Respected consumer advocacy group recommends against using Safari

And heck, that’s just common sense. I’ve recommended that all along, for Windows users. But what’s interesting about the Consumer Reports recommendation is that it’s aimed specifically at Mac users:

Mac users should scrap Apple's Safari and replace it with a browser that offers antiphishing protection, such as Mozilla's Firefox or Opera Software's Opera, Consumer Reports said today as it unveiled its annual Internet security survey.

Mac users are just as likely to fall for the fake sites as people running Windows, Fox said. "There is no significant difference" between the two groups -- Mac and Windows users -- regarding the likelihood of giving away information, he said. "Mac users are indistinguishable from Windows users here."

But users going online with Safari are leaving themselves at risk because the browser doesn't include tools to warn when a site is, or might be, dangerous. "The browser of choice for most Mac users, Apple's Safari, has no phishing protection," said Consumer Reports.

Until Apple adds antiphishing tools, the publication recommended that Mac users steer clear of Safari.

"The Mac [phishing statistics] were pretty interesting," said Fox, who named it as one of the current survey's biggest surprises. "Mac users think that they don't need to worry about viruses and spyware," he said. "But e-mail is the weak vector on the Mac."

Most phishing attacks begin when a user receives an e-mail message -- perhaps one posing as from his bank -- that includes a link to a malicious Web site.

"This is the one area where the Mac doesn't have an advantage in security," Fox continued. "Significantly fewer Mac users were using antiphishing technologies, but they were pretty much identical to Windows users about giving personal information.

"Windows users are used to being paranoid about not clicking," he said. "Mac users aren't, even though they say, 'Antivirus software, who needs it?'"

Fox also noted that users running Windows Vista reported significantly fewer instances of spyware or other malware infections than did people relying on Windows XP.

I do have a Consumer Reports subscription, but didn’t actually see this information in the cited report.

Thanks Jonathan.

subzerohitman721
on Aug 6, 2008
I think this report speaks to a lot of people. Consumer Reports is a very respected publication. Many will see this and avoid Safari because of the source. It's one publication which I view several months a year. Most people will see this and consider it golden advice. However, I feel like I have a bone to pick with some of the Mac respondents in here. The Mac owners should be flooding Cupertino's email server with complaints and demanding that Apple get to work fixing security. Apple clearly has work to do on the security side, and a few of the resident Mac guys act like somebody's slapped their mothers. The Mac customers have both the moral and ethical obligation to hold Apple to task. You guys constantly rail on Microsoft about its problems. Turnabout is fair play as far as I am concerned. Safari, Quicktime, iTunes on Windows, and Mobile Me are all showing a theme of insecure products and services from Apple. Some Mac users are blindly listening to ignorant marketing and not holding Apple accountable. I'm not happy that iTunes on Windows is a whopping 77 MB of hard drive space. Can we say excessive code bloat? What will it take for the Mac community to wake up? A Blaster/Sasser-like experience to shut down enough machines before the community changes its ways? Many on the Windows side learned a lot from Blaster and Sasser. I guess that's why Vista users are safer today than their Mac counterparts. Before someone says that doesn't happen anymore, if you were paying attention to the news, the Chinese/Russian hackers of their respective nations are alive and hacking. What if they decide to exploit that carpet bomb attack on the Macs? Imagine the next day's headlines... Example: Chinese hackers carpet bomb all Apple Macs online. Millions of Macs compromised, Mac websites taken down. Windows OSes immune to attacks. I hope I never have to wake up to this headline. Imagine what that will do to Apple's stock and to customer confidence? Fiction you say? Never say never.
The exploits aren't going to plug themselves. Perhaps Apple should take a page out of Microsoft's recent history and put Snow Leopard on hold while they fix Safari, Quicktime, iTunes, and Mobile Me. Before my example becomes tomorrow's headline.
RunTimeError
on Aug 6, 2008
"Running a browser without a phishing filter is a BAD IDEA. Period" Clicking on every damn link that is emailed to you is an even worse idea. At some point it's up to the end user to have some amount of brains no matter what platform you use. Of course, this is merely a pipe dream. It's a sad fact that Average Joe will see an email that says the Bank lost all their info and they should CLICK HERE NOW TO RE-ENTER IT ALL BEFORE IT'S TOO LATE!!!! Can you imagine these same people walking into a bank and having the teller say to their face: "I'm sorry, we lost all your info. You have no access to your money"? They'd freak the hell out. Yet there is some mystical quality to the Internet that turns regular Joes and Janes into trusting, drooling idiots.
johnpapola
on Aug 6, 2008
How to use OpenDNS to provide powerful anti-phishing to Safari and all mac browsers: http://www.macworld.com/article/134874/2008/08/opendnsphish.html?lsrc=rs...
RunTimeError
on Aug 6, 2008
I'm sorry, I'm taking the bait... "I'm not happy that iTunes on Windows is a whopping 77 MB of hard drive space. Can we say excessive code bloat?" In a day and age where 500GB hard drives are the norm, 77MB is nothing. Hell, even Vista's 15GB footprint is nothing. And by the way: most Mac users are taking Apple to task. We use Firefox :)
Snakedoctor1
on Aug 6, 2008
OpenDNS rocks. If you get a free account you can tie it in with a free dyndns account and then any traffic coming into your circuit (home broadband) can use the OpenDNS filters that you choose. Great stuff if you have kids.
johnpapola
on Aug 6, 2008
Funny... this site formats links in a way that isn't safe. Notice the "...". Just an observation.
Dipsh t Admin
on Aug 6, 2008
That link is actually quite safe the way it is displayed, since the full domain name is displayed, which is the first place to look for a phish. "Clicking on every damn link that is emailed to you is an even worse idea." That sounds all fine and dandy, but the phishers are getting better at their games, making pages that are only discernible by the super astute. I typically look for grammar mistakes, particularly capitalization. However, asking regular people to do this analysis is just not going to work. A phishing filter is really a minimum requirement these days. OpenDNS is great, but asking home users to go through these steps is really asking way too much.
joe-dokes
on Aug 6, 2008
My issue with anti-phishing technology is that it might give a false sense of security, in the same way that anti-virus software can provide a false sense of security. Since none of these technologies is anywhere near 100%, and one could argue even 75%, they may in fact encourage stupid behavior. That being said, I've run across a total of about a dozen phishing emails in the past year. They ranged in quality from laughable to scary; scary as in they looked good enough that, had I not been aware of the types of scams people run and the techniques people use, they may have fooled me. Fortunately my wife believes everything is a scam. Ironically, my wife found a phishing scam that used the LA Times. A job ad was placed in the paper that, when researched, was a classic Nigerian scam, yet the ad was placed in a reputable paper. Like I said, SCARY. All that being said, some are critical of Apple's security practices, mainly because they don't publicize ANY of them. Without starting a debate about disclosure, I will say that up until now their model is working. Could it face serious problems in the future? Sure, but it probably has the expertise and resources to respond appropriately. For example, from late 2007 to early 2008 Apple was hit with a bunch of vulnerabilities in Quicktime, a program so reviled on these boards many refuse to run it. Yet Apple did respond; they added a number of fixes by February of '08. While there have been and will continue to be security updates for both iTunes and Quicktime, the active exploitation of Quicktime by hackers has subsided. They further strengthened Quicktime in June. http://www.eweek.com/c/a/Security/Apple-Adds-AntiHacker-Features-to-Quic... So while Mac OS X has not been a target, Quicktime has, and Apple did respond, maybe not in the way you would've liked, but they did respond. Will Apple add anti-phishing features? Don't know; hope that when they do, they're good. Regards, Joe Dokes
shark47
on Aug 7, 2008
"That sounds all fine and dandy, but the phishers are getting better at their games, making pages that are only discernible by the super astute." I think domain highlighting in IE8 should be very useful when combined with the phishing filter. It's a simple feature that's probably not "cool" enough to make people switch, but might actually help a lot.
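To make the "domain highlighting" idea above concrete, here is an added example (not code from the article, from IE8, or from any commenter) that does what such a feature does in principle: parse a link, isolate the registrable domain that a user should actually read, and flag the URL shapes that make that reading hard. The PUBLIC_SUFFIXES set is a tiny constructed stand-in for the Public Suffix List that real browsers consult, and every sample URL is constructed for illustration.

```javascript
// Added example (not from the article or any commenter): a minimal version of
// browser "domain highlighting". Given a link, isolate the registrable domain,
// i.e. the part of the host that identifies who you are really talking to.
// Assumption: PUBLIC_SUFFIXES is a constructed stand-in for the Public Suffix
// List; a real implementation would load the full list.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk"]);

// Return "example.com" for "www.example.com", or null when the host has no
// known public suffix (or is itself one, such as "co.uk").
function registrableDomain(hostname) {
  const labels = hostname.split(".");
  // Candidates run from the whole host down to the last label, so the first
  // hit is the longest matching suffix ("co.uk" wins over "uk").
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null;
}

// Parse a URL and report the host, the subdomain prefix a user could be
// distracted by, the registrable domain, and any warnings for the reader.
function highlightDomain(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (err) {
    return { ok: false, warnings: ["not a parseable absolute URL"] };
  }
  const host = url.hostname.toLowerCase();
  const warnings = [];

  // Anything before '@' is userinfo, not the site; the WHATWG parser already
  // split it off, so surface that fact instead of letting it be read as the host.
  if (url.username !== "" || url.password !== "") {
    warnings.push("userinfo before the host (text before '@' is not the site)");
  }

  const isIp = host.startsWith("[") || /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
  if (isIp) warnings.push("host is a bare IP address");

  const registrable = isIp ? null : registrableDomain(host);
  if (!isIp && registrable === null) warnings.push("no registrable domain found");

  // Everything left of the registrable domain is subdomain noise.
  const prefix = registrable && host !== registrable
    ? host.slice(0, host.length - registrable.length - 1)
    : "";
  if (prefix.split(".").length >= 3) {
    warnings.push("deep subdomain chain before the real domain");
  }

  return { ok: true, host, prefix, registrable, warnings };
}

// Constructed sample links, shown the way a highlighting UI would report them.
const SAMPLE_LINKS = [
  "https://www.example.com/login",
  "https://www.example.co.uk/",
  "https://secure.example.com.lookalike.net/",
  "http://user@lookalike.net/",
  "http://192.0.2.1/",
];
for (const link of SAMPLE_LINKS) {
  const r = highlightDomain(link);
  console.log(link, "->", r.registrable, r.warnings.length ? r.warnings : "");
}
```

The point of the split is that `prefix` is what a hurried reader tends to look at, while `registrable` is what decides which server gets the form data; a phishing filter catches known sites, domain highlighting makes unknown ones easier to judge.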
Waethorn
on Aug 7, 2008
@Mackies: The "Smart car" is considered one of the most dangerous cars to drive in because of poor safety features (very short crumple zones, etc.) and ultra-compactness. It's essentially a casket on wheels. However, the usage rate is very low, and you don't hear about many major accident rates with it as a result. There haven't been any major disasters with it yet, but the time will come when somebody gets into what would be a minor fender-bender in any other vehicle but dies a gruesome, bloody death, making people rethink their decision to own one. >:P So when can I expect you to put a down payment on yours?
Waethorn
on Aug 7, 2008
....I should also point out that the Smart car has also been called "attractive", "sexy" and "easy to use". Food for thought.
Dude1313
on Aug 7, 2008
Waethorn said: It's not just about social engineering or viruses. Corporate security companies pan OS X's security for the workplace once the investigators pass through the superfluous fog of "impenetration" that Apple creates in their marketing for the OS. The source code is open, so as a buddy of mine that works for a major enterprise IT security firm likes to say: "it's like giving the hijackers the blueprints for the WTC with a big arrow that says "CRASH HERE"." Funny thing is you keep saying this but then offer up no proof other than "My friend says".... Harsh, but so very true
lotsamystuff
on Aug 7, 2008
"Funny thing is you keep saying this but then offer up no proof other than "My friend says"...." Yeah, Wae's the king of anecdotal evidence. He's regaled us several times with his fascinating stories of malfunctioning Macs in Apple stores, frustrated consumers at Best Buy, and his own customers who straggle into his basement with their non-working Macs and beg him to replace them with a home-built Vista box. I guess that's why he hangs out at Apple stores looking for customers: they make great fodder for his comments. But back on topic... I think the CR recommendation makes sense. Safari has clearly lagged behind in offering phishing protection, and although one could argue with the efficacy of such "protection", the fact is it's part of what should be considered standard on a modern browser. Better alternatives are available, and they should be seriously considered.
johnpapola
on Aug 7, 2008
I think everyone reasonable can agree that Apple needs to do more from a communication standpoint. Those that say it's "impossible" for them don't know the company that well. Apple's Joe Schor, product manager for Aperture, is very directly engaged with the community. In fact, all of the pro apps are. It's a market Apple knows well and has a long relationship with. They just need to realize that being opaque doesn't always serve them elsewhere. Security starts and stops with the user, and having a false sense of security is worse than anything. That's something Apple needs to fight. They are correct that the Mac's track record on attack is superior. Superior by a margin far in excess of their market share. It's not like the Mac gets 3.5% of all attacks. It gets almost zero. That's not proportional. So they have a reasonable case to bring to consumers who have been burned on Windows. It's fair for them to say "we're a safer neighborhood". They just can't encourage users to leave the doors unlocked.
tayme
on Aug 7, 2008
@joe-dokes - "Could it face serious problems in the future sure, but it probably has the expertise and resources to respond appropriately." You mean like they did here? http://www.scmagazineus.com/Apple-patches-for-DNS-flaw/article/113260/ "After waiting since the beginning of July, Apple has put out a patch for the DNS cache poisoning flaw discovered by security researcher Dan Kaminsky. Cisco, Microsoft, Sun Microsystems and many Linux versions put out a fix for the flaw on July 8, when it was first disclosed. Apple had taken some heat when it did not release its patch then, too. Andrew Storms, director of security operations for nCircle, said in a blog post that some of the patches for components in Apple's systems are incomplete." Apple needs to get serious about security and quit assuming that they are invulnerable. As an Apple customer, I have sent an email asking why this took a month longer than any other company and why it is still not fully patched...have any of you? --tayme
Waethorn
on Aug 7, 2008
"Funny thing is you keep saying this but then offer up no proof other than "My friend says"...." You obviously know nothing about security firms (obviously), but there's something called an NDA at most of them. Flaws and exploits are not discussed openly in public. Apple follows this example to a tee; in fact, they deny all knowledge of it.
Snakedoctor1
on Aug 7, 2008
@tayme, This all happened a year ago with MS http://www.itjungle.com/two/two042507-story02.html In fact, in that case some third-party company came out with a patch because MS was dragging its feet. Most people did not go with the third-party patch for fear of compatibility problems, and I agree with that. Apple probably had to do more testing. Also, the number of BIND DNS servers running on OS X, exposed to the internet, is probably so low they could have waited a year and not been hit. This would probably only have affected OS X Server running DNS in a DMZ that was open to the internet. Never have even seen this. Usually it's a cheap Linux box doing this or an appliance. Some all-Windows shops will use some low-powered Windows box, but I have never seen an OS X DNS server.
Dude1313
on Aug 7, 2008
Waethorn said: "Funny thing is you keep saying this but then offer up no proof other than "My friend says"...." You obviously know nothing about security firms (obviously), but there's something called an NDA at most of them. Flaws and exploits are not discussed openly in public. Apple follows this example to a tee; in fact, they deny all knowledge of it. Yeah, and he seems to be perfectly fine with discussing things with you... or at the very least it makes convenient fodder for your lack of facts backing it up.
tayme
on Aug 7, 2008
@Snake - Oh, I agree that MS has dragged their feet at times... but recently they have improved security practices greatly. I also know that not too many places use OS X as a DNS server and that OS X has BIND disabled by default. I was responding to joe-dokes' post, which gave the standard response that would lead one to falsely believe that Apple is "better" at security response than all other OS makers... --tayme
Waethorn
on Aug 7, 2008
"Yeah, and he seems to be perfectly fine with discussing things with you..." Considering that it was about a shared client whose two dedicated networks consist of one of Macs, running OS X Server (Tiger), and the other consisting of Windows Server 2003 R2 (which I'm currently in charge of), and they completely failed a wire-line penetration test on their Mac network, having had customer information databases successfully stolen, overwritten, and then deleted by an outside source, I'd say that working together with a buddy of mine already in the security industry wasn't disclosing any unnecessary information. I sure had a laugh about it anyway. BTW: The client now does quarterly remote penetration tests through my buddy's company. So far, the Windows network hasn't been penetrated. The Mac one failed 4 more tests after the initial incident about a year ago. Both systems have security updates deployed automatically to client machines too.
Snakedoctor1
on Aug 7, 2008
@Waethorn do you come up with this stuff yourself or do you have some Word macro that cranks out this fiction? We could all post BS about My Vista is fine, My XP never crashes, My Mac has no problems.....BLAH....BLAH...BLAH.....YAWN! I could find plenty of links like this that are pro-Apple based on its security.... http://www.forbes.com/technology/2007/12/20/apple-army-hackers-tech-secu... And probably the same for Windblows as well.
Waethorn
on Aug 7, 2008
"do you come up with this stuff yourself or do you have some Word macro that cranks out this fiction?" You mean like Mossberg's reviews? Sorry, but no matter how hard you push those fingers in your ears, it's the absolute truth.
johnpapola
on Aug 7, 2008
@snake and everyone else that's reasonable, just ignore Waethorn. At some point, he'll tire of posting his apple-bashing garbage into a vacuum. Responding just feeds his obsessive need to stroke his ego with self-declared victories in these discussions. I've turned over a new leaf in this regard. I'm hoping it will stick.
subzerohitman721
on Aug 7, 2008
@johnpapola... Regarding your comments on Apple doing better with communication, I agree. I believe that Apple should disclose exactly which bug fixes are being applied by updates and patches. If they did that, that would go a long way in acknowledging the problems and correcting them. I also agree with you that users must acknowledge that the false sense of security does begin and end with the user. My own user experience has conditioned me to check updates at least once a week. I update my anti-virus every 2 to 3 days. It was this routine that protected my then XP system when Blaster hit back in '03. I think once people have an update and maintenance routine, computing will be a lot more stable. Then we can argue about other things. Peace.
johnpapola
on Aug 7, 2008
@Sub, Agreed on all fronts. I think the thing is that OS X did have structural advantages over Windows, including the admin password requirement for software installation. Vista has brought parity, and probably superiority, to Windows over OS X... so now it's more about market share... though it's hard to deny the dearth of attacks given the visibility of the Mac. Again, it's not like they are getting 3.5% of viruses and trojan horses and the rest. So I find that interesting. The Mac's "resurgence" has been in the news for years now, so I'm frankly amazed at the lack of a serious, broad attack. There's something there that's not easily explained away by "tiny market share".
shark47
on Aug 7, 2008
"Again, it's not like they are getting 3.5% of viruses and trojan horses and the rest. So I find that interesting. The Mac's "resurgence" has been in the news for years now, so I'm frankly amazed at the lack of a serious, broad attack. There's something there that's not easily explained away by "tiny market share"." Read the book 'The Tipping Point' by Malcolm Gladwell.
Waethorn
on Aug 7, 2008
"I believe that Apple should disclose exactly which bug fixes are being applied by updates and patches. If they did that, that would go a long way in acknowledging the problems and correcting them." I second that. For a company that relies heavily on open-source software at the core (and for john's claim that they are so "open"), they sure like to keep their secrets hidden behind the BSD license. Luckily there are companies like Secunia, as well as my buddy's firm, that acknowledge their flaws for them.
