Apple's Craig Federighi admits to an unacceptable 'level of malware' on macOS

Cal Jeffrey

Bottom line: Apple's image was marred a bit after Craig Federighi testified yesterday. The Cupertino SVP told the court that macOS has a problem with malware. Windows security has long been a whipping post for Apple when marketing its computers. Admitting that it has a malware problem does not look good, but does it damage Apple's defense?

On Wednesday, Craig Federighi testified in the Epic Games v. Apple trial. Presented with the fact that macOS users are not locked into getting software from the App Store, he was asked why iOS did not follow the same model. Protocol notes that Federighi admitted macOS is not perfect and currently has a level of malware that Apple finds unacceptable.

"Today, we have a level of malware on the Mac that we don't find acceptable," explained Federighi, Apple's senior vice president of software engineering. "If you took Mac security techniques and applied them to the iOS ecosystem, with all those devices, all that value, it would get run over to a degree dramatically worse than is already happening on the Mac."

For years, Apple has bragged about Macs being more secure than Windows, so it appeared Federighi was throwing Mac security under the bus. However, he added that Apple's bar for protection against malware is much higher and that macOS is still more secure than Windows.

Federighi also pointed out that there is less than one-tenth the number of macOS users compared to iOS. Having that many devices out in the wild makes iOS a much more tempting target for malware.

How much, if any, damage Federighi's testimony has done to Apple's case remains to be seen. The foundation of Epic's argument is that since Apple allows Mac users to download software from outside the App Store, it should allow iPhone users the same freedom.

From a legal standpoint, making yourself or your company look foolish is not sufficient grounds for a ruling against you. Federighi's reasoning for not mimicking the macOS model on the iPhone still refutes Epic's argument. As far as the judge is concerned, the question is not whether Apple is left with egg on its face, but whether allowing sideloading on iOS would help or harm consumers.


 
Linux? You mean macOS? Linux is the opposite of obscurity, being mostly open source.
When he says obscurity, I believe he is talking about the fact that since lots of people didn't use macOS (at one point), hackers didn't focus on it. What people don't realize is that Linux is used EVERYWHERE. For lack of a better way of saying it, things governing a light switch could be using functions that came from a Linux kernel. Everything from a light switch in your car to the largest computers in the world is using some type of Linux. They might have compiled their own Linux kernel to run your smart toaster, but that doesn't stop it from being Linux.

I'll leave what OS is best for personal needs up to the preference of the individual, but Linux is the most widely used operating system in the world, and not by a small margin.
 
Linux is the most widely used operating system in the world, and not by a small margin.
Not Linux... but *nix derived OSes...

And being open-source makes you LESS secure, not more secure.

If hackers don’t know the source code, it’s harder to find vulnerabilities...
 
I bought and installed Malwarebytes on my MacBook and never caught anything, so I guess the anti-malware has been pretending the whole time.
 
Not Linux... but *nix derived OSes...

And being open-source makes you LESS secure, not more secure.

If hackers don’t know the source code, it’s harder to find vulnerabilities...
The whole GNU/Linux/unix conversation is outside the scope of my sh*t posting.

That said, I'd argue that with so many critical systems running on Linux or Linux-derived OSes, it is a focus of security experts. I'd argue further that it being open source makes it easier for security experts and white-hat hackers to find potential security flaws. It's not Windows, where they force you to upgrade. If you are confident that your current version is secure, you can run that until you've properly audited the new version.

You also don't have to upgrade the whole thing. If yRaz v420.69 has a fix to some issue in v420.68 you can modify just that one part without upgrading to the new version.
 
Not Linux... but *nix derived OSes...

And being open-source makes you LESS secure, not more secure.

If hackers don’t know the source code, it’s harder to find vulnerabilities...

Weird, because the most used closed-source OS on Earth, Microsoft Windows, has been exploited to spread malware MAGNITUDES more often than Linux, despite the fact that more servers run Linux than any other OS.
 
