs can get viruses. Where people get upset is when you generalize this to say that because >1 virus exists, OSX presents no significant advantage over Windows.

Viruses are not a fact of life for Mac users. Talk to anyone who uses or services Macs; you'll be hard-pressed to find anyone who's even seen an OSX virus. Whereas for Windows power-users, cleaning viruses for friends/parents is practically a rite of passage.

OSX is still dramatically safer in terms of your actual risk of a random remote attack. Whether this is economics or superior engineering, or how Windows and OSX stand up to deliberate attackers, I will not pretend to know.

> Viruses are not a fact of life for Mac users.

Neither are trojans, and that is exactly why this trojan has manifested so successfully. Windows users are mostly hardened to the basic threats of the internet (don't open a random exe etc), and are cognizant of the reality that malicious software does target them. Non-technical Mac users have been lulled into a false sense of security that will eventually make them a more vulnerable target than a Windows user (as Win7 and OSX pretty much stand shoulder to shoulder in terms of security).

> OSX is still dramatically safer in terms of your actual risk of a random remote attack.

What is your evidence for this?

I've done ~15 Windows reinstalls in the last few years, and every single one of them was malware masquerading as anti-virus software. OSX's reputation may make Mac users feel invincible, but Windows users' knowledge of their vulnerability opens them to pretty effective scare tactics.

In fact, it hit my house twice, and I'm not exactly incompetent: Win7, Security Essentials, kept on top of Windows Update, no admin privileges for little brother or mom, updated Firefox, etc. The last time, it turned out we were behind on Java updates - it popped up in the systray 5 or 6 times a day for a few months and the few times my dad tried to allow the update, it failed. I didn't know about that until I was in the room while my brother was using the machine and I saw a dialog that looked an awful lot like Windows reminding you to install AV but not quite right. No way anyone else would have noticed that the background gradient was just a bit off. Did a scan... MSE was showing me 20 different Java exploits and "Anti"virus 2012 wouldn't let me open Firefox again outside of safe mode. Not something my parents would be able to deal with when I'm not there; they would have had to pay somebody. Its replacement will be a Mac; they like OSX better anyway.

I worked for a small-business IT firm for 3 summers and have never seen or heard of OSX malware except from the blogosphere/HN/media. We took our clients' security pretty seriously - corporate domains, enforced Automatic Updates, no idiots with local admin, corporate endpoint antivirus, antivirus in the spam filter, Sonicwalls, Firefox wherever possible, etc. Still, we got virus calls pretty frequently. I would usually babysit the reinstalls at a reduced rate, but when I wasn't interning, businesses were shelling out $150/hour for that. To be fair, most were XP, but there were a few virus calls for Win7.

I don't have statistics, but if you're going to claim OSX has fallen as far as Windows in terms of infection rate, I think the burden is on you to show some data. Again, just as many family friends running OSX as Windows; I've had Macs die (my MBP's motherboard gave out right after 4 years), I've had Macs run out of disk space, I've had the PowerPC/Intel switch lose my family a lot of money because perfectly good ~2006 machines can't run a modern OS or Flash/Firefox/iTunes, but I've never seen malware for OSX.

> I've done ~15 Windows reinstalls in the last few years

So what? I've reinstalled Windows three times since Windows 7, and it's never been due to a virus. The last company I worked at was a Windows shop that also had 0 malware problems. Anecdotes are pointless in this discussion.

> I didn't know about that until I was in the room while my brother was using the machine and I saw a dialog that looked an awful lot like Windows reminding you to install AV but not quite right. No way anyone else would have noticed that the background gradient was just a bit off.

Yes, your brother was the victim of a social engineering attack, the exact technique used to infect these Mac users. Windows systems aren't inherently less secure, and every terrible ailment described in your post is the result of voluntary action taken by the user.

> I don't have statistics, but if you're going to claim OSX has fallen as far as Windows in terms of infection rate, I think the burden is on you to show some data.

