Firefox add-ons are a potential security hazard — not as bad as IE ActiveX plug-ins, but still a potential threat. Many Web-based attacks that target Firefox don't aim for the program executable itself. Rather, they seek to undermine add-ons — files which may not be binaries and so may not be assumed to be at risk — and the support structure for the program.
Most of the danger comes from add-ons that pretend to be legitimate. For example, one add-on pretended to be the Adobe Flash Player, insisted on "updating" itself and dropped malware into the system.
One would think that antivirus programs would be a good first line of defense, but they have a spotty record of detecting things like this. For instance, the overlay.xul attack described above was still being ignored by many prominent antivirus engines (Symantec, Panda, Kaspersky, Trend Micro) even after a month of being in the wild. The SANS researchers who examined this threat ran it through an online virus-scanning service and were dismayed at how few applications flagged it as malicious.
One possible workaround is to use a non-installed version of Firefox such as Mozilla Firefox Portable Edition, which can run in any directory or even from a removable drive. If the program becomes infected, it can be kept segregated from the rest of your applications, and is easier to clean up and reset without damaging your user data. (Another possible workaround is to use a different browser entirely, but that might be more effort than it's worth.)
Many people switch to the Macintosh out of a sense that the Mac's a safer platform. By and large, it is, but threats do exist in the wild, whether piggybacked on pirated software or as the result of vulnerabilities in the platform itself. Most dangerous of all, though, is a false sense of security: users can be duped no matter what they're running.
Mac security-product creators Intego released a report (PDF) in 2009 that examined Mac malware and kernel vulnerabilities. There's not a lot of Mac malware in the wild — Intego found most of it in pirated copies of commercial applications (iWork '09, Adobe Photoshop) available on peer-to-peer file-sharing networks.
The kernel issues are also worth noting (the report notes that one was discovered in April 2009), but more worrisome are vulnerabilities in Safari. The browser has been shown time and again to be a weak link in OS X's security chain. Debates rage on about whether Macs are attacked less because of their minority share or because they are less vulnerable, but that doesn't make any attack on the platform less troublesome.
Most important of all, though, is the user at the keyboard. Mac users are no less vulnerable to social engineering — and no less apt to download pirated software that turns out to be loaded with Trojans — than those using other platforms.
A false sense of security is a bad habit to cultivate, especially if Mac adoption continues to climb. What's crucial is that users not assume that simply changing platforms is by itself a defense mechanism. It can stave off some obvious problems, but it won't eliminate all of them for all time.
To that end, Mac users need to keep apps updated (not too hard by itself), but also stay conscious of their security as a platform-neutral issue. Rip-off artists are loyal to no OS, and a bug in Safari can be just as problematic as a bug in IE. (The same goes for Linux as well: A scam run past someone using Firefox in Ubuntu is still a scam by any other name.)
Users should also stay informed about threats in the wild that might not seem like any of their concern at first. Malware is not just becoming more aggressive, it's jumping platforms and diversifying across them, targeting the user rather than the platform. Consider the Firefox XUL hijack described earlier: that was an attack that could be staged on multiple editions of Firefox, since the files attacked were not platform-specific.
And Mac users should avoid pirated software, for security (as well as ethical) reasons. The threat from such things may be marginal now, but that doesn't mean it'll always be that way.
(For some additional tips, you might want to check out this article: 15 easy fixes for Mac security risks.)
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts