Malware and How to Avoid it on a Mac

The following is a slightly modified version of a posting I made to Apple’s Mac User Group volunteers mailing list. Since that posting is all over the web anyway, I guess I can put it on my homepage as well.

As there seems to be quite a bit of confusion, here’s a somewhat lengthy explanation of the whole issue, for those who are interested in the topic (without any sort of warranty, usual disclaimers apply). For German readers, see also the slides from my talk at the MUG Stuttgart.

I’ll first explain a bit about cookies, and will then move on to the issue of malicious software, such as spyware. As some of the earlier posters have written, Mac OS X comes with a more secure default setting than most PCs running Windows. This unfortunately does not mean that Macs are completely immune to attacks. Therefore I’ve included some basic precautionary measures at the end that may help against malicious software on a Mac. Of course, there is no guarantee this will actually help if the Mac platform becomes a target for the kinds of attacks the Windows platform is currently subjected to, but it may well reduce the impact of such an attack …

Cookies

A cookie is simply a tiny bit of textual information a website can store on your hard disk. Nothing more. A cookie by itself does not cause any harm; imagine a tiny box on your computer where a web site can store a very small amount of data and retrieve it later, for example on your next visit.

Cookies are used by web sites to store your preferences, remember if you have already used their site, check if you are logged in etc. Most cookies will simply consist of a unique identifier that web sites then use to look up your data (profile, preferences, ads already seen, …) in a database on their side.

The danger of cookies lies in their ability to be used for tracking people or identities. Advertising networks use this to decide which ads to show, and if enough web sites embed content from the same network (so that the network’s cookie is sent along on every one of those sites), it can build up a complete web usage profile of a person. You can prevent most of this by setting Safari’s cookie policy to accept cookies “only from the sites you navigate to”. There is one more issue caused by cookies: if a web browser is shared among users (for example in an internet cafe), a subsequent user may be able to access a password-protected website used by an earlier user if that website has stored the login information in a cookie on the computer. This can easily be prevented by disabling cookies or deleting them after using the browser.

If cookies cause any malfunction, this may be the web site’s fault. Either they’ve set the cookie incorrectly, or they are processing a correct cookie’s content incorrectly. The cookie “database” on your computer may also have been corrupted due to a programming error or a crash. None of this has anything to do with spyware, even though eBay’s support may claim so 😉

Malicious software

The Basics

Mac OS X supports the fundamental Unix concepts of different users and permissions for files (and programs). You probably all know that a user on a Mac with OS X can only read and write files that have appropriate permissions. The same is true for running (opening) applications. I won’t go into any further details here.

Say Jane Doe’s username is “jane”; then all programs she runs are run on her behalf, as the user “jane”. These programs can only read or modify files and run other programs that Jane would have access to if she were using the Finder. If Jane ends up running a malicious program, it will be able to do everything she is allowed to do (in the worst case read/destroy all her files and generally wreak havoc), but not compromise the whole system.

If Jane has admin rights on her computer, she can also run programs with administrator (“root” account) privileges after entering her password correctly. A program run this way is then able to read and write any file on the system and run any other program. If Jane runs a malicious program _and_ enters her password, not only her files, but the whole system may become compromised.

Windows users, in contrast, tend to work as the admin user all the time and don’t have to enter an admin password for running programs as the administrator. Keep in mind that Windows (at least 2000 and XP) does support different levels of permissions, it’s just not widely used in a home user setting.

What does this mean? If you run an application on your Mac that turns out to be malicious, your _personal_ data (documents, music, email, pictures, …) is not really any safer than on a Windows system. But your whole system (operating system, other users) will be a lot safer than on a standard Windows computer _unless_ you grant access by entering your password from an admin account.
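To make the permission model concrete, here is an added example (not code from the original post) that mirrors the owner/group/other check Mac OS X applies when a process touches a file; the uids, gids, file modes and file names for Jane, a second user and root are constructed sample values:

```c
/* Added example: the Unix permission check a process is subject to.
 * All uids, gids and modes below are constructed sample values. */
#include <stdbool.h>
#include <sys/types.h>

/* What the process (and therefore the user it runs as) wants to do. */
enum { WANT_READ = 4, WANT_WRITE = 2, WANT_EXEC = 1 };

/* Decide whether a process running as (uid, gid) may perform `want`
 * (a mask of WANT_* bits) on a file owned by (f_uid, f_gid) with permission
 * bits f_mode. Root bypasses read/write checks; everyone else gets the
 * owner bits, else the group bits, else the "other" bits. */
bool may_access(uid_t uid, gid_t gid, uid_t f_uid, gid_t f_gid,
                mode_t f_mode, int want)
{
    int bits;
    if (uid == 0)   /* root: read/write always; exec needs some x bit */
        return (want & WANT_EXEC) == 0 || (f_mode & 0111) != 0;
    if (uid == f_uid)
        bits = (f_mode >> 6) & 7;   /* owner rwx */
    else if (gid == f_gid)
        bits = (f_mode >> 3) & 7;   /* group rwx */
    else
        bits = f_mode & 7;          /* other rwx */
    return (bits & want) == want;
}

/* Constructed sample: Jane (uid 501) and a second user (uid 502), both in
 * the "staff" group (gid 20); root is uid 0 / gid 0. */
#define JANE_UID  501
#define OTHER_UID 502
#define STAFF_GID 20

/* Jane's diary, mode 0600: readable and writable by Jane only. */
bool other_user_can_read_janes_diary(void) {
    return may_access(OTHER_UID, STAFF_GID, JANE_UID, STAFF_GID, 0600, WANT_READ);
}
/* A program Jane runs inherits her identity, so it can overwrite her file... */
bool program_run_by_jane_can_write_her_diary(void) {
    return may_access(JANE_UID, STAFF_GID, JANE_UID, STAFF_GID, 0600, WANT_WRITE);
}
/* ...but not a system file owned by root with the usual mode 0755. */
bool program_run_by_jane_can_modify_system(void) {
    return may_access(JANE_UID, STAFF_GID, 0, 0, 0755, WANT_WRITE);
}
/* Once Jane authenticates as admin, the program runs as root and can. */
bool program_run_as_root_can_modify_system(void) {
    return may_access(0, 0, 0, 0, 0755, WANT_WRITE);
}
```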

Note that all of the above scenarios would still require user action for a malicious program to run and possibly spread itself to other machines. If this were the only way for malicious software to be run and get a chance to spread, we would not have such a big problem with malicious Windows software either. But unfortunately, there are many ways malicious software may end up running on a computer without a user consciously running it.

How malicious software may get on a system

I will illustrate just one way malicious programs get run on a system without the user consciously running the program: software can be vulnerable to something called “buffer overflows”. Basically, a program that copies more input into an area of memory than that area was made to hold overwrites whatever lies next to it, and so “data” can sneak into a place where it may end up being run as if it were program code. An attacker can carefully craft that data so it actually does something “useful” (= malicious) when this happens.

This has in the past been a problem for all kinds of software that accept data input from potentially malicious sources, such as web browsers, email clients, and all the different kinds of network services exposed by a computer (web server, remote login, file sharing, …).

These bugs occur from time to time, despite software developers taking care to write correct program code. They do occur on Mac OS X systems, too. Therefore it is important to always have the most current version of your software and operating system installed, and to disable all network services you don’t need (the latter is the default configuration on OS X, and Windows has recently moved to a similar default setup after bugs in its running services enabled several malicious programs, so-called worms, to spread).
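As an added illustration (not code from the original post), here is the kind of unchecked copy that causes a buffer overflow, next to a bounded version that rejects oversized input instead of corrupting memory; the fixed-size name field and the sample inputs are constructed:

```c
/* Added example: an unchecked copy into a fixed-size field, and the
 * length-checked version that prevents the overflow. Field size and
 * sample inputs are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define NAME_MAX_LEN 16   /* fixed-size field, including the trailing NUL */

/* Vulnerable: copies whatever arrives, trusting that it fits. Input longer
 * than 15 characters runs past the end of `dest` and overwrites whatever
 * lies next to it in memory, which is exactly the situation the text
 * describes. Never use this pattern on data from an untrusted source. */
void copy_name_unchecked(char dest[NAME_MAX_LEN], const char *input)
{
    strcpy(dest, input);   /* no length check at all */
}

/* Hardened: measure first, never scanning past the limit, and reject
 * anything that does not fit so the caller gets an error rather than
 * corrupted memory. Returns false (and an empty dest) on rejection. */
bool copy_name_checked(char dest[NAME_MAX_LEN], const char *input)
{
    size_t len = 0;
    while (len < NAME_MAX_LEN && input[len] != '\0')
        len++;
    if (len >= NAME_MAX_LEN) {   /* no room for the text plus its NUL */
        dest[0] = '\0';
        return false;
    }
    memcpy(dest, input, len + 1);   /* copy including the NUL */
    return true;
}

/* Constructed sample inputs: one that fits, one that does not. */
static const char GOOD_INPUT[] = "jane";
static const char OVERSIZED_INPUT[] =
    "jane_plus_many_more_characters_than_the_field_can_hold";

bool good_input_accepted(void)
{
    char name[NAME_MAX_LEN];
    return copy_name_checked(name, GOOD_INPUT) && strcmp(name, "jane") == 0;
}

bool oversized_input_rejected(void)
{
    char name[NAME_MAX_LEN];
    return !copy_name_checked(name, OVERSIZED_INPUT) && name[0] == '\0';
}
```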

As I said, this is just one way a malicious program could get run on a computer. Others include, for example, programs disguised as data files attached to emails (a problem with some Windows email clients, some of which even automatically execute the code without the user having to actively click on the attachment).

How to prevent it

There are some rules that every Mac user should follow in order to keep their system safe and prepared for the occurrence of malicious software “in the wild”:

  • Keep your operating system up-to-date (use Software Update)
  • Keep your application software up-to-date
  • Install and run only software from sources you trust. This doesn’t mean you can’t download software from the internet. But do keep in mind that everyone can put an app up on Versiontracker or on a website.
  • Do not enable network services you don’t absolutely need.
  • Only open email attachments, iChat file transfers etc. from people you know and that you are actually expecting (keep in mind that the “From:” address of an email can easily be faked!)

In conclusion, I think it’s important that Mac users don’t ignore the security issues that do occur with any computer. There is no need for the kind of panic that Mac anti-virus software vendors tend to create from time to time to boost their sales, but Mac users do need to be aware that there are good chances Macs will be targeted by malicious software at some point and that there are simple measures they can take to reduce the impact of such an attack should it occur.