No. The onus is on you to demonstrate how Windows 7 is inherently less secure than OSX. You're making vague assertions about how Windows is less secure but you haven't given specific examples of why that is true, only anecdotes that anyone can counter (or bolster) with personal experience.

The bottom line is, short of 0-days, both systems are equally secure.

You are constraining your discussion to Windows 7. I am not. XP may have disappeared from the life of a non-corporate programmer, it's still everywhere for me. Hence the impedance mismatch. Most of our shop's customers did not see a business need to upgrade, and acquaintances that can afford to buy new computers while their old ones are still running (however poorly) tend to be Mac users anyway.

>every terrible ailment described in your post is the result of voluntary action taken by the user.

No, it was a remote Java exploit. The dialog was to get you to pay for it after it had already installed.

The point is that despite all this talk about OSX viruses, malware is still not a part of day-to-day life with Macs to anywhere near the extent it is with Windows (when you include XP).

> You are constraining your discussing to Windows 7. I am not. XP may have disappeared from the life of a non-corporate programmer

Well what version of OSX are you using to make your comparison? SP3 to 10.8? Either way, there isn't some nebulous security gap between OSX and Windows, vulnerabilities exist in all systems and a responsible vendor patches them when they're discovered.

Please show me how to remotely compromise an up to date SP3 machine. Yes, there are exploits that exist at points in time, but the same is true of OSX, just google "OSX exploit".

> malware is still not a part of day-to-day life with Macs to anywhere near the extent it is with Windows

All that proves is that there is more malware targeting Windows, it speaks nothing to the inherent security of the system since malware can't install itself.

Your attempts at maintaining blissful ignorance of the probability of attack are very sweet and your final sentence could perhaps hold up as logically holding some water (I'd argue that you, like the poster to whom you are replying, have taken a very narrow view to support your position) ...the fact is that in practice and for the average user your assertion is flat out false.
> every single one of them was malware masquerading as anti-virus software.

I'm curious what you think about Malwarebytes Anti-Malware - this was the only product that was able to clean my father's Win7 PC for Antivirus 2012 (by booting into safe mode with networking and running the cleaner). Paid for the Pro version. A little difficult to get working with the Symantec virus scanner but worth every penny for not having to make the trip to my parents to clean malware since...

If most trojans and viruses are still made for Windows, how can this statement not be true? If you took a random sampling of infected websites or virus emails, the large majority would probably be targeted at Windows.

Actual risk of a _targeted_ attack is a different matter.

> OSX is still dramatically safer in terms of your actual risk of a random remote attack.

It certainly was in the WinXP years due to a far superior security model, but I'm curious if this is still the case with modern windows.

The developer mindset on Windows is still stuck in the 90s, and most of the exploits are due to the laggards who've never taken the user experience for updating very seriously (Adobe, Sun/Oracle, various streaming video players, etc.) or treating security as an optional feature and installing with insecure defaults (see previous list).

Mac culture has been less user-hostile for a long time so Mac apps usually have e.g. automatic updaters (and rarely the crazy login-to-vendor-website-to-download insanity) and lack installers, making it less common to require authentication or slop things around the entire filesystem. This is not perfect but it avoids some of the pathologies which Microsoft (and Chrome) are slowly dragging the Windows community out of.

I've had new Mac users insist that I recommend an antivirus for them. Users who had very safe habits, didn't download basically any software or visit warez sites. They simply - and very sadly IMO - cannot reconcile the idea of a world where AV software is not completely necessary.

They'd only make their computer slower but hey, it's their choice.

Dude, you need to update your mental threat model. These days, there's no such thing as "safe habits" - you're up against drive-by downloads that exploit browser or plugin vulnerabilities and are delivered by all kinds of perfectly normal websites that just happen to be vulnerable to SQL injection.
My cousin, for instance, uses her Mac as a word processor, email reader, Wikipedia reader or DVD player 90% of the time. Works in TextEdit, doesn't download basically anything at all. Does everything basically inside Apple's walled garden. The only "dangerous" thing she did in the past is using MSN for Windows. This could mean automatically receiving payloads and running them by just having an infected contact, because of Microsoft's "wise" defaults. This doesn't happen on Adium. I think she doesn't log in to that network much anymore, now it's all about Jabber (gtalk) and Skype I reckon.