He is using the same textbook maneuver that our beloved governments use to ram stupid laws down our throats; for example, the terrorism bogeymen.

This will be the excuse they needed to finally enable Gatekeeper full on and force everyone to use the App Store, which of course means a nice cut for Apple.

Worst part? The rabid cult members that blindly obey anything Cupertino says are actually happy with losing the options.

Want to test this? Go to Ars Technica (the most devout temple of the rabid ones) and tell them that you want to be able to sideload apps on their sacred iOS devices.

I will be here with the band-aids...
 
Not Linux... but *nix derived OSes...

And being open-source makes you LESS secure, not more secure.

If hackers don’t know the source code, it’s harder to find vulnerabilities...
Yeah, that's why Firefox and Chrome are known for being so much less secure than IE. Oh wait...

There's exactly zero evidence that being open source makes you less secure. If anything, the statistics prove the opposite.
 
I bought and installed Malwarebytes on my MacBook and never caught anything, so I guess the anti-malware has been pretending the whole time.
I think he is referring to macOS in general being more susceptible to malware because people can install applications outside of the App Store. That you may not get hit by malware does not mean that there is no malware. I've been using Windows for decades and rarely do I get hit with viruses/malware, but that does not mean there is little to no malware out in the wild targeting the Windows OS. It all boils down to how prudent the user is.
 
Comparing Windows and macOS is kind of redundant.

macOS is more secure in every way simply because it's based on the much more secure core principles of the *nix platform. In a way, I think Apple cannot enforce a total lock-down of a desktop environment. It simply isn't feasible long term, and it can hurt the bottom line badly. Look no further than what 3D artists did after Apple (arrogantly) ditched nVidia support after HS. People said FO and moved to Winblows and never looked back. That's consumers/revenue lost.

Microsoft for decades in many respects just ignored security. W95/98/Me were an absolute poop storm. NT was not widely spread, but even so it was still full of holes until its death in 3.51. Yes, yes, XP, Vista, 7, 8, 10 are all newer NTs, but only around W7 did M$ slowly start to see the issue.

Keep in mind malware was rare before the Internet. It required physical access to physical hardware in 99% of cases. Now that's ancient history. One piece of malware with a 0-day exploit found can be multiplied 3 billion times in 3 seconds flat across the planet.

That's why I support Apple's stance on iOS/iPadOS. macOS is a different beast. Many companies (like research institutions) will not allow their top secret IP to be scrutinized by a 3rd party (Apple).
 
Not Linux... but *nix derived OSes...

And being open-source makes you LESS secure, not more secure.

If hackers don’t know the source code, it’s harder to find vulnerabilities...
If security researchers don't know the source code, it's harder to find vulnerabilities too.
 
I have never had malware on a Mac. I do not believe Apple cannot solve malware in other ways that are not so extreme and self-serving.
 
If security researchers don't know the source code, it's harder to find vulnerabilities too.
True, but that adds to the appeal of finding a vulnerability for black hat security experts. Without assistance like a bug bounty or source code, white hat security experts have almost no incentive to help find vulnerabilities to submit to the company.
 
If security researchers don't know the source code, it's harder to find vulnerabilities too.
And that's not a problem.... as long as black hat ones can't find them either....

Regardless of the OS, hackers WILL find vulnerabilities.... but people tend to look at Windows and say "it's so insecure, look at all the exploits"...

There ARE vulnerabilities - but we see them so readily because there are more PCs with Windows than any other OS - so more hackers target Windows than any other OS.

While *nix is a larger OS, most of the things that have it as their OS aren't as desirable to hack - or as accessible...

The illusion that *nix is more secure is simply that... an illusion... there are numerous exploits - many public, many private, that hackers constantly use to compromise systems.

One of the main things that makes ALL OSes insecure though, is the inability (or unwillingness) to keep them patched and up-to-date!

How many times do we see a release like "the following systems are vulnerable if they are version X or below..." If everyone kept their systems updated, we'd see far less hacking.
 
