The hardest part of talking about computer security is getting everyone to agree on the nature of the problem. It’s especially frustrating when you’re trying to weigh the pros and cons of different strategies with someone whose view of the PC security landscape is outdated and inaccurate.
Case in point: What’s the best way to deal with malicious software on PCs and Macs?
You can’t answer that question—you can’t even start talking about it—until you know how malware gets installed in the first place. And that’s where the disconnect begins.
Judging from the reactions to my recent posts on OS X and malware, the Mac community has a pretty consistent collective understanding of how computer security works. Their worldview is based on opinions that might have been close to the mark in 2004 or 2005 but are just plain wrong in 2011.
They think, incorrectly, that Windows is inherently insecure. They assume, with no support, that large numbers of PC users are infected every year just by visiting websites or opening e-mails. And they believe, sincerely but also incorrectly, that OS X is inherently secure and that they are basically immune as long as they avoid doing stupid things.
Here’s the reality, for PCs and Macs:
- The traditional labels for malware categories—viruses, worms, Trojans, and so on—aren’t nearly as meaningful as they were 10 years ago.
- If you install security updates regularly, your risk of being affected by a drive-by download is virtually zero.
- A very small number of malware families account for virtually all malware infections.
- The overwhelming majority of malware is installed by the victim, who is fooled by social engineering.
Much of the discussion I read comes down to shorthand, like this: “There's malware [on Macs], yes. No viruses though.”
Mac Defender is NOT a virus. ... Mac OS X has ALWAYS been free of viruses... as opposed to Windows which has hundreds of thousands of viruses and new ones coming each day.
Indeed, that obsession with the word virus is a recurring theme in Apple’s support forums. Search for the phrase “there are no viruses” at discussions.apple.com and you’ll find plenty of examples, like this one from January 2011:
There are no viruses that run on OSX. None. Zip. Zero.
There is some "malware," such as Trojans, for Macs, though. But (unlike viruses that can get onto your system without your knowledge), you must approve their installation (via your Admin password) and/or operation (via the "This application was downloaded from the internet ..." prompt).
Sorry, but that’s not true. The Mac Defender gang already proved they can sidestep the requirement to enter an Administrator password. They already convinced tens of thousands of victims to install a small program that then downloads and installs additional malware without any user interaction. And it’s just a matter of time and financial motivation before they begin whacking at vulnerabilities in OS X.
And categories don’t matter. These days, actual viruses are almost unheard of. Melissa, back in the late 1990s, was a real virus, the kind that copied itself into documents and spread via e-mail. Today, security professionals are more interested in what a particular family of malicious code does. The delivery mechanism is usually a separate matter.
If this were simply a matter of semantics, I would let it slide. But it’s not. The obsession with these technical labels reflects a dangerously outdated view of computer security. If you can’t see past those labels and get an accurate view of the current threat landscape, you won’t be able to make smart, informed decisions for yourself or for others.
Or, put another way: We can’t even have a discussion if one side thinks the world is flat and the other thinks it’s round.
So let me give you the lay of the security landscape that PCs and Macs share in 2011, starting with how malware gets on PCs and Macs in the first place.