Unless Apple started injecting payloads there's basically no plausible way to get her infected. She doesn't even "browse the net" for the most part, doesn't click on links, doesn't give a f.

There are safe habits. AV companies would like to have you thinking you're always about to have your *nix based system rooted, but this is damn unlikely for most people not using dodgy sites. I fancy my chances to get struck by lightning above her chances of having her system compromised, and I don't get out of my house scared.

Malware creators are going to get more creative and more dangerous now that Windows is better and Macs are more popular. Technical countermeasures can only do so much against a determined mind with a strong incentive.
Windows is now better? What the fuck. You do realize this is a Java exploit, and that recent versions of OS X don't even ship with Java. And on top of that this "malware" asks the user for their admin password to install itself. And on top of that if you have dev tools or any of the popular system monitoring utilities it gives up!

Contrast that with typical Windows situation where no user cooperation is required to get infected.

Cool down, turbo, he's saying that Windows has improved from what it was in previous versions, not that Windows is better than OS X (the horror!)
He's also edited his post to make it less ambiguous.
I don't recall it being more ambiguous at any point, but my brain is bad at keeping revisions. Even if you're right, it doesn't excuse the tone.
Drop the hostility and reread what I said. I didn't say "Windows is now better than Macs."
>> Viruses are not a fact of life for Mac users. Talk to anyone who uses or services Macs; you'll be hard-pressed to find anyone who's even seen an OSX virus. Whereas for Windows power-users, cleaning viruses for friends/parents is practically a rite of passage.

That's because the market share of Mac is so small that no smart virus developer would even bother wasting their time creating one.

On the other hand, create a powerful virus for Windows and the next day you're on CNN.

These days I think you'd be much MORE likely to get press coverage for a virus that targets OS X than for one that targets Windows.
Didn't Apple use to claim that Macs didn't get viruses? I can't remember. (This would be at least several years ago, when Mac malware was still fully theoretical.) It's possible they never stated it directly, and the phrase was spread by fans.

To be fair, their slogan is currently "Macs don't get PC viruses" [1]. Which is true. Although, devilishly close enough to blur the two in somebody's mind.

[1] http://www.apple.com/why-mac/better-os/

Whoa, no kidding. The majority of people are not going to stop on those two letters and consciously differentiate "virus" from "PC virus."
"A Mac isn’t susceptible to the thousands of viruses plaguing Windows-based computers."

Pretty clear.

It's not at all clear. It's deliberately ambiguous. If they wanted it to be clear they would have said "Macs are only susceptible to a fraction of the number of viruses plaguing Windows-based computers."
Clear? One possible interpretation of just that statement alone could easily give the impression that viruses in general are therefore not an issue for Macs.
There are two possible ways to interpret this:

1. "A Mac is susceptible to viruses. But it is not susceptible to viruses plaguing Windows-based computers."

2. "A Mac isn’t susceptible to viruses, whereas a Windows-based computer is susceptible to thousands of viruses."

The fact that you still get viruses, but they just don't happen to be the same viruses, isn't worth stating. So as a customer, it is very unlikely that I would infer the former (Meaning 1) from the statement. Yet it is what is meant.

I would personally call this misleading (and dangerously close to lying).

No, it's not clear. It implies that the Mac can't get any viruses.
No. If they didn't qualify it with "PC" it would have that implication. By qualifying it, they make it unambiguous.
They're implying that only PCs have viruses.
Next sentence: "That’s thanks to built-in defenses in Mac OS X that keep you safe, without any work on your part."

I guess they should be "thanking" the general incompatibility with Windows binaries.