A lot of factors determine security. Having the source code means there are no back doors or intentional vulnerabilities in place to exploit for spying. Bugs are the main factor in security issues. Simplicity of code is a big factor in bugs. More code usually means more bugs. How it is designed: a more complex design can have more bugs, leading to more vulnerabilities. How it is maintained: big factors. Much commercial software has only one programmer working on it with little or no checking, because that costs money. How integrated it is with other systems: integration can create problems. How many features it has: extra features add potential vulnerabilities. Many Linux programs do not even have a GUI. There are many more factors to security than whether the code is readable. It makes many assumptions to state that open source code is more vulnerable. Every web browser in current use is open source for at least the majority of its code. Old IE and old Edge had more security issues, and they were replaced by an open source browser engine.


Not Linux... but *nix derived OSes...

And being open-source makes you LESS secure, not more secure.

If hackers don’t know the source code, it’s harder to find vulnerabilities...
 
While *nix is a larger OS, most of the things that have it as their OS aren't as desirable to hack - or as accessible...
Aren't as desirable such as login servers, banking information, critical systems that run pipelines or government servers?
 
Aren't as desirable such as login servers, banking information, critical systems that run pipelines or government servers?
But those are the minority of *nix devices... the majority are smartphones... and while they are desirable for hackers, the #1 target is still personal computers - and the VAST majority of those have Windows on them.
 
But those are the minority of *nix devices... the majority are smartphones... and while they are desirable for hackers, the #1 target is still personal computers - and the VAST majority of those have Windows on them.
Those I cited may be a "minority" but there is still a sh*t ton. And considering how much stuff runs through the cloud, I would actually like to see the numbers on that. I'm not saying you're incorrect; that's something I've heard many times before, but I've never actually seen numbers on it. I always questioned that.

Something else I would like to note is that Android is essentially just a Linux kernel used to run Java applications. It's not really useful for much outside of that. I don't know squat about iOS, but I can't imagine it is too different.
 
Linux isn't secure if you don't apply the security patches ASAP.
SSL Heartbleed & Shellshock attacks are the examples.
The difference is that some Linux distributions often don't have commercial pressures to introduce what should be feature updates as regular patches. If you decide to auto-update on a Debian-based distro that's set up properly (and yes, this means sticking to official and tested repositories only, for example), there's far less chance of you getting any issues, as the known-to-work software that uses newer features stays in one state until the devs decide it has gone through sufficient testing; then it usually becomes a feature update for many new features in the software to be implemented.

Windows, on the other hand, does so little proper testing that this doesn't happen: it's not the security patches that are the issue, it's the untested feature updates that have unforeseen effects on even security patches because they were never properly tested.

That's not to say there aren't *other* Linux distros that still have better resilience to breaking down because of the underlying structure of the OS but are still unstable-by-nature and don't try to appeal to newbies. Arch Linux, for example, is as untested as Windows, but the barrier of entry is so steep to even install it that inexperienced users are never going to use it as a daily driver, so when it breaks down (in the case of Arch, this is not an "if" but a "when", btw) it just doesn't affect nearly as many users, and those affected are usually adept enough to recover or roll back the changes if needed without widespread panic.
 
That's not to say there aren't *other* Linux distros that still have better resilience to breaking down because of the underlying structure of the OS but are still unstable-by-nature and don't try to appeal to newbies. Arch Linux, for example, is as untested as Windows, but the barrier of entry is so steep to even install it that inexperienced users are never going to use it as a daily driver, so when it breaks down (in the case of Arch, this is not an "if" but a "when", btw) it just doesn't affect nearly as many users, and those affected are usually adept enough to recover or roll back the changes if needed without widespread panic.
Arch Linux is the autistic man child of the autistic man child world. I've never met anyone that actually uses Arch Linux. It's either Ubuntu or Mint for home use, or usually Debian in a professional setting, where you just make your own distro for what you need.
 