On May 24, Apple posted a support forum entry on how to avoid or remove the MacDefender malware that's been plaguing an unknown number of users since early May. And I'm glad they did. But the support forum is way overdue, and Apple's standard method of responding to user issues--ignore them until they won't go away and then issue a response when the outcry gets too loud--simply won't fly where user security is at stake.
Mac users are a juicy, unprotected target for hackers, phishers, and scammers, and Apple needs to drop the impenetrable fortress act and help them raise the drawbridge.
MacDefender and its malicious software variants have been landing on Macs since at least May 2, when Intego and Sophos first reported on a massive SEO poisoning scheme that had Windows and Mac users alike clicking on malicious links and becoming infected with a Trojan program.
My colleague Ed Bott's attempts to bring the MacDefender issue to light were a fascinating saga all their own. Bott faced massive backlash from Apple users who insisted there was no malware problem--or if there was, it paled in comparison with the security nightmare that is Windows (their words, not mine). Fanboys accused him of inventing the whole tale. And John Gruber of Daring Fireball denounced the MacDefender concerns and said Bott was "crying wolf."
Nevertheless, the problem persisted, and the support calls increased. And then a source inside Apple support told Bott that Apple had issued new instructions for support reps to follow when handling MacDefender cases. Those instructions? Don't help them.
The full text of the instructions are here. Support reps were told not to tell customers infected with MacDefender how to force quit Safari, remove items from the start-up process, or how to force quit the Mac Defender process--and not to refer those customers to forums where they might actually find help. Support reps were also instructed to dodge "general" questions that might lead to resolutions if they knew the customer was calling about MacDefender. Why? Because the customer (the victim of this malware, to be clear) was trying to ask "obvious questions to skirt our policy."
So, when Apple--more than three weeks after this malicious software appeared in the wild--got around to posting a support forum on how to remove or avoid MacDefender, it was also nearly a week after Google reportedly killed a lot of the poison links that were infecting people in the first place, a week after CNET and others, and at least one support memo too late to demonstrate a serious commitment to customer security.
As both Mac defenders (if you will) and critics alike point out, this behavior is Apple's standard operating procedure for dealing with problems of imperfection. MacBook discoloration and whining? Deny or ignore for weeks, then eventually fix the problem. Cracks in MacBooks? Never happened. Defective display reports on iMacs that cropped up in 2007? Ignore for years and continue to ship problem displays until 2010, when you say they've been fixed. The ? Ignore, deny, and quietly fix case-by-case. iPhone 4 death grip issues? , then eventually hold a press conference and offer free bumpers.
From the perspective of, say, John Gruber at Daring Fireball, this approach represents a commitment to decisive action that leaves the customer hanging for a brief, uncomfortable period, then ultimately results in a satisfactory outcome. From my perspective, it represents a commitment first and foremost to not admitting fault, canny observation of which way the media winds are blowing, and action only after outcry has reached a sufficiently intolerable din.
But whatever the reasoning behind this silence-then-solution pattern, it won't work as a response to security issues. Phishing attacks, Trojans, even viruses are not hardware problems that can be fixed in future revs or by the helpful Genius Bar--and by all accounts, these attacks are becoming ever more common and there's every reason to believe Macs will be increasingly a target, according to Sophos researchers.
And why shouldn't they be? After all, Mac users are uniquely trained not to be security aware, thanks to all those years of being told that Macs don't get viruses. When it comes to falling for phishing attacks and cheerfully installing malware (after all, what Mac user should be afraid to install software? Macs don't get viruses!), Mac users are like sheep ready to be led to the slaughter. And today's phishermen are sharpening their hooks.
This is not an attack on the security of the operating system--any OS is hackable, for one thing, and phishing attacks rely less on zero-day vulnerabilities and more on the complacency of an unsuspecting victim. Mac users? Pretty unsuspecting. Heck, when a friend of mine told me, two weeks ago, about a storm of porn pop-ups plaguing his Mac, I said, "it sounds like a virus, but it can't be. It's your Mac!"
If Apple's future response to security issues is to take weeks to respond, instruct support reps to obfuscate or refuse to help customers, or continue to act like an unsinkable Titanic of security, they'll only put users more at risk. Hackers will happily take advantage of any delays in response.
In fact, while researchers believe the initial MacDefender Trojan was, perhaps, a proof of concept, by May 25 it had evolved into a variant that, according to this article, didn't need an administrator password to install itself, bypassed system folders, and installed itself in your user account folder. That's a much more dangerous piece of software than it was when it started, and a pretty scary precedent.
Let's hope the next Trojan to come along doesn't get such a helpful window of opportunity. No one is immune from attack, not even Mac users. And Apple needs to take care of its customers (who include me!) without its own support reps having to act like anonymous whistleblowers to get the word out. Security is a whole new game on the Mac--time to think different.