Given that macs are PCs, being personal computers, it's not true that macs don't get PC viruses.
I believe "PC" has historically meant (or often been used to imply) "IBM PC compatible" (http://en.wikipedia.org/wiki/IBM_PC_compatible) which Apple/Mac was not, until they switched to x86.
The problem is that viruses don't relate to the architecture - otherwise linux and *bsd (on the x86 platform) would have also been windows-like with their malware.

I know I'm playing semantic games here, but so is Apple with this slogan :)

In the context of Apple's "Mac vs PC" campaign, does anyone seriously have doubt about what they mean by a PC?
> I know I'm playing semantic games here, but so is Apple with this slogan :)

In the general public's eyes Macs are computers, so yes they are PCs. In the Appleland, "PC" is synonymous with "Microsoft Windows", and hence Apple Macs aren't PCs.

I had a long time Apple user ask me if I had a Mac or PC. I was using Ubuntu Linux at the time, so I said PC :P

You should have just said, "Linux". Mac users make this distinction because they constantly need to inform I.T. managers that they are not using a Microsoft Windows OS. Originally, this meant an IBM-PC or an IBM-PC compatible computer, but it was a whole lot easier to just say "PC". I'm sure Linux users also need to explain to their network admins that they're running Linux.

The term "PC" persists not just for historical reasons, but because it's hard to come up with a replacement term. A "Mac" refers both to hardware and the OS, whereas a "PC" means "Windows OS running on Windows-compatible computer". I suppose we could replace the term "PC" with "WOS-ROWCC".

I was going to post the exact same thing, but spent the last five minutes searching site:apple.com virus for a direct quote. Seems they've changed their lingo as I definitely remember (around the time of the whole mac vs pc campaign) a definite statement about not getting viruses at all.
Maybe this ( https://www.youtube.com/watch?v=GQb_Q8WRL_g ) (MAC v. PC advertisement on viruses) is what you were thinking of?
For even the most generous interpretations of "several", Mac viruses were not merely theoretical several years ago.
The interesting part is that I still haven't seen one traditional "virus" — even this thing appears to still be just social engineering users to install it, by pretending to be Flash Player. I can't imagine it's that much more difficult to actually find an OS X vulnerability to propagate with, but I still haven't seen any.

Edit: It appears this uses a Java vulnerability, rather than the fake-Flash Player-installer that it was originally reported using (possibly an older variation of the same malware). So that's no longer accurate!

And almost no Windows "malware" in the last decade has been a traditional "virus" either. Trojans, social engineering, all so much easier.
I disagree. Visiting a malicious website or opening an email that exploits a vulnerability in your os or software is very common.
Citation? The last thing along those lines I'd heard of was the PNG(?) exploit.
Well, for one, the Java vulnerability discussed in linked article is actively being exploited on Windows to install that obnoxious fake "Antivirus 2012" malware.
And those are not viruses unless they self-replicate.
I would consider the series of Sasser and Bagle worms during 2004 to be a traditional virus.
Exploit kits are big these days!
> The interesting part is that I still haven't seen one traditional "virus"

Originally, when it was just us geeks using computers, 'virus', 'malware', 'trojan', etc. were different terms for different things.

Nowadays, 'virus' is used by the general public & media to refer to any sort of bad programme that should be removed.

Doesn't it use a Java exploit?

From the article:

>..the most recent variant from earlier this week targeted an unpatched Java vulnerability within Mac OS X. That is, it was unpatched (at the time) by Apple—Oracle had released a fix for the vulnerability in February of this year, but Apple didn't send out a fix until earlier this week, after news began to spread about the latest Flashback variant.

>..the malware installs itself after you visit a compromised or malicious webpage, so if you're on the Internet, you're potentially at risk.

Where is the social engineering part?

Well, it does have to get the user's permission to install it first...

From the F-Secure site: http://www.f-secure.com/v-descs/trojan-downloader_osx_flashb...

