Canadian Mac Forums at ehMac banner
1 - 20 of 20 Posts

·
Premium Member
Joined
·
1,819 Posts
There's no mention on the security vulnerability of older versions of the OS. I have to assume that they're vulnerable as well, but there seems to be no options for those of us that can't upgrade to the latest OS.

That's why I'll never buy another Mac. This built in obsolescence is outrageous.
 
  • Like
Reactions: pm-r

·
Premium Member
Joined
·
1,762 Posts
There's no mention on the security vulnerability of older versions of the OS. I have to assume that they're vulnerable as well, but there seems to be no options for those of us that can't upgrade to the latest OS.

That's why I'll never buy another Mac. This built in obsolescence is outrageous.
CVE-2022-32893 is fixed with Safari 15.6.1 on macOS Big Sur and macOS Catalina. CVE-2022-32894 is the kernel vulnerability. It's not entirely clear but so far it seems to be Monterey-only.
 

·
Registered
Joined
·
117 Posts
There's no mention on the security vulnerability of older versions of the OS. I have to assume that they're vulnerable as well, but there seems to be no options for those of us that can't upgrade to the latest OS.
Well, first, that's not true. There are plenty of third party anti-virus utilities that will protect you from any exploit in the wild for the Macintosh. There are even entirely free ones. So you are flush with options.

Second, even if you have an older Mac, and even if it has a potential vulnerability that isn't patched, it's highly unlikely that you are going to see an exploit for that vulnerability.

Here’s the thing. Modern malware is almost exclusively written for financial gain. (With the odd bit of malware written to target a particular socio-political group, usually in the far east. These exploits usually aren’t seen in the west.) Whether it is to serve up ads, or to scam users out of their money, it is all about a profit motive.

In addition, modern malware tends to take a significant amount of time and money to write. The Mac isn’t easy to write malware for, and when a potential vulnerability in the Mac is found, the bad guys have to strike as quickly as possible before it is patched. But “striking quickly” usually still means that it will take months to push out a new exploit, representing a large investment in time and money.

Also, since it apparently has proven to be exceedingly difficult to write actual viruses (i.e. self-propagating/diseminating malware) for the Mac, any malware written for the Mac will almost certainly be a Trojan Horse that will be very difficult to disseminate to a large audience before it is discovered and shut down.

So, the bad guys are looking for potential vulnerabilities that Apple doesn’t know about, which are likely to go unpatched for many months into the future, they want any exploit that they write to have the maximum number of potential victims, and they want to be able to reach as many of those victims as possible, as quickly as possible. This is all a difficult feat.

Presumably, even if older versions of the Mac OS are just as vulnerable to a newly discovered potential vulnerability in the Macintosh as newer Macs are, once the majority of newer Macs have been patched, it will become uneconomical for the bad guys to target this vulnerability. By the time that the bad guys are able to push an exploit out, there will be way too few potential targets left to infect to be able to recoup the investment of time and money they put into creating the exploit.

At least that's the way that it has tended to work out in the past. Owners of old Macs haven’t been beset by unpatched-against malware. Estimates of the numbers of users still using older versions of the Macintosh OS tend to show that there are surprisingly few users of versions that are so old that they no longer receive any security updates from Apple.

Global macOS version market share 2018-2021 | Statista

So, older Macs by themselves simply aren’t a viable target for malware writers. And existing malware that can no longer effectively target recent Macs tends not to remain in the wild because it can’t self-replicate/disseminate, so it isn’t a significant threat to older Macs.

If it does occur that there is a bit of malware in the wild that is patched in newer Macs, but which is still going around infecting older Macs (and this has been the case years ago), it’s extremely likely that someone in the Macintosh community will come up with a free patch (which, once again, was the case in the past).

As long as Apple remains fairly diligent about patching against security vulnerabilities in the most recent versions of the Mac OS, the entire Macintosh community should remain safe due to a sort of “herd immunity” effect.

That's why I'll never buy another Mac. This built in obsolescence is outrageous.
Well, best of luck to you finding an operating system and computing platform better than the Macintosh. I'm sure that we will all miss you. Please write now and then and tell us all about how much better your (different) computer is. I'm sure that we would all be fascinated to hear about what that better computer is.
 

·
Registered
Joined
·
368 Posts
Great post, Randy. I have a bit of a dilemma in this regard.

When I did a fresh install of 10.13.6, I failed to notice the subsequent Security Updates were not installed.

But when I try to install what is presumably the latest Security Update for this OS, 2020-006, it won't complete & tells me this update is no longer recommended.

Think I should try again?

Lastly, I'd appreciate your suggestions for free AV software. I've been using free Malwarebytes but it tells me its updates are not current & "Check for Updates" does nothing. Scanning still works but it worries me I'm out of date to threats.

Thank you!
 

·
Registered
Joined
·
117 Posts
... when I try to install what is presumably the latest Security Update for this OS, 2020-006, it won't complete & tells me this update is no longer recommended.
Let me suggest that you try this free utility:

SilentKnight (free)
https://eclecticlight.co/lockrattler-systhist/

SilentKnight checks to see if you have the latest Apple security update installed, and if you don't, you can download and install it right from within the program.

Lastly, I'd appreciate your suggestions for free AV software. I've been using free Malwarebytes but it tells me its updates are not current & "Check for Updates" does nothing. Scanning still works but it worries me I'm out of date to threats.
I'm extremely leery of MalwareBytes since they came out with the nagware/commercial version. Download:
EasyFind (free)
https://www.devontechnologies.com/apps/freeware

and do a search for "MalwareBytes" on your Mac if you have MalwareBytes installed. You will find as many as 24 files (the number, oddly, varies for each user) for MalwareBytes installed all over your system. What do you think that they are all doing? I'd use EasyFind to delete all traces of MalwareBytes from your system.

I now recommend this very similar, but entirely free program instead of MalwareBytes for dealing with adware:

DetectX Swift (free)
https://sqwarq.com/detectx/

While DetectX Swift is a very effective product for dealing with adware, contrary to what it says on their Web site, it is not a comprehensive anti-malware program.

For comprehensively dealing with malware I recommend:

VirusBarrier Free Edition (free)
https://itunes.apple.com/us/app/VirusBarrier-Scanner/id1200445649
This is a full version of Intego's excellent commercial anti-virus program VirusBarrier [usually $40/year] minus some [but not all] of the automated scanning features in the commercial version. This isn't just a nice free product, in the past VirusBarrier has won all the believable third party anti-virus comparison tests.
 

·
Registered
Joined
·
368 Posts
Thanks, Randy.

That Eclectic Light article is really helpful! I have now updated HS to the max.

I’m not sure if a user should use more than one malware checker. MWB seems to work free. Should I care what those 24 pieces are doing? I mean, it’s overreach but so what? (FAF found 24!)

A checker, of course, is only as good as its updates!

Doesn’t EasyFind do the same job as Find Any File? (Also donationware.)

Ha! And I’ve just pared my appls down to the roots. I’ll keep these on hand. Lessee if I use them!

Don’t think anybody is targeting HS fogeys! I sure don’t think I need automated scanning. Have enough trouble with backing up fairly regularly!


bests,
CJ
 

·
Premium Member
Joined
·
16,567 Posts
SilentKnight checks to see if you have the latest Apple security update installed, and if you don't, you can download and install it right from within the program.

Well, I must say, it blows my mind as to why one would need a third party utility to check to see if one of Apple's most vital pieces of software is actually installed, updated, or not. That seems completely unbelievable but not unheard-of compared to some of their other, installed or not, software weirdness...

Is Apple actually unable or incapable to do any checking of their installation or update on their own supposedly critical security software??? Amazing if that is so...

Anyway, it's nice to know there's a free utility to do the checking if one needs...



- Patrick
=======
 

·
Registered
Joined
·
117 Posts
I’m not sure if a user should use more than one malware checker. MWB seems to work free. Should I care what those 24 pieces are doing? I mean, it’s overreach but so what? (FAF found 24!)
Well...hmmm...think about it. You're using a free utility. So they aren't making money from you paying for the utility. How might they be making their money? Might it be the same way that Google makes their money from their free utilities? Might those 24 files be doing something like...spying on you?

When I see a software application that has installed a huge number of files deeply in my Mac's system, for no discernible reason, that rings an alarm bell in my head. It doesn't for you?

Doesn’t EasyFind do the same job as Find Any File? (Also donationware.)
EasyFind is free, not donationware. But, yes, they do the same thing. The point isn't that you specifically need EasyFind, but that I was suggesting that you use something that will search everywhere on your hard drive. Spotlight won't suffice at it only searches where Apple wants you to be searching.
 

·
Registered
Joined
·
16 Posts
Well, first, that's not true. There are plenty of third party anti-virus utilities that will protect you from any exploit in the wild for the Macintosh. There are even entirely free ones. So you are flush with options.

Second, even if you have an older Mac, and even if it has a potential vulnerability that isn't patched, it's highly unlikely that you are going to see an exploit for that vulnerability.

Here’s the thing. Modern malware is almost exclusively written for financial gain. (With the odd bit of malware written to target a particular socio-political group, usually in the far east. These exploits usually aren’t seen in the west.) Whether it is to serve up ads, or to scam users out of their money, it is all about a profit motive.

In addition, modern malware tends to take a significant amount of time and money to write. The Mac isn’t easy to write malware for, and when a potential vulnerability in the Mac is found, the bad guys have to strike as quickly as possible before it is patched. But “striking quickly” usually still means that it will take months to push out a new exploit, representing a large investment in time and money.

Also, since it apparently has proven to be exceedingly difficult to write actual viruses (i.e. self-propagating/diseminating malware) for the Mac, any malware written for the Mac will almost certainly be a Trojan Horse that will be very difficult to disseminate to a large audience before it is discovered and shut down.

So, the bad guys are looking for potential vulnerabilities that Apple doesn’t know about, which are likely to go unpatched for many months into the future, they want any exploit that they write to have the maximum number of potential victims, and they want to be able to reach as many of those victims as possible, as quickly as possible. This is all a difficult feat.

Presumably, even if older versions of the Mac OS are just as vulnerable to a newly discovered potential vulnerability in the Macintosh as newer Macs are, once the majority of newer Macs have been patched, it will become uneconomical for the bad guys to target this vulnerability. By the time that the bad guys are able to push an exploit out, there will be way too few potential targets left to infect to be able to recoup the investment of time and money they put into creating the exploit.

At least that's the way that it has tended to work out in the past. Owners of old Macs haven’t been beset by unpatched-against malware. Estimates of the numbers of users still using older versions of the Macintosh OS tend to show that there are surprisingly few users of versions that are so old that they no longer receive any security updates from Apple.

Global macOS version market share 2018-2021 | Statista

So, older Macs by themselves simply aren’t a viable target for malware writers. And existing malware that can no longer effectively target recent Macs tends not to remain in the wild because it can’t self-replicate/disseminate, so it isn’t a significant threat to older Macs.

If it does occur that there is a bit of malware in the wild that is patched in newer Macs, but which is still going around infecting older Macs (and this has been the case years ago), it’s extremely likely that someone in the Macintosh community will come up with a free patch (which, once again, was the case in the past).

As long as Apple remains fairly diligent about patching against security vulnerabilities in the most recent versions of the Mac OS, the entire Macintosh community should remain safe due to a sort of “herd immunity” effect.



Well, best of luck to you finding an operating system and computing platform better than the Macintosh. I'm sure that we will all miss you. Please write now and then and tell us all about how much better your (different) computer is. I'm sure that we would all be fascinated to hear about what that better computer is.
Randy,
What can I say. You are a Godsend. I have deleted Malwarebytes, thanks to EasyFind. I installed the latest XProtect, thanks to SilentKnight. I, also, was able to delete a malware called WeatherRadar.zip, that none of my malware apps, including Malwarebytes, ever detected, thanks Intego VirusBarrier Scanner.

Tonight, I feel significantly more secure and I am a happy camper

Thanks again, Glenn
 

·
Registered
Joined
·
4 Posts
I'm extremely leery of MalwareBytes since they came out with the nagware/commercial version.
Randy, I'm not sure I understand this criticism. It's perfectly easy to continue to use Malwarebytes for free without hassles. It's a supported use case, and not one that we have any intention of ever changing.

and do a search for "MalwareBytes" on your Mac if you have MalwareBytes installed. You will find as many as 24 files (the number, oddly, varies for each user) for MalwareBytes installed all over your system. What do you think that they are all doing? I'd use EasyFind to delete all traces of MalwareBytes from your system.
I can easily tell you what they're doing, if you had asked.

You make this sound so nefarious. Why? If I use EasyFind to search for "1Password" on my system, I find 89 items. Is there something nefarious about that? No. Most of these files found with EasyFind are not "doing" anything, much less anything unwanted.

For others reading, if you have Malwarebytes installed and you decide to remove it, please don't do it this way. This is nothing against EasyFind, which is an excellent tool for finding things... but it is absolutely NOT the right tool for uninstalling software. Instead, use the Malwarebytes uninstaller, which will properly remove everything, ensuring that any actively running Malwarebytes processes are terminated without requiring a restart.

The uninstaller is very easy to use... just open the app and choose Uninstall Malwarebytes from the Help menu. You will need to enter an admin password to allow this, but you would need to enter an admin password to remove some of the files regardless how you do it, and that password is only seen by macOS, as part of the macOS authentication process, not by Malwarebytes.
 

·
Registered
Joined
·
4 Posts
Well...hmmm...think about it. You're using a free utility. So they aren't making money from you paying for the utility. How might they be making their money? Might it be the same way that Google makes their money from their free utilities? Might those 24 files be doing something like...spying on you?
No. They are not. Randy, please stop this kind of nonsense. Malwarebytes absolutely does not sell or in any other way monetize data from users. You can easily read our privacy policy and find out what we're collecting and why, and as someone who hates data collection and strongly advocates against collection of anything we don't truly need, I can tell you there's nothing sneaky there. If we started doing the same things with data collection that Google and Facebook do, we'd lose large numbers of employees who strongly dislike those practices.

If anyone has questions about what any Malwarebytes file is doing, just ask. I'll answer.

If anyone has questions about what we do with data, just ask. I recently answered an inquiry about this sort of thing in great detail: telemetry. malwarebytes.com

One of the core tenets at Malwarebytes is "no nonsense." And you should know that I live by that, Randy, as we've known each other a long time. I will speak plainly if you just ask.
 

·
Premium Member
Joined
·
16,567 Posts
Randy, I'm not sure I understand this criticism. It's perfectly easy to continue to use Malwarebytes for free without hassles. It's a supported use case, and not one that we have any intention of ever changing.
+1. I completely agree.

If anyone has questions about what any Malwarebytes file is doing, just ask. I'll answer.
Thank you for your valid comments and welcome to ehMac.ca forums.

And I have appreciated using your free Malwarebytes software, even long before it was called Malwarebytes, something like "Safe Mac" or "AdwareMedic" I think or some such name I can't really remember correctly. Anyway, definitely appreciated by myself and I am sure many others regardless of some commenter's comments.

No. They are not. Randy, please stop this kind of nonsense. Malwarebytes absolutely does not sell or in any other way monetize data from users.
I find it quite interesting, or should I say frustrating if not hypocritical, why and how some "free" applications or utilities are labelled as trustworthy by some while other applications are not, with no qualifications included or added regardless of judgement.

And in the same breath by the same commenters, if a developer dares charge a few dollars for his utility, such commentators suggest there is another similar product available that is "free", making it supposedly a better choice as being the implication. Strange.



- Patrick
=======
 

·
Registered
Joined
·
4 Posts
Thank you for your valid comments and welcome to ehMac.ca forums.
Thanks! :)

I find it quite interesting, or should I say frustrating if not hypocritical, why and how some "free" applications or utilities are labelled as trustworthy by some while other applications are not, with no qualifications included or added regardless of judgement.

And in the same breath by the same commenters, if a developer dares charge a few dollars for his utility, such commentators suggest there is another similar product available that is "free", making it supposedly a better choice being the implication.
Yeah, it's a catch-22. In order to make money, free products have to: 1) ask for donations (or something similar), 2) display advertising of some kind, or 3) monetize user data. Or, of course, 4) not make money. Some great folks make really great free tools out of the goodness of their hearts, without looking to earn any money from them, in the great spirit of the good old days of the internet, but that's more and more rare these days.

But in contrast, when I joined Malwarebytes and started working on a product that had paid-for features, some folks viewed that as "selling out." Making money became a bad thing, even though I was making money with AdwareMedic via donations. In reality, you can do way more with Malwarebytes for free than you could with AdwareMedic... and far more securely to boot. (I gave a talk recently where I used AdwareMedic as an example of what NOT to do, and how to use it to gain root privileges. Be glad I'm not the one writing the Malwarebytes code! :LOL: )

Unfortunately, there are some players in the security industry that give the rest of it a bad name, and leads to increased willingness to believe the worst.
 

·
Registered
Joined
·
117 Posts
Randy, I'm not sure I understand this criticism. It's perfectly easy to continue to use Malwarebytes for free without hassles.
II thought that my concerns were clear, and they really have nothing to do with whether or not Malwarebytes is free. The free vs. pay argument sounds to be purposely obfuscating the issue that I was pointing out.

For others reading, if you have Malwarebytes installed and you decide to remove it, please don't do it this way. This is nothing against EasyFind, which is an excellent tool for finding things... but it is absolutely NOT the right tool for uninstalling software. Instead, use the Malwarebytes uninstaller, which will properly remove everything, ensuring that any actively running Malwarebytes processes are terminated without requiring a restart.
The very fact that Malwarebytes has components that are running outside and separate from the main program itself, thus requiring a special uninstaller program to remove them, seems very disturbing to me.

I'm not going to get into an argument with you over it, but Malwarebytes has had dishonest advertising in the past, and it now has a very invasive program, at a low level in the Mac OS. There are alternatives to Malwarebytes for which I can't level the same concerns, so personally I recommend them over Malwarebytes.

There are, of course, weasels who would invite someone like you here to argue over this, and speak out of both sides of their mouth. Other list members should take note of this.
 

·
Registered
Joined
·
4 Posts
II thought that my concerns were clear, and they really have nothing to do with whether or not Malwarebytes is free. The free vs. pay argument sounds to be purposely obfuscating the issue that I was pointing out.
Randy, these were your own words, which I was addressing:

Randy B. Singer said:
Well...hmmm...think about it. You're using a free utility. So they aren't making money from you paying for the utility. How might they be making their money? Might it be the same way that Google makes their money from their free utilities? Might those 24 files be doing something like...spying on you?
You implied that, because we offer a free product, that we must be spying on you. These were your words, part of your argument, and I have every right to defend my product against such false claims.

The very fact that Malwarebytes has components that are running outside and separate from the main program itself, thus requiring a special uninstaller program to remove them, seems very disturbing to me.
Are you, perhaps, familiar with Zoom? Or maybe Adobe Photoshop? Maybe Microsoft Office? These are simply a few examples from among countless other apps that also have "components that are running outside and separate from the main program." This is far from unusual and is not, in and of itself, in any way disturbing. It is the way that countless third-party programs for macOS have worked for decades. Almost since the very earliest days of the Macintosh, in fact.

Malwarebytes stores files in standard macOS locations where such files are meant to be stored, unlike some other apps. And it provides an uninstaller that will clean up all of them, unlike some... Microsoft Office, for example.

In contrast, I could show you numerous malicious programs that don't do this. I can show you malicious apps that use login items completely included inside the app itself. Such login items run without the user's knowledge and have never been visible anywhere that the user could see them, until changes Apple has made to Ventura. Yet these are somehow safer than the files that Malwarebytes installs openly?

What exactly is your concern here, and why are you not leveling that same concern at Zoom, Adobe, Microsoft, and countless others? This begins to seem like axe-grinding rather than legitimate criticism. If you have something more concrete that is concerning you, let's hear it.

There are, of course, weasels who would invite someone like you here to argue over this, and speak out of both sides of their mouth. Other list members should take note of this.
So, wait a minute here... you're saying that someone who made me aware of the things you were saying about me and my product behind my back is a "weasel?" When I show up here to defend myself, you get mad, thinking that someone told me what you were saying, and then accuse me of lying? That's rich, Randy. I'm disappointed.

News flash: you're on the internet. Anyone can see what you're saying. If you don't want someone to see what you're writing, maybe you should think about not writing it on a public forum in the first place.
 

·
Registered
Joined
·
117 Posts
What exactly is your concern here, and why are you not leveling that same concern at Zoom, Adobe, Microsoft, and countless others?
Exactly. Many folks DO have those same concerns about those programs. In fact, when Covid hit and Zoom became extremely popular overnight, folks leveled a lot of criticism at Zoom for being extremely suspect with regard to security. In response, and seeing the need to become more trustworthy during the crisis, Zoom quickly re-engineered it's platform to be less invasive and more trustworthy. (Many folks STILL have their doubts about how trustworthy Zoom is.)

I assume that I don't need to tell you how many (most?) folks feel about how trustworthy Microsoft and Adobe are. Brilliant examples, thank you.

So, wait a minute here... you're saying that someone who made me aware of the things you were saying about me and my product behind my back is a "weasel?"
Oh yes, he is most definitely a weasel. He's outed himself to everyone here. (But from what I'm hearing, it's not a huge revelation.)

As far as the things that I've said about you and your product "behind your back" (in a very public forum)....I haven't said anything derogatory about you personally (in fact, I've called you "a superhero") other than that you are now an employee of a company and you have a vested interest. Don't try to tell me that you don't. If you didn't you'd still be writing articles doing unbiased reviews and comparison tests of all the AV programs available. But you aren't. You are now a commercial developer on a payroll. No one expects you to say anything other than that your company's product is great. Forgive me, but most developers know enough to STFU in a forum such as this, unless they can simply point to unbiased testing of their product from a source with no financial interest (most AV testing sites these days are either thinly veiled shill sites, or they are extremely suspect because they don't divulge their methodology and their results don't pass the smell test). Ironically, the last really good, reliable source for that was your own SafeMac Web site (which I still often cite to even though it is mostly out of date).
 
1 - 20 of 20 Posts
Top