(11/29/13) Hack attempts are extra common in the year-end season. Many people are getting forged mail or text messages, ostensibly from Google, saying "your mail has been hacked." Forged messages from UPS, banks, etc with ZIP attachments containing virus droppers are also spreading: I get a few a week. Don't open ZIP attachments unless you are sure they are not forged; scan such files for virus before using.
(08/06/13) There are new phishing scam emails: one that says "your account has been suspended" and appears to come from Apple, and one that appears to be a connection request on LinkedIn. Don't Click Links In Email unless you are sure they are not forged.
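As an added example (not code from the original page), here is a small Python script that triages a ZIP attachment without extracting it, flagging the kinds of members that virus droppers in forged UPS or bank mail tend to carry: executables and installers, an executable inside an application bundle, and double extensions such as a ".pdf.exe". The sample archive is constructed in memory; the extension lists are this example's own assumptions and are not exhaustive.

```python
import io
import zipfile

# Member extensions that run code when opened (this example's own list, not exhaustive).
EXECUTABLE_EXTS = {
    ".app", ".pkg", ".dmg", ".command", ".sh", ".scpt", ".jar",
    ".exe", ".scr", ".bat", ".cmd", ".vbs", ".js",
}
# Extensions people expect to be harmless documents.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
# Mach-O magic numbers (32/64-bit, both byte orders) plus the fat-binary/Java class magic.
CODE_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe",
}


def _suffixes(member_name):
    """Return the dotted suffixes of a member's base name, e.g. ['.pdf', '.exe']."""
    base = member_name.rsplit("/", 1)[-1].lower()
    return ["." + part for part in base.split(".")[1:]]


def triage_zip(data):
    """Inspect ZIP bytes and return (member_name, reason) pairs worth refusing to open."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            sufs = _suffixes(name)
            last = sufs[-1] if sufs else ""
            if last in EXECUTABLE_EXTS:
                findings.append((name, "executable or installer extension " + last))
            if len(sufs) >= 2 and sufs[-2] in DOCUMENT_EXTS and last not in DOCUMENT_EXTS:
                findings.append((name, "double extension disguises a program as a document"))
            if "/Contents/MacOS/" in name:
                findings.append((name, "executable inside an application bundle"))
            # Read only the first four bytes, straight from the archive: nothing is extracted.
            with zf.open(info) as fh:
                head = fh.read(4)
            if head in CODE_MAGICS:
                findings.append((name, "Mach-O or Java class header"))
            elif head[:2] == b"MZ":
                findings.append((name, "Windows PE header"))
    return findings


def build_sample(malicious=True):
    """Construct a sample archive in memory, shaped like a forged 'invoice' attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "Thank you for your order.")
        if malicious:
            # Constructed stand-ins: a PE header and a 64-bit Mach-O header followed by zeros.
            zf.writestr("Invoice_2013.pdf.exe", b"MZ" + b"\x00" * 62)
            zf.writestr("Update.app/Contents/MacOS/Update", b"\xcf\xfa\xed\xfe" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in triage_zip(build_sample()):
        print(f"REFUSE {member}: {reason}")
```

The point of reading the header bytes from inside the archive is that nothing is written to disk, so nothing is double-clicked by accident; a scanner such as the ones discussed later on this page does the same kind of inspection with far larger definition lists.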
Criminals are working hard to get you to run their programs on your Mac. If you click on a link in a malicious e-mail or view a web page that contains an attack, your computer can be infected with malware. This can cost you money and time, get you in trouble with friends and the law, steal your identity, or mess up your computer.
If Facebook, or any web page, says you should install a Flash upgrade or a Video Codec, DON'T CLICK IT. Don't Install "Mac Defender", or similar fake anti-virus scareware.
See "Known Mac Malware" below.
Here is a nice page on malware: Mac Malware Guide: Am I Infected?
Also, please read the page on Loss Protection.
Almost all malware out there is not actually viruses but Trojan Horses. That is, the threats are programs that trick YOU into typing your admin password and installing them. For example, if you get a mail message that says "From: Microsoft" and has a link to click that will update Microsoft Word, DON'T. Similarly for mail that appears to be from PayPal, EBay, or your bank. (Mail senders can be forged. Links in mail may not go where you think.) If you're browsing a web page and you get a popup window that wants you to update your Flash player, DON'T. (There are multiple fake updaters for Flash, some spread via Facebook.) There are current attacks on Macs that do these things.
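Two of the points just made, that mail senders can be forged and that links in mail may not go where you think, can be checked mechanically. The following Python script is an added example, not code from the original page: it parses a constructed "account suspended" message with the standard library and reports a From domain that differs from the bounce (Return-Path) domain, anchor text that shows one host while the link goes to another, and links that are plain http. All addresses and hostnames in the samples are made up.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample shaped like the "account suspended" mail mentioned above.
# Hostnames are made up; example.net is a reserved documentation name.
FORGED_SAMPLE = """\
Return-Path: <bounce@mail-blast.example.net>
From: PayPal <service@paypal.com>
To: you@example.com
Subject: Your account has been suspended
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Please visit <a href="http://paypal.com.login-verify.example.net/">
www.paypal.com</a> within 24 hours to restore access.</p></body></html>
"""

# Constructed ordinary message for contrast: sender and bounce domains agree,
# the visible link text matches the real destination, and the link is https.
CLEAN_SAMPLE = """\
Return-Path: <bounce@example.com>
From: Alice <alice@example.com>
To: you@example.com
Subject: Notes from the meeting
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Notes are on <a href="https://wiki.example.com/notes">wiki.example.com</a>.</p></body></html>
"""


def _domain(header_value):
    """Domain part of the first address in a header, lowercased ('' if none)."""
    addr = parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host(url):
    """Hostname of a URL, lowercased, or '' if it cannot be parsed."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_message(raw):
    """Return a list of human-readable warnings about a raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    warnings = []
    from_dom = _domain(msg["From"] or "")
    bounce_dom = _domain(msg["Return-Path"] or "")
    # The visible From: line is trivially forged; forgers often do not bother
    # to make the bounce address match it.
    if bounce_dom and bounce_dom != from_dom:
        warnings.append(f"From says {from_dom} but bounces go to {bounce_dom}")
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is None:
        return warnings
    collector = _LinkCollector()
    collector.feed(body.get_content())
    for href, text in collector.links:
        real_host = _host(href)
        # If the anchor text looks like a web address, compare it with the real destination.
        shown_host = _host(text if "://" in text else "http://" + text)
        if "." in shown_host and shown_host != real_host and not real_host.endswith("." + shown_host):
            warnings.append(f"link text shows {shown_host} but goes to {real_host}")
        if urlparse(href).scheme == "http":
            warnings.append(f"unencrypted http link to {real_host}")
    return warnings


if __name__ == "__main__":
    for line in check_message(FORGED_SAMPLE):
        print("WARNING:", line)
```

The Return-Path comparison is a heuristic, not proof: mailing-list software and bulk senders legitimately bounce to other domains, so treat a mismatch as a reason to look harder rather than as a verdict. The link check is the stronger signal, because there is no honest reason for anchor text to show one site and send you to another.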
To update Apple software, start with the menu item. To update non-Apple software safely, restart your browser, type in the URL of the company website, e.g. java.com, and find and download the update. (Some software, such as Adobe Flash, has an "automatic update" option. Turn it on.)
I have written elsewhere about general suggestions on home computer security. Summary:
See my Frequently Asked Questions about Security.
Here is a nice general article on the Intego blog that discusses what "secure" means to you. How to Tell if Your Computer is Secure (in 5 Questions or Less)
Here is a little explanation of threats and countermeasures. Notice that in these scenarios, the first word is You. Reminds me of the old joke: "Doctor, it hurts when I go like this." "So, don't do that."
| Your Mistake | Bad Guy Action | How Likely | How to Avoid |
|---|---|---|---|
| You download some malicious software and install it, or open an attachment sent to you in mail, or view a malicious website that asks to install some software, or view an innocent website that shows infected ads, or view a social website message. You are asked to permit the installation of software or to accept a self-signed certificate, and you click OK. Or you use an insecure connection, and an attacker pops up a fake software update notice, and you click OK. | The Trojan Horse malware you installed gets control of your computer. The malware can steal or modify your data, get your online banking passwords, or attack other computers. | There are multiple attacks aimed at Mac users. See below. Some of them use Facebook to send you to the attack site, infect your computer, and spread by sending messages to all your Facebook friends. | |
| You insert a disc containing some malicious software and install it. During this process you are asked to permit the installation and you click OK. | The Trojan Horse malware you installed gets control of your computer. The malware can steal or modify your data, get your online banking passwords, or attack other computers. | Possible in theory. This used to be how viruses propagated in the 90s. | |
| You connect your computer to the Internet without using a hardware firewall. | A malicious computer on the Internet sends messages to your computer that trick it into installing programs that take control of your computer. The programs can steal or modify your data, get your online banking passwords, or attack other computers. | Possible in theory, mostly a movie plot. (The "Slammer" worm infected thousands of Windows computers within a few minutes this way in 2003.) | |
| You import an infected Microsoft Word, Excel, or PowerPoint document or mail attachment and open it. The file may have been infected maliciously by an attacker, or accidentally by a previous victim. | A "macro virus" in the document alters Office templates to cause Word, Excel, or PowerPoint to infect subsequent documents, and possibly do other malicious actions, from displaying strange messages up to corrupting or disclosing your data. | Rare these days. | |
| You leave your computer unattended. | A malicious person steals data from your computer or installs hardware or software that allows your computer to be taken over, and you don't notice. The malware can steal or modify your data, get your online banking passwords, or attack other computers. | This attack is common in movies, but probably rare in real life. | |
| You have an administrator password that is blank or easily guessed. You turned on File Sharing in . | A malicious person on the same local network connects to your files and steals data or installs malware. The malware can steal or modify your data, get your online banking passwords, or attack other computers. This includes others using the same wireless access point. | Unless you override the Macintosh defaults, you are reasonably safe. | |
| You use wireless. | A malicious person intercepts your wireless traffic and reads or modifies your communications, or they observe your web logins and steal your login credentials (Google "firesheep"). When you browse a web page, an attacker can inject code into the page that pops up a faked software update request: if you install such an update, the attacker could take over your computer. | This is a growth area. There are many reports of "evil twin" wireless hot spots, especially in airports, coffee shops, and hotel areas. These attacks work equally well on Macs and PCs, so the bad guys have more incentive. | |
* indicates measures that might work in theory but I have not tried.
Use common sense. To avoid malware problems, use good sense when surfing and clicking: don't click on links in mail from strangers, and don't install software from untrusted sources. Don't enter sensitive information, like credit card numbers, into untrusted or insecure web pages. Be suspicious. Watch out for scams and fraud. Here is a nice article: Mac security: scams and fraud.
I installed the free version of the ClamXAV anti-malware scanner on my Mac. This program does not splice into Mail or the file system to watch for new files: it only scans directories you point it at. So far it has not found any problems on my computer, when I use it to check attachments sent me by others.
Malware scanners can check your whole hard drive, or selected files, when you tell them to. Malware checkers attach themselves into programs on your computer, such as Mail, and check files when they enter your computer; to do this they have to hook into applications and system facilities in ways that the malware cannot bypass. Such hookups are sometimes broken by OS updates, or lead to problems using your computer, or consume excessive resources.
Anti-malware programs' definition files must be updated very often in order to be useful. Anti-malware companies constantly capture and analyze new malware that is designed to evade existing detectors. Then they update their malware definitions and detection methods, and make updates available to you. Your computer can be attacked before you get protection installed. Recently, there have been multiple malware variants released in a single day, faster than the anti-malware software can be updated to catch it. See Rich Mogull's article "Do You Need Mac Antivirus Software in 2013?" for his view.
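To make the two paragraphs above concrete, here is an added Python example (not from the page, and not how any of the products named on it work internally) of an on-demand scanner in the style described: it walks a directory and compares each file against definitions. It carries two kinds of definitions, exact-file hashes and a byte-pattern rule, and shows why hash definitions go stale: a variant that differs by a single byte gets a new hash and slips past the hash list until a new definition ships, while a pattern shared by the whole family still catches it. All samples, names and the hostname are constructed.

```python
import hashlib
import os
import tempfile

# Constructed definitions. HASH_DEFS maps sha256 -> name, the way exact-file
# signatures work; PATTERN_RULES maps name -> byte strings the family shares.
# The hostname is a made-up .invalid name, not a real indicator.
HASH_DEFS = {}
PATTERN_RULES = {
    "Example.FakeUpdater": [b"fake-update.example.invalid"],
}


def add_hash_definition(name, sample_bytes):
    """Publish an exact-file signature for a captured sample."""
    HASH_DEFS[hashlib.sha256(sample_bytes).hexdigest()] = name


def scan_bytes(data, use_patterns=True):
    """Return a detection name, or None if nothing in the definitions matches."""
    name = HASH_DEFS.get(hashlib.sha256(data).hexdigest())
    if name:
        return name + " (hash)"
    if use_patterns:
        for name, patterns in PATTERN_RULES.items():
            if all(p in data for p in patterns):
                return name + " (pattern)"
    return None


def scan_directory(path, use_patterns=True):
    """On-demand scan: walk a directory and return {relative path: detection}."""
    results = {}
    for root, _dirs, files in os.walk(path):
        for fn in sorted(files):
            full = os.path.join(root, fn)
            with open(full, "rb") as fh:
                detection = scan_bytes(fh.read(), use_patterns)
            if detection:
                results[os.path.relpath(full, path)] = detection
    return results


def demo():
    """Scan a constructed folder two ways and return both result sets."""
    # Constructed harmless stand-in for a dropper script: it only echoes a made-up URL.
    original = b"#!/bin/sh\n# constructed sample, does nothing harmful\necho http://fake-update.example.invalid/\n"
    variant = original.replace(b"constructed", b"Constructed")  # one byte changed: new hash
    clean = b"Shopping list: milk, eggs\n"
    add_hash_definition("Example.FakeUpdater", original)  # definition made from the captured original
    with tempfile.TemporaryDirectory() as folder:
        for fn, data in [("dropper.sh", original), ("dropper_v2.sh", variant), ("note.txt", clean)]:
            with open(os.path.join(folder, fn), "wb") as fh:
                fh.write(data)
        return {
            "hash_only": scan_directory(folder, use_patterns=False),
            "with_patterns": scan_directory(folder),
        }


if __name__ == "__main__":
    for mode, found in demo().items():
        print(mode, found)
```

Real products mix many detection methods (heuristics, behaviour, reputation) on top of these two, but the update race the paragraph describes is visible even in this toy: the day a variant appears, only definitions that describe the family rather than one file have a chance of catching it.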
Mac anti-malware packages are available from Sophos, Intego, F-Secure, PC Tools, BitDefender, McAfee, ClamXav, Norton, SecureMac, and Avast!. They all claim to be the best.
Beware: the bad guys are sending out spam email offering you fake anti-virus software. I get a couple of these a day. If you install it, it may pretend to work, while taking over your system.
(January 2013) Another Java vulnerability has been discovered that allows applets to bypass security controls. It only affects Java 7, which is not installed by default on Macs. Applets exploiting this hole are being served as advertisements from "major websites." It is safest to disable the Java plugin in your web browsers, so no applets can run; this is how recent updates from Apple set it. If you enable Java in your browser or install Java 7, be careful not to visit untrusted web sites. (Oracle has promised a patch on Tuesday Jan 15. Supposedly they knew about this problem in August 2012.)
(January 2013) Two vulnerabilities in Ruby on Rails make over 200,000 websites exploitable. Clicking on an infected website could lead to multiple attacks: some might try to spoof popup windows that ask for your password, and others might find a hole that can be exploited without asking. Hacking toolkits are expected to exploit both holes soon. Click cautiously and apply security patches when available.
(August 2012) More malware that can infect Macs has been discovered. Click cautiously and apply security patches when available.
(Apr-June 2012) The FBI is investigating cases where malware was installed on travelers' laptops through application software updates on hotel internet connections. Several Trojan Horse attacks are also being distributed via infected Microsoft Word files. Make sure you apply the latest update to Word 2011. (Only Snow Leopard and below are vulnerable to this attack.) There is also a serious security threat that attacks Macs that just visit an infected web page: the malware tries to steal financial passwords from your computer. It has been estimated that over 500,000 Macs have been infected. Protect your computer by installing the Apple update for Java from . See the page on The Flashback Malware for detailed instructions.
(April 2012) There are recent attacks on Macs that send infected Word documents in e-mail attachments. These exploit a hole that Microsoft patched years ago. Make sure your Microsoft products are up-to-date, by using the built-in Microsoft updater.
(March 2012) The various incarnations of the Flashback Trojan use ever-changing tricks to get you to install it. Visit a hacked website, and you may see dialog boxes requesting your admin password with various excuses (such as a fake password dialog box from "Software Update"), or you may see a request to accept a certificate that claims to be from Apple but is not. If you get fooled, you are in big trouble: the Trojan will install code into your browser so it can steal your banking passwords and watch your traffic. Many blogs have been hacked recently, to send malware to your browser or redirect it to a malicious page that does so. Using Firefox with FlashBlock and NoScript or Chrome with ScriptNo will help catch these attacks. OpenDNS will also prevent access to some malicious URLs. Make sure you have Java up to date, and do not accept fake (self-signed) Apple certificates.
(December 2011) Trojan Horse attacks are spreading via social network sites like Facebook, telling you you have to update Adobe Flash. This is a social engineering Trojan that wants to steal your banking passwords. I have also been seeing Facebook postings that point to a video that will "make you laugh in the first 26 seconds." These have spread to many people's accounts, so I think it is a Facebook worm. Hint: in Facebook Account Settings, Security, make sure you set "Secure Browsing" on. I turn off all "platform apps" as well.
(November 2011) Trojan Horses claiming to be pirated graphic applications were uploaded to Pirate Bay as BitTorrent files. Installing these will add a back door that would let strangers take control of your Mac, steal your data, and use your computer to generate Bitcoins. Using pirated software is risky.
(October 2011) Trojan Horses disguised as Flash Player Installers attack Macs.
(June 2011) A Facebook attack is spreading Windows malware and Mac scareware via a video hosted in India passed by "Like" flags.
(May 2011) A Trojan Horse fake anti-virus called "Mac Defender," "Mac Protector," "Mac Guard," and other names was discovered. Like many PC fake anti-virus attacks, if you visit a malicious web page, you'll see a fake scan and a WARNING that your computer is infected. An installer is automatically downloaded (and Safari will even open it if you have "Open 'safe' files after downloading" checked). DO NOT INSTALL IT. If you run this installer, it will ask for permission to install on your computer, and if you allow it, it will install a fake anti-virus program which will pretend to scan for viruses and then ask for your credit card number to "clean" your Mac. Intego has a nice article on it. (If you use Firefox as a web browser, and use the NoScript plugin, it won't be able to run.) If you installed it already, see this Apple article. As of 6/1/11, Apple provides a security update to 10.6.7 that will prevent installation of the malware and remove it if it is found.
(May 2011) A new "Crime Kit" for malware writers was published. It makes it easy for bad guys to attack Macs. We may see more attacks.
(November 2010) Microsoft announced that a Trojan Horse file claiming to be OSXDriverUpdates.tar has been distributed by multiple web sites. If a user downloads and installs this software, it will install an agent on their computer that a remote attacker can use to take over the computer.
(October 2010) Symantec described a Trojan Horse that spreads via Facebook. It affects Windows, Mac, and Linux computers and is written in Java. A Facebook user gets a message like "is this you in the video" or "i am going to end my life" that appears to come from a friend. If the user clicks on the link, the malicious web page may ask to install software, or may silently install it. Infected computers will message all the user's Facebook friends, try to steal bank passwords, and install a backdoor in the computer.
(June 2010) Anti-virus company Intego found that some freeware programs for the Mac install spyware that copies a lot of your personal information and sends it in encrypted messages to a company called comScope. If you installed screen savers from "7art" or "MishInc FLV To Mp3", they asked for an administrator password and installed software that monitors your application usage, Internet browsing, and chat sessions, and goes through all your files. The software's license agreement says it does this, but nobody reads the fine print. You can opt out or run the uninstaller to get rid of it. A version of this software has existed for Windows since 2008. (This is a Trojan Horse, not a "virus," since it does not spread to other computers by itself.) Intego calls the software "OSX/OpinionSpy" and its Virus Barrier software alerts and offers to remove the spyware.
(2009) A Mac anti-virus vendor announced that there was a Trojan Horse program published on BitTorrent aimed at Macs. If you downloaded a pirated copy of "iWork 09" from BitTorrent, it asked for your administrator password during installation, and then installed software that allows a bad guy to read all your files, control your computer, and so on. Avoid installing software from unknown sources. (I am a professional programmer, and like to get paid for my work. I assume my fellow programmers do too. So I avoid pirated software anyway.)
Because I am a "security guy," I put up with some inconvenience to keep my computers more secure. Everyone's security situation is different, and these tactics may be too much, or not enough, for people with different concerns. The measures you should take depend on what you are trying to defend against, and the value to you of the information on your computer that you want to protect. (Many of these measures also work or have analogues on other systems such as Linux and Unix.) Some of these steps may be too detailed for the general reader, but perhaps they will suggest the complexity of the security problem and the need to use multiple solutions.
Apple has produced Security Feature Guides for OS versions from 10.3 (Panther) to 10.6 (Snow Leopard) with advice from the NSA. They are very thorough. There are some security measures that I have not chosen, after considering my security risks:
Macs used to have fewer security problems than Windows because hackers concentrated on the flaws in Windows, but those days have passed. Over time, Windows has improved, and Apple should be working hard to improve also. Mac OS, Windows, Linux, and other Unix descendants are all written in the C language using informal processes. Brilliant programmers have failed to produce secure systems using this approach in many years of trying.
It is your responsibility to keep informed about your computer's security. Attackers will continue to try new ways to break into your computer and your online accounts. Even if you were fully protected yesterday, some new attack might be discovered tomorrow.
I think Microsoft does a better job with their code auditing than folks like Apple do. We've only seen a scratching of the surface as far as Apple vulnerabilities because nobody cares to find them. There's nothing inherent with Apple themselves and their development.
-- Marc Maiffret, former hacker