On execution, the malware will prompt the unsuspecting user for the administrator password. Whether or not the user inputs the administrator password, the malware will attempt to infect the system, though entering the password will affect how the infection is done.

If infection is successful, the malware will modify the contents of certain webpages displayed by web browsers; the specific webpages targeted and changes made are determined based on configuration information retrieved by the malware from a remote server.

Did you even read the page you linked or the text you pasted?

It specifically states that the malware will infect the machine even if the user does not give permission.

Well, I feel stupid. I just skimmed it after going through the detection steps. I missed the part where it installs itself to a different location if it doesn't get the user's password.
Well this had to happen at some point. Though it has a small marketshare and is based on unix, given the kind of demographic that uses a mac, (richer, more connected, etc) it is very lucrative for trojans to infect a mac and steal personal information, identity. It's unfortunate that people have this misunderstanding that macs don't get viruses and are actually not careful when using a mac.
I don't think small market share was ever really a reason that Mac OS X didn't get traditional viruses. UNIX-based servers have always had a huge market share, and since servers are presumably a more desirable target of infection and cracking than home computers are, we would have seen traditional viruses hit UNIX machines a long time ago if it were realistically doable. Also, before Mac OS X became as popular as it is now, there were lots of Windows users who hated Apple fanboys and would have loved to write a wide-spread virus that targeted Mac OS X if possible. But it seems like Windows, especially pre-NT and pre-Vista and pre-7, but even now, has a unique vulnerability to traditional viruses. Obviously, Mac OS X can still get hit by trojans if people use intelligent social engineering, but I feel it's still not too much of a semantic exaggeration to say "Macs don't get viruses."
There are a lot more Windows desktops than UNIX servers. Just picture that every UNIX server is on average serving more than one Windows machine.

Also, it is way easier to attack a desktop than a server. Desktop users are more careless than server admins and have many more different applications malware can use to gain access: im apps, browsers, media players, pdf viewers, flash runtimes, etc. To attack a server you have to find an exploit using an http, ftp or ssh request to a limited and more secure, in general, set of programs.

Apple is growing very fast and it is finding itself in that position now. You can see that in the new security measures of the Mac App Store. By limiting what apps itself can do you limit what malware gaining access to those apps can do. Maybe Microsoft should have done something similar to prevent Windows from being the virus hub.

This virus spreads from visiting malicious websites or websites with malicious ads. Since not much browsing happens on servers, there is no reason to target them.

> Also, before Mac OS X became as popular as it is now, there were lots of Windows users who hated Apple fanboys and would have loved to write a wide-spread virus that targeted Mac OS X if possible

What? Does that mean that some Windows viruses were written by Mac fanboys to make Windows look bad?

> But it seems like Windows, especially pre-NT and pre-Vista and pre-7, but even now, has a unique vulnerability to traditional viruses

How? Can you explain what you mean by Windows having a unique vulnerability that is not present on a Mac?

> Obviously, Mac OS X can still get hit by trojans if people use intelligent social engineering,

Again, this is a drive by exploit from a web page, not social engineering. Why is this so hard to grasp?

> This virus spreads from visiting malicious websites or websites with malicious ads. Since not much browsing happens on servers, there is no reason to target them.

Servers have a lot more information (thousands of credit cards, email addresses, passwords, etc.) than desktops. Criminals who seek personal gain rather than just mayhem would target servers.

> Does that mean that some Windows viruses were written by Mac fanboys to make Windows look bad?

No. To use sociological terms, Windows was the dominant group, Mac OS X the subordinate. When Mac OS X was starting to come into vogue in the first half of the 2000s, there were many fanboys that kept bragging about how their computers were infinitely better than "PCs", and everyone who grew up in the 90s and 2000s has surely had conversations with Windows users, often gamers or early /b/ users, who had almost a religious vitriolic hatred towards every aspect of Apple--Mac OS X, Mac computers, fanboys, "one-button mice", etc. Now that Mac OS X is accepted as a well designed OS, those fanboys and that hatred seem to be much less visible, although now lots of people dislike Apple for becoming the new Microsoft with regards to patent lawsuits, but I digress. The point is that whenever such vitriol exists, there are people dying to prove that they're right, in this case that Mac OS X wasn't immune to viruses like the "mactards" (that's one of the terms they called Apple fanboys) claimed. Did you really not witness this phenomenon of hatred in the early 2000s?

> How? Can you explain what you mean by Windows having a unique vulnerability that is not present on a Mac?

Mac OS X is essentially the Aqua window system atop Darwin, the OS's underlying system that descends from FreeBSD. As a form of UNIX, it does not give non-root users direct kernel access. Windows doesn't have this very logical restriction, and more and more ways are discovered to exploit this. Windows Vista and 7 have tried to mend this flawed infrastructure by asking users to explicitly authorize everything, but we all know how that's worked out.

> Again, this is a drive by exploit from a web page, not social engineering.

Escalation was allowed from the JRE vulnerability, but it was my understanding that initial authorization had to be given to run it. Edit: I just reread the article and it appears that this was a self-installing trojan. If that's the case, that certainly shows that vulnerabilities that allow self-installation as opposed to just privilege escalation do show up in Mac OS X from time to time, but from my limited experience, the main way to make use of trojans targeting Mac OS X is to use social engineering to install them (e.g. take advantage of the fact that Finder hides file extensions by default, and then change an executable's icon to that of an image, and then preserve the metadata in an archive) and then take advantage of a security vulnerability that allows privilege escalation. Such vulnerabilities are incredibly rare in Mac OS X since unlike Windows, kernel space is isolated from users.

> Such vulnerabilities are incredibly rare in Mac OS X since unlike Windows, kernel space is isolated from users.

That's just flat wrong and hasn't been true for an OS Microsoft has supported for mainstream use since 2003 [1]. Windows XP and all current Windows releases are based on the protected NT kernel which debuted in 1993 (with Windows NT 3.1). In fact, Microsoft and Apple stopped shipping OSes with unprotected kernels in the same year (2001) with Windows XP and OS X "Cheetah", respectively.

Look, Microsoft has made a lot of mistakes with respect to security (bad defaults, running as Administrator too often, too many low-level bugs, ...). Since OS X, Apple has had a much better security track record. That's why it is so frustrating to see people criticize Microsoft for mistakes they fixed a long time ago instead of focusing on current (or at least recent) issues.

[1] When Microsoft downgraded Windows 98/98SE/ME to paid support and critical security fixes only: http://support.microsoft.com/gp/lifean18

That can't be true. If NT-based versions of Windows implemented a system call mechanism that protected the kernel from users, XP wouldn't have been ridden with viruses, and there would have been no purpose in giving Vista and 7 the access control mechanism to warn users of potentially harmful system calls. By the way, Cheetah just refers to the original Mac OS X. Your phrasing "stopped shipping OSes with unprotected kernels ... [starting with] Cheetah" makes it sound like Mac OS X initially didn't have this protection, which is not the case.
First, Cheetah wasn't the first Mac OS X. There was Mac OS X Server 1.0 in 1999 (see: Wikipedia). Cheetah was the first desktop-oriented version of Mac OS X.

Second, I didn't imply that prior versions of Mac OS X didn't have kernel protection, I implied that prior versions of Mac OS didn't have kernel protection. This is indisputably true (see: Mac OS 9). Personally, I find Windows / Mac OS parallel surprisingly close here: Windows ME is to Windows XP as Mac OS 9 is to Mac OS X Cheetah.

Third, UAC (User Account Control), the access control introduced with Windows Vista, is almost entirely unrelated to kernel protection (except that UAC would probably be pointless without it). The problem UAC tries to solve is "users running as an administrator too often", not "the kernel isn't protected from user programs". In other words, it is Windows' answer to sudo, not a fundamental change to the Windows kernel.