Apple Virus Commercial



I just saw an Apple ad where they were touting the fact that last year there were 114,000 known viruses for Windows, and the Mac had none.

I think this is a terrible strategy. I felt the same way when the Mozilla Foundation started using similar arguments for why you should use Firefox instead of Internet Explorer. Shortly after they started the “Firefox is safer than IE” campaign, vulnerabilities were uncovered in the software. I bet they were feeling kind of silly after that; certainly that particular marketing campaign seemed to ease into the background.

I could be wrong here, but a likely reason there aren’t viruses circulating for Macs is the lack of market share. It’s certainly not that they are invulnerable; it’s just that no one is motivated to fool with the platform.

I searched on CERT’s site and quickly found a handful of buffer overflows and other security issues for Apple software (for both Mac and Windows) that have been published over the last year. It is these sorts of vulnerabilities that allow viruses and worms to wreak havoc on a system. The fact that these vulnerabilities existed tells me someone could write a virus or worm for the platform, if they were so motivated.

It is inevitable, in today’s world, that any complex piece of software is going to have bugs that can be exploited. When a company starts touting how much more secure it is than a competitor, it is like saying, “Nah-nah-a-boo-boo, you can’t catch me.” Well, sooner or later you will get caught, and just like in the school yard, it won’t be pretty.




4 responses to “Apple Virus Commercial”

  1. Will says:

    Man, I hope Meghan doesn’t read this.
    HI, MEGHAN! Please don’t tell me how much Macs suck, ok, honey?
    I was under the impression that because you had to type a password in order to load any software in OSX it made it quite difficult for viruses, worms, etc. Am I mistaken? Probably, though I’m pretty sure David told me that, but oh well. I’m nun two smaart wif da computters.
    I must admit to thinking the same thing when I saw that commercial. I was saying, “Shh. Shhhh. SHHHHHHHH!”

  2. Jamie Hill says:

    What you say is true; it is more difficult for these things because of the tiered authentication. But it is not impossible. It is the same reason you don’t see a lot of this stuff for UNIX.
    Typically a buffer overflow can allow arbitrary code execution on your machine, usually at the privilege level of the software being exploited. Once you get a toehold in a machine it is usually not much of a stretch to gain root (or admin) level privileges. Not to mention you can wreak havoc on all of the things owned by the privilege level of the user the exploit was perpetrated against.
    Sometimes these things can be scripted, which is when you see a widespread outbreak.
    Now here are a couple of examples: One of the CERT advisories was for QuickTime, which could be exploited by a specially crafted QTIF image. All someone would have to do is entice you to download this file and view it in the QuickTime viewer (which, since these files are associated with QuickTime, would happen automatically). Another was in Safari; with this one a specially crafted HTML document (or web page) would trigger the problem (and since Safari is the browser of choice for most Mac users …).
    Hey Will, go check out http://stratusnine.com/I.will.own.your.computer.html — just kidding.
    BTW: I don’t think the Mac sucks, quite the contrary, but I don’t think Windows sucks either. Each is just a tool, and some tools are better for certain jobs than others. I just thought this particular ad campaign was shortsighted, and could eventually lead to egg on Apple’s face.

  3. Nate says:

    “You just couldn’t pass up the opportunity to say “Nah-nah-a-boo-boo” :) I respect that.”

  4. Jamie says:

    CERT released another advisory on MacOS yesterday. I’ve included the overview below; the interesting thing is this: may allow a remote attacker to bypass security restrictions.
    Overview
    Apple has released Security Update 2006-004 to correct multiple vulnerabilities affecting Mac OS X, Mac OS X Server, Safari web browser, Mail, and other products. The most serious of these vulnerabilities may allow a remote attacker to execute arbitrary code. Impacts of other vulnerabilities include bypass of security restrictions and denial of service.