Is there or has there ever been a Mac OS X Virus?
TheSpaz
Grizzled Veteran
Join Date: Nov 2003
Jul 4, 2005, 04:28 PM
 
Has there ever been an actual virus for Mac OS X? I have this PC friend arguing with me that Macs can get viruses just as easily as PCs and she said she talked to an IT specialist and he said Macs can easily get viruses because they have Norton for the Mac.

I'd like to know that I DO know what I'm talking about when I say that there has never been an OS X virus to date... and she doesn't believe me...

So if there's a computer super tech out there that would love to prove her wrong... please post here because I want her to realize that it's not just some fantasy I have in my head.
     
timmerk
Mac Elite
Join Date: Jan 2001
Jul 4, 2005, 04:32 PM
 
No, there has not been. Norton for Mac finds Mac viruses from the late 80s and early 90s, and all of the Windows viruses.
     
larkost
Mac Elite
Join Date: Oct 1999
Location: San Jose, Ca
Jul 4, 2005, 05:22 PM
 
The only thing that Macs currently have to worry about (currently being the last 5 years or so) are Word/Excel macro-viruses (they are cross platform... more or less). And most of those are harmless on the Mac side because we don't have a "C:" drive (which they are looking for).

So if you have not bought Microsoft Office, then you don't have to worry. You can even feel safe opening Word files in TextEdit (or Pages, or NeoOffice/J, or....) because the macros (and thus the macro-viruses) don't run.

Funny story... I once had a person have really weird files start to show up on their hard drive. It turns out that the person had named their hard drive "C:" on a whim, and a MS Word macro-virus was writing files all over it... no damage, but a lot of mess.
     
pat++
Mac Elite
Join Date: May 2001
Location: Earth
Jul 4, 2005, 05:54 PM
 
There has been no virus to date on Mac OS X. I wonder how Norton manages to sell anti-virus software on Mac. They probably sell it to people like your friend who think viruses do exist on Mac....
     
CharlesS
Posting Junkie
Join Date: Dec 2000
Jul 4, 2005, 06:10 PM
 
Originally Posted by larkost
Funny story... I once had a person have really weird files start to show up on their hard drive. It turns out that the person had named their hard drive "C:" on a whim, and a MS Word macro-virus was writing files all over it... no damage, but a lot of mess.
How would that even be possible? The colon (':') is the path delimiter on HFS+.

Are you sure your friend isn't pulling your leg?

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
CatOne
Mac Elite
Join Date: Nov 2001
Jul 4, 2005, 07:27 PM
 
Originally Posted by CharlesS
How would that even be possible? The colon (':') is the path delimiter on HFS+.

Are you sure your friend isn't pulling your leg?
Not sure. However, do note that Macro viruses CAN live on an OS X machine. If a PC user sends you an infected Word or Excel document, and you pass it to someone else, it *is* an infected document. It may be that Word or Excel can also be affected and infect FURTHER Office documents, until you run Norton on an OS X machine. Your machine can certainly be a "Typhoid Mary," but whether it can infect other documents, I'm not sure.

That said, there aren't any OS X specific viruses I know of. There have been a few trojans, but it's trivially easy to write a trojan, for ANY OS.
     
CharlesS
Posting Junkie
Join Date: Dec 2000
Jul 4, 2005, 07:39 PM
 
Yeah, macro viruses can run on OS X. What I'm questioning is his friend being able to name a hard drive "C:" on the Mac, which isn't possible.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
jay3ld
Senior User
Join Date: Jul 2004
Jul 5, 2005, 12:29 AM
 
He could have used a program or something. Unix? Single user mode?

There might be ways. You can do almost anything you want with your computers nowadays.
     
CharlesS
Posting Junkie
Join Date: Dec 2000
Jul 5, 2005, 01:42 AM
 
Originally Posted by jay3ld
He could have used a program or something. Unix? Single user mode?

There might be ways. You can do almost anything you want with your computers nowadays.
No, as long as his hard disk is HFS+, it is impossible to have a colon in the pathname, because the colon is the HFS+ path delimiter. It is not possible to have a colon in any filename on an HFS+ disk, period. The best you could do would be to put a slash in the pathname, so it would look like a colon in the shell, which displays slashes as colons to avoid conflicting with the POSIX path delimiter, the slash. However, to a Carbon app such as Word or the Finder, a slash will appear as a slash, and there is no way you are going to see a colon in a file name. The only way this would be possible would be if Word's macros used the same colon-slash translation that the shell does, but being from Microsoft, I have no idea why they would do that. It would seem more likely to me that it would use the backslash as the path delimiter, as that's what's used in Windows.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
Millennium
Clinically Insane
Join Date: Nov 1999
Jul 5, 2005, 06:52 AM
 
There are, at least thus far, no true viruses for OSX. One person claims to have written a worm, but he has taken pains to keep it from getting out into the wild (then again, he promised to release source code but has not done it, so his claims are somewhat in doubt). There are also a couple of crude rootkits, but these cannot spread on their own; someone has to trick you into downloading and running them yourself.

This said, viruses for other platforms are not magically destroyed when they encounter a Mac. They cannot infect the Mac, because they cannot run, but the files still exist, and if they are given to someone on the appropriate platform then that person could be infected. This is why virus scanners for OSX scan for viruses belonging to other platforms.

This said, we are not invincible. There are ways that a true virus could be written. The person who claimed to have written a worm documented many of them, and even though he never released source code he did release those documents; the reasoning behind them is quite sound. I also wasn't completely accurate when I said that viruses on other platforms cannot infect a Mac. Theoretically, there are three ways that this can happen:
  • If you are running Windows through Virtual PC, then Windows viruses can affect the emulated environment. Theoretically they could also infect any Mac folders that you shared with the Windows environment, but they could not spread further than that.
  • If you use Classic, then Classic viruses can theoretically affect OSX (because of the way Classic works, it has to bypass most of the OSX security mechanisms). However, OSX is different enough from OS9 that most OS9 viruses can't actually do anything.
  • If you use Microsoft Office, then macro viruses can theoretically affect OSX. However, as with Classic, most of these viruses were written for a different platform and do not work well -if at all- with the "alien" OSX environment.
Note that in all of these cases, the viruses are dependent on specific programs in order to work. If you do not use these, then viruses from other platforms cannot affect you.
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!
     
Geobunny
Mac Elite
Join Date: Oct 2000
Location: Edinburgh, Scotland
Jul 5, 2005, 09:13 AM
 
Not going to rehash what others have said here, but FWIW, I agree, there are no viruses for OS X.

However, as Millennium has said, virus scanners DO exist for Mac OS X and you should maybe think about getting one - if not to protect your friends, then for your own peace of mind should a Mac virus appear in the future. <cue shameless plug.....> http://www.clamxav.com
ClamXav - the free virus scanner for Mac OS X | Geobunny learns to fly
     
TETENAL
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Jul 5, 2005, 09:43 AM
 
Originally Posted by TheSpaz
IT specialist and he said Macs can easily get viruses because they have Norton for the Mac.
"IT specialist".

(I refrain from including the Angry Flower comic picture since it's slightly off topic.)
     
Eriamjh
Addicted to MacNN
Join Date: Oct 2001
Location: BFE
Jul 5, 2005, 10:06 AM
 
I thought that widgets could easily execute harmful code and be installed without your knowledge (you may be asked for a password).

I'm a bird. I am the 1% (of pets).
     
eyadams
Dedicated MacNNer
Join Date: Oct 2000
Location: Pasadena, CA, USA
Jul 5, 2005, 11:25 AM
 
she talked to an IT specialist and he said Macs can easily get viruses because they have Norton for the Mac.
That's a clever way to analyze it, but it's a case of putting the cart before the horse. I think there are two reasons Norton exists for the Mac. The first others have already pointed out: there are some VERY old viruses for the "Classic" Mac OS (about 40, I think), and PC viruses can be propagated by a Mac (even though a Mac cannot be infected). The other reason is company policies often require the use of virus checking software, and if a Mac is going to be used it must have one, even if it never, ever finds anything.
     
Millennium
Clinically Insane
Join Date: Nov 1999
Jul 5, 2005, 11:46 AM
 
Originally Posted by Eriamjh
I thought that widgets could easily execute harmful code and be installed without your knowledge (you may be asked for a password).
Widgets can in fact execute harmful code. Anything that can execute code can execute harmful code, unless you've completely neutered the environment (case in point: standard JavaScript).

The bit about installing without the user's knowledge was true in 10.4.0, but I think it was fixed in 10.4.1. It now requires a password before installing widgets. I'd prefer that auto-install be removed completely -downloading the widget and double-clicking it is not a significant burden for the user, but it's an enormous hurdle for malicious code to overcome- but I suppose the password dialog is at least something.
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!
     
Tsilou B.
Senior User
Join Date: May 2002
Location: Austria
Jul 5, 2005, 12:36 PM
 
Originally Posted by CharlesS
Yeah, macro viruses can run on OS X. What I'm questioning is his friend being able to name a hard drive "C:" on the Mac, which isn't possible.
Probably the hard drive was named just "C", without the colon. If the macro virus then tries to save a file called C:\Windows\explorer.exe or something like that, the Mac should be able to save a file called "\Windows\explorer.exe" to the root directory of the hard drive called "C".
     
sniffer
Professional Poster
Join Date: Nov 2000
Location: Norway (I eat whales)
Jul 5, 2005, 06:21 PM
 
Macs don't use backslash in paths either. *sigh*

Sniffer gone old-school sig
     
Chuckit
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Jul 5, 2005, 06:28 PM
 
They can use a backslash in paths — as part of the filename, which is what Tsilou suggested.
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
     
sniffer
Professional Poster
Join Date: Nov 2000
Location: Norway (I eat whales)
Jul 5, 2005, 06:35 PM
 
edit: nevermind. I didn't read the thread carefully enough.
( Last edited by sniffer; Jul 5, 2005 at 06:44 PM. )

Sniffer gone old-school sig
     
macintologist
Professional Poster
Join Date: Apr 2002
Location: Smallish town in Ohio
Jul 5, 2005, 06:54 PM
 
Off-topic, about the Dashboard widget problem. If you DO happen to install a harmful Dashboard widget, there should be an easier way to uninstall a Widget like click-n-drag instead of having to go into your Library/Widgets folder. What a PITA for beginner and intermediate users :/
     
Chuckit
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Jul 5, 2005, 08:59 PM
 
Coincidentally, there will be.
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Jul 5, 2005, 09:25 PM
 
Chuck is right. We can expect the virus writers to start targeting OS X more once the Intel-based Macs start coming out because (IMHO) they will become more popular and the market share will increase. Or because it will look like a new challenge for them. Either way, it's just a matter of time.

I'm glad that this thread has not been hijacked by someone who flatly claims that OS X is immune to viruses-because that's simply not true. ANY OS can be attacked, and it is a mathematical certainty that OS X is NOT perfect. NO operating system CAN BE perfect-it is mathematically impossible. This is something they kicked us in the head with in college; it is almost trivial to mathematically prove that an item of software (from the tiniest routine to a complete OS) has some flaw or other.

Glenn -----OTR/L, MOT, Tx
     
CharlesS
Posting Junkie
Join Date: Dec 2000
Jul 5, 2005, 10:22 PM
 
Originally Posted by Chuckit
They can use a backslash in paths — as part of the filename, which is what Tsilou suggested.
I would expect that Word would convert the backslash to whatever happens to be the proper path delimiter on the host OS. At least, I would hope it would work this way; if not, it would be unbelievably clunky.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
Superchicken
Addicted to MacNN
Join Date: Mar 2002
Location: Winnipeg
Jul 5, 2005, 10:32 PM
 
We had an admin at College who refused to let any of the computers in dorm use anything but port 8080 because otherwise we could be sending viruses and not know it. I explained to him that I had a Mac and that there was no chance I could get a virus. He said that Macs could still pass on viruses. I was extremely frustrated. The guy knew jack but windows. These sorts of people aren't IT specialists. They're windows specialists at best. M$ drones at worst.
     
sniffer
Professional Poster
Join Date: Nov 2000
Location: Norway (I eat whales)
Jul 6, 2005, 05:25 AM
 
Originally Posted by ghporter
Chuck is right. We can expect the virus writers to start targeting OS X more once the Intel-based Macs start coming out because (IMHO) they will become more popular and the market share will increase. Or because it will look like a new challenge for them. Either way, it's just a matter of time.
Sure it will, but somehow I doubt we'll see much of the craziness that we have seen on the Windows side where your vanilla installation is practically infected by plugging it on the net. I mean, there can be security issues handling insecure contents in a web browser or email clients – but if your OS is hosed by plugging it in for software updates, that implies that there are some terribly bad design decisions going on. I do have trouble swallowing the market share argument that I think people buy too easily. It's not that it doesn't count for anything, but hey – OS X is built on FreeBSD. The foundation is pretty stable/conservative. It's probably in the user interact areas we should worry, like security issues with dashboard widgets for example.

Sniffer gone old-school sig
     
Tsilou B.
Senior User
Join Date: May 2002
Location: Austria
Jul 6, 2005, 01:36 PM
 
Originally Posted by CharlesS
I would expect that Word would convert the backslash to whatever happens to be the proper path delimiter on the host OS. At least, I would hope it would work this way; if not, it would be unbelievably clunky.
Don't forget, this software is made by Microsoft...

EDIT: I just tested this, Word does not convert the path delimiters. The same macro that saved a file called "test.txt" to the directory "C:\Tsilou\" on my PC saved a file called "\Tsilou\test.txt" to my Mac hard drive after I renamed the drive to "C" and launched the macro with Word 2004.
( Last edited by Tsilou B.; Jul 6, 2005 at 01:43 PM. )
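
The result Tsilou B. reports, together with the colon-delimiter and slash/colon display rules CharlesS describes earlier in the thread, as an added Python sketch (not code from any poster or from Word). It assumes the macro's path string reaches a colon-delimited resolver unchanged; the function names and the default boot volume name are assumptions of the example.

```python
import posixpath
from pathlib import PureWindowsPath


def is_valid_hfs_name(name):
    """A single HFS+ file or volume name may not contain the ':' delimiter."""
    return name != "" and ":" not in name


def split_hfs_path(path):
    """Split an absolute colon-delimited path into (volume, [components])."""
    if ":" not in path or path.startswith(":"):
        raise ValueError("not an absolute colon-delimited path: %r" % path)
    volume, *rest = path.split(":")
    # A trailing colon marks a directory and leaves one empty last component.
    if rest and rest[-1] == "":
        rest.pop()
    if any(component == "" for component in rest):
        raise ValueError("'::' (parent directory) is not handled in this sketch")
    return volume, rest


def hfs_to_posix(path, boot_volume="Macintosh HD"):
    """Show where a colon-delimited path lands when viewed from the shell.

    boot_volume is an assumed name; the boot volume is '/', any other
    volume is mounted under /Volumes. A '/' inside an HFS+ name is shown
    as ':' at the POSIX layer. A backslash is an ordinary character.
    """
    volume, components = split_hfs_path(path)
    if volume == boot_volume:
        root = "/"
    else:
        root = "/Volumes/" + volume.replace("/", ":")
    components = [c.replace("/", ":") for c in components]
    return posixpath.join(root, *components)


def compare(path):
    """Interpret the same string under Windows rules and colon-delimited rules."""
    win = PureWindowsPath(path)
    volume, components = split_hfs_path(path)
    return {
        "windows": (win.drive, list(win.parts[1:])),
        "hfs": (volume, components),
    }


if __name__ == "__main__":
    macro_path = "C:\\Tsilou\\test.txt"  # the path from the post above
    print(compare(macro_path))
    # Drive renamed to "C" and used as the boot volume, as in the test:
    print(hfs_to_posix(macro_path, boot_volume="C"))
    # A volume literally named "C:" cannot exist:
    print(is_valid_hfs_name("C:"), is_valid_hfs_name("C"))
```

Under Windows rules the string is drive `C:` plus two directory levels; under colon-delimited rules it is volume `C` plus one file whose name contains two backslashes, which is why the files pile up in the root of the volume.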
     
nonhuman
Posting Junkie
Join Date: Jun 2001
Location: Baltimore, MD
Jul 6, 2005, 03:05 PM
 
Originally Posted by Superchicken
We had an admin at College who refused to let any of the computers in dorm use anything but port 8080 because otherwise we could be sending viruses and not know it. I explained to him that I had a Mac and that there was no chance I could get a virus. He said that Macs could still pass on viruses. I was extremely frustrated. The guy knew jack but windows. These sorts of people aren't IT specialists. They're windows specialists at best. M$ drones at worst.
He was right.
     
Chuckit
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Jul 6, 2005, 03:28 PM
 
How will blocking everything but 8080 stop a person from intentionally passing on an infected file via that port? He seems to have thought worms were capable of replicating themselves over the network through a Mac, which ain't right.
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
     
Tyre MacAdmin
Mac Elite
Join Date: Feb 2002
Jul 6, 2005, 05:44 PM
 
Originally Posted by Tsilou B.
Don't forget, this software is made by Microsoft...
Who could possibly forget that?
     
CharlesS
Posting Junkie
Join Date: Dec 2000
Jul 6, 2005, 07:26 PM
 
Originally Posted by Tsilou B.
Don't forget, this software is made by Microsoft...

EDIT: I just tested this, Word does not convert the path delimiters. The same macro that saved a file called "test.txt" to the directory "C:\Tsilou\" on my PC saved a file called "\Tsilou\test.txt" to my Mac hard drive after I renamed the drive to "C" and launched the macro with Word 2004.
Holy cow. So much for cross-platform!

Oh well, the only thing most people ever use macros for is viruses anyway...

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Jul 6, 2005, 09:03 PM
 
Originally Posted by CharlesS
Holy cow. So much for cross-platform!
All Microsoft says is that files are compatible, not anything about where they might be stored.

Oh well, the only thing most people ever use macros for is viruses anyway...
Actually macros are very important in doing things like formatting documents consistently-particularly when multiple authors work on the document. My wife found a commercial product for writing APA-style papers that turned out to be a set of macros that handled citations, bibliography entries, and a score of other formatting and other details. But any user who uses macros should be aware of what he intends to use, and have programs like Word notify him when a macro is called so he can decide whether or not to allow it.

Whether he understood it or not, that college IT guy was right; Macs CAN pass macro viruses even if they aren't infected by them. I don't get the port 8080-only bit, but that's beside the point.

Glenn -----OTR/L, MOT, Tx
     
mpancha
Grizzled Veteran
Join Date: May 2005
Location: Toronto, ON
Jul 6, 2005, 11:10 PM
 
Originally Posted by Chuckit
How will blocking everything but 8080 stop a person from intentionally passing on an infected file via that port? He seems to have thought worms were capable of replicating themselves over the network through a Mac, which ain't right.
If they're anything like the IT dept at places I've worked in the past, they are just misinformed, and believe if they pass everything through a single port it's safer. *shrug*...

Or it's like other companies I've worked at who believe if they only allow one single port, they can control what programs you use. For example, one company I worked at tried to block AIM access by blocking whichever port it is that AIM uses. However, port 80 was open b/c well, everything we used internally and externally was web based... a simple setting change in AIM lets you specify which port to use to get in and out of your network. Lots of IT depts don't realize that you can change which port a program uses to match what your network allows.

Lots of possible explanations...
MacBook Pro | 2.16 ghz core2duo | 2gb ram | superdrive | airport extreme
iBook G4 | 1.2ghz | 768mb ram | combodrive | airport extreme
iPhone 3GS | 32 GB | Jailbreak, or no Jailbreak
     
Millennium
Clinically Insane
Join Date: Nov 1999
Jul 6, 2005, 11:38 PM
 
Originally Posted by Chuckit
How will blocking everything but 8080 stop a person from intentionally passing on an infected file via that port?
It won't. At all. For that matter, it won't even stop a person from unintentionally passing on infected files via that port, if he's tricked into downloading a virus or Trojan through other means.

One thing it's important to realize is that most network staff have very little if any clue as to what they're actually doing. The sooner one accepts this, the sooner things begin to at least make some sort of sense. And, for that matter, the sooner solutions appear.

Consider this little gem: can you ping Google? If you don't know, then just open up the Terminal and type the following:
Code:
ping www.google.com
The Terminal will either say it can't ping it or will start churning out pings; press Control-C (not Command-C) to stop it if this happens. If you can ping Google -and you probably can, because most firewalls let pings through even if they don't let anything else through- then you can get out. This is where the power of OSX's Unix underpinnings really start to show.

Behold Ping Tunnel, a nifty little program which piggybacks all your Internet traffic onto plain ICMP pings. Installing this on OSX is not an easy process, but it can be made to work. Assuming there's another non-firewalled machine somewhere on the Internet which you can use, this will punch through almost any firewall, simply because most sysadmins -even the competent ones- will let ordinary pings through while blocking virtually everything else. I wouldn't run a server on it, but when you absolutely, positively need to get out to the Internet it can work wonders.
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!
     
Chuckit
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Jul 7, 2005, 12:19 AM
 
Incidentally, the firewall at one of the places I work actually won't let pings go through. Web and e-mail still work, but not pings. Pretty weird.
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Jul 7, 2005, 11:02 AM
 
I have just had a thought about the "port 8080" issue. That may be the ONLY port the IT folks have open in a corporate-level firewall. By forcing everyone to go through that one port, they only have to configure one port. Now this is Not A Good Policy, and it tends to make any possible investigation of where an intrusion might be coming from moot, but it makes lazy admins happy. Does that sound like the situation?

Chuck, by not allowing pings, the firewall effectively "stealths" the inside network. No "through pings" means that intruders can't map the internal network-which is A Good Thing.

Glenn -----OTR/L, MOT, Tx
     
   
 
All times are GMT -4.
All contents of these forums © 1995-2017 MacNN. All rights reserved.