[Love Calm Quiet]

With Symantec (& zdnet) making noise about OS X vulnerabilities, what do think of Apple's efforts to address security issues? I know they've been traditionally (some might say arrogantly) silent about discussing the issues before they have a fix ready to release.

Is Apple getting ready to get stung and lose its (at least *perceived*) edge over Windows?

[JLL]

Originally posted by Love Calm Quiet:
I know they've been traditionally (some might say arrogantly) silent about discussing the issues before they have a fix ready to release.

Isn't it standard practice not to tell about a security hole before a patch is available?

[gopikrishna]

JLL:

What's concerned me is that when someone discloses a vulnerability, I don't hear warnings from Apple from about protective steps to take, ways to reduce one's vulnerability... times/places/usages when one might want to know one is vulnerable.

But then, I don't follow MS closely enough to know if they offer that sort of warning or not.

Call me silly, but I'd love to have the company fess up to an issue... and reassure me they're working on it. Maybe that doesn't do anything... but (as a customer) I appreciate hearing from a company that it is attending to problems.

[Millennium]

Originally posted by JLL:
Isn't it standard practice not to tell about a security hole before a patch is available?

The standard practice is to tell the company first, and allow a reasonable amount of time for a patch to be made before telling anyone else. If the patch isn't out in a reasonable amount of time, then you disclose the bug more widely, as a means of forcing the issue.

Thus far, Apple has been pretty good about responding to issues for most things. It's worth noting, though that most security issues thus far haven't been in Apple code, so it's powerless to fix the bug until the actual author of the code pushes updates and Apple has tested them. Could you provide a link to the Symantec bulletin?

[gopikrishna]

From MacNN home:

http://www.zdnet.com.au/news/securit...9185387,00.htm

[Love Calm Quiet]

ZDNET article claims that "In its seventh bi-annual Internet Security Threat Report, Symantec said..."

But (strangely) I dont' see this bi-annual report linked at the Symantec home page

Maybe it's a better story for ZD than it is for Symantec?

[macsfromnowon]

The Symantec report can be accessed (apparently - I was too lazy to do the "free registration" hassle) at

http://enterprisesecurity.symantec.c...articleid=1539

It is intriguing that zdnet thought that "Mac Vulnerability" was the most gripping item in a "biannual security threat report." (almost as sexy as an ipod, eh?)

[CharlesS]

Well, the fact that OS X doesn't leave any ports open by default (try port-scanning a Mac with the firewall off to see what I mean) means that at least we shouldn't see anything of the likes of Blaster or Sasser...

[zzarg]

.... of most of the so-called security companies to produce a decent firewall / anti-virus / anti-trojan / anti-spyware app that works, is fail-safe with respect to updating rules before allowing access, doesn't slow the machine to a crawl and doesn't clutter your screen with unnecessary alerts, pop-ups and self-congratulatory messages the vast majority of the PC products are failures. And the likes of Mcafee and Symantec are way up there in the list of failures. The only reliable PC anti-virus solution I've found, FWIW is NOD32 - it does a clean, efficient job and (touch wood) hasn't let me down in 4 years.

They now see the Mac as another captive market - because it does such a good job of insulating designers and other creatives from the nuts-and-bolts, a little bit of Fear Uncertainty and Doubt will help them shift a few licences for another ill-conceived, ill-executed product while they in turn inflame the market with dire warnings of doom if people don't buy their latest, greatest offering.

While I'm the first to admit that although the Mac isn't 100% secure (if it was we wouldn't need todays security update and the others before it) it's foundation is pretty solid (heck, if Microsoft took the decision to re-write from the core upwards the same could probably be said for the next generation of Windows) - but we can't afford to get complacent... so far with a 3% market share (oft quoted, but I can't find an 'official' source, although my web logs tend to agree) growing maybe to 5% next year the target audience for the sad people who write these viruses (rather than actually applying their skills and talent to useful causes) may start to see OSX as a more interesting challenge and a way to get their 15 minutes of fame....

A lot of the onus however has to go on the users as well... take decent prophylactic measures. Be wary about where you surf, what you install, what dialogue boxes you click yes on, what attachments from strangers (or out of character ones from friends) you open and you instantly reduce the risk. Education will help, and it will force the AV companies to stop issuing press releases and start focussing on actually working to solve the problem in a good way

[SystemPreffs]

"A lot of the onus however has to go on the users as well..."

Yes, I know that. But I still think that having a system that <b>helps</b> the neophyte users (like my grandparents) know when it's safe to click on a link or enter a password is really needed.

Do you think Macs are easier to teach "safe surfing" on than PCs?

[zzarg]

Originally posted by SystemPreffs:
"A lot of the onus however has to go on the users as well..."

Yes, I know that. But I still think that having a system that helps the neophyte users (like my grandparents) know when it's safe to click on a link or enter a password is really needed.

Do you think Macs are easier to teach "safe surfing" on than PCs?

Sadly there's no real difference between Mac and PC in terms of a platform to teach safe surfing. The good news at the moment however is the risks (at least of virus or trojan infection) are a lot lower on the Mac than on the PC.
Phishing and related risks however are pretty much identical on both platforms, and as such it's down to 'off-line' education to make sure people are aware of the risks.

[gopikrishna]

I'm wet behind the ears about protection... other than safe surfing and abstaining (from stupid link-clicking in email). And like everybody else I know who Macs, I'm a virus-virgin (touch wood).

But friends using PCs have talked about all the spyware on their machines. Is there anything else I should know about keeping safe from spyware on my Mac, given today's latest "sky could be falling" alert:

http://www.macnn.com/articles/05/03/...rity.warnings/ ?

Is it worth my time investing in something like a "Mac Bible" to understand these risks better?

Thanks for advising a noob!

[Millennium]

Originally posted by gopikrishna:
I'm wet behind the ears about protection... other than safe surfing and abstaining (from stupid link-clicking in email). And like everybody else I know who Macs, I'm a virus-virgin (touch wood).

But friends using PCs have talked about all the spyware on their machines. Is there anything else I should know about keeping safe from spyware on my Mac, given today's latest "sky could be falling" alert:

http://www.macnn.com/articles/05/03/...rity.warnings/ ?

Is it worth my time investing in something like a "Mac Bible" to understand these risks better?

Thanks for advising a noob!

Actually, you've pretty much got it. If you know how to keep yourself safe on Windows already, those same habits will be more than sufficient to keep you safe on the Mac.

The only other thing I can think of is to never give your password to anything -not even the computer- unless you know what it's trying to do. If you're not logging into a machine, changing a directory or setting you don't ordinarily have access to, or installing software, and the system suddenly throws a password dialog in your face, then something is probably wrong.