The Safe Mac


Mac Malware Guide : How do I protect myself?

Published June 17th, 2012 at 8:50 PM EDT, modified February 20th, 2013 at 8:12 AM EDT

Protecting yourself, whether you use AV software or not, is the most important aspect of avoiding malware. The biggest part of that is keeping up with updates, not only for your system but for all your software. Security vulnerabilities are found and fixed by software companies all the time. These vulnerabilities often give attackers a way to take advantage of a weak point in the system or in an app to install something on your machine. One would think that, once an update had been released to close a security hole, attackers would abandon any attempt to take advantage of it, but the data show otherwise. A patch actually tells attackers precisely where the hole is (comparing the patched and unpatched code reveals it), handing them a ready-made method to strike at machines that have not been updated. Since many people never install updates, attackers know they can keep using those vulnerabilities long after they have been patched.

For example, the Flashback malware initially took advantage of Java vulnerabilities that had already been patched. Similarly, a Microsoft Office vulnerability that had been fixed by an update in 2009 was taken advantage of by malware (Sabpab) that first appeared in early 2012. So install updates! If you don’t, you’re keeping vulnerabilities that the bad guys have been made aware of and may exploit.

Be wary of Java

Java (not JavaScript, which is different) is a huge source of potential problems, as has been mentioned in previous sections. It is also a good idea to keep it turned off in your web browser unless you specifically need it. (And I would suggest that that need should be truly desperate to warrant allowing Java to run!) Almost all the malware that appeared in 2012 took advantage of Java to install itself. Some used vulnerabilities to install themselves without any user interaction required. Although those vulnerabilities have been patched, new Java vulnerabilities are being found all the time. On June 12, 2012, for example, Apple released a Java update that fixed no fewer than a dozen new vulnerabilities. I don’t trust Java at all because of that sort of thing, and don’t even have it installed on my system at the moment. (As of Mac OS X 10.7, Java is an optional install.)

A malicious Java applet asking for access

Java applets can also obtain deeper access to your system through an official-looking request like the one shown above. Many users will not understand what they are being asked to approve, partly because of the nature of the request and partly because it sounds as if you are granting access to something from Apple. Although this technically qualifies as trojan behavior, it is far more dangerous than the usual trojans, which require the user to download and then run something.

Because of these problems with Java, I highly recommend not installing Java in the first place on a Mac running Mac OS X 10.7 (Lion) or 10.8 (Mountain Lion). On older systems, where Java ships as part of the OS, Java should be disabled in the web browser. In Safari, this is done by unchecking Enable Java in the Security pane of the preferences window (accessed by choosing Preferences from the Safari menu).

In Firefox, select Add-ons from the Tools menu, and in the Plugins pane, disable anything related to Java.

If you cannot disable Java in your web browser for some reason – for example, if your work requires Java or you’re a hopeless Runescape addict – then my advice is to keep it turned off except when you are visiting sites that you absolutely need Java for, and that you trust. Of course, that could require lots of trips to the preferences in your browser to turn Java on and off. It may be more convenient to use a secondary browser. Keep Java turned on in one browser and use it only for trusted sites that require Java. Use your other browser for all other sites.

For more about using Java safely, see Using Java in Mac OS X.

Other troublesome web technologies

JavaScript is not related to Java, and by itself cannot be used at the same level for installing malware. Short of a bug in the browser itself, the worst thing JavaScript alone can do is download something malicious onto your computer; it cannot open or install that malicious app. (Malicious pages do routinely use JavaScript to load the Java or Flash content that does the real damage, which is why the script blockers mentioned below also stop many exploit pages.) Keep your downloads folder empty, so that these surreptitious downloads are easy to notice and you won’t find them later and open them out of curiosity. Turning off JavaScript entirely will cripple many sites and really won’t give you much gain in security. If you really want to disable JavaScript, a good choice would be to use JavaScript Blocker in Safari or NoScript in Firefox to selectively allow or block scripts on each site. Using such software gives greater control over JavaScript, but can be a bit of a pain in the neck.

Flash is another issue, as there are always Flash-based exploits going around. Most of the time these exploits have only affected Windows machines, but they have also been used to infect Macs. For this reason – well, and also because I just hate Flash – I always recommend blocking Flash on a site-by-site basis. In Safari, the ClickToFlash extension can be used to block unwanted Flash content, loading it only when requested by the user. For Safari 5.1 or later, get Marc Hoyois’ ClickToFlash extension. For older versions of Safari, use the older ClickToFlash plug-in. Alternately, using Chrome could be greatly beneficial, as Chrome has similar “click to play” functionality built in and wraps its bundled Flash in an additional sandbox, making it more secure.

Avoiding trojans

Beyond the issues mentioned above, you should maintain a healthy skepticism to protect yourself against more mundane trojans. In particular, don’t open any application from an unknown source. Okay, I hear you, you’re not sure what the difference is between a known and an unknown source. The following are examples of an unknown, and possibly untrustworthy, source:

  • Anything from a web site claiming you have viruses (a web site cannot scan your machine for malware!)
  • E-mail attachments from someone you don’t know
  • E-mail attachments from someone you know, but who you also know has absolutely no judgement about what they would open
  • E-mail attachments from someone you know that you were not expecting
  • Anything sent to you via online means other than e-mail (messaging software, web forums, etc.) from someone you don’t know
  • Web sites visited by clicking a link in an e-mail from someone you don’t know
  • Anything on most peer-to-peer file sharing networks (e.g., torrents)
  • Anything from a web site with no name (i.e., one whose address is a bare IP address, something like http://203.0.113.7)

So, how does this compare to things that you can trust? Here are a few examples of trustworthy sources:

  • E-mail (or other online messaging) attachments you were expecting or from someone whose judgement you trust.
  • Downloads from a reputable web site
  • A few peer-to-peer sharing apps that have protection in place to ensure the file you are downloading is the same as a master file from a trusted source

The trickiest part of the trusted list is figuring out whether a web site is reputable. Remember that a web site’s domain name (i.e., www.somesite.com) must be registered with a name, address and phone number, making it traceable to someone. A web site with no name, where the address is a bare IP address, has no domain registration to make it so easily traceable. Of course, there’s nothing to say that a domain name couldn’t be registered with false information (or hidden behind a privacy service), so if you aren’t sure about the site, try looking for the software in the App Store (found in the Applications folder in Mac OS X 10.6.6 or later) or asking on the Apple Support Communities site. You could also try searching on Google or Yahoo to see if you can find reliable references to the program by some other third party. It would also be a good idea to download a Web of Trust plug-in for your web browser to help identify shady web sites.
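The “web site with no name” test above can be automated. The following is an added example, not code from The Safe Mac: it pulls the host out of a link the way a browser would and reports whether that host is a bare address rather than a registered domain. It also catches two things a quick glance misses: a user-name prefix such as http://www.example.com@203.0.113.7/ (the real host is the part after the @), and dotted digit strings that are not even valid addresses, like the page’s own 123.456.78.90. The sample links are constructed; 203.0.113.0/24, 2001:db8::/32 and example.com are reserved for documentation.

```python
import re
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

# A host made only of digits and dots can never be a registered domain
# (top-level labels are never all-numeric), so it is treated as a bare
# address even when it is not a valid IPv4 address.
_DIGITS_AND_DOTS = re.compile(r"[0-9.]+")


def host_of(url: str) -> Optional[str]:
    """Return the host a browser would actually connect to for this URL.

    urlsplit().hostname discards the scheme, any user:pass@ prefix, the
    port and IPv6 brackets, and lower-cases the result.  A missing scheme
    is tolerated because people paste links without one.
    """
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname


def is_nameless_site(url: str) -> bool:
    """True when the link points at a bare IP address rather than a domain."""
    host = host_of(url)
    if not host:
        return False
    try:
        ipaddress.ip_address(host)  # valid IPv4 or IPv6 literal
        return True
    except ValueError:
        pass
    return _DIGITS_AND_DOTS.fullmatch(host) is not None


def describe(url: str) -> str:
    """One-line verdict suitable for printing next to a download link."""
    host = host_of(url)
    if not host:
        return f"{url}: no host could be parsed"
    if is_nameless_site(url):
        return f"{url}: bare address {host}, no domain registration to trace"
    return f"{url}: domain {host} (check its registration before trusting it)"


if __name__ == "__main__":
    # Constructed sample links for the demonstration.
    for link in [
        "http://203.0.113.7/Update.dmg",
        "http://[2001:db8::1]/player.pkg",
        "http://www.example.com@203.0.113.7/",  # the host is what follows the @
        "123.456.78.90/install",                 # no scheme, not even a valid address
        "https://www.example.com/download",
    ]:
        print(describe(link))
```

A domain name passing this check only means the site can be traced to a registration; it says nothing about whether that registration is honest, so the App Store, support-community and search checks above still apply.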

When it comes to peer-to-peer file sharing programs, some people use them as a fast way to download legitimate software. However, you ultimately don’t know who you’re downloading it from. Peer-to-peer networks are one of the biggest sources of illegal software, music and movies on the internet, and as such are also one of the biggest sources of malware. It’s easy to be anonymous on a peer-to-peer network, and anonymity is important when doing something illegal, like distributing malware. This is not just a theoretical concern, as Mac malware has been distributed in the past on peer-to-peer networks, masquerading as pirated copies of prominent Mac software. Just avoid these networks entirely!

I also recommend keeping the download folder used by your web browser empty. When you download something, don’t leave it in the download folder indefinitely. If you wish to keep the item, move it to some other location, and if you don’t, put it straight in the trash. This will help you notice “sneak” downloads, where a script on a web page downloads something onto your machine without your requesting it. It is much easier to spot such a rogue download in an empty download folder than in a crowded one, and this reduces the chance that you might find it later and open it, wondering what it is.

Other security issues

Care should also be taken on open wireless networks (those that do not require a password to join). You never know who else is on such a network with you. Such a person could send you an unsolicited file via instant messaging, copy a malicious app into an unsecured public folder if you have file sharing turned on, or mount any number of other attacks. One particularly nasty technique that has become popular is to fool your machine into thinking there is a software update available, typically by intercepting an update check that an application makes over plain, unauthenticated HTTP; when you allow the “update” to download and install, it is actually malware. So never install software updates that your machine tells you about while on an open wireless network!
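If you must fetch an installer on a network you don’t control, one defence is to compare it against a checksum the vendor publishes on its own HTTPS site and only open it when the two agree. The following is an added example, not code from The Safe Mac or from any vendor’s updater: it parses the common `shasum -a 256` / `sha256sum` list format (“<hex digest>  <file name>” per line), hashes the downloaded file in pieces, and compares in constant time. It assumes the vendor publishes such a list; many do, but not all. The checksum text and file contents in the test are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict

CHUNK = 1 << 20  # hash installers 1 MiB at a time instead of loading them whole


def parse_checksums(text: str) -> Dict[str, str]:
    """Parse "<sha256 hex>  <file name>" lines into {file name: digest}.

    Blank lines and '#' comments are ignored; a leading '*' on the name
    (the binary-mode marker some tools emit) is dropped.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed checksum line: {raw!r}")
        table[name] = digest.lower()
    return table


def sha256_of_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(path: str, checksums: Dict[str, str]) -> bool:
    """True only if the file's SHA-256 matches the published entry for its name.

    A file with no entry fails closed.  hmac.compare_digest is overkill for
    a local file, but it is the right habit for any digest comparison.
    """
    expected = checksums.get(os.path.basename(path))
    if expected is None:
        return False
    return hmac.compare_digest(sha256_of_file(path), expected)


if __name__ == "__main__":
    import sys
    # Usage: python verify.py SHA256SUMS Installer.dmg  (paths are assumptions)
    with open(sys.argv[1]) as fh:
        table = parse_checksums(fh.read())
    print("OK" if verify_download(sys.argv[2], table) else "MISMATCH: do not open")
```

The checksum list only helps if it came from the vendor over HTTPS (or from a different network than the download); a list fetched over the same open Wi-Fi can be swapped just as easily as the installer.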

It’s also fairly easy for someone with inexpensive hardware and free software to sit on the same network and watch every packet of data going to and from your machine, at least for connections that aren’t encrypted. The guy at the next table in Panera could be reading your e-mail along with you! The (rather unlikely) possibility of a hacker using information you’re transmitting to get access to your machine and install malware while you’re eating your panini is only one of many dangers in such a situation. There are many other more likely possibilities. So, be cautious about what you do in such environments.

There are many other security issues that you would be wise to be aware of. Even the issue of what you do on an open wireless network is only very peripherally related to malware; there are much bigger, and more likely, dangers that don’t involve malware at all. For more information on such topics, see Apple’s Mac OS X Security Configuration Guides.

Finally, it’s very important to maintain a frequently updated set of backups, just in case you ever do fall victim to malware that erases your hard drive. (See my Mac Backup Guide for more information about backups.)


This page and all contents (unless otherwise noted) copyright 2011-2014 by Thomas Reed.
For questions or comments, please contact me.