These Antivirus Security Myths Just Won’t Die

November 16, 2016

“Macs don’t get viruses”

We’ve all heard these famous words, and while at first read they might make sense, they are, sadly, a complete myth.

To help clear up any confusion about whether your computer is probably being used by hackers to take down vast numbers of websites, Sophos Security’s Paul Ducklin has arrived just in the nick of time to dispel two of tech’s greatest myths.

Here begins the first lesson:

1. Macs don’t get malware

Actually, we’ve got to be honest here: as far as this Zombie Myth goes, things are improving all the time, even though we aren’t quite there yet.

Mac malware arguments used to go like this:

Fanboy: Macs don’t get malware.
Denouncer: Yes they do.
Fanboy: No, they don’t.
Denouncer: Do so.
Fanboy: Do not.

There wasn’t much you could add to this, other than to say, “In truth, Macs can, and have, and do get malware, albeit not very often due to Macs being a minority platform,” but that only served to head the argument off into another dead end.

The thing about Macs and malware is not so much whether Macs do or don’t get it as the sorts of misleading explanations that we still hear from a small core of Mac evangelists, such as:

  • Macs may get malware, but they don’t get viruses, and that’s what matters.

Viruses, indeed, are a special subset of malware that can spread all on their own, but the truth is that most malware threats these days, for Windows, Mac, Linux or even the Internet of Things, are non-viral.

Of course, once your passwords are copied, your files stolen, your data ransomed and your customers are out of pocket, then the distinction between self-spreading viruses and malware distributed directly by cybercrooks becomes largely irrelevant.

  • If a user has to click on anything to help along the infection, it doesn’t count as malware.

Tell that to the Privacy Commissioner.

  • Macs are more secure because they’re based on Unix.

So was the infamous Morris Worm, the world’s first fast-spreading internet virus, of 2 November 1988.

2. Windows XP is good enough


Windows XP came out 15 years ago, and even looking back through rose-tinted spectacles, we remember the first few years of its life as ones during which the only thing that matched the scale of its adoption was the amount of vitriol that was poured all over it.

Indeed, XP was almost recklessly insecure by modern standards: no stack protection, no data execution prevention, no address randomisation, hardly any heap protection…

…and if those digital countermeasures mean nothing to you, all that matters is to know that XP had a rather limited ability to protect itself from buggy software that wrote to the wrong places in memory.

Those who remembered MS-DOS knew that Windows was far better than DOS: under DOS you could always play with other people’s files, programs and memory, and even legitimate programs often did so in order to squeeze extra performance out of the slow and limited PCs of the day.

Windows protected you from yourself, up to a point, but determined crooks quickly learned to find holes and security bypasses with what would be considered disdainful ease today.

Malware, some people went so far as to say, was actually Microsoft’s fault, and any and all security software was essentially a cop-out that simply helped Microsoft hide in denial, instead of forcing it to face its foes.

In truth, most other operating systems at that time were architecturally very similar to Windows, and shared the same sort of security weaknesses, such as frangible stacks and heaps, predictable load addresses, bug-prone software development languages and practices and haphazard procedures for patching.

So we just can’t understand, in 2016, why a significant minority is now vocally trumpeting that Windows XP is, in fact, the best thing ever; that all newer Windows versions are inferior; and that it’s all a scam by Microsoft to get them to spend $120 for an upgrade for the first time in more than a decade.
