
Thread: Viruses on OS X

  1. #25
    Tetano is offline Registered User
    Join Date
    May 2004
    Location
    Italy
    Posts
    355
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Creating a virus isn't impossible... at the moment it's easier for Windows because of the on-line presence of virus-building tools which provide the necessary code for every virus part... recently I haven't read of any new vulnerability in OS X, but, for example, the latest update for iTunes was released to fix a potential security hole, with an exploit available on-line
    iBook G3 800 MHz
    384 MB SDRAM
    Tiger
    4G iPod, 20 GB

  2. #26
    Andrew Adamson is offline Got root? Sudoes.
    Join Date
    Mar 2005
    Location
    Osaka, Japan
    Posts
    97
    Thanks
    0
    Thanked 1 Time in 1 Post
    I realize there is a huge difference between a virus/trojans/worms that target the OS and those that target specific applications and services, but the vast majority of users don't care about what kind of virus they have once they realize their MP3s have all been overwritten or that their hard drive has become an FTP drop box for pr0n. They will undoubtedly blame the operating system since the virus doesn't affect Windows. Given the huge range of 'web enabled' applications running on the Mac, I see a day soon when 'OS X viruses' do start to appear. The obvious efforts of Apple to simplify the firewalling process give me little confidence, given that I have yet to see one outgoing request get stopped by it.

    For example, on my own Mac, I have PHP 4.3.10 installed and running -- in fact it was running from the day I bought this machine (along with Perl and Python, and probably several other scripting languages I don't use or care about). If you are a budding programmer, this is amazing since it means you don't have to compile or install a thing. But this version of PHP still has 'multiple vulnerabilities' according to Secunia.org. As a PHP programmer, I know the risks are tiny, since I do all of my own coding and I don't use my box to serve anything to the web. But I can imagine lots of other users loading all sorts of self-installing web applications onto their boxes without the slightest awareness that they are exposing their machines to danger. Load on PHPNuke or some other OSS content management system, you have added another layer of vulnerabilities. Add some extension and you are down another layer.

    As for OS X's 'inherently stronger' permissions... Every week I read more about Linux exploits that 'escalate permissions' or install 'rootkits', phrases I had never heard of before I moved to Unix. "Stronger" is not "impervious". Yes, Windows is a much bigger target. Yes, it is significantly easier to attack. And, yes, it takes little more than a cut and a paste to build a virus that can take down a few thousand Windows machines. But I am willing to wager there are a few serious crackers out there working on breaking your Mac right now, just for the credit of being able to say, 'I was the first.'

    Don't get me wrong. I left Windows specifically because of Microsoft's half-baked approach to security (the GDIPlus.dll vulnerability was the straw that broke my camel's back). I feel immeasurably happier and safer with the Mac. But to suggest even for a moment that OS X is 'safe' in any concrete sense is to speak words that will surely come back to haunt you.

  3. The Following User Says Thank You to Andrew Adamson For This Useful Post:

    doubledream (April 5th, 2010)

  4. #27
    ex2bot is offline Registered Bot
    Join Date
    Apr 2002
    Location
    live?
    Posts
    1,538
    Thanks
    2
    Thanked 35 Times in 34 Posts
    I don't believe it is safe, only safer. Nor do I believe it is completely secure, only more secure.

    As for protecting Windows users from a virus, I don't forward attachments. I understand that viruses could be spread via email in ways other than as an attachment. But that's what _their_ virus checkers are for, right?

    Doug
    Please click THANKS if you found this information useful.
    Ex2bot is a Mac-based automated software bot. Any similarity to Skynet is coincidence. Do not be alarmed.

  5. #28
    TommyWillB is offline Registered User
    Join Date
    Mar 2001
    Location
    ol' Gay San Francisco
    Posts
    2,025
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by Andrew Adamson
    ...For example, on my own Mac, I have PHP 4.3.10 installed and running -- in fact it was running from the day I bought this machine (along with Perl and Python, and probably several other scripting languages I don't use or care about)...
    That's not true.

    OSX does not ship with Apache/PHP running!

    If it was running "from the day (you) bought" it, that's because YOU turned it ON while exploring your new machine!

    Besides, it's pretty d#*n hard to exploit PHP if you don't actually have PHP scripts in your docroot... And Apple absolutely does not ship OS X with any PHP scripts active.
    TommyWillB
    27" iMac Intel Core i5
    TommyWillB.com hosted on Mac OS X 10.6.x / Apache 2.2.x / PHP 5.x

  6. #29
    Andrew Adamson is offline Got root? Sudoes.
    Join Date
    Mar 2005
    Location
    Osaka, Japan
    Posts
    97
    Thanks
    0
    Thanked 1 Time in 1 Post
    Quote Originally Posted by TommyWillB
    That's not true.

    OSX does not ship with Apache/PHP running!

    If it was running "from the day (you) bought" it, that's because YOU turned it ON while exploring your new machine!

    Besides, it's pretty d#*n hard to exploit PHP if you don't actually have PHP scripts in your docroot... And Apple absolutely does not ship OS X with any PHP scripts active.
    Excuse me. Did I say Apache? Go to the command prompt and type 'php', you get PHP. I sure do. That is what I am talking about.

    My specific issue with PHP (and Perl, Python, &c) is this. First, I am not that concerned that some anonymous cracker can connect to the user's machine to do nefarious things in PHP because at the moment I don't think they can (at least not without the user's help). The firewall seems to me to be pretty solid and will stop inbound anonymous traffic, and without Apache running as a service, there is no easy way to contact PHP from the outside world -- without my help. Fine. We're on the same page on this one. My first problem is that they have installed an extremely powerful, scriptable language that has documented vulnerabilities, including techniques (certainly in Linux) to ESCALATE permissions to root, and which the VAST majority of users aren't aware of and won't use (you can argue for leaving Python installed because a lot of installers are written in it, but PHP???). The second is that they, at least at present, do not seem to be offering any patches to bring it up to the present release through the automatic update process. The third is that the firewall does not appear to stop OUTbound traffic of any kind, and does not alert the users to any new traffic patterns AND (from what I can see) does not stop inbound responses to that traffic. Install BitTorrent, it works just fine without tuning the firewall. Install a PHP Spambot, it works just fine too, I reckon.

    So, again, my worries are 1) known vulnerabilities, 2) no automatic patching to current builds, 3) no way to warn users of new processes or stop outbound traffic.

  7. #30
    Satcomer is online now In Geostationary Orbit
    Join Date
    Jul 2002
    Location
    Northern Virginia
    Posts
    8,880
    Thanks
    54
    Thanked 385 Times in 369 Posts
    Quote Originally Posted by Andrew Adamson
    So, again, my worries are 1) known vulnerabilities, 2) no automatic patching to current builds, 3) no way to warn users of new processes or stop outbound traffic.
    1) I know the Mac probably has some kind of vulnerability. Please show us ANY computer (especially one that connects to a network) that doesn't have any vulnerability. It is an arms race between the makers of software/hardware and the ones trying to break codes.

    2) There is a way to track most all outbound traffic (and you WILL BE surprised) called Little Snitch. It will notify you of most all outgoing traffic.
    Mac Pro Dual 2.8 Quad (2nd gen), 14G Ram, Two DVD-RW Drives, OS X 10.8.3
    2006 Mac Book Pro 2.16 (first Gen) OS X 10.7.4
    2TB Time Capsule, 2 TB
    32G iPhone 4S Black, iPad (3rd Gen) 32G Black
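
Added example, not part of any poster's message: the outbound-traffic visibility discussed in posts #29 and #30, sketched as a Python parser over `lsof -nP -iTCP` output that separates connections a process initiated from ones it accepted, and marks those made by the scripting runtimes named in the thread. The sample text, the `INTERPRETERS` set and the function names are constructed for illustration; this is not how Little Snitch works.

```python
import ipaddress

# Scripting runtimes named in the thread (assumption: extend as needed).
INTERPRETERS = ("php", "perl", "python")

# Constructed sample of `lsof -nP -iTCP` output, not captured from a real host.
SAMPLE = """\
COMMAND   PID   USER   FD  TYPE DEVICE SIZE/OFF NODE NAME
httpd     611   root   4u  IPv4 0x1a      0t0  TCP *:80 (LISTEN)
httpd     611   root   9u  IPv4 0x1b      0t0  TCP 192.168.1.20:80->198.51.100.7:51512 (ESTABLISHED)
Safari    902   andrew 12u IPv4 0x1c      0t0  TCP 192.168.1.20:49790->203.0.113.80:443 (ESTABLISHED)
php       4312  andrew 5u  IPv4 0x1d      0t0  TCP 192.168.1.20:49822->203.0.113.25:25 (ESTABLISHED)
python    4400  andrew 3u  IPv4 0x1e      0t0  TCP 127.0.0.1:49901->127.0.0.1:8000 (ESTABLISHED)
"""

def split_endpoint(endpoint):
    """Split 'host:port' (or '[v6]:port') into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port

def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:          # e.g. scoped IPv6 address; treat as remote
        return False

def outbound_connections(lsof_text):
    """Return established TCP connections that the local process initiated."""
    rows = [r for r in (l.split() for l in lsof_text.splitlines()[1:]) if len(r) >= 10]
    # (pid, port) pairs the process itself listens on: traffic on these is inbound.
    listening = {(r[1], split_endpoint(r[8])[1]) for r in rows if r[9] == "(LISTEN)"}
    found = []
    for r in rows:
        if r[9] != "(ESTABLISHED)" or "->" not in r[8]:
            continue
        local, remote = r[8].split("->")
        rhost, rport = split_endpoint(remote)
        if (r[1], split_endpoint(local)[1]) in listening or is_loopback(rhost):
            continue            # accepted inbound, or purely local traffic
        found.append({"command": r[0], "pid": int(r[1]), "user": r[2],
                      "remote": f"{rhost}:{rport}",
                      "interpreter": r[0].lower().startswith(INTERPRETERS)})
    return found

if __name__ == "__main__":
    for c in outbound_connections(SAMPLE):
        flag = "REVIEW" if c["interpreter"] else "ok"
        print(f'{flag:6} {c["command"]}({c["pid"]}) as {c["user"]} -> {c["remote"]}')
```
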

  8. #31
    TommyWillB is offline Registered User
    Join Date
    Mar 2001
    Location
    ol' Gay San Francisco
    Posts
    2,025
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by Andrew Adamson
    Excuse me. Did I say Apache? Go to the command prompt and type 'php', you get PHP. I sure do. That is what I am talking about...
    Okay... I understand your point about PHP command line (Apple did not originally have that enabled) vs. over HTTP, but I'm still confused as to why this is such a big concern.

    You yourself admit:
    Quote Originally Posted by Andrew Adamson
    ...I am not that concerned that some anonymous cracker can connect to the user's machine to do nefarious things in PHP because at the moment I don't think they can (at least not without the user's help). The firewall seems to me to be pretty solid and will stop inbound anonymous traffic, and without Apache running as a service, there is no easy way to contact PHP from the outside world
    So if you are worried about novice users, what's the issue... It's not like they are going to install some PHP script that does all of the network connection issues you talk about.

    If you're advanced enough to do things like that, then you're responsible for proceeding at your own risk. Nothing Apple can do about that.


    Regarding the patching, Apple has done several updates to PHP... They don't do them as fast as they are released, but a hell of a lot faster than other OS's are updated.
    TommyWillB
    27" iMac Intel Core i5
    TommyWillB.com hosted on Mac OS X 10.6.x / Apache 2.2.x / PHP 5.x

  9. #32
    TommyWillB is offline Registered User
    Join Date
    Mar 2001
    Location
    ol' Gay San Francisco
    Posts
    2,025
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by Satcomer
    ...2) There is a way to track most all outbound traffic (and you WILL BE surprised) called Little Snitch. It will notify you of most all outgoing traffic.
    I agree. Little Snitch is great.

    I use it. I love it. I too would like to see Apple add something like it to the base OS X install.
    TommyWillB
    27" iMac Intel Core i5
    TommyWillB.com hosted on Mac OS X 10.6.x / Apache 2.2.x / PHP 5.x

 

 
