Around the beginning of May, malware targeting the Mac OS X platform hit the web. By the end of June, the bad guys behind the attack seemingly called it a day and the Mac Defender malware (and variants on the original) vanished from the web.
So how did Apple choose to deal with this emerging threat? Simple - it released silent updates to counter each of the variants. And overall it seems like the plan worked. But was this the best way of dealing with a malware attack?
The Mac Defender attack was one that will be familiar to most Windows power users - victims are redirected to a web page made to look like an OS screen which goes on to inform them that their system is infected with malware and that they should download a solution - problem is, the 'solution' offered isn't actually a solution but instead a scam program that asks for money to remove non-existent malware. The attack relies on startling users into downloading and then installing malware onto their own machines - clever, but not all that sophisticated.
Now, I'm not saying that Mac owners don't need antivirus (I think they do - it's a small price to pay for peace of mind), and I'm not saying that Mac Defender wasn't a good proof of concept that proved that Mac users were just as vulnerable to social engineering as Windows users are (it was). But it seems that Apple's tactic of blocking malware within the OS with updates was a pretty successful maneuver. Sure, it seemed somewhat kludgy, and it was taking Apple too long to counter the variants with updates, but Apple's new to this anti-malware game. And without a doubt Apple will have learnt a number of valuable lessons when dealing with this malware attack that it can carry forward to future attacks.
And there will undoubtedly be future attacks.
It's also important to put the attack into context. While it is likely that several thousand people were hit, in the overall scheme of things, it was a small attack (despite the headline hyperventilation that you might have come across).
Note: Credit also has to be given to Google for dealing with the poisoned search results that were being used to herd victims (both Windows and Mac users) to malware booby-trapped websites.
How will Apple respond to a future attack? We don't know. Personally, I think that Apple would benefit from acquiring a security firm, but a company sitting on a $76 billion cash pile isn't exactly going to be limited in options. I don't think that Apple will make a big deal of security threats (because, rightly or wrongly, that's not how Apple does things).
However, there are problems with Apple's current approach to security.
- The File Quarantine system only applies to the Safari browser. So if you're using another browser, you're not protected. Does Apple plan to extend protection to folks using other browsers?
- The File Quarantine system still allows users to easily open bad files. Bug or feature?
- Apple is only offering protection for Mac OS X v10.6.7/Mac OS X Server v10.6.7 or later. If you're on an earlier version, tough. Will this change? How long will Apple offer patches for existing operating systems?
- A tit-for-tat war of attrition with the bad guys might have worked while Apple was fighting one bad guy, but how will that scale up if Apple has to fend off multiple attacks?
As someone who uses a Mac, I wouldn't mind getting answers to some of